From 71cd1c43a93ba5a079392ea66023ce063e5d58d0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 22 Jan 2024 20:50:49 -0600 Subject: [PATCH 0001/1462] reopen main for 43 dev (#10234) --- CHANGELOG.rst | 8 ++++++++ pyproject.toml | 2 +- src/cryptography/__about__.py | 2 +- vectors/cryptography_vectors/__about__.py | 2 +- vectors/pyproject.toml | 2 +- 5 files changed, 12 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index b11a81f3fbc5..f96ef193d2d9 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,14 @@ Changelog ========= +.. _v43-0-0: + +43.0.0 - `main`_ +~~~~~~~~~~~~~~~~ + +.. note:: This version is not yet released and is under active development. + + .. _v42-0-0: 42.0.0 - 2024-01-22 diff --git a/pyproject.toml b/pyproject.toml index 6369bebf7620..e127e7fa6fd6 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -12,7 +12,7 @@ build-backend = "setuptools.build_meta" [project] name = "cryptography" -version = "42.0.0" +version = "43.0.0.dev1" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index 7d62a32b6fab..5d65d977a08a 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -10,7 +10,7 @@ "__copyright__", ] -__version__ = "42.0.0" +__version__ = "43.0.0.dev1" __author__ = "The Python Cryptographic Authority and individual contributors" diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py index 6040ee84583e..4f859faec08c 100644 --- a/vectors/cryptography_vectors/__about__.py +++ b/vectors/cryptography_vectors/__about__.py @@ -6,4 +6,4 @@ "__version__", ] -__version__ = "42.0.0" +__version__ = "43.0.0.dev1" diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index 0c43684bb92a..99021511a0cd 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml 
@@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi" [project] name = "cryptography_vectors" -version = "42.0.0" +version = "43.0.0.dev1" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] From c8f732eb27770ecfc2c7a265c213d7e4b595113f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 22 Jan 2024 20:51:02 -0600 Subject: [PATCH 0002/1462] fix the release script (#10233) we removed version as an arg, but didn't remove it from the click decorator --- release.py | 1 - 1 file changed, 1 deletion(-) diff --git a/release.py b/release.py index 4abac1a2ed3e..78b894fe1d44 100644 --- a/release.py +++ b/release.py @@ -22,7 +22,6 @@ def cli(): @cli.command() -@click.argument("version") def release() -> None: base_dir = pathlib.Path(__file__).parent with (base_dir / "pyproject.toml").open("rb") as f: From 317985423b7658881d13f80e2a0fb533ebcf9162 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 23 Jan 2024 07:32:38 -0500 Subject: [PATCH 0003/1462] fixes #10237 -- correct EC sign parameter name (#10239) --- src/rust/src/backend/ec.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index e221b025cbb9..459da6103d3b 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -269,9 +269,9 @@ impl ECPrivateKey { &self, py: pyo3::Python<'p>, data: &[u8], - algorithm: &pyo3::PyAny, + signature_algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - if !algorithm.is_instance(types::ECDSA.get(py)?)? { + if !signature_algorithm.is_instance(types::ECDSA.get(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "Unsupported elliptic curve signature algorithm", 
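Review bot: Nothing at the renamed `signature_algorithm` parameter of `ECPrivateKey::sign` records that the Rust argument name is also the keyword name Python callers use, which appears to be why the old `algorithm` spelling was a bug. A comment above it, e.g. `// Name is part of the Python API: callers may pass signature_algorithm= by keyword.`, would keep a later tidy-up from renaming it again. The diffstat lists only ec.rs, so a regression test that calls `sign` with `signature_algorithm=` as a keyword is also missing. The function starts and ends outside this hunk, and the hunk at -283 only follows the rename.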
@@ -283,7 +283,7 @@ impl ECPrivateKey { let (data, _) = utils::calculate_digest_and_algorithm( py, data, - algorithm.getattr(pyo3::intern!(py, "algorithm"))?, + signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, )?; let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; From bbbf1de73a5d57f8e9a43b6323a43e2d6ae22a3f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Jan 2024 06:34:25 -0600 Subject: [PATCH 0004/1462] Bump pyopenssl from 23.3.0 to 24.0.0 in /.github/requirements (#10238) * Bump pyopenssl from 23.3.0 to 24.0.0 in /.github/requirements Bumps [pyopenssl](https://github.com/pyca/pyopenssl) from 23.3.0 to 24.0.0. - [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/pyopenssl/compare/23.3.0...24.0.0) --- updated-dependencies: - dependency-name: pyopenssl dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 2de251b3aa5b..f1db1b610c84 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -489,9 +489,9 @@ pyjwt==2.8.0 \ --hash=sha256:57e28d156e3d5c10088e0c68abb90bfac3df82b40a71bd0daa20c65ccd5c23de \ --hash=sha256:59127c392cc44c2da5bb3192169a91f429924e17aff6534d70fdc02ab3e04320 # via sigstore -pyopenssl==23.3.0 \ - --hash=sha256:6756834481d9ed5470f4a9393455154bc92fe7a64b7bc6ee2c804e78c52099b2 \ - --hash=sha256:6b2cba5cc46e822750ec3e5a81ee12819850b11303630d575e98108a079c2b12 +pyopenssl==24.0.0 \ + --hash=sha256:6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a334530bf \ + --hash=sha256:ba07553fb6fd6a7a2259adb9b84e12302a9a8a75c44046e8bb5d3e5ee887e3c3 # via sigstore python-dateutil==2.8.2 \ --hash=sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86 \ From f9a0b3d67e406832e4933a0f9d62a66e3800cabc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Jan 2024 07:08:18 -0600 Subject: [PATCH 0005/1462] Bump cryptography from 41.0.7 to 42.0.0 in /.github/requirements (#10241) * Bump cryptography from 41.0.7 to 42.0.0 in /.github/requirements Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.7 to 42.0.0. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/41.0.7...42.0.0) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 57 +++++++++++-------- 1 file changed, 33 insertions(+), 24 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index f1db1b610c84..8bb646c976e5 100644 --- a/.github/requirements/publish-requirements.txt 
+++ b/.github/requirements/publish-requirements.txt 
@@ -166,30 +166,39 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==41.0.7 \ - --hash=sha256:079b85658ea2f59c4f43b70f8119a52414cdb7be34da5d019a77bf96d473b960 \ - --hash=sha256:09616eeaef406f99046553b8a40fbf8b1e70795a91885ba4c96a70793de5504a \ - --hash=sha256:13f93ce9bea8016c253b34afc6bd6a75993e5c40672ed5405a9c832f0d4a00bc \ - --hash=sha256:37a138589b12069efb424220bf78eac59ca68b95696fc622b6ccc1c0a197204a \ - --hash=sha256:3c78451b78313fa81607fa1b3f1ae0a5ddd8014c38a02d9db0616133987b9cdf \ - --hash=sha256:43f2552a2378b44869fe8827aa19e69512e3245a219104438692385b0ee119d1 \ - --hash=sha256:48a0476626da912a44cc078f9893f292f0b3e4c739caf289268168d8f4702a39 \ - --hash=sha256:49f0805fc0b2ac8d4882dd52f4a3b935b210935d500b6b805f321addc8177406 \ - --hash=sha256:5429ec739a29df2e29e15d082f1d9ad683701f0ec7709ca479b3ff2708dae65a \ - --hash=sha256:5a1b41bc97f1ad230a41657d9155113c7521953869ae57ac39ac7f1bb471469a \ - --hash=sha256:68a2dec79deebc5d26d617bfdf6e8aab065a4f34934b22d3b5010df3ba36612c \ - --hash=sha256:7a698cb1dac82c35fcf8fe3417a3aaba97de16a01ac914b89a0889d364d2f6be \ - --hash=sha256:841df4caa01008bad253bce2a6f7b47f86dc9f08df4b433c404def869f590a15 \ - --hash=sha256:90452ba79b8788fa380dfb587cca692976ef4e757b194b093d845e8d99f612f2 \ - --hash=sha256:928258ba5d6f8ae644e764d0f996d61a8777559f72dfeb2eea7e2fe0ad6e782d \ - --hash=sha256:af03b32695b24d85a75d40e1ba39ffe7db7ffcb099fe507b39fd41a565f1b157 \ - --hash=sha256:b640981bf64a3e978a56167594a0e97db71c89a479da8e175d8bb5be5178c003 \ - --hash=sha256:c5ca78485a255e03c32b513f8c2bc39fedb7f5c5f8535545bdc223a03b24f248 \ - --hash=sha256:c7f3201ec47d5207841402594f1d7950879ef890c0c495052fa62f58283fde1a \ - --hash=sha256:d5ec85080cce7b0513cfd233914eb8b7bbd0633f1d1703aa28d1dd5a72f678ec \ - --hash=sha256:d6c391c021ab1f7a82da5d8d0b3cee2f4b2c455ec86c8aebbc84837a631ff309 \ - 
--hash=sha256:e3114da6d7f95d2dee7d3f4eec16dacff819740bbab931aff8648cb13c5ff5e7 \ - --hash=sha256:f983596065a18a2183e7f79ab3fd4c475205b839e02cbc0efbbf9666c4b3083d +cryptography==42.0.0 \ + --hash=sha256:0a68bfcf57a6887818307600c3c0ebc3f62fbb6ccad2240aa21887cda1f8df1b \ + --hash=sha256:146e971e92a6dd042214b537a726c9750496128453146ab0ee8971a0299dc9bd \ + --hash=sha256:14e4b909373bc5bf1095311fa0f7fcabf2d1a160ca13f1e9e467be1ac4cbdf94 \ + --hash=sha256:206aaf42e031b93f86ad60f9f5d9da1b09164f25488238ac1dc488334eb5e221 \ + --hash=sha256:3005166a39b70c8b94455fdbe78d87a444da31ff70de3331cdec2c568cf25b7e \ + --hash=sha256:324721d93b998cb7367f1e6897370644751e5580ff9b370c0a50dc60a2003513 \ + --hash=sha256:33588310b5c886dfb87dba5f013b8d27df7ffd31dc753775342a1e5ab139e59d \ + --hash=sha256:35cf6ed4c38f054478a9df14f03c1169bb14bd98f0b1705751079b25e1cb58bc \ + --hash=sha256:3ca482ea80626048975360c8e62be3ceb0f11803180b73163acd24bf014133a0 \ + --hash=sha256:56ce0c106d5c3fec1038c3cca3d55ac320a5be1b44bf15116732d0bc716979a2 \ + --hash=sha256:5a217bca51f3b91971400890905a9323ad805838ca3fa1e202a01844f485ee87 \ + --hash=sha256:678cfa0d1e72ef41d48993a7be75a76b0725d29b820ff3cfd606a5b2b33fda01 \ + --hash=sha256:69fd009a325cad6fbfd5b04c711a4da563c6c4854fc4c9544bff3088387c77c0 \ + --hash=sha256:6cf9b76d6e93c62114bd19485e5cb003115c134cf9ce91f8ac924c44f8c8c3f4 \ + --hash=sha256:74f18a4c8ca04134d2052a140322002fef535c99cdbc2a6afc18a8024d5c9d5b \ + --hash=sha256:85f759ed59ffd1d0baad296e72780aa62ff8a71f94dc1ab340386a1207d0ea81 \ + --hash=sha256:87086eae86a700307b544625e3ba11cc600c3c0ef8ab97b0fda0705d6db3d4e3 \ + --hash=sha256:8814722cffcfd1fbd91edd9f3451b88a8f26a5fd41b28c1c9193949d1c689dc4 \ + --hash=sha256:8fedec73d590fd30c4e3f0d0f4bc961aeca8390c72f3eaa1a0874d180e868ddf \ + --hash=sha256:9515ea7f596c8092fdc9902627e51b23a75daa2c7815ed5aa8cf4f07469212ec \ + --hash=sha256:988b738f56c665366b1e4bfd9045c3efae89ee366ca3839cd5af53eaa1401bce \ + 
--hash=sha256:a2a8d873667e4fd2f34aedab02ba500b824692c6542e017075a2efc38f60a4c0 \ + --hash=sha256:bd7cf7a8d9f34cc67220f1195884151426ce616fdc8285df9054bfa10135925f \ + --hash=sha256:bdce70e562c69bb089523e75ef1d9625b7417c6297a76ac27b1b8b1eb51b7d0f \ + --hash=sha256:be14b31eb3a293fc6e6aa2807c8a3224c71426f7c4e3639ccf1a2f3ffd6df8c3 \ + --hash=sha256:be41b0c7366e5549265adf2145135dca107718fa44b6e418dc7499cfff6b4689 \ + --hash=sha256:c310767268d88803b653fffe6d6f2f17bb9d49ffceb8d70aed50ad45ea49ab08 \ + --hash=sha256:c58115384bdcfe9c7f644c72f10f6f42bed7cf59f7b52fe1bf7ae0a622b3a139 \ + --hash=sha256:c640b0ef54138fde761ec99a6c7dc4ce05e80420262c20fa239e694ca371d434 \ + --hash=sha256:ca20550bb590db16223eb9ccc5852335b48b8f597e2f6f0878bbfd9e7314eb17 \ + --hash=sha256:d97aae66b7de41cdf5b12087b5509e4e9805ed6f562406dfcf60e8481a9a28f8 \ + --hash=sha256:e9326ca78111e4c645f7e49cbce4ed2f3f85e17b61a563328c85a5208cf34440 # via # pyopenssl # secretstorage From 97eb48eee01edcd081fa546cafecc28d6247d005 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 23 Jan 2024 19:53:49 -0500 Subject: [PATCH 0006/1462] Bump x509-limbo and/or wycheproof in CI (#10243) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index c1df58824014..191272a8c3ed 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 23, 2024. - ref: "cf66142f5c27b64c987c6f0aa4c10b8c9677b41c" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 24, 2024. + ref: "5df450e490c1edc9d883e0f654e2671b638a2802" # x509-limbo-ref 
From 050839f4dd0f1394ddb6538d4520424ee84ca99d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Jan 2024 06:52:30 -0500 Subject: [PATCH 0007/1462] Bump argcomplete from 3.2.1 to 3.2.2 (#10245) Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.2.1 to 3.2.2. - [Release notes](https://github.com/kislyuk/argcomplete/releases) - [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/argcomplete/compare/v3.2.1...v3.2.2) --- updated-dependencies: - dependency-name: argcomplete dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 19110a231d8e..e05835c90880 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -7,7 +7,7 @@ alabaster==0.7.16 # via sphinx -argcomplete==3.2.1; python_version >= "3.8" +argcomplete==3.2.2; python_version >= "3.8" # via nox babel==2.14.0 # via sphinx From 72d94030fce5ddf1b1c4fcd882ab155d2d471a27 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 25 Jan 2024 00:22:02 +0000 Subject: [PATCH 0008/1462] Bump BoringSSL and/or OpenSSL in CI (#10249) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c9d3ab950244..a77e813d78ac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 23, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a4c3f8de4406c2382e43e88a638882fb1a32da32"}} - # Latest commit on the OpenSSL master branch, as of Jan 23, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5ed9a32a2aee89e10eb2891f5fb7a283e1b5199b"}} + # Latest commit on the BoringSSL master branch, as of Jan 25, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "77ee4e4609cfb3480e1a554790348ebcab61313e"}} + # Latest commit on the OpenSSL master branch, as of Jan 25, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ff78d94b131d7bb3b761509d3ce0dd864b1420e3"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From bee35f0d4b2151e530995c1b2ca0c2ba049e8b4b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 25 Jan 2024 00:30:50 +0000 Subject: [PATCH 0009/1462] Bump x509-limbo and/or wycheproof in CI (#10250) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 191272a8c3ed..6dced6338927 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 24, 2024. - ref: "5df450e490c1edc9d883e0f654e2671b638a2802" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 25, 2024. + ref: "dcbb36ae64a11648c98c42e6610f7d278704c2ea" # x509-limbo-ref From 075925fd55dfef127141bb9ef49e826008da8ae4 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 24 Jan 2024 18:54:23 -0700 Subject: [PATCH 0010/1462] allow SPKI RSA keys to be parsed even if they have an incorrect delimiter (#10248) * allow SPKI RSA keys to be parsed even if they have an incorrect delimiter This allows RSA SPKI keys (typically delimited with PUBLIC KEY) to be parsed even if they are using the RSA PUBLIC KEY delimiter. * formatting * use original error if nothing parses, don't let it parse non-RSA --- docs/development/test-vectors.rst | 6 ++++++ src/rust/src/backend/keys.rs | 21 ++++++++++++++++++- tests/hazmat/primitives/test_serialization.py | 16 ++++++++++++++ .../ec_public_key_rsa_delimiter.pem | 4 ++++ .../rsa_wrong_delimiter_public_key.pem | 9 ++++++++ 5 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 vectors/cryptography_vectors/asymmetric/PEM_Serialization/ec_public_key_rsa_delimiter.pem create mode 100644 vectors/cryptography_vectors/asymmetric/PEM_Serialization/rsa_wrong_delimiter_public_key.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 1255688840f3..0b1f238ffaa2 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst 
@@ -72,12 +72,18 @@ Custom asymmetric vectors * ``asymmetric/PEM_Serialization/ec_public_key.pem`` and ``asymmetric/DER_Serialization/ec_public_key.der``- Contains the public key corresponding to ``ec_private_key.pem``, generated using OpenSSL. +* ``asymmetric/PEM_Serialization/ec_public_key_rsa_delimiter.pem`` - Contains + the public key corresponding to ``ec_private_key.pem``, but with the wrong PEM + delimiter (``RSA PUBLIC KEY`` when it should be ``PUBLIC KEY``). * ``asymmetric/PEM_Serialization/rsa_private_key.pem`` - Contains an RSA 2048 bit key generated using OpenSSL, protected by the secret "123456" with DES3 encryption. * ``asymmetric/PEM_Serialization/rsa_public_key.pem`` and ``asymmetric/DER_Serialization/rsa_public_key.der``- Contains an RSA 2048 bit public generated using OpenSSL from ``rsa_private_key.pem``. +* ``asymmetric/PEM_Serialization/rsa_wrong_delimiter_public_key.pem`` - Contains + an RSA 2048 bit public key generated from ``rsa_private_key.pem``, but with + the wrong PEM delimiter (``RSA PUBLIC KEY`` when it should be ``PUBLIC KEY``). * ``asymmetric/PEM_Serialization/dsa_4096.pem`` - Contains a 4096-bit DSA private key generated using OpenSSL. * ``asymmetric/PEM_Serialization/dsaparam.pem`` - Contains 2048-bit DSA diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index bd3e8eb28e3b..ecdff5db6dcb 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs 
@@ -165,7 +165,26 @@ fn load_pem_public_key( let _ = backend; let p = pem::parse(data.as_bytes())?; let pkey = match p.tag() { - "RSA PUBLIC KEY" => cryptography_key_parsing::rsa::parse_pkcs1_public_key(p.contents())?, + "RSA PUBLIC KEY" => { + // We try to parse it as a PKCS1 first since that's the PEM delimiter, and if + // that fails we try to parse it as an SPKI. This is to match the permissiveness + // of OpenSSL, which doesn't care about the delimiter. + match cryptography_key_parsing::rsa::parse_pkcs1_public_key(p.contents()) { + Ok(pkey) => pkey, + Err(err) => { + let pkey = cryptography_key_parsing::spki::parse_public_key(p.contents()) + .map_err(|_| err)?; + if pkey.id() != openssl::pkey::Id::RSA { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Incorrect PEM delimiter for key type.", + ), + )); + } + pkey + } + } + } "PUBLIC KEY" => cryptography_key_parsing::spki::parse_public_key(p.contents())?, _ => return Err(CryptographyError::from(pem::PemError::MalformedFraming)), }; diff --git a/tests/hazmat/primitives/test_serialization.py b/tests/hazmat/primitives/test_serialization.py index 58693a4912d2..51fcc3563d8a 100644 --- a/tests/hazmat/primitives/test_serialization.py +++ b/tests/hazmat/primitives/test_serialization.py @@ -506,6 +506,11 @@ def test_load_pem_ec_private_key(self, key_path, password, backend): "asymmetric", "PEM_Serialization", "rsa_public_key.pem" ), os.path.join("asymmetric", "public", "PKCS1", "rsa.pub.pem"), + os.path.join( + "asymmetric", + "PEM_Serialization", + "rsa_wrong_delimiter_public_key.pem", + ), ], ) def test_load_pem_rsa_public_key(self, key_file, backend): 
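Review bot: The `pkey.id() != openssl::pkey::Id::RSA` check in the new `"RSA PUBLIC KEY"` arm is what stops the relaxed label handling from loading a non-RSA SubjectPublicKeyInfo under an RSA label, yet the comment above the `match` explains only the OpenSSL-compatibility fallback. I would add a line next to the check, e.g. `// The label still pins the key type: only an RSA SPKI is accepted on this path.`, so the guard is not dropped when this arm is next simplified. It would also help to state whether an RSA-PSS SPKI is meant to be rejected here; if the parser reports it under a separate key id it would fail this comparison with the delimiter error, which I cannot confirm from the hunk. `load_pem_public_key` starts and ends outside the hunk.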
@@ -520,6 +525,17 @@ def test_load_pem_rsa_public_key(self, key_file, backend): numbers = key.public_numbers() assert numbers.e == 65537 + def test_load_pem_public_fails_with_ec_key_with_rsa_delimiter(self): + with pytest.raises(ValueError): + load_vectors_from_file( + os.path.join( + "asymmetric", + "PEM_Serialization", + "ec_public_key_rsa_delimiter.pem", + ), + lambda pemfile: load_pem_public_key(pemfile.read().encode()), + ) + def test_load_priv_key_with_public_key_api_fails( self, rsa_key_2048, backend ): diff --git a/vectors/cryptography_vectors/asymmetric/PEM_Serialization/ec_public_key_rsa_delimiter.pem b/vectors/cryptography_vectors/asymmetric/PEM_Serialization/ec_public_key_rsa_delimiter.pem new file mode 100644 index 000000000000..565ece176bf5 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/PEM_Serialization/ec_public_key_rsa_delimiter.pem @@ -0,0 +1,4 @@ +-----BEGIN RSA PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJLzzbuz2tRnLFlOL+6bTX6giVavA +sc6NDFFT0IMCd2ibTTNUDDkFGsgq0cH5JYPg/6xUlMBFKrWYe3yQ4has9w== +-----END RSA PUBLIC KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/PEM_Serialization/rsa_wrong_delimiter_public_key.pem b/vectors/cryptography_vectors/asymmetric/PEM_Serialization/rsa_wrong_delimiter_public_key.pem new file mode 100644 index 000000000000..78053b4e6ed9 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/PEM_Serialization/rsa_wrong_delimiter_public_key.pem @@ -0,0 +1,9 @@ +-----BEGIN RSA PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnR4AZ+tgWYql+S3MaTQ6 +zeIO1fKzFIoau9Q0zGuv/1oCAewXwxeDSSxw+/Z3GL1NpuuS9CpbR5EQ3d71bD0v +0G+Sf+mShSl0oljG7YqnNSPzKl+EQ3/KE+eEButcwas6KGof2BA4bFNCw/fPbuhk +u/d8sIIEgdzBMiGRMdW33uci3rsdOenMZQA7uWsM/q/pu85YLAVOxq6wlUCzP4FM +Tw/RKzayrPkn3Jfbqcy1aM2HDlFVx24vaN+RRbPSnVoQbo5EQYkUMXE8WmadSyHl +pXGRnWsJSV9AdGyDrbU+6tcFwcIwnW22jb/OJy8swHdqKGkuR1kQ0XqokK1yGKFZ +8wIDAQAB +-----END RSA PUBLIC KEY----- 
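Review bot: `test_load_pem_public_fails_with_ec_key_with_rsa_delimiter` asserts only `pytest.raises(ValueError)`, so it does not show that the key-type check in keys.rs is what rejected the vector. If other parse failures also surface as `ValueError`, the test would still pass with that check removed. Pinning the message ties it to the intended branch: `with pytest.raises(ValueError, match="Incorrect PEM delimiter"):`.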
From 1bb43b0d9ee6978f1bdfafd2df34b0024417a053 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 24 Jan 2024 19:48:17 -0700 Subject: [PATCH 0011/1462] port 42.0.1 changelog to main (#10253) --- CHANGELOG.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index f96ef193d2d9..7abdf8e9f9ef 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -8,6 +8,15 @@ Changelog .. note:: This version is not yet released and is under active development. +.. _v42-0-1: + +42.0.1 - 2024-01-24 +~~~~~~~~~~~~~~~~~~~ + +* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey`` + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign`. +* Resolved compatibility issue with loading certain RSA public keys in + :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`. .. _v42-0-0: From e49a9361bbf717eee8d61fd3fda2d698ac916c08 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Jan 2024 12:01:30 +0000 Subject: [PATCH 0012/1462] Bump pluggy from 1.3.0 to 1.4.0 (#10258) Bumps [pluggy](https://github.com/pytest-dev/pluggy) from 1.3.0 to 1.4.0. - [Changelog](https://github.com/pytest-dev/pluggy/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pluggy/compare/1.3.0...1.4.0) --- updated-dependencies: - dependency-name: pluggy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e05835c90880..6650dc463de8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -70,7 +70,7 @@ pathspec==0.12.1 # via check-sdist platformdirs==4.1.0; python_version >= "3.8" # via virtualenv -pluggy==1.3.0; python_version >= "3.8" +pluggy==1.4.0; python_version >= "3.8" # via pytest pretend==1.0.9 # via cryptography (pyproject.toml) From 646c0c4b56bbf249b49792fabca75332081ddf78 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Jan 2024 06:06:32 -0800 Subject: [PATCH 0013/1462] Bump cryptography from 42.0.0 to 42.0.1 in /.github/requirements (#10257) * Bump cryptography from 42.0.0 to 42.0.1 in /.github/requirements Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.0 to 42.0.1. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/42.0.0...42.0.1) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 8bb646c976e5..9189187f47fb 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -166,39 +166,39 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==42.0.0 \ - --hash=sha256:0a68bfcf57a6887818307600c3c0ebc3f62fbb6ccad2240aa21887cda1f8df1b \ - --hash=sha256:146e971e92a6dd042214b537a726c9750496128453146ab0ee8971a0299dc9bd \ - --hash=sha256:14e4b909373bc5bf1095311fa0f7fcabf2d1a160ca13f1e9e467be1ac4cbdf94 \ - --hash=sha256:206aaf42e031b93f86ad60f9f5d9da1b09164f25488238ac1dc488334eb5e221 \ - --hash=sha256:3005166a39b70c8b94455fdbe78d87a444da31ff70de3331cdec2c568cf25b7e \ - --hash=sha256:324721d93b998cb7367f1e6897370644751e5580ff9b370c0a50dc60a2003513 \ - --hash=sha256:33588310b5c886dfb87dba5f013b8d27df7ffd31dc753775342a1e5ab139e59d \ - --hash=sha256:35cf6ed4c38f054478a9df14f03c1169bb14bd98f0b1705751079b25e1cb58bc \ - --hash=sha256:3ca482ea80626048975360c8e62be3ceb0f11803180b73163acd24bf014133a0 \ - --hash=sha256:56ce0c106d5c3fec1038c3cca3d55ac320a5be1b44bf15116732d0bc716979a2 \ - --hash=sha256:5a217bca51f3b91971400890905a9323ad805838ca3fa1e202a01844f485ee87 \ - --hash=sha256:678cfa0d1e72ef41d48993a7be75a76b0725d29b820ff3cfd606a5b2b33fda01 \ - --hash=sha256:69fd009a325cad6fbfd5b04c711a4da563c6c4854fc4c9544bff3088387c77c0 \ - --hash=sha256:6cf9b76d6e93c62114bd19485e5cb003115c134cf9ce91f8ac924c44f8c8c3f4 \ - --hash=sha256:74f18a4c8ca04134d2052a140322002fef535c99cdbc2a6afc18a8024d5c9d5b \ - --hash=sha256:85f759ed59ffd1d0baad296e72780aa62ff8a71f94dc1ab340386a1207d0ea81 \ - --hash=sha256:87086eae86a700307b544625e3ba11cc600c3c0ef8ab97b0fda0705d6db3d4e3 \ - --hash=sha256:8814722cffcfd1fbd91edd9f3451b88a8f26a5fd41b28c1c9193949d1c689dc4 \ - --hash=sha256:8fedec73d590fd30c4e3f0d0f4bc961aeca8390c72f3eaa1a0874d180e868ddf \ - --hash=sha256:9515ea7f596c8092fdc9902627e51b23a75daa2c7815ed5aa8cf4f07469212ec \ - --hash=sha256:988b738f56c665366b1e4bfd9045c3efae89ee366ca3839cd5af53eaa1401bce \ - 
--hash=sha256:a2a8d873667e4fd2f34aedab02ba500b824692c6542e017075a2efc38f60a4c0 \ - --hash=sha256:bd7cf7a8d9f34cc67220f1195884151426ce616fdc8285df9054bfa10135925f \ - --hash=sha256:bdce70e562c69bb089523e75ef1d9625b7417c6297a76ac27b1b8b1eb51b7d0f \ - --hash=sha256:be14b31eb3a293fc6e6aa2807c8a3224c71426f7c4e3639ccf1a2f3ffd6df8c3 \ - --hash=sha256:be41b0c7366e5549265adf2145135dca107718fa44b6e418dc7499cfff6b4689 \ - --hash=sha256:c310767268d88803b653fffe6d6f2f17bb9d49ffceb8d70aed50ad45ea49ab08 \ - --hash=sha256:c58115384bdcfe9c7f644c72f10f6f42bed7cf59f7b52fe1bf7ae0a622b3a139 \ - --hash=sha256:c640b0ef54138fde761ec99a6c7dc4ce05e80420262c20fa239e694ca371d434 \ - --hash=sha256:ca20550bb590db16223eb9ccc5852335b48b8f597e2f6f0878bbfd9e7314eb17 \ - --hash=sha256:d97aae66b7de41cdf5b12087b5509e4e9805ed6f562406dfcf60e8481a9a28f8 \ - --hash=sha256:e9326ca78111e4c645f7e49cbce4ed2f3f85e17b61a563328c85a5208cf34440 +cryptography==42.0.1 \ + --hash=sha256:0b7cacc142260ada944de070ce810c3e2a438963ee3deb45aa26fd2cee94c9a4 \ + --hash=sha256:126e0ba3cc754b200a2fb88f67d66de0d9b9e94070c5bc548318c8dab6383cb6 \ + --hash=sha256:160fa08dfa6dca9cb8ad9bd84e080c0db6414ba5ad9a7470bc60fb154f60111e \ + --hash=sha256:16b9260d04a0bfc8952b00335ff54f471309d3eb9d7e8dbfe9b0bd9e26e67881 \ + --hash=sha256:25ec6e9e81de5d39f111a4114193dbd39167cc4bbd31c30471cebedc2a92c323 \ + --hash=sha256:265bdc693570b895eb641410b8fc9e8ddbce723a669236162b9d9cfb70bd8d77 \ + --hash=sha256:2dff7a32880a51321f5de7869ac9dde6b1fca00fc1fef89d60e93f215468e824 \ + --hash=sha256:2fe16624637d6e3e765530bc55caa786ff2cbca67371d306e5d0a72e7c3d0407 \ + --hash=sha256:32ea63ceeae870f1a62e87f9727359174089f7b4b01e4999750827bf10e15d60 \ + --hash=sha256:351db02c1938c8e6b1fee8a78d6b15c5ccceca7a36b5ce48390479143da3b411 \ + --hash=sha256:430100abed6d3652208ae1dd410c8396213baee2e01a003a4449357db7dc9e14 \ + --hash=sha256:4d84673c012aa698555d4710dcfe5f8a0ad76ea9dde8ef803128cc669640a2e0 \ + 
--hash=sha256:50aecd93676bcca78379604ed664c45da82bc1241ffb6f97f6b7392ed5bc6f04 \ + --hash=sha256:6ac8924085ed8287545cba89dc472fc224c10cc634cdf2c3e2866fe868108e77 \ + --hash=sha256:6bfd823b336fdcd8e06285ae8883d3d2624d3bdef312a0e2ef905f332f8e9302 \ + --hash=sha256:727387886c9c8de927c360a396c5edcb9340d9e960cda145fca75bdafdabd24c \ + --hash=sha256:7911586fc69d06cd0ab3f874a169433db1bc2f0e40988661408ac06c4527a986 \ + --hash=sha256:802d6f83233cf9696b59b09eb067e6b4d5ae40942feeb8e13b213c8fad47f1aa \ + --hash=sha256:8d7efb6bf427d2add2f40b6e1e8e476c17508fa8907234775214b153e69c2e11 \ + --hash=sha256:9544492e8024f29919eac2117edd8c950165e74eb551a22c53f6fdf6ba5f4cb8 \ + --hash=sha256:95d900d19a370ae36087cc728e6e7be9c964ffd8cbcb517fd1efb9c9284a6abc \ + --hash=sha256:9d61fcdf37647765086030d81872488e4cb3fafe1d2dda1d487875c3709c0a49 \ + --hash=sha256:ab6b302d51fbb1dd339abc6f139a480de14d49d50f65fdc7dff782aa8631d035 \ + --hash=sha256:b512f33c6ab195852595187af5440d01bb5f8dd57cb7a91e1e009a17f1b7ebca \ + --hash=sha256:cb2861a9364fa27d24832c718150fdbf9ce6781d7dc246a516435f57cfa31fe7 \ + --hash=sha256:d3594947d2507d4ef7a180a7f49a6db41f75fb874c2fd0e94f36b89bfd678bf2 \ + --hash=sha256:d3902c779a92151f134f68e555dd0b17c658e13429f270d8a847399b99235a3f \ + --hash=sha256:d50718dd574a49d3ef3f7ef7ece66ef281b527951eb2267ce570425459f6a404 \ + --hash=sha256:e5edf189431b4d51f5c6fb4a95084a75cef6b4646c934eb6e32304fc720e1453 \ + --hash=sha256:e6edc3a568667daf7d349d7e820783426ee4f1c0feab86c29bd1d6fe2755e009 \ + --hash=sha256:ed1b2130f5456a09a134cc505a17fc2830a1a48ed53efd37dcc904a23d7b82fa \ + --hash=sha256:fd33f53809bb363cf126bebe7a99d97735988d9b0131a2be59fbf83e1259a5b7 # via # pyopenssl # secretstorage From 08b24d87a64734ac7f5c575b309ad7d49c246353 Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Thu, 25 Jan 2024 11:51:59 -0800 Subject: [PATCH 0014/1462] explicitly support bytes-like for signature/data in RSA sign/verify (#10259) this was never documented but previously worked in <42. we now also document that this is supported to confuse ourselves less. --- docs/hazmat/primitives/asymmetric/rsa.rst | 9 ++++++--- src/rust/src/backend/rsa.rs | 15 +++++++++------ tests/hazmat/primitives/test_rsa.py | 20 ++++++++++++++++---- 3 files changed, 31 insertions(+), 13 deletions(-) diff --git a/docs/hazmat/primitives/asymmetric/rsa.rst b/docs/hazmat/primitives/asymmetric/rsa.rst index b8f2acacdf8f..35230f7e982d 100644 --- a/docs/hazmat/primitives/asymmetric/rsa.rst +++ b/docs/hazmat/primitives/asymmetric/rsa.rst @@ -620,7 +620,8 @@ Key interfaces Sign one block of data which can be verified later by others using the public key. - :param bytes data: The message string to sign. + :param data: The message string to sign. + :type data: :term:`bytes-like` :param padding: An instance of :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`. @@ -739,9 +740,11 @@ Key interfaces Verify one block of data was signed by the private key associated with this public key. - :param bytes signature: The signature to verify. + :param signature: The signature to verify. + :type signature: :term:`bytes-like` - :param bytes data: The message string that was signed. + :param data: The message string that was signed. + :type data: :term:`bytes-like` :param padding: An instance of :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`. diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 35dd1053fdfc..662f30aff084 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs 
@@ -6,6 +6,7 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; use crate::backend::{hashes, utils}; +use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; @@ -281,11 +282,12 @@ impl RsaPrivateKey { fn sign<'p>( &self, py: pyo3::Python<'p>, - data: &[u8], + data: CffiBuf<'_>, padding: &pyo3::PyAny, algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::PyAny> { - let (data, algorithm) = utils::calculate_digest_and_algorithm(py, data, algorithm)?; + let (data, algorithm) = + utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.sign_init().map_err(|_| { @@ -419,18 +421,19 @@ impl RsaPublicKey { fn verify( &self, py: pyo3::Python<'_>, - signature: &[u8], - data: &[u8], + signature: CffiBuf<'_>, + data: CffiBuf<'_>, padding: &pyo3::PyAny, algorithm: &pyo3::PyAny, ) -> CryptographyResult<()> { - let (data, algorithm) = utils::calculate_digest_and_algorithm(py, data, algorithm)?; + let (data, algorithm) = + utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.verify_init()?; setup_signature_ctx(py, &mut ctx, padding, algorithm, self.pkey.size(), false)?; - let valid = ctx.verify(data, signature).unwrap_or(false); + let valid = ctx.verify(data, signature.as_bytes()).unwrap_or(false); if !valid { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err(()), diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 10a84cb08665..8810f0f58e7e 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py 
@@ -763,9 +763,15 @@ def test_pkcs1_minimum_key_size(self, backend): ) private_key.sign(b"no failure", padding.PKCS1v15(), hashes.SHA512()) - def test_sign(self, rsa_key_2048: rsa.RSAPrivateKey, backend): + @pytest.mark.parametrize( + "message", + [ + b"one little message", + bytearray(b"one little message"), + ], + ) + def test_sign(self, rsa_key_2048: rsa.RSAPrivateKey, message, backend): private_key = rsa_key_2048 - message = b"one little message" pkcs = padding.PKCS1v15() algorithm = hashes.SHA256() signature = private_key.sign(message, pkcs, algorithm) @@ -1375,9 +1381,15 @@ def test_pss_verify_salt_length_too_long(self, backend): hashes.SHA1(), ) - def test_verify(self, rsa_key_2048: rsa.RSAPrivateKey, backend): + @pytest.mark.parametrize( + "message", + [ + b"one little message", + bytearray(b"one little message"), + ], + ) + def test_verify(self, rsa_key_2048: rsa.RSAPrivateKey, message, backend): private_key = rsa_key_2048 - message = b"one little message" pkcs = padding.PKCS1v15() algorithm = hashes.SHA256() signature = private_key.sign(message, pkcs, algorithm) From 3da3a3703bef1772b08bfc7da4b9221b5592f506 Mon Sep 17 00:00:00 2001 
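Review bot: The parametrization added to `test_verify` varies only `message`, so the new bytes-like path for the `signature` argument of `RsaPublicKey.verify` may go untested. The `verify` call itself sits below the end of this hunk, so this is inferred rather than confirmed. If it passes the value returned by `sign` unchanged, wrapping it as `bytearray(signature)` for the bytearray case would cover the second `CffiBuf` parameter, as the DSA/EC/Ed25519/Ed448 tests in the following patch do.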
From: Paul Kehrer Date: Thu, 25 Jan 2024 13:09:27 -0800 Subject: [PATCH 0015/1462] support bytes-like consistently across our asym sign/verify APIs (#10260) and update our docs to show it as well --- docs/hazmat/primitives/asymmetric/dsa.rst | 9 ++++++--- docs/hazmat/primitives/asymmetric/ec.rst | 9 ++++++--- docs/hazmat/primitives/asymmetric/ed25519.rst | 9 ++++++--- docs/hazmat/primitives/asymmetric/ed448.rst | 9 ++++++--- src/rust/src/backend/dsa.rs | 13 +++++++------ src/rust/src/backend/ec.rs | 13 +++++++------ src/rust/src/backend/ed25519.rs | 8 ++++---- src/rust/src/backend/ed448.rs | 8 ++++---- tests/hazmat/primitives/test_dsa.py | 8 ++++++++ tests/hazmat/primitives/test_ec.py | 9 +++++++++ tests/hazmat/primitives/test_ed25519.py | 6 ++++++ tests/hazmat/primitives/test_ed448.py | 6 ++++++ 12 files changed, 75 insertions(+), 32 deletions(-) diff --git a/docs/hazmat/primitives/asymmetric/dsa.rst b/docs/hazmat/primitives/asymmetric/dsa.rst index bcd4c993d20a..b159a09116ff 100644 --- a/docs/hazmat/primitives/asymmetric/dsa.rst +++ b/docs/hazmat/primitives/asymmetric/dsa.rst @@ -289,7 +289,8 @@ Key interfaces Sign one block of data which can be verified later by others using the public key. - :param bytes data: The message string to sign. + :param data: The message string to sign. + :type data: :term:`bytes-like` :param algorithm: An instance of :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` or @@ -391,9 +392,11 @@ Key interfaces Verify one block of data was signed by the private key associated with this public key. - :param bytes signature: The signature to verify. + :param signature: The signature to verify. + :type signature: :term:`bytes-like` - :param bytes data: The message string that was signed. + :param data: The message string that was signed. + :type data: :term:`bytes-like` :param algorithm: An instance of :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` or 
diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst index 561218c35c72..75165b6a4536 100644 --- a/docs/hazmat/primitives/asymmetric/ec.rst +++ b/docs/hazmat/primitives/asymmetric/ec.rst @@ -569,7 +569,8 @@ Key Interfaces Sign one block of data which can be verified later by others using the public key. - :param bytes data: The message string to sign. + :param data: The message string to sign. + :type data: :term:`bytes-like` :param signature_algorithm: An instance of :class:`EllipticCurveSignatureAlgorithm`, such as :class:`ECDSA`. @@ -678,12 +679,14 @@ Key Interfaces Verify one block of data was signed by the private key associated with this public key. - :param bytes signature: The DER-encoded signature to verify. + :param signature: The DER-encoded signature to verify. A raw signature may be DER-encoded by splitting it into the ``r`` and ``s`` components and passing them into :func:`~cryptography.hazmat.primitives.asymmetric.utils.encode_dss_signature`. + :type signature: :term:`bytes-like` - :param bytes data: The message string that was signed. + :param data: The message string that was signed. + :type data: :term:`bytes-like` :param signature_algorithm: An instance of :class:`EllipticCurveSignatureAlgorithm`. diff --git a/docs/hazmat/primitives/asymmetric/ed25519.rst b/docs/hazmat/primitives/asymmetric/ed25519.rst index 1ca06fc1b9f2..8d4b910ca115 100644 --- a/docs/hazmat/primitives/asymmetric/ed25519.rst +++ b/docs/hazmat/primitives/asymmetric/ed25519.rst @@ -67,7 +67,8 @@ Key interfaces .. method:: sign(data) - :param bytes data: The data to sign. + :param data: The data to sign. + :type data: :term:`bytes-like` :returns bytes: The 64 byte signature. 
@@ -192,9 +193,11 @@ Key interfaces .. method:: verify(signature, data) - :param bytes signature: The signature to verify. + :param signature: The signature to verify. + :type signature: :term:`bytes-like` - :param bytes data: The data to verify. + :param data: The data to verify. + :type data: :term:`bytes-like` :returns: None :raises cryptography.exceptions.InvalidSignature: Raised when the diff --git a/docs/hazmat/primitives/asymmetric/ed448.rst b/docs/hazmat/primitives/asymmetric/ed448.rst index efe245d568e9..27a8092db59c 100644 --- a/docs/hazmat/primitives/asymmetric/ed448.rst +++ b/docs/hazmat/primitives/asymmetric/ed448.rst @@ -47,7 +47,8 @@ Key interfaces .. method:: sign(data) - :param bytes data: The data to sign. + :param data: The data to sign. + :type data: :term:`bytes-like` :returns bytes: The 114 byte signature. @@ -146,9 +147,11 @@ Key interfaces .. method:: verify(signature, data) - :param bytes signature: The signature to verify. + :param signature: The signature to verify. + :type signature: :term:`bytes-like` - :param bytes data: The data to verify. + :param data: The data to verify. + :type data: :term:`bytes-like` :returns: None :raises cryptography.exceptions.InvalidSignature: Raised when the diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index cf0824613fdb..bf341ac71314 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -3,6 +3,7 @@ // for complete details. use crate::backend::utils; +use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; 
@@ -66,10 +67,10 @@ impl DsaPrivateKey { fn sign<'p>( &self, py: pyo3::Python<'p>, - data: &[u8], + data: CffiBuf<'_>, algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let (data, _) = utils::calculate_digest_and_algorithm(py, data, algorithm)?; + let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; signer.sign_init()?; @@ -151,15 +152,15 @@ impl DsaPublicKey { fn verify( &self, py: pyo3::Python<'_>, - signature: &[u8], - data: &[u8], + signature: CffiBuf<'_>, + data: CffiBuf<'_>, algorithm: &pyo3::PyAny, ) -> CryptographyResult<()> { - let (data, _) = utils::calculate_digest_and_algorithm(py, data, algorithm)?; + let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; verifier.verify_init()?; - let valid = verifier.verify(data, signature).unwrap_or(false); + let valid = verifier.verify(data, signature.as_bytes()).unwrap_or(false); if !valid { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err(()), diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 459da6103d3b..5a01412981d2 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -8,6 +8,7 @@ use std::hash::{Hash, Hasher}; use pyo3::ToPyObject; use crate::backend::utils; +use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; @@ -268,7 +269,7 @@ impl ECPrivateKey { fn sign<'p>( &self, py: pyo3::Python<'p>, - data: &[u8], + data: CffiBuf<'_>, signature_algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { if !signature_algorithm.is_instance(types::ECDSA.get(py)?)? { 
@@ -282,7 +283,7 @@ impl ECPrivateKey { let (data, _) = utils::calculate_digest_and_algorithm( py, - data, + data.as_bytes(), signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, )?; @@ -366,8 +367,8 @@ impl ECPublicKey { fn verify( &self, py: pyo3::Python<'_>, - signature: &[u8], - data: &[u8], + signature: CffiBuf<'_>, + data: CffiBuf<'_>, signature_algorithm: &pyo3::PyAny, ) -> CryptographyResult<()> { if !signature_algorithm.is_instance(types::ECDSA.get(py)?)? { @@ -381,13 +382,13 @@ impl ECPublicKey { let (data, _) = utils::calculate_digest_and_algorithm( py, - data, + data.as_bytes(), signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, )?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; verifier.verify_init()?; - let valid = verifier.verify(data, signature).unwrap_or(false); + let valid = verifier.verify(data, signature.as_bytes()).unwrap_or(false); if !valid { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err(()), diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index f68da83bfb47..81ca3230088e 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -66,12 +66,12 @@ impl Ed25519PrivateKey { fn sign<'p>( &self, py: pyo3::Python<'p>, - data: &[u8], + data: CffiBuf<'_>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut signer = openssl::sign::Signer::new_without_digest(&self.pkey)?; Ok(pyo3::types::PyBytes::new_with(py, signer.len()?, |b| { let n = signer - .sign_oneshot(b, data) + .sign_oneshot(b, data.as_bytes()) .map_err(CryptographyError::from)?; assert_eq!(n, b.len()); Ok(()) 
@@ -118,9 +118,9 @@ impl Ed25519PrivateKey { #[pyo3::prelude::pymethods] impl Ed25519PublicKey { - fn verify(&self, signature: &[u8], data: &[u8]) -> CryptographyResult<()> { + fn verify(&self, signature: CffiBuf<'_>, data: CffiBuf<'_>) -> CryptographyResult<()> { let valid = openssl::sign::Verifier::new_without_digest(&self.pkey)? - .verify_oneshot(signature, data) + .verify_oneshot(signature.as_bytes(), data.as_bytes()) .unwrap_or(false); if !valid { diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index eeed28e92f6e..15b679d5f993 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -64,12 +64,12 @@ impl Ed448PrivateKey { fn sign<'p>( &self, py: pyo3::Python<'p>, - data: &[u8], + data: CffiBuf<'_>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut signer = openssl::sign::Signer::new_without_digest(&self.pkey)?; Ok(pyo3::types::PyBytes::new_with(py, signer.len()?, |b| { let n = signer - .sign_oneshot(b, data) + .sign_oneshot(b, data.as_bytes()) .map_err(CryptographyError::from)?; assert_eq!(n, b.len()); Ok(()) @@ -116,9 +116,9 @@ impl Ed448PrivateKey { #[pyo3::prelude::pymethods] impl Ed448PublicKey { - fn verify(&self, signature: &[u8], data: &[u8]) -> CryptographyResult<()> { + fn verify(&self, signature: CffiBuf<'_>, data: CffiBuf<'_>) -> CryptographyResult<()> { let valid = openssl::sign::Verifier::new_without_digest(&self.pkey)? - .verify_oneshot(signature, data)?; + .verify_oneshot(signature.as_bytes(), data.as_bytes())?; if !valid { return Err(CryptographyError::from( diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index c3990cd5af44..2928a1eb9d8c 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py 
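Review bot: `Ed448PublicKey::verify` ends the `verify_oneshot(signature.as_bytes(), data.as_bytes())` call with `?`, whereas the Ed25519 hunk just above and the RSA, DSA and EC `verify` methods in this series use `.unwrap_or(false)` so that every failure becomes `InvalidSignature`. If `verify_oneshot` can return `Err` for a malformed signature, callers that catch only `InvalidSignature` would see a different exception for untrusted input on Ed448 alone. Ending the call with `.unwrap_or(false);` would make the back ends agree. The remainder of `verify` lies outside the hunk.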
@@ -522,6 +522,14 @@ def test_sign(self, backend): public_key = private_key.public_key() public_key.verify(signature, message, algorithm) + def test_sign_verify_buffer(self, backend): + private_key = DSA_KEY_1024.private_key(backend) + message = bytearray(b"one little message") + algorithm = hashes.SHA1() + signature = private_key.sign(message, algorithm) + public_key = private_key.public_key() + public_key.verify(bytearray(signature), message, algorithm) + def test_prehashed_sign(self, backend): private_key = DSA_KEY_1024.private_key(backend) message = b"one little message" diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index d794d429524e..334e76dcc073 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -516,6 +516,15 @@ def test_sign(self, backend): public_key = private_key.public_key() public_key.verify(signature, message, algorithm) + def test_sign_verify_buffers(self, backend): + _skip_curve_unsupported(backend, ec.SECP256R1()) + message = bytearray(b"one little message") + algorithm = ec.ECDSA(hashes.SHA1()) + private_key = ec.generate_private_key(ec.SECP256R1(), backend) + signature = private_key.sign(message, algorithm) + public_key = private_key.public_key() + public_key.verify(bytearray(signature), message, algorithm) + def test_sign_prehashed(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = b"one little message" diff --git a/tests/hazmat/primitives/test_ed25519.py b/tests/hazmat/primitives/test_ed25519.py index 8e6b33b1fd62..26f7d0c71b07 100644 --- a/tests/hazmat/primitives/test_ed25519.py +++ b/tests/hazmat/primitives/test_ed25519.py 
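Review bot: `test_sign_verify_buffer` signs with `hashes.SHA1()` over `DSA_KEY_1024`, and `test_sign_verify_buffers` in test_ec.py likewise uses `ec.ECDSA(hashes.SHA1())`. These tests are about buffer handling rather than the digest, so `algorithm = hashes.SHA256()` would exercise the same path without depending on the backend permitting SHA-1 signatures, which FIPS-enabled builds may refuse. Whether a class-level marker already skips these cases is not visible in the hunk.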
@@ -117,6 +117,12 @@ def test_invalid_signature(self, backend): with pytest.raises(InvalidSignature): key.public_key().verify(b"0" * 64, b"test data") + def test_sign_verify_buffer(self, backend): + key = Ed25519PrivateKey.generate() + data = bytearray(b"test data") + signature = key.sign(data) + key.public_key().verify(bytearray(signature), data) + def test_generate(self, backend): key = Ed25519PrivateKey.generate() assert key diff --git a/tests/hazmat/primitives/test_ed448.py b/tests/hazmat/primitives/test_ed448.py index d363f38dfd96..6c7bdedea39d 100644 --- a/tests/hazmat/primitives/test_ed448.py +++ b/tests/hazmat/primitives/test_ed448.py @@ -86,6 +86,12 @@ def test_invalid_signature(self, backend): with pytest.raises(InvalidSignature): key.public_key().verify(b"0" * 64, b"test data") + def test_sign_verify_buffer(self, backend): + key = Ed448PrivateKey.generate() + data = bytearray(b"test data") + signature = key.sign(data) + key.public_key().verify(bytearray(signature), data) + def test_generate(self, backend): key = Ed448PrivateKey.generate() assert key From 314dd53422eef945fd6cf49d5a5cade2c71dfd0a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 25 Jan 2024 19:16:33 -0500 Subject: [PATCH 0016/1462] Bump BoringSSL and/or OpenSSL in CI (#10262) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a77e813d78ac..dffb089229f8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 25, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "77ee4e4609cfb3480e1a554790348ebcab61313e"}} - # Latest commit on the OpenSSL master branch, as of Jan 25, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ff78d94b131d7bb3b761509d3ce0dd864b1420e3"}} + # Latest commit on the BoringSSL master branch, as of Jan 26, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "cba7adcd108e9a41a992b4c4fc18b050e4d05a66"}} + # Latest commit on the OpenSSL master branch, as of Jan 26, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0f644b96d209443b4566f7e86e3be2568292e75b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 430777fb56f444932c748c9c94dc0cc9e2a260d2 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 26 Jan 2024 00:28:30 +0000 Subject: [PATCH 0017/1462] Bump x509-limbo and/or wycheproof in CI (#10263) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 6dced6338927..fb78f39da598 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 25, 2024. - ref: "dcbb36ae64a11648c98c42e6610f7d278704c2ea" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 26, 2024. + ref: "3f614440092d3bfd0d0787095c558c4b4626195b" # x509-limbo-ref From f7888eb46e9753d65fa2d4f3c24838bee8aad814 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 26 Jan 2024 10:14:39 -0500 Subject: [PATCH 0018/1462] fixed fips skip condition (#10264) --- tests/hazmat/primitives/test_dh.py | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py index 9caded2cc2ac..4b3b63a96436 100644 --- a/tests/hazmat/primitives/test_dh.py +++ b/tests/hazmat/primitives/test_dh.py @@ -164,10 +164,7 @@ def test_large_key_generate_dh(self, backend): ) def test_dh_parameters_allows_rfc3526_groups(self, backend, vector): p = int.from_bytes(binascii.unhexlify(vector["p"]), "big") - if ( - backend._fips_enabled - and p.bit_length() < backend._fips_dh_min_modulus - ): + if backend._fips_enabled and p < backend._fips_dh_min_modulus: pytest.skip("modulus too small for FIPS mode") params = dh.DHParameterNumbers(p, int(vector["g"])) From dab3536e9378b3b3bef4d2ac069ae38a38ab79ad Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 26 Jan 2024 15:35:39 -0800 Subject: [PATCH 0019/1462] improve the performance of cffibuf (#10266) * improve the performance of cffibuf * Update src/rust/src/buf.rs Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- src/cryptography/utils.py | 7 ------- src/rust/src/buf.rs | 19 ++++++++++++------- src/rust/src/types.rs | 11 +++++++++-- 3 files changed, 21 insertions(+), 16 deletions(-) diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py index a0ec7a3cd76d..d6f079d4be0e 100644 --- a/src/cryptography/utils.py +++ b/src/cryptography/utils.py 
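Review bot: The skip condition in `test_dh_parameters_allows_rfc3526_groups` now compares the integer `p` with `backend._fips_dh_min_modulus` where it previously compared `p.bit_length()`, and nothing at the call site says which unit the constant carries. Its definition is outside this diff, so the fix cannot be confirmed from here. A one-line comment above the check, such as `# _fips_dh_min_modulus is an integer bound on p, not a bit count`, would keep the two from being confused again, assuming that is what the backend defines.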
@@ -45,13 +45,6 @@ def int_to_bytes(integer: int, length: int | None = None) -> bytes: ) -def _extract_buffer_length(obj: typing.Any) -> tuple[typing.Any, int]: - from cryptography.hazmat.bindings._rust import _openssl - - buf = _openssl.ffi.from_buffer(obj) - return buf, int(_openssl.ffi.cast("uintptr_t", buf)) - - class InterfaceNotImplemented(Exception): pass diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index c1f2cc8253c7..edc3860c1050 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs @@ -12,6 +12,17 @@ pub(crate) struct CffiBuf<'p> { buf: &'p [u8], } +fn _extract_buffer_length(pyobj: &pyo3::PyAny) -> pyo3::PyResult<(&pyo3::PyAny, usize)> { + let py = pyobj.py(); + let bufobj = types::FFI_FROM_BUFFER.get(py)?.call1((pyobj,))?; + let ptrval = types::FFI_CAST + .get(py)? + .call1((pyo3::intern!(py, "uintptr_t"), bufobj))? + .call_method0(pyo3::intern!(py, "__int__"))? + .extract::()?; + Ok((bufobj, ptrval)) +} + impl CffiBuf<'_> { pub(crate) fn as_bytes(&self) -> &[u8] { self.buf @@ -20,13 +31,7 @@ impl CffiBuf<'_> { impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { fn extract(pyobj: &'a pyo3::PyAny) -> pyo3::PyResult { - let py = pyobj.py(); - - let (bufobj, ptrval): (&pyo3::PyAny, usize) = types::EXTRACT_BUFFER_LENGTH - .get(py)? - .call1((pyobj,))? - .extract()?; - + let (bufobj, ptrval) = _extract_buffer_length(pyobj)?; let len = bufobj.len()?; let buf = if len == 0 { &[] diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 07cf417971b6..76c9bba96d3e 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs 
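Review bot: The new helper `_extract_buffer_length` in buf.rs returns the buffer address as a bare `usize` beside the cffi object that keeps that memory alive, and no comment states that the address is only meaningful while the returned object is held. A doc comment such as `/// Returns the cffi buffer object and the address of its first byte; the address is valid only while the returned object is alive.` would record the invariant for the next caller. The leading underscore is also unusual in Rust, where it marks an item as intentionally unused; `extract_buffer_length` with the default private visibility says the same thing.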
@@ -441,8 +441,15 @@ pub static DSA_PUBLIC_KEY: LazyPyImport = LazyPyImport::new( &["DSAPublicKey"], ); -pub static EXTRACT_BUFFER_LENGTH: LazyPyImport = - LazyPyImport::new("cryptography.utils", &["_extract_buffer_length"]); +pub static FFI_FROM_BUFFER: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.bindings._rust", + &["_openssl", "ffi", "from_buffer"], +); + +pub static FFI_CAST: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.bindings._rust", + &["_openssl", "ffi", "cast"], +); pub static BLOCK_CIPHER_ALGORITHM: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers", From 92cb4badedd29a022b4d60aab926abb8bb83be79 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 27 Jan 2024 00:15:16 +0000 Subject: [PATCH 0020/1462] Bump BoringSSL and/or OpenSSL in CI (#10269) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dffb089229f8..356ef15e29b0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 26, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "cba7adcd108e9a41a992b4c4fc18b050e4d05a66"}} + # Latest commit on the BoringSSL master branch, as of Jan 27, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "db7308de87ea138e7bbcbbb00dfc9b841774ba2f"}} # Latest commit on the OpenSSL master branch, as of Jan 26, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0f644b96d209443b4566f7e86e3be2568292e75b"}} # Builds with various Rust versions. Includes MSRV and next From 0fca863ac4015a7c2efde1e687784b4638955039 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 27 Jan 2024 13:35:33 +0000 Subject: [PATCH 0021/1462] Bump coverage from 7.4.0 to 7.4.1 (#10271) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.4.0 to 7.4.1. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.4.0...7.4.1) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6650dc463de8..298c3dddb823 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.0 # via nox -coverage==7.4.0; python_version >= "3.8" +coverage==7.4.1; python_version >= "3.8" # via # coverage # pytest-cov From 5cd842bc66b3da171f086eeb59b422f5d1e7314a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 27 Jan 2024 13:42:12 +0000 Subject: [PATCH 0022/1462] Bump colorlog from 6.8.0 to 6.8.2 (#10270) Bumps [colorlog](https://github.com/borntyping/python-colorlog) from 6.8.0 to 6.8.2. - [Release notes](https://github.com/borntyping/python-colorlog/releases) - [Commits](https://github.com/borntyping/python-colorlog/compare/v6.8.0...v6.8.2) --- updated-dependencies: - dependency-name: colorlog dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 298c3dddb823..fd97ab4c9106 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -23,7 +23,7 @@ check-sdist==0.1.3 # via cryptography (pyproject.toml) click==8.1.7 # via cryptography (pyproject.toml) -colorlog==6.8.0 +colorlog==6.8.2 # via nox coverage==7.4.1; python_version >= "3.8" # via From 5427fa1503a5a301fa89530e9f3c53b17a0df5d0 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Sat, 27 Jan 2024 14:06:56 -0500 Subject: [PATCH 0023/1462] Bump rust-asn1 to 0.16 (#10272) --- src/rust/Cargo.lock | 8 ++++---- src/rust/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-x509-verification/Cargo.toml | 2 +- src/rust/cryptography-x509-verification/src/policy/mod.rs | 7 +++---- src/rust/cryptography-x509/Cargo.toml | 2 +- src/rust/cryptography-x509/src/pkcs7.rs | 4 ++-- 7 files changed, 13 insertions(+), 14 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b2e0ac4aad38..37bc849b650e 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -4,18 +4,18 @@ version = 3 [[package]] name = "asn1" -version = "0.15.5" +version = "0.16.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ae3ecbce89a22627b5e8e6e11d69715617138290289e385cde773b1fe50befdb" +checksum = "a227d599843d72985b747c71958d16d670a6e6bc06fadf064570cae70c11fd0a" dependencies = [ "asn1_derive", ] [[package]] name = "asn1_derive" -version = "0.15.5" +version = "0.16.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "861af988fac460ac69a09f41e6217a8fb9178797b76fcc9478444be6a59be19c" +checksum = "87132221a3cb3794c8def2208c723276686e0cd771541deb7768905ce13dc603" dependencies = [ "proc-macro2", "quote", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 2322486d0406..08bd9583cbff 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -11,7 +11,7 @@ rust-version = "1.63.0" once_cell = "1" cfg-if = "1" pyo3 = { version = "0.20", features = ["abi3"] } -asn1 = { version = "0.15.5", default-features = false } +asn1 = { version = "0.16.0", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-key-parsing = { path = "cryptography-key-parsing" } cryptography-x509 = { path = "cryptography-x509" } 
diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index 3dd0b31fa1a6..f2ae0b6e4aed 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.63.0" [dependencies] -asn1 = { version = "0.15.5", default-features = false } +asn1 = { version = "0.16.0", default-features = false } cfg-if = "1" openssl = "0.10.63" openssl-sys = "0.9.99" diff --git a/src/rust/cryptography-x509-verification/Cargo.toml b/src/rust/cryptography-x509-verification/Cargo.toml index 1ed759074167..30a4e8cb7373 100644 --- a/src/rust/cryptography-x509-verification/Cargo.toml +++ b/src/rust/cryptography-x509-verification/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.63.0" [dependencies] -asn1 = { version = "0.15.5", default-features = false } +asn1 = { version = "0.16.0", default-features = false } cryptography-x509 = { path = "../cryptography-x509" } once_cell = "1" diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 6d96e5feaef1..d5fffd0d8e2a 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -350,8 +350,8 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // Per 5280: The serial number MUST be a positive integer. // In practice, there are a few roots in common trust stores (like certifi) // that have `serial == 0`, so we can't enforce this yet. - let serial_bytes = cert.tbs_cert.serial.as_bytes(); - if !(1..=21).contains(&serial_bytes.len()) { + let serial = cert.tbs_cert.serial; + if !(1..=21).contains(&serial.as_bytes().len()) { // Conforming CAs MUST NOT use serial numbers longer than 20 octets. // NOTE: In practice, this requires us to check for an encoding of // 21 octets, since some CAs generate 20 bytes of randomness and 
@@ -360,8 +360,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { return Err(ValidationError::Other( "certificate must have a serial between 1 and 20 octets".to_string(), )); - } else if serial_bytes[0] & 0x80 == 0x80 { - // TODO: replace with `is_negative`: https://github.com/alex/rust-asn1/pull/425 + } else if serial.is_negative() { return Err(ValidationError::Other( "certificate serial number cannot be negative".to_string(), )); diff --git a/src/rust/cryptography-x509/Cargo.toml b/src/rust/cryptography-x509/Cargo.toml index 9a877fd13cb6..86d6b971488d 100644 --- a/src/rust/cryptography-x509/Cargo.toml +++ b/src/rust/cryptography-x509/Cargo.toml @@ -8,4 +8,4 @@ publish = false rust-version = "1.63.0" [dependencies] -asn1 = { version = "0.15.5", default-features = false } +asn1 = { version = "0.16.0", default-features = false } diff --git a/src/rust/cryptography-x509/src/pkcs7.rs b/src/rust/cryptography-x509/src/pkcs7.rs index c5b7a9e3f650..6b5c9541aaf5 100644 --- a/src/rust/cryptography-x509/src/pkcs7.rs +++ b/src/rust/cryptography-x509/src/pkcs7.rs @@ -18,9 +18,9 @@ pub struct ContentInfo<'a> { #[derive(asn1::Asn1DefinedByWrite)] pub enum Content<'a> { #[defined_by(PKCS7_SIGNED_DATA_OID)] - SignedData(asn1::Explicit<'a, Box>, 0>), + SignedData(asn1::Explicit>, 0>), #[defined_by(PKCS7_DATA_OID)] - Data(Option>), + Data(Option>), } #[derive(asn1::Asn1Write)] From 10211b8917fb77f194f53bfc98b7d748f3e7498b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 27 Jan 2024 19:17:30 -0500 Subject: [PATCH 0024/1462] Remove unused generate_rsa_parameters_supported (#10273) --- src/cryptography/hazmat/backends/openssl/backend.py | 9 --------- tests/hazmat/backends/test_openssl.py | 6 ------ 2 files changed, 15 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 5d9eb2768dfb..f296303ced1f 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py 
+++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -325,15 +325,6 @@ def pbkdf2_hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool: def _consume_errors(self) -> list[rust_openssl.OpenSSLError]: return rust_openssl.capture_error_stack() - def generate_rsa_parameters_supported( - self, public_exponent: int, key_size: int - ) -> bool: - return ( - public_exponent >= 3 - and public_exponent & 1 != 0 - and key_size >= 512 - ) - def _bytes_to_bio(self, data: bytes) -> _MemoryBIO: """ Return a _MemoryBIO namedtuple of (BIO, char*). diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index a289c5ba7415..e9cdcc432a50 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -138,12 +138,6 @@ def test_unknown_error_in_cipher_finalize(self): class TestOpenSSLRSA: - def test_generate_rsa_parameters_supported(self): - assert backend.generate_rsa_parameters_supported(1, 1024) is False - assert backend.generate_rsa_parameters_supported(4, 1024) is False - assert backend.generate_rsa_parameters_supported(3, 1024) is True - assert backend.generate_rsa_parameters_supported(3, 511) is False - def test_rsa_padding_unsupported_pss_mgf1_hash(self): assert ( backend.rsa_padding_supported( From 216142269d6068ba2602445fde0a143f25de4456 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 27 Jan 2024 18:17:53 -0600 Subject: [PATCH 0025/1462] Bump pytest from 7.4.4 to 8.0.0 (#10274) Bumps [pytest](https://github.com/pytest-dev/pytest) from 7.4.4 to 8.0.0. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/7.4.4...8.0.0) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index fd97ab4c9106..ce60b8126314 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -86,7 +86,7 @@ pygments==2.17.2 # sphinx pyproject-hooks==1.0.0 # via build -pytest==7.4.4 +pytest==8.0.0; python_version >= "3.8" # via # cryptography (pyproject.toml) # pytest-benchmark From 5ee102dc1853119f3f11a66d0fcf92700cd2f241 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 27 Jan 2024 23:55:18 -0500 Subject: [PATCH 0026/1462] Move _CRL_ENTRY_REASON_ENUM_TO_CODE to a more sensible place (#10275) --- .../hazmat/backends/openssl/decode_asn1.py | 32 ------------------- src/cryptography/x509/extensions.py | 25 +++++++++++++++ src/rust/src/types.rs | 8 ++--- 3 files changed, 29 insertions(+), 36 deletions(-) delete mode 100644 src/cryptography/hazmat/backends/openssl/decode_asn1.py diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py deleted file mode 100644 index bf123b6285b6..000000000000 --- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py +++ /dev/null 
@@ -1,32 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -from cryptography import x509 - -# CRLReason ::= ENUMERATED { -# unspecified (0), -# keyCompromise (1), -# cACompromise (2), -# affiliationChanged (3), -# superseded (4), -# cessationOfOperation (5), -# certificateHold (6), -# -- value 7 is not used -# removeFromCRL (8), -# privilegeWithdrawn (9), -# aACompromise (10) } -_CRL_ENTRY_REASON_ENUM_TO_CODE = { - x509.ReasonFlags.unspecified: 0, - x509.ReasonFlags.key_compromise: 1, - x509.ReasonFlags.ca_compromise: 2, - x509.ReasonFlags.affiliation_changed: 3, - x509.ReasonFlags.superseded: 4, - x509.ReasonFlags.cessation_of_operation: 5, - x509.ReasonFlags.certificate_hold: 6, - x509.ReasonFlags.remove_from_crl: 8, - x509.ReasonFlags.privilege_withdrawn: 9, - x509.ReasonFlags.aa_compromise: 10, -} diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index c61c1f4853fd..db6e3bb5a621 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py 
@@ -729,6 +729,31 @@ class ReasonFlags(utils.Enum): ReasonFlags.aa_compromise: 8, } +# CRLReason ::= ENUMERATED { +# unspecified (0), +# keyCompromise (1), +# cACompromise (2), +# affiliationChanged (3), +# superseded (4), +# cessationOfOperation (5), +# certificateHold (6), +# -- value 7 is not used +# removeFromCRL (8), +# privilegeWithdrawn (9), +# aACompromise (10) } +_CRL_ENTRY_REASON_ENUM_TO_CODE = { + ReasonFlags.unspecified: 0, + ReasonFlags.key_compromise: 1, + ReasonFlags.ca_compromise: 2, + ReasonFlags.affiliation_changed: 3, + ReasonFlags.superseded: 4, + ReasonFlags.cessation_of_operation: 5, + ReasonFlags.certificate_hold: 6, + ReasonFlags.remove_from_crl: 8, + ReasonFlags.privilege_withdrawn: 9, + ReasonFlags.aa_compromise: 10, +} + class PolicyConstraints(ExtensionType): oid = ExtensionOID.POLICY_CONSTRAINTS diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 76c9bba96d3e..e948f49e822d 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -251,6 +251,10 @@ pub static CRL_REASON_FLAGS: LazyPyImport = LazyPyImport::new("cryptography.x509.extensions", &["_CRLREASONFLAGS"]); pub static REASON_BIT_MAPPING: LazyPyImport = LazyPyImport::new("cryptography.x509.extensions", &["_REASON_BIT_MAPPING"]); +pub static CRL_ENTRY_REASON_ENUM_TO_CODE: LazyPyImport = LazyPyImport::new( + "cryptography.x509.extensions", + &["_CRL_ENTRY_REASON_ENUM_TO_CODE"], +); pub static TLS_FEATURE_TYPE_TO_ENUM: LazyPyImport = LazyPyImport::new( "cryptography.x509.extensions", &["_TLS_FEATURE_TYPE_TO_ENUM"], 
@@ -375,10 +379,6 @@ pub static CALCULATE_MAX_PSS_SALT_LENGTH: LazyPyImport = LazyPyImport::new( &["calculate_max_pss_salt_length"], ); -pub static CRL_ENTRY_REASON_ENUM_TO_CODE: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.backends.openssl.decode_asn1", - &["_CRL_ENTRY_REASON_ENUM_TO_CODE"], -); pub static BACKEND_HANDLE_KEY_LOADING_ERROR: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.backends.openssl.backend", &["backend", "_handle_key_loading_error"], From 581b928a865d51405d73437397a2fcd5f85f0604 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jan 2024 14:28:29 -0500 Subject: [PATCH 0027/1462] Added another reason for rust 1.65 (#10280) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 356ef15e29b0..d1d18e3bf2dc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -50,7 +50,7 @@ jobs: # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance - # 1.65 - Generic associated types (GATs) + # 1.65 - Generic associated types (GATs), std::backtrace - {VERSION: "3.12", NOXSESSION: "rust-noclippy,tests", RUST: "1.63.0"} - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.64.0"} - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "beta"} From 36368cc056bb517c3ce9b95c80b23fec29a16725 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jan 2024 14:29:34 -0500 Subject: [PATCH 0028/1462] Include cryptography_vectors in our test deps (#10277) fixes #10242 --- pyproject.toml | 1 + release.py | 32 +++++++++++++++++++++++--------- 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index e127e7fa6fd6..84ffe04f9f95 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -70,6 +70,7 @@ ssh = ["bcrypt >=3.1.5"] # All the following are used for our own testing. nox = ["nox"] test = [ + "cryptography_vectors", "pytest >=6.2.0", "pytest-benchmark", "pytest-cov", diff --git a/release.py b/release.py index 78b894fe1d44..120a6c445738 100644 --- a/release.py +++ b/release.py @@ -38,23 +38,24 @@ def release() -> None: run("git", "push", "--tags", "git@github.com:pyca/cryptography.git") -def replace_version( - p: pathlib.Path, variable_name: str, new_version: str -) -> None: +def replace_pattern(p: pathlib.Path, pattern: str, replacement: str) -> None: content = p.read_text() - - pattern = rf"^{variable_name}\s*=\s*.*$" match = re.search(pattern, content, re.MULTILINE) assert match is not None start, end = match.span() - new_content = ( - content[:start] + f'{variable_name} = "{new_version}"' + content[end:] - ) - + new_content = content[:start] + replacement + content[end:] p.write_text(new_content) +def replace_version( + p: pathlib.Path, variable_name: str, new_version: str +) -> None: + replace_pattern( + p, rf"^{variable_name}\s*=\s*.*$", f'{variable_name} = "{new_version}"' + ) + + @cli.command() @click.argument("new_version") def bump_version(new_version: str) -> None: @@ -75,6 +76,19 @@ def bump_version(new_version: str) -> None: new_version, ) + if Version(new_version).is_prerelease: + replace_pattern( + base_dir / "pyproject.toml", + r'"cryptography_vectors(==.*?)?"', + '"cryptography_vectors"', + ) + else: + replace_pattern( + base_dir / "pyproject.toml", + r'"cryptography_vectors(==.*?)?"', + f'"cryptography_vectors=={new_version}"', + ) + if __name__ == "__main__": cli() From 83dcbc190165ad5c1f86bddaee76e0b288803c43 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Sun, 28 Jan 2024 14:39:47 -0500 Subject: [PATCH 0029/1462] Don't generate RSA keys <1024 bits (#10278) * Don't generate RSA keys <1024 bits * Update CHANGELOG.rst --- CHANGELOG.rst | 5 +++++ src/cryptography/hazmat/primitives/asymmetric/rsa.py | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 7abdf8e9f9ef..80e85c85e1de 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -8,6 +8,11 @@ Changelog .. note:: This version is not yet released and is under active development. +* :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` + now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still + considered insecure, users should generally use a key size of 2048-bits. + + .. _v42-0-1: 42.0.1 - 2024-01-24 diff --git a/src/cryptography/hazmat/primitives/asymmetric/rsa.py b/src/cryptography/hazmat/primitives/asymmetric/rsa.py index 6420434d82b7..49c76af0de94 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/rsa.py +++ b/src/cryptography/hazmat/primitives/asymmetric/rsa.py @@ -150,8 +150,8 @@ def _verify_rsa_parameters(public_exponent: int, key_size: int) -> None: "65537. Almost everyone should choose 65537 here!" ) - if key_size < 512: - raise ValueError("key_size must be at least 512-bits.") + if key_size < 1024: + raise ValueError("key_size must be at least 1024-bits.") def _modinv(e: int, m: int) -> int: From da3eb8fa220aa632504a17883e9845372fc55436 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jan 2024 15:07:13 -0500 Subject: [PATCH 0030/1462] Fix warnings on libressl (#10281) --- src/rust/Cargo.lock | 1 + src/rust/cryptography-openssl/Cargo.toml | 1 + src/rust/cryptography-openssl/src/fips.rs | 31 +++++++------------ src/rust/cryptography-openssl/src/poly1305.rs | 14 ++++++--- src/rust/src/backend/aead.rs | 13 +++++--- src/rust/src/types.rs | 2 ++ 6 files changed, 32 insertions(+), 30 deletions(-) 
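Review bot: The new `if key_size < 1024:` floor in `_verify_rsa_parameters` has no comment explaining why it sits below the 2048 bits that this commit's changelog entry recommends. A later reader could take 1024 for an endorsed size; a comment such as `# Hard floor only: 1024-bit RSA is still considered insecure, 2048 is the recommended minimum.` above the check would record the intent. The diffstat lists only CHANGELOG.rst and rsa.py, so no test in this commit pins the boundary (1023 rejected, 1024 accepted). The function body begins above the hunk.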
diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 37bc849b650e..d4a9a31adec1 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -85,6 +85,7 @@ dependencies = [ name = "cryptography-openssl" version = "0.1.0" dependencies = [ + "cfg-if", "foreign-types", "foreign-types-shared", "openssl", diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 3a35c9fcaa2d..700704d0dc3a 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,6 +8,7 @@ publish = false rust-version = "1.63.0" [dependencies] +cfg-if = "1" openssl = "0.10.63" ffi = { package = "openssl-sys", version = "0.9.99" } foreign-types = "0.3" diff --git a/src/rust/cryptography-openssl/src/fips.rs b/src/rust/cryptography-openssl/src/fips.rs index 9cdbd3f34648..9c89f317ebda 100644 --- a/src/rust/cryptography-openssl/src/fips.rs +++ b/src/rust/cryptography-openssl/src/fips.rs @@ -9,25 +9,16 @@ use std::ptr; pub fn is_enabled() -> bool { - #[cfg(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))] - { - return false; - } - - #[cfg(all( - CRYPTOGRAPHY_OPENSSL_300_OR_GREATER, - not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)) - ))] - // SAFETY: No pre-conditions - unsafe { - ffi::EVP_default_properties_is_fips_enabled(ptr::null_mut()) == 1 - } - - #[cfg(all( - not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), - not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)) - ))] - { - return openssl::fips::enabled(); + cfg_if::cfg_if! { + if #[cfg(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))] { + false + } else if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { + // SAFETY: No pre-conditions + unsafe { + ffi::EVP_default_properties_is_fips_enabled(ptr::null_mut()) == 1 + } + } else { + openssl::fips::enabled() + } } } diff --git a/src/rust/cryptography-openssl/src/poly1305.rs b/src/rust/cryptography-openssl/src/poly1305.rs index 262062eedd3f..e386bc2d7f4a 100644 
--- a/src/rust/cryptography-openssl/src/poly1305.rs +++ b/src/rust/cryptography-openssl/src/poly1305.rs @@ -18,9 +18,10 @@ impl Poly1305State { let mut ctx: Box> = Box::new(MaybeUninit::::uninit()); - // After initializing the context, unwrap the Box> into - // a Box while keeping the same memory address. See the docstring of the - // Poly1305State struct above for the rationale. + // SAFETY: After initializing the context, unwrap the + // `Box>` into a `Box` + // while keeping the same memory address. See the docstring of the + // `Poly1305State` struct above for the rationale. let initialized_ctx: Box = unsafe { ffi::CRYPTO_poly1305_init(ctx.as_mut().as_mut_ptr(), key.as_ptr()); let raw_ctx_ptr = (*Box::into_raw(ctx)).as_mut_ptr(); @@ -32,14 +33,17 @@ impl Poly1305State { } } - pub fn update(&mut self, data: &[u8]) -> () { + pub fn update(&mut self, data: &[u8]) { + // SAFETY: context is valid, as is the data ptr. unsafe { ffi::CRYPTO_poly1305_update(self.context.as_mut(), data.as_ptr(), data.len()); }; } - pub fn finalize(&mut self, output: &mut [u8]) -> () { + pub fn finalize(&mut self, output: &mut [u8]) { assert_eq!(output.len(), 16); + // SAFETY: context is valid and we verified that the output is the + // right length. unsafe { ffi::CRYPTO_poly1305_finish(self.context.as_mut(), output.as_mut_ptr()) }; } } diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 7c364dede81e..9fd8a91ceeaf 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -574,13 +574,14 @@ impl AesSiv { ctx: EvpCipherAead::new(&cipher, key.as_bytes(), 16, true)?, }) } else { - return Err(CryptographyError::from( + _ = cipher_name; + + Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "AES-SIV is not supported by this version of OpenSSL", exceptions::Reasons::UNSUPPORTED_CIPHER, )), - )); - + )) } } } 
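Review bot: The SAFETY comment added in `Poly1305State::new` justifies the `Box<MaybeUninit<_>>` cast but says nothing about `key`, which is passed to `CRYPTO_poly1305_init` as a bare `key.as_ptr()` with no length. That function reads a fixed 32-byte key, so soundness depends on `key.len()` being checked first. Any such check would sit above this hunk, where the start of `new` is not shown. If it exists, the comment should cite it, e.g. `// SAFETY: key is exactly 32 bytes (asserted above); ctx is fully initialized by CRYPTO_poly1305_init before the cast.`; if it does not, add an `assert_eq!(key.len(), 32);` before the unsafe block.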
@@ -641,12 +642,14 @@ impl AesOcb3 { fn new(key: CffiBuf<'_>) -> CryptographyResult { cfg_if::cfg_if! { if #[cfg(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))] { - return Err(CryptographyError::from( + _ = key; + + Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "AES-OCB3 is not supported by this version of OpenSSL", exceptions::Reasons::UNSUPPORTED_CIPHER, )), - )); + )) } else { if cryptography_openssl::fips::is_enabled() { return Err(CryptographyError::from( diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index e948f49e822d..b7564955d20e 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -331,6 +331,7 @@ pub static HASHES_MODULE: LazyPyImport = LazyPyImport::new("cryptography.hazmat.primitives.hashes", &[]); pub static HASH_ALGORITHM: LazyPyImport = LazyPyImport::new("cryptography.hazmat.primitives.hashes", &["HashAlgorithm"]); +#[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)))] pub static EXTENDABLE_OUTPUT_FUNCTION: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.hashes", &["ExtendableOutputFunction"], @@ -476,6 +477,7 @@ pub static SM4: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["SM4"], ); +#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] pub static SEED: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["_SEEDInternal"], From 98d764801df9b55fb43d8e772b65adccddbbc87f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 28 Jan 2024 14:40:02 -0600 Subject: [PATCH 0031/1462] increase toctree depth on primitives (#10282) this makes the landing page for hazmat/primtives in the docs much more useful. --- docs/hazmat/primitives/index.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/hazmat/primitives/index.rst b/docs/hazmat/primitives/index.rst index 72e5b26ce33d..98d597be9c99 100644 --- a/docs/hazmat/primitives/index.rst 
+++ b/docs/hazmat/primitives/index.rst @@ -4,7 +4,7 @@ Primitives ========== .. toctree:: - :maxdepth: 1 + :maxdepth: 2 aead asymmetric/index From e44e124f4a1c7af609bcd05fb47bc0faac033be5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jan 2024 16:59:56 -0500 Subject: [PATCH 0032/1462] Drop LibreSSL <3.8.0 (#10283) --- .github/workflows/ci.yml | 1 - CHANGELOG.rst | 1 + src/_cffi_src/openssl/cryptography.py | 10 ---------- src/rust/build.rs | 7 +------ src/rust/src/backend/ec.rs | 11 ++--------- src/rust/src/backend/keys.rs | 1 - tests/hazmat/primitives/test_rsa.py | 2 -- 7 files changed, 4 insertions(+), 29 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d1d18e3bf2dc..8d79bc7c0f69 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -40,7 +40,6 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.4"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.0"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jan 27, 2024. diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 80e85c85e1de..8142363dc4d2 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -8,6 +8,7 @@ Changelog .. note:: This version is not yet released and is under active development. +* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.8. * :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still considered insecure, users should generally use a key size of 2048-bits. diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index b3543ade73cb..173ec1bb4546 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -53,14 +53,6 @@ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E \ (OPENSSL_VERSION_NUMBER < 0x10101050 || CRYPTOGRAPHY_IS_LIBRESSL) - -#if CRYPTOGRAPHY_IS_LIBRESSL -#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380 \ - (LIBRESSL_VERSION_NUMBER < 0x3080000f) - -#else -#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380 (0) -#endif """ TYPES = """ @@ -69,8 +61,6 @@ static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E; -static const int CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380; - static const int CRYPTOGRAPHY_IS_LIBRESSL; static const int CRYPTOGRAPHY_IS_BORINGSSL; """ diff --git a/src/rust/build.rs b/src/rust/build.rs index f247822e0dcd..d4dca24c4566 100644 --- a/src/rust/build.rs +++ b/src/rust/build.rs @@ -17,13 +17,8 @@ fn main() { } } - if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { - let version = u64::from_str_radix(&version, 16).unwrap(); - + if env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER").is_ok() { println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_LIBRESSL"); - if version >= 0x3_08_00_00_0 { - println!("cargo:rustc-cfg=CRYPTOGRAPHY_LIBRESSL_380_OR_GREATER"); - } } if env::var("DEP_OPENSSL_BORINGSSL").is_ok() { diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 5a01412981d2..f71c9bf505e6 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs 
@@ -90,15 +90,6 @@ fn py_curve_from_curve<'p>( py: pyo3::Python<'p>, curve: &openssl::ec::EcGroupRef, ) -> CryptographyResult<&'p pyo3::PyAny> { - let name = curve - .curve_name() - .ok_or_else(|| { - pyo3::exceptions::PyValueError::new_err( - "ECDSA keys with explicit parameters are unsupported at this time", - ) - })? - .short_name()?; - if curve.asn1_flag() == openssl::ec::Asn1Flag::EXPLICIT_CURVE { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -107,6 +98,8 @@ fn py_curve_from_curve<'p>( )); } + let name = curve.curve_name().unwrap().short_name()?; + types::CURVE_TYPES .get(py)? .extract::<&pyo3::types::PyDict>()? diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index ecdff5db6dcb..f4faecdb5c9e 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -83,7 +83,6 @@ fn private_key_from_pkey( unsafe_skip_rsa_key_validation, )? .into_py(py)), - #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_380_OR_GREATER))] openssl::pkey::Id::RSA_PSS => { // At the moment the way we handle RSA PSS keys is to strip the // PSS constraints from them and treat them as normal RSA keys diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 8810f0f58e7e..7e82743c49bc 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -256,7 +256,6 @@ def test_load_pss_vect_example_keys(self, pkcs1_example): and ( not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E or backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - and not backend._lib.CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380 ) ), skip_message="Does not support RSA PSS loading", @@ -314,7 +313,6 @@ def test_load_pss_pub_keys_strips_constraints(self, backend): and ( not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E or backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - and not backend._lib.CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380 ) ), skip_message="Test requires a backend without RSA-PSS key support", 
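Review bot: In `py_curve_from_curve`, the new `curve.curve_name().unwrap()` replaces an `ok_or_else` that returned a `ValueError`, so a group without a NID now panics instead of raising a catchable error. The explicit-parameters check was moved ahead of it, but the hunk does not show that every group whose flag is not `EXPLICIT_CURVE` has a curve name. Because this path can be reached with keys parsed from external input, keeping the fallible form is the safer default. If the invariant does hold, state it with `.expect("groups without EXPLICIT_CURVE always carry a NID")` rather than a bare `unwrap()`.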
From ea5a5b4ad01737bce57de7ca3803436abf32dc61 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jan 2024 17:18:00 -0500 Subject: [PATCH 0033/1462] Convert AESGCM AEAD to Rust (#9181) --- .../hazmat/backends/openssl/aead.py | 55 +++----- .../hazmat/bindings/_rust/openssl/aead.pyi | 17 +++ .../hazmat/primitives/ciphers/aead.py | 64 +--------- src/rust/src/backend/aead.rs | 117 +++++++++++++++++- tests/hazmat/primitives/test_aead.py | 2 + 5 files changed, 153 insertions(+), 102 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/aead.py b/src/cryptography/hazmat/backends/openssl/aead.py index f1d990106474..dd2485481203 100644 --- a/src/cryptography/hazmat/backends/openssl/aead.py +++ b/src/cryptography/hazmat/backends/openssl/aead.py @@ -12,10 +12,9 @@ from cryptography.hazmat.backends.openssl.backend import Backend from cryptography.hazmat.primitives.ciphers.aead import ( AESCCM, - AESGCM, ) - _AEADTypes = typing.Union[AESCCM, AESGCM] + _AEADTypes = typing.Union[AESCCM] def _aead_cipher_supported(backend: Backend, cipher: _AEADTypes) -> bool: @@ -55,16 +54,10 @@ def _decrypt( def _evp_cipher_cipher_name(cipher: _AEADTypes) -> bytes: - from cryptography.hazmat.primitives.ciphers.aead import ( - AESCCM, - AESGCM, - ) + from cryptography.hazmat.primitives.ciphers.aead import AESCCM - if isinstance(cipher, AESCCM): - return f"aes-{len(cipher._key) * 8}-ccm".encode("ascii") - else: - assert isinstance(cipher, AESGCM) - return f"aes-{len(cipher._key) * 8}-gcm".encode("ascii") + assert isinstance(cipher, AESCCM) + return f"aes-{len(cipher._key) * 8}-ccm".encode("ascii") def _evp_cipher(cipher_name: bytes, backend: Backend): @@ -105,7 +98,8 @@ def _evp_cipher_aead_setup( if operation == _DECRYPT: assert tag is not None _evp_cipher_set_tag(backend, ctx, tag) - elif cipher_name.endswith(b"-ccm"): + else: + assert cipher_name.endswith(b"-ccm") res = backend._lib.EVP_CIPHER_CTX_ctrl( ctx, backend._lib.EVP_CTRL_AEAD_SET_TAG, 
@@ -188,8 +182,8 @@ def _evp_cipher_encrypt( # CCM requires us to pass the length of the data before processing # anything. # However calling this with any other AEAD results in an error - if isinstance(cipher, AESCCM): - _evp_cipher_set_length(backend, ctx, len(data)) + assert isinstance(cipher, AESCCM) + _evp_cipher_set_length(backend, ctx, len(data)) for ad in associated_data: _evp_cipher_process_aad(backend, ctx, ad) 
@@ -241,32 +235,21 @@ def _evp_cipher_decrypt( # CCM requires us to pass the length of the data before processing # anything. # However calling this with any other AEAD results in an error - if isinstance(cipher, AESCCM): - _evp_cipher_set_length(backend, ctx, len(data)) + assert isinstance(cipher, AESCCM) + _evp_cipher_set_length(backend, ctx, len(data)) for ad in associated_data: _evp_cipher_process_aad(backend, ctx, ad) # CCM has a different error path if the tag doesn't match. Errors are # raised in Update and Final is irrelevant. - if isinstance(cipher, AESCCM): - outlen = backend._ffi.new("int *") - buf = backend._ffi.new("unsigned char[]", len(data)) - d_ptr = backend._ffi.from_buffer(data) - res = backend._lib.EVP_CipherUpdate(ctx, buf, outlen, d_ptr, len(data)) - if res != 1: - backend._consume_errors() - raise InvalidTag - - processed_data = backend._ffi.buffer(buf, outlen[0])[:] - else: - processed_data = _evp_cipher_process_data(backend, ctx, data) - outlen = backend._ffi.new("int *") - # OCB can return up to 15 bytes (16 byte block - 1) in finalization - buf = backend._ffi.new("unsigned char[]", 16) - res = backend._lib.EVP_CipherFinal_ex(ctx, buf, outlen) - processed_data += backend._ffi.buffer(buf, outlen[0])[:] - if res == 0: - backend._consume_errors() - raise InvalidTag + outlen = backend._ffi.new("int *") + buf = backend._ffi.new("unsigned char[]", len(data)) + d_ptr = backend._ffi.from_buffer(data) + res = backend._lib.EVP_CipherUpdate(ctx, buf, outlen, d_ptr, len(data)) + if res != 1: + backend._consume_errors() + raise InvalidTag + + processed_data = backend._ffi.buffer(buf, outlen[0])[:] return processed_data diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi index 81e801e30bb5..e274073f201e 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi 
@@ -2,6 +2,23 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. +class AESGCM: + def __init__(self, key: bytes) -> None: ... + @staticmethod + def generate_key(key_size: int) -> bytes: ... + def encrypt( + self, + nonce: bytes, + data: bytes, + associated_data: bytes | None, + ) -> bytes: ... + def decrypt( + self, + nonce: bytes, + data: bytes, + associated_data: bytes | None, + ) -> bytes: ... + class ChaCha20Poly1305: def __init__(self, key: bytes) -> None: ... @staticmethod diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py index 40f1b9b74459..e96b735b18f9 100644 --- a/src/cryptography/hazmat/primitives/ciphers/aead.py +++ b/src/cryptography/hazmat/primitives/ciphers/aead.py @@ -20,6 +20,7 @@ "AESSIV", ] +AESGCM = rust_openssl.aead.AESGCM ChaCha20Poly1305 = rust_openssl.aead.ChaCha20Poly1305 AESSIV = rust_openssl.aead.AESSIV AESOCB3 = rust_openssl.aead.AESOCB3 
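Review bot: The stub declares `def generate_key(key_size: int) -> bytes: ...` for `AESGCM`, whereas the Python implementation removed later in this commit took `bit_length` and used that name in its error messages. Callers that pass `bit_length=256` by keyword will fail type checking against this stub. They will also fail at runtime if the Rust method uses the stub's name; the Rust signature is not visible in this part of the patch. Renaming the stub parameter to `bit_length` keeps the public interface unchanged.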
@@ -109,66 +110,3 @@ def _check_params( utils._check_byteslike("associated_data", associated_data) if not 7 <= len(nonce) <= 13: raise ValueError("Nonce must be between 7 and 13 bytes") - - -class AESGCM: - _MAX_SIZE = 2**31 - 1 - - def __init__(self, key: bytes): - utils._check_byteslike("key", key) - if len(key) not in (16, 24, 32): - raise ValueError("AESGCM key must be 128, 192, or 256 bits.") - - self._key = key - - @classmethod - def generate_key(cls, bit_length: int) -> bytes: - if not isinstance(bit_length, int): - raise TypeError("bit_length must be an integer") - - if bit_length not in (128, 192, 256): - raise ValueError("bit_length must be 128, 192, or 256") - - return os.urandom(bit_length // 8) - - def encrypt( - self, - nonce: bytes, - data: bytes, - associated_data: bytes | None, - ) -> bytes: - if associated_data is None: - associated_data = b"" - - if len(data) > self._MAX_SIZE or len(associated_data) > self._MAX_SIZE: - # This is OverflowError to match what cffi would raise - raise OverflowError( - "Data or associated data too long. Max 2**31 - 1 bytes" - ) - - self._check_params(nonce, data, associated_data) - return aead._encrypt(backend, self, nonce, data, [associated_data], 16) - - def decrypt( - self, - nonce: bytes, - data: bytes, - associated_data: bytes | None, - ) -> bytes: - if associated_data is None: - associated_data = b"" - - self._check_params(nonce, data, associated_data) - return aead._decrypt(backend, self, nonce, data, [associated_data], 16) - - def _check_params( - self, - nonce: bytes, - data: bytes, - associated_data: bytes, - ) -> None: - utils._check_byteslike("nonce", nonce) - utils._check_byteslike("data", data) - utils._check_byteslike("associated_data", associated_data) - if len(nonce) < 8 or len(nonce) > 128: - raise ValueError("Nonce must be between 8 and 128 bytes") diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 9fd8a91ceeaf..b13a420c7588 100644 --- a/src/rust/src/backend/aead.rs 
+++ b/src/rust/src/backend/aead.rs @@ -486,9 +486,7 @@ impl ChaCha20Poly1305 { #[staticmethod] fn generate_key(py: pyo3::Python<'_>) -> CryptographyResult<&pyo3::PyAny> { - Ok(py - .import(pyo3::intern!(py, "os"))? - .call_method1(pyo3::intern!(py, "urandom"), (32,))?) + Ok(types::OS_URANDOM.get(py)?.call1((32,))?) } fn encrypt<'p>( 
@@ -532,6 +530,118 @@ impl ChaCha20Poly1305 { } } +#[pyo3::prelude::pyclass( + frozen, + module = "cryptography.hazmat.bindings._rust.openssl.aead", + name = "AESGCM" +)] +struct AesGcm { + #[cfg(any( + CRYPTOGRAPHY_OPENSSL_320_OR_GREATER, + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + ))] + ctx: EvpCipherAead, + + #[cfg(not(any( + CRYPTOGRAPHY_OPENSSL_320_OR_GREATER, + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + )))] + ctx: LazyEvpCipherAead, +} + +#[pyo3::prelude::pymethods] +impl AesGcm { + #[new] + fn new(py: pyo3::Python<'_>, key: pyo3::Py) -> CryptographyResult { + let key_buf = key.extract::>(py)?; + let cipher = match key_buf.as_bytes().len() { + 16 => openssl::cipher::Cipher::aes_128_gcm(), + 24 => openssl::cipher::Cipher::aes_192_gcm(), + 32 => openssl::cipher::Cipher::aes_256_gcm(), + _ => { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "AESGCM key must be 128, 192, or 256 bits.", + ), + )) + } + }; + + cfg_if::cfg_if! { + if #[cfg(any( + CRYPTOGRAPHY_OPENSSL_320_OR_GREATER, + CRYPTOGRAPHY_IS_BORINGSSL, + CRYPTOGRAPHY_IS_LIBRESSL, + not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER, + )))] { + Ok(AesGcm { + ctx: EvpCipherAead::new(cipher, key_buf.as_bytes(), 16, false)?, + }) + } else { + Ok(AesGcm { + ctx: LazyEvpCipherAead::new(cipher, key, 16, false), + }) + + } + } + } + + #[staticmethod] + fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + if bit_length != 128 && bit_length != 192 && bit_length != 256 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("bit_length must be 128, 192, or 256"), + )); + } + + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) 
+ } + + fn encrypt<'p>( + &self, + py: pyo3::Python<'p>, + nonce: CffiBuf<'_>, + data: CffiBuf<'_>, + associated_data: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let nonce_bytes = nonce.as_bytes(); + let aad = associated_data.map(Aad::Single); + + if nonce_bytes.len() < 8 || nonce_bytes.len() > 128 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Nonce must be between 8 and 128 bytes"), + )); + } + + self.ctx + .encrypt(py, data.as_bytes(), aad, Some(nonce_bytes)) + } + + fn decrypt<'p>( + &self, + py: pyo3::Python<'p>, + nonce: CffiBuf<'_>, + data: CffiBuf<'_>, + associated_data: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let nonce_bytes = nonce.as_bytes(); + let aad = associated_data.map(Aad::Single); + + if nonce_bytes.len() < 8 || nonce_bytes.len() > 128 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Nonce must be between 8 and 128 bytes"), + )); + } + + self.ctx + .decrypt(py, data.as_bytes(), aad, Some(nonce_bytes)) + } +} + #[pyo3::prelude::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead", @@ -845,6 +955,7 @@ impl AesGcmSiv { pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "aead")?; + m.add_class::()?; m.add_class::()?; m.add_class::()?; m.add_class::()?; diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index a4624cefc555..5228edbbd2d3 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -451,6 +451,8 @@ def test_invalid_nonce_length(self, length, backend): aesgcm = AESGCM(key) with pytest.raises(ValueError): aesgcm.encrypt(b"\x00" * length, b"hi", None) + with pytest.raises(ValueError): + aesgcm.decrypt(b"\x00" * length, b"hi", None) def test_bad_key(self, backend): with pytest.raises(TypeError): 
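Review bot: The nonce-length check in `AesGcm::encrypt` and `AesGcm::decrypt` is the same block copied twice, so the accepted range (8 to 128 bytes) can drift between the two directions. A small private helper called from both keeps them in step and gives one place for a comment on why these bounds were chosen. Separately, the removed Python `encrypt` rejected data or associated data longer than 2**31 - 1 bytes with `OverflowError`, and nothing in this hunk does the same. It is worth confirming that `EvpCipherAead::encrypt`, which is outside the hunk, enforces that limit.

```rust
// Shared by encrypt and decrypt so the accepted nonce range cannot drift.
fn check_gcm_nonce_length(nonce: &[u8]) -> CryptographyResult<()> {
    if !(8..=128).contains(&nonce.len()) {
        return Err(CryptographyError::from(
            pyo3::exceptions::PyValueError::new_err("Nonce must be between 8 and 128 bytes"),
        ));
    }
    Ok(())
}

// … unchanged: AesGcm struct, new, generate_key …

        // in both encrypt and decrypt, replacing the inline length check:
        let nonce_bytes = nonce.as_bytes();
        check_gcm_nonce_length(nonce_bytes)?;
```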
From 1729edef70315b532379db998efc6d69c546fe27 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 28 Jan 2024 16:34:33 -0600 Subject: [PATCH 0034/1462] add decrepit namespace and put SEED, IDEA, Blowfish, and CAST5 in it (#10284) --- CHANGELOG.rst | 8 +- docs/hazmat/decrepit/ciphers.rst | 87 +++++ docs/hazmat/decrepit/index.rst | 14 + .../primitives/symmetric-encryption.rst | 30 ++ docs/index.rst | 1 + .../hazmat/backends/openssl/backend.py | 16 +- src/cryptography/hazmat/decrepit/__init__.py | 5 + .../hazmat/decrepit/ciphers/__init__.py | 5 + .../hazmat/decrepit/ciphers/algorithms.py | 62 ++++ .../hazmat/primitives/_cipheralgorithm.py | 14 + .../hazmat/primitives/ciphers/algorithms.py | 97 ++--- src/rust/src/types.rs | 20 +- tests/hazmat/primitives/decrepit/__init__.py | 3 + .../primitives/decrepit/test_algorithms.py | 340 ++++++++++++++++++ tests/hazmat/primitives/test_blowfish.py | 86 ----- tests/hazmat/primitives/test_cast5.py | 86 ----- tests/hazmat/primitives/test_ciphers.py | 88 ++--- tests/hazmat/primitives/test_idea.py | 86 ----- tests/hazmat/primitives/test_seed.py | 86 ----- 19 files changed, 630 insertions(+), 504 deletions(-) create mode 100644 docs/hazmat/decrepit/ciphers.rst create mode 100644 docs/hazmat/decrepit/index.rst create mode 100644 src/cryptography/hazmat/decrepit/__init__.py create mode 100644 src/cryptography/hazmat/decrepit/ciphers/__init__.py create mode 100644 src/cryptography/hazmat/decrepit/ciphers/algorithms.py create mode 100644 tests/hazmat/primitives/decrepit/__init__.py create mode 100644 tests/hazmat/primitives/decrepit/test_algorithms.py delete mode 100644 tests/hazmat/primitives/test_blowfish.py delete mode 100644 tests/hazmat/primitives/test_cast5.py delete mode 100644 tests/hazmat/primitives/test_idea.py delete mode 100644 tests/hazmat/primitives/test_seed.py diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 8142363dc4d2..1088e7099323 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -12,7 +12,13 @@ Changelog * :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still considered insecure, users should generally use a key size of 2048-bits. - +* Added new :doc:`/hazmat/decrepit/index` module which contains outdated and + insecure cryptographic primitives. + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`, + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`, + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish`, which were + deprecated in 37.0.0, have been added to this module. .. _v42-0-1: diff --git a/docs/hazmat/decrepit/ciphers.rst b/docs/hazmat/decrepit/ciphers.rst new file mode 100644 index 000000000000..fed571eab50a --- /dev/null +++ b/docs/hazmat/decrepit/ciphers.rst 
@@ -0,0 +1,87 @@ +.. hazmat:: + + +Decrepit Symmetric algorithms +============================= + +.. module:: cryptography.hazmat.decrepit.ciphers + +This module contains decrepit symmetric encryption algorithms. These +are algorithms that should not be used unless necessary for backwards +compatibility or interoperability with legacy systems. Their use is +**strongly discouraged**. + +These algorithms require you to use a :class:`~cryptography.hazmat.primitives.ciphers.Cipher` +object along with the appropriate :mod:`~cryptography.hazmat.primitives.ciphers.modes`. + +.. class:: CAST5(key) + + .. versionadded:: 43.0.0 + + CAST5 (also known as CAST-128) is a block cipher approved for use in the + Canadian government by the `Communications Security Establishment`_. It is + a variable key length cipher and supports keys from 40-128 :term:`bits` in + length. + + :param key: The secret key, This must be kept secret. 40 to 128 + :term:`bits` in length in increments of 8 bits. + :type key: :term:`bytes-like` + + .. doctest:: + + >>> import os + >>> from cryptography.hazmat.decrepit.ciphers.algorithms import CAST5 + >>> from cryptography.hazmat.primitives.ciphers import Cipher, modes + >>> key = os.urandom(16) + >>> iv = os.urandom(8) + >>> algorithm = CAST5(key) + >>> cipher = Cipher(algorithm, modes.CBC(iv)) + >>> encryptor = cipher.encryptor() + >>> ct = encryptor.update(b"a secret message") + >>> decryptor = cipher.decryptor() + >>> decryptor.update(ct) + b'a secret message' + +.. class:: SEED(key) + + .. versionadded:: 43.0.0 + + SEED is a block cipher developed by the Korea Information Security Agency + (KISA). It is defined in :rfc:`4269` and is used broadly throughout South + Korean industry, but rarely found elsewhere. + + :param key: The secret key. This must be kept secret. ``128`` + :term:`bits` in length. + :type key: :term:`bytes-like` + + +.. class:: Blowfish(key) + + .. versionadded:: 43.0.0 + + Blowfish is a block cipher developed by Bruce Schneier. 
It is known to be + susceptible to attacks when using weak keys. The author has recommended + that users of Blowfish move to newer algorithms. + + :param key: The secret key. This must be kept secret. 32 to 448 + :term:`bits` in length in increments of 8 bits. + :type key: :term:`bytes-like` + +.. class:: IDEA(key) + + .. versionadded:: 43.0.0 + + IDEA (`International Data Encryption Algorithm`_) is a block cipher created + in 1991. It is an optional component of the `OpenPGP`_ standard. This cipher + is susceptible to attacks when using weak keys. It is recommended that you + do not use this cipher for new applications. + + :param key: The secret key. This must be kept secret. ``128`` + :term:`bits` in length. + :type key: :term:`bytes-like` + + + +.. _`Communications Security Establishment`: https://www.cse-cst.gc.ca +.. _`International Data Encryption Algorithm`: https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm +.. _`OpenPGP`: https://www.openpgp.org/ diff --git a/docs/hazmat/decrepit/index.rst b/docs/hazmat/decrepit/index.rst new file mode 100644 index 000000000000..f0e541a496ef --- /dev/null +++ b/docs/hazmat/decrepit/index.rst @@ -0,0 +1,14 @@ +.. hazmat:: + +Decrepit cryptography +===================== + +This module holds old, deprecated, and/or insecure cryptographic +algorithms that may be needed in exceptional cases for backwards +compatibility or interoperability reasons. Unless necessary +their use is **strongly discouraged**. + +.. toctree:: + :maxdepth: 2 + + ciphers diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index e12ccac6ecf5..2b21c4162afd 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst 
@@ -205,6 +205,12 @@ Algorithms .. versionadded:: 0.2 + .. warning:: + + This algorithm has been deprecated and moved to the :doc:`/hazmat/decrepit/index` + module. If you need to continue using it then update your code to + use the new module path. It will be removed from this namespace in 45.0.0. + CAST5 (also known as CAST-128) is a block cipher approved for use in the Canadian government by the `Communications Security Establishment`_. It is a variable key length cipher and supports keys from 40-128 :term:`bits` in @@ -218,6 +224,12 @@ Algorithms .. versionadded:: 0.4 + .. warning:: + + This algorithm has been deprecated and moved to the :doc:`/hazmat/decrepit/index` + module. If you need to continue using it then update your code to + use the new module path. It will be removed from this namespace in 45.0.0. + SEED is a block cipher developed by the Korea Information Security Agency (KISA). It is defined in :rfc:`4269` and is used broadly throughout South Korean industry, but rarely found elsewhere. @@ -252,6 +264,12 @@ Weak ciphers .. class:: Blowfish(key) + .. warning:: + + This algorithm has been deprecated and moved to the :doc:`/hazmat/decrepit/index` + module. If you need to continue using it then update your code to + use the new module path. It will be removed from this namespace in 45.0.0. + Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as :class:`AES`. 
@@ -262,6 +280,12 @@ Weak ciphers .. class:: ARC4(key) + .. warning:: + + This algorithm has been deprecated and moved to the :doc:`/hazmat/decrepit/index` + module. If you need to continue using it then update your code to + use the new module path. It will be removed from this namespace in 45.0.0. + ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. @@ -284,6 +308,12 @@ Weak ciphers .. class:: IDEA(key) + .. warning:: + + This algorithm has been deprecated and moved to the :doc:`/hazmat/decrepit/index` + module. If you need to continue using it then update your code to + use the new module path. It will be removed from this namespace in 45.0.0. + IDEA (`International Data Encryption Algorithm`_) is a block cipher created in 1991. It is an optional component of the `OpenPGP`_ standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you diff --git a/docs/index.rst b/docs/index.rst index 08fcba34d96f..7086f80ee6e3 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -67,6 +67,7 @@ hazmat layer only when necessary. hazmat/primitives/index exceptions random-numbers + hazmat/decrepit/index .. toctree:: :maxdepth: 2 diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index f296303ced1f..c5b02b2e9f01 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py 
@@ -15,6 +15,12 @@ from cryptography.hazmat.backends.openssl.ciphers import _CipherContext from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.bindings.openssl import binding +from cryptography.hazmat.decrepit.ciphers.algorithms import ( + CAST5, + IDEA, + SEED, + Blowfish, +) from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives._asymmetric import AsymmetricPadding from cryptography.hazmat.primitives.asymmetric import ec @@ -40,10 +46,6 @@ Camellia, ChaCha20, TripleDES, - _BlowfishInternal, - _CAST5Internal, - _IDEAInternal, - _SEEDInternal, ) from cryptography.hazmat.primitives.ciphers.modes import ( CBC, @@ -282,18 +284,18 @@ def _register_default_ciphers(self) -> None: ): for mode_cls in [CBC, CFB, OFB, ECB]: self.register_cipher_adapter( - _BlowfishInternal, + Blowfish, mode_cls, GetCipherByName("bf-{mode.name}"), ) for mode_cls in [CBC, CFB, OFB, ECB]: self.register_cipher_adapter( - _SEEDInternal, + SEED, mode_cls, GetCipherByName("seed-{mode.name}"), ) for cipher_cls, mode_cls in itertools.product( - [_CAST5Internal, _IDEAInternal], + [CAST5, IDEA], [CBC, OFB, CFB, ECB], ): self.register_cipher_adapter( diff --git a/src/cryptography/hazmat/decrepit/__init__.py b/src/cryptography/hazmat/decrepit/__init__.py new file mode 100644 index 000000000000..41d731863aa2 --- /dev/null +++ b/src/cryptography/hazmat/decrepit/__init__.py @@ -0,0 +1,5 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from __future__ import annotations diff --git a/src/cryptography/hazmat/decrepit/ciphers/__init__.py b/src/cryptography/hazmat/decrepit/ciphers/__init__.py new file mode 100644 index 000000000000..41d731863aa2 --- /dev/null +++ b/src/cryptography/hazmat/decrepit/ciphers/__init__.py 
@@ -0,0 +1,5 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
diff --git a/src/cryptography/hazmat/decrepit/ciphers/algorithms.py b/src/cryptography/hazmat/decrepit/ciphers/algorithms.py
new file mode 100644
index 000000000000..f9432834dc5c
--- /dev/null
+++ b/src/cryptography/hazmat/decrepit/ciphers/algorithms.py
@@ -0,0 +1,62 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+from cryptography.hazmat.primitives._cipheralgorithm import (
+ BlockCipherAlgorithm,
+ _verify_key_size,
+)
+
+
+class Blowfish(BlockCipherAlgorithm):
+ name = "Blowfish"
+ block_size = 64
+ key_sizes = frozenset(range(32, 449, 8))
+
+ def __init__(self, key: bytes):
+ self.key = _verify_key_size(self, key)
+
+ @property
+ def key_size(self) -> int:
+ return len(self.key) * 8
+
+
+class CAST5(BlockCipherAlgorithm):
+ name = "CAST5"
+ block_size = 64
+ key_sizes = frozenset(range(40, 129, 8))
+
+ def __init__(self, key: bytes):
+ self.key = _verify_key_size(self, key)
+
+ @property
+ def key_size(self) -> int:
+ return len(self.key) * 8
+
+
+class SEED(BlockCipherAlgorithm):
+ name = "SEED"
+ block_size = 128
+ key_sizes = frozenset([128])
+
+ def __init__(self, key: bytes):
+ self.key = _verify_key_size(self, key)
+
+ @property
+ def key_size(self) -> int:
+ return len(self.key) * 8
+
+
+class IDEA(BlockCipherAlgorithm):
+ name = "IDEA"
+ block_size = 64
+ key_sizes = frozenset([128])
+
+ def __init__(self, key: bytes):
+ self.key = _verify_key_size(self, key)
+
+ @property
+ def key_size(self) -> int:
+ return len(self.key) * 8
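Review bot: None of the four classes in the new `decrepit/ciphers/algorithms.py` has a docstring, so the import path is the only sign that they are legacy-only. A one-line class docstring on each, such as `"""Legacy block cipher kept for interoperability only; do not use in new designs."""`, would carry that warning into `help()` and editor tooltips. `Blowfish`, `CAST5` and `IDEA` could also get a `#` comment next to `block_size = 64` noting that a 64-bit block limits how much data is safe to encrypt under one key. The `__init__`/`key_size` pair is also repeated verbatim in all four classes and could sit on a small shared private base class.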
diff --git a/src/cryptography/hazmat/primitives/_cipheralgorithm.py b/src/cryptography/hazmat/primitives/_cipheralgorithm.py index 9d7f5bc79c2b..588a61698fdc 100644 --- a/src/cryptography/hazmat/primitives/_cipheralgorithm.py +++ b/src/cryptography/hazmat/primitives/_cipheralgorithm.py @@ -6,6 +6,8 @@ import abc +from cryptography import utils + # This exists to break an import cycle. It is normally accessible from the # ciphers module. @@ -42,3 +44,15 @@ def block_size(self) -> int: """ The size of a block as an integer in bits (e.g. 64, 128). """ + + +def _verify_key_size(algorithm: CipherAlgorithm, key: bytes) -> bytes: + # Verify that the key is instance of bytes + utils._check_byteslike("key", key) + + # Verify that the key size matches the expected key size + if len(key) * 8 not in algorithm.key_sizes: + raise ValueError( + f"Invalid key size ({len(key) * 8}) for {algorithm.name}." + ) + return key diff --git a/src/cryptography/hazmat/primitives/ciphers/algorithms.py b/src/cryptography/hazmat/primitives/ciphers/algorithms.py index 000bdcba97a4..645d0acd3cac 100644 --- a/src/cryptography/hazmat/primitives/ciphers/algorithms.py +++ b/src/cryptography/hazmat/primitives/ciphers/algorithms.py 
@@ -5,24 +5,25 @@ from __future__ import annotations from cryptography import utils +from cryptography.hazmat.decrepit.ciphers.algorithms import ( + CAST5 as CAST5, +) +from cryptography.hazmat.decrepit.ciphers.algorithms import ( + IDEA as IDEA, +) +from cryptography.hazmat.decrepit.ciphers.algorithms import ( + SEED as SEED, +) +from cryptography.hazmat.decrepit.ciphers.algorithms import ( + Blowfish as Blowfish, +) +from cryptography.hazmat.primitives._cipheralgorithm import _verify_key_size from cryptography.hazmat.primitives.ciphers import ( BlockCipherAlgorithm, CipherAlgorithm, ) -def _verify_key_size(algorithm: CipherAlgorithm, key: bytes) -> bytes: - # Verify that the key is instance of bytes - utils._check_byteslike("key", key) - - # Verify that the key size matches the expected key size - if len(key) * 8 not in algorithm.key_sizes: - raise ValueError( - f"Invalid key size ({len(key) * 8}) for {algorithm.name}." - ) - return key - - class AES(BlockCipherAlgorithm): name = "AES" block_size = 128 
@@ -87,47 +88,23 @@ def key_size(self) -> int: return len(self.key) * 8 -class Blowfish(BlockCipherAlgorithm): - name = "Blowfish" - block_size = 64 - key_sizes = frozenset(range(32, 449, 8)) - - def __init__(self, key: bytes): - self.key = _verify_key_size(self, key) - - @property - def key_size(self) -> int: - return len(self.key) * 8 - - -_BlowfishInternal = Blowfish utils.deprecated( Blowfish, __name__, - "Blowfish has been deprecated and will be removed in a future release", + "Blowfish has been moved to " + "cryptography.hazmat.decrepit.ciphers.algorithms.Blowfish and " + "will be removed from this module in 45.0.0.", utils.DeprecatedIn37, name="Blowfish", ) -class CAST5(BlockCipherAlgorithm): - name = "CAST5" - block_size = 64 - key_sizes = frozenset(range(40, 129, 8)) - - def __init__(self, key: bytes): - self.key = _verify_key_size(self, key) - - @property - def key_size(self) -> int: - return len(self.key) * 8 - - -_CAST5Internal = CAST5 utils.deprecated( CAST5, __name__, - "CAST5 has been deprecated and will be removed in a future release", + "CAST5 has been moved to " + "cryptography.hazmat.decrepit.ciphers.algorithms.CAST5 and " + "will be removed from this module in 45.0.0.", utils.DeprecatedIn37, name="CAST5", ) 
@@ -145,47 +122,23 @@ def key_size(self) -> int: return len(self.key) * 8 -class IDEA(BlockCipherAlgorithm): - name = "IDEA" - block_size = 64 - key_sizes = frozenset([128]) - - def __init__(self, key: bytes): - self.key = _verify_key_size(self, key) - - @property - def key_size(self) -> int: - return len(self.key) * 8 - - -_IDEAInternal = IDEA utils.deprecated( IDEA, __name__, - "IDEA has been deprecated and will be removed in a future release", + "IDEA has been moved to " + "cryptography.hazmat.decrepit.ciphers.algorithms.IDEA and " + "will be removed from this module in 45.0.0.", utils.DeprecatedIn37, name="IDEA", ) -class SEED(BlockCipherAlgorithm): - name = "SEED" - block_size = 128 - key_sizes = frozenset([128]) - - def __init__(self, key: bytes): - self.key = _verify_key_size(self, key) - - @property - def key_size(self) -> int: - return len(self.key) * 8 - - -_SEEDInternal = SEED utils.deprecated( SEED, __name__, - "SEED has been deprecated and will be removed in a future release", + "SEED has been moved to " + "cryptography.hazmat.decrepit.ciphers.algorithms.SEED and " + "will be removed from this module in 45.0.0.", utils.DeprecatedIn37, name="SEED", ) diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index b7564955d20e..fc60ecd97f10 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs 
@@ -478,27 +478,23 @@ pub static SM4: LazyPyImport = LazyPyImport::new( &["SM4"], ); #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] -pub static SEED: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.ciphers.algorithms", - &["_SEEDInternal"], -); +pub static SEED: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.decrepit.ciphers.algorithms", &["SEED"]); pub static CAMELLIA: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["Camellia"], ); pub static BLOWFISH: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.ciphers.algorithms", - &["_BlowfishInternal"], + "cryptography.hazmat.decrepit.ciphers.algorithms", + &["Blowfish"], ); pub static CAST5: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.ciphers.algorithms", - &["_CAST5Internal"], + "cryptography.hazmat.decrepit.ciphers.algorithms", + &["CAST5"], ); #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] -pub static IDEA: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.ciphers.algorithms", - &["_IDEAInternal"], -); +pub static IDEA: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.decrepit.ciphers.algorithms", &["IDEA"]); pub static CBC: LazyPyImport = LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["CBC"]); diff --git a/tests/hazmat/primitives/decrepit/__init__.py b/tests/hazmat/primitives/decrepit/__init__.py new file mode 100644 index 000000000000..b509336233c2 --- /dev/null +++ b/tests/hazmat/primitives/decrepit/__init__.py @@ -0,0 +1,3 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. diff --git a/tests/hazmat/primitives/decrepit/test_algorithms.py b/tests/hazmat/primitives/decrepit/test_algorithms.py new file mode 100644 index 000000000000..c812f17fd3d9 --- /dev/null 
+++ b/tests/hazmat/primitives/decrepit/test_algorithms.py 
@@ -0,0 +1,340 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + + +import binascii +import os + +import pytest + +from cryptography.hazmat.decrepit.ciphers.algorithms import ( + CAST5, + IDEA, + SEED, + Blowfish, +) +from cryptography.hazmat.primitives.ciphers import modes + +from ....utils import load_nist_vectors +from ..utils import generate_encrypt_test + + +class TestBlowfish: + @pytest.mark.parametrize( + ("key", "keysize"), + [(b"0" * (keysize // 4), keysize) for keysize in range(32, 449, 8)], + ) + def test_key_size(self, key, keysize): + cipher = Blowfish(binascii.unhexlify(key)) + assert cipher.key_size == keysize + + def test_invalid_key_size(self): + with pytest.raises(ValueError): + Blowfish(binascii.unhexlify(b"0" * 6)) + + def test_invalid_key_type(self): + with pytest.raises(TypeError, match="key must be bytes"): + Blowfish("0" * 8) # type: ignore[arg-type] + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + Blowfish(b"\x00" * 56), modes.ECB() + ), + skip_message="Does not support Blowfish ECB", +) +class TestBlowfishModeECB: + test_ecb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "Blowfish"), + ["bf-ecb.txt"], + lambda key, **kwargs: Blowfish(binascii.unhexlify(key)), + lambda **kwargs: modes.ECB(), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + Blowfish(b"\x00" * 56), modes.CBC(b"\x00" * 8) + ), + skip_message="Does not support Blowfish CBC", +) +class TestBlowfishModeCBC: + test_cbc = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "Blowfish"), + ["bf-cbc.txt"], + lambda key, **kwargs: Blowfish(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + Blowfish(b"\x00" * 56), 
modes.OFB(b"\x00" * 8) + ), + skip_message="Does not support Blowfish OFB", +) +class TestBlowfishModeOFB: + test_ofb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "Blowfish"), + ["bf-ofb.txt"], + lambda key, **kwargs: Blowfish(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + Blowfish(b"\x00" * 56), modes.CFB(b"\x00" * 8) + ), + skip_message="Does not support Blowfish CFB", +) +class TestBlowfishModeCFB: + test_cfb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "Blowfish"), + ["bf-cfb.txt"], + lambda key, **kwargs: Blowfish(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), + ) + + +class TestCAST5: + @pytest.mark.parametrize( + ("key", "keysize"), + [(b"0" * (keysize // 4), keysize) for keysize in range(40, 129, 8)], + ) + def test_key_size(self, key, keysize): + cipher = CAST5(binascii.unhexlify(key)) + assert cipher.key_size == keysize + + def test_invalid_key_size(self): + with pytest.raises(ValueError): + CAST5(binascii.unhexlify(b"0" * 34)) + + def test_invalid_key_type(self): + with pytest.raises(TypeError, match="key must be bytes"): + CAST5("0" * 10) # type: ignore[arg-type] + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + CAST5(b"\x00" * 16), modes.ECB() + ), + skip_message="Does not support CAST5 ECB", +) +class TestCAST5ModeECB: + test_ecb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "CAST5"), + ["cast5-ecb.txt"], + lambda key, **kwargs: CAST5(binascii.unhexlify(key)), + lambda **kwargs: modes.ECB(), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + CAST5(b"\x00" * 16), modes.CBC(b"\x00" * 8) + ), + skip_message="Does not support CAST5 CBC", +) +class TestCAST5ModeCBC: + test_cbc = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", 
"CAST5"), + ["cast5-cbc.txt"], + lambda key, **kwargs: CAST5(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + CAST5(b"\x00" * 16), modes.OFB(b"\x00" * 8) + ), + skip_message="Does not support CAST5 OFB", +) +class TestCAST5ModeOFB: + test_ofb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "CAST5"), + ["cast5-ofb.txt"], + lambda key, **kwargs: CAST5(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + CAST5(b"\x00" * 16), modes.CFB(b"\x00" * 8) + ), + skip_message="Does not support CAST5 CFB", +) +class TestCAST5ModeCFB: + test_cfb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "CAST5"), + ["cast5-cfb.txt"], + lambda key, **kwargs: CAST5(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), + ) + + +class TestIDEA: + def test_key_size(self): + cipher = IDEA(b"\x00" * 16) + assert cipher.key_size == 128 + + def test_invalid_key_size(self): + with pytest.raises(ValueError): + IDEA(b"\x00" * 17) + + def test_invalid_key_type(self): + with pytest.raises(TypeError, match="key must be bytes"): + IDEA("0" * 16) # type: ignore[arg-type] + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + IDEA(b"\x00" * 16), modes.ECB() + ), + skip_message="Does not support IDEA ECB", +) +class TestIDEAModeECB: + test_ecb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "IDEA"), + ["idea-ecb.txt"], + lambda key, **kwargs: IDEA(binascii.unhexlify(key)), + lambda **kwargs: modes.ECB(), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + IDEA(b"\x00" * 16), modes.CBC(b"\x00" * 8) + ), + skip_message="Does not support IDEA CBC", +) +class TestIDEAModeCBC: + test_cbc = generate_encrypt_test( + 
load_nist_vectors, + os.path.join("ciphers", "IDEA"), + ["idea-cbc.txt"], + lambda key, **kwargs: IDEA(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + IDEA(b"\x00" * 16), modes.OFB(b"\x00" * 8) + ), + skip_message="Does not support IDEA OFB", +) +class TestIDEAModeOFB: + test_ofb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "IDEA"), + ["idea-ofb.txt"], + lambda key, **kwargs: IDEA(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + IDEA(b"\x00" * 16), modes.CFB(b"\x00" * 8) + ), + skip_message="Does not support IDEA CFB", +) +class TestIDEAModeCFB: + test_cfb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "IDEA"), + ["idea-cfb.txt"], + lambda key, **kwargs: IDEA(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), + ) + + +class TestSEED: + def test_key_size(self): + cipher = SEED(b"\x00" * 16) + assert cipher.key_size == 128 + + def test_invalid_key_size(self): + with pytest.raises(ValueError): + SEED(b"\x00" * 17) + + def test_invalid_key_type(self): + with pytest.raises(TypeError, match="key must be bytes"): + SEED("0" * 16) # type: ignore[arg-type] + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + SEED(b"\x00" * 16), modes.ECB() + ), + skip_message="Does not support SEED ECB", +) +class TestSEEDModeECB: + test_ecb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "SEED"), + ["rfc-4269.txt"], + lambda key, **kwargs: SEED(binascii.unhexlify(key)), + lambda **kwargs: modes.ECB(), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + SEED(b"\x00" * 16), modes.CBC(b"\x00" * 16) + ), + skip_message="Does not support SEED CBC", +) +class TestSEEDModeCBC: + 
test_cbc = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "SEED"), + ["rfc-4196.txt"], + lambda key, **kwargs: SEED(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + SEED(b"\x00" * 16), modes.OFB(b"\x00" * 16) + ), + skip_message="Does not support SEED OFB", +) +class TestSEEDModeOFB: + test_ofb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "SEED"), + ["seed-ofb.txt"], + lambda key, **kwargs: SEED(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + SEED(b"\x00" * 16), modes.CFB(b"\x00" * 16) + ), + skip_message="Does not support SEED CFB", +) +class TestSEEDModeCFB: + test_cfb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "SEED"), + ["seed-cfb.txt"], + lambda key, **kwargs: SEED(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), + ) diff --git a/tests/hazmat/primitives/test_blowfish.py b/tests/hazmat/primitives/test_blowfish.py deleted file mode 100644 index b8f34dfcef58..000000000000 --- a/tests/hazmat/primitives/test_blowfish.py +++ /dev/null 
@@ -1,86 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-
-import binascii
-import os
-
-import pytest
-
-from cryptography.hazmat.primitives.ciphers import algorithms, modes
-
-from ...utils import load_nist_vectors
-from .utils import generate_encrypt_test
-
-
-@pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms._BlowfishInternal(b"\x00" * 56), modes.ECB()
- ),
- skip_message="Does not support Blowfish ECB",
-)
-class TestBlowfishModeECB:
- test_ecb = generate_encrypt_test(
- load_nist_vectors,
- os.path.join("ciphers", "Blowfish"),
- ["bf-ecb.txt"],
- lambda key, **kwargs: algorithms._BlowfishInternal(
- binascii.unhexlify(key)
- ),
- lambda **kwargs: modes.ECB(),
- )
-
-
-@pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms._BlowfishInternal(b"\x00" * 56), modes.CBC(b"\x00" * 8)
- ),
- skip_message="Does not support Blowfish CBC",
-)
-class TestBlowfishModeCBC:
- test_cbc = generate_encrypt_test(
- load_nist_vectors,
- os.path.join("ciphers", "Blowfish"),
- ["bf-cbc.txt"],
- lambda key, **kwargs: algorithms._BlowfishInternal(
- binascii.unhexlify(key)
- ),
- lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)),
- )
-
-
-@pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms._BlowfishInternal(b"\x00" * 56), modes.OFB(b"\x00" * 8)
- ),
- skip_message="Does not support Blowfish OFB",
-)
-class TestBlowfishModeOFB:
- test_ofb = generate_encrypt_test(
- load_nist_vectors,
- os.path.join("ciphers", "Blowfish"),
- ["bf-ofb.txt"],
- lambda key, **kwargs: algorithms._BlowfishInternal(
- binascii.unhexlify(key)
- ),
- lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)),
- )
-
-
-@pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms._BlowfishInternal(b"\x00" * 56), modes.CFB(b"\x00" * 8)
- ),
- skip_message="Does not support Blowfish CFB",
-)
-class TestBlowfishModeCFB:
- test_cfb = generate_encrypt_test(
- load_nist_vectors,
- os.path.join("ciphers", "Blowfish"),
- ["bf-cfb.txt"],
- lambda key, **kwargs: algorithms._BlowfishInternal(
- binascii.unhexlify(key)
- ),
- lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)),
- )
diff --git a/tests/hazmat/primitives/test_cast5.py b/tests/hazmat/primitives/test_cast5.py
deleted file mode 100644
index 327a463b60e5..000000000000
--- a/tests/hazmat/primitives/test_cast5.py
+++ /dev/null
@@ -1,86 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - - -import binascii -import os - -import pytest - -from cryptography.hazmat.primitives.ciphers import algorithms, modes - -from ...utils import load_nist_vectors -from .utils import generate_encrypt_test - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._CAST5Internal(b"\x00" * 16), modes.ECB() - ), - skip_message="Does not support CAST5 ECB", -) -class TestCAST5ModeECB: - test_ecb = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "CAST5"), - ["cast5-ecb.txt"], - lambda key, **kwargs: algorithms._CAST5Internal( - binascii.unhexlify(key) - ), - lambda **kwargs: modes.ECB(), - ) - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._CAST5Internal(b"\x00" * 16), modes.CBC(b"\x00" * 8) - ), - skip_message="Does not support CAST5 CBC", -) -class TestCAST5ModeCBC: - test_cbc = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "CAST5"), - ["cast5-cbc.txt"], - lambda key, **kwargs: algorithms._CAST5Internal( - binascii.unhexlify(key) - ), - lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), - ) - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._CAST5Internal(b"\x00" * 16), modes.OFB(b"\x00" * 8) - ), - skip_message="Does not support CAST5 OFB", -) -class TestCAST5ModeOFB: - test_ofb = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "CAST5"), - ["cast5-ofb.txt"], - lambda key, **kwargs: algorithms._CAST5Internal( - binascii.unhexlify(key) - ), - lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), - ) - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._CAST5Internal(b"\x00" * 16), modes.CFB(b"\x00" * 8) - ), - skip_message="Does not 
support CAST5 CFB", -) -class TestCAST5ModeCFB: - test_cfb = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "CAST5"), - ["cast5-cfb.txt"], - lambda key, **kwargs: algorithms._CAST5Internal( - binascii.unhexlify(key) - ), - lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), - ) diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py index 1659fa2cd605..e096986160f8 100644 --- a/tests/hazmat/primitives/test_ciphers.py +++ b/tests/hazmat/primitives/test_ciphers.py @@ -10,6 +10,7 @@ import pytest +from cryptography import utils from cryptography.exceptions import AlreadyFinalized, _Reasons from cryptography.hazmat.primitives import ciphers from cryptography.hazmat.primitives.ciphers import modes @@ -18,10 +19,6 @@ ARC4, Camellia, TripleDES, - _BlowfishInternal, - _CAST5Internal, - _IDEAInternal, - _SEEDInternal, ) from ...utils import ( @@ -31,6 +28,25 @@ ) +def test_deprecated_ciphers_import_with_warning(): + with pytest.warns(utils.CryptographyDeprecationWarning): + from cryptography.hazmat.primitives.ciphers.algorithms import ( + Blowfish, # noqa: F401 + ) + with pytest.warns(utils.CryptographyDeprecationWarning): + from cryptography.hazmat.primitives.ciphers.algorithms import ( + CAST5, # noqa: F401 + ) + with pytest.warns(utils.CryptographyDeprecationWarning): + from cryptography.hazmat.primitives.ciphers.algorithms import ( + IDEA, # noqa: F401 + ) + with pytest.warns(utils.CryptographyDeprecationWarning): + from cryptography.hazmat.primitives.ciphers.algorithms import ( + SEED, # noqa: F401 + ) + + class TestAES: @pytest.mark.parametrize( ("key", "keysize"), 
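Review bot: `test_deprecated_ciphers_import_with_warning` only proves that each legacy import emits a `CryptographyDeprecationWarning`; it never checks what was imported, which is why every name needs `# noqa: F401`. A compatibility shim that warns but binds the wrong object would still pass. I would add one assertion per import after its `with` block, for example `assert isinstance(Blowfish, type)`, and drop the `noqa` markers. Passing `match=` to `pytest.warns` would also pin which deprecation fired, but the message text is not visible in this hunk, so that part needs checking against the shim.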
@@ -110,42 +126,6 @@ def test_invalid_key_type(self): TripleDES("0" * 16) # type: ignore[arg-type] -class TestBlowfish: - @pytest.mark.parametrize( - ("key", "keysize"), - [(b"0" * (keysize // 4), keysize) for keysize in range(32, 449, 8)], - ) - def test_key_size(self, key, keysize): - cipher = _BlowfishInternal(binascii.unhexlify(key)) - assert cipher.key_size == keysize - - def test_invalid_key_size(self): - with pytest.raises(ValueError): - _BlowfishInternal(binascii.unhexlify(b"0" * 6)) - - def test_invalid_key_type(self): - with pytest.raises(TypeError, match="key must be bytes"): - _BlowfishInternal("0" * 8) # type: ignore[arg-type] - - -class TestCAST5: - @pytest.mark.parametrize( - ("key", "keysize"), - [(b"0" * (keysize // 4), keysize) for keysize in range(40, 129, 8)], - ) - def test_key_size(self, key, keysize): - cipher = _CAST5Internal(binascii.unhexlify(key)) - assert cipher.key_size == keysize - - def test_invalid_key_size(self): - with pytest.raises(ValueError): - _CAST5Internal(binascii.unhexlify(b"0" * 34)) - - def test_invalid_key_type(self): - with pytest.raises(TypeError, match="key must be bytes"): - _CAST5Internal("0" * 10) # type: ignore[arg-type] - - class TestARC4: @pytest.mark.parametrize( ("key", "keysize"), 
@@ -172,34 +152,6 @@ def test_invalid_key_type(self): ARC4("0" * 10) # type: ignore[arg-type] -class TestIDEA: - def test_key_size(self): - cipher = _IDEAInternal(b"\x00" * 16) - assert cipher.key_size == 128 - - def test_invalid_key_size(self): - with pytest.raises(ValueError): - _IDEAInternal(b"\x00" * 17) - - def test_invalid_key_type(self): - with pytest.raises(TypeError, match="key must be bytes"): - _IDEAInternal("0" * 16) # type: ignore[arg-type] - - -class TestSEED: - def test_key_size(self): - cipher = _SEEDInternal(b"\x00" * 16) - assert cipher.key_size == 128 - - def test_invalid_key_size(self): - with pytest.raises(ValueError): - _SEEDInternal(b"\x00" * 17) - - def test_invalid_key_type(self): - with pytest.raises(TypeError, match="key must be bytes"): - _SEEDInternal("0" * 16) # type: ignore[arg-type] - - def test_invalid_mode_algorithm(): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): ciphers.Cipher( diff --git a/tests/hazmat/primitives/test_idea.py b/tests/hazmat/primitives/test_idea.py deleted file mode 100644 index 6631a93f91cc..000000000000 --- a/tests/hazmat/primitives/test_idea.py +++ /dev/null 
@@ -1,86 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-
-import binascii
-import os
-
-import pytest
-
-from cryptography.hazmat.primitives.ciphers import algorithms, modes
-
-from ...utils import load_nist_vectors
-from .utils import generate_encrypt_test
-
-
-@pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms._IDEAInternal(b"\x00" * 16), modes.ECB()
- ),
- skip_message="Does not support IDEA ECB",
-)
-class TestIDEAModeECB:
- test_ecb = generate_encrypt_test(
- load_nist_vectors,
- os.path.join("ciphers", "IDEA"),
- ["idea-ecb.txt"],
- lambda key, **kwargs: algorithms._IDEAInternal(
- binascii.unhexlify(key)
- ),
- lambda **kwargs: modes.ECB(),
- )
-
-
-@pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms._IDEAInternal(b"\x00" * 16), modes.CBC(b"\x00" * 8)
- ),
- skip_message="Does not support IDEA CBC",
-)
-class TestIDEAModeCBC:
- test_cbc = generate_encrypt_test(
- load_nist_vectors,
- os.path.join("ciphers", "IDEA"),
- ["idea-cbc.txt"],
- lambda key, **kwargs: algorithms._IDEAInternal(
- binascii.unhexlify(key)
- ),
- lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)),
- )
-
-
-@pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms._IDEAInternal(b"\x00" * 16), modes.OFB(b"\x00" * 8)
- ),
- skip_message="Does not support IDEA OFB",
-)
-class TestIDEAModeOFB:
- test_ofb = generate_encrypt_test(
- load_nist_vectors,
- os.path.join("ciphers", "IDEA"),
- ["idea-ofb.txt"],
- lambda key, **kwargs: algorithms._IDEAInternal(
- binascii.unhexlify(key)
- ),
- lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)),
- )
-
-
-@pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms._IDEAInternal(b"\x00" * 16), modes.CFB(b"\x00" * 8)
- ),
- skip_message="Does not support IDEA CFB",
-)
-class TestIDEAModeCFB:
- test_cfb = generate_encrypt_test(
- load_nist_vectors,
- os.path.join("ciphers", "IDEA"),
- ["idea-cfb.txt"],
- lambda key, **kwargs: algorithms._IDEAInternal(
- binascii.unhexlify(key)
- ),
- lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)),
- )
diff --git a/tests/hazmat/primitives/test_seed.py b/tests/hazmat/primitives/test_seed.py
deleted file mode 100644
index f36ce1e4ecea..000000000000
--- a/tests/hazmat/primitives/test_seed.py
+++ /dev/null
@@ -1,86 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-
-import binascii
-import os
-
-import pytest
-
-from cryptography.hazmat.primitives.ciphers import algorithms, modes
-
-from ...utils import load_nist_vectors
-from .utils import generate_encrypt_test
-
-
-@pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms._SEEDInternal(b"\x00" * 16), modes.ECB()
- ),
- skip_message="Does not support SEED ECB",
-)
-class TestSEEDModeECB:
- test_ecb = generate_encrypt_test(
- load_nist_vectors,
- os.path.join("ciphers", "SEED"),
- ["rfc-4269.txt"],
- lambda key, **kwargs: algorithms._SEEDInternal(
- binascii.unhexlify(key)
- ),
- lambda **kwargs: modes.ECB(),
- )
-
-
-@pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms._SEEDInternal(b"\x00" * 16), modes.CBC(b"\x00" * 16)
- ),
- skip_message="Does not support SEED CBC",
-)
-class TestSEEDModeCBC:
- test_cbc = generate_encrypt_test(
- load_nist_vectors,
- os.path.join("ciphers", "SEED"),
- ["rfc-4196.txt"],
- lambda key, **kwargs: algorithms._SEEDInternal(
- binascii.unhexlify(key)
- ),
- lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)),
- )
-
-
-@pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms._SEEDInternal(b"\x00" * 16), modes.OFB(b"\x00" * 16)
- ),
- skip_message="Does not support SEED OFB",
-)
-class TestSEEDModeOFB:
- test_ofb = generate_encrypt_test(
- load_nist_vectors,
- os.path.join("ciphers", "SEED"),
- ["seed-ofb.txt"],
- lambda key, **kwargs: algorithms._SEEDInternal(
- binascii.unhexlify(key)
- ),
- lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)),
- )
-
-
-@pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms._SEEDInternal(b"\x00" * 16), modes.CFB(b"\x00" * 16)
- ),
- skip_message="Does not support SEED CFB",
-)
-class TestSEEDModeCFB: - test_cfb = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "SEED"), - ["seed-cfb.txt"], - lambda key, **kwargs: algorithms._SEEDInternal( - binascii.unhexlify(key) - ), - lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), - ) From 98dfafeb8dcdf5e640c9612841f07da66586509b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jan 2024 17:54:54 -0500 Subject: [PATCH 0035/1462] Migrate AES-CCM to Rust (#10279) --- .../hazmat/backends/openssl/aead.py | 255 ------------------ .../hazmat/backends/openssl/backend.py | 4 - .../hazmat/bindings/_rust/openssl/aead.pyi | 17 ++ .../hazmat/primitives/ciphers/aead.py | 91 +------ src/rust/src/backend/aead.rs | 235 +++++++++++++--- tests/hazmat/primitives/test_aead.py | 3 + 6 files changed, 226 insertions(+), 379 deletions(-) delete mode 100644 src/cryptography/hazmat/backends/openssl/aead.py diff --git a/src/cryptography/hazmat/backends/openssl/aead.py b/src/cryptography/hazmat/backends/openssl/aead.py deleted file mode 100644 index dd2485481203..000000000000 --- a/src/cryptography/hazmat/backends/openssl/aead.py +++ /dev/null 
@@ -1,255 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -import typing - -from cryptography.exceptions import InvalidTag - -if typing.TYPE_CHECKING: - from cryptography.hazmat.backends.openssl.backend import Backend - from cryptography.hazmat.primitives.ciphers.aead import ( - AESCCM, - ) - - _AEADTypes = typing.Union[AESCCM] - - -def _aead_cipher_supported(backend: Backend, cipher: _AEADTypes) -> bool: - cipher_name = _evp_cipher_cipher_name(cipher) - - return backend._lib.EVP_get_cipherbyname(cipher_name) != backend._ffi.NULL - - -def _encrypt( - backend: Backend, - cipher: _AEADTypes, - nonce: bytes, - data: bytes, - associated_data: list[bytes], - tag_length: int, -) -> bytes: - return _evp_cipher_encrypt( - backend, cipher, nonce, data, associated_data, tag_length - ) - - -def _decrypt( - backend: Backend, - cipher: _AEADTypes, - nonce: bytes, - data: bytes, - associated_data: list[bytes], - tag_length: int, -) -> bytes: - return _evp_cipher_decrypt( - backend, cipher, nonce, data, associated_data, tag_length - ) - - -_ENCRYPT = 1 -_DECRYPT = 0 - - -def _evp_cipher_cipher_name(cipher: _AEADTypes) -> bytes: - from cryptography.hazmat.primitives.ciphers.aead import AESCCM - - assert isinstance(cipher, AESCCM) - return f"aes-{len(cipher._key) * 8}-ccm".encode("ascii") - - -def _evp_cipher(cipher_name: bytes, backend: Backend): - evp_cipher = backend._lib.EVP_get_cipherbyname(cipher_name) - backend.openssl_assert(evp_cipher != backend._ffi.NULL) - return evp_cipher - - -def _evp_cipher_aead_setup( - backend: Backend, - cipher_name: bytes, - key: bytes, - nonce: bytes, - tag: bytes | None, - tag_len: int, - operation: int, -): - evp_cipher = _evp_cipher(cipher_name, backend) - ctx = backend._lib.EVP_CIPHER_CTX_new() - ctx = backend._ffi.gc(ctx, backend._lib.EVP_CIPHER_CTX_free) - res 
= backend._lib.EVP_CipherInit_ex( - ctx, - evp_cipher, - backend._ffi.NULL, - backend._ffi.NULL, - backend._ffi.NULL, - int(operation == _ENCRYPT), - ) - backend.openssl_assert(res != 0) - # CCM requires the IVLEN to be set before calling SET_TAG on decrypt - res = backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, - backend._lib.EVP_CTRL_AEAD_SET_IVLEN, - len(nonce), - backend._ffi.NULL, - ) - backend.openssl_assert(res != 0) - if operation == _DECRYPT: - assert tag is not None - _evp_cipher_set_tag(backend, ctx, tag) - else: - assert cipher_name.endswith(b"-ccm") - res = backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, - backend._lib.EVP_CTRL_AEAD_SET_TAG, - tag_len, - backend._ffi.NULL, - ) - backend.openssl_assert(res != 0) - - nonce_ptr = backend._ffi.from_buffer(nonce) - key_ptr = backend._ffi.from_buffer(key) - res = backend._lib.EVP_CipherInit_ex( - ctx, - backend._ffi.NULL, - backend._ffi.NULL, - key_ptr, - nonce_ptr, - int(operation == _ENCRYPT), - ) - backend.openssl_assert(res != 0) - return ctx - - -def _evp_cipher_set_tag(backend, ctx, tag: bytes) -> None: - tag_ptr = backend._ffi.from_buffer(tag) - res = backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, backend._lib.EVP_CTRL_AEAD_SET_TAG, len(tag), tag_ptr - ) - backend.openssl_assert(res != 0) - - -def _evp_cipher_set_length(backend: Backend, ctx, data_len: int) -> None: - intptr = backend._ffi.new("int *") - res = backend._lib.EVP_CipherUpdate( - ctx, backend._ffi.NULL, intptr, backend._ffi.NULL, data_len - ) - backend.openssl_assert(res != 0) - - -def _evp_cipher_process_aad( - backend: Backend, ctx, associated_data: bytes -) -> None: - outlen = backend._ffi.new("int *") - a_data_ptr = backend._ffi.from_buffer(associated_data) - res = backend._lib.EVP_CipherUpdate( - ctx, backend._ffi.NULL, outlen, a_data_ptr, len(associated_data) - ) - backend.openssl_assert(res != 0) - - -def _evp_cipher_process_data(backend: Backend, ctx, data: bytes) -> bytes: - outlen = backend._ffi.new("int *") - buf = backend._ffi.new("unsigned 
char[]", len(data)) - data_ptr = backend._ffi.from_buffer(data) - res = backend._lib.EVP_CipherUpdate(ctx, buf, outlen, data_ptr, len(data)) - backend.openssl_assert(res != 0) - return backend._ffi.buffer(buf, outlen[0])[:] - - -def _evp_cipher_encrypt( - backend: Backend, - cipher: _AEADTypes, - nonce: bytes, - data: bytes, - associated_data: list[bytes], - tag_length: int, -) -> bytes: - from cryptography.hazmat.primitives.ciphers.aead import AESCCM - - cipher_name = _evp_cipher_cipher_name(cipher) - ctx = _evp_cipher_aead_setup( - backend, - cipher_name, - cipher._key, - nonce, - None, - tag_length, - _ENCRYPT, - ) - - # CCM requires us to pass the length of the data before processing - # anything. - # However calling this with any other AEAD results in an error - assert isinstance(cipher, AESCCM) - _evp_cipher_set_length(backend, ctx, len(data)) - - for ad in associated_data: - _evp_cipher_process_aad(backend, ctx, ad) - processed_data = _evp_cipher_process_data(backend, ctx, data) - outlen = backend._ffi.new("int *") - # All AEADs we support besides OCB are streaming so they return nothing - # in finalization. OCB can return up to (16 byte block - 1) bytes so - # we need a buffer here too. 
- buf = backend._ffi.new("unsigned char[]", 16) - res = backend._lib.EVP_CipherFinal_ex(ctx, buf, outlen) - backend.openssl_assert(res != 0) - processed_data += backend._ffi.buffer(buf, outlen[0])[:] - tag_buf = backend._ffi.new("unsigned char[]", tag_length) - res = backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, backend._lib.EVP_CTRL_AEAD_GET_TAG, tag_length, tag_buf - ) - backend.openssl_assert(res != 0) - tag = backend._ffi.buffer(tag_buf)[:] - - return processed_data + tag - - -def _evp_cipher_decrypt( - backend: Backend, - cipher: _AEADTypes, - nonce: bytes, - data: bytes, - associated_data: list[bytes], - tag_length: int, -) -> bytes: - from cryptography.hazmat.primitives.ciphers.aead import AESCCM - - if len(data) < tag_length: - raise InvalidTag - - tag = data[-tag_length:] - data = data[:-tag_length] - cipher_name = _evp_cipher_cipher_name(cipher) - ctx = _evp_cipher_aead_setup( - backend, - cipher_name, - cipher._key, - nonce, - tag, - tag_length, - _DECRYPT, - ) - - # CCM requires us to pass the length of the data before processing - # anything. - # However calling this with any other AEAD results in an error - assert isinstance(cipher, AESCCM) - _evp_cipher_set_length(backend, ctx, len(data)) - - for ad in associated_data: - _evp_cipher_process_aad(backend, ctx, ad) - # CCM has a different error path if the tag doesn't match. Errors are - # raised in Update and Final is irrelevant. - outlen = backend._ffi.new("int *") - buf = backend._ffi.new("unsigned char[]", len(data)) - d_ptr = backend._ffi.from_buffer(data) - res = backend._lib.EVP_CipherUpdate(ctx, buf, outlen, d_ptr, len(data)) - if res != 1: - backend._consume_errors() - raise InvalidTag - - processed_data = backend._ffi.buffer(buf, outlen[0])[:] - - return processed_data diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index c5b02b2e9f01..1412c480b708 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py 
+++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -11,7 +11,6 @@ from cryptography import utils, x509 from cryptography.exceptions import UnsupportedAlgorithm -from cryptography.hazmat.backends.openssl import aead from cryptography.hazmat.backends.openssl.ciphers import _CipherContext from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.bindings.openssl import binding @@ -561,9 +560,6 @@ def ed448_supported(self) -> bool: and not self._lib.CRYPTOGRAPHY_IS_BORINGSSL ) - def aead_cipher_supported(self, cipher) -> bool: - return aead._aead_cipher_supported(self, cipher) - def _zero_data(self, data, length: int) -> None: # We clear things this way because at the moment we're not # sure of a better way that can guarantee it overwrites the diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi index e274073f201e..047f49d819c1 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi @@ -36,6 +36,23 @@ class ChaCha20Poly1305: associated_data: bytes | None, ) -> bytes: ... +class AESCCM: + def __init__(self, key: bytes, tag_length: int = 16) -> None: ... + @staticmethod + def generate_key(key_size: int) -> bytes: ... + def encrypt( + self, + nonce: bytes, + data: bytes, + associated_data: bytes | None, + ) -> bytes: ... + def decrypt( + self, + nonce: bytes, + data: bytes, + associated_data: bytes | None, + ) -> bytes: ... + class AESSIV: def __init__(self, key: bytes) -> None: ... @staticmethod diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py index e96b735b18f9..f82a05685e02 100644 --- a/src/cryptography/hazmat/primitives/ciphers/aead.py +++ b/src/cryptography/hazmat/primitives/ciphers/aead.py 
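Review bot: The new `AESCCM` stub declares `generate_key(key_size: int)`, but the Rust method added in this same commit is `fn generate_key(py, bit_length: usize)`, and the Python class it replaces also took `bit_length`. Assuming PyO3 exposes the Rust parameter name as the keyword, a type checker will accept `AESCCM.generate_key(key_size=128)`, which fails at runtime, and reject the working `bit_length=128`. The stub line should read `def generate_key(bit_length: int) -> bytes: ...` so the typed interface matches the implementation and the documented API.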
@@ -4,11 +4,6 @@ from __future__ import annotations -import os - -from cryptography import exceptions, utils -from cryptography.hazmat.backends.openssl import aead -from cryptography.hazmat.backends.openssl.backend import backend from cryptography.hazmat.bindings._rust import openssl as rust_openssl __all__ = [ 
@@ -22,91 +17,7 @@ AESGCM = rust_openssl.aead.AESGCM ChaCha20Poly1305 = rust_openssl.aead.ChaCha20Poly1305 +AESCCM = rust_openssl.aead.AESCCM AESSIV = rust_openssl.aead.AESSIV AESOCB3 = rust_openssl.aead.AESOCB3 AESGCMSIV = rust_openssl.aead.AESGCMSIV - - -class AESCCM: - _MAX_SIZE = 2**31 - 1 - - def __init__(self, key: bytes, tag_length: int = 16): - utils._check_byteslike("key", key) - if len(key) not in (16, 24, 32): - raise ValueError("AESCCM key must be 128, 192, or 256 bits.") - - self._key = key - if not isinstance(tag_length, int): - raise TypeError("tag_length must be an integer") - - if tag_length not in (4, 6, 8, 10, 12, 14, 16): - raise ValueError("Invalid tag_length") - - self._tag_length = tag_length - - if not backend.aead_cipher_supported(self): - raise exceptions.UnsupportedAlgorithm( - "AESCCM is not supported by this version of OpenSSL", - exceptions._Reasons.UNSUPPORTED_CIPHER, - ) - - @classmethod - def generate_key(cls, bit_length: int) -> bytes: - if not isinstance(bit_length, int): - raise TypeError("bit_length must be an integer") - - if bit_length not in (128, 192, 256): - raise ValueError("bit_length must be 128, 192, or 256") - - return os.urandom(bit_length // 8) - - def encrypt( - self, - nonce: bytes, - data: bytes, - associated_data: bytes | None, - ) -> bytes: - if associated_data is None: - associated_data = b"" - - if len(data) > self._MAX_SIZE or len(associated_data) > self._MAX_SIZE: - # This is OverflowError to match what cffi would raise - raise OverflowError( - "Data or associated data too long. 
Max 2**31 - 1 bytes" - ) - - self._check_params(nonce, data, associated_data) - self._validate_lengths(nonce, len(data)) - return aead._encrypt( - backend, self, nonce, data, [associated_data], self._tag_length - ) - - def decrypt( - self, - nonce: bytes, - data: bytes, - associated_data: bytes | None, - ) -> bytes: - if associated_data is None: - associated_data = b"" - - self._check_params(nonce, data, associated_data) - return aead._decrypt( - backend, self, nonce, data, [associated_data], self._tag_length - ) - - def _validate_lengths(self, nonce: bytes, data_len: int) -> None: - # For information about computing this, see - # https://tools.ietf.org/html/rfc3610#section-2.1 - l_val = 15 - len(nonce) - if 2 ** (8 * l_val) < data_len: - raise ValueError("Data too long for nonce") - - def _check_params( - self, nonce: bytes, data: bytes, associated_data: bytes - ) -> None: - utils._check_byteslike("nonce", nonce) - utils._check_byteslike("data", data) - utils._check_byteslike("associated_data", associated_data) - if not 7 <= len(nonce) <= 13: - raise ValueError("Nonce must be between 7 and 13 bytes") diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index b13a420c7588..7afd7a172e94 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -77,6 +77,7 @@ impl EvpCipherAead { ctx: &mut openssl::cipher_ctx::CipherCtx, data: &[u8], out: &mut [u8], + is_ccm: bool, ) -> CryptographyResult<()> { let bs = ctx.block_size(); @@ -87,9 +88,11 @@ impl EvpCipherAead { let n = ctx.cipher_update(data, Some(out))?; assert_eq!(n, data.len()); - let mut final_block = [0]; - let n = ctx.cipher_final(&mut final_block)?; - assert_eq!(n, 0); + if !is_ccm { + let mut final_block = [0]; + let n = ctx.cipher_final(&mut final_block)?; + assert_eq!(n, 0); + } } else { // Our algorithm here is: split the data into the full chunks, and // the remaining partial chunk. Feed the full chunks into OpenSSL 
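Review bot: The `if !is_ccm` guard around `ctx.cipher_final(&mut final_block)` in `process_data` has no comment saying why CCM skips finalization. The deleted Python backend explained this ("CCM has a different error path if the tag doesn't match. Errors are raised in Update and Final is irrelevant."), and that explanation is lost with this commit. Because this is where CCM's tag verification differs from every other AEAD handled here, I would put it above the guard: `// CCM reports a tag mismatch from cipher_update, so there is no cipher_final step.` `process_data` starts before this hunk and continues past it.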
@@ -131,9 +134,19 @@ impl EvpCipherAead { ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.copy(&self.base_encryption_ctx)?; - Self::encrypt_with_context(py, ctx, plaintext, aad, nonce, self.tag_len, self.tag_first) + Self::encrypt_with_context( + py, + ctx, + plaintext, + aad, + nonce, + self.tag_len, + self.tag_first, + false, + ) } + #[allow(clippy::too_many_arguments)] fn encrypt_with_context<'p>( py: pyo3::Python<'p>, mut ctx: openssl::cipher_ctx::CipherCtx, @@ -142,13 +155,19 @@ impl EvpCipherAead { nonce: Option<&[u8]>, tag_len: usize, tag_first: bool, + is_ccm: bool, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { check_length(plaintext)?; - if let Some(nonce) = nonce { - ctx.set_iv_length(nonce.len())?; + if !is_ccm { + if let Some(nonce) = nonce { + ctx.set_iv_length(nonce.len())?; + } + ctx.encrypt_init(None, None, nonce)?; + } + if is_ccm { + ctx.set_data_len(plaintext.len())?; } - ctx.encrypt_init(None, None, nonce)?; Self::process_aad(&mut ctx, aad)?; @@ -164,7 +183,7 @@ impl EvpCipherAead { (ciphertext, tag) = b.split_at_mut(plaintext.len()); } - Self::process_data(&mut ctx, plaintext, ciphertext)?; + Self::process_data(&mut ctx, plaintext, ciphertext, is_ccm)?; ctx.tag(tag).map_err(CryptographyError::from)?; @@ -190,9 +209,11 @@ impl EvpCipherAead { nonce, self.tag_len, self.tag_first, + false, ) } + #[allow(clippy::too_many_arguments)] fn decrypt_with_context<'p>( py: pyo3::Python<'p>, mut ctx: openssl::cipher_ctx::CipherCtx, @@ -201,16 +222,12 @@ impl EvpCipherAead { nonce: Option<&[u8]>, tag_len: usize, tag_first: bool, + is_ccm: bool, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { if ciphertext.len() < tag_len { return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); } - if let Some(nonce) = nonce { - ctx.set_iv_length(nonce.len())?; - } - ctx.decrypt_init(None, None, nonce)?; - let tag; let ciphertext_data; if tag_first { 
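Review bot: In `encrypt_with_context` (hunk -142,13 +155,19) the CCM path silently ignores the `nonce` argument. With `is_ccm` set, neither `ctx.set_iv_length(nonce.len())` nor `ctx.encrypt_init(None, None, nonce)` runs, so the function is only correct when the caller has already initialised the context with IV length, tag length, key and nonce. That precondition is not stated anywhere; a doc comment such as `/// When is_ccm is true, ctx must already be fully initialised (IV length, tag length, key, nonce); nonce is not applied here.` would stop a future caller from passing a bare context. The back-to-back `if !is_ccm { … }` and `if is_ccm { … }` would also read better as one `if is_ccm { ctx.set_data_len(plaintext.len())?; } else { … }`. `decrypt_with_context` has the same shape in the hunks at -201,16 +222,12 and -221,7 +238,18.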
@@ -221,7 +238,18 @@ impl EvpCipherAead { } else { (ciphertext_data, tag) = ciphertext.split_at(ciphertext.len() - tag_len); } - ctx.set_tag(tag)?; + + if !is_ccm { + if let Some(nonce) = nonce { + ctx.set_iv_length(nonce.len())?; + } + + ctx.decrypt_init(None, None, nonce)?; + ctx.set_tag(tag)?; + } + if is_ccm { + ctx.set_data_len(ciphertext_data.len())?; + } Self::process_aad(&mut ctx, aad)?; @@ -229,7 +257,7 @@ impl EvpCipherAead { py, ciphertext_data.len(), |b| { - Self::process_data(&mut ctx, ciphertext_data, b) + Self::process_data(&mut ctx, ciphertext_data, b, is_ccm) .map_err(|_| exceptions::InvalidTag::new_err(()))?; Ok(()) @@ -238,38 +266,29 @@ impl EvpCipherAead { } } -#[cfg(not(any( - CRYPTOGRAPHY_IS_LIBRESSL, - CRYPTOGRAPHY_IS_BORINGSSL, - not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), - CRYPTOGRAPHY_OPENSSL_320_OR_GREATER -)))] struct LazyEvpCipherAead { cipher: &'static openssl::cipher::CipherRef, key: pyo3::Py, tag_len: usize, tag_first: bool, + is_ccm: bool, } -#[cfg(not(any( - CRYPTOGRAPHY_IS_LIBRESSL, - CRYPTOGRAPHY_IS_BORINGSSL, - not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), - CRYPTOGRAPHY_OPENSSL_320_OR_GREATER -)))] impl LazyEvpCipherAead { fn new( cipher: &'static openssl::cipher::CipherRef, key: pyo3::Py, tag_len: usize, tag_first: bool, + is_ccm: bool, ) -> LazyEvpCipherAead { LazyEvpCipherAead { cipher, key, tag_len, tag_first, + is_ccm, } } 
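Review bot: `LazyEvpCipherAead::new` (hunk -238,38 +266,29) now takes two adjacent `bool` parameters, `tag_first` and `is_ccm`, and the call sites in this commit pass them positionally, e.g. `LazyEvpCipherAead::new(cipher, key, 16, false, false)`. Swapping the two compiles cleanly and selects the wrong initialisation sequence, which in AEAD code means failed or mis-framed tag handling rather than a build error. A two-variant enum in place of `is_ccm` would make the call sites self-describing. At minimum the arguments could be labelled where they are passed, as in `/* tag_first */ false, /* is_ccm */ true`.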
@@ -283,7 +302,15 @@ impl LazyEvpCipherAead { let key_buf = self.key.as_ref(py).extract::>()?; let mut encryption_ctx = openssl::cipher_ctx::CipherCtx::new()?; - encryption_ctx.encrypt_init(Some(self.cipher), Some(key_buf.as_bytes()), None)?; + if self.is_ccm { + encryption_ctx.encrypt_init(Some(self.cipher), None, None)?; + encryption_ctx.set_iv_length(nonce.as_ref().unwrap().len())?; + encryption_ctx.set_tag_length(self.tag_len)?; + encryption_ctx.encrypt_init(None, Some(key_buf.as_bytes()), nonce)?; + } else { + encryption_ctx.encrypt_init(Some(self.cipher), Some(key_buf.as_bytes()), None)?; + } + EvpCipherAead::encrypt_with_context( py, encryption_ctx, @@ -292,6 +319,7 @@ impl LazyEvpCipherAead { nonce, self.tag_len, self.tag_first, + self.is_ccm, ) } @@ -305,7 +333,22 @@ impl LazyEvpCipherAead { let key_buf = self.key.as_ref(py).extract::>()?; let mut decryption_ctx = openssl::cipher_ctx::CipherCtx::new()?; - decryption_ctx.decrypt_init(Some(self.cipher), Some(key_buf.as_bytes()), None)?; + if self.is_ccm { + decryption_ctx.decrypt_init(Some(self.cipher), None, None)?; + decryption_ctx.set_iv_length(nonce.as_ref().unwrap().len())?; + + if ciphertext.len() < self.tag_len { + return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); + } + + let (_, tag) = ciphertext.split_at(ciphertext.len() - self.tag_len); + decryption_ctx.set_tag(tag)?; + + decryption_ctx.decrypt_init(None, Some(key_buf.as_bytes()), nonce)?; + } else { + decryption_ctx.decrypt_init(Some(self.cipher), Some(key_buf.as_bytes()), None)?; + } + EvpCipherAead::decrypt_with_context( py, decryption_ctx, @@ -314,6 +357,7 @@ impl LazyEvpCipherAead { nonce, self.tag_len, self.tag_first, + self.is_ccm, ) } } @@ -478,6 +522,7 @@ impl ChaCha20Poly1305 { key, 16, false, + false, ) }) } @@ -583,7 +628,7 @@ impl AesGcm { }) } else { Ok(AesGcm { - ctx: LazyEvpCipherAead::new(cipher, key, 16, false), + ctx: LazyEvpCipherAead::new(cipher, key, 16, false, false), }) } 
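Review bot: `nonce.as_ref().unwrap()` in the CCM branch of `LazyEvpCipherAead::encrypt` panics if a caller passes `None`, and since `nonce` is an `Option` the type does not rule that out; the decrypt hunk at -305,7 +333,22 has the same call. The only CCM caller visible in this commit passes `Some(nonce_bytes)`, so this is an unstated invariant rather than a live bug. I would still state it with `.expect("CCM always supplies a nonce")` or return an error instead of unwinding through the Python boundary. The decrypt branch also repeats the `ciphertext.len() < self.tag_len` check and the tag split that `decrypt_with_context` performs, and its `split_at(ciphertext.len() - self.tag_len)` assumes a trailing tag regardless of `self.tag_first`. That holds for `AesCcm` as constructed here, but it deserves a comment.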
@@ -642,6 +687,135 @@ impl AesGcm { } } +#[pyo3::prelude::pyclass( + frozen, + module = "cryptography.hazmat.bindings._rust.openssl.aead", + name = "AESCCM" +)] +struct AesCcm { + ctx: LazyEvpCipherAead, +} + +#[pyo3::prelude::pymethods] +impl AesCcm { + #[new] + fn new( + py: pyo3::Python<'_>, + key: pyo3::Py, + tag_length: Option, + ) -> CryptographyResult { + cfg_if::cfg_if! { + if #[cfg(CRYPTOGRAPHY_IS_BORINGSSL)] { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "AES-CCM is not supported by this version of OpenSSL", + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )); + } else { + let key_buf = key.extract::>(py)?; + let cipher = match key_buf.as_bytes().len() { + 16 => openssl::cipher::Cipher::aes_128_ccm(), + 24 => openssl::cipher::Cipher::aes_192_ccm(), + 32 => openssl::cipher::Cipher::aes_256_ccm(), + _ => { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "AESCCM key must be 128, 192, or 256 bits.", + ), + )) + } + }; + let tag_length = tag_length.unwrap_or(16); + if ![4, 6, 8, 10, 12, 14, 16].contains(&tag_length) { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Invalid tag_length"), + )); + } + + Ok(AesCcm { + ctx: LazyEvpCipherAead::new(cipher, key, tag_length, false, true), + }) + } + } + } + + #[staticmethod] + fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + if bit_length != 128 && bit_length != 192 && bit_length != 256 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("bit_length must be 128, 192, or 256"), + )); + } + + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) 
+ } + + fn encrypt<'p>( + &self, + py: pyo3::Python<'p>, + nonce: CffiBuf<'_>, + data: CffiBuf<'_>, + associated_data: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let nonce_bytes = nonce.as_bytes(); + let data_bytes = data.as_bytes(); + let aad = associated_data.map(Aad::Single); + + if nonce_bytes.len() < 7 || nonce_bytes.len() > 13 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Nonce must be between 7 and 13 bytes"), + )); + } + + check_length(data_bytes)?; + // For information about computing this, see + // https://tools.ietf.org/html/rfc3610#section-2.1 + let l_val = 15 - nonce_bytes.len(); + let max_length = 1usize.checked_shl(8 * l_val as u32); + // If `max_length` overflowed, then it's not possible for data to be + // longer than it. + if max_length.map(|v| v < data_bytes.len()).unwrap_or(false) { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Data too long for nonce"), + )); + } + + self.ctx.encrypt(py, data_bytes, aad, Some(nonce_bytes)) + } + + fn decrypt<'p>( + &self, + py: pyo3::Python<'p>, + nonce: CffiBuf<'_>, + data: CffiBuf<'_>, + associated_data: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let nonce_bytes = nonce.as_bytes(); + let data_bytes = data.as_bytes(); + let aad = associated_data.map(Aad::Single); + + if nonce_bytes.len() < 7 || nonce_bytes.len() > 13 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Nonce must be between 7 and 13 bytes"), + )); + } + // For information about computing this, see + // https://tools.ietf.org/html/rfc3610#section-2.1 + let l_val = 15 - nonce_bytes.len(); + let max_length = 1usize.checked_shl(8 * l_val as u32); + // If `max_length` overflowed, then it's not possible for data to be + // longer than it. 
+ if max_length.map(|v| v < data_bytes.len()).unwrap_or(false) { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Data too long for nonce"), + )); + } + + self.ctx.decrypt(py, data_bytes, aad, Some(nonce_bytes)) + } +} + #[pyo3::prelude::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead", @@ -957,6 +1131,7 @@ pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelu m.add_class::()?; m.add_class::()?; + m.add_class::()?; m.add_class::()?; m.add_class::()?; m.add_class::()?; diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index 5228edbbd2d3..a1f99ab815ed 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -296,6 +296,9 @@ def test_nonce_too_long(self, backend): with pytest.raises(ValueError): aesccm.encrypt(nonce, pt, None) + with pytest.raises(ValueError): + aesccm.decrypt(nonce, pt, None) + @pytest.mark.parametrize( ("nonce", "data", "associated_data"), [ From 49bf4e408cd2f93276687f451dd28982e5d501e0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jan 2024 18:06:11 -0500 Subject: [PATCH 0036/1462] Remove unused attr on backend (#10285) --- src/cryptography/hazmat/backends/openssl/backend.py | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 1412c480b708..6a8c65cebc78 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py 
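Review bot: In `AesCcm::decrypt` the RFC 3610 length bound is compared with `data_bytes.len()`, which still includes the authentication tag (`LazyEvpCipherAead::decrypt` splits the tag off the end of the same buffer). A message near the limit that `encrypt` accepts therefore appears to be rejected on the way back with "Data too long for nonce": with a 13-byte nonce the bound is 65536, and a 65530-byte plaintext plus a 16-byte tag gives a 65546-byte input. Comparing only the message length, `if max_length.map(|v| v < data_bytes.len().saturating_sub(self.ctx.tag_len)).unwrap_or(false) {`, would make the two directions agree. The nonce-length and data-length checks are also duplicated between `encrypt` and `decrypt` and could move into one private helper.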
@@ -80,18 +80,6 @@ class Backend: name = "openssl" - # FIPS has opinions about acceptable algorithms and key sizes, but the - # disallowed algorithms are still present in OpenSSL. They just error if - # you try to use them. To avoid that we allowlist the algorithms in - # FIPS 140-3. This isn't ideal, but FIPS 140-3 is trash so here we are. - _fips_aead: typing.ClassVar[set[bytes]] = { - b"aes-128-ccm", - b"aes-192-ccm", - b"aes-256-ccm", - b"aes-128-gcm", - b"aes-192-gcm", - b"aes-256-gcm", - } # TripleDES encryption is disallowed/deprecated throughout 2023 in # FIPS 140-3. To keep it simple we denylist any use of TripleDES (TDEA). _fips_ciphers = (AES,) From 4ea43098ca252fa4e3dfdb0f9869473f02b8247f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 29 Jan 2024 17:40:25 -0600 Subject: [PATCH 0037/1462] stop using SHA1 in most of test_ec where it isn't needed (#10287) --- tests/hazmat/primitives/test_ec.py | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 334e76dcc073..9a368e67cafa 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -510,7 +510,7 @@ def test_signature_failures(self, backend, subtests): def test_sign(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = b"one little message" - algorithm = ec.ECDSA(hashes.SHA1()) + algorithm = ec.ECDSA(hashes.SHA256()) private_key = ec.generate_private_key(ec.SECP256R1(), backend) signature = private_key.sign(message, algorithm) public_key = private_key.public_key() 
@@ -519,7 +519,7 @@ def test_sign(self, backend): def test_sign_verify_buffers(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = bytearray(b"one little message") - algorithm = ec.ECDSA(hashes.SHA1()) + algorithm = ec.ECDSA(hashes.SHA256()) private_key = ec.generate_private_key(ec.SECP256R1(), backend) signature = private_key.sign(message, algorithm) public_key = private_key.public_key() @@ -528,19 +528,19 @@ def test_sign_verify_buffers(self, backend): def test_sign_prehashed(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = b"one little message" - h = hashes.Hash(hashes.SHA1(), backend) + h = hashes.Hash(hashes.SHA256(), backend) h.update(message) data = h.finalize() - algorithm = ec.ECDSA(Prehashed(hashes.SHA1())) + algorithm = ec.ECDSA(Prehashed(hashes.SHA256())) private_key = ec.generate_private_key(ec.SECP256R1(), backend) signature = private_key.sign(data, algorithm) public_key = private_key.public_key() - public_key.verify(signature, message, ec.ECDSA(hashes.SHA1())) + public_key.verify(signature, message, ec.ECDSA(hashes.SHA256())) def test_sign_prehashed_digest_mismatch(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = b"one little message" - h = hashes.Hash(hashes.SHA1(), backend) + h = hashes.Hash(hashes.SHA224(), backend) h.update(message) data = h.finalize() algorithm = ec.ECDSA(Prehashed(hashes.SHA256())) @@ -551,7 +551,7 @@ def test_sign_prehashed_digest_mismatch(self, backend): def test_verify(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = b"one little message" - algorithm = ec.ECDSA(hashes.SHA1()) + algorithm = ec.ECDSA(hashes.SHA256()) private_key = ec.generate_private_key(ec.SECP256R1(), backend) signature = private_key.sign(message, algorithm) public_key = private_key.public_key() 
@@ -560,20 +560,22 @@ def test_verify(self, backend): def test_verify_prehashed(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = b"one little message" - algorithm = ec.ECDSA(hashes.SHA1()) + algorithm = ec.ECDSA(hashes.SHA256()) private_key = ec.generate_private_key(ec.SECP256R1(), backend) signature = private_key.sign(message, algorithm) - h = hashes.Hash(hashes.SHA1(), backend) + h = hashes.Hash(hashes.SHA256(), backend) h.update(message) data = h.finalize() public_key = private_key.public_key() - public_key.verify(signature, data, ec.ECDSA(Prehashed(hashes.SHA1()))) + public_key.verify( + signature, data, ec.ECDSA(Prehashed(hashes.SHA256())) + ) def test_verify_prehashed_digest_mismatch(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = b"one little message" private_key = ec.generate_private_key(ec.SECP256R1(), backend) - h = hashes.Hash(hashes.SHA1(), backend) + h = hashes.Hash(hashes.SHA224(), backend) h.update(message) data = h.finalize() public_key = private_key.public_key() From 07b706f336e475fd5dd35fad9e39535a419b6c81 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 29 Jan 2024 17:44:42 -0600 Subject: [PATCH 0038/1462] remove unneeded sha1 and support checks from the rsa tests (#10288) --- tests/hazmat/primitives/test_rsa.py | 136 +++++++++++----------------- 1 file changed, 53 insertions(+), 83 deletions(-) diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 7e82743c49bc..83055fd6fa28 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -72,7 +72,7 @@ def rsa_key_2048() -> rsa.RSAPrivateKey: class DummyMGF(padding.MGF): _salt_length = 0 - _algorithm = hashes.SHA1() + _algorithm = hashes.SHA256() def _check_fips_key_length(backend, private_key): 
@@ -600,7 +600,7 @@ def test_pss_digest_length(self, rsa_key_2048, backend): backend.hash_supported(hashes.SHA512()) and backend.rsa_padding_supported( padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ) ) @@ -615,7 +615,7 @@ def test_pss_minimum_key_size_for_digest(self, backend): private_key.sign( b"no failure", padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ), hashes.SHA512(), @@ -624,7 +624,7 @@ def test_pss_minimum_key_size_for_digest(self, backend): @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ) ), @@ -643,7 +643,7 @@ def test_pss_signing_digest_too_large_for_key_size( private_key.sign( b"msg", padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ), hashes.SHA512(), @@ -652,7 +652,7 @@ def test_pss_signing_digest_too_large_for_key_size( @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ) ), @@ -666,7 +666,7 @@ def test_pss_signing_salt_length_too_long( private_key.sign( b"failure coming", padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), salt_length=1000000 + mgf=padding.MGF1(hashes.SHA256()), salt_length=1000000 ), hashes.SHA256(), ) @@ -676,7 +676,7 @@ def test_unsupported_padding( ): private_key = rsa_key_2048 with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_PADDING): - private_key.sign(b"msg", DummyAsymmetricPadding(), hashes.SHA1()) + private_key.sign(b"msg", DummyAsymmetricPadding(), hashes.SHA256()) def test_padding_incorrect_type( self, rsa_key_2048: rsa.RSAPrivateKey, backend 
@@ -691,7 +691,7 @@ def test_padding_incorrect_type( @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( - padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=0) + padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=0) ), skip_message="Does not support PSS.", ) @@ -706,7 +706,7 @@ def test_unsupported_pss_mgf( mgf=DummyMGF(), salt_length=padding.PSS.MAX_LENGTH, ), - hashes.SHA1(), + hashes.SHA256(), ) @pytest.mark.supported( @@ -778,7 +778,7 @@ def test_sign(self, rsa_key_2048: rsa.RSAPrivateKey, message, backend): @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( - padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=0) + padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=0) ), skip_message="Does not support PSS.", ) @@ -788,7 +788,7 @@ def test_prehashed_sign(self, rsa_key_2048: rsa.RSAPrivateKey, backend): h = hashes.Hash(hashes.SHA256(), backend) h.update(message) digest = h.finalize() - pss = padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=0) + pss = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=0) prehashed_alg = asym_utils.Prehashed(hashes.SHA256()) signature = private_key.sign(digest, pss, prehashed_alg) public_key = private_key.public_key() @@ -828,7 +828,7 @@ def test_prehashed_digest_length( ) @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( - padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=0) + padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=0) ), skip_message="Does not support PSS.", ) @@ -856,7 +856,7 @@ def test_unsupported_hash_pss_mgf1(self, rsa_key_2048: rsa.RSAPrivateKey): @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( - padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=0) + padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=0) ), skip_message="Does not support PSS.", ) 
@@ -868,8 +868,8 @@ def test_prehashed_digest_mismatch( h = hashes.Hash(hashes.SHA512(), backend) h.update(message) digest = h.finalize() - pss = padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=0) - prehashed_alg = asym_utils.Prehashed(hashes.SHA1()) + pss = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=0) + prehashed_alg = asym_utils.Prehashed(hashes.SHA256()) with pytest.raises(ValueError): private_key.sign(digest, pss, prehashed_alg) @@ -1105,18 +1105,12 @@ def test_pss_verify_auto_salt_length( @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ) ), skip_message="Does not support PSS.", ) - @pytest.mark.supported( - only_if=lambda backend: backend.signature_hash_supported( - hashes.SHA1() - ), - skip_message="Does not support SHA1 signature.", - ) @pytest.mark.skip_fips(reason="Unsupported key size in FIPS mode.") def test_invalid_pss_signature_wrong_data(self, backend): public_key = rsa.RSAPublicNumbers( @@ -1137,27 +1131,21 @@ def test_invalid_pss_signature_wrong_data(self, backend): signature, b"incorrect data", padding.PSS( - mgf=padding.MGF1(algorithm=hashes.SHA1()), + mgf=padding.MGF1(algorithm=hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ), - hashes.SHA1(), + hashes.SHA256(), ) @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ) ), skip_message="Does not support PSS.", ) - @pytest.mark.supported( - only_if=lambda backend: backend.signature_hash_supported( - hashes.SHA1() - ), - skip_message="Does not support SHA1 signature.", - ) @pytest.mark.skip_fips(reason="Unsupported key size in FIPS mode.") def test_invalid_pss_signature_wrong_key(self, backend): signature = binascii.unhexlify( 
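Review bot: In `test_invalid_pss_signature_wrong_data` the verify call moves from SHA-1 to SHA-256 for both the MGF1 hash and the message hash, while the hard-coded signature (defined outside the hunk) is not touched, so it presumably no longer matches these parameters at all. If so, `InvalidSignature` is raised because of the hash mismatch whatever the data is, and the test no longer isolates the "wrong data" condition it is named for. The same applies to the fixed-signature tests in the following hunks (`test_invalid_pss_signature_wrong_key`, `test_invalid_pss_signature_data_too_large_for_modulus`, `test_pss_verify_salt_length_too_long`). Regenerating the vectors under SHA-256, or keeping SHA-1 together with the `signature_hash_supported` guard for these cases, would keep each negative test tied to a single cause of failure.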
@@ -1180,27 +1168,21 @@ def test_invalid_pss_signature_wrong_key(self, backend): signature, b"sign me", padding.PSS( - mgf=padding.MGF1(algorithm=hashes.SHA1()), + mgf=padding.MGF1(algorithm=hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ), - hashes.SHA1(), + hashes.SHA256(), ) @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ) ), skip_message="Does not support PSS.", ) - @pytest.mark.supported( - only_if=lambda backend: backend.signature_hash_supported( - hashes.SHA1() - ), - skip_message="Does not support SHA1 signature.", - ) @pytest.mark.skip_fips(reason="Unsupported key size in FIPS mode.") def test_invalid_pss_signature_data_too_large_for_modulus(self, backend): # 2048 bit PSS signature @@ -1223,25 +1205,19 @@ def test_invalid_pss_signature_data_too_large_for_modulus(self, backend): signature, b"sign me", padding.PSS( - mgf=padding.MGF1(algorithm=hashes.SHA1()), + mgf=padding.MGF1(algorithm=hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ), - hashes.SHA1(), + hashes.SHA256(), ) - @pytest.mark.supported( - only_if=lambda backend: backend.signature_hash_supported( - hashes.SHA1() - ), - skip_message="Does not support SHA1 signature.", - ) def test_invalid_pss_signature_recover( self, rsa_key_2048: rsa.RSAPrivateKey, backend ): private_key = rsa_key_2048 public_key = private_key.public_key() pss_padding = padding.PSS( - mgf=padding.MGF1(algorithm=hashes.SHA1()), + mgf=padding.MGF1(algorithm=hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ) signature = private_key.sign(b"sign me", pss_padding, hashes.SHA256()) 
@@ -1283,7 +1259,7 @@ def test_padding_incorrect_type( @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( - padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=0) + padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=0) ), skip_message="Does not support PSS.", ) @@ -1305,7 +1281,7 @@ def test_unsupported_pss_mgf( @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA512()), salt_length=padding.PSS.MAX_LENGTH, ) ), @@ -1330,7 +1306,7 @@ def test_pss_verify_digest_too_large_for_key_size( signature, b"msg doesn't matter", padding.PSS( - mgf=padding.MGF1(algorithm=hashes.SHA1()), + mgf=padding.MGF1(algorithm=hashes.SHA512()), salt_length=padding.PSS.MAX_LENGTH, ), hashes.SHA512(), @@ -1339,18 +1315,12 @@ def test_pss_verify_digest_too_large_for_key_size( @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ) ), skip_message="Does not support PSS.", ) - @pytest.mark.supported( - only_if=lambda backend: backend.signature_hash_supported( - hashes.SHA1() - ), - skip_message="Does not support SHA1 signature.", - ) @pytest.mark.skip_fips(reason="Unsupported key size in FIPS mode.") def test_pss_verify_salt_length_too_long(self, backend): signature = binascii.unhexlify( @@ -1372,11 +1342,11 @@ def test_pss_verify_salt_length_too_long(self, backend): b"sign me", padding.PSS( mgf=padding.MGF1( - algorithm=hashes.SHA1(), + algorithm=hashes.SHA256(), ), salt_length=1000000, ), - hashes.SHA1(), + hashes.SHA256(), ) @pytest.mark.parametrize( 
@@ -1673,16 +1643,16 @@ def test_calculate_max_pss_salt_length(self): def test_invalid_salt_length_not_integer(self): with pytest.raises(TypeError): padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=b"not_a_length", # type:ignore[arg-type] ) def test_invalid_salt_length_negative_integer(self): with pytest.raises(ValueError): - padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=-1) + padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=-1) def test_valid_pss_parameters(self): - algorithm = hashes.SHA1() + algorithm = hashes.SHA256() salt_length = algorithm.digest_size mgf = padding.MGF1(algorithm) pss = padding.PSS(mgf=mgf, salt_length=salt_length) @@ -1690,14 +1660,14 @@ def test_valid_pss_parameters(self): assert pss._salt_length == salt_length def test_valid_pss_parameters_maximum(self): - algorithm = hashes.SHA1() + algorithm = hashes.SHA256() mgf = padding.MGF1(algorithm) pss = padding.PSS(mgf=mgf, salt_length=padding.PSS.MAX_LENGTH) assert pss._mgf == mgf assert pss._salt_length == padding.PSS.MAX_LENGTH def test_mgf_property(self): - algorithm = hashes.SHA1() + algorithm = hashes.SHA256() mgf = padding.MGF1(algorithm) pss = padding.PSS(mgf=mgf, salt_length=padding.PSS.MAX_LENGTH) assert pss.mgf == mgf @@ -1710,14 +1680,14 @@ def test_invalid_hash_algorithm(self): padding.MGF1(b"not_a_hash") # type:ignore[arg-type] def test_valid_mgf1_parameters(self): - algorithm = hashes.SHA1() + algorithm = hashes.SHA256() mgf = padding.MGF1(algorithm) assert mgf._algorithm == algorithm class TestOAEP: def test_invalid_algorithm(self): - mgf = padding.MGF1(hashes.SHA1()) + mgf = padding.MGF1(hashes.SHA256()) with pytest.raises(TypeError): padding.OAEP( mgf=mgf, 
@@ -1726,14 +1696,14 @@ def test_invalid_algorithm(self): ) def test_algorithm_property(self): - algorithm = hashes.SHA1() + algorithm = hashes.SHA256() mgf = padding.MGF1(algorithm) oaep = padding.OAEP(mgf=mgf, algorithm=algorithm, label=None) assert oaep.algorithm == algorithm assert oaep.algorithm == oaep._algorithm def test_mgf_property(self): - algorithm = hashes.SHA1() + algorithm = hashes.SHA256() mgf = padding.MGF1(algorithm) oaep = padding.OAEP(mgf=mgf, algorithm=algorithm, label=None) assert oaep.mgf == mgf @@ -1898,8 +1868,8 @@ def test_decrypt_oaep_sha2_vectors(self, backend, subtests): @pytest.mark.supported( only_if=lambda backend: backend.rsa_encryption_supported( padding.OAEP( - mgf=padding.MGF1(algorithm=hashes.SHA1()), - algorithm=hashes.SHA1(), + mgf=padding.MGF1(algorithm=hashes.SHA256()), + algorithm=hashes.SHA256(), label=None, ) ), @@ -1916,8 +1886,8 @@ def test_invalid_oaep_decryption( ciphertext = private_key.public_key().encrypt( b"secure data", padding.OAEP( - mgf=padding.MGF1(algorithm=hashes.SHA1()), - algorithm=hashes.SHA1(), + mgf=padding.MGF1(algorithm=hashes.SHA256()), + algorithm=hashes.SHA256(), label=None, ), ) @@ -1930,8 +1900,8 @@ def test_invalid_oaep_decryption( private_key_alt.decrypt( ciphertext, padding.OAEP( - mgf=padding.MGF1(algorithm=hashes.SHA1()), - algorithm=hashes.SHA1(), + mgf=padding.MGF1(algorithm=hashes.SHA256()), + algorithm=hashes.SHA256(), label=None, ), ) @@ -2006,7 +1976,7 @@ def test_unsupported_oaep_mgf( b"0" * 256, padding.OAEP( mgf=DummyMGF(), - algorithm=hashes.SHA1(), + algorithm=hashes.SHA256(), label=None, ), ) @@ -2016,8 +1986,8 @@ class TestRSAEncryption: @pytest.mark.supported( only_if=lambda backend: backend.rsa_encryption_supported( padding.OAEP( - mgf=padding.MGF1(algorithm=hashes.SHA1()), - algorithm=hashes.SHA1(), + mgf=padding.MGF1(algorithm=hashes.SHA256()), + algorithm=hashes.SHA256(), label=None, ) ), 
@@ -2040,8 +2010,8 @@ class TestRSAEncryption: ), [ padding.OAEP( - mgf=padding.MGF1(algorithm=hashes.SHA1()), - algorithm=hashes.SHA1(), + mgf=padding.MGF1(algorithm=hashes.SHA256()), + algorithm=hashes.SHA256(), label=None, ) ], @@ -2206,7 +2176,7 @@ def test_unsupported_oaep_mgf( b"ciphertext", padding.OAEP( mgf=DummyMGF(), - algorithm=hashes.SHA1(), + algorithm=hashes.SHA256(), label=None, ), ) From 5dd88c92dca61c637649788f98b48a033722201f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 30 Jan 2024 00:14:06 +0000 Subject: [PATCH 0039/1462] Bump BoringSSL and/or OpenSSL in CI (#10291) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8d79bc7c0f69..c7c068c3370f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.0"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 27, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "db7308de87ea138e7bbcbbb00dfc9b841774ba2f"}} + # Latest commit on the BoringSSL master branch, as of Jan 30, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "f58aa24e661d528e07f7c59574926aebb4e92c14"}} # Latest commit on the OpenSSL master branch, as of Jan 26, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0f644b96d209443b4566f7e86e3be2568292e75b"}} # Builds with various Rust versions. Includes MSRV and next From 46655d7736ecabc6a3a90fbbc06fd1fa6114ad2e Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 30 Jan 2024 00:41:05 +0000 Subject: [PATCH 0040/1462] Bump x509-limbo and/or wycheproof in CI (#10292) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index fb78f39da598..7e5198c8094a 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 26, 2024. - ref: "3f614440092d3bfd0d0787095c558c4b4626195b" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 30, 2024. + ref: "dd7541dac329f03756f6358ad0c01d32e5677619" # x509-limbo-ref From 722a6393e61b3acb569f404218f213fe08478a96 Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Mon, 29 Jan 2024 18:42:21 -0600 Subject: [PATCH 0041/1462] migrate ARC4 and TripleDES to decrepit (#10286) --- CHANGELOG.rst | 7 +- docs/hazmat/decrepit/ciphers.rst | 40 ++++++++++ .../primitives/symmetric-encryption.rst | 8 +- .../hazmat/backends/openssl/backend.py | 4 +- .../hazmat/decrepit/ciphers/algorithms.py | 30 +++++++ .../hazmat/primitives/ciphers/algorithms.py | 50 ++++++------ src/cryptography/utils.py | 1 + src/rust/src/types.rs | 2 +- .../primitives/{ => decrepit}/test_3des.py | 7 +- .../primitives/decrepit/test_algorithms.py | 67 +++++++++++++++- .../primitives/{ => decrepit}/test_arc4.py | 6 +- tests/hazmat/primitives/test_ciphers.py | 79 +++---------------- tests/hazmat/primitives/test_cmac.py | 3 +- tests/hazmat/primitives/test_kbkdf.py | 2 +- tests/hazmat/primitives/utils.py | 9 ++- 15 files changed, 202 insertions(+), 113 deletions(-) rename tests/hazmat/primitives/{ => decrepit}/test_3des.py (96%) rename tests/hazmat/primitives/{ => decrepit}/test_arc4.py (85%) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 1088e7099323..36a90eff5ced 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -18,7 +18,12 @@ Changelog :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`, :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish`, which were - deprecated in 37.0.0, have been added to this module. + deprecated in 37.0.0, have been added to this module. They will be removed + from the ``cipher`` module in 45.0.0. +* Moved :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` + and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ARC4` into + :doc:`/hazmat/decrepit/index` and deprecated them in the ``cipher`` module. + They will be removed from the ``cipher`` module in 48.0.0. .. _v42-0-1: diff --git a/docs/hazmat/decrepit/ciphers.rst b/docs/hazmat/decrepit/ciphers.rst index fed571eab50a..2f7b12f14333 100644 
--- a/docs/hazmat/decrepit/ciphers.rst +++ b/docs/hazmat/decrepit/ciphers.rst @@ -14,6 +14,46 @@ compatibility or interoperability with legacy systems. Their use is These algorithms require you to use a :class:`~cryptography.hazmat.primitives.ciphers.Cipher` object along with the appropriate :mod:`~cryptography.hazmat.primitives.ciphers.modes`. +.. class:: ARC4(key) + + ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its + initial stream output. Its use is strongly discouraged. ARC4 does not use + mode constructions. + + :param key: The secret key. This must be kept secret. Either ``40``, + ``56``, ``64``, ``80``, ``128``, ``192``, or ``256`` :term:`bits` in + length. + :type key: :term:`bytes-like` + + .. doctest:: + + >>> import os + >>> from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes + >>> key = os.urandom(16) + >>> algorithm = algorithms.ARC4(key) + >>> cipher = Cipher(algorithm, mode=None) + >>> encryptor = cipher.encryptor() + >>> ct = encryptor.update(b"a secret message") + >>> decryptor = cipher.decryptor() + >>> decryptor.update(ct) + b'a secret message' + +.. class:: TripleDES(key) + + Triple DES (Data Encryption Standard), sometimes referred to as 3DES, is a + block cipher standardized by NIST. Triple DES has known crypto-analytic + flaws, however none of them currently enable a practical attack. + Nonetheless, Triple DES is not recommended for new applications because it + is incredibly slow; old applications should consider moving away from it. + + :param key: The secret key. This must be kept secret. Either ``64``, + ``128``, or ``192`` :term:`bits` long. DES only uses ``56``, ``112``, + or ``168`` bits of the key as there is a parity byte in each component + of the key. Some writing refers to there being up to three separate + keys that are each ``56`` bits long, they can simply be concatenated + to produce the full key. + :type key: :term:`bytes-like` + .. class:: CAST5(key) .. versionadded:: 43.0.0 
diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index 2b21c4162afd..6eb769bb23b1 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -187,6 +187,12 @@ Algorithms .. class:: TripleDES(key) + .. warning:: + + This algorithm has been deprecated and moved to the :doc:`/hazmat/decrepit/index` + module. If you need to continue using it then update your code to + use the new module path. It will be removed from this namespace in 48.0.0. + Triple DES (Data Encryption Standard), sometimes referred to as 3DES, is a block cipher standardized by NIST. Triple DES has known crypto-analytic flaws, however none of them currently enable a practical attack. @@ -284,7 +290,7 @@ Weak ciphers This algorithm has been deprecated and moved to the :doc:`/hazmat/decrepit/index` module. If you need to continue using it then update your code to - use the new module path. It will be removed from this namespace in 45.0.0. + use the new module path. It will be removed from this namespace in 48.0.0. ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 6a8c65cebc78..3cf01664685c 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -15,10 +15,12 @@ from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.bindings.openssl import binding from cryptography.hazmat.decrepit.ciphers.algorithms import ( + ARC4, CAST5, IDEA, SEED, Blowfish, + TripleDES, ) from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives._asymmetric import AsymmetricPadding 
@@ -40,11 +42,9 @@ AES, AES128, AES256, - ARC4, SM4, Camellia, ChaCha20, - TripleDES, ) from cryptography.hazmat.primitives.ciphers.modes import ( CBC, diff --git a/src/cryptography/hazmat/decrepit/ciphers/algorithms.py b/src/cryptography/hazmat/decrepit/ciphers/algorithms.py index f9432834dc5c..68cd533c9c97 100644 --- a/src/cryptography/hazmat/decrepit/ciphers/algorithms.py +++ b/src/cryptography/hazmat/decrepit/ciphers/algorithms.py @@ -6,10 +6,40 @@ from cryptography.hazmat.primitives._cipheralgorithm import ( BlockCipherAlgorithm, + CipherAlgorithm, _verify_key_size, ) +class ARC4(CipherAlgorithm): + name = "RC4" + key_sizes = frozenset([40, 56, 64, 80, 128, 160, 192, 256]) + + def __init__(self, key: bytes): + self.key = _verify_key_size(self, key) + + @property + def key_size(self) -> int: + return len(self.key) * 8 + + +class TripleDES(BlockCipherAlgorithm): + name = "3DES" + block_size = 64 + key_sizes = frozenset([64, 128, 192]) + + def __init__(self, key: bytes): + if len(key) == 8: + key += key + key + elif len(key) == 16: + key += key[:8] + self.key = _verify_key_size(self, key) + + @property + def key_size(self) -> int: + return len(self.key) * 8 + + class Blowfish(BlockCipherAlgorithm): name = "Blowfish" block_size = 64 diff --git a/src/cryptography/hazmat/primitives/ciphers/algorithms.py b/src/cryptography/hazmat/primitives/ciphers/algorithms.py index 645d0acd3cac..1051ba323506 100644 --- a/src/cryptography/hazmat/primitives/ciphers/algorithms.py +++ b/src/cryptography/hazmat/primitives/ciphers/algorithms.py @@ -5,6 +5,9 @@ from __future__ import annotations from cryptography import utils +from cryptography.hazmat.decrepit.ciphers.algorithms import ( + ARC4 as ARC4, +) from cryptography.hazmat.decrepit.ciphers.algorithms import ( CAST5 as CAST5, ) 
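Review bot: In the relocated `TripleDES.__init__`, the `len(key) == 8` branch repeats the key three times, so K1 = K2 = K3 and the cipher is equivalent to single DES, yet nothing in the class says so. The `len(key) == 16` branch likewise yields two-key Triple DES by reusing the first eight bytes as K3. Since the class now lives in the decrepit module, a comment above the branches would make the effective strength visible to maintainers, e.g. `# 8-byte key: K1 = K2 = K3, equivalent to single DES; 16-byte key: K3 = K1 (two-key 3DES)`. Separately, the ARC4 `key_sizes` set in the same hunk accepts 160 bits, which the parameter description added in docs/hazmat/decrepit/ciphers.rst does not list.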
@@ -17,6 +20,9 @@ from cryptography.hazmat.decrepit.ciphers.algorithms import ( Blowfish as Blowfish, ) +from cryptography.hazmat.decrepit.ciphers.algorithms import ( + TripleDES as TripleDES, +) from cryptography.hazmat.primitives._cipheralgorithm import _verify_key_size from cryptography.hazmat.primitives.ciphers import ( BlockCipherAlgorithm, @@ -71,22 +77,26 @@ def key_size(self) -> int: return len(self.key) * 8 -class TripleDES(BlockCipherAlgorithm): - name = "3DES" - block_size = 64 - key_sizes = frozenset([64, 128, 192]) - - def __init__(self, key: bytes): - if len(key) == 8: - key += key + key - elif len(key) == 16: - key += key[:8] - self.key = _verify_key_size(self, key) +utils.deprecated( + ARC4, + __name__, + "ARC4 has been moved to " + "cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and " + "will be removed from this module in 48.0.0.", + utils.DeprecatedIn43, + name="ARC4", +) - @property - def key_size(self) -> int: - return len(self.key) * 8 +utils.deprecated( + TripleDES, + __name__, + "TripleDES has been moved to " + "cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and " + "will be removed from this module in 48.0.0.", + utils.DeprecatedIn43, + name="TripleDES", +) utils.deprecated( Blowfish, @@ -110,18 +120,6 @@ def key_size(self) -> int: ) -class ARC4(CipherAlgorithm): - name = "RC4" - key_sizes = frozenset([40, 56, 64, 80, 128, 160, 192, 256]) - - def __init__(self, key: bytes): - self.key = _verify_key_size(self, key) - - @property - def key_size(self) -> int: - return len(self.key) * 8 - - utils.deprecated( IDEA, __name__, diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py index d6f079d4be0e..b3f6e736918a 100644 --- a/src/cryptography/utils.py +++ b/src/cryptography/utils.py 
@@ -25,6 +25,7 @@ class CryptographyDeprecationWarning(UserWarning): DeprecatedIn40 = CryptographyDeprecationWarning DeprecatedIn41 = CryptographyDeprecationWarning DeprecatedIn42 = CryptographyDeprecationWarning +DeprecatedIn43 = CryptographyDeprecationWarning def _check_bytes(name: str, value: bytes) -> None: diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index fc60ecd97f10..ddd5d8f452ff 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -458,7 +458,7 @@ pub static BLOCK_CIPHER_ALGORITHM: LazyPyImport = LazyPyImport::new( ); pub static TRIPLE_DES: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.ciphers.algorithms", + "cryptography.hazmat.decrepit.ciphers.algorithms", &["TripleDES"], ); pub static AES: LazyPyImport = LazyPyImport::new( diff --git a/tests/hazmat/primitives/test_3des.py b/tests/hazmat/primitives/decrepit/test_3des.py similarity index 96% rename from tests/hazmat/primitives/test_3des.py rename to tests/hazmat/primitives/decrepit/test_3des.py index 007ecfe21271..f64cbd2d4412 100644 --- a/tests/hazmat/primitives/test_3des.py +++ b/tests/hazmat/primitives/decrepit/test_3des.py @@ -12,10 +12,11 @@ import pytest -from cryptography.hazmat.primitives.ciphers import algorithms, modes +from cryptography.hazmat.decrepit.ciphers import algorithms +from cryptography.hazmat.primitives.ciphers import modes -from ...utils import load_nist_vectors -from .utils import generate_encrypt_test +from ....utils import load_nist_vectors +from ..utils import generate_encrypt_test @pytest.mark.supported( diff --git a/tests/hazmat/primitives/decrepit/test_algorithms.py b/tests/hazmat/primitives/decrepit/test_algorithms.py index c812f17fd3d9..0dbdac7c5da8 100644 --- a/tests/hazmat/primitives/decrepit/test_algorithms.py +++ b/tests/hazmat/primitives/decrepit/test_algorithms.py 
@@ -8,18 +8,83 @@ import pytest +from cryptography.exceptions import _Reasons from cryptography.hazmat.decrepit.ciphers.algorithms import ( + ARC4, CAST5, IDEA, SEED, Blowfish, + TripleDES, ) +from cryptography.hazmat.primitives import ciphers from cryptography.hazmat.primitives.ciphers import modes -from ....utils import load_nist_vectors +from ....utils import load_nist_vectors, raises_unsupported_algorithm from ..utils import generate_encrypt_test +class TestARC4: + @pytest.mark.parametrize( + ("key", "keysize"), + [ + (b"0" * 10, 40), + (b"0" * 14, 56), + (b"0" * 16, 64), + (b"0" * 20, 80), + (b"0" * 32, 128), + (b"0" * 48, 192), + (b"0" * 64, 256), + ], + ) + def test_key_size(self, key, keysize): + cipher = ARC4(binascii.unhexlify(key)) + assert cipher.key_size == keysize + + def test_invalid_key_size(self): + with pytest.raises(ValueError): + ARC4(binascii.unhexlify(b"0" * 34)) + + def test_invalid_key_type(self): + with pytest.raises(TypeError, match="key must be bytes"): + ARC4("0" * 10) # type: ignore[arg-type] + + +def test_invalid_mode_algorithm(): + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): + ciphers.Cipher( + ARC4(b"\x00" * 16), + modes.GCM(b"\x00" * 12), + ) + + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): + ciphers.Cipher( + ARC4(b"\x00" * 16), + modes.CBC(b"\x00" * 12), + ) + + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): + ciphers.Cipher( + ARC4(b"\x00" * 16), + modes.CTR(b"\x00" * 12), + ) + + +class TestTripleDES: + @pytest.mark.parametrize("key", [b"0" * 16, b"0" * 32, b"0" * 48]) + def test_key_size(self, key): + cipher = TripleDES(binascii.unhexlify(key)) + assert cipher.key_size == 192 + + def test_invalid_key_size(self): + with pytest.raises(ValueError): + TripleDES(binascii.unhexlify(b"0" * 12)) + + def test_invalid_key_type(self): + with pytest.raises(TypeError, match="key must be bytes"): + TripleDES("0" * 16) # type: ignore[arg-type] + + class TestBlowfish: 
@pytest.mark.parametrize( ("key", "keysize"), diff --git a/tests/hazmat/primitives/test_arc4.py b/tests/hazmat/primitives/decrepit/test_arc4.py similarity index 85% rename from tests/hazmat/primitives/test_arc4.py rename to tests/hazmat/primitives/decrepit/test_arc4.py index b589518adfec..116f4b15ccff 100644 --- a/tests/hazmat/primitives/test_arc4.py +++ b/tests/hazmat/primitives/decrepit/test_arc4.py @@ -8,10 +8,10 @@ import pytest -from cryptography.hazmat.primitives.ciphers import algorithms +from cryptography.hazmat.decrepit.ciphers import algorithms -from ...utils import load_nist_vectors -from .utils import generate_stream_encryption_test +from ....utils import load_nist_vectors +from ..utils import generate_stream_encryption_test @pytest.mark.supported( diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py index e096986160f8..5fef25b86c0e 100644 --- a/tests/hazmat/primitives/test_ciphers.py +++ b/tests/hazmat/primitives/test_ciphers.py @@ -11,21 +11,15 @@ import pytest from cryptography import utils -from cryptography.exceptions import AlreadyFinalized, _Reasons +from cryptography.exceptions import AlreadyFinalized from cryptography.hazmat.primitives import ciphers from cryptography.hazmat.primitives.ciphers import modes from cryptography.hazmat.primitives.ciphers.algorithms import ( AES, - ARC4, Camellia, - TripleDES, ) -from ...utils import ( - load_nist_vectors, - load_vectors_from_file, - raises_unsupported_algorithm, -) +from ...utils import load_nist_vectors, load_vectors_from_file def test_deprecated_ciphers_import_with_warning(): 
@@ -45,6 +39,14 @@ def test_deprecated_ciphers_import_with_warning(): from cryptography.hazmat.primitives.ciphers.algorithms import ( SEED, # noqa: F401 ) + with pytest.warns(utils.CryptographyDeprecationWarning): + from cryptography.hazmat.primitives.ciphers.algorithms import ( + ARC4, # noqa: F401 + ) + with pytest.warns(utils.CryptographyDeprecationWarning): + from cryptography.hazmat.primitives.ciphers.algorithms import ( + TripleDES, # noqa: F401 + ) class TestAES: 
@@ -111,67 +113,6 @@ def test_invalid_key_type(self): Camellia("0" * 32) # type: ignore[arg-type] -class TestTripleDES: - @pytest.mark.parametrize("key", [b"0" * 16, b"0" * 32, b"0" * 48]) - def test_key_size(self, key): - cipher = TripleDES(binascii.unhexlify(key)) - assert cipher.key_size == 192 - - def test_invalid_key_size(self): - with pytest.raises(ValueError): - TripleDES(binascii.unhexlify(b"0" * 12)) - - def test_invalid_key_type(self): - with pytest.raises(TypeError, match="key must be bytes"): - TripleDES("0" * 16) # type: ignore[arg-type] - - -class TestARC4: - @pytest.mark.parametrize( - ("key", "keysize"), - [ - (b"0" * 10, 40), - (b"0" * 14, 56), - (b"0" * 16, 64), - (b"0" * 20, 80), - (b"0" * 32, 128), - (b"0" * 48, 192), - (b"0" * 64, 256), - ], - ) - def test_key_size(self, key, keysize): - cipher = ARC4(binascii.unhexlify(key)) - assert cipher.key_size == keysize - - def test_invalid_key_size(self): - with pytest.raises(ValueError): - ARC4(binascii.unhexlify(b"0" * 34)) - - def test_invalid_key_type(self): - with pytest.raises(TypeError, match="key must be bytes"): - ARC4("0" * 10) # type: ignore[arg-type] - - -def test_invalid_mode_algorithm(): - with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): - ciphers.Cipher( - ARC4(b"\x00" * 16), - modes.GCM(b"\x00" * 12), - ) - - with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): - ciphers.Cipher( - ARC4(b"\x00" * 16), - modes.CBC(b"\x00" * 12), - ) - - with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): - ciphers.Cipher( - ARC4(b"\x00" * 16), - modes.CTR(b"\x00" * 12), - ) - - @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( AES(b"\x00" * 16), modes.ECB() diff --git a/tests/hazmat/primitives/test_cmac.py b/tests/hazmat/primitives/test_cmac.py index 18ba898e7a85..5e81563a6b14 100644 --- a/tests/hazmat/primitives/test_cmac.py +++ b/tests/hazmat/primitives/test_cmac.py 
@@ -12,10 +12,9 @@ InvalidSignature, _Reasons, ) +from cryptography.hazmat.decrepit.ciphers.algorithms import ARC4, TripleDES from cryptography.hazmat.primitives.ciphers.algorithms import ( AES, - ARC4, - TripleDES, ) from cryptography.hazmat.primitives.cmac import CMAC diff --git a/tests/hazmat/primitives/test_kbkdf.py b/tests/hazmat/primitives/test_kbkdf.py index 4329e3df60cd..965075d2ce2d 100644 --- a/tests/hazmat/primitives/test_kbkdf.py +++ b/tests/hazmat/primitives/test_kbkdf.py @@ -871,7 +871,7 @@ def test_unsupported_algorithm(self, backend): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): KBKDFCMAC( - algorithms.ARC4, + algorithms.ChaCha20, Mode.CounterMode, 32, 4, diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index b15955fd25fb..9e119f0b636b 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -16,6 +16,9 @@ InvalidTag, NotYetFinalized, ) +from cryptography.hazmat.decrepit.ciphers import ( + algorithms as decrepit_algorithms, +) from cryptography.hazmat.primitives import hashes, hmac, serialization from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives.ciphers import ( @@ -430,15 +433,15 @@ def _kbkdf_cmac_counter_mode_test(backend, prf, ctr_loc, brk_loc, params): "cmac_aes128": algorithms.AES, "cmac_aes192": algorithms.AES, "cmac_aes256": algorithms.AES, - "cmac_tdes2": algorithms.TripleDES, - "cmac_tdes3": algorithms.TripleDES, + "cmac_tdes2": decrepit_algorithms.TripleDES, + "cmac_tdes3": decrepit_algorithms.TripleDES, } algorithm = supported_cipher_algorithms.get(prf) assert algorithm is not None # TripleDES is disallowed in FIPS mode. - if backend._fips_enabled and algorithm is algorithms.TripleDES: + if backend._fips_enabled and algorithm is decrepit_algorithms.TripleDES: pytest.skip("TripleDES is not supported in FIPS mode.") ctrkdf = KBKDFCMAC( From 285ebed5e49bfd15b1a37cdbc8d85ddddd555f51 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Mon, 29 Jan 2024 23:31:51 -0500 Subject: [PATCH 0042/1462] Fixes #10294 -- correct accidental change to exchange kwarg (#10295) --- src/rust/src/backend/dh.rs | 4 ++-- src/rust/src/backend/ec.rs | 6 +++--- src/rust/src/backend/x25519.rs | 4 ++-- src/rust/src/backend/x448.rs | 4 ++-- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 5ec1804e0df8..eb6cbdcdc9e4 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -154,11 +154,11 @@ impl DHPrivateKey { fn exchange<'p>( &self, py: pyo3::Python<'p>, - public_key: &DHPublicKey, + peer_public_key: &DHPublicKey, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; deriver - .set_peer(&public_key.pkey) + .set_peer(&peer_public_key.pkey) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index f71c9bf505e6..624b753c07cb 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -225,7 +225,7 @@ impl ECPrivateKey { &self, py: pyo3::Python<'p>, algorithm: &pyo3::PyAny, - public_key: &ECPublicKey, + peer_public_key: &ECPublicKey, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { if !algorithm.is_instance(types::ECDH.get(py)?)? { return Err(CryptographyError::from( 
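Review bot: The parameter name of `exchange` in `DHPrivateKey` is also its Python keyword-argument name, and this commit restores it without adding a test that calls `exchange(peer_public_key=...)`; the diffstat lists only the four Rust files. The same applies to the `exchange` hunks in ec.rs, x25519.rs and x448.rs. A keyword-call test per key type would pin the name. An explicit `#[pyo3(signature = (peer_public_key))]` on each method (with `algorithm` first for the EC variant) would also put the Python-facing contract next to the Rust signature, so a later rename has to touch the declared signature as well. The method bodies continue outside the hunks.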
@@ -242,12 +242,12 @@ impl ECPrivateKey { // ECPublicKey object. #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] deriver - .set_peer_ex(&public_key.pkey, false) + .set_peer_ex(&peer_public_key.pkey, false) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; #[cfg(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER))] deriver - .set_peer(&public_key.pkey) + .set_peer(&peer_public_key.pkey) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 00e2866cfc39..b193e18b0483 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -65,10 +65,10 @@ impl X25519PrivateKey { fn exchange<'p>( &self, py: pyo3::Python<'p>, - public_key: &X25519PublicKey, + peer_public_key: &X25519PublicKey, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; - deriver.set_peer(&public_key.pkey)?; + deriver.set_peer(&peer_public_key.pkey)?; Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { let n = deriver.derive(b).map_err(|_| { diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 07c84bc36aca..7a64002d943d 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -64,10 +64,10 @@ impl X448PrivateKey { fn exchange<'p>( &self, py: pyo3::Python<'p>, - public_key: &X448PublicKey, + peer_public_key: &X448PublicKey, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; - deriver.set_peer(&public_key.pkey)?; + deriver.set_peer(&peer_public_key.pkey)?; Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { let n = deriver.derive(b).map_err(|_| { From 983ef8c3823bc1e676da93d9beb4ea77b8d0c7ce Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Jan 2024 07:04:31 -0500 Subject: [PATCH 0043/1462] Bump ruff from 0.1.14 to 0.1.15 (#10297) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.1.14 to 0.1.15. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.14...v0.1.15) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ce60b8126314..5e74a88e20e5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==42.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.1.14 +ruff==0.1.15 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 3519591d255d4506fbcd0d04037d45271903c64d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 30 Jan 2024 10:46:21 -0600 Subject: [PATCH 0044/1462] bump openssl in CI (#10298) --- .github/actions/cache/action.yml | 2 +- .github/workflows/ci.yml | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 6cf0f08e56a8..31af7422da04 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -17,5 +17,5 @@ runs: shell: bash - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 with: - key: ${{ steps.normalized-key.outputs.key }}-1 + key: ${{ steps.normalized-key.outputs.key }}-2 workspaces: "./src/rust/ -> target" 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c7c068c3370f..51de1171a90f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -29,17 +29,17 @@ jobs: PYTHON: - {VERSION: "3.12", NOXSESSION: "flake"} - {VERSION: "3.12", NOXSESSION: "rust"} - - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0"}} + - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1w"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.12"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.4"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.0"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.13"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.5"}} + - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} + - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: 
"enable-fips", VERSION: "3.1.5"}} + - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jan 30, 2024. From d06a3db1b453b9aaefea5fe8fce23823e6e36e69 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 30 Jan 2024 11:37:08 -0600 Subject: [PATCH 0045/1462] port 42.0.2 changelog to main (#10301) --- CHANGELOG.rst | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 36a90eff5ced..a522db213916 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -25,6 +25,23 @@ Changelog :doc:`/hazmat/decrepit/index` and deprecated them in the ``cipher`` module. They will be removed from the ``cipher`` module in 48.0.0. +.. _v42-0-2: + +42.0.2 - 2024-01-30 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1. +* Fixed an issue that prevented the use of Python buffer protocol objects in + ``sign`` and ``verify`` methods on asymmetric keys. +* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey`` + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`, + ``X25519PrivateKey`` + :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`, + ``X448PrivateKey`` + :meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`, + and ``DHPrivateKey`` + :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`. + .. _v42-0-1: 42.0.1 - 2024-01-24 From 6b2dc96f992cb9e13c0e9c5fb7ffd65b7ef39410 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 31 Jan 2024 00:16:12 +0000 Subject: [PATCH 0046/1462] Bump BoringSSL and/or OpenSSL in CI (#10303) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 51de1171a90f..a8d2ab9971f8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 30, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "f58aa24e661d528e07f7c59574926aebb4e92c14"}} - # Latest commit on the OpenSSL master branch, as of Jan 26, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0f644b96d209443b4566f7e86e3be2568292e75b"}} + # Latest commit on the BoringSSL master branch, as of Jan 31, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "6855f30b94ddfd2970a7aa3d904a356dea5ec443"}} + # Latest commit on the OpenSSL master branch, as of Jan 31, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "62ecad5378067ab1f702ef2381c2f4a279d15250"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 103f123efa15191c0125555cfc623a54ba7a5392 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 30 Jan 2024 19:45:18 -0500 Subject: [PATCH 0047/1462] parsing, verification: check RSA key size against WebPKI minimum (#10302) * parsing, verification: check RSA key size against WebPKI minimum 
Signed-off-by: William Woodruff * move key size check to permits_ca We don't enforce EE key sizes, consistent with other CABF validators. Signed-off-by: William Woodruff * limit is_rsa to key algorithms Signed-off-by: William Woodruff * is_rsa -> is_rsa_key Signed-off-by: William Woodruff * fetch-vectors: bump limbo Signed-off-by: William Woodruff * reorg, remove helper Signed-off-by: William Woodruff * Update .github/actions/fetch-vectors/action.yml Co-authored-by: Alex Gaynor --------- Signed-off-by: William Woodruff Co-authored-by: Alex Gaynor --- .github/actions/fetch-vectors/action.yml | 4 +-- src/rust/Cargo.lock | 1 + src/rust/cryptography-key-parsing/src/rsa.rs | 4 +-- .../cryptography-x509-verification/Cargo.toml | 1 + .../src/policy/mod.rs | 25 +++++++++++++++++++ tests/x509/verification/test_limbo.py | 3 +++ 6 files changed, 34 insertions(+), 4 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 7e5198c8094a..f9715437f878 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 30, 2024. - ref: "dd7541dac329f03756f6358ad0c01d32e5677619" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 31, 2024. + ref: "481b5d595b00ce55824607e1e8c2f1174539f3f8" # x509-limbo-ref diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index d4a9a31adec1..84e9d90e7eea 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -125,6 +125,7 @@ name = "cryptography-x509-verification" version = "0.1.0" dependencies = [ "asn1", + "cryptography-key-parsing", "cryptography-x509", "once_cell", "pem", diff --git a/src/rust/cryptography-key-parsing/src/rsa.rs b/src/rust/cryptography-key-parsing/src/rsa.rs index 066e7053cb52..5a2f57d58a6b 100644 --- a/src/rust/cryptography-key-parsing/src/rsa.rs 
+++ b/src/rust/cryptography-key-parsing/src/rsa.rs @@ -5,8 +5,8 @@ use crate::KeyParsingResult; #[derive(asn1::Asn1Read)] -struct Pksc1RsaPublicKey<'a> { - n: asn1::BigUint<'a>, +pub struct Pksc1RsaPublicKey<'a> { + pub n: asn1::BigUint<'a>, e: asn1::BigUint<'a>, } diff --git a/src/rust/cryptography-x509-verification/Cargo.toml b/src/rust/cryptography-x509-verification/Cargo.toml index 30a4e8cb7373..2ec541fb2af0 100644 --- a/src/rust/cryptography-x509-verification/Cargo.toml +++ b/src/rust/cryptography-x509-verification/Cargo.toml @@ -10,6 +10,7 @@ rust-version = "1.63.0" [dependencies] asn1 = { version = "0.16.0", default-features = false } cryptography-x509 = { path = "../cryptography-x509" } +cryptography-key-parsing = { path = "../cryptography-key-parsing" } once_cell = "1" [dev-dependencies] diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index d5fffd0d8e2a..3d8bc86b6b8b 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -9,6 +9,7 @@ use std::ops::Range; use std::sync::Arc; use asn1::ObjectIdentifier; +use cryptography_key_parsing::rsa::Pksc1RsaPublicKey; use cryptography_x509::certificate::Certificate; use cryptography_x509::common::{ AlgorithmIdentifier, AlgorithmParameters, EcParameters, RsaPssParameters, Time, @@ -27,6 +28,9 @@ use crate::policy::extension::{ca, common, ee, Criticality, ExtensionPolicy, Ext use crate::types::{DNSName, DNSPattern, IPAddress}; use crate::{ValidationError, VerificationCertificate}; +// RSA key constraints, as defined in CA/B 6.1.5. +static WEBPKI_MINIMUM_RSA_MODULUS: usize = 2048; + // SubjectPublicKeyInfo AlgorithmIdentifier constants, as defined in CA/B 7.1.3.1. // RSA 
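Review bot: Making `Pksc1RsaPublicKey` public in rsa.rs exports a misspelled name (`Pksc1` for PKCS#1), which the policy module then imports. Renaming it now is cheaper than after other crates depend on it, e.g. `pub struct Pkcs1RsaPublicKey<'a> {`. The struct also has no doc comment, and only `n` becomes `pub` while `e` stays private. A `///` line saying what the struct parses and that `n` is exposed for key-size checks would explain the asymmetry.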
@@ -213,6 +217,10 @@ pub struct Policy<'a, B: CryptoOps> { /// An extended key usage that must appear in EEs validated by this policy. pub extended_key_usage: ObjectIdentifier, + /// The minimum RSA modulus, in bits. + /// This is equivalent to the public key size, e.g. 2048 for an RSA-2048 key. + pub minimum_rsa_modulus: usize, + /// The set of permitted public key algorithms, identified by their /// algorithm identifiers. pub permitted_public_key_algorithms: Arc>>, @@ -240,6 +248,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { subject, validation_time: time, extended_key_usage: EKU_SERVER_AUTH_OID.clone(), + minimum_rsa_modulus: WEBPKI_MINIMUM_RSA_MODULUS, permitted_public_key_algorithms: Arc::clone(&*WEBPKI_PERMITTED_SPKI_ALGORITHMS), permitted_signature_algorithms: Arc::clone(&*WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS), ca_extension_policy: ExtensionPolicy { @@ -488,6 +497,22 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ))); } + // CA/B 6.1.5: Key sizes + // NOTE: We don't currently enforce that RSA moduli are divisible by 8, + // since other implementations don't bother. + let issuer_spki = &issuer.certificate().tbs_cert.spki; + if matches!( + issuer_spki.algorithm.params, + AlgorithmParameters::Rsa(_) | AlgorithmParameters::RsaPss(_) + ) { + let rsa_key: Pksc1RsaPublicKey<'_> = + asn1::parse_single(issuer_spki.subject_public_key.as_bytes())?; + + if rsa_key.n.as_bytes().len() * 8 < self.minimum_rsa_modulus { + return Err(ValidationError::Other("RSA key is too weak".into())); + } + } + let pk = issuer .public_key(&self.ops) .map_err(|_| ValidationError::Other("issuer has malformed public key".to_string()))?; diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 194b64f1f0bd..57c429886809 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py 
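Review bot: The size check in the `@@ -488` hunk compares `rsa_key.n.as_bytes().len() * 8` with `minimum_rsa_modulus`, which measures encoded octets rather than the bit length of the modulus. A 2047-bit modulus still occupies 256 octets and passes as 2048. If `as_bytes()` also returns the 0x00 sign-padding octet for values with the top bit set (worth confirming against the asn1 crate), shorter moduli can pass too. Counting bits from the first non-zero octet closes the gap: `let n = rsa_key.n.as_bytes(); let n = &n[n.iter().take_while(|b| **b == 0).count()..];` followed by `let bits = n.len() * 8 - n.first().map_or(0, |b| b.leading_zeros() as usize);`. The enclosing function starts and ends outside the hunk.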
@@ -62,6 +62,9 @@ # forbidden under CABF. This is consistent with what # Go's crypto/x509 and Rust's webpki crate do. "webpki::aki::root-with-aki-ski-mismatch", + # We allow RSA keys that aren't divisible by 8, which is technically + # forbidden under CABF. No other implementation checks this either. + "webpki::forbidden-rsa-key-not-divisable-by-8", # We disallow CAs in the leaf position, which is explicitly forbidden # by CABF (but implicitly permitted under RFC 5280). This is consistent # with what webpki and rustls do, but inconsistent with Go and OpenSSL. From 586f0a206d76d6d2845d5280ded03ddc66e349c7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 31 Jan 2024 02:13:11 +0000 Subject: [PATCH 0048/1462] Bump urllib3 from 2.1.0 to 2.2.0 (#10305) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.1.0 to 2.2.0. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.1.0...2.2.0) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 5e74a88e20e5..511887699f93 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -148,7 +148,7 @@ tomli==2.0.1 # pytest typing-extensions==4.9.0; python_version >= "3.8" # via mypy -urllib3==2.1.0 +urllib3==2.2.0 # via requests virtualenv==20.25.0 # via nox From 18e8c12757aaaa4c3a00063b1ead3c6d7bcacf22 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 31 Jan 2024 02:15:50 +0000 Subject: [PATCH 0049/1462] Bump platformdirs from 4.1.0 to 4.2.0 (#10306) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 4.1.0 to 4.2.0. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/4.1.0...4.2.0) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 511887699f93..7db1eb111e6f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -68,7 +68,7 @@ packaging==23.2 # sphinx pathspec==0.12.1 # via check-sdist -platformdirs==4.1.0; python_version >= "3.8" +platformdirs==4.2.0; python_version >= "3.8" # via virtualenv pluggy==1.4.0; python_version >= "3.8" # via pytest From b042df0f14caa1e22692e35537b1f6ddfd4372f3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Jan 2024 20:46:27 -0600 Subject: [PATCH 0050/1462] Bump cryptography from 42.0.1 to 42.0.2 in /.github/requirements (#10307) * Bump cryptography from 42.0.1 to 42.0.2 in /.github/requirements Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.1 to 42.0.2. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/42.0.1...42.0.2) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 9189187f47fb..a073cd40eec1 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -166,39 +166,39 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==42.0.1 \ - --hash=sha256:0b7cacc142260ada944de070ce810c3e2a438963ee3deb45aa26fd2cee94c9a4 \ - --hash=sha256:126e0ba3cc754b200a2fb88f67d66de0d9b9e94070c5bc548318c8dab6383cb6 \ - --hash=sha256:160fa08dfa6dca9cb8ad9bd84e080c0db6414ba5ad9a7470bc60fb154f60111e \ - --hash=sha256:16b9260d04a0bfc8952b00335ff54f471309d3eb9d7e8dbfe9b0bd9e26e67881 \ - --hash=sha256:25ec6e9e81de5d39f111a4114193dbd39167cc4bbd31c30471cebedc2a92c323 \ - --hash=sha256:265bdc693570b895eb641410b8fc9e8ddbce723a669236162b9d9cfb70bd8d77 \ - --hash=sha256:2dff7a32880a51321f5de7869ac9dde6b1fca00fc1fef89d60e93f215468e824 \ - --hash=sha256:2fe16624637d6e3e765530bc55caa786ff2cbca67371d306e5d0a72e7c3d0407 \ - --hash=sha256:32ea63ceeae870f1a62e87f9727359174089f7b4b01e4999750827bf10e15d60 \ - --hash=sha256:351db02c1938c8e6b1fee8a78d6b15c5ccceca7a36b5ce48390479143da3b411 \ - --hash=sha256:430100abed6d3652208ae1dd410c8396213baee2e01a003a4449357db7dc9e14 \ - --hash=sha256:4d84673c012aa698555d4710dcfe5f8a0ad76ea9dde8ef803128cc669640a2e0 \ - --hash=sha256:50aecd93676bcca78379604ed664c45da82bc1241ffb6f97f6b7392ed5bc6f04 \ - --hash=sha256:6ac8924085ed8287545cba89dc472fc224c10cc634cdf2c3e2866fe868108e77 \ - --hash=sha256:6bfd823b336fdcd8e06285ae8883d3d2624d3bdef312a0e2ef905f332f8e9302 \ - --hash=sha256:727387886c9c8de927c360a396c5edcb9340d9e960cda145fca75bdafdabd24c \ - --hash=sha256:7911586fc69d06cd0ab3f874a169433db1bc2f0e40988661408ac06c4527a986 \ - --hash=sha256:802d6f83233cf9696b59b09eb067e6b4d5ae40942feeb8e13b213c8fad47f1aa \ - --hash=sha256:8d7efb6bf427d2add2f40b6e1e8e476c17508fa8907234775214b153e69c2e11 \ - --hash=sha256:9544492e8024f29919eac2117edd8c950165e74eb551a22c53f6fdf6ba5f4cb8 \ - --hash=sha256:95d900d19a370ae36087cc728e6e7be9c964ffd8cbcb517fd1efb9c9284a6abc \ - 
--hash=sha256:9d61fcdf37647765086030d81872488e4cb3fafe1d2dda1d487875c3709c0a49 \ - --hash=sha256:ab6b302d51fbb1dd339abc6f139a480de14d49d50f65fdc7dff782aa8631d035 \ - --hash=sha256:b512f33c6ab195852595187af5440d01bb5f8dd57cb7a91e1e009a17f1b7ebca \ - --hash=sha256:cb2861a9364fa27d24832c718150fdbf9ce6781d7dc246a516435f57cfa31fe7 \ - --hash=sha256:d3594947d2507d4ef7a180a7f49a6db41f75fb874c2fd0e94f36b89bfd678bf2 \ - --hash=sha256:d3902c779a92151f134f68e555dd0b17c658e13429f270d8a847399b99235a3f \ - --hash=sha256:d50718dd574a49d3ef3f7ef7ece66ef281b527951eb2267ce570425459f6a404 \ - --hash=sha256:e5edf189431b4d51f5c6fb4a95084a75cef6b4646c934eb6e32304fc720e1453 \ - --hash=sha256:e6edc3a568667daf7d349d7e820783426ee4f1c0feab86c29bd1d6fe2755e009 \ - --hash=sha256:ed1b2130f5456a09a134cc505a17fc2830a1a48ed53efd37dcc904a23d7b82fa \ - --hash=sha256:fd33f53809bb363cf126bebe7a99d97735988d9b0131a2be59fbf83e1259a5b7 +cryptography==42.0.2 \ + --hash=sha256:087887e55e0b9c8724cf05361357875adb5c20dec27e5816b653492980d20380 \ + --hash=sha256:09a77e5b2e8ca732a19a90c5bca2d124621a1edb5438c5daa2d2738bfeb02589 \ + --hash=sha256:130c0f77022b2b9c99d8cebcdd834d81705f61c68e91ddd614ce74c657f8b3ea \ + --hash=sha256:141e2aa5ba100d3788c0ad7919b288f89d1fe015878b9659b307c9ef867d3a65 \ + --hash=sha256:28cb2c41f131a5758d6ba6a0504150d644054fd9f3203a1e8e8d7ac3aea7f73a \ + --hash=sha256:2f9f14185962e6a04ab32d1abe34eae8a9001569ee4edb64d2304bf0d65c53f3 \ + --hash=sha256:320948ab49883557a256eab46149df79435a22d2fefd6a66fe6946f1b9d9d008 \ + --hash=sha256:36d4b7c4be6411f58f60d9ce555a73df8406d484ba12a63549c88bd64f7967f1 \ + --hash=sha256:3b15c678f27d66d247132cbf13df2f75255627bcc9b6a570f7d2fd08e8c081d2 \ + --hash=sha256:3dbd37e14ce795b4af61b89b037d4bc157f2cb23e676fa16932185a04dfbf635 \ + --hash=sha256:4383b47f45b14459cab66048d384614019965ba6c1a1a141f11b5a551cace1b2 \ + --hash=sha256:44c95c0e96b3cb628e8452ec060413a49002a247b2b9938989e23a2c8291fc90 \ + 
--hash=sha256:4b063d3413f853e056161eb0c7724822a9740ad3caa24b8424d776cebf98e7ee \ + --hash=sha256:52ed9ebf8ac602385126c9a2fe951db36f2cb0c2538d22971487f89d0de4065a \ + --hash=sha256:55d1580e2d7e17f45d19d3b12098e352f3a37fe86d380bf45846ef257054b242 \ + --hash=sha256:5ef9bc3d046ce83c4bbf4c25e1e0547b9c441c01d30922d812e887dc5f125c12 \ + --hash=sha256:5fa82a26f92871eca593b53359c12ad7949772462f887c35edaf36f87953c0e2 \ + --hash=sha256:61321672b3ac7aade25c40449ccedbc6db72c7f5f0fdf34def5e2f8b51ca530d \ + --hash=sha256:701171f825dcab90969596ce2af253143b93b08f1a716d4b2a9d2db5084ef7be \ + --hash=sha256:841ec8af7a8491ac76ec5a9522226e287187a3107e12b7d686ad354bb78facee \ + --hash=sha256:8a06641fb07d4e8f6c7dda4fc3f8871d327803ab6542e33831c7ccfdcb4d0ad6 \ + --hash=sha256:8e88bb9eafbf6a4014d55fb222e7360eef53e613215085e65a13290577394529 \ + --hash=sha256:a00aee5d1b6c20620161984f8ab2ab69134466c51f58c052c11b076715e72929 \ + --hash=sha256:a047682d324ba56e61b7ea7c7299d51e61fd3bca7dad2ccc39b72bd0118d60a1 \ + --hash=sha256:a7ef8dd0bf2e1d0a27042b231a3baac6883cdd5557036f5e8df7139255feaac6 \ + --hash=sha256:ad28cff53f60d99a928dfcf1e861e0b2ceb2bc1f08a074fdd601b314e1cc9e0a \ + --hash=sha256:b9097a208875fc7bbeb1286d0125d90bdfed961f61f214d3f5be62cd4ed8a446 \ + --hash=sha256:b97fe7d7991c25e6a31e5d5e795986b18fbbb3107b873d5f3ae6dc9a103278e9 \ + --hash=sha256:e0ec52ba3c7f1b7d813cd52649a5b3ef1fc0d433219dc8c93827c57eab6cf888 \ + --hash=sha256:ea2c3ffb662fec8bbbfce5602e2c159ff097a4631d96235fcf0fb00e59e3ece4 \ + --hash=sha256:fa3dec4ba8fb6e662770b74f62f1a0c7d4e37e25b58b2bf2c1be4c95372b4a33 \ + --hash=sha256:fbeb725c9dc799a574518109336acccaf1303c30d45c075c665c0793c2f79a7f # via # pyopenssl # secretstorage From 0be0a5886cef17c0a2e3a9dfc6645b279e648355 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Jan 2024 20:47:09 -0600 Subject: [PATCH 0051/1462] Bump urllib3 from 2.1.0 to 2.2.0 in /.github/requirements (#10308) * Bump urllib3 from 2.1.0 to 2.2.0 in /.github/requirements Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.1.0 to 2.2.0. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.1.0...2.2.0) --- updated-dependencies: - dependency-name: urllib3 dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index a073cd40eec1..959d370571a1 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -574,9 +574,9 @@ typing-extensions==4.9.0 \ # via # pydantic # pydantic-core -urllib3==2.1.0 \ - --hash=sha256:55901e917a5896a349ff771be919f8bd99aff50b79fe58fec595eb37bbc56bb3 \ - --hash=sha256:df7aa8afb0148fa78488e7899b2c59b5f4ffcfa82e6c54ccb9dd37c1d7b52d54 +urllib3==2.2.0 \ + --hash=sha256:051d961ad0c62a94e50ecf1af379c3aba230c66c710493493560c0c223c49f20 \ + --hash=sha256:ce3711610ddce217e6d113a2732fafad960a03fd0318c91faa79481e35c11224 # via # requests # twine From fd46c01cac798801d6fe3e2fca99d1b6bbbcd74a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 31 Jan 2024 06:09:22 -0600 Subject: [PATCH 0052/1462] Update install docs (#10309) We also test OpenSSL 3.2 --- docs/installation.rst | 1 + 1 file changed, 1 insertion(+) 
diff --git a/docs/installation.rst b/docs/installation.rst index d24d8062c8ad..6994aa0216f8 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -34,6 +34,7 @@ above supported platforms: * ``OpenSSL 1.1.1-latest`` * ``OpenSSL 3.0-latest`` * ``OpenSSL 3.1-latest`` +* ``OpenSSL 3.2-latest`` We also test against the latest commit of BoringSSL as well as versions of LibreSSL that are receiving security support at the time of a given From b39190140facaedf133648b74a968b4eb5e3c83d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 31 Jan 2024 19:19:25 -0500 Subject: [PATCH 0053/1462] Bump BoringSSL and/or OpenSSL in CI (#10313) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a8d2ab9971f8..beb463ef49d3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 31, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "6855f30b94ddfd2970a7aa3d904a356dea5ec443"}} - # Latest commit on the OpenSSL master branch, as of Jan 31, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "62ecad5378067ab1f702ef2381c2f4a279d15250"}} + # Latest commit on the BoringSSL master branch, as of Feb 01, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "608becc67282174594fdaf0ec9c96daca9710d2f"}} + # Latest commit on the OpenSSL master branch, as of Feb 01, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d2e7855f5bdb2f817f6adb7ce6562505ec244474"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From e80f3eed8e6cf0cee32c05ac5e1d7145902a2aaf Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 31 Jan 2024 19:26:49 -0500 Subject: [PATCH 0054/1462] verification/policy: tweak key checks (#10311) * verification/policy: tweak key checks Needs https://github.com/C2SP/x509-limbo/pull/185. Signed-off-by: William Woodruff * bump limbo Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .github/actions/fetch-vectors/action.yml | 2 +- .../cryptography-x509-verification/src/policy/mod.rs | 9 ++++++++- tests/x509/verification/test_limbo.py | 7 +++++-- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index f9715437f878..f9d21c8234d6 100644 
--- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -17,4 +17,4 @@ runs: repository: "C2SP/x509-limbo" path: "x509-limbo" # Latest commit on the x509-limbo main branch, as of Jan 31, 2024. - ref: "481b5d595b00ce55824607e1e8c2f1174539f3f8" # x509-limbo-ref + ref: "e7b8885bb20e532392e1f7c4be0d54c39b17c58b" # x509-limbo-ref diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 3d8bc86b6b8b..41a4e722d5b7 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -476,9 +476,11 @@ impl<'a, B: CryptoOps> Policy<'a, B> { self.permits_ca(issuer.certificate(), current_depth, issuer_extensions)?; // CA/B 7.1.3.1 SubjectPublicKeyInfo + // NOTE: We check the issuer's SPKI here, since the issuer is + // definitionally a CA and thus subject to CABF key requirements. if !self .permitted_public_key_algorithms - .contains(&child.tbs_cert.spki.algorithm) + .contains(&issuer.certificate().tbs_cert.spki.algorithm) { return Err(ValidationError::Other(format!( "Forbidden public key algorithm: {:?}", @@ -487,6 +489,11 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } // CA/B 7.1.3.2 Signature AlgorithmIdentifier + // NOTE: We check the child's signature here, since the issuer's + // signature is not necessarily subject to signature checks (e.g. + // if it's a root). This works out transitively, as any non root-issuer + // will be checked in its recursive step (where it'll be in the child + // position). if !self .permitted_signature_algorithms .contains(&child.signature_alg) diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 57c429886809..edcb0fc9bda5 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py 
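Review bot: In the `@@ -476,9 +476,11 @@` hunk the permitted-algorithm test now reads `issuer.certificate().tbs_cert.spki.algorithm`, but the argument of the `"Forbidden public key algorithm: {:?}"` message lies just below the hunk and is not touched by this commit. If that argument still names `child.tbs_cert.spki.algorithm`, a rejection will print the subscriber's algorithm instead of the CA key that failed; it should be `&issuer.certificate().tbs_cert.spki.algorithm`. As far as these hunks show, the key requirements are now applied to issuer keys only. The doc comments on the public fields `permitted_public_key_algorithms` and `minimum_rsa_modulus` should say so, for example `/// Applied to issuer (CA) keys only; the leaf certificate's key is not checked here.` The function body continues outside the hunk.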
@@ -27,7 +27,10 @@ # Our support for custom EKUs is limited, and we (like most impls.) don't # handle all EKU conditions under CABF. "pedantic-webpki-eku", - # Similarly: contains tests that fail based on a strict reading of RFC 5280 + # Most CABF validators do not enforce the CABF key requirements on + # subscriber keys (i.e., in the leaf certificate). + "pedantic-webpki-subscriber-key", + # Tests that fail based on a strict reading of RFC 5280 # but are widely ignored by validators. "pedantic-rfc5280", # In rare circumstances, CABF relaxes RFC 5280's prescriptions in @@ -64,7 +67,7 @@ "webpki::aki::root-with-aki-ski-mismatch", # We allow RSA keys that aren't divisible by 8, which is technically # forbidden under CABF. No other implementation checks this either. - "webpki::forbidden-rsa-key-not-divisable-by-8", + "webpki::forbidden-rsa-not-divisable-by-8-in-root", # We disallow CAs in the leaf position, which is explicitly forbidden # by CABF (but implicitly permitted under RFC 5280). This is consistent # with what webpki and rustls do, but inconsistent with Go and OpenSSL. From b7a52b96394539b2a7bf46afdb74792d0a074ca1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 1 Feb 2024 11:54:56 +0000 Subject: [PATCH 0055/1462] Bump libc from 0.2.152 to 0.2.153 in /src/rust (#10317) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.152 to 0.2.153. - [Release notes](https://github.com/rust-lang/libc/releases) - [Commits](https://github.com/rust-lang/libc/compare/0.2.152...0.2.153) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 84e9d90e7eea..7150fcd88fe1 100644 
--- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -160,9 +160,9 @@ checksum = "1e186cfbae8084e513daff4240b4797e342f988cecda4fb6c939150f96315fd8" [[package]] name = "libc" -version = "0.2.152" +version = "0.2.153" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13e3bf6590cbc649f4d1a3eefc9d5d6eb746f5200ffb04e5e142700b8faa56e7" +checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd" [[package]] name = "lock_api" From 66e7171b946d5768ca682eb048b7a8da4e10e28d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 1 Feb 2024 11:58:39 +0000 Subject: [PATCH 0056/1462] Bump peter-evans/create-pull-request from 5.0.2 to 6.0.0 (#10316) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 5.0.2 to 6.0.0. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/153407881ec5c347639a548ade7d8ad1d6740e38...b1ddad2c994a25fbc81a28b3ec0e368bb2021c50) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 9a6ba2ae81bc..8c8e4c058e5a 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml 
@@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2 + uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0 with: commit-message: "Bump BoringSSL and/or OpenSSL in CI" title: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index e4a42bf3155f..7df3a5fbcc38 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2 + uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0 with: commit-message: "Bump x509-limbo and/or wycheproof in CI" title: "Bump x509-limbo and/or wycheproof in CI" From 56259b5ff14d7334a17c3326a01e156b64b7b077 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 2 Feb 2024 00:17:47 +0000 Subject: [PATCH 0057/1462] Bump BoringSSL and/or OpenSSL in CI (#10320) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index beb463ef49d3..1bbfba8c57c8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 01, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "608becc67282174594fdaf0ec9c96daca9710d2f"}} - # Latest commit on the OpenSSL master branch, as of Feb 01, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d2e7855f5bdb2f817f6adb7ce6562505ec244474"}} + # Latest commit on the OpenSSL master branch, as of Feb 02, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "afb19f07aecc84998eeea56c4d65f5e0499abb5a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 247ad85305dad535e0549af21acacffc0f5562ab Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 2 Feb 2024 00:33:01 +0000 Subject: [PATCH 0058/1462] Bump x509-limbo and/or wycheproof in CI (#10321) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index f9d21c8234d6..9c7c294d1e37 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 31, 2024. - ref: "e7b8885bb20e532392e1f7c4be0d54c39b17c58b" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 02, 2024. + ref: "215546b218a84c35b9aaf3e84b8df4278c06920b" # x509-limbo-ref From b80629c342489b5632bfafad0df871d2c7596c8b Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Thu, 1 Feb 2024 20:16:05 -0500 Subject: [PATCH 0059/1462] Dropped support for OpenSSL<1.1.1e (#10318) --- CHANGELOG.rst | 2 ++ src/_cffi_src/openssl/cryptography.py | 9 ++------- .../hazmat/backends/openssl/backend.py | 2 +- tests/hazmat/primitives/test_rsa.py | 16 ++-------------- 4 files changed, 7 insertions(+), 22 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index a522db213916..bd6b92f65712 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -8,6 +8,8 @@ Changelog .. note:: This version is not yet released and is under active development. +* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL less than 1.1.1e has been + removed. Users on older version of OpenSSL will need to upgrade. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.8. * :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index 173ec1bb4546..9d09471967a2 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py 
@@ -42,25 +42,20 @@ #define CRYPTOGRAPHY_IS_BORINGSSL 0 #endif -#if OPENSSL_VERSION_NUMBER < 0x10101040 - #error "pyca/cryptography MUST be linked with Openssl 1.1.1d or later" +#if OPENSSL_VERSION_NUMBER < 0x10101050 + #error "pyca/cryptography MUST be linked with Openssl 1.1.1e or later" #endif #define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \ (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL) #define CRYPTOGRAPHY_OPENSSL_320_OR_GREATER \ (OPENSSL_VERSION_NUMBER >= 0x30200000 && !CRYPTOGRAPHY_IS_LIBRESSL) - -#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E \ - (OPENSSL_VERSION_NUMBER < 0x10101050 || CRYPTOGRAPHY_IS_LIBRESSL) """ TYPES = """ static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER; static const int CRYPTOGRAPHY_OPENSSL_320_OR_GREATER; -static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E; - static const int CRYPTOGRAPHY_IS_LIBRESSL; static const int CRYPTOGRAPHY_IS_BORINGSSL; """ diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 3cf01664685c..24bfa3a1f4bf 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -149,7 +149,7 @@ def openssl_version_text(self) -> str: Friendly string name of the loaded OpenSSL library. This is not necessarily the same version as it was compiled against. - Example: OpenSSL 1.1.1d 10 Sep 2019 + Example: OpenSSL 3.2.1 30 Jan 2024 """ return self._ffi.string( self._lib.OpenSSL_version(self._lib.OPENSSL_VERSION) diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 83055fd6fa28..eb74be7c6d4c 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py 
@@ -251,13 +251,7 @@ def test_load_pss_vect_example_keys(self, pkcs1_example): assert public_num.e == public_num2.e @pytest.mark.supported( - only_if=lambda backend: ( - not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL - and ( - not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E - or backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - ) - ), + only_if=lambda backend: not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL, skip_message="Does not support RSA PSS loading", ) @pytest.mark.parametrize( @@ -308,13 +302,7 @@ def test_load_pss_pub_keys_strips_constraints(self, backend): ) @pytest.mark.supported( - only_if=lambda backend: ( - backend._lib.CRYPTOGRAPHY_IS_BORINGSSL - and ( - not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E - or backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - ) - ), + only_if=lambda backend: backend._lib.CRYPTOGRAPHY_IS_BORINGSSL, skip_message="Test requires a backend without RSA-PSS key support", ) def test_load_pss_unsupported(self, backend): From c0c9ec8dbb74ad13be09687044dc4eb2182681d0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 1 Feb 2024 20:38:52 -0600 Subject: [PATCH 0060/1462] remove the memleak tests (#10322) they are fragile, haven't caught regressions, and increasingly pointless as we oxidize. --- src/_cffi_src/openssl/crypto.py | 45 -- .../hazmat/bindings/openssl/_conditional.py | 7 - tests/hazmat/backends/test_openssl_memleak.py | 391 ------------------ 3 files changed, 443 deletions(-) delete mode 100644 tests/hazmat/backends/test_openssl_memleak.py diff --git a/src/_cffi_src/openssl/crypto.py b/src/_cffi_src/openssl/crypto.py index b81b5de1da27..5284f329619c 100644 --- a/src/_cffi_src/openssl/crypto.py +++ b/src/_cffi_src/openssl/crypto.py @@ -9,8 +9,6 @@ """ TYPES = """ -static const long Cryptography_HAS_MEM_FUNCTIONS; - static const int OPENSSL_VERSION; static const int OPENSSL_CFLAGS; static const int OPENSSL_BUILT_ON; 
@@ -26,50 +24,7 @@ void *OPENSSL_malloc(size_t); void OPENSSL_free(void *); - - -/* Signature is significantly different in LibreSSL, so expose via different - symbol name */ -int Cryptography_CRYPTO_set_mem_functions( - void *(*)(size_t, const char *, int), - void *(*)(void *, size_t, const char *, int), - void (*)(void *, const char *, int)); - -void *Cryptography_malloc_wrapper(size_t, const char *, int); -void *Cryptography_realloc_wrapper(void *, size_t, const char *, int); -void Cryptography_free_wrapper(void *, const char *, int); """ CUSTOMIZATIONS = """ -#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL -static const long Cryptography_HAS_MEM_FUNCTIONS = 0; -int (*Cryptography_CRYPTO_set_mem_functions)( - void *(*)(size_t, const char *, int), - void *(*)(void *, size_t, const char *, int), - void (*)(void *, const char *, int)) = NULL; - -#else -static const long Cryptography_HAS_MEM_FUNCTIONS = 1; - -int Cryptography_CRYPTO_set_mem_functions( - void *(*m)(size_t, const char *, int), - void *(*r)(void *, size_t, const char *, int), - void (*f)(void *, const char *, int) -) { - return CRYPTO_set_mem_functions(m, r, f); -} -#endif - -void *Cryptography_malloc_wrapper(size_t size, const char *path, int line) { - return malloc(size); -} - -void *Cryptography_realloc_wrapper(void *ptr, size_t size, const char *path, - int line) { - return realloc(ptr, size); -} - -void Cryptography_free_wrapper(void *ptr, const char *path, int line) { - free(ptr); -} """ diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 30cc3bfa25ef..fc13348af77f 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py 
@@ -28,12 +28,6 @@ def cryptography_has_tls_st() -> list[str]: ] -def cryptography_has_mem_functions() -> list[str]: - return [ - "Cryptography_CRYPTO_set_mem_functions", - ] - - def cryptography_has_ed448() -> list[str]: return [ "EVP_PKEY_ED448", @@ -202,7 +196,6 @@ def cryptography_has_get_extms_support() -> list[str]: "Cryptography_HAS_SET_CERT_CB": cryptography_has_set_cert_cb, "Cryptography_HAS_SSL_ST": cryptography_has_ssl_st, "Cryptography_HAS_TLS_ST": cryptography_has_tls_st, - "Cryptography_HAS_MEM_FUNCTIONS": cryptography_has_mem_functions, "Cryptography_HAS_ED448": cryptography_has_ed448, "Cryptography_HAS_SIGALGS": cryptography_has_ssl_sigalgs, "Cryptography_HAS_PSK": cryptography_has_psk, diff --git a/tests/hazmat/backends/test_openssl_memleak.py b/tests/hazmat/backends/test_openssl_memleak.py deleted file mode 100644 index 371a7c990188..000000000000 --- a/tests/hazmat/backends/test_openssl_memleak.py +++ /dev/null 
@@ -1,391 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - - -import json -import os -import platform -import subprocess -import sys -import textwrap - -import pytest - -from cryptography.hazmat.bindings.openssl.binding import Binding - -MEMORY_LEAK_SCRIPT = """ -import sys - - -def main(argv): - import gc - import json - - import cffi - - from cryptography.hazmat.bindings._rust import _openssl - - heap = {} - start_heap = {} - start_heap_realloc_delta = [0] # 1-item list so callbacks can mutate it - - BACKTRACE_ENABLED = False - if BACKTRACE_ENABLED: - backtrace_ffi = cffi.FFI() - backtrace_ffi.cdef(''' - int backtrace(void **, int); - char **backtrace_symbols(void *const *, int); - ''') - backtrace_lib = backtrace_ffi.dlopen(None) - - def backtrace(): - buf = backtrace_ffi.new("void*[]", 24) - length = backtrace_lib.backtrace(buf, len(buf)) - return (buf, length) - - def symbolize_backtrace(trace): - (buf, length) = trace - symbols = backtrace_lib.backtrace_symbols(buf, length) - stack = [ - backtrace_ffi.string(symbols[i]).decode() - for i in range(length) - ] - _openssl.lib.Cryptography_free_wrapper( - symbols, backtrace_ffi.NULL, 0 - ) - return stack - else: - def backtrace(): - return None - - def symbolize_backtrace(trace): - return None - - @_openssl.ffi.callback("void *(size_t, const char *, int)") - def malloc(size, path, line): - ptr = _openssl.lib.Cryptography_malloc_wrapper(size, path, line) - heap[ptr] = (size, path, line, backtrace()) - return ptr - - @_openssl.ffi.callback("void *(void *, size_t, const char *, int)") - def realloc(ptr, size, path, line): - if ptr != _openssl.ffi.NULL: - del heap[ptr] - new_ptr = _openssl.lib.Cryptography_realloc_wrapper( - ptr, size, path, line - ) - heap[new_ptr] = (size, path, line, backtrace()) - - # It is possible that something during the test will cause a - # realloc 
of memory allocated during the startup phase. (This - # was observed in conda-forge Windows builds of this package with - # provider operation_bits pointers in crypto/provider_core.c.) If - # we don't pay attention to that, the realloc'ed pointer will show - # up as a leak; but we also don't want to allow this kind of realloc - # to consume large amounts of additional memory. So we track the - # realloc and the change in memory consumption. - startup_info = start_heap.pop(ptr, None) - if startup_info is not None: - start_heap[new_ptr] = heap[new_ptr] - start_heap_realloc_delta[0] += size - startup_info[0] - - return new_ptr - - @_openssl.ffi.callback("void(void *, const char *, int)") - def free(ptr, path, line): - if ptr != _openssl.ffi.NULL: - del heap[ptr] - _openssl.lib.Cryptography_free_wrapper(ptr, path, line) - - result = _openssl.lib.Cryptography_CRYPTO_set_mem_functions( - malloc, realloc, free - ) - assert result == 1 - - # Trigger a bunch of initialization stuff. - import hashlib - from cryptography.hazmat.backends.openssl.backend import backend - - hashlib.sha256() - - start_heap.update(heap) - - try: - func(*argv[1:]) - finally: - gc.collect() - gc.collect() - gc.collect() - - if _openssl.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: - _openssl.lib.OSSL_PROVIDER_unload(backend._binding._legacy_provider) - _openssl.lib.OSSL_PROVIDER_unload(backend._binding._default_provider) - - _openssl.lib.OPENSSL_cleanup() - - # Swap back to the original functions so that if OpenSSL tries to free - # something from its atexit handle it won't be going through a Python - # function, which will be deallocated when this function returns - result = _openssl.lib.Cryptography_CRYPTO_set_mem_functions( - _openssl.ffi.addressof( - _openssl.lib, "Cryptography_malloc_wrapper" - ), - _openssl.ffi.addressof( - _openssl.lib, "Cryptography_realloc_wrapper" - ), - _openssl.ffi.addressof(_openssl.lib, "Cryptography_free_wrapper"), - ) - assert result == 1 - - remaining = set(heap) - 
set(start_heap) - - # The constant here is the number of additional bytes of memory - # consumption that are allowed in reallocs of start_heap memory. - if remaining or start_heap_realloc_delta[0] > 3072: - info = dict( - (int(_openssl.ffi.cast("size_t", ptr)), { - "size": heap[ptr][0], - "path": _openssl.ffi.string(heap[ptr][1]).decode(), - "line": heap[ptr][2], - "backtrace": symbolize_backtrace(heap[ptr][3]), - }) - for ptr in remaining - ) - info["start_heap_realloc_delta"] = start_heap_realloc_delta[0] - sys.stdout.write(json.dumps(info)) - sys.stdout.flush() - sys.exit(255) - -main(sys.argv) -""" - - -def assert_no_memory_leaks(s, argv=[]): - env = os.environ.copy() - env["PYTHONPATH"] = os.pathsep.join(sys.path) - - # When using pytest-cov it attempts to instrument subprocesses. This - # causes the memleak tests to raise exceptions. - # we don't need coverage so we remove the env vars. - env.pop("COV_CORE_CONFIG", None) - env.pop("COV_CORE_DATAFILE", None) - env.pop("COV_CORE_SOURCE", None) - - argv = [sys.executable, "-c", f"{s}\n\n{MEMORY_LEAK_SCRIPT}", *argv] - # Shell out to a fresh Python process because OpenSSL does not allow you to - # install new memory hooks after the first malloc/free occurs. - proc = subprocess.Popen( - argv, - env=env, - stdout=subprocess.PIPE, - stderr=subprocess.PIPE, - ) - assert proc.stdout is not None - assert proc.stderr is not None - try: - proc.wait() - if proc.returncode == 255: - # 255 means there was a leak, load the info about what mallocs - # weren't freed. 
- out = json.loads(proc.stdout.read().decode()) - raise AssertionError(out) - elif proc.returncode != 0: - # Any exception type will do to be honest - raise ValueError(proc.stdout.read(), proc.stderr.read()) - finally: - proc.stdout.close() - proc.stderr.close() - - -def skip_if_memtesting_not_supported(): - return pytest.mark.skipif( - not Binding().lib.Cryptography_HAS_MEM_FUNCTIONS - or platform.python_implementation() == "PyPy", - reason="Requires OpenSSL memory functions (>=1.1.0) and not PyPy", - ) - - -@pytest.mark.skip_fips(reason="FIPS self-test sets allow_customize = 0") -@skip_if_memtesting_not_supported() -class TestAssertNoMemoryLeaks: - def test_no_leak_no_malloc(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - pass - """ - ) - ) - - def test_no_leak_free(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - from cryptography.hazmat.bindings.openssl.binding import Binding - b = Binding() - name = b.lib.X509_NAME_new() - b.lib.X509_NAME_free(name) - """ - ) - ) - - def test_no_leak_gc(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - from cryptography.hazmat.bindings.openssl.binding import Binding - b = Binding() - name = b.lib.X509_NAME_new() - b.ffi.gc(name, b.lib.X509_NAME_free) - """ - ) - ) - - def test_leak(self): - with pytest.raises(AssertionError): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - from cryptography.hazmat.bindings.openssl.binding import ( - Binding - ) - b = Binding() - b.lib.X509_NAME_new() - """ - ) - ) - - def test_errors(self): - with pytest.raises(ValueError, match="ZeroDivisionError"): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - raise ZeroDivisionError - """ - ) - ) - - -@pytest.mark.skip_fips(reason="FIPS self-test sets allow_customize = 0") -@skip_if_memtesting_not_supported() -class TestOpenSSLMemoryLeaks: - def test_ec_private_numbers_private_key(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def 
func(): - from cryptography.hazmat.backends.openssl import backend - from cryptography.hazmat.primitives.asymmetric import ec - - ec.EllipticCurvePrivateNumbers( - private_value=int( - '280814107134858470598753916394807521398239633534281633982576099083' - '35787109896602102090002196616273211495718603965098' - ), - public_numbers=ec.EllipticCurvePublicNumbers( - curve=ec.SECP384R1(), - x=int( - '10036914308591746758780165503819213553101287571902957054148542' - '504671046744460374996612408381962208627004841444205030' - ), - y=int( - '17337335659928075994560513699823544906448896792102247714689323' - '575406618073069185107088229463828921069465902299522926' - ) - ) - ).private_key(backend) - """ - ) - ) - - def test_ec_derive_private_key(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - from cryptography.hazmat.backends.openssl import backend - from cryptography.hazmat.primitives.asymmetric import ec - ec.derive_private_key(1, ec.SECP256R1(), backend) - """ - ) - ) - - def test_x25519_pubkey_from_private_key(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - from cryptography.hazmat.primitives.asymmetric import x25519 - private_key = x25519.X25519PrivateKey.generate() - private_key.public_key() - """ - ) - ) - - @pytest.mark.parametrize( - "path", - ["pkcs12/cert-aes256cbc-no-key.p12", "pkcs12/cert-key-aes256cbc.p12"], - ) - def test_load_pkcs12_key_and_certificates(self, path): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(path): - from cryptography import x509 - from cryptography.hazmat.backends.openssl import backend - from cryptography.hazmat.primitives.serialization import pkcs12 - import cryptography_vectors - - with cryptography_vectors.open_vector_file(path, "rb") as f: - pkcs12.load_key_and_certificates( - f.read(), b"cryptography", backend - ) - """ - ), - [path], - ) - - def test_write_pkcs12_key_and_certificates(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - import os - 
from cryptography import x509 - from cryptography.hazmat.backends.openssl import backend - from cryptography.hazmat.primitives import serialization - from cryptography.hazmat.primitives.serialization import pkcs12 - import cryptography_vectors - - path = os.path.join('x509', 'custom', 'ca', 'ca.pem') - with cryptography_vectors.open_vector_file(path, "rb") as f: - cert = x509.load_pem_x509_certificate( - f.read(), backend - ) - path2 = os.path.join('x509', 'custom', 'dsa_selfsigned_ca.pem') - with cryptography_vectors.open_vector_file(path2, "rb") as f: - cert2 = x509.load_pem_x509_certificate( - f.read(), backend - ) - path3 = os.path.join('x509', 'letsencryptx3.pem') - with cryptography_vectors.open_vector_file(path3, "rb") as f: - cert3 = x509.load_pem_x509_certificate( - f.read(), backend - ) - key_path = os.path.join("x509", "custom", "ca", "ca_key.pem") - with cryptography_vectors.open_vector_file(key_path, "rb") as f: - key = serialization.load_pem_private_key( - f.read(), None, backend - ) - encryption = serialization.NoEncryption() - pkcs12.serialize_key_and_certificates( - b"name", key, cert, [cert2, cert3], encryption) - """ - ) - ) From c7ec8a6eed603c2b20a320c4fd1357e33ae2c691 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 1 Feb 2024 21:33:48 -0600 Subject: [PATCH 0061/1462] fix decrepit example (#10324) * fix decrepit example * Update docs/hazmat/decrepit/ciphers.rst Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- docs/hazmat/decrepit/ciphers.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/hazmat/decrepit/ciphers.rst b/docs/hazmat/decrepit/ciphers.rst index 2f7b12f14333..b7a79e217836 100644 --- a/docs/hazmat/decrepit/ciphers.rst +++ b/docs/hazmat/decrepit/ciphers.rst 
@@ -28,9 +28,10 @@ object along with the appropriate :mod:`~cryptography.hazmat.primitives.ciphers. .. doctest:: >>> import os - >>> from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes + >>> from cryptography.hazmat.decrepit.ciphers.algorithms import ARC4 + >>> from cryptography.hazmat.primitives.ciphers import Cipher, modes >>> key = os.urandom(16) - >>> algorithm = algorithms.ARC4(key) + >>> algorithm = ARC4(key) >>> cipher = Cipher(algorithm, mode=None) >>> encryptor = cipher.encryptor() >>> ct = encryptor.update(b"a secret message") From ccd392ed50e49288609884042c6c6cc71881d566 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 1 Feb 2024 21:41:25 -0600 Subject: [PATCH 0062/1462] mark ARC4 and TripleDES with the right version added for decrepit (#10325) --- docs/hazmat/decrepit/ciphers.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/hazmat/decrepit/ciphers.rst b/docs/hazmat/decrepit/ciphers.rst index b7a79e217836..8ae0178df2f1 100644 --- a/docs/hazmat/decrepit/ciphers.rst +++ b/docs/hazmat/decrepit/ciphers.rst @@ -16,6 +16,8 @@ object along with the appropriate :mod:`~cryptography.hazmat.primitives.ciphers. .. class:: ARC4(key) + .. versionadded:: 43.0.0 + ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. @@ -41,6 +43,8 @@ object along with the appropriate :mod:`~cryptography.hazmat.primitives.ciphers. .. class:: TripleDES(key) + .. versionadded:: 43.0.0 + Triple DES (Data Encryption Standard), sometimes referred to as 3DES, is a block cipher standardized by NIST. Triple DES has known crypto-analytic flaws, however none of them currently enable a practical attack. From c7985dfb631d7edd7cdaedbe2f9f0622686c279a Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Fri, 2 Feb 2024 06:08:37 -0600 Subject: [PATCH 0063/1462] stop using deprecated pkg_resources in CI (#10326) --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1bbfba8c57c8..837d6d1dda27 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -395,15 +395,15 @@ jobs: # dist-info directory to pretend to be an older version to "solve" this. - run: | import json - import pkg_resources + import importlib.metadata import shutil import urllib.request - d = pkg_resources.get_distribution("cryptography") + d = importlib.metadata.distribution("cryptography") with urllib.request.urlopen("https://pypi.org/pypi/cryptography/json") as r: latest_version = json.load(r)["info"]["version"] - new_path = d.egg_info.replace(d.version, latest_version) - shutil.move(d.egg_info, new_path) + new_path = d.locate_file(f"cryptography-{latest_version}.dist-info") + shutil.move(d.locate_file(f"cryptography-{d.version}.dist-info"), new_path) shell: python - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh run From 47c0394c4e972f870565fdc8731c1e747e84f831 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 2 Feb 2024 07:08:59 -0500 Subject: [PATCH 0064/1462] Bump certifi from 2023.11.17 to 2024.2.2 (#10327) Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.11.17 to 2024.2.2. - [Commits](https://github.com/certifi/python-certifi/compare/2023.11.17...2024.02.02) --- updated-dependencies: - dependency-name: certifi dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
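Review bot: In the inline Python of this ci.yml hunk, `latest_version` comes straight from the PyPI JSON response and is interpolated into the path handed to `shutil.move`, with no check that it is a plain version string. A guard before the `new_path` line, such as `assert "/" not in latest_version and ".." not in latest_version`, would keep an unexpected response from redirecting the move outside the install directory. The `urllib.request.urlopen(...)` call on the unchanged line above also passes no `timeout=`, so a stalled connection would hold the step until whatever job-level limit applies (not visible in this hunk); `urlopen(url, timeout=30)` is a constructed example of bounding it. The job this step belongs to starts and ends outside the hunk.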
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 7db1eb111e6f..b24312e82773 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -15,7 +15,7 @@ build==1.0.3 # via # check-sdist # cryptography (pyproject.toml) -certifi==2023.11.17 +certifi==2024.2.2 # via requests charset-normalizer==3.3.2 # via requests From 35a401191029a538a068a191ee966634c3af90ff Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 2 Feb 2024 12:19:58 +0000 Subject: [PATCH 0065/1462] Bump ruff from 0.1.15 to 0.2.0 (#10328) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.1.15 to 0.2.0. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.15...v0.2.0) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b24312e82773..e56d198a94ba 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==42.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.1.15 +ruff==0.2.0 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From b557e4d544f0da3744f81634cad66250b4b4611d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 2 Feb 2024 08:51:03 -0500 Subject: [PATCH 0066/1462] We no longer need to install setuptools (#10331) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 837d6d1dda27..b56db037f574 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -385,7 +385,7 @@ jobs:
 cache-dependency-path: ci-constraints-requirements.txt
 timeout-minutes: 3
 - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh install
- - run: pip install . setuptools
+ - run: pip install .
 env:
 CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }}
 # cryptography main has a version of "(X+1).0.0.dev1" where X is the
From 4a7dc8cc923c29fdecedfd7ffdd3b79c9a5634ab Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 2 Feb 2024 08:51:50 -0500 Subject: [PATCH 0067/1462] Update ruff configuration for ruff 0.2.0 (#10332) --- pyproject.toml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index 84ffe04f9f95..3348500be7af 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -143,11 +143,12 @@ exclude_lines = [
 ]
 [tool.ruff]
-ignore = ['N818']
-select = ['E', 'F', 'I', 'N', 'W', 'UP', 'RUF']
 line-length = 79
-[tool.ruff.isort]
+lint.ignore = ['N818']
+lint.select = ['E', 'F', 'I', 'N', 'W', 'UP', 'RUF']
+
+[tool.ruff.lint.isort]
 known-first-party = ["cryptography", "cryptography_vectors", "tests"]
 [tool.check-sdist]
From 25fc7ba29f05c18bc37eb33f96b5e0f61aabac26 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 2 Feb 2024 08:22:28 -0600 Subject: [PATCH 0068/1462] Bump certifi from 2023.11.17 to 2024.2.2 in /.github/requirements (#10330) * Bump certifi from 2023.11.17 to 2024.2.2 in /.github/requirements Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.11.17 to 2024.2.2. - [Commits](https://github.com/certifi/python-certifi/compare/2023.11.17...2024.02.02) --- updated-dependencies: - dependency-name: certifi dependency-type: indirect update-type: version-update:semver-major ...
Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 959d370571a1..8ac31639f58c 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -16,9 +16,9 @@ betterproto==2.0.0b6 \ --hash=sha256:720ae92697000f6fcf049c69267d957f0871654c8b0d7458906607685daee784 \ --hash=sha256:a0839ec165d110a69d0d116f4d0e2bec8d186af4db826257931f0831dab73fcf # via sigstore-protobuf-specs -certifi==2023.11.17 \ - --hash=sha256:9b469f3a900bf28dc19b8cfbf8019bf47f7fdd1a65a1d4ffb98fc14166beb4d1 \ - --hash=sha256:e036ab49d5b79556f99cfc2d9320b34cfbe5be05c5871b51de9329f0603b0474 +certifi==2024.2.2 \ + --hash=sha256:0569859f95fc761b18b45ef421b1290a0f65f147e92a1e5eb3e635f9a5e4e66f \ + --hash=sha256:dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1 # via requests cffi==1.16.0 \ --hash=sha256:0c9ef6ff37e974b73c25eecc13952c55bceed9112be2d9d938ded8e856138bcc \ From f9d3531db506a491bf8ce7be0ad9f7f606615db7 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 2 Feb 2024 08:22:47 -0600 Subject: [PATCH 0069/1462] Bump multidict from 6.0.4 to 6.0.5 in /.github/requirements (#10329) * Bump multidict from 6.0.4 to 6.0.5 in /.github/requirements Bumps [multidict](https://github.com/aio-libs/multidict) from 6.0.4 to 6.0.5. - [Release notes](https://github.com/aio-libs/multidict/releases) - [Changelog](https://github.com/aio-libs/multidict/blob/master/CHANGES.rst) - [Commits](https://github.com/aio-libs/multidict/compare/v6.0.4...v6.0.5) --- updated-dependencies: - dependency-name: multidict dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 166 ++++++++++-------- 1 file changed, 91 insertions(+), 75 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 8ac31639f58c..5406ffbbca48 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -272,81 +272,97 @@ more-itertools==10.2.0 \ --hash=sha256:686b06abe565edfab151cb8fd385a05651e1fdf8f0a14191e4439283421f8684 \ --hash=sha256:8fccb480c43d3e99a00087634c06dd02b0d50fbf088b380de5a41a015ec239e1 # via jaraco-classes -multidict==6.0.4 \ - --hash=sha256:01a3a55bd90018c9c080fbb0b9f4891db37d148a0a18722b42f94694f8b6d4c9 \ - --hash=sha256:0b1a97283e0c85772d613878028fec909f003993e1007eafa715b24b377cb9b8 \ - --hash=sha256:0dfad7a5a1e39c53ed00d2dd0c2e36aed4650936dc18fd9a1826a5ae1cad6f03 \ - --hash=sha256:11bdf3f5e1518b24530b8241529d2050014c884cf18b6fc69c0c2b30ca248710 \ - --hash=sha256:1502e24330eb681bdaa3eb70d6358e818e8e8f908a22a1851dfd4e15bc2f8161 \ - --hash=sha256:16ab77bbeb596e14212e7bab8429f24c1579234a3a462105cda4a66904998664 \ - --hash=sha256:16d232d4e5396c2efbbf4f6d4df89bfa905eb0d4dc5b3549d872ab898451f569 \ - --hash=sha256:21a12c4eb6ddc9952c415f24eef97e3e55ba3af61f67c7bc388dcdec1404a067 \ - --hash=sha256:27c523fbfbdfd19c6867af7346332b62b586eed663887392cff78d614f9ec313 \ - --hash=sha256:281af09f488903fde97923c7744bb001a9b23b039a909460d0f14edc7bf59706 \ - --hash=sha256:33029f5734336aa0d4c0384525da0387ef89148dc7191aae00ca5fb23d7aafc2 \ - --hash=sha256:3601a3cece3819534b11d4efc1eb76047488fddd0c85a3948099d5da4d504636 \ - --hash=sha256:3666906492efb76453c0e7b97f2cf459b0682e7402c0489a95484965dbc1da49 \ - --hash=sha256:36c63aaa167f6c6b04ef2c85704e93af16c11d20de1d133e39de6a0e84582a93 \ - --hash=sha256:39ff62e7d0f26c248b15e364517a72932a611a9b75f35b45be078d81bdb86603 \ - --hash=sha256:43644e38f42e3af682690876cff722d301ac585c5b9e1eacc013b7a3f7b696a0 \ - --hash=sha256:4372381634485bec7e46718edc71528024fcdc6f835baefe517b34a33c731d60 \ - --hash=sha256:458f37be2d9e4c95e2d8866a851663cbc76e865b78395090786f6cd9b3bbf4f4 \ - --hash=sha256:45e1ecb0379bfaab5eef059f50115b54571acfbe422a14f668fc8c27ba410e7e \ - --hash=sha256:4b9d9e4e2b37daddb5c23ea33a3417901fa7c7b3dee2d855f63ee67a0b21e5b1 \ - --hash=sha256:4ceef517eca3e03c1cceb22030a3e39cb399ac86bff4e426d4fc6ae49052cc60 \ - 
--hash=sha256:4d1a3d7ef5e96b1c9e92f973e43aa5e5b96c659c9bc3124acbbd81b0b9c8a951 \ - --hash=sha256:4dcbb0906e38440fa3e325df2359ac6cb043df8e58c965bb45f4e406ecb162cc \ - --hash=sha256:509eac6cf09c794aa27bcacfd4d62c885cce62bef7b2c3e8b2e49d365b5003fe \ - --hash=sha256:52509b5be062d9eafc8170e53026fbc54cf3b32759a23d07fd935fb04fc22d95 \ - --hash=sha256:52f2dffc8acaba9a2f27174c41c9e57f60b907bb9f096b36b1a1f3be71c6284d \ - --hash=sha256:574b7eae1ab267e5f8285f0fe881f17efe4b98c39a40858247720935b893bba8 \ - --hash=sha256:5979b5632c3e3534e42ca6ff856bb24b2e3071b37861c2c727ce220d80eee9ed \ - --hash=sha256:59d43b61c59d82f2effb39a93c48b845efe23a3852d201ed2d24ba830d0b4cf2 \ - --hash=sha256:5a4dcf02b908c3b8b17a45fb0f15b695bf117a67b76b7ad18b73cf8e92608775 \ - --hash=sha256:5cad9430ab3e2e4fa4a2ef4450f548768400a2ac635841bc2a56a2052cdbeb87 \ - --hash=sha256:5fc1b16f586f049820c5c5b17bb4ee7583092fa0d1c4e28b5239181ff9532e0c \ - --hash=sha256:62501642008a8b9871ddfccbf83e4222cf8ac0d5aeedf73da36153ef2ec222d2 \ - --hash=sha256:64bdf1086b6043bf519869678f5f2757f473dee970d7abf6da91ec00acb9cb98 \ - --hash=sha256:64da238a09d6039e3bd39bb3aee9c21a5e34f28bfa5aa22518581f910ff94af3 \ - --hash=sha256:666daae833559deb2d609afa4490b85830ab0dfca811a98b70a205621a6109fe \ - --hash=sha256:67040058f37a2a51ed8ea8f6b0e6ee5bd78ca67f169ce6122f3e2ec80dfe9b78 \ - --hash=sha256:6748717bb10339c4760c1e63da040f5f29f5ed6e59d76daee30305894069a660 \ - --hash=sha256:6b181d8c23da913d4ff585afd1155a0e1194c0b50c54fcfe286f70cdaf2b7176 \ - --hash=sha256:6ed5f161328b7df384d71b07317f4d8656434e34591f20552c7bcef27b0ab88e \ - --hash=sha256:7582a1d1030e15422262de9f58711774e02fa80df0d1578995c76214f6954988 \ - --hash=sha256:7d18748f2d30f94f498e852c67d61261c643b349b9d2a581131725595c45ec6c \ - --hash=sha256:7d6ae9d593ef8641544d6263c7fa6408cc90370c8cb2bbb65f8d43e5b0351d9c \ - --hash=sha256:81a4f0b34bd92df3da93315c6a59034df95866014ac08535fc819f043bfd51f0 \ - --hash=sha256:8316a77808c501004802f9beebde51c9f857054a0c871bd6da8280e718444449 \ - 
--hash=sha256:853888594621e6604c978ce2a0444a1e6e70c8d253ab65ba11657659dcc9100f \ - --hash=sha256:99b76c052e9f1bc0721f7541e5e8c05db3941eb9ebe7b8553c625ef88d6eefde \ - --hash=sha256:a2e4369eb3d47d2034032a26c7a80fcb21a2cb22e1173d761a162f11e562caa5 \ - --hash=sha256:ab55edc2e84460694295f401215f4a58597f8f7c9466faec545093045476327d \ - --hash=sha256:af048912e045a2dc732847d33821a9d84ba553f5c5f028adbd364dd4765092ac \ - --hash=sha256:b1a2eeedcead3a41694130495593a559a668f382eee0727352b9a41e1c45759a \ - --hash=sha256:b1e8b901e607795ec06c9e42530788c45ac21ef3aaa11dbd0c69de543bfb79a9 \ - --hash=sha256:b41156839806aecb3641f3208c0dafd3ac7775b9c4c422d82ee2a45c34ba81ca \ - --hash=sha256:b692f419760c0e65d060959df05f2a531945af31fda0c8a3b3195d4efd06de11 \ - --hash=sha256:bc779e9e6f7fda81b3f9aa58e3a6091d49ad528b11ed19f6621408806204ad35 \ - --hash=sha256:bf6774e60d67a9efe02b3616fee22441d86fab4c6d335f9d2051d19d90a40063 \ - --hash=sha256:c048099e4c9e9d615545e2001d3d8a4380bd403e1a0578734e0d31703d1b0c0b \ - --hash=sha256:c5cb09abb18c1ea940fb99360ea0396f34d46566f157122c92dfa069d3e0e982 \ - --hash=sha256:cc8e1d0c705233c5dd0c5e6460fbad7827d5d36f310a0fadfd45cc3029762258 \ - --hash=sha256:d5e3fc56f88cc98ef8139255cf8cd63eb2c586531e43310ff859d6bb3a6b51f1 \ - --hash=sha256:d6aa0418fcc838522256761b3415822626f866758ee0bc6632c9486b179d0b52 \ - --hash=sha256:d6c254ba6e45d8e72739281ebc46ea5eb5f101234f3ce171f0e9f5cc86991480 \ - --hash=sha256:d6d635d5209b82a3492508cf5b365f3446afb65ae7ebd755e70e18f287b0adf7 \ - --hash=sha256:dcfe792765fab89c365123c81046ad4103fcabbc4f56d1c1997e6715e8015461 \ - --hash=sha256:ddd3915998d93fbcd2566ddf9cf62cdb35c9e093075f862935573d265cf8f65d \ - --hash=sha256:ddff9c4e225a63a5afab9dd15590432c22e8057e1a9a13d28ed128ecf047bbdc \ - --hash=sha256:e41b7e2b59679edfa309e8db64fdf22399eec4b0b24694e1b2104fb789207779 \ - --hash=sha256:e69924bfcdda39b722ef4d9aa762b2dd38e4632b3641b1d9a57ca9cd18f2f83a \ - --hash=sha256:ea20853c6dbbb53ed34cb4d080382169b6f4554d394015f1bef35e881bf83547 \ - 
--hash=sha256:ee2a1ece51b9b9e7752e742cfb661d2a29e7bcdba2d27e66e28a99f1890e4fa0 \ - --hash=sha256:eeb6dcc05e911516ae3d1f207d4b0520d07f54484c49dfc294d6e7d63b734171 \ - --hash=sha256:f70b98cd94886b49d91170ef23ec5c0e8ebb6f242d734ed7ed677b24d50c82cf \ - --hash=sha256:fc35cb4676846ef752816d5be2193a1e8367b4c1397b74a565a9d0389c433a1d \ - --hash=sha256:ff959bee35038c4624250473988b24f846cbeb2c6639de3602c073f10410ceba +multidict==6.0.5 \ + --hash=sha256:01265f5e40f5a17f8241d52656ed27192be03bfa8764d88e8220141d1e4b3556 \ + --hash=sha256:0275e35209c27a3f7951e1ce7aaf93ce0d163b28948444bec61dd7badc6d3f8c \ + --hash=sha256:04bde7a7b3de05732a4eb39c94574db1ec99abb56162d6c520ad26f83267de29 \ + --hash=sha256:04da1bb8c8dbadf2a18a452639771951c662c5ad03aefe4884775454be322c9b \ + --hash=sha256:09a892e4a9fb47331da06948690ae38eaa2426de97b4ccbfafbdcbe5c8f37ff8 \ + --hash=sha256:0d63c74e3d7ab26de115c49bffc92cc77ed23395303d496eae515d4204a625e7 \ + --hash=sha256:107c0cdefe028703fb5dafe640a409cb146d44a6ae201e55b35a4af8e95457dd \ + --hash=sha256:141b43360bfd3bdd75f15ed811850763555a251e38b2405967f8e25fb43f7d40 \ + --hash=sha256:14c2976aa9038c2629efa2c148022ed5eb4cb939e15ec7aace7ca932f48f9ba6 \ + --hash=sha256:19fe01cea168585ba0f678cad6f58133db2aa14eccaf22f88e4a6dccadfad8b3 \ + --hash=sha256:1d147090048129ce3c453f0292e7697d333db95e52616b3793922945804a433c \ + --hash=sha256:1d9ea7a7e779d7a3561aade7d596649fbecfa5c08a7674b11b423783217933f9 \ + --hash=sha256:215ed703caf15f578dca76ee6f6b21b7603791ae090fbf1ef9d865571039ade5 \ + --hash=sha256:21fd81c4ebdb4f214161be351eb5bcf385426bf023041da2fd9e60681f3cebae \ + --hash=sha256:220dd781e3f7af2c2c1053da9fa96d9cf3072ca58f057f4c5adaaa1cab8fc442 \ + --hash=sha256:228b644ae063c10e7f324ab1ab6b548bdf6f8b47f3ec234fef1093bc2735e5f9 \ + --hash=sha256:29bfeb0dff5cb5fdab2023a7a9947b3b4af63e9c47cae2a10ad58394b517fddc \ + --hash=sha256:2f4848aa3baa109e6ab81fe2006c77ed4d3cd1e0ac2c1fbddb7b1277c168788c \ + 
--hash=sha256:2faa5ae9376faba05f630d7e5e6be05be22913782b927b19d12b8145968a85ea \ + --hash=sha256:2ffc42c922dbfddb4a4c3b438eb056828719f07608af27d163191cb3e3aa6cc5 \ + --hash=sha256:37b15024f864916b4951adb95d3a80c9431299080341ab9544ed148091b53f50 \ + --hash=sha256:3cc2ad10255f903656017363cd59436f2111443a76f996584d1077e43ee51182 \ + --hash=sha256:3d25f19500588cbc47dc19081d78131c32637c25804df8414463ec908631e453 \ + --hash=sha256:403c0911cd5d5791605808b942c88a8155c2592e05332d2bf78f18697a5fa15e \ + --hash=sha256:411bf8515f3be9813d06004cac41ccf7d1cd46dfe233705933dd163b60e37600 \ + --hash=sha256:425bf820055005bfc8aa9a0b99ccb52cc2f4070153e34b701acc98d201693733 \ + --hash=sha256:435a0984199d81ca178b9ae2c26ec3d49692d20ee29bc4c11a2a8d4514c67eda \ + --hash=sha256:4a6a4f196f08c58c59e0b8ef8ec441d12aee4125a7d4f4fef000ccb22f8d7241 \ + --hash=sha256:4cc0ef8b962ac7a5e62b9e826bd0cd5040e7d401bc45a6835910ed699037a461 \ + --hash=sha256:51d035609b86722963404f711db441cf7134f1889107fb171a970c9701f92e1e \ + --hash=sha256:53689bb4e102200a4fafa9de9c7c3c212ab40a7ab2c8e474491914d2305f187e \ + --hash=sha256:55205d03e8a598cfc688c71ca8ea5f66447164efff8869517f175ea632c7cb7b \ + --hash=sha256:5c0631926c4f58e9a5ccce555ad7747d9a9f8b10619621f22f9635f069f6233e \ + --hash=sha256:5cb241881eefd96b46f89b1a056187ea8e9ba14ab88ba632e68d7a2ecb7aadf7 \ + --hash=sha256:60d698e8179a42ec85172d12f50b1668254628425a6bd611aba022257cac1386 \ + --hash=sha256:612d1156111ae11d14afaf3a0669ebf6c170dbb735e510a7438ffe2369a847fd \ + --hash=sha256:6214c5a5571802c33f80e6c84713b2c79e024995b9c5897f794b43e714daeec9 \ + --hash=sha256:6939c95381e003f54cd4c5516740faba40cf5ad3eeff460c3ad1d3e0ea2549bf \ + --hash=sha256:69db76c09796b313331bb7048229e3bee7928eb62bab5e071e9f7fcc4879caee \ + --hash=sha256:6bf7a982604375a8d49b6cc1b781c1747f243d91b81035a9b43a2126c04766f5 \ + --hash=sha256:766c8f7511df26d9f11cd3a8be623e59cca73d44643abab3f8c8c07620524e4a \ + --hash=sha256:76c0de87358b192de7ea9649beb392f107dcad9ad27276324c24c91774ca5271 \ + 
--hash=sha256:76f067f5121dcecf0d63a67f29080b26c43c71a98b10c701b0677e4a065fbd54 \ + --hash=sha256:7901c05ead4b3fb75113fb1dd33eb1253c6d3ee37ce93305acd9d38e0b5f21a4 \ + --hash=sha256:79660376075cfd4b2c80f295528aa6beb2058fd289f4c9252f986751a4cd0496 \ + --hash=sha256:79a6d2ba910adb2cbafc95dad936f8b9386e77c84c35bc0add315b856d7c3abb \ + --hash=sha256:7afcdd1fc07befad18ec4523a782cde4e93e0a2bf71239894b8d61ee578c1319 \ + --hash=sha256:7be7047bd08accdb7487737631d25735c9a04327911de89ff1b26b81745bd4e3 \ + --hash=sha256:7c6390cf87ff6234643428991b7359b5f59cc15155695deb4eda5c777d2b880f \ + --hash=sha256:7df704ca8cf4a073334e0427ae2345323613e4df18cc224f647f251e5e75a527 \ + --hash=sha256:85f67aed7bb647f93e7520633d8f51d3cbc6ab96957c71272b286b2f30dc70ed \ + --hash=sha256:896ebdcf62683551312c30e20614305f53125750803b614e9e6ce74a96232604 \ + --hash=sha256:92d16a3e275e38293623ebf639c471d3e03bb20b8ebb845237e0d3664914caef \ + --hash=sha256:99f60d34c048c5c2fabc766108c103612344c46e35d4ed9ae0673d33c8fb26e8 \ + --hash=sha256:9fe7b0653ba3d9d65cbe7698cca585bf0f8c83dbbcc710db9c90f478e175f2d5 \ + --hash=sha256:a3145cb08d8625b2d3fee1b2d596a8766352979c9bffe5d7833e0503d0f0b5e5 \ + --hash=sha256:aeaf541ddbad8311a87dd695ed9642401131ea39ad7bc8cf3ef3967fd093b626 \ + --hash=sha256:b55358304d7a73d7bdf5de62494aaf70bd33015831ffd98bc498b433dfe5b10c \ + --hash=sha256:b82cc8ace10ab5bd93235dfaab2021c70637005e1ac787031f4d1da63d493c1d \ + --hash=sha256:c0868d64af83169e4d4152ec612637a543f7a336e4a307b119e98042e852ad9c \ + --hash=sha256:c1c1496e73051918fcd4f58ff2e0f2f3066d1c76a0c6aeffd9b45d53243702cc \ + --hash=sha256:c9bf56195c6bbd293340ea82eafd0071cb3d450c703d2c93afb89f93b8386ccc \ + --hash=sha256:cbebcd5bcaf1eaf302617c114aa67569dd3f090dd0ce8ba9e35e9985b41ac35b \ + --hash=sha256:cd6c8fca38178e12c00418de737aef1261576bd1b6e8c6134d3e729a4e858b38 \ + --hash=sha256:ceb3b7e6a0135e092de86110c5a74e46bda4bd4fbfeeb3a3bcec79c0f861e450 \ + --hash=sha256:cf590b134eb70629e350691ecca88eac3e3b8b3c86992042fb82e3cb1830d5e1 \ + 
--hash=sha256:d3eb1ceec286eba8220c26f3b0096cf189aea7057b6e7b7a2e60ed36b373b77f \ + --hash=sha256:d65f25da8e248202bd47445cec78e0025c0fe7582b23ec69c3b27a640dd7a8e3 \ + --hash=sha256:d6f6d4f185481c9669b9447bf9d9cf3b95a0e9df9d169bbc17e363b7d5487755 \ + --hash=sha256:d84a5c3a5f7ce6db1f999fb9438f686bc2e09d38143f2d93d8406ed2dd6b9226 \ + --hash=sha256:d946b0a9eb8aaa590df1fe082cee553ceab173e6cb5b03239716338629c50c7a \ + --hash=sha256:dce1c6912ab9ff5f179eaf6efe7365c1f425ed690b03341911bf4939ef2f3046 \ + --hash=sha256:de170c7b4fe6859beb8926e84f7d7d6c693dfe8e27372ce3b76f01c46e489fcf \ + --hash=sha256:e02021f87a5b6932fa6ce916ca004c4d441509d33bbdbeca70d05dff5e9d2479 \ + --hash=sha256:e030047e85cbcedbfc073f71836d62dd5dadfbe7531cae27789ff66bc551bd5e \ + --hash=sha256:e0e79d91e71b9867c73323a3444724d496c037e578a0e1755ae159ba14f4f3d1 \ + --hash=sha256:e4428b29611e989719874670fd152b6625500ad6c686d464e99f5aaeeaca175a \ + --hash=sha256:e4972624066095e52b569e02b5ca97dbd7a7ddd4294bf4e7247d52635630dd83 \ + --hash=sha256:e7be68734bd8c9a513f2b0cfd508802d6609da068f40dc57d4e3494cefc92929 \ + --hash=sha256:e8e94e6912639a02ce173341ff62cc1201232ab86b8a8fcc05572741a5dc7d93 \ + --hash=sha256:ea1456df2a27c73ce51120fa2f519f1bea2f4a03a917f4a43c8707cf4cbbae1a \ + --hash=sha256:ebd8d160f91a764652d3e51ce0d2956b38efe37c9231cd82cfc0bed2e40b581c \ + --hash=sha256:eca2e9d0cc5a889850e9bbd68e98314ada174ff6ccd1129500103df7a94a7a44 \ + --hash=sha256:edd08e6f2f1a390bf137080507e44ccc086353c8e98c657e666c017718561b89 \ + --hash=sha256:f285e862d2f153a70586579c15c44656f888806ed0e5b56b64489afe4a2dbfba \ + --hash=sha256:f2a1dee728b52b33eebff5072817176c172050d44d67befd681609b4746e1c2e \ + --hash=sha256:f7e301075edaf50500f0b341543c41194d8df3ae5caf4702f2095f3ca73dd8da \ + --hash=sha256:fb616be3538599e797a2017cccca78e354c767165e8858ab5116813146041a24 \ + --hash=sha256:fce28b3c8a81b6b36dfac9feb1de115bab619b3c13905b419ec71d03a3fc1423 \ + --hash=sha256:fe5d7785250541f7f5019ab9cba2c71169dc7d74d0f45253f8313f436458a4ef # via 
grpclib nh3==0.2.15 \ --hash=sha256:0d02d0ff79dfd8208ed25a39c12cbda092388fff7f1662466e27d97ad011b770 \ From ab83fff3c2658f093fe8e89dca83a85dd113a0b9 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 2 Feb 2024 10:11:37 -0600 Subject: [PATCH 0070/1462] initialize openssl's legacy provider in rust (#10323) * initialize openssl's legacy provider in rust as we oxidize we need to do this here to ensure it actually happens * alex is a comment format pedant --- .../hazmat/backends/openssl/backend.py | 4 +- .../bindings/_rust/openssl/__init__.pyi | 2 + .../hazmat/bindings/openssl/binding.py | 31 --------- src/rust/src/lib.rs | 65 +++++++++++++++++++ tests/hazmat/bindings/test_openssl.py | 7 -- 5 files changed, 69 insertions(+), 40 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 24bfa3a1f4bf..66c7ed624be0 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -127,7 +127,7 @@ def __repr__(self) -> str: return "".format( self.openssl_version_text(), self._fips_enabled, - self._binding._legacy_provider_loaded, + rust_openssl._legacy_provider_loaded, ) def openssl_assert( @@ -266,7 +266,7 @@ def _register_default_ciphers(self) -> None: # we get an EVP_CIPHER * in the _CipherContext __init__, but OpenSSL 3 # will return a valid pointer even though the cipher is unavailable. if ( - self._binding._legacy_provider_loaded + rust_openssl._legacy_provider_loaded or not self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ): for mode_cls in [CBC, CFB, OFB, ECB]: diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index 9cdb4d6a5c6e..cc54647732cc 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi 
@@ -42,6 +42,8 @@ __all__ = [ "x25519", ] +_legacy_provider_loaded: bool + def openssl_version() -> int: ... def raise_openssl_error() -> typing.NoReturn: ... def capture_error_stack() -> list[OpenSSLError]: ... diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 40814f2a58a0..209fbeb73a8f 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -37,17 +37,6 @@ def _openssl_assert( ) -def _legacy_provider_error(loaded: bool) -> None: - if not loaded: - raise RuntimeError( - "OpenSSL 3.0's legacy provider failed to load. This is a fatal " - "error by default, but cryptography supports running without " - "legacy algorithms by setting the environment variable " - "CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error," - " you have likely made a mistake with your OpenSSL configuration." - ) - - def build_conditional_library( lib: typing.Any, conditional_names: dict[str, typing.Callable[[], list[str]]], @@ -76,7 +65,6 @@ class Binding: _lib_loaded = False _init_lock = threading.Lock() _legacy_provider: typing.Any = ffi.NULL - _legacy_provider_loaded = False _default_provider: typing.Any = ffi.NULL def __init__(self) -> None: 
@@ -106,25 +94,6 @@ def _ensure_ffi_initialized(cls) -> None: _openssl.lib, CONDITIONAL_NAMES ) cls._lib_loaded = True - # As of OpenSSL 3.0.0 we must register a legacy cipher provider - # to get RC2 (needed for junk asymmetric private key - # serialization), RC4, Blowfish, IDEA, SEED, etc. These things - # are ugly legacy, but we aren't going to get rid of them - # any time soon. - if cls.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: - if not os.environ.get("CRYPTOGRAPHY_OPENSSL_NO_LEGACY"): - cls._legacy_provider = cls.lib.OSSL_PROVIDER_load( - cls.ffi.NULL, b"legacy" - ) - cls._legacy_provider_loaded = ( - cls._legacy_provider != cls.ffi.NULL - ) - _legacy_provider_error(cls._legacy_provider_loaded) - - cls._default_provider = cls.lib.OSSL_PROVIDER_load( - cls.ffi.NULL, b"default" - ) - _openssl_assert(cls._default_provider != cls.ffi.NULL) @classmethod def init_static_locks(cls) -> None: diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 9dd54f4b901d..c9f9285e3825 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -4,6 +4,11 @@ #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +use crate::error::CryptographyResult; +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +use openssl::provider; +use std::env; + mod asn1; mod backend; mod buf; @@ -15,6 +20,12 @@ mod pkcs7; pub(crate) mod types; mod x509; +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] +struct LoadedProviders { + legacy: Option, +} + #[pyo3::prelude::pyfunction] fn openssl_version() -> i64 { openssl::version::number() 
@@ -25,6 +36,35 @@ fn is_fips_enabled() -> bool { cryptography_openssl::fips::is_enabled() } +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +fn _initialize_legacy_provider() -> CryptographyResult { + // As of OpenSSL 3.0.0 we must register a legacy cipher provider + // to get RC2 (needed for junk asymmetric private key + // serialization), RC4, Blowfish, IDEA, SEED, etc. These things + // are ugly legacy, but we aren't going to get rid of them + // any time soon. + let load_legacy = env::var("CRYPTOGRAPHY_OPENSSL_NO_LEGACY") + .map(|v| v.is_empty() || v == "0") + .unwrap_or(true); + let legacy = if load_legacy { + let legacy_result = provider::Provider::try_load(None, "legacy", true); + _legacy_provider_error(legacy_result.is_ok())?; + Some(legacy_result?) + } else { + None + }; + Ok(LoadedProviders { legacy }) +} + +fn _legacy_provider_error(success: bool) -> pyo3::PyResult<()> { + if !success { + return Err(pyo3::exceptions::PyRuntimeError::new_err( + "OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration." + )); + } + Ok(()) +} + #[pyo3::prelude::pymodule] fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> { m.add_function(pyo3::wrap_pyfunction!(padding::check_pkcs7_padding, m)?)?; 
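Review bot: In `_initialize_legacy_provider`, `env::var("CRYPTOGRAPHY_OPENSSL_NO_LEGACY")` returns `Err` both when the variable is unset and when its value is not valid Unicode, and `.unwrap_or(true)` then loads the legacy provider in both cases, so an opt-out whose value is not valid Unicode is silently ignored. Reading it with `env::var_os` keeps "set" and "unset" apart: `let load_legacy = env::var_os("CRYPTOGRAPHY_OPENSSL_NO_LEGACY").map_or(true, |v| v.is_empty() || v == "0");`. The new parsing also treats the value `0` as "load legacy", which the removed Python check (`if not os.environ.get(...)`) did not, so a one-line comment listing the accepted values would show that this is deliberate. The Rust test added in this commit covers only `_legacy_provider_error`, so the environment parsing has no test here.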
@@ -52,6 +92,20 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_submodule(cryptography_cffi::create_module(py)?)?; let openssl_mod = pyo3::prelude::PyModule::new(py, "openssl")?; + cfg_if::cfg_if! { + if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { + let providers = _initialize_legacy_provider()?; + if providers.legacy.is_some() { + openssl_mod.add("_legacy_provider_loaded", true)?; + openssl_mod.add("_providers", providers)?; + } else { + openssl_mod.add("_legacy_provider_loaded", false)?; + } + } else { + // default value for non-openssl 3+ + openssl_mod.add("_legacy_provider_loaded", false)?; + } + } openssl_mod.add_function(pyo3::wrap_pyfunction!(openssl_version, m)?)?; openssl_mod.add_function(pyo3::wrap_pyfunction!(error::raise_openssl_error, m)?)?; openssl_mod.add_function(pyo3::wrap_pyfunction!(error::capture_error_stack, m)?)?; @@ -62,3 +116,14 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> Ok(()) } + +#[cfg(test)] +mod tests { + use super::_legacy_provider_error; + + #[test] + fn test_legacy_provider_error() { + assert!(_legacy_provider_error(true).is_ok()); + assert!(_legacy_provider_error(false).is_err()); + } +} diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index 64c3cfdec05c..ef45b304b4ef 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -8,7 +8,6 @@ from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.bindings.openssl.binding import ( Binding, - _legacy_provider_error, _openssl_assert, _verify_package_version, ) 
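Review bot: The `cfg_if!` block added to `_rust` in `src/rust/src/lib.rs` attaches `providers` to the module as `_providers` only in the branch where the legacy provider loaded, and nothing explains why the object is stored at all. Presumably the point is to keep the `Provider` handle alive for the life of the module, since dropping it would likely unload the provider; that should be confirmed and written down, e.g. `// Stored on the module so the provider handle is not dropped (and unloaded) once init returns.`. `LoadedProviders`, declared in an earlier hunk of this file, would benefit from the same one-line doc comment. `_rust` starts and ends outside this hunk.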
@@ -84,12 +83,6 @@ def test_version_mismatch(self): with pytest.raises(ImportError): _verify_package_version("nottherightversion") - def test_legacy_provider_error(self): - with pytest.raises(RuntimeError): - _legacy_provider_error(False) - - _legacy_provider_error(True) - def test_rust_internal_error(self): with pytest.raises(InternalError) as exc_info: rust_openssl.raise_openssl_error() From c72e53d55bb3891b2ac68c010c1906580b837ad5 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 2 Feb 2024 18:23:00 -0600 Subject: [PATCH 0071/1462] Bump BoringSSL and/or OpenSSL in CI (#10334) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b56db037f574..d920a09ea74d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 01, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "608becc67282174594fdaf0ec9c96daca9710d2f"}} - # Latest commit on the OpenSSL master branch, as of Feb 02, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "afb19f07aecc84998eeea56c4d65f5e0499abb5a"}} + # Latest commit on the BoringSSL master branch, as of Feb 03, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "10a2132f50aaf7d49db7e258666f447b821588d9"}} + # Latest commit on the OpenSSL master branch, as of Feb 03, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ed0f79c7ae63f7f29c9bfce2e0f960f0803be350"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 46b2921d97f4c576c457d2f5df8ec1936fac4f4c Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sat, 3 Feb 2024 14:39:19 +0100 Subject: [PATCH 0072/1462] verification/policy: make subject optional internally (#10335) This is not surfaced in a public API yet; it's purely an internal change to enable a `ClientVerifier` API (which won't take a subject). Signed-off-by: William Woodruff --- .../cryptography-x509-verification/src/policy/extension.rs | 6 +++++- src/rust/cryptography-x509-verification/src/policy/mod.rs | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs index 7006ad5dd110..83d4a5ec1736 100644 
--- a/src/rust/cryptography-x509-verification/src/policy/extension.rs +++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs @@ -304,7 +304,11 @@ pub(crate) mod ee { }; let san: SubjectAlternativeName<'_> = extn.value()?; - if !policy.subject.matches(&san) { + if !policy + .subject + .as_ref() + .map_or_else(|| false, |sub| sub.matches(&san)) + { return Err(ValidationError::Other( "leaf certificate has no matching subjectAltName".into(), )); diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 41a4e722d5b7..ef270fc79db4 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -208,7 +208,7 @@ pub struct Policy<'a, B: CryptoOps> { /// A subject (i.e. DNS name or other name format) that any EE certificates /// validated by this policy must match. - pub subject: Subject<'a>, + pub subject: Option>, /// The validation time. All certificates validated by this policy must /// be valid at this time. @@ -245,7 +245,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { Self { ops, max_chain_depth: max_chain_depth.unwrap_or(DEFAULT_MAX_CHAIN_DEPTH), - subject, + subject: Some(subject), validation_time: time, extended_key_usage: EKU_SERVER_AUTH_OID.clone(), minimum_rsa_modulus: WEBPKI_MINIMUM_RSA_MODULUS, From 4814d97c60c58b37ac0d450d0d32c02e907643c0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 3 Feb 2024 08:57:24 -0500 Subject: [PATCH 0073/1462] Revert "Silence new clippy false-positive (#10168)" (#10336) This reverts commit ba2bef6daca77cf1217e470e337b39c284d60151. --- src/rust/src/x509/crl.rs | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index f4d6feebc820..8e43832986c2 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs 
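Review bot: In the subjectAltName check inside `mod ee` in `policy/extension.rs`, a policy with `subject: None` now rejects every leaf with "leaf certificate has no matching subjectAltName". That is the safe direction, but it is undocumented and the error is indistinguishable from a real name mismatch. I would state the intent at the check, e.g. `// No subject configured: fail closed rather than skip name matching.`, so a later client-verification change cannot flip it to accept by accident. The condition also reads more simply as `.map_or(false, |sub| sub.matches(&san))`, since the `|| false` closure adds nothing. The doc comment on `Policy::subject` in `policy/mod.rs` still describes a subject that is always present and should say what `None` means; the enclosing validator function begins outside the hunk.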
@@ -120,9 +120,6 @@ impl CertificateRevocationList { self.len() } - // Silenced due to false-positives - // https://github.com/rust-lang/rust-clippy/issues/12135 - #[allow(clippy::useless_asref)] fn __iter__(&self) -> CRLIterator { CRLIterator { contents: OwnedCRLIteratorData::try_new(Arc::clone(&self.owned), |v| { From 18591bc279f5caeaeee42d988370f28affd8af94 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 3 Feb 2024 22:19:26 +0000 Subject: [PATCH 0074/1462] Bump markupsafe from 2.1.4 to 2.1.5 (#10338) Bumps [markupsafe](https://github.com/pallets/markupsafe) from 2.1.4 to 2.1.5. - [Release notes](https://github.com/pallets/markupsafe/releases) - [Changelog](https://github.com/pallets/markupsafe/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/markupsafe/compare/2.1.4...2.1.5) --- updated-dependencies: - dependency-name: markupsafe dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e56d198a94ba..58ab36f65248 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -50,7 +50,7 @@ iniconfig==2.0.0 # via pytest jinja2==3.1.3 # via sphinx -markupsafe==2.1.4 +markupsafe==2.1.5 # via jinja2 mypy==1.8.0 # via cryptography (pyproject.toml) From f52c275ceb6a1c2b709f23a0dddd5f9544c05481 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 3 Feb 2024 18:42:21 -0500 Subject: [PATCH 0075/1462] remove stray space (#10339) --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 3348500be7af..82aa29db129f 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -80,7 +80,7 @@ test = [ ] test-randomorder = ["pytest-randomly"] docs = ["sphinx >=5.3.0", "sphinx-rtd-theme >=1.1.1"] -docstest = ["pyenchant >=1.6.11", "readme-renderer", "sphinxcontrib-spelling >=4.0.1"] +docstest = ["pyenchant >=1.6.11", "readme-renderer", "sphinxcontrib-spelling >=4.0.1"] sdist = ["build"] # `click` included because its needed to type check `release.py` pep8test = ["ruff", "mypy", "check-sdist", "click"] From c234cc23047cf98d6475985141a9f249450935bc Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 3 Feb 2024 18:43:07 -0500 Subject: [PATCH 0076/1462] Check to see if we can use the hosted M1 runners (#10340) --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d920a09ea74d..a8c4491bbcc6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -221,14 +221,14 @@ jobs: matrix: RUNNER: - {OS: 'macos-13', ARCH: 'x86_64'} - - {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'} + - {OS: 'macos-14', ARCH: 'arm64'} PYTHON: - {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.12", NOXSESSION: "tests"} exclude: # We only test latest Python on arm64. py37 won't work since there's no universal2 binary - PYTHON: {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} - RUNNER: {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'} + RUNNER: {OS: 'macos-14', ARCH: 'arm64'} timeout-minutes: 15 steps: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 From ab6a4a20df416f588272e3ffbb5a04789b1637dd Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 3 Feb 2024 18:43:29 -0500 Subject: [PATCH 0077/1462] Stop pretending to be x64 on M1 in CI (#10341) --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a8c4491bbcc6..4eab452ec35c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -245,7 +245,6 @@ jobs: uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: ${{ matrix.PYTHON.VERSION }} - architecture: 'x64' # we force this right now so that it will install the universal2 on arm64 cache: pip cache-dependency-path: ci-constraints-requirements.txt timeout-minutes: 3 From 70e4d79f678d8351e08f03c7e935f293614084f8 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 3 Feb 2024 18:29:20 -0600 Subject: [PATCH 0078/1462] Bump BoringSSL and/or OpenSSL in CI (#10342) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4eab452ec35c..8924ce10488e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 03, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "10a2132f50aaf7d49db7e258666f447b821588d9"}} + # Latest commit on the BoringSSL master branch, as of Feb 04, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "79123ca9c0f9ae1532427f704fa626dbaebbdbe9"}} # Latest commit on the OpenSSL master branch, as of Feb 03, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ed0f79c7ae63f7f29c9bfce2e0f960f0803be350"}} # Builds with various Rust versions. Includes MSRV and next From 0c55522b5e8c4d94995c3c8773529540f49b8cf5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 4 Feb 2024 22:32:52 +0000 Subject: [PATCH 0079/1462] Bump actions/checkout in /.github/actions/fetch-vectors (#9853) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.1.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/f43a0e5ff2bd294095638e18286ca9a3d1956744...b4ffde65f46336ab88eb53be808477a3936bae11) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 9c7c294d1e37..017a3358edcb 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -5,14 +5,14 @@ runs: using: "composite" steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: "google/wycheproof" path: "wycheproof" # Latest commit on the wycheproof master branch, as of Oct 28, 2023. ref: "d9f6ec7d8bd8c96da05368999094e4a75ba5cb3d" # wycheproof-ref - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: "C2SP/x509-limbo" path: "x509-limbo" From cbaa508e66ba475fe87c8862efe4e89e86a776b3 Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Sun, 4 Feb 2024 17:01:21 -0600 Subject: [PATCH 0080/1462] update actions/checkout everywhere (#10346) * update actions/checkout everywhere except manylinux2014, where we can't * update rust-cache to use node20 --- .github/actions/cache/action.yml | 2 +- .github/workflows/benchmark.yml | 4 ++-- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/ci.yml | 12 ++++++------ .github/workflows/linkcheck.yml | 2 +- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 6 +++--- .github/workflows/x509-limbo-version-bump.yml | 2 +- 8 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 31af7422da04..702d82483b6f 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -15,7 +15,7 @@ runs: id: normalized-key run: echo "key=$(echo "${{ inputs.key }}" | tr -d ',')" >> $GITHUB_OUTPUT shell: bash - - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 + - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 with: key: ${{ steps.normalized-key.outputs.key }}-2 workspaces: "./src/rust/ -> target" diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index d494688db74f..deeebb0f69ba 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -21,12 +21,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 timeout-minutes: 3 with: persist-credentials: false path: "cryptography-pr" - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 timeout-minutes: 3 with: repository: "pyca/cryptography" 
diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 8c8e4c058e5a..4cc08f5983d3 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - id: check-sha-boring run: | SHA=$(git ls-remote https://boringssl.googlesource.com/boringssl refs/heads/master | cut -f1) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8924ce10488e..3037927d323c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -56,7 +56,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "nightly"} timeout-minutes: 15 steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 timeout-minutes: 3 with: persist-credentials: false @@ -180,7 +180,7 @@ jobs: sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release if: matrix.IMAGE.IMAGE == 'alpine:aarch64' - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 timeout-minutes: 3 with: persist-credentials: false @@ -231,7 +231,7 @@ jobs: RUNNER: {OS: 'macos-14', ARCH: 'arm64'} timeout-minutes: 15 steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 timeout-minutes: 3 with: persist-credentials: false 
@@ -295,7 +295,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests"} timeout-minutes: 15 steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 timeout-minutes: 3 with: persist-credentials: false @@ -369,7 +369,7 @@ jobs: name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 timeout-minutes: 3 with: persist-credentials: false @@ -413,7 +413,7 @@ jobs: if: ${{ always() }} timeout-minutes: 3 steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 timeout-minutes: 3 with: persist-credentials: false diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index d4fb20e091f5..9f694c7cb661 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -20,7 +20,7 @@ jobs: name: "linkcheck" timeout-minutes: 10 steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - name: Setup python diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index a7f75070628e..7c2d3cb6db99 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -35,7 +35,7 @@ jobs: with: python-version: "3.11" - name: Get publish-requirements.txt from repository - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: sparse-checkout: | ${{ env.PUBLISH_REQUIREMENTS_PATH }} 
diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 0d2c5774721f..fef4a48bc63f 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest name: sdists steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -212,7 +212,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -306,7 +306,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 7df3a5fbcc38..9866e266065d 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml 
@@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - id: check-sha-x509-limbo run: | SHA=$(git ls-remote https://github.com/C2SP/x509-limbo refs/heads/main | cut -f1) From 172ec89853df99fe53c70bcd4dd3c581e86ed66c Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 4 Feb 2024 17:22:40 -0600 Subject: [PATCH 0081/1462] try to upgrade to upload/download artifact v4 (#10347) --- .github/actions/upload-coverage/action.yml | 4 ++-- .github/workflows/ci.yml | 9 +++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index a005d6b7462d..d7032c89e303 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,9 +13,9 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 with: - name: coverage-data + name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }} path: | .coverage.* *.lcov diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3037927d323c..b339bc05c3e7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -433,9 +433,10 @@ jobs: if: ${{ always() }} - name: Download coverage data if: ${{ always() }} - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: - name: coverage-data + pattern: coverage-data-* + merge-multiple: true - name: Combine coverage and fail if it's <100%. if: ${{ always() }} id: combinecoverage 
@@ -475,14 +476,14 @@ jobs: run: python -m coverage html if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload HTML report. - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 with: name: _html-report path: htmlcov if-no-files-found: ignore if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload rust HTML report. - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 with: name: _html-rust-report path: rust-coverage From 6f8c79efcd1d8962d676b7a4d3eec9bc5c8b6e20 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Feb 2024 08:03:46 -0600 Subject: [PATCH 0082/1462] Bump sigstore from 2.1.0 to 2.1.2 in /.github/requirements (#10350) * Bump sigstore from 2.1.0 to 2.1.2 in /.github/requirements Bumps [sigstore](https://github.com/sigstore/sigstore-python) from 2.1.0 to 2.1.2. - [Release notes](https://github.com/sigstore/sigstore-python/releases) - [Changelog](https://github.com/sigstore/sigstore-python/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/sigstore-python/compare/v2.1.0...v2.1.2) --- updated-dependencies: - dependency-name: sigstore dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 5406ffbbca48..3d4fbcfed731 100644 
--- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -560,9 +560,9 @@ securesystemslib==0.31.0 \ # via # sigstore # tuf -sigstore==2.1.0 \ - --hash=sha256:68761c3078aca9bb97af8459602959ff47ce648bf722a8c2c868e45b46aad7e1 \ - --hash=sha256:7c64b4c6eccee0ec1b54d524d7be57dabc1f1f3651dd723cf195aa6b1f94b4f7 +sigstore==2.1.2 \ + --hash=sha256:94139c1efa0784135516d11b79c8b06d4ea61245624e69cda44494e87560b07c \ + --hash=sha256:fd9069b50b5789c6e229641e948a9b47c07525e8924f5e4d20d7dc1a8db6d6e2 # via -r publish-requirements.in sigstore-protobuf-specs==0.2.2 \ --hash=sha256:62c7beabc6910fb570dc4c600e33e81f2d2d683f785202ee109ca394bd829e94 \ From 884be2a97b91c1a354afd60429b5d02e2c8c2c89 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 5 Feb 2024 09:03:59 -0500 Subject: [PATCH 0083/1462] Remove unused attributes (#10349) --- src/cryptography/hazmat/bindings/openssl/binding.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 209fbeb73a8f..d9f81ce8dcec 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -64,8 +64,6 @@ class Binding: ffi = _openssl.ffi _lib_loaded = False _init_lock = threading.Lock() - _legacy_provider: typing.Any = ffi.NULL - _default_provider: typing.Any = ffi.NULL def __init__(self) -> None: self._ensure_ffi_initialized() From fafcc03bb731482209cec8e692f4155892a0d3ea Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 5 Feb 2024 18:50:45 -0500 Subject: [PATCH 0084/1462] Remove unused dep (#10351) * Remove unused dep * Update Cargo.lock --- src/rust/Cargo.lock | 1 - src/rust/Cargo.toml | 3 --- 2 files changed, 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 7150fcd88fe1..d7e5e256fa3f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -97,7 +97,6 @@ name = "cryptography-rust" version = "0.1.0" dependencies = [ "asn1", - "cc", "cfg-if", "cryptography-cffi", "cryptography-key-parsing", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 08bd9583cbff..698328596665 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -23,9 +23,6 @@ openssl-sys = "0.9.99" foreign-types-shared = "0.1" self_cell = "1" -[build-dependencies] -cc = "1.0.83" - [features] extension-module = ["pyo3/extension-module"] default = ["extension-module"] From 9c0163a4e412e7dc1afcf1c0fe78780d0ecda4da Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 00:14:05 +0000 Subject: [PATCH 0085/1462] Bump BoringSSL and/or OpenSSL in CI (#10352) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b339bc05c3e7..1a928771f050 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 04, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "79123ca9c0f9ae1532427f704fa626dbaebbdbe9"}} - # Latest commit on the OpenSSL master branch, as of Feb 03, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ed0f79c7ae63f7f29c9bfce2e0f960f0803be350"}} + # Latest commit on the OpenSSL master branch, as of Feb 06, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "22f82d457c06289ec66a627a3d11649d83beff88"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From ce8aa9f6f137cc5af7071a4ed4be250cb3a3b769 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 00:28:25 +0000 Subject: [PATCH 0086/1462] Bump x509-limbo and/or wycheproof in CI (#10353) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 017a3358edcb..9c24312ffe64 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 02, 2024. - ref: "215546b218a84c35b9aaf3e84b8df4278c06920b" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 06, 2024. + ref: "0171902768511b59844113a9026c645e21e85344" # x509-limbo-ref From 42c4677090ca5e957f527394d164c4f1eec50504 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 11:21:45 +0000 Subject: [PATCH 0087/1462] Bump ruff from 0.2.0 to 0.2.1 (#10354) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.2.0 to 0.2.1. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.2.0...v0.2.1) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 58ab36f65248..703ad54e2f79 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -105,7 +105,7 @@ readme-renderer==42.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.2.0 +ruff==0.2.1 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From aade784e71a1b91e1a5a8e239c4d9861feb4193d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 11:56:25 +0000 Subject: [PATCH 0088/1462] Bump actions/upload-artifact in /.github/actions/upload-coverage (#10357) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.0 to 4.3.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/26f96dfa697d77e81fd5907df203aa23a56210a8...5d5d22a31266ced268874388b861e4b58bb5c2f3) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/upload-coverage/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index d7032c89e303..720cf904f821 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,7 +13,7 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }} path: | From 5c17851da78dfc55ec9674f92882f94c6569c5f4 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 7 Feb 2024 00:15:15 +0000 Subject: [PATCH 0089/1462] Bump BoringSSL and/or OpenSSL in CI (#10358) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1a928771f050..c32b544a1326 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 04, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "79123ca9c0f9ae1532427f704fa626dbaebbdbe9"}} - # Latest commit on the OpenSSL master branch, as of Feb 06, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "22f82d457c06289ec66a627a3d11649d83beff88"}} + # Latest commit on the OpenSSL master branch, as of Feb 07, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1751185154ab1f1a796e0f39567fe51c8e24b78d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From b4ae8b0ace1d879d87a80c3e61be323975eda9d2 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 7 Feb 2024 00:28:50 +0000 Subject: [PATCH 0090/1462] Bump x509-limbo and/or wycheproof in CI (#10359) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 9c24312ffe64..b26d8c308115 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 06, 2024. - ref: "0171902768511b59844113a9026c645e21e85344" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 07, 2024. + ref: "471656dc73cedf02eaac82c45d7bd874d097dfc9" # x509-limbo-ref From f11560b6a65d6ff7862087584dac4c20b38e656c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 8 Feb 2024 00:17:24 +0000 Subject: [PATCH 0091/1462] Bump BoringSSL and/or OpenSSL in CI (#10362) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c32b544a1326..9608d9dc8fdb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 04, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "79123ca9c0f9ae1532427f704fa626dbaebbdbe9"}} - # Latest commit on the OpenSSL master branch, as of Feb 07, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1751185154ab1f1a796e0f39567fe51c8e24b78d"}} + # Latest commit on the BoringSSL master branch, as of Feb 08, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "34b51faf3a58fe36e3ab1db99a2a441d0f69c754"}} + # Latest commit on the OpenSSL master branch, as of Feb 08, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "387b93e14907cd8203d6f2c9d78e49df01cb6e1f"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 92a79c95aed4290436e8299e5896497aeb0db749 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Feb 2024 08:50:39 -0600 Subject: [PATCH 0092/1462] Bump jaraco-classes from 3.3.0 to 3.3.1 in /.github/requirements (#10363) * Bump jaraco-classes from 3.3.0 to 3.3.1 in /.github/requirements Bumps [jaraco-classes](https://github.com/jaraco/jaraco.classes) from 3.3.0 to 3.3.1. - [Release notes](https://github.com/jaraco/jaraco.classes/releases) - [Changelog](https://github.com/jaraco/jaraco.classes/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/jaraco.classes/compare/v3.3.0...v3.3.1) --- updated-dependencies: - dependency-name: jaraco-classes dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 3d4fbcfed731..28fdfbdadbcb 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -246,9 +246,9 @@ importlib-metadata==7.0.1 \ # via # keyring # twine -jaraco-classes==3.3.0 \ - --hash=sha256:10afa92b6743f25c0cf5f37c6bb6e18e2c5bb84a16527ccfc0040ea377e7aaeb \ - --hash=sha256:c063dd08e89217cee02c8d5e5ec560f2c8ce6cdc2fcdc2e68f7b2e5547ed3621 +jaraco-classes==3.3.1 \ + --hash=sha256:86b534de565381f6b3c1c830d13f931d7be1a75f0081c57dff615578676e2206 \ + --hash=sha256:cb28a5ebda8bc47d8c8015307d93163464f9f2b91ab4006e09ff0ce07e8bfb30 # via keyring jeepney==0.8.0 \ --hash=sha256:5efe48d255973902f6badc3ce55e2aa6c5c3b3bc642059ef3a91247bcfcc5806 \ From b6934e7301d3401ee7f4dcb153f8fa265f577bbf Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Thu, 8 Feb 2024 08:51:21 -0600 Subject: [PATCH 0093/1462] smaller mmap in tests to fit in a 32-bit ssize_t (#10365) this still triggers the overflows we expect in the tests and should also work on 32-bit systems --- tests/hazmat/primitives/test_aead.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index a1f99ab815ed..7b8eebb78447 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -38,7 +38,11 @@ def _aead_supported(cls): def large_mmap(): - return mmap.mmap(-1, 2**32, prot=mmap.PROT_READ) + # We need this large but not larger than fits in a 32-bit int. This way + # a 32-bit platform can return this mmap successfully but we'll raise + # OverFlowError in the tests because the underlying type for the + # function signature is a signed int + return mmap.mmap(-1, 2**31, prot=mmap.PROT_READ) @pytest.mark.skipif( From 4e7c2c72efe5b1fbb2c47d1341c5b4c7cbdb6a57 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 8 Feb 2024 09:19:50 -0600 Subject: [PATCH 0094/1462] skip overflow aead tests on 32-bit systems (#10366) * Revert "smaller mmap in tests to fit in a 32-bit ssize_t (#10365)" This reverts commit b6934e7301d3401ee7f4dcb153f8fa265f577bbf. * skip overflow aead tests on 32-bit systems --- tests/hazmat/primitives/test_aead.py | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index 7b8eebb78447..2f0d52d82682 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py 
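Review bot: `2**31` in `large_mmap()` is one more than the largest value a signed 32-bit `ssize_t` can hold (`2**31 - 1`), so on a 32-bit interpreter the `mmap.mmap(-1, 2**31, ...)` call itself would presumably fail before the AEAD code under test is reached. No length both fits a 32-bit `ssize_t` and exceeds a signed int, so shrinking the mapping cannot keep these overflow tests meaningful there; gating the `test_data_too_large` tests on pointer width, e.g. adding `or sys.maxsize < 2**31` to their `skipif` conditions, states that directly. The added comment also misspells the exception name; it should read `OverflowError`.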
@@ -38,11 +38,7 @@ def _aead_supported(cls): def large_mmap(): - # We need this large but not larger than fits in a 32-bit int. This way - # a 32-bit platform can return this mmap successfully but we'll raise - # OverFlowError in the tests because the underlying type for the - # function signature is a signed int - return mmap.mmap(-1, 2**31, prot=mmap.PROT_READ) + return mmap.mmap(-1, 2**32, prot=mmap.PROT_READ) @pytest.mark.skipif( @@ -60,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend): ) class TestChaCha20Poly1305: @pytest.mark.skipif( - sys.platform not in {"linux", "darwin"}, reason="mmap required" + sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, + reason="mmap and 64-bit platform required", ) def test_data_too_large(self): key = ChaCha20Poly1305.generate_key() @@ -201,7 +198,8 @@ def test_buffer_protocol(self, backend): ) class TestAESCCM: @pytest.mark.skipif( - sys.platform not in {"linux", "darwin"}, reason="mmap required" + sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, + reason="mmap and 64-bit platform required", ) def test_data_too_large(self): key = AESCCM.generate_key(128) @@ -382,7 +380,8 @@ def _load_gcm_vectors(): class TestAESGCM: @pytest.mark.skipif( - sys.platform not in {"linux", "darwin"}, reason="mmap required" + sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, + reason="mmap and 64-bit platform required", ) def test_data_too_large(self): key = AESGCM.generate_key(128) @@ -529,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend): ) class TestAESOCB3: @pytest.mark.skipif( - sys.platform not in {"linux", "darwin"}, reason="mmap required" + sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, + reason="mmap and 64-bit platform required", ) def test_data_too_large(self): key = AESOCB3.generate_key(128) 
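Review bot: The same two-line `skipif` condition and reason string is now repeated on every `test_data_too_large` method, starting at `TestChaCha20Poly1305` (hunk at -60) and again in the hunks at -201, -382, -529, -704 and -848, so a later change to the platform rule has to be made in six places. Defining it once next to `large_mmap()`, for example `requires_large_mmap = pytest.mark.skipif(sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, reason="mmap and 64-bit platform required")`, and decorating each test with `@requires_large_mmap` keeps the helper and its precondition together. A short comment there saying that `sys.maxsize < 2**31` identifies a 32-bit build, where a buffer longer than a signed int cannot exist, would explain why skipping loses no coverage of the length check. The test classes start and end outside these hunks.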
@@ -704,7 +704,8 @@ def test_buffer_protocol(self, backend): ) class TestAESSIV: @pytest.mark.skipif( - sys.platform not in {"linux", "darwin"}, reason="mmap required" + sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, + reason="mmap and 64-bit platform required", ) def test_data_too_large(self): key = AESSIV.generate_key(256) @@ -848,7 +849,8 @@ def test_buffer_protocol(self, backend): ) class TestAESGCMSIV: @pytest.mark.skipif( - sys.platform not in {"linux", "darwin"}, reason="mmap required" + sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, + reason="mmap and 64-bit platform required", ) def test_data_too_large(self): key = AESGCMSIV.generate_key(256) From bfcdfbefb32c5a9786ef66d4eb0777f70ae5943b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 9 Feb 2024 00:16:38 +0000 Subject: [PATCH 0095/1462] Bump BoringSSL and/or OpenSSL in CI (#10372) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9608d9dc8fdb..341fd2c07506 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 08, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "34b51faf3a58fe36e3ab1db99a2a441d0f69c754"}} - # Latest commit on the OpenSSL master branch, as of Feb 08, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "387b93e14907cd8203d6f2c9d78e49df01cb6e1f"}} + # Latest commit on the BoringSSL master branch, as of Feb 09, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "8ff5add548e89f3680da398a41ecfca95a863fcd"}} + # Latest commit on the OpenSSL master branch, as of Feb 09, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "01690a7ff36c4d18c48b301cdf375c954105a1d9"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From c23442dd4baa44273398d86f679e26e7c8a1e93c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 10 Feb 2024 00:15:59 +0000 Subject: [PATCH 0096/1462] Bump BoringSSL and/or OpenSSL in CI (#10374) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 341fd2c07506..9fe7e869fccc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 09, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "8ff5add548e89f3680da398a41ecfca95a863fcd"}} - # Latest commit on the OpenSSL master branch, as of Feb 09, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "01690a7ff36c4d18c48b301cdf375c954105a1d9"}} + # Latest commit on the BoringSSL master branch, as of Feb 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "71c589682f7d1dabc08b56ef7a0a28913e44110e"}} + # Latest commit on the OpenSSL master branch, as of Feb 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cfabddfb9f6f54b3f3b8e90ccb918967390a7fb2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 9efa73910454b24074a280725306838bef063709 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sat, 10 Feb 2024 22:34:55 +0000 Subject: [PATCH 0097/1462] policy: `Policy::new` is now `Policy::server` (#10377) Signed-off-by: William Woodruff --- .../src/policy/extension.rs | 10 +++++----- .../cryptography-x509-verification/src/policy/mod.rs | 6 +++--- src/rust/src/x509/verify.rs | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs index 83d4a5ec1736..9ab88ab5189d 100644 --- a/src/rust/cryptography-x509-verification/src/policy/extension.rs +++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs 
@@ -599,7 +599,7 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = PublicKeyErrorOps {}; - let policy = Policy::new( + let policy = Policy::server( ops, Subject::DNS(DNSName::new("example.com").unwrap()), epoch(), @@ -639,7 +639,7 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = PublicKeyErrorOps {}; - let policy = Policy::new( + let policy = Policy::server( ops, Subject::DNS(DNSName::new("example.com").unwrap()), epoch(), @@ -673,7 +673,7 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = PublicKeyErrorOps {}; - let policy = Policy::new( + let policy = Policy::server( ops, Subject::DNS(DNSName::new("example.com").unwrap()), epoch(), @@ -704,7 +704,7 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = PublicKeyErrorOps {}; - let policy = Policy::new( + let policy = Policy::server( ops, Subject::DNS(DNSName::new("example.com").unwrap()), epoch(), @@ -733,7 +733,7 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = PublicKeyErrorOps {}; - let policy = Policy::new( + let policy = Policy::server( ops, Subject::DNS(DNSName::new("example.com").unwrap()), epoch(), diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index ef270fc79db4..f0a2ba5a7e63 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -234,9 +234,9 @@ pub struct Policy<'a, B: CryptoOps> { } impl<'a, B: CryptoOps> Policy<'a, B> { - /// Create a new policy with defaults for the certificate profile defined in - /// the CA/B Forum's Basic Requirements. - pub fn new( + /// Create a new policy with defaults for the server certificate profile + /// defined in the CA/B Forum's Basic Requirements. + pub fn server( ops: B, subject: Subject<'a>, time: asn1::DateTime, 
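Review bot: The rewritten doc comment on `Policy::server` in policy/mod.rs still refers to the CA/B Forum's "Basic Requirements"; the document is the Baseline Requirements, so the line should read `/// defined in the CA/B Forum's Baseline Requirements.`. The wording is inherited from the removed comment, but since the rename makes this the constructor callers pick for server validation, the reference is worth getting right so readers can find the profile being enforced. The function signature and body continue outside the hunk.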
diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 8cd9cfdf964b..d35c3a61ceaa 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -142,7 +142,7 @@ impl PolicyBuilder { let policy = OwnedPolicy::try_new(subject_owner, |subject_owner| { let subject = build_subject(py, subject_owner)?; - Ok::, pyo3::PyErr>(PyCryptoPolicy(Policy::new( + Ok::, pyo3::PyErr>(PyCryptoPolicy(Policy::server( PyCryptoOps {}, subject, time, From 8b521e05b9ef85f0bc96f55713471358613cafd1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 11 Feb 2024 00:20:38 +0000 Subject: [PATCH 0098/1462] Bump BoringSSL and/or OpenSSL in CI (#10378) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9fe7e869fccc..4427b17543ba 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "71c589682f7d1dabc08b56ef7a0a28913e44110e"}} - # Latest commit on the OpenSSL master branch, as of Feb 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cfabddfb9f6f54b3f3b8e90ccb918967390a7fb2"}} + # Latest commit on the BoringSSL master branch, as of Feb 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "c39e6cd9ec5acebb6de2adffc03cfe03b07f08ab"}} + # Latest commit on the OpenSSL master branch, as of Feb 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "925118e8c3b1041ce7f9840c2d67e7f878123e6b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From e179d30f9fa8ec20e72c320842ae9b0b2be970ae Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 11 Feb 2024 10:23:02 -0500 Subject: [PATCH 0099/1462] Centralize checks for whether scrypt is available (#10376) --- src/_cffi_src/openssl/evp.py | 7 ------- src/cryptography/hazmat/backends/openssl/backend.py | 2 +- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index 54f5388b83d0..ed73ec99fd5f 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py 
@@ -30,7 +30,6 @@ static const int EVP_CTRL_AEAD_GET_TAG; static const int EVP_CTRL_AEAD_SET_TAG; -static const int Cryptography_HAS_SCRYPT; static const int Cryptography_HAS_EVP_PKEY_DHX; static const long Cryptography_HAS_300_FIPS; static const long Cryptography_HAS_300_EVP_CIPHER; @@ -94,12 +93,6 @@ const long Cryptography_HAS_EVP_PKEY_DHX = 0; #endif -#if CRYPTOGRAPHY_IS_LIBRESSL || defined(OPENSSL_NO_SCRYPT) -static const long Cryptography_HAS_SCRYPT = 0; -#else -static const long Cryptography_HAS_SCRYPT = 1; -#endif - /* This is tied to X448 support so we reuse the Cryptography_HAS_X448 conditional to remove it. OpenSSL 1.1.1 adds this define. We can remove this in the distant future when we drop 1.1.0 support. */ diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 66c7ed624be0..0f3976c3de02 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -194,7 +194,7 @@ def scrypt_supported(self) -> bool: if self._fips_enabled: return False else: - return self._lib.Cryptography_HAS_SCRYPT == 1 + return hasattr(rust_openssl.kdf, "derive_scrypt") def hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool: # FIPS mode still allows SHA1 for HMAC From be950bde6892738d0e86573b9c66d096d70143b2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 11 Feb 2024 18:34:22 -0500 Subject: [PATCH 0100/1462] Port openssl_version_text to Rust (#10380) --- src/cryptography/hazmat/backends/openssl/backend.py | 6 ++---- src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi | 2 ++ src/rust/src/lib.rs | 6 ++++++ 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 0f3976c3de02..d20945d6a6de 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py 
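Review bot: `scrypt_supported()` in backend.py now decides support with `hasattr(rust_openssl.kdf, "derive_scrypt")`, which is only correct if the Rust module leaves `derive_scrypt` unregistered on builds that lack scrypt (LibreSSL or `OPENSSL_NO_SCRYPT`, the two cases the removed `Cryptography_HAS_SCRYPT` block in evp.py covered); that registration is not visible in this diff. A comment above the return, such as `# derive_scrypt is only exported by the Rust module when the linked library provides scrypt`, would make that contract explicit so that a later change exporting the function unconditionally does not silently turn this into "always supported". The method starts outside the hunk.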
@@ -151,12 +151,10 @@ def openssl_version_text(self) -> str: Example: OpenSSL 3.2.1 30 Jan 2024 """ - return self._ffi.string( - self._lib.OpenSSL_version(self._lib.OPENSSL_VERSION) - ).decode("ascii") + return rust_openssl.openssl_version_text() def openssl_version_number(self) -> int: - return self._lib.OpenSSL_version_num() + return rust_openssl.openssl_version() def _evp_md_from_algorithm(self, algorithm: hashes.HashAlgorithm): if algorithm.name in ("blake2b", "blake2s"): diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index cc54647732cc..c4997fc12a61 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -24,6 +24,7 @@ from cryptography.hazmat.bindings._rust.openssl import ( __all__ = [ "openssl_version", + "openssl_version_text", "raise_openssl_error", "aead", "cmac", @@ -45,6 +46,7 @@ __all__ = [ _legacy_provider_loaded: bool def openssl_version() -> int: ... +def openssl_version_text() -> str: ... def raise_openssl_error() -> typing.NoReturn: ... def capture_error_stack() -> list[OpenSSLError]: ... def is_fips_enabled() -> bool: ... diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index c9f9285e3825..62d86884af7a 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -31,6 +31,11 @@ fn openssl_version() -> i64 { openssl::version::number() } +#[pyo3::prelude::pyfunction] +fn openssl_version_text() -> &'static str { + openssl::version::version() +} + #[pyo3::prelude::pyfunction] fn is_fips_enabled() -> bool { cryptography_openssl::fips::is_enabled() 
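Review bot: `openssl_version_text()` and `openssl_version_number()` in backend.py now report what the Rust `openssl` crate is linked against instead of what the cffi `_lib` handle returns; presumably both resolve to the same library, but nothing in the hunk says so, and these are the values users quote when checking whether they run a patched OpenSSL. A one-line comment stating that assumption, e.g. `# The Rust extension and the cffi bindings link the same libcrypto`, would document it if it holds. The new `openssl_version_text` function in lib.rs also has no doc comment; `/// Version string of the linked OpenSSL-compatible library.` would match what the Python docstring describes.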
@@ -107,6 +112,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> } } openssl_mod.add_function(pyo3::wrap_pyfunction!(openssl_version, m)?)?; + openssl_mod.add_function(pyo3::wrap_pyfunction!(openssl_version_text, m)?)?; openssl_mod.add_function(pyo3::wrap_pyfunction!(error::raise_openssl_error, m)?)?; openssl_mod.add_function(pyo3::wrap_pyfunction!(error::capture_error_stack, m)?)?; openssl_mod.add_function(pyo3::wrap_pyfunction!(is_fips_enabled, m)?)?; From e8ca1cd8c62593fd8d65de9c1e4efdf1259efa68 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 11 Feb 2024 18:34:54 -0500 Subject: [PATCH 0101/1462] Don't reinstall test deps in local nox session (#10379) They're already installed first thing --- noxfile.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/noxfile.py b/noxfile.py index f1117d7fee3b..999654427eca 100644 --- a/noxfile.py +++ b/noxfile.py @@ -288,7 +288,7 @@ def local(session): "noxfile.py", ) - install(session, ".[test]") + install(session, ".") if session.posargs: tests = session.posargs From 2853f64cce4cc88f06f1fbba27f0d8b6031458e4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 12 Feb 2024 00:29:30 +0000 Subject: [PATCH 0102/1462] Bump x509-limbo and/or wycheproof in CI (#10381) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index b26d8c308115..c56834ced2cb 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 07, 2024. - ref: "471656dc73cedf02eaac82c45d7bd874d097dfc9" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 12, 2024. + ref: "e656fb25e9582c62576bfe2d5322f60c633b9ea5" # x509-limbo-ref From 6b9e5299403953ae30bc26e4043bfcf436aa7d32 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Feb 2024 06:41:16 -0500 Subject: [PATCH 0103/1462] Bump setuptools from 69.0.3 to 69.1.0 in /.github/requirements (#10382) Bumps [setuptools](https://github.com/pypa/setuptools) from 69.0.3 to 69.1.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v69.0.3...v69.1.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 1b6bb11dcd3b..aff425f1834b 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt 
@@ -80,9 +80,9 @@ wheel==0.42.0 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==69.0.3 \ - --hash=sha256:385eb4edd9c9d5c17540511303e39a147ce2fc04bc55289c322b9e5904fe2c05 \ - --hash=sha256:be1af57fc409f93647f2e8e4573a142ed38724b8cdd389706a867bb4efcf1e78 +setuptools==69.1.0 \ + --hash=sha256:850894c4195f09c4ed30dba56213bf7c3f21d86ed6bdaafb5df5972593bfc401 \ + --hash=sha256:c054629b81b946d63a9c6e732bc8b2513a7c3ea645f11d0139a2191d735c60c6 # via # -r build-requirements.in # setuptools-rust From 87246ebe4072ba216eb8c8a6ca22566614cb0323 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Feb 2024 08:06:16 -0600 Subject: [PATCH 0104/1462] Bump twine from 4.0.2 to 5.0.0 in /.github/requirements (#10383) * Bump twine from 4.0.2 to 5.0.0 in /.github/requirements Bumps [twine](https://github.com/pypa/twine) from 4.0.2 to 5.0.0. - [Release notes](https://github.com/pypa/twine/releases) - [Changelog](https://github.com/pypa/twine/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/twine/compare/4.0.2...5.0.0) --- updated-dependencies: - dependency-name: twine dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 28fdfbdadbcb..d6a15d8bf03a 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -580,9 +580,9 @@ tuf==3.1.0 \ --hash=sha256:3a4e9abba9d03c221842f62a9a687d51cc2b4a26c43ee7deb1ffb5fa2fb49374 \ --hash=sha256:a8f055fbaf90d1477258c98fe29d23217e793ca0bdc5fb5a7d252ff5acecddc0 # via sigstore -twine==4.0.2 \ - --hash=sha256:929bc3c280033347a00f847236564d1c52a3e61b1ac2516c97c48f3ceab756d8 \ - --hash=sha256:9e102ef5fdd5a20661eb88fad46338806c3bd32cf1db729603fe3697b1bc83c8 +twine==5.0.0 \ + --hash=sha256:89b0cc7d370a4b66421cc6102f269aa910fe0f1861c124f573cf2ddedbc10cf4 \ + --hash=sha256:a262933de0b484c53408f9edae2e7821c1c45a3314ff2df9bdd343aa7ab8edc0 # via -r publish-requirements.in typing-extensions==4.9.0 \ --hash=sha256:23478f88c37f27d76ac8aee6c905017a143b0b1b886c3c9f66bc2fd94f9f5783 \ From f7972c80ec58b5a32bd1b43a9eff3e11a1a69eda Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 13 Feb 2024 00:16:52 +0000 Subject: [PATCH 0105/1462] Bump BoringSSL and/or OpenSSL in CI (#10384) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4427b17543ba..8b02cfb83032 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 11, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "c39e6cd9ec5acebb6de2adffc03cfe03b07f08ab"}} - # Latest commit on the OpenSSL master branch, as of Feb 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "925118e8c3b1041ce7f9840c2d67e7f878123e6b"}} + # Latest commit on the OpenSSL master branch, as of Feb 13, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ace3afa087bc52d9613fd0dcd2dae758d43bde2c"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 93932db73d57074ef3ed2f0b9ff4b14846b279df Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 13 Feb 2024 00:33:41 +0000 Subject: [PATCH 0106/1462] Bump x509-limbo and/or wycheproof in CI (#10385) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index c56834ced2cb..9d7c438b1a51 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 12, 2024. - ref: "e656fb25e9582c62576bfe2d5322f60c633b9ea5" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 13, 2024. + ref: "bf860cdd81d87250b7b67cf9ccd52f6d3741a2d7" # x509-limbo-ref From c835401c4aaaef17d421a5b8fb1136cfe8a681b6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 13 Feb 2024 07:15:42 -0500 Subject: [PATCH 0107/1462] Bump cc from 1.0.83 to 1.0.85 in /src/rust (#10386) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.83 to 1.0.85. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.83...1.0.85) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 7 ++----- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index d7e5e256fa3f..9c127b6b6a0c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,12 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.83" +version = "1.0.85" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0" -dependencies = [ - "libc", -] +checksum = "9b918671670962b48bc23753aef0c51d072dca6f52f01f800854ada6ddb7f7d3" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index a025e58ceda7..c7b0782587c3 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.20", features = ["abi3"] } openssl-sys = "0.9.99" [build-dependencies] -cc = "1.0.83" +cc = "1.0.85" From b059986c4cf106ccde7f5d9d1747b7f41be160c6 Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Tue, 13 Feb 2024 09:22:38 -0600 Subject: [PATCH 0108/1462] Revert "Bump cc from 1.0.83 to 1.0.85 in /src/rust (#10386)" (#10387) This reverts commit c835401c4aaaef17d421a5b8fb1136cfe8a681b6. --- src/rust/Cargo.lock | 7 +++++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 9c127b6b6a0c..d7e5e256fa3f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,12 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.85" +version = "1.0.83" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9b918671670962b48bc23753aef0c51d072dca6f52f01f800854ada6ddb7f7d3" +checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0" +dependencies = [ + "libc", +] [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index c7b0782587c3..a025e58ceda7 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.20", features = ["abi3"] } openssl-sys = "0.9.99" [build-dependencies] -cc = "1.0.85" +cc = "1.0.83" From 9c6113abb6d3f06ca53337a48d7c9b6aa4da8baf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 15 Feb 2024 22:35:53 +0000 Subject: [PATCH 0109/1462] Bump pkg-config from 0.3.29 to 0.3.30 in /src/rust (#10392) Bumps [pkg-config](https://github.com/rust-lang/pkg-config-rs) from 0.3.29 to 0.3.30. - [Changelog](https://github.com/rust-lang/pkg-config-rs/blob/master/CHANGELOG.md) - [Commits](https://github.com/rust-lang/pkg-config-rs/commits) --- updated-dependencies: - dependency-name: pkg-config dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index d7e5e256fa3f..97f35d15008a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -260,9 +260,9 @@ dependencies = [ [[package]] name = "pkg-config" -version = "0.3.29" +version = "0.3.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2900ede94e305130c13ddd391e0ab7cbaeb783945ae07a279c268cb05109c6cb" +checksum = "d231b230927b5e4ad203db57bbcbee2802f6bce620b1e4a9024a07d94e2907ec" [[package]] name = "proc-macro2" From 64b9095c7ae62e9da8003701666be355c2db4128 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 15 Feb 2024 14:36:24 -0800 Subject: [PATCH 0110/1462] fix provider loading take two (#10390) we previously hoisted this into rust, but we used the try_load feature which supposedly retains fallbacks. Something about that doesn't behave the way we expect though and the machinery in providers is sufficiently complex that we are just going to load the default provider explicitly. this matches our behavior pre-rust. --- src/rust/src/lib.rs | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 62d86884af7a..a21f3986dd18 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -24,6 +24,7 @@ mod x509; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] struct LoadedProviders { legacy: Option, + _default: provider::Provider, } #[pyo3::prelude::pyfunction] 
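Review bot: The new `_default` field on `LoadedProviders` is not read anywhere in the visible hunks, and nothing in the struct says it exists only to keep the provider handle alive. A field comment such as `// Never read; held so the default provider stays loaded for the life of the module.` would stop a later cleanup from removing it. This assumes the provider is unloaded when its handle is dropped, which this hunk does not show and which should be confirmed against the `provider` wrapper.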
@@ -42,7 +43,7 @@ fn is_fips_enabled() -> bool { } #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] -fn _initialize_legacy_provider() -> CryptographyResult { +fn _initialize_providers() -> CryptographyResult { // As of OpenSSL 3.0.0 we must register a legacy cipher provider // to get RC2 (needed for junk asymmetric private key // serialization), RC4, Blowfish, IDEA, SEED, etc. These things @@ -52,13 +53,14 @@ fn _initialize_legacy_provider() -> CryptographyResult { .map(|v| v.is_empty() || v == "0") .unwrap_or(true); let legacy = if load_legacy { - let legacy_result = provider::Provider::try_load(None, "legacy", true); + let legacy_result = provider::Provider::load(None, "legacy"); _legacy_provider_error(legacy_result.is_ok())?; Some(legacy_result?) } else { None }; - Ok(LoadedProviders { legacy }) + let _default = provider::Provider::load(None, "default")?; + Ok(LoadedProviders { legacy, _default }) } fn _legacy_provider_error(success: bool) -> pyo3::PyResult<()> { @@ -99,13 +101,13 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> let openssl_mod = pyo3::prelude::PyModule::new(py, "openssl")?; cfg_if::cfg_if! { if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { - let providers = _initialize_legacy_provider()?; + let providers = _initialize_providers()?; if providers.legacy.is_some() { openssl_mod.add("_legacy_provider_loaded", true)?; - openssl_mod.add("_providers", providers)?; } else { openssl_mod.add("_legacy_provider_loaded", false)?; } + openssl_mod.add("_providers", providers)?; } else { // default value for non-openssl 3+ openssl_mod.add("_legacy_provider_loaded", false)?; From d60e8b6198ce9530ff9b8ef3384fb7cc8dc77bb7 Mon Sep 17 00:00:00 2001 
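Review bot: The explicit `provider::Provider::load(None, "default")?` at the end of `_initialize_providers` has no comment explaining why it is needed, while the legacy load above it has a full paragraph. The reason is only in the commit message, so I would put it in the code: `// Explicitly loading any provider disables OpenSSL's implicit default-provider fallback, so load "default" ourselves.` A failure of that load is returned through `?` and does not go through `_legacy_provider_error`; if that helper adds a user-facing explanation (its body is not visible here), the default-provider failure may deserve one as well. The function signature is in the previous hunk, so this hunk shows only the tail of the body.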
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 15 Feb 2024 14:37:17 -0800 Subject: [PATCH 0111/1462] Bump BoringSSL and/or OpenSSL in CI (#10391) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8b02cfb83032..f414de66591a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "c39e6cd9ec5acebb6de2adffc03cfe03b07f08ab"}} - # Latest commit on the OpenSSL master branch, as of Feb 13, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ace3afa087bc52d9613fd0dcd2dae758d43bde2c"}} + # Latest commit on the BoringSSL master branch, as of Feb 15, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ba5eb621d7d9bf2872386b4303fd5e9aa64f7230"}} + # Latest commit on the OpenSSL master branch, as of Feb 15, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d597b46f9bdb533761e36fcf1d96ce83f3f6f04d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From fe7f03a4152e24b8706fd7454f329113d8f24115 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 15 Feb 2024 19:34:59 -0500 Subject: [PATCH 0112/1462] Bump x509-limbo and/or wycheproof in CI (#10394) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 9d7c438b1a51..326ef2cf71f7 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 13, 2024. - ref: "bf860cdd81d87250b7b67cf9ccd52f6d3741a2d7" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 16, 2024. + ref: "5f2f7b0a1ac8a8ebae3e418c2569f524c80f29db" # x509-limbo-ref From 378bf75a553acdd31fc4fd6bce9dd6fd14983de7 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 15 Feb 2024 19:56:32 -0800 Subject: [PATCH 0113/1462] port 42.0.3 changelog to main (#10397) --- CHANGELOG.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index bd6b92f65712..2a529c2d7b80 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -27,6 +27,14 @@ Changelog :doc:`/hazmat/decrepit/index` and deprecated them in the ``cipher`` module. They will be removed from the ``cipher`` module in 48.0.0. +.. _v42-0-3: + +42.0.3 - 2024-02-15 +~~~~~~~~~~~~~~~~~~~ + +* Fixed an initialization issue that caused key loading failures for some + users. + .. _v42-0-2: 42.0.2 - 2024-01-30 From 0730de72ab6e57335a8ff14bd0710f3a3abe6f68 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Feb 2024 07:12:38 -0500 Subject: [PATCH 0114/1462] Bump syn from 2.0.48 to 2.0.49 in /src/rust (#10399) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.48 to 2.0.49. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.48...2.0.49) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 97f35d15008a..091f763dee64 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -372,9 +372,9 @@ checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" [[package]] name = "syn" -version = "2.0.48" +version = "2.0.49" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0f3531638e407dfc0814761abb7c00a5b54992b849452a0646b7f65c9f770f3f" +checksum = "915aea9e586f80826ee59f8453c1101f9d1c4b3964cd2460185ee8e299ada496" dependencies = [ "proc-macro2", "quote", From 40f2d39ac7a0d43a7778e082e5a09fbd21bf77d2 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Feb 2024 12:20:59 +0000 Subject: [PATCH 0115/1462] Bump dawidd6/action-download-artifact from 3.0.0 to 3.1.0 (#10398) Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 3.0.0 to 3.1.0. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](https://github.com/dawidd6/action-download-artifact/compare/e7466d1a7587ed14867642c2ca74b5bcc1e19a2d...f6b0bace624032e30a85a8fd9c1a7f8f611f5737) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f414de66591a..08a13a83b4ce 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -256,7 +256,7 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/fetch-vectors - - uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0 + - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -316,7 +316,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'" - - uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0 + - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 with: repo: pyca/infra workflow: build-windows-openssl.yml 
diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 7c2d3cb6db99..620697af42f2 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -44,7 +44,7 @@ jobs: - name: Install Python dependencies run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} - - uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0 + - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 with: path: dist/ run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index fef4a48bc63f..416db67e8c06 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -232,7 +232,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') - - uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0 + - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -329,7 +329,7 @@ jobs: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0 + - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 with: repo: pyca/infra workflow: build-windows-openssl.yml From 3e6231f35925fe6897d26cfd597c49c7a15f7851 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Feb 2024 15:57:25 -0800 Subject: [PATCH 0116/1462] Bump cryptography from 42.0.2 to 42.0.3 in /.github/requirements (#10401) * Bump cryptography from 42.0.2 to 42.0.3 in /.github/requirements Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.2 to 42.0.3. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/42.0.2...42.0.3) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index d6a15d8bf03a..4010b549763c 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -166,39 +166,39 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==42.0.2 \ - --hash=sha256:087887e55e0b9c8724cf05361357875adb5c20dec27e5816b653492980d20380 \ - --hash=sha256:09a77e5b2e8ca732a19a90c5bca2d124621a1edb5438c5daa2d2738bfeb02589 \ - --hash=sha256:130c0f77022b2b9c99d8cebcdd834d81705f61c68e91ddd614ce74c657f8b3ea \ - --hash=sha256:141e2aa5ba100d3788c0ad7919b288f89d1fe015878b9659b307c9ef867d3a65 \ - --hash=sha256:28cb2c41f131a5758d6ba6a0504150d644054fd9f3203a1e8e8d7ac3aea7f73a \ - --hash=sha256:2f9f14185962e6a04ab32d1abe34eae8a9001569ee4edb64d2304bf0d65c53f3 \ - --hash=sha256:320948ab49883557a256eab46149df79435a22d2fefd6a66fe6946f1b9d9d008 \ - --hash=sha256:36d4b7c4be6411f58f60d9ce555a73df8406d484ba12a63549c88bd64f7967f1 \ - --hash=sha256:3b15c678f27d66d247132cbf13df2f75255627bcc9b6a570f7d2fd08e8c081d2 \ - --hash=sha256:3dbd37e14ce795b4af61b89b037d4bc157f2cb23e676fa16932185a04dfbf635 \ - --hash=sha256:4383b47f45b14459cab66048d384614019965ba6c1a1a141f11b5a551cace1b2 \ - --hash=sha256:44c95c0e96b3cb628e8452ec060413a49002a247b2b9938989e23a2c8291fc90 \ - --hash=sha256:4b063d3413f853e056161eb0c7724822a9740ad3caa24b8424d776cebf98e7ee \ - --hash=sha256:52ed9ebf8ac602385126c9a2fe951db36f2cb0c2538d22971487f89d0de4065a \ - --hash=sha256:55d1580e2d7e17f45d19d3b12098e352f3a37fe86d380bf45846ef257054b242 \ - --hash=sha256:5ef9bc3d046ce83c4bbf4c25e1e0547b9c441c01d30922d812e887dc5f125c12 \ - --hash=sha256:5fa82a26f92871eca593b53359c12ad7949772462f887c35edaf36f87953c0e2 \ - --hash=sha256:61321672b3ac7aade25c40449ccedbc6db72c7f5f0fdf34def5e2f8b51ca530d \ - --hash=sha256:701171f825dcab90969596ce2af253143b93b08f1a716d4b2a9d2db5084ef7be \ - --hash=sha256:841ec8af7a8491ac76ec5a9522226e287187a3107e12b7d686ad354bb78facee \ - --hash=sha256:8a06641fb07d4e8f6c7dda4fc3f8871d327803ab6542e33831c7ccfdcb4d0ad6 \ - 
--hash=sha256:8e88bb9eafbf6a4014d55fb222e7360eef53e613215085e65a13290577394529 \ - --hash=sha256:a00aee5d1b6c20620161984f8ab2ab69134466c51f58c052c11b076715e72929 \ - --hash=sha256:a047682d324ba56e61b7ea7c7299d51e61fd3bca7dad2ccc39b72bd0118d60a1 \ - --hash=sha256:a7ef8dd0bf2e1d0a27042b231a3baac6883cdd5557036f5e8df7139255feaac6 \ - --hash=sha256:ad28cff53f60d99a928dfcf1e861e0b2ceb2bc1f08a074fdd601b314e1cc9e0a \ - --hash=sha256:b9097a208875fc7bbeb1286d0125d90bdfed961f61f214d3f5be62cd4ed8a446 \ - --hash=sha256:b97fe7d7991c25e6a31e5d5e795986b18fbbb3107b873d5f3ae6dc9a103278e9 \ - --hash=sha256:e0ec52ba3c7f1b7d813cd52649a5b3ef1fc0d433219dc8c93827c57eab6cf888 \ - --hash=sha256:ea2c3ffb662fec8bbbfce5602e2c159ff097a4631d96235fcf0fb00e59e3ece4 \ - --hash=sha256:fa3dec4ba8fb6e662770b74f62f1a0c7d4e37e25b58b2bf2c1be4c95372b4a33 \ - --hash=sha256:fbeb725c9dc799a574518109336acccaf1303c30d45c075c665c0793c2f79a7f +cryptography==42.0.3 \ + --hash=sha256:04859aa7f12c2b5f7e22d25198ddd537391f1695df7057c8700f71f26f47a129 \ + --hash=sha256:069d2ce9be5526a44093a0991c450fe9906cdf069e0e7cd67d9dee49a62b9ebe \ + --hash=sha256:0d3ec384058b642f7fb7e7bff9664030011ed1af8f852540c76a1317a9dd0d20 \ + --hash=sha256:0fab2a5c479b360e5e0ea9f654bcebb535e3aa1e493a715b13244f4e07ea8eec \ + --hash=sha256:0fea01527d4fb22ffe38cd98951c9044400f6eff4788cf52ae116e27d30a1ba3 \ + --hash=sha256:1b797099d221df7cce5ff2a1d272761d1554ddf9a987d3e11f6459b38cd300fd \ + --hash=sha256:1e935c2900fb53d31f491c0de04f41110351377be19d83d908c1fd502ae8daa5 \ + --hash=sha256:20100c22b298c9eaebe4f0b9032ea97186ac2555f426c3e70670f2517989543b \ + --hash=sha256:20180da1b508f4aefc101cebc14c57043a02b355d1a652b6e8e537967f1e1b46 \ + --hash=sha256:25b09b73db78facdfd7dd0fa77a3f19e94896197c86e9f6dc16bce7b37a96504 \ + --hash=sha256:2619487f37da18d6826e27854a7f9d4d013c51eafb066c80d09c63cf24505306 \ + --hash=sha256:2eb6368d5327d6455f20327fb6159b97538820355ec00f8cc9464d617caecead \ + 
--hash=sha256:35772a6cffd1f59b85cb670f12faba05513446f80352fe811689b4e439b5d89e \ + --hash=sha256:39d5c93e95bcbc4c06313fc6a500cee414ee39b616b55320c1904760ad686938 \ + --hash=sha256:3d96ea47ce6d0055d5b97e761d37b4e84195485cb5a38401be341fabf23bc32a \ + --hash=sha256:4dcab7c25e48fc09a73c3e463d09ac902a932a0f8d0c568238b3696d06bf377b \ + --hash=sha256:5fbf0f3f0fac7c089308bd771d2c6c7b7d53ae909dce1db52d8e921f6c19bb3a \ + --hash=sha256:6c25e1e9c2ce682d01fc5e2dde6598f7313027343bd14f4049b82ad0402e52cd \ + --hash=sha256:762f3771ae40e111d78d77cbe9c1035e886ac04a234d3ee0856bf4ecb3749d54 \ + --hash=sha256:90147dad8c22d64b2ff7331f8d4cddfdc3ee93e4879796f837bdbb2a0b141e0c \ + --hash=sha256:935cca25d35dda9e7bd46a24831dfd255307c55a07ff38fd1a92119cffc34857 \ + --hash=sha256:93fbee08c48e63d5d1b39ab56fd3fdd02e6c2431c3da0f4edaf54954744c718f \ + --hash=sha256:9541c69c62d7446539f2c1c06d7046aef822940d248fa4b8962ff0302862cc1f \ + --hash=sha256:c23f03cfd7d9826cdcbad7850de67e18b4654179e01fe9bc623d37c2638eb4ef \ + --hash=sha256:c3d1f5a1d403a8e640fa0887e9f7087331abb3f33b0f2207d2cc7f213e4a864c \ + --hash=sha256:d1998e545081da0ab276bcb4b33cce85f775adb86a516e8f55b3dac87f469548 \ + --hash=sha256:d5cf11bc7f0b71fb71af26af396c83dfd3f6eed56d4b6ef95d57867bf1e4ba65 \ + --hash=sha256:db0480ffbfb1193ac4e1e88239f31314fe4c6cdcf9c0b8712b55414afbf80db4 \ + --hash=sha256:de4ae486041878dc46e571a4c70ba337ed5233a1344c14a0790c4c4be4bbb8b4 \ + --hash=sha256:de5086cd475d67113ccb6f9fae6d8fe3ac54a4f9238fd08bfdb07b03d791ff0a \ + --hash=sha256:df34312149b495d9d03492ce97471234fd9037aa5ba217c2a6ea890e9166f151 \ + --hash=sha256:ead69ba488f806fe1b1b4050febafdbf206b81fa476126f3e16110c818bac396 # via # pyopenssl # secretstorage From 6f60735f86e1db740655f07a9e2491c4bc172497 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Feb 2024 15:57:41 -0800 Subject: [PATCH 0117/1462] Bump tuf from 3.1.0 to 3.1.1 in /.github/requirements (#10400) * Bump tuf from 3.1.0 to 3.1.1 in /.github/requirements Bumps [tuf](https://github.com/theupdateframework/python-tuf) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/theupdateframework/python-tuf/releases) - [Changelog](https://github.com/theupdateframework/python-tuf/blob/v3.1.1/docs/CHANGELOG.md) - [Commits](https://github.com/theupdateframework/python-tuf/compare/v3.1.0...v3.1.1) --- updated-dependencies: - dependency-name: tuf dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 4010b549763c..d01b3a50121c 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -576,9 +576,9 @@ six==1.16.0 \ --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 # via python-dateutil -tuf==3.1.0 \ - --hash=sha256:3a4e9abba9d03c221842f62a9a687d51cc2b4a26c43ee7deb1ffb5fa2fb49374 \ - --hash=sha256:a8f055fbaf90d1477258c98fe29d23217e793ca0bdc5fb5a7d252ff5acecddc0 +tuf==3.1.1 \ + --hash=sha256:73b3c89a0acdfe90434bba3118c90c584ef1c56bc0c4565852e917408b774130 \ + --hash=sha256:d6441d11bc9a928cb82cf571519bb99e70ed3ea6fd5a52ce116a8e121023f7ef # via sigstore twine==5.0.0 \ --hash=sha256:89b0cc7d370a4b66421cc6102f269aa910fe0f1861c124f573cf2ddedbc10cf4 \ 
From 4d3ead8ff373390df852d7d0522a965586e3fe1b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 17 Feb 2024 00:07:45 +0000 Subject: [PATCH 0118/1462] Bump pytest from 8.0.0 to 8.0.1 (#10403) Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.0.0 to 8.0.1. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/8.0.0...8.0.1) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 703ad54e2f79..c60b11bbfab6 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -86,7 +86,7 @@ pygments==2.17.2 # sphinx pyproject-hooks==1.0.0 # via build -pytest==8.0.0; python_version >= "3.8" +pytest==8.0.1; python_version >= "3.8" # via # cryptography (pyproject.toml) # pytest-benchmark From 608ce9520f9859811f0bc8f7254f42bba359b824 Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Fri, 16 Feb 2024 19:20:14 -0800 Subject: [PATCH 0119/1462] add RC2-128-CBC vector (#10402) vector created using golang's x/crypto internal impl and verified against openssl --- docs/development/custom-vectors/rc2.rst | 24 ++ docs/development/custom-vectors/rc2/genrc2.go | 35 +++ docs/development/custom-vectors/rc2/go.mod | 3 + .../development/custom-vectors/rc2/rc2/rc2.go | 269 ++++++++++++++++++ docs/development/test-vectors.rst | 2 + .../ciphers/RC2/rc2-cbc.txt | 8 + 6 files changed, 341 insertions(+) create mode 100644 docs/development/custom-vectors/rc2.rst create mode 100644 docs/development/custom-vectors/rc2/genrc2.go create mode 100644 docs/development/custom-vectors/rc2/go.mod create mode 100644 docs/development/custom-vectors/rc2/rc2/rc2.go create mode 100644 vectors/cryptography_vectors/ciphers/RC2/rc2-cbc.txt diff --git a/docs/development/custom-vectors/rc2.rst b/docs/development/custom-vectors/rc2.rst new file mode 100644 index 000000000000..6c7bb9ccdeb9 --- /dev/null +++ b/docs/development/custom-vectors/rc2.rst @@ -0,0 +1,24 @@ +RC2 vector creation +=================== + +This page documents the code that was used to generate the RC2 CBC test vector. +The CBC vector was generated using Go's internal RC2 implementation and +verified using Go and OpenSSL. + +Creation/Verification +--------------------- + +The program below outputs a test vector in the standard format we use and +also verifies that the encrypted value round trips as expected. The output +was also checked against OpenSSL by modifying ``cryptography`` to support +the algorithm. If you wish to run this program we recommend cloning the +repository, which also contains the requisite ``go.mod`` file. + +.. literalinclude:: /development/custom-vectors/rc2/genrc2.go + :language: go + +Download link: :download:`genrc2.go +` + +Download link: :download:`rc2.go +` 
diff --git a/docs/development/custom-vectors/rc2/genrc2.go b/docs/development/custom-vectors/rc2/genrc2.go new file mode 100644 index 000000000000..eaacf7510232 --- /dev/null +++ b/docs/development/custom-vectors/rc2/genrc2.go @@ -0,0 +1,35 @@ +package main + +import ( + "bytes" + "crypto/cipher" + "encoding/hex" + "fmt" + "rc2sucks/rc2" +) + +func main() { + // Generate + count := 1 + key := []byte("0000000000000000") + iv := []byte("00000000") + plaintext := []byte("the quick brown fox jumped over the lazy dog!!!!") + ciphertext := make([]byte, len(plaintext)) + block, _ := rc2.New(key, 128) + mode := cipher.NewCBCEncrypter(block, iv) + mode.CryptBlocks(ciphertext, plaintext) + fmt.Printf("COUNT = %v\n", count) + fmt.Printf("Key = %s\n", hex.EncodeToString(key)) + fmt.Printf("IV = %s\n", hex.EncodeToString(iv)) + fmt.Printf("Plaintext = %s\n", hex.EncodeToString(plaintext)) + fmt.Printf("Ciphertext = %s\n", hex.EncodeToString(ciphertext)) + // Verify + decrypted := make([]byte, len(plaintext)) + decmode := cipher.NewCBCDecrypter(block, iv) + decmode.CryptBlocks(decrypted, ciphertext) + if bytes.Equal(decrypted, plaintext) { + fmt.Println("Success") + } else { + fmt.Println("Failed") + } +} diff --git a/docs/development/custom-vectors/rc2/go.mod b/docs/development/custom-vectors/rc2/go.mod new file mode 100644 index 000000000000..ebc124b48faf --- /dev/null +++ b/docs/development/custom-vectors/rc2/go.mod @@ -0,0 +1,3 @@ +module rc2sucks + +go 1.21.7 diff --git a/docs/development/custom-vectors/rc2/rc2/rc2.go b/docs/development/custom-vectors/rc2/rc2/rc2.go new file mode 100644 index 000000000000..25025fa71101 --- /dev/null +++ b/docs/development/custom-vectors/rc2/rc2/rc2.go 
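Review bot: The generator in `genrc2.go` prints `COUNT = 1` (from `count := 1`), but the `rc2-cbc.txt` committed in this same patch starts with `COUNT = 0`, so the checked-in vector is not exactly what this program emits; `count := 0` would make the documented provenance reproducible. The error from `rc2.New(key, 128)` is discarded with `_`; the vendored `New` currently always returns nil, but `block, err := rc2.New(key, 128)` followed by `if err != nil { panic(err) }` keeps the generator correct if that changes. A short comment such as `// key and IV are the ASCII character '0' repeated (0x30 bytes), not zero bytes` would also help, because the hex output makes that easy to misread.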
@@ -0,0 +1,269 @@ +// From https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.19.0:pkcs12/internal/rc2/rc2.go +// Copyright 2015 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package rc2 implements the RC2 cipher +/* +https://www.ietf.org/rfc/rfc2268.txt +http://people.csail.mit.edu/rivest/pubs/KRRR98.pdf + +This code is licensed under the MIT license. +*/ +package rc2 + +import ( + "crypto/cipher" + "encoding/binary" + "math/bits" +) + +// The rc2 block size in bytes +const BlockSize = 8 + +type rc2Cipher struct { + k [64]uint16 +} + +// New returns a new rc2 cipher with the given key and effective key length t1 +func New(key []byte, t1 int) (cipher.Block, error) { + // TODO(dgryski): error checking for key length + return &rc2Cipher{ + k: expandKey(key, t1), + }, nil +} + +func (*rc2Cipher) BlockSize() int { return BlockSize } + +var piTable = [256]byte{ + 0xd9, 0x78, 0xf9, 0xc4, 0x19, 0xdd, 0xb5, 0xed, 0x28, 0xe9, 0xfd, 0x79, 0x4a, 0xa0, 0xd8, 0x9d, + 0xc6, 0x7e, 0x37, 0x83, 0x2b, 0x76, 0x53, 0x8e, 0x62, 0x4c, 0x64, 0x88, 0x44, 0x8b, 0xfb, 0xa2, + 0x17, 0x9a, 0x59, 0xf5, 0x87, 0xb3, 0x4f, 0x13, 0x61, 0x45, 0x6d, 0x8d, 0x09, 0x81, 0x7d, 0x32, + 0xbd, 0x8f, 0x40, 0xeb, 0x86, 0xb7, 0x7b, 0x0b, 0xf0, 0x95, 0x21, 0x22, 0x5c, 0x6b, 0x4e, 0x82, + 0x54, 0xd6, 0x65, 0x93, 0xce, 0x60, 0xb2, 0x1c, 0x73, 0x56, 0xc0, 0x14, 0xa7, 0x8c, 0xf1, 0xdc, + 0x12, 0x75, 0xca, 0x1f, 0x3b, 0xbe, 0xe4, 0xd1, 0x42, 0x3d, 0xd4, 0x30, 0xa3, 0x3c, 0xb6, 0x26, + 0x6f, 0xbf, 0x0e, 0xda, 0x46, 0x69, 0x07, 0x57, 0x27, 0xf2, 0x1d, 0x9b, 0xbc, 0x94, 0x43, 0x03, + 0xf8, 0x11, 0xc7, 0xf6, 0x90, 0xef, 0x3e, 0xe7, 0x06, 0xc3, 0xd5, 0x2f, 0xc8, 0x66, 0x1e, 0xd7, + 0x08, 0xe8, 0xea, 0xde, 0x80, 0x52, 0xee, 0xf7, 0x84, 0xaa, 0x72, 0xac, 0x35, 0x4d, 0x6a, 0x2a, + 0x96, 0x1a, 0xd2, 0x71, 0x5a, 0x15, 0x49, 0x74, 0x4b, 0x9f, 0xd0, 0x5e, 0x04, 0x18, 0xa4, 0xec, + 0xc2, 0xe0, 0x41, 0x6e, 0x0f, 0x51, 
0xcb, 0xcc, 0x24, 0x91, 0xaf, 0x50, 0xa1, 0xf4, 0x70, 0x39, + 0x99, 0x7c, 0x3a, 0x85, 0x23, 0xb8, 0xb4, 0x7a, 0xfc, 0x02, 0x36, 0x5b, 0x25, 0x55, 0x97, 0x31, + 0x2d, 0x5d, 0xfa, 0x98, 0xe3, 0x8a, 0x92, 0xae, 0x05, 0xdf, 0x29, 0x10, 0x67, 0x6c, 0xba, 0xc9, + 0xd3, 0x00, 0xe6, 0xcf, 0xe1, 0x9e, 0xa8, 0x2c, 0x63, 0x16, 0x01, 0x3f, 0x58, 0xe2, 0x89, 0xa9, + 0x0d, 0x38, 0x34, 0x1b, 0xab, 0x33, 0xff, 0xb0, 0xbb, 0x48, 0x0c, 0x5f, 0xb9, 0xb1, 0xcd, 0x2e, + 0xc5, 0xf3, 0xdb, 0x47, 0xe5, 0xa5, 0x9c, 0x77, 0x0a, 0xa6, 0x20, 0x68, 0xfe, 0x7f, 0xc1, 0xad, +} + +func expandKey(key []byte, t1 int) [64]uint16 { + + l := make([]byte, 128) + copy(l, key) + + var t = len(key) + var t8 = (t1 + 7) / 8 + var tm = byte(255 % uint(1<<(8+uint(t1)-8*uint(t8)))) + + for i := len(key); i < 128; i++ { + l[i] = piTable[l[i-1]+l[uint8(i-t)]] + } + + l[128-t8] = piTable[l[128-t8]&tm] + + for i := 127 - t8; i >= 0; i-- { + l[i] = piTable[l[i+1]^l[i+t8]] + } + + var k [64]uint16 + + for i := range k { + k[i] = uint16(l[2*i]) + uint16(l[2*i+1])*256 + } + + return k +} + +func (c *rc2Cipher) Encrypt(dst, src []byte) { + + r0 := binary.LittleEndian.Uint16(src[0:]) + r1 := binary.LittleEndian.Uint16(src[2:]) + r2 := binary.LittleEndian.Uint16(src[4:]) + r3 := binary.LittleEndian.Uint16(src[6:]) + + var j int + + for j <= 16 { + // mix r0 + r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1) + r0 = bits.RotateLeft16(r0, 1) + j++ + + // mix r1 + r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2) + r1 = bits.RotateLeft16(r1, 2) + j++ + + // mix r2 + r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3) + r2 = bits.RotateLeft16(r2, 3) + j++ + + // mix r3 + r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0) + r3 = bits.RotateLeft16(r3, 5) + j++ + + } + + r0 = r0 + c.k[r3&63] + r1 = r1 + c.k[r0&63] + r2 = r2 + c.k[r1&63] + r3 = r3 + c.k[r2&63] + + for j <= 40 { + // mix r0 + r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1) + r0 = bits.RotateLeft16(r0, 1) + j++ + + // mix r1 + r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2) + r1 = 
bits.RotateLeft16(r1, 2) + j++ + + // mix r2 + r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3) + r2 = bits.RotateLeft16(r2, 3) + j++ + + // mix r3 + r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0) + r3 = bits.RotateLeft16(r3, 5) + j++ + + } + + r0 = r0 + c.k[r3&63] + r1 = r1 + c.k[r0&63] + r2 = r2 + c.k[r1&63] + r3 = r3 + c.k[r2&63] + + for j <= 60 { + // mix r0 + r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1) + r0 = bits.RotateLeft16(r0, 1) + j++ + + // mix r1 + r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2) + r1 = bits.RotateLeft16(r1, 2) + j++ + + // mix r2 + r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3) + r2 = bits.RotateLeft16(r2, 3) + j++ + + // mix r3 + r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0) + r3 = bits.RotateLeft16(r3, 5) + j++ + } + + binary.LittleEndian.PutUint16(dst[0:], r0) + binary.LittleEndian.PutUint16(dst[2:], r1) + binary.LittleEndian.PutUint16(dst[4:], r2) + binary.LittleEndian.PutUint16(dst[6:], r3) +} + +func (c *rc2Cipher) Decrypt(dst, src []byte) { + + r0 := binary.LittleEndian.Uint16(src[0:]) + r1 := binary.LittleEndian.Uint16(src[2:]) + r2 := binary.LittleEndian.Uint16(src[4:]) + r3 := binary.LittleEndian.Uint16(src[6:]) + + j := 63 + + for j >= 44 { + // unmix r3 + r3 = bits.RotateLeft16(r3, 16-5) + r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0) + j-- + + // unmix r2 + r2 = bits.RotateLeft16(r2, 16-3) + r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3) + j-- + + // unmix r1 + r1 = bits.RotateLeft16(r1, 16-2) + r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2) + j-- + + // unmix r0 + r0 = bits.RotateLeft16(r0, 16-1) + r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1) + j-- + } + + r3 = r3 - c.k[r2&63] + r2 = r2 - c.k[r1&63] + r1 = r1 - c.k[r0&63] + r0 = r0 - c.k[r3&63] + + for j >= 20 { + // unmix r3 + r3 = bits.RotateLeft16(r3, 16-5) + r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0) + j-- + + // unmix r2 + r2 = bits.RotateLeft16(r2, 16-3) + r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3) + j-- + + // unmix r1 + r1 = bits.RotateLeft16(r1, 16-2) + r1 = r1 - c.k[j] - (r0 & r3) - 
((^r0) & r2) + j-- + + // unmix r0 + r0 = bits.RotateLeft16(r0, 16-1) + r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1) + j-- + + } + + r3 = r3 - c.k[r2&63] + r2 = r2 - c.k[r1&63] + r1 = r1 - c.k[r0&63] + r0 = r0 - c.k[r3&63] + + for j >= 0 { + // unmix r3 + r3 = bits.RotateLeft16(r3, 16-5) + r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0) + j-- + + // unmix r2 + r2 = bits.RotateLeft16(r2, 16-3) + r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3) + j-- + + // unmix r1 + r1 = bits.RotateLeft16(r1, 16-2) + r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2) + j-- + + // unmix r0 + r0 = bits.RotateLeft16(r0, 16-1) + r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1) + j-- + + } + + binary.LittleEndian.PutUint16(dst[0:], r0) + binary.LittleEndian.PutUint16(dst[2:], r1) + binary.LittleEndian.PutUint16(dst[4:], r2) + binary.LittleEndian.PutUint16(dst[6:], r3) +} diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 0b1f238ffaa2..35f7b7b9864a 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -986,6 +986,7 @@ Symmetric ciphers * IDEA (ECB) from the `NESSIE IDEA vectors`_ created by `NESSIE`_. * IDEA (CBC, CFB, OFB) generated by this project. See: :doc:`/development/custom-vectors/idea` +* RC2-128-CBC generated by this project. See: :doc:`/development/custom-vectors/rc2` * SEED (ECB) from :rfc:`4269`. * SEED (CBC) from :rfc:`4196`. * SEED (CFB, OFB) generated by this project. @@ -1029,6 +1030,7 @@ Created Vectors custom-vectors/idea custom-vectors/seed custom-vectors/hkdf + custom-vectors/rc2 If official test vectors appear in the future the custom generated vectors diff --git a/vectors/cryptography_vectors/ciphers/RC2/rc2-cbc.txt b/vectors/cryptography_vectors/ciphers/RC2/rc2-cbc.txt new file mode 100644 index 000000000000..4bff7c3518b5 --- /dev/null +++ b/vectors/cryptography_vectors/ciphers/RC2/rc2-cbc.txt 
@@ -0,0 +1,8 @@ +# RC2 128-bit CBC vector built for https://github.com/pyca/cryptography +# Verified against OpenSSL and Go crypto + +COUNT = 0 +Key = 30303030303030303030303030303030 +IV = 3030303030303030 +Plaintext = 74686520717569636b2062726f776e20666f78206a756d706564206f76657220746865206c617a7920646f6721212121 +Ciphertext = 5b886175cdbb0161badf64936b8ee4cb8f4b75fc28833f61668bb2bea88cfd32c410ac7ec016c5028f75078a88968887 From 8f9d79ddcf2b52b3553423d3f1473d27a05b9b26 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 16 Feb 2024 22:20:33 -0500 Subject: [PATCH 0120/1462] Install '.' in nox in a way that's uv friendly (#10405) --- noxfile.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/noxfile.py b/noxfile.py index 999654427eca..50f7f488f409 100644 --- a/noxfile.py +++ b/noxfile.py @@ -288,7 +288,7 @@ def local(session): "noxfile.py", ) - install(session, ".") + install(session, "cryptography @ .") if session.posargs: tests = session.posargs From 6643f54ac9620d94330d4a31ffc58763168c3e29 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 16 Feb 2024 22:21:06 -0500 Subject: [PATCH 0121/1462] Don't install cryptography_vectors 2x in local nox (#10406) Now that it's a part of the test extras, we were installing it twice, once from PyPI and once from local. Don't do that. --- noxfile.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/noxfile.py b/noxfile.py index 50f7f488f409..4aab73149c18 100644 --- a/noxfile.py +++ b/noxfile.py 
@@ -250,11 +250,15 @@ def rust(session: nox.Session) -> None: @nox.session def local(session): pyproject_data = load_pyproject_toml() + test_dependencies = pyproject_data["project"]["optional-dependencies"][ + "test" + ] + test_dependencies.remove("cryptography_vectors") install( session, *pyproject_data["build-system"]["requires"], *pyproject_data["project"]["optional-dependencies"]["pep8test"], - *pyproject_data["project"]["optional-dependencies"]["test"], + *test_dependencies, *pyproject_data["project"]["optional-dependencies"]["ssh"], *pyproject_data["project"]["optional-dependencies"]["nox"], "flit", From 429d34906ce39c082413c10c23386e0b1f520230 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 16 Feb 2024 19:40:43 -0800 Subject: [PATCH 0122/1462] support RC2-CBC (#10407) This PR supports a bad old algorithm to support a scapy use case, but does not expose support for effective key bits or any key length other than 128-bit. CBC support only -- no other modes. --- .../hazmat/backends/openssl/backend.py | 9 +---- .../hazmat/decrepit/ciphers/algorithms.py | 15 ++++++++ tests/hazmat/primitives/decrepit/test_rc2.py | 37 +++++++++++++++++++ tests/hazmat/primitives/test_pkcs12.py | 7 +++- 4 files changed, 59 insertions(+), 9 deletions(-) create mode 100644 tests/hazmat/primitives/decrepit/test_rc2.py diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index d20945d6a6de..5dea4dcda82c 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -18,6 +18,7 @@ ARC4, CAST5, IDEA, + RC2, SEED, Blowfish, TripleDES, @@ -68,11 +69,6 @@ _MemoryBIO = collections.namedtuple("_MemoryBIO", ["bio", "char_ptr"]) -# Not actually supported, just used as a marker for some serialization tests. -class _RC2: - pass - - class Backend: """ OpenSSL API binding interfaces. 
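Review bot: `test_dependencies.remove("cryptography_vectors")` in `local` depends on an exact string match against the `test` extra, so it raises `ValueError` as soon as that entry gains a version specifier or is spelled `cryptography-vectors`. If failing loudly is the intent, record it in a comment such as `# vectors come from the local checkout, not PyPI; remove() raising means pyproject.toml changed`. Otherwise filter by prefix with `test_dependencies = [d for d in test_dependencies if not d.startswith("cryptography_vectors")]`. Either way the hunk should say why the PyPI copy must not be installed, which only the commit message explains today. `local` continues outside the hunk.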
@@ -291,9 +287,8 @@ def _register_default_ciphers(self) -> None: self.register_cipher_adapter( ARC4, type(None), GetCipherByName("rc4") ) - # We don't actually support RC2, this is just used by some tests. self.register_cipher_adapter( - _RC2, type(None), GetCipherByName("rc2") + RC2, CBC, GetCipherByName("{cipher.name}-{mode.name}") ) def create_symmetric_encryption_ctx( diff --git a/src/cryptography/hazmat/decrepit/ciphers/algorithms.py b/src/cryptography/hazmat/decrepit/ciphers/algorithms.py index 68cd533c9c97..a7d4aa3c5d87 100644 --- a/src/cryptography/hazmat/decrepit/ciphers/algorithms.py +++ b/src/cryptography/hazmat/decrepit/ciphers/algorithms.py @@ -90,3 +90,18 @@ def __init__(self, key: bytes): @property def key_size(self) -> int: return len(self.key) * 8 + + +# This class only allows RC2 with a 128-bit key. No support for +# effective key bits or other key sizes is provided. +class RC2(BlockCipherAlgorithm): + name = "RC2" + block_size = 64 + key_sizes = frozenset([128]) + + def __init__(self, key: bytes): + self.key = _verify_key_size(self, key) + + @property + def key_size(self) -> int: + return len(self.key) * 8 diff --git a/tests/hazmat/primitives/decrepit/test_rc2.py b/tests/hazmat/primitives/decrepit/test_rc2.py new file mode 100644 index 000000000000..ecd4ce2accc2 --- /dev/null +++ b/tests/hazmat/primitives/decrepit/test_rc2.py 
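Review bot: The comment above the new `RC2` class in `algorithms.py` says effective key bits are not supported, but nothing in this hunk or in the `register_cipher_adapter(RC2, CBC, ...)` hunk sets or asserts them, so the effective strength is whatever the backend defaults to for the named cipher (presumably the key length, to be confirmed). Extending the comment would make that dependency explicit, e.g. `# Effective key bits are left at the backend default, expected to equal the 128-bit key length; rc2-cbc.txt pins this.` The class also has no docstring, unlike what a reader of a `decrepit` module would want when deciding whether the algorithm is acceptable for new data.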
@@ -0,0 +1,37 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +""" +Test using the NIST Test Vectors +""" + + +import binascii +import os + +import pytest + +from cryptography.hazmat.decrepit.ciphers.algorithms import RC2 +from cryptography.hazmat.primitives.ciphers import modes + +from ....utils import load_nist_vectors +from ..utils import generate_encrypt_test + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + RC2(b"\x00" * 16), modes.CBC(b"\x00" * 8) + ), + skip_message="Does not support RC2 CBC", +) +class TestRC2ModeCBC: + test_kat = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "RC2"), + [ + "rc2-cbc.txt", + ], + lambda key, **kwargs: RC2(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), + ) diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index cd9c279ac4b0..f49c98a4ed3d 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -10,7 +10,7 @@ from cryptography import x509 from cryptography.exceptions import UnsupportedAlgorithm -from cryptography.hazmat.backends.openssl.backend import _RC2 +from cryptography.hazmat.decrepit.ciphers.algorithms import RC2 from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ( dsa, @@ -19,6 +19,7 @@ ed25519, rsa, ) +from cryptography.hazmat.primitives.ciphers.modes import CBC from cryptography.hazmat.primitives.serialization import ( Encoding, PublicFormat, 
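Review bot: The module docstring of the new `tests/hazmat/primitives/decrepit/test_rc2.py` says `Test using the NIST Test Vectors`, but the only file it loads, `rc2-cbc.txt`, is described in its own header as built for this project and verified against OpenSSL and Go. Something like `"""Test RC2-CBC against the project-generated vector (see docs/development/custom-vectors/rc2.rst)."""` keeps the provenance of the vector accurate. `load_nist_vectors` appears to be used here only as the parser for the file format, so the call itself is fine.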
@@ -81,7 +82,9 @@ def test_load_pkcs12_ec_keys(self, filename, password, backend): ], ) @pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported(_RC2(), None), + only_if=lambda backend: backend.cipher_supported( + RC2(b"0" * 16), CBC(b"0" * 8) + ), skip_message="Does not support RC2", ) def test_load_pkcs12_ec_keys_rc2(self, filename, password, backend): From 8992995c1bf60c2ee334a856075109858c36ce62 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Feb 2024 10:40:53 -0500 Subject: [PATCH 0123/1462] Fix rust warnings when building with BoringSSL (#10408) --- noxfile.py | 2 +- src/rust/cryptography-openssl/src/aead.rs | 6 ++++++ src/rust/cryptography-openssl/src/hmac.rs | 3 +++ src/rust/src/backend/aead.rs | 8 ++++++-- src/rust/src/backend/keys.rs | 2 ++ src/rust/src/lib.rs | 2 ++ src/rust/src/pkcs7.rs | 12 ++++++++---- src/rust/src/types.rs | 4 ++++ 8 files changed, 32 insertions(+), 7 deletions(-) diff --git a/noxfile.py b/noxfile.py index 4aab73149c18..ea4f205e1764 100644 --- a/noxfile.py +++ b/noxfile.py @@ -292,7 +292,7 @@ def local(session): "noxfile.py", ) - install(session, "cryptography @ .") + install(session, ".") if session.posargs: tests = session.posargs diff --git a/src/rust/cryptography-openssl/src/aead.rs b/src/rust/cryptography-openssl/src/aead.rs index 000d5a9c65f9..42f0fd7f8041 100644 --- a/src/rust/cryptography-openssl/src/aead.rs +++ b/src/rust/cryptography-openssl/src/aead.rs 
@@ -17,15 +17,19 @@ foreign_types::foreign_type! { pub struct AeadCtxRef; } +// SAFETY: Can safely be used from multiple threads concurrently. unsafe impl Sync for AeadCtx {} +// SAFETY: Can safely be sent between threads. unsafe impl Send for AeadCtx {} impl AeadCtx { pub fn new(aead: AeadType, key: &[u8]) -> OpenSSLResult { let aead = match aead { + // SAFETY: No preconditions. AeadType::ChaCha20Poly1305 => unsafe { ffi::EVP_aead_chacha20_poly1305() }, }; + // SAFETY: We're passing a valid key and aead. unsafe { let ctx = cvt_p(ffi::EVP_AEAD_CTX_new( aead, @@ -47,6 +51,7 @@ impl AeadCtxRef { out: &mut [u8], ) -> OpenSSLResult<()> { let mut out_len = out.len(); + // SAFETY: All the lengths and pointers are known valid. unsafe { cvt(ffi::EVP_AEAD_CTX_seal( self.as_ptr(), @@ -72,6 +77,7 @@ impl AeadCtxRef { out: &mut [u8], ) -> OpenSSLResult<()> { let mut out_len = out.len(); + // SAFETY: All the lengths and pointers are known valid. unsafe { cvt(ffi::EVP_AEAD_CTX_open( self.as_ptr(), diff --git a/src/rust/cryptography-openssl/src/hmac.rs b/src/rust/cryptography-openssl/src/hmac.rs index 84b3a1e3b9b5..64abf83d40ae 100644 --- a/src/rust/cryptography-openssl/src/hmac.rs +++ b/src/rust/cryptography-openssl/src/hmac.rs @@ -22,6 +22,9 @@ unsafe impl Sync for Hmac {} unsafe impl Send for Hmac {} impl Hmac { + // On BoringSSL, the length is a size_t, so the length conversion is a + // no-op. + #[cfg_attr(CRYPTOGRAPHY_IS_BORINGSSL, allow(clippy::useless_conversion))] pub fn new(key: &[u8], md: openssl::hash::MessageDigest) -> OpenSSLResult { // SAFETY: All FFI conditions are handled. unsafe { diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 7afd7a172e94..2438ae644cb6 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -276,6 +276,7 @@ struct LazyEvpCipherAead { } impl LazyEvpCipherAead { + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] fn new( cipher: &'static openssl::cipher::CipherRef, key: pyo3::Py, 
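Review bot: The new comments on `unsafe impl Sync for AeadCtx {}` and `unsafe impl Send for AeadCtx {}` restate the conclusion instead of the invariant that makes it hold. A `// SAFETY:` comment should say why, for example `// SAFETY: the context is not mutated after EVP_AEAD_CTX_new; seal/open only read it` (to be confirmed against the BoringSSL documentation). The same applies to `// SAFETY: All the lengths and pointers are known valid.` in the `@@ -47,6 +51,7 @@` and `@@ -72,6 +77,7 @@` hunks, where naming the bound that matters, presumably that the maximum output length passed is `out.len()`, would make the claim checkable. Both function bodies continue outside their hunks, so the argument lists are only partly visible here.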
@@ -706,12 +707,15 @@ impl AesCcm { ) -> CryptographyResult { cfg_if::cfg_if! { if #[cfg(CRYPTOGRAPHY_IS_BORINGSSL)] { - return Err(CryptographyError::from( + let _ = py; + let _ = key; + let _ = tag_length; + Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "AES-CCM is not supported by this version of OpenSSL", exceptions::Reasons::UNSUPPORTED_CIPHER, )), - )); + )) } else { let key_buf = key.extract::>(py)?; let cipher = match key_buf.as_bytes().len() { diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index f4faecdb5c9e..6af0b923aebc 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -243,9 +243,11 @@ pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelu #[cfg(test)] mod tests { + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use super::public_key_from_pkey; #[test] + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] fn test_public_key_from_pkey_unknown_key() { pyo3::prepare_freethreaded_python(); diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index a21f3986dd18..56093af012fb 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -4,9 +4,11 @@ #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use crate::error::CryptographyResult; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use openssl::provider; +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use std::env; mod asn1; diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index f307cf483ad7..28edd016b863 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -345,12 +345,14 @@ fn load_pem_pkcs7_certificates<'p>( })?; load_pkcs7_certificates(py, pkcs7_decoded) } else { - return Err(CryptographyError::from( + let _ = py; + let _ = data; + Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "PKCS#7 is not supported by this backend.", exceptions::Reasons::UNSUPPORTED_SERIALIZATION, )), - )); + )) } } } 
@@ -369,12 +371,14 @@ fn load_der_pkcs7_certificates<'p>( })?; load_pkcs7_certificates(py, pkcs7_decoded) } else { - return Err(CryptographyError::from( + let _ = py; + let _ = data; + Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "PKCS#7 is not supported by this backend.", exceptions::Reasons::UNSUPPORTED_SERIALIZATION, )), - )); + )) } } } diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index ddd5d8f452ff..10272e14aa8f 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -473,6 +473,7 @@ pub static AES256: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["AES256"], ); +#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] pub static SM4: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["SM4"], @@ -480,14 +481,17 @@ pub static SM4: LazyPyImport = LazyPyImport::new( #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] pub static SEED: LazyPyImport = LazyPyImport::new("cryptography.hazmat.decrepit.ciphers.algorithms", &["SEED"]); +#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] pub static CAMELLIA: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["Camellia"], ); +#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] pub static BLOWFISH: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.decrepit.ciphers.algorithms", &["Blowfish"], ); +#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAST"))] pub static CAST5: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.decrepit.ciphers.algorithms", &["CAST5"], From ffaab66c18fb0cdd742d9b125d713c950c96361c Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Sat, 17 Feb 2024 11:28:59 -0500 Subject: [PATCH 0124/1462] Run rust tests and clippy with BoringSSL and LibreSSL (#10409) * Run rust tests and clippy with BoringSSL and LibreSSL * Don't bother building a shared libressl * Update ci.yml * improve libressl build --- .github/workflows/build_openssl.sh | 4 ++-- .github/workflows/ci.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build_openssl.sh b/.github/workflows/build_openssl.sh index 013fcf42698a..b646a325a98a 100755 --- a/.github/workflows/build_openssl.sh +++ b/.github/workflows/build_openssl.sh @@ -60,9 +60,9 @@ elif [[ "${TYPE}" == "libressl" ]]; then curl -O "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${VERSION}.tar.gz" tar zxf "libressl-${VERSION}.tar.gz" pushd "libressl-${VERSION}" - ./config -Wl -Wl,-Bsymbolic-functions -fPIC shared --prefix="${OSSL_PATH}" + ./configure --disable-shared --prefix="${OSSL_PATH}" shlib_sed - make -j"$(nproc)" install + make -j"$(nproc)" install CFLAGS="-fPIC" # delete binaries, libtls, and docs we don't need. can't skip install/compile sadly rm -rf "${OSSL_PATH}/bin" rm -rf "${OSSL_PATH}/share" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 08a13a83b4ce..a1fd2a5387dc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
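Review bot: The rewritten `./configure --disable-shared ...` and `make ... install` lines in the libressl branch build whatever `curl -O` fetched two lines earlier, and nothing in the hunk checks the archive against a known digest or signature before it is compiled and linked into the CI build. Pinning a digest next to the version and verifying it before `tar zxf`, e.g. `echo "${LIBRESSL_SHA256}  libressl-${VERSION}.tar.gz" | sha256sum -c -`, closes that gap; `LIBRESSL_SHA256` is a placeholder name that the workflow matrix would have to supply. Adding `-f` to `curl` would also make an HTTP error fail at the download step rather than at `tar`. The `elif` branch continues outside the hunk.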
@@ -40,10 +40,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 15, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ba5eb621d7d9bf2872386b4303fd5e9aa64f7230"}} + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ba5eb621d7d9bf2872386b4303fd5e9aa64f7230"}} # Latest commit on the OpenSSL master branch, as of Feb 15, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d597b46f9bdb533761e36fcf1d96ce83f3f6f04d"}} # Builds with various Rust versions. Includes MSRV and next @@ -102,7 +102,7 @@ jobs: # When altering the openssl build process you may need to increment # the value on the end of this cache key so that you can prevent it # from fetching the cache and skipping the build step. - key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.OPENSSL_HASH }}-9 + key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.OPENSSL_HASH }}-11 if: matrix.PYTHON.OPENSSL - name: Build custom OpenSSL/LibreSSL run: .github/workflows/build_openssl.sh From 33e74ad45a2f377beb272b297da108eefc2ec9cd Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 17 Feb 2024 08:49:48 -0800 Subject: [PATCH 0125/1462] Bump BoringSSL and/or OpenSSL in CI (#10404) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- src/rust/cryptography-openssl/build.rs | 1 + 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a1fd2a5387dc..6aa6062bff3e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 15, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ba5eb621d7d9bf2872386b4303fd5e9aa64f7230"}} - # Latest commit on the OpenSSL master branch, as of Feb 15, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d597b46f9bdb533761e36fcf1d96ce83f3f6f04d"}} + # Latest commit on the BoringSSL master branch, as of Feb 17, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "99e8c6e2a383a25679c3d6767702732b27bc16ea"}} + # Latest commit on the OpenSSL master branch, as of Feb 17, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c3e8d67885c0c4295cfd1df35a41bf1f3fa9dc37"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance diff --git a/src/rust/cryptography-openssl/build.rs b/src/rust/cryptography-openssl/build.rs index a0b4566a753c..5e626f7de614 100644 --- a/src/rust/cryptography-openssl/build.rs +++ b/src/rust/cryptography-openssl/build.rs 
@@ -20,5 +20,6 @@ fn main() { if env::var("DEP_OPENSSL_BORINGSSL").is_ok() { println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_BORINGSSL"); + println!("cargo:rustc-link-lib=stdc++"); } } From d8cadccf06874b12e7b81a30651ea255c5a5021a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 18 Feb 2024 15:04:34 +0000 Subject: [PATCH 0126/1462] Bump ruff from 0.2.1 to 0.2.2 (#10411) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.2.1 to 0.2.2. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.2.1...v0.2.2) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c60b11bbfab6..27a5a9ffa3da 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==42.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.2.1 +ruff==0.2.2 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 291f6b80cf4f25691515186b4fc9ffeb91eee700 Mon Sep 17 00:00:00 2001 
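Review bot: In src/rust/cryptography-openssl/build.rs the added `println!("cargo:rustc-link-lib=stdc++");` hardcodes the GNU C++ runtime name and has no comment saying why a C++ runtime is needed. On targets whose toolchain ships libc++ instead (macOS, for example) that name would not resolve, so if BoringSSL builds are expected outside Linux the library should be chosen per target, for instance from `CARGO_CFG_TARGET_OS`. A comment such as `// BoringSSL contains C++ code, so its C++ runtime has to be linked explicitly` would also explain why a build-script change rides along with a bot-authored pin bump; that reason is inferred from the commit title, not shown in the hunk. The body of `main` starts outside the hunk.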
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 18 Feb 2024 15:04:49 +0000 Subject: [PATCH 0127/1462] Bump dawidd6/action-download-artifact from 3.1.0 to 3.1.1 (#10410) Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](https://github.com/dawidd6/action-download-artifact/compare/f6b0bace624032e30a85a8fd9c1a7f8f611f5737...72aaadce3bc708349fc665eee3785cbb1b6e51d0) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6aa6062bff3e..0cb9bf9d91fe 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -256,7 +256,7 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/fetch-vectors - - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 + - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -316,7 +316,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'" - - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 + - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 with: repo: pyca/infra workflow: build-windows-openssl.yml 
diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 620697af42f2..40ba5997c319 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -44,7 +44,7 @@ jobs: - name: Install Python dependencies run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} - - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 + - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 with: path: dist/ run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 416db67e8c06..3223f7982f86 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -232,7 +232,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') - - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 + - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -329,7 +329,7 @@ jobs: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 + - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 with: repo: pyca/infra workflow: build-windows-openssl.yml From 33d3bde5a4751f72f41834850907aa75b8523c29 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 18 Feb 2024 15:05:01 +0000 Subject: [PATCH 0128/1462] Bump urllib3 from 2.2.0 to 2.2.1 (#10412) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.2.0 to 2.2.1. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.2.0...2.2.1) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 27a5a9ffa3da..460c621257e8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -148,7 +148,7 @@ tomli==2.0.1 # pytest typing-extensions==4.9.0; python_version >= "3.8" # via mypy -urllib3==2.2.0 +urllib3==2.2.1 # via requests virtualenv==20.25.0 # via nox From b89e32c7ec3826bd79d52f54b63e1b5a424b2963 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 18 Feb 2024 15:05:12 +0000 Subject: [PATCH 0129/1462] Bump urllib3 from 2.2.0 to 2.2.1 in /.github/requirements (#10413) * Bump urllib3 from 2.2.0 to 2.2.1 in /.github/requirements Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.2.0 to 2.2.1. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.2.0...2.2.1) --- updated-dependencies: - dependency-name: urllib3 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index d01b3a50121c..65dfc67bce00 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -590,9 +590,9 @@ typing-extensions==4.9.0 \ # via # pydantic # pydantic-core -urllib3==2.2.0 \ - --hash=sha256:051d961ad0c62a94e50ecf1af379c3aba230c66c710493493560c0c223c49f20 \ - --hash=sha256:ce3711610ddce217e6d113a2732fafad960a03fd0318c91faa79481e35c11224 +urllib3==2.2.1 \ + --hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \ + --hash=sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19 # via # requests # twine From ce7ae1a575d7de0407d4135589053fcee3295cde Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 18 Feb 2024 11:14:14 -0500 Subject: [PATCH 0130/1462] Added more logging to pypi-publish.yml (#10416) --- .github/workflows/pypi-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 40ba5997c319..bd31dbaeaaf3 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -31,6 +31,9 @@ jobs: permissions: id-token: "write" steps: + - run: echo "$EVENT_CONTEXT" + env: + EVENT_CONTEXT: ${{ toJson(github.event) }} - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: "3.11" From 88cb4dab956fea40494a1799107d333b8ac6d078 Mon Sep 17 00:00:00 2001 
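Review bot: The new first step in pypi-publish.yml prints the whole `github.event` payload into the log of a job that holds `id-token: "write"`, and nothing in the hunk says which fields are needed. Passing the value through `env:` and echoing `"$EVENT_CONTEXT"` is the safe form, because the payload is never interpolated into the shell script. A comment such as `# Passed via env on purpose: never inline ${{ ... }} into run:` would keep a later edit from turning this into a script-injection point. If the aim is to see which run is being published, logging only `github.event.inputs.run_id` and `github.event.workflow_run.id` (both already used further down in this workflow) would keep event text authored by others out of the release log.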
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 18 Feb 2024 08:15:18 -0800 Subject: [PATCH 0131/1462] Bump dnspython from 2.5.0 to 2.6.0 in /.github/requirements (#10414) * Bump dnspython from 2.5.0 to 2.6.0 in /.github/requirements Bumps [dnspython](https://github.com/rthalley/dnspython) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/rthalley/dnspython/releases) - [Changelog](https://github.com/rthalley/dnspython/blob/main/doc/whatsnew.rst) - [Commits](https://github.com/rthalley/dnspython/compare/v2.5.0...v2.6.0) --- updated-dependencies: - dependency-name: dnspython dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 65dfc67bce00..7d96e71a86ae 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -203,9 +203,9 @@ cryptography==42.0.3 \ # pyopenssl # secretstorage # sigstore -dnspython==2.5.0 \ - --hash=sha256:6facdf76b73c742ccf2d07add296f178e629da60be23ce4b0a9c927b1e02c3a6 \ - --hash=sha256:a0034815a59ba9ae888946be7ccca8f7c157b286f8455b379c692efb51022a15 +dnspython==2.6.0 \ + --hash=sha256:233f871ff384d84c33b2eaf4358ffe7f8927eae3b257ad8467f9bdba7e7ac6bc \ + --hash=sha256:44c40af3bffed66e3307cea9ab667fd583e138ecc0777b18f262a9dae034e5fa # via email-validator docutils==0.20.1 \ --hash=sha256:96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6 \ From 50ea0faab70d2830e7d89756731fecf9ca64528e Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Sun, 18 Feb 2024 17:23:21 -0500 Subject: [PATCH 0132/1462] Convert symmetric ciphers to Rust (#9859) --- .../hazmat/backends/openssl/backend.py | 164 +---- .../hazmat/backends/openssl/ciphers.py | 282 --------- .../bindings/_rust/openssl/__init__.pyi | 2 + .../hazmat/bindings/_rust/openssl/ciphers.pyi | 38 ++ .../hazmat/bindings/openssl/binding.py | 8 +- .../hazmat/primitives/ciphers/base.py | 143 +---- src/rust/src/backend/cipher_registry.rs | 184 +++++- src/rust/src/backend/ciphers.rs | 567 ++++++++++++++++++ src/rust/src/backend/mod.rs | 2 + src/rust/src/buf.rs | 59 +- src/rust/src/exceptions.rs | 2 + src/rust/src/types.rs | 45 ++ src/rust/src/x509/common.rs | 2 +- tests/hazmat/backends/test_openssl.py | 31 - tests/hazmat/primitives/test_aes_gcm.py | 53 +- 15 files changed, 899 insertions(+), 683 deletions(-) delete mode 100644 src/cryptography/hazmat/backends/openssl/ciphers.py create mode 100644 src/cryptography/hazmat/bindings/_rust/openssl/ciphers.pyi create mode 100644 src/rust/src/backend/ciphers.rs diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 5dea4dcda82c..54c4b11401da 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py 
@@ -6,23 +6,12 @@ import collections import contextlib -import itertools import typing from cryptography import utils, x509 from cryptography.exceptions import UnsupportedAlgorithm -from cryptography.hazmat.backends.openssl.ciphers import _CipherContext from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.bindings.openssl import binding -from cryptography.hazmat.decrepit.ciphers.algorithms import ( - ARC4, - CAST5, - IDEA, - RC2, - SEED, - Blowfish, - TripleDES, -) from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives._asymmetric import AsymmetricPadding from cryptography.hazmat.primitives.asymmetric import ec @@ -41,21 +30,9 @@ ) from cryptography.hazmat.primitives.ciphers.algorithms import ( AES, - AES128, - AES256, - SM4, - Camellia, - ChaCha20, ) from cryptography.hazmat.primitives.ciphers.modes import ( CBC, - CFB, - CFB8, - CTR, - ECB, - GCM, - OFB, - XTS, Mode, ) from cryptography.hazmat.primitives.serialization.pkcs12 import ( @@ -113,12 +90,6 @@ def __init__(self) -> None: self._lib = self._binding.lib self._fips_enabled = rust_openssl.is_fips_enabled() - self._cipher_registry: dict[ - tuple[type[CipherAlgorithm], type[Mode]], - typing.Callable, - ] = {} - self._register_default_ciphers() - def __repr__(self) -> str: return "".format( self.openssl_version_text(), @@ -126,12 +97,8 @@ def __repr__(self) -> str: rust_openssl._legacy_provider_loaded, ) - def openssl_assert( - self, - ok: bool, - errors: list[rust_openssl.OpenSSLError] | None = None, - ) -> None: - return binding._openssl_assert(ok, errors=errors) + def openssl_assert(self, ok: bool) -> None: + return binding._openssl_assert(ok) def _enable_fips(self) -> None: # This function enables FIPS mode for OpenSSL 3.0.0 on installs that 
@@ -204,102 +171,7 @@ def cipher_supported(self, cipher: CipherAlgorithm, mode: Mode) -> bool: if not isinstance(cipher, self._fips_ciphers): return False - try: - adapter = self._cipher_registry[type(cipher), type(mode)] - except KeyError: - return False - evp_cipher = adapter(self, cipher, mode) - return self._ffi.NULL != evp_cipher - - def register_cipher_adapter(self, cipher_cls, mode_cls, adapter) -> None: - if (cipher_cls, mode_cls) in self._cipher_registry: - raise ValueError( - f"Duplicate registration for: {cipher_cls} {mode_cls}." - ) - self._cipher_registry[cipher_cls, mode_cls] = adapter - - def _register_default_ciphers(self) -> None: - for cipher_cls in [AES, AES128, AES256]: - for mode_cls in [CBC, CTR, ECB, OFB, CFB, CFB8, GCM]: - self.register_cipher_adapter( - cipher_cls, - mode_cls, - GetCipherByName( - "{cipher.name}-{cipher.key_size}-{mode.name}" - ), - ) - for mode_cls in [CBC, CTR, ECB, OFB, CFB]: - self.register_cipher_adapter( - Camellia, - mode_cls, - GetCipherByName("{cipher.name}-{cipher.key_size}-{mode.name}"), - ) - for mode_cls in [CBC, CFB, CFB8, OFB]: - self.register_cipher_adapter( - TripleDES, mode_cls, GetCipherByName("des-ede3-{mode.name}") - ) - self.register_cipher_adapter( - TripleDES, ECB, GetCipherByName("des-ede3") - ) - # ChaCha20 uses the Long Name "chacha20" in OpenSSL, but in LibreSSL - # it uses "chacha" - self.register_cipher_adapter( - ChaCha20, - type(None), - GetCipherByName( - "chacha" if self._lib.CRYPTOGRAPHY_IS_LIBRESSL else "chacha20" - ), - ) - self.register_cipher_adapter(AES, XTS, _get_xts_cipher) - for mode_cls in [ECB, CBC, OFB, CFB, CTR, GCM]: - self.register_cipher_adapter( - SM4, mode_cls, GetCipherByName("sm4-{mode.name}") - ) - # Don't register legacy ciphers if they're unavailable. 
Hypothetically - # this wouldn't be necessary because we test availability by seeing if - # we get an EVP_CIPHER * in the _CipherContext __init__, but OpenSSL 3 - # will return a valid pointer even though the cipher is unavailable. - if ( - rust_openssl._legacy_provider_loaded - or not self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER - ): - for mode_cls in [CBC, CFB, OFB, ECB]: - self.register_cipher_adapter( - Blowfish, - mode_cls, - GetCipherByName("bf-{mode.name}"), - ) - for mode_cls in [CBC, CFB, OFB, ECB]: - self.register_cipher_adapter( - SEED, - mode_cls, - GetCipherByName("seed-{mode.name}"), - ) - for cipher_cls, mode_cls in itertools.product( - [CAST5, IDEA], - [CBC, OFB, CFB, ECB], - ): - self.register_cipher_adapter( - cipher_cls, - mode_cls, - GetCipherByName("{cipher.name}-{mode.name}"), - ) - self.register_cipher_adapter( - ARC4, type(None), GetCipherByName("rc4") - ) - self.register_cipher_adapter( - RC2, CBC, GetCipherByName("{cipher.name}-{mode.name}") - ) - - def create_symmetric_encryption_ctx( - self, cipher: CipherAlgorithm, mode: Mode - ) -> _CipherContext: - return _CipherContext(self, cipher, mode, _CipherContext._ENCRYPT) - - def create_symmetric_decryption_ctx( - self, cipher: CipherAlgorithm, mode: Mode - ) -> _CipherContext: - return _CipherContext(self, cipher, mode, _CipherContext._DECRYPT) + return rust_openssl.ciphers.cipher_supported(cipher, mode) def pbkdf2_hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool: return self.hmac_supported(algorithm) 
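Review bot: The deleted `_register_default_ciphers` held the only explanation of why the legacy ciphers (Blowfish, SEED, CAST5, IDEA, ARC4, RC2) are gated on `_legacy_provider_loaded`: on OpenSSL 3 a lookup returns a valid pointer even when the cipher is unavailable. `cipher_supported` now ends in `return rust_openssl.ciphers.cipher_supported(cipher, mode)` with no comment, and the Rust registry that has to preserve that gating is outside this hunk, so it cannot be confirmed from here. I would keep the reasoning next to the call, e.g. `# Legacy-provider gating lives in the Rust cipher registry; an OpenSSL 3 lookup alone does not prove support.` The hunk also drops `register_cipher_adapter`, `create_symmetric_encryption_ctx` and `create_symmetric_decryption_ctx` from `Backend`, which breaks any out-of-tree caller and deserves a changelog line if there is none. `cipher_supported` starts outside the hunk.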
@@ -834,34 +706,4 @@ def pkcs7_supported(self) -> bool: return not self._lib.CRYPTOGRAPHY_IS_BORINGSSL -class GetCipherByName: - def __init__(self, fmt: str): - self._fmt = fmt - - def __call__(self, backend: Backend, cipher: CipherAlgorithm, mode: Mode): - cipher_name = self._fmt.format(cipher=cipher, mode=mode).lower() - evp_cipher = backend._lib.EVP_get_cipherbyname( - cipher_name.encode("ascii") - ) - - # try EVP_CIPHER_fetch if present - if ( - evp_cipher == backend._ffi.NULL - and backend._lib.Cryptography_HAS_300_EVP_CIPHER - ): - evp_cipher = backend._lib.EVP_CIPHER_fetch( - backend._ffi.NULL, - cipher_name.encode("ascii"), - backend._ffi.NULL, - ) - - backend._consume_errors() - return evp_cipher - - -def _get_xts_cipher(backend: Backend, cipher: AES, mode): - cipher_name = f"aes-{cipher.key_size // 2}-xts" - return backend._lib.EVP_get_cipherbyname(cipher_name.encode("ascii")) - - backend = Backend() diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py deleted file mode 100644 index 3916b1a510ad..000000000000 --- a/src/cryptography/hazmat/backends/openssl/ciphers.py +++ /dev/null 
@@ -1,282 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -import typing - -from cryptography.exceptions import InvalidTag, UnsupportedAlgorithm, _Reasons -from cryptography.hazmat.primitives import ciphers -from cryptography.hazmat.primitives.ciphers import algorithms, modes - -if typing.TYPE_CHECKING: - from cryptography.hazmat.backends.openssl.backend import Backend - - -class _CipherContext: - _ENCRYPT = 1 - _DECRYPT = 0 - _MAX_CHUNK_SIZE = 2**29 - - def __init__(self, backend: Backend, cipher, mode, operation: int) -> None: - self._backend = backend - self._cipher = cipher - self._mode = mode - self._operation = operation - self._tag: bytes | None = None - - if isinstance(self._cipher, ciphers.BlockCipherAlgorithm): - self._block_size_bytes = self._cipher.block_size // 8 - else: - self._block_size_bytes = 1 - - ctx = self._backend._lib.EVP_CIPHER_CTX_new() - ctx = self._backend._ffi.gc( - ctx, self._backend._lib.EVP_CIPHER_CTX_free - ) - - registry = self._backend._cipher_registry - try: - adapter = registry[type(cipher), type(mode)] - except KeyError: - raise UnsupportedAlgorithm( - "cipher {} in {} mode is not supported " - "by this backend.".format( - cipher.name, mode.name if mode else mode - ), - _Reasons.UNSUPPORTED_CIPHER, - ) - - evp_cipher = adapter(self._backend, cipher, mode) - if evp_cipher == self._backend._ffi.NULL: - msg = f"cipher {cipher.name} " - if mode is not None: - msg += f"in {mode.name} mode " - msg += ( - "is not supported by this backend (Your version of OpenSSL " - "may be too old. 
Current version: {}.)" - ).format(self._backend.openssl_version_text()) - raise UnsupportedAlgorithm(msg, _Reasons.UNSUPPORTED_CIPHER) - - if isinstance(mode, modes.ModeWithInitializationVector): - iv_nonce = self._backend._ffi.from_buffer( - mode.initialization_vector - ) - elif isinstance(mode, modes.ModeWithTweak): - iv_nonce = self._backend._ffi.from_buffer(mode.tweak) - elif isinstance(mode, modes.ModeWithNonce): - iv_nonce = self._backend._ffi.from_buffer(mode.nonce) - elif isinstance(cipher, algorithms.ChaCha20): - iv_nonce = self._backend._ffi.from_buffer(cipher.nonce) - else: - iv_nonce = self._backend._ffi.NULL - # begin init with cipher and operation type - res = self._backend._lib.EVP_CipherInit_ex( - ctx, - evp_cipher, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - operation, - ) - self._backend.openssl_assert(res != 0) - # set the key length to handle variable key ciphers - res = self._backend._lib.EVP_CIPHER_CTX_set_key_length( - ctx, len(cipher.key) - ) - self._backend.openssl_assert(res != 0) - if isinstance(mode, modes.GCM): - res = self._backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, - self._backend._lib.EVP_CTRL_AEAD_SET_IVLEN, - len(iv_nonce), - self._backend._ffi.NULL, - ) - self._backend.openssl_assert(res != 0) - if mode.tag is not None: - res = self._backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, - self._backend._lib.EVP_CTRL_AEAD_SET_TAG, - len(mode.tag), - mode.tag, - ) - self._backend.openssl_assert(res != 0) - self._tag = mode.tag - - # pass key/iv - res = self._backend._lib.EVP_CipherInit_ex( - ctx, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - self._backend._ffi.from_buffer(cipher.key), - iv_nonce, - operation, - ) - - # Check for XTS mode duplicate keys error - errors = self._backend._consume_errors() - lib = self._backend._lib - if res == 0 and ( - ( - not lib.CRYPTOGRAPHY_IS_LIBRESSL - and errors[0]._lib_reason_match( - lib.ERR_LIB_EVP, lib.EVP_R_XTS_DUPLICATED_KEYS - ) - ) - or ( - 
lib.Cryptography_HAS_PROVIDERS - and errors[0]._lib_reason_match( - lib.ERR_LIB_PROV, lib.PROV_R_XTS_DUPLICATED_KEYS - ) - ) - ): - raise ValueError("In XTS mode duplicated keys are not allowed") - - self._backend.openssl_assert(res != 0, errors=errors) - - # We purposely disable padding here as it's handled higher up in the - # API. - self._backend._lib.EVP_CIPHER_CTX_set_padding(ctx, 0) - self._ctx = ctx - - def update(self, data: bytes) -> bytes: - buf = bytearray(len(data) + self._block_size_bytes - 1) - n = self.update_into(data, buf) - return bytes(buf[:n]) - - def update_into(self, data: bytes, buf: bytes) -> int: - total_data_len = len(data) - if len(buf) < (total_data_len + self._block_size_bytes - 1): - raise ValueError( - "buffer must be at least {} bytes for this payload".format( - len(data) + self._block_size_bytes - 1 - ) - ) - - data_processed = 0 - total_out = 0 - outlen = self._backend._ffi.new("int *") - baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True) - baseinbuf = self._backend._ffi.from_buffer(data) - - while data_processed != total_data_len: - outbuf = baseoutbuf + total_out - inbuf = baseinbuf + data_processed - inlen = min(self._MAX_CHUNK_SIZE, total_data_len - data_processed) - - res = self._backend._lib.EVP_CipherUpdate( - self._ctx, outbuf, outlen, inbuf, inlen - ) - if res == 0 and isinstance(self._mode, modes.XTS): - self._backend._consume_errors() - raise ValueError( - "In XTS mode you must supply at least a full block in the " - "first update call. For AES this is 16 bytes." - ) - else: - self._backend.openssl_assert(res != 0) - data_processed += inlen - total_out += outlen[0] - - return total_out - - def finalize(self) -> bytes: - if ( - self._operation == self._DECRYPT - and isinstance(self._mode, modes.ModeWithAuthenticationTag) - and self.tag is None - ): - raise ValueError( - "Authentication tag must be provided when decrypting." 
- ) - - buf = self._backend._ffi.new("unsigned char[]", self._block_size_bytes) - outlen = self._backend._ffi.new("int *") - res = self._backend._lib.EVP_CipherFinal_ex(self._ctx, buf, outlen) - if res == 0: - errors = self._backend._consume_errors() - - if not errors and isinstance(self._mode, modes.GCM): - raise InvalidTag - - lib = self._backend._lib - self._backend.openssl_assert( - errors[0]._lib_reason_match( - lib.ERR_LIB_EVP, - lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH, - ) - or ( - lib.Cryptography_HAS_PROVIDERS - and errors[0]._lib_reason_match( - lib.ERR_LIB_PROV, - lib.PROV_R_WRONG_FINAL_BLOCK_LENGTH, - ) - ) - or ( - lib.CRYPTOGRAPHY_IS_BORINGSSL - and errors[0].reason - == lib.CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH - ), - errors=errors, - ) - raise ValueError( - "The length of the provided data is not a multiple of " - "the block length." - ) - - if ( - isinstance(self._mode, modes.GCM) - and self._operation == self._ENCRYPT - ): - tag_buf = self._backend._ffi.new( - "unsigned char[]", self._block_size_bytes - ) - res = self._backend._lib.EVP_CIPHER_CTX_ctrl( - self._ctx, - self._backend._lib.EVP_CTRL_AEAD_GET_TAG, - self._block_size_bytes, - tag_buf, - ) - self._backend.openssl_assert(res != 0) - self._tag = self._backend._ffi.buffer(tag_buf)[:] - - res = self._backend._lib.EVP_CIPHER_CTX_reset(self._ctx) - self._backend.openssl_assert(res == 1) - return self._backend._ffi.buffer(buf)[: outlen[0]] - - def finalize_with_tag(self, tag: bytes) -> bytes: - tag_len = len(tag) - if tag_len < self._mode._min_tag_length: - raise ValueError( - "Authentication tag must be {} bytes or longer.".format( - self._mode._min_tag_length - ) - ) - elif tag_len > self._block_size_bytes: - raise ValueError( - "Authentication tag cannot be more than {} bytes.".format( - self._block_size_bytes - ) - ) - res = self._backend._lib.EVP_CIPHER_CTX_ctrl( - self._ctx, self._backend._lib.EVP_CTRL_AEAD_SET_TAG, len(tag), tag - ) - self._backend.openssl_assert(res != 0) - 
self._tag = tag - return self.finalize() - - def authenticate_additional_data(self, data: bytes) -> None: - outlen = self._backend._ffi.new("int *") - res = self._backend._lib.EVP_CipherUpdate( - self._ctx, - self._backend._ffi.NULL, - outlen, - self._backend._ffi.from_buffer(data), - len(data), - ) - self._backend.openssl_assert(res != 0) - - @property - def tag(self) -> bytes | None: - return self._tag diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index c4997fc12a61..d5ec2522fe1d 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -6,6 +6,7 @@ import typing from cryptography.hazmat.bindings._rust.openssl import ( aead, + ciphers, cmac, dh, dsa, @@ -27,6 +28,7 @@ __all__ = [ "openssl_version_text", "raise_openssl_error", "aead", + "ciphers", "cmac", "dh", "dsa", diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/ciphers.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/ciphers.pyi new file mode 100644 index 000000000000..759f3b591cba --- /dev/null +++ b/src/cryptography/hazmat/bindings/_rust/openssl/ciphers.pyi 
@@ -0,0 +1,38 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +import typing + +from cryptography.hazmat.primitives import ciphers +from cryptography.hazmat.primitives.ciphers import modes + +@typing.overload +def create_encryption_ctx( + algorithm: ciphers.CipherAlgorithm, mode: modes.ModeWithAuthenticationTag +) -> ciphers.AEADEncryptionContext: ... +@typing.overload +def create_encryption_ctx( + algorithm: ciphers.CipherAlgorithm, mode: modes.Mode +) -> ciphers.CipherContext: ... +@typing.overload +def create_decryption_ctx( + algorithm: ciphers.CipherAlgorithm, mode: modes.ModeWithAuthenticationTag +) -> ciphers.AEADDecryptionContext: ... +@typing.overload +def create_decryption_ctx( + algorithm: ciphers.CipherAlgorithm, mode: modes.Mode +) -> ciphers.CipherContext: ... +def cipher_supported( + algorithm: ciphers.CipherAlgorithm, mode: modes.Mode +) -> bool: ... +def _advance( + ctx: ciphers.AEADEncryptionContext | ciphers.AEADDecryptionContext, n: int +) -> None: ... +def _advance_aad( + ctx: ciphers.AEADEncryptionContext | ciphers.AEADDecryptionContext, n: int +) -> None: ... + +class CipherContext: ... +class AEADEncryptionContext: ... +class AEADDecryptionContext: ... diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index d9f81ce8dcec..4e24914a37fc 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py 
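Review bot: `_advance` and `_advance_aad` in the new ciphers.pyi are exported from the production binding with no comment on what they do or who may call them. From the names and the `tests/hazmat/primitives/test_aes_gcm.py` entry in the diffstat they look like test hooks that move the AEAD processed-byte counters, but that is inferred; the implementation is not in this hunk. Because those counters back the data limit for GCM, a stub comment such as `# Test-only: advances the processed-byte counter; not part of the public API.` would make the intent explicit. It is also worth checking that the Rust side rejects an `n` that is negative or would wrap the counter.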
@@ -17,13 +17,9 @@ from cryptography.hazmat.bindings.openssl._conditional import CONDITIONAL_NAMES -def _openssl_assert( - ok: bool, - errors: list[openssl.OpenSSLError] | None = None, -) -> None: +def _openssl_assert(ok: bool) -> None: if not ok: - if errors is None: - errors = openssl.capture_error_stack() + errors = openssl.capture_error_stack() raise InternalError( "Unknown OpenSSL error. This error is commonly encountered when " diff --git a/src/cryptography/hazmat/primitives/ciphers/base.py b/src/cryptography/hazmat/primitives/ciphers/base.py index 2082df669a23..7c32cbec693e 100644 --- a/src/cryptography/hazmat/primitives/ciphers/base.py +++ b/src/cryptography/hazmat/primitives/ciphers/base.py @@ -7,19 +7,10 @@ import abc import typing -from cryptography.exceptions import ( - AlreadyFinalized, - AlreadyUpdated, - NotYetFinalized, -) +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives._cipheralgorithm import CipherAlgorithm from cryptography.hazmat.primitives.ciphers import modes -if typing.TYPE_CHECKING: - from cryptography.hazmat.backends.openssl.ciphers import ( - _CipherContext as _BackendCipherContext, - ) - class CipherContext(metaclass=abc.ABCMeta): @abc.abstractmethod @@ -112,12 +103,10 @@ def encryptor(self): raise ValueError( "Authentication tag must be None when encrypting." ) - from cryptography.hazmat.backends.openssl.backend import backend - ctx = backend.create_symmetric_encryption_ctx( + return rust_openssl.ciphers.create_encryption_ctx( self.algorithm, self.mode ) - return self._wrap_ctx(ctx, encrypt=True) @typing.overload def decryptor( 
@@ -132,23 +121,9 @@ def decryptor( ... def decryptor(self): - from cryptography.hazmat.backends.openssl.backend import backend - - ctx = backend.create_symmetric_decryption_ctx( + return rust_openssl.ciphers.create_decryption_ctx( self.algorithm, self.mode ) - return self._wrap_ctx(ctx, encrypt=False) - - def _wrap_ctx( - self, ctx: _BackendCipherContext, encrypt: bool - ) -> AEADEncryptionContext | AEADDecryptionContext | CipherContext: - if isinstance(self.mode, modes.ModeWithAuthenticationTag): - if encrypt: - return _AEADEncryptionContext(ctx) - else: - return _AEADDecryptionContext(ctx) - else: - return _CipherContext(ctx) _CIPHER_TYPE = Cipher[ 
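Review bot: With `_wrap_ctx` removed here, and `encryptor` in the previous hunk returning `rust_openssl.ciphers.create_encryption_ctx(...)` directly, every guard the Python wrappers provided now depends on the Rust context: `AlreadyFinalized` after `finalize`, and the `_MAX_ENCRYPTED_BYTES` limit that `_check_limit` applied. Those wrappers are deleted in the following hunk and ciphers.rs is outside this view, so the equivalence cannot be confirmed from these lines. A short comment on both methods, e.g. `# The Rust context enforces finalization state and the AEAD byte limits.`, would tell the next reader where the checks went. `decryptor` also does no Python-side validation, while `encryptor` still rejects a preset tag, so the "tag must be provided when decrypting" check from the deleted backend has to live in Rust as well.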
@@ -161,112 +136,6 @@ def _wrap_ctx( ] ] - -class _CipherContext(CipherContext): - _ctx: _BackendCipherContext | None - - def __init__(self, ctx: _BackendCipherContext) -> None: - self._ctx = ctx - - def update(self, data: bytes) -> bytes: - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - return self._ctx.update(data) - - def update_into(self, data: bytes, buf: bytes) -> int: - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - return self._ctx.update_into(data, buf) - - def finalize(self) -> bytes: - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - data = self._ctx.finalize() - self._ctx = None - return data - - -class _AEADCipherContext(AEADCipherContext): - _ctx: _BackendCipherContext | None - _tag: bytes | None - - def __init__(self, ctx: _BackendCipherContext) -> None: - self._ctx = ctx - self._bytes_processed = 0 - self._aad_bytes_processed = 0 - self._tag = None - self._updated = False - - def _check_limit(self, data_size: int) -> None: - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - self._updated = True - self._bytes_processed += data_size - if self._bytes_processed > self._ctx._mode._MAX_ENCRYPTED_BYTES: - raise ValueError( - "{} has a maximum encrypted byte limit of {}".format( - self._ctx._mode.name, self._ctx._mode._MAX_ENCRYPTED_BYTES - ) - ) - - def update(self, data: bytes) -> bytes: - self._check_limit(len(data)) - # mypy needs this assert even though _check_limit already checked - assert self._ctx is not None - return self._ctx.update(data) - - def update_into(self, data: bytes, buf: bytes) -> int: - self._check_limit(len(data)) - # mypy needs this assert even though _check_limit already checked - assert self._ctx is not None - return self._ctx.update_into(data, buf) - - def finalize(self) -> bytes: - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - data = self._ctx.finalize() - 
self._tag = self._ctx.tag - self._ctx = None - return data - - def authenticate_additional_data(self, data: bytes) -> None: - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - if self._updated: - raise AlreadyUpdated("Update has been called on this context.") - - self._aad_bytes_processed += len(data) - if self._aad_bytes_processed > self._ctx._mode._MAX_AAD_BYTES: - raise ValueError( - "{} has a maximum AAD byte limit of {}".format( - self._ctx._mode.name, self._ctx._mode._MAX_AAD_BYTES - ) - ) - - self._ctx.authenticate_additional_data(data) - - -class _AEADDecryptionContext(_AEADCipherContext, AEADDecryptionContext): - def finalize_with_tag(self, tag: bytes) -> bytes: - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - if self._ctx._tag is not None: - raise ValueError( - "tag provided both in mode and in call with finalize_with_tag:" - " tag should only be provided once" - ) - data = self._ctx.finalize_with_tag(tag) - self._tag = self._ctx.tag - self._ctx = None - return data - - -class _AEADEncryptionContext(_AEADCipherContext, AEADEncryptionContext): - @property - def tag(self) -> bytes: - if self._ctx is not None: - raise NotYetFinalized( - "You must finalize encryption before " "getting the tag." - ) - assert self._tag is not None - return self._tag +CipherContext.register(rust_openssl.ciphers.CipherContext) +AEADEncryptionContext.register(rust_openssl.ciphers.AEADEncryptionContext) +AEADDecryptionContext.register(rust_openssl.ciphers.AEADDecryptionContext) diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index 128f087ff498..46f6e09b5aac 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -56,6 +56,7 @@ impl std::hash::Hash for RegistryKey { enum RegistryCipher { Ref(&'static openssl::cipher::CipherRef), + Owned(Cipher), } impl From<&'static openssl::cipher::CipherRef> for RegistryCipher { 
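Review bot: The three `register` calls added at the end of ciphers/base.py carry no comment explaining why the Rust classes are attached as virtual subclasses. `ABCMeta.register` also does not check that a registered class implements the abstract methods, so a method missing on the Rust side would only surface at call time. A short comment would record both facts, for example `# Rust contexts are registered as virtual subclasses so isinstance() keeps working; register() does not verify the abstract methods.` Presumably the test suite exercises the full method set of each Rust class, but that is not visible in this hunk.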
@@ -64,6 +65,12 @@ impl From<&'static openssl::cipher::CipherRef> for RegistryCipher { } } +impl From for RegistryCipher { + fn from(c: Cipher) -> RegistryCipher { + RegistryCipher::Owned(c) + } +} + struct RegistryBuilder<'p> { py: pyo3::Python<'p>, m: HashMap, 
@@ -122,49 +129,185 @@ fn get_cipher_registry( let sm4 = types::SM4.get(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] let seed = types::SEED.get(py)?; + let arc4 = types::ARC4.get(py)?; + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + let chacha20 = types::CHACHA20.get(py)?; + let rc2 = types::RC2.get(py)?; let cbc = types::CBC.get(py)?; + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + let cfb = types::CFB.get(py)?; + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + let cfb8 = types::CFB8.get(py)?; + let ofb = types::OFB.get(py)?; + let ecb = types::ECB.get(py)?; + let ctr = types::CTR.get(py)?; + let gcm = types::GCM.get(py)?; + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + let xts = types::XTS.get(py)?; + + let none = py.None(); + let none_type = none.as_ref(py).get_type(); m.add(aes, cbc, Some(128), Cipher::aes_128_cbc())?; m.add(aes, cbc, Some(192), Cipher::aes_192_cbc())?; m.add(aes, cbc, Some(256), Cipher::aes_256_cbc())?; + m.add(aes, ofb, Some(128), Cipher::aes_128_ofb())?; + m.add(aes, ofb, Some(192), Cipher::aes_192_ofb())?; + m.add(aes, ofb, Some(256), Cipher::aes_256_ofb())?; + + m.add(aes, gcm, Some(128), Cipher::aes_128_gcm())?; + m.add(aes, gcm, Some(192), Cipher::aes_192_gcm())?; + m.add(aes, gcm, Some(256), Cipher::aes_256_gcm())?; + + m.add(aes, ctr, Some(128), Cipher::aes_128_ctr())?; + m.add(aes, ctr, Some(192), Cipher::aes_192_ctr())?; + m.add(aes, ctr, Some(256), Cipher::aes_256_ctr())?; + + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + { + m.add(aes, cfb8, Some(128), Cipher::aes_128_cfb8())?; + m.add(aes, cfb8, Some(192), Cipher::aes_192_cfb8())?; + m.add(aes, cfb8, Some(256), Cipher::aes_256_cfb8())?; + + m.add(aes, cfb, Some(128), Cipher::aes_128_cfb128())?; + m.add(aes, cfb, Some(192), Cipher::aes_192_cfb128())?; + m.add(aes, cfb, Some(256), Cipher::aes_256_cfb128())?; + } + + m.add(aes, ecb, Some(128), Cipher::aes_128_ecb())?; + m.add(aes, ecb, Some(192), Cipher::aes_192_ecb())?; + m.add(aes, ecb, Some(256), Cipher::aes_256_ecb())?; + + 
#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + { + m.add(aes, xts, Some(256), Cipher::aes_128_xts())?; + m.add(aes, xts, Some(512), Cipher::aes_256_xts())?; + } + m.add(aes128, cbc, Some(128), Cipher::aes_128_cbc())?; m.add(aes256, cbc, Some(256), Cipher::aes_256_cbc())?; - m.add(triple_des, cbc, Some(192), Cipher::des_ede3_cbc())?; + m.add(aes128, ofb, Some(128), Cipher::aes_128_ofb())?; + m.add(aes256, ofb, Some(256), Cipher::aes_256_ofb())?; - #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] - m.add(camellia, cbc, Some(128), Cipher::camellia128_cbc())?; - #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] - m.add(camellia, cbc, Some(192), Cipher::camellia192_cbc())?; - #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] - m.add(camellia, cbc, Some(256), Cipher::camellia256_cbc())?; + m.add(aes128, gcm, Some(128), Cipher::aes_128_gcm())?; + m.add(aes256, gcm, Some(256), Cipher::aes_256_gcm())?; - #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] - m.add(sm4, cbc, Some(128), Cipher::sm4_cbc())?; + m.add(aes128, ctr, Some(128), Cipher::aes_128_ctr())?; + m.add(aes256, ctr, Some(256), Cipher::aes_256_ctr())?; - #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] - m.add(seed, cbc, Some(128), Cipher::seed_cbc())?; + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + { + m.add(aes128, cfb8, Some(128), Cipher::aes_128_cfb8())?; + m.add(aes256, cfb8, Some(256), Cipher::aes_256_cfb8())?; - #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] - m.add(blowfish, cbc, None, Cipher::bf_cbc())?; + m.add(aes128, cfb, Some(128), Cipher::aes_128_cfb128())?; + m.add(aes256, cfb, Some(256), Cipher::aes_256_cfb128())?; + } - #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAST"))] - m.add(cast5, cbc, None, Cipher::cast5_cbc())?; + m.add(aes128, ecb, Some(128), Cipher::aes_128_ecb())?; + m.add(aes256, ecb, Some(256), Cipher::aes_256_ecb())?; - #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] - m.add(idea, cbc, Some(128), Cipher::idea_cbc())?; + m.add(triple_des, 
cbc, Some(192), Cipher::des_ede3_cbc())?; + m.add(triple_des, ecb, Some(192), Cipher::des_ede3_ecb())?; + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + { + m.add(triple_des, cfb8, Some(192), Cipher::des_ede3_cfb8())?; + m.add(triple_des, cfb, Some(192), Cipher::des_ede3_cfb64())?; + m.add(triple_des, ofb, Some(192), Cipher::des_ede3_ofb())?; + } + + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] + { + m.add(camellia, cbc, Some(128), Cipher::camellia128_cbc())?; + m.add(camellia, cbc, Some(192), Cipher::camellia192_cbc())?; + m.add(camellia, cbc, Some(256), Cipher::camellia256_cbc())?; + + m.add(camellia, ecb, Some(128), Cipher::camellia128_ecb())?; + m.add(camellia, ecb, Some(192), Cipher::camellia192_ecb())?; + m.add(camellia, ecb, Some(256), Cipher::camellia256_ecb())?; + + m.add(camellia, ofb, Some(128), Cipher::camellia128_ofb())?; + m.add(camellia, ofb, Some(192), Cipher::camellia192_ofb())?; + m.add(camellia, ofb, Some(256), Cipher::camellia256_ofb())?; + + m.add(camellia, cfb, Some(128), Cipher::camellia128_cfb128())?; + m.add(camellia, cfb, Some(192), Cipher::camellia192_cfb128())?; + m.add(camellia, cfb, Some(256), Cipher::camellia256_cfb128())?; + } + + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] + { + m.add(sm4, cbc, Some(128), Cipher::sm4_cbc())?; + m.add(sm4, ctr, Some(128), Cipher::sm4_ctr())?; + m.add(sm4, cfb, Some(128), Cipher::sm4_cfb128())?; + m.add(sm4, ofb, Some(128), Cipher::sm4_ofb())?; + m.add(sm4, ecb, Some(128), Cipher::sm4_ecb())?; + + #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] + if let Ok(c) = Cipher::fetch(None, "sm4-gcm", None) { + m.add(sm4, gcm, Some(128), c)?; + } + } + + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + m.add(chacha20, none_type, None, Cipher::chacha20())?; + + // Don't register legacy ciphers if they're unavailable. In theory + // this should't be necessary but OpenSSL 3 will return an EVP_CIPHER + // even when the cipher is unavailable. 
+ if cfg!(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)) + || types::LEGACY_PROVIDER_LOADED.get(py)?.is_true()? + { + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] + { + m.add(blowfish, cbc, None, Cipher::bf_cbc())?; + m.add(blowfish, cfb, None, Cipher::bf_cfb64())?; + m.add(blowfish, ofb, None, Cipher::bf_ofb())?; + m.add(blowfish, ecb, None, Cipher::bf_ecb())?; + } + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] + { + m.add(seed, cbc, Some(128), Cipher::seed_cbc())?; + m.add(seed, cfb, Some(128), Cipher::seed_cfb128())?; + m.add(seed, ofb, Some(128), Cipher::seed_ofb())?; + m.add(seed, ecb, Some(128), Cipher::seed_ecb())?; + } + + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAST"))] + { + m.add(cast5, cbc, None, Cipher::cast5_cbc())?; + m.add(cast5, ecb, None, Cipher::cast5_ecb())?; + m.add(cast5, ofb, None, Cipher::cast5_ofb())?; + m.add(cast5, cfb, None, Cipher::cast5_cfb64())?; + } + + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] + { + m.add(idea, cbc, Some(128), Cipher::idea_cbc())?; + m.add(idea, ecb, Some(128), Cipher::idea_ecb())?; + m.add(idea, ofb, Some(128), Cipher::idea_ofb())?; + m.add(idea, cfb, Some(128), Cipher::idea_cfb64())?; + } + + m.add(arc4, none_type, None, Cipher::rc4())?; + + if let Some(rc2_cbc) = Cipher::from_nid(openssl::nid::Nid::RC2_CBC) { + m.add(rc2, cbc, Some(128), rc2_cbc)?; + } + } Ok(m.build()) }) } -pub(crate) fn get_cipher<'a>( - py: pyo3::Python<'_>, +pub(crate) fn get_cipher<'py>( + py: pyo3::Python<'py>, algorithm: &pyo3::PyAny, mode_cls: &pyo3::PyAny, -) -> CryptographyResult> { +) -> CryptographyResult> { let registry = get_cipher_registry(py)?; let key_size = algorithm @@ -174,6 +317,7 @@ pub(crate) fn get_cipher<'a>( match registry.get(&key) { Some(RegistryCipher::Ref(c)) => Ok(Some(c)), + Some(RegistryCipher::Owned(c)) => Ok(Some(c)), None => Ok(None), } } diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs new file mode 100644 index 000000000000..3695ca1d89df 
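Review bot: The XTS registrations pair `Some(256)` with `Cipher::aes_128_xts()` and `Some(512)` with `Cipher::aes_256_xts()`, which reads like a mismatch unless the reader knows that an XTS key is two AES keys concatenated. A one-line comment above that block would head off a well-meant "correction", for example `// XTS keys are two AES keys back to back, so the key size is double the AES variant.` The comment added above the legacy-cipher block also has a typo, `should't`. `get_cipher_registry` starts outside this hunk.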
--- /dev/null +++ b/src/rust/src/backend/ciphers.rs 
@@ -0,0 +1,567 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::backend::cipher_registry; +use crate::buf::{CffiBuf, CffiMutBuf}; +use crate::error::{CryptographyError, CryptographyResult}; +use crate::exceptions; +use crate::types; +use pyo3::IntoPy; + +struct CipherContext { + ctx: openssl::cipher_ctx::CipherCtx, + py_mode: pyo3::PyObject, +} + +impl CipherContext { + fn new( + py: pyo3::Python<'_>, + algorithm: &pyo3::PyAny, + mode: &pyo3::PyAny, + side: openssl::symm::Mode, + ) -> CryptographyResult { + let cipher = match cipher_registry::get_cipher(py, algorithm, mode.get_type())? { + Some(c) => c, + None => { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + format!( + "cipher {} in {} mode is not supported ", + algorithm.getattr(pyo3::intern!(py, "name"))?, + if mode.is_true()? { + mode.getattr(pyo3::intern!(py, "name"))? + } else { + mode + } + ), + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )) + } + }; + + let iv_nonce = if mode.is_instance(types::MODE_WITH_INITIALIZATION_VECTOR.get(py)?)? { + Some( + mode.getattr(pyo3::intern!(py, "initialization_vector"))? + .extract::>()?, + ) + } else if mode.is_instance(types::MODE_WITH_TWEAK.get(py)?)? { + Some( + mode.getattr(pyo3::intern!(py, "tweak"))? + .extract::>()?, + ) + } else if mode.is_instance(types::MODE_WITH_NONCE.get(py)?)? { + Some( + mode.getattr(pyo3::intern!(py, "nonce"))? + .extract::>()?, + ) + } else if algorithm.is_instance(types::CHACHA20.get(py)?)? { + Some( + algorithm + .getattr(pyo3::intern!(py, "nonce"))? + .extract::>()?, + ) + } else { + None + }; + + let key = algorithm + .getattr(pyo3::intern!(py, "key"))? 
+ .extract::>()?; + + let init_op = match side { + openssl::symm::Mode::Encrypt => openssl::cipher_ctx::CipherCtxRef::encrypt_init, + openssl::symm::Mode::Decrypt => openssl::cipher_ctx::CipherCtxRef::decrypt_init, + }; + + let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; + init_op(&mut ctx, Some(cipher), None, None)?; + ctx.set_key_length(key.as_bytes().len())?; + + if let Some(iv) = iv_nonce.as_ref() { + if cipher.iv_length() != 0 && cipher.iv_length() != iv.as_bytes().len() { + ctx.set_iv_length(iv.as_bytes().len())?; + } + } + + if mode.is_instance(types::XTS.get(py)?)? { + init_op( + &mut ctx, + None, + Some(key.as_bytes()), + iv_nonce.as_ref().map(|b| b.as_bytes()), + ) + .map_err(|_| { + pyo3::exceptions::PyValueError::new_err( + "In XTS mode duplicated keys are not allowed", + ) + })?; + } else { + init_op( + &mut ctx, + None, + Some(key.as_bytes()), + iv_nonce.as_ref().map(|b| b.as_bytes()), + )?; + }; + + ctx.set_padding(false); + + Ok(CipherContext { + ctx, + py_mode: mode.into(), + }) + } + + fn update<'p>( + &mut self, + py: pyo3::Python<'p>, + buf: &[u8], + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let mut out_buf = vec![0; buf.len() + self.ctx.block_size()]; + let n = self.update_into(py, buf, &mut out_buf)?; + Ok(pyo3::types::PyBytes::new(py, &out_buf[..n])) + } + + fn update_into( + &mut self, + py: pyo3::Python<'_>, + buf: &[u8], + out_buf: &mut [u8], + ) -> CryptographyResult { + if out_buf.len() < (buf.len() + self.ctx.block_size() - 1) { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err(format!( + "buffer must be at least {} bytes for this payload", + buf.len() + self.ctx.block_size() - 1 + )), + )); + } + + let mut total_written = 0; + for chunk in buf.chunks(1 << 29) { + // SAFETY: We ensure that outbuf is sufficiently large above. + unsafe { + let n = if self.py_mode.as_ref(py).is_instance(types::XTS.get(py)?)? 
{ + self.ctx.cipher_update_unchecked(chunk, Some(&mut out_buf[total_written..])).map_err(|_| { + pyo3::exceptions::PyValueError::new_err( + "In XTS mode you must supply at least a full block in the first update call. For AES this is 16 bytes." + ) + })? + } else { + self.ctx + .cipher_update_unchecked(chunk, Some(&mut out_buf[total_written..]))? + }; + total_written += n; + } + } + + Ok(total_written) + } + + fn authenticate_additional_data(&mut self, buf: &[u8]) -> CryptographyResult<()> { + self.ctx.cipher_update(buf, None)?; + Ok(()) + } + + fn finalize<'p>( + &mut self, + py: pyo3::Python<'p>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let mut out_buf = vec![0; self.ctx.block_size()]; + let n = self.ctx.cipher_final(&mut out_buf).or_else(|e| { + if e.errors().is_empty() + && self + .py_mode + .as_ref(py) + .is_instance(types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? + { + return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); + } + Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "The length of the provided data is not a multiple of the block length.", + ), + )) + })?; + Ok(pyo3::types::PyBytes::new(py, &out_buf[..n])) + } +} + +#[pyo3::prelude::pyclass( + module = "cryptography.hazmat.bindings._rust.openssl.ciphers", + name = "CipherContext" +)] +struct PyCipherContext { + ctx: Option, +} + +#[pyo3::prelude::pyclass( + module = "cryptography.hazmat.bindings._rust.openssl.ciphers", + name = "AEADEncryptionContext" +)] +struct PyAEADEncryptionContext { + ctx: Option, + tag: Option>, + updated: bool, + bytes_remaining: u64, + aad_bytes_remaining: u64, +} + +#[pyo3::prelude::pyclass( + module = "cryptography.hazmat.bindings._rust.openssl.ciphers", + name = "AEADDecryptionContext" +)] +struct PyAEADDecryptionContext { + ctx: Option, + updated: bool, + bytes_remaining: u64, + aad_bytes_remaining: u64, +} + +fn get_mut_ctx(ctx: Option<&mut CipherContext>) -> pyo3::PyResult<&mut CipherContext> { + 
ctx.ok_or_else(|| exceptions::AlreadyFinalized::new_err("Context was already finalized.")) +} + +#[pyo3::prelude::pymethods] +impl PyCipherContext { + fn update<'p>( + &mut self, + py: pyo3::Python<'p>, + buf: CffiBuf<'_>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + get_mut_ctx(self.ctx.as_mut())?.update(py, buf.as_bytes()) + } + + fn update_into( + &mut self, + py: pyo3::Python<'_>, + buf: CffiBuf<'_>, + mut out_buf: CffiMutBuf<'_>, + ) -> CryptographyResult { + get_mut_ctx(self.ctx.as_mut())?.update_into(py, buf.as_bytes(), out_buf.as_mut_bytes()) + } + + fn finalize<'p>( + &mut self, + py: pyo3::Python<'p>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let result = get_mut_ctx(self.ctx.as_mut())?.finalize(py)?; + self.ctx = None; + Ok(result) + } +} + +#[pyo3::prelude::pymethods] +impl PyAEADEncryptionContext { + fn update<'p>( + &mut self, + py: pyo3::Python<'p>, + buf: CffiBuf<'_>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let data = buf.as_bytes(); + + self.updated = true; + self.bytes_remaining = self + .bytes_remaining + .checked_sub(data.len().try_into().unwrap()) + .ok_or_else(|| { + pyo3::exceptions::PyValueError::new_err("Exceeded maximum encrypted byte limit") + })?; + get_mut_ctx(self.ctx.as_mut())?.update(py, data) + } + + fn update_into( + &mut self, + py: pyo3::Python<'_>, + buf: CffiBuf<'_>, + mut out_buf: CffiMutBuf<'_>, + ) -> CryptographyResult { + let data = buf.as_bytes(); + + self.updated = true; + self.bytes_remaining = self + .bytes_remaining + .checked_sub(data.len().try_into().unwrap()) + .ok_or_else(|| { + pyo3::exceptions::PyValueError::new_err("Exceeded maximum encrypted byte limit") + })?; + get_mut_ctx(self.ctx.as_mut())?.update_into(py, data, out_buf.as_mut_bytes()) + } + + fn authenticate_additional_data(&mut self, buf: CffiBuf<'_>) -> CryptographyResult<()> { + let ctx = get_mut_ctx(self.ctx.as_mut())?; + if self.updated { + return Err(CryptographyError::from( + 
exceptions::AlreadyUpdated::new_err("Update has been called on this context."), + )); + } + + let data = buf.as_bytes(); + self.aad_bytes_remaining = self + .aad_bytes_remaining + .checked_sub(data.len().try_into().unwrap()) + .ok_or_else(|| { + pyo3::exceptions::PyValueError::new_err("Exceeded maximum AAD byte limit") + })?; + ctx.authenticate_additional_data(data) + } + + fn finalize<'p>( + &mut self, + py: pyo3::Python<'p>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let ctx = get_mut_ctx(self.ctx.as_mut())?; + let result = ctx.finalize(py)?; + + // XXX: do not hard code 16 + let tag = pyo3::types::PyBytes::new_with(py, 16, |t| { + ctx.ctx.tag(t).map_err(CryptographyError::from)?; + Ok(()) + })?; + self.tag = Some(tag.into_py(py)); + self.ctx = None; + + Ok(result) + } + + #[getter] + fn tag(&self, py: pyo3::Python<'_>) -> CryptographyResult> { + Ok(self + .tag + .as_ref() + .ok_or_else(|| { + exceptions::NotYetFinalized::new_err( + "You must finalize encryption before getting the tag.", + ) + })? 
+ .clone_ref(py)) + } +} + +#[pyo3::prelude::pymethods] +impl PyAEADDecryptionContext { + fn update<'p>( + &mut self, + py: pyo3::Python<'p>, + buf: CffiBuf<'_>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let data = buf.as_bytes(); + + self.updated = true; + self.bytes_remaining = self + .bytes_remaining + .checked_sub(data.len().try_into().unwrap()) + .ok_or_else(|| { + pyo3::exceptions::PyValueError::new_err("Exceeded maximum encrypted byte limit") + })?; + get_mut_ctx(self.ctx.as_mut())?.update(py, data) + } + + fn update_into( + &mut self, + py: pyo3::Python<'_>, + buf: CffiBuf<'_>, + mut out_buf: CffiMutBuf<'_>, + ) -> CryptographyResult { + let data = buf.as_bytes(); + + self.updated = true; + self.bytes_remaining = self + .bytes_remaining + .checked_sub(data.len().try_into().unwrap()) + .ok_or_else(|| { + pyo3::exceptions::PyValueError::new_err("Exceeded maximum encrypted byte limit") + })?; + get_mut_ctx(self.ctx.as_mut())?.update_into(py, data, out_buf.as_mut_bytes()) + } + + fn authenticate_additional_data(&mut self, buf: CffiBuf<'_>) -> CryptographyResult<()> { + let ctx = get_mut_ctx(self.ctx.as_mut())?; + if self.updated { + return Err(CryptographyError::from( + exceptions::AlreadyUpdated::new_err("Update has been called on this context."), + )); + } + + let data = buf.as_bytes(); + self.aad_bytes_remaining = self + .aad_bytes_remaining + .checked_sub(data.len().try_into().unwrap()) + .ok_or_else(|| { + pyo3::exceptions::PyValueError::new_err("Exceeded maximum AAD byte limit") + })?; + ctx.authenticate_additional_data(data) + } + + fn finalize<'p>( + &mut self, + py: pyo3::Python<'p>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let ctx = get_mut_ctx(self.ctx.as_mut())?; + + if ctx + .py_mode + .as_ref(py) + .getattr(pyo3::intern!(py, "tag"))? 
+ .is_none() + { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Authentication tag must be provided when decrypting.", + ), + )); + } + + let result = ctx.finalize(py)?; + self.ctx = None; + Ok(result) + } + + fn finalize_with_tag<'p>( + &mut self, + py: pyo3::Python<'p>, + tag: &[u8], + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let ctx = get_mut_ctx(self.ctx.as_mut())?; + + if !ctx + .py_mode + .as_ref(py) + .getattr(pyo3::intern!(py, "tag"))? + .is_none() + { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Authentication tag must be provided only once.", + ), + )); + } + + let min_tag_length = ctx + .py_mode + .as_ref(py) + .getattr(pyo3::intern!(py, "_min_tag_length"))? + .extract()?; + // XXX: Do not hard code 16 + if tag.len() < min_tag_length { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err(format!( + "Authentication tag must be {} bytes or longer.", + min_tag_length + )), + )); + } else if tag.len() > 16 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err(format!( + "Authentication tag cannot be more than {} bytes.", + 16 + )), + )); + } + + ctx.ctx.set_tag(tag)?; + let result = ctx.finalize(py)?; + self.ctx = None; + Ok(result) + } +} + +#[pyo3::prelude::pyfunction] +fn create_encryption_ctx( + py: pyo3::Python<'_>, + algorithm: &pyo3::PyAny, + mode: &pyo3::PyAny, +) -> CryptographyResult { + let ctx = CipherContext::new(py, algorithm, mode, openssl::symm::Mode::Encrypt)?; + + if mode.is_instance(types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? { + Ok(PyAEADEncryptionContext { + ctx: Some(ctx), + tag: None, + updated: false, + bytes_remaining: mode + .getattr(pyo3::intern!(py, "_MAX_ENCRYPTED_BYTES"))? + .extract()?, + aad_bytes_remaining: mode + .getattr(pyo3::intern!(py, "_MAX_AAD_BYTES"))? 
+ .extract()?, + } + .into_py(py)) + } else { + Ok(PyCipherContext { ctx: Some(ctx) }.into_py(py)) + } +} + +#[pyo3::prelude::pyfunction] +fn create_decryption_ctx( + py: pyo3::Python<'_>, + algorithm: &pyo3::PyAny, + mode: &pyo3::PyAny, +) -> CryptographyResult { + let mut ctx = CipherContext::new(py, algorithm, mode, openssl::symm::Mode::Decrypt)?; + + if mode.is_instance(types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? { + if let Some(tag) = mode.getattr(pyo3::intern!(py, "tag"))?.extract()? { + ctx.ctx.set_tag(tag)?; + } + + Ok(PyAEADDecryptionContext { + ctx: Some(ctx), + updated: false, + bytes_remaining: mode + .getattr(pyo3::intern!(py, "_MAX_ENCRYPTED_BYTES"))? + .extract()?, + aad_bytes_remaining: mode + .getattr(pyo3::intern!(py, "_MAX_AAD_BYTES"))? + .extract()?, + } + .into_py(py)) + } else { + Ok(PyCipherContext { ctx: Some(ctx) }.into_py(py)) + } +} + +#[pyo3::prelude::pyfunction] +fn cipher_supported( + py: pyo3::Python<'_>, + algorithm: &pyo3::PyAny, + mode: &pyo3::PyAny, +) -> CryptographyResult { + Ok(cipher_registry::get_cipher(py, algorithm, mode.get_type())?.is_some()) +} + +#[pyo3::prelude::pyfunction] +fn _advance(ctx: &pyo3::PyAny, n: u64) { + if let Ok(c) = ctx.downcast::>() { + c.borrow_mut().bytes_remaining -= n; + } else if let Ok(c) = ctx.downcast::>() { + c.borrow_mut().bytes_remaining -= n; + } +} + +#[pyo3::prelude::pyfunction] +fn _advance_aad(ctx: &pyo3::PyAny, n: u64) { + if let Ok(c) = ctx.downcast::>() { + c.borrow_mut().aad_bytes_remaining -= n; + } else if let Ok(c) = ctx.downcast::>() { + c.borrow_mut().aad_bytes_remaining -= n; + } +} + +pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { + let m = pyo3::prelude::PyModule::new(py, "ciphers")?; + m.add_function(pyo3::wrap_pyfunction!(create_encryption_ctx, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(create_decryption_ctx, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(cipher_supported, m)?)?; + + 
m.add_function(pyo3::wrap_pyfunction!(_advance, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(_advance_aad, m)?)?; + + m.add_class::()?; + m.add_class::()?; + m.add_class::()?; + + Ok(m) +} diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 7e085d623b40..be7b2d0ac280 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -4,6 +4,7 @@ pub(crate) mod aead; pub(crate) mod cipher_registry; +pub(crate) mod ciphers; pub(crate) mod cmac; pub(crate) mod dh; pub(crate) mod dsa; @@ -24,6 +25,7 @@ pub(crate) mod x448; pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { module.add_submodule(aead::create_module(module.py())?)?; + module.add_submodule(ciphers::create_module(module.py())?)?; module.add_submodule(cmac::create_module(module.py())?)?; module.add_submodule(dh::create_module(module.py())?)?; module.add_submodule(dsa::create_module(module.py())?)?; diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index edc3860c1050..028322dfe0da 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs @@ -2,9 +2,9 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use std::slice; - use crate::types; +use pyo3::types::IntoPyDict; +use std::slice; pub(crate) struct CffiBuf<'p> { _pyobj: &'p pyo3::PyAny, 
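Review bot: The `-=` on `bytes_remaining` and `aad_bytes_remaining` in `_advance` and `_advance_aad` (src/rust/src/backend/ciphers.rs) is unchecked, unlike the `checked_sub` used in every `update` and `authenticate_additional_data` path of the same file. If `n` exceeds the remaining budget, the u64 subtraction panics when overflow checks are enabled and otherwise wraps to a value near `u64::MAX`, leaving the context with effectively no byte limit. Both helpers are registered on the `ciphers` module, so they are callable from Python even if they are meant only for tests. A saturating subtraction keeps the limit intact: `let mut c = c.borrow_mut(); c.bytes_remaining = c.bytes_remaining.saturating_sub(n);`, and likewise for `aad_bytes_remaining`.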
@@ -12,9 +12,19 @@ pub(crate) struct CffiBuf<'p> { buf: &'p [u8], } -fn _extract_buffer_length(pyobj: &pyo3::PyAny) -> pyo3::PyResult<(&pyo3::PyAny, usize)> { +fn _extract_buffer_length( + pyobj: &pyo3::PyAny, + mutable: bool, +) -> pyo3::PyResult<(&pyo3::PyAny, usize)> { let py = pyobj.py(); - let bufobj = types::FFI_FROM_BUFFER.get(py)?.call1((pyobj,))?; + let bufobj = if mutable { + let kwargs = [(pyo3::intern!(py, "require_writable"), true)].into_py_dict(py); + types::FFI_FROM_BUFFER + .get(py)? + .call((pyobj,), Some(kwargs))? + } else { + types::FFI_FROM_BUFFER.get(py)?.call1((pyobj,))? + }; let ptrval = types::FFI_CAST .get(py)? .call1((pyo3::intern!(py, "uintptr_t"), bufobj))? @@ -31,7 +41,7 @@ impl CffiBuf<'_> { impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { fn extract(pyobj: &'a pyo3::PyAny) -> pyo3::PyResult { - let (bufobj, ptrval) = _extract_buffer_length(pyobj)?; + let (bufobj, ptrval) = _extract_buffer_length(pyobj, false)?; let len = bufobj.len()?; let buf = if len == 0 { &[] 
@@ -54,3 +64,42 @@ impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { }) } } + +pub(crate) struct CffiMutBuf<'p> { + _pyobj: &'p pyo3::PyAny, + _bufobj: &'p pyo3::PyAny, + buf: &'p mut [u8], +} + +impl CffiMutBuf<'_> { + pub(crate) fn as_mut_bytes(&mut self) -> &mut [u8] { + self.buf + } +} + +impl<'a> pyo3::conversion::FromPyObject<'a> for CffiMutBuf<'a> { + fn extract(pyobj: &'a pyo3::PyAny) -> pyo3::PyResult { + let (bufobj, ptrval) = _extract_buffer_length(pyobj, true)?; + + let len = bufobj.len()?; + let buf = if len == 0 { + &mut [] + } else { + // SAFETY: _extract_buffer_length ensures that we have a valid ptr + // and length (and we ensure we meet slice's requirements for + // 0-length slices above), we're keeping pyobj alive which ensures + // the buffer is valid. But! There is no actually guarantee + // against concurrent mutation. See + // https://alexgaynor.net/2022/oct/23/buffers-on-the-edge/ + // for details. This is the same as our cffi status quo ante, so + // we're doing an unsound thing and living with it. + unsafe { slice::from_raw_parts_mut(ptrval as *mut u8, len) } + }; + + Ok(CffiMutBuf { + _pyobj: pyobj, + _bufobj: bufobj, + buf, + }) + } +} diff --git a/src/rust/src/exceptions.rs b/src/rust/src/exceptions.rs index c9456513993d..67f57b9adcb5 100644 --- a/src/rust/src/exceptions.rs +++ b/src/rust/src/exceptions.rs 
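Review bot: The SAFETY comment on `slice::from_raw_parts_mut` in `CffiMutBuf::extract` covers concurrent mutation but says nothing about aliasing between the two buffer types. `update_into` in ciphers.rs extracts a `CffiBuf` and a `CffiMutBuf` in the same call, and nothing visible in this diff stops a caller from passing one writable object as both, which would put a `&[u8]` and a `&mut [u8]` over the same memory. I would at least record that in the comment, e.g. `// Also unsound if a CffiBuf over the same memory is alive; input and output must not be the same object.` Alternatively, `update_into` could compare the two pointer ranges and reject overlap before the unchecked update.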
@@ -23,10 +23,12 @@ pub(crate) enum Reasons { UNSUPPORTED_MAC, } +pyo3::import_exception!(cryptography.exceptions, AlreadyUpdated); pyo3::import_exception!(cryptography.exceptions, AlreadyFinalized); pyo3::import_exception!(cryptography.exceptions, InternalError); pyo3::import_exception!(cryptography.exceptions, InvalidSignature); pyo3::import_exception!(cryptography.exceptions, InvalidTag); +pyo3::import_exception!(cryptography.exceptions, NotYetFinalized); pyo3::import_exception!(cryptography.exceptions, UnsupportedAlgorithm); pyo3::import_exception!(cryptography.x509, AttributeNotFound); pyo3::import_exception!(cryptography.x509, DuplicateExtension); diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 10272e14aa8f..e48c63fbb0bf 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -473,6 +473,10 @@ pub static AES256: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["AES256"], ); +pub static CHACHA20: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.algorithms", + &["ChaCha20"], +); #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] pub static SM4: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", 
@@ -499,9 +503,50 @@ pub static CAST5: LazyPyImport = LazyPyImport::new( #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] pub static IDEA: LazyPyImport = LazyPyImport::new("cryptography.hazmat.decrepit.ciphers.algorithms", &["IDEA"]); +pub static ARC4: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.decrepit.ciphers.algorithms", &["ARC4"]); +pub static RC2: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.decrepit.ciphers.algorithms", &["RC2"]); +pub static MODE_WITH_INITIALIZATION_VECTOR: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.modes", + &["ModeWithInitializationVector"], +); +pub static MODE_WITH_TWEAK: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.modes", + &["ModeWithTweak"], +); +pub static MODE_WITH_NONCE: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.modes", + &["ModeWithNonce"], +); +pub static MODE_WITH_AUTHENTICATION_TAG: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.modes", + &["ModeWithAuthenticationTag"], +); pub static CBC: LazyPyImport = LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["CBC"]); +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +pub static CFB: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["CFB"]); +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +pub static CFB8: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["CFB8"]); +pub static OFB: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["OFB"]); +pub static ECB: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["ECB"]); +pub static CTR: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["CTR"]); +pub static GCM: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["GCM"]); +pub static XTS: LazyPyImport = + 
LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["XTS"]); + +pub static LEGACY_PROVIDER_LOADED: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.bindings._rust", + &["openssl", "_legacy_provider_loaded"], +); #[cfg(test)] mod tests { diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index a941f50b928c..d838c2f8dfe1 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -216,7 +216,7 @@ fn parse_name_attribute( pyo3::types::PyString::new(py, parsed) } }; - let kwargs = [("_validate", false)].into_py_dict(py); + let kwargs = [(pyo3::intern!(py, "_validate"), false)].into_py_dict(py); Ok(types::NAME_ATTRIBUTE .get(py)? .call((oid, py_data, py_tag), Some(kwargs))? diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index e9cdcc432a50..6115e48f9cc3 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -14,9 +14,6 @@ from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import padding -from cryptography.hazmat.primitives.ciphers import Cipher -from cryptography.hazmat.primitives.ciphers.algorithms import AES -from cryptography.hazmat.primitives.ciphers.modes import CBC from ...doubles import ( DummyAsymmetricPadding, 
@@ -80,26 +77,6 @@ def test_supports_cipher(self): is False ) - def test_register_duplicate_cipher_adapter(self): - with pytest.raises(ValueError): - backend.register_cipher_adapter(AES, CBC, None) - - @pytest.mark.parametrize("mode", [DummyMode(), None]) - def test_nonexistent_cipher(self, mode, backend, monkeypatch): - # We can't use register_cipher_adapter because backend is a - # global singleton and we want to revert the change after the test - monkeypatch.setitem( - backend._cipher_registry, - (DummyCipherAlgorithm, type(mode)), - lambda backend, cipher, mode: backend._ffi.NULL, - ) - cipher = Cipher( - DummyCipherAlgorithm(), - mode, - ) - with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): - cipher.encryptor() - def test_openssl_assert(self): backend.openssl_assert(True) with pytest.raises(InternalError): @@ -128,14 +105,6 @@ def test_evp_ciphers_registered(self): cipher = backend._lib.EVP_get_cipherbyname(b"aes-256-cbc") assert cipher != backend._ffi.NULL - def test_unknown_error_in_cipher_finalize(self): - cipher = Cipher(AES(b"\0" * 16), CBC(b"\0" * 16), backend=backend) - enc = cipher.encryptor() - enc.update(b"\0") - backend._lib.ERR_put_error(0, 0, 1, b"test_openssl.py", -1) - with pytest.raises(InternalError): - enc.finalize() - class TestOpenSSLRSA: def test_rsa_padding_unsupported_pss_mgf1_hash(self): diff --git a/tests/hazmat/primitives/test_aes_gcm.py b/tests/hazmat/primitives/test_aes_gcm.py index d82e37470cae..054327041358 100644 --- a/tests/hazmat/primitives/test_aes_gcm.py +++ b/tests/hazmat/primitives/test_aes_gcm.py 
@@ -8,20 +8,13 @@ import pytest +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives.ciphers import algorithms, base, modes from ...utils import load_nist_vectors from .utils import generate_aead_test -def _advance(ctx, n): - ctx._bytes_processed += n - - -def _advance_aad(ctx, n): - ctx._aad_bytes_processed += n - - @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( algorithms.AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) @@ -80,7 +73,9 @@ def test_gcm_ciphertext_limit(self, backend): backend=backend, ) encryptor = cipher.encryptor() - _advance(encryptor, modes.GCM._MAX_ENCRYPTED_BYTES - 16) + rust_openssl.ciphers._advance( + encryptor, modes.GCM._MAX_ENCRYPTED_BYTES - 16 + ) encryptor.update(b"0" * 16) with pytest.raises(ValueError): encryptor.update(b"0") @@ -88,7 +83,9 @@ def test_gcm_ciphertext_limit(self, backend): encryptor.update_into(b"0", bytearray(1)) decryptor = cipher.decryptor() - _advance(decryptor, modes.GCM._MAX_ENCRYPTED_BYTES - 16) + rust_openssl.ciphers._advance( + decryptor, modes.GCM._MAX_ENCRYPTED_BYTES - 16 + ) decryptor.update(b"0" * 16) with pytest.raises(ValueError): decryptor.update(b"0") 
@@ -102,45 +99,21 @@ def test_gcm_aad_limit(self, backend): backend=backend, ) encryptor = cipher.encryptor() - _advance_aad(encryptor, modes.GCM._MAX_AAD_BYTES - 16) + rust_openssl.ciphers._advance_aad( + encryptor, modes.GCM._MAX_AAD_BYTES - 16 + ) encryptor.authenticate_additional_data(b"0" * 16) with pytest.raises(ValueError): encryptor.authenticate_additional_data(b"0") decryptor = cipher.decryptor() - _advance_aad(decryptor, modes.GCM._MAX_AAD_BYTES - 16) + rust_openssl.ciphers._advance_aad( + decryptor, modes.GCM._MAX_AAD_BYTES - 16 + ) decryptor.authenticate_additional_data(b"0" * 16) with pytest.raises(ValueError): decryptor.authenticate_additional_data(b"0") - def test_gcm_ciphertext_increments(self, backend): - encryptor = base.Cipher( - algorithms.AES(b"\x00" * 16), - modes.GCM(b"\x01" * 16), - backend=backend, - ).encryptor() - encryptor.update(b"0" * 8) - assert encryptor._bytes_processed == 8 # type: ignore[attr-defined] - encryptor.update(b"0" * 7) - assert encryptor._bytes_processed == 15 # type: ignore[attr-defined] - encryptor.update(b"0" * 18) - assert encryptor._bytes_processed == 33 # type: ignore[attr-defined] - - def test_gcm_aad_increments(self, backend): - encryptor = base.Cipher( - algorithms.AES(b"\x00" * 16), - modes.GCM(b"\x01" * 16), - backend=backend, - ).encryptor() - encryptor.authenticate_additional_data(b"0" * 8) - assert ( - encryptor._aad_bytes_processed == 8 # type: ignore[attr-defined] - ) - encryptor.authenticate_additional_data(b"0" * 18) - assert ( - encryptor._aad_bytes_processed == 26 # type: ignore[attr-defined] - ) - def test_gcm_tag_decrypt_none(self, backend): key = binascii.unhexlify(b"5211242698bed4774a090620a6ca56f3") iv = binascii.unhexlify(b"b1e1349120b6e832ef976f5d") From 9f9c5ea9424162f40544fdfa923dcb6fc87d499c Mon Sep 17 00:00:00 2001 
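Review bot: With `test_gcm_ciphertext_increments` and `test_gcm_aad_increments` removed, nothing in this file checks that the GCM byte counters accumulate across several calls whose sizes are not block multiples; the remaining limit tests make a single 16-byte call after `_advance`. Those counters are what enforce the `_MAX_ENCRYPTED_BYTES` and `_MAX_AAD_BYTES` limits, so I would keep the coverage as a black-box test: advance to the limit minus 33, feed 8, 7 and 18 bytes, and assert that one more byte raises `ValueError`. The counters are presumably no longer readable from Python, which is why the sketch below goes through the limit rather than the private attributes; the same shape works for `_advance_aad` with `authenticate_additional_data`.

```python
def test_gcm_ciphertext_limit_accumulates(self, backend):
    encryptor = base.Cipher(
        algorithms.AES(b"\x00" * 16),
        modes.GCM(b"\x01" * 16),
        backend=backend,
    ).encryptor()
    rust_openssl.ciphers._advance(
        encryptor, modes.GCM._MAX_ENCRYPTED_BYTES - 33
    )
    # 8 + 7 + 18 == 33: lands exactly on the limit only if every call is counted.
    for size in (8, 7, 18):
        encryptor.update(b"0" * size)
    with pytest.raises(ValueError):
        encryptor.update(b"0")
```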
From: Alex Gaynor Date: Sun, 18 Feb 2024 23:11:10 -0500 Subject: [PATCH 0133/1462] Migrate some basic constants to Rust (#10418) --- .../hazmat/backends/openssl/backend.py | 31 ++++++++++--------- .../bindings/_rust/openssl/__init__.pyi | 5 +++ src/rust/src/lib.rs | 12 +++++++ 3 files changed, 33 insertions(+), 15 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 54c4b11401da..336028833ff9 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -256,7 +256,8 @@ def rsa_encryption_supported(self, padding: AsymmetricPadding) -> bool: def dsa_supported(self) -> bool: return ( - not self._lib.CRYPTOGRAPHY_IS_BORINGSSL and not self._fips_enabled + not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL + and not self._fips_enabled ) def dsa_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool: @@ -374,7 +375,7 @@ def elliptic_curve_exchange_algorithm_supported( ) def dh_supported(self) -> bool: - return not self._lib.CRYPTOGRAPHY_IS_BORINGSSL + return not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL def dh_x942_serialization_supported(self) -> bool: return self._lib.Cryptography_HAS_EVP_PKEY_DHX == 1 @@ -383,7 +384,7 @@ def x25519_supported(self) -> bool: # Beginning with OpenSSL 3.2.0, X25519 is considered FIPS. if ( self._fips_enabled - and not self._lib.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER + and not rust_openssl.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER ): return False return True 
@@ -392,12 +393,12 @@ def x448_supported(self) -> bool: # Beginning with OpenSSL 3.2.0, X448 is considered FIPS. if ( self._fips_enabled - and not self._lib.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER + and not rust_openssl.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER ): return False return ( - not self._lib.CRYPTOGRAPHY_IS_LIBRESSL - and not self._lib.CRYPTOGRAPHY_IS_BORINGSSL + not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL + and not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL ) def ed25519_supported(self) -> bool: @@ -409,8 +410,8 @@ def ed448_supported(self) -> bool: if self._fips_enabled: return False return ( - not self._lib.CRYPTOGRAPHY_IS_LIBRESSL - and not self._lib.CRYPTOGRAPHY_IS_BORINGSSL + not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL + and not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL ) def _zero_data(self, data, length: int) -> None: @@ -511,8 +512,8 @@ def load_pkcs12( # certificates. indices: typing.Iterable[int] if ( - self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER - or self._lib.CRYPTOGRAPHY_IS_BORINGSSL + rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER + or rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL ): indices = range(num) else: @@ -557,7 +558,7 @@ def serialize_key_and_certificates_to_pkcs12( # PKCS12 encryption is hopeless trash and can never be fixed. # OpenSSL 3 supports PBESv2, but Libre and Boring do not, so # we use PBESv1 with 3DES on the older paths. - if self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: + if rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: nid_cert = self._lib.NID_aes_256_cbc nid_key = self._lib.NID_aes_256_cbc else: @@ -593,7 +594,7 @@ def serialize_key_and_certificates_to_pkcs12( nid_cert = self._lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC nid_key = self._lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC elif keycertalg is PBES.PBESv2SHA256AndAES256CBC: - if not self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: + if not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: raise UnsupportedAlgorithm( "PBESv2 is not supported by this version of OpenSSL" ) 
@@ -695,15 +696,15 @@ def poly1305_supported(self) -> bool: if self._fips_enabled: return False elif ( - self._lib.CRYPTOGRAPHY_IS_BORINGSSL - or self._lib.CRYPTOGRAPHY_IS_LIBRESSL + rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL + or rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL ): return True else: return self._lib.Cryptography_HAS_POLY1305 == 1 def pkcs7_supported(self) -> bool: - return not self._lib.CRYPTOGRAPHY_IS_BORINGSSL + return not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL backend = Backend() diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index d5ec2522fe1d..0d6b1a15f776 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -45,6 +45,11 @@ __all__ = [ "x25519", ] +CRYPTOGRAPHY_IS_LIBRESSL: bool +CRYPTOGRAPHY_IS_BORINGSSL: bool +CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: bool +CRYPTOGRAPHY_OPENSSL_320_OR_GREATER: bool + _legacy_provider_loaded: bool def openssl_version() -> int: ... diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 56093af012fb..a92fdebe42df 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -101,6 +101,18 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_submodule(cryptography_cffi::create_module(py)?)?; let openssl_mod = pyo3::prelude::PyModule::new(py, "openssl")?; + openssl_mod.add( + "CRYPTOGRAPHY_OPENSSL_300_OR_GREATER", + cfg!(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + )?; + openssl_mod.add( + "CRYPTOGRAPHY_OPENSSL_320_OR_GREATER", + cfg!(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER), + )?; + + openssl_mod.add("CRYPTOGRAPHY_IS_LIBRESSL", cfg!(CRYPTOGRAPHY_IS_LIBRESSL))?; + openssl_mod.add("CRYPTOGRAPHY_IS_BORINGSSL", cfg!(CRYPTOGRAPHY_IS_BORINGSSL))?; + cfg_if::cfg_if! { if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { let providers = _initialize_providers()?; From a20d495536742a8a21f74c868b4b95f133228771 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Sun, 18 Feb 2024 23:12:28 -0500 Subject: [PATCH 0134/1462] Simplify emitting errors on key parsing (#10417) --- .../hazmat/backends/openssl/backend.py | 46 ------------------- .../bindings/_rust/openssl/__init__.pyi | 1 - src/rust/src/backend/utils.rs | 9 ++-- src/rust/src/error.rs | 4 -- src/rust/src/types.rs | 5 -- 5 files changed, 5 insertions(+), 60 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 336028833ff9..060f242cd8d3 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py 
@@ -299,52 +299,6 @@ def _key2ossl(self, key: PKCS12PrivateKeyTypes) -> typing.Any: self.openssl_assert(evp_pkey != self._ffi.NULL) return self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - def _handle_key_loading_error( - self, errors: list[rust_openssl.OpenSSLError] - ) -> typing.NoReturn: - if not errors: - raise ValueError( - "Could not deserialize key data. The data may be in an " - "incorrect format or it may be encrypted with an unsupported " - "algorithm." - ) - - elif ( - errors[0]._lib_reason_match( - self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT - ) - or errors[0]._lib_reason_match( - self._lib.ERR_LIB_PKCS12, - self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR, - ) - or ( - self._lib.Cryptography_HAS_PROVIDERS - and errors[0]._lib_reason_match( - self._lib.ERR_LIB_PROV, - self._lib.PROV_R_BAD_DECRYPT, - ) - ) - ): - raise ValueError("Bad decrypt. Incorrect password?") - - elif any( - error._lib_reason_match( - self._lib.ERR_LIB_EVP, - self._lib.EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM, - ) - for error in errors - ): - raise ValueError("Unsupported public key algorithm.") - - else: - raise ValueError( - "Could not deserialize key data. The data may be in an " - "incorrect format, it may be encrypted with an unsupported " - "algorithm, or it may be an unsupported key type (e.g. EC " - "curves with explicit parameters).", - errors, - ) - def elliptic_curve_supported(self, curve: ec.EllipticCurve) -> bool: if self._fips_enabled and not isinstance( curve, self._fips_ecdh_curves diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index 0d6b1a15f776..25e0427496e5 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -65,4 +65,3 @@ class OpenSSLError: def reason(self) -> int: ... @property def reason_text(self) -> bytes: ... - def _lib_reason_match(self, lib: int, reason: int) -> bool: ... 
diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 3373a565cf2c..5c15cba57741 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -5,6 +5,7 @@ use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; use crate::{error, types}; +use pyo3::ToPyObject; pub(crate) fn py_int_to_bn( py: pyo3::Python<'_>, @@ -431,10 +432,10 @@ pub(crate) fn handle_key_load_result( (Err(e), _, _) => { let errors = error::list_from_openssl_error(py, e); Err(CryptographyError::from( - types::BACKEND_HANDLE_KEY_LOADING_ERROR - .get(py)? - .call1((errors,)) - .unwrap_err(), + pyo3::exceptions::PyValueError::new_err(( + "Could not deserialize key data. The data may be in an incorrect format, the provided password may be incorrect, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).", + errors.to_object(py), + )) )) } } diff --git a/src/rust/src/error.rs b/src/rust/src/error.rs index a4461d05a87a..62b1ff4a6daa 100644 --- a/src/rust/src/error.rs +++ b/src/rust/src/error.rs @@ -174,10 +174,6 @@ impl OpenSSLError { self.e.reason().unwrap_or("").as_bytes() } - fn _lib_reason_match(&self, lib: i32, reason: i32) -> bool { - self.e.library_code() == lib && self.e.reason_code() == reason - } - fn __repr__(&self) -> pyo3::PyResult { Ok(format!( "", diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index e48c63fbb0bf..98dd9ecbb269 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs 
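Review bot: The new `PyValueError` in the `(Err(e), _, _)` arm folds the wrong-password and unsupported-algorithm cases into one generic message. Code that matched on "Bad decrypt. Incorrect password?" or "Unsupported public key algorithm." (both deleted from backend.py in this commit) will stop seeing them, and the diffstat lists no CHANGELOG entry. I would record the intent where it happens, e.g. `// One generic message on purpose; callers should not parse it to tell a wrong password from malformed data.`, and mention the changed messages in the changelog. The single-line literal would also be easier to review if split with `\` line continuations. `handle_key_load_result` starts outside this hunk.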
@@ -380,11 +380,6 @@ pub static CALCULATE_MAX_PSS_SALT_LENGTH: LazyPyImport = LazyPyImport::new( &["calculate_max_pss_salt_length"], ); -pub static BACKEND_HANDLE_KEY_LOADING_ERROR: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.backends.openssl.backend", - &["backend", "_handle_key_loading_error"], -); - pub static RSA_PRIVATE_KEY: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.asymmetric.rsa", &["RSAPrivateKey"], From 090bdf06016737e6df713f432c8b0c9fe5f871c1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 18 Feb 2024 23:48:50 -0500 Subject: [PATCH 0135/1462] We always have Poly1305, I think (#10419) --- src/_cffi_src/openssl/nid.py | 6 ------ src/cryptography/hazmat/backends/openssl/backend.py | 8 +------- 2 files changed, 1 insertion(+), 13 deletions(-) diff --git a/src/_cffi_src/openssl/nid.py b/src/_cffi_src/openssl/nid.py index 0a38fe038da7..f20646f7e56e 100644 --- a/src/_cffi_src/openssl/nid.py +++ b/src/_cffi_src/openssl/nid.py @@ -10,7 +10,6 @@ TYPES = """ static const int Cryptography_HAS_ED448; -static const int Cryptography_HAS_POLY1305; static const int NID_undef; static const int NID_aes_256_cbc; @@ -31,9 +30,4 @@ #else static const long Cryptography_HAS_ED448 = 1; #endif -#ifndef NID_poly1305 -static const long Cryptography_HAS_POLY1305 = 0; -#else -static const long Cryptography_HAS_POLY1305 = 1; -#endif """ diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 060f242cd8d3..45888f36168a 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py 
@@ -649,13 +649,7 @@ def serialize_key_and_certificates_to_pkcs12( def poly1305_supported(self) -> bool: if self._fips_enabled: return False - elif ( - rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL - or rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL - ): - return True - else: - return self._lib.Cryptography_HAS_POLY1305 == 1 + return True def pkcs7_supported(self) -> bool: return not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL From 66088c9a656ccb1f12adaa77b6152e490230abb7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Feb 2024 07:21:56 -0800 Subject: [PATCH 0136/1462] Bump dnspython from 2.6.0 to 2.6.1 in /.github/requirements (#10420) * Bump dnspython from 2.6.0 to 2.6.1 in /.github/requirements Bumps [dnspython](https://github.com/rthalley/dnspython) from 2.6.0 to 2.6.1. - [Release notes](https://github.com/rthalley/dnspython/releases) - [Changelog](https://github.com/rthalley/dnspython/blob/main/doc/whatsnew.rst) - [Commits](https://github.com/rthalley/dnspython/compare/v2.6.0...v2.6.1) --- updated-dependencies: - dependency-name: dnspython dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 7d96e71a86ae..0f65bca76c66 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -203,9 +203,9 @@ cryptography==42.0.3 \ # pyopenssl # secretstorage # sigstore -dnspython==2.6.0 \ - --hash=sha256:233f871ff384d84c33b2eaf4358ffe7f8927eae3b257ad8467f9bdba7e7ac6bc \ - --hash=sha256:44c40af3bffed66e3307cea9ab667fd583e138ecc0777b18f262a9dae034e5fa +dnspython==2.6.1 \ + --hash=sha256:5ef3b9680161f6fa89daf8ad451b5f1a33b18ae8a1c6778cdf4b43f08c0a6e50 \ + --hash=sha256:e8f0f9c23a7b7cb99ded64e6c3a6f3e701d78f50c55e002b839dea7225cff7cc # via email-validator docutils==0.20.1 \ --hash=sha256:96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6 \ From 4398f19e0700ffb1bb1e13be4f8efe7271feb62a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Feb 2024 11:24:38 -0500 Subject: [PATCH 0137/1462] See if loading the base provider is actually required (#10421) --- src/cryptography/hazmat/bindings/openssl/binding.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 4e24914a37fc..9f268b89aebc 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -68,10 +68,6 @@ def _enable_fips(self) -> None: # This function enables FIPS mode for OpenSSL 3.0.0 on installs that # have the FIPS provider installed properly. _openssl_assert(self.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER) - self._base_provider = self.lib.OSSL_PROVIDER_load( - self.ffi.NULL, b"base" - ) - _openssl_assert(self._base_provider != self.ffi.NULL) self.lib._fips_provider = self.lib.OSSL_PROVIDER_load( self.ffi.NULL, b"fips" ) From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Feb 2024 11:50:28 -0500 Subject: [PATCH 0138/1462] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#10423) --- .../hazmat/backends/openssl/backend.py | 9 +++++++++ tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++ 2 files changed, 27 insertions(+) 
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 45888f36168a..6a4aeca7521f 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -623,6 +623,15 @@ def serialize_key_and_certificates_to_pkcs12( mac_iter, 0, ) + if p12 == self._ffi.NULL: + errors = self._consume_errors() + raise ValueError( + ( + "Failed to create PKCS12 (does the key match the " + "certificate?)" + ), + errors, + ) if ( self._lib.Cryptography_HAS_PKCS12_SET_MAC diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index f49c98a4ed3d..cb998c4a4bc0 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -660,6 +660,24 @@ def test_key_serialization_encryption_set_mac_unsupported( b"name", cakey, cacert, [], algorithm ) + @pytest.mark.supported( + only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC, + skip_message="Requires OpenSSL with PKCS12_set_mac", + ) + def test_set_mac_key_certificate_mismatch(self, backend): + cacert, _ = _load_ca(backend) + key = ec.generate_private_key(ec.SECP256R1()) + encryption = ( + serialization.PrivateFormat.PKCS12.encryption_builder() + .hmac_hash(hashes.SHA256()) + .build(b"password") + ) + + with pytest.raises(ValueError): + serialize_key_and_certificates( + b"name", key, cacert, [], encryption + ) + @pytest.mark.skip_fips( reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it." From b19a2862f239eea54cccb077d73f54ffca18924a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 19 Feb 2024 08:59:41 -0800 Subject: [PATCH 0139/1462] remove more unneeded bindings (#10424) --- src/_cffi_src/openssl/err.py | 5 ---- src/_cffi_src/openssl/evp.py | 25 ------------------- src/_cffi_src/openssl/provider.py | 4 --- .../hazmat/bindings/openssl/_conditional.py | 6 ----- 4 files changed, 40 deletions(-) 
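Review bot: `test_set_mac_key_certificate_mismatch` accepts any `ValueError`, so it would still pass if some earlier argument check in `serialize_key_and_certificates` rejected the input before the new `p12 == self._ffi.NULL` branch in backend.py was reached. Pinning the message ties the test to the fix: `with pytest.raises(ValueError, match="Failed to create PKCS12"):`. The test is also gated on `Cryptography_HAS_PKCS12_SET_MAC`, so builds without it never exercise the NULL check; whether that path needs its own case cannot be judged from these hunks.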
diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py index 2bb2545fc932..dd5aa64f44c0 100644 --- a/src/_cffi_src/openssl/err.py +++ b/src/_cffi_src/openssl/err.py @@ -16,7 +16,6 @@ static const int EVP_R_BAD_DECRYPT; static const int EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM; static const int PKCS12_R_PKCS12_CIPHERFINAL_ERROR; -static const int EVP_R_XTS_DUPLICATED_KEYS; static const int ERR_LIB_EVP; static const int ERR_LIB_PROV; @@ -50,10 +49,6 @@ #define ERR_LIB_PROV 0 #endif -#ifndef EVP_R_XTS_DUPLICATED_KEYS -static const int EVP_R_XTS_DUPLICATED_KEYS = 0; -#endif - #if CRYPTOGRAPHY_IS_BORINGSSL static const int ERR_LIB_PKCS12 = 0; static const int EVP_F_EVP_ENCRYPTFINAL_EX = 0; diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index ed73ec99fd5f..7432bc046bb5 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py @@ -10,7 +10,6 @@ TYPES = """ typedef ... EVP_CIPHER; -typedef ... EVP_CIPHER_CTX; typedef ... EVP_MD; typedef ... EVP_MD_CTX; 
@@ -26,30 +25,13 @@ static const int EVP_PKEY_X448; static const int EVP_PKEY_ED448; static const int EVP_MAX_MD_SIZE; -static const int EVP_CTRL_AEAD_SET_IVLEN; -static const int EVP_CTRL_AEAD_GET_TAG; -static const int EVP_CTRL_AEAD_SET_TAG; static const int Cryptography_HAS_EVP_PKEY_DHX; static const long Cryptography_HAS_300_FIPS; -static const long Cryptography_HAS_300_EVP_CIPHER; """ FUNCTIONS = """ const EVP_CIPHER *EVP_get_cipherbyname(const char *); -EVP_CIPHER *EVP_CIPHER_fetch(OSSL_LIB_CTX *, const char *, const char *); -void EVP_CIPHER_free(EVP_CIPHER *); - -int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *, int); -int EVP_CipherInit_ex(EVP_CIPHER_CTX *, const EVP_CIPHER *, ENGINE *, - const unsigned char *, const unsigned char *, int); -int EVP_CipherUpdate(EVP_CIPHER_CTX *, unsigned char *, int *, - const unsigned char *, int); -int EVP_CipherFinal_ex(EVP_CIPHER_CTX *, unsigned char *, int *); -int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *); -EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void); -void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *); -int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *, int); const EVP_MD *EVP_get_digestbyname(const char *); @@ -81,8 +63,6 @@ int EVP_PKEY_assign_RSA(EVP_PKEY *, RSA *); -int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *, int, int, void *); - int EVP_default_properties_enable_fips(OSSL_LIB_CTX *, int); """ @@ -108,13 +88,8 @@ #if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER static const long Cryptography_HAS_300_FIPS = 1; -static const long Cryptography_HAS_300_EVP_CIPHER = 1; #else static const long Cryptography_HAS_300_FIPS = 0; -static const long Cryptography_HAS_300_EVP_CIPHER = 0; int (*EVP_default_properties_enable_fips)(OSSL_LIB_CTX *, int) = NULL; -EVP_CIPHER * (*EVP_CIPHER_fetch)(OSSL_LIB_CTX *, const char *, - const char *) = NULL; -void (*EVP_CIPHER_free)(EVP_CIPHER *) = NULL; #endif """ diff --git a/src/_cffi_src/openssl/provider.py b/src/_cffi_src/openssl/provider.py index 769fded96d23..a9fb92f17d13 100644 
--- a/src/_cffi_src/openssl/provider.py +++ b/src/_cffi_src/openssl/provider.py @@ -18,8 +18,6 @@ typedef ... OSSL_LIB_CTX; static const long PROV_R_BAD_DECRYPT; -static const long PROV_R_XTS_DUPLICATED_KEYS; -static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH; """ FUNCTIONS = """ @@ -35,8 +33,6 @@ typedef void OSSL_PROVIDER; typedef void OSSL_LIB_CTX; static const long PROV_R_BAD_DECRYPT = 0; -static const long PROV_R_XTS_DUPLICATED_KEYS = 0; -static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH = 0; OSSL_PROVIDER *(*OSSL_PROVIDER_load)(OSSL_LIB_CTX *, const char *) = NULL; int (*OSSL_PROVIDER_unload)(OSSL_PROVIDER *) = NULL; #endif diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index fc13348af77f..5a559c3b9ab5 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -120,7 +120,6 @@ def cryptography_has_providers() -> list[str]: "OSSL_PROVIDER_load", "OSSL_PROVIDER_unload", "ERR_LIB_PROV", - "PROV_R_WRONG_FINAL_BLOCK_LENGTH", "PROV_R_BAD_DECRYPT", ] @@ -165,10 +164,6 @@ def cryptography_has_prime_checks() -> list[str]: ] -def cryptography_has_300_evp_cipher() -> list[str]: - return ["EVP_CIPHER_fetch", "EVP_CIPHER_free"] - - def cryptography_has_unexpected_eof_while_reading() -> list[str]: return ["SSL_R_UNEXPECTED_EOF_WHILE_READING"] @@ -214,7 +209,6 @@ def cryptography_has_get_extms_support() -> list[str]: "Cryptography_HAS_SSL_COOKIE": cryptography_has_ssl_cookie, "Cryptography_HAS_PKCS7_FUNCS": cryptography_has_pkcs7_funcs, "Cryptography_HAS_PRIME_CHECKS": cryptography_has_prime_checks, - "Cryptography_HAS_300_EVP_CIPHER": cryptography_has_300_evp_cipher, "Cryptography_HAS_UNEXPECTED_EOF_WHILE_READING": ( cryptography_has_unexpected_eof_while_reading ), From 83c6010e8571eb53450cad2f846ac6564303d4f9 Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Mon, 19 Feb 2024 09:36:12 -0800 Subject: [PATCH 0140/1462] remove more unused bindings (#10426) --- src/_cffi_src/openssl/asn1.py | 5 ----- src/_cffi_src/openssl/ec.py | 2 -- src/_cffi_src/openssl/err.py | 12 ------------ src/_cffi_src/openssl/nid.py | 2 -- src/_cffi_src/openssl/pkcs7.py | 28 +--------------------------- 5 files changed, 1 insertion(+), 48 deletions(-) diff --git a/src/_cffi_src/openssl/asn1.py b/src/_cffi_src/openssl/asn1.py index d2be452a687b..16ce6b32f505 100644 --- a/src/_cffi_src/openssl/asn1.py +++ b/src/_cffi_src/openssl/asn1.py @@ -22,15 +22,10 @@ typedef struct asn1_string_st ASN1_OCTET_STRING; typedef struct asn1_string_st ASN1_IA5STRING; -typedef struct asn1_string_st ASN1_BIT_STRING; typedef struct asn1_string_st ASN1_TIME; typedef ... ASN1_OBJECT; typedef struct asn1_string_st ASN1_STRING; typedef struct asn1_string_st ASN1_UTF8STRING; -typedef struct { - int type; - ...; -} ASN1_TYPE; typedef ... ASN1_GENERALIZEDTIME; typedef ... ASN1_ENUMERATED; diff --git a/src/_cffi_src/openssl/ec.py b/src/_cffi_src/openssl/ec.py index 8b9558f8d311..6816934ed0be 100644 --- a/src/_cffi_src/openssl/ec.py +++ b/src/_cffi_src/openssl/ec.py @@ -25,8 +25,6 @@ void EC_KEY_free(EC_KEY *); EC_KEY *EC_KEY_new_by_curve_name(int); - -const char *EC_curve_nid2nist(int); """ CUSTOMIZATIONS = """ diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py index dd5aa64f44c0..2c7469ff892c 100644 --- a/src/_cffi_src/openssl/err.py +++ b/src/_cffi_src/openssl/err.py 
@@ -9,17 +9,11 @@ """ TYPES = """ -static const int CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH; - static const int EVP_F_EVP_ENCRYPTFINAL_EX; static const int EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH; -static const int EVP_R_BAD_DECRYPT; -static const int EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM; -static const int PKCS12_R_PKCS12_CIPHERFINAL_ERROR; static const int ERR_LIB_EVP; static const int ERR_LIB_PROV; -static const int ERR_LIB_PKCS12; static const int SSL_TLSEXT_ERR_OK; static const int SSL_TLSEXT_ERR_ALERT_FATAL; @@ -50,14 +44,8 @@ #endif #if CRYPTOGRAPHY_IS_BORINGSSL -static const int ERR_LIB_PKCS12 = 0; static const int EVP_F_EVP_ENCRYPTFINAL_EX = 0; -static const int EVP_R_BAD_DECRYPT = 0; static const int EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH = 0; -static const int EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM = 0; -static const int PKCS12_R_PKCS12_CIPHERFINAL_ERROR = 0; -#else -static const int CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH = 0; #endif /* SSL_R_UNEXPECTED_EOF_WHILE_READING is needed for pyOpenSSL diff --git a/src/_cffi_src/openssl/nid.py b/src/_cffi_src/openssl/nid.py index f20646f7e56e..fe1cdda10137 100644 --- a/src/_cffi_src/openssl/nid.py +++ b/src/_cffi_src/openssl/nid.py @@ -17,8 +17,6 @@ static const int NID_subject_alt_name; static const int NID_crl_reason; - -static const int NID_pkcs7_signed; """ FUNCTIONS = """ diff --git a/src/_cffi_src/openssl/pkcs7.py b/src/_cffi_src/openssl/pkcs7.py index cce06c6ec0c8..8e93a61b4e60 100644 --- a/src/_cffi_src/openssl/pkcs7.py +++ b/src/_cffi_src/openssl/pkcs7.py 
@@ -10,33 +10,7 @@ TYPES = """ static const long Cryptography_HAS_PKCS7_FUNCS; - -typedef struct { - Cryptography_STACK_OF_X509 *cert; - ...; -} PKCS7_SIGNED; - -typedef ... PKCS7_SIGN_ENVELOPE; -typedef ... PKCS7_DIGEST; -typedef ... PKCS7_ENCRYPT; -typedef ... PKCS7_ENVELOPE; -typedef ... PKCS7_SIGNER_INFO; - -typedef struct { - ASN1_OBJECT *type; - union { - char *ptr; - ASN1_OCTET_STRING *data; - PKCS7_SIGNED *sign; - PKCS7_ENVELOPE *enveloped; - PKCS7_SIGN_ENVELOPE *signed_and_enveloped; - PKCS7_DIGEST *digest; - PKCS7_ENCRYPT *encrypted; - ASN1_TYPE *other; - } d; - ...; -} PKCS7; - +typedef ... PKCS7; static const int PKCS7_TEXT; """ From 48290a592a12736d724dfa99c24f82e354448e8a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Feb 2024 12:49:53 -0500 Subject: [PATCH 0141/1462] Remove unused bindings (#10427) --- src/_cffi_src/openssl/err.py | 7 ------- src/_cffi_src/openssl/evp.py | 15 --------------- src/_cffi_src/openssl/provider.py | 3 --- .../hazmat/bindings/openssl/_conditional.py | 9 --------- 4 files changed, 34 deletions(-) diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py index 2c7469ff892c..a86e560a659c 100644 --- a/src/_cffi_src/openssl/err.py +++ b/src/_cffi_src/openssl/err.py @@ -13,7 +13,6 @@ static const int EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH; static const int ERR_LIB_EVP; -static const int ERR_LIB_PROV; static const int SSL_TLSEXT_ERR_OK; static const int SSL_TLSEXT_ERR_ALERT_FATAL; @@ -37,12 +36,6 @@ """ CUSTOMIZATIONS = """ -/* This define is tied to provider support and is conditionally - removed if Cryptography_HAS_PROVIDERS is false */ -#ifndef ERR_LIB_PROV -#define ERR_LIB_PROV 0 -#endif - #if CRYPTOGRAPHY_IS_BORINGSSL static const int EVP_F_EVP_ENCRYPTFINAL_EX = 0; static const int EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH = 0; diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index 7432bc046bb5..59e002bad682 100644 --- a/src/_cffi_src/openssl/evp.py 
+++ b/src/_cffi_src/openssl/evp.py @@ -22,8 +22,6 @@ static const int EVP_PKEY_EC; static const int EVP_PKEY_X25519; static const int EVP_PKEY_ED25519; -static const int EVP_PKEY_X448; -static const int EVP_PKEY_ED448; static const int EVP_MAX_MD_SIZE; static const int Cryptography_HAS_EVP_PKEY_DHX; @@ -73,19 +71,6 @@ const long Cryptography_HAS_EVP_PKEY_DHX = 0; #endif -/* This is tied to X448 support so we reuse the Cryptography_HAS_X448 - conditional to remove it. OpenSSL 1.1.1 adds this define. We can remove - this in the distant future when we drop 1.1.0 support. */ -#ifndef EVP_PKEY_X448 -#define EVP_PKEY_X448 NID_X448 -#endif - -/* This is tied to ED448 support so we reuse the Cryptography_HAS_ED448 - conditional to remove it. */ -#ifndef EVP_PKEY_ED448 -#define EVP_PKEY_ED448 0 -#endif - #if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER static const long Cryptography_HAS_300_FIPS = 1; #else diff --git a/src/_cffi_src/openssl/provider.py b/src/_cffi_src/openssl/provider.py index a9fb92f17d13..f00b28325164 100644 --- a/src/_cffi_src/openssl/provider.py +++ b/src/_cffi_src/openssl/provider.py @@ -16,8 +16,6 @@ typedef ... OSSL_PROVIDER; typedef ... OSSL_LIB_CTX; - -static const long PROV_R_BAD_DECRYPT; """ FUNCTIONS = """ @@ -32,7 +30,6 @@ static const long Cryptography_HAS_PROVIDERS = 0; typedef void OSSL_PROVIDER; typedef void OSSL_LIB_CTX; -static const long PROV_R_BAD_DECRYPT = 0; OSSL_PROVIDER *(*OSSL_PROVIDER_load)(OSSL_LIB_CTX *, const char *) = NULL; int (*OSSL_PROVIDER_unload)(OSSL_PROVIDER *) = NULL; #endif diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 5a559c3b9ab5..8def8bf487b9 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py 
@@ -28,12 +28,6 @@ def cryptography_has_tls_st() -> list[str]: ] -def cryptography_has_ed448() -> list[str]: - return [ - "EVP_PKEY_ED448", - ] - - def cryptography_has_ssl_sigalgs() -> list[str]: return [ "SSL_CTX_set1_sigalgs_list", @@ -119,8 +113,6 @@ def cryptography_has_providers() -> list[str]: return [ "OSSL_PROVIDER_load", "OSSL_PROVIDER_unload", - "ERR_LIB_PROV", - "PROV_R_BAD_DECRYPT", ] @@ -191,7 +183,6 @@ def cryptography_has_get_extms_support() -> list[str]: "Cryptography_HAS_SET_CERT_CB": cryptography_has_set_cert_cb, "Cryptography_HAS_SSL_ST": cryptography_has_ssl_st, "Cryptography_HAS_TLS_ST": cryptography_has_tls_st, - "Cryptography_HAS_ED448": cryptography_has_ed448, "Cryptography_HAS_SIGALGS": cryptography_has_ssl_sigalgs, "Cryptography_HAS_PSK": cryptography_has_psk, "Cryptography_HAS_PSK_TLSv1_3": cryptography_has_psk_tlsv13, From 732eea3c819a8ea9b14e48a2e1adddd8c3c8d881 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Feb 2024 15:33:12 -0500 Subject: [PATCH 0142/1462] Move a few more constants fully to Rust (#10428) --- src/_cffi_src/openssl/cryptography.py | 5 ----- src/cryptography/hazmat/bindings/openssl/binding.py | 2 +- tests/hazmat/backends/test_openssl.py | 8 ++++---- tests/hazmat/bindings/test_openssl.py | 10 +++++----- tests/hazmat/primitives/test_aes.py | 3 ++- tests/hazmat/primitives/test_dh.py | 3 ++- tests/hazmat/primitives/test_ec.py | 5 +++-- tests/hazmat/primitives/test_pkcs12.py | 5 +++-- tests/hazmat/primitives/test_pkcs7.py | 3 ++- tests/hazmat/primitives/test_rsa.py | 5 +++-- 10 files changed, 25 insertions(+), 24 deletions(-) diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index 9d09471967a2..11afbdc182f0 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py 
@@ -53,11 +53,6 @@ """ TYPES = """ -static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER; -static const int CRYPTOGRAPHY_OPENSSL_320_OR_GREATER; - -static const int CRYPTOGRAPHY_IS_LIBRESSL; -static const int CRYPTOGRAPHY_IS_BORINGSSL; """ FUNCTIONS = """ diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 9f268b89aebc..e8577763c57e 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -67,7 +67,7 @@ def __init__(self) -> None: def _enable_fips(self) -> None: # This function enables FIPS mode for OpenSSL 3.0.0 on installs that # have the FIPS provider installed properly. - _openssl_assert(self.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER) + _openssl_assert(openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER) self.lib._fips_provider = self.lib.OSSL_PROVIDER_load( self.ffi.NULL, b"fips" ) diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 6115e48f9cc3..7cf98afe91d0 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -59,13 +59,13 @@ def test_openssl_version_text(self): # Verify the correspondence between these two. And do it in a way that # ensures coverage. if version.startswith("LibreSSL"): - assert backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - if backend._lib.CRYPTOGRAPHY_IS_LIBRESSL: + assert rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL + if rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL: assert version.startswith("LibreSSL") if version.startswith("BoringSSL"): - assert backend._lib.CRYPTOGRAPHY_IS_BORINGSSL - if backend._lib.CRYPTOGRAPHY_IS_BORINGSSL: + assert rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL + if rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL: assert version.startswith("BoringSSL") def test_openssl_version_number(self): diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index ef45b304b4ef..db6410d5d1e5 100644 
--- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -24,7 +24,7 @@ def test_ssl_ctx_options(self): # Test that we're properly handling 32-bit unsigned on all platforms. b = Binding() # SSL_OP_ALL is 0 on BoringSSL - if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL: + if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL: assert b.lib.SSL_OP_ALL > 0 ctx = b.lib.SSL_CTX_new(b.lib.TLS_method()) assert ctx != b.ffi.NULL @@ -39,7 +39,7 @@ def test_ssl_options(self): # Test that we're properly handling 32-bit unsigned on all platforms. b = Binding() # SSL_OP_ALL is 0 on BoringSSL - if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL: + if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL: assert b.lib.SSL_OP_ALL > 0 ctx = b.lib.SSL_CTX_new(b.lib.TLS_method()) assert ctx != b.ffi.NULL @@ -55,7 +55,7 @@ def test_ssl_options(self): def test_conditional_removal(self): b = Binding() - if not b.lib.CRYPTOGRAPHY_IS_LIBRESSL: + if not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL: assert b.lib.TLS_ST_OK else: with pytest.raises(AttributeError): @@ -76,7 +76,7 @@ def test_openssl_assert_error_on_stack(self): error = exc_info.value.err_code[0] assert error.lib == b.lib.ERR_LIB_EVP assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH - if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL: + if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL: assert b"data not multiple of block length" in error.reason_text def test_version_mismatch(self): @@ -103,5 +103,5 @@ def test_rust_internal_error(self): error = exc_info.value.err_code[0] assert error.lib == b.lib.ERR_LIB_EVP assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH - if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL: + if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL: assert b"data not multiple of block length" in error.reason_text diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py index 1f3dfd0014b4..7b4b065cb2ce 100644 --- a/tests/hazmat/primitives/test_aes.py +++ b/tests/hazmat/primitives/test_aes.py 
@@ -8,6 +8,7 @@ import pytest +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives.ciphers import algorithms, base, modes from ...doubles import DummyMode @@ -61,7 +62,7 @@ def test_xts_too_short(self, backend): enc.update(b"0" * 15) @pytest.mark.supported( - only_if=lambda backend: (not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL), + only_if=lambda backend: not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL, skip_message="duplicate key encryption error added in OpenSSL 1.1.1d", ) def test_xts_no_duplicate_keys_encryption(self, backend): diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py index 4b3b63a96436..d287d29460ae 100644 --- a/tests/hazmat/primitives/test_dh.py +++ b/tests/hazmat/primitives/test_dh.py @@ -11,6 +11,7 @@ import pytest +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import dh @@ -379,7 +380,7 @@ def test_bad_exchange(self, backend, vector): @pytest.mark.skip_fips(reason="key_size too small for FIPS") @pytest.mark.supported( only_if=lambda backend: ( - not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER + not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ), skip_message="256-bit DH keys are not supported in OpenSSL 3.0.0+", ) diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 9a368e67cafa..a558af3b9b70 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -13,6 +13,7 @@ import pytest from cryptography import exceptions, utils, x509 +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec from cryptography.hazmat.primitives.asymmetric.utils import ( 
@@ -133,7 +134,7 @@ def test_derive_point_at_infinity(backend): # BoringSSL rejects infinity points before it ever gets to us, so it # uses a more generic error message. match = ( - "infinity" if not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL else "Invalid" + "infinity" if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL else "Invalid" ) with pytest.raises(ValueError, match=match): ec.derive_private_key(q, ec.SECP256R1()) @@ -423,7 +424,7 @@ def test_load_invalid_ec_key_from_pem(self, backend): # uses a more generic error message. match = ( r"infinity|invalid form" - if not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL + if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL else None ) with pytest.raises(ValueError, match=match): diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index cb998c4a4bc0..d9f2cdebd5c6 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -10,6 +10,7 @@ from cryptography import x509 from cryptography.exceptions import UnsupportedAlgorithm +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.decrepit.ciphers.algorithms import RC2 from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ( @@ -558,7 +559,7 @@ def test_key_serialization_encryption( ): if ( enc_alg is PBES.PBESv2SHA256AndAES256CBC - ) and not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: + ) and not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: pytest.skip("PBESv2 is not supported on OpenSSL < 3.0") if ( @@ -615,7 +616,7 @@ def test_key_serialization_encryption( @pytest.mark.supported( only_if=lambda backend: ( - not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER + not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ), skip_message="Requires OpenSSL < 3.0.0 (or Libre/Boring)", ) 
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 03b04cd389e5..837ad261941c 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -11,6 +11,7 @@ from cryptography import x509 from cryptography.exceptions import _Reasons +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa from cryptography.hazmat.primitives.serialization import pkcs7 @@ -148,7 +149,7 @@ def _pkcs7_verify(encoding, sig, msg, certs, options, backend): backend.openssl_assert(res == 1) # OpenSSL 3.0 leaves a random bio error on the stack: # https://github.com/openssl/openssl/issues/16681 - if backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: + if rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: backend._consume_errors() diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index eb74be7c6d4c..3ce55b48c10c 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -15,6 +15,7 @@ UnsupportedAlgorithm, _Reasons, ) +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import padding, rsa from cryptography.hazmat.primitives.asymmetric import utils as asym_utils @@ -251,7 +252,7 @@ def test_load_pss_vect_example_keys(self, pkcs1_example): assert public_num.e == public_num2.e @pytest.mark.supported( - only_if=lambda backend: not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL, + only_if=lambda backend: not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL, skip_message="Does not support RSA PSS loading", ) @pytest.mark.parametrize( 
@@ -302,7 +303,7 @@ def test_load_pss_pub_keys_strips_constraints(self, backend): ) @pytest.mark.supported( - only_if=lambda backend: backend._lib.CRYPTOGRAPHY_IS_BORINGSSL, + only_if=lambda backend: rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL, skip_message="Test requires a backend without RSA-PSS key support", ) def test_load_pss_unsupported(self, backend): From 2ac571de77a60c8c7ef6567f1cd5f4b1f802f915 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Feb 2024 15:36:18 -0500 Subject: [PATCH 0143/1462] Remove pointless none check (#10430) --- src/rust/src/x509/sign.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 4d9637d1f2de..099032210e8b 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -134,7 +134,7 @@ pub(crate) fn compute_signature_algorithm<'p>( // If this is RSA-PSS we need to compute the signature algorithm from the // parameters provided in rsa_padding. - if !rsa_padding.is_none() && rsa_padding.is_instance(types::PSS.get(py)?)? { + if rsa_padding.is_instance(types::PSS.get(py)?)? { let hash_alg_params = identify_alg_params_for_hash_type(hash_type)?; let hash_algorithm_id = common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), From e8dc7d88850e0c2eb917444c352c779681a4a000 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Feb 2024 21:33:33 +0000 Subject: [PATCH 0144/1462] Bump openssl-sys from 0.9.99 to 0.9.100 in /src/rust (#10431) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.99 to 0.9.100. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.99...openssl-sys-v0.9.100) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 091f763dee64..f3f5426dcfab 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -216,9 +216,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.99" +version = "0.9.100" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22e1bf214306098e4832460f797824c05d25aacdf896f64a985fb0fd992454ae" +checksum = "ae94056a791d0e1217d18b6cbdccb02c61e3054fc69893607f4067e3bb0b1fd1" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 698328596665..4d016e61e578 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -19,7 +19,7 @@ cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.63" -openssl-sys = "0.9.99" +openssl-sys = "0.9.100" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index a025e58ceda7..af977b0d6a51 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.63.0" [dependencies] pyo3 = { version = "0.20", features = ["abi3"] } -openssl-sys = "0.9.99" +openssl-sys = "0.9.100" [build-dependencies] cc = "1.0.83" diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index f2ae0b6e4aed..5799701f8457 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml 
@@ -11,5 +11,5 @@ rust-version = "1.63.0" asn1 = { version = "0.16.0", default-features = false } cfg-if = "1" openssl = "0.10.63" -openssl-sys = "0.9.99" +openssl-sys = "0.9.100" cryptography-x509 = { path = "../cryptography-x509" } From f867eeb87351da1613466c5ac98d560011d5287f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Feb 2024 21:46:26 +0000 Subject: [PATCH 0145/1462] Bump openssl from 0.10.63 to 0.10.64 in /src/rust (#10432) Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.63 to 0.10.64. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.63...openssl-v0.10.64) --- updated-dependencies: - dependency-name: openssl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index f3f5426dcfab..65d173e5f824 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -190,9 +190,9 @@ checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" [[package]] name = "openssl" -version = "0.10.63" +version = "0.10.64" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "15c9d69dd87a29568d4d017cfe8ec518706046a05184e5aea92d0af890b803c8" +checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f" dependencies = [ "bitflags 2.4.2", "cfg-if", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 4d016e61e578..83c6605ad453 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml 
@@ -18,7 +18,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } -openssl = "0.10.63" +openssl = "0.10.64" openssl-sys = "0.9.100" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index 5799701f8457..2922568d15ef 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -10,6 +10,6 @@ rust-version = "1.63.0" [dependencies] asn1 = { version = "0.16.0", default-features = false } cfg-if = "1" -openssl = "0.10.63" +openssl = "0.10.64" openssl-sys = "0.9.100" cryptography-x509 = { path = "../cryptography-x509" } diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 700704d0dc3a..0da98d70dda2 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.63.0" [dependencies] cfg-if = "1" -openssl = "0.10.63" +openssl = "0.10.64" ffi = { package = "openssl-sys", version = "0.9.99" } foreign-types = "0.3" foreign-types-shared = "0.1" From fb2d6ec75a704a503f305d24a0f34d9b2e08e4dc Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 20 Feb 2024 00:13:58 +0000 Subject: [PATCH 0146/1462] Bump BoringSSL and/or OpenSSL in CI (#10435) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0cb9bf9d91fe..b7b8535445ab 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 17, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "99e8c6e2a383a25679c3d6767702732b27bc16ea"}} - # Latest commit on the OpenSSL master branch, as of Feb 17, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c3e8d67885c0c4295cfd1df35a41bf1f3fa9dc37"}} + # Latest commit on the OpenSSL master branch, as of Feb 20, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a768a796f26ecebc12ac0bd9b86c5c30bfd9370b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 8224447b1eba88038d9f9a760e9f2a7d91ede28e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Feb 2024 19:44:28 -0500 Subject: [PATCH 0147/1462] Convert PKCS#12 loading to Rust (#10434) --- .../hazmat/backends/openssl/backend.py | 100 ------------ .../hazmat/bindings/_rust/openssl/keys.pyi | 4 - .../hazmat/bindings/_rust/pkcs12.pyi | 26 +++ .../hazmat/bindings/_rust/pkcs7.pyi | 4 + .../hazmat/primitives/serialization/pkcs12.py | 25 +-- src/rust/src/backend/keys.rs | 29 ++-- src/rust/src/lib.rs | 2 + src/rust/src/pkcs12.rs | 150 ++++++++++++++++++ src/rust/src/types.rs | 9 ++ tests/hazmat/backends/test_openssl.py | 9 -- tests/hazmat/primitives/test_pkcs12.py | 17 +- 11 files changed, 222 insertions(+), 153 deletions(-) create mode 100644 src/cryptography/hazmat/bindings/_rust/pkcs12.pyi create mode 100644 src/rust/src/pkcs12.rs diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 6a4aeca7521f..56d8206612e6 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py 
@@ -22,9 +22,6 @@ PSS, PKCS1v15, ) -from cryptography.hazmat.primitives.asymmetric.types import ( - PrivateKeyTypes, -) from cryptography.hazmat.primitives.ciphers import ( CipherAlgorithm, ) @@ -38,7 +35,6 @@ from cryptography.hazmat.primitives.serialization.pkcs12 import ( PBES, PKCS12Certificate, - PKCS12KeyAndCertificates, PKCS12PrivateKeyTypes, _PKCS12CATypes, ) @@ -278,12 +274,6 @@ def _cert2ossl(self, cert: x509.Certificate) -> typing.Any: x509 = self._ffi.gc(x509, self._lib.X509_free) return x509 - def _ossl2cert(self, x509_ptr: typing.Any) -> x509.Certificate: - bio = self._create_mem_bio_gc() - res = self._lib.i2d_X509_bio(bio, x509_ptr) - self.openssl_assert(res == 1) - return x509.load_der_x509_certificate(self._read_mem_bio(bio)) - def _key2ossl(self, key: PKCS12PrivateKeyTypes) -> typing.Any: data = key.private_bytes( serialization.Encoding.DER, 
@@ -398,96 +388,6 @@ def _zeroed_null_terminated_buf(self, data): # Cast to a uint8_t * so we can assign by integer self._zero_data(self._ffi.cast("uint8_t *", buf), data_len) - def load_key_and_certificates_from_pkcs12( - self, data: bytes, password: bytes | None - ) -> tuple[ - PrivateKeyTypes | None, - x509.Certificate | None, - list[x509.Certificate], - ]: - pkcs12 = self.load_pkcs12(data, password) - return ( - pkcs12.key, - pkcs12.cert.certificate if pkcs12.cert else None, - [cert.certificate for cert in pkcs12.additional_certs], - ) - - def load_pkcs12( - self, data: bytes, password: bytes | None - ) -> PKCS12KeyAndCertificates: - if password is not None: - utils._check_byteslike("password", password) - - bio = self._bytes_to_bio(data) - p12 = self._lib.d2i_PKCS12_bio(bio.bio, self._ffi.NULL) - if p12 == self._ffi.NULL: - self._consume_errors() - raise ValueError("Could not deserialize PKCS12 data") - - p12 = self._ffi.gc(p12, self._lib.PKCS12_free) - evp_pkey_ptr = self._ffi.new("EVP_PKEY **") - x509_ptr = self._ffi.new("X509 **") - sk_x509_ptr = self._ffi.new("Cryptography_STACK_OF_X509 **") - with self._zeroed_null_terminated_buf(password) as password_buf: - res = self._lib.PKCS12_parse( - p12, password_buf, evp_pkey_ptr, x509_ptr, sk_x509_ptr - ) - if res == 0: - self._consume_errors() - raise ValueError("Invalid password or PKCS12 data") - - cert = None - key = None - additional_certificates = [] - - if evp_pkey_ptr[0] != self._ffi.NULL: - evp_pkey = self._ffi.gc(evp_pkey_ptr[0], self._lib.EVP_PKEY_free) - # We don't support turning off RSA key validation when loading - # PKCS12 keys - key = rust_openssl.keys.private_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)), - unsafe_skip_rsa_key_validation=False, - ) - - if x509_ptr[0] != self._ffi.NULL: - x509 = self._ffi.gc(x509_ptr[0], self._lib.X509_free) - cert_obj = self._ossl2cert(x509) - name = None - maybe_name = self._lib.X509_alias_get0(x509, self._ffi.NULL) - if maybe_name != 
self._ffi.NULL: - name = self._ffi.string(maybe_name) - cert = PKCS12Certificate(cert_obj, name) - - if sk_x509_ptr[0] != self._ffi.NULL: - sk_x509 = self._ffi.gc(sk_x509_ptr[0], self._lib.sk_X509_free) - num = self._lib.sk_X509_num(sk_x509_ptr[0]) - - # In OpenSSL < 3.0.0 PKCS12 parsing reverses the order of the - # certificates. - indices: typing.Iterable[int] - if ( - rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER - or rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL - ): - indices = range(num) - else: - indices = reversed(range(num)) - - for i in indices: - x509 = self._lib.sk_X509_value(sk_x509, i) - self.openssl_assert(x509 != self._ffi.NULL) - x509 = self._ffi.gc(x509, self._lib.X509_free) - addl_cert = self._ossl2cert(x509) - addl_name = None - maybe_name = self._lib.X509_alias_get0(x509, self._ffi.NULL) - if maybe_name != self._ffi.NULL: - addl_name = self._ffi.string(maybe_name) - additional_certificates.append( - PKCS12Certificate(addl_cert, addl_name) - ) - - return PKCS12KeyAndCertificates(key, cert, additional_certificates) - def serialize_key_and_certificates_to_pkcs12( self, name: bytes | None, diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi index e312d51dc58b..6815b7d9154b 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi @@ -9,10 +9,6 @@ from cryptography.hazmat.primitives.asymmetric.types import ( PublicKeyTypes, ) -def private_key_from_ptr( - ptr: int, - unsafe_skip_rsa_key_validation: bool, -) -> PrivateKeyTypes: ... def load_der_private_key( data: bytes, password: bytes | None, diff --git a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi new file mode 100644 index 000000000000..c82892f6debc --- /dev/null +++ b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi 
@@ -0,0 +1,26 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +import typing + +from cryptography import x509 +from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes +from cryptography.hazmat.primitives.serialization.pkcs12 import ( + PKCS12KeyAndCertificates, +) + +def load_key_and_certificates( + data: bytes, + password: bytes | None, + backend: typing.Any = None, +) -> tuple[ + PrivateKeyTypes | None, + x509.Certificate | None, + list[x509.Certificate], +]: ... +def load_pkcs12( + data: bytes, + password: bytes | None, + backend: typing.Any = None, +) -> PKCS12KeyAndCertificates: ... diff --git a/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi b/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi index a84978246572..f7f9883eb311 100644 --- a/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi +++ b/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi @@ -1,3 +1,7 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + import typing from cryptography import x509 diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index 006a248bd244..b6d6a198a4f6 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py @@ -7,6 +7,7 @@ import typing from cryptography import x509 +from cryptography.hazmat.bindings._rust import pkcs12 as rust_pkcs12 from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives._serialization import PBES as PBES from cryptography.hazmat.primitives.asymmetric import ( 
@@ -143,28 +144,8 @@ def __repr__(self) -> str: return fmt.format(self.key, self.cert, self.additional_certs) -def load_key_and_certificates( - data: bytes, - password: bytes | None, - backend: typing.Any = None, -) -> tuple[ - PrivateKeyTypes | None, - x509.Certificate | None, - list[x509.Certificate], -]: - from cryptography.hazmat.backends.openssl.backend import backend as ossl - - return ossl.load_key_and_certificates_from_pkcs12(data, password) - - -def load_pkcs12( - data: bytes, - password: bytes | None, - backend: typing.Any = None, -) -> PKCS12KeyAndCertificates: - from cryptography.hazmat.backends.openssl.backend import backend as ossl - - return ossl.load_pkcs12(data, password) +load_key_and_certificates = rust_pkcs12.load_key_and_certificates +load_pkcs12 = rust_pkcs12.load_pkcs12 _PKCS12CATypes = typing.Union[ diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index 6af0b923aebc..a41b6805695f 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -2,7 +2,6 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use foreign_types_shared::ForeignTypeRef; use pyo3::IntoPy; use crate::backend::utils; @@ -61,18 +60,7 @@ fn load_pem_private_key( private_key_from_pkey(py, &pkey, unsafe_skip_rsa_key_validation) } -#[pyo3::prelude::pyfunction] -fn private_key_from_ptr( - py: pyo3::Python<'_>, - ptr: usize, - unsafe_skip_rsa_key_validation: bool, -) -> CryptographyResult { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; - private_key_from_pkey(py, pkey, unsafe_skip_rsa_key_validation) -} - -fn private_key_from_pkey( +pub(crate) fn private_key_from_pkey( py: pyo3::Python<'_>, pkey: &openssl::pkey::PKeyRef, unsafe_skip_rsa_key_validation: bool, 
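Review bot: Binding `load_key_and_certificates` and `load_pkcs12` straight to the Rust functions changes the password contract without saying so at the public entry point. The new `decode_p12` in `src/rust/src/pkcs12.rs` runs `std::str::from_utf8` on the password, so a password that is not valid UTF-8 is now rejected before parsing, whereas the removed backend method handed the raw bytes to `PKCS12_parse`. The removed path also held the password in `_zeroed_null_terminated_buf`, and nothing in the visible Rust code wipes the `&str` or any copy made for `parse2`, so that zeroing appears to be lost. I would record both above the aliases, e.g. `# Implemented in Rust: password must be valid UTF-8 (None is treated as ""); the password copy is not zeroed after use.` A test with a non-UTF-8 password would also pin the exception type, since `PyUnicodeDecodeError::new_err(())` passes no constructor arguments and may not surface as `UnicodeDecodeError`.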
@@ -236,15 +224,13 @@ pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelu m.add_function(pyo3::wrap_pyfunction!(load_der_public_key, m)?)?; m.add_function(pyo3::wrap_pyfunction!(load_pem_public_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(private_key_from_ptr, m)?)?; - Ok(m) } #[cfg(test)] mod tests { #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - use super::public_key_from_pkey; + use super::{private_key_from_pkey, public_key_from_pkey}; #[test] #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] @@ -260,4 +246,15 @@ mod tests { assert!(public_key_from_pkey(py, &pkey, openssl::pkey::Id::CMAC).is_err()); }); } + + #[test] + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + fn test_private_key_from_pkey_unknown_key() { + pyo3::prepare_freethreaded_python(); + + pyo3::Python::with_gil(|py| { + let pkey = openssl::pkey::PKey::hmac(&[0; 32]).unwrap(); + assert!(private_key_from_pkey(py, &pkey, false).is_err()); + }); + } } diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index a92fdebe42df..af9eb42a520b 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -18,6 +18,7 @@ mod error; mod exceptions; pub(crate) mod oid; mod padding; +mod pkcs12; mod pkcs7; pub(crate) mod types; mod x509; @@ -82,6 +83,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_submodule(asn1::create_submodule(py)?)?; m.add_submodule(pkcs7::create_submodule(py)?)?; + m.add_submodule(pkcs12::create_submodule(py)?)?; m.add_submodule(exceptions::create_submodule(py)?)?; let x509_mod = pyo3::prelude::PyModule::new(py, "x509")?; diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs new file mode 100644 index 000000000000..34b2c8f04c5e --- /dev/null +++ b/src/rust/src/pkcs12.rs 
@@ -0,0 +1,150 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::backend::keys; +use crate::buf::CffiBuf; +use crate::error::CryptographyResult; +use crate::{types, x509}; +use pyo3::IntoPy; + +fn decode_p12( + data: CffiBuf<'_>, + password: Option>, +) -> CryptographyResult { + let p12 = openssl::pkcs12::Pkcs12::from_der(data.as_bytes()).map_err(|_| { + pyo3::exceptions::PyValueError::new_err("Could not deserialize PKCS12 data") + })?; + + let password = if let Some(p) = password.as_ref() { + std::str::from_utf8(p.as_bytes()) + .map_err(|_| pyo3::exceptions::PyUnicodeDecodeError::new_err(()))? + } else { + // Treat `password=None` the same as empty string. They're actually + // not the same in PKCS#12, but OpenSSL transparently handles them the + // same. + "" + }; + let parsed = p12 + .parse2(password) + .map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid password or PKCS12 data"))?; + + Ok(parsed) +} + +#[pyo3::prelude::pyfunction] +fn load_key_and_certificates<'p>( + py: pyo3::Python<'p>, + data: CffiBuf<'_>, + password: Option>, + backend: Option<&pyo3::PyAny>, +) -> CryptographyResult<( + pyo3::PyObject, + Option, + &'p pyo3::types::PyList, +)> { + let _ = backend; + + let p12 = decode_p12(data, password)?; + + let private_key = if let Some(pkey) = p12.pkey { + keys::private_key_from_pkey(py, &pkey, false)? + } else { + py.None() + }; + let cert = if let Some(ossl_cert) = p12.cert { + let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); + Some(x509::certificate::load_der_x509_certificate( + py, cert_der, None, + )?) + } else { + None + }; + let additional_certs = pyo3::types::PyList::empty(py); + if let Some(ossl_certs) = p12.ca { + cfg_if::cfg_if! 
{ + if #[cfg(any( + CRYPTOGRAPHY_OPENSSL_300_OR_GREATER, CRYPTOGRAPHY_IS_BORINGSSL + ))] { + let it = ossl_certs.iter(); + } else { + let it = ossl_certs.iter().rev(); + } + }; + + for ossl_cert in it { + let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); + let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; + additional_certs.append(cert.into_py(py))?; + } + } + + Ok((private_key, cert, additional_certs)) +} + +#[pyo3::prelude::pyfunction] +fn load_pkcs12<'p>( + py: pyo3::Python<'p>, + data: CffiBuf<'_>, + password: Option>, + backend: Option<&pyo3::PyAny>, +) -> CryptographyResult<&'p pyo3::PyAny> { + let _ = backend; + + let p12 = decode_p12(data, password)?; + + let private_key = if let Some(pkey) = p12.pkey { + keys::private_key_from_pkey(py, &pkey, false)? + } else { + py.None() + }; + let cert = if let Some(ossl_cert) = p12.cert { + let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); + let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; + let alias = ossl_cert.alias(); + + types::PKCS12CERTIFICATE + .get(py)? + .call1((cert, alias))? + .into_py(py) + } else { + py.None() + }; + let additional_certs = pyo3::types::PyList::empty(py); + if let Some(ossl_certs) = p12.ca { + cfg_if::cfg_if! { + if #[cfg(any( + CRYPTOGRAPHY_OPENSSL_300_OR_GREATER, CRYPTOGRAPHY_IS_BORINGSSL + ))] { + let it = ossl_certs.iter(); + } else { + let it = ossl_certs.iter().rev(); + } + }; + + for ossl_cert in it { + let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); + let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; + let alias = ossl_cert.alias(); + + let p12_cert = types::PKCS12CERTIFICATE + .get(py)? + .call1((cert, alias))? + .into_py(py); + additional_certs.append(p12_cert)?; + } + } + + Ok(types::PKCS12KEYANDCERTIFICATES + .get(py)? + .call1((private_key, cert, additional_certs))?) 
+} + +pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { + let submod = pyo3::prelude::PyModule::new(py, "pkcs12")?; + + submod.add_function(pyo3::wrap_pyfunction!(load_key_and_certificates, submod)?)?; + submod.add_function(pyo3::wrap_pyfunction!(load_pkcs12, submod)?)?; + + Ok(submod) +} diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 98dd9ecbb269..3afdbb980914 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -327,6 +327,15 @@ pub static SMIME_ENCODE: LazyPyImport = LazyPyImport::new( &["_smime_encode"], ); +pub static PKCS12CERTIFICATE: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs12", + &["PKCS12Certificate"], +); +pub static PKCS12KEYANDCERTIFICATES: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs12", + &["PKCS12KeyAndCertificates"], +); + pub static HASHES_MODULE: LazyPyImport = LazyPyImport::new("cryptography.hazmat.primitives.hashes", &[]); pub static HASH_ALGORITHM: LazyPyImport = diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 7cf98afe91d0..901eec59776f 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -201,15 +201,6 @@ def test_unsupported_mgf1_hash_algorithm_md5_decrypt(self, rsa_key_2048): class TestOpenSSLSerializationWithOpenSSL: - def test_unsupported_evp_pkey_type(self): - key = backend._lib.EVP_PKEY_new() - key = backend._ffi.gc(key, backend._lib.EVP_PKEY_free) - with raises_unsupported_algorithm(None): - rust_openssl.keys.private_key_from_ptr( - int(backend._ffi.cast("uintptr_t", key)), - unsafe_skip_rsa_key_validation=False, - ) - def test_very_long_pem_serialization_password(self): password = b"x" * 1025 diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index d9f2cdebd5c6..e096894956e8 100644 --- a/tests/hazmat/primitives/test_pkcs12.py 
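Review bot: In `decode_p12` the password bytes are only checked for UTF-8 validity before being passed to `parse2`, so a password with an embedded NUL byte, which is valid UTF-8, reaches the OpenSSL binding unchecked; if the binding turns it into a C string with a panicking conversion (I believe the openssl crate does, but confirm), the caller gets a Rust panic instead of `ValueError`. Rejecting it next to the UTF-8 check would keep the error path uniform: `if p.as_bytes().contains(&0) { return Err(pyo3::exceptions::PyValueError::new_err("Invalid password or PKCS12 data").into()); }`. The test hunks in this patch do not add a NUL-containing or non-UTF-8 password case; both are worth adding, the latter also to confirm that `PyUnicodeDecodeError::new_err(())`, built with no arguments, surfaces as the intended exception type. Separately, `load_key_and_certificates` and `load_pkcs12` repeat the same `cfg_if!` iterator selection, and a one-line comment saying why older OpenSSL needs `.rev()` would help the next reader.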
+++ b/tests/hazmat/primitives/test_pkcs12.py @@ -91,7 +91,7 @@ def test_load_pkcs12_ec_keys(self, filename, password, backend): def test_load_pkcs12_ec_keys_rc2(self, filename, password, backend): self._test_load_pkcs12_ec_keys(filename, password, backend) - def test_load_pkcs12_cert_only(self, backend): + def test_load_key_and_cert_cert_only(self, backend): cert, _ = _load_ca(backend) parsed_key, parsed_cert, parsed_more_certs = load_vectors_from_file( os.path.join("pkcs12", "cert-aes256cbc-no-key.p12"), @@ -104,7 +104,7 @@ def test_load_pkcs12_cert_only(self, backend): assert parsed_key is None assert parsed_more_certs == [cert] - def test_load_pkcs12_key_only(self, backend): + def test_load_key_and_certificates_key_only(self, backend): _, key = _load_ca(backend) assert isinstance(key, ec.EllipticCurvePrivateKey) parsed_key, parsed_cert, parsed_more_certs = load_vectors_from_file( @@ -119,6 +119,19 @@ def test_load_pkcs12_key_only(self, backend): assert parsed_cert is None assert parsed_more_certs == [] + def test_load_pkcs12_key_only(self, backend): + _, key = _load_ca(backend) + assert isinstance(key, ec.EllipticCurvePrivateKey) + p12 = load_vectors_from_file( + os.path.join("pkcs12", "no-cert-key-aes256cbc.p12"), + lambda data: load_pkcs12(data.read(), b"cryptography", backend), + mode="rb", + ) + assert isinstance(p12.key, ec.EllipticCurvePrivateKey) + assert p12.key.private_numbers() == key.private_numbers() + assert p12.cert is None + assert p12.additional_certs == [] + def test_non_bytes(self, backend): with pytest.raises(TypeError): load_key_and_certificates( From 9db55b592963b588a62d3c88afabe45000ac9f66 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Mon, 19 Feb 2024 20:00:19 -0500 Subject: [PATCH 0148/1462] Move FIPS enablement to Rust (#10433) --- src/_cffi_src/build_openssl.py | 2 -- src/_cffi_src/openssl/evp.py | 10 ------ src/_cffi_src/openssl/provider.py | 36 ------------------- .../bindings/_rust/openssl/__init__.pyi | 4 +++ .../hazmat/bindings/openssl/_conditional.py | 15 -------- .../hazmat/bindings/openssl/binding.py | 11 +----- src/rust/cryptography-openssl/src/fips.rs | 12 +++++++ src/rust/src/lib.rs | 20 +++++++++-- 8 files changed, 35 insertions(+), 75 deletions(-) delete mode 100644 src/_cffi_src/openssl/provider.py diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index 6065e7aeed37..642b56ce490f 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -21,8 +21,6 @@ modules=[ # This goes first so we can define some cryptography-wide symbols. "cryptography", - # Provider comes early as well so we define OSSL_LIB_CTX - "provider", "asn1", "bignum", "bio", diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index 59e002bad682..141b43ce0b3b 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py @@ -25,7 +25,6 @@ static const int EVP_MAX_MD_SIZE; static const int Cryptography_HAS_EVP_PKEY_DHX; -static const long Cryptography_HAS_300_FIPS; """ FUNCTIONS = """ @@ -60,8 +59,6 @@ int EVP_PKEY_bits(const EVP_PKEY *); int EVP_PKEY_assign_RSA(EVP_PKEY *, RSA *); - -int EVP_default_properties_enable_fips(OSSL_LIB_CTX *, int); """ CUSTOMIZATIONS = """ @@ -70,11 +67,4 @@ #else const long Cryptography_HAS_EVP_PKEY_DHX = 0; #endif - -#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER -static const long Cryptography_HAS_300_FIPS = 1; -#else -static const long Cryptography_HAS_300_FIPS = 0; -int (*EVP_default_properties_enable_fips)(OSSL_LIB_CTX *, int) = NULL; -#endif """ 
diff --git a/src/_cffi_src/openssl/provider.py b/src/_cffi_src/openssl/provider.py deleted file mode 100644 index f00b28325164..000000000000 --- a/src/_cffi_src/openssl/provider.py +++ /dev/null @@ -1,36 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -INCLUDES = """ -#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER -#include -#include -#endif -""" - -TYPES = """ -static const long Cryptography_HAS_PROVIDERS; - -typedef ... OSSL_PROVIDER; -typedef ... OSSL_LIB_CTX; -""" - -FUNCTIONS = """ -OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *, const char *); -int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov); -""" - -CUSTOMIZATIONS = """ -#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER -static const long Cryptography_HAS_PROVIDERS = 1; -#else -static const long Cryptography_HAS_PROVIDERS = 0; -typedef void OSSL_PROVIDER; -typedef void OSSL_LIB_CTX; -OSSL_PROVIDER *(*OSSL_PROVIDER_load)(OSSL_LIB_CTX *, const char *) = NULL; -int (*OSSL_PROVIDER_unload)(OSSL_PROVIDER *) = NULL; -#endif -""" diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index 25e0427496e5..e4e742bdfedf 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -50,13 +50,17 @@ CRYPTOGRAPHY_IS_BORINGSSL: bool CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: bool CRYPTOGRAPHY_OPENSSL_320_OR_GREATER: bool +class Providers: ... + _legacy_provider_loaded: bool +_providers: Providers def openssl_version() -> int: ... def openssl_version_text() -> str: ... def raise_openssl_error() -> typing.NoReturn: ... def capture_error_stack() -> list[OpenSSLError]: ... def is_fips_enabled() -> bool: ... +def enable_fips(providers: Providers) -> None: ... class OpenSSLError: @property 
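Review bot: The stub declares `class Providers` and `_providers: Providers`, but the Rust type behind this object in `src/rust/src/lib.rs` is `struct LoadedProviders`, and its `pyclass` attribute in this patch sets only `module`, not `name`. Unless a rename happens outside the visible hunks, the runtime class name will be `LoadedProviders`, so the stub and the object disagree. Either name the stub class `LoadedProviders` or add `name = "Providers"` to the `pyclass` attribute. Since callers should treat the handle as opaque, a comment such as `# Opaque handle to the loaded OpenSSL providers; pass to enable_fips().` above the class would also help.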
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 8def8bf487b9..805991c560c3 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -109,13 +109,6 @@ def cryptography_has_srtp() -> list[str]: ] -def cryptography_has_providers() -> list[str]: - return [ - "OSSL_PROVIDER_load", - "OSSL_PROVIDER_unload", - ] - - def cryptography_has_op_no_renegotiation() -> list[str]: return [ "SSL_OP_NO_RENEGOTIATION", @@ -128,12 +121,6 @@ def cryptography_has_dtls_get_data_mtu() -> list[str]: ] -def cryptography_has_300_fips() -> list[str]: - return [ - "EVP_default_properties_enable_fips", - ] - - def cryptography_has_ssl_cookie() -> list[str]: return [ "SSL_OP_COOKIE_EXCHANGE", @@ -191,12 +178,10 @@ def cryptography_has_get_extms_support() -> list[str]: "Cryptography_HAS_ENGINE": cryptography_has_engine, "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain, "Cryptography_HAS_SRTP": cryptography_has_srtp, - "Cryptography_HAS_PROVIDERS": cryptography_has_providers, "Cryptography_HAS_OP_NO_RENEGOTIATION": ( cryptography_has_op_no_renegotiation ), "Cryptography_HAS_DTLS_GET_DATA_MTU": cryptography_has_dtls_get_data_mtu, - "Cryptography_HAS_300_FIPS": cryptography_has_300_fips, "Cryptography_HAS_SSL_COOKIE": cryptography_has_ssl_cookie, "Cryptography_HAS_PKCS7_FUNCS": cryptography_has_pkcs7_funcs, "Cryptography_HAS_PRIME_CHECKS": cryptography_has_prime_checks, diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index e8577763c57e..65eb5829134a 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py 
@@ -65,16 +65,7 @@ def __init__(self) -> None: self._ensure_ffi_initialized() def _enable_fips(self) -> None: - # This function enables FIPS mode for OpenSSL 3.0.0 on installs that - # have the FIPS provider installed properly. - _openssl_assert(openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER) - self.lib._fips_provider = self.lib.OSSL_PROVIDER_load( - self.ffi.NULL, b"fips" - ) - _openssl_assert(self.lib._fips_provider != self.ffi.NULL) - - res = self.lib.EVP_default_properties_enable_fips(self.ffi.NULL, 1) - _openssl_assert(res == 1) + openssl.enable_fips(openssl._providers) @classmethod def _ensure_ffi_initialized(cls) -> None: diff --git a/src/rust/cryptography-openssl/src/fips.rs b/src/rust/cryptography-openssl/src/fips.rs index 9c89f317ebda..b14d2a5a659d 100644 --- a/src/rust/cryptography-openssl/src/fips.rs +++ b/src/rust/cryptography-openssl/src/fips.rs @@ -2,6 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +use crate::{cvt, OpenSSLResult}; #[cfg(all( CRYPTOGRAPHY_OPENSSL_300_OR_GREATER, not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)) @@ -22,3 +24,13 @@ pub fn is_enabled() -> bool { } } } + +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +pub fn enable() -> OpenSSLResult<()> { + // SAFETY: No pre-conditions + unsafe { + cvt(ffi::EVP_default_properties_enable_fips(ptr::null_mut(), 1))?; + } + + Ok(()) +} diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index af9eb42a520b..582d2e139577 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -24,10 +24,12 @@ pub(crate) mod types; mod x509; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] +#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust")] struct LoadedProviders { legacy: Option, _default: provider::Provider, + + fips: Option, } #[pyo3::prelude::pyfunction] 
@@ -63,7 +65,11 @@ fn _initialize_providers() -> CryptographyResult { None }; let _default = provider::Provider::load(None, "default")?; - Ok(LoadedProviders { legacy, _default }) + Ok(LoadedProviders { + legacy, + _default, + fips: None, + }) } fn _legacy_provider_error(success: bool) -> pyo3::PyResult<()> { @@ -75,6 +81,14 @@ fn _legacy_provider_error(success: bool) -> pyo3::PyResult<()> { Ok(()) } +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +#[pyo3::prelude::pyfunction] +fn enable_fips(providers: &mut LoadedProviders) -> CryptographyResult<()> { + providers.fips = Some(provider::Provider::load(None, "fips")?); + cryptography_openssl::fips::enable()?; + Ok(()) +} + #[pyo3::prelude::pymodule] fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> { m.add_function(pyo3::wrap_pyfunction!(padding::check_pkcs7_padding, m)?)?; @@ -124,6 +138,8 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> openssl_mod.add("_legacy_provider_loaded", false)?; } openssl_mod.add("_providers", providers)?; + + openssl_mod.add_function(pyo3::wrap_pyfunction!(enable_fips, m)?)?; } else { // default value for non-openssl 3+ openssl_mod.add("_legacy_provider_loaded", false)?; From 027845cc4d2e3238eb895dde824a1a618f715e52 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 19 Feb 2024 17:10:08 -0800 Subject: [PATCH 0149/1462] remove a useless function (#10436) --- src/cryptography/hazmat/backends/openssl/backend.py | 2 +- src/cryptography/hazmat/bindings/openssl/binding.py | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 56d8206612e6..406b1ea990a2 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py 
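Review bot: `enable_fips` assigns `providers.fips` before `cryptography_openssl::fips::enable()?` has succeeded, so a failure in the second step leaves the FIPS provider stored in `LoadedProviders` while the caller sees an exception. Holding the handle in a local and storing it only after `enable()` returns keeps a failed call from leaving partial state: `let fips = provider::Provider::load(None, "fips")?;`, `cryptography_openssl::fips::enable()?;`, `providers.fips = Some(fips);`. The function also has no doc comment; something like `/// Loads the OpenSSL FIPS provider and enables FIPS default properties; the handle is kept in LoadedProviders so the provider stays loaded.` would explain why the `pyclass` had to stop being `frozen`. A second call replaces the stored handle, which is presumably harmless but is not covered by a test in this patch.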
@@ -99,7 +99,7 @@ def openssl_assert(self, ok: bool) -> None: def _enable_fips(self) -> None: # This function enables FIPS mode for OpenSSL 3.0.0 on installs that # have the FIPS provider installed properly. - self._binding._enable_fips() + rust_openssl.enable_fips(rust_openssl._providers) assert rust_openssl.is_fips_enabled() self._fips_enabled = rust_openssl.is_fips_enabled() diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 65eb5829134a..f5d8cb0b7d9f 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -64,9 +64,6 @@ class Binding: def __init__(self) -> None: self._ensure_ffi_initialized() - def _enable_fips(self) -> None: - openssl.enable_fips(openssl._providers) - @classmethod def _ensure_ffi_initialized(cls) -> None: with cls._init_lock: From 4aa0d9ad35be926a7f19e0a89bab72de606f770a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Feb 2024 07:04:35 -0500 Subject: [PATCH 0150/1462] Bump syn from 2.0.49 to 2.0.50 in /src/rust (#10439) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.49 to 2.0.50. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.49...2.0.50) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 65d173e5f824..c85ea888aa3a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -372,9 +372,9 @@ checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" [[package]] name = "syn" -version = "2.0.49" +version = "2.0.50" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "915aea9e586f80826ee59f8453c1101f9d1c4b3964cd2460185ee8e299ada496" +checksum = "74f1bdc9872430ce9b75da68329d1c1746faf50ffac5f19e02b71e37ff881ffb" dependencies = [ "proc-macro2", "quote", From c97808ca7716667037804a6b8709b7e9045b6629 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Tue, 20 Feb 2024 15:57:07 +0100 Subject: [PATCH 0151/1462] Add test vectors for deterministic ECDSA (RFC6979) (#10438) --- docs/development/test-vectors.rst | 2 + .../ECDSA/RFC6979/evppkey_ecdsa_rfc6979.txt | 2807 +++++++++++++++++ 2 files changed, 2809 insertions(+) create mode 100644 vectors/cryptography_vectors/asymmetric/ECDSA/RFC6979/evppkey_ecdsa_rfc6979.txt diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 35f7b7b9864a..aeff528faf78 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -51,6 +51,7 @@ Asymmetric ciphers * X25519 and X448 test vectors from :rfc:`7748`. * RSA OAEP with custom label from the `BoringSSL evp tests`_. * Ed448 test vectors from :rfc:`8032`. +* Deterministic ECDSA (:rfc:`6979`) from `OpenSSL's RFC 6979 test vectors`_. Custom asymmetric vectors @@ -1094,3 +1095,4 @@ header format (substituting the correct information): .. _`dkg's additional OCB3 vectors`: https://gitlab.com/dkg/ocb-test-vectors .. _`OpenSSL's OCB vectors`: https://github.com/openssl/openssl/commit/2f19ab18a29cf9c82cdd68bc8c7e5be5061b19be .. _`badkeys`: https://github.com/vcsjones/badkeys/tree/50f1cc5f8d13bf3a2046d689f6452decb15d9c3c +.. _`OpenSSL's RFC 6979 test vectors`: https://github.com/openssl/openssl/blob/01690a7ff36c4d18c48b301cdf375c954105a1d9/test/recipes/30-test_evp_data/evppkey_ecdsa_rfc6979.txt 
diff --git a/vectors/cryptography_vectors/asymmetric/ECDSA/RFC6979/evppkey_ecdsa_rfc6979.txt b/vectors/cryptography_vectors/asymmetric/ECDSA/RFC6979/evppkey_ecdsa_rfc6979.txt new file mode 100644 index 000000000000..3bc27a603c29 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/ECDSA/RFC6979/evppkey_ecdsa_rfc6979.txt 
@@ -0,0 +1,2807 @@ +# +# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# Tests start with one of these keywords +# Cipher Decrypt Derive Digest Encoding KDF MAC PBE +# PrivPubKeyPair Sign Verify VerifyRecover +# and continue until a blank line. Lines starting with a pound sign are ignored. + + +Title = RFC 6979 P-192 deterministic ECDSA tests + +PrivateKey=P-192_PRIV +-----BEGIN PRIVATE KEY----- +MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQEEHzAdAgEBBBhvqwNJNOTA/Jrmf1tWWanX0f79GH7g +n9Q= +-----END PRIVATE KEY----- + +PublicKey=P-192_PUB +-----BEGIN PUBLIC KEY----- +MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAErCx39Sn5Fon+oOpe/sfyENjuoLngR+1WO8cj5XZw +vUiH68cyxSMGPQp8lXvJfBxD +-----END PUBLIC KEY----- + +PrivPubKeyPair=P-192_PRIV:P-192_PUB + +DigestSign = SHA1 +Key = P-192_PRIV +NonceType = deterministic +Input = "sample" +Output = 303502190098C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF021857A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B64 + +DigestVerify = SHA1 +Key = P-192_PUB +Input = "sample" +Output = 303502190098C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF021857A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B64 + +DigestVerify = SHA1 +Key = P-192_PUB +Input = "sample" +Output = 303502190098C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF021857A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B65 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-192_PRIV +NonceType = deterministic +Input = "sample" +Output = 3036021900A1F00DAD97AEEC91C95585F36200C65F3C01812AA60378F5021900E07EC1304C7C6C9DEBBE980B9692668F81D4DE7922A0F97A + +DigestVerify = SHA224 +Key = P-192_PUB +Input = "sample" +Output = 3036021900A1F00DAD97AEEC91C95585F36200C65F3C01812AA60378F5021900E07EC1304C7C6C9DEBBE980B9692668F81D4DE7922A0F97A + +DigestVerify 
= SHA224 +Key = P-192_PUB +Input = "sample" +Output = 3036021900A1F00DAD97AEEC91C95585F36200C65F3C01812AA60378F5021900E07EC1304C7C6C9DEBBE980B9692668F81D4DE7922A0F97B +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-192_PRIV +NonceType = deterministic +Input = "sample" +Output = 303502184B0B8CE98A92866A2820E20AA6B75B56382E0F9BFD5ECB55021900CCDB006926EA9565CBADC840829D8C384E06DE1F1E381B85 + +DigestVerify = SHA256 +Key = P-192_PUB +Input = "sample" +Output = 303502184B0B8CE98A92866A2820E20AA6B75B56382E0F9BFD5ECB55021900CCDB006926EA9565CBADC840829D8C384E06DE1F1E381B85 + +DigestVerify = SHA256 +Key = P-192_PUB +Input = "sample" +Output = 303502184B0B8CE98A92866A2820E20AA6B75B56382E0F9BFD5ECB55021900CCDB006926EA9565CBADC840829D8C384E06DE1F1E381B84 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-192_PRIV +NonceType = deterministic +Input = "sample" +Output = 3036021900DA63BF0B9ABCF948FBB1E9167F136145F7A20426DCC287D5021900C3AA2C960972BD7A2003A57E1C4C77F0578F8AE95E31EC5E + +DigestVerify = SHA384 +Key = P-192_PUB +Input = "sample" +Output = 3036021900DA63BF0B9ABCF948FBB1E9167F136145F7A20426DCC287D5021900C3AA2C960972BD7A2003A57E1C4C77F0578F8AE95E31EC5E + +DigestVerify = SHA384 +Key = P-192_PUB +Input = "sample" +Output = 3036021900DA63BF0B9ABCF948FBB1E9167F136145F7A20426DCC287D5021900C3AA2C960972BD7A2003A57E1C4C77F0578F8AE95E31EC5F +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-192_PRIV +NonceType = deterministic +Input = "sample" +Output = 303402184D60C5AB1996BD848343B31C00850205E2EA6922DAC2E4B802183F6E837448F027A1BF4B34E796E32A811CBB4050908D8F67 + +DigestVerify = SHA512 +Key = P-192_PUB +Input = "sample" +Output = 303402184D60C5AB1996BD848343B31C00850205E2EA6922DAC2E4B802183F6E837448F027A1BF4B34E796E32A811CBB4050908D8F67 + +DigestVerify = SHA512 +Key = P-192_PUB +Input = "sample" +Output = 303402184D60C5AB1996BD848343B31C00850205E2EA6922DAC2E4B802183F6E837448F027A1BF4B34E796E32A811CBB4050908D8F66 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = 
P-192_PRIV +NonceType = deterministic +Input = "test" +Output = 303502180F2141A0EBBC44D2E1AF90A50EBCFCE5E197B3B7D4DE036D021900EB18BC9E1F3D7387500CB99CF5F7C157070A8961E38700B7 + +DigestVerify = SHA1 +Key = P-192_PUB +Input = "test" +Output = 303502180F2141A0EBBC44D2E1AF90A50EBCFCE5E197B3B7D4DE036D021900EB18BC9E1F3D7387500CB99CF5F7C157070A8961E38700B7 + +DigestVerify = SHA1 +Key = P-192_PUB +Input = "test" +Output = 303502180F2141A0EBBC44D2E1AF90A50EBCFCE5E197B3B7D4DE036D021900EB18BC9E1F3D7387500CB99CF5F7C157070A8961E38700B6 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-192_PRIV +NonceType = deterministic +Input = "test" +Output = 303502186945A1C1D1B2206B8145548F633BB61CEF04891BAF26ED34021900B7FB7FDFC339C0B9BD61A9F5A8EAF9BE58FC5CBA2CB15293 + +DigestVerify = SHA224 +Key = P-192_PUB +Input = "test" +Output = 303502186945A1C1D1B2206B8145548F633BB61CEF04891BAF26ED34021900B7FB7FDFC339C0B9BD61A9F5A8EAF9BE58FC5CBA2CB15293 + +DigestVerify = SHA224 +Key = P-192_PUB +Input = "test" +Output = 303502186945A1C1D1B2206B8145548F633BB61CEF04891BAF26ED34021900B7FB7FDFC339C0B9BD61A9F5A8EAF9BE58FC5CBA2CB15292 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-192_PRIV +NonceType = deterministic +Input = "test" +Output = 303402183A718BD8B4926C3B52EE6BBE67EF79B18CB6EB62B1AD97AE02185662E6848A4A19B1F1AE2F72ACD4B8BBE50F1EAC65D9124F + +DigestVerify = SHA256 +Key = P-192_PUB +Input = "test" +Output = 303402183A718BD8B4926C3B52EE6BBE67EF79B18CB6EB62B1AD97AE02185662E6848A4A19B1F1AE2F72ACD4B8BBE50F1EAC65D9124F + +DigestVerify = SHA256 +Key = P-192_PUB +Input = "test" +Output = 303402183A718BD8B4926C3B52EE6BBE67EF79B18CB6EB62B1AD97AE02185662E6848A4A19B1F1AE2F72ACD4B8BBE50F1EAC65D9124E +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-192_PRIV +NonceType = deterministic +Input = "test" +Output = 3035021900B234B60B4DB75A733E19280A7A6034BD6B1EE88AF533236702187994090B2D59BB782BE57E74A44C9A1C700413F8ABEFE77A + +DigestVerify = SHA384 +Key = P-192_PUB +Input = "test" +Output = 
3035021900B234B60B4DB75A733E19280A7A6034BD6B1EE88AF533236702187994090B2D59BB782BE57E74A44C9A1C700413F8ABEFE77A + +DigestVerify = SHA384 +Key = P-192_PUB +Input = "test" +Output = 3035021900B234B60B4DB75A733E19280A7A6034BD6B1EE88AF533236702187994090B2D59BB782BE57E74A44C9A1C700413F8ABEFE77B +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-192_PRIV +NonceType = deterministic +Input = "test" +Output = 3035021900FE4F4AE86A58B6507946715934FE2D8FF9D95B6B098FE739021874CF5605C98FBA0E1EF34D4B5A1577A7DCF59457CAE52290 + +DigestVerify = SHA512 +Key = P-192_PUB +Input = "test" +Output = 3035021900FE4F4AE86A58B6507946715934FE2D8FF9D95B6B098FE739021874CF5605C98FBA0E1EF34D4B5A1577A7DCF59457CAE52290 + +DigestVerify = SHA512 +Key = P-192_PUB +Input = "test" +Output = 3035021900FE4F4AE86A58B6507946715934FE2D8FF9D95B6B098FE739021874CF5605C98FBA0E1EF34D4B5A1577A7DCF59457CAE52291 +Result = VERIFY_ERROR + +Title = RFC 6979 P-224 deterministic ECDSA tests + +PrivateKey=P-224_PRIV +-----BEGIN PRIVATE KEY----- +MDoCAQAwEAYHKoZIzj0CAQYFK4EEACEEIzAhAgEBBBzyICZuEQW/4wg+A+x6OmVGUfReNxZ+iGAL +8lfB +-----END PRIVATE KEY----- + +PublicKey=P-224_PUB +-----BEGIN PUBLIC KEY----- +ME4wEAYHKoZIzj0CAQYFK4EEACEDOgAEAM8I2lrXGeQnB/pDEpLeoRJE1k/FFhDZSxMNbO6rbz3r +5FXj2/hUFvcDDL2U808tbyMsafPBOFo= +-----END PUBLIC KEY----- + +PrivPubKeyPair=P-224_PRIV:P-224_PUB + +DigestSign = SHA1 +Key = P-224_PRIV +NonceType = deterministic +Input = "sample" +Output = 303C021C22226F9D40A96E19C4A301CE5B74B115303C0F3A4FD30FC257FB57AC021C66D1CDD83E3AF75605DD6E2FEFF196D30AA7ED7A2EDF7AF475403D69 + +DigestVerify = SHA1 +Key = P-224_PUB +Input = "sample" +Output = 303C021C22226F9D40A96E19C4A301CE5B74B115303C0F3A4FD30FC257FB57AC021C66D1CDD83E3AF75605DD6E2FEFF196D30AA7ED7A2EDF7AF475403D69 + +DigestVerify = SHA1 +Key = P-224_PUB +Input = "sample" +Output = 303C021C22226F9D40A96E19C4A301CE5B74B115303C0F3A4FD30FC257FB57AC021C66D1CDD83E3AF75605DD6E2FEFF196D30AA7ED7A2EDF7AF475403D68 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key 
= P-224_PRIV +NonceType = deterministic +Input = "sample" +Output = 303D021C1CDFE6662DDE1E4A1EC4CDEDF6A1F5A2FB7FBD9145C12113E6ABFD3E021D00A6694FD7718A21053F225D3F46197CA699D45006C06F871808F43EBC + +DigestVerify = SHA224 +Key = P-224_PUB +Input = "sample" +Output = 303D021C1CDFE6662DDE1E4A1EC4CDEDF6A1F5A2FB7FBD9145C12113E6ABFD3E021D00A6694FD7718A21053F225D3F46197CA699D45006C06F871808F43EBC + +DigestVerify = SHA224 +Key = P-224_PUB +Input = "sample" +Output = 303D021C1CDFE6662DDE1E4A1EC4CDEDF6A1F5A2FB7FBD9145C12113E6ABFD3E021D00A6694FD7718A21053F225D3F46197CA699D45006C06F871808F43EBD +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-224_PRIV +NonceType = deterministic +Input = "sample" +Output = 303D021C61AA3DA010E8E8406C656BC477A7A7189895E7E840CDFE8FF42307BA021D00BC814050DAB5D23770879494F9E0A680DC1AF7161991BDE692B10101 + +DigestVerify = SHA256 +Key = P-224_PUB +Input = "sample" +Output = 303D021C61AA3DA010E8E8406C656BC477A7A7189895E7E840CDFE8FF42307BA021D00BC814050DAB5D23770879494F9E0A680DC1AF7161991BDE692B10101 + +DigestVerify = SHA256 +Key = P-224_PUB +Input = "sample" +Output = 303D021C61AA3DA010E8E8406C656BC477A7A7189895E7E840CDFE8FF42307BA021D00BC814050DAB5D23770879494F9E0A680DC1AF7161991BDE692B10100 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-224_PRIV +NonceType = deterministic +Input = "sample" +Output = 303D021C0B115E5E36F0F9EC81F1325A5952878D745E19D7BB3EABFABA77E953021D00830F34CCDFE826CCFDC81EB4129772E20E122348A2BBD889A1B1AF1D + +DigestVerify = SHA384 +Key = P-224_PUB +Input = "sample" +Output = 303D021C0B115E5E36F0F9EC81F1325A5952878D745E19D7BB3EABFABA77E953021D00830F34CCDFE826CCFDC81EB4129772E20E122348A2BBD889A1B1AF1D + +DigestVerify = SHA384 +Key = P-224_PUB +Input = "sample" +Output = 303D021C0B115E5E36F0F9EC81F1325A5952878D745E19D7BB3EABFABA77E953021D00830F34CCDFE826CCFDC81EB4129772E20E122348A2BBD889A1B1AF1C +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-224_PRIV +NonceType = deterministic +Input = "sample" +Output = 
303D021C074BD1D979D5F32BF958DDC61E4FB4872ADCAFEB2256497CDAC30397021D00A4CECA196C3D5A1FF31027B33185DC8EE43F288B21AB342E5D8EB084 + +DigestVerify = SHA512 +Key = P-224_PUB +Input = "sample" +Output = 303D021C074BD1D979D5F32BF958DDC61E4FB4872ADCAFEB2256497CDAC30397021D00A4CECA196C3D5A1FF31027B33185DC8EE43F288B21AB342E5D8EB084 + +DigestVerify = SHA512 +Key = P-224_PUB +Input = "sample" +Output = 303D021C074BD1D979D5F32BF958DDC61E4FB4872ADCAFEB2256497CDAC30397021D00A4CECA196C3D5A1FF31027B33185DC8EE43F288B21AB342E5D8EB085 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = P-224_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D00DEAA646EC2AF2EA8AD53ED66B2E2DDAA49A12EFD8356561451F3E21C021D0095987796F6CF2062AB8135271DE56AE55366C045F6D9593F53787BD2 + +DigestVerify = SHA1 +Key = P-224_PUB +Input = "test" +Output = 303E021D00DEAA646EC2AF2EA8AD53ED66B2E2DDAA49A12EFD8356561451F3E21C021D0095987796F6CF2062AB8135271DE56AE55366C045F6D9593F53787BD2 + +DigestVerify = SHA1 +Key = P-224_PUB +Input = "test" +Output = 303E021D00DEAA646EC2AF2EA8AD53ED66B2E2DDAA49A12EFD8356561451F3E21C021D0095987796F6CF2062AB8135271DE56AE55366C045F6D9593F53787BD3 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-224_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D00C441CE8E261DED634E4CF84910E4C5D1D22C5CF3B732BB204DBEF019021D00902F42847A63BDC5F6046ADA114953120F99442D76510150F372A3F4 + +DigestVerify = SHA224 +Key = P-224_PUB +Input = "test" +Output = 303E021D00C441CE8E261DED634E4CF84910E4C5D1D22C5CF3B732BB204DBEF019021D00902F42847A63BDC5F6046ADA114953120F99442D76510150F372A3F4 + +DigestVerify = SHA224 +Key = P-224_PUB +Input = "test" +Output = 303E021D00C441CE8E261DED634E4CF84910E4C5D1D22C5CF3B732BB204DBEF019021D00902F42847A63BDC5F6046ADA114953120F99442D76510150F372A3F5 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-224_PRIV +NonceType = deterministic +Input = "test" +Output = 
303D021D00AD04DDE87B84747A243A631EA47A1BA6D1FAA059149AD2440DE6FBA6021C178D49B1AE90E3D8B629BE3DB5683915F4E8C99FDF6E666CF37ADCFD + +DigestVerify = SHA256 +Key = P-224_PUB +Input = "test" +Output = 303D021D00AD04DDE87B84747A243A631EA47A1BA6D1FAA059149AD2440DE6FBA6021C178D49B1AE90E3D8B629BE3DB5683915F4E8C99FDF6E666CF37ADCFD + +DigestVerify = SHA256 +Key = P-224_PUB +Input = "test" +Output = 303D021D00AD04DDE87B84747A243A631EA47A1BA6D1FAA059149AD2440DE6FBA6021C178D49B1AE90E3D8B629BE3DB5683915F4E8C99FDF6E666CF37ADCFC +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-224_PRIV +NonceType = deterministic +Input = "test" +Output = 303C021C389B92682E399B26518A95506B52C03BC9379A9DADF3391A21FB0EA4021C414A718ED3249FF6DBC5B50C27F71F01F070944DA22AB1F78F559AAB + +DigestVerify = SHA384 +Key = P-224_PUB +Input = "test" +Output = 303C021C389B92682E399B26518A95506B52C03BC9379A9DADF3391A21FB0EA4021C414A718ED3249FF6DBC5B50C27F71F01F070944DA22AB1F78F559AAB + +DigestVerify = SHA384 +Key = P-224_PUB +Input = "test" +Output = 303C021C389B92682E399B26518A95506B52C03BC9379A9DADF3391A21FB0EA4021C414A718ED3249FF6DBC5B50C27F71F01F070944DA22AB1F78F559AAA +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-224_PRIV +NonceType = deterministic +Input = "test" +Output = 303C021C049F050477C5ADD858CAC56208394B5A55BAEBBE887FDF765047C17C021C077EB13E7005929CEFA3CD0403C7CDCC077ADF4E44F3C41B2F60ECFF + +DigestVerify = SHA512 +Key = P-224_PUB +Input = "test" +Output = 303C021C049F050477C5ADD858CAC56208394B5A55BAEBBE887FDF765047C17C021C077EB13E7005929CEFA3CD0403C7CDCC077ADF4E44F3C41B2F60ECFF + +DigestVerify = SHA512 +Key = P-224_PUB +Input = "test" +Output = 303C021C049F050477C5ADD858CAC56208394B5A55BAEBBE887FDF765047C17C021C077EB13E7005929CEFA3CD0403C7CDCC077ADF4E44F3C41B2F60ECFE +Result = VERIFY_ERROR + +Title = RFC 6979 P-256 deterministic ECDSA tests + +PrivateKey=P-256_PRIV +-----BEGIN PRIVATE KEY----- +MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCDJr6nYRbp1FmtcIVdnsdaTTlDD2zbo +mxJ7imIrEg9nIQ== 
+-----END PRIVATE KEY----- + +PublicKey=P-256_PUB +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYP7UuiVanTHJYet0xjVtaMBJuJI7Yfps5mliLmDy +n7Z5A/4QCLi8maQa6elWKLxk8vGyDC1+n1F3o8KU1EYimQ== +-----END PUBLIC KEY----- + +PrivPubKeyPair=P-256_PRIV:P-256_PUB + +DigestSign = SHA1 +Key = P-256_PRIV +NonceType = deterministic +Input = "sample" +Output = 3044022061340C88C3AAEBEB4F6D667F672CA9759A6CCAA9FA8811313039EE4A35471D3202206D7F147DAC089441BB2E2FE8F7A3FA264B9C475098FDCF6E00D7C996E1B8B7EB + +DigestVerify = SHA1 +Key = P-256_PUB +Input = "sample" +Output = 3044022061340C88C3AAEBEB4F6D667F672CA9759A6CCAA9FA8811313039EE4A35471D3202206D7F147DAC089441BB2E2FE8F7A3FA264B9C475098FDCF6E00D7C996E1B8B7EB + +DigestVerify = SHA1 +Key = P-256_PUB +Input = "sample" +Output = 3044022061340C88C3AAEBEB4F6D667F672CA9759A6CCAA9FA8811313039EE4A35471D3202206D7F147DAC089441BB2E2FE8F7A3FA264B9C475098FDCF6E00D7C996E1B8B7EA +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-256_PRIV +NonceType = deterministic +Input = "sample" +Output = 3045022053B2FFF5D1752B2C689DF257C04C40A587FABABB3F6FC2702F1343AF7CA9AA3F022100B9AFB64FDC03DC1A131C7D2386D11E349F070AA432A4ACC918BEA988BF75C74C + +DigestVerify = SHA224 +Key = P-256_PUB +Input = "sample" +Output = 3045022053B2FFF5D1752B2C689DF257C04C40A587FABABB3F6FC2702F1343AF7CA9AA3F022100B9AFB64FDC03DC1A131C7D2386D11E349F070AA432A4ACC918BEA988BF75C74C + +DigestVerify = SHA224 +Key = P-256_PUB +Input = "sample" +Output = 3045022053B2FFF5D1752B2C689DF257C04C40A587FABABB3F6FC2702F1343AF7CA9AA3F022100B9AFB64FDC03DC1A131C7D2386D11E349F070AA432A4ACC918BEA988BF75C74D +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-256_PRIV +NonceType = deterministic +Input = "sample" +Output = 3046022100EFD48B2AACB6A8FD1140DD9CD45E81D69D2C877B56AAF991C34D0EA84EAF3716022100F7CB1C942D657C41D436C7A1B6E29F65F3E900DBB9AFF4064DC4AB2F843ACDA8 + +DigestVerify = SHA256 +Key = P-256_PUB +Input = "sample" +Output = 
3046022100EFD48B2AACB6A8FD1140DD9CD45E81D69D2C877B56AAF991C34D0EA84EAF3716022100F7CB1C942D657C41D436C7A1B6E29F65F3E900DBB9AFF4064DC4AB2F843ACDA8 + +DigestVerify = SHA256 +Key = P-256_PUB +Input = "sample" +Output = 3046022100EFD48B2AACB6A8FD1140DD9CD45E81D69D2C877B56AAF991C34D0EA84EAF3716022100F7CB1C942D657C41D436C7A1B6E29F65F3E900DBB9AFF4064DC4AB2F843ACDA9 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-256_PRIV +NonceType = deterministic +Input = "sample" +Output = 304402200EAFEA039B20E9B42309FB1D89E213057CBF973DC0CFC8F129EDDDC800EF771902204861F0491E6998B9455193E34E7B0D284DDD7149A74B95B9261F13ABDE940954 + +DigestVerify = SHA384 +Key = P-256_PUB +Input = "sample" +Output = 304402200EAFEA039B20E9B42309FB1D89E213057CBF973DC0CFC8F129EDDDC800EF771902204861F0491E6998B9455193E34E7B0D284DDD7149A74B95B9261F13ABDE940954 + +DigestVerify = SHA384 +Key = P-256_PUB +Input = "sample" +Output = 304402200EAFEA039B20E9B42309FB1D89E213057CBF973DC0CFC8F129EDDDC800EF771902204861F0491E6998B9455193E34E7B0D284DDD7149A74B95B9261F13ABDE940955 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-256_PRIV +NonceType = deterministic +Input = "sample" +Output = 30450221008496A60B5E9B47C825488827E0495B0E3FA109EC4568FD3F8D1097678EB97F0002202362AB1ADBE2B8ADF9CB9EDAB740EA6049C028114F2460F96554F61FAE3302FE + +DigestVerify = SHA512 +Key = P-256_PUB +Input = "sample" +Output = 30450221008496A60B5E9B47C825488827E0495B0E3FA109EC4568FD3F8D1097678EB97F0002202362AB1ADBE2B8ADF9CB9EDAB740EA6049C028114F2460F96554F61FAE3302FE + +DigestVerify = SHA512 +Key = P-256_PUB +Input = "sample" +Output = 30450221008496A60B5E9B47C825488827E0495B0E3FA109EC4568FD3F8D1097678EB97F0002202362AB1ADBE2B8ADF9CB9EDAB740EA6049C028114F2460F96554F61FAE3302FF +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = P-256_PRIV +NonceType = deterministic +Input = "test" +Output = 304402200CBCC86FD6ABD1D99E703E1EC50069EE5C0B4BA4B9AC60E409E8EC5910D81A89022001B9D7B73DFAA60D5651EC4591A0136F87653E0FD780C3B1BC872FFDEAE479B1 + 
+DigestVerify = SHA1 +Key = P-256_PUB +Input = "test" +Output = 304402200CBCC86FD6ABD1D99E703E1EC50069EE5C0B4BA4B9AC60E409E8EC5910D81A89022001B9D7B73DFAA60D5651EC4591A0136F87653E0FD780C3B1BC872FFDEAE479B1 + +DigestVerify = SHA1 +Key = P-256_PUB +Input = "test" +Output = 304402200CBCC86FD6ABD1D99E703E1EC50069EE5C0B4BA4B9AC60E409E8EC5910D81A89022001B9D7B73DFAA60D5651EC4591A0136F87653E0FD780C3B1BC872FFDEAE479B0 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-256_PRIV +NonceType = deterministic +Input = "test" +Output = 3046022100C37EDB6F0AE79D47C3C27E962FA269BB4F441770357E114EE511F662EC34A692022100C820053A05791E521FCAAD6042D40AEA1D6B1A540138558F47D0719800E18F2D + +DigestVerify = SHA224 +Key = P-256_PUB +Input = "test" +Output = 3046022100C37EDB6F0AE79D47C3C27E962FA269BB4F441770357E114EE511F662EC34A692022100C820053A05791E521FCAAD6042D40AEA1D6B1A540138558F47D0719800E18F2D + +DigestVerify = SHA224 +Key = P-256_PUB +Input = "test" +Output = 3046022100C37EDB6F0AE79D47C3C27E962FA269BB4F441770357E114EE511F662EC34A692022100C820053A05791E521FCAAD6042D40AEA1D6B1A540138558F47D0719800E18F2C +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-256_PRIV +NonceType = deterministic +Input = "test" +Output = 3045022100F1ABB023518351CD71D881567B1EA663ED3EFCF6C5132B354F28D3B0B7D383670220019F4113742A2B14BD25926B49C649155F267E60D3814B4C0CC84250E46F0083 + +DigestVerify = SHA256 +Key = P-256_PUB +Input = "test" +Output = 3045022100F1ABB023518351CD71D881567B1EA663ED3EFCF6C5132B354F28D3B0B7D383670220019F4113742A2B14BD25926B49C649155F267E60D3814B4C0CC84250E46F0083 + +DigestVerify = SHA256 +Key = P-256_PUB +Input = "test" +Output = 3045022100F1ABB023518351CD71D881567B1EA663ED3EFCF6C5132B354F28D3B0B7D383670220019F4113742A2B14BD25926B49C649155F267E60D3814B4C0CC84250E46F0082 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-256_PRIV +NonceType = deterministic +Input = "test" +Output = 
304602210083910E8B48BB0C74244EBDF7F07A1C5413D61472BD941EF3920E623FBCCEBEB60221008DDBEC54CF8CD5874883841D712142A56A8D0F218F5003CB0296B6B509619F2C + +DigestVerify = SHA384 +Key = P-256_PUB +Input = "test" +Output = 304602210083910E8B48BB0C74244EBDF7F07A1C5413D61472BD941EF3920E623FBCCEBEB60221008DDBEC54CF8CD5874883841D712142A56A8D0F218F5003CB0296B6B509619F2C + +DigestVerify = SHA384 +Key = P-256_PUB +Input = "test" +Output = 304602210083910E8B48BB0C74244EBDF7F07A1C5413D61472BD941EF3920E623FBCCEBEB60221008DDBEC54CF8CD5874883841D712142A56A8D0F218F5003CB0296B6B509619F2D +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-256_PRIV +NonceType = deterministic +Input = "test" +Output = 30440220461D93F31B6540894788FD206C07CFA0CC35F46FA3C91816FFF1040AD1581A04022039AF9F15DE0DB8D97E72719C74820D304CE5226E32DEDAE67519E840D1194E55 + +DigestVerify = SHA512 +Key = P-256_PUB +Input = "test" +Output = 30440220461D93F31B6540894788FD206C07CFA0CC35F46FA3C91816FFF1040AD1581A04022039AF9F15DE0DB8D97E72719C74820D304CE5226E32DEDAE67519E840D1194E55 + +DigestVerify = SHA512 +Key = P-256_PUB +Input = "test" +Output = 30440220461D93F31B6540894788FD206C07CFA0CC35F46FA3C91816FFF1040AD1581A04022039AF9F15DE0DB8D97E72719C74820D304CE5226E32DEDAE67519E840D1194E54 +Result = VERIFY_ERROR + +Title = RFC 6979 P-384 deterministic ECDSA tests + +PrivateKey=P-384_PRIV +-----BEGIN PRIVATE KEY----- +ME4CAQAwEAYHKoZIzj0CAQYFK4EEACIENzA1AgEBBDBrnT2tLhuMHAWxmHW2ZZ9N4jw7Znvyl7qa +pHdAeHE32JbVck5McKgl+HLJ6mDS7fU= +-----END PRIVATE KEY----- + +PublicKey=P-384_PUB +-----BEGIN PUBLIC KEY----- +MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE7DpOQVtOGaRWhhgCn0J/pdqai8SukuAuBqrlKGswDGTe ++PDqkFWGYGSiVFFUgLwTgBXZty19VyROqO+awMYhiWcIpZNn+d+59UyoSz8cnbEoiyMcOuDU/nNE +/SUzJkcg +-----END PUBLIC KEY----- + +PrivPubKeyPair=P-384_PRIV:P-384_PUB + +DigestSign = SHA1 +Key = P-384_PRIV +NonceType = deterministic +Input = "sample" +Output = 
3066023100EC748D839243D6FBEF4FC5C4859A7DFFD7F3ABDDF72014540C16D73309834FA37B9BA002899F6FDA3A4A9386790D4EB2023100A3BCFA947BEEF4732BF247AC17F71676CB31A847B9FF0CBC9C9ED4C1A5B3FACF26F49CA031D4857570CCB5CA4424A443 + +DigestVerify = SHA1 +Key = P-384_PUB +Input = "sample" +Output = 3066023100EC748D839243D6FBEF4FC5C4859A7DFFD7F3ABDDF72014540C16D73309834FA37B9BA002899F6FDA3A4A9386790D4EB2023100A3BCFA947BEEF4732BF247AC17F71676CB31A847B9FF0CBC9C9ED4C1A5B3FACF26F49CA031D4857570CCB5CA4424A443 + +DigestVerify = SHA1 +Key = P-384_PUB +Input = "sample" +Output = 3066023100EC748D839243D6FBEF4FC5C4859A7DFFD7F3ABDDF72014540C16D73309834FA37B9BA002899F6FDA3A4A9386790D4EB2023100A3BCFA947BEEF4732BF247AC17F71676CB31A847B9FF0CBC9C9ED4C1A5B3FACF26F49CA031D4857570CCB5CA4424A442 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-384_PRIV +NonceType = deterministic +Input = "sample" +Output = 3065023042356E76B55A6D9B4631C865445DBE54E056D3B3431766D0509244793C3F9366450F76EE3DE43F5A125333A6BE0601220231009DA0C81787064021E78DF658F2FBB0B042BF304665DB721F077A4298B095E4834C082C03D83028EFBF93A3C23940CA8D + +DigestVerify = SHA224 +Key = P-384_PUB +Input = "sample" +Output = 3065023042356E76B55A6D9B4631C865445DBE54E056D3B3431766D0509244793C3F9366450F76EE3DE43F5A125333A6BE0601220231009DA0C81787064021E78DF658F2FBB0B042BF304665DB721F077A4298B095E4834C082C03D83028EFBF93A3C23940CA8D + +DigestVerify = SHA224 +Key = P-384_PUB +Input = "sample" +Output = 3065023042356E76B55A6D9B4631C865445DBE54E056D3B3431766D0509244793C3F9366450F76EE3DE43F5A125333A6BE0601220231009DA0C81787064021E78DF658F2FBB0B042BF304665DB721F077A4298B095E4834C082C03D83028EFBF93A3C23940CA8C +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-384_PRIV +NonceType = deterministic +Input = "sample" +Output = 3065023021B13D1E013C7FA1392D03C5F99AF8B30C570C6F98D4EA8E354B63A21D3DAA33BDE1E888E63355D92FA2B3C36D8FB2CD023100F3AA443FB107745BF4BD77CB3891674632068A10CA67E3D45DB2266FA7D1FEEBEFDC63ECCD1AC42EC0CB8668A4FA0AB0 + +DigestVerify = SHA256 +Key 
= P-384_PUB +Input = "sample" +Output = 3065023021B13D1E013C7FA1392D03C5F99AF8B30C570C6F98D4EA8E354B63A21D3DAA33BDE1E888E63355D92FA2B3C36D8FB2CD023100F3AA443FB107745BF4BD77CB3891674632068A10CA67E3D45DB2266FA7D1FEEBEFDC63ECCD1AC42EC0CB8668A4FA0AB0 + +DigestVerify = SHA256 +Key = P-384_PUB +Input = "sample" +Output = 3065023021B13D1E013C7FA1392D03C5F99AF8B30C570C6F98D4EA8E354B63A21D3DAA33BDE1E888E63355D92FA2B3C36D8FB2CD023100F3AA443FB107745BF4BD77CB3891674632068A10CA67E3D45DB2266FA7D1FEEBEFDC63ECCD1AC42EC0CB8668A4FA0AB1 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-384_PRIV +NonceType = deterministic +Input = "sample" +Output = 306602310094EDBB92A5ECB8AAD4736E56C691916B3F88140666CE9FA73D64C4EA95AD133C81A648152E44ACF96E36DD1E80FABE4602310099EF4AEB15F178CEA1FE40DB2603138F130E740A19624526203B6351D0A3A94FA329C145786E679E7B82C71A38628AC8 + +DigestVerify = SHA384 +Key = P-384_PUB +Input = "sample" +Output = 306602310094EDBB92A5ECB8AAD4736E56C691916B3F88140666CE9FA73D64C4EA95AD133C81A648152E44ACF96E36DD1E80FABE4602310099EF4AEB15F178CEA1FE40DB2603138F130E740A19624526203B6351D0A3A94FA329C145786E679E7B82C71A38628AC8 + +DigestVerify = SHA384 +Key = P-384_PUB +Input = "sample" +Output = 306602310094EDBB92A5ECB8AAD4736E56C691916B3F88140666CE9FA73D64C4EA95AD133C81A648152E44ACF96E36DD1E80FABE4602310099EF4AEB15F178CEA1FE40DB2603138F130E740A19624526203B6351D0A3A94FA329C145786E679E7B82C71A38628AC9 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-384_PRIV +NonceType = deterministic +Input = "sample" +Output = 3065023100ED0959D5880AB2D869AE7F6C2915C6D60F96507F9CB3E047C0046861DA4A799CFE30F35CC900056D7C99CD78824337090230512C8CCEEE3890A84058CE1E22DBC2198F42323CE8ACA9135329F03C068E5112DC7CC3EF3446DEFCEB01A45C2667FDD5 + +DigestVerify = SHA512 +Key = P-384_PUB +Input = "sample" +Output = 
3065023100ED0959D5880AB2D869AE7F6C2915C6D60F96507F9CB3E047C0046861DA4A799CFE30F35CC900056D7C99CD78824337090230512C8CCEEE3890A84058CE1E22DBC2198F42323CE8ACA9135329F03C068E5112DC7CC3EF3446DEFCEB01A45C2667FDD5 + +DigestVerify = SHA512 +Key = P-384_PUB +Input = "sample" +Output = 3065023100ED0959D5880AB2D869AE7F6C2915C6D60F96507F9CB3E047C0046861DA4A799CFE30F35CC900056D7C99CD78824337090230512C8CCEEE3890A84058CE1E22DBC2198F42323CE8ACA9135329F03C068E5112DC7CC3EF3446DEFCEB01A45C2667FDD4 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = P-384_PRIV +NonceType = deterministic +Input = "test" +Output = 306502304BC35D3A50EF4E30576F58CD96CE6BF638025EE624004A1F7789A8B8E43D0678ACD9D29876DAF46638645F7F404B11C7023100D5A6326C494ED3FF614703878961C0FDE7B2C278F9A65FD8C4B7186201A2991695BA1C84541327E966FA7B50F7382282 + +DigestVerify = SHA1 +Key = P-384_PUB +Input = "test" +Output = 306502304BC35D3A50EF4E30576F58CD96CE6BF638025EE624004A1F7789A8B8E43D0678ACD9D29876DAF46638645F7F404B11C7023100D5A6326C494ED3FF614703878961C0FDE7B2C278F9A65FD8C4B7186201A2991695BA1C84541327E966FA7B50F7382282 + +DigestVerify = SHA1 +Key = P-384_PUB +Input = "test" +Output = 306502304BC35D3A50EF4E30576F58CD96CE6BF638025EE624004A1F7789A8B8E43D0678ACD9D29876DAF46638645F7F404B11C7023100D5A6326C494ED3FF614703878961C0FDE7B2C278F9A65FD8C4B7186201A2991695BA1C84541327E966FA7B50F7382283 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-384_PRIV +NonceType = deterministic +Input = "test" +Output = 3065023100E8C9D0B6EA72A0E7837FEA1D14A1A9557F29FAA45D3E7EE888FC5BF954B5E62464A9A817C47FF78B8C11066B24080E72023007041D4A7A0379AC7232FF72E6F77B6DDB8F09B16CCE0EC3286B2BD43FA8C6141C53EA5ABEF0D8231077A04540A96B66 + +DigestVerify = SHA224 +Key = P-384_PUB +Input = "test" +Output = 3065023100E8C9D0B6EA72A0E7837FEA1D14A1A9557F29FAA45D3E7EE888FC5BF954B5E62464A9A817C47FF78B8C11066B24080E72023007041D4A7A0379AC7232FF72E6F77B6DDB8F09B16CCE0EC3286B2BD43FA8C6141C53EA5ABEF0D8231077A04540A96B66 + +DigestVerify = SHA224 +Key = P-384_PUB +Input 
= "test" +Output = 3065023100E8C9D0B6EA72A0E7837FEA1D14A1A9557F29FAA45D3E7EE888FC5BF954B5E62464A9A817C47FF78B8C11066B24080E72023007041D4A7A0379AC7232FF72E6F77B6DDB8F09B16CCE0EC3286B2BD43FA8C6141C53EA5ABEF0D8231077A04540A96B67 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-384_PRIV +NonceType = deterministic +Input = "test" +Output = 306402306D6DEFAC9AB64DABAFE36C6BF510352A4CC27001263638E5B16D9BB51D451559F918EEDAF2293BE5B475CC8F0188636B02302D46F3BECBCC523D5F1A1256BF0C9B024D879BA9E838144C8BA6BAEB4B53B47D51AB373F9845C0514EEFB14024787265 + +DigestVerify = SHA256 +Key = P-384_PUB +Input = "test" +Output = 306402306D6DEFAC9AB64DABAFE36C6BF510352A4CC27001263638E5B16D9BB51D451559F918EEDAF2293BE5B475CC8F0188636B02302D46F3BECBCC523D5F1A1256BF0C9B024D879BA9E838144C8BA6BAEB4B53B47D51AB373F9845C0514EEFB14024787265 + +DigestVerify = SHA256 +Key = P-384_PUB +Input = "test" +Output = 306402306D6DEFAC9AB64DABAFE36C6BF510352A4CC27001263638E5B16D9BB51D451559F918EEDAF2293BE5B475CC8F0188636B02302D46F3BECBCC523D5F1A1256BF0C9B024D879BA9E838144C8BA6BAEB4B53B47D51AB373F9845C0514EEFB14024787264 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-384_PRIV +NonceType = deterministic +Input = "test" +Output = 30660231008203B63D3C853E8D77227FB377BCF7B7B772E97892A80F36AB775D509D7A5FEB0542A7F0812998DA8F1DD3CA3CF023DB023100DDD0760448D42D8A43AF45AF836FCE4DE8BE06B485E9B61B827C2F13173923E06A739F040649A667BF3B828246BAA5A5 + +DigestVerify = SHA384 +Key = P-384_PUB +Input = "test" +Output = 30660231008203B63D3C853E8D77227FB377BCF7B7B772E97892A80F36AB775D509D7A5FEB0542A7F0812998DA8F1DD3CA3CF023DB023100DDD0760448D42D8A43AF45AF836FCE4DE8BE06B485E9B61B827C2F13173923E06A739F040649A667BF3B828246BAA5A5 + +DigestVerify = SHA384 +Key = P-384_PUB +Input = "test" +Output = 30660231008203B63D3C853E8D77227FB377BCF7B7B772E97892A80F36AB775D509D7A5FEB0542A7F0812998DA8F1DD3CA3CF023DB023100DDD0760448D42D8A43AF45AF836FCE4DE8BE06B485E9B61B827C2F13173923E06A739F040649A667BF3B828246BAA5A4 +Result = VERIFY_ERROR + 
+DigestSign = SHA512 +Key = P-384_PRIV +NonceType = deterministic +Input = "test" +Output = 3066023100A0D5D090C9980FAF3C2CE57B7AE951D31977DD11C775D314AF55F76C676447D06FB6495CD21B4B6E340FC236584FB277023100976984E59B4C77B0E8E4460DCA3D9F20E07B9BB1F63BEEFAF576F6B2E8B224634A2092CD3792E0159AD9CEE37659C736 + +DigestVerify = SHA512 +Key = P-384_PUB +Input = "test" +Output = 3066023100A0D5D090C9980FAF3C2CE57B7AE951D31977DD11C775D314AF55F76C676447D06FB6495CD21B4B6E340FC236584FB277023100976984E59B4C77B0E8E4460DCA3D9F20E07B9BB1F63BEEFAF576F6B2E8B224634A2092CD3792E0159AD9CEE37659C736 + +DigestVerify = SHA512 +Key = P-384_PUB +Input = "test" +Output = 3066023100A0D5D090C9980FAF3C2CE57B7AE951D31977DD11C775D314AF55F76C676447D06FB6495CD21B4B6E340FC236584FB277023100976984E59B4C77B0E8E4460DCA3D9F20E07B9BB1F63BEEFAF576F6B2E8B224634A2092CD3792E0159AD9CEE37659C737 +Result = VERIFY_ERROR + +Title = RFC 6979 P-521 deterministic ECDSA tests + +PrivateKey=P-521_PRIV +-----BEGIN PRIVATE KEY----- +MF8CAQAwEAYHKoZIzj0CAQYFK4EEACMESDBGAgEBBEH60G2qYro7JdL7QBM9p1cgXeZ/W7ABj+6M +huG2jH51yqiW6zLx9HxwhVg2ptFvzBRm9tj77GfbiewMCLDplrg1OA== +-----END PRIVATE KEY----- + +PublicKey=P-521_PUB +-----BEGIN PUBLIC KEY----- +MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBiUVQ0HhZMuAOqiO2lPIT+MMSH4bcl6BOWnFn205b +zTcRI9RuRdtrXVNwp/IPtjMVXTj/oW0r12HcrEdLmi9QI6QASTEByWLNTS/d94IoXmRYQTnC+RtH ++H/4I1TWYw90aiig2yV0G1s0qCgAiyKswj+ST6r71NM/gepmlW3+qiv9/PU= +-----END PUBLIC KEY----- + +PrivPubKeyPair=P-521_PRIV:P-521_PUB + +DigestSign = SHA1 +Key = P-521_PRIV +NonceType = deterministic +Input = "sample" +Output = 3081870241343B6EC45728975EA5CBA6659BBB6062A5FF89EEA58BE3C80B619F322C87910FE092F7D45BB0F8EEE01ED3F20BABEC079D202AE677B243AB40B5431D497C55D75D024200E7B0E675A9B24413D448B8CC119D2BF7B2D2DF032741C096634D6D65D0DBE3D5694625FB9E8104D3B842C1B0E2D0B98BEA19341E8676AEF66AE4EBA3D5475D5D16 + +DigestVerify = SHA1 +Key = P-521_PUB +Input = "sample" +Output = 
3081870241343B6EC45728975EA5CBA6659BBB6062A5FF89EEA58BE3C80B619F322C87910FE092F7D45BB0F8EEE01ED3F20BABEC079D202AE677B243AB40B5431D497C55D75D024200E7B0E675A9B24413D448B8CC119D2BF7B2D2DF032741C096634D6D65D0DBE3D5694625FB9E8104D3B842C1B0E2D0B98BEA19341E8676AEF66AE4EBA3D5475D5D16 + +DigestVerify = SHA1 +Key = P-521_PUB +Input = "sample" +Output = 3081870241343B6EC45728975EA5CBA6659BBB6062A5FF89EEA58BE3C80B619F322C87910FE092F7D45BB0F8EEE01ED3F20BABEC079D202AE677B243AB40B5431D497C55D75D024200E7B0E675A9B24413D448B8CC119D2BF7B2D2DF032741C096634D6D65D0DBE3D5694625FB9E8104D3B842C1B0E2D0B98BEA19341E8676AEF66AE4EBA3D5475D5D17 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-521_PRIV +NonceType = deterministic +Input = "sample" +Output = 308187024201776331CFCDF927D666E032E00CF776187BC9FDD8E69D0DABB4109FFE1B5E2A30715F4CC923A4A5E94D2503E9ACFED92857B7F31D7152E0F8C00C15FF3D87E2ED2E024150CB5265417FE2320BBB5A122B8E1A32BD699089851128E360E620A30C7E17BA41A666AF126CE100E5799B153B60528D5300D08489CA9178FB610A2006C254B41F + +DigestVerify = SHA224 +Key = P-521_PUB +Input = "sample" +Output = 308187024201776331CFCDF927D666E032E00CF776187BC9FDD8E69D0DABB4109FFE1B5E2A30715F4CC923A4A5E94D2503E9ACFED92857B7F31D7152E0F8C00C15FF3D87E2ED2E024150CB5265417FE2320BBB5A122B8E1A32BD699089851128E360E620A30C7E17BA41A666AF126CE100E5799B153B60528D5300D08489CA9178FB610A2006C254B41F + +DigestVerify = SHA224 +Key = P-521_PUB +Input = "sample" +Output = 308187024201776331CFCDF927D666E032E00CF776187BC9FDD8E69D0DABB4109FFE1B5E2A30715F4CC923A4A5E94D2503E9ACFED92857B7F31D7152E0F8C00C15FF3D87E2ED2E024150CB5265417FE2320BBB5A122B8E1A32BD699089851128E360E620A30C7E17BA41A666AF126CE100E5799B153B60528D5300D08489CA9178FB610A2006C254B41E +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-521_PRIV +NonceType = deterministic +Input = "sample" +Output = 
308187024201511BB4D675114FE266FC4372B87682BAECC01D3CC62CF2303C92B3526012659D16876E25C7C1E57648F23B73564D67F61C6F14D527D54972810421E7D87589E1A702414A171143A83163D6DF460AAF61522695F207A58B95C0644D87E52AA1A347916E4F7A72930B1BC06DBE22CE3F58264AFD23704CBB63B29B931F7DE6C9D949A7ECFC + +DigestVerify = SHA256 +Key = P-521_PUB +Input = "sample" +Output = 308187024201511BB4D675114FE266FC4372B87682BAECC01D3CC62CF2303C92B3526012659D16876E25C7C1E57648F23B73564D67F61C6F14D527D54972810421E7D87589E1A702414A171143A83163D6DF460AAF61522695F207A58B95C0644D87E52AA1A347916E4F7A72930B1BC06DBE22CE3F58264AFD23704CBB63B29B931F7DE6C9D949A7ECFC + +DigestVerify = SHA256 +Key = P-521_PUB +Input = "sample" +Output = 308187024201511BB4D675114FE266FC4372B87682BAECC01D3CC62CF2303C92B3526012659D16876E25C7C1E57648F23B73564D67F61C6F14D527D54972810421E7D87589E1A702414A171143A83163D6DF460AAF61522695F207A58B95C0644D87E52AA1A347916E4F7A72930B1BC06DBE22CE3F58264AFD23704CBB63B29B931F7DE6C9D949A7ECFD +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-521_PRIV +NonceType = deterministic +Input = "sample" +Output = 308188024201EA842A0E17D2DE4F92C15315C63DDF72685C18195C2BB95E572B9C5136CA4B4B576AD712A52BE9730627D16054BA40CC0B8D3FF035B12AE75168397F5D50C67451024201F21A3CEE066E1961025FB048BD5FE2B7924D0CD797BABE0A83B66F1E35EEAF5FDE143FA85DC394A7DEE766523393784484BDF3E00114A1C857CDE1AA203DB65D61 + +DigestVerify = SHA384 +Key = P-521_PUB +Input = "sample" +Output = 308188024201EA842A0E17D2DE4F92C15315C63DDF72685C18195C2BB95E572B9C5136CA4B4B576AD712A52BE9730627D16054BA40CC0B8D3FF035B12AE75168397F5D50C67451024201F21A3CEE066E1961025FB048BD5FE2B7924D0CD797BABE0A83B66F1E35EEAF5FDE143FA85DC394A7DEE766523393784484BDF3E00114A1C857CDE1AA203DB65D61 + +DigestVerify = SHA384 +Key = P-521_PUB +Input = "sample" +Output = 
308188024201EA842A0E17D2DE4F92C15315C63DDF72685C18195C2BB95E572B9C5136CA4B4B576AD712A52BE9730627D16054BA40CC0B8D3FF035B12AE75168397F5D50C67451024201F21A3CEE066E1961025FB048BD5FE2B7924D0CD797BABE0A83B66F1E35EEAF5FDE143FA85DC394A7DEE766523393784484BDF3E00114A1C857CDE1AA203DB65D60 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-521_PRIV +NonceType = deterministic +Input = "sample" +Output = 308187024200C328FAFCBD79DD77850370C46325D987CB525569FB63C5D3BC53950E6D4C5F174E25A1EE9017B5D450606ADD152B534931D7D4E8455CC91F9B15BF05EC36E377FA0241617CCE7CF5064806C467F678D3B4080D6F1CC50AF26CA209417308281B68AF282623EAA63E5B5C0723D8B8C37FF0777B1A20F8CCB1DCCC43997F1EE0E44DA4A67A + +DigestVerify = SHA512 +Key = P-521_PUB +Input = "sample" +Output = 308187024200C328FAFCBD79DD77850370C46325D987CB525569FB63C5D3BC53950E6D4C5F174E25A1EE9017B5D450606ADD152B534931D7D4E8455CC91F9B15BF05EC36E377FA0241617CCE7CF5064806C467F678D3B4080D6F1CC50AF26CA209417308281B68AF282623EAA63E5B5C0723D8B8C37FF0777B1A20F8CCB1DCCC43997F1EE0E44DA4A67A + +DigestVerify = SHA512 +Key = P-521_PUB +Input = "sample" +Output = 308187024200C328FAFCBD79DD77850370C46325D987CB525569FB63C5D3BC53950E6D4C5F174E25A1EE9017B5D450606ADD152B534931D7D4E8455CC91F9B15BF05EC36E377FA0241617CCE7CF5064806C467F678D3B4080D6F1CC50AF26CA209417308281B68AF282623EAA63E5B5C0723D8B8C37FF0777B1A20F8CCB1DCCC43997F1EE0E44DA4A67B +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = P-521_PRIV +NonceType = deterministic +Input = "test" +Output = 3081880242013BAD9F29ABE20DE37EBEB823C252CA0F63361284015A3BF430A46AAA80B87B0693F0694BD88AFE4E661FC33B094CD3B7963BED5A727ED8BD6A3A202ABE009D0367024201E9BB81FF7944CA409AD138DBBEE228E1AFCC0C890FC78EC8604639CB0DBDC90F717A99EAD9D272855D00162EE9527567DD6A92CBD629805C0445282BBC916797FF + +DigestVerify = SHA1 +Key = P-521_PUB +Input = "test" +Output = 
3081880242013BAD9F29ABE20DE37EBEB823C252CA0F63361284015A3BF430A46AAA80B87B0693F0694BD88AFE4E661FC33B094CD3B7963BED5A727ED8BD6A3A202ABE009D0367024201E9BB81FF7944CA409AD138DBBEE228E1AFCC0C890FC78EC8604639CB0DBDC90F717A99EAD9D272855D00162EE9527567DD6A92CBD629805C0445282BBC916797FF + +DigestVerify = SHA1 +Key = P-521_PUB +Input = "test" +Output = 3081880242013BAD9F29ABE20DE37EBEB823C252CA0F63361284015A3BF430A46AAA80B87B0693F0694BD88AFE4E661FC33B094CD3B7963BED5A727ED8BD6A3A202ABE009D0367024201E9BB81FF7944CA409AD138DBBEE228E1AFCC0C890FC78EC8604639CB0DBDC90F717A99EAD9D272855D00162EE9527567DD6A92CBD629805C0445282BBC916797FE +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-521_PRIV +NonceType = deterministic +Input = "test" +Output = 308188024201C7ED902E123E6815546065A2C4AF977B22AA8EADDB68B2C1110E7EA44D42086BFE4A34B67DDC0E17E96536E358219B23A706C6A6E16BA77B65E1C595D43CAE17FB02420177336676304FCB343CE028B38E7B4FBA76C1C1B277DA18CAD2A8478B2A9A9F5BEC0F3BA04F35DB3E4263569EC6AADE8C92746E4C82F8299AE1B8F1739F8FD519A4 + +DigestVerify = SHA224 +Key = P-521_PUB +Input = "test" +Output = 308188024201C7ED902E123E6815546065A2C4AF977B22AA8EADDB68B2C1110E7EA44D42086BFE4A34B67DDC0E17E96536E358219B23A706C6A6E16BA77B65E1C595D43CAE17FB02420177336676304FCB343CE028B38E7B4FBA76C1C1B277DA18CAD2A8478B2A9A9F5BEC0F3BA04F35DB3E4263569EC6AADE8C92746E4C82F8299AE1B8F1739F8FD519A4 + +DigestVerify = SHA224 +Key = P-521_PUB +Input = "test" +Output = 308188024201C7ED902E123E6815546065A2C4AF977B22AA8EADDB68B2C1110E7EA44D42086BFE4A34B67DDC0E17E96536E358219B23A706C6A6E16BA77B65E1C595D43CAE17FB02420177336676304FCB343CE028B38E7B4FBA76C1C1B277DA18CAD2A8478B2A9A9F5BEC0F3BA04F35DB3E4263569EC6AADE8C92746E4C82F8299AE1B8F1739F8FD519A5 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-521_PRIV +NonceType = deterministic +Input = "test" +Output = 
30818702410E871C4A14F993C6C7369501900C4BC1E9C7B0B4BA44E04868B30B41D8071042EB28C4C250411D0CE08CD197E4188EA4876F279F90B3D8D74A3C76E6F1E4656AA8024200CD52DBAA33B063C3A6CD8058A1FB0A46A4754B034FCC644766CA14DA8CA5CA9FDE00E88C1AD60CCBA759025299079D7A427EC3CC5B619BFBC828E7769BCD694E86 + +DigestVerify = SHA256 +Key = P-521_PUB +Input = "test" +Output = 30818702410E871C4A14F993C6C7369501900C4BC1E9C7B0B4BA44E04868B30B41D8071042EB28C4C250411D0CE08CD197E4188EA4876F279F90B3D8D74A3C76E6F1E4656AA8024200CD52DBAA33B063C3A6CD8058A1FB0A46A4754B034FCC644766CA14DA8CA5CA9FDE00E88C1AD60CCBA759025299079D7A427EC3CC5B619BFBC828E7769BCD694E86 + +DigestVerify = SHA256 +Key = P-521_PUB +Input = "test" +Output = 30818702410E871C4A14F993C6C7369501900C4BC1E9C7B0B4BA44E04868B30B41D8071042EB28C4C250411D0CE08CD197E4188EA4876F279F90B3D8D74A3C76E6F1E4656AA8024200CD52DBAA33B063C3A6CD8058A1FB0A46A4754B034FCC644766CA14DA8CA5CA9FDE00E88C1AD60CCBA759025299079D7A427EC3CC5B619BFBC828E7769BCD694E87 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-521_PRIV +NonceType = deterministic +Input = "test" +Output = 3081880242014BEE21A18B6D8B3C93FAB08D43E739707953244FDBE924FA926D76669E7AC8C89DF62ED8975C2D8397A65A49DCC09F6B0AC62272741924D479354D74FF6075578C02420133330865C067A0EAF72362A65E2D7BC4E461E8C8995C3B6226A21BD1AA78F0ED94FE536A0DCA35534F0CD1510C41525D163FE9D74D134881E35141ED5E8E95B979 + +DigestVerify = SHA384 +Key = P-521_PUB +Input = "test" +Output = 3081880242014BEE21A18B6D8B3C93FAB08D43E739707953244FDBE924FA926D76669E7AC8C89DF62ED8975C2D8397A65A49DCC09F6B0AC62272741924D479354D74FF6075578C02420133330865C067A0EAF72362A65E2D7BC4E461E8C8995C3B6226A21BD1AA78F0ED94FE536A0DCA35534F0CD1510C41525D163FE9D74D134881E35141ED5E8E95B979 + +DigestVerify = SHA384 +Key = P-521_PUB +Input = "test" +Output = 
3081880242014BEE21A18B6D8B3C93FAB08D43E739707953244FDBE924FA926D76669E7AC8C89DF62ED8975C2D8397A65A49DCC09F6B0AC62272741924D479354D74FF6075578C02420133330865C067A0EAF72362A65E2D7BC4E461E8C8995C3B6226A21BD1AA78F0ED94FE536A0DCA35534F0CD1510C41525D163FE9D74D134881E35141ED5E8E95B978 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-521_PRIV +NonceType = deterministic +Input = "test" +Output = 3081880242013E99020ABF5CEE7525D16B69B229652AB6BDF2AFFCAEF38773B4B7D08725F10CDB93482FDCC54EDCEE91ECA4166B2A7C6265EF0CE2BD7051B7CEF945BABD47EE6D024201FBD0013C674AA79CB39849527916CE301C66EA7CE8B80682786AD60F98F7E78A19CA69EFF5C57400E3B3A0AD66CE0978214D13BAF4E9AC60752F7B155E2DE4DCE3 + +DigestVerify = SHA512 +Key = P-521_PUB +Input = "test" +Output = 3081880242013E99020ABF5CEE7525D16B69B229652AB6BDF2AFFCAEF38773B4B7D08725F10CDB93482FDCC54EDCEE91ECA4166B2A7C6265EF0CE2BD7051B7CEF945BABD47EE6D024201FBD0013C674AA79CB39849527916CE301C66EA7CE8B80682786AD60F98F7E78A19CA69EFF5C57400E3B3A0AD66CE0978214D13BAF4E9AC60752F7B155E2DE4DCE3 + +DigestVerify = SHA512 +Key = P-521_PUB +Input = "test" +Output = 3081880242013E99020ABF5CEE7525D16B69B229652AB6BDF2AFFCAEF38773B4B7D08725F10CDB93482FDCC54EDCEE91ECA4166B2A7C6265EF0CE2BD7051B7CEF945BABD47EE6D024201FBD0013C674AA79CB39849527916CE301C66EA7CE8B80682786AD60F98F7E78A19CA69EFF5C57400E3B3A0AD66CE0978214D13BAF4E9AC60752F7B155E2DE4DCE2 +Result = VERIFY_ERROR + +Title = RFC 6979 K-163 deterministic ECDSA tests + +PrivateKey=K-163_PRIV +-----BEGIN PRIVATE KEY----- +MDICAQAwEAYHKoZIzj0CAQYFK4EEAAEEGzAZAgEBBBSaTWeSKVp/cw/D8rScvA9i6GInLw== +-----END PRIVATE KEY----- + +PublicKey=K-163_PUB +-----BEGIN PUBLIC KEY----- +MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEB5ruCQ2wXsJS1ctEUvNWvhmKT/lvB4LiljTdyaMe9AOG +6Ja6oYtTr6Wj +-----END PUBLIC KEY----- + +PrivPubKeyPair=K-163_PRIV:K-163_PUB + +DigestSign = SHA1 +Key = K-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302E0215030C45B80BA0E1406C4EFBBB7000D6DE4FA465D5050215038D87DF89493522FC4CD7DE1553BD9DBBA2123011 + 
+DigestVerify = SHA1 +Key = K-163_PUB +Input = "sample" +Output = 302E0215030C45B80BA0E1406C4EFBBB7000D6DE4FA465D5050215038D87DF89493522FC4CD7DE1553BD9DBBA2123011 + +DigestVerify = SHA1 +Key = K-163_PUB +Input = "sample" +Output = 302E0215030C45B80BA0E1406C4EFBBB7000D6DE4FA465D5050215038D87DF89493522FC4CD7DE1553BD9DBBA2123010 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302D0215038A2749F7EA13BD5DA0C76C842F512D5A65FFAF32021464F841F70112B793FD773F5606BFA5AC2A04C1E8 + +DigestVerify = SHA224 +Key = K-163_PUB +Input = "sample" +Output = 302D0215038A2749F7EA13BD5DA0C76C842F512D5A65FFAF32021464F841F70112B793FD773F5606BFA5AC2A04C1E8 + +DigestVerify = SHA224 +Key = K-163_PUB +Input = "sample" +Output = 302D0215038A2749F7EA13BD5DA0C76C842F512D5A65FFAF32021464F841F70112B793FD773F5606BFA5AC2A04C1E9 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302E02150113A63990598A3828C407C0F4D2438D990DF99A7F021501313A2E03F5412DDB296A22E2C455335545672D9F + +DigestVerify = SHA256 +Key = K-163_PUB +Input = "sample" +Output = 302E02150113A63990598A3828C407C0F4D2438D990DF99A7F021501313A2E03F5412DDB296A22E2C455335545672D9F + +DigestVerify = SHA256 +Key = K-163_PUB +Input = "sample" +Output = 302E02150113A63990598A3828C407C0F4D2438D990DF99A7F021501313A2E03F5412DDB296A22E2C455335545672D9E +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302E0215034D4DE955871BB84FEA4E7D068BA5E9A11BD8B6C4021502BAAF4D4FD57F175C405A2F39F9755D9045C820BD + +DigestVerify = SHA384 +Key = K-163_PUB +Input = "sample" +Output = 302E0215034D4DE955871BB84FEA4E7D068BA5E9A11BD8B6C4021502BAAF4D4FD57F175C405A2F39F9755D9045C820BD + +DigestVerify = SHA384 +Key = K-163_PUB +Input = "sample" +Output = 302E0215034D4DE955871BB84FEA4E7D068BA5E9A11BD8B6C4021502BAAF4D4FD57F175C405A2F39F9755D9045C820BC +Result = VERIFY_ERROR + 
+DigestSign = SHA512 +Key = K-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302E0215038E487F218D696A7323B891F0CCF055D895B77ADC021500972D7721093F9B3835A5EB7F0442FA8DCAA873C4 + +DigestVerify = SHA512 +Key = K-163_PUB +Input = "sample" +Output = 302E0215038E487F218D696A7323B891F0CCF055D895B77ADC021500972D7721093F9B3835A5EB7F0442FA8DCAA873C4 + +DigestVerify = SHA512 +Key = K-163_PUB +Input = "sample" +Output = 302E0215038E487F218D696A7323B891F0CCF055D895B77ADC021500972D7721093F9B3835A5EB7F0442FA8DCAA873C5 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = K-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302E021501375BEF93F21582F601497036A7DC8014A99C2B7902150254B7F1472FFFEE9002D081BB8CE819CCE6E687F9 + +DigestVerify = SHA1 +Key = K-163_PUB +Input = "test" +Output = 302E021501375BEF93F21582F601497036A7DC8014A99C2B7902150254B7F1472FFFEE9002D081BB8CE819CCE6E687F9 + +DigestVerify = SHA1 +Key = K-163_PUB +Input = "test" +Output = 302E021501375BEF93F21582F601497036A7DC8014A99C2B7902150254B7F1472FFFEE9002D081BB8CE819CCE6E687F8 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302D02150110F17EF209957214E35E8C2E83CBE73B3BFDEE2C021457D5022392D359851B95DEC2444012502A5349CB + +DigestVerify = SHA224 +Key = K-163_PUB +Input = "test" +Output = 302D02150110F17EF209957214E35E8C2E83CBE73B3BFDEE2C021457D5022392D359851B95DEC2444012502A5349CB + +DigestVerify = SHA224 +Key = K-163_PUB +Input = "test" +Output = 302D02150110F17EF209957214E35E8C2E83CBE73B3BFDEE2C021457D5022392D359851B95DEC2444012502A5349CA +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302C0214354D5CD24F9C41F85D02E856FA2B0001C83AF53E021420B200677731CD4FE48612A92F72A19853A82B65 + +DigestVerify = SHA256 +Key = K-163_PUB +Input = "test" +Output = 302C0214354D5CD24F9C41F85D02E856FA2B0001C83AF53E021420B200677731CD4FE48612A92F72A19853A82B65 + +DigestVerify = SHA256 
+Key = K-163_PUB +Input = "test" +Output = 302C0214354D5CD24F9C41F85D02E856FA2B0001C83AF53E021420B200677731CD4FE48612A92F72A19853A82B64 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302E0215011B6A84206515495AD8DBB2E5785D6D018D75817E021501A7D4C1E17D4030A5D748ADEA785C77A54581F6D0 + +DigestVerify = SHA384 +Key = K-163_PUB +Input = "test" +Output = 302E0215011B6A84206515495AD8DBB2E5785D6D018D75817E021501A7D4C1E17D4030A5D748ADEA785C77A54581F6D0 + +DigestVerify = SHA384 +Key = K-163_PUB +Input = "test" +Output = 302E0215011B6A84206515495AD8DBB2E5785D6D018D75817E021501A7D4C1E17D4030A5D748ADEA785C77A54581F6D1 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302E02150148934745B351F6367FF5BB56B1848A2F508902A90215036214B19444FAB504DBA61D4D6FF2D2F9640F4837 + +DigestVerify = SHA512 +Key = K-163_PUB +Input = "test" +Output = 302E02150148934745B351F6367FF5BB56B1848A2F508902A90215036214B19444FAB504DBA61D4D6FF2D2F9640F4837 + +DigestVerify = SHA512 +Key = K-163_PUB +Input = "test" +Output = 302E02150148934745B351F6367FF5BB56B1848A2F508902A90215036214B19444FAB504DBA61D4D6FF2D2F9640F4836 +Result = VERIFY_ERROR + +Title = RFC 6979 K-233 deterministic ECDSA tests + +PrivateKey=K-233_PRIV +-----BEGIN PRIVATE KEY----- +MDsCAQAwEAYHKoZIzj0CAQYFK4EEABoEJDAiAgEBBB0QOyFCvcKjw7VQgNCd8YCPeTNtojmfXKcX +HRvpsA== +-----END PRIVATE KEY----- + +PublicKey=K-233_PUB +-----BEGIN PUBLIC KEY----- +MFIwEAYHKoZIzj0CAQYFK4EEABoDPgAEAGgohvNsaEc8GiIXIMKxK5vhNFi6kH4cRzZZV3nyAbIG +ObQb4JJwkJmbeBejs5KNIFA6OVRgROwToQMJ +-----END PUBLIC KEY----- + +PrivPubKeyPair=K-233_PRIV:K-233_PUB + +DigestSign = SHA1 +Key = K-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303E021D5474541C988A9A1F73899F55EF28963DFFBBF0C2B1A1EE787C6A76C6A4021D46301F9EC6624257BFC70D72186F17898EDBD0A3522560A88DD1B7D45A + +DigestVerify = SHA1 +Key = K-233_PUB +Input = "sample" +Output = 
303E021D5474541C988A9A1F73899F55EF28963DFFBBF0C2B1A1EE787C6A76C6A4021D46301F9EC6624257BFC70D72186F17898EDBD0A3522560A88DD1B7D45A + +DigestVerify = SHA1 +Key = K-233_PUB +Input = "sample" +Output = 303E021D5474541C988A9A1F73899F55EF28963DFFBBF0C2B1A1EE787C6A76C6A4021D46301F9EC6624257BFC70D72186F17898EDBD0A3522560A88DD1B7D45B +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303E021D667F2FCE3E1C497EBD8E4B7C6372A8234003FE4ED6D4515814E7E11430021D6A1C41340DAA730320DB9475F10E29A127D7AE3432F155E1F7954E1B57 + +DigestVerify = SHA224 +Key = K-233_PUB +Input = "sample" +Output = 303E021D667F2FCE3E1C497EBD8E4B7C6372A8234003FE4ED6D4515814E7E11430021D6A1C41340DAA730320DB9475F10E29A127D7AE3432F155E1F7954E1B57 + +DigestVerify = SHA224 +Key = K-233_PUB +Input = "sample" +Output = 303E021D667F2FCE3E1C497EBD8E4B7C6372A8234003FE4ED6D4515814E7E11430021D6A1C41340DAA730320DB9475F10E29A127D7AE3432F155E1F7954E1B56 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303E021D38AD9C1D2CB29906E7D63C24601AC55736B438FB14F4093D6C32F63A10021D647AAD2599C21B6EE89BE7FF957D98F684B7921DE1FD3CC82C079624F4 + +DigestVerify = SHA256 +Key = K-233_PUB +Input = "sample" +Output = 303E021D38AD9C1D2CB29906E7D63C24601AC55736B438FB14F4093D6C32F63A10021D647AAD2599C21B6EE89BE7FF957D98F684B7921DE1FD3CC82C079624F4 + +DigestVerify = SHA256 +Key = K-233_PUB +Input = "sample" +Output = 303E021D38AD9C1D2CB29906E7D63C24601AC55736B438FB14F4093D6C32F63A10021D647AAD2599C21B6EE89BE7FF957D98F684B7921DE1FD3CC82C079624F5 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303E021D0C6510F57559C36FBCFF8C7BA4B81853DC618AD0BAAB03CFFDF3FD09FD021D0AD331EE1C9B91A88BA77997235769C60AD07EE69E11F7137E17C5CF67 + +DigestVerify = SHA384 +Key = K-233_PUB +Input = "sample" +Output = 
303E021D0C6510F57559C36FBCFF8C7BA4B81853DC618AD0BAAB03CFFDF3FD09FD021D0AD331EE1C9B91A88BA77997235769C60AD07EE69E11F7137E17C5CF67 + +DigestVerify = SHA384 +Key = K-233_PUB +Input = "sample" +Output = 303E021D0C6510F57559C36FBCFF8C7BA4B81853DC618AD0BAAB03CFFDF3FD09FD021D0AD331EE1C9B91A88BA77997235769C60AD07EE69E11F7137E17C5CF66 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303E021D47C4AC1B344028CC740BA7BB9F8AA59D6390E3158153D4F2ADE4B74950021D26CE0CDE18A1B884B3EE1A879C13B42F11BB7C85F7A3745C8BECEC8E6E + +DigestVerify = SHA512 +Key = K-233_PUB +Input = "sample" +Output = 303E021D47C4AC1B344028CC740BA7BB9F8AA59D6390E3158153D4F2ADE4B74950021D26CE0CDE18A1B884B3EE1A879C13B42F11BB7C85F7A3745C8BECEC8E6E + +DigestVerify = SHA512 +Key = K-233_PUB +Input = "sample" +Output = 303E021D47C4AC1B344028CC740BA7BB9F8AA59D6390E3158153D4F2ADE4B74950021D26CE0CDE18A1B884B3EE1A879C13B42F11BB7C85F7A3745C8BECEC8E6F +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = K-233_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D4780B2DE4BAA5613872179AD90664249842E8B96FCD5653B55DD63EED4021D6AF46BA322E21D4A88DAEC1650EF38774231276266D6A45ED6A64ECB44 + +DigestVerify = SHA1 +Key = K-233_PUB +Input = "test" +Output = 303E021D4780B2DE4BAA5613872179AD90664249842E8B96FCD5653B55DD63EED4021D6AF46BA322E21D4A88DAEC1650EF38774231276266D6A45ED6A64ECB44 + +DigestVerify = SHA1 +Key = K-233_PUB +Input = "test" +Output = 303E021D4780B2DE4BAA5613872179AD90664249842E8B96FCD5653B55DD63EED4021D6AF46BA322E21D4A88DAEC1650EF38774231276266D6A45ED6A64ECB45 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-233_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D61D9CC8C842DF19B3D9F4BDA0D0E14A957357ADABC239444610FB39AEA021D66432278891CB594BA8D08A0C556053D15917E53449E03C2EF88474CF6 + +DigestVerify = SHA224 +Key = K-233_PUB +Input = "test" +Output = 
303E021D61D9CC8C842DF19B3D9F4BDA0D0E14A957357ADABC239444610FB39AEA021D66432278891CB594BA8D08A0C556053D15917E53449E03C2EF88474CF6 + +DigestVerify = SHA224 +Key = K-233_PUB +Input = "test" +Output = 303E021D61D9CC8C842DF19B3D9F4BDA0D0E14A957357ADABC239444610FB39AEA021D66432278891CB594BA8D08A0C556053D15917E53449E03C2EF88474CF7 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-233_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D05E4E6B4DB0E13034E7F1F2E5DBAB766D37C15AE4056C7EE607C8AC7F4021D5FC46AA489BF828B34FBAD25EC432190F161BEA8F60D3FCADB0EE3B725 + +DigestVerify = SHA256 +Key = K-233_PUB +Input = "test" +Output = 303E021D05E4E6B4DB0E13034E7F1F2E5DBAB766D37C15AE4056C7EE607C8AC7F4021D5FC46AA489BF828B34FBAD25EC432190F161BEA8F60D3FCADB0EE3B725 + +DigestVerify = SHA256 +Key = K-233_PUB +Input = "test" +Output = 303E021D05E4E6B4DB0E13034E7F1F2E5DBAB766D37C15AE4056C7EE607C8AC7F4021D5FC46AA489BF828B34FBAD25EC432190F161BEA8F60D3FCADB0EE3B724 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-233_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D50F1EFEDFFEC1088024620280EE0D7641542E4D4B5D61DB32358FC571B021D4614EAE449927A9EB2FCC42EA3E955B43D194087719511A007EC9217A5 + +DigestVerify = SHA384 +Key = K-233_PUB +Input = "test" +Output = 303E021D50F1EFEDFFEC1088024620280EE0D7641542E4D4B5D61DB32358FC571B021D4614EAE449927A9EB2FCC42EA3E955B43D194087719511A007EC9217A5 + +DigestVerify = SHA384 +Key = K-233_PUB +Input = "test" +Output = 303E021D50F1EFEDFFEC1088024620280EE0D7641542E4D4B5D61DB32358FC571B021D4614EAE449927A9EB2FCC42EA3E955B43D194087719511A007EC9217A4 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-233_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D6FE6D0D3A953BB66BB01BC6B9EDFAD9F35E88277E5768D1B214395320F021D7C01A236E4BFF0A771050AD01EC1D24025D3130BBD9E4E81978EB3EC09 + +DigestVerify = SHA512 +Key = K-233_PUB +Input = "test" +Output = 
303E021D6FE6D0D3A953BB66BB01BC6B9EDFAD9F35E88277E5768D1B214395320F021D7C01A236E4BFF0A771050AD01EC1D24025D3130BBD9E4E81978EB3EC09 + +DigestVerify = SHA512 +Key = K-233_PUB +Input = "test" +Output = 303E021D6FE6D0D3A953BB66BB01BC6B9EDFAD9F35E88277E5768D1B214395320F021D7C01A236E4BFF0A771050AD01EC1D24025D3130BBD9E4E81978EB3EC08 +Result = VERIFY_ERROR + +Title = RFC 6979 K-283 deterministic ECDSA tests + +PrivateKey=K-283_PRIV +-----BEGIN PRIVATE KEY----- +MEECAQAwEAYHKoZIzj0CAQYFK4EEABAEKjAoAgEBBCNqB3c1boe4m6HtOj2EU1e+MyFzyPemW9x9 +tPqzxMx5rMgZTg== +-----END PRIVATE KEY----- + +PublicKey=K-283_PUB +-----BEGIN PUBLIC KEY----- +MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEAlMw0KZR1aINxjibwCNFEXclZArsPBJmEs5ETt0ZZJve +zAPWBQW9YKS2cYJHTsTRxminMUD3BQSmjznvzZckh+lTDgUIp2GT +-----END PUBLIC KEY----- + +PrivPubKeyPair=K-283_PRIV:K-283_PUB + +DigestSign = SHA1 +Key = K-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304B022401B66D1E33FBDB6E107A69B610995C93C744CEBAEAF623CB42737C27D60188BD1D045A6802232E45B62C9C258643532FD536594B46C63B063946494F95DAFF8759FD552502324295C5 + +DigestVerify = SHA1 +Key = K-283_PUB +Input = "sample" +Output = 304B022401B66D1E33FBDB6E107A69B610995C93C744CEBAEAF623CB42737C27D60188BD1D045A6802232E45B62C9C258643532FD536594B46C63B063946494F95DAFF8759FD552502324295C5 + +DigestVerify = SHA1 +Key = K-283_PUB +Input = "sample" +Output = 304B022401B66D1E33FBDB6E107A69B610995C93C744CEBAEAF623CB42737C27D60188BD1D045A6802232E45B62C9C258643532FD536594B46C63B063946494F95DAFF8759FD552502324295C4 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304B022318CF2F371BE86BB62E02B27CDE56DDAC83CCFBB3141FC59AEE022B66AC1A60DBBD8B76022401854E02A381295EA7F184CEE71AB7222D6974522D3B99B309B1A8025EB84118A28BF20E + +DigestVerify = SHA224 +Key = K-283_PUB +Input = "sample" +Output = 
304B022318CF2F371BE86BB62E02B27CDE56DDAC83CCFBB3141FC59AEE022B66AC1A60DBBD8B76022401854E02A381295EA7F184CEE71AB7222D6974522D3B99B309B1A8025EB84118A28BF20E + +DigestVerify = SHA224 +Key = K-283_PUB +Input = "sample" +Output = 304B022318CF2F371BE86BB62E02B27CDE56DDAC83CCFBB3141FC59AEE022B66AC1A60DBBD8B76022401854E02A381295EA7F184CEE71AB7222D6974522D3B99B309B1A8025EB84118A28BF20F +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304C0224019E90AA3DE5FB20AED22879F92C6FED278D9C9B9293CC5E94922CD952C9DBF20DF1753A02240135AA7443B6A25D11BB64AC482E04D47902D017752882BD72527114F46CF8BB56C5A8C3 + +DigestVerify = SHA256 +Key = K-283_PUB +Input = "sample" +Output = 304C0224019E90AA3DE5FB20AED22879F92C6FED278D9C9B9293CC5E94922CD952C9DBF20DF1753A02240135AA7443B6A25D11BB64AC482E04D47902D017752882BD72527114F46CF8BB56C5A8C3 + +DigestVerify = SHA256 +Key = K-283_PUB +Input = "sample" +Output = 304C0224019E90AA3DE5FB20AED22879F92C6FED278D9C9B9293CC5E94922CD952C9DBF20DF1753A02240135AA7443B6A25D11BB64AC482E04D47902D017752882BD72527114F46CF8BB56C5A8C2 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304C022400F8C1CA9C221AD9907A136F787D33BA56B0495A40E86E671C940FD767EDD75EB6001A49022401071A56915DEE89E22E511975AA09D00CDC4AA7F5054CBE83F5977EE6F8E1CC31EC43FD + +DigestVerify = SHA384 +Key = K-283_PUB +Input = "sample" +Output = 304C022400F8C1CA9C221AD9907A136F787D33BA56B0495A40E86E671C940FD767EDD75EB6001A49022401071A56915DEE89E22E511975AA09D00CDC4AA7F5054CBE83F5977EE6F8E1CC31EC43FD + +DigestVerify = SHA384 +Key = K-283_PUB +Input = "sample" +Output = 304C022400F8C1CA9C221AD9907A136F787D33BA56B0495A40E86E671C940FD767EDD75EB6001A49022401071A56915DEE89E22E511975AA09D00CDC4AA7F5054CBE83F5977EE6F8E1CC31EC43FC +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 
304C022401D0008CF4BA4A701BEF70771934C2A4A87386155A2354140E2ED52E18553C35B47D9E50022400D15F4FA1B7A4D41D9843578E22EF98773179103DC4FF0DD1F74A6B5642841B91056F78 + +DigestVerify = SHA512 +Key = K-283_PUB +Input = "sample" +Output = 304C022401D0008CF4BA4A701BEF70771934C2A4A87386155A2354140E2ED52E18553C35B47D9E50022400D15F4FA1B7A4D41D9843578E22EF98773179103DC4FF0DD1F74A6B5642841B91056F78 + +DigestVerify = SHA512 +Key = K-283_PUB +Input = "sample" +Output = 304C022401D0008CF4BA4A701BEF70771934C2A4A87386155A2354140E2ED52E18553C35B47D9E50022400D15F4FA1B7A4D41D9843578E22EF98773179103DC4FF0DD1F74A6B5642841B91056F79 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = K-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304C02240140932FA7307666A8CCB1E1A09656CC40F5932965841ABD5E8E43559D93CF2311B027670224016A2FD46DA497E5E739DED67F426308C45C2E16528BF2A17EB5D65964FD88B770FBB9C6 + +DigestVerify = SHA1 +Key = K-283_PUB +Input = "test" +Output = 304C02240140932FA7307666A8CCB1E1A09656CC40F5932965841ABD5E8E43559D93CF2311B027670224016A2FD46DA497E5E739DED67F426308C45C2E16528BF2A17EB5D65964FD88B770FBB9C6 + +DigestVerify = SHA1 +Key = K-283_PUB +Input = "test" +Output = 304C02240140932FA7307666A8CCB1E1A09656CC40F5932965841ABD5E8E43559D93CF2311B027670224016A2FD46DA497E5E739DED67F426308C45C2E16528BF2A17EB5D65964FD88B770FBB9C7 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304C022400E72AF7E39CD72EF21E61964D87C838F977485FA6A7E999000AFA97A381B2445FCEE541022401644FF7D848DA1A040F77515082C27C763B1B4BF332BCF5D08251C6B57D806319778208 + +DigestVerify = SHA224 +Key = K-283_PUB +Input = "test" +Output = 304C022400E72AF7E39CD72EF21E61964D87C838F977485FA6A7E999000AFA97A381B2445FCEE541022401644FF7D848DA1A040F77515082C27C763B1B4BF332BCF5D08251C6B57D806319778208 + +DigestVerify = SHA224 +Key = K-283_PUB +Input = "test" +Output = 
304C022400E72AF7E39CD72EF21E61964D87C838F977485FA6A7E999000AFA97A381B2445FCEE541022401644FF7D848DA1A040F77515082C27C763B1B4BF332BCF5D08251C6B57D806319778209 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304B02240158FAEB2470B306C57764AFC8528174589008449E11DB8B36994B607A65956A597155310223521BC667CA1CA42B5649E78A3D76823C678B7BB3CD58D2E93CD791D53043A6F83F1FD1 + +DigestVerify = SHA256 +Key = K-283_PUB +Input = "test" +Output = 304B02240158FAEB2470B306C57764AFC8528174589008449E11DB8B36994B607A65956A597155310223521BC667CA1CA42B5649E78A3D76823C678B7BB3CD58D2E93CD791D53043A6F83F1FD1 + +DigestVerify = SHA256 +Key = K-283_PUB +Input = "test" +Output = 304B02240158FAEB2470B306C57764AFC8528174589008449E11DB8B36994B607A65956A597155310223521BC667CA1CA42B5649E78A3D76823C678B7BB3CD58D2E93CD791D53043A6F83F1FD0 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304B022401CC4DC5479E0F34C4339631A45AA690580060BF0EB518184C983E0E618C3B93AAB14BBE0223284D72FF8AFA83DE364502CBA0494BB06D40AE08F9D9746E747EA87240E589BA0683B7 + +DigestVerify = SHA384 +Key = K-283_PUB +Input = "test" +Output = 304B022401CC4DC5479E0F34C4339631A45AA690580060BF0EB518184C983E0E618C3B93AAB14BBE0223284D72FF8AFA83DE364502CBA0494BB06D40AE08F9D9746E747EA87240E589BA0683B7 + +DigestVerify = SHA384 +Key = K-283_PUB +Input = "test" +Output = 304B022401CC4DC5479E0F34C4339631A45AA690580060BF0EB518184C983E0E618C3B93AAB14BBE0223284D72FF8AFA83DE364502CBA0494BB06D40AE08F9D9746E747EA87240E589BA0683B6 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304C022401E7912517C6899732E09756B1660F6B96635D638283DF9A8A11D30E008895D7F5C9C7F3022400887E75CBD0B7DD9DE30ED79BDB3D78E4F1121C5EAFF5946918F594F88D363644789DA7 + +DigestVerify = SHA512 +Key = K-283_PUB +Input = "test" +Output = 
304C022401E7912517C6899732E09756B1660F6B96635D638283DF9A8A11D30E008895D7F5C9C7F3022400887E75CBD0B7DD9DE30ED79BDB3D78E4F1121C5EAFF5946918F594F88D363644789DA7 + +DigestVerify = SHA512 +Key = K-283_PUB +Input = "test" +Output = 304C022401E7912517C6899732E09756B1660F6B96635D638283DF9A8A11D30E008895D7F5C9C7F3022400887E75CBD0B7DD9DE30ED79BDB3D78E4F1121C5EAFF5946918F594F88D363644789DA6 +Result = VERIFY_ERROR + +Title = RFC 6979 K-409 deterministic ECDSA tests + +PrivateKey=K-409_PRIV +-----BEGIN PRIVATE KEY----- +MFECAQAwEAYHKoZIzj0CAQYFK4EEACQEOjA4AgEBBDMpwWdo8B0bion9qF4u/XOglVi5KheKKTHz +WeTXCthT5WnNrxbapWl1j7TnMInkUl2Lv88= +-----END PRIVATE KEY----- + +PublicKey=K-409_PUB +-----BEGIN PUBLIC KEY----- +MH4wEAYHKoZIzj0CAQYFK4EEACQDagAEAM+SP1I/40puhj2LpF+x/m14TI8hnEFO7024Ni2708px +rrKPVoZo1degCT4rhPb611nbQgE7HDdNUTKXihsRI+u+mlxU0anVawmv20rek8zXxNMy4pFvfUud +GFeO48Li3k0uzg3mNUk= +-----END PUBLIC KEY----- + +PrivPubKeyPair=K-409_PRIV:K-409_PUB + +DigestSign = SHA1 +Key = K-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306A02337192EE99EC7AFE23E02CB1F9850D1ECE620475EDA6B65D04984029408EC1E5A6476BC940D81F218FC31D979814CAC6E78340FA02331DE75DE97CBE740FC79A6B5B22BC2B7832C687E6960F0B8173D5D8BE2A75AC6CA43438BAF69C669CE6D64E0FB93BC5854E0F81 + +DigestVerify = SHA1 +Key = K-409_PUB +Input = "sample" +Output = 306A02337192EE99EC7AFE23E02CB1F9850D1ECE620475EDA6B65D04984029408EC1E5A6476BC940D81F218FC31D979814CAC6E78340FA02331DE75DE97CBE740FC79A6B5B22BC2B7832C687E6960F0B8173D5D8BE2A75AC6CA43438BAF69C669CE6D64E0FB93BC5854E0F81 + +DigestVerify = SHA1 +Key = K-409_PUB +Input = "sample" +Output = 306A02337192EE99EC7AFE23E02CB1F9850D1ECE620475EDA6B65D04984029408EC1E5A6476BC940D81F218FC31D979814CAC6E78340FA02331DE75DE97CBE740FC79A6B5B22BC2B7832C687E6960F0B8173D5D8BE2A75AC6CA43438BAF69C669CE6D64E0FB93BC5854E0F80 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 
306A023341C8EDF39D5E4E76A04D24E6BFD4B2EC35F99CD2483478FD8B0A03E99379576EDACC4167590B7D9C387857A5130B1220CB771F0233659652EEAC9747BCAD58034B25362B6AA61836E1BA50E2F37630813050D43457E62EAB0F13AE197E6CFE0244F983107555E269 + +DigestVerify = SHA224 +Key = K-409_PUB +Input = "sample" +Output = 306A023341C8EDF39D5E4E76A04D24E6BFD4B2EC35F99CD2483478FD8B0A03E99379576EDACC4167590B7D9C387857A5130B1220CB771F0233659652EEAC9747BCAD58034B25362B6AA61836E1BA50E2F37630813050D43457E62EAB0F13AE197E6CFE0244F983107555E269 + +DigestVerify = SHA224 +Key = K-409_PUB +Input = "sample" +Output = 306A023341C8EDF39D5E4E76A04D24E6BFD4B2EC35F99CD2483478FD8B0A03E99379576EDACC4167590B7D9C387857A5130B1220CB771F0233659652EEAC9747BCAD58034B25362B6AA61836E1BA50E2F37630813050D43457E62EAB0F13AE197E6CFE0244F983107555E268 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306A023349EC220D6D24980693E6D33B191532EAB4C5D924E97E305E2C1CCFE6F1EAEF96C17F6EC27D1E06191023615368628A7E0BD6A902331A4AB1DD9BAAA21F77C503E1B39E770FFD44718349D54BA4CF08F688CE89D7D7C5F7213F225944BE5F7C9BA42B8BEE382F8AF9 + +DigestVerify = SHA256 +Key = K-409_PUB +Input = "sample" +Output = 306A023349EC220D6D24980693E6D33B191532EAB4C5D924E97E305E2C1CCFE6F1EAEF96C17F6EC27D1E06191023615368628A7E0BD6A902331A4AB1DD9BAAA21F77C503E1B39E770FFD44718349D54BA4CF08F688CE89D7D7C5F7213F225944BE5F7C9BA42B8BEE382F8AF9 + +DigestVerify = SHA256 +Key = K-409_PUB +Input = "sample" +Output = 306A023349EC220D6D24980693E6D33B191532EAB4C5D924E97E305E2C1CCFE6F1EAEF96C17F6EC27D1E06191023615368628A7E0BD6A902331A4AB1DD9BAAA21F77C503E1B39E770FFD44718349D54BA4CF08F688CE89D7D7C5F7213F225944BE5F7C9BA42B8BEE382F8AF8 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 
306A0233562BB99EE027644EC04E493C5E81B41F261F6BD18FB2FAE3AFEAD91FAB8DD44AFA910B13B9C79C87555225219E44E72245BB7C023325BA5F28047DDDBDA7ED7E49DA31B62B20FD9C7E5B8988817BBF738B3F4DFDD2DCD06EE6DF2A1B744C850DAF952C12B9A56774 + +DigestVerify = SHA384 +Key = K-409_PUB +Input = "sample" +Output = 306A0233562BB99EE027644EC04E493C5E81B41F261F6BD18FB2FAE3AFEAD91FAB8DD44AFA910B13B9C79C87555225219E44E72245BB7C023325BA5F28047DDDBDA7ED7E49DA31B62B20FD9C7E5B8988817BBF738B3F4DFDD2DCD06EE6DF2A1B744C850DAF952C12B9A56774 + +DigestVerify = SHA384 +Key = K-409_PUB +Input = "sample" +Output = 306A0233562BB99EE027644EC04E493C5E81B41F261F6BD18FB2FAE3AFEAD91FAB8DD44AFA910B13B9C79C87555225219E44E72245BB7C023325BA5F28047DDDBDA7ED7E49DA31B62B20FD9C7E5B8988817BBF738B3F4DFDD2DCD06EE6DF2A1B744C850DAF952C12B9A56775 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306A023316C7E7FB33B5577F7CF6F77762F0F2D531C6E7A3528BD2CF582498C1A48F200789E9DF7B754029DA0D7E3CE96A2DC76093260602332729617EFBF80DA5D2F201AC7910D3404A992C39921C2F65F8CF4601392DFE933E6457EAFDBD13DFE160D243100378B55C290A + +DigestVerify = SHA512 +Key = K-409_PUB +Input = "sample" +Output = 306A023316C7E7FB33B5577F7CF6F77762F0F2D531C6E7A3528BD2CF582498C1A48F200789E9DF7B754029DA0D7E3CE96A2DC76093260602332729617EFBF80DA5D2F201AC7910D3404A992C39921C2F65F8CF4601392DFE933E6457EAFDBD13DFE160D243100378B55C290A + +DigestVerify = SHA512 +Key = K-409_PUB +Input = "sample" +Output = 306A023316C7E7FB33B5577F7CF6F77762F0F2D531C6E7A3528BD2CF582498C1A48F200789E9DF7B754029DA0D7E3CE96A2DC76093260602332729617EFBF80DA5D2F201AC7910D3404A992C39921C2F65F8CF4601392DFE933E6457EAFDBD13DFE160D243100378B55C290B +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = K-409_PRIV +NonceType = deterministic +Input = "test" +Output = 
306A0233565648A5BAD24E747A7D7531FA9DBDFCB184ECFEFDB00A319459242B68D0989E52BED4107AED35C27D8ECA10E876ACA48006C902337420BA6FF72ECC5C92B7CA0309258B5879F26393DB22753B9EC5DF905500A04228AC08880C485E2AC8834E13E8FA44FA57BF18 + +DigestVerify = SHA1 +Key = K-409_PUB +Input = "test" +Output = 306A0233565648A5BAD24E747A7D7531FA9DBDFCB184ECFEFDB00A319459242B68D0989E52BED4107AED35C27D8ECA10E876ACA48006C902337420BA6FF72ECC5C92B7CA0309258B5879F26393DB22753B9EC5DF905500A04228AC08880C485E2AC8834E13E8FA44FA57BF18 + +DigestVerify = SHA1 +Key = K-409_PUB +Input = "test" +Output = 306A0233565648A5BAD24E747A7D7531FA9DBDFCB184ECFEFDB00A319459242B68D0989E52BED4107AED35C27D8ECA10E876ACA48006C902337420BA6FF72ECC5C92B7CA0309258B5879F26393DB22753B9EC5DF905500A04228AC08880C485E2AC8834E13E8FA44FA57BF19 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-409_PRIV +NonceType = deterministic +Input = "test" +Output = 306A0233251DFE54EAEC8A781ADF8A623F7F36B4ABFC7EE0AE78C8406E93B5C3932A8120AB8DFC49D8E243C7C30CB5B1E021BADBDF9CA4023377854C2E72EAA6924CC0B5F6751379D132569843B1C7885978DBBAA6678967F643A50DBB06E6EA6102FFAB7766A57C3887BD22 + +DigestVerify = SHA224 +Key = K-409_PUB +Input = "test" +Output = 306A0233251DFE54EAEC8A781ADF8A623F7F36B4ABFC7EE0AE78C8406E93B5C3932A8120AB8DFC49D8E243C7C30CB5B1E021BADBDF9CA4023377854C2E72EAA6924CC0B5F6751379D132569843B1C7885978DBBAA6678967F643A50DBB06E6EA6102FFAB7766A57C3887BD22 + +DigestVerify = SHA224 +Key = K-409_PUB +Input = "test" +Output = 306A0233251DFE54EAEC8A781ADF8A623F7F36B4ABFC7EE0AE78C8406E93B5C3932A8120AB8DFC49D8E243C7C30CB5B1E021BADBDF9CA4023377854C2E72EAA6924CC0B5F6751379D132569843B1C7885978DBBAA6678967F643A50DBB06E6EA6102FFAB7766A57C3887BD23 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-409_PRIV +NonceType = deterministic +Input = "test" +Output = 
306A023358075FF7E8D36844EED0FC3F78B7CFFDEEF6ADE5982D5636552A081923E24841C9E37DF2C8C4BF2F2F7A174927F3B7E6A0BEB202330A737469D013A31B91E781CE201100FDE1FA488ABF2252C025C678462D715AD3078C9D049E06555CABDF37878CFB909553FF51 + +DigestVerify = SHA256 +Key = K-409_PUB +Input = "test" +Output = 306A023358075FF7E8D36844EED0FC3F78B7CFFDEEF6ADE5982D5636552A081923E24841C9E37DF2C8C4BF2F2F7A174927F3B7E6A0BEB202330A737469D013A31B91E781CE201100FDE1FA488ABF2252C025C678462D715AD3078C9D049E06555CABDF37878CFB909553FF51 + +DigestVerify = SHA256 +Key = K-409_PUB +Input = "test" +Output = 306A023358075FF7E8D36844EED0FC3F78B7CFFDEEF6ADE5982D5636552A081923E24841C9E37DF2C8C4BF2F2F7A174927F3B7E6A0BEB202330A737469D013A31B91E781CE201100FDE1FA488ABF2252C025C678462D715AD3078C9D049E06555CABDF37878CFB909553FF50 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-409_PRIV +NonceType = deterministic +Input = "test" +Output = 306A02331C5C88642EA216682244E46E24B7CE9AAEF9B3F97E585577D158C3CBC3C598250A53F6D46DFB1E2DD9DC302E7DA4F0CAAFF29102331D3FD721C35872C74514359F88AD983E170E5DE5B31AFC0BE12E9F4AB2B2538C7797686BA955C1D042FD1F8CDC482775579F11 + +DigestVerify = SHA384 +Key = K-409_PUB +Input = "test" +Output = 306A02331C5C88642EA216682244E46E24B7CE9AAEF9B3F97E585577D158C3CBC3C598250A53F6D46DFB1E2DD9DC302E7DA4F0CAAFF29102331D3FD721C35872C74514359F88AD983E170E5DE5B31AFC0BE12E9F4AB2B2538C7797686BA955C1D042FD1F8CDC482775579F11 + +DigestVerify = SHA384 +Key = K-409_PUB +Input = "test" +Output = 306A02331C5C88642EA216682244E46E24B7CE9AAEF9B3F97E585577D158C3CBC3C598250A53F6D46DFB1E2DD9DC302E7DA4F0CAAFF29102331D3FD721C35872C74514359F88AD983E170E5DE5B31AFC0BE12E9F4AB2B2538C7797686BA955C1D042FD1F8CDC482775579F10 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-409_PRIV +NonceType = deterministic +Input = "test" +Output = 
306A02331A32CD7764149DF79349DBF79451F4585BB490BD63A200700D7111B45DDA414000AE1B0A69AEACBA1364DD7719968AAD123F930233582AB1076CAFAE23A76244B82341AEFC4C6D8D8060A62A352C33187720C8A37F3DAC227E62758B11DF1562FD249941C1679F82 + +DigestVerify = SHA512 +Key = K-409_PUB +Input = "test" +Output = 306A02331A32CD7764149DF79349DBF79451F4585BB490BD63A200700D7111B45DDA414000AE1B0A69AEACBA1364DD7719968AAD123F930233582AB1076CAFAE23A76244B82341AEFC4C6D8D8060A62A352C33187720C8A37F3DAC227E62758B11DF1562FD249941C1679F82 + +DigestVerify = SHA512 +Key = K-409_PUB +Input = "test" +Output = 306A02331A32CD7764149DF79349DBF79451F4585BB490BD63A200700D7111B45DDA414000AE1B0A69AEACBA1364DD7719968AAD123F930233582AB1076CAFAE23A76244B82341AEFC4C6D8D8060A62A352C33187720C8A37F3DAC227E62758B11DF1562FD249941C1679F83 +Result = VERIFY_ERROR + +Title = RFC 6979 K-571 deterministic ECDSA tests + +PrivateKey=K-571_PRIV +-----BEGIN PRIVATE KEY----- +MGUCAQAwEAYHKoZIzj0CAQYFK4EEACYETjBMAgEBBEfBb1hVDYJO17lVadREU3XTpJC8fgGUxBo5 +3rcywpOWzfHWbeAt0UYKgWYG877A8yICx70Yoy2HUGRmqpIDLxMU7XsZdisNIg== +-----END PRIVATE KEY----- + +PublicKey=K-571_PUB +-----BEGIN PUBLIC KEY----- +MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQGz7DfdUHN1MQe8xnqiOhJ78hgXZd3kUgILsmRxGPt +MjGVlvn99HecF8ryDv2b61fp9O1Vv8UqL6FcojvGK3vwGdtZeT3XcxgBz8kRAvd1mlYb2NW1Gqru +x/QOZZ1nhwNhmQ1t4p9rT34YrhO95epcH3eyPWdvRAUMnb/M3Xs3VjKN2gWXearoRG/FFYp1wic= +-----END PUBLIC KEY----- + +PrivPubKeyPair=K-571_PRIV:K-571_PUB + +DigestSign = SHA1 +Key = K-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 3081930247767913F96C82E38B7146A505938B79EC07E9AA3214377651BE968B52C039D3E4837B4A2DE26C481C4E1DE96F4D9DE63845D9B32E26D0D332725678E3CE57F668A5E3108FB6CEA502480109F89F55FA39FF465E40EBCF869A9B1DB425AEA53AB4ECBCE3C310572F79315F5D4891461372A0C36E63871BEDDBB3BA2042C6410B67311F1A185589FF4C987DBA02F9D992B9DF + +DigestVerify = SHA1 +Key = K-571_PUB +Input = "sample" +Output = 
3081930247767913F96C82E38B7146A505938B79EC07E9AA3214377651BE968B52C039D3E4837B4A2DE26C481C4E1DE96F4D9DE63845D9B32E26D0D332725678E3CE57F668A5E3108FB6CEA502480109F89F55FA39FF465E40EBCF869A9B1DB425AEA53AB4ECBCE3C310572F79315F5D4891461372A0C36E63871BEDDBB3BA2042C6410B67311F1A185589FF4C987DBA02F9D992B9DF + +DigestVerify = SHA1 +Key = K-571_PUB +Input = "sample" +Output = 3081930247767913F96C82E38B7146A505938B79EC07E9AA3214377651BE968B52C039D3E4837B4A2DE26C481C4E1DE96F4D9DE63845D9B32E26D0D332725678E3CE57F668A5E3108FB6CEA502480109F89F55FA39FF465E40EBCF869A9B1DB425AEA53AB4ECBCE3C310572F79315F5D4891461372A0C36E63871BEDDBB3BA2042C6410B67311F1A185589FF4C987DBA02F9D992B9DE +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 308192024710774B9F14DE6C9525131AD61531FA30987170D43782E9FB84FF0D70F093946DF75ECB69D400FE39B12D58C67C19DCE96335CEC1D9AADE004FE5B498AB8A940D46C8444348686A02476DFE9AA5FEA6CF2CEDC06EE1F9FD9853D411F0B958F1C9C519C90A85F6D24C1C3435B3CDF4E207B4A67467C87B7543F6C0948DD382D24D1E48B3763EC27D4D32A0151C240CC5E0 + +DigestVerify = SHA224 +Key = K-571_PUB +Input = "sample" +Output = 308192024710774B9F14DE6C9525131AD61531FA30987170D43782E9FB84FF0D70F093946DF75ECB69D400FE39B12D58C67C19DCE96335CEC1D9AADE004FE5B498AB8A940D46C8444348686A02476DFE9AA5FEA6CF2CEDC06EE1F9FD9853D411F0B958F1C9C519C90A85F6D24C1C3435B3CDF4E207B4A67467C87B7543F6C0948DD382D24D1E48B3763EC27D4D32A0151C240CC5E0 + +DigestVerify = SHA224 +Key = K-571_PUB +Input = "sample" +Output = 308192024710774B9F14DE6C9525131AD61531FA30987170D43782E9FB84FF0D70F093946DF75ECB69D400FE39B12D58C67C19DCE96335CEC1D9AADE004FE5B498AB8A940D46C8444348686A02476DFE9AA5FEA6CF2CEDC06EE1F9FD9853D411F0B958F1C9C519C90A85F6D24C1C3435B3CDF4E207B4A67467C87B7543F6C0948DD382D24D1E48B3763EC27D4D32A0151C240CC5E1 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 
308194024801604BE98D1A27CEC2D3FA4BD07B42799E07743071E4905D7DCE7F6992B21A27F14F55D0FE5A7810DF65CF07F2F2554658817E5A88D952282EA1B8310514C0B40FFF46F1599651680248018249377C654B8588475510F7B797081F68C2F8CCCE49F730353B2DA3364B1CD3E984813E11BB791824038EA367BA74583AB97A69AF2D77FA691AA694E348E15DA76F5A44EC1F40 + +DigestVerify = SHA256 +Key = K-571_PUB +Input = "sample" +Output = 308194024801604BE98D1A27CEC2D3FA4BD07B42799E07743071E4905D7DCE7F6992B21A27F14F55D0FE5A7810DF65CF07F2F2554658817E5A88D952282EA1B8310514C0B40FFF46F1599651680248018249377C654B8588475510F7B797081F68C2F8CCCE49F730353B2DA3364B1CD3E984813E11BB791824038EA367BA74583AB97A69AF2D77FA691AA694E348E15DA76F5A44EC1F40 + +DigestVerify = SHA256 +Key = K-571_PUB +Input = "sample" +Output = 308194024801604BE98D1A27CEC2D3FA4BD07B42799E07743071E4905D7DCE7F6992B21A27F14F55D0FE5A7810DF65CF07F2F2554658817E5A88D952282EA1B8310514C0B40FFF46F1599651680248018249377C654B8588475510F7B797081F68C2F8CCCE49F730353B2DA3364B1CD3E984813E11BB791824038EA367BA74583AB97A69AF2D77FA691AA694E348E15DA76F5A44EC1F41 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 308193024801E6D7FB237040EA1904CCBF0984B81B866DE10D8AA93B06364C4A46F6C9573FA288C8BDDCC0C6B984E6AA75B42E7BF82FF34D51DFFBD7C87FDBFAD971656185BD12E4B8372F4BF102474F94550072ADA7E8C82B7E83577DD39959577799CDABCEA60E267F36F1BEB981ABF24E722A7F031582D2CC5D80DAA7C0DEEBBE1AC5E729A6DBB34A5D645B698719FCA409FBA370 + +DigestVerify = SHA384 +Key = K-571_PUB +Input = "sample" +Output = 308193024801E6D7FB237040EA1904CCBF0984B81B866DE10D8AA93B06364C4A46F6C9573FA288C8BDDCC0C6B984E6AA75B42E7BF82FF34D51DFFBD7C87FDBFAD971656185BD12E4B8372F4BF102474F94550072ADA7E8C82B7E83577DD39959577799CDABCEA60E267F36F1BEB981ABF24E722A7F031582D2CC5D80DAA7C0DEEBBE1AC5E729A6DBB34A5D645B698719FCA409FBA370 + +DigestVerify = SHA384 +Key = K-571_PUB +Input = "sample" +Output = 
308193024801E6D7FB237040EA1904CCBF0984B81B866DE10D8AA93B06364C4A46F6C9573FA288C8BDDCC0C6B984E6AA75B42E7BF82FF34D51DFFBD7C87FDBFAD971656185BD12E4B8372F4BF102474F94550072ADA7E8C82B7E83577DD39959577799CDABCEA60E267F36F1BEB981ABF24E722A7F031582D2CC5D80DAA7C0DEEBBE1AC5E729A6DBB34A5D645B698719FCA409FBA371 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 30819402480086C9E048EADD7D3D2908501086F3AF449A01AF6BEB2026DC381B39530BCDDBE8E854251CBD5C31E6976553813C11213E4761CB8CA2E5352240AD9FB9C635D55FAB13AE42E4EE4F0248009FEE0A68F322B380217FCF6ABFF15D78C432BD8DD82E18B6BA877C01C860E24410F5150A44F979920147826219766ECB4E2E11A151B6A15BB8E2E825AC95BCCA228D8A1C9D3568 + +DigestVerify = SHA512 +Key = K-571_PUB +Input = "sample" +Output = 30819402480086C9E048EADD7D3D2908501086F3AF449A01AF6BEB2026DC381B39530BCDDBE8E854251CBD5C31E6976553813C11213E4761CB8CA2E5352240AD9FB9C635D55FAB13AE42E4EE4F0248009FEE0A68F322B380217FCF6ABFF15D78C432BD8DD82E18B6BA877C01C860E24410F5150A44F979920147826219766ECB4E2E11A151B6A15BB8E2E825AC95BCCA228D8A1C9D3568 + +DigestVerify = SHA512 +Key = K-571_PUB +Input = "sample" +Output = 30819402480086C9E048EADD7D3D2908501086F3AF449A01AF6BEB2026DC381B39530BCDDBE8E854251CBD5C31E6976553813C11213E4761CB8CA2E5352240AD9FB9C635D55FAB13AE42E4EE4F0248009FEE0A68F322B380217FCF6ABFF15D78C432BD8DD82E18B6BA877C01C860E24410F5150A44F979920147826219766ECB4E2E11A151B6A15BB8E2E825AC95BCCA228D8A1C9D3569 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = K-571_PRIV +NonceType = deterministic +Input = "test" +Output = 308194024801D055F499A3F7E3FC73D6E7D517B470879BDCB14ABC938369F23643C7B96D0242C1FF326FDAF1CCC8593612ACE982209658E73C24C9EC493B785608669DA74A5B7C9A1D8EA843BC024801621376C53CFE3390A0520D2C657B1FF0EBB10E4B9C2510EDC39D04FEBAF12B8502B098A8B8F842EA6E8EB9D55CFEF94B7FF6D145AC3FFCE71BD978FEA3EF8194D4AB5293A8F3EA + +DigestVerify = SHA1 +Key = K-571_PUB +Input = "test" +Output = 
308194024801D055F499A3F7E3FC73D6E7D517B470879BDCB14ABC938369F23643C7B96D0242C1FF326FDAF1CCC8593612ACE982209658E73C24C9EC493B785608669DA74A5B7C9A1D8EA843BC024801621376C53CFE3390A0520D2C657B1FF0EBB10E4B9C2510EDC39D04FEBAF12B8502B098A8B8F842EA6E8EB9D55CFEF94B7FF6D145AC3FFCE71BD978FEA3EF8194D4AB5293A8F3EA + +DigestVerify = SHA1 +Key = K-571_PUB +Input = "test" +Output = 308194024801D055F499A3F7E3FC73D6E7D517B470879BDCB14ABC938369F23643C7B96D0242C1FF326FDAF1CCC8593612ACE982209658E73C24C9EC493B785608669DA74A5B7C9A1D8EA843BC024801621376C53CFE3390A0520D2C657B1FF0EBB10E4B9C2510EDC39D04FEBAF12B8502B098A8B8F842EA6E8EB9D55CFEF94B7FF6D145AC3FFCE71BD978FEA3EF8194D4AB5293A8F3EB +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-571_PRIV +NonceType = deterministic +Input = "test" +Output = 3081940248018709BDE4E9B73D046CE0D48842C97063DA54DCCA28DCB087168FA37DA2BF5FDBE4720EE48D49EDE4DD5BD31AC0149DB8297BD410F9BC02A11EB79B60C8EE63AF51B65267D718810248012D8B9E98FBF1D264D78669E236319D8FFD8426C56AFB10C76471EE88D7F0AB1B158E685B6D93C850D47FB1D02E4B24527473DB60B8D1AEF26CEEBD3467B65A70FFDDC0DBB64D5F + +DigestVerify = SHA224 +Key = K-571_PUB +Input = "test" +Output = 3081940248018709BDE4E9B73D046CE0D48842C97063DA54DCCA28DCB087168FA37DA2BF5FDBE4720EE48D49EDE4DD5BD31AC0149DB8297BD410F9BC02A11EB79B60C8EE63AF51B65267D718810248012D8B9E98FBF1D264D78669E236319D8FFD8426C56AFB10C76471EE88D7F0AB1B158E685B6D93C850D47FB1D02E4B24527473DB60B8D1AEF26CEEBD3467B65A70FFDDC0DBB64D5F + +DigestVerify = SHA224 +Key = K-571_PUB +Input = "test" +Output = 3081940248018709BDE4E9B73D046CE0D48842C97063DA54DCCA28DCB087168FA37DA2BF5FDBE4720EE48D49EDE4DD5BD31AC0149DB8297BD410F9BC02A11EB79B60C8EE63AF51B65267D718810248012D8B9E98FBF1D264D78669E236319D8FFD8426C56AFB10C76471EE88D7F0AB1B158E685B6D93C850D47FB1D02E4B24527473DB60B8D1AEF26CEEBD3467B65A70FFDDC0DBB64D5E +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-571_PRIV +NonceType = deterministic +Input = "test" +Output = 
308194024801F5BF6B044048E0E310309FFDAC825290A69634A0D3592DBEE7BE71F69E45412F766AC92E174CC99AABAA5C9C89FCB187DFDBCC7A26765DB6D9F1EEC8A6127BBDFA5801E44E3BEC024801B44CBFB233BFA2A98D5E8B2F0B2C27F9494BEAA77FEB59CDE3E7AE9CB2E385BE8DA7B80D7944AA71E0654E5067E9A70E88E68833054EED49F28283F02B229123995AF37A6089F0 + +DigestVerify = SHA256 +Key = K-571_PUB +Input = "test" +Output = 308194024801F5BF6B044048E0E310309FFDAC825290A69634A0D3592DBEE7BE71F69E45412F766AC92E174CC99AABAA5C9C89FCB187DFDBCC7A26765DB6D9F1EEC8A6127BBDFA5801E44E3BEC024801B44CBFB233BFA2A98D5E8B2F0B2C27F9494BEAA77FEB59CDE3E7AE9CB2E385BE8DA7B80D7944AA71E0654E5067E9A70E88E68833054EED49F28283F02B229123995AF37A6089F0 + +DigestVerify = SHA256 +Key = K-571_PUB +Input = "test" +Output = 308194024801F5BF6B044048E0E310309FFDAC825290A69634A0D3592DBEE7BE71F69E45412F766AC92E174CC99AABAA5C9C89FCB187DFDBCC7A26765DB6D9F1EEC8A6127BBDFA5801E44E3BEC024801B44CBFB233BFA2A98D5E8B2F0B2C27F9494BEAA77FEB59CDE3E7AE9CB2E385BE8DA7B80D7944AA71E0654E5067E9A70E88E68833054EED49F28283F02B229123995AF37A6089F1 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-571_PRIV +NonceType = deterministic +Input = "test" +Output = 3081940248011F61A6EFAB6D83053D9C52665B3542FF3F63BD5913E527BDBA07FBAF34BC766C2EC83163C5273243AA834C75FDDD1BC8A2BEAD388CD06C4EBA1962D645EEB35E92D44E8F2E081D0248016BF6341876F051DF224770CC8BA0E4D48B3332568A2B014BC80827BAA89DE18D1AEBC73E3BE8F85A8008C682AAC7D5F0E9FB5ECBEFBB637E30E4A0F226D2C2AA3E569BB54AB72B + +DigestVerify = SHA384 +Key = K-571_PUB +Input = "test" +Output = 3081940248011F61A6EFAB6D83053D9C52665B3542FF3F63BD5913E527BDBA07FBAF34BC766C2EC83163C5273243AA834C75FDDD1BC8A2BEAD388CD06C4EBA1962D645EEB35E92D44E8F2E081D0248016BF6341876F051DF224770CC8BA0E4D48B3332568A2B014BC80827BAA89DE18D1AEBC73E3BE8F85A8008C682AAC7D5F0E9FB5ECBEFBB637E30E4A0F226D2C2AA3E569BB54AB72B + +DigestVerify = SHA384 +Key = K-571_PUB +Input = "test" +Output = 
3081940248011F61A6EFAB6D83053D9C52665B3542FF3F63BD5913E527BDBA07FBAF34BC766C2EC83163C5273243AA834C75FDDD1BC8A2BEAD388CD06C4EBA1962D645EEB35E92D44E8F2E081D0248016BF6341876F051DF224770CC8BA0E4D48B3332568A2B014BC80827BAA89DE18D1AEBC73E3BE8F85A8008C682AAC7D5F0E9FB5ECBEFBB637E30E4A0F226D2C2AA3E569BB54AB72A +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-571_PRIV +NonceType = deterministic +Input = "test" +Output = 308194024800F1E50353A39EA64CDF23081D6BB4B2A91DD73E99D3DD5A1AA1C49B4F6E34A665EAD24FD530B9103D522609A395AF3EF174C85206F67EF84835ED1632E0F6BAB718EA90DF9E2DA0024800B385004D7596625028E3FDE72282DE4EDC5B4CE33C1127F21CC37527C90B7307AE7D09281B840AEBCECAA711B00718103DDB32B3E9F6A9FBC6AF23E224A73B9435F619D9C62527 + +DigestVerify = SHA512 +Key = K-571_PUB +Input = "test" +Output = 308194024800F1E50353A39EA64CDF23081D6BB4B2A91DD73E99D3DD5A1AA1C49B4F6E34A665EAD24FD530B9103D522609A395AF3EF174C85206F67EF84835ED1632E0F6BAB718EA90DF9E2DA0024800B385004D7596625028E3FDE72282DE4EDC5B4CE33C1127F21CC37527C90B7307AE7D09281B840AEBCECAA711B00718103DDB32B3E9F6A9FBC6AF23E224A73B9435F619D9C62527 + +DigestVerify = SHA512 +Key = K-571_PUB +Input = "test" +Output = 308194024800F1E50353A39EA64CDF23081D6BB4B2A91DD73E99D3DD5A1AA1C49B4F6E34A665EAD24FD530B9103D522609A395AF3EF174C85206F67EF84835ED1632E0F6BAB718EA90DF9E2DA0024800B385004D7596625028E3FDE72282DE4EDC5B4CE33C1127F21CC37527C90B7307AE7D09281B840AEBCECAA711B00718103DDB32B3E9F6A9FBC6AF23E224A73B9435F619D9C62526 +Result = VERIFY_ERROR + +Title = RFC 6979 B-163 deterministic ECDSA tests + +PrivateKey=B-163_PRIV +-----BEGIN PRIVATE KEY----- +MDMCAQAwEAYHKoZIzj0CAQYFK4EEAA8EHDAaAgEBBBUDUxj8RH1I1+a8k7SGF93e3yaqZY8= +-----END PRIVATE KEY----- + +PublicKey=B-163_PUB +-----BEGIN PUBLIC KEY----- +MEAwEAYHKoZIzj0CAQYFK4EEAA8DLAAEASbPVi2Vodd9OHunWj6joUB/I0JaB9fLUnPJTajKkwSa +/aGHIcJGcr1x +-----END PUBLIC KEY----- + +PrivPubKeyPair=B-163_PRIV:B-163_PUB + +DigestSign = SHA1 +Key = B-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 
302E02150153FEBD179A69B6122DEBF5BC61EB947B24C935260215037AC9C670F8CF18045049BAE7DD35553545C19E49 + +DigestVerify = SHA1 +Key = B-163_PUB +Input = "sample" +Output = 302E02150153FEBD179A69B6122DEBF5BC61EB947B24C935260215037AC9C670F8CF18045049BAE7DD35553545C19E49 + +DigestVerify = SHA1 +Key = B-163_PUB +Input = "sample" +Output = 302E02150153FEBD179A69B6122DEBF5BC61EB947B24C935260215037AC9C670F8CF18045049BAE7DD35553545C19E48 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302D021500A379E69C44F9C16EA3215EA39EB1A9B5D58CC95502144BAFF5308DA2A7FE2C1742769265AD3ED1D24E74 + +DigestVerify = SHA224 +Key = B-163_PUB +Input = "sample" +Output = 302D021500A379E69C44F9C16EA3215EA39EB1A9B5D58CC95502144BAFF5308DA2A7FE2C1742769265AD3ED1D24E74 + +DigestVerify = SHA224 +Key = B-163_PUB +Input = "sample" +Output = 302D021500A379E69C44F9C16EA3215EA39EB1A9B5D58CC95502144BAFF5308DA2A7FE2C1742769265AD3ED1D24E75 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302E02150134E00F78FC1CB9501675D91C401DE20DDF228CDC02150373273AEC6C36CB7BAFBB1903A5F5EA6A1D50B624 + +DigestVerify = SHA256 +Key = B-163_PUB +Input = "sample" +Output = 302E02150134E00F78FC1CB9501675D91C401DE20DDF228CDC02150373273AEC6C36CB7BAFBB1903A5F5EA6A1D50B624 + +DigestVerify = SHA256 +Key = B-163_PUB +Input = "sample" +Output = 302E02150134E00F78FC1CB9501675D91C401DE20DDF228CDC02150373273AEC6C36CB7BAFBB1903A5F5EA6A1D50B625 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302E0215029430B935AF8E77519B0CA4F6903B0B82E6A21A66021501EA1415306E9353FA5AA54BC7C2581DFBB888440D + +DigestVerify = SHA384 +Key = B-163_PUB +Input = "sample" +Output = 302E0215029430B935AF8E77519B0CA4F6903B0B82E6A21A66021501EA1415306E9353FA5AA54BC7C2581DFBB888440D + +DigestVerify = SHA384 +Key = B-163_PUB +Input = "sample" +Output = 
302E0215029430B935AF8E77519B0CA4F6903B0B82E6A21A66021501EA1415306E9353FA5AA54BC7C2581DFBB888440C +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302E021500B2F177A99F9DF2D51CCAF55F015F326E4B65E7A0021500DF1FB4487E9B120C5E970EFE48F55E406306C3A1 + +DigestVerify = SHA512 +Key = B-163_PUB +Input = "sample" +Output = 302E021500B2F177A99F9DF2D51CCAF55F015F326E4B65E7A0021500DF1FB4487E9B120C5E970EFE48F55E406306C3A1 + +DigestVerify = SHA512 +Key = B-163_PUB +Input = "sample" +Output = 302E021500B2F177A99F9DF2D51CCAF55F015F326E4B65E7A0021500DF1FB4487E9B120C5E970EFE48F55E406306C3A0 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = B-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302E02150256D4079C6C7169B8BC92529D701776A269D5630802150341D3FFEC9F1EB6A6ACBE88E3C86A1C8FDEB8B8E1 + +DigestVerify = SHA1 +Key = B-163_PUB +Input = "test" +Output = 302E02150256D4079C6C7169B8BC92529D701776A269D5630802150341D3FFEC9F1EB6A6ACBE88E3C86A1C8FDEB8B8E1 + +DigestVerify = SHA1 +Key = B-163_PUB +Input = "test" +Output = 302E02150256D4079C6C7169B8BC92529D701776A269D5630802150341D3FFEC9F1EB6A6ACBE88E3C86A1C8FDEB8B8E0 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302E0215028ECC6F1272CE80EA59DCF32F7AC2D861BA803393021500AD4AE2C06E60183C1567D2B82F19421FE3053CE2 + +DigestVerify = SHA224 +Key = B-163_PUB +Input = "test" +Output = 302E0215028ECC6F1272CE80EA59DCF32F7AC2D861BA803393021500AD4AE2C06E60183C1567D2B82F19421FE3053CE2 + +DigestVerify = SHA224 +Key = B-163_PUB +Input = "test" +Output = 302E0215028ECC6F1272CE80EA59DCF32F7AC2D861BA803393021500AD4AE2C06E60183C1567D2B82F19421FE3053CE3 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302E02150227DF377B3FA50F90C1CB3CDCBBDBA552C1D35104021501F7BEAD92583FE920D353F368C1960D0E88B46A56 + +DigestVerify = SHA256 +Key = B-163_PUB +Input = 
"test" +Output = 302E02150227DF377B3FA50F90C1CB3CDCBBDBA552C1D35104021501F7BEAD92583FE920D353F368C1960D0E88B46A56 + +DigestVerify = SHA256 +Key = B-163_PUB +Input = "test" +Output = 302E02150227DF377B3FA50F90C1CB3CDCBBDBA552C1D35104021501F7BEAD92583FE920D353F368C1960D0E88B46A57 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302E0215011811DAFEEA441845B6118A0DFEE8A0061231337D0215036258301865EE48C5C6F91D63F62695002AB55B57 + +DigestVerify = SHA384 +Key = B-163_PUB +Input = "test" +Output = 302E0215011811DAFEEA441845B6118A0DFEE8A0061231337D0215036258301865EE48C5C6F91D63F62695002AB55B57 + +DigestVerify = SHA384 +Key = B-163_PUB +Input = "test" +Output = 302E0215011811DAFEEA441845B6118A0DFEE8A0061231337D0215036258301865EE48C5C6F91D63F62695002AB55B56 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302E021503B6BB95CA823BE2ED8E3972FF516EB8972D7655710215013DC6F420628969DF900C3FCC48220B38BE24A541 + +DigestVerify = SHA512 +Key = B-163_PUB +Input = "test" +Output = 302E021503B6BB95CA823BE2ED8E3972FF516EB8972D7655710215013DC6F420628969DF900C3FCC48220B38BE24A541 + +DigestVerify = SHA512 +Key = B-163_PUB +Input = "test" +Output = 302E021503B6BB95CA823BE2ED8E3972FF516EB8972D7655710215013DC6F420628969DF900C3FCC48220B38BE24A540 +Result = VERIFY_ERROR + +Title = RFC 6979 B-233 deterministic ECDSA tests + +PrivateKey=B-233_PRIV +-----BEGIN PRIVATE KEY----- +MDsCAQAwEAYHKoZIzj0CAQYFK4EEABsEJDAiAgEBBB163BPdW/NNHd7rULLOI7X15tGAZzBtYMX2 +/xHl0w== +-----END PRIVATE KEY----- + +PublicKey=B-233_PUB +-----BEGIN PUBLIC KEY----- +MFIwEAYHKoZIzj0CAQYFK4EEABsDPgAEAPs0izJGtHOqf7sqAbeNYbYsQiHQ+atV/HLbPfR4ARYv +ofbGrPf9jRn8fXS92RBAdugziYvEwEKm5r6/ +-----END PUBLIC KEY----- + +PrivPubKeyPair=B-233_PRIV:B-233_PUB + +DigestSign = SHA1 +Key = B-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 
303F021D15CC6FD78BB06E0878E71465515EA5A21A2C18E6FC77B4B158DBEB3944021E00822A4A6C2EB2DF213A5E90BF40377956365EE8C4B4A5A4E2EB9270CB6A + +DigestVerify = SHA1 +Key = B-233_PUB +Input = "sample" +Output = 303F021D15CC6FD78BB06E0878E71465515EA5A21A2C18E6FC77B4B158DBEB3944021E00822A4A6C2EB2DF213A5E90BF40377956365EE8C4B4A5A4E2EB9270CB6A + +DigestVerify = SHA1 +Key = B-233_PUB +Input = "sample" +Output = 303F021D15CC6FD78BB06E0878E71465515EA5A21A2C18E6FC77B4B158DBEB3944021E00822A4A6C2EB2DF213A5E90BF40377956365EE8C4B4A5A4E2EB9270CB6B +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303E021D5D9920B53471148E10502AB49AB7A3F11084820A074FD89883CF51BC1A021D4D3938900C0A9AAA7080D1DFEB56CFB0FADABE4214536C7ED5117ED13A + +DigestVerify = SHA224 +Key = B-233_PUB +Input = "sample" +Output = 303E021D5D9920B53471148E10502AB49AB7A3F11084820A074FD89883CF51BC1A021D4D3938900C0A9AAA7080D1DFEB56CFB0FADABE4214536C7ED5117ED13A + +DigestVerify = SHA224 +Key = B-233_PUB +Input = "sample" +Output = 303E021D5D9920B53471148E10502AB49AB7A3F11084820A074FD89883CF51BC1A021D4D3938900C0A9AAA7080D1DFEB56CFB0FADABE4214536C7ED5117ED13B +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303F021E00A797F3B8AEFCE7456202DF1E46CCC291EA5A49DA3D4BDDA9A4B62D5E0D021D1F6F81DA55C22DA4152134C661588F4BD6F82FDBAF0C5877096B070DC2 + +DigestVerify = SHA256 +Key = B-233_PUB +Input = "sample" +Output = 303F021E00A797F3B8AEFCE7456202DF1E46CCC291EA5A49DA3D4BDDA9A4B62D5E0D021D1F6F81DA55C22DA4152134C661588F4BD6F82FDBAF0C5877096B070DC2 + +DigestVerify = SHA256 +Key = B-233_PUB +Input = "sample" +Output = 303F021E00A797F3B8AEFCE7456202DF1E46CCC291EA5A49DA3D4BDDA9A4B62D5E0D021D1F6F81DA55C22DA4152134C661588F4BD6F82FDBAF0C5877096B070DC3 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 
303E021D15E85A8D46225DD7E314A1C4289731FC14DECE949349FE535D11043B85021D3F189D37F50493EFD5111A129443A662AB3C6B289129AD8C0CAC85119C + +DigestVerify = SHA384 +Key = B-233_PUB +Input = "sample" +Output = 303E021D15E85A8D46225DD7E314A1C4289731FC14DECE949349FE535D11043B85021D3F189D37F50493EFD5111A129443A662AB3C6B289129AD8C0CAC85119C + +DigestVerify = SHA384 +Key = B-233_PUB +Input = "sample" +Output = 303E021D15E85A8D46225DD7E314A1C4289731FC14DECE949349FE535D11043B85021D3F189D37F50493EFD5111A129443A662AB3C6B289129AD8C0CAC85119D +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303F021D3B62A4BF783919098B1E42F496E65F7621F01D1D466C46940F0F132A95021E00F4BE031C6E5239E7DAA014CBBF1ED19425E49DAEB426EC9DF4C28A2E30 + +DigestVerify = SHA512 +Key = B-233_PUB +Input = "sample" +Output = 303F021D3B62A4BF783919098B1E42F496E65F7621F01D1D466C46940F0F132A95021E00F4BE031C6E5239E7DAA014CBBF1ED19425E49DAEB426EC9DF4C28A2E30 + +DigestVerify = SHA512 +Key = B-233_PUB +Input = "sample" +Output = 303F021D3B62A4BF783919098B1E42F496E65F7621F01D1D466C46940F0F132A95021E00F4BE031C6E5239E7DAA014CBBF1ED19425E49DAEB426EC9DF4C28A2E31 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = B-233_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D2F1FEDC57BE203E4C8C6B8C1CEB35E13C1FCD956AB41E3BD4C8A6EFB1F021D5738EC8A8EDEA8E435EE7266AD3EDE1EEFC2CEBE2BE1D614008D5D2951 + +DigestVerify = SHA1 +Key = B-233_PUB +Input = "test" +Output = 303E021D2F1FEDC57BE203E4C8C6B8C1CEB35E13C1FCD956AB41E3BD4C8A6EFB1F021D5738EC8A8EDEA8E435EE7266AD3EDE1EEFC2CEBE2BE1D614008D5D2951 + +DigestVerify = SHA1 +Key = B-233_PUB +Input = "test" +Output = 303E021D2F1FEDC57BE203E4C8C6B8C1CEB35E13C1FCD956AB41E3BD4C8A6EFB1F021D5738EC8A8EDEA8E435EE7266AD3EDE1EEFC2CEBE2BE1D614008D5D2950 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-233_PRIV +NonceType = deterministic +Input = "test" +Output = 
3040021E00CCE175124D3586BA7486F7146894C65C2A4A5A1904658E5C7F9DF5FA5D021E008804B456D847ACE5CA86D97BF79FD6335E5B17F6C0D964B5D0036C867E + +DigestVerify = SHA224 +Key = B-233_PUB +Input = "test" +Output = 3040021E00CCE175124D3586BA7486F7146894C65C2A4A5A1904658E5C7F9DF5FA5D021E008804B456D847ACE5CA86D97BF79FD6335E5B17F6C0D964B5D0036C867E + +DigestVerify = SHA224 +Key = B-233_PUB +Input = "test" +Output = 3040021E00CCE175124D3586BA7486F7146894C65C2A4A5A1904658E5C7F9DF5FA5D021E008804B456D847ACE5CA86D97BF79FD6335E5B17F6C0D964B5D0036C867F +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-233_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D35C3D6DFEEA1CFB29B93BE3FDB91A7B130951770C2690C16833A159677021D600F7301D12AB376B56D4459774159ADB51F97E282FF384406AFD53A02 + +DigestVerify = SHA256 +Key = B-233_PUB +Input = "test" +Output = 303E021D35C3D6DFEEA1CFB29B93BE3FDB91A7B130951770C2690C16833A159677021D600F7301D12AB376B56D4459774159ADB51F97E282FF384406AFD53A02 + +DigestVerify = SHA256 +Key = B-233_PUB +Input = "test" +Output = 303E021D35C3D6DFEEA1CFB29B93BE3FDB91A7B130951770C2690C16833A159677021D600F7301D12AB376B56D4459774159ADB51F97E282FF384406AFD53A03 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-233_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D61602FC8068BFD5FB86027B97455D200EC603057446CCE4D76DB8EF42C021D3396DD0D59C067BB999B422D9883736CF9311DFD6951F91033BD03CA8D + +DigestVerify = SHA384 +Key = B-233_PUB +Input = "test" +Output = 303E021D61602FC8068BFD5FB86027B97455D200EC603057446CCE4D76DB8EF42C021D3396DD0D59C067BB999B422D9883736CF9311DFD6951F91033BD03CA8D + +DigestVerify = SHA384 +Key = B-233_PUB +Input = "test" +Output = 303E021D61602FC8068BFD5FB86027B97455D200EC603057446CCE4D76DB8EF42C021D3396DD0D59C067BB999B422D9883736CF9311DFD6951F91033BD03CA8C +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-233_PRIV +NonceType = deterministic +Input = "test" +Output = 
303F021D7E12CB60FDD614958E8E34B3C12DDFF35D85A9C5800E31EA2CC2EF63B1021E00E8970FD99D836F3CC1C807A2C58760DE6EDAA23705A82B9CB1CE93FECC + +DigestVerify = SHA512 +Key = B-233_PUB +Input = "test" +Output = 303F021D7E12CB60FDD614958E8E34B3C12DDFF35D85A9C5800E31EA2CC2EF63B1021E00E8970FD99D836F3CC1C807A2C58760DE6EDAA23705A82B9CB1CE93FECC + +DigestVerify = SHA512 +Key = B-233_PUB +Input = "test" +Output = 303F021D7E12CB60FDD614958E8E34B3C12DDFF35D85A9C5800E31EA2CC2EF63B1021E00E8970FD99D836F3CC1C807A2C58760DE6EDAA23705A82B9CB1CE93FECD +Result = VERIFY_ERROR + +Title = RFC 6979 B-283 deterministic ECDSA tests + +PrivateKey=B-283_PRIV +-----BEGIN PRIVATE KEY----- +MEICAQAwEAYHKoZIzj0CAQYFK4EEABEEKzApAgEBBCQBRRDUvETy0m9FU5QsmAc8G9NVRc6rtcwT +iFPFFY0nKepAiDY= +-----END PRIVATE KEY----- + +PublicKey=B-283_PUB +-----BEGIN PUBLIC KEY----- +MF4wEAYHKoZIzj0CAQYFK4EEABEDSgAEAX40CaE8OZ8MqKGS8CjUbjRGvP/N9R/4qQXtLe14bnT5 +w+ipBH78vMMcAdhtGZL3v6wCd9vQKm0oknQJmiwPA5yPWfMYNxsO +-----END PUBLIC KEY----- + +PrivPubKeyPair=B-283_PRIV:B-283_PUB + +DigestSign = SHA1 +Key = B-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304C02240201E18D48C6DB3D5D097C4DCE1E25587E1501FC3CF47BDB5B4289D79E273D6A9ACB828502240151AE05712B024CE617358260774C8CA8B0E7A7E72EF8229BF2ACE7609560CB30322C4F + +DigestVerify = SHA1 +Key = B-283_PUB +Input = "sample" +Output = 304C02240201E18D48C6DB3D5D097C4DCE1E25587E1501FC3CF47BDB5B4289D79E273D6A9ACB828502240151AE05712B024CE617358260774C8CA8B0E7A7E72EF8229BF2ACE7609560CB30322C4F + +DigestVerify = SHA1 +Key = B-283_PUB +Input = "sample" +Output = 304C02240201E18D48C6DB3D5D097C4DCE1E25587E1501FC3CF47BDB5B4289D79E273D6A9ACB828502240151AE05712B024CE617358260774C8CA8B0E7A7E72EF8229BF2ACE7609560CB30322C4E +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 
304C02240143E878DDFD4DF40D97B8CD638B3C4706501C2201CF7108F2FB91478C11D69473246925022400CBF1B9717FEEA3AABB09D9654110144267098E0E1E8D0289A6211BE0EEDFDD86A3DB79 + +DigestVerify = SHA224 +Key = B-283_PUB +Input = "sample" +Output = 304C02240143E878DDFD4DF40D97B8CD638B3C4706501C2201CF7108F2FB91478C11D69473246925022400CBF1B9717FEEA3AABB09D9654110144267098E0E1E8D0289A6211BE0EEDFDD86A3DB79 + +DigestVerify = SHA224 +Key = B-283_PUB +Input = "sample" +Output = 304C02240143E878DDFD4DF40D97B8CD638B3C4706501C2201CF7108F2FB91478C11D69473246925022400CBF1B9717FEEA3AABB09D9654110144267098E0E1E8D0289A6211BE0EEDFDD86A3DB78 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304B0224029FD82497FB3E5CEF65579272138DE59E2B666B8689466572B3B69A172CEE83BE14565902235A89D9166B40795AF0FE5958201B9C0523E500013CA12B4840EA2BC53F25F9B3CE87C0 + +DigestVerify = SHA256 +Key = B-283_PUB +Input = "sample" +Output = 304B0224029FD82497FB3E5CEF65579272138DE59E2B666B8689466572B3B69A172CEE83BE14565902235A89D9166B40795AF0FE5958201B9C0523E500013CA12B4840EA2BC53F25F9B3CE87C0 + +DigestVerify = SHA256 +Key = B-283_PUB +Input = "sample" +Output = 304B0224029FD82497FB3E5CEF65579272138DE59E2B666B8689466572B3B69A172CEE83BE14565902235A89D9166B40795AF0FE5958201B9C0523E500013CA12B4840EA2BC53F25F9B3CE87C1 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304C022402F00689C1BFCD2A8C7A41E0DE55AE182E6463A152828EF89FE3525139B6603294E69353022401744514FE0A37447250C8A329EAAADA81572226CABA16F39270EE5DD03F27B1F665EB5D + +DigestVerify = SHA384 +Key = B-283_PUB +Input = "sample" +Output = 304C022402F00689C1BFCD2A8C7A41E0DE55AE182E6463A152828EF89FE3525139B6603294E69353022401744514FE0A37447250C8A329EAAADA81572226CABA16F39270EE5DD03F27B1F665EB5D + +DigestVerify = SHA384 +Key = B-283_PUB +Input = "sample" +Output = 
304C022402F00689C1BFCD2A8C7A41E0DE55AE182E6463A152828EF89FE3525139B6603294E69353022401744514FE0A37447250C8A329EAAADA81572226CABA16F39270EE5DD03F27B1F665EB5C +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304C022400DA43A9ADFAA6AD767998A054C6A8F1CF77A562924628D73C62761847AD8286E0D91B47022401D118733AE2C88357827CAFC6F68ABC25C80C640532925E95CFE66D40F8792F3AC44C42 + +DigestVerify = SHA512 +Key = B-283_PUB +Input = "sample" +Output = 304C022400DA43A9ADFAA6AD767998A054C6A8F1CF77A562924628D73C62761847AD8286E0D91B47022401D118733AE2C88357827CAFC6F68ABC25C80C640532925E95CFE66D40F8792F3AC44C42 + +DigestVerify = SHA512 +Key = B-283_PUB +Input = "sample" +Output = 304C022400DA43A9ADFAA6AD767998A054C6A8F1CF77A562924628D73C62761847AD8286E0D91B47022401D118733AE2C88357827CAFC6F68ABC25C80C640532925E95CFE66D40F8792F3AC44C43 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = B-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304A02235A408133919F2CDCDBE5E4C14FBC706C1F71BADAFEF41F5DE4EC27272FC1CA9366FBB2022312966272872C097FEA7BCE64FAB1A81982A773E26F6E4EF7C99969846E67CA9CBE1692 + +DigestVerify = SHA1 +Key = B-283_PUB +Input = "test" +Output = 304A02235A408133919F2CDCDBE5E4C14FBC706C1F71BADAFEF41F5DE4EC27272FC1CA9366FBB2022312966272872C097FEA7BCE64FAB1A81982A773E26F6E4EF7C99969846E67CA9CBE1692 + +DigestVerify = SHA1 +Key = B-283_PUB +Input = "test" +Output = 304A02235A408133919F2CDCDBE5E4C14FBC706C1F71BADAFEF41F5DE4EC27272FC1CA9366FBB2022312966272872C097FEA7BCE64FAB1A81982A773E26F6E4EF7C99969846E67CA9CBE1693 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304C0224008F3824E40C16FF1DDA8DC992776D26F4A5981AB5092956C4FDBB4F1AE0A711EEAA10E5022400A64B91EFADB213E11483FB61C73E3EF63D3B44EEFC56EA401B99DCC60CC28E99F0F1FA + +DigestVerify = SHA224 +Key = B-283_PUB +Input = "test" +Output = 
304C0224008F3824E40C16FF1DDA8DC992776D26F4A5981AB5092956C4FDBB4F1AE0A711EEAA10E5022400A64B91EFADB213E11483FB61C73E3EF63D3B44EEFC56EA401B99DCC60CC28E99F0F1FA + +DigestVerify = SHA224 +Key = B-283_PUB +Input = "test" +Output = 304C0224008F3824E40C16FF1DDA8DC992776D26F4A5981AB5092956C4FDBB4F1AE0A711EEAA10E5022400A64B91EFADB213E11483FB61C73E3EF63D3B44EEFC56EA401B99DCC60CC28E99F0F1FB +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304C022403597B406F5329D11A79E887847E5EC60861CCBB19EC61F252DB7BD549C699951C182796022400A6A100B997BC622D91701D9F5C6F6D3815517E577622DA69D3A0E8917C1CBE63ACD345 + +DigestVerify = SHA256 +Key = B-283_PUB +Input = "test" +Output = 304C022403597B406F5329D11A79E887847E5EC60861CCBB19EC61F252DB7BD549C699951C182796022400A6A100B997BC622D91701D9F5C6F6D3815517E577622DA69D3A0E8917C1CBE63ACD345 + +DigestVerify = SHA256 +Key = B-283_PUB +Input = "test" +Output = 304C022403597B406F5329D11A79E887847E5EC60861CCBB19EC61F252DB7BD549C699951C182796022400A6A100B997BC622D91701D9F5C6F6D3815517E577622DA69D3A0E8917C1CBE63ACD344 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304C022401BB490926E5A1FDC7C5AA86D0835F9B994EDA315CA408002AF54A298728D422EBF59E4C0224036C682CFC9E2C89A782BFD3A191609D1F0C1910D5FD6981442070393159D65FBCC0A8BA + +DigestVerify = SHA384 +Key = B-283_PUB +Input = "test" +Output = 304C022401BB490926E5A1FDC7C5AA86D0835F9B994EDA315CA408002AF54A298728D422EBF59E4C0224036C682CFC9E2C89A782BFD3A191609D1F0C1910D5FD6981442070393159D65FBCC0A8BA + +DigestVerify = SHA384 +Key = B-283_PUB +Input = "test" +Output = 304C022401BB490926E5A1FDC7C5AA86D0835F9B994EDA315CA408002AF54A298728D422EBF59E4C0224036C682CFC9E2C89A782BFD3A191609D1F0C1910D5FD6981442070393159D65FBCC0A8BB +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-283_PRIV +NonceType = deterministic +Input = "test" +Output = 
304B0224019944AA68F9778C2E3D6E240947613E6DA60EFCE9B9B2C063FF5466D72745B5A0B25BA202233F1567B3C5B02DF15C874F0EE22850824693D5ADC4663BAA19E384E550B1DD41F31EE6 + +DigestVerify = SHA512 +Key = B-283_PUB +Input = "test" +Output = 304B0224019944AA68F9778C2E3D6E240947613E6DA60EFCE9B9B2C063FF5466D72745B5A0B25BA202233F1567B3C5B02DF15C874F0EE22850824693D5ADC4663BAA19E384E550B1DD41F31EE6 + +DigestVerify = SHA512 +Key = B-283_PUB +Input = "test" +Output = 304B0224019944AA68F9778C2E3D6E240947613E6DA60EFCE9B9B2C063FF5466D72745B5A0B25BA202233F1567B3C5B02DF15C874F0EE22850824693D5ADC4663BAA19E384E550B1DD41F31EE7 +Result = VERIFY_ERROR + +Title = RFC 6979 B-409 deterministic ECDSA tests + +PrivateKey=B-409_PRIV +-----BEGIN PRIVATE KEY----- +MFECAQAwEAYHKoZIzj0CAQYFK4EEACUEOjA4AgEBBDNJSZTMMlsI57TOA4vZQ2+QteWaLBPDFAzT +rgfASgH8SJ9XLOBWmm23uAYDk952MwxiQXc= +-----END PRIVATE KEY----- + +PublicKey=B-409_PUB +-----BEGIN PUBLIC KEY----- +MH4wEAYHKoZIzj0CAQYFK4EEACUDagAEAacFWWHPHaS5oBWxixUk7wH92bk/rvwm+x8vgopyJ7cD +GSXaCsGooHXDszVUsiLqhZwX5wGBBcBC8pBzYIjzCux653MqRd5HvOCUAROrgTJRbR4Fmw9YH9WB +qaPLOgrEKhlic4rbhuY= +-----END PUBLIC KEY----- + +PrivPubKeyPair=B-409_PRIV:B-409_PUB + +DigestSign = SHA1 +Key = B-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306B023400D8783188E1A540E2022D389E1D35B32F56F8C2BB5636B8ABF7718806B27A713EBAE37F63ECD4B61445CEF5801B62594EF3E98202333A6B4A80E204DB0DE12E7415C13C9EC091C52935658316B4A0C591216A3879154BEB1712560E346E7EF26517707435B55C3141 + +DigestVerify = SHA1 +Key = B-409_PUB +Input = "sample" +Output = 306B023400D8783188E1A540E2022D389E1D35B32F56F8C2BB5636B8ABF7718806B27A713EBAE37F63ECD4B61445CEF5801B62594EF3E98202333A6B4A80E204DB0DE12E7415C13C9EC091C52935658316B4A0C591216A3879154BEB1712560E346E7EF26517707435B55C3141 + +DigestVerify = SHA1 +Key = B-409_PUB +Input = "sample" +Output = 
306B023400D8783188E1A540E2022D389E1D35B32F56F8C2BB5636B8ABF7718806B27A713EBAE37F63ECD4B61445CEF5801B62594EF3E98202333A6B4A80E204DB0DE12E7415C13C9EC091C52935658316B4A0C591216A3879154BEB1712560E346E7EF26517707435B55C3140 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306B023400EE4F39ACC2E03CE96C3D9FCBAFA5C22C89053662F8D4117752A9B10F09ADFDA59DB061E247FE5321D6B170EE758ACE1BE4D15702330A2B83265B456A430A8BF27DCC8A9488B3F126C10F0D6D64BF7B8A218FAAF20E51A295A3AE78F205E5A4A6AE224C3639F1BB34 + +DigestVerify = SHA224 +Key = B-409_PUB +Input = "sample" +Output = 306B023400EE4F39ACC2E03CE96C3D9FCBAFA5C22C89053662F8D4117752A9B10F09ADFDA59DB061E247FE5321D6B170EE758ACE1BE4D15702330A2B83265B456A430A8BF27DCC8A9488B3F126C10F0D6D64BF7B8A218FAAF20E51A295A3AE78F205E5A4A6AE224C3639F1BB34 + +DigestVerify = SHA224 +Key = B-409_PUB +Input = "sample" +Output = 306B023400EE4F39ACC2E03CE96C3D9FCBAFA5C22C89053662F8D4117752A9B10F09ADFDA59DB061E247FE5321D6B170EE758ACE1BE4D15702330A2B83265B456A430A8BF27DCC8A9488B3F126C10F0D6D64BF7B8A218FAAF20E51A295A3AE78F205E5A4A6AE224C3639F1BB35 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306A02332D8B1B31E33E74D7EB46C30FDE5AD2CA04EC8FE08FBA0E73BA5E568953AC5EA307C072942238DFC07F4A4D7C7C6A9F86436D17023379F7D471E6CB73234AF7F7C381D2CE15DE35BAF8BB68393B73235B3A26EC2DF4842CE433FB492D6E074E604D4870024D42189A + +DigestVerify = SHA256 +Key = B-409_PUB +Input = "sample" +Output = 306A02332D8B1B31E33E74D7EB46C30FDE5AD2CA04EC8FE08FBA0E73BA5E568953AC5EA307C072942238DFC07F4A4D7C7C6A9F86436D17023379F7D471E6CB73234AF7F7C381D2CE15DE35BAF8BB68393B73235B3A26EC2DF4842CE433FB492D6E074E604D4870024D42189A + +DigestVerify = SHA256 +Key = B-409_PUB +Input = "sample" +Output = 
306A02332D8B1B31E33E74D7EB46C30FDE5AD2CA04EC8FE08FBA0E73BA5E568953AC5EA307C072942238DFC07F4A4D7C7C6A9F86436D17023379F7D471E6CB73234AF7F7C381D2CE15DE35BAF8BB68393B73235B3A26EC2DF4842CE433FB492D6E074E604D4870024D42189B +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306A02337BC638B7E7CE6FEE5E9C64A0F966D722D01BB4BC3F3A35F30D4CDDA92DFC5F7F0B4BBFE8065D9AD452FD77A1914BE3A2440C1802336D904429850521B28A32CBF55C7C0FDF35DC4E0BDA2552C7BF68A171E970E6788ACC0B9521EACB4796E057C70DD9B95FED5BFB + +DigestVerify = SHA384 +Key = B-409_PUB +Input = "sample" +Output = 306A02337BC638B7E7CE6FEE5E9C64A0F966D722D01BB4BC3F3A35F30D4CDDA92DFC5F7F0B4BBFE8065D9AD452FD77A1914BE3A2440C1802336D904429850521B28A32CBF55C7C0FDF35DC4E0BDA2552C7BF68A171E970E6788ACC0B9521EACB4796E057C70DD9B95FED5BFB + +DigestVerify = SHA384 +Key = B-409_PUB +Input = "sample" +Output = 306A02337BC638B7E7CE6FEE5E9C64A0F966D722D01BB4BC3F3A35F30D4CDDA92DFC5F7F0B4BBFE8065D9AD452FD77A1914BE3A2440C1802336D904429850521B28A32CBF55C7C0FDF35DC4E0BDA2552C7BF68A171E970E6788ACC0B9521EACB4796E057C70DD9B95FED5BFA +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306A02335D178DECAFD2D02A3DA0D8BA1C4C1D95EE083C760DF782193A9F7B4A8BE6FC5C21FD60613BCA65C063A61226E050A680B3ABD4023313B7581E98F6A63FBBCB3E49BCDA60F816DB230B888506D105DC229600497C3B46588C784BE3AA9343BEF82F7C9C80AEB63C3B + +DigestVerify = SHA512 +Key = B-409_PUB +Input = "sample" +Output = 306A02335D178DECAFD2D02A3DA0D8BA1C4C1D95EE083C760DF782193A9F7B4A8BE6FC5C21FD60613BCA65C063A61226E050A680B3ABD4023313B7581E98F6A63FBBCB3E49BCDA60F816DB230B888506D105DC229600497C3B46588C784BE3AA9343BEF82F7C9C80AEB63C3B + +DigestVerify = SHA512 +Key = B-409_PUB +Input = "sample" +Output = 
306A02335D178DECAFD2D02A3DA0D8BA1C4C1D95EE083C760DF782193A9F7B4A8BE6FC5C21FD60613BCA65C063A61226E050A680B3ABD4023313B7581E98F6A63FBBCB3E49BCDA60F816DB230B888506D105DC229600497C3B46588C784BE3AA9343BEF82F7C9C80AEB63C3A +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = B-409_PRIV +NonceType = deterministic +Input = "test" +Output = 306A023349F54E7C10D2732B4638473053782C6919218BBEFCEC8B51640FC193E832291F05FA12371E9B448417B3290193F08EE93191950233499E267DEC84E02F6F108B10E82172C414F15B1B7364BE8BFD66ADC0C5DE23FEE3DF0D811134C25AFE0E05A6672F98889F28F1 + +DigestVerify = SHA1 +Key = B-409_PUB +Input = "test" +Output = 306A023349F54E7C10D2732B4638473053782C6919218BBEFCEC8B51640FC193E832291F05FA12371E9B448417B3290193F08EE93191950233499E267DEC84E02F6F108B10E82172C414F15B1B7364BE8BFD66ADC0C5DE23FEE3DF0D811134C25AFE0E05A6672F98889F28F1 + +DigestVerify = SHA1 +Key = B-409_PUB +Input = "test" +Output = 306A023349F54E7C10D2732B4638473053782C6919218BBEFCEC8B51640FC193E832291F05FA12371E9B448417B3290193F08EE93191950233499E267DEC84E02F6F108B10E82172C414F15B1B7364BE8BFD66ADC0C5DE23FEE3DF0D811134C25AFE0E05A6672F98889F28F0 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-409_PRIV +NonceType = deterministic +Input = "test" +Output = 306B023400B1527FFAA7DD7C7E46B628587A5BEC0539A2D04D3CF27C54841C2544E1BBDB42FDBDAAF8671A4CA86DFD619B1E3732D7BB56F20233442C68C044868DF4832C807F1EDDEBF7F5052A64B826FD03451440794063F52B022DF304F47403D4069234CA9EB4C964B37C02 + +DigestVerify = SHA224 +Key = B-409_PUB +Input = "test" +Output = 306B023400B1527FFAA7DD7C7E46B628587A5BEC0539A2D04D3CF27C54841C2544E1BBDB42FDBDAAF8671A4CA86DFD619B1E3732D7BB56F20233442C68C044868DF4832C807F1EDDEBF7F5052A64B826FD03451440794063F52B022DF304F47403D4069234CA9EB4C964B37C02 + +DigestVerify = SHA224 +Key = B-409_PUB +Input = "test" +Output = 
306B023400B1527FFAA7DD7C7E46B628587A5BEC0539A2D04D3CF27C54841C2544E1BBDB42FDBDAAF8671A4CA86DFD619B1E3732D7BB56F20233442C68C044868DF4832C807F1EDDEBF7F5052A64B826FD03451440794063F52B022DF304F47403D4069234CA9EB4C964B37C03 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-409_PRIV +NonceType = deterministic +Input = "test" +Output = 306C023400BB27755B991D6D31757BCBF68CB01225A38E1CFA20F775E861055DD108ED7EA455E4B96B2F6F7CD6C6EC2B3C70C3EDDEB9743B023400C5BE90980E7F444B5F7A12C9E9AC7A04CA81412822DD5AD1BE7C45D5032555EA070864245CF69266871FEB8CD1B7EDC30EF6D5 + +DigestVerify = SHA256 +Key = B-409_PUB +Input = "test" +Output = 306C023400BB27755B991D6D31757BCBF68CB01225A38E1CFA20F775E861055DD108ED7EA455E4B96B2F6F7CD6C6EC2B3C70C3EDDEB9743B023400C5BE90980E7F444B5F7A12C9E9AC7A04CA81412822DD5AD1BE7C45D5032555EA070864245CF69266871FEB8CD1B7EDC30EF6D5 + +DigestVerify = SHA256 +Key = B-409_PUB +Input = "test" +Output = 306C023400BB27755B991D6D31757BCBF68CB01225A38E1CFA20F775E861055DD108ED7EA455E4B96B2F6F7CD6C6EC2B3C70C3EDDEB9743B023400C5BE90980E7F444B5F7A12C9E9AC7A04CA81412822DD5AD1BE7C45D5032555EA070864245CF69266871FEB8CD1B7EDC30EF6D4 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-409_PRIV +NonceType = deterministic +Input = "test" +Output = 306B02334EFEB7098772187907C87B33E0FBBA4584226C50C11E98CA7AAC6986F8D3BE044E5B52D201A410B852536527724CA5F8CE65490234009574102FEB3EF87E6D66B94119F5A6062950FF4F902EA1E6BD9E2037F33FF991E31F5956C23AFE48FCDC557FD6F088C7C9B2B3 + +DigestVerify = SHA384 +Key = B-409_PUB +Input = "test" +Output = 306B02334EFEB7098772187907C87B33E0FBBA4584226C50C11E98CA7AAC6986F8D3BE044E5B52D201A410B852536527724CA5F8CE65490234009574102FEB3EF87E6D66B94119F5A6062950FF4F902EA1E6BD9E2037F33FF991E31F5956C23AFE48FCDC557FD6F088C7C9B2B3 + +DigestVerify = SHA384 +Key = B-409_PUB +Input = "test" +Output = 
306B02334EFEB7098772187907C87B33E0FBBA4584226C50C11E98CA7AAC6986F8D3BE044E5B52D201A410B852536527724CA5F8CE65490234009574102FEB3EF87E6D66B94119F5A6062950FF4F902EA1E6BD9E2037F33FF991E31F5956C23AFE48FCDC557FD6F088C7C9B2B2 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-409_PRIV +NonceType = deterministic +Input = "test" +Output = 306B02337E0249C68536AE2AEC2EC30090340DA49E6DC9E9EEC8F85E5AABFB234B6DA7D2E9524028CF821F21C6019770474CC40B01FAF60234008125B5A03FB44AE81EA46D446130C2A415ECCA265910CA69D55F2453E16CD7B2DFA4E28C50FA8137F9C0C6CEE4CD37ABCCF6D8 + +DigestVerify = SHA512 +Key = B-409_PUB +Input = "test" +Output = 306B02337E0249C68536AE2AEC2EC30090340DA49E6DC9E9EEC8F85E5AABFB234B6DA7D2E9524028CF821F21C6019770474CC40B01FAF60234008125B5A03FB44AE81EA46D446130C2A415ECCA265910CA69D55F2453E16CD7B2DFA4E28C50FA8137F9C0C6CEE4CD37ABCCF6D8 + +DigestVerify = SHA512 +Key = B-409_PUB +Input = "test" +Output = 306B02337E0249C68536AE2AEC2EC30090340DA49E6DC9E9EEC8F85E5AABFB234B6DA7D2E9524028CF821F21C6019770474CC40B01FAF60234008125B5A03FB44AE81EA46D446130C2A415ECCA265910CA69D55F2453E16CD7B2DFA4E28C50FA8137F9C0C6CEE4CD37ABCCF6D9 +Result = VERIFY_ERROR + +Title = RFC 6979 B-571 deterministic ECDSA tests + +PrivateKey=B-571_PRIV +-----BEGIN PRIVATE KEY----- +MGUCAQAwEAYHKoZIzj0CAQYFK4EEACcETjBMAgEBBEcooEhX8kwcCC3w2QnA5y9FPy4jQMywcfDj +ibyiV12hkSQZjFcXSSmtJuNIz2P3jSgCHvWpvy1cvq9rfMtsTagk3VyCz7JOEQ== +-----END PRIVATE KEY----- + +PublicKey=B-571_PUB +-----BEGIN PUBLIC KEY----- +MIGnMBAGByqGSM49AgEGBSuBBAAnA4GSAAQEtLPOk3dVAUC2LBBhdjqlJIFN3O83sAzVzelPd5K7 +DpZ1jlXaLp/qj/KotoMK4dV6nKenf8sINr9D6lRUzdn+rVzP5zdcaoMERTsY8mHnoOdXDNcvI16n +UEOOQ5Rvvr0lGLaWlUdnqnhJwXGeGOHFFlLCjKhTQm8VwJqktXlIczirx/M3aPrdYbWjpkQ6gYk= +-----END PUBLIC KEY----- + +PrivPubKeyPair=B-571_PRIV:B-571_PUB + +DigestSign = SHA1 +Key = B-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 
30819402480147D3EB0EDA9F2152DFD014363D6A9CE816D7A1467D326A625FC4AB0C786E1B74DDF7CD4D0E99541391B266C704BB6B6E8DCCD27B460802E0867143727AA415555454321EFE5CB60248017319571CAF533D90D2E78A64060B9C53169AB7FC908947B3EDADC54C79CCF0A7920B4C64A4EAB6282AFE9A459677CDA37FD6DD50BEF18709590FE18B923BDF74A66B189A850819 + +DigestVerify = SHA1 +Key = B-571_PUB +Input = "sample" +Output = 30819402480147D3EB0EDA9F2152DFD014363D6A9CE816D7A1467D326A625FC4AB0C786E1B74DDF7CD4D0E99541391B266C704BB6B6E8DCCD27B460802E0867143727AA415555454321EFE5CB60248017319571CAF533D90D2E78A64060B9C53169AB7FC908947B3EDADC54C79CCF0A7920B4C64A4EAB6282AFE9A459677CDA37FD6DD50BEF18709590FE18B923BDF74A66B189A850819 + +DigestVerify = SHA1 +Key = B-571_PUB +Input = "sample" +Output = 30819402480147D3EB0EDA9F2152DFD014363D6A9CE816D7A1467D326A625FC4AB0C786E1B74DDF7CD4D0E99541391B266C704BB6B6E8DCCD27B460802E0867143727AA415555454321EFE5CB60248017319571CAF533D90D2E78A64060B9C53169AB7FC908947B3EDADC54C79CCF0A7920B4C64A4EAB6282AFE9A459677CDA37FD6DD50BEF18709590FE18B923BDF74A66B189A850818 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 3081940248010F4B63E79B2E54E4F4F6A2DBC786D8F4A143ECA7B2AD97810F6472AC6AE20853222854553BE1D44A7974599DB7061AE8560DF57F2675BE5F9DD94ABAF3D47F1582B318E459748B024803BBEA07C6B269C2B7FE9AE4DDB118338D0C2F0022920A7F9DCFCB7489594C03B536A9900C4EA6A10410007222D3DAE1A96F291C4C9275D75D98EB290DC0EEF176037B2C7A7A39A3 + +DigestVerify = SHA224 +Key = B-571_PUB +Input = "sample" +Output = 3081940248010F4B63E79B2E54E4F4F6A2DBC786D8F4A143ECA7B2AD97810F6472AC6AE20853222854553BE1D44A7974599DB7061AE8560DF57F2675BE5F9DD94ABAF3D47F1582B318E459748B024803BBEA07C6B269C2B7FE9AE4DDB118338D0C2F0022920A7F9DCFCB7489594C03B536A9900C4EA6A10410007222D3DAE1A96F291C4C9275D75D98EB290DC0EEF176037B2C7A7A39A3 + +DigestVerify = SHA224 +Key = B-571_PUB +Input = "sample" +Output = 
3081940248010F4B63E79B2E54E4F4F6A2DBC786D8F4A143ECA7B2AD97810F6472AC6AE20853222854553BE1D44A7974599DB7061AE8560DF57F2675BE5F9DD94ABAF3D47F1582B318E459748B024803BBEA07C6B269C2B7FE9AE4DDB118338D0C2F0022920A7F9DCFCB7489594C03B536A9900C4EA6A10410007222D3DAE1A96F291C4C9275D75D98EB290DC0EEF176037B2C7A7A39A2 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 30819402480213EF9F3B0CFC4BF996B8AF3A7E1F6CACD2B87C8C63820000800AC787F17EC99C04BCEDF29A8413CFF83142BB88A50EF8D9A086AF4EB03E97C567500C21D865714D832E03C6D054024803D32322559B094E20D8935E250B6EC139AC4AAB77920812C119AF419FB62B332C8D226C6C9362AE3C1E4AABE19359B8428EA74EC8FBE83C8618C2BCCB6B43FBAA0F2CCB7D303945 + +DigestVerify = SHA256 +Key = B-571_PUB +Input = "sample" +Output = 30819402480213EF9F3B0CFC4BF996B8AF3A7E1F6CACD2B87C8C63820000800AC787F17EC99C04BCEDF29A8413CFF83142BB88A50EF8D9A086AF4EB03E97C567500C21D865714D832E03C6D054024803D32322559B094E20D8935E250B6EC139AC4AAB77920812C119AF419FB62B332C8D226C6C9362AE3C1E4AABE19359B8428EA74EC8FBE83C8618C2BCCB6B43FBAA0F2CCB7D303945 + +DigestVerify = SHA256 +Key = B-571_PUB +Input = "sample" +Output = 30819402480213EF9F3B0CFC4BF996B8AF3A7E1F6CACD2B87C8C63820000800AC787F17EC99C04BCEDF29A8413CFF83142BB88A50EF8D9A086AF4EB03E97C567500C21D865714D832E03C6D054024803D32322559B094E20D8935E250B6EC139AC4AAB77920812C119AF419FB62B332C8D226C6C9362AE3C1E4AABE19359B8428EA74EC8FBE83C8618C2BCCB6B43FBAA0F2CCB7D303944 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 30819402480375D8F49C656A0BBD21D3F54CDA287D853C4BB1849983CD891EF6CD6BB56A62B687807C16685C2C9BCA2663C33696ACCE344C45F3910B1DF806204FF731ECB289C100EF4D1805EC024801CDEC6F46DFEEE44BCE71D41C60550DC67CF98D6C91363625AC2553E4368D2DFB734A8E8C72E118A76ACDB0E58697940A0F3DF49E72894BD799450FC9E550CC04B9FF9B0380021C + +DigestVerify = SHA384 +Key = B-571_PUB +Input = "sample" +Output = 
30819402480375D8F49C656A0BBD21D3F54CDA287D853C4BB1849983CD891EF6CD6BB56A62B687807C16685C2C9BCA2663C33696ACCE344C45F3910B1DF806204FF731ECB289C100EF4D1805EC024801CDEC6F46DFEEE44BCE71D41C60550DC67CF98D6C91363625AC2553E4368D2DFB734A8E8C72E118A76ACDB0E58697940A0F3DF49E72894BD799450FC9E550CC04B9FF9B0380021C + +DigestVerify = SHA384 +Key = B-571_PUB +Input = "sample" +Output = 30819402480375D8F49C656A0BBD21D3F54CDA287D853C4BB1849983CD891EF6CD6BB56A62B687807C16685C2C9BCA2663C33696ACCE344C45F3910B1DF806204FF731ECB289C100EF4D1805EC024801CDEC6F46DFEEE44BCE71D41C60550DC67CF98D6C91363625AC2553E4368D2DFB734A8E8C72E118A76ACDB0E58697940A0F3DF49E72894BD799450FC9E550CC04B9FF9B0380021D +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 308194024801C26F40D940A7EAA0EB1E62991028057D91FEDA0366B606F6C434C361F04E545A6A51A435E26416F6838FFA260C617E798E946B57215284182BE55F29A355E6024FE32A47289CF0024803691DE4369D921FE94EDDA67CB71FBBEC9A436787478063EB1CC778B3DCDC1C4162662752D28DEEDF6F32A269C82D1DB80C87CE4D3B662E03AC347806E3F19D18D6D4DE7358DF7E + +DigestVerify = SHA512 +Key = B-571_PUB +Input = "sample" +Output = 308194024801C26F40D940A7EAA0EB1E62991028057D91FEDA0366B606F6C434C361F04E545A6A51A435E26416F6838FFA260C617E798E946B57215284182BE55F29A355E6024FE32A47289CF0024803691DE4369D921FE94EDDA67CB71FBBEC9A436787478063EB1CC778B3DCDC1C4162662752D28DEEDF6F32A269C82D1DB80C87CE4D3B662E03AC347806E3F19D18D6D4DE7358DF7E + +DigestVerify = SHA512 +Key = B-571_PUB +Input = "sample" +Output = 308194024801C26F40D940A7EAA0EB1E62991028057D91FEDA0366B606F6C434C361F04E545A6A51A435E26416F6838FFA260C617E798E946B57215284182BE55F29A355E6024FE32A47289CF0024803691DE4369D921FE94EDDA67CB71FBBEC9A436787478063EB1CC778B3DCDC1C4162662752D28DEEDF6F32A269C82D1DB80C87CE4D3B662E03AC347806E3F19D18D6D4DE7358DF7F +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = B-571_PRIV +NonceType = deterministic +Input = "test" +Output = 
30819402480133F5414F2A9BC41466D339B79376038A64D045E5B0F792A98E5A7AA87E0AD016419E5F8D176007D5C9C10B5FD9E2E0AB8331B195797C0358BA05ECBF24ACE59C5F368A6C0997CC024803D16743AE9F00F0B1A500F738719C5582550FEB64689DA241665C4CE4F328BA0E34A7EF527ED13BFA5889FD2D1D214C11EB17D6BC338E05A56F41CAFF1AF7B8D574DB62EF0D0F21 + +DigestVerify = SHA1 +Key = B-571_PUB +Input = "test" +Output = 30819402480133F5414F2A9BC41466D339B79376038A64D045E5B0F792A98E5A7AA87E0AD016419E5F8D176007D5C9C10B5FD9E2E0AB8331B195797C0358BA05ECBF24ACE59C5F368A6C0997CC024803D16743AE9F00F0B1A500F738719C5582550FEB64689DA241665C4CE4F328BA0E34A7EF527ED13BFA5889FD2D1D214C11EB17D6BC338E05A56F41CAFF1AF7B8D574DB62EF0D0F21 + +DigestVerify = SHA1 +Key = B-571_PUB +Input = "test" +Output = 30819402480133F5414F2A9BC41466D339B79376038A64D045E5B0F792A98E5A7AA87E0AD016419E5F8D176007D5C9C10B5FD9E2E0AB8331B195797C0358BA05ECBF24ACE59C5F368A6C0997CC024803D16743AE9F00F0B1A500F738719C5582550FEB64689DA241665C4CE4F328BA0E34A7EF527ED13BFA5889FD2D1D214C11EB17D6BC338E05A56F41CAFF1AF7B8D574DB62EF0D0F20 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-571_PRIV +NonceType = deterministic +Input = "test" +Output = 308194024803048E76506C5C43D92B2E33F62B33E3111CEEB87F6C7DF7C7C01E3CDA28FA5E8BE04B5B23AA03C0C70FEF8F723CBCEBFF0B7A52A3F5C8B84B741B4F6157E69A5FB0524B48F31828024802C99078CCFE5C82102B8D006E3703E020C46C87C75163A2CD839C885550BA5CB501AC282D29A1C26D26773B60FBE05AAB62BFA0BA32127563D42F7669C97784C8897C22CFB4B8FA + +DigestVerify = SHA224 +Key = B-571_PUB +Input = "test" +Output = 308194024803048E76506C5C43D92B2E33F62B33E3111CEEB87F6C7DF7C7C01E3CDA28FA5E8BE04B5B23AA03C0C70FEF8F723CBCEBFF0B7A52A3F5C8B84B741B4F6157E69A5FB0524B48F31828024802C99078CCFE5C82102B8D006E3703E020C46C87C75163A2CD839C885550BA5CB501AC282D29A1C26D26773B60FBE05AAB62BFA0BA32127563D42F7669C97784C8897C22CFB4B8FA + +DigestVerify = SHA224 +Key = B-571_PUB +Input = "test" +Output = 
308194024803048E76506C5C43D92B2E33F62B33E3111CEEB87F6C7DF7C7C01E3CDA28FA5E8BE04B5B23AA03C0C70FEF8F723CBCEBFF0B7A52A3F5C8B84B741B4F6157E69A5FB0524B48F31828024802C99078CCFE5C82102B8D006E3703E020C46C87C75163A2CD839C885550BA5CB501AC282D29A1C26D26773B60FBE05AAB62BFA0BA32127563D42F7669C97784C8897C22CFB4B8FB +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-571_PRIV +NonceType = deterministic +Input = "test" +Output = 30819402480184BC808506E11A65D628B457FDA60952803C604CC7181B59BD25AEE1411A66D12A777F3A0DC99E1190C58D0037807A95E5080FA1B2E5CCAA37B50D401CFFC3417C005AEE9634690248027280D45F81B19334DBDB07B7E63FE8F39AC7E9AE14DE1D2A6884D2101850289D70EE400F26ACA5E7D73F534A14568478E59D00594981ABE6A1BA18554C13EB5E03921E4DC98333 + +DigestVerify = SHA256 +Key = B-571_PUB +Input = "test" +Output = 30819402480184BC808506E11A65D628B457FDA60952803C604CC7181B59BD25AEE1411A66D12A777F3A0DC99E1190C58D0037807A95E5080FA1B2E5CCAA37B50D401CFFC3417C005AEE9634690248027280D45F81B19334DBDB07B7E63FE8F39AC7E9AE14DE1D2A6884D2101850289D70EE400F26ACA5E7D73F534A14568478E59D00594981ABE6A1BA18554C13EB5E03921E4DC98333 + +DigestVerify = SHA256 +Key = B-571_PUB +Input = "test" +Output = 30819402480184BC808506E11A65D628B457FDA60952803C604CC7181B59BD25AEE1411A66D12A777F3A0DC99E1190C58D0037807A95E5080FA1B2E5CCAA37B50D401CFFC3417C005AEE9634690248027280D45F81B19334DBDB07B7E63FE8F39AC7E9AE14DE1D2A6884D2101850289D70EE400F26ACA5E7D73F534A14568478E59D00594981ABE6A1BA18554C13EB5E03921E4DC98332 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-571_PRIV +NonceType = deterministic +Input = "test" +Output = 30819402480319EE57912E7B0FAA1FBB145B0505849A89C6DB1EC06EA20A6A7EDE072A6268AF6FD9C809C7E422A5F33C6C3326EAD7402467DF3272A1B2726C1C20975950F0F50D8324578F13EC024802CF3EA27EADD0612DD2F96F46E89AB894B01A10DF985C5FC099CFFE0EA083EB44BE682B08BFE405DAD5F37D0A2C59015BA41027E24B99F8F75A70B6B7385BF39BBEA02513EB880C + +DigestVerify = SHA384 +Key = B-571_PUB +Input = "test" +Output = 
30819402480319EE57912E7B0FAA1FBB145B0505849A89C6DB1EC06EA20A6A7EDE072A6268AF6FD9C809C7E422A5F33C6C3326EAD7402467DF3272A1B2726C1C20975950F0F50D8324578F13EC024802CF3EA27EADD0612DD2F96F46E89AB894B01A10DF985C5FC099CFFE0EA083EB44BE682B08BFE405DAD5F37D0A2C59015BA41027E24B99F8F75A70B6B7385BF39BBEA02513EB880C + +DigestVerify = SHA384 +Key = B-571_PUB +Input = "test" +Output = 30819402480319EE57912E7B0FAA1FBB145B0505849A89C6DB1EC06EA20A6A7EDE072A6268AF6FD9C809C7E422A5F33C6C3326EAD7402467DF3272A1B2726C1C20975950F0F50D8324578F13EC024802CF3EA27EADD0612DD2F96F46E89AB894B01A10DF985C5FC099CFFE0EA083EB44BE682B08BFE405DAD5F37D0A2C59015BA41027E24B99F8F75A70B6B7385BF39BBEA02513EB880D +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-571_PRIV +NonceType = deterministic +Input = "test" +Output = 308194024802AA1888EAB05F7B00B6A784C4F7081D2C833D50794D9FEAF6E22B8BE728A2A90BFCABDC803162020AA629718295A1489EE7ED0ECB8AAA197B9BDFC49D18DDD78FC85A48F9715544024800AA5371FE5CA671D6ED9665849C37F394FED85D51FEF72DA2B5F28EDFB2C6479CA63320C19596F5E1101988E2C619E302DD05112F47E8823040CE540CD3E90DCF41DBC461744EE9 + +DigestVerify = SHA512 +Key = B-571_PUB +Input = "test" +Output = 308194024802AA1888EAB05F7B00B6A784C4F7081D2C833D50794D9FEAF6E22B8BE728A2A90BFCABDC803162020AA629718295A1489EE7ED0ECB8AAA197B9BDFC49D18DDD78FC85A48F9715544024800AA5371FE5CA671D6ED9665849C37F394FED85D51FEF72DA2B5F28EDFB2C6479CA63320C19596F5E1101988E2C619E302DD05112F47E8823040CE540CD3E90DCF41DBC461744EE9 + +DigestVerify = SHA512 +Key = B-571_PUB +Input = "test" +Output = 308194024802AA1888EAB05F7B00B6A784C4F7081D2C833D50794D9FEAF6E22B8BE728A2A90BFCABDC803162020AA629718295A1489EE7ED0ECB8AAA197B9BDFC49D18DDD78FC85A48F9715544024800AA5371FE5CA671D6ED9665849C37F394FED85D51FEF72DA2B5F28EDFB2C6479CA63320C19596F5E1101988E2C619E302DD05112F47E8823040CE540CD3E90DCF41DBC461744EE8 +Result = VERIFY_ERROR From 8ef3b381bf76349e3277f758e2b1f116b21b776d Mon Sep 17 00:00:00 2001 
From: Facundo Tuesca Date: Tue, 20 Feb 2024 23:17:34 +0100 Subject: [PATCH 0152/1462] Fix ASN.1 issues in PKCS#7 and S/MIME signing (#10373) * Fix ASN.1 for S/MIME capabilities. The current implementation defines the SMIMECapabilities attribute so that its value is a SEQUENCE of all the algorithm OIDs that are supported. However, the S/MIME v3 spec (RFC 2633) specifies that each algorithm should be specified in its own SEQUENCE: SMIMECapabilities ::= SEQUENCE OF SMIMECapability SMIMECapability ::= SEQUENCE { capabilityID OBJECT IDENTIFIER, parameters ANY DEFINED BY capabilityID OPTIONAL } (RFC 2633, Appendix A) This commit changes the implementation so that each algorithm is inside its own SEQUENCE. This also matches the OpenSSL implementation. * Fix the RSA OID used for signing PKCS#7/SMIME The current implementation computes the algorithm identifier used in the `digest_encryption_algorithm` PKCS#7 field (or `SignatureAlgorithmIdentifier` in S/MIME) based on both the algorithm used to sign (e.g. RSA) and the digest algorithm (e.g. SHA512). This is correct for ECDSA signatures, where the OIDs used include the digest algorithm (e.g: ecdsa-with-SHA512). However, due to historical reasons, when signing with RSA the OID specified should be the one corresponding to just RSA ("1.2.840.113549.1.1.1" rsaEncryption), rather than OIDs which also include the digest algorithm (such as "1.2.840.113549.1.1.13", sha512WithRSAEncryption). This means that the logic to compute the algorithm identifier is the same except when signing with RSA, in which case the OID will always be `rsaEncryption`. This is consistent with the OpenSSL implementation, and the RFCs that define PKCS#7 and S/MIME. See RFC 3851 (section 2.2), and RFC 3370 (section 3.2) for more details. 
* Add tests for the changes in PKCS7 signing * PKCS7 fixes from code review * Update CHANGELOG --- CHANGELOG.rst | 3 ++ src/rust/src/pkcs7.rs | 28 ++++++++++++-- src/rust/src/x509/sign.rs | 5 ++- tests/hazmat/primitives/test_pkcs7.py | 54 ++++++++++++++++++++++++++- 4 files changed, 83 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 2a529c2d7b80..348a7770a316 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -26,6 +26,9 @@ Changelog and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ARC4` into :doc:`/hazmat/decrepit/index` and deprecated them in the ``cipher`` module. They will be removed from the ``cipher`` module in 48.0.0. +* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities`` + and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the + definitions in :rfc:`2633` :rfc:`3370`. .. _v42-0-3: diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 28edd016b863..9732b6b93b9b 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -104,9 +104,9 @@ fn sign_and_serialize<'p>( // Subset of values OpenSSL provides: // https://github.com/openssl/openssl/blob/667a8501f0b6e5705fd611d5bb3ca24848b07154/crypto/pkcs7/pk7_smime.c#L150 // removing all the ones that are bad cryptography - AES_256_CBC_OID, - AES_192_CBC_OID, - AES_128_CBC_OID, + &asn1::SequenceOfWriter::new([AES_256_CBC_OID]), + &asn1::SequenceOfWriter::new([AES_192_CBC_OID]), + &asn1::SequenceOfWriter::new([AES_128_CBC_OID]), ]))?; let py_signers: Vec<( @@ -205,7 +205,7 @@ fn sign_and_serialize<'p>( }, digest_algorithm: digest_alg, authenticated_attributes: authenticated_attrs, - digest_encryption_algorithm: x509::sign::compute_signature_algorithm( + digest_encryption_algorithm: compute_pkcs7_signature_algorithm( py, py_private_key, py_hash_alg, 
@@ -262,6 +262,26 @@ fn sign_and_serialize<'p>( } } +fn compute_pkcs7_signature_algorithm<'p>( + py: pyo3::Python<'p>, + private_key: &'p pyo3::PyAny, + hash_algorithm: &'p pyo3::PyAny, + rsa_padding: &'p pyo3::PyAny, +) -> pyo3::PyResult> { + let key_type = x509::sign::identify_key_type(py, private_key)?; + let has_pss_padding = rsa_padding.is_instance(types::PSS.get(py)?)?; + // For RSA signatures (with no PSS padding), the OID is always the same no matter the + // digest algorithm. See RFC 3370 (section 3.2). + if key_type == x509::sign::KeyType::Rsa && !has_pss_padding { + Ok(common::AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: common::AlgorithmParameters::Rsa(Some(())), + }) + } else { + x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding) + } +} + fn smime_canonicalize(data: &[u8], text_mode: bool) -> (Cow<'_, [u8]>, Cow<'_, [u8]>) { let mut new_data_with_header = vec![]; let mut new_data_without_header = vec![]; diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 099032210e8b..638bbbe909af 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -48,7 +48,10 @@ enum HashType { Sha3_512, } -fn identify_key_type(py: pyo3::Python<'_>, private_key: &pyo3::PyAny) -> pyo3::PyResult { +pub(crate) fn identify_key_type( + py: pyo3::Python<'_>, + private_key: &pyo3::PyAny, +) -> pyo3::PyResult { if private_key.is_instance(types::RSA_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Rsa) } else if private_key.is_instance(types::DSA_PRIVATE_KEY.get(py)?)? { diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 837ad261941c..a929a9e83ae3 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py 
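Review bot: In `compute_pkcs7_signature_algorithm`, the RSA-without-PSS branch returns the fixed `rsaEncryption` identifier without ever reading `hash_algorithm`, and `rsa_padding` is only tested against `types::PSS`. Any checks that `x509::sign::compute_signature_algorithm` applies to the digest or padding are therefore presumably skipped on this path. If that function is the only place an unsupported hash or padding object gets rejected (not visible in this hunk), a PKCS#1 v1.5 signer no longer reaches that rejection here, so it is worth confirming the caller validates both arguments first. The function also has no doc comment; I would add `/// Signature AlgorithmIdentifier for a PKCS#7 SignerInfo: rsaEncryption for RSA without PSS (RFC 3370, section 3.2), otherwise the result of x509::sign::compute_signature_algorithm; hash_algorithm is not inspected on the RSA path.`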
@@ -558,6 +558,50 @@ def test_sign_text(self, backend): backend, ) + def test_smime_capabilities(self, backend): + data = b"hello world" + cert, key = _load_cert_key() + builder = ( + pkcs7.PKCS7SignatureBuilder() + .set_data(data) + .add_signer(cert, key, hashes.SHA256()) + ) + + sig_binary = builder.sign(serialization.Encoding.DER, []) + + # 1.2.840.113549.1.9.15 (SMIMECapabilities) as an ASN.1 DER encoded OID + assert b"\x06\t*\x86H\x86\xf7\r\x01\t\x0f" in sig_binary + + # 2.16.840.1.101.3.4.1.42 (aes256-CBC-PAD) as an ASN.1 DER encoded OID + aes256_cbc_pad_oid = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x2A" + # 2.16.840.1.101.3.4.1.22 (aes192-CBC-PAD) as an ASN.1 DER encoded OID + aes192_cbc_pad_oid = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x16" + # 2.16.840.1.101.3.4.1.2 (aes128-CBC-PAD) as an ASN.1 DER encoded OID + aes128_cbc_pad_oid = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" + + # Each algorithm in SMIMECapabilities should be inside its own + # SEQUENCE. + # This is encoded as SEQUENCE_IDENTIFIER + LENGTH + ALGORITHM_OID. + # This tests that each algorithm is indeed encoded inside its own + # sequence. See RFC 2633, Appendix A for more details. + sequence_identifier = b"\x30" + for oid in [ + aes256_cbc_pad_oid, + aes192_cbc_pad_oid, + aes128_cbc_pad_oid, + ]: + len_oid = len(oid).to_bytes(length=1, byteorder="big") + assert sequence_identifier + len_oid + oid in sig_binary + + _pkcs7_verify( + serialization.Encoding.DER, + sig_binary, + None, + [cert], + [], + backend, + ) + def test_sign_no_capabilities(self, backend): data = b"hello world" cert, key = _load_cert_key() 
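Review bot: The loop in `test_smime_capabilities` only checks that each `30 0b <oid>` byte string occurs somewhere in `sig_binary`, which does not show that the three entries sit together, in order, inside the SMIMECapabilities attribute value. Since `pkcs7.rs` writes the OIDs in the order 256, 192, 128, the test could pin the whole value: `caps = b"".join(b"\x30" + bytes([len(o)]) + o for o in oids)` followed by `assert b"\x30" + bytes([len(caps)]) + caps in sig_binary`, where `oids` is the list the loop already iterates. This assumes the encoder keeps the written order and that every length stays in DER short form (under 128 bytes), which holds for these three OIDs.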
@@ -678,9 +722,15 @@ def test_rsa_pkcs_padding_options(self, pad, backend): sig.count(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x08") == 1 ) else: - # This should be a pkcs1 sha512 signature + # This should be a pkcs1 RSA signature, which uses the + # `rsaEncryption` OID (1.2.840.113549.1.1.1) no matter which + # digest algorithm is used. + # See RFC 3370 section 3.2 for more details. + # This OID appears twice, once in the certificate itself and + # another in the SignerInfo data structure in the + # `digest_encryption_algorithm` field. assert ( - sig.count(b"\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0D") == 1 + sig.count(b"\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01") == 2 ) _pkcs7_verify( serialization.Encoding.DER, From 3d329f2320e695abbd71c5feb4e3494f1c6df59e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 21 Feb 2024 00:15:38 +0000 Subject: [PATCH 0153/1462] Bump BoringSSL and/or OpenSSL in CI (#10443) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b7b8535445ab..ac090595b7fa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
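Review bot: The new `sig.count(...) == 2` assertion in the `else` branch depends on the test certificate contributing exactly one `rsaEncryption` OID, so it checks the SignerInfo field only indirectly, and nothing asserts that the digest-specific OID is gone. A negative check in the same branch would pin the fix directly: `assert sig.count(b"\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0D") == 0`. That assumes the certificate itself is not signed with sha512WithRSAEncryption, which the previous `== 1` expectation suggests but this hunk does not show. `test_rsa_pkcs_padding_options` starts and ends outside the hunk.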
@@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 17, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "99e8c6e2a383a25679c3d6767702732b27bc16ea"}} - # Latest commit on the OpenSSL master branch, as of Feb 20, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a768a796f26ecebc12ac0bd9b86c5c30bfd9370b"}} + # Latest commit on the BoringSSL master branch, as of Feb 21, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "48b0edfdf2dd9f38650d2ec13fa72cc0407a0d84"}} + # Latest commit on the OpenSSL master branch, as of Feb 21, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "709637c8764e153f77c1d55d00b37fb08634aca9"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 5020735e87ddf6bf72c5f1ed962fc2ff3f81cd8d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 21 Feb 2024 00:28:26 +0000 Subject: [PATCH 0154/1462] Bump x509-limbo and/or wycheproof in CI (#10444) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 326ef2cf71f7..d633399239c6 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 16, 2024. - ref: "5f2f7b0a1ac8a8ebae3e418c2569f524c80f29db" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 21, 2024. + ref: "8ad17cdde59a1e62e8df1b8b0ffa4cfa3ab53f33" # x509-limbo-ref From 2492af56a45fb4fd7bd5ea1b5a69f8a141b1adac Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 20 Feb 2024 22:20:59 -0500 Subject: [PATCH 0155/1462] Forward port 42.0.4 changelog (#10446) --- CHANGELOG.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 348a7770a316..78fd4b7d4d19 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -26,6 +26,15 @@ Changelog and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ARC4` into :doc:`/hazmat/decrepit/index` and deprecated them in the ``cipher`` module. They will be removed from the ``cipher`` module in 48.0.0. + +.. _v42-0-4: + +42.0.4 - 2024-02-20 +~~~~~~~~~~~~~~~~~~~ + +* Fixed a null-pointer-dereference and segfault that could occur when creating + a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the + issue. **CVE-2024-26130** * Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities`` and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the definitions in :rfc:`2633` :rfc:`3370`. From fd933a86836c6f9ca35b53a274d1ce3729690a15 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Feb 2024 07:06:33 -0500 Subject: [PATCH 0156/1462] Bump coverage from 7.4.1 to 7.4.2 (#10448) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.4.1 to 7.4.2. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.4.1...7.4.2) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 460c621257e8..60363341b890 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.4.1; python_version >= "3.8" +coverage==7.4.2; python_version >= "3.8" # via # coverage # pytest-cov From 583304ee0ab3379c94e87e7c9e274007dcd5c887 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Feb 2024 07:06:55 -0500 Subject: [PATCH 0157/1462] Bump cc from 1.0.83 to 1.0.86 in /src/rust (#10449) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.83 to 1.0.86. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.83...1.0.86) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 7 ++----- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index c85ea888aa3a..21930a302524 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,12 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.83" +version = "1.0.86" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0" -dependencies = [ - "libc", -] +checksum = "7f9fa1897e4325be0d68d48df6aa1a71ac2ed4d27723887e7754192705350730" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index af977b0d6a51..956728c7beba 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.20", features = ["abi3"] } openssl-sys = "0.9.100" [build-dependencies] -cc = "1.0.83" +cc = "1.0.86" From b997a63f6a4a72824ea7b5fa10efabc56855bb03 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Feb 2024 09:03:36 -0600 Subject: [PATCH 0158/1462] Bump cryptography from 42.0.3 to 42.0.4 in /.github/requirements (#10447) * Bump cryptography from 42.0.3 to 42.0.4 in /.github/requirements Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.3 to 42.0.4. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/42.0.3...42.0.4) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 0f65bca76c66..9086575892ae 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -166,39 +166,39 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==42.0.3 \ - --hash=sha256:04859aa7f12c2b5f7e22d25198ddd537391f1695df7057c8700f71f26f47a129 \ - --hash=sha256:069d2ce9be5526a44093a0991c450fe9906cdf069e0e7cd67d9dee49a62b9ebe \ - --hash=sha256:0d3ec384058b642f7fb7e7bff9664030011ed1af8f852540c76a1317a9dd0d20 \ - --hash=sha256:0fab2a5c479b360e5e0ea9f654bcebb535e3aa1e493a715b13244f4e07ea8eec \ - --hash=sha256:0fea01527d4fb22ffe38cd98951c9044400f6eff4788cf52ae116e27d30a1ba3 \ - --hash=sha256:1b797099d221df7cce5ff2a1d272761d1554ddf9a987d3e11f6459b38cd300fd \ - --hash=sha256:1e935c2900fb53d31f491c0de04f41110351377be19d83d908c1fd502ae8daa5 \ - --hash=sha256:20100c22b298c9eaebe4f0b9032ea97186ac2555f426c3e70670f2517989543b \ - --hash=sha256:20180da1b508f4aefc101cebc14c57043a02b355d1a652b6e8e537967f1e1b46 \ - --hash=sha256:25b09b73db78facdfd7dd0fa77a3f19e94896197c86e9f6dc16bce7b37a96504 \ - --hash=sha256:2619487f37da18d6826e27854a7f9d4d013c51eafb066c80d09c63cf24505306 \ - --hash=sha256:2eb6368d5327d6455f20327fb6159b97538820355ec00f8cc9464d617caecead \ - --hash=sha256:35772a6cffd1f59b85cb670f12faba05513446f80352fe811689b4e439b5d89e \ - --hash=sha256:39d5c93e95bcbc4c06313fc6a500cee414ee39b616b55320c1904760ad686938 \ - --hash=sha256:3d96ea47ce6d0055d5b97e761d37b4e84195485cb5a38401be341fabf23bc32a \ - --hash=sha256:4dcab7c25e48fc09a73c3e463d09ac902a932a0f8d0c568238b3696d06bf377b \ - --hash=sha256:5fbf0f3f0fac7c089308bd771d2c6c7b7d53ae909dce1db52d8e921f6c19bb3a \ - --hash=sha256:6c25e1e9c2ce682d01fc5e2dde6598f7313027343bd14f4049b82ad0402e52cd \ - --hash=sha256:762f3771ae40e111d78d77cbe9c1035e886ac04a234d3ee0856bf4ecb3749d54 \ - --hash=sha256:90147dad8c22d64b2ff7331f8d4cddfdc3ee93e4879796f837bdbb2a0b141e0c \ - --hash=sha256:935cca25d35dda9e7bd46a24831dfd255307c55a07ff38fd1a92119cffc34857 \ - 
--hash=sha256:93fbee08c48e63d5d1b39ab56fd3fdd02e6c2431c3da0f4edaf54954744c718f \ - --hash=sha256:9541c69c62d7446539f2c1c06d7046aef822940d248fa4b8962ff0302862cc1f \ - --hash=sha256:c23f03cfd7d9826cdcbad7850de67e18b4654179e01fe9bc623d37c2638eb4ef \ - --hash=sha256:c3d1f5a1d403a8e640fa0887e9f7087331abb3f33b0f2207d2cc7f213e4a864c \ - --hash=sha256:d1998e545081da0ab276bcb4b33cce85f775adb86a516e8f55b3dac87f469548 \ - --hash=sha256:d5cf11bc7f0b71fb71af26af396c83dfd3f6eed56d4b6ef95d57867bf1e4ba65 \ - --hash=sha256:db0480ffbfb1193ac4e1e88239f31314fe4c6cdcf9c0b8712b55414afbf80db4 \ - --hash=sha256:de4ae486041878dc46e571a4c70ba337ed5233a1344c14a0790c4c4be4bbb8b4 \ - --hash=sha256:de5086cd475d67113ccb6f9fae6d8fe3ac54a4f9238fd08bfdb07b03d791ff0a \ - --hash=sha256:df34312149b495d9d03492ce97471234fd9037aa5ba217c2a6ea890e9166f151 \ - --hash=sha256:ead69ba488f806fe1b1b4050febafdbf206b81fa476126f3e16110c818bac396 +cryptography==42.0.4 \ + --hash=sha256:01911714117642a3f1792c7f376db572aadadbafcd8d75bb527166009c9f1d1b \ + --hash=sha256:0e89f7b84f421c56e7ff69f11c441ebda73b8a8e6488d322ef71746224c20fce \ + --hash=sha256:12d341bd42cdb7d4937b0cabbdf2a94f949413ac4504904d0cdbdce4a22cbf88 \ + --hash=sha256:15a1fb843c48b4a604663fa30af60818cd28f895572386e5f9b8a665874c26e7 \ + --hash=sha256:1cdcdbd117681c88d717437ada72bdd5be9de117f96e3f4d50dab3f59fd9ab20 \ + --hash=sha256:1df6fcbf60560d2113b5ed90f072dc0b108d64750d4cbd46a21ec882c7aefce9 \ + --hash=sha256:3c6048f217533d89f2f8f4f0fe3044bf0b2090453b7b73d0b77db47b80af8dff \ + --hash=sha256:3e970a2119507d0b104f0a8e281521ad28fc26f2820687b3436b8c9a5fcf20d1 \ + --hash=sha256:44a64043f743485925d3bcac548d05df0f9bb445c5fcca6681889c7c3ab12764 \ + --hash=sha256:4e36685cb634af55e0677d435d425043967ac2f3790ec652b2b88ad03b85c27b \ + --hash=sha256:5f8907fcf57392cd917892ae83708761c6ff3c37a8e835d7246ff0ad251d9298 \ + --hash=sha256:69b22ab6506a3fe483d67d1ed878e1602bdd5912a134e6202c1ec672233241c1 \ + 
--hash=sha256:6bfadd884e7280df24d26f2186e4e07556a05d37393b0f220a840b083dc6a824 \ + --hash=sha256:6d0fbe73728c44ca3a241eff9aefe6496ab2656d6e7a4ea2459865f2e8613257 \ + --hash=sha256:6ffb03d419edcab93b4b19c22ee80c007fb2d708429cecebf1dd3258956a563a \ + --hash=sha256:810bcf151caefc03e51a3d61e53335cd5c7316c0a105cc695f0959f2c638b129 \ + --hash=sha256:831a4b37accef30cccd34fcb916a5d7b5be3cbbe27268a02832c3e450aea39cb \ + --hash=sha256:887623fe0d70f48ab3f5e4dbf234986b1329a64c066d719432d0698522749929 \ + --hash=sha256:a0298bdc6e98ca21382afe914c642620370ce0470a01e1bef6dd9b5354c36854 \ + --hash=sha256:a1327f280c824ff7885bdeef8578f74690e9079267c1c8bd7dc5cc5aa065ae52 \ + --hash=sha256:c1f25b252d2c87088abc8bbc4f1ecbf7c919e05508a7e8628e6875c40bc70923 \ + --hash=sha256:c3a5cbc620e1e17009f30dd34cb0d85c987afd21c41a74352d1719be33380885 \ + --hash=sha256:ce8613beaffc7c14f091497346ef117c1798c202b01153a8cc7b8e2ebaaf41c0 \ + --hash=sha256:d2a27aca5597c8a71abbe10209184e1a8e91c1fd470b5070a2ea60cafec35bcd \ + --hash=sha256:dad9c385ba8ee025bb0d856714f71d7840020fe176ae0229de618f14dae7a6e2 \ + --hash=sha256:db4b65b02f59035037fde0998974d84244a64c3265bdef32a827ab9b63d61b18 \ + --hash=sha256:e09469a2cec88fb7b078e16d4adec594414397e8879a4341c6ace96013463d5b \ + --hash=sha256:e53dc41cda40b248ebc40b83b31516487f7db95ab8ceac1f042626bc43a2f992 \ + --hash=sha256:f1e85a178384bf19e36779d91ff35c7617c885da487d689b05c1366f9933ad74 \ + --hash=sha256:f47be41843200f7faec0683ad751e5ef11b9a56a220d57f300376cd8aba81660 \ + --hash=sha256:fb0cef872d8193e487fc6bdb08559c3aa41b659a7d9be48b2e10747f47863925 \ + --hash=sha256:ffc73996c4fca3d2b6c1c8c12bfd3ad00def8621da24f547626bf06441400449 # via # pyopenssl # secretstorage From c86b1b273203988598bc91ecff303d12537df7f5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Feb 2024 23:30:15 +0000 Subject: [PATCH 0159/1462] Bump openssl-sys from 0.9.100 to 0.9.101 in /src/rust (#10452) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.100 to 0.9.101. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.100...openssl-sys-v0.9.101) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 21930a302524..6a68aa4b54cf 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -213,9 +213,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.100" +version = "0.9.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ae94056a791d0e1217d18b6cbdccb02c61e3054fc69893607f4067e3bb0b1fd1" +checksum = "dda2b0f344e78efc2facf7d195d098df0dd72151b26ab98da807afc26c198dff" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 83c6605ad453..aa533bf210c3 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -19,7 +19,7 @@ cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.64" -openssl-sys = "0.9.100" +openssl-sys = "0.9.101" foreign-types-shared = "0.1" self_cell = "1" 
diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 956728c7beba..44afed76d219 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.63.0" [dependencies] pyo3 = { version = "0.20", features = ["abi3"] } -openssl-sys = "0.9.100" +openssl-sys = "0.9.101" [build-dependencies] cc = "1.0.86" diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index 2922568d15ef..fdde0053df4c 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -11,5 +11,5 @@ rust-version = "1.63.0" asn1 = { version = "0.16.0", default-features = false } cfg-if = "1" openssl = "0.10.64" -openssl-sys = "0.9.100" +openssl-sys = "0.9.101" cryptography-x509 = { path = "../cryptography-x509" } From 9db845669d36555723c4444768da31a061bc6371 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Feb 2024 18:31:13 -0500 Subject: [PATCH 0160/1462] Bump dawidd6/action-download-artifact from 3.1.1 to 3.1.2 (#10451) Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 3.1.1 to 3.1.2. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](https://github.com/dawidd6/action-download-artifact/compare/72aaadce3bc708349fc665eee3785cbb1b6e51d0...71072fbb1229e1317f1a8de6b04206afb461bd67) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ac090595b7fa..7d9a2226aa8f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -256,7 +256,7 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/fetch-vectors - - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 + - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -316,7 +316,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'" - - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 + - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2 with: repo: pyca/infra workflow: build-windows-openssl.yml diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index bd31dbaeaaf3..f95c72b497dc 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -47,7 +47,7 @@ jobs: - name: Install Python dependencies run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} - - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 + - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2 with: path: dist/ run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 3223f7982f86..4ddcff39e6df 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml 
@@ -232,7 +232,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') - - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 + - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -329,7 +329,7 @@ jobs: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 + - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2 with: repo: pyca/infra workflow: build-windows-openssl.yml From 69f00114101503b3b6dc253da4a857f845009ebd Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 22 Feb 2024 00:25:00 +0000 Subject: [PATCH 0161/1462] Bump BoringSSL and/or OpenSSL in CI (#10453) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7d9a2226aa8f..85c58679c23e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 21, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "48b0edfdf2dd9f38650d2ec13fa72cc0407a0d84"}} - # Latest commit on the OpenSSL master branch, as of Feb 21, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "709637c8764e153f77c1d55d00b37fb08634aca9"}} + # Latest commit on the BoringSSL master branch, as of Feb 22, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e44712755dd9281656009d4931cf7ae12201ae21"}} + # Latest commit on the OpenSSL master branch, as of Feb 22, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4a6f70c03182b421d326831532edca32bcdb3fb1"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 62458e7dff8674d77a20c59b0deca559cfa3e491 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 22 Feb 2024 06:51:21 -0500 Subject: [PATCH 0162/1462] Bump target-lexicon from 0.12.13 to 0.12.14 in /src/rust (#10454) Bumps [target-lexicon](https://github.com/bytecodealliance/target-lexicon) from 0.12.13 to 0.12.14. - [Commits](https://github.com/bytecodealliance/target-lexicon/compare/v0.12.13...v0.12.14) --- updated-dependencies: - dependency-name: target-lexicon dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6a68aa4b54cf..6b15f585b316 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -380,9 +380,9 @@ dependencies = [ [[package]] name = "target-lexicon" -version = "0.12.13" +version = "0.12.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69758bda2e78f098e4ccb393021a0963bb3442eac05f135c30f61b7370bbafae" +checksum = "e1fc403891a21bcfb7c37834ba66a547a8f402146eba7265b5a6d88059c9ff2f" [[package]] name = "unicode-ident" From 9ba494087045a61248f791eacd40ed152de26847 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 22 Feb 2024 06:51:27 -0500 Subject: [PATCH 0163/1462] Bump virtualenv from 20.25.0 to 20.25.1 (#10455) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.25.0 to 20.25.1. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.25.0...20.25.1) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 60363341b890..4b9df4929612 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -150,7 +150,7 @@ typing-extensions==4.9.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests -virtualenv==20.25.0 +virtualenv==20.25.1 # via nox # The following packages are considered to be unsafe in a requirements file: From e02757c4486cd4c655839a734355a98846803077 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 23 Feb 2024 00:13:56 +0000 Subject: [PATCH 0164/1462] Bump BoringSSL and/or OpenSSL in CI (#10456) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 85c58679c23e..2913312f83b4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 22, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e44712755dd9281656009d4931cf7ae12201ae21"}} - # Latest commit on the OpenSSL master branch, as of Feb 22, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4a6f70c03182b421d326831532edca32bcdb3fb1"}} + # Latest commit on the BoringSSL master branch, as of Feb 23, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ab4037e3d14b2b1e02c93f76d80a8dd0ce3193fc"}} + # Latest commit on the OpenSSL master branch, as of Feb 23, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "11adf9a75d6b34723d1a20a0da4e4100ea6ca593"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 292d925c44e1687222e9b6eb6f2a537e83b34799 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 23 Feb 2024 00:29:49 +0000 Subject: [PATCH 0165/1462] Bump x509-limbo and/or wycheproof in CI (#10457) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index d633399239c6..821d7ffc91c8 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 21, 2024. - ref: "8ad17cdde59a1e62e8df1b8b0ffa4cfa3ab53f33" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 23, 2024. + ref: "aa48664a5baddd27129bf0d6cf2b4c54112e6745" # x509-limbo-ref From 048153ab3da5fe818cc7eb507132ff105dff1b6c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 22 Feb 2024 20:01:04 -0500 Subject: [PATCH 0166/1462] Stop running linkcheck on every push - its pointless (#10458) --- .github/workflows/linkcheck.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index 9f694c7cb661..0e5b688c051f 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -4,9 +4,9 @@ on: paths: - docs/conf.py - .github/workflows/linkcheck.yml - push: - branches: - - main + schedule: + # Run once a week on Fridays + - cron: "0 0 * * FRI" permissions: contents: read From 3ffcf539899b5abcec81f1967b31b99f1ac7cbf1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 22 Feb 2024 22:41:40 -0500 Subject: [PATCH 0167/1462] Simplify implementation of repr on OIDs (#10459) --- src/rust/src/oid.rs | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index 4bf764eee408..7996895ca1f0 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs @@ -41,17 +41,12 @@ impl ObjectIdentifier { slf } - fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { - let self_clone = pyo3::PyCell::new( - py, - ObjectIdentifier { - oid: self.oid.clone(), - }, - )?; - let name = ObjectIdentifier::_name(self_clone.borrow(), py)?.extract::<&str>()?; + fn __repr__(slf: &pyo3::PyCell, py: pyo3::Python<'_>) -> pyo3::PyResult { + let name = Self::_name(slf.borrow(), py)?.extract::<&str>()?; Ok(format!( "", - self.oid, name + slf.get().oid, + name )) } 
From f78c6ea9190425e59a2dc5d8de05cefff3f9fc7a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Feb 2024 07:34:59 -0500 Subject: [PATCH 0168/1462] Bump setuptools from 69.1.0 to 69.1.1 in /.github/requirements (#10461) Bumps [setuptools](https://github.com/pypa/setuptools) from 69.1.0 to 69.1.1. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v69.1.0...v69.1.1) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index aff425f1834b..92527ddbe91e 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -80,9 +80,9 @@ wheel==0.42.0 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==69.1.0 \ - --hash=sha256:850894c4195f09c4ed30dba56213bf7c3f21d86ed6bdaafb5df5972593bfc401 \ - --hash=sha256:c054629b81b946d63a9c6e732bc8b2513a7c3ea645f11d0139a2191d735c60c6 +setuptools==69.1.1 \ + --hash=sha256:02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56 \ + --hash=sha256:5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8 # via # -r build-requirements.in # setuptools-rust From 3598d2ee4b5060dbbe6938b893410ed35074567c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Feb 2024 13:10:48 +0000 Subject: [PATCH 0169/1462] Bump pyo3 from 0.20.2 to 0.20.3 in /src/rust (#10462) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.20.2 to 0.20.3. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/v0.20.3/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.20.2...v0.20.3) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6b15f585b316..f74594106eb2 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -261,6 +261,12 @@ version = "0.3.30" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d231b230927b5e4ad203db57bbcbee2802f6bce620b1e4a9024a07d94e2907ec" +[[package]] +name = "portable-atomic" +version = "1.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" + [[package]] name = "proc-macro2" version = "1.0.78" @@ -272,15 +278,16 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.20.2" +version = "0.20.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9a89dc7a5850d0e983be1ec2a463a171d20990487c3cfcd68b5363f1ee3d6fe0" +checksum = "53bdbb96d49157e65d45cc287af5f32ffadd5f4761438b527b055fb0d4bb8233" dependencies = [ "cfg-if", "indoc", "libc", "memoffset", "parking_lot", + "portable-atomic", "pyo3-build-config", "pyo3-ffi", "pyo3-macros", 
@@ -289,9 +296,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.20.2" +version = "0.20.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "07426f0d8fe5a601f26293f300afd1a7b1ed5e78b2a705870c5f30893c5163be" +checksum = "deaa5745de3f5231ce10517a1f5dd97d53e5a2fd77aa6b5842292085831d48d7" dependencies = [ "once_cell", "target-lexicon", @@ -299,9 +306,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.20.2" +version = "0.20.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dbb7dec17e17766b46bca4f1a4215a85006b4c2ecde122076c562dd058da6cf1" +checksum = "62b42531d03e08d4ef1f6e85a2ed422eb678b8cd62b762e53891c05faf0d4afa" dependencies = [ "libc", "pyo3-build-config", @@ -309,9 +316,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.20.2" +version = "0.20.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "05f738b4e40d50b5711957f142878cfa0f28e054aa0ebdfc3fd137a843f74ed3" +checksum = "7305c720fa01b8055ec95e484a6eca7a83c841267f0dd5280f0c8b8551d2c158" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -321,12 +328,13 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.20.2" +version = "0.20.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0fc910d4851847827daf9d6cdd4a823fbdaab5b8818325c5e97a86da79e8881f" +checksum = "7c7e9b68bb9c3149c5b0cade5d07f953d6d125eb4337723c4ccdb665f1f96185" dependencies = [ "heck", "proc-macro2", + "pyo3-build-config", "quote", "syn", ] From 28bb975af1f831ea2e8763b2ce6d111e7d6aca40 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 23 Feb 2024 16:07:27 +0000 Subject: [PATCH 0170/1462] Bump x509-limbo and/or wycheproof in CI (#10464) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 821d7ffc91c8..f896ef7079aa 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -17,4 +17,4 @@ runs: repository: "C2SP/x509-limbo" path: "x509-limbo" # Latest commit on the x509-limbo main branch, as of Feb 23, 2024. - ref: "aa48664a5baddd27129bf0d6cf2b4c54112e6745" # x509-limbo-ref + ref: "34ee9a57606e2875e698fe4320689fd9ee4c0ccd" # x509-limbo-ref From 4f260d3b6726db6ffa3c66dbba3efdea4b9f01aa Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 23 Feb 2024 19:04:47 -0500 Subject: [PATCH 0171/1462] Added a budget for NC checks to protect against DoS (#10467) --- .github/actions/fetch-vectors/action.yml | 2 +- .../cryptography-x509-verification/src/lib.rs | 47 +++++++++++++++++-- 2 files changed, 43 insertions(+), 6 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index f896ef7079aa..3d027df32788 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -17,4 +17,4 @@ runs: repository: "C2SP/x509-limbo" path: "x509-limbo" # Latest commit on the x509-limbo main branch, as of Feb 23, 2024. - ref: "34ee9a57606e2875e698fe4320689fd9ee4c0ccd" # x509-limbo-ref + ref: "c8f6a4f4946076db55778ed7b3cffdab082a1a12" # x509-limbo-ref diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 6265f75c5502..5ded892d5cbb 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs 
@@ -33,9 +33,35 @@ pub enum ValidationError { CandidatesExhausted(Box), Malformed(asn1::ParseError), DuplicateExtension(DuplicateExtensionsError), + FatalError(&'static str), Other(String), } +struct Budget { + name_constraint_checks: usize, +} + +impl Budget { + // Same limit as other validators + const DEFAULT_NAME_CONSTRAINT_CHECK_LIMIT: usize = 1 << 20; + + fn new() -> Budget { + Budget { + name_constraint_checks: Self::DEFAULT_NAME_CONSTRAINT_CHECK_LIMIT, + } + } + + fn name_constraint_check(&mut self) -> Result<(), ValidationError> { + self.name_constraint_checks = + self.name_constraint_checks + .checked_sub(1) + .ok_or(ValidationError::FatalError( + "Exceeded maximum name constraint check limit", + ))?; + Ok(()) + } +} + impl From for ValidationError { fn from(value: asn1::ParseError) -> Self { Self::Malformed(value) @@ -76,7 +102,10 @@ impl<'a, 'chain> NameChain<'a, 'chain> { &self, constraint: &GeneralName<'chain>, san: &GeneralName<'chain>, + budget: &mut Budget, ) -> Result { + budget.name_constraint_check()?; + match (constraint, san) { (GeneralName::DNSName(pattern), GeneralName::DNSName(name)) => { match (DNSConstraint::new(pattern.0), DNSName::new(name.0)) { @@ -114,9 +143,10 @@ impl<'a, 'chain> NameChain<'a, 'chain> { fn evaluate_constraints( &self, constraints: &NameConstraints<'chain>, + budget: &mut Budget, ) -> Result<(), ValidationError> { if let Some(child) = self.child { - child.evaluate_constraints(constraints)?; + child.evaluate_constraints(constraints, budget)?; } for san in self.sans.clone() { @@ -124,7 +154,7 @@ impl<'a, 'chain> NameChain<'a, 'chain> { let mut permit = true; if let Some(permitted_subtrees) = &constraints.permitted_subtrees { for p in permitted_subtrees.unwrap_read().clone() { - let status = self.evaluate_single_constraint(&p.base, &san)?; + let status = self.evaluate_single_constraint(&p.base, &san, budget)?; if status.is_applied() { permit = status.is_match(); if permit { 
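Review bot: `Budget` and `DEFAULT_NAME_CONSTRAINT_CHECK_LIMIT` in the first lib.rs hunk have no doc comment stating what one unit of budget is or what its scope is, and `// Same limit as other validators` does not name the validators it refers to. From the other hunks in this commit, one unit is spent per `evaluate_single_constraint` call (one constraint/SAN pair) and a fresh budget is created per `verify` call. A doc comment such as `/// Work budget for one verify() call; each constraint/SAN comparison costs one unit, and exhaustion returns FatalError.` would record that. Because `checked_sub(1)` fails only once the counter is already zero, exactly `1 << 20` comparisons are allowed, which is worth stating next to the constant along with the implementation(s) the value was taken from.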
@@ -142,7 +172,7 @@ impl<'a, 'chain> NameChain<'a, 'chain> { if let Some(excluded_subtrees) = &constraints.excluded_subtrees { for e in excluded_subtrees.unwrap_read().clone() { - let status = self.evaluate_single_constraint(&e.base, &san)?; + let status = self.evaluate_single_constraint(&e.base, &san, budget)?; if status.is_match() { return Err(ValidationError::Other( "excluded name constraint matched SAN".into(), @@ -166,7 +196,8 @@ pub fn verify<'chain, B: CryptoOps>( ) -> Result, ValidationError> { let builder = ChainBuilder::new(intermediates.into_iter().collect(), policy, store); - builder.build_chain(leaf) + let mut budget = Budget::new(); + builder.build_chain(leaf, &mut budget) } struct ChainBuilder<'a, 'chain, B: CryptoOps> { @@ -227,9 +258,10 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { current_depth: u8, working_cert_extensions: &Extensions<'chain>, name_chain: NameChain<'_, 'chain>, + budget: &mut Budget, ) -> Result, ValidationError> { if let Some(nc) = working_cert_extensions.get_extension(&NAME_CONSTRAINTS_OID) { - name_chain.evaluate_constraints(&nc.value()?)?; + name_chain.evaluate_constraints(&nc.value()?, budget)?; } // Look in the store's root set to see if the working cert is listed. @@ -295,11 +327,14 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // candidate (which is a non-leaf by definition) isn't self-issued. cert_is_self_issued(issuing_cert_candidate.certificate()), )?, + budget, ) { Ok(mut chain) => { chain.push(working_cert.clone()); return Ok(chain); } + // Immediately return on fatal error. + Err(e @ ValidationError::FatalError(..)) => return Err(e), Err(e) => last_err = Some(e), }; } 
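Review bot: The new `Err(e @ ValidationError::FatalError(..)) => return Err(e)` arm in the `-295,11` hunk is the only thing that stops budget exhaustion from being stored in `last_err` while the candidate loop keeps going, and no test in this patch pins that behaviour. A regression test that drives a chain past the limit and asserts the result is `FatalError` rather than `CandidatesExhausted` would cover it; the x509-limbo ref bump in the same commit may already supply such a vector, but that is not visible here. A why-comment on the arm, e.g. `// Budget exhaustion must abort the whole search, not just this candidate.`, would also help, because the arm has to stay ahead of the catch-all `Err(e)`. The enclosing function starts and ends outside the hunk.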
@@ -326,6 +361,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn build_chain( &self, leaf: &VerificationCertificate<'chain, B>, + budget: &mut Budget, ) -> Result, ValidationError> { // Before anything else, check whether the given leaf cert // is well-formed according to our policy (and its underlying @@ -342,6 +378,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { 0, &leaf_extensions, NameChain::new(None, &leaf_extensions, false)?, + budget, )?; // We build the chain in reverse order, fix it now. chain.reverse(); From 2981f128543ad23a931f651dfb2783528dd6fb4c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 24 Feb 2024 00:21:02 +0000 Subject: [PATCH 0172/1462] Bump BoringSSL and/or OpenSSL in CI (#10469) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2913312f83b4..9080d862f888 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 23, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ab4037e3d14b2b1e02c93f76d80a8dd0ce3193fc"}} + # Latest commit on the BoringSSL master branch, as of Feb 24, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9d7535f51f84a079c05b27134fcf6111649c56c9"}} # Latest commit on the OpenSSL master branch, as of Feb 23, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "11adf9a75d6b34723d1a20a0da4e4100ea6ca593"}} # Builds with various Rust versions. Includes MSRV and next From 3f6931ee13b758f8b500af4a9a8876dd4aafc2c1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 23 Feb 2024 20:28:28 -0500 Subject: [PATCH 0173/1462] Forward port 42.0.5 changelog (#10471) --- CHANGELOG.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 78fd4b7d4d19..7fa93101a919 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -27,6 +27,16 @@ Changelog :doc:`/hazmat/decrepit/index` and deprecated them in the ``cipher`` module. They will be removed from the ``cipher`` module in 48.0.0. +.. _v42-0-5: + +42.0.5 - 2024-02-23 +~~~~~~~~~~~~~~~~~~~ + +* Limit the number of name constraint checks that will be performed in + :mod:`X.509 path validation ` to protect + against denial of service attacks. +* Upgrade ``pyo3`` version, which fixes building on PowerPC. + .. _v42-0-4: 42.0.4 - 2024-02-20 From 68538b1c94bf4f4be35694fb7bf576e7ee3946a1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 24 Feb 2024 04:55:17 +0000 Subject: [PATCH 0174/1462] Bump cc from 1.0.86 to 1.0.87 in /src/rust (#10472) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.86 to 1.0.87. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.86...1.0.87) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index f74594106eb2..0a09cd54e498 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.86" +version = "1.0.87" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f9fa1897e4325be0d68d48df6aa1a71ac2ed4d27723887e7754192705350730" +checksum = "3286b845d0fccbdd15af433f61c5970e711987036cb468f437ff6badd70f4e24" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 44afed76d219..21e48cbf7624 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.20", features = ["abi3"] } openssl-sys = "0.9.101" [build-dependencies] -cc = "1.0.86" +cc = "1.0.87" From 9ceecb5c7f1dc055513b100e9ccf2df15335fc5c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 24 Feb 2024 04:59:31 +0000 Subject: [PATCH 0175/1462] Bump coverage from 7.4.2 to 7.4.3 (#10473) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.4.2 to 7.4.3. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.4.2...7.4.3) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 4b9df4929612..59d805e1ce12 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.4.2; python_version >= "3.8" +coverage==7.4.3; python_version >= "3.8" # via # coverage # pytest-cov From e3c2d8c10276298b60106fc977d1d2b4bcce13ea Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 24 Feb 2024 00:14:02 -0600 Subject: [PATCH 0176/1462] Bump cryptography from 42.0.4 to 42.0.5 in /.github/requirements (#10474) * Bump cryptography from 42.0.4 to 42.0.5 in /.github/requirements Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.4 to 42.0.5. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/42.0.4...42.0.5) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 9086575892ae..fb13f66a171a 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -166,39 +166,39 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==42.0.4 \ - --hash=sha256:01911714117642a3f1792c7f376db572aadadbafcd8d75bb527166009c9f1d1b \ - --hash=sha256:0e89f7b84f421c56e7ff69f11c441ebda73b8a8e6488d322ef71746224c20fce \ - --hash=sha256:12d341bd42cdb7d4937b0cabbdf2a94f949413ac4504904d0cdbdce4a22cbf88 \ - --hash=sha256:15a1fb843c48b4a604663fa30af60818cd28f895572386e5f9b8a665874c26e7 \ - --hash=sha256:1cdcdbd117681c88d717437ada72bdd5be9de117f96e3f4d50dab3f59fd9ab20 \ - --hash=sha256:1df6fcbf60560d2113b5ed90f072dc0b108d64750d4cbd46a21ec882c7aefce9 \ - --hash=sha256:3c6048f217533d89f2f8f4f0fe3044bf0b2090453b7b73d0b77db47b80af8dff \ - --hash=sha256:3e970a2119507d0b104f0a8e281521ad28fc26f2820687b3436b8c9a5fcf20d1 \ - --hash=sha256:44a64043f743485925d3bcac548d05df0f9bb445c5fcca6681889c7c3ab12764 \ - --hash=sha256:4e36685cb634af55e0677d435d425043967ac2f3790ec652b2b88ad03b85c27b \ - --hash=sha256:5f8907fcf57392cd917892ae83708761c6ff3c37a8e835d7246ff0ad251d9298 \ - --hash=sha256:69b22ab6506a3fe483d67d1ed878e1602bdd5912a134e6202c1ec672233241c1 \ - --hash=sha256:6bfadd884e7280df24d26f2186e4e07556a05d37393b0f220a840b083dc6a824 \ - --hash=sha256:6d0fbe73728c44ca3a241eff9aefe6496ab2656d6e7a4ea2459865f2e8613257 \ - --hash=sha256:6ffb03d419edcab93b4b19c22ee80c007fb2d708429cecebf1dd3258956a563a \ - --hash=sha256:810bcf151caefc03e51a3d61e53335cd5c7316c0a105cc695f0959f2c638b129 \ - --hash=sha256:831a4b37accef30cccd34fcb916a5d7b5be3cbbe27268a02832c3e450aea39cb \ - --hash=sha256:887623fe0d70f48ab3f5e4dbf234986b1329a64c066d719432d0698522749929 \ - --hash=sha256:a0298bdc6e98ca21382afe914c642620370ce0470a01e1bef6dd9b5354c36854 \ - --hash=sha256:a1327f280c824ff7885bdeef8578f74690e9079267c1c8bd7dc5cc5aa065ae52 \ - --hash=sha256:c1f25b252d2c87088abc8bbc4f1ecbf7c919e05508a7e8628e6875c40bc70923 \ - 
--hash=sha256:c3a5cbc620e1e17009f30dd34cb0d85c987afd21c41a74352d1719be33380885 \ - --hash=sha256:ce8613beaffc7c14f091497346ef117c1798c202b01153a8cc7b8e2ebaaf41c0 \ - --hash=sha256:d2a27aca5597c8a71abbe10209184e1a8e91c1fd470b5070a2ea60cafec35bcd \ - --hash=sha256:dad9c385ba8ee025bb0d856714f71d7840020fe176ae0229de618f14dae7a6e2 \ - --hash=sha256:db4b65b02f59035037fde0998974d84244a64c3265bdef32a827ab9b63d61b18 \ - --hash=sha256:e09469a2cec88fb7b078e16d4adec594414397e8879a4341c6ace96013463d5b \ - --hash=sha256:e53dc41cda40b248ebc40b83b31516487f7db95ab8ceac1f042626bc43a2f992 \ - --hash=sha256:f1e85a178384bf19e36779d91ff35c7617c885da487d689b05c1366f9933ad74 \ - --hash=sha256:f47be41843200f7faec0683ad751e5ef11b9a56a220d57f300376cd8aba81660 \ - --hash=sha256:fb0cef872d8193e487fc6bdb08559c3aa41b659a7d9be48b2e10747f47863925 \ - --hash=sha256:ffc73996c4fca3d2b6c1c8c12bfd3ad00def8621da24f547626bf06441400449 +cryptography==42.0.5 \ + --hash=sha256:0270572b8bd2c833c3981724b8ee9747b3ec96f699a9665470018594301439ee \ + --hash=sha256:111a0d8553afcf8eb02a4fea6ca4f59d48ddb34497aa8706a6cf536f1a5ec576 \ + --hash=sha256:16a48c23a62a2f4a285699dba2e4ff2d1cff3115b9df052cdd976a18856d8e3d \ + --hash=sha256:1b95b98b0d2af784078fa69f637135e3c317091b615cd0905f8b8a087e86fa30 \ + --hash=sha256:1f71c10d1e88467126f0efd484bd44bca5e14c664ec2ede64c32f20875c0d413 \ + --hash=sha256:2424ff4c4ac7f6b8177b53c17ed5d8fa74ae5955656867f5a8affaca36a27abb \ + --hash=sha256:2bce03af1ce5a5567ab89bd90d11e7bbdff56b8af3acbbec1faded8f44cb06da \ + --hash=sha256:329906dcc7b20ff3cad13c069a78124ed8247adcac44b10bea1130e36caae0b4 \ + --hash=sha256:37dd623507659e08be98eec89323469e8c7b4c1407c85112634ae3dbdb926fdd \ + --hash=sha256:3eaafe47ec0d0ffcc9349e1708be2aaea4c6dd4978d76bf6eb0cb2c13636c6fc \ + --hash=sha256:5e6275c09d2badf57aea3afa80d975444f4be8d3bc58f7f80d2a484c6f9485c8 \ + --hash=sha256:6fe07eec95dfd477eb9530aef5bead34fec819b3aaf6c5bd6d20565da607bfe1 \ + 
--hash=sha256:7367d7b2eca6513681127ebad53b2582911d1736dc2ffc19f2c3ae49997496bc \ + --hash=sha256:7cde5f38e614f55e28d831754e8a3bacf9ace5d1566235e39d91b35502d6936e \ + --hash=sha256:9481ffe3cf013b71b2428b905c4f7a9a4f76ec03065b05ff499bb5682a8d9ad8 \ + --hash=sha256:98d8dc6d012b82287f2c3d26ce1d2dd130ec200c8679b6213b3c73c08b2b7940 \ + --hash=sha256:a011a644f6d7d03736214d38832e030d8268bcff4a41f728e6030325fea3e400 \ + --hash=sha256:a2913c5375154b6ef2e91c10b5720ea6e21007412f6437504ffea2109b5a33d7 \ + --hash=sha256:a30596bae9403a342c978fb47d9b0ee277699fa53bbafad14706af51fe543d16 \ + --hash=sha256:b03c2ae5d2f0fc05f9a2c0c997e1bc18c8229f392234e8a0194f202169ccd278 \ + --hash=sha256:b6cd2203306b63e41acdf39aa93b86fb566049aeb6dc489b70e34bcd07adca74 \ + --hash=sha256:b7ffe927ee6531c78f81aa17e684e2ff617daeba7f189f911065b2ea2d526dec \ + --hash=sha256:b8cac287fafc4ad485b8a9b67d0ee80c66bf3574f655d3b97ef2e1082360faf1 \ + --hash=sha256:ba334e6e4b1d92442b75ddacc615c5476d4ad55cc29b15d590cc6b86efa487e2 \ + --hash=sha256:ba3e4a42397c25b7ff88cdec6e2a16c2be18720f317506ee25210f6d31925f9c \ + --hash=sha256:c41fb5e6a5fe9ebcd58ca3abfeb51dffb5d83d6775405305bfa8715b76521922 \ + --hash=sha256:cd2030f6650c089aeb304cf093f3244d34745ce0cfcc39f20c6fbfe030102e2a \ + --hash=sha256:cd65d75953847815962c84a4654a84850b2bb4aed3f26fadcc1c13892e1e29f6 \ + --hash=sha256:e4985a790f921508f36f81831817cbc03b102d643b5fcb81cd33df3fa291a1a1 \ + --hash=sha256:e807b3188f9eb0eaa7bbb579b462c5ace579f1cedb28107ce8b48a9f7ad3679e \ + --hash=sha256:f12764b8fffc7a123f641d7d049d382b73f96a34117e0b637b80643169cec8ac \ + --hash=sha256:f8837fe1d6ac4a8052a9a8ddab256bc006242696f03368a4009be7ee3075cdb7 # via # pyopenssl # secretstorage From be48c94bfbb76e285e0dddf3fafdd89fa62faec0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 24 Feb 2024 11:14:32 -0500 Subject: [PATCH 0177/1462] Bump setuptools-rust from 1.8.1 to 1.9.0 in /.github/requirements (#10475) Bumps [setuptools-rust](https://github.com/PyO3/setuptools-rust) from 1.8.1 to 1.9.0. - [Release notes](https://github.com/PyO3/setuptools-rust/releases) - [Changelog](https://github.com/PyO3/setuptools-rust/blob/v1.9.0/CHANGELOG.md) - [Commits](https://github.com/PyO3/setuptools-rust/compare/v1.8.1...v1.9.0) --- updated-dependencies: - dependency-name: setuptools-rust dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 92527ddbe91e..3dd62d074f81 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -66,9 +66,9 @@ semantic-version==2.10.0 \ --hash=sha256:bdabb6d336998cbb378d4b9db3a4b56a1e3235701dc05ea2690d9a997ed5041c \ --hash=sha256:de78a3b8e0feda74cabc54aab2da702113e33ac9d9eb9d2389bcf1f58b7d9177 # via setuptools-rust -setuptools-rust==1.8.1 \ - --hash=sha256:94b1dd5d5308b3138d5b933c3a2b55e6d6927d1a22632e509fcea9ddd0f7e486 \ - --hash=sha256:b5324493949ccd6aa0c03890c5f6b5f02de4512e3ac1697d02e9a6c02b18aa8e +setuptools-rust==1.9.0 \ + --hash=sha256:409caf49dcf7ad9bd510b4bf4011fbad504e745fae98f57fe1c06f3a97719638 \ + --hash=sha256:704df0948f2e4cc60c2596ad6e840ea679f4f43e58ed4ad0c1857807240eab96 # via -r build-requirements.in tomli==2.0.1 \ --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \ From 8a150de673edfb25d8aef63ce30707ffe5cf8385 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Sat, 24 Feb 2024 11:31:45 -0500 Subject: [PATCH 0178/1462] Update build-requirements.in to match pyproject.toml (#10476) Doesn't actually impact the generated requirements file --- .github/requirements/build-requirements.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/requirements/build-requirements.in b/.github/requirements/build-requirements.in index bdf6916690ca..564eacec8d48 100644 --- a/.github/requirements/build-requirements.in +++ b/.github/requirements/build-requirements.in @@ -2,7 +2,7 @@ setuptools>=61.0.0 wheel cffi>=1.12; platform_python_implementation != 'PyPy' -setuptools-rust>=0.11.4 +setuptools-rust>=1.7.0 # WARN: changing the requirements here DOES NOT update the dependencies used for building at the github workflow, as the build process used build-requirements.txt # To update build-requirements.txt according to the dependencies here, run pip-compile --allow-unsafe --generate-hashes build-requirements.in From 0115da7527022a4fe5065d7e9bf5e37369c17d40 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 25 Feb 2024 18:17:32 +0000 Subject: [PATCH 0179/1462] Bump cc from 1.0.87 to 1.0.88 in /src/rust (#10479) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.87 to 1.0.88. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.87...1.0.88) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 0a09cd54e498..ba1d6d1fcf97 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -48,9 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.87" +version = "1.0.88" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3286b845d0fccbdd15af433f61c5970e711987036cb468f437ff6badd70f4e24" +checksum = "02f341c093d19155a6e41631ce5971aac4e9a868262212153124c15fa22d1cdc" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 21e48cbf7624..1c498f96932b 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.20", features = ["abi3"] } openssl-sys = "0.9.101" [build-dependencies] -cc = "1.0.87" +cc = "1.0.88" From a67a72b9e482d668baa26a883e684f2b739aa355 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 25 Feb 2024 18:19:28 +0000 Subject: [PATCH 0180/1462] Bump pytest from 8.0.1 to 8.0.2 (#10480) Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.0.1 to 8.0.2. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/8.0.1...8.0.2) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 59d805e1ce12..2cb0b79c951d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -86,7 +86,7 @@ pygments==2.17.2 # sphinx pyproject-hooks==1.0.0 # via build -pytest==8.0.1; python_version >= "3.8" +pytest==8.0.2; python_version >= "3.8" # via # cryptography (pyproject.toml) # pytest-benchmark From d9cb236c1a41ee6de3dd55ea52c4308a1dde78ec Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 25 Feb 2024 14:49:27 -0500 Subject: [PATCH 0181/1462] fixed typos and confusing phrasing in comment (#10477) --- pyproject.toml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 82aa29db129f..886b99bd0722 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,5 +1,6 @@ [build-system] -# These requirements must be kept sync with the requirements on ./github/requirements/build-requirements files +# These requirements must be kept sync with the requirements in +# ./github/requirements/build-requirements.{in,txt} requires = [ # First version of setuptools to support pyproject.toml configuration "setuptools>=61.0.0", From e12b8ae5e0de6be116e45a540e5ea06c6a6e29db Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 25 Feb 2024 15:22:00 -0500 Subject: [PATCH 0182/1462] See if we can avoid rebuilding cffi in wheel builder (#10478) --- .github/workflows/wheel-builder.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 4ddcff39e6df..15380e301d51 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml 
@@ -135,7 +135,7 @@ jobs: fi OPENSSL_DIR="/opt/pyca/cryptography/openssl" \ OPENSSL_STATIC=1 \ - .venv/bin/python -m pip wheel -v $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl tmpwheelhouse + .venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl tmpwheelhouse env: RUSTUP_HOME: /root/.rustup - run: auditwheel repair --plat ${{ matrix.MANYLINUX.NAME }} tmpwheelhouse/cryptograph*.whl -w wheelhouse/ @@ -262,7 +262,7 @@ jobs: OPENSSL_DIR="$(readlink -f ../openssl-macos-universal2/)" \ OPENSSL_STATIC=1 \ - venv/bin/python -m pip wheel -v $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl wheelhouse + venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl wheelhouse env: MACOSX_DEPLOYMENT_TARGET: ${{ matrix.PYTHON.DEPLOYMENT_TARGET }} ARCHFLAGS: ${{ matrix.PYTHON.ARCHFLAGS }} @@ -351,7 +351,7 @@ jobs: PY_LIMITED_API="--config-settings=--build-option=--py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" fi - python -m pip wheel -v cryptography*.tar.gz $PY_LIMITED_API -w dist/ && mv dist/cryptography*.whl wheelhouse/ + python -m pip wheel -v --no-deps cryptography*.tar.gz $PY_LIMITED_API -w dist/ && mv dist/cryptography*.whl wheelhouse/ shell: bash - run: pip install -f wheelhouse --no-index cryptography - name: Print the OpenSSL we built and linked against From 43b8b7910d7557aa41e98efeab34be23657fc15c Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Sun, 25 Feb 2024 18:04:40 -0500 Subject: [PATCH 0183/1462] Raise MSRV to 1.65 (#10481) --- .github/workflows/ci.yml | 7 ++----- CHANGELOG.rst | 1 + docs/installation.rst | 4 ++-- pyproject.toml | 2 +- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- src/rust/cryptography-x509-verification/Cargo.toml | 2 +- src/rust/cryptography-x509/Cargo.toml | 2 +- 10 files changed, 12 insertions(+), 14 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9080d862f888..cc199c75c5fe 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -47,11 +47,8 @@ jobs: # Latest commit on the OpenSSL master branch, as of Feb 23, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "11adf9a75d6b34723d1a20a0da4e4100ea6ca593"}} # Builds with various Rust versions. Includes MSRV and next - # potential future MSRV: - # 1.64 - maturin, workspace inheritance - # 1.65 - Generic associated types (GATs), std::backtrace - - {VERSION: "3.12", NOXSESSION: "rust-noclippy,tests", RUST: "1.63.0"} - - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.64.0"} + # potential future MSRV. + - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "beta"} - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "nightly"} timeout-minutes: 15 diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 7fa93101a919..fa4812dbb2dd 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -11,6 +11,7 @@ Changelog * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL less than 1.1.1e has been removed. Users on older version of OpenSSL will need to upgrade. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.8. +* Updated the minimum supported Rust version (MSRV) to 1.65.0, from 1.63.0. * :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still considered insecure, users should generally use a key size of 2048-bits. diff --git a/docs/installation.rst b/docs/installation.rst index 6994aa0216f8..c97dfaeab41c 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -134,7 +134,7 @@ Fedora/RHEL/CentOS .. warning:: For RHEL and CentOS you must be on version 8.8 or newer for the command - below to install a sufficiently new Rust. If your Rust is less than 1.63.0 + below to install a sufficiently new Rust. If your Rust is less than 1.65.0 please see the :ref:`Rust installation instructions ` for information about installing a newer Rust. @@ -312,7 +312,7 @@ Rust a Rust toolchain. Building ``cryptography`` requires having a working Rust toolchain. The current -minimum supported Rust version is 1.63.0. **This is newer than the Rust some +minimum supported Rust version is 1.65.0. **This is newer than the Rust some package managers ship**, so users may need to install with the instructions below. diff --git a/pyproject.toml b/pyproject.toml index 886b99bd0722..64e33aac8aca 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -90,7 +90,7 @@ pep8test = ["ruff", "mypy", "check-sdist", "click"] target = "cryptography.hazmat.bindings._rust" path = "src/rust/Cargo.toml" py-limited-api = "auto" -rust-version = ">=1.63.0" +rust-version = ">=1.65.0" [tool.pytest.ini_options] diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index aa533bf210c3..96ea8425ec45 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml 
@@ -5,7 +5,7 @@ authors = ["The cryptography developers "] edition = "2021" publish = false # This specifies the MSRV -rust-version = "1.63.0" +rust-version = "1.65.0" [dependencies] once_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 1c498f96932b..e4cd77756121 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -5,7 +5,7 @@ authors = ["The cryptography developers "] edition = "2021" publish = false # This specifies the MSRV -rust-version = "1.63.0" +rust-version = "1.65.0" [dependencies] pyo3 = { version = "0.20", features = ["abi3"] } diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index fdde0053df4c..138ff6cd7984 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -5,7 +5,7 @@ authors = ["The cryptography developers "] edition = "2021" publish = false # This specifies the MSRV -rust-version = "1.63.0" +rust-version = "1.65.0" [dependencies] asn1 = { version = "0.16.0", default-features = false } diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 0da98d70dda2..cfec09f6abdf 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -5,7 +5,7 @@ authors = ["The cryptography developers "] edition = "2021" publish = false # This specifies the MSRV -rust-version = "1.63.0" +rust-version = "1.65.0" [dependencies] cfg-if = "1" diff --git a/src/rust/cryptography-x509-verification/Cargo.toml b/src/rust/cryptography-x509-verification/Cargo.toml index 2ec541fb2af0..5ba846878633 100644 --- a/src/rust/cryptography-x509-verification/Cargo.toml +++ b/src/rust/cryptography-x509-verification/Cargo.toml 
@@ -5,7 +5,7 @@ authors = ["The cryptography developers "] edition = "2021" publish = false # This specifies the MSRV -rust-version = "1.63.0" +rust-version = "1.65.0" [dependencies] asn1 = { version = "0.16.0", default-features = false } diff --git a/src/rust/cryptography-x509/Cargo.toml b/src/rust/cryptography-x509/Cargo.toml index 86d6b971488d..cf6df6f3d3c4 100644 --- a/src/rust/cryptography-x509/Cargo.toml +++ b/src/rust/cryptography-x509/Cargo.toml @@ -5,7 +5,7 @@ authors = ["The cryptography developers "] edition = "2021" publish = false # This specifies the MSRV -rust-version = "1.63.0" +rust-version = "1.65.0" [dependencies] asn1 = { version = "0.16.0", default-features = false } From c3dcb46d3955a225e0581b51f4bde3654ea737ab Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 25 Feb 2024 18:23:18 -0600 Subject: [PATCH 0184/1462] Bump BoringSSL and/or OpenSSL in CI (#10482) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cc199c75c5fe..2de2ca8d27d6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 24, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9d7535f51f84a079c05b27134fcf6111649c56c9"}} - # Latest commit on the OpenSSL master branch, as of Feb 23, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "11adf9a75d6b34723d1a20a0da4e4100ea6ca593"}} + # Latest commit on the OpenSSL master branch, as of Feb 26, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2d70cc9cecf8b322d795985efecee06242b203b3"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From bf35e069173d5127f06f7d3169be300c05b9576c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 26 Feb 2024 09:32:26 -0500 Subject: [PATCH 0185/1462] fix warning from latest nightly rust (#10486) * fix warning from latest nightly rust * Update lib.rs --- src/rust/src/lib.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 582d2e139577..e8b881126f20 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -3,6 +3,7 @@ // for complete details. #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +#![allow(unknown_lints, non_local_definitions)] #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use crate::error::CryptographyResult; From 6257ca24064740865a9d0d948f9433b0d3763346 Mon Sep 17 00:00:00 2001 
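Review bot: The crate-wide `#![allow(unknown_lints, non_local_definitions)]` added to `src/rust/src/lib.rs` has no comment saying what triggers the lint or when the allow can be dropped. Allowing `unknown_lints` for the whole crate also means a misspelled lint name in any later `allow`/`deny` attribute is no longer reported, which matters in a crate that relies on `#![deny(clippy::undocumented_unsafe_blocks)]`. I would add a line above it such as `// non_local_definitions only exists on nightly (hence unknown_lints for older toolchains); remove once the code that triggers it is fixed.`, naming the trigger, which is presumably macro-generated code.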
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Feb 2024 14:42:58 +0000 Subject: [PATCH 0186/1462] Bump syn from 2.0.50 to 2.0.51 in /src/rust (#10483) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.50 to 2.0.51. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.50...2.0.51) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index ba1d6d1fcf97..bb54df84cecb 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -377,9 +377,9 @@ checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" [[package]] name = "syn" -version = "2.0.50" +version = "2.0.51" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "74f1bdc9872430ce9b75da68329d1c1746faf50ffac5f19e02b71e37ff881ffb" +checksum = "6ab617d94515e94ae53b8406c628598680aa0c9587474ecbe58188f7b345d66c" dependencies = [ "proc-macro2", "quote", From 4193caf208b8490fb7be7770e348aa445f0117df Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Feb 2024 14:48:23 +0000 Subject: [PATCH 0187/1462] Bump typing-extensions from 4.9.0 to 4.10.0 (#10485) Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.9.0 to 4.10.0. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/commits) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 2cb0b79c951d..15fb32977180 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -146,7 +146,7 @@ tomli==2.0.1 # mypy # pyproject-hooks # pytest -typing-extensions==4.9.0; python_version >= "3.8" +typing-extensions==4.10.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests From 4bfd3216380c7925609c46759f9c6c48d78a4697 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Feb 2024 09:12:56 -0600 Subject: [PATCH 0188/1462] Bump typing-extensions from 4.9.0 to 4.10.0 in /.github/requirements (#10484) * Bump typing-extensions from 4.9.0 to 4.10.0 in /.github/requirements Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.9.0 to 4.10.0. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/commits) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index fb13f66a171a..67ee1c0c2652 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -584,9 +584,9 @@ twine==5.0.0 \ --hash=sha256:89b0cc7d370a4b66421cc6102f269aa910fe0f1861c124f573cf2ddedbc10cf4 \ --hash=sha256:a262933de0b484c53408f9edae2e7821c1c45a3314ff2df9bdd343aa7ab8edc0 # via -r publish-requirements.in -typing-extensions==4.9.0 \ - --hash=sha256:23478f88c37f27d76ac8aee6c905017a143b0b1b886c3c9f66bc2fd94f9f5783 \ - --hash=sha256:af72aea155e91adfc61c3ae9e0e342dbc0cba726d6cba4b6c72c1f34e47291cd +typing-extensions==4.10.0 \ + --hash=sha256:69b1a937c3a517342112fb4c6df7e72fc39a38e7891a5730ed4985b5214b5475 \ + --hash=sha256:b0abd7c89e8fb96f98db18d86106ff1d90ab692004eb746cf6eda2682f91b3cb # via # pydantic # pydantic-core From 0a1098fcf09dfb7aef75ec87d29fb133deb0d70d Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Mon, 26 Feb 2024 20:13:47 +0100 Subject: [PATCH 0189/1462] Support for ECDSA deterministic signing (RFC 6979) (#10369) * Add support for deterministic ECDSA (RFC 6979) --- CHANGELOG.rst | 2 + docs/hazmat/primitives/asymmetric/ec.rst | 13 ++++ .../hazmat/backends/openssl/backend.py | 6 ++ .../hazmat/primitives/asymmetric/ec.py | 20 ++++++ src/rust/cryptography-openssl/Cargo.toml | 2 +- src/rust/cryptography-openssl/build.rs | 3 + src/rust/src/backend/ec.rs | 25 ++++++- tests/hazmat/primitives/test_ec.py | 67 +++++++++++++++++++ tests/utils.py | 51 ++++++++++++++ 9 files changed, 186 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index fa4812dbb2dd..fb71418f32f5 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -27,6 +27,8 @@ Changelog and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ARC4` into :doc:`/hazmat/decrepit/index` and deprecated them in the ``cipher`` module. They will be removed from the ``cipher`` module in 48.0.0. +* Added support for deterministic + :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDSA` (:rfc:`6979`) .. _v42-0-5: diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst index 75165b6a4536..c0a0ff757eab 100644 
--- a/docs/hazmat/primitives/asymmetric/ec.rst +++ b/docs/hazmat/primitives/asymmetric/ec.rst @@ -47,6 +47,19 @@ Elliptic Curve Signature Algorithms :param algorithm: An instance of :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`. + :param bool deterministic_signing: A boolean flag defaulting to ``False`` + that specifies whether the signing procedure should be deterministic + or not, as defined in :rfc:`6979`. This only impacts the signing + process, verification is not affected (the verification process + is the same for both deterministic and non-deterministic signed + messages). + + .. versionadded:: 43.0.0 + + :raises cryptography.exceptions.UnsupportedAlgorithm: If + ``deterministic_signing`` is set to ``True`` and the version of + OpenSSL does not support ECDSA with deterministic signing. + .. doctest:: >>> from cryptography.hazmat.primitives import hashes diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 406b1ea990a2..eaaaf783f1c5 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -358,6 +358,12 @@ def ed448_supported(self) -> bool: and not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL ) + def ecdsa_deterministic_supported(self) -> bool: + return ( + rust_openssl.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER + and not self._fips_enabled + ) + def _zero_data(self, data, length: int) -> None: # We clear things this way because at the moment we're not # sure of a better way that can guarantee it overwrites the diff --git a/src/cryptography/hazmat/primitives/asymmetric/ec.py b/src/cryptography/hazmat/primitives/asymmetric/ec.py index b612b40149d4..da1fbea13a6e 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/ec.py +++ b/src/cryptography/hazmat/primitives/asymmetric/ec.py 
@@ -8,6 +8,7 @@ import typing from cryptography import utils +from cryptography.exceptions import UnsupportedAlgorithm, _Reasons from cryptography.hazmat._oid import ObjectIdentifier from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import _serialization, hashes @@ -319,8 +320,21 @@ class ECDSA(EllipticCurveSignatureAlgorithm): def __init__( self, algorithm: asym_utils.Prehashed | hashes.HashAlgorithm, + deterministic_signing: bool = False, ): + from cryptography.hazmat.backends.openssl.backend import backend + + if ( + deterministic_signing + and not backend.ecdsa_deterministic_supported() + ): + raise UnsupportedAlgorithm( + "ECDSA with deterministic signature (RFC 6979) is not " + "supported by this version of OpenSSL.", + _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM, + ) self._algorithm = algorithm + self._deterministic_signing = deterministic_signing @property def algorithm( @@ -328,6 +342,12 @@ def algorithm( ) -> asym_utils.Prehashed | hashes.HashAlgorithm: return self._algorithm + @property + def deterministic_signing( + self, + ) -> bool: + return self._deterministic_signing + generate_private_key = rust_openssl.ec.generate_private_key diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index cfec09f6abdf..04bef373ca35 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -10,6 +10,6 @@ rust-version = "1.65.0" [dependencies] cfg-if = "1" openssl = "0.10.64" -ffi = { package = "openssl-sys", version = "0.9.99" } +ffi = { package = "openssl-sys", version = "0.9.101" } foreign-types = "0.3" foreign-types-shared = "0.1" diff --git a/src/rust/cryptography-openssl/build.rs b/src/rust/cryptography-openssl/build.rs index 5e626f7de614..87e1fa528b22 100644 --- a/src/rust/cryptography-openssl/build.rs +++ b/src/rust/cryptography-openssl/build.rs 
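Review bot: `ECDSA.__init__` only tests `deterministic_signing` for truthiness, while the Rust signer added in `backend/ec.rs` extracts the attribute as a `bool`, so a non-bool value such as `None` or `0` is accepted at construction and would presumably fail only later, inside `sign()`. Validating up front keeps the error at the call site: `if not isinstance(deterministic_signing, bool): raise TypeError("deterministic_signing must be a bool")`. A one-line comment on the function-level `backend` import (presumably there to avoid an import cycle) would also help the next reader.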
@@ -12,6 +12,9 @@ fn main() { if version >= 0x3_00_00_00_0 { println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_300_OR_GREATER"); } + if version >= 0x3_02_00_00_0 { + println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_320_OR_GREATER"); + } } if env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER").is_ok() { diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 624b753c07cb..1c4cf95d0f61 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -273,8 +273,7 @@ impl ECPrivateKey { )), )); } - - let (data, _) = utils::calculate_digest_and_algorithm( + let (data, algo) = utils::calculate_digest_and_algorithm( py, data.as_bytes(), signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, @@ -282,6 +281,28 @@ impl ECPrivateKey { let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; signer.sign_init()?; + cfg_if::cfg_if! { + if #[cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)]{ + let deterministic: bool = signature_algorithm + .getattr(pyo3::intern!(py, "deterministic_signing"))? + .extract()?; + if deterministic { + let hash_function_name = algo + .getattr(pyo3::intern!(py, "name"))? + .extract::<&str>()?; + let hash_function = openssl::md::Md::fetch(None, hash_function_name, None)?; + // Setting a deterministic nonce type requires to explicitly set the hash function. + // See https://github.com/openssl/openssl/issues/23205 + signer.set_signature_md(&hash_function)?; + signer.set_nonce_type(openssl::pkey_ctx::NonceType::DETERMINISTIC_K)?; + } else { + signer.set_nonce_type(openssl::pkey_ctx::NonceType::RANDOM_K)?; + } + } else { + let _ = algo; + } + } + // TODO: This does an extra allocation and copy. This can't easily use // `PyBytes::new_with` because the exact length of the signature isn't // easily known a priori (if `r` or `s` has a leading 0, the signature diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index a558af3b9b70..33b4c6d065f3 100644 --- a/tests/hazmat/primitives/test_ec.py 
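Review bot: In the `sign` hunk of `src/rust/src/backend/ec.rs`, the `else` arm of `cfg_if!` (builds without `CRYPTOGRAPHY_OPENSSL_320_OR_GREATER`) never reads `deterministic_signing`, so the only thing that stops a deterministic request from silently getting a random nonce is the check in the Python `ECDSA` constructor. The same applies to FIPS mode: `ecdsa_deterministic_supported()` returns false there, but this signing path does not consult it. Reading the attribute in the `else` arm and returning the `UnsupportedAlgorithm` error when it is true would make the Rust side fail closed if `_deterministic_signing` is set after construction or by a subclass. A short comment on the `RANDOM_K` branch saying why the nonce type is set explicitly would also help. `sign` starts and ends outside the hunk.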
+++ b/tests/hazmat/primitives/test_ec.py @@ -16,6 +16,10 @@ from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec +from cryptography.hazmat.primitives.asymmetric.ec import ( + EllipticCurvePrivateKey, + EllipticCurvePublicKey, +) from cryptography.hazmat.primitives.asymmetric.utils import ( Prehashed, encode_dss_signature, @@ -27,6 +31,7 @@ load_fips_ecdsa_signing_vectors, load_kasvs_ecdh_vectors, load_nist_vectors, + load_rfc6979_vectors, load_vectors_from_file, raises_unsupported_algorithm, ) 
@@ -508,6 +513,68 @@ def test_signature_failures(self, backend, subtests): signature, vector["message"], ec.ECDSA(hash_type()) ) + def test_unsupported_deterministic_nonce(self, backend): + if backend.ecdsa_deterministic_supported(): + pytest.skip( + f"ECDSA deterministic signing is supported by this" + f" backend {backend}" + ) + with pytest.raises(exceptions.UnsupportedAlgorithm): + ec.ECDSA(hashes.SHA256(), deterministic_signing=True) + + def test_deterministic_nonce(self, backend, subtests): + if not backend.ecdsa_deterministic_supported(): + pytest.skip( + f"ECDSA deterministic signing is not supported by this" + f" backend {backend}" + ) + + supported_hash_algorithms = { + "SHA1": hashes.SHA1(), + "SHA224": hashes.SHA224(), + "SHA256": hashes.SHA256(), + "SHA384": hashes.SHA384(), + "SHA512": hashes.SHA512(), + } + vectors = load_vectors_from_file( + os.path.join( + "asymmetric", "ECDSA", "RFC6979", "evppkey_ecdsa_rfc6979.txt" + ), + load_rfc6979_vectors, + ) + + for vector in vectors: + with subtests.test(): + input = bytes(vector["input"], "utf-8") + output = bytes.fromhex(vector["output"]) + key = bytes("\n".join(vector["key"]), "utf-8") + if "digest_sign" in vector: + algorithm = vector["digest_sign"] + hash_algorithm = supported_hash_algorithms[algorithm] + algorithm = ec.ECDSA( + hash_algorithm, + deterministic_signing=vector["deterministic_nonce"], + ) + private_key = serialization.load_pem_private_key( + key, password=None + ) + assert isinstance(private_key, EllipticCurvePrivateKey) + signature = private_key.sign(input, algorithm) + assert signature == output + else: + assert "digest_verify" in vector + algorithm = vector["digest_verify"] + assert algorithm in supported_hash_algorithms + hash_algorithm = supported_hash_algorithms[algorithm] + algorithm = ec.ECDSA(hash_algorithm) + public_key = serialization.load_pem_public_key(key) + assert isinstance(public_key, EllipticCurvePublicKey) + if vector["verify_error"]: + with 
pytest.raises(exceptions.InvalidSignature): + public_key.verify(output, input, algorithm) + else: + public_key.verify(output, input, algorithm) + def test_sign(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = b"one little message" diff --git a/tests/utils.py b/tests/utils.py index 595e8dc04e1c..c1aa34ef4d30 100644 --- a/tests/utils.py +++ b/tests/utils.py 
@@ -701,6 +701,57 @@ def load_kasvs_ecdh_vectors(vector_data): return vectors +def load_rfc6979_vectors(vector_data): + """ + Loads data out of the ECDSA and DSA RFC6979 vector files. + """ + vectors = [] + keys: typing.Dict[str, typing.List[str]] = dict() + reading_key = False + current_key_name = None + + data: typing.Dict[str, object] = dict() + for line in vector_data: + line = line.strip() + + if reading_key and current_key_name: + keys[current_key_name].append(line) + if line.startswith("-----END"): + reading_key = False + current_key_name = None + + if line.startswith("PrivateKey=") or line.startswith("PublicKey="): + reading_key = True + current_key_name = line.split("=")[1].strip() + keys[current_key_name] = [] + elif line.startswith("DigestSign = "): + data["digest_sign"] = line.split("=")[1].strip() + data["deterministic_nonce"] = False + elif line.startswith("DigestVerify = "): + data["digest_verify"] = line.split("=")[1].strip() + data["verify_error"] = False + elif line.startswith("Key = "): + key_name = line.split("=")[1].strip() + assert key_name in keys + data["key"] = keys[key_name] + elif line.startswith("NonceType = "): + nonce_type = line.split("=")[1].strip() + data["deterministic_nonce"] = nonce_type == "deterministic" + elif line.startswith("Input = "): + data["input"] = line.split("=")[1].strip(' "') + elif line.startswith("Output = "): + data["output"] = line.split("=")[1].strip() + elif line.startswith("Result = "): + data["verify_error"] = line.split("=")[1].strip() == "VERIFY_ERROR" + + elif not line: + if data: + vectors.append(data) + data = {} + + return vectors + + def load_x963_vectors(vector_data): """ Loads data out of the X9.63 vector data From bcaf37597f6033b523dec7236344ccdc67fa0b93 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 26 Feb 2024 17:42:14 -0500 Subject: [PATCH 0190/1462] verification: add RFC822Name (#10487) * verification: add RFC822Name Signed-off-by: William Woodruff * verification: clippy 
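Review bot: `load_rfc6979_vectors` appends `data` only when it reaches a blank line, so if the vector file does not end with one, the final vector is dropped without any error and that case never runs. Add `if data: vectors.append(data)` after the loop. The value parsing also uses `line.split("=")[1]`, which truncates any `Input` or `Output` value that itself contains `=`; `line.split("=", 1)[1]` keeps the whole value.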
Signed-off-by: William Woodruff * verification: clippage Signed-off-by: William Woodruff * verification: feedback Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .../src/types.rs | 109 +++++++++++++++++- 1 file changed, 108 insertions(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-verification/src/types.rs b/src/rust/cryptography-x509-verification/src/types.rs index f564715219cd..529ecbe8f8e6 100644 --- a/src/rust/cryptography-x509-verification/src/types.rs +++ b/src/rust/cryptography-x509-verification/src/types.rs @@ -5,6 +5,11 @@ use std::net::IpAddr; use std::str::FromStr; +use asn1::IA5String; + +// RFC 2822 3.2.4 +static ATEXT_CHARS: &str = "!#$%&'*+-/=?^_`{|}~"; + /// A `DNSName` is an `asn1::IA5String` with additional invariant preservations /// per [RFC 5280 4.2.1.6], which in turn uses the preferred name syntax defined /// in [RFC 1034 3.5] and amended in [RFC 1123 2.1]. 
@@ -298,9 +303,54 @@ impl IPConstraint { } } +/// An `RFC822Name` represents an email address, as defined in [RFC 822 6.1] +/// and as amended by [RFC 2821 4.1.2]. In particular, it represents the `Mailbox` +/// rule from RFC 2821's grammar. +/// +/// This type does not currently support the quoted local-part form; email +/// addresses that use this form will be rejected. +/// +/// [RFC 822 6.1]: https://datatracker.ietf.org/doc/html/rfc822#section-6.1 +/// [RFC 2821 4.1.2]: https://datatracker.ietf.org/doc/html/rfc2821#section-4.1.2 +pub struct RFC822Name<'a> { + pub mailbox: IA5String<'a>, + pub domain: DNSName<'a>, +} + +impl<'a> RFC822Name<'a> { + pub fn new(value: &'a str) -> Option { + // Mailbox = Local-part "@" Domain + // Both must be present. + let (local_part, domain) = value.split_once('@')?; + let local_part = IA5String::new(local_part)?; + + // Local-part = Dot-string / Quoted-string + // NOTE(ww): We do not support the Quoted-string form, for now. + // + // Dot-string: Atom *("." Atom) + // Atom = 1*atext + // + // NOTE(ww): `atext`'s production is in RFC 2822 3.2.4. + for component in local_part.as_str().split('.') { + if component.is_empty() + || !component + .chars() + .all(|c| c.is_ascii_alphanumeric() || ATEXT_CHARS.contains(c)) + { + return None; + } + } + + Some(Self { + mailbox: local_part, + domain: DNSName::new(domain)?, + }) + } +} + #[cfg(test)] mod tests { - use crate::types::{DNSConstraint, DNSName, DNSPattern, IPAddress, IPConstraint}; + use crate::types::{DNSConstraint, DNSName, DNSPattern, IPAddress, IPConstraint, RFC822Name}; #[test] fn test_dnsname_debug_trait() { 
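Review bot: The doc comment on `RFC822Name` names the quoted local-part as unsupported but does not say that `new` also rejects any domain `DNSName::new` rejects, which presumably includes address literals such as `user@[192.0.2.1]`; callers who treat `None` as "malformed" need that stated. The field `mailbox` holds only the local-part while the comment uses `Mailbox` for the whole address, so a field comment like `/// The local-part (text before the first '@'), validated as a Dot-string.` would remove the ambiguity. `new` itself has no `///` doc explaining that `None` covers both invalid and deliberately unsupported forms.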
@@ -587,4 +637,61 @@ mod tests { assert!(!ipv6_128.matches(&IPAddress::from_str("2600::ff00:dede").unwrap())); assert!(!ipv6_128.matches(&IPAddress::from_str("2600:db8::ff00:0").unwrap())); } + + #[test] + fn test_rfc822name() { + for bad_case in &[ + "", + // Missing local-part. + "@example.com", + " @example.com", + " @example.com", + // Missing domain cases. + "foo", + "foo@", + "foo@ ", + "foo@ ", + // Invalid domains. + "foo@!!!", + "foo@white space", + "foo@🙈", + // Invalid local part (empty mailbox sections). + ".@example.com", + "foo.@example.com", + ".foo@example.com", + ".foo.@example.com", + ".f.o.o.@example.com", + // Invalid local part (@ in mailbox). + "lol@lol@example.com", + "lol\\@lol@example.com", + "example@example.com@example.com", + "@@example.com", + // Invalid local part (invalid characters). + "lol\"lol@example.com", + "lol;lol@example.com", + "🙈@example.com", + // Intentionally unsupported quoted local parts. + "\"validbutunsupported\"@example.com", + ] { + assert!(RFC822Name::new(bad_case).is_none()); + } + + // Each good case is (address, (mailbox, domain)). + for (address, (mailbox, domain)) in &[ + // Normal mailboxes. + ("foo@example.com", ("foo", "example.com")), + ("foo.bar@example.com", ("foo.bar", "example.com")), + ("foo.bar.baz@example.com", ("foo.bar.baz", "example.com")), + ("1.2.3.4.5@example.com", ("1.2.3.4.5", "example.com")), + // Mailboxes with special but valid characters. + ("{legal}@example.com", ("{legal}", "example.com")), + ("{&*.legal}@example.com", ("{&*.legal}", "example.com")), + ("``````````@example.com", ("``````````", "example.com")), + ("hello?@sub.example.com", ("hello?", "sub.example.com")), + ] { + let parsed = RFC822Name::new(&address).unwrap(); + assert_eq!(&parsed.mailbox.as_str(), mailbox); + assert_eq!(&parsed.domain.as_str(), domain); + } + } } From 899902f80ae4b4c442423435b13873419e888479 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 26 Feb 2024 19:16:20 -0500 Subject: [PATCH 0191/1462] Bump BoringSSL and/or OpenSSL in CI (#10489) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2de2ca8d27d6..b334e78bddc1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 24, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9d7535f51f84a079c05b27134fcf6111649c56c9"}} + # Latest commit on the BoringSSL master branch, as of Feb 27, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5bed5b9aaab4edc8c0ee62493b6e760f9f7a3457"}} # Latest commit on the OpenSSL master branch, as of Feb 26, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2d70cc9cecf8b322d795985efecee06242b203b3"}} # Builds with various Rust versions. Includes MSRV and next From fbeef5177e350eadb90742a862aecb7aa37fd9ac Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 26 Feb 2024 19:27:00 -0500 Subject: [PATCH 0192/1462] Added basic PKCS#12 ASN.1 structures (#10488) --- src/rust/cryptography-x509/src/lib.rs | 1 + src/rust/cryptography-x509/src/pkcs12.rs | 20 ++++++++++++++++++++ src/rust/cryptography-x509/src/pkcs7.rs | 6 ++++++ 3 files changed, 27 insertions(+) create mode 100644 src/rust/cryptography-x509/src/pkcs12.rs 
diff --git a/src/rust/cryptography-x509/src/lib.rs b/src/rust/cryptography-x509/src/lib.rs index c74424acfa34..5fbedbf7ebc7 100644 --- a/src/rust/cryptography-x509/src/lib.rs +++ b/src/rust/cryptography-x509/src/lib.rs @@ -14,4 +14,5 @@ pub mod name; pub mod ocsp_req; pub mod ocsp_resp; pub mod oid; +pub mod pkcs12; pub mod pkcs7; diff --git a/src/rust/cryptography-x509/src/pkcs12.rs b/src/rust/cryptography-x509/src/pkcs12.rs new file mode 100644 index 000000000000..e5676bfb59e6 --- /dev/null +++ b/src/rust/cryptography-x509/src/pkcs12.rs @@ -0,0 +1,20 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::pkcs7; + +// #[derive(asn1::Asn1Write)] +pub struct Pfx<'a> { + pub version: u8, + pub auth_safe: pkcs7::ContentInfo<'a>, + pub mac_data: Option>, +} + +// #[derive(asn1::Asn1Write)] +pub struct MacData<'a> { + pub mac: pkcs7::DigestInfo<'a>, + pub salt: &'a [u8], + // #[default(1)] + pub iterations: u64, +} diff --git a/src/rust/cryptography-x509/src/pkcs7.rs b/src/rust/cryptography-x509/src/pkcs7.rs index 6b5c9541aaf5..e1581a0e069a 100644 --- a/src/rust/cryptography-x509/src/pkcs7.rs +++ b/src/rust/cryptography-x509/src/pkcs7.rs @@ -58,3 +58,9 @@ pub struct IssuerAndSerialNumber<'a> { pub issuer: name::Name<'a>, pub serial_number: asn1::BigInt<'a>, } + +// #[derive(asn1::Asn1Write)] +pub struct DigestInfo<'a> { + pub algorithm: common::AlgorithmIdentifier<'a>, + pub digest: &'a [u8], +} From ce7f7fb973cfb469f3b84cbeef527e114ef2da54 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 27 Feb 2024 00:30:44 +0000 Subject: [PATCH 0193/1462] Bump x509-limbo and/or wycheproof in CI (#10490) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
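Review bot: `MacData.iterations` in the new `pkcs12.rs` carries a commented-out `// #[default(1)]`, and nothing records that 1 is only the encoding default of the PKCS#12 syntax, not a usable work factor for a password-derived MAC key. A field comment such as `/// Key-derivation iteration count for the integrity MAC; the encoded default of 1 exists for compatibility only, writers must set an explicit high value.` would keep a later encoder from relying on it. The `// #[derive(asn1::Asn1Write)]` lines on `Pfx`, `MacData` and `DigestInfo` (in `pkcs7.rs`) are disabled without explanation; a one-line TODO stating what blocks enabling them would tell readers these structs cannot be serialized yet.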
diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 3d027df32788..4434eb909f29 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 23, 2024. - ref: "c8f6a4f4946076db55778ed7b3cffdab082a1a12" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 27, 2024. + ref: "2217a0e4c579edc231dd502c961caeb5a4763796" # x509-limbo-ref From 524d9459a707f91cdebe097b7dba98be2d57c24b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Feb 2024 07:04:50 -0500 Subject: [PATCH 0194/1462] Bump readme-renderer from 42.0 to 43.0 (#10491) Bumps [readme-renderer](https://github.com/pypa/readme_renderer) from 42.0 to 43.0. - [Release notes](https://github.com/pypa/readme_renderer/releases) - [Changelog](https://github.com/pypa/readme_renderer/blob/main/CHANGES.rst) - [Commits](https://github.com/pypa/readme_renderer/compare/42.0...43.0) --- updated-dependencies: - dependency-name: readme-renderer dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 15fb32977180..069e8b731dd9 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -101,7 +101,7 @@ pytest-randomly==3.15.0 # via cryptography (pyproject.toml) pytest-xdist==3.5.0 # via cryptography (pyproject.toml) -readme-renderer==42.0 +readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx 
From 3c256f0e36aa757a8ac861029ee56f3fe56af2df Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 27 Feb 2024 11:52:46 -0500 Subject: [PATCH 0195/1462] Remove unused typedefs (#10495) --- src/_cffi_src/openssl/ec.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/_cffi_src/openssl/ec.py b/src/_cffi_src/openssl/ec.py index 6816934ed0be..9450b1262609 100644 --- a/src/_cffi_src/openssl/ec.py +++ b/src/_cffi_src/openssl/ec.py @@ -11,8 +11,6 @@ TYPES = """ typedef ... EC_KEY; -typedef ... EC_GROUP; -typedef ... EC_POINT; typedef struct { int nid; const char *comment; From 3ddf14fb80d9168a097ece0c5a9d1ae87b559837 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Feb 2024 11:00:42 -0600 Subject: [PATCH 0196/1462] Bump readme-renderer from 42.0 to 43.0 in /.github/requirements (#10493) * Bump readme-renderer from 42.0 to 43.0 in /.github/requirements Bumps [readme-renderer](https://github.com/pypa/readme_renderer) from 42.0 to 43.0. - [Release notes](https://github.com/pypa/readme_renderer/releases) - [Changelog](https://github.com/pypa/readme_renderer/blob/main/CHANGES.rst) - [Commits](https://github.com/pypa/readme_renderer/compare/42.0...43.0) --- updated-dependencies: - dependency-name: readme-renderer dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 67ee1c0c2652..26a844cd7215 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -522,9 +522,9 @@ python-dateutil==2.8.2 \ --hash=sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86 \ --hash=sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9 # via betterproto -readme-renderer==42.0 \ - --hash=sha256:13d039515c1f24de668e2c93f2e877b9dbe6c6c32328b90a40a49d8b2b85f36d \ - --hash=sha256:2d55489f83be4992fe4454939d1a051c33edbab778e82761d060c9fc6b308cd1 +readme-renderer==43.0 \ + --hash=sha256:1818dd28140813509eeed8d62687f7cd4f7bad90d4db586001c5dc09d4fde311 \ + --hash=sha256:19db308d86ecd60e5affa3b2a98f017af384678c63c88e5d4556a380e674f3f9 # via twine requests==2.31.0 \ --hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f \ From 8a16f598e7006342fdfd5e25073dd4ef545d7c7c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Feb 2024 11:00:57 -0600 Subject: [PATCH 0197/1462] Bump email-validator from 2.1.0.post1 to 2.1.1 in /.github/requirements (#10492) * Bump email-validator from 2.1.0.post1 to 2.1.1 in /.github/requirements Bumps [email-validator](https://github.com/JoshData/python-email-validator) from 2.1.0.post1 to 2.1.1. - [Release notes](https://github.com/JoshData/python-email-validator/releases) - [Changelog](https://github.com/JoshData/python-email-validator/blob/main/CHANGELOG.md) - [Commits](https://github.com/JoshData/python-email-validator/commits/v2.1.1) --- updated-dependencies: - dependency-name: email-validator dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 26a844cd7215..6d6b85f7043f 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -211,9 +211,9 @@ docutils==0.20.1 \ --hash=sha256:96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6 \ --hash=sha256:f08a4e276c3a1583a86dce3e34aba3fe04d02bba2dd51ed16106244e8a923e3b # via readme-renderer -email-validator==2.1.0.post1 \ - --hash=sha256:a4b0bd1cf55f073b924258d19321b1f3aa74b4b5a71a42c305575dba920e1a44 \ - --hash=sha256:c973053efbeddfef924dc0bd93f6e77a1ea7ee0fce935aea7103c7a3d6d2d637 +email-validator==2.1.1 \ + --hash=sha256:200a70680ba08904be6d1eef729205cc0d687634399a5924d842533efb824b84 \ + --hash=sha256:97d882d174e2a65732fb43bfce81a3a834cbc1bde8bf419e30ef5ea976370a05 # via pydantic grpclib==0.4.7 \ --hash=sha256:2988ef57c02b22b7a2e8e961792c41ccf97efc2ace91ae7a5b0de03c363823c3 From 9b4008b805b68b7077c52459d2bdec5f35652851 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 28 Feb 2024 00:16:24 +0000 Subject: [PATCH 0198/1462] Bump BoringSSL and/or OpenSSL in CI (#10498) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b334e78bddc1..7ffd1d6a1920 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 27, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5bed5b9aaab4edc8c0ee62493b6e760f9f7a3457"}} + # Latest commit on the BoringSSL master branch, as of Feb 28, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "a9a3ca49444bb1efac115e64d3ab469c54bec984"}} # Latest commit on the OpenSSL master branch, as of Feb 26, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2d70cc9cecf8b322d795985efecee06242b203b3"}} # Builds with various Rust versions. Includes MSRV and next From be31fd5f2e2eb9132d8a06e2d4e3fddae408eaf4 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 27 Feb 2024 19:34:20 -0500 Subject: [PATCH 0199/1462] verification: add RFC822Constraint (#10497) * verification: add RFC822Constraint Signed-off-by: William Woodruff * verification: derive, don't be so clever Signed-off-by: William Woodruff * verification: reduce cleverness some more Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .../src/types.rs | 166 ++++++++++++++++++ 1 file changed, 166 insertions(+) diff --git a/src/rust/cryptography-x509-verification/src/types.rs b/src/rust/cryptography-x509-verification/src/types.rs index 529ecbe8f8e6..dfb05b9b52f2 100644 --- a/src/rust/cryptography-x509-verification/src/types.rs +++ b/src/rust/cryptography-x509-verification/src/types.rs 
@@ -80,6 +80,17 @@ impl<'a> DNSName<'a> { fn rlabels(&self) -> impl Iterator { self.as_str().rsplit('.') } + + /// Returns true if this domain is a subdomain of the other domain. + fn is_subdomain_of(&self, other: &DNSName<'_>) -> bool { + // NOTE: This is nearly identical to `DNSConstraint::matches`, + // except that the subdomain must be strictly longer than the parent domain. + self.as_str().len() > other.as_str().len() + && self + .rlabels() + .zip(other.rlabels()) + .all(|(a, o)| a.eq_ignore_ascii_case(o)) + } } impl PartialEq for DNSName<'_> { @@ -312,6 +323,7 @@ impl IPConstraint { /// /// [RFC 822 6.1]: https://datatracker.ietf.org/doc/html/rfc822#section-6.1 /// [RFC 2821 4.1.2]: https://datatracker.ietf.org/doc/html/rfc2821#section-4.1.2 +#[derive(PartialEq)] pub struct RFC822Name<'a> { pub mailbox: IA5String<'a>, pub domain: DNSName<'a>, 
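Review bot: The NOTE inside `is_subdomain_of` points at `DNSConstraint::matches` but does not say why a byte-length comparison is enough to establish that `self` has more labels than `other`, which is the property the name-constraint check depends on. `zip` stops at the shorter label sequence, so the result is only correct because labels that are equal up to ASCII case have equal byte lengths; a strictly longer string whose paired labels all match must therefore carry extra leading labels. I would state that in the comment, e.g. `// zip() ends at the shorter name; with all paired labels equal, a longer string means self has extra leading labels`. The enclosing `impl<'a> DNSName<'a>` block starts outside this hunk.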
@@ -348,10 +360,45 @@ impl<'a> RFC822Name<'a> { } } +/// An `RFC822Constraint` represents a Name Constraint on email addresses. +pub enum RFC822Constraint<'a> { + /// A constraint for an exact match on a specific email address. + Exact(RFC822Name<'a>), + /// A constraint for any mailbox on a particular domain. + OnDomain(DNSName<'a>), + /// A constraint for any mailbox *within* a particular domain. + /// For example, `InDomain("example.com")` will match `foo@bar.example.com` + /// but not `foo@example.com`, since `bar.example.com` is in `example.com` + /// but `example.com` is not within itself. + InDomain(DNSName<'a>), +} + +impl<'a> RFC822Constraint<'a> { + pub fn new(constraint: &'a str) -> Option { + if let Some(constraint) = constraint.strip_prefix('.') { + Some(Self::InDomain(DNSName::new(constraint)?)) + } else if let Some(email) = RFC822Name::new(constraint) { + Some(Self::Exact(email)) + } else { + Some(Self::OnDomain(DNSName::new(constraint)?)) + } + } + + pub fn matches(&self, email: &RFC822Name<'_>) -> bool { + match self { + Self::Exact(pat) => pat == email, + Self::OnDomain(pat) => &email.domain == pat, + Self::InDomain(pat) => email.domain.is_subdomain_of(pat), + } + } +} + #[cfg(test)] mod tests { use crate::types::{DNSConstraint, DNSName, DNSPattern, IPAddress, IPConstraint, RFC822Name}; + use super::RFC822Constraint; + #[test] fn test_dnsname_debug_trait() { // Just to get coverage on the `Debug` derive. 
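Review bot: `RFC822Constraint::new` and `matches` are public but carry no doc comments, and the order of the three branches in `new` is what decides how a certificate's rfc822Name constraint is classified. I would add a `///` comment on `new` stating that a leading `.` yields `InDomain`, a full address yields `Exact`, anything else is parsed as a host for `OnDomain`, and that `None` means the constraint is malformed. Callers are outside this hunk; presumably they should treat `None` as a validation failure rather than as an absent constraint. In `matches`, the `Exact` arm depends on the `#[derive(PartialEq)]` this commit adds to `RFC822Name`, so the mailbox is compared byte-for-byte and the domain through `DNSName`'s own `PartialEq`, whose body is not shown here. A line such as `// mailbox: exact match; domain: DNSName equality` above that arm would make this explicit.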
@@ -442,6 +489,33 @@ mod tests { ); } + #[test] + fn test_dnsname_is_subdomain_of() { + for (sup, sub, check) in &[ + // good cases + ("example.com", "sub.example.com", true), + ("example.com", "a.b.example.com", true), + ("sub.example.com", "sub.sub.example.com", true), + ("sub.example.com", "sub.sub.sub.example.com", true), + ("com", "example.com", true), + ("example.com", "com.example.com", true), + ("example.com", "com.example.example.com", true), + // bad cases + ("example.com", "example.com", false), + ("example.com", "com", false), + ("sub.example.com", "example.com", false), + ("sub.sub.example.com", "sub.sub.example.com", false), + ("sub.sub.example.com", "example.com", false), + ("com.example.com", "com.example.com", false), + ("com.example.example.com", "com.example.example.com", false), + ] { + let sup = DNSName::new(sup).unwrap(); + let sub = DNSName::new(sub).unwrap(); + + assert_eq!(sub.is_subdomain_of(&sup), *check); + } + } + #[test] fn test_dnspattern_new() { assert_eq!(DNSPattern::new("*"), None); 
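Review bot: Every negative case in `test_dnsname_is_subdomain_of` has a `sub` that is no longer than `sup`, so all of them are rejected by the length comparison alone and the label-by-label comparison is never shown to reject anything. A regression to plain suffix matching, which would let a sibling or look-alike domain satisfy an `InDomain` constraint, would still pass this test. I would add longer non-matching names, for example the constructed cases `("example.com", "sub.example.org", false),` and `("example.com", "badexample.com", false),`.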
@@ -694,4 +768,96 @@ mod tests { assert_eq!(&parsed.domain.as_str(), domain); } } + + #[test] + fn test_rfc822constraint_new() { + for (case, valid) in &[ + // good cases + ("foo@example.com", true), + ("foo.bar@example.com", true), + ("foo!bar@example.com", true), + ("example.com", true), + ("sub.example.com", true), + ("foo@sub.example.com", true), + ("foo.bar@sub.example.com", true), + ("foo!bar@sub.example.com", true), + (".example.com", true), + (".sub.example.com", true), + // bad cases + ("@example.com", false), + ("@@example.com", false), + ("foo@.example.com", false), + (".foo@example.com", false), + (".foo.@example.com", false), + ("foo.@example.com", false), + ("invaliddomain!", false), + ("..example.com", false), + ("foo..example.com", false), + (".foo..example.com", false), + ("..foo..example.com", false), + ] { + assert_eq!(RFC822Constraint::new(case).is_some(), *valid); + } + } + + #[test] + fn test_rfc822constraint_matches() { + { + let exact = RFC822Constraint::new("foo@example.com").unwrap(); + + // Ordinary exact match. + assert!(exact.matches(&RFC822Name::new("foo@example.com").unwrap())); + // Case changes are okay in the domain. + assert!(exact.matches(&RFC822Name::new("foo@EXAMPLE.com").unwrap())); + + // Case changes are not okay in the mailbox. + assert!(!exact.matches(&RFC822Name::new("Foo@example.com").unwrap())); + assert!(!exact.matches(&RFC822Name::new("FOO@example.com").unwrap())); + + // Different mailboxes and domains do not match. + assert!(!exact.matches(&RFC822Name::new("foo.bar@example.com").unwrap())); + assert!(!exact.matches(&RFC822Name::new("foo@sub.example.com").unwrap())); + } + + { + let on_domain = RFC822Constraint::new("example.com").unwrap(); + + // Ordinary domain matches. 
+ assert!(on_domain.matches(&RFC822Name::new("foo@example.com").unwrap())); + assert!(on_domain.matches(&RFC822Name::new("bar@example.com").unwrap())); + assert!(on_domain.matches(&RFC822Name::new("foo.bar@example.com").unwrap())); + assert!(on_domain.matches(&RFC822Name::new("foo!bar@example.com").unwrap())); + // Case changes are okay in the domain and in the mailbox, + // since any mailbox on the domain is okay. + assert!(on_domain.matches(&RFC822Name::new("foo@EXAMPLE.com").unwrap())); + assert!(on_domain.matches(&RFC822Name::new("FOO@example.com").unwrap())); + + // Subdomains and other domains do not match. + assert!(!on_domain.matches(&RFC822Name::new("foo@sub.example.com").unwrap())); + assert!(!on_domain.matches(&RFC822Name::new("foo@localhost").unwrap())); + } + + { + let in_domain = RFC822Constraint::new(".example.com").unwrap(); + + // Any subdomain and mailbox matches. + assert!(in_domain.matches(&RFC822Name::new("foo@sub.example.com").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("foo@sub.sub.example.com").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("foo@com.example.example.com").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("foo.bar@com.example.example.com").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("foo!bar@com.example.example.com").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("bar@com.example.example.com").unwrap())); + // Case changes are okay in the subdomains and in the mailbox, since any mailbox + // in the domain is okay. + assert!(in_domain.matches(&RFC822Name::new("foo@SUB.example.com").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("foo@sub.EXAMPLE.com").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("foo@sub.example.COM").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("FOO@sub.example.COM").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("FOO@sub.example.com").unwrap())); + + // Superdomains and other domains do not match. 
+ assert!(!in_domain.matches(&RFC822Name::new("foo@example.com").unwrap())); + assert!(!in_domain.matches(&RFC822Name::new("foo@com").unwrap())); + } + } } From 5f688ec2ac69927dd215306a50ecbcef34b2e289 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 28 Feb 2024 07:20:08 -0500 Subject: [PATCH 0200/1462] Bump peter-evans/create-pull-request from 6.0.0 to 6.0.1 (#10500) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 6.0.0 to 6.0.1. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/b1ddad2c994a25fbc81a28b3ec0e368bb2021c50...a4f52f8033a6168103c2538976c07b467e8163bc) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 4cc08f5983d3..d20aea2bee15 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0 + uses: peter-evans/create-pull-request@a4f52f8033a6168103c2538976c07b467e8163bc # v6.0.1 with: commit-message: "Bump BoringSSL and/or OpenSSL in CI" title: "Bump BoringSSL and/or OpenSSL in CI" 
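Review bot: In `test_rfc822constraint_new` in `src/rust/cryptography-x509-verification/src/types.rs`, the loop only asserts `is_some()`, so it never checks which variant a given constraint string is parsed into. A change that classified `.example.com` as `OnDomain`, or a bare host as something other than `OnDomain`, would pass this test and be caught only indirectly by `test_rfc822constraint_matches`. The enum derives neither `Debug` nor `PartialEq`, so I would pin the variants with `matches!`, e.g. `assert!(matches!(RFC822Constraint::new(".example.com"), Some(RFC822Constraint::InDomain(_))));`, with one such line each for `Exact` and `OnDomain`.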
diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 9866e266065d..c8b14038a15f 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0 + uses: peter-evans/create-pull-request@a4f52f8033a6168103c2538976c07b467e8163bc # v6.0.1 with: commit-message: "Bump x509-limbo and/or wycheproof in CI" title: "Bump x509-limbo and/or wycheproof in CI" From 7b814efe779f0a42df5301635394c125a8ac1ce8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 28 Feb 2024 16:58:30 -0600 Subject: [PATCH 0201/1462] Bump keyring from 24.3.0 to 24.3.1 in /.github/requirements (#10499) * Bump keyring from 24.3.0 to 24.3.1 in /.github/requirements Bumps [keyring](https://github.com/jaraco/keyring) from 24.3.0 to 24.3.1. - [Release notes](https://github.com/jaraco/keyring/releases) - [Changelog](https://github.com/jaraco/keyring/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/keyring/compare/v24.3.0...v24.3.1) --- updated-dependencies: - dependency-name: keyring dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 6d6b85f7043f..090ca39d3578 100644 
--- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -256,9 +256,9 @@ jeepney==0.8.0 \ # via # keyring # secretstorage -keyring==24.3.0 \ - --hash=sha256:4446d35d636e6a10b8bce7caa66913dd9eca5fd222ca03a3d42c38608ac30836 \ - --hash=sha256:e730ecffd309658a08ee82535a3b5ec4b4c8669a9be11efb66249d8e0aeb9a25 +keyring==24.3.1 \ + --hash=sha256:c3327b6ffafc0e8befbdb597cacdb4928ffe5c1212f7645f186e6d9957a898db \ + --hash=sha256:df38a4d7419a6a60fea5cef1e45a948a3e8430dd12ad88b0f423c5c143906218 # via twine markdown-it-py==3.0.0 \ --hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1 \ From c1a90af5a68083f444dbf9e2a6b713692857cdf4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 29 Feb 2024 00:14:27 +0000 Subject: [PATCH 0202/1462] Bump BoringSSL and/or OpenSSL in CI (#10503) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7ffd1d6a1920..f394a819a380 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 28, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "a9a3ca49444bb1efac115e64d3ab469c54bec984"}} + # Latest commit on the BoringSSL master branch, as of Feb 29, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "df3b58ea74c50ff785ab902be3b007ff008d3e3c"}} # Latest commit on the OpenSSL master branch, as of Feb 26, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2d70cc9cecf8b322d795985efecee06242b203b3"}} # Builds with various Rust versions. Includes MSRV and next From 9ea2b5f1965c6f2566595ae7a3f71679f62cb002 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 29 Feb 2024 12:06:06 +0000 Subject: [PATCH 0203/1462] Bump syn from 2.0.51 to 2.0.52 in /src/rust (#10504) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.51 to 2.0.52. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.51...2.0.52) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index bb54df84cecb..9066b8c06006 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -377,9 +377,9 @@ checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" [[package]] name = "syn" -version = "2.0.51" +version = "2.0.52" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6ab617d94515e94ae53b8406c628598680aa0c9587474ecbe58188f7b345d66c" +checksum = "b699d15b36d1f02c3e7c69f8ffef53de37aefae075d8488d4ba1a7788d574a07" dependencies = [ "proc-macro2", "quote", From 269f1c0b4cd116f3c850fd006c9de2370768adb8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 29 Feb 2024 11:34:20 -0600 Subject: [PATCH 0204/1462] Bump rich from 13.7.0 to 13.7.1 in /.github/requirements (#10505) * Bump rich from 13.7.0 to 13.7.1 in /.github/requirements Bumps [rich](https://github.com/Textualize/rich) from 13.7.0 to 13.7.1. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.7.0...v13.7.1) --- updated-dependencies: - dependency-name: rich dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 090ca39d3578..62bf3cb38826 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -544,9 +544,9 @@ rfc3986==2.0.0 \ --hash=sha256:50b1502b60e289cb37883f3dfd34532b8873c7de9f49bb546641ce9cbd256ebd \ --hash=sha256:97aacf9dbd4bfd829baad6e6309fa6573aaf1be3f6fa735c8ab05e46cecb261c # via twine -rich==13.7.0 \ - --hash=sha256:5cb5123b5cf9ee70584244246816e9114227e0b98ad9176eede6ad54bf5403fa \ - --hash=sha256:6da14c108c4866ee9520bbffa71f6fe3962e193b7da68720583850cd4548e235 +rich==13.7.1 \ + --hash=sha256:4edbae314f59eb482f54e9e30bf00d33350aaa94f4bfcd4e9e3110e64d0d7222 \ + --hash=sha256:9be308cb1fe2f1f57d67ce99e95af38a1e2bc71ad9813b0e247cf7ffbcc3a432 # via # sigstore # twine From 992188efe4b14b6375c7d1c904b9fea04c554317 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 29 Feb 2024 17:36:19 +0000 Subject: [PATCH 0205/1462] Bump build from 1.0.3 to 1.1.0 (#10508) Bumps [build](https://github.com/pypa/build) from 1.0.3 to 1.1.0. - [Release notes](https://github.com/pypa/build/releases) - [Changelog](https://github.com/pypa/build/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/build/compare/1.0.3...v1.1.0) --- updated-dependencies: - dependency-name: build dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 069e8b731dd9..6a38c5019dec 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -11,7 +11,7 @@ argcomplete==3.2.2; python_version >= "3.8" # via nox babel==2.14.0 # via sphinx -build==1.0.3 +build==1.1.0 # via # check-sdist # cryptography (pyproject.toml) From 905983fe56bddce6c2aa18dbe52d78c51e8c5285 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Thu, 29 Feb 2024 12:54:19 -0500 Subject: [PATCH 0206/1462] Upgraded version of ruff (#10509) --- ci-constraints-requirements.txt | 2 +- noxfile.py | 2 +- .../hazmat/primitives/ciphers/base.py | 12 ++-- src/cryptography/hazmat/primitives/keywrap.py | 2 +- src/cryptography/x509/base.py | 6 +- src/cryptography/x509/extensions.py | 68 ++++++++----------- src/cryptography/x509/name.py | 6 +- tests/hazmat/primitives/decrepit/test_3des.py | 1 - tests/hazmat/primitives/decrepit/test_rc2.py | 1 - tests/hazmat/primitives/test_hashes.py | 2 +- tests/hazmat/primitives/test_hmac.py | 2 +- tests/hazmat/primitives/test_padding.py | 4 +- tests/hazmat/primitives/test_pkcs7.py | 6 +- tests/hazmat/primitives/test_ssh.py | 2 +- tests/test_fernet.py | 2 +- tests/x509/test_x509.py | 2 +- tests/x509/test_x509_ext.py | 10 +-- 17 files changed, 54 insertions(+), 76 deletions(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6a38c5019dec..7e40b5095cd1 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.2.2 +ruff==0.3.0 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx diff --git a/noxfile.py b/noxfile.py index ea4f205e1764..9d7d50c761a8 100644 --- a/noxfile.py +++ b/noxfile.py @@ -175,7 +175,7 @@ def flake(session: nox.Session) -> None: ) install(session, "-e", "vectors/") - session.run("ruff", ".") + session.run("ruff", "check", ".") session.run("ruff", "format", "--check", ".") session.run( "mypy", diff --git a/src/cryptography/hazmat/primitives/ciphers/base.py b/src/cryptography/hazmat/primitives/ciphers/base.py index 7c32cbec693e..a9fa2bf07b9d 100644 --- a/src/cryptography/hazmat/primitives/ciphers/base.py +++ b/src/cryptography/hazmat/primitives/ciphers/base.py 
@@ -88,14 +88,12 @@ def __init__( @typing.overload def encryptor( self: Cipher[modes.ModeWithAuthenticationTag], - ) -> AEADEncryptionContext: - ... + ) -> AEADEncryptionContext: ... @typing.overload def encryptor( self: _CIPHER_TYPE, - ) -> CipherContext: - ... + ) -> CipherContext: ... def encryptor(self): if isinstance(self.mode, modes.ModeWithAuthenticationTag): @@ -111,14 +109,12 @@ def encryptor(self): @typing.overload def decryptor( self: Cipher[modes.ModeWithAuthenticationTag], - ) -> AEADDecryptionContext: - ... + ) -> AEADDecryptionContext: ... @typing.overload def decryptor( self: _CIPHER_TYPE, - ) -> CipherContext: - ... + ) -> CipherContext: ... def decryptor(self): return rust_openssl.ciphers.create_decryption_ctx( diff --git a/src/cryptography/hazmat/primitives/keywrap.py b/src/cryptography/hazmat/primitives/keywrap.py index 3ee152b7903a..b93d87d31cff 100644 --- a/src/cryptography/hazmat/primitives/keywrap.py +++ b/src/cryptography/hazmat/primitives/keywrap.py @@ -86,7 +86,7 @@ def aes_key_wrap_with_padding( if len(wrapping_key) not in [16, 24, 32]: raise ValueError("The wrapping key must be a valid AES key length") - aiv = b"\xA6\x59\x59\xA6" + len(key_to_wrap).to_bytes( + aiv = b"\xa6\x59\x59\xa6" + len(key_to_wrap).to_bytes( length=4, byteorder="big" ) # pad the key to wrap if necessary diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index 89a75a23ac36..2ab482ec817f 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -503,12 +503,10 @@ def __len__(self) -> int: """ @typing.overload - def __getitem__(self, idx: int) -> RevokedCertificate: - ... + def __getitem__(self, idx: int) -> RevokedCertificate: ... @typing.overload - def __getitem__(self, idx: slice) -> list[RevokedCertificate]: - ... + def __getitem__(self, idx: slice) -> list[RevokedCertificate]: ... @abc.abstractmethod def __getitem__( 
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index db6e3bb5a621..7dd38700e537 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py @@ -1456,32 +1456,29 @@ def get_values_for_type( type: type[DNSName] | type[UniformResourceIdentifier] | type[RFC822Name], - ) -> list[str]: - ... + ) -> list[str]: ... @typing.overload def get_values_for_type( self, type: type[DirectoryName], - ) -> list[Name]: - ... + ) -> list[Name]: ... @typing.overload def get_values_for_type( self, type: type[RegisteredID], - ) -> list[ObjectIdentifier]: - ... + ) -> list[ObjectIdentifier]: ... @typing.overload def get_values_for_type( self, type: type[IPAddress] - ) -> list[_IPAddressTypes]: - ... + ) -> list[_IPAddressTypes]: ... @typing.overload - def get_values_for_type(self, type: type[OtherName]) -> list[OtherName]: - ... + def get_values_for_type( + self, type: type[OtherName] + ) -> list[OtherName]: ... def get_values_for_type( self, @@ -1534,32 +1531,29 @@ def get_values_for_type( type: type[DNSName] | type[UniformResourceIdentifier] | type[RFC822Name], - ) -> list[str]: - ... + ) -> list[str]: ... @typing.overload def get_values_for_type( self, type: type[DirectoryName], - ) -> list[Name]: - ... + ) -> list[Name]: ... @typing.overload def get_values_for_type( self, type: type[RegisteredID], - ) -> list[ObjectIdentifier]: - ... + ) -> list[ObjectIdentifier]: ... @typing.overload def get_values_for_type( self, type: type[IPAddress] - ) -> list[_IPAddressTypes]: - ... + ) -> list[_IPAddressTypes]: ... @typing.overload - def get_values_for_type(self, type: type[OtherName]) -> list[OtherName]: - ... + def get_values_for_type( + self, type: type[OtherName] + ) -> list[OtherName]: ... def get_values_for_type( self, 
@@ -1609,32 +1603,29 @@ def get_values_for_type( type: type[DNSName] | type[UniformResourceIdentifier] | type[RFC822Name], - ) -> list[str]: - ... + ) -> list[str]: ... @typing.overload def get_values_for_type( self, type: type[DirectoryName], - ) -> list[Name]: - ... + ) -> list[Name]: ... @typing.overload def get_values_for_type( self, type: type[RegisteredID], - ) -> list[ObjectIdentifier]: - ... + ) -> list[ObjectIdentifier]: ... @typing.overload def get_values_for_type( self, type: type[IPAddress] - ) -> list[_IPAddressTypes]: - ... + ) -> list[_IPAddressTypes]: ... @typing.overload - def get_values_for_type(self, type: type[OtherName]) -> list[OtherName]: - ... + def get_values_for_type( + self, type: type[OtherName] + ) -> list[OtherName]: ... def get_values_for_type( self, @@ -1684,32 +1675,29 @@ def get_values_for_type( type: type[DNSName] | type[UniformResourceIdentifier] | type[RFC822Name], - ) -> list[str]: - ... + ) -> list[str]: ... @typing.overload def get_values_for_type( self, type: type[DirectoryName], - ) -> list[Name]: - ... + ) -> list[Name]: ... @typing.overload def get_values_for_type( self, type: type[RegisteredID], - ) -> list[ObjectIdentifier]: - ... + ) -> list[ObjectIdentifier]: ... @typing.overload def get_values_for_type( self, type: type[IPAddress] - ) -> list[_IPAddressTypes]: - ... + ) -> list[_IPAddressTypes]: ... @typing.overload - def get_values_for_type(self, type: type[OtherName]) -> list[OtherName]: - ... + def get_values_for_type( + self, type: type[OtherName] + ) -> list[OtherName]: ... def get_values_for_type( self, diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py index 5e8ccfff5994..1edfc2b4f598 100644 --- a/src/cryptography/x509/name.py +++ b/src/cryptography/x509/name.py 
@@ -263,14 +263,12 @@ def __repr__(self) -> str: class Name: @typing.overload - def __init__(self, attributes: typing.Iterable[NameAttribute]) -> None: - ... + def __init__(self, attributes: typing.Iterable[NameAttribute]) -> None: ... @typing.overload def __init__( self, attributes: typing.Iterable[RelativeDistinguishedName] - ) -> None: - ... + ) -> None: ... def __init__( self, diff --git a/tests/hazmat/primitives/decrepit/test_3des.py b/tests/hazmat/primitives/decrepit/test_3des.py index f64cbd2d4412..2b7a10470c0f 100644 --- a/tests/hazmat/primitives/decrepit/test_3des.py +++ b/tests/hazmat/primitives/decrepit/test_3des.py @@ -6,7 +6,6 @@ Test using the NIST Test Vectors """ - import binascii import os diff --git a/tests/hazmat/primitives/decrepit/test_rc2.py b/tests/hazmat/primitives/decrepit/test_rc2.py index ecd4ce2accc2..dd2ce5d4b4b8 100644 --- a/tests/hazmat/primitives/decrepit/test_rc2.py +++ b/tests/hazmat/primitives/decrepit/test_rc2.py @@ -6,7 +6,6 @@ Test using the NIST Test Vectors """ - import binascii import os diff --git a/tests/hazmat/primitives/test_hashes.py b/tests/hazmat/primitives/test_hashes.py index 1d096772aed0..092ba9af41d4 100644 --- a/tests/hazmat/primitives/test_hashes.py +++ b/tests/hazmat/primitives/test_hashes.py @@ -19,7 +19,7 @@ class TestHashContext: def test_hash_reject_unicode(self, backend): m = hashes.Hash(hashes.SHA1(), backend=backend) with pytest.raises(TypeError): - m.update("\u00FC") # type: ignore[arg-type] + m.update("\u00fc") # type: ignore[arg-type] def test_hash_algorithm_instance(self, backend): with pytest.raises(TypeError): diff --git a/tests/hazmat/primitives/test_hmac.py b/tests/hazmat/primitives/test_hmac.py index 04c3e8588f01..52d3e8ee9b07 100644 --- a/tests/hazmat/primitives/test_hmac.py +++ b/tests/hazmat/primitives/test_hmac.py 
@@ -33,7 +33,7 @@ class TestHMAC: def test_hmac_reject_unicode(self, backend): h = hmac.HMAC(b"mykey", hashes.SHA1(), backend=backend) with pytest.raises(TypeError): - h.update("\u00FC") # type: ignore[arg-type] + h.update("\u00fc") # type: ignore[arg-type] def test_hmac_algorithm_instance(self, backend): with pytest.raises(TypeError): diff --git a/tests/hazmat/primitives/test_padding.py b/tests/hazmat/primitives/test_padding.py index 1a9a01f6cf15..2e20363f6f75 100644 --- a/tests/hazmat/primitives/test_padding.py +++ b/tests/hazmat/primitives/test_padding.py @@ -62,7 +62,7 @@ def __str__(self): b"111111111111111122222222222222\x02\x02", ), (128, b"1" * 16, b"1" * 16 + b"\x10" * 16), - (128, b"1" * 17, b"1" * 17 + b"\x0F" * 15), + (128, b"1" * 17, b"1" * 17 + b"\x0f" * 15), ], ) def test_pad(self, size, unpadded, padded): @@ -185,7 +185,7 @@ def __str__(self): b"111111111111111122222222222222\x00\x02", ), (128, b"1" * 16, b"1" * 16 + b"\x00" * 15 + b"\x10"), - (128, b"1" * 17, b"1" * 17 + b"\x00" * 14 + b"\x0F"), + (128, b"1" * 17, b"1" * 17 + b"\x00" * 14 + b"\x0f"), ], ) def test_pad(self, size, unpadded, padded): diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index a929a9e83ae3..9a9eab3da503 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -91,7 +91,7 @@ def test_load_pkcs7_unsupported_type(self, backend): ) def test_load_pkcs7_empty_certificates(self): - der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" + der = b"\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" with pytest.raises(ValueError): pkcs7.load_der_pkcs7_certificates(der) 
@@ -573,7 +573,7 @@ def test_smime_capabilities(self, backend): assert b"\x06\t*\x86H\x86\xf7\r\x01\t\x0f" in sig_binary # 2.16.840.1.101.3.4.1.42 (aes256-CBC-PAD) as an ASN.1 DER encoded OID - aes256_cbc_pad_oid = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x2A" + aes256_cbc_pad_oid = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x2a" # 2.16.840.1.101.3.4.1.22 (aes192-CBC-PAD) as an ASN.1 DER encoded OID aes192_cbc_pad_oid = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x16" # 2.16.840.1.101.3.4.1.2 (aes128-CBC-PAD) as an ASN.1 DER encoded OID @@ -730,7 +730,7 @@ def test_rsa_pkcs_padding_options(self, pad, backend): # another in the SignerInfo data structure in the # `digest_encryption_algorithm` field. assert ( - sig.count(b"\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01") == 2 + sig.count(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") == 2 ) _pkcs7_verify( serialization.Encoding.DER, diff --git a/tests/hazmat/primitives/test_ssh.py b/tests/hazmat/primitives/test_ssh.py index d3372566e93f..cda2aad77b59 100644 --- a/tests/hazmat/primitives/test_ssh.py +++ b/tests/hazmat/primitives/test_ssh.py @@ -390,7 +390,7 @@ def make_file( b"\x04" * 65, ), priv_type=None, - priv_fields=(b"nistp256", b"\x04" * 65, b"\x7F" * 32), + priv_fields=(b"nistp256", b"\x04" * 65, b"\x7f" * 32), comment=b"comment", checkval1=b"1234", checkval2=b"1234", diff --git a/tests/test_fernet.py b/tests/test_fernet.py index ef4ef70e25b0..7ebab3e59915 100644 --- a/tests/test_fernet.py +++ b/tests/test_fernet.py @@ -138,7 +138,7 @@ def test_ttl_required_in_decrypt_at_time(self, backend): current_time=int(time.time()), ) - @pytest.mark.parametrize("message", [b"", b"Abc!", b"\x00\xFF\x00\x80"]) + @pytest.mark.parametrize("message", [b"", b"Abc!", b"\x00\xff\x00\x80"]) def test_roundtrips(self, message, backend): f = Fernet(Fernet.generate_key(), backend=backend) assert f.decrypt(f.encrypt(message)) == message 
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 1a6fc7b437cc..e5e941e45e4a 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -5732,7 +5732,7 @@ def test_init_bad_country_code_value(self): # unicode string of length 2, but > 2 bytes with pytest.raises(ValueError): - x509.NameAttribute(NameOID.COUNTRY_NAME, "\U0001F37A\U0001F37A") + x509.NameAttribute(NameOID.COUNTRY_NAME, "\U0001f37a\U0001f37a") def test_invalid_type(self): with pytest.raises(TypeError): diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index fc3e3e06f00e..491271ade526 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py @@ -5994,11 +5994,11 @@ def test_simple(self, backend): == x509.certificate_transparency.SignatureAlgorithm.ECDSA ) assert sct.signature == ( - b"\x30\x45\x02\x21\x00\xB8\x03\xAD\x34\xF6\xFC\x0F\x2C\xFF\x84\xA0" - b"\x86\xE5\xD7\xCF\x5A\xF0\x0A\x07\x62\x6A\x7F\xB3\xA6\x44\x64\xF1" - b"\x95\xA4\x48\x45\x11\x02\x20\x2F\x61\x8D\x53\x1B\x6F\x4A\xB8\x0A" - b"\x67\xB2\x07\xE1\x8F\x6D\xAD\xD1\x04\x4A\x5E\xB3\x89\xEF\x7C\x60" - b"\xC2\x68\x53\xF9\x3D\x1F\x6D" + b"\x30\x45\x02\x21\x00\xb8\x03\xad\x34\xf6\xfc\x0f\x2c\xff\x84\xa0" + b"\x86\xe5\xd7\xcf\x5a\xf0\x0a\x07\x62\x6a\x7f\xb3\xa6\x44\x64\xf1" + b"\x95\xa4\x48\x45\x11\x02\x20\x2f\x61\x8d\x53\x1b\x6f\x4a\xb8\x0a" + b"\x67\xb2\x07\xe1\x8f\x6d\xad\xd1\x04\x4a\x5e\xb3\x89\xef\x7c\x60" + b"\xc2\x68\x53\xf9\x3d\x1f\x6d" ) assert sct.extension_bytes == b"" From 276f7e2cd49b60604c5c224d30ad527d65c843f1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 1 Mar 2024 00:31:59 +0000 Subject: [PATCH 0207/1462] Bump x509-limbo and/or wycheproof in CI (#10511) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 4434eb909f29..55213e6beba7 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 27, 2024. - ref: "2217a0e4c579edc231dd502c961caeb5a4763796" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 01, 2024. + ref: "a9c42d8d243942e95d9365e39bd45822e5af6981" # x509-limbo-ref From a08ae1c2cb025488bc3a2d7629b4c9812914529f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Mar 2024 07:02:01 -0500 Subject: [PATCH 0208/1462] Bump actions/cache from 4.0.0 to 4.0.1 (#10513) Bumps [actions/cache](https://github.com/actions/cache) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/13aacd865c20de90d75de3b17ebe84f7a17d57d2...ab5e6d0c87105b4c9c2047343972218f562e4319) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f394a819a380..ea81517da372 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -91,7 +91,7 @@ jobs: CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }} if: matrix.PYTHON.OPENSSL - name: Load OpenSSL cache - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 id: ossl-cache timeout-minutes: 2 with: From 6911dd847f25ad7c2e86684623bbd4fda4a00ea3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Mar 2024 07:02:15 -0500 Subject: [PATCH 0209/1462] Bump build from 1.1.0 to 1.1.1 (#10512) Bumps [build](https://github.com/pypa/build) from 1.1.0 to 1.1.1. - [Release notes](https://github.com/pypa/build/releases) - [Changelog](https://github.com/pypa/build/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/build/compare/v1.1.0...1.1.1) --- updated-dependencies: - dependency-name: build dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 7e40b5095cd1..c3b1e8885ddb 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -11,7 +11,7 @@ argcomplete==3.2.2; python_version >= "3.8" # via nox babel==2.14.0 # via sphinx -build==1.1.0 +build==1.1.1 # via # check-sdist # cryptography (pyproject.toml) From 1cb4c9f5384a2b751f09177d7df2f1e022d606a1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 1 Mar 2024 09:11:16 -0500 Subject: [PATCH 0210/1462] Update local nox session for ruff change (#10515) --- noxfile.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/noxfile.py b/noxfile.py index 9d7d50c761a8..c66fe6bae578 100644 --- a/noxfile.py +++ b/noxfile.py 
@@ -268,7 +268,7 @@ def local(session): session.run("flit", "install", "-s", silent=True) session.run("ruff", "format", ".") - session.run("ruff", ".") + session.run("ruff", "check", ".") with session.chdir("src/rust/"): session.run("cargo", "fmt", "--all", external=True) From 5c2193f500672eefee7c42854f023b7119cb5e19 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Mar 2024 08:19:00 -0600 Subject: [PATCH 0211/1462] Bump python-dateutil from 2.8.2 to 2.9.0 in /.github/requirements (#10514) * Bump python-dateutil from 2.8.2 to 2.9.0 in /.github/requirements Bumps [python-dateutil](https://github.com/dateutil/dateutil) from 2.8.2 to 2.9.0. - [Release notes](https://github.com/dateutil/dateutil/releases) - [Changelog](https://github.com/dateutil/dateutil/blob/master/NEWS) - [Commits](https://github.com/dateutil/dateutil/compare/2.8.2...2.9.0) --- updated-dependencies: - dependency-name: python-dateutil dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 62bf3cb38826..ed7c1d3813aa 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -518,9 +518,9 @@ pyopenssl==24.0.0 \ --hash=sha256:6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a334530bf \ --hash=sha256:ba07553fb6fd6a7a2259adb9b84e12302a9a8a75c44046e8bb5d3e5ee887e3c3 # via sigstore -python-dateutil==2.8.2 \ - --hash=sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86 \ - --hash=sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9 +python-dateutil==2.9.0 \ + --hash=sha256:78e73e19c63f5b20ffa567001531680d939dc042bf7850431877645523c66709 \ + --hash=sha256:cbf2f1da5e6083ac2fbfd4da39a25f34312230110440f424a14c7558bb85d82e # via betterproto readme-renderer==43.0 \ --hash=sha256:1818dd28140813509eeed8d62687f7cd4f7bad90d4db586001c5dc09d4fde311 \ From 17710c7e61d2373b89468e547895d32ac41600d0 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 1 Mar 2024 19:20:07 -0500 Subject: [PATCH 0212/1462] Bump BoringSSL and/or OpenSSL in CI (#10516) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ea81517da372..cbb740d630b1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 29, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "df3b58ea74c50ff785ab902be3b007ff008d3e3c"}} - # Latest commit on the OpenSSL master branch, as of Feb 26, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2d70cc9cecf8b322d795985efecee06242b203b3"}} + # Latest commit on the OpenSSL master branch, as of Mar 02, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fbce6ebf706cdd273f2569edfea7ade106426e0b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From e64f50992919c9f5e00a0fa8f3bd62e9496a608a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 2 Mar 2024 23:21:02 -0500 Subject: [PATCH 0213/1462] Bump BoringSSL and/or OpenSSL in CI (#10519) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cbb740d630b1..e384bfe8805e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 29, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "df3b58ea74c50ff785ab902be3b007ff008d3e3c"}} - # Latest commit on the OpenSSL master branch, as of Mar 02, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fbce6ebf706cdd273f2569edfea7ade106426e0b"}} + # Latest commit on the OpenSSL master branch, as of Mar 03, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5677992679b38950c6a0c3775fd57378e1879ba5"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 6e6b17d8ba9d9ea36f1d457b803713df64ff71ff Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 4 Mar 2024 00:33:45 -0500 Subject: [PATCH 0214/1462] Conert PKCS12Certificate to Rust (#10521) --- .../hazmat/bindings/_rust/pkcs12.pyi | 9 ++ .../hazmat/primitives/serialization/pkcs12.py | 38 +-------- src/rust/src/pkcs12.rs | 84 ++++++++++++++++--- src/rust/src/types.rs | 4 - tests/hazmat/primitives/test_pkcs12.py | 2 +- 5 files changed, 85 insertions(+), 52 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi index c82892f6debc..109ae4fce5d8 100644 --- a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi +++ b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi @@ -10,6 +10,15 @@ from cryptography.hazmat.primitives.serialization.pkcs12 import ( PKCS12KeyAndCertificates, ) +class PKCS12Certificate: + def __init__( + self, cert: x509.Certificate, friendly_name: bytes | None + ) -> None: ... + @property + def friendly_name(self) -> bytes | None: ... + @property + def certificate(self) -> x509.Certificate: ... + def load_key_and_certificates( data: bytes, password: bytes | None, 
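Review bot: The new `PKCS12Certificate` stub in `pkcs12.pyi` declares no `__eq__` or `__hash__`, although the Rust class defines both and the removed Python class typed `__eq__(self, other: object)`. This is probably why the `tests/hazmat/primitives/test_pkcs12.py` hunk has to add `# type: ignore[comparison-overlap]` to `c2n != "test"`: with no custom `__eq__` declared, mypy's strict-equality check treats the operands as non-overlapping. Adding `def __eq__(self, other: object) -> bool: ...` and `def __hash__(self) -> int: ...` to the stub would keep downstream comparisons type-checking as they did before and make the ignore unnecessary.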
diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index b6d6a198a4f6..8ed5f1e0872b 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py @@ -38,43 +38,7 @@ ] -class PKCS12Certificate: - def __init__( - self, - cert: x509.Certificate, - friendly_name: bytes | None, - ): - if not isinstance(cert, x509.Certificate): - raise TypeError("Expecting x509.Certificate object") - if friendly_name is not None and not isinstance(friendly_name, bytes): - raise TypeError("friendly_name must be bytes or None") - self._cert = cert - self._friendly_name = friendly_name - - @property - def friendly_name(self) -> bytes | None: - return self._friendly_name - - @property - def certificate(self) -> x509.Certificate: - return self._cert - - def __eq__(self, other: object) -> bool: - if not isinstance(other, PKCS12Certificate): - return NotImplemented - - return ( - self.certificate == other.certificate - and self.friendly_name == other.friendly_name - ) - - def __hash__(self) -> int: - return hash((self.certificate, self.friendly_name)) - - def __repr__(self) -> str: - return "".format( - self.certificate, self.friendly_name - ) +PKCS12Certificate = rust_pkcs12.PKCS12Certificate class PKCS12KeyAndCertificates: diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 34b2c8f04c5e..58178fe3918d 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs 
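Review bot: Swapping the Python class for the alias `PKCS12Certificate = rust_pkcs12.PKCS12Certificate` changes the public type in ways this hunk does not record. A pyo3 class declared with a bare `#[pyclass]`, as in the `src/rust/src/pkcs12.rs` hunk, cannot be subclassed from Python, and the explicit `TypeError` messages of the removed `__init__` give way to pyo3's argument-conversion errors. If subclassing is meant to keep working, the Rust declaration needs the `subclass` option. Otherwise a comment above the alias, for example `# Implemented in Rust; cannot be subclassed from Python.`, plus a changelog entry would make the break visible to callers.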
@@ -5,8 +5,72 @@ use crate::backend::keys; use crate::buf::CffiBuf; use crate::error::CryptographyResult; +use crate::x509::certificate::Certificate; use crate::{types, x509}; use pyo3::IntoPy; +use std::collections::hash_map::DefaultHasher; +use std::hash::{Hash, Hasher}; + +#[pyo3::prelude::pyclass] +struct PKCS12Certificate { + #[pyo3(get)] + certificate: pyo3::Py, + #[pyo3(get)] + friendly_name: Option>, +} + +#[pyo3::prelude::pymethods] +impl PKCS12Certificate { + #[new] + fn new( + cert: pyo3::Py, + friendly_name: Option>, + ) -> PKCS12Certificate { + PKCS12Certificate { + certificate: cert, + friendly_name, + } + } + + fn __eq__( + &self, + py: pyo3::Python<'_>, + other: pyo3::PyRef<'_, Self>, + ) -> CryptographyResult { + let friendly_name_eq = match (&self.friendly_name, &other.friendly_name) { + (Some(a), Some(b)) => a.as_ref(py).eq(b.as_ref(py))?, + (None, None) => true, + _ => false, + }; + Ok(friendly_name_eq + && self + .certificate + .as_ref(py) + .eq(other.certificate.as_ref(py))?) + } + + fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { + let mut hasher = DefaultHasher::new(); + self.certificate.as_ref(py).hash()?.hash(&mut hasher); + match &self.friendly_name { + Some(v) => v.as_ref(py).hash()?.hash(&mut hasher), + None => None::.hash(&mut hasher), + }; + Ok(hasher.finish()) + } + + fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { + let friendly_name_repr = match &self.friendly_name { + Some(v) => v.as_ref(py).repr()?.extract()?, + None => "None", + }; + Ok(format!( + "", + self.certificate.as_ref(py).str()?, + friendly_name_repr + )) + } +} fn decode_p12( data: CffiBuf<'_>, 
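Review bot: `__hash__` on the new `PKCS12Certificate` agrees with `__eq__` only because `DefaultHasher::new()` always starts from the same state, and nothing in the hunk says so. A later switch to a randomly keyed hasher would give equal objects different hashes and silently break their use in sets and as dict keys. I would add `// DefaultHasher::new() is deterministically keyed, so equal objects hash equal.` above the hasher. The struct also needs a `///` line saying that it pairs a certificate with its optional PKCS#12 friendly name and that both fields are read-only from Python (`#[pyo3(get)]` only), which is what keeps the hash stable.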
@@ -101,12 +165,11 @@ fn load_pkcs12<'p>( let cert = if let Some(ossl_cert) = p12.cert { let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; - let alias = ossl_cert.alias(); + let alias = ossl_cert + .alias() + .map(|a| pyo3::types::PyBytes::new(py, a).into_py(py)); - types::PKCS12CERTIFICATE - .get(py)? - .call1((cert, alias))? - .into_py(py) + PKCS12Certificate::new(pyo3::Py::new(py, cert)?, alias).into_py(py) } else { py.None() }; @@ -125,12 +188,11 @@ fn load_pkcs12<'p>( for ossl_cert in it { let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; - let alias = ossl_cert.alias(); + let alias = ossl_cert + .alias() + .map(|a| pyo3::types::PyBytes::new(py, a).into_py(py)); - let p12_cert = types::PKCS12CERTIFICATE - .get(py)? - .call1((cert, alias))? - .into_py(py); + let p12_cert = PKCS12Certificate::new(pyo3::Py::new(py, cert)?, alias).into_py(py); additional_certs.append(p12_cert)?; } } @@ -146,5 +208,7 @@ pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::pr submod.add_function(pyo3::wrap_pyfunction!(load_key_and_certificates, submod)?)?; submod.add_function(pyo3::wrap_pyfunction!(load_pkcs12, submod)?)?; + submod.add_class::()?; + Ok(submod) } diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 3afdbb980914..55250a0b0b58 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -327,10 +327,6 @@ pub static SMIME_ENCODE: LazyPyImport = LazyPyImport::new( &["_smime_encode"], ); -pub static PKCS12CERTIFICATE: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.serialization.pkcs12", - &["PKCS12Certificate"], -); pub static PKCS12KEYANDCERTIFICATES: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization.pkcs12", &["PKCS12KeyAndCertificates"], 
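Review bot: The alias mapping and the `PKCS12Certificate::new(pyo3::Py::new(py, cert)?, alias).into_py(py)` wrapping added here for `p12.cert` are repeated line for line in the `@@ -125,12 +188,11 @@` hunk for the additional certificates. A private helper that takes `py` and the OpenSSL certificate and returns the wrapped object would keep the DER round-trip, the alias conversion and the construction in one place, so the two paths cannot drift apart. `load_pkcs12` starts before and continues after both hunks, so how the surrounding code uses the results is not visible here.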
diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index e096894956e8..2f702aaf9626 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -781,7 +781,7 @@ def test_certificate_equality(self, backend): assert c2a != c2b assert c2a != c3a - assert c2n != "test" + assert c2n != "test" # type: ignore[comparison-overlap] def test_certificate_hash(self, backend): cert2 = _load_cert( From 47013043cfd16d634e8eb17fe2cc01a4d2e8701e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 15:17:04 +0000 Subject: [PATCH 0215/1462] Bump cc from 1.0.88 to 1.0.89 in /src/rust (#10527) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.88 to 1.0.89. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.88...1.0.89) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 9066b8c06006..eb46a5b38c00 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.88" +version = "1.0.89" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "02f341c093d19155a6e41631ce5971aac4e9a868262212153124c15fa22d1cdc" +checksum = "a0ba8f7aaa012f30d5b2861462f6708eccd49c3c39863fe083a308035f63d723" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index e4cd77756121..138f7a38070f 100644 
--- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.20", features = ["abi3"] } openssl-sys = "0.9.101" [build-dependencies] -cc = "1.0.88" +cc = "1.0.89" From 2d9d8ee43fd87d24a14dc617504cf3624987b479 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 15:17:27 +0000 Subject: [PATCH 0216/1462] Bump nox from 2023.4.22 to 2024.3.2 (#10522) Bumps [nox](https://github.com/wntrblm/nox) from 2023.4.22 to 2024.3.2. - [Release notes](https://github.com/wntrblm/nox/releases) - [Changelog](https://github.com/wntrblm/nox/blob/main/CHANGELOG.md) - [Commits](https://github.com/wntrblm/nox/compare/2023.04.22...2024.03.02) --- updated-dependencies: - dependency-name: nox dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c3b1e8885ddb..f0336b49ccd5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -58,7 +58,7 @@ mypy-extensions==1.0.0 # via mypy nh3==0.2.15 # via readme-renderer -nox==2023.4.22 +nox==2024.3.2 # via cryptography (pyproject.toml) packaging==23.2 # via From ec028756101c34be2e7285af724ee80647dd6aaa Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 10:05:34 -0600 Subject: [PATCH 0217/1462] Bump pkginfo from 1.9.6 to 1.10.0 in /.github/requirements (#10525) * Bump pkginfo from 1.9.6 to 1.10.0 in /.github/requirements Bumps [pkginfo](https://code.launchpad.net/~tseaver/pkginfo/trunk) from 1.9.6 to 1.10.0. --- updated-dependencies: - dependency-name: pkginfo dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index ed7c1d3813aa..2e1905e09069 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -382,9 +382,9 @@ nh3==0.2.15 \ --hash=sha256:d1e30ff2d8d58fb2a14961f7aac1bbb1c51f9bdd7da727be35c63826060b0bf3 \ --hash=sha256:f3b53ba93bb7725acab1e030bc2ecd012a817040fd7851b332f86e2f9bb98dc6 # via readme-renderer -pkginfo==1.9.6 \ - --hash=sha256:4b7a555a6d5a22169fcc9cf7bfd78d296b0361adad412a346c1226849af5e546 \ - --hash=sha256:8fd5896e8718a4372f0ea9cc9d96f6417c9b986e23a4d116dda26b62cc29d046 +pkginfo==1.10.0 \ + --hash=sha256:5df73835398d10db79f8eecd5cd86b1f6d29317589ea70796994d49399af6297 \ + --hash=sha256:889a6da2ed7ffc58ab5b900d888ddce90bce912f2d2de1dc1c26f4cb9fe65097 # via twine pycparser==2.21 \ --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \ From d50249fe19806c5a44dd86afa2126ee9110a3577 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 10:05:48 -0600 Subject: [PATCH 0218/1462] Bump python-dateutil from 2.9.0 to 2.9.0.post0 in /.github/requirements (#10526) * Bump python-dateutil from 2.9.0 to 2.9.0.post0 in /.github/requirements Bumps [python-dateutil](https://github.com/dateutil/dateutil) from 2.9.0 to 2.9.0.post0. - [Release notes](https://github.com/dateutil/dateutil/releases) - [Changelog](https://github.com/dateutil/dateutil/blob/master/NEWS) - [Commits](https://github.com/dateutil/dateutil/compare/2.9.0...2.9.0.post0) --- updated-dependencies: - dependency-name: python-dateutil dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 2e1905e09069..a4cc7ce4314f 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -518,9 +518,9 @@ pyopenssl==24.0.0 \ --hash=sha256:6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a334530bf \ --hash=sha256:ba07553fb6fd6a7a2259adb9b84e12302a9a8a75c44046e8bb5d3e5ee887e3c3 # via sigstore -python-dateutil==2.9.0 \ - --hash=sha256:78e73e19c63f5b20ffa567001531680d939dc042bf7850431877645523c66709 \ - --hash=sha256:cbf2f1da5e6083ac2fbfd4da39a25f34312230110440f424a14c7558bb85d82e +python-dateutil==2.9.0.post0 \ + --hash=sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3 \ + --hash=sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427 # via betterproto readme-renderer==43.0 \ --hash=sha256:1818dd28140813509eeed8d62687f7cd4f7bad90d4db586001c5dc09d4fde311 \ From 0106842b28393dc4f8a5d999dce0ef2311c0eba4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 4 Mar 2024 15:56:34 -0500 Subject: [PATCH 0219/1462] Added more data structures from the PKCS#12 RFC (#10518) --- src/rust/cryptography-x509/src/pkcs12.rs | 46 +++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509/src/pkcs12.rs b/src/rust/cryptography-x509/src/pkcs12.rs index e5676bfb59e6..49f2ddc629f3 100644 --- a/src/rust/cryptography-x509/src/pkcs12.rs +++ b/src/rust/cryptography-x509/src/pkcs12.rs @@ -4,6 +4,10 @@ use crate::pkcs7; +pub const CERT_BAG_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 12, 10, 1, 3); +pub const X509_CERTIFICATE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 22, 1); +pub const FRIENDLY_NAME_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 20); + // #[derive(asn1::Asn1Write)] pub struct Pfx<'a> { pub version: u8, 
@@ -15,6 +19,46 @@ pub struct Pfx<'a> { pub struct MacData<'a> { pub mac: pkcs7::DigestInfo<'a>, pub salt: &'a [u8], - // #[default(1)] + // #[default(1u64)] pub iterations: u64, } + +// #[derive(asn1::Asn1Write)] +pub struct SafeBag<'a> { + pub _bag_id: asn1::DefinedByMarker, + // #[defined_by(_bag_id)] + pub bag_value: asn1::Explicit, 0>, + // pub attributes: Option>>, +} + +// #[derive(asn1::Asn1Write)] +pub struct Attribute<'a> { + pub _attr_id: asn1::DefinedByMarker, + // #[defined_by(_attr_id)] + pub attr_values: AttributeSet<'a>, +} + +// #[derive(asn1::Asn1DefinedByWrite)] +pub enum AttributeSet<'a> { + // #[defined_by(FRIENDLY_NAME_OID)] + FriendlyName(asn1::SetOfWriter<'a, asn1::BMPString<'a>>), +} + +// #[derive(asn1::Asn1DefinedByWrite)] +pub enum BagValue<'a> { + // #[defined_by(CERT_BAG_OID)] + CertBag(CertBag<'a>), +} + +// #[derive(asn1::Asn1Write)] +pub struct CertBag<'a> { + pub _cert_id: asn1::DefinedByMarker, + // #[defined_by(_cert_id)] + pub cert_value: asn1::Explicit, 0>, +} + +// #[derive(asn1::Asn1DefinedByWrite)] +pub enum CertType<'a> { + // #[defined_by(X509_CERTIFICATE_OID)] + X509(asn1::OctetStringEncoded>), +} From 6238f91634dfc9009ef15bbdf782d9c4f2a73613 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 4 Mar 2024 16:21:13 -0500 Subject: [PATCH 0220/1462] Allow clippy::result_large_err (#10532) This is triggered by the latest rust-asn1 (see #10530) --- src/rust/cryptography-key-parsing/src/lib.rs | 4 ++++ src/rust/cryptography-key-parsing/src/rsa.rs | 2 +- src/rust/cryptography-key-parsing/src/spki.rs | 2 +- src/rust/cryptography-x509-verification/src/lib.rs | 1 + src/rust/cryptography-x509/src/lib.rs | 1 + src/rust/src/lib.rs | 2 +- 6 files changed, 9 insertions(+), 3 deletions(-) diff --git a/src/rust/cryptography-key-parsing/src/lib.rs b/src/rust/cryptography-key-parsing/src/lib.rs index 93c49181c1fe..c97bc3f754c6 100644 --- a/src/rust/cryptography-key-parsing/src/lib.rs +++ b/src/rust/cryptography-key-parsing/src/lib.rs 
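Review bot: Every serialization attribute on the new types is commented out (`// #[derive(asn1::Asn1Write)]`, `// #[defined_by(_bag_id)]`, the `attributes` field of `SafeBag`) with no explanation, so a reader cannot tell whether these structs are meant to be encodable yet. A short comment at the top of the file would settle it, along the lines of `// Derives are disabled until the PKCS#12 writer is wired up; these types are not yet serializable.`, worded to match the real reason, which the hunk does not show. Each public struct and enum would also benefit from a `///` line naming the PKCS#12 structure it mirrors. The three OID constants added in the `@@ -4,6 +4,10 @@` hunk need the same.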
@@ -2,6 +2,10 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +#![forbid(unsafe_code)] +#![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +#![allow(unknown_lints, clippy::result_large_err)] + pub mod rsa; pub mod spki; diff --git a/src/rust/cryptography-key-parsing/src/rsa.rs b/src/rust/cryptography-key-parsing/src/rsa.rs index 5a2f57d58a6b..05bbc41dae2e 100644 --- a/src/rust/cryptography-key-parsing/src/rsa.rs +++ b/src/rust/cryptography-key-parsing/src/rsa.rs @@ -13,7 +13,7 @@ pub struct Pksc1RsaPublicKey<'a> { pub fn parse_pkcs1_public_key( data: &[u8], ) -> KeyParsingResult> { - let k = asn1::parse_single::(data)?; + let k = asn1::parse_single::>(data)?; let n = openssl::bn::BigNum::from_slice(k.n.as_bytes())?; let e = openssl::bn::BigNum::from_slice(k.e.as_bytes())?; diff --git a/src/rust/cryptography-key-parsing/src/spki.rs b/src/rust/cryptography-key-parsing/src/spki.rs index e6e1133c490a..68f2f33e06e3 100644 --- a/src/rust/cryptography-key-parsing/src/spki.rs +++ b/src/rust/cryptography-key-parsing/src/spki.rs @@ -9,7 +9,7 @@ use crate::{KeyParsingError, KeyParsingResult}; pub fn parse_public_key( data: &[u8], ) -> KeyParsingResult> { - let k = asn1::parse_single::(data)?; + let k = asn1::parse_single::>(data)?; match k.algorithm.params { AlgorithmParameters::Ec(ec_params) => match ec_params { diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 5ded892d5cbb..1c18f498cd88 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -4,6 +4,7 @@ #![forbid(unsafe_code)] #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +#![allow(unknown_lints, clippy::result_large_err)] pub mod certificate; pub mod ops; diff --git a/src/rust/cryptography-x509/src/lib.rs b/src/rust/cryptography-x509/src/lib.rs index 5fbedbf7ebc7..54c3b12aa942 100644 
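Review bot: The crate-level `#![allow(unknown_lints, clippy::result_large_err)]` added in cryptography-key-parsing/src/lib.rs has no comment saying why the lint is off or when it can be turned back on. The commit message ties it to the rust-asn1 update (#10530), but that context is not visible from the file, and a crate-wide allow also hides large error types added later for unrelated reasons. A short comment above the attribute would be enough, e.g. `// Triggered by error types from rust-asn1 (see #10530); remove once they are smaller.` The same applies to the identical line added in cryptography-x509-verification/src/lib.rs, cryptography-x509/src/lib.rs and src/rust/src/lib.rs.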
--- a/src/rust/cryptography-x509/src/lib.rs +++ b/src/rust/cryptography-x509/src/lib.rs @@ -4,6 +4,7 @@ #![forbid(unsafe_code)] #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +#![allow(unknown_lints, clippy::result_large_err)] pub mod certificate; pub mod common; diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index e8b881126f20..47102dfde1dd 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -3,7 +3,7 @@ // for complete details. #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] -#![allow(unknown_lints, non_local_definitions)] +#![allow(unknown_lints, non_local_definitions, clippy::result_large_err)] #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use crate::error::CryptographyResult; From f40cf4a743ae380bcb910f96f943ae759cf086d0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 4 Mar 2024 15:29:07 -0600 Subject: [PATCH 0221/1462] fix rsa key name typo (#10533) --- src/rust/cryptography-key-parsing/src/rsa.rs | 4 ++-- src/rust/cryptography-x509-verification/src/policy/mod.rs | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/cryptography-key-parsing/src/rsa.rs b/src/rust/cryptography-key-parsing/src/rsa.rs index 05bbc41dae2e..bf33a492352e 100644 --- a/src/rust/cryptography-key-parsing/src/rsa.rs +++ b/src/rust/cryptography-key-parsing/src/rsa.rs @@ -5,7 +5,7 @@ use crate::KeyParsingResult; #[derive(asn1::Asn1Read)] -pub struct Pksc1RsaPublicKey<'a> { +pub struct Pkcs1RsaPublicKey<'a> { pub n: asn1::BigUint<'a>, e: asn1::BigUint<'a>, } @@ -13,7 +13,7 @@ pub struct Pksc1RsaPublicKey<'a> { pub fn parse_pkcs1_public_key( data: &[u8], ) -> KeyParsingResult> { - let k = asn1::parse_single::>(data)?; + let k = asn1::parse_single::>(data)?; let n = openssl::bn::BigNum::from_slice(k.n.as_bytes())?; let e = openssl::bn::BigNum::from_slice(k.e.as_bytes())?; 
diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index f0a2ba5a7e63..8f704a39c0e2 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -9,7 +9,7 @@ use std::ops::Range; use std::sync::Arc; use asn1::ObjectIdentifier; -use cryptography_key_parsing::rsa::Pksc1RsaPublicKey; +use cryptography_key_parsing::rsa::Pkcs1RsaPublicKey; use cryptography_x509::certificate::Certificate; use cryptography_x509::common::{ AlgorithmIdentifier, AlgorithmParameters, EcParameters, RsaPssParameters, Time, @@ -512,7 +512,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { issuer_spki.algorithm.params, AlgorithmParameters::Rsa(_) | AlgorithmParameters::RsaPss(_) ) { - let rsa_key: Pksc1RsaPublicKey<'_> = + let rsa_key: Pkcs1RsaPublicKey<'_> = asn1::parse_single(issuer_spki.subject_public_key.as_bytes())?; if rsa_key.n.as_bytes().len() * 8 < self.minimum_rsa_modulus { From 9ddf6c08ca189ad5289a65020904814e1d8a8cc0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 21:37:46 +0000 Subject: [PATCH 0222/1462] Bump asn1 from 0.16.0 to 0.16.1 in /src/rust (#10530) Bumps [asn1](https://github.com/alex/rust-asn1) from 0.16.0 to 0.16.1. - [Commits](https://github.com/alex/rust-asn1/compare/0.16.0...0.16.1) --- updated-dependencies: - dependency-name: asn1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 8 ++++---- src/rust/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-x509-verification/Cargo.toml | 2 +- src/rust/cryptography-x509/Cargo.toml | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) 
diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index eb46a5b38c00..3eaa4b11a19a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -4,18 +4,18 @@ version = 3 [[package]] name = "asn1" -version = "0.16.0" +version = "0.16.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a227d599843d72985b747c71958d16d670a6e6bc06fadf064570cae70c11fd0a" +checksum = "889adc8fd6c1344619926529e605cccad1f832b3a2a5a3fe6d7c8557c8f05368" dependencies = [ "asn1_derive", ] [[package]] name = "asn1_derive" -version = "0.16.0" +version = "0.16.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87132221a3cb3794c8def2208c723276686e0cd771541deb7768905ce13dc603" +checksum = "e2271cec9b830009b9c3b9e21767083c553f51f996b690c476c27f541199aa99" dependencies = [ "proc-macro2", "quote", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 96ea8425ec45..e3145ca05262 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -11,7 +11,7 @@ rust-version = "1.65.0" once_cell = "1" cfg-if = "1" pyo3 = { version = "0.20", features = ["abi3"] } -asn1 = { version = "0.16.0", default-features = false } +asn1 = { version = "0.16.1", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-key-parsing = { path = "cryptography-key-parsing" } cryptography-x509 = { path = "cryptography-x509" } diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index 138ff6cd7984..d5071e5ef8a4 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.65.0" [dependencies] -asn1 = { version = "0.16.0", default-features = false } +asn1 = { version = "0.16.1", default-features = false } cfg-if = "1" openssl = "0.10.64" openssl-sys = "0.9.101" 
diff --git a/src/rust/cryptography-x509-verification/Cargo.toml b/src/rust/cryptography-x509-verification/Cargo.toml index 5ba846878633..2ffa8e3d273e 100644 --- a/src/rust/cryptography-x509-verification/Cargo.toml +++ b/src/rust/cryptography-x509-verification/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.65.0" [dependencies] -asn1 = { version = "0.16.0", default-features = false } +asn1 = { version = "0.16.1", default-features = false } cryptography-x509 = { path = "../cryptography-x509" } cryptography-key-parsing = { path = "../cryptography-key-parsing" } once_cell = "1" diff --git a/src/rust/cryptography-x509/Cargo.toml b/src/rust/cryptography-x509/Cargo.toml index cf6df6f3d3c4..2332756b2275 100644 --- a/src/rust/cryptography-x509/Cargo.toml +++ b/src/rust/cryptography-x509/Cargo.toml @@ -8,4 +8,4 @@ publish = false rust-version = "1.65.0" [dependencies] -asn1 = { version = "0.16.0", default-features = false } +asn1 = { version = "0.16.1", default-features = false } From af56f15f6cde23db25a9bc919f411847772e7d14 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 4 Mar 2024 16:57:53 -0500 Subject: [PATCH 0223/1462] added KeyBag to pkcs12 structs (#10534) --- src/rust/cryptography-x509/src/pkcs12.rs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/rust/cryptography-x509/src/pkcs12.rs b/src/rust/cryptography-x509/src/pkcs12.rs index 49f2ddc629f3..328961fce053 100644 --- a/src/rust/cryptography-x509/src/pkcs12.rs +++ b/src/rust/cryptography-x509/src/pkcs12.rs @@ -5,6 +5,7 @@ use crate::pkcs7; pub const CERT_BAG_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 12, 10, 1, 3); +pub const KEY_BAG_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 12, 10, 1, 1); pub const X509_CERTIFICATE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 22, 1); pub const FRIENDLY_NAME_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 20); 
@@ -48,6 +49,9 @@ pub enum AttributeSet<'a> { pub enum BagValue<'a> { // #[defined_by(CERT_BAG_OID)] CertBag(CertBag<'a>), + + // #[defined_by(KEY_BAG_OID)] + KeyBag(asn1::Tlv<'a>), } // #[derive(asn1::Asn1Write)] From c3ddb58c58acf74cb06604b1bac0a5aa060df857 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 4 Mar 2024 18:18:36 -0500 Subject: [PATCH 0224/1462] Mark PKCS12Certificate as frozen (#10535) --- src/rust/src/pkcs12.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 58178fe3918d..0743e5e7778f 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -11,7 +11,7 @@ use pyo3::IntoPy; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -#[pyo3::prelude::pyclass] +#[pyo3::prelude::pyclass(frozen)] struct PKCS12Certificate { #[pyo3(get)] certificate: pyo3::Py, From e1d313af94b75e38dfb9f4f5123e5dd5243d89bc Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 19:15:42 -0500 Subject: [PATCH 0225/1462] Bump BoringSSL and/or OpenSSL in CI (#10536) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e384bfe8805e..351c479bea23 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
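Review bot: The new `KeyBag(asn1::Tlv<'a>)` variant in `BagValue` gives no hint that this bag type carries the private key unencrypted. In RFC 7292 a KeyBag is a plain PKCS #8 PrivateKeyInfo, unlike the shrouded key bag, so its confidentiality depends entirely on whether the enclosing content is encrypted. Because the payload is typed as a raw TLV, nothing at this level checks that it is a PrivateKeyInfo either. I would add a comment on the variant, e.g. `// Unencrypted PKCS#8 PrivateKeyInfo (RFC 7292 KeyBag); confidentiality depends on the enclosing ContentInfo`.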
@@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 29, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "df3b58ea74c50ff785ab902be3b007ff008d3e3c"}} + # Latest commit on the BoringSSL master branch, as of Mar 05, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e3af7710ed006e228382c8041782cba81ff4040a"}} # Latest commit on the OpenSSL master branch, as of Mar 03, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5677992679b38950c6a0c3775fd57378e1879ba5"}} # Builds with various Rust versions. Includes MSRV and next From 8221e18abdb361c3e249809de0f6228c3d12c55d Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 4 Mar 2024 19:44:20 -0500 Subject: [PATCH 0226/1462] test_limbo: skip non-SERVER cases for now (#10538) * test_limbo: skip non-SERVER cases for now Signed-off-by: William Woodruff * Bump x509-limbo and/or wycheproof in CI --------- Signed-off-by: William Woodruff Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- tests/x509/verification/test_limbo.py | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 55213e6beba7..55cae6733457 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 01, 2024. - ref: "a9c42d8d243942e95d9365e39bd45822e5af6981" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 05, 2024. + ref: "b13ff3276809afc754434808033bd1a48f0157f6" # x509-limbo-ref diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index edcb0fc9bda5..133482476c6b 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -73,6 +73,9 @@ # with what webpki and rustls do, but inconsistent with Go and OpenSSL. "rfc5280::ca-as-leaf", "pathlen::validation-ignores-pathlen-in-leaf", + # Client testcases are not supported yet. + "rfc5280::nc::nc-permits-email-exact", + "rfc5280::nc::nc-permits-email-domain", } From b507701ab4c14c345fd036c20ec7b95dae78c1a4 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 4 Mar 2024 20:09:19 -0500 Subject: [PATCH 0227/1462] test_limbo: skip things more idiomatically (#10539) --- tests/x509/verification/test_limbo.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 133482476c6b..c745bdbe5729 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -73,9 +73,6 @@ # with what webpki and rustls do, but inconsistent with Go and OpenSSL. "rfc5280::ca-as-leaf", "pathlen::validation-ignores-pathlen-in-leaf", - # Client testcases are not supported yet. - "rfc5280::nc::nc-permits-email-exact", - "rfc5280::nc::nc-permits-email-domain", } 
@@ -91,12 +88,16 @@ def _get_limbo_peer(expected_peer): def _limbo_testcase(id_, testcase): if id_ in LIMBO_SKIP_TESTCASES: - return + pytest.skip(f"explicitly skipped testcase: {id_}") features = testcase["features"] - if LIMBO_UNSUPPORTED_FEATURES.intersection(features): - return - assert testcase["validation_kind"] == "SERVER" + unsupported = LIMBO_UNSUPPORTED_FEATURES.intersection(features) + if unsupported: + pytest.skip(f"explicitly skipped features: {unsupported}") + + if testcase["validation_kind"] != "SERVER": + pytest.skip("non-SERVER testcase") + assert testcase["signature_algorithms"] == [] assert testcase["extended_key_usage"] == [] or testcase[ "extended_key_usage" From 45739ef264c3032b816b3240297dcae9a019dea6 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 00:15:09 +0000 Subject: [PATCH 0228/1462] Bump BoringSSL and/or OpenSSL in CI (#10542) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 351c479bea23..a6fe6771ec54 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
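Review bot: Replacing `assert testcase["validation_kind"] == "SERVER"` with a skip for every non-SERVER value means an unexpected or misspelled validation kind in the vectors now reduces coverage quietly instead of failing. Since these cases exercise certificate path validation, I would skip only the kind that is known to be unsupported and keep the assertion for everything else: `if testcase["validation_kind"] == "CLIENT": pytest.skip("client testcase")` followed by the original assert. `_limbo_testcase` continues below the hunk and its caller is not shown, so whether `pytest.skip` ends one case or the whole run depends on code outside this view.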
@@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 05, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e3af7710ed006e228382c8041782cba81ff4040a"}} + # Latest commit on the BoringSSL master branch, as of Mar 06, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2fb5cdb6c44506442fce110c2d3903a880888dfb"}} # Latest commit on the OpenSSL master branch, as of Mar 03, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5677992679b38950c6a0c3775fd57378e1879ba5"}} # Builds with various Rust versions. Includes MSRV and next From 7c72b458720b6619e340de40ab0a6d11f53e658c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 00:28:14 +0000 Subject: [PATCH 0229/1462] Bump x509-limbo and/or wycheproof in CI (#10543) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 55cae6733457..a16a6da481bb 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 05, 2024. - ref: "b13ff3276809afc754434808033bd1a48f0157f6" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 06, 2024. + ref: "ad25d168bd7bdaa13e42d91fb6a5845ae9ddf96e" # x509-limbo-ref 
From c48eabb6f46da8181b17ce29d4fc45f365c41f46 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 5 Mar 2024 19:41:36 -0500 Subject: [PATCH 0230/1462] Use uv with the local nox session (#10540) --- noxfile.py | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/noxfile.py b/noxfile.py index c66fe6bae578..71f878572c44 100644 --- a/noxfile.py +++ b/noxfile.py @@ -22,14 +22,18 @@ nox.options.reuse_existing_virtualenvs = True -def install(session: nox.Session, *args: str, silent: bool = False) -> None: - if not silent: +def install( + session: nox.Session, + *args: str, + verbose: bool = True, +) -> None: + if verbose: args += ("-v",) session.install( "-c", "ci-constraints-requirements.txt", *args, - silent=silent, + silent=False, ) @@ -247,7 +251,7 @@ def rust(session: nox.Session) -> None: process_rust_coverage(session, rust_tests, prof_location) -@nox.session +@nox.session(venv_backend="uv") def local(session): pyproject_data = load_pyproject_toml() test_dependencies = pyproject_data["project"]["optional-dependencies"][ @@ -261,11 +265,9 @@ def local(session): *test_dependencies, *pyproject_data["project"]["optional-dependencies"]["ssh"], *pyproject_data["project"]["optional-dependencies"]["nox"], - "flit", - silent=True, + "cryptography_vectors @ ./vectors/", + verbose=False, ) - with session.cd("vectors/"): - session.run("flit", "install", "-s", silent=True) session.run("ruff", "format", ".") session.run("ruff", "check", ".") @@ -292,7 +294,15 @@ def local(session): "noxfile.py", ) - install(session, ".") + install( + session, + # Needed until https://github.com/astral-sh/uv/issues/2152 is fixed + "--reinstall-package", + "cryptography", + "--refresh-package", + "cryptography", + "cryptography @ .", + ) if session.posargs: tests = session.posargs From b5a51ae323de9855b66a345a898305967ef30388 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 7 Mar 2024 00:12:53 +0000 Subject: [PATCH 0231/1462] Bump BoringSSL and/or OpenSSL in CI (#10545) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a6fe6771ec54..0e2aa229f188 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 06, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2fb5cdb6c44506442fce110c2d3903a880888dfb"}} - # Latest commit on the OpenSSL master branch, as of Mar 03, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5677992679b38950c6a0c3775fd57378e1879ba5"}} + # Latest commit on the BoringSSL master branch, as of Mar 07, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "860db9e98f23c6e2692afb143a04987cc232e1f5"}} + # Latest commit on the OpenSSL master branch, as of Mar 07, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8d8866aff39399dbee2d49c59aca466794c53ba7"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From d4364b5931ab275c1ef7b7f4be68de6fdced8e68 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Mar 2024 12:07:02 +0000 Subject: [PATCH 0232/1462] Bump cc from 1.0.89 to 1.0.90 in /src/rust (#10547) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.89 to 1.0.90. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.89...1.0.90) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 3eaa4b11a19a..600408d4e880 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.89" +version = "1.0.90" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a0ba8f7aaa012f30d5b2861462f6708eccd49c3c39863fe083a308035f63d723" +checksum = "8cd6604a82acf3039f1144f54b8eb34e91ffba622051189e71b781822d5ee1f5" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 138f7a38070f..00b214f6f7e3 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.20", features = ["abi3"] } openssl-sys = "0.9.101" [build-dependencies] -cc = "1.0.89" +cc = "1.0.90" From dcf6ac240de1d9c465868964c972a632ebbf0170 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Thu, 7 Mar 2024 13:57:37 -0500 Subject: [PATCH 0233/1462] Updates for ruff 0.3.1 (#10548) --- .../custom-vectors/arc4/generate_arc4.py | 5 ++--- .../rsa-oaep-sha2/generate_rsa_oaep_sha2.py | 5 ++--- .../hazmat/backends/openssl/backend.py | 8 +++---- .../hazmat/bindings/openssl/binding.py | 5 ++--- .../hazmat/primitives/ciphers/modes.py | 19 ++++++---------- .../hazmat/primitives/kdf/pbkdf2.py | 4 +--- src/cryptography/x509/extensions.py | 21 +++++++++--------- tests/hazmat/primitives/test_dsa.py | 5 ++--- tests/hazmat/primitives/test_ec.py | 5 ++--- tests/hazmat/primitives/test_pkcs12.py | 22 ++++++++----------- tests/wycheproof/test_rsa.py | 5 ++--- 11 files changed, 44 insertions(+), 60 deletions(-) diff --git a/docs/development/custom-vectors/arc4/generate_arc4.py b/docs/development/custom-vectors/arc4/generate_arc4.py index 208d18585ac6..3f81691e817a 100644 --- a/docs/development/custom-vectors/arc4/generate_arc4.py +++ b/docs/development/custom-vectors/arc4/generate_arc4.py @@ -80,9 +80,8 @@ def _build_vectors(): output.append(f"OFFSET = {offset}") output.append(f"PLAINTEXT = {binascii.hexlify(plaintext)}") output.append( - "CIPHERTEXT = {}".format( - binascii.hexlify(encryptor.update(plaintext)) - ) + f"CIPHERTEXT = " + f"{binascii.hexlify(encryptor.update(plaintext))}" ) current_offset += len(plaintext) assert not encryptor.finalize() diff --git a/docs/development/custom-vectors/rsa-oaep-sha2/generate_rsa_oaep_sha2.py b/docs/development/custom-vectors/rsa-oaep-sha2/generate_rsa_oaep_sha2.py index f9e79122686e..42975ff1a07a 100644 --- a/docs/development/custom-vectors/rsa-oaep-sha2/generate_rsa_oaep_sha2.py +++ b/docs/development/custom-vectors/rsa-oaep-sha2/generate_rsa_oaep_sha2.py 
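Review bot: In `_build_vectors` of generate_arc4.py the f-strings interpolate the return value of `binascii.hexlify`, which is `bytes` on Python 3, so the lines come out as `CIPHERTEXT = b'…'` rather than bare hex. The previous `.format()` call behaved the same way, so this is not a regression, but the rewrite is a good moment to add `.decode()`: `f"CIPHERTEXT = {binascii.hexlify(encryptor.update(plaintext)).decode()}"`, and likewise for the PLAINTEXT line. If the checked-in vector files were produced with bare hex, a regenerated file would differ from them. The function starts and ends outside the hunk.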
@@ -82,9 +82,8 @@ def build_vectors(mgf1alg, hashalg, filename): ), ) output.append( - "# OAEP Example {} alg={} mgf1={}".format( - count, hashalg.name, mgf1alg.name - ) + f"# OAEP Example {count} alg={hashalg.name} " + f"mgf1={mgf1alg.name}" ) count += 1 output.append("# Message:") diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index eaaaf783f1c5..99442cf8aa03 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -87,10 +87,10 @@ def __init__(self) -> None: self._fips_enabled = rust_openssl.is_fips_enabled() def __repr__(self) -> str: - return "".format( - self.openssl_version_text(), - self._fips_enabled, - rust_openssl._legacy_provider_loaded, + return ( + f"" ) def openssl_assert(self, ok: bool) -> None: diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index f5d8cb0b7d9f..d4dfeef485d1 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -95,9 +95,8 @@ def _verify_package_version(version: str) -> None: "shared object. This can happen if you have multiple copies of " "cryptography installed in your Python path. Please try creating " "a new virtual environment to resolve this issue. " - "Loaded python version: {}, shared object version: {}".format( - version, so_package_version - ) + f"Loaded python version: {version}, " + f"shared object version: {so_package_version}" ) _openssl_assert( diff --git a/src/cryptography/hazmat/primitives/ciphers/modes.py b/src/cryptography/hazmat/primitives/ciphers/modes.py index 712ccd3f7945..1dd2cc1e80c3 100644 --- a/src/cryptography/hazmat/primitives/ciphers/modes.py +++ b/src/cryptography/hazmat/primitives/ciphers/modes.py 
@@ -77,12 +77,9 @@ def _check_aes_key_length(self: Mode, algorithm: CipherAlgorithm) -> None: def _check_iv_length( self: ModeWithInitializationVector, algorithm: BlockCipherAlgorithm ) -> None: - if len(self.initialization_vector) * 8 != algorithm.block_size: - raise ValueError( - "Invalid IV size ({}) for {}.".format( - len(self.initialization_vector), self.name - ) - ) + iv_len = len(self.initialization_vector) + if iv_len * 8 != algorithm.block_size: + raise ValueError(f"Invalid IV size ({iv_len}) for {self.name}.") def _check_nonce_length( @@ -242,9 +239,8 @@ def __init__( raise ValueError("min_tag_length must be >= 4") if len(tag) < min_tag_length: raise ValueError( - "Authentication tag must be {} bytes or longer.".format( - min_tag_length - ) + f"Authentication tag must be {min_tag_length} bytes or " + "longer." ) self._tag = tag self._min_tag_length = min_tag_length @@ -267,7 +263,6 @@ def validate_for_algorithm(self, algorithm: CipherAlgorithm) -> None: block_size_bytes = algorithm.block_size // 8 if self._tag is not None and len(self._tag) > block_size_bytes: raise ValueError( - "Authentication tag cannot be more than {} bytes.".format( - block_size_bytes - ) + f"Authentication tag cannot be more than {block_size_bytes} " + "bytes." ) diff --git a/src/cryptography/hazmat/primitives/kdf/pbkdf2.py b/src/cryptography/hazmat/primitives/kdf/pbkdf2.py index 623e1ca7f9eb..82689ebca4ae 100644 --- a/src/cryptography/hazmat/primitives/kdf/pbkdf2.py +++ b/src/cryptography/hazmat/primitives/kdf/pbkdf2.py @@ -33,9 +33,7 @@ def __init__( if not ossl.pbkdf2_hmac_supported(algorithm): raise UnsupportedAlgorithm( - "{} is not supported for PBKDF2 by this backend.".format( - algorithm.name - ), + f"{algorithm.name} is not supported for PBKDF2.", _Reasons.UNSUPPORTED_HASH, ) self._used = False diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index 7dd38700e537..1842a9e2b0c6 100644 --- a/src/cryptography/x509/extensions.py 
+++ b/src/cryptography/x509/extensions.py @@ -401,8 +401,8 @@ def __init__( def __repr__(self) -> str: return ( - "".format(self) + f"" ) def __eq__(self, other: object) -> bool: @@ -456,8 +456,9 @@ def path_length(self) -> int | None: def __repr__(self) -> str: return ( - "" - ).format(self) + f"" + ) def __eq__(self, other: object) -> bool: if not isinstance(other, BasicConstraints): @@ -876,8 +877,8 @@ def __init__( def __repr__(self) -> str: return ( - "".format(self) + f"" ) def __eq__(self, other: object) -> bool: @@ -928,8 +929,8 @@ def __init__( def __repr__(self) -> str: return ( - "".format(self) + f"" ) def __eq__(self, other: object) -> bool: @@ -968,8 +969,8 @@ def __init__( def __repr__(self) -> str: return ( - "".format(self) + f"" ) def __eq__(self, other: object) -> bool: diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index 2928a1eb9d8c..35b7f56f69e0 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py @@ -46,9 +46,8 @@ def _skip_if_dsa_not_supported( ) -> None: if not backend.dsa_hash_supported(algorithm): pytest.skip( - "{} does not support the provided args. p: {}, hash: {}".format( - backend, p.bit_length(), algorithm.name - ) + f"{backend} does not support the provided args. " + f"p: {p.bit_length()}, hash: {algorithm.name}" ) diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 33b4c6d065f3..b0e29b3803e6 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -52,9 +52,8 @@ def _skip_ecdsa_vector(backend, curve: ec.EllipticCurve, hash_type): ec.ECDSA(hash_type()), curve ): pytest.skip( - "ECDSA not supported with this hash {} and curve {}.".format( - hash_type().name, curve.name - ) + f"ECDSA not supported with this hash {hash_type().name} and " + f"curve {curve.name}." ) 
diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 2f702aaf9626..9ee3cc3fc769 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -954,19 +954,15 @@ def test_key_and_certificates_repr(self, backend): cert2 = _load_cert( backend, os.path.join("x509", "cryptography.io.pem") ) - assert ( - repr( - PKCS12KeyAndCertificates( - key, - PKCS12Certificate(cert, None), - [PKCS12Certificate(cert2, b"name2")], - ) - ) - == ", additional_certs=[])>".format( + assert repr( + PKCS12KeyAndCertificates( key, - cert, - cert2, + PKCS12Certificate(cert, None), + [PKCS12Certificate(cert2, b"name2")], ) + ) == ( + f", " + f"additional_certs=[" + f"])>" ) diff --git a/tests/wycheproof/test_rsa.py b/tests/wycheproof/test_rsa.py index c85eb6e7a669..d3b26a2ab3ba 100644 --- a/tests/wycheproof/test_rsa.py +++ b/tests/wycheproof/test_rsa.py @@ -113,9 +113,8 @@ def test_rsa_pkcs1v15_signature_generation(backend, wycheproof): digest, hashes.SHA1 ): pytest.skip( - "Invalid params for FIPS. key: {} bits, digest: {}".format( - key.key_size, digest.name - ) + f"Invalid params for FIPS. key: {key.key_size} bits, " + f"digest: {digest.name}" ) sig = key.sign( From 0c0e9f9012ba6f70f7fc29746dd2a74e03349894 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Mar 2024 19:04:50 +0000 Subject: [PATCH 0234/1462] Bump ruff from 0.3.0 to 0.3.1 (#10546) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.3.0 to 0.3.1. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.3.0...v0.3.1) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f0336b49ccd5..e8339a581eb5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.3.0 +ruff==0.3.1 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From bec370e8a1a5c4840105432aacb3020ed54b040f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 8 Mar 2024 00:14:35 +0000 Subject: [PATCH 0235/1462] Bump BoringSSL and/or OpenSSL in CI (#10549) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0e2aa229f188..267d507f5164 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 07, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "860db9e98f23c6e2692afb143a04987cc232e1f5"}} - # Latest commit on the OpenSSL master branch, as of Mar 07, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8d8866aff39399dbee2d49c59aca466794c53ba7"}} + # Latest commit on the BoringSSL master branch, as of Mar 08, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5a3faaa2d50b2540c6973531841723f633f388cd"}} + # Latest commit on the OpenSSL master branch, as of Mar 08, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6d42be3af76aa16586b3f32a176837ee4a4bb65b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 6d7326c1c931afff18440d3a6659efb2d87d173e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 7 Mar 2024 16:29:20 -0800 Subject: [PATCH 0236/1462] Bump x509-limbo and/or wycheproof in CI (#10550) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index a16a6da481bb..863b978f0909 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 06, 2024. - ref: "ad25d168bd7bdaa13e42d91fb6a5845ae9ddf96e" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 08, 2024. + ref: "1b1c161b8b4cb03b90c236450bfb2f6567dd7a03" # x509-limbo-ref From 5fe526d00f9f540451b41bedd916b798dedb4d3c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Mar 2024 07:04:02 -0500 Subject: [PATCH 0237/1462] Bump argcomplete from 3.2.2 to 3.2.3 (#10552) Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.2.2 to 3.2.3. - [Release notes](https://github.com/kislyuk/argcomplete/releases) - [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/argcomplete/compare/v3.2.2...v3.2.3) --- updated-dependencies: - dependency-name: argcomplete dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e8339a581eb5..1cd9aa61cd31 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -7,7 +7,7 @@ alabaster==0.7.16 # via sphinx -argcomplete==3.2.2; python_version >= "3.8" +argcomplete==3.2.3; python_version >= "3.8" # via nox babel==2.14.0 # via sphinx From e0d022c3a33b3dcf312d0b21a888667287c66eae Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Mar 2024 07:19:00 -0800 Subject: [PATCH 0238/1462] Bump importlib-metadata from 7.0.1 to 7.0.2 in /.github/requirements (#10551) * Bump importlib-metadata from 7.0.1 to 7.0.2 in /.github/requirements Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 7.0.1 to 7.0.2. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v7.0.1...v7.0.2) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index a4cc7ce4314f..635c06617e4f 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -240,9 +240,9 @@ idna==3.6 \ # via # email-validator # requests -importlib-metadata==7.0.1 \ - --hash=sha256:4805911c3a4ec7c3966410053e9ec6a1fecd629117df5adee56dfc9432a1081e \ - --hash=sha256:f238736bb06590ae52ac1fab06a3a9ef1d8dce2b7a35b5ab329371d6c8f5d2cc +importlib-metadata==7.0.2 \ + --hash=sha256:198f568f3230878cb1b44fbd7975f87906c22336dba2e4a7f05278c281fbd792 \ + --hash=sha256:f4bc4c0c070c490abf4ce96d715f68e95923320370efb66143df00199bb6c100 # via # keyring # twine From 549738cc679d747ecf784e533d98a40427d9022b Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 9 Mar 2024 00:13:39 +0000 Subject: [PATCH 0239/1462] Bump BoringSSL and/or OpenSSL in CI (#10554) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 267d507f5164..36b0a6162ab8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 08, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5a3faaa2d50b2540c6973531841723f633f388cd"}} - # Latest commit on the OpenSSL master branch, as of Mar 08, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6d42be3af76aa16586b3f32a176837ee4a4bb65b"}} + # Latest commit on the BoringSSL master branch, as of Mar 09, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "cf4f615d706d54fca9323fb1595d88f7ee2d7517"}} + # Latest commit on the OpenSSL master branch, as of Mar 09, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a24f29bbb4e7c2c73b0b3b2193b81c9b444b0864"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 8d7c60d7b2a95f0e039ff45b469b960a0d439af2 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 8 Mar 2024 19:54:24 -0500 Subject: [PATCH 0240/1462] Bump x509-limbo and/or wycheproof in CI (#10555) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 863b978f0909..3338913bee86 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 08, 2024. - ref: "1b1c161b8b4cb03b90c236450bfb2f6567dd7a03" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 09, 2024. + ref: "d12e21223160fb03db412c3060e897ffd3e836d5" # x509-limbo-ref From 7c0b5b562dd85e93a7780010424e5c501d8dbefa Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 9 Mar 2024 01:10:28 -0500 Subject: [PATCH 0241/1462] Remove weird self-import (#10556) --- src/rust/src/x509/ocsp.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index b86753110606..3565588bc0f1 100644 --- a/src/rust/src/x509/ocsp.rs +++ b/src/rust/src/x509/ocsp.rs @@ -10,7 +10,6 @@ use once_cell::sync::Lazy; use crate::backend::hashes::Hash; use crate::error::CryptographyResult; -use crate::x509; use crate::x509::certificate::Certificate; pub(crate) static ALGORITHM_PARAMETERS_TO_HASH: Lazy< @@ -93,7 +92,7 @@ pub(crate) fn certid_new<'p>( )?; Ok(CertID { - hash_algorithm: x509::ocsp::HASH_NAME_TO_ALGORITHM_IDENTIFIERS[hash_algorithm + hash_algorithm: HASH_NAME_TO_ALGORITHM_IDENTIFIERS[hash_algorithm .getattr(pyo3::intern!(py, "name"))? .extract::<&str>()?] .clone(), 
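Review bot: In `certid_new` in src/rust/src/x509/ocsp.rs (and the identical expression in `certid_new_from_hash` in the next hunk), `HASH_NAME_TO_ALGORITHM_IDENTIFIERS[...]` is indexed with a name read from the caller-supplied `hash_algorithm` object. If that table is a map, `[]` panics on a missing key instead of returning an error. Whether every caller validates the algorithm beforehand is not visible here, since both function bodies start and end outside the hunks. A fallible lookup would keep an unexpected hash name on the normal error path: `HASH_NAME_TO_ALGORITHM_IDENTIFIERS.get(name)` followed by `.ok_or_else(...)` with the crate's unsupported-hash error, then `.clone()`.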
@@ -111,7 +110,7 @@ pub(crate) fn certid_new_from_hash<'p>( hash_algorithm: &'p pyo3::PyAny, ) -> CryptographyResult> { Ok(CertID { - hash_algorithm: x509::ocsp::HASH_NAME_TO_ALGORITHM_IDENTIFIERS[hash_algorithm + hash_algorithm: HASH_NAME_TO_ALGORITHM_IDENTIFIERS[hash_algorithm .getattr(pyo3::intern!(py, "name"))? .extract::<&str>()?] .clone(), From 9c3cec67406ac74ab05638b5170e1fc086683091 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 9 Mar 2024 18:23:48 -0500 Subject: [PATCH 0242/1462] Set mac_iter to OpenSSL's default (#10561) On OpenSSL 3, it uses 2048 iterations for mac_iter by default. We've been doing this with NoEncryption for two years, so I guess it's fine now and the comment is out of date. --- src/cryptography/hazmat/backends/openssl/backend.py | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 99442cf8aa03..42ec1a2c9519 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -410,6 +410,7 @@ def serialize_key_and_certificates_to_pkcs12( nid_cert = -1 nid_key = -1 pkcs12_iter = 0 + # mac_iter of 0 uses OpenSSL's default value mac_iter = 0 mac_alg = self._ffi.NULL elif isinstance( @@ -426,10 +427,7 @@ def serialize_key_and_certificates_to_pkcs12( nid_key = self._lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC # At least we can set this higher than OpenSSL's default pkcs12_iter = 20000 - # mac_iter chosen for compatibility reasons, see: - # https://www.openssl.org/docs/man1.1.1/man3/PKCS12_create.html - # Did we mention how lousy PKCS12 encryption is? - mac_iter = 1 + mac_iter = 0 # MAC algorithm can only be set on OpenSSL 3.0.0+ mac_alg = self._ffi.NULL password = encryption_algorithm.password 
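Review bot: In `serialize_key_and_certificates_to_pkcs12` (backend.py), `mac_iter = 0` in the best-available branch, and the same assignment in the builder branch of the next hunk, leaves the PKCS#12 MAC iteration count to whatever the linked library does with 0, while `pkcs12_iter` just above is pinned to 20000. The commit message states the default only for OpenSSL 3, and what 0 resolves to on the other libraries in the CI matrix is not shown here. Pinning it, e.g. `mac_iter = 2048  # explicit; do not rely on the library default`, or adding a test that reads the count back from the serialized file, would stop the MAC key-derivation cost from dropping silently. If 0 is kept, the `# mac_iter of 0 uses OpenSSL's default value` comment added for the NoEncryption branch should be repeated on these two assignments, which lost their explanation. The method itself starts and ends outside the hunks.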
@@ -446,8 +444,7 @@ def serialize_key_and_certificates_to_pkcs12( nid_key = 0 # Use the default iters we use in best available pkcs12_iter = 20000 - # See the Best Available comment for why this is 1 - mac_iter = 1 + mac_iter = 0 password = encryption_algorithm.password keycertalg = encryption_algorithm._key_cert_algorithm if keycertalg is PBES.PBESv1SHA1And3KeyTripleDESCBC: From dd1d6059b385e0b7d47ee71ce89eebb7f6de1099 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 9 Mar 2024 18:24:00 -0500 Subject: [PATCH 0243/1462] Additional type asserts for latest mypy (#10560) --- tests/hazmat/primitives/test_pkcs7.py | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 9a9eab3da503..36abfae9c052 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -316,11 +316,15 @@ def test_smime_sign_detached(self, backend): # Parse the message to get the signed data, which is the # first payload in the message message = email.parser.BytesParser().parsebytes(sig) - signed_data = message.get_payload()[0].get_payload().encode() + payload = message.get_payload() + assert isinstance(payload, list) + assert isinstance(payload[0], email.message.Message) + signed_data = payload[0].get_payload() + assert isinstance(signed_data, str) _pkcs7_verify( serialization.Encoding.SMIME, sig, - signed_data, + signed_data.encode(), [cert], options, backend, @@ -546,7 +550,10 @@ def test_sign_text(self, backend): # Parse the message to get the signed data, which is the # first payload in the message message = email.parser.BytesParser().parsebytes(sig_pem) - signed_data = message.get_payload()[0].as_bytes( + payload = message.get_payload() + assert isinstance(payload, list) + assert isinstance(payload[0], email.message.Message) + signed_data = payload[0].as_bytes( policy=message.policy.clone(linesep="\r\n") ) _pkcs7_verify( 
From 94535feda6fdcd2666f62766011f3c17dd1e234f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 9 Mar 2024 23:32:33 +0000 Subject: [PATCH 0244/1462] Bump pytest from 8.0.2 to 8.1.1 (#10559) Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.0.2 to 8.1.1. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/8.0.2...8.1.1) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 1cd9aa61cd31..de3e2511e62e 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -86,7 +86,7 @@ pygments==2.17.2 # sphinx pyproject-hooks==1.0.0 # via build -pytest==8.0.2; python_version >= "3.8" +pytest==8.1.1; python_version >= "3.8" # via # cryptography (pyproject.toml) # pytest-benchmark From 1fe050e0e7a986f89c3dc7bc30eabf888cf1f641 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 9 Mar 2024 23:34:22 +0000 Subject: [PATCH 0245/1462] Bump ruff from 0.3.1 to 0.3.2 (#10558) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.3.1 to 0.3.2. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.3.1...v0.3.2) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index de3e2511e62e..12c13d048553 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.3.1 +ruff==0.3.2 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From f05298e08b1d9c5095a4639377a829ef417015a6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 9 Mar 2024 23:36:22 +0000 Subject: [PATCH 0246/1462] Bump mypy from 1.8.0 to 1.9.0 (#10557) Bumps [mypy](https://github.com/python/mypy) from 1.8.0 to 1.9.0. - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.8.0...1.9.0) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 12c13d048553..887d0b006555 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -52,7 +52,7 @@ jinja2==3.1.3 # via sphinx markupsafe==2.1.5 # via jinja2 -mypy==1.8.0 +mypy==1.9.0 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy From 8da2444fc85138e5b02f720e9eb3e3273b31156c Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 10 Mar 2024 00:17:14 +0000 Subject: [PATCH 0247/1462] Bump BoringSSL and/or OpenSSL in CI (#10562) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 36b0a6162ab8..ec0855c8a7b2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 09, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "cf4f615d706d54fca9323fb1595d88f7ee2d7517"}} - # Latest commit on the OpenSSL master branch, as of Mar 09, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a24f29bbb4e7c2c73b0b3b2193b81c9b444b0864"}} + # Latest commit on the BoringSSL master branch, as of Mar 10, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "29bb1a7ebe55102c90611c021a142fdb6e97f8d5"}} + # Latest commit on the OpenSSL master branch, as of Mar 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "bf7ae259a405a642dee93b18ffe5b875a056045a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From c8991dafe72679071a28114fa9b5a5c49b758844 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Sat, 9 Mar 2024 21:04:42 -0500 Subject: [PATCH 0248/1462] Small refactors to HMAC to make it usable from Rust code (#10563) --- src/rust/src/backend/hmac.rs | 44 +++++++++++++++++++++++------------- 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs index d035a6156c3d..f8572f9103c9 100644 --- a/src/rust/src/backend/hmac.rs +++ b/src/rust/src/backend/hmac.rs @@ -11,13 +11,37 @@ use crate::exceptions; module = "cryptography.hazmat.bindings._rust.openssl.hmac", name = "HMAC" )] -struct Hmac { +pub(crate) struct Hmac { #[pyo3(get)] algorithm: pyo3::Py, ctx: Option, } impl Hmac { + pub(crate) fn new_bytes( + py: pyo3::Python<'_>, + key: &[u8], + algorithm: &pyo3::PyAny, + ) -> CryptographyResult { + let md = message_digest_from_algorithm(py, algorithm)?; + let ctx = cryptography_openssl::hmac::Hmac::new(key, md).map_err(|_| { + exceptions::UnsupportedAlgorithm::new_err(( + "Digest is not supported for HMAC", + exceptions::Reasons::UNSUPPORTED_HASH, + )) + })?; + + Ok(Hmac { + ctx: Some(ctx), + algorithm: algorithm.into(), + }) + } + + pub(crate) fn update_bytes(&mut self, data: &[u8]) -> CryptographyResult<()> { + self.get_mut_ctx()?.update(data)?; + Ok(()) + } + fn get_ctx(&self) -> CryptographyResult<&cryptography_openssl::hmac::Hmac> { if let Some(ctx) = self.ctx.as_ref() { return Ok(ctx); 
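Review bot: In src/rust/src/backend/hmac.rs, `new_bytes` and `update_bytes` are new `pub(crate)` entry points without doc comments, and `new_bytes` turns every failure of `cryptography_openssl::hmac::Hmac::new` into "Digest is not supported for HMAC" through `map_err(|_| ...)`. A Rust caller therefore cannot tell an unsupported digest from any other failure of that call. I would add `/// Creates an HMAC context from raw key bytes; fails with UnsupportedAlgorithm when the digest cannot be used for HMAC.` above `new_bytes`. `update_bytes` needs a matching line stating what it returns once the context has been finalized, which is presumably the error path of `get_mut_ctx`, not visible in this hunk.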
@@ -45,26 +69,14 @@ impl Hmac { ) -> CryptographyResult { let _ = backend; - let md = message_digest_from_algorithm(py, algorithm)?; - let ctx = cryptography_openssl::hmac::Hmac::new(key.as_bytes(), md).map_err(|_| { - exceptions::UnsupportedAlgorithm::new_err(( - "Digest is not supported for HMAC", - exceptions::Reasons::UNSUPPORTED_HASH, - )) - })?; - - Ok(Hmac { - ctx: Some(ctx), - algorithm: algorithm.into(), - }) + Hmac::new_bytes(py, key.as_bytes(), algorithm) } fn update(&mut self, data: CffiBuf<'_>) -> CryptographyResult<()> { - self.get_mut_ctx()?.update(data.as_bytes())?; - Ok(()) + self.update_bytes(data.as_bytes()) } - fn finalize<'p>( + pub(crate) fn finalize<'p>( &mut self, py: pyo3::Python<'p>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { From d27f912473485c3f04697ee478214ca2ee4a61c7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 10 Mar 2024 20:44:17 +0000 Subject: [PATCH 0249/1462] Bump packaging from 23.2 to 24.0 (#10566) Bumps [packaging](https://github.com/pypa/packaging) from 23.2 to 24.0. - [Release notes](https://github.com/pypa/packaging/releases) - [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/packaging/compare/23.2...24.0) --- updated-dependencies: - dependency-name: packaging dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 887d0b006555..bde74a2c536a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -60,7 +60,7 @@ nh3==0.2.15 # via readme-renderer nox==2024.3.2 # via cryptography (pyproject.toml) -packaging==23.2 +packaging==24.0 # via # build # nox 
From bcf76c6926313ac645021c9bb9614951e3e36130 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 11 Mar 2024 00:15:15 +0000 Subject: [PATCH 0250/1462] Bump BoringSSL and/or OpenSSL in CI (#10568) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ec0855c8a7b2..8b633649397a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Mar 10, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "29bb1a7ebe55102c90611c021a142fdb6e97f8d5"}} - # Latest commit on the OpenSSL master branch, as of Mar 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "bf7ae259a405a642dee93b18ffe5b875a056045a"}} + # Latest commit on the OpenSSL master branch, as of Mar 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "53a8728686663f4fe044cd1a5757f6fcfd777317"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From d66d571b7655492c7e449a96a4fff2e019070d3e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Mar 2024 07:33:14 -0500 Subject: [PATCH 0251/1462] Bump pyopenssl from 24.0.0 to 24.1.0 in /.github/requirements (#10567) * Bump pyopenssl from 24.0.0 to 24.1.0 in /.github/requirements Bumps [pyopenssl](https://github.com/pyca/pyopenssl) from 24.0.0 to 24.1.0. - [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/pyopenssl/compare/24.0.0...24.1.0) --- updated-dependencies: - dependency-name: pyopenssl dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 635c06617e4f..7f2d889e758c 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -514,9 +514,9 @@ pyjwt==2.8.0 \ --hash=sha256:57e28d156e3d5c10088e0c68abb90bfac3df82b40a71bd0daa20c65ccd5c23de \ --hash=sha256:59127c392cc44c2da5bb3192169a91f429924e17aff6534d70fdc02ab3e04320 # via sigstore -pyopenssl==24.0.0 \ - --hash=sha256:6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a334530bf \ - --hash=sha256:ba07553fb6fd6a7a2259adb9b84e12302a9a8a75c44046e8bb5d3e5ee887e3c3 +pyopenssl==24.1.0 \ + --hash=sha256:17ed5be5936449c5418d1cd269a1a9e9081bc54c17aed272b45856a3d3dc86ad \ + --hash=sha256:cabed4bfaa5df9f1a16c0ef64a0cb65318b5cd077a7eda7d6970131ca2f41a6f # via sigstore python-dateutil==2.9.0.post0 \ --hash=sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3 \ From fe82ffa1971ac0299eeba46178a863f4c61926d6 Mon Sep 17 00:00:00 2001 
From: William Woodruff Date: Mon, 11 Mar 2024 23:40:05 -0400 Subject: [PATCH 0252/1462] verification: forbid unsupported NCs (#10570) * verification: forbid unsupported NCs ...rather than silently ignoring them. Signed-off-by: William Woodruff * fetch-vectors: bump Signed-off-by: William Woodruff * fetch-vectors: bump limbo Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .github/actions/fetch-vectors/action.yml | 4 ++-- src/rust/cryptography-x509-verification/src/lib.rs | 12 ++++++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 3338913bee86..ed335bad876f 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 09, 2024. - ref: "d12e21223160fb03db412c3060e897ffd3e836d5" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 11, 2024. + ref: "b64509b2ce6d788667220b2509be559ee1a72dfe" # x509-limbo-ref diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 1c18f498cd88..01bc76affc59 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs 
@@ -137,6 +137,18 @@ impl<'a, 'chain> NameChain<'a, 'chain> { ))), } } + // All other matching pairs of (constraint, name) are currently unsupported. + (GeneralName::OtherName(_), GeneralName::OtherName(_)) + | (GeneralName::X400Address(_), GeneralName::X400Address(_)) + | (GeneralName::DirectoryName(_), GeneralName::DirectoryName(_)) + | (GeneralName::EDIPartyName(_), GeneralName::EDIPartyName(_)) + | ( + GeneralName::UniformResourceIdentifier(_), + GeneralName::UniformResourceIdentifier(_), + ) + | (GeneralName::RegisteredID(_), GeneralName::RegisteredID(_)) => Err( + ValidationError::Other("unsupported name constraint".to_string()), + ), _ => Ok(Skipped), } } From 4674f29d5866c78813b1e03cfd1e4a46922cf74f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Mar 2024 07:28:02 -0400 Subject: [PATCH 0253/1462] Bump proc-macro2 from 1.0.78 to 1.0.79 in /src/rust (#10572) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.78 to 1.0.79. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.78...1.0.79) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 600408d4e880..6f9b5dbf258c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
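Review bot: The new arm in cryptography-x509-verification/src/lib.rs rejects an unsupported constraint only when the name being checked has the same `GeneralName` variant; every other combination still reaches `_ => Ok(Skipped)`. That matters for `DirectoryName`, because RFC 5280 applies directoryName constraints to the certificate subject as well. If the names fed into this match come only from subjectAltName (not visible in the hunk), a certificate without a directoryName SAN would still pass under a CA's directoryName constraint without any check. I would confirm this with a test and record it next to the arm, e.g. `// TODO(review): RFC 5280 also applies directoryName constraints to the subject; confirm the subject is covered.` The enclosing function starts outside the hunk.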
@@ -269,9 +269,9 @@ checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" [[package]] name = "proc-macro2" -version = "1.0.78" +version = "1.0.79" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2422ad645d89c99f8f3e6b88a9fdeca7fabeac836b1002371c4367c8f984aae" +checksum = "e835ff2298f5721608eb1a980ecaee1aef2c132bf95ecc026a11b7bf3c01c02e" dependencies = [ "unicode-ident", ] From 3f84c7df9e48810c50794402e4b971626ea69bdb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Mar 2024 07:29:18 -0400 Subject: [PATCH 0254/1462] Bump wheel from 0.42.0 to 0.43.0 in /.github/requirements (#10573) Bumps [wheel](https://github.com/pypa/wheel) from 0.42.0 to 0.43.0. - [Release notes](https://github.com/pypa/wheel/releases) - [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst) - [Commits](https://github.com/pypa/wheel/compare/0.42.0...0.43.0) --- updated-dependencies: - dependency-name: wheel dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 3dd62d074f81..102059b986dd 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt 
@@ -74,9 +74,9 @@ tomli==2.0.1 \ --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \ --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f # via setuptools-rust -wheel==0.42.0 \ - --hash=sha256:177f9c9b0d45c47873b619f5b650346d632cdc35fb5e4d25058e09c9e581433d \ - --hash=sha256:c45be39f7882c9d34243236f2d63cbd58039e360f85d0913425fbd7ceea617a8 +wheel==0.43.0 \ + --hash=sha256:465ef92c69fa5c5da2d1cf8ac40559a8c940886afcef87dcf14b9470862f1d85 \ + --hash=sha256:55c570405f142630c6b9f72fe09d9b67cf1477fcf543ae5b8dcb1f5b7377da81 # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: From de40739bc7f80a6c7e682eeb0842d0431b8c2ada Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 12 Mar 2024 12:42:11 +0000 Subject: [PATCH 0255/1462] Bump BoringSSL and/or OpenSSL in CI (#10574) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8b633649397a..a7f5a3072168 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 10, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "29bb1a7ebe55102c90611c021a142fdb6e97f8d5"}} - # Latest commit on the OpenSSL master branch, as of Mar 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "53a8728686663f4fe044cd1a5757f6fcfd777317"}} + # Latest commit on the BoringSSL master branch, as of Mar 12, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "dbad745811195c00b729efd0ee0a09b7d9fce1d2"}} + # Latest commit on the OpenSSL master branch, as of Mar 12, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "52a75f4088f2b2c59721152d9ec6ecf4d17c7e43"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 1db62a1f91a44963521316dd9b18e380a5e12cee Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 12 Mar 2024 16:23:39 -0400 Subject: [PATCH 0256/1462] verification: abbreviate two errors slightly (#10575) Signed-off-by: William Woodruff --- src/rust/cryptography-x509-verification/src/policy/mod.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 8f704a39c0e2..47bc387d54af 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs 
@@ -484,7 +484,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> {
 {
 return Err(ValidationError::Other(format!(
 "Forbidden public key algorithm: {:?}",
- &child.tbs_cert.spki.algorithm
+ &child.tbs_cert.spki.algorithm.oid()
 )));
 }
@@ -500,7 +500,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> {
 {
 return Err(ValidationError::Other(format!(
 "Forbidden signature algorithm: {:?}",
- &child.signature_alg
+ &child.signature_alg.oid()
 )));
 }
From ef9e652c18d689f97d4b260a289ea687c92fc949 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 12 Mar 2024 17:08:45 -0400 Subject: [PATCH 0257/1462] Revert "verification: abbreviate two errors slightly (#10575)" (#10576) This reverts commit 1db62a1f91a44963521316dd9b18e380a5e12cee. --- src/rust/cryptography-x509-verification/src/policy/mod.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs
index 47bc387d54af..8f704a39c0e2 100644
--- a/src/rust/cryptography-x509-verification/src/policy/mod.rs
+++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs
@@ -484,7 +484,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> {
 {
 return Err(ValidationError::Other(format!(
 "Forbidden public key algorithm: {:?}",
- &child.tbs_cert.spki.algorithm.oid()
+ &child.tbs_cert.spki.algorithm
 )));
 }
@@ -500,7 +500,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> {
 {
 return Err(ValidationError::Other(format!(
 "Forbidden signature algorithm: {:?}",
- &child.signature_alg.oid()
+ &child.signature_alg
 )));
 }
From 0b2194af0afc8e90f60f74c13d2ebea207abd1b8 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 13 Mar 2024 00:20:01 +0000 Subject: [PATCH 0258/1462] Bump BoringSSL and/or OpenSSL in CI (#10577) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
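Review bot: The `.oid()` form introduced at -484 and -500 (PATCH 0256) reports only the algorithm OID, so a certificate rejected for its parameters would produce a message naming an algorithm that may itself look permitted; the revert in PATCH 0257 restores the full value but leaves nothing on the line to say why. This assumes the guard above each hunk, which is outside the visible lines, compares the whole AlgorithmIdentifier including its parameters. I would keep the full Debug output and add `// Full AlgorithmIdentifier on purpose: the OID alone hides a parameter mismatch.` above each format argument. Both enclosing blocks start and end outside the hunks.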
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a7f5a3072168..c5a8f109c29b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 12, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "dbad745811195c00b729efd0ee0a09b7d9fce1d2"}} - # Latest commit on the OpenSSL master branch, as of Mar 12, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "52a75f4088f2b2c59721152d9ec6ecf4d17c7e43"}} + # Latest commit on the BoringSSL master branch, as of Mar 13, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "356d37861f5772e2d87ef443f61f33c020e52b04"}} + # Latest commit on the OpenSSL master branch, as of Mar 13, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7649b5548e5c0352b91d9d3ed695e42a2ac1e99c"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From da744c3587494cd009cc593e0467e0551cb8802c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 13 Mar 2024 00:28:56 +0000 Subject: [PATCH 0259/1462] Bump x509-limbo and/or wycheproof in CI (#10578) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index ed335bad876f..e69a221ad41b 100644 
--- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -10,11 +10,11 @@ runs: repository: "google/wycheproof" path: "wycheproof" # Latest commit on the wycheproof master branch, as of Oct 28, 2023. - ref: "d9f6ec7d8bd8c96da05368999094e4a75ba5cb3d" # wycheproof-ref + ref: "3ea6fe11370fd0dd6ba5a68129ce82045b0e81ec" # wycheproof-ref - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 11, 2024. - ref: "b64509b2ce6d788667220b2509be559ee1a72dfe" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 13, 2024. + ref: "b112d32703c254124b4611c6d6dda0c61ee00ffe" # x509-limbo-ref From 5f410fd366be3376be3f1f897c7e5ad159a0f7bb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 12 Mar 2024 23:00:59 -0400 Subject: [PATCH 0260/1462] fix updating commit date for wycheproof (#10579) * fix updating commit date for wycheproof * Update .github/workflows/x509-limbo-version-bump.yml Co-authored-by: Paul Kehrer --------- Co-authored-by: Paul Kehrer --- .github/workflows/x509-limbo-version-bump.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index c8b14038a15f..effab7a2b08d 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml 
@@ -46,7 +46,7 @@ jobs:
 run: |
 set -xe
 CURRENT_DATE=$(date "+%b %d, %Y")
- sed -E -i "s/Latest commit on the wycheproof main branch.*/Latest commit on the wycheproof main branch, as of ${CURRENT_DATE}./" .github/actions/fetch-vectors/action.yml
+ sed -E -i "s/Latest commit on the wycheproof master branch.*/Latest commit on the wycheproof master branch, as of ${CURRENT_DATE}./" .github/actions/fetch-vectors/action.yml
 sed -E -i "s/ref: \"[0-9a-f]{40}\" # wycheproof-ref/ref: \"${{ steps.check-sha-wycheproof.outputs.COMMIT_SHA }}\" # wycheproof-ref/" .github/actions/fetch-vectors/action.yml
 git status
 if: steps.check-sha-wycheproof.outputs.COMMIT_SHA
From f3a0366f27c48760ced381af1b9b653cf31d7ff2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Mar 2024 07:03:32 -0400 Subject: [PATCH 0261/1462] Bump peter-evans/create-pull-request from 6.0.1 to 6.0.2 (#10581) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 6.0.1 to 6.0.2. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/a4f52f8033a6168103c2538976c07b467e8163bc...70a41aba780001da0a30141984ae2a0c95d8704e) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml
index d20aea2bee15..42535a26b6d2 100644
--- a/.github/workflows/boring-open-version-bump.yml
+++ b/.github/workflows/boring-open-version-bump.yml
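Review bot: The corrected `sed` at -46 still succeeds silently when its pattern matches nothing, which is how the wycheproof comment in action.yml stayed at "Oct 28, 2023" while the ref beside it moved; a stale "as of" date next to a pinned commit misleads anyone auditing how fresh the pin is. I would follow the substitution with `grep -q "wycheproof master branch, as of ${CURRENT_DATE}" .github/actions/fetch-vectors/action.yml` so that `set -xe` fails the job if the comment wording drifts again. The step this `run:` block belongs to starts above the hunk.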
@@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@a4f52f8033a6168103c2538976c07b467e8163bc # v6.0.1 + uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6.0.2 with: commit-message: "Bump BoringSSL and/or OpenSSL in CI" title: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index effab7a2b08d..951a663e56ea 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@a4f52f8033a6168103c2538976c07b467e8163bc # v6.0.1 + uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6.0.2 with: commit-message: "Bump x509-limbo and/or wycheproof in CI" title: "Bump x509-limbo and/or wycheproof in CI" From 4287f0284fc8ddff6d24cb5f21efcf9b80333442 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Mar 2024 07:42:14 -0400 Subject: [PATCH 0262/1462] Bump setuptools from 69.1.1 to 69.2.0 in /.github/requirements (#10584) Bumps [setuptools](https://github.com/pypa/setuptools) from 69.1.1 to 69.2.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v69.1.1...v69.2.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 102059b986dd..cbec6164e9df 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -80,9 +80,9 @@ wheel==0.43.0 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==69.1.1 \ - --hash=sha256:02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56 \ - --hash=sha256:5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8 +setuptools==69.2.0 \ + --hash=sha256:0ff4183f8f42cd8fa3acea16c45205521a4ef28f73c6391d8a25e92893134f2e \ + --hash=sha256:c21c49fb1042386df081cb5d86759792ab89efca84cf114889191cd09aacc80c # via # -r build-requirements.in # setuptools-rust From e42ba6895a1761a29ee2a66f0576b695104f3fa9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Mar 2024 16:49:51 -0500 Subject: [PATCH 0263/1462] Bump zipp from 3.17.0 to 3.18.0 in /.github/requirements (#10583) * Bump zipp from 3.17.0 to 3.18.0 in /.github/requirements Bumps [zipp](https://github.com/jaraco/zipp) from 3.17.0 to 3.18.0. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.17.0...v3.18.0) --- updated-dependencies: - dependency-name: zipp dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 7f2d889e758c..e00c2c242d76 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -596,7 +596,7 @@ urllib3==2.2.1 \ # via # requests # twine -zipp==3.17.0 \ - --hash=sha256:0e923e726174922dce09c53c59ad483ff7bbb8e572e00c7f7c46b88556409f31 \ - --hash=sha256:84e64a1c28cf7e91ed2078bb8cc8c259cb19b76942096c8d7b84947690cabaf0 +zipp==3.18.0 \ + --hash=sha256:c1bb803ed69d2cce2373152797064f7e79bc43f0a3748eb494096a867e0ebf79 \ + --hash=sha256:df8d042b02765029a09b157efd8e820451045890acc30f8e37dd2f94a060221f # via importlib-metadata From 5e96f922aa8c480da19c5213f4a1440708192233 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 14 Mar 2024 00:20:51 +0000 Subject: [PATCH 0264/1462] Bump BoringSSL and/or OpenSSL in CI (#10585) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c5a8f109c29b..c84bb9a320e8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 13, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "356d37861f5772e2d87ef443f61f33c020e52b04"}} - # Latest commit on the OpenSSL master branch, as of Mar 13, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7649b5548e5c0352b91d9d3ed695e42a2ac1e99c"}} + # Latest commit on the BoringSSL master branch, as of Mar 14, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fae0964b3d44e94ca2a2d21f86e61dabe683d130"}} + # Latest commit on the OpenSSL master branch, as of Mar 14, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3cb0755323281267211fbe951b94a2552e99d32a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 608ed22e27fbc4c0d9d6145faa064993bb862a5a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 14 Mar 2024 00:42:46 +0000 Subject: [PATCH 0265/1462] Bump x509-limbo and/or wycheproof in CI (#10586) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index e69a221ad41b..19a1633b19c4 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -9,12 +9,12 @@ runs: with: repository: "google/wycheproof" path: "wycheproof" - # Latest commit on the wycheproof master branch, as of Oct 28, 2023. - ref: "3ea6fe11370fd0dd6ba5a68129ce82045b0e81ec" # wycheproof-ref + # Latest commit on the wycheproof master branch, as of Mar 14, 2024. + ref: "dbe819bb94a5dc6081f440eeb4a6809c7ff66511" # wycheproof-ref - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 13, 2024. - ref: "b112d32703c254124b4611c6d6dda0c61ee00ffe" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 14, 2024. + ref: "a04fb05cf132e1405f71c12616cf0aead829909a" # x509-limbo-ref From 24a0c022acf88fef28bc27f472fecaee984a4eca Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 15 Mar 2024 00:14:46 +0000 Subject: [PATCH 0266/1462] Bump BoringSSL and/or OpenSSL in CI (#10587) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c84bb9a320e8..cc8422d9140c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Mar 14, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fae0964b3d44e94ca2a2d21f86e61dabe683d130"}} - # Latest commit on the OpenSSL master branch, as of Mar 14, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3cb0755323281267211fbe951b94a2552e99d32a"}} + # Latest commit on the OpenSSL master branch, as of Mar 15, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f08be096517f9bdae8a9d1d837748237db4d13a9"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From c5830e5d7986de0b9f2b361cdc2db4d873351854 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Mar 2024 07:05:03 -0400 Subject: [PATCH 0267/1462] Bump coverage from 7.4.3 to 7.4.4 (#10589) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.4.3 to 7.4.4. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.4.3...7.4.4) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index bde74a2c536a..74a6b882d209 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.4.3; python_version >= "3.8" +coverage==7.4.4; python_version >= "3.8" # via # coverage # pytest-cov From 8aee481d191e8b99237572783a43d79e5e0f7c70 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Mar 2024 07:39:37 -0500 Subject: [PATCH 0268/1462] Bump zipp from 3.18.0 to 3.18.1 in /.github/requirements (#10588) * Bump zipp from 3.18.0 to 3.18.1 in /.github/requirements Bumps [zipp](https://github.com/jaraco/zipp) from 3.18.0 to 3.18.1. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.18.0...v3.18.1) --- updated-dependencies: - dependency-name: zipp dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index e00c2c242d76..8e185c6e2645 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -596,7 +596,7 @@ urllib3==2.2.1 \ # via # requests # twine -zipp==3.18.0 \ - --hash=sha256:c1bb803ed69d2cce2373152797064f7e79bc43f0a3748eb494096a867e0ebf79 \ - --hash=sha256:df8d042b02765029a09b157efd8e820451045890acc30f8e37dd2f94a060221f +zipp==3.18.1 \ + --hash=sha256:206f5a15f2af3dbaee80769fb7dc6f249695e940acca08dfb2a4769fe61e538b \ + --hash=sha256:2884ed22e7d8961de1c9a05142eb69a247f120291bc0206a00a7642f09b5b715 # via importlib-metadata 
From 3ce6f735fa8a0c0a431ecddac6695009a5190350 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 15 Mar 2024 18:18:48 -0400 Subject: [PATCH 0269/1462] Bump pydantic version (#10590) dependabot chokes on this one for whatever reason --- .github/requirements/publish-requirements.txt | 192 ++++++++---------- 1 file changed, 83 insertions(+), 109 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 8e185c6e2645..533df0772235 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -390,119 +390,93 @@ pycparser==2.21 \ --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \ --hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206 # via cffi -pydantic[email]==2.5.3 \ - --hash=sha256:b3ef57c62535b0941697cce638c08900d87fcb67e29cfa99e8a68f747f393f7a \ - --hash=sha256:d0caf5954bee831b6bfe7e338c32b9e30c85dfe080c843680783ac2b631673b4 +pydantic[email]==2.6.4 \ + --hash=sha256:b1704e0847db01817624a6b86766967f552dd9dbf3afba4004409f908dcc84e6 \ + --hash=sha256:cc46fce86607580867bdc3361ad462bab9c222ef042d3da86f2fb333e1d916c5 # via # id # sigstore # sigstore-rekor-types -pydantic-core==2.14.6 \ - --hash=sha256:00646784f6cd993b1e1c0e7b0fdcbccc375d539db95555477771c27555e3c556 \ - --hash=sha256:00b1087dabcee0b0ffd104f9f53d7d3eaddfaa314cdd6726143af6bc713aa27e \ - --hash=sha256:0348b1dc6b76041516e8a854ff95b21c55f5a411c3297d2ca52f5528e49d8411 \ - --hash=sha256:036137b5ad0cb0004c75b579445a1efccd072387a36c7f217bb8efd1afbe5245 \ - --hash=sha256:095b707bb287bfd534044166ab767bec70a9bba3175dcdc3371782175c14e43c \ - --hash=sha256:0c08de15d50fa190d577e8591f0329a643eeaed696d7771760295998aca6bc66 \ - --hash=sha256:1302a54f87b5cd8528e4d6d1bf2133b6aa7c6122ff8e9dc5220fbc1e07bffebd \ - --hash=sha256:172de779e2a153d36ee690dbc49c6db568d7b33b18dc56b69a7514aecbcf380d \ - --hash=sha256:1b027c86c66b8627eb90e57aee1f526df77dc6d8b354ec498be9a757d513b92b \ - --hash=sha256:1ce830e480f6774608dedfd4a90c42aac4a7af0a711f1b52f807130c2e434c06 \ - --hash=sha256:1fd0c1d395372843fba13a51c28e3bb9d59bd7aebfeb17358ffaaa1e4dbbe948 \ - --hash=sha256:23598acb8ccaa3d1d875ef3b35cb6376535095e9405d91a3d57a8c7db5d29341 \ - --hash=sha256:24368e31be2c88bd69340fbfe741b405302993242ccb476c5c3ff48aeee1afe0 \ - --hash=sha256:26a92ae76f75d1915806b77cf459811e772d8f71fd1e4339c99750f0e7f6324f \ - --hash=sha256:27e524624eace5c59af499cd97dc18bb201dc6a7a2da24bfc66ef151c69a5f2a \ - --hash=sha256:2b8719037e570639e6b665a4050add43134d80b687288ba3ade18b22bbb29dd2 \ - 
--hash=sha256:2c5bcf3414367e29f83fd66f7de64509a8fd2368b1edf4351e862910727d3e51 \ - --hash=sha256:2dbe357bc4ddda078f79d2a36fc1dd0494a7f2fad83a0a684465b6f24b46fe80 \ - --hash=sha256:2f5fa187bde8524b1e37ba894db13aadd64faa884657473b03a019f625cee9a8 \ - --hash=sha256:2f6ffc6701a0eb28648c845f4945a194dc7ab3c651f535b81793251e1185ac3d \ - --hash=sha256:314ccc4264ce7d854941231cf71b592e30d8d368a71e50197c905874feacc8a8 \ - --hash=sha256:36026d8f99c58d7044413e1b819a67ca0e0b8ebe0f25e775e6c3d1fabb3c38fb \ - --hash=sha256:36099c69f6b14fc2c49d7996cbf4f87ec4f0e66d1c74aa05228583225a07b590 \ - --hash=sha256:36fa402dcdc8ea7f1b0ddcf0df4254cc6b2e08f8cd80e7010d4c4ae6e86b2a87 \ - --hash=sha256:370ffecb5316ed23b667d99ce4debe53ea664b99cc37bfa2af47bc769056d534 \ - --hash=sha256:3860c62057acd95cc84044e758e47b18dcd8871a328ebc8ccdefd18b0d26a21b \ - --hash=sha256:399ac0891c284fa8eb998bcfa323f2234858f5d2efca3950ae58c8f88830f145 \ - --hash=sha256:3a0b5db001b98e1c649dd55afa928e75aa4087e587b9524a4992316fa23c9fba \ - --hash=sha256:3dcf1978be02153c6a31692d4fbcc2a3f1db9da36039ead23173bc256ee3b91b \ - --hash=sha256:4241204e4b36ab5ae466ecec5c4c16527a054c69f99bba20f6f75232a6a534e2 \ - --hash=sha256:438027a975cc213a47c5d70672e0d29776082155cfae540c4e225716586be75e \ - --hash=sha256:43e166ad47ba900f2542a80d83f9fc65fe99eb63ceec4debec160ae729824052 \ - --hash=sha256:478e9e7b360dfec451daafe286998d4a1eeaecf6d69c427b834ae771cad4b622 \ - --hash=sha256:4ce8299b481bcb68e5c82002b96e411796b844d72b3e92a3fbedfe8e19813eab \ - --hash=sha256:4f86f1f318e56f5cbb282fe61eb84767aee743ebe32c7c0834690ebea50c0a6b \ - --hash=sha256:55a23dcd98c858c0db44fc5c04fc7ed81c4b4d33c653a7c45ddaebf6563a2f66 \ - --hash=sha256:599c87d79cab2a6a2a9df4aefe0455e61e7d2aeede2f8577c1b7c0aec643ee8e \ - --hash=sha256:5aa90562bc079c6c290f0512b21768967f9968e4cfea84ea4ff5af5d917016e4 \ - --hash=sha256:64634ccf9d671c6be242a664a33c4acf12882670b09b3f163cd00a24cffbd74e \ - --hash=sha256:667aa2eac9cd0700af1ddb38b7b1ef246d8cf94c85637cbb03d7757ca4c3fdec \ - 
--hash=sha256:6a31d98c0d69776c2576dda4b77b8e0c69ad08e8b539c25c7d0ca0dc19a50d6c \ - --hash=sha256:6af4b3f52cc65f8a0bc8b1cd9676f8c21ef3e9132f21fed250f6958bd7223bed \ - --hash=sha256:6c8edaea3089bf908dd27da8f5d9e395c5b4dc092dbcce9b65e7156099b4b937 \ - --hash=sha256:71d72ca5eaaa8d38c8df16b7deb1a2da4f650c41b58bb142f3fb75d5ad4a611f \ - --hash=sha256:72f9a942d739f09cd42fffe5dc759928217649f070056f03c70df14f5770acf9 \ - --hash=sha256:747265448cb57a9f37572a488a57d873fd96bf51e5bb7edb52cfb37124516da4 \ - --hash=sha256:75ec284328b60a4e91010c1acade0c30584f28a1f345bc8f72fe8b9e46ec6a96 \ - --hash=sha256:78d0768ee59baa3de0f4adac9e3748b4b1fffc52143caebddfd5ea2961595277 \ - --hash=sha256:78ee52ecc088c61cce32b2d30a826f929e1708f7b9247dc3b921aec367dc1b23 \ - --hash=sha256:7be719e4d2ae6c314f72844ba9d69e38dff342bc360379f7c8537c48e23034b7 \ - --hash=sha256:7e1f4744eea1501404b20b0ac059ff7e3f96a97d3e3f48ce27a139e053bb370b \ - --hash=sha256:7e90d6cc4aad2cc1f5e16ed56e46cebf4877c62403a311af20459c15da76fd91 \ - --hash=sha256:7ebe3416785f65c28f4f9441e916bfc8a54179c8dea73c23023f7086fa601c5d \ - --hash=sha256:7f41533d7e3cf9520065f610b41ac1c76bc2161415955fbcead4981b22c7611e \ - --hash=sha256:7f5025db12fc6de7bc1104d826d5aee1d172f9ba6ca936bf6474c2148ac336c1 \ - --hash=sha256:86c963186ca5e50d5c8287b1d1c9d3f8f024cbe343d048c5bd282aec2d8641f2 \ - --hash=sha256:86ce5fcfc3accf3a07a729779d0b86c5d0309a4764c897d86c11089be61da160 \ - --hash=sha256:8a14c192c1d724c3acbfb3f10a958c55a2638391319ce8078cb36c02283959b9 \ - --hash=sha256:8b93785eadaef932e4fe9c6e12ba67beb1b3f1e5495631419c784ab87e975670 \ - --hash=sha256:8ed1af8692bd8d2a29d702f1a2e6065416d76897d726e45a1775b1444f5928a7 \ - --hash=sha256:92879bce89f91f4b2416eba4429c7b5ca22c45ef4a499c39f0c5c69257522c7c \ - --hash=sha256:94fc0e6621e07d1e91c44e016cc0b189b48db053061cc22d6298a611de8071bb \ - --hash=sha256:982487f8931067a32e72d40ab6b47b1628a9c5d344be7f1a4e668fb462d2da42 \ - --hash=sha256:9862bf828112e19685b76ca499b379338fd4c5c269d897e218b2ae8fcb80139d \ - 
--hash=sha256:99b14dbea2fdb563d8b5a57c9badfcd72083f6006caf8e126b491519c7d64ca8 \ - --hash=sha256:9c6a5c79b28003543db3ba67d1df336f253a87d3112dac3a51b94f7d48e4c0e1 \ - --hash=sha256:a19b794f8fe6569472ff77602437ec4430f9b2b9ec7a1105cfd2232f9ba355e6 \ - --hash=sha256:a306cdd2ad3a7d795d8e617a58c3a2ed0f76c8496fb7621b6cd514eb1532cae8 \ - --hash=sha256:a3dde6cac75e0b0902778978d3b1646ca9f438654395a362cb21d9ad34b24acf \ - --hash=sha256:a874f21f87c485310944b2b2734cd6d318765bcbb7515eead33af9641816506e \ - --hash=sha256:a983cca5ed1dd9a35e9e42ebf9f278d344603bfcb174ff99a5815f953925140a \ - --hash=sha256:aca48506a9c20f68ee61c87f2008f81f8ee99f8d7f0104bff3c47e2d148f89d9 \ - --hash=sha256:b2602177668f89b38b9f84b7b3435d0a72511ddef45dc14446811759b82235a1 \ - --hash=sha256:b3e5fe4538001bb82e2295b8d2a39356a84694c97cb73a566dc36328b9f83b40 \ - --hash=sha256:b6ca36c12a5120bad343eef193cc0122928c5c7466121da7c20f41160ba00ba2 \ - --hash=sha256:b89f4477d915ea43b4ceea6756f63f0288941b6443a2b28c69004fe07fde0d0d \ - --hash=sha256:b9a9d92f10772d2a181b5ca339dee066ab7d1c9a34ae2421b2a52556e719756f \ - --hash=sha256:c99462ffc538717b3e60151dfaf91125f637e801f5ab008f81c402f1dff0cd0f \ - --hash=sha256:cb92f9061657287eded380d7dc455bbf115430b3aa4741bdc662d02977e7d0af \ - --hash=sha256:cdee837710ef6b56ebd20245b83799fce40b265b3b406e51e8ccc5b85b9099b7 \ - --hash=sha256:cf10b7d58ae4a1f07fccbf4a0a956d705356fea05fb4c70608bb6fa81d103cda \ - --hash=sha256:d15687d7d7f40333bd8266f3814c591c2e2cd263fa2116e314f60d82086e353a \ - --hash=sha256:d5c28525c19f5bb1e09511669bb57353d22b94cf8b65f3a8d141c389a55dec95 \ - --hash=sha256:d5f916acf8afbcab6bacbb376ba7dc61f845367901ecd5e328fc4d4aef2fcab0 \ - --hash=sha256:dab03ed811ed1c71d700ed08bde8431cf429bbe59e423394f0f4055f1ca0ea60 \ - --hash=sha256:db453f2da3f59a348f514cfbfeb042393b68720787bbef2b4c6068ea362c8149 \ - --hash=sha256:de2a0645a923ba57c5527497daf8ec5df69c6eadf869e9cd46e86349146e5975 \ - --hash=sha256:dea7fcd62915fb150cdc373212141a30037e11b761fbced340e9db3379b892d4 \ - 
--hash=sha256:dfcbebdb3c4b6f739a91769aea5ed615023f3c88cb70df812849aef634c25fbe \ - --hash=sha256:dfcebb950aa7e667ec226a442722134539e77c575f6cfaa423f24371bb8d2e94 \ - --hash=sha256:e0641b506486f0b4cd1500a2a65740243e8670a2549bb02bc4556a83af84ae03 \ - --hash=sha256:e33b0834f1cf779aa839975f9d8755a7c2420510c0fa1e9fa0497de77cd35d2c \ - --hash=sha256:e4ace1e220b078c8e48e82c081e35002038657e4b37d403ce940fa679e57113b \ - --hash=sha256:e4cf2d5829f6963a5483ec01578ee76d329eb5caf330ecd05b3edd697e7d768a \ - --hash=sha256:e574de99d735b3fc8364cba9912c2bec2da78775eba95cbb225ef7dda6acea24 \ - --hash=sha256:e646c0e282e960345314f42f2cea5e0b5f56938c093541ea6dbf11aec2862391 \ - --hash=sha256:e8a5ac97ea521d7bde7621d86c30e86b798cdecd985723c4ed737a2aa9e77d0c \ - --hash=sha256:eedf97be7bc3dbc8addcef4142f4b4164066df0c6f36397ae4aaed3eb187d8ab \ - --hash=sha256:ef633add81832f4b56d3b4c9408b43d530dfca29e68fb1b797dcb861a2c734cd \ - --hash=sha256:f27207e8ca3e5e021e2402ba942e5b4c629718e665c81b8b306f3c8b1ddbb786 \ - --hash=sha256:f85f3843bdb1fe80e8c206fe6eed7a1caeae897e496542cee499c374a85c6e08 \ - --hash=sha256:f8e81e4b55930e5ffab4a68db1af431629cf2e4066dbdbfef65348b8ab804ea8 \ - --hash=sha256:f96ae96a060a8072ceff4cfde89d261837b4294a4f28b84a28765470d502ccc6 \ - --hash=sha256:fd9e98b408384989ea4ab60206b8e100d8687da18b5c813c11e92fd8212a98e0 \ - --hash=sha256:ffff855100bc066ff2cd3aa4a60bc9534661816b110f0243e59503ec2df38421 +pydantic-core==2.16.3 \ + --hash=sha256:00ee1c97b5364b84cb0bd82e9bbf645d5e2871fb8c58059d158412fee2d33d8a \ + --hash=sha256:0d32576b1de5a30d9a97f300cc6a3f4694c428d956adbc7e6e2f9cad279e45ed \ + --hash=sha256:0df446663464884297c793874573549229f9eca73b59360878f382a0fc085979 \ + --hash=sha256:0f56ae86b60ea987ae8bcd6654a887238fd53d1384f9b222ac457070b7ac4cff \ + --hash=sha256:13dcc4802961b5f843a9385fc821a0b0135e8c07fc3d9949fd49627c1a5e6ae5 \ + --hash=sha256:162e498303d2b1c036b957a1278fa0899d02b2842f1ff901b6395104c5554a45 \ + 
--hash=sha256:1b662180108c55dfbf1280d865b2d116633d436cfc0bba82323554873967b340 \ + --hash=sha256:1cac689f80a3abab2d3c0048b29eea5751114054f032a941a32de4c852c59cad \ + --hash=sha256:21b888c973e4f26b7a96491c0965a8a312e13be108022ee510248fe379a5fa23 \ + --hash=sha256:287073c66748f624be4cef893ef9174e3eb88fe0b8a78dc22e88eca4bc357ca6 \ + --hash=sha256:2a1ef6a36fdbf71538142ed604ad19b82f67b05749512e47f247a6ddd06afdc7 \ + --hash=sha256:2a72fb9963cba4cd5793854fd12f4cfee731e86df140f59ff52a49b3552db241 \ + --hash=sha256:2acca2be4bb2f2147ada8cac612f8a98fc09f41c89f87add7256ad27332c2fda \ + --hash=sha256:2f583bd01bbfbff4eaee0868e6fc607efdfcc2b03c1c766b06a707abbc856187 \ + --hash=sha256:33809aebac276089b78db106ee692bdc9044710e26f24a9a2eaa35a0f9fa70ba \ + --hash=sha256:36fa178aacbc277bc6b62a2c3da95226520da4f4e9e206fdf076484363895d2c \ + --hash=sha256:4204e773b4b408062960e65468d5346bdfe139247ee5f1ca2a378983e11388a2 \ + --hash=sha256:4384a8f68ddb31a0b0c3deae88765f5868a1b9148939c3f4121233314ad5532c \ + --hash=sha256:456855f57b413f077dff513a5a28ed838dbbb15082ba00f80750377eed23d132 \ + --hash=sha256:49d5d58abd4b83fb8ce763be7794d09b2f50f10aa65c0f0c1696c677edeb7cbf \ + --hash=sha256:4ac6b4ce1e7283d715c4b729d8f9dab9627586dafce81d9eaa009dd7f25dd972 \ + --hash=sha256:4df8a199d9f6afc5ae9a65f8f95ee52cae389a8c6b20163762bde0426275b7db \ + --hash=sha256:500960cb3a0543a724a81ba859da816e8cf01b0e6aaeedf2c3775d12ee49cade \ + --hash=sha256:519ae0312616026bf4cedc0fe459e982734f3ca82ee8c7246c19b650b60a5ee4 \ + --hash=sha256:578114bc803a4c1ff9946d977c221e4376620a46cf78da267d946397dc9514a8 \ + --hash=sha256:5c5cbc703168d1b7a838668998308018a2718c2130595e8e190220238addc96f \ + --hash=sha256:6162f8d2dc27ba21027f261e4fa26f8bcb3cf9784b7f9499466a311ac284b5b9 \ + --hash=sha256:704d35ecc7e9c31d48926150afada60401c55efa3b46cd1ded5a01bdffaf1d48 \ + --hash=sha256:716b542728d4c742353448765aa7cdaa519a7b82f9564130e2b3f6766018c9ec \ + --hash=sha256:72282ad4892a9fb2da25defeac8c2e84352c108705c972db82ab121d15f14e6d \ + 
--hash=sha256:7233d65d9d651242a68801159763d09e9ec96e8a158dbf118dc090cd77a104c9 \ + --hash=sha256:732da3243e1b8d3eab8c6ae23ae6a58548849d2e4a4e03a1924c8ddf71a387cb \ + --hash=sha256:75b81e678d1c1ede0785c7f46690621e4c6e63ccd9192af1f0bd9d504bbb6bf4 \ + --hash=sha256:75f76ee558751746d6a38f89d60b6228fa174e5172d143886af0f85aa306fd89 \ + --hash=sha256:7ee8d5f878dccb6d499ba4d30d757111847b6849ae07acdd1205fffa1fc1253c \ + --hash=sha256:7f752826b5b8361193df55afcdf8ca6a57d0232653494ba473630a83ba50d8c9 \ + --hash=sha256:86b3d0033580bd6bbe07590152007275bd7af95f98eaa5bd36f3da219dcd93da \ + --hash=sha256:8d62da299c6ecb04df729e4b5c52dc0d53f4f8430b4492b93aa8de1f541c4aac \ + --hash=sha256:8e47755d8152c1ab5b55928ab422a76e2e7b22b5ed8e90a7d584268dd49e9c6b \ + --hash=sha256:9091632a25b8b87b9a605ec0e61f241c456e9248bfdcf7abdf344fdb169c81cf \ + --hash=sha256:936e5db01dd49476fa8f4383c259b8b1303d5dd5fb34c97de194560698cc2c5e \ + --hash=sha256:99b6add4c0b39a513d323d3b93bc173dac663c27b99860dd5bf491b240d26137 \ + --hash=sha256:9c865a7ee6f93783bd5d781af5a4c43dadc37053a5b42f7d18dc019f8c9d2bd1 \ + --hash=sha256:a425479ee40ff021f8216c9d07a6a3b54b31c8267c6e17aa88b70d7ebd0e5e5b \ + --hash=sha256:a4b2bf78342c40b3dc830880106f54328928ff03e357935ad26c7128bbd66ce8 \ + --hash=sha256:a6b1bb0827f56654b4437955555dc3aeeebeddc47c2d7ed575477f082622c49e \ + --hash=sha256:aaf09e615a0bf98d406657e0008e4a8701b11481840be7d31755dc9f97c44053 \ + --hash=sha256:b1f6f5938d63c6139860f044e2538baeee6f0b251a1816e7adb6cbce106a1f01 \ + --hash=sha256:b29eeb887aa931c2fcef5aa515d9d176d25006794610c264ddc114c053bf96fe \ + --hash=sha256:b3992a322a5617ded0a9f23fd06dbc1e4bd7cf39bc4ccf344b10f80af58beacd \ + --hash=sha256:b5b6079cc452a7c53dd378c6f881ac528246b3ac9aae0f8eef98498a75657805 \ + --hash=sha256:b60cc1a081f80a2105a59385b92d82278b15d80ebb3adb200542ae165cd7d183 \ + --hash=sha256:b926dd38db1519ed3043a4de50214e0d600d404099c3392f098a7f9d75029ff8 \ + --hash=sha256:bd87f48924f360e5d1c5f770d6155ce0e7d83f7b4e10c2f9ec001c73cf475c99 \ + 
--hash=sha256:bda1ee3e08252b8d41fa5537413ffdddd58fa73107171a126d3b9ff001b9b820 \ + --hash=sha256:be0ec334369316fa73448cc8c982c01e5d2a81c95969d58b8f6e272884df0074 \ + --hash=sha256:c6119dc90483a5cb50a1306adb8d52c66e447da88ea44f323e0ae1a5fcb14256 \ + --hash=sha256:c9803edf8e29bd825f43481f19c37f50d2b01899448273b3a7758441b512acf8 \ + --hash=sha256:c9bd22a2a639e26171068f8ebb5400ce2c1bc7d17959f60a3b753ae13c632975 \ + --hash=sha256:cbcc558401de90a746d02ef330c528f2e668c83350f045833543cd57ecead1ad \ + --hash=sha256:cf6204fe865da605285c34cf1172879d0314ff267b1c35ff59de7154f35fdc2e \ + --hash=sha256:d33dd21f572545649f90c38c227cc8631268ba25c460b5569abebdd0ec5974ca \ + --hash=sha256:d89ca19cdd0dd5f31606a9329e309d4fcbb3df860960acec32630297d61820df \ + --hash=sha256:d8f99b147ff3fcf6b3cc60cb0c39ea443884d5559a30b1481e92495f2310ff2b \ + --hash=sha256:d937653a696465677ed583124b94a4b2d79f5e30b2c46115a68e482c6a591c8a \ + --hash=sha256:dcca5d2bf65c6fb591fff92da03f94cd4f315972f97c21975398bd4bd046854a \ + --hash=sha256:ded1c35f15c9dea16ead9bffcde9bb5c7c031bff076355dc58dcb1cb436c4721 \ + --hash=sha256:e3e70c94a0c3841e6aa831edab1619ad5c511199be94d0c11ba75fe06efe107a \ + --hash=sha256:e56f8186d6210ac7ece503193ec84104da7ceb98f68ce18c07282fcc2452e76f \ + --hash=sha256:e7774b570e61cb998490c5235740d475413a1f6de823169b4cf94e2fe9e9f6b2 \ + --hash=sha256:e7c6ed0dc9d8e65f24f5824291550139fe6f37fac03788d4580da0d33bc00c97 \ + --hash=sha256:ec08be75bb268473677edb83ba71e7e74b43c008e4a7b1907c6d57e940bf34b6 \ + --hash=sha256:ecdf6bf5f578615f2e985a5e1f6572e23aa632c4bd1dc67f8f406d445ac115ed \ + --hash=sha256:ed25e1835c00a332cb10c683cd39da96a719ab1dfc08427d476bce41b92531fc \ + --hash=sha256:f4cb85f693044e0f71f394ff76c98ddc1bc0953e48c061725e540396d5c8a2e1 \ + --hash=sha256:f53aace168a2a10582e570b7736cc5bef12cae9cf21775e3eafac597e8551fbe \ + --hash=sha256:f651dd19363c632f4abe3480a7c87a9773be27cfe1341aef06e8759599454120 \ + --hash=sha256:fc4ad7f7ee1a13d9cb49d8198cd7d7e3aa93e425f371a68235f784e99741561f \ + 
--hash=sha256:fee427241c2d9fb7192b658190f9f5fd6dfe41e02f3c1489d2ec1e6a5ab1e04a # via pydantic pygments==2.17.2 \ --hash=sha256:b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c \ From 1af96015f8673644d6d3efb7c00e580d9bdacb45 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Mar 2024 22:19:19 +0000 Subject: [PATCH 0270/1462] Bump ruff from 0.3.2 to 0.3.3 (#10591) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.3.2 to 0.3.3. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.3.2...v0.3.3) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 74a6b882d209..60342287e07a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.3.2 +ruff==0.3.3 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 87d224f613ca4d84cf58ba45eaa43a298a9dd68a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 15 Mar 2024 21:12:50 -0400 Subject: [PATCH 0271/1462] Bump x509-limbo and/or wycheproof in CI (#10592) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml
index 19a1633b19c4..d3e8f3ad9d0b 100644
--- a/.github/actions/fetch-vectors/action.yml
+++ b/.github/actions/fetch-vectors/action.yml
@@ -9,12 +9,12 @@ runs:
 with:
 repository: "google/wycheproof"
 path: "wycheproof"
- # Latest commit on the wycheproof master branch, as of Mar 14, 2024.
- ref: "dbe819bb94a5dc6081f440eeb4a6809c7ff66511" # wycheproof-ref
+ # Latest commit on the wycheproof master branch, as of Mar 16, 2024.
+ ref: "1621269c9f8e4a11f7de5dd2cb353400f054ce6f" # wycheproof-ref
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 repository: "C2SP/x509-limbo"
 path: "x509-limbo"
- # Latest commit on the x509-limbo main branch, as of Mar 14, 2024.
- ref: "a04fb05cf132e1405f71c12616cf0aead829909a" # x509-limbo-ref
+ # Latest commit on the x509-limbo main branch, as of Mar 16, 2024.
+ ref: "1381655977188ad42f49cc5cd0eabff9b3c77670" # x509-limbo-ref
From 1dccbcd2df5d017926bb0d7eeef0f58f458a7e30 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 16 Mar 2024 01:23:30 +0000 Subject: [PATCH 0272/1462] Bump BoringSSL and/or OpenSSL in CI (#10594) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cc8422d9140c..7f269947a5f5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -44,8 +44,8 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
 # Latest commit on the BoringSSL master branch, as of Mar 14, 2024.
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fae0964b3d44e94ca2a2d21f86e61dabe683d130"}}
- # Latest commit on the OpenSSL master branch, as of Mar 15, 2024.
- - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f08be096517f9bdae8a9d1d837748237db4d13a9"}}
+ # Latest commit on the OpenSSL master branch, as of Mar 16, 2024.
+ - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dc9bc6c8e1bd329ead703417a2235ab3e97557ec"}}
 # Builds with various Rust versions. Includes MSRV and next
 # potential future MSRV.
 - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"}
From 37e3e2916544c8d557c2a452a2fd4f4628265411 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 15 Mar 2024 22:20:55 -0400 Subject: [PATCH 0273/1462] Use distinct branch names for different bump jobs (#10593) --- .github/workflows/boring-open-version-bump.yml | 1 + .github/workflows/x509-limbo-version-bump.yml | 1 + 2 files changed, 2 insertions(+)
diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml
index 42535a26b6d2..cfe495d2652a 100644
--- a/.github/workflows/boring-open-version-bump.yml
+++ b/.github/workflows/boring-open-version-bump.yml
@@ -60,6 +60,7 @@ jobs:
 - name: Create Pull Request
 uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6.0.2
 with:
+ branch: "bump-openssl-boringssl"
 commit-message: "Bump BoringSSL and/or OpenSSL in CI"
 title: "Bump BoringSSL and/or OpenSSL in CI"
 author: "pyca-boringbot[bot] "
diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml
index 951a663e56ea..dfd4f9b46c59 100644
--- a/.github/workflows/x509-limbo-version-bump.yml
+++ b/.github/workflows/x509-limbo-version-bump.yml
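Review bot: The new `branch:` input on the Create Pull Request step in boring-open-version-bump.yml has no comment saying why it is set, and the same goes for the matching hunk in x509-limbo-version-bump.yml. The value only does its job while it stays unique per bump workflow; presumably both jobs previously fell back to the action's default branch and updated the same pull request, so a third bump job copied from either file could bring the collision back. A one-line comment above the input would record the constraint, e.g. `# Must differ from the branch used by the other bump workflows.`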
@@ -59,6 +59,7 @@ jobs:
 - name: Create Pull Request
 uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6.0.2
 with:
+ branch: "bump-vectors"
 commit-message: "Bump x509-limbo and/or wycheproof in CI"
 title: "Bump x509-limbo and/or wycheproof in CI"
 author: "pyca-boringbot[bot] "
From c4046a4bdd9d7a06aee9360bfbc2ac6bfc2e39d4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 17 Mar 2024 00:17:17 +0000 Subject: [PATCH 0274/1462] Bump BoringSSL and/or OpenSSL in CI (#10595) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7f269947a5f5..ff04e0493efa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -42,8 +42,8 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}}
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
- # Latest commit on the BoringSSL master branch, as of Mar 14, 2024.
- - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fae0964b3d44e94ca2a2d21f86e61dabe683d130"}}
+ # Latest commit on the BoringSSL master branch, as of Mar 17, 2024.
+ - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f57a11ae566ac17c1b028d79950227a33ae32fad"}}
 # Latest commit on the OpenSSL master branch, as of Mar 16, 2024.
 - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dc9bc6c8e1bd329ead703417a2235ab3e97557ec"}}
 # Builds with various Rust versions. Includes MSRV and next
From 152f06b35bac094fb4e93f0651452345f2449e7c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 17 Mar 2024 00:19:48 +0000 Subject: [PATCH 0275/1462] Bump syn from 2.0.52 to 2.0.53 in /src/rust (#10597) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.52 to 2.0.53. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.52...2.0.53) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6f9b5dbf258c..1f28cb2d9c02 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -377,9 +377,9 @@ checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" [[package]] name = "syn" -version = "2.0.52" +version = "2.0.53" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b699d15b36d1f02c3e7c69f8ffef53de37aefae075d8488d4ba1a7788d574a07" +checksum = "7383cd0e49fff4b6b90ca5670bfd3e9d6a733b3f90c686605aa7eec8c4996032" dependencies = [ "proc-macro2", "quote", From 0314ebfcebcacbf29163d8a53186877e42d350f8 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 17 Mar 2024 00:20:02 +0000 Subject: [PATCH 0276/1462] Bump dawidd6/action-download-artifact from 3.1.2 to 3.1.3 (#10596) Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 3.1.2 to 3.1.3. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](https://github.com/dawidd6/action-download-artifact/compare/71072fbb1229e1317f1a8de6b04206afb461bd67...a430ac5786b39ad5869da25a98130624d2ce340c) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ff04e0493efa..283e53c27a8a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -253,7 +253,7 @@ jobs:
 timeout-minutes: 2
 uses: ./.github/actions/fetch-vectors
- - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2
+ - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3
 with:
 repo: pyca/infra
 workflow: build-macos-openssl.yml
@@ -313,7 +313,7 @@ jobs:
 key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }}
 - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'"
- - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2
+ - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3
 with:
 repo: pyca/infra
 workflow: build-windows-openssl.yml
diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
index f95c72b497dc..7f9ea2c9563a 100644
--- a/.github/workflows/pypi-publish.yml
+++ b/.github/workflows/pypi-publish.yml
@@ -47,7 +47,7 @@ jobs:
 - name: Install Python dependencies
 run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }}
- - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2
+ - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3
 with:
 path: dist/
 run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }}
diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml
index 15380e301d51..27cf1e8c8176 100644
--- a/.github/workflows/wheel-builder.yml
+++ b/.github/workflows/wheel-builder.yml
@@ -232,7 +232,7 @@ jobs:
 with:
 python-version: ${{ matrix.PYTHON.VERSION }}
 if: contains(matrix.PYTHON.VERSION, 'pypy')
- - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2
+ - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3
 with:
 repo: pyca/infra
 workflow: build-macos-openssl.yml
@@ -329,7 +329,7 @@ jobs:
 toolchain: stable
 target: ${{ matrix.WINDOWS.RUST_TRIPLE }}
- - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2
+ - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3
 with:
 repo: pyca/infra
 workflow: build-windows-openssl.yml
From 725f8c2c1d9cac4e21fc3f0fc7692d1271dad0c9 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 17 Mar 2024 22:32:49 -0400 Subject: [PATCH 0277/1462] Bump BoringSSL and/or OpenSSL in CI (#10599) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 283e53c27a8a..600a9ea1cefc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -42,8 +42,8 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}}
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
- # Latest commit on the BoringSSL master branch, as of Mar 17, 2024.
- - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f57a11ae566ac17c1b028d79950227a33ae32fad"}}
+ # Latest commit on the BoringSSL master branch, as of Mar 18, 2024.
+ - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b85a0d1ebe76d80986708ce3a8faa120d49ef8fe"}}
 # Latest commit on the OpenSSL master branch, as of Mar 16, 2024.
 - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dc9bc6c8e1bd329ead703417a2235ab3e97557ec"}}
 # Builds with various Rust versions. Includes MSRV and next
From 3401dc2681063b3de501a3395bafb2b1abce9f5f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Mar 2024 07:47:43 -0500 Subject: [PATCH 0278/1462] Bump dawidd6/action-download-artifact from 3.1.3 to 3.1.4 (#10601) Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](https://github.com/dawidd6/action-download-artifact/compare/a430ac5786b39ad5869da25a98130624d2ce340c...09f2f74827fd3a8607589e5ad7f9398816f540fe) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production update-type: version-update:semver-patch ...
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 600a9ea1cefc..00789cd0003e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -253,7 +253,7 @@ jobs:
 timeout-minutes: 2
 uses: ./.github/actions/fetch-vectors
- - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3
+ - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4
 with:
 repo: pyca/infra
 workflow: build-macos-openssl.yml
@@ -313,7 +313,7 @@ jobs:
 key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }}
 - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'"
- - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3
+ - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4
 with:
 repo: pyca/infra
 workflow: build-windows-openssl.yml
diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
index 7f9ea2c9563a..433b1a1b1ac4 100644
--- a/.github/workflows/pypi-publish.yml
+++ b/.github/workflows/pypi-publish.yml
@@ -47,7 +47,7 @@ jobs:
 - name: Install Python dependencies
 run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }}
- - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3
+ - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4
 with:
 path: dist/
 run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }}
diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml
index 27cf1e8c8176..9367b2d16ccf 100644
--- a/.github/workflows/wheel-builder.yml
+++ b/.github/workflows/wheel-builder.yml
@@ -232,7 +232,7 @@ jobs:
 with:
 python-version: ${{ matrix.PYTHON.VERSION }}
 if: contains(matrix.PYTHON.VERSION, 'pypy')
- - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3
+ - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4
 with:
 repo: pyca/infra
 workflow: build-macos-openssl.yml
@@ -329,7 +329,7 @@ jobs:
 toolchain: stable
 target: ${{ matrix.WINDOWS.RUST_TRIPLE }}
- - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3
+ - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4
 with:
 repo: pyca/infra
 workflow: build-windows-openssl.yml
From c694fa2913416c78428bf959162f54d24b9a6ffd Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 19 Mar 2024 00:16:05 +0000 Subject: [PATCH 0279/1462] Bump BoringSSL and/or OpenSSL in CI (#10602) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 00789cd0003e..70ec07f92311 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -42,8 +42,8 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}}
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
- # Latest commit on the BoringSSL master branch, as of Mar 18, 2024.
- - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b85a0d1ebe76d80986708ce3a8faa120d49ef8fe"}}
+ # Latest commit on the BoringSSL master branch, as of Mar 19, 2024.
+ - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "044fbc86ef5505d5fdab2befd476992ad1074665"}}
 # Latest commit on the OpenSSL master branch, as of Mar 16, 2024.
 - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dc9bc6c8e1bd329ead703417a2235ab3e97557ec"}}
 # Builds with various Rust versions. Includes MSRV and next
From fa43111758a6bfd65cef2901484f8686c4200448 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 18 Mar 2024 20:16:18 -0500 Subject: [PATCH 0280/1462] Bump x509-limbo and/or wycheproof in CI (#10603) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml
index d3e8f3ad9d0b..1a481b11756a 100644
--- a/.github/actions/fetch-vectors/action.yml
+++ b/.github/actions/fetch-vectors/action.yml
@@ -16,5 +16,5 @@ runs:
 with:
 repository: "C2SP/x509-limbo"
 path: "x509-limbo"
- # Latest commit on the x509-limbo main branch, as of Mar 16, 2024.
- ref: "1381655977188ad42f49cc5cd0eabff9b3c77670" # x509-limbo-ref
+ # Latest commit on the x509-limbo main branch, as of Mar 19, 2024.
+ ref: "bd3c2cf87448dc5770b8b372b22bffbfc928d7a0" # x509-limbo-ref
From 78ad21339ec158c7bdf21228ea171585698d204e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 20 Mar 2024 01:15:53 +0000 Subject: [PATCH 0281/1462] Bump BoringSSL and/or OpenSSL in CI (#10605) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 70ec07f92311..118ce5155416 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -42,8 +42,8 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}}
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
- # Latest commit on the BoringSSL master branch, as of Mar 19, 2024.
- - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "044fbc86ef5505d5fdab2befd476992ad1074665"}}
+ # Latest commit on the BoringSSL master branch, as of Mar 20, 2024.
+ - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c5e9b4be0f2fabaac68961c0edce381703731d03"}}
 # Latest commit on the OpenSSL master branch, as of Mar 16, 2024.
 - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dc9bc6c8e1bd329ead703417a2235ab3e97557ec"}}
 # Builds with various Rust versions. Includes MSRV and next
From 9f065e9a477f15d4be0b4544b10d69a98d46c68f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 20 Mar 2024 01:16:27 +0000 Subject: [PATCH 0282/1462] Bump x509-limbo and/or wycheproof in CI (#10606) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml
index 1a481b11756a..804ef8de51c8 100644
--- a/.github/actions/fetch-vectors/action.yml
+++ b/.github/actions/fetch-vectors/action.yml
@@ -16,5 +16,5 @@ runs:
 with:
 repository: "C2SP/x509-limbo"
 path: "x509-limbo"
- # Latest commit on the x509-limbo main branch, as of Mar 19, 2024.
- ref: "bd3c2cf87448dc5770b8b372b22bffbfc928d7a0" # x509-limbo-ref
+ # Latest commit on the x509-limbo main branch, as of Mar 20, 2024.
+ ref: "511fe1c0565f7931db6f4f9eb986778effb68a44" # x509-limbo-ref
From 94ed69d83540d49eab1e20289854136caddabe54 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Mar 2024 07:09:15 -0400 Subject: [PATCH 0283/1462] Bump actions/cache from 4.0.1 to 4.0.2 (#10610) Bumps [actions/cache](https://github.com/actions/cache) from 4.0.1 to 4.0.2. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/ab5e6d0c87105b4c9c2047343972218f562e4319...0c45773b623bea8c8e75f6c82b208c3cf94ea4f9) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 118ce5155416..cb16e53b5af1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -91,7 +91,7 @@ jobs:
 CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}
 if: matrix.PYTHON.OPENSSL
 - name: Load OpenSSL cache
- uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: ossl-cache
 timeout-minutes: 2
 with:
From c5659517c65ca97b98efdf02d814caa375d1d510 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Mar 2024 07:53:05 -0500 Subject: [PATCH 0284/1462] Bump sigstore from 2.1.2 to 2.1.3 in /.github/requirements (#10611) * Bump sigstore from 2.1.2 to 2.1.3 in /.github/requirements Bumps [sigstore](https://github.com/sigstore/sigstore-python) from 2.1.2 to 2.1.3. - [Release notes](https://github.com/sigstore/sigstore-python/releases) - [Changelog](https://github.com/sigstore/sigstore-python/blob/v2.1.3/CHANGELOG.md) - [Commits](https://github.com/sigstore/sigstore-python/compare/v2.1.2...v2.1.3) --- updated-dependencies: - dependency-name: sigstore dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt
index 533df0772235..bb925eb0f5b7 100644
--- a/.github/requirements/publish-requirements.txt
+++ b/.github/requirements/publish-requirements.txt
@@ -534,9 +534,9 @@ securesystemslib==0.31.0 \ # via # sigstore # tuf -sigstore==2.1.2 \ - --hash=sha256:94139c1efa0784135516d11b79c8b06d4ea61245624e69cda44494e87560b07c \ - --hash=sha256:fd9069b50b5789c6e229641e948a9b47c07525e8924f5e4d20d7dc1a8db6d6e2 +sigstore==2.1.3 \ + --hash=sha256:7a0c1252cb7974024aee87c8e0f0f6247604af16e8b5a8e3d0a9e1201e330aa2 \ + --hash=sha256:f3aaa564c0d48a62fb40c103615bba01af787eaf9fda3b6e1a3e1dc5abc2d311 # via -r publish-requirements.in sigstore-protobuf-specs==0.2.2 \ --hash=sha256:62c7beabc6910fb570dc4c600e33e81f2d2d683f785202ee109ca394bd829e94 \ From 1cdfd410f6044b616088c642aa7aa9b9d39acdf2 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 20 Mar 2024 13:14:55 -0500 Subject: [PATCH 0285/1462] add openssl 3.3.0-alpha1 to testing (#10612) --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cb16e53b5af1..3a2bc38e5174 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,6 +36,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.13"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.5"}} - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} + - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.0-alpha1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} From 95764126ca1649281744ddff254776b8338b773b Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 00:16:01 +0000 Subject: [PATCH 0286/1462] Bump BoringSSL and/or OpenSSL in CI (#10613) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3a2bc38e5174..b660cdbaf860 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 20, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c5e9b4be0f2fabaac68961c0edce381703731d03"}} + # Latest commit on the BoringSSL master branch, as of Mar 21, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "a200650ac344338f9af86822266984804eb86370"}} # Latest commit on the OpenSSL master branch, as of Mar 16, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dc9bc6c8e1bd329ead703417a2235ab3e97557ec"}} # Builds with various Rust versions. Includes MSRV and next From ee8e8c4910d501fc8ad8a67e96d8d0684b3959b9 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 20 Mar 2024 20:46:43 -0400 Subject: [PATCH 0287/1462] Bump x509-limbo and/or wycheproof in CI (#10614) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 804ef8de51c8..4e3a214ce086 100644 
--- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 20, 2024. - ref: "511fe1c0565f7931db6f4f9eb986778effb68a44" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 21, 2024. + ref: "2d797b4f9d21e8c0ac3c070d2ff8198b4640acf9" # x509-limbo-ref From 4a3e7dcc977cc3f9091154c15e6ecdcee3b1d00d Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 20 Mar 2024 21:00:00 -0400 Subject: [PATCH 0288/1462] verification: client verification APIs (#10345) * verification: WIP client verification skeleton Signed-off-by: William Woodruff * verify: fill in build_client_verifier Signed-off-by: William Woodruff * implement ClientVerifier.verify Signed-off-by: William Woodruff * verification: make Python 3.8 happy Signed-off-by: William Woodruff * switch to a full VerifiedClient type Signed-off-by: William Woodruff * remove the SubjectOwner::None hack Signed-off-by: William Woodruff * docs: fix ClientVerifier Signed-off-by: William Woodruff * verification: replace match with if Signed-off-by: William Woodruff * return GNs directly, not whole extension Signed-off-by: William Woodruff * docs/verification: document UnsupportedGeneralNameType raise 
Signed-off-by: William Woodruff * lib: RFC822 checks on NCs * test_limbo: enable client tests * tests: flake * test_verification: more Python API coverage * verification: filter GNs by NC support * verification: forbid unsupported NC GNs This is what we should have been doing originally, per RFC 5280 4.2.1.10: > If a name constraints extension that is marked as critical > imposes constraints on a particular name form, and an instance of > that name form appears in the subject field or subjectAltName > extension of a subsequent certificate, then the application MUST > either process the constraint or reject the certificate. * docs/verification: remove old sentence Signed-off-by: William Woodruff * verification: ensure the right EKU for client/server paths Signed-off-by: William Woodruff * test_limbo: fixup EKU assertion * verification: feedback --------- Signed-off-by: William Woodruff --- docs/x509/verification.rst | 84 +++++++++++- .../hazmat/bindings/_rust/x509.pyi | 20 +++ src/cryptography/x509/verification.py | 4 + .../cryptography-x509-verification/src/lib.rs | 14 ++ .../src/policy/extension.rs | 20 +-- .../src/policy/mod.rs | 50 ++++++- src/rust/src/x509/verify.rs | 122 +++++++++++++++++- tests/x509/verification/test_limbo.py | 45 +++++-- tests/x509/verification/test_verification.py | 34 +++++ 9 files changed, 361 insertions(+), 32 deletions(-) diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index 6afc75f289e5..ab360417b482 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst 
@@ -104,6 +104,73 @@ the root of trust: :class:`cryptography.x509.general_name.DNSName`, :class:`cryptography.x509.general_name.IPAddress`. +.. class:: VerifiedClient + + .. versionadded:: 43.0.0 + + .. attribute:: subjects + + :type: list of :class:`~cryptography.x509.GeneralName` + + The subjects presented in the verified client's Subject Alternative Name + extension. + + .. attribute:: chain + + :type: A list of :class:`~cryptography.x509.Certificate`, in leaf-first order + + The chain of certificates that forms the valid chain to the client + certificate. + + +.. class:: ClientVerifier + + .. versionadded:: 43.0.0 + + A ClientVerifier verifies client certificates. + + It contains and describes various pieces of configurable path + validation logic, such as how deep prospective validation chains may go, + which signature algorithms are allowed, and so forth. + + ClientVerifier instances cannot be constructed directly; + :class:`PolicyBuilder` must be used. + + .. attribute:: validation_time + + :type: :class:`datetime.datetime` + + The verifier's validation time. + + .. attribute:: max_chain_depth + + :type: :class:`int` + + The verifier's maximum intermediate CA chain depth. + + .. attribute:: store + + :type: :class:`Store` + + The verifier's trust store. + + .. method:: verify(leaf, intermediates) + + Performs path validation on ``leaf``, returning a valid path + if one exists. The path is returned in leaf-first order: + the first member is ``leaf``, followed by the intermediates used + (if any), followed by a member of the ``store``. 
+ + :param leaf: The leaf :class:`~cryptography.x509.Certificate` to validate + :param intermediates: A :class:`list` of intermediate :class:`~cryptography.x509.Certificate` to attempt to use + + :returns: + A new instance of :class:`VerifiedClient` + + :raises VerificationError: If a valid chain cannot be constructed + + :raises UnsupportedGeneralNameType: If a valid chain exists, but contains an unsupported general name type + .. class:: ServerVerifier .. versionadded:: 42.0.0 @@ -174,7 +241,8 @@ the root of trust: Sets the verifier's verification time. If not called explicitly, this is set to :meth:`datetime.datetime.now` - when :meth:`build_server_verifier` is called. + when :meth:`build_server_verifier` or :meth:`build_client_verifier` + is called. :param new_time: The :class:`datetime.datetime` to use in the verifier @@ -209,3 +277,17 @@ the root of trust: :param subject: A :class:`Subject` to use in the verifier :returns: An instance of :class:`ServerVerifier` + + .. method:: build_client_verifier() + + .. versionadded:: 43.0.0 + + Builds a verifier for verifying client certificates. + + .. warning:: + + This API is not suitable for website (i.e. server) certificate + verification. You **must** use :meth:`build_server_verifier` + for server verification. + + :returns: An instance of :class:`ClientVerifier` diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index 418184f8a6fd..aa85657fcfd8 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi 
@@ -62,10 +62,30 @@ class PolicyBuilder: def time(self, new_time: datetime.datetime) -> PolicyBuilder: ... def store(self, new_store: Store) -> PolicyBuilder: ... def max_chain_depth(self, new_max_chain_depth: int) -> PolicyBuilder: ... + def build_client_verifier(self) -> ClientVerifier: ... def build_server_verifier( self, subject: x509.verification.Subject ) -> ServerVerifier: ... +class VerifiedClient: + @property + def subjects(self) -> list[x509.GeneralName]: ... + @property + def chain(self) -> list[x509.Certificate]: ... + +class ClientVerifier: + @property + def validation_time(self) -> datetime.datetime: ... + @property + def store(self) -> Store: ... + @property + def max_chain_depth(self) -> int: ... + def verify( + self, + leaf: x509.Certificate, + intermediates: list[x509.Certificate], + ) -> VerifiedClient: ... + class ServerVerifier: @property def subject(self) -> x509.verification.Subject: ... diff --git a/src/cryptography/x509/verification.py b/src/cryptography/x509/verification.py index ab1a37ae6b01..191705e8352b 100644 --- a/src/cryptography/x509/verification.py +++ b/src/cryptography/x509/verification.py @@ -12,6 +12,8 @@ __all__ = [ "Store", "Subject", + "VerifiedClient", + "ClientVerifier", "ServerVerifier", "PolicyBuilder", "VerificationError", @@ -19,6 +21,8 @@ Store = rust_x509.Store Subject = typing.Union[DNSName, IPAddress] +VerifiedClient = rust_x509.VerifiedClient +ClientVerifier = rust_x509.ClientVerifier ServerVerifier = rust_x509.ServerVerifier PolicyBuilder = rust_x509.PolicyBuilder VerificationError = rust_x509.VerificationError diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 01bc76affc59..036e9dcd1b0f 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs 
@@ -20,6 +20,7 @@ use cryptography_x509::{ name::GeneralName, oid::{NAME_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID}, }; +use types::{RFC822Constraint, RFC822Name}; use crate::certificate::cert_is_self_issued; use crate::ops::{CryptoOps, VerificationCertificate}; @@ -137,6 +138,19 @@ impl<'a, 'chain> NameChain<'a, 'chain> { ))), } } + (GeneralName::RFC822Name(pattern), GeneralName::RFC822Name(name)) => { + match (RFC822Constraint::new(pattern.0), RFC822Name::new(name.0)) { + (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))), + (_, None) => Err(ValidationError::Other(format!( + "unsatisfiable RFC822 name constraint: malformed SAN {:?}", + name.0, + ))), + (None, _) => Err(ValidationError::Other(format!( + "malformed RFC822 name constraints: {:?}", + pattern.0 + ))), + } + } // All other matching pairs of (constraint, name) are currently unsupported. (GeneralName::OtherName(_), GeneralName::OtherName(_)) | (GeneralName::X400Address(_), GeneralName::X400Address(_)) diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs index 9ab88ab5189d..a707b0d8d65f 100644 --- a/src/rust/cryptography-x509-verification/src/policy/extension.rs +++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs 
@@ -303,15 +303,17 @@ pub(crate) mod ee { _ => (), }; - let san: SubjectAlternativeName<'_> = extn.value()?; - if !policy - .subject - .as_ref() - .map_or_else(|| false, |sub| sub.matches(&san)) - { - return Err(ValidationError::Other( - "leaf certificate has no matching subjectAltName".into(), - )); + // NOTE: We only verify the SAN against the policy's subject if the + // policy actually contains one. This enables both client and server + // profiles to use this validator, **with the expectation** that + // server profile construction requires a subject to be present. + if let Some(sub) = policy.subject.as_ref() { + let san: SubjectAlternativeName<'_> = extn.value()?; + if !sub.matches(&san) { + return Err(ValidationError::Other( + "leaf certificate has no matching subjectAltName".into(), + )); + } } Ok(()) diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 8f704a39c0e2..22f5a13dc0aa 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -19,7 +19,8 @@ use cryptography_x509::common::{ use cryptography_x509::extensions::{BasicConstraints, Extensions, SubjectAlternativeName}; use cryptography_x509::name::GeneralName; use cryptography_x509::oid::{ - BASIC_CONSTRAINTS_OID, EC_SECP256R1, EC_SECP384R1, EC_SECP521R1, EKU_SERVER_AUTH_OID, + BASIC_CONSTRAINTS_OID, EC_SECP256R1, EC_SECP384R1, EC_SECP521R1, EKU_CLIENT_AUTH_OID, + EKU_SERVER_AUTH_OID, }; use once_cell::sync::Lazy; 
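Review bot: Moving `let san: SubjectAlternativeName<'_> = extn.value()?;` inside the `if let Some(sub)` branch means the client profile, which has no subject, no longer parses the SAN in this validator. A leaf whose SAN does not decode is therefore not rejected at this step; whether a later step catches it is not visible in this hunk. The Python binding added in the same commit decodes the extension again after validation, where a failure would presumably surface as something other than `VerificationError`. Keeping the parse above the branch preserves the well-formedness check for both profiles: `let san: SubjectAlternativeName<'_> = extn.value()?;` followed by `if let Some(sub) = policy.subject.as_ref() { if !sub.matches(&san) { ... } }`. The enclosing function begins above the hunk.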
@@ -234,20 +235,19 @@ pub struct Policy<'a, B: CryptoOps> { } impl<'a, B: CryptoOps> Policy<'a, B> { - /// Create a new policy with defaults for the server certificate profile - /// defined in the CA/B Forum's Basic Requirements. - pub fn server( + fn new( ops: B, - subject: Subject<'a>, + subject: Option>, time: asn1::DateTime, max_chain_depth: Option, + extended_key_usage: ObjectIdentifier, ) -> Self { Self { ops, max_chain_depth: max_chain_depth.unwrap_or(DEFAULT_MAX_CHAIN_DEPTH), - subject: Some(subject), + subject, validation_time: time, - extended_key_usage: EKU_SERVER_AUTH_OID.clone(), + extended_key_usage, minimum_rsa_modulus: WEBPKI_MINIMUM_RSA_MODULUS, permitted_public_key_algorithms: Arc::clone(&*WEBPKI_PERMITTED_SPKI_ALGORITHMS), permitted_signature_algorithms: Arc::clone(&*WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS), @@ -316,6 +316,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { Some(ee::key_usage), ), // CA/B 7.1.2.7.12 Subscriber Certificate Subject Alternative Name + // This validator handles both client and server cases by only matching against + // the SAN if the profile contains a subject, which it won't in the client + // validation case. subject_alternative_name: ExtensionValidator::present( Criticality::Agnostic, Some(ee::subject_alternative_name), 
@@ -337,6 +340,39 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } } + /// Create a new policy with suitable defaults for client certification + /// validation. + /// + /// **IMPORTANT**: This is **not** the appropriate API for verifying + /// website (i.e. server) certificates. For that, you **must** use + /// [`Policy::server`]. + pub fn client(ops: B, time: asn1::DateTime, max_chain_depth: Option) -> Self { + Self::new( + ops, + None, + time, + max_chain_depth, + EKU_CLIENT_AUTH_OID.clone(), + ) + } + + /// Create a new policy with defaults for the server certificate profile + /// defined in the CA/B Forum's Basic Requirements. + pub fn server( + ops: B, + subject: Subject<'a>, + time: asn1::DateTime, + max_chain_depth: Option, + ) -> Self { + Self::new( + ops, + Some(subject), + time, + max_chain_depth, + EKU_SERVER_AUTH_OID.clone(), + ) + } + fn permits_basic(&self, cert: &Certificate<'_>) -> Result<(), ValidationError> { // CA/B 7.1.1: // Certificates MUST be of type X.509 v3. diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index d35c3a61ceaa..2c65f6327103 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -2,13 +2,16 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use cryptography_x509::certificate::Certificate; +use cryptography_x509::{ + certificate::Certificate, extensions::SubjectAlternativeName, oid::SUBJECT_ALTERNATIVE_NAME_OID, +}; use cryptography_x509_verification::{ ops::{CryptoOps, VerificationCertificate}, policy::{Policy, Subject}, trust_store::Store, types::{DNSName, IPAddress}, }; +use pyo3::IntoPy; use crate::backend::keys; use crate::error::{CryptographyError, CryptographyResult}; 
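Review bot: The doc comment on `Policy::client` warns against using it for server certificates but does not say that this profile passes `None` as the subject, so no name in the leaf's SAN is matched during validation. A caller has to compare the validated leaf's names against its own authorization rules, and the comment is the place to say so, e.g. `/// No subject is matched by this policy; callers must authorize the leaf's SAN names themselves.`. The first sentence also reads "client certification validation", which looks like a typo for "client certificate validation".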
@@ -17,6 +20,8 @@ use crate::x509::certificate::Certificate as PyCertificate; use crate::x509::common::{datetime_now, datetime_to_py, py_to_datetime}; use crate::x509::sign; +use super::parse_general_names; + pub(crate) struct PyCryptoOps {} impl CryptoOps for PyCryptoOps { @@ -118,6 +123,28 @@ impl PolicyBuilder { }) } + fn build_client_verifier(&self, py: pyo3::Python<'_>) -> CryptographyResult { + let store = match self.store.as_ref() { + Some(s) => s.clone_ref(py), + None => { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "A client verifier must have a trust store.", + ), + )); + } + }; + + let time = match self.time.as_ref() { + Some(t) => t.clone(), + None => datetime_now(py)?, + }; + + let policy = PyCryptoPolicy(Policy::client(PyCryptoOps {}, time, self.max_chain_depth)); + + Ok(PyClientVerifier { policy, store }) + } + fn build_server_verifier( &self, py: pyo3::Python<'_>, 
@@ -180,6 +207,97 @@ self_cell::self_cell!( } ); +#[pyo3::pyclass( + frozen, + name = "VerifiedClient", + module = "cryptography.hazmat.bindings._rust.x509" +)] +struct PyVerifiedClient { + #[pyo3(get)] + subjects: pyo3::Py, + #[pyo3(get)] + chain: pyo3::Py, +} + +#[pyo3::pyclass( + frozen, + name = "ClientVerifier", + module = "cryptography.hazmat.bindings._rust.x509" +)] +struct PyClientVerifier { + policy: PyCryptoPolicy<'static>, + #[pyo3(get)] + store: pyo3::Py, +} + +impl PyClientVerifier { + fn as_policy(&self) -> &Policy<'_, PyCryptoOps> { + &self.policy.0 + } +} + +#[pyo3::pymethods] +impl PyClientVerifier { + #[getter] + fn validation_time<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + datetime_to_py(py, &self.as_policy().validation_time) + } + + #[getter] + fn max_chain_depth(&self) -> u8 { + self.as_policy().max_chain_depth + } + + fn verify( + &self, + py: pyo3::Python<'_>, + leaf: pyo3::Py, + intermediates: Vec>, + ) -> CryptographyResult { + let policy = self.as_policy(); + let store = self.store.get(); + + let chain = cryptography_x509_verification::verify( + &VerificationCertificate::new( + leaf.get().raw.borrow_dependent().clone(), + leaf.clone_ref(py), + ), + intermediates.iter().map(|i| { + VerificationCertificate::new( + i.get().raw.borrow_dependent().clone(), + i.clone_ref(py), + ) + }), + policy, + store.raw.borrow_dependent(), + ) + .map_err(|e| VerificationError::new_err(format!("validation failed: {e:?}")))?; + + let py_chain = pyo3::types::PyList::empty(py); + for c in &chain { + py_chain.append(c.extra())?; + } + + // NOTE: These `unwrap()`s cannot fail, since the underlying policy + // enforces the presence of a SAN and the well-formedness of the + // extension set. 
+ let leaf_san = &chain[0] + .certificate() + .extensions() + .unwrap() + .get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) + .unwrap(); + + let leaf_gns = leaf_san.value::>()?; + let py_gns = parse_general_names(py, &leaf_gns)?; + + Ok(PyVerifiedClient { + subjects: py_gns, + chain: py_chain.into_py(py), + }) + } +} + #[pyo3::pyclass( frozen, name = "ServerVerifier", @@ -333,6 +451,8 @@ impl PyStore { } pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { + module.add_class::()?; + module.add_class::()?; module.add_class::()?; module.add_class::()?; module.add_class::()?; diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index c745bdbe5729..2675ca735475 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -12,7 +12,9 @@ from cryptography import x509 from cryptography.x509 import load_pem_x509_certificate from cryptography.x509.verification import ( + ClientVerifier, PolicyBuilder, + ServerVerifier, Store, VerificationError, ) @@ -78,12 +80,14 @@ def _get_limbo_peer(expected_peer): kind = expected_peer["kind"] - assert kind in ("DNS", "IP") + assert kind in ("DNS", "IP", "RFC822") value = expected_peer["value"] if kind == "DNS": return x509.DNSName(value) - else: + elif kind == "IP": return x509.IPAddress(ipaddress.ip_address(value)) + else: + return x509.RFC822Name(value) def _limbo_testcase(id_, testcase): @@ -95,14 +99,7 @@ def _limbo_testcase(id_, testcase): if unsupported: pytest.skip(f"explicitly skipped features: {unsupported}") - if testcase["validation_kind"] != "SERVER": - pytest.skip("non-SERVER testcase") - assert testcase["signature_algorithms"] == [] - assert testcase["extended_key_usage"] == [] or testcase[ - "extended_key_usage" - ] == ["serverAuth"] - assert testcase["expected_peer_names"] == [] trusted_certs = [ load_pem_x509_certificate(cert.encode()) 
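Review bot: The two `.unwrap()` calls in `PyClientVerifier::verify` turn a broken assumption about another crate's policy into a panic instead of an error. The comment says the policy guarantees a well-formed extension set and a SAN on the leaf, but that guarantee lives in `cryptography-x509-verification` and nothing in this function checks it, so a later policy change would go unnoticed here. Returning an error keeps the call failing closed without a panic crossing into Python, e.g. `.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID).ok_or_else(|| VerificationError::new_err("validated leaf has no subjectAltName"))?`, with a matching `map_err` on `extensions()`.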
@@ -115,7 +112,6 @@ def _limbo_testcase(id_, testcase): peer_certificate = load_pem_x509_certificate( testcase["peer_certificate"].encode() ) - peer_name = _get_limbo_peer(testcase["expected_peer_name"]) validation_time = testcase["validation_time"] validation_time = ( datetime.datetime.fromisoformat(validation_time) @@ -131,12 +127,33 @@ def _limbo_testcase(id_, testcase): if max_chain_depth is not None: builder = builder.max_chain_depth(max_chain_depth) - verifier = builder.build_server_verifier(peer_name) + verifier: ServerVerifier | ClientVerifier + if testcase["validation_kind"] == "SERVER": + assert testcase["extended_key_usage"] == [] or testcase[ + "extended_key_usage" + ] == ["serverAuth"] + peer_name = _get_limbo_peer(testcase["expected_peer_name"]) + verifier = builder.build_server_verifier(peer_name) + else: + assert testcase["extended_key_usage"] == ["clientAuth"] + verifier = builder.build_client_verifier() if should_pass: - built_chain = verifier.verify( - peer_certificate, untrusted_intermediates - ) + if isinstance(verifier, ServerVerifier): + built_chain = verifier.verify( + peer_certificate, untrusted_intermediates + ) + else: + verified_client = verifier.verify( + peer_certificate, untrusted_intermediates + ) + + expected_subjects = [ + _get_limbo_peer(p) for p in testcase["expected_peer_names"] + ] + assert expected_subjects == verified_client.subjects + + built_chain = verified_client.chain # Assert that the verifier returns chains in [EE, ..., TA] order. assert built_chain[0] == peer_certificate diff --git a/tests/x509/verification/test_verification.py b/tests/x509/verification/test_verification.py index 8c2be7054227..e8c280fce0e6 100644 --- a/tests/x509/verification/test_verification.py +++ b/tests/x509/verification/test_verification.py 
@@ -105,6 +105,40 @@ def test_store_rejects_non_certificates(self): Store(["not a cert"]) # type: ignore[list-item] +class TestClientVerifier: + def test_build_client_verifier_missing_store(self): + with pytest.raises( + ValueError, match="A client verifier must have a trust store" + ): + PolicyBuilder().build_client_verifier() + + def test_verify(self): + # expires 2018-11-16 01:15:03 UTC + leaf = _load_cert( + os.path.join("x509", "cryptography.io.pem"), + x509.load_pem_x509_certificate, + ) + + store = Store([leaf]) + + validation_time = datetime.datetime.fromisoformat( + "2018-11-16T00:00:00+00:00" + ) + builder = PolicyBuilder().store(store) + builder = builder.time(validation_time).max_chain_depth(16) + verifier = builder.build_client_verifier() + + assert verifier.validation_time == validation_time.replace(tzinfo=None) + assert verifier.max_chain_depth == 16 + + verified_client = verifier.verify(leaf, []) + assert verified_client.chain == [leaf] + + assert x509.DNSName("www.cryptography.io") in verified_client.subjects + assert x509.DNSName("cryptography.io") in verified_client.subjects + assert len(verified_client.subjects) == 2 + + class TestServerVerifier: @pytest.mark.parametrize( ("validation_time", "valid"), From 71e4ae3434aea8b434aea97ac156cc31804e81cd Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 20 Mar 2024 21:14:08 -0400 Subject: [PATCH 0289/1462] Added the PKCS#12 KDF (#10564) --- src/rust/src/pkcs12.rs | 155 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 155 insertions(+) diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 0743e5e7778f..1df4d51ae2e8 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs 
@@ -72,6 +72,113 @@ impl PKCS12Certificate { } } +#[allow(dead_code)] +const KDF_ENCRYPTION_KEY_ID: u8 = 1; +#[allow(dead_code)] +const KDF_IV_ID: u8 = 2; +#[allow(dead_code)] +const KDF_MAC_KEY_ID: u8 = 3; +#[allow(dead_code)] +fn pkcs12_kdf( + pass: &[u8], + salt: &[u8], + id: u8, + rounds: u64, + key_len: usize, + hash_alg: openssl::hash::MessageDigest, +) -> CryptographyResult> { + // Encode the password as big-endian UTF-16 with NUL trailer + let pass = std::str::from_utf8(pass) + .map_err(|_| pyo3::exceptions::PyValueError::new_err("key must be valid UTF-8"))? + .encode_utf16() + .chain([0]) + .flat_map(|v| v.to_be_bytes()) + .collect::>(); + + // Comments are borrowed from BoringSSL. + // In the spec, |block_size| is called "v", but measured in bits. + let block_size = hash_alg.block_size(); + + // 1. Construct a string, D (the "diversifier"), by concatenating v/8 copies + // of ID. + let d = vec![id; block_size]; + + // 2. Concatenate copies of the salt together to create a string S of length + // v(ceiling(s/v)) bits (the final copy of the salt may be truncated to + // create S). Note that if the salt is the empty string, then so is S. + // + // 3. Concatenate copies of the password together to create a string P of + // length v(ceiling(p/v)) bits (the final copy of the password may be + // truncated to create P). Note that if the password is the empty string, + // then so is P. + // + // 4. Set I=S||P to be the concatenation of S and P. + let s_len = block_size * ((salt.len() + block_size - 1) / block_size); + let p_len = block_size * ((pass.len() + block_size - 1) / block_size); + + let mut init_key = vec![0; s_len + p_len]; + for i in 0..s_len { + init_key[i] = salt[i % salt.len()]; + } + for i in 0..p_len { + init_key[i + s_len] = pass[i % pass.len()]; + } + + let mut result = vec![0; key_len]; + let mut pos = 0; + loop { + // A. Set A_i=H^r(D||I). (i.e., the r-th hash of D||I, + // H(H(H(... 
H(D||I)))) + + let mut h = openssl::hash::Hasher::new(hash_alg)?; + h.update(&d)?; + h.update(&init_key)?; + let mut a = h.finish()?; + + for _ in 1..rounds { + let mut h = openssl::hash::Hasher::new(hash_alg)?; + h.update(&a)?; + a = h.finish()?; + } + + let to_add = a.len().min(result.len() - pos); + result[pos..pos + to_add].copy_from_slice(&a[..to_add]); + pos += to_add; + if pos == result.len() { + break; + } + + // B. Concatenate copies of A_i to create a string B of length v bits (the + // final copy of A_i may be truncated to create B). + let mut b = vec![0; block_size]; + for i in 0..block_size { + b[i] = a[i % a.len()]; + } + + // C. Treating I as a concatenation I_0, I_1, ..., I_(k-1) of v-bit blocks, + // where k=ceiling(s/v)+ceiling(p/v), modify I by setting I_j=(I_j+B+1) mod + // 2^v for each j. + assert!(init_key.len() % block_size == 0); + let mut j = 0; + while j < init_key.len() { + let mut carry = 1u16; + let mut k = block_size - 1; + loop { + carry += init_key[k + j] as u16 + b[k] as u16; + init_key[j + k] = carry as u8; + carry >>= 8; + if k == 0 { + break; + } + k -= 1; + } + j += block_size; + } + } + + Ok(result) +} + fn decode_p12( data: CffiBuf<'_>, password: Option>, 
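Review bot: `pkcs12_kdf` accepts `rounds == 0` and treats it like 1, because `for _ in 1..rounds` is empty in both cases and the first hash is always computed. An iteration count is normally read from the PKCS#12 file being opened, so a zero should probably be rejected rather than accepted as a single round; the function is still `#[allow(dead_code)]`, so the eventual caller is not visible here. A guard at the top would do it: `if rounds == 0 { return Err(pyo3::exceptions::PyValueError::new_err("rounds must be at least 1").into()); }`. The function also has no doc comment; a short one naming the parameters (`id` being one of the `KDF_*_ID` constants, `key_len` in bytes) would help the first caller.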
@@ -212,3 +319,51 @@ pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::pr Ok(submod) } + +#[cfg(test)] +mod tests { + use super::{pkcs12_kdf, KDF_ENCRYPTION_KEY_ID, KDF_IV_ID, KDF_MAC_KEY_ID}; + + #[test] + fn test_pkcs12_kdf() { + for (password, salt, id, rounds, key_len, hash, expected_key) in [ + // From https://github.com/RustCrypto/formats/blob/master/pkcs12/tests/kdf.rs + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_ENCRYPTION_KEY_ID, 100, 32, openssl::hash::MessageDigest::sha256(), b"\xfa\xe4\xd4\x95z<\xc7\x81\xe1\x18\x0b\x9dO\xb7\x9c\x1e\x0c\x85y\xb7F\xa3\x17~[\x07h\xa3\x11\x8b\xf8c" as &[u8]), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_IV_ID, 100, 32, openssl::hash::MessageDigest::sha256(), b"\xe5\xff\x81;\xc6T}\xe5\x15[\x14\xd2\xfa\xda\x85\xb3 \x1a\x97sI\xdbn&\xcc\xc9\x98\xd9\xe8\xf8=l"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_MAC_KEY_ID, 100, 32, openssl::hash::MessageDigest::sha256(), b"\x13cU\xed\x944Qf\x82SOF\xd69V\xdb_\xf0k\x84G\x02\xc2\xc1\xf3\xb4c!\xe2RJM"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_ENCRYPTION_KEY_ID, 100, 20, openssl::hash::MessageDigest::sha256(), b"\xfa\xe4\xd4\x95z<\xc7\x81\xe1\x18\x0b\x9dO\xb7\x9c\x1e\x0c\x85y\xb7"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_IV_ID, 100, 20, openssl::hash::MessageDigest::sha256(), b"\xe5\xff\x81;\xc6T}\xe5\x15[\x14\xd2\xfa\xda\x85\xb3 \x1a\x97s"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_MAC_KEY_ID, 100, 20, openssl::hash::MessageDigest::sha256(), b"\x13cU\xed\x944Qf\x82SOF\xd69V\xdb_\xf0k\x84"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_ENCRYPTION_KEY_ID, 100, 12, openssl::hash::MessageDigest::sha256(), b"\xfa\xe4\xd4\x95z<\xc7\x81\xe1\x18\x0b\x9d"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_IV_ID, 100, 12, openssl::hash::MessageDigest::sha256(), 
b"\xe5\xff\x81;\xc6T}\xe5\x15[\x14\xd2"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_MAC_KEY_ID, 100, 12, openssl::hash::MessageDigest::sha256(), b"\x13cU\xed\x944Qf\x82SOF"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_ENCRYPTION_KEY_ID, 1000, 32, openssl::hash::MessageDigest::sha256(), b"+\x95\xa0V\x9bc\xf6A\xfa\xe1\xef\xca2\xe8M\xb3i\x9a\xb7E@b\x8b\xa6b\x83\xb5\x8c\xf5@\x05'"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_IV_ID, 1000, 32, openssl::hash::MessageDigest::sha256(), b"dr\xc0\xeb\xad?\xabA#\xe8\xb5\xedx4\xde!\xee\xb2\x01\x87\xb3\xef\xf7\x8a}\x1c\xdf\xfa@4\x85\x1d"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_MAC_KEY_ID, 1000, 32, openssl::hash::MessageDigest::sha256(), b"?\x91\x13\xf0\\0\xa9\x96\xc4\xa5\x16@\x9b\xda\xc9\xd0e\xf4B\x96\xcc\xd5+\xb7]\xe3\xfc\xfd\xbe+\xf10"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_ENCRYPTION_KEY_ID, 1000, 100, openssl::hash::MessageDigest::sha256(), b"+\x95\xa0V\x9bc\xf6A\xfa\xe1\xef\xca2\xe8M\xb3i\x9a\xb7E@b\x8b\xa6b\x83\xb5\x8c\xf5@\x05\'\xd8\xd0\xeb\xe2\xcc\xbfv\x8cQ\xc4\xd8\xfb\xd1\xbb\x15k\xe0l\x1cY\xcb\xb6\x9eD\x05/\xfc77o\xdbG\xb2\xde\x7f\x9eT=\xe9\xd0\x96\xd8\xe5GK\"\x04\x10\xff\x1c]\x8b\xb7\xe5\xbc\x0fa\xba\xea\xa1/\xd0\xda\x1dz\x97\x01r"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_ENCRYPTION_KEY_ID, 1000, 200, openssl::hash::MessageDigest::sha256(), 
b"+\x95\xa0V\x9bc\xf6A\xfa\xe1\xef\xca2\xe8M\xb3i\x9a\xb7E@b\x8b\xa6b\x83\xb5\x8c\xf5@\x05\'\xd8\xd0\xeb\xe2\xcc\xbfv\x8cQ\xc4\xd8\xfb\xd1\xbb\x15k\xe0l\x1cY\xcb\xb6\x9eD\x05/\xfc77o\xdbG\xb2\xde\x7f\x9eT=\xe9\xd0\x96\xd8\xe5GK\"\x04\x10\xff\x1c]\x8b\xb7\xe5\xbc\x0fa\xba\xea\xa1/\xd0\xda\x1dz\x97\x01r\x9c\xea`\x14\xd7\xfeb\xa2\xed\x92m\xc3ka0\x7f\x11\x9dd\xed\xbc\xebZ\x9cX\x13;\xbfu\xba\x0b\xef\x00\n\x1aQ\x80\xe4\xb1\xde}\x89\xc8\x95(\xbc\xb7\x89\x9a\x1eF\xfdM\xa0\xd9\xde\x8f\x8ee\xe8\xd0\xd7u\xe3=\x12G\xe7mYj401a\xb2\x19\xf3\x9a\xfd\xa4H\xbfQ\x8a(5\xfc^(\xf0\xb5Z\x1ba7\xa2\xc7\x0c\xf7"), + + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_ENCRYPTION_KEY_ID, 100, 32, openssl::hash::MessageDigest::sha512(), b"\xb1J\x9f\x01\xbf\xd9\xdc\xe4\xc9\xd6m/\xe9\x93~_\xd9\xf1\xaf\xa5\x9e7\no\xa4\xfc\x81\xc1\xcc\x8e\xc8\xee"), + + // From https://cs.opensource.google/go/x/crypto/+/master:pkcs12/pbkdf_test.go + (b"sesame", b"\xff\xff\xff\xff\xff\xff\xff\xff", KDF_ENCRYPTION_KEY_ID, 2048, 24, openssl::hash::MessageDigest::sha1(), b"\x7c\xd9\xfd\x3e\x2b\x3b\xe7\x69\x1a\x44\xe3\xbe\xf0\xf9\xea\x0f\xb9\xb8\x97\xd4\xe3\x25\xd9\xd1"), + ] { + let result = pkcs12_kdf(password, salt, id, rounds, key_len, hash).map_err(|_| ()).unwrap(); + assert_eq!(result, expected_key); + } + } + + #[test] + fn test_pkcs12_kdf_error() { + // Key is not valid UTF-8 + let result = pkcs12_kdf( + b"\x91\x82%\xa1", + b"\x01\x02\x03\x04", + KDF_ENCRYPTION_KEY_ID, + 100, + 8, + openssl::hash::MessageDigest::sha256(), + ); + assert!(matches!(result, Err(_))); + } +} From 9482fdef7b40a2d43913b48a53a36e8c5b055bc0 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 20 Mar 2024 21:15:24 -0400 Subject: [PATCH 0290/1462] CHANGELOG: record new X.509 client verification APIs (#10615) --- .gitignore | 4 +++- CHANGELOG.rst | 6 ++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 035b15ccd025..1d4ebfbc597a 100644 --- a/.gitignore +++ b/.gitignore 
@@ -13,4 +13,6 @@ htmlcov/ *.py[cdo] .hypothesis/ target/ -.rust-cov/ \ No newline at end of file +.rust-cov/ +*.lcov +*.profdata diff --git a/CHANGELOG.rst b/CHANGELOG.rst index fb71418f32f5..a1ce4d63793c 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -29,6 +29,12 @@ Changelog They will be removed from the ``cipher`` module in 48.0.0. * Added support for deterministic :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDSA` (:rfc:`6979`) +* Added support for client certificate verification to the + :mod:`X.509 path validation ` APIs in the + form of :class:`~cryptography.x509.verification.ClientVerifier`, + :class:`~cryptography.x509.verification.VerifiedClient`, and + ``PolicyBuilder`` + :meth:`~cryptography.x509.verification.PolicyBuilder.build_client_verifier`. .. _v42-0-5: From deb2bae5117266781cc65fe56eae87075ac0cb37 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 11:09:58 +0000 Subject: [PATCH 0291/1462] Bump smallvec from 1.13.1 to 1.13.2 in /src/rust (#10617) Bumps [smallvec](https://github.com/servo/rust-smallvec) from 1.13.1 to 1.13.2. - [Release notes](https://github.com/servo/rust-smallvec/releases) - [Commits](https://github.com/servo/rust-smallvec/compare/v1.13.1...v1.13.2) --- updated-dependencies: - dependency-name: smallvec dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 1f28cb2d9c02..a8102b1b9a96 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -371,9 +371,9 @@ checksum = "58bf37232d3bb9a2c4e641ca2a11d83b5062066f88df7fed36c28772046d65ba" [[package]] name = "smallvec" -version = "1.13.1" +version = "1.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" +checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" From de7d0b0bd0d99f5a3ba58090372bf67f0342f6c5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 08:02:41 -0400 Subject: [PATCH 0292/1462] Bump sigstore-protobuf-specs from 0.2.2 to 0.3.0 in /.github/requirements (#10619) * Bump sigstore-protobuf-specs in /.github/requirements Bumps [sigstore-protobuf-specs](https://github.com/sigstore/protobuf-specs) from 0.2.2 to 0.3.0. - [Release notes](https://github.com/sigstore/protobuf-specs/releases) - [Changelog](https://github.com/sigstore/protobuf-specs/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/protobuf-specs/compare/release/python/v0.2.2...v0.3.0) --- updated-dependencies: - dependency-name: sigstore-protobuf-specs dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index bb925eb0f5b7..b894aff8d091 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -538,9 +538,9 @@ sigstore==2.1.3 \ --hash=sha256:7a0c1252cb7974024aee87c8e0f0f6247604af16e8b5a8e3d0a9e1201e330aa2 \ --hash=sha256:f3aaa564c0d48a62fb40c103615bba01af787eaf9fda3b6e1a3e1dc5abc2d311 # via -r publish-requirements.in -sigstore-protobuf-specs==0.2.2 \ - --hash=sha256:62c7beabc6910fb570dc4c600e33e81f2d2d683f785202ee109ca394bd829e94 \ - --hash=sha256:c05c1e7478a80af0c7dea9cc2d11f047826e4c029573d564137f788e11377391 +sigstore-protobuf-specs==0.3.0 \ + --hash=sha256:3322adb73992bca0f3dc6d4c2c38bac29086a11d2631a983adb2798e58e32a54 \ + --hash=sha256:e06321d28e58cb1505ae682b63756b4fb858da6b11bd7b49a2b6beabe412ebfd # via sigstore sigstore-rekor-types==0.0.11 \ --hash=sha256:791a696eccd5d07c933cc11d46dea22983efedaf5f1068734263ce0f25695bba \ From 6e9b22af436c9da1b1752c811b9e63e326cb05f9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 08:02:54 -0400 Subject: [PATCH 0293/1462] Bump importlib-metadata from 7.0.2 to 7.1.0 in /.github/requirements (#10618) * Bump importlib-metadata from 7.0.2 to 7.1.0 in /.github/requirements Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 7.0.2 to 7.1.0. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v7.0.2...v7.1.0) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index b894aff8d091..2dfde9d77409 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -240,9 +240,9 @@ idna==3.6 \ # via # email-validator # requests -importlib-metadata==7.0.2 \ - --hash=sha256:198f568f3230878cb1b44fbd7975f87906c22336dba2e4a7f05278c281fbd792 \ - --hash=sha256:f4bc4c0c070c490abf4ce96d715f68e95923320370efb66143df00199bb6c100 +importlib-metadata==7.1.0 \ + --hash=sha256:30962b96c0c223483ed6cc7280e7f0199feb01a0e40cfae4d4450fc6fab1f570 \ + --hash=sha256:b78938b926ee8d5f020fc4772d487045805a55ddbad2ecf21c6d60938dc7fcd2 # via # keyring # twine From f9b78cf489528ca90ebb51ca67b35983537fdbcf Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 21:54:58 -0400 Subject: [PATCH 0294/1462] Bump BoringSSL and/or OpenSSL in CI (#10624) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b660cdbaf860..55823ac088a5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 21, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "a200650ac344338f9af86822266984804eb86370"}} - # Latest commit on the OpenSSL master branch, as of Mar 16, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dc9bc6c8e1bd329ead703417a2235ab3e97557ec"}} + # Latest commit on the BoringSSL master branch, as of Mar 22, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "06fb6e1b129d426b0f543e0e77890295175f012a"}} + # Latest commit on the OpenSSL master branch, as of Mar 22, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9abcf116962e9a117717c751de93846f11da16cd"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 8bd15a1d28c78b48791e68aa6800271fd11abf8b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 21 Mar 2024 22:08:56 -0400 Subject: [PATCH 0295/1462] Added additional PKCS#12 tests (#10622) --- tests/hazmat/primitives/test_pkcs12.py | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 9ee3cc3fc769..f5284b788cc3 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py 
@@ -414,7 +414,33 @@ def test_generate_cas_friendly_names(self, backend): p12_cert = load_pkcs12(p12, None, backend) cas = p12_cert.additional_certs + assert cas[0].certificate == cert2 assert cas[0].friendly_name == b"cert2" + assert cas[1].certificate == cert3 + assert cas[1].friendly_name is None + + def test_generate_cas_friendly_names_no_key(self, backend): + cert2 = _load_cert( + backend, os.path.join("x509", "custom", "dsa_selfsigned_ca.pem") + ) + cert3 = _load_cert(backend, os.path.join("x509", "letsencryptx3.pem")) + encryption = serialization.NoEncryption() + p12 = serialize_key_and_certificates( + None, + None, + None, + [ + PKCS12Certificate(cert2, b"cert2"), + PKCS12Certificate(cert3, None), + ], + encryption, + ) + + p12_cert = load_pkcs12(p12, None, backend) + cas = p12_cert.additional_certs + assert cas[0].certificate == cert2 + assert cas[0].friendly_name == b"cert2" + assert cas[1].certificate == cert3 assert cas[1].friendly_name is None def test_generate_wrong_types(self, backend): From 089039d0f6bb34d6a8b4dcdb04265547abc74c1d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 21 Mar 2024 22:44:41 -0400 Subject: [PATCH 0296/1462] Added additional PKCS#12 tests (#10625) --- tests/hazmat/primitives/test_pkcs12.py | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index f5284b788cc3..9217e4eca5f2 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py 
@@ -529,6 +529,30 @@ def test_generate_cert_only(self, encryption_algorithm, password, backend): assert parsed_key is None assert parsed_more_certs == [cert] + def test_generate_cert_only_none_cas(self, backend): + # Same as test_generate_cert_only, but passing None instead of an + # empty list for cas. + cert, _ = _load_ca(backend) + p12 = serialize_key_and_certificates( + None, None, cert, None, serialization.NoEncryption() + ) + parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates( + p12, None + ) + assert parsed_cert is None + assert parsed_key is None + assert parsed_more_certs == [cert] + + def test_invalid_utf8_friendly_name(self, backend): + if rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL: + pytest.skip("Temporarily doesn't work on LibreSSL") + + cert, _ = _load_ca(backend) + with pytest.raises(ValueError): + serialize_key_and_certificates( + b"\xc9", None, cert, None, serialization.NoEncryption() + ) + def test_must_supply_something(self): with pytest.raises(ValueError) as exc: serialize_key_and_certificates( From 51a6dd28ccbb7587fff9e951299b17aac39ee5cc Mon Sep 17 00:00:00 2001 
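Review bot: `test_invalid_utf8_friendly_name` skips on LibreSSL with only the message "Temporarily doesn't work on LibreSSL", which records neither what fails there nor when the skip can be removed. Rejection of a malformed friendly name is input-validation behaviour worth tracking per backend, so a comment above the skip should state the observed LibreSSL behaviour and carry a tracking reference, e.g. `# TODO(<issue-link>): LibreSSL <observed behaviour>; remove skip once fixed`. `pytest.raises(ValueError)` could also take a `match=` argument so that an unrelated `ValueError` from `serialize_key_and_certificates` does not satisfy the test.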
From: commonism Date: Fri, 22 Mar 2024 04:24:22 +0100 Subject: [PATCH 0297/1462] Adding support for OpenSSH ecdsa-sk & ed25519-sk public keys (#10608) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Adding support for OpenSSH ecdsa-sk & ed25519-sk public keys fixes #10604 * Revert changing the keygen * Add application string to sk key generation * Typing - fix load_application return value annotation * fix sk keys skipping loading in the tests * fix ruff E509 * Fix ruff … * comment wording Co-authored-by: Alex Gaynor * requested changes * no subclassing * fix SyntaxError: annotated name '_KEY_FORMATS' can't be global in python 3.7 c.f. https://github.com/python/cpython/issues/79120 * typo * Update src/cryptography/hazmat/primitives/serialization/ssh.py Co-authored-by: Alex Gaynor * Update src/cryptography/hazmat/primitives/serialization/ssh.py Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- .../hazmat/primitives/serialization/ssh.py | 56 +++++++++++++++++++ tests/hazmat/primitives/test_ssh.py | 33 +++++++++-- .../asymmetric/OpenSSH/gen.sh | 6 +- .../asymmetric/OpenSSH/sk-ecdsa-nopsw.key | 11 ++++ .../asymmetric/OpenSSH/sk-ecdsa-nopsw.key.pub | 1 + .../asymmetric/OpenSSH/sk-ecdsa-psw.key | 12 ++++ .../asymmetric/OpenSSH/sk-ecdsa-psw.key.pub | 1 + .../asymmetric/OpenSSH/sk-ed25519-nopsw.key | 10 ++++ .../OpenSSH/sk-ed25519-nopsw.key.pub | 1 + .../asymmetric/OpenSSH/sk-ed25519-psw.key | 11 ++++ .../asymmetric/OpenSSH/sk-ed25519-psw.key.pub | 1 + 11 files changed, 138 insertions(+), 5 deletions(-) create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-nopsw.key create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-nopsw.key.pub create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-psw.key create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-psw.key.pub create mode 100644 
vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-nopsw.key create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-nopsw.key.pub create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-psw.key create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-psw.key.pub diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py index f33edd55e0ea..fc9fbf42584f 100644 --- a/src/cryptography/hazmat/primitives/serialization/ssh.py +++ b/src/cryptography/hazmat/primitives/serialization/ssh.py @@ -64,6 +64,10 @@ def _bcrypt_kdf( _ECDSA_NISTP521 = b"ecdsa-sha2-nistp521" _CERT_SUFFIX = b"-cert-v01@openssh.com" +# U2F application string suffixed pubkey +_SK_SSH_ED25519 = b"sk-ssh-ed25519@openssh.com" +_SK_SSH_ECDSA_NISTP256 = b"sk-ecdsa-sha2-nistp256@openssh.com" + # These are not key types, only algorithms, so they cannot appear # as a public key type _SSH_RSA_SHA256 = b"rsa-sha2-256" 
@@ -572,6 +576,56 @@ def encode_private( f_priv.put_sshstr(f_keypair) +def load_application(data) -> tuple[memoryview, memoryview]: + """ + U2F application strings + """ + application, data = _get_sshstr(data) + if not application.tobytes().startswith(b"ssh:"): + raise ValueError( + "U2F application string does not start with b'ssh:' " + f"({application})" + ) + return application, data + + +class _SSHFormatSKEd25519: + """ + The format of a sk-ssh-ed25519@openssh.com public key is: + + string "sk-ssh-ed25519@openssh.com" + string public key + string application (user-specified, but typically "ssh:") + """ + + def load_public( + self, data: memoryview + ) -> tuple[ed25519.Ed25519PublicKey, memoryview]: + """Make Ed25519 public key from data.""" + public_key, data = _lookup_kformat(_SSH_ED25519).load_public(data) + application, data = load_application(data) + return public_key, data + + +class _SSHFormatSKECDSA: + """ + The format of a sk-ecdsa-sha2-nistp256@openssh.com public key is: + + string "sk-ecdsa-sha2-nistp256@openssh.com" + string curve name + ec_point Q + string application (user-specified, but typically "ssh:") + """ + + def load_public( + self, data: memoryview + ) -> tuple[ec.EllipticCurvePublicKey, memoryview]: + """Make Ed25519 public key from data.""" + public_key, data = _lookup_kformat(_ECDSA_NISTP256).load_public(data) + application, data = load_application(data) + return public_key, data + + _KEY_FORMATS = { _SSH_RSA: _SSHFormatRSA(), _SSH_DSA: _SSHFormatDSA(), @@ -579,6 +633,8 @@ def encode_private( _ECDSA_NISTP256: _SSHFormatECDSA(b"nistp256", ec.SECP256R1()), _ECDSA_NISTP384: _SSHFormatECDSA(b"nistp384", ec.SECP384R1()), _ECDSA_NISTP521: _SSHFormatECDSA(b"nistp521", ec.SECP521R1()), + _SK_SSH_ED25519: _SSHFormatSKEd25519(), + _SK_SSH_ECDSA_NISTP256: _SSHFormatSKECDSA(), } diff --git a/tests/hazmat/primitives/test_ssh.py b/tests/hazmat/primitives/test_ssh.py index cda2aad77b59..82f398305e21 100644 --- a/tests/hazmat/primitives/test_ssh.py 
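Review bot: The `ValueError` in `load_application` interpolates `application` directly into the f-string; since the code calls `.tobytes()` on it, the value is presumably a memoryview, so the message would show an object repr rather than the rejected string. `f"({application.tobytes()!r})"` would make the error actionable. The docstring of `_SSHFormatSKECDSA.load_public` says "Make Ed25519 public key from data." and should say ECDSA. Both `load_public` methods bind `application` and never use it, so `_, data = load_application(data)` would state the intent, and the helper's `data` parameter is unannotated while its return type is; `data: memoryview` would match the other signatures in this hunk.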
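Review bot: The two new `_KEY_FORMATS` entries point at classes that define only `load_public`, while the `sk-` key types become resolvable wherever this table is consulted. If the private-key or certificate paths also look formats up here (not visible in this hunk), an `sk-` input would fail with an `AttributeError` instead of a deliberate unsupported-key error; explicit methods that raise a clear exception would close that gap. Separately, the loaders return a plain Ed25519/EC public key and drop the application string, so a caller cannot tell a security-key-backed key from an ordinary one. If that is intended, a comment beside the entries would record it, e.g. `# sk- keys load as plain public keys; the application string is validated and discarded`.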
+++ b/tests/hazmat/primitives/test_ssh.py @@ -55,6 +55,10 @@ class TestOpenSSHSerialization: ("ecdsa-nopsw.key.pub", "ecdsa-nopsw.key-cert.pub"), ("ed25519-psw.key.pub", None), ("ed25519-nopsw.key.pub", "ed25519-nopsw.key-cert.pub"), + ("sk-ecdsa-psw.key.pub", None), + ("sk-ecdsa-nopsw.key.pub", None), + ("sk-ed25519-psw.key.pub", None), + ("sk-ed25519-nopsw.key.pub", None), ], ) def test_load_ssh_public_key(self, key_file, cert_file, backend): @@ -80,10 +84,14 @@ def test_load_ssh_public_key(self, key_file, cert_file, backend): ) else: public_key = load_ssh_public_key(pub_data, backend) - assert ( - public_key.public_bytes(Encoding.OpenSSH, PublicFormat.OpenSSH) - == nocomment_data - ) + if not key_file.startswith("sk-"): + # SK keys do not round-trip + assert ( + public_key.public_bytes( + Encoding.OpenSSH, PublicFormat.OpenSSH + ) + == nocomment_data + ) self.run_partial_pubkey(pub_data, backend) @@ -1800,3 +1808,20 @@ def test_sign_and_byte_compare_ed25519(self, monkeypatch, backend): b"t8yRa8IRbxvOyA9TZYDGG1dRE3DiR0fuudU20v6vqfTd1gx0S5QyEdECXLl9ZI3" b"AwZgc=" ) + + +class TestSSHSK: + @staticmethod + def ssh_str(application): + data = ( + len(application).to_bytes(length=4, byteorder="big") + + application.encode() + ) + return memoryview(data) + + def test_load_application(self): + ssh.load_application(self.ssh_str("ssh:test")) + + def test_load_application_valueerror(self): + with pytest.raises(ValueError): + ssh.load_application(self.ssh_str("hss:test")) diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/gen.sh b/vectors/cryptography_vectors/asymmetric/OpenSSH/gen.sh index b18c338b3803..4a494bda1153 100755 --- a/vectors/cryptography_vectors/asymmetric/OpenSSH/gen.sh +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/gen.sh 
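Review bot: For `sk-` files the round-trip assertion in `test_load_ssh_public_key` is skipped and nothing replaces it, so that branch only proves that loading does not raise. Asserting the returned key's type for those files would pin the new behaviour. The same gap is in `TestSSHSK.test_load_application` in the last hunk of this file, which discards the return value. Assuming the second tuple element is the unparsed remainder, `application, rest = ssh.load_application(self.ssh_str("ssh:test"))` followed by `assert application.tobytes() == b"ssh:test"` and `assert rest.tobytes() == b""` would check both halves. The body of `test_load_ssh_public_key` continues outside the hunk.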
@@ -19,10 +19,13 @@ getecbits() { genkey() { fn="$1" args="-f $fn -C $fn" + sk="-O application=ssh:the-application-string" case "$fn" in + sk-ecdsa-*) args="$args -t ecdsa-sk -b $(getecbits) $sk" ;; ecdsa-*) args="$args -t ecdsa -b $(getecbits)" ;; rsa-*) args="$args -t rsa" ;; dsa-*) args="$args -t dsa" ;; + sk-ed25519-*) args="$args -t ed25519-sk $sk" ;; ed25519-*) args="$args -t ed25519" ;; esac password='' @@ -33,12 +36,13 @@ genkey() { } # generate private key files -for ktype in rsa dsa ecdsa ed25519; do +for ktype in rsa dsa ecdsa sk-ecdsa ed25519 sk-ed25519; do for psw in nopsw psw; do genkey "${ktype}-${psw}.key" done done + # generate public key files for fn in *.key; do ssh-keygen -q -y -f "$fn" > /dev/null diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-nopsw.key b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-nopsw.key new file mode 100644 index 000000000000..23fd193a92fa --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-nopsw.key @@ -0,0 +1,11 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAlQAAACJzay1lY2 +RzYS1zaGEyLW5pc3RwMjU2QG9wZW5zc2guY29tAAAACG5pc3RwMjU2AAAAQQQ7XunI8QRf +myT0PKWJXtaE0lA6+Hy5HTfIDfHexsZV68AGAj0nYyf2+mAK/vPp6IyVBALJqdzdJYiyeX +p/3neLAAAAGnNzaDp0aGUtYXBwbGljYXRpb24tc3RyaW5nAAABAOGdI7jhnSO4AAAAInNr +LWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBDte6c +jxBF+bJPQ8pYle1oTSUDr4fLkdN8gN8d7GxlXrwAYCPSdjJ/b6YAr+8+nojJUEAsmp3N0l +iLJ5en/ed4sAAAAac3NoOnRoZS1hcHBsaWNhdGlvbi1zdHJpbmcBAAAAQDkL+WvhalaEJi +Lf/MaFsFeYzwvC06GZVqUXgCnzyutZzMB9a1deF9uFke1ib56tgZR9iVsskIJeWuwiAIg0 +es4AAAAAAAAAEnNrLWVjZHNhLW5vcHN3LmtleQECAwQ= +-----END OPENSSH PRIVATE KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-nopsw.key.pub b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-nopsw.key.pub new file mode 100644 index 000000000000..7c4193df3826 --- /dev/null 
+++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-nopsw.key.pub @@ -0,0 +1 @@ +sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBDte6cjxBF+bJPQ8pYle1oTSUDr4fLkdN8gN8d7GxlXrwAYCPSdjJ/b6YAr+8+nojJUEAsmp3N0liLJ5en/ed4sAAAAac3NoOnRoZS1hcHBsaWNhdGlvbi1zdHJpbmc= sk-ecdsa-nopsw.key diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-psw.key b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-psw.key new file mode 100644 index 000000000000..b406fa06800d --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-psw.key @@ -0,0 +1,12 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDIj2qUG3 +LdljUMp0/4zuFuAAAAEAAAAAEAAACVAAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3Bl +bnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACdJuKxgDLk+a1NeeCtRqCropd0hXume/cTdO +vV/B4lmupr9viNQsUT09wbKRflnOc9jxPAiQOzZbXTkmnV8kkAAAAac3NoOnRoZS1hcHBs +aWNhdGlvbi1zdHJpbmcAAAEAO6Vsfb59XIe524NKbXMjA0xleAi3lcZ5EF0dF48yRO2LfA +12B948LzsKOrgo+Cdq7BMLkCCA1z2811yvKtvy/7cR3D/p31cW7VEun4OAn+QoPCHmv25r +WVfUAv5PC5Ofdm7dtExTcMmyNUMcziovirTyhnlpc/wHD+wgp2oQGpcm+rjQlqX96cLJ7H +PM3wls38biP3wh2QWkoKWPyq7tMR4PiJOw9h6YNeZY3M1JnC9b2b0iHD6Ra/5LBBqV/Uyu +irkHWLB7ASchamexxRqu4fLFK4tjijhLV8hc/XLsQGeDNBHf4QSvZJP0usSSP37F1Ai+XM +stjM1iCsk1UEV9aA== +-----END OPENSSH PRIVATE KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-psw.key.pub b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-psw.key.pub new file mode 100644 index 000000000000..b9a6fa34156c --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-psw.key.pub @@ -0,0 +1 @@ +sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACdJuKxgDLk+a1NeeCtRqCropd0hXume/cTdOvV/B4lmupr9viNQsUT09wbKRflnOc9jxPAiQOzZbXTkmnV8kkAAAAac3NoOnRoZS1hcHBsaWNhdGlvbi1zdHJpbmc= sk-ecdsa-psw.key 
diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-nopsw.key b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-nopsw.key new file mode 100644 index 000000000000..db48fcd3e9a5 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-nopsw.key @@ -0,0 +1,10 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAYAAAABpzay1zc2 +gtZWQyNTUxOUBvcGVuc3NoLmNvbQAAACB6auRr7BwVOqTawgDOxUpaUFcN8SZ7SWzoR2Vs +ubbk3wAAABpzc2g6dGhlLWFwcGxpY2F0aW9uLXN0cmluZwAAARCWIPLyliDy8gAAABpzay +1zc2gtZWQyNTUxOUBvcGVuc3NoLmNvbQAAACB6auRr7BwVOqTawgDOxUpaUFcN8SZ7SWzo +R2Vsubbk3wAAABpzc2g6dGhlLWFwcGxpY2F0aW9uLXN0cmluZwEAAACAQPv/aY2F3YN1kD +1FHPa1HpEHOGAbsYj/2b6h8Rn+N4pU6hdTD5v19Efdz5jlt8Y84c61+8HKDPCI/g5Cbcvd +3uuGHuFUdgiarOZqKyuwBj3Kll9Whb/yV4wGo/NVXtCHa2SnWr2wjYtRTGPNNCgGPsLU05 +/KTNCStsNhEcsNDjEAAAAAAAAAFHNrLWVkMjU1MTktbm9wc3cua2V5AQIDBAUGBw== +-----END OPENSSH PRIVATE KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-nopsw.key.pub b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-nopsw.key.pub new file mode 100644 index 000000000000..dc900ed9dd6f --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-nopsw.key.pub @@ -0,0 +1 @@ +sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHpq5GvsHBU6pNrCAM7FSlpQVw3xJntJbOhHZWy5tuTfAAAAGnNzaDp0aGUtYXBwbGljYXRpb24tc3RyaW5n sk-ed25519-nopsw.key diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-psw.key b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-psw.key new file mode 100644 index 000000000000..92328aa1ecdd --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-psw.key 
@@ -0,0 +1,11 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBZQIE5S+ +fq0J5esB3Jo4smAAAAEAAAAAEAAABgAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t +AAAAIHf0iiNQTiR7NNAbeAwY+READVx9G0mP6idSAZ7bPTrMAAAAGnNzaDp0aGUtYXBwbG +ljYXRpb24tc3RyaW5nAAABEEeyENyjnVry24AKkT0cC6nRakzHeBY7nSmDiy3MX7sQNRze +illy4uWLZyv022QlMR4GqnXwnQ9bPqcPD0S/SAhuYnFRWI6PPUXkNqiqiS/ZsMkaSKDvBS +UKv5EXjBBk3Sh9IjNXXK8tt0+WIIR973hVEtolcgxvFZpc1IJuRl9gkpKlQFNzwcANTuwB +kr6t0qad/fp0bZldBL/zRtqfgMHTSFzNoITTaxA8ZQZ1Zm585u0NIX4ZDrTaoZVaO8t7Z5 +3r1784oCk6h/lomf9Qsg2eBf6CHMGlTHVFPop5VtGDKFVlgIxQCdwt0V1e6dWK6j5zOzBh +mNA7qT0q3quRLBqUADN698q5fLRFR1PzQ5bx +-----END OPENSSH PRIVATE KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-psw.key.pub b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-psw.key.pub new file mode 100644 index 000000000000..65fc4c31591b --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-psw.key.pub @@ -0,0 +1 @@ +sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHf0iiNQTiR7NNAbeAwY+READVx9G0mP6idSAZ7bPTrMAAAAGnNzaDp0aGUtYXBwbGljYXRpb24tc3RyaW5n sk-ed25519-psw.key From 775bb2ffb8a6a0502def7ab707857a04b0449a92 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 22 Mar 2024 11:11:00 +0000 Subject: [PATCH 0298/1462] Bump ruff from 0.3.3 to 0.3.4 (#10626) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.3.3 to 0.3.4. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.3.3...v0.3.4) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 60342287e07a..656b365fdbed 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.3.3 +ruff==0.3.4 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 857d6b1d2fb1b93251a89ca3534e2a28b32c4950 Mon Sep 17 00:00:00 2001 From: Axel Gembe Date: Fri, 22 Mar 2024 23:00:54 +0900 Subject: [PATCH 0299/1462] Pass -fmacro-prefix-map to cc to not leak paths into the binary (#10627) Without this compiling the CFFI generated `_openssl.c` file embeds the build path into the binary. When installed using PyPi this path is random, which makes the resulting binary not reproducible. --- src/rust/cryptography-cffi/build.rs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/rust/cryptography-cffi/build.rs b/src/rust/cryptography-cffi/build.rs index 5f73714f3415..13eae0f49df4 100644 --- a/src/rust/cryptography-cffi/build.rs +++ b/src/rust/cryptography-cffi/build.rs @@ -69,6 +69,13 @@ fn main() { .flag_if_supported("-Wno-error=sign-conversion") .flag_if_supported("-Wno-unused-parameter"); + // We use the `-fmacro-prefix-map` option to replace the output directory in macros with a dot. + // This is because we don't want a potentially random build path to end up in the binary because + // CFFI generated code uses the __FILE__ macro in its debug messages. + if let Some(out_dir_str) = Path::new(&out_dir).to_str() { + build.flag_if_supported(format!("-fmacro-prefix-map={}=.", out_dir_str).as_str()); + } + for python_include in env::split_paths(&python_includes) { build.include(python_include); } 
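Review bot: When `out_dir` is not valid UTF-8, `to_str()` returns `None` and the prefix map is skipped with no signal, and `flag_if_supported` likewise drops the flag silently on compilers that do not accept it. In either case a build quietly goes back to embedding the build path. An `else` branch such as `println!("cargo:warning=out_dir is not valid UTF-8; build path will be embedded via __FILE__");` would make the first case visible. `-fmacro-prefix-map` rewrites only macro expansions such as `__FILE__`; if debug info is ever emitted for this object, `-ffile-prefix-map` covers both macro and debug paths. `main` starts and ends outside the hunk.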
From 8436316862642fb515e51d5284a718df3b501bee Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 22 Mar 2024 19:34:41 -0400 Subject: [PATCH 0300/1462] Wycheproof lives under C2SP now (#10628) --- .github/actions/fetch-vectors/action.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 4 ++-- docs/development/test-vectors.rst | 5 +---- 3 files changed, 4 insertions(+), 7 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 4e3a214ce086..4dc167660dad 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -7,7 +7,7 @@ runs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - repository: "google/wycheproof" + repository: "C2SP/wycheproof" path: "wycheproof" # Latest commit on the wycheproof master branch, as of Mar 16, 2024. ref: "1621269c9f8e4a11f7de5dd2cb353400f054ce6f" # wycheproof-ref diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index dfd4f9b46c59..225a8d37538c 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml 
@@ -34,12 +34,12 @@ jobs: if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA - id: check-sha-wycheproof run: | - SHA=$(git ls-remote https://github.com/google/wycheproof refs/heads/master | cut -f1) + SHA=$(git ls-remote https://github.com/C2SP/wycheproof refs/heads/master | cut -f1) LAST_COMMIT=$(grep wycheproof-ref .github/actions/fetch-vectors/action.yml | grep -oE '[a-f0-9]{40}') if ! grep -q "$SHA" .github/actions/fetch-vectors/action.yml; then echo "COMMIT_SHA=${SHA}" >> $GITHUB_OUTPUT echo "COMMIT_MSG<> $GITHUB_OUTPUT - echo -e "## wycheproof\n[Commit: ${SHA}](https://github.com/google/wycheproof/commit/${SHA})\n\n[Diff](https://github.com/google/wycheproof/compare/${LAST_COMMIT}...${SHA}) between the last commit hash merged to this repository and the new commit." >> $GITHUB_OUTPUT + echo -e "## wycheproof\n[Commit: ${SHA}](https://github.com/C2SP/wycheproof/commit/${SHA})\n\n[Diff](https://github.com/C2SP/wycheproof/compare/${LAST_COMMIT}...${SHA}) between the last commit hash merged to this repository and the new commit." >> $GITHUB_OUTPUT echo "EOF" >> $GITHUB_OUTPUT fi - name: Update wycheproof diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index aeff528faf78..0f608e840c03 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -21,9 +21,6 @@ for various cryptographic algorithms. These are not included in the repository (or ``cryptography_vectors`` package), but rather cloned from Git in our continuous integration environments. -We have ensured all test vectors are used as of commit -``d9f6ec7d8bd8c96da05368999094e4a75ba5cb3d``. - Asymmetric ciphers ~~~~~~~~~~~~~~~~~~ 
@@ -1049,7 +1046,7 @@ header format (substituting the correct information): .. _`NIST`: https://www.nist.gov/ .. _`IETF`: https://www.ietf.org/ -.. _`Project Wycheproof`: https://github.com/google/wycheproof +.. _`Project Wycheproof`: https://github.com/C2SP/wycheproof .. _`NIST CAVP`: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program .. _`Bruce Schneier's vectors`: https://www.schneier.com/wp-content/uploads/2015/12/vectors-2.txt .. _`Camellia page`: https://info.isl.ntt.co.jp/crypt/eng/camellia/ From ee097cb2b7e140a98d2dfd37f0330f6c6e460688 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 23 Mar 2024 00:15:11 +0000 Subject: [PATCH 0301/1462] Bump BoringSSL and/or OpenSSL in CI (#10629) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 55823ac088a5..531eea195442 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 22, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "06fb6e1b129d426b0f543e0e77890295175f012a"}} - # Latest commit on the OpenSSL master branch, as of Mar 22, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9abcf116962e9a117717c751de93846f11da16cd"}} + # Latest commit on the BoringSSL master branch, as of Mar 23, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "231510cf506711eae6f7f06be9626bc7e44982b4"}} + # Latest commit on the OpenSSL master branch, as of Mar 23, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "24109dca5a793d58c68a346db5b21746079ec317"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 78fdf553a1913f86fe2bad08c33b1a2bee4cda5e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 23 Mar 2024 08:42:00 -0400 Subject: [PATCH 0302/1462] Remove uv-ism that's no longer required in local nox (#10630) --- noxfile.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/noxfile.py b/noxfile.py index 71f878572c44..c254b5e3685e 100644 --- a/noxfile.py +++ b/noxfile.py @@ -265,7 +265,7 @@ def local(session): *test_dependencies, *pyproject_data["project"]["optional-dependencies"]["ssh"], *pyproject_data["project"]["optional-dependencies"]["nox"], - "cryptography_vectors @ ./vectors/", + "./vectors/", verbose=False, ) 
@@ -301,7 +301,7 @@ def local(session): "cryptography", "--refresh-package", "cryptography", - "cryptography @ .", + ".", ) if session.posargs: From e9954a0a31db22201b96d62535f51a5f0316e218 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 23 Mar 2024 08:53:01 -0400 Subject: [PATCH 0303/1462] fixes #10631 -- remove documentation for method that was removed (#10632) * fixes #10631 -- remove documentation for method that was removed * Update CHANGELOG.rst --- CHANGELOG.rst | 4 ++-- docs/hazmat/primitives/asymmetric/ec.rst | 25 ------------------------ 2 files changed, 2 insertions(+), 27 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index a1ce4d63793c..4fc48964b21b 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1168,7 +1168,7 @@ Changelog :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point`, which immediately checks if the point is on the curve and supports compressed points. Deprecated the previous method - :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`. + ``cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point``. * Added :attr:`~cryptography.x509.ocsp.OCSPResponse.signature_hash_algorithm` to ``OCSPResponse``. * Updated :doc:`/hazmat/primitives/asymmetric/x25519` support to allow @@ -1878,7 +1878,7 @@ Changelog form using ``cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point`` and - :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`. + ``cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point``. * Added :meth:`~cryptography.x509.Extensions.get_extension_for_class`. * :class:`~cryptography.x509.CertificatePolicies` are now supported in the :class:`~cryptography.x509.CertificateBuilder`. 
diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst index c0a0ff757eab..a22a64be5c41 100644 --- a/docs/hazmat/primitives/asymmetric/ec.rst +++ b/docs/hazmat/primitives/asymmetric/ec.rst @@ -200,31 +200,6 @@ Elliptic Curve Signature Algorithms :raises ValueError: Raised if the point is invalid for the curve. :returns: A new instance of :class:`EllipticCurvePublicKey`. - .. classmethod:: from_encoded_point(curve, data) - - .. versionadded:: 1.1 - - .. note:: - - This has been deprecated in favor of - :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point` - - Decodes a byte string as described in `SEC 1 v2.0`_ section 2.3.3 and - returns an :class:`EllipticCurvePublicNumbers`. This method only - supports uncompressed points. - - :param curve: An - :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve` - instance. - - :param bytes data: The serialized point byte string. - - :returns: An :class:`EllipticCurvePublicNumbers` instance. - - :raises ValueError: Raised on invalid point type or data length. - - :raises TypeError: Raised when curve is not an - :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`. Elliptic Curve Key Exchange algorithm ------------------------------------- From 2f82c251c863fb81948f9ff7d99473f4963c5db2 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 24 Mar 2024 00:16:35 +0000 Subject: [PATCH 0304/1462] Bump BoringSSL and/or OpenSSL in CI (#10634) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 531eea195442..229eb24028dc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}}
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
- # Latest commit on the BoringSSL master branch, as of Mar 23, 2024.
- - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "231510cf506711eae6f7f06be9626bc7e44982b4"}}
- # Latest commit on the OpenSSL master branch, as of Mar 23, 2024.
- - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "24109dca5a793d58c68a346db5b21746079ec317"}}
+ # Latest commit on the BoringSSL master branch, as of Mar 24, 2024.
+ - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "70b33d39048abaa1c810ad63ace4b05af7b94d15"}}
+ # Latest commit on the OpenSSL master branch, as of Mar 24, 2024.
+ - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4a9e48f727ce7ad924c53a55b301e426d7e43863"}}
 # Builds with various Rust versions. Includes MSRV and next
 # potential future MSRV.
 - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"}
From e257fc6277b71532ddc1ae133296a34f58703e98 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 24 Mar 2024 01:03:39 +0000
Subject: [PATCH 0305/1462] Bump indoc from 2.0.4 to 2.0.5 in /src/rust (#10635) Bumps [indoc](https://github.com/dtolnay/indoc) from 2.0.4 to 2.0.5. - [Release notes](https://github.com/dtolnay/indoc/releases) - [Commits](https://github.com/dtolnay/indoc/compare/2.0.4...2.0.5) --- updated-dependencies: - dependency-name: indoc dependency-type: indirect update-type: version-update:semver-patch ...
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index a8102b1b9a96..15593ef1d12a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -150,9 +150,9 @@ checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" [[package]] name = "indoc" -version = "2.0.4" +version = "2.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e186cfbae8084e513daff4240b4797e342f988cecda4fb6c939150f96315fd8" +checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "libc" From b7b6c30ec61e2e8bbecee3997f89070046bc67e6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 23 Mar 2024 23:19:17 -0400 Subject: [PATCH 0306/1462] Bump keyring from 24.3.1 to 25.0.0 in /.github/requirements (#10636) * Bump keyring from 24.3.1 to 25.0.0 in /.github/requirements Bumps [keyring](https://github.com/jaraco/keyring) from 24.3.1 to 25.0.0. - [Release notes](https://github.com/jaraco/keyring/releases) - [Changelog](https://github.com/jaraco/keyring/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/keyring/compare/v24.3.1...v25.0.0) --- updated-dependencies: - dependency-name: keyring dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 2dfde9d77409..12755fbf8fba 100644 
--- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -250,15 +250,23 @@ jaraco-classes==3.3.1 \ --hash=sha256:86b534de565381f6b3c1c830d13f931d7be1a75f0081c57dff615578676e2206 \ --hash=sha256:cb28a5ebda8bc47d8c8015307d93163464f9f2b91ab4006e09ff0ce07e8bfb30 # via keyring +jaraco-context==4.3.0 \ + --hash=sha256:4dad2404540b936a20acedec53355bdaea223acb88fd329fa6de9261c941566e \ + --hash=sha256:5d9e95ca0faa78943ed66f6bc658dd637430f16125d86988e77844c741ff2f11 + # via keyring +jaraco-functools==4.0.0 \ + --hash=sha256:c279cb24c93d694ef7270f970d499cab4d3813f4e08273f95398651a634f0925 \ + --hash=sha256:daf276ddf234bea897ef14f43c4e1bf9eefeac7b7a82a4dd69228ac20acff68d + # via keyring jeepney==0.8.0 \ --hash=sha256:5efe48d255973902f6badc3ce55e2aa6c5c3b3bc642059ef3a91247bcfcc5806 \ --hash=sha256:c0a454ad016ca575060802ee4d590dd912e35c122fa04e70306de3d076cce755 # via # keyring # secretstorage -keyring==24.3.1 \ - --hash=sha256:c3327b6ffafc0e8befbdb597cacdb4928ffe5c1212f7645f186e6d9957a898db \ - --hash=sha256:df38a4d7419a6a60fea5cef1e45a948a3e8430dd12ad88b0f423c5c143906218 +keyring==25.0.0 \ + --hash=sha256:9a15cd280338920388e8c1787cb8792b9755dabb3e7c61af5ac1f8cd437cefde \ + --hash=sha256:fc024ed53c7ea090e30723e6bd82f58a39dc25d9a6797d866203ecd0ee6306cb # via twine markdown-it-py==3.0.0 \ --hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1 \ @@ -271,7 +279,9 @@ mdurl==0.1.2 \ more-itertools==10.2.0 \ --hash=sha256:686b06abe565edfab151cb8fd385a05651e1fdf8f0a14191e4439283421f8684 \ --hash=sha256:8fccb480c43d3e99a00087634c06dd02b0d50fbf088b380de5a41a015ec239e1 - # via jaraco-classes + # via + # jaraco-classes + # jaraco-functools multidict==6.0.5 \ --hash=sha256:01265f5e40f5a17f8241d52656ed27192be03bfa8764d88e8220141d1e4b3556 \ --hash=sha256:0275e35209c27a3f7951e1ce7aaf93ce0d163b28948444bec61dd7badc6d3f8c \ From 4486017868fba383d1075e0e350bf0bc4830a021 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 24 Mar 2024 20:17:44 +0000 Subject: [PATCH 0307/1462] Bump syn from 2.0.53 to 2.0.55 in /src/rust (#10638) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.53 to 2.0.55. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.53...2.0.55) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 15593ef1d12a..11ee8b08475d 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -377,9 +377,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.53" +version = "2.0.55" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7383cd0e49fff4b6b90ca5670bfd3e9d6a733b3f90c686605aa7eec8c4996032" +checksum = "002a1b3dbf967edfafc32655d0f377ab0bb7b994aa1d32c8cc7e9b8bf3ebb8f0" dependencies = [ "proc-macro2", "quote", From ca606189dc6bb377bba48d2e38013547b1857059 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Mar 2024 08:01:20 -0400 Subject: [PATCH 0308/1462] Bump pytest-cov from 4.1.0 to 5.0.0 (#10639) * Bump pytest-cov from 4.1.0 to 5.0.0 Bumps [pytest-cov](https://github.com/pytest-dev/pytest-cov) from 4.1.0 to 5.0.0. - [Changelog](https://github.com/pytest-dev/pytest-cov/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest-cov/compare/v4.1.0...v5.0.0) --- updated-dependencies: - dependency-name: pytest-cov dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] * Update ci-constraints-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 656b365fdbed..87b0a646c3db 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -95,7 +95,7 @@ pytest==8.1.1; python_version >= "3.8" # pytest-xdist pytest-benchmark==4.0.0 # via cryptography (pyproject.toml) -pytest-cov==4.1.0 +pytest-cov==5.0.0; python_version >= "3.8" # via cryptography (pyproject.toml) pytest-randomly==3.15.0 # via cryptography (pyproject.toml) From 558875fd8333006f5e29008815fc0aac44542b07 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 26 Mar 2024 00:14:50 +0000 Subject: [PATCH 0309/1462] Bump BoringSSL and/or OpenSSL in CI (#10640) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 229eb24028dc..f48557aedfd5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}}
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
- # Latest commit on the BoringSSL master branch, as of Mar 24, 2024.
- - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "70b33d39048abaa1c810ad63ace4b05af7b94d15"}}
- # Latest commit on the OpenSSL master branch, as of Mar 24, 2024.
- - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4a9e48f727ce7ad924c53a55b301e426d7e43863"}}
+ # Latest commit on the BoringSSL master branch, as of Mar 26, 2024.
+ - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ee4c2a38a05873b8812fed97efae0ffc5ff51d46"}}
+ # Latest commit on the OpenSSL master branch, as of Mar 26, 2024.
+ - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a4cbffcd8998180b98bb9f7ce6065ed37d079d8b"}}
 # Builds with various Rust versions. Includes MSRV and next
 # potential future MSRV.
 - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"}
From 19ef6dd741bd2cb0127a2320557ba37b29b6c76f Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Mon, 25 Mar 2024 20:26:59 -0400
Subject: [PATCH 0310/1462] run cron lock jobs at a diff time (#10641)
---
 .github/workflows/lock.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index 88379415f801..f037c6555c4f 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -2,7 +2,7 @@ name: Lock Issues
 on:
 workflow_dispatch:
 schedule:
- - cron: '0 0 * * *'
+ - cron: '0 3 * * *'
 permissions:
 issues: "write"
From 72da5a87ea05a1ec65cd6b6b933ad13c82f1064b Mon Sep 17 00:00:00 2001
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com>
Date: Tue, 26 Mar 2024 00:28:07 +0000
Subject: [PATCH 0311/1462] Bump x509-limbo and/or wycheproof in CI (#10642) Co-authored-by: pyca-boringbot[bot]
---
 .github/actions/fetch-vectors/action.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml
index 4dc167660dad..c872ad5e74d3 100644
--- a/.github/actions/fetch-vectors/action.yml
+++ b/.github/actions/fetch-vectors/action.yml
@@ -16,5 +16,5 @@ runs:
 with:
 repository: "C2SP/x509-limbo"
 path: "x509-limbo"
- # Latest commit on the x509-limbo main branch, as of Mar 21, 2024.
- ref: "2d797b4f9d21e8c0ac3c070d2ff8198b4640acf9" # x509-limbo-ref
+ # Latest commit on the x509-limbo main branch, as of Mar 26, 2024.
+ ref: "dd62010dad89bd0102c448fbf85303ea70bfcbe2" # x509-limbo-ref
From 21788cc353dd512e361afa06736cfdd96fdc1a3e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 26 Mar 2024 07:08:02 -0400
Subject: [PATCH 0312/1462] Bump filelock from 3.13.1 to 3.13.3 (#10644) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.13.1 to 3.13.3. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.13.1...3.13.3) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 ci-constraints-requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt
index 87b0a646c3db..ba89573b4e69 100644
--- a/ci-constraints-requirements.txt
+++ b/ci-constraints-requirements.txt @@ -40,7 +40,7 @@ exceptiongroup==1.2.0 # via pytest execnet==2.0.2 # via pytest-xdist -filelock==3.13.1; python_version >= "3.8" +filelock==3.13.3; python_version >= "3.8" # via virtualenv idna==3.6 # via requests From a32da2e10f5974e9338cb191cc471a6f1b77e300 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Mar 2024 11:12:53 +0000 Subject: [PATCH 0313/1462] Bump autocfg from 1.1.0 to 1.2.0 in /src/rust (#10645) Bumps [autocfg](https://github.com/cuviper/autocfg) from 1.1.0 to 1.2.0. - [Commits](https://github.com/cuviper/autocfg/compare/1.1.0...1.2.0) --- updated-dependencies: - dependency-name: autocfg dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 11ee8b08475d..6aa04afe6fc1 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -24,9 +24,9 @@ dependencies = [ [[package]] name = "autocfg" -version = "1.1.0" +version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" +checksum = "f1fdabc7756949593fe60f30ec81974b613357de856987752631dea1e3394c80" [[package]] name = "base64" From 1fe44c21cac785f1887b91ee5c57b03551c40671 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 26 Mar 2024 20:16:32 -0400 Subject: [PATCH 0314/1462] Bump BoringSSL and/or OpenSSL in CI (#10648) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f48557aedfd5..3f353321e48d 100644 
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -45,8 +45,8 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
 # Latest commit on the BoringSSL master branch, as of Mar 26, 2024.
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ee4c2a38a05873b8812fed97efae0ffc5ff51d46"}}
- # Latest commit on the OpenSSL master branch, as of Mar 26, 2024.
- - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a4cbffcd8998180b98bb9f7ce6065ed37d079d8b"}}
+ # Latest commit on the OpenSSL master branch, as of Mar 27, 2024.
+ - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1967539e212c17139dc810096da987c8100b1ba2"}}
 # Builds with various Rust versions. Includes MSRV and next
 # potential future MSRV.
 - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"}
From 9fdcea4f35b05670dc98e601a9d42b137cc4aba6 Mon Sep 17 00:00:00 2001
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com>
Date: Wed, 27 Mar 2024 00:29:00 +0000
Subject: [PATCH 0315/1462] Bump x509-limbo and/or wycheproof in CI (#10649) Co-authored-by: pyca-boringbot[bot]
---
 .github/actions/fetch-vectors/action.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml
index c872ad5e74d3..f633964e3d21 100644
--- a/.github/actions/fetch-vectors/action.yml
+++ b/.github/actions/fetch-vectors/action.yml
@@ -9,12 +9,12 @@ runs:
 with:
 repository: "C2SP/wycheproof"
 path: "wycheproof"
- # Latest commit on the wycheproof master branch, as of Mar 16, 2024.
- ref: "1621269c9f8e4a11f7de5dd2cb353400f054ce6f" # wycheproof-ref
+ # Latest commit on the wycheproof master branch, as of Mar 27, 2024.
+ ref: "507bb993e90a87d0a62591a5284bc34a3f1c5c22" # wycheproof-ref
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 repository: "C2SP/x509-limbo"
 path: "x509-limbo"
- # Latest commit on the x509-limbo main branch, as of Mar 26, 2024.
- ref: "dd62010dad89bd0102c448fbf85303ea70bfcbe2" # x509-limbo-ref
+ # Latest commit on the x509-limbo main branch, as of Mar 27, 2024.
+ ref: "5550a13c69181f17f716eac5be382a0edb59be4b" # x509-limbo-ref
From dc906c5d54035c84613f2567466ff6b07cb01fb2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 27 Mar 2024 07:05:44 -0400
Subject: [PATCH 0316/1462] Bump actions/setup-python from 5.0.0 to 5.1.0 (#10650) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.0.0 to 5.1.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/0a5c61591373683505ea898e09a3ea4f39ef2b9c...82c7e631bb3cdc910f68e0081d67478d79c6982d) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/benchmark.yml | 2 +-
 .github/workflows/ci.yml | 10 +++++-----
 .github/workflows/linkcheck.yml | 2 +-
 .github/workflows/pypi-publish.yml | 2 +-
 .github/workflows/wheel-builder.yml | 4 ++--
 5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index deeebb0f69ba..91de604df56f 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -38,7 +38,7 @@ jobs:
 - name: Setup python
 id: setup-python
- uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+ uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
 with:
 python-version: "3.11"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3f353321e48d..51d959646291 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -60,7 +60,7 @@ jobs:
 persist-credentials: false
 - name: Setup python
 id: setup-python
- uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+ uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
 with:
 python-version: ${{ matrix.PYTHON.VERSION }}
 cache: pip
@@ -240,7 +240,7 @@ jobs:
 key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.PYTHON.VERSION }}
 - name: Setup python
- uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+ uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
 with:
 python-version: ${{ matrix.PYTHON.VERSION }}
 cache: pip
@@ -299,7 +299,7 @@ jobs:
 persist-credentials: false
 - name: Setup python
 id: setup-python
- uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+ uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
 with:
 python-version: ${{ matrix.PYTHON.VERSION }}
 architecture: ${{ matrix.WINDOWS.ARCH }}
@@ -375,7 +375,7 @@ jobs:
 uses: ./.github/actions/cache
 timeout-minutes: 2
 - name: Setup python
- uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+ uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
 with:
 python-version: ${{ matrix.PYTHON }}
 cache: pip
@@ -421,7 +421,7 @@ jobs:
 jobs: ${{ toJSON(needs) }}
 - name: Setup python
 if: ${{ always() }}
- uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+ uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
 with:
 python-version: '3.12'
 cache: pip
diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml
index 0e5b688c051f..b06da096537f 100644
--- a/.github/workflows/linkcheck.yml
+++ b/.github/workflows/linkcheck.yml
@@ -25,7 +25,7 @@ jobs:
 persist-credentials: false
 - name: Setup python
 id: setup-python
- uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+ uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
 with:
 python-version: 3.11
 - name: Cache rust and pip
diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
index 433b1a1b1ac4..90e3ad79608f 100644
--- a/.github/workflows/pypi-publish.yml
+++ b/.github/workflows/pypi-publish.yml
@@ -34,7 +34,7 @@ jobs:
 - run: echo "$EVENT_CONTEXT"
 env:
 EVENT_CONTEXT: ${{ toJson(github.event) }}
- - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+ - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
 with:
 python-version: "3.11"
 - name: Get publish-requirements.txt from repository
diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml
index 9367b2d16ccf..18579f6c60fc 100644
--- a/.github/workflows/wheel-builder.yml
+++ b/.github/workflows/wheel-builder.yml
@@ -228,7 +228,7 @@ jobs:
 PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }}
 if: contains(matrix.PYTHON.VERSION, 'pypy') == false
 - name: Setup pypy
- uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+ uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
 with:
 python-version: ${{ matrix.PYTHON.VERSION }}
 if: contains(matrix.PYTHON.VERSION, 'pypy')
@@ -320,7 +320,7 @@ jobs: name: cryptography-sdist - name: Setup python - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} From 44857ea7502b4ebea4104cd44e443d4d5d928d36 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Mar 2024 07:06:49 -0400 Subject: [PATCH 0317/1462] Bump nh3 from 0.2.15 to 0.2.17 (#10652) Bumps [nh3](https://github.com/messense/nh3) from 0.2.15 to 0.2.17. - [Release notes](https://github.com/messense/nh3/releases) - [Commits](https://github.com/messense/nh3/compare/v0.2.15...v0.2.17) --- updated-dependencies: - dependency-name: nh3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ba89573b4e69..9027617cee4d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -56,7 +56,7 @@ mypy==1.9.0 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy -nh3==0.2.15 +nh3==0.2.17 # via readme-renderer nox==2024.3.2 # via cryptography (pyproject.toml) From c13be115e859f077e8661f1e68bc7c6984a7f9e6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Mar 2024 07:07:05 -0400 Subject: [PATCH 0318/1462] Bump memoffset from 0.9.0 to 0.9.1 in /src/rust (#10653) Bumps [memoffset](https://github.com/Gilnaa/memoffset) from 0.9.0 to 0.9.1. - [Changelog](https://github.com/Gilnaa/memoffset/blob/master/CHANGELOG.md) - [Commits](https://github.com/Gilnaa/memoffset/compare/v0.9.0...v0.9.1) --- updated-dependencies: - dependency-name: memoffset dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6aa04afe6fc1..10d7821b416b 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -172,9 +172,9 @@ dependencies = [ [[package]] name = "memoffset" -version = "0.9.0" +version = "0.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a634b1c61a95585bd15607c6ab0c4e5b226e695ff2800ba0cdccddf208c406c" +checksum = "488016bfae457b036d996092f6cb448677611ce4449e970ceaf42695203f218a" dependencies = [ "autocfg", ] From 5593992417c9b75bab4d4725966fed7c17d49d40 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Mar 2024 08:22:35 -0400 Subject: [PATCH 0319/1462] Bump nh3 from 0.2.15 to 0.2.17 in /.github/requirements (#10651) * Bump nh3 from 0.2.15 to 0.2.17 in /.github/requirements Bumps [nh3](https://github.com/messense/nh3) from 0.2.15 to 0.2.17. - [Release notes](https://github.com/messense/nh3/releases) - [Commits](https://github.com/messense/nh3/compare/v0.2.15...v0.2.17) --- updated-dependencies: - dependency-name: nh3 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 12755fbf8fba..010f500a8064 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -374,23 +374,23 @@ multidict==6.0.5 \ --hash=sha256:fce28b3c8a81b6b36dfac9feb1de115bab619b3c13905b419ec71d03a3fc1423 \ --hash=sha256:fe5d7785250541f7f5019ab9cba2c71169dc7d74d0f45253f8313f436458a4ef # via grpclib -nh3==0.2.15 \ - --hash=sha256:0d02d0ff79dfd8208ed25a39c12cbda092388fff7f1662466e27d97ad011b770 \ - --hash=sha256:3277481293b868b2715907310c7be0f1b9d10491d5adf9fce11756a97e97eddf \ - --hash=sha256:3b803a5875e7234907f7d64777dfde2b93db992376f3d6d7af7f3bc347deb305 \ - --hash=sha256:427fecbb1031db085eaac9931362adf4a796428ef0163070c484b5a768e71601 \ - --hash=sha256:5f0d77272ce6d34db6c87b4f894f037d55183d9518f948bba236fe81e2bb4e28 \ - --hash=sha256:60684857cfa8fdbb74daa867e5cad3f0c9789415aba660614fe16cd66cbb9ec7 \ - --hash=sha256:6f42f99f0cf6312e470b6c09e04da31f9abaadcd3eb591d7d1a88ea931dca7f3 \ - --hash=sha256:86e447a63ca0b16318deb62498db4f76fc60699ce0a1231262880b38b6cff911 \ - --hash=sha256:8d595df02413aa38586c24811237e95937ef18304e108b7e92c890a06793e3bf \ - --hash=sha256:9c0d415f6b7f2338f93035bba5c0d8c1b464e538bfbb1d598acd47d7969284f0 \ - --hash=sha256:a5167a6403d19c515217b6bcaaa9be420974a6ac30e0da9e84d4fc67a5d474c5 \ - --hash=sha256:ac19c0d68cd42ecd7ead91a3a032fdfff23d29302dbb1311e641a130dfefba97 \ - --hash=sha256:b1e97221cedaf15a54f5243f2c5894bb12ca951ae4ddfd02a9d4ea9df9e1a29d \ - --hash=sha256:bc2d086fb540d0fa52ce35afaded4ea526b8fc4d3339f783db55c95de40ef02e \ - --hash=sha256:d1e30ff2d8d58fb2a14961f7aac1bbb1c51f9bdd7da727be35c63826060b0bf3 \ - --hash=sha256:f3b53ba93bb7725acab1e030bc2ecd012a817040fd7851b332f86e2f9bb98dc6 +nh3==0.2.17 \ + --hash=sha256:0316c25b76289cf23be6b66c77d3608a4fdf537b35426280032f432f14291b9a \ + --hash=sha256:1a814dd7bba1cb0aba5bcb9bebcc88fd801b63e21e2450ae6c52d3b3336bc911 \ + --hash=sha256:1aa52a7def528297f256de0844e8dd680ee279e79583c76d6fa73a978186ddfb \ + --hash=sha256:22c26e20acbb253a5bdd33d432a326d18508a910e4dcf9a3316179860d53345a \ + --hash=sha256:40015514022af31975c0b3bca4014634fa13cb5dc4dbcbc00570acc781316dcc \ + 
--hash=sha256:40d0741a19c3d645e54efba71cb0d8c475b59135c1e3c580f879ad5514cbf028 \ + --hash=sha256:551672fd71d06cd828e282abdb810d1be24e1abb7ae2543a8fa36a71c1006fe9 \ + --hash=sha256:66f17d78826096291bd264f260213d2b3905e3c7fae6dfc5337d49429f1dc9f3 \ + --hash=sha256:85cdbcca8ef10733bd31f931956f7fbb85145a4d11ab9e6742bbf44d88b7e351 \ + --hash=sha256:a3f55fabe29164ba6026b5ad5c3151c314d136fd67415a17660b4aaddacf1b10 \ + --hash=sha256:b4427ef0d2dfdec10b641ed0bdaf17957eb625b2ec0ea9329b3d28806c153d71 \ + --hash=sha256:ba73a2f8d3a1b966e9cdba7b211779ad8a2561d2dba9674b8a19ed817923f65f \ + --hash=sha256:c21bac1a7245cbd88c0b0e4a420221b7bfa838a2814ee5bb924e9c2f10a1120b \ + --hash=sha256:c551eb2a3876e8ff2ac63dff1585236ed5dfec5ffd82216a7a174f7c5082a78a \ + --hash=sha256:c790769152308421283679a142dbdb3d1c46c79c823008ecea8e8141db1a2062 \ + --hash=sha256:d7a25fd8c86657f5d9d576268e3b3767c5cd4f42867c9383618be8517f0f022a # via readme-renderer pkginfo==1.10.0 \ --hash=sha256:5df73835398d10db79f8eecd5cd86b1f6d29317589ea70796994d49399af6297 \ From 031d407e4df3225fddfcf52ff18fe221c5a8bf34 Mon Sep 17 00:00:00 2001 From: Julien Castiaux Date: Wed, 27 Mar 2024 19:32:35 +0100 Subject: [PATCH 0320/1462] Add public_key_algorithm_oid to certificate and CSR (#10517) --- CHANGELOG.rst | 6 ++ docs/development/test-vectors.rst | 2 + docs/spelling_wordlist.txt | 1 + docs/x509/reference.rst | 89 ++++++++++++++++++ src/cryptography/hazmat/_oid.py | 17 ++++ src/cryptography/x509/__init__.py | 2 + src/cryptography/x509/base.py | 7 ++ src/cryptography/x509/oid.py | 2 + src/rust/src/x509/certificate.rs | 11 +++ src/rust/src/x509/csr.rs | 11 +++ tests/x509/test_x509.py | 91 ++++++++++++++++++- .../x509/custom/ca/rsae_ca.pem | 32 +++++++ 12 files changed, 268 insertions(+), 3 deletions(-) create mode 100644 vectors/cryptography_vectors/x509/custom/ca/rsae_ca.pem diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 4fc48964b21b..8a97f7d7da1a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -35,6 +35,12 @@ Changelog :class:`~cryptography.x509.verification.VerifiedClient`, and ``PolicyBuilder`` :meth:`~cryptography.x509.verification.PolicyBuilder.build_client_verifier`. +* Added Certificate + :attr:`~cryptography.x509.Certificate.public_key_algorithm_oid` + and Certificate Signing Request + :attr:`~cryptography.x509.CertificateSigningRequest.public_key_algorithm_oid` + to determine the :class:`~cryptography.hazmat._oid.PublicKeyAlgorithmOID` + Object Identifier of the public key found inside the certificate. .. _v42-0-5: diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 0f608e840c03..e0746ab792b2 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -496,6 +496,8 @@ Custom X.509 Vectors using ``ed448-pkcs8.pem`` as key. * ``ca/rsa_ca.pem`` - A self-signed RSA certificate with ``basicConstraints`` set to true. Its private key is ``ca/rsa_key.pem``. +* ``ca/rsae_ca.pem`` - A self-signed RSA certificate using a (non-PSS) RSA + public key and a RSA PSS signature. Its private key is ``ca/rsa_key.pem``. * ``invalid-sct-version.der`` - A certificate with an SCT with an unknown version. * ``invalid-sct-length.der`` - A certificate with an SCT with an internal diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 933e781308ed..9be4a107a70d 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -106,6 +106,7 @@ preprocessor preprocessors presentational pseudorandom +PSS pyOpenSSL pytest relicensed diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 166c01f9a58a..0d0db19fdee4 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst 
@@ -364,6 +364,21 @@ X.509 Certificate Object >>> isinstance(public_key, rsa.RSAPublicKey) True + .. attribute:: public_key_algorithm_oid + + .. versionadded:: 43.0.0 + + :type: :class:`ObjectIdentifier` + + Returns the :class:`ObjectIdentifier` of the public key algorithm found + inside the certificate. This will be one of the OIDs from + :class:`~cryptography.x509.oid.PublicKeyAlgorithmOID`. + + .. doctest:: + + >>> cert.public_key_algorithm_oid + + .. attribute:: not_valid_before :type: :class:`datetime.datetime` @@ -1033,6 +1048,21 @@ X.509 CSR (Certificate Signing Request) Object >>> isinstance(public_key, rsa.RSAPublicKey) True + .. attribute:: public_key_algorithm_oid + + .. versionadded:: 43.0.0 + + :type: :class:`ObjectIdentifier` + + Returns the :class:`ObjectIdentifier` of the public key algorithm found + inside the certificate. This will be one of the OIDs from + :class:`~cryptography.x509.oid.PublicKeyAlgorithmOID`. + + .. doctest:: + + >>> csr.public_key_algorithm_oid + + .. attribute:: subject :type: :class:`Name` 
@@ -3840,6 +3870,65 @@ instances. The following common OIDs are available as constants. Corresponds to the dotted string ``"1.2.840.113549.1.9.2"``. + +.. class:: PublicKeyAlgorithmOID + :canonical: cryptography.hazmat._oid.PublicKeyAlgorithmOID + + .. versionadded:: 43.0.0 + + .. attribute:: DSA + + Corresponds to the dotted string ``"1.2.840.10040.4.1"``. This is a + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` + public key. + + .. attribute:: EC_PUBLIC_KEY + + Corresponds to the dotted string ``"1.2.840.10045.2.1"``. This is a + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey` + public key. + + .. attribute:: RSAES_PKCS1_v1_5 + + Corresponds to the dotted string ``"1.2.840.113549.1.1.1"``. This is a + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` + public key with + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15` + padding. + + .. attribute:: RSASSA_PSS + + Corresponds to the dotted string ``"1.2.840.113549.1.1.10"``. This is a + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` + public key with + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` + padding. + + .. attribute:: X25519 + + Corresponds to the dotted string ``"1.3.101.110"``. This is a + :class:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey` + public key. + + .. attribute:: X448 + + Corresponds to the dotted string ``"1.3.101.111"``. This is a + :class:`~cryptography.hazmat.primitives.asymmetric.x448.X448PublicKey` + public key. + + .. attribute:: ED25519 + + Corresponds to the dotted string ``"1.3.101.112"``. This is a + :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey` + public key. + + .. attribute:: ED448 + + Corresponds to the dotted string ``"1.3.101.113"``. This is a + :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey` + public key. + + Helper Functions ~~~~~~~~~~~~~~~~ .. 
currentmodule:: cryptography.x509 diff --git a/src/cryptography/hazmat/_oid.py b/src/cryptography/hazmat/_oid.py index c5d062c1374a..fd5e37d9e2ff 100644 --- a/src/cryptography/hazmat/_oid.py +++ b/src/cryptography/hazmat/_oid.py @@ -154,6 +154,17 @@ class SignatureAlgorithmOID: } +class PublicKeyAlgorithmOID: + DSA = ObjectIdentifier("1.2.840.10040.4.1") + EC_PUBLIC_KEY = ObjectIdentifier("1.2.840.10045.2.1") + RSAES_PKCS1_v1_5 = ObjectIdentifier("1.2.840.113549.1.1.1") + RSASSA_PSS = ObjectIdentifier("1.2.840.113549.1.1.10") + X25519 = ObjectIdentifier("1.3.101.110") + X448 = ObjectIdentifier("1.3.101.111") + ED25519 = ObjectIdentifier("1.3.101.112") + ED448 = ObjectIdentifier("1.3.101.113") + + class ExtendedKeyUsageOID: SERVER_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.1") CLIENT_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.2") @@ -245,6 +256,12 @@ class AttributeOID: SignatureAlgorithmOID.GOSTR3410_2012_WITH_3411_2012_512: ( "GOST R 34.10-2012 with GOST R 34.11-2012 (512 bit)" ), + PublicKeyAlgorithmOID.DSA: "dsaEncryption", + PublicKeyAlgorithmOID.EC_PUBLIC_KEY: "id-ecPublicKey", + PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5: "rsaEncryption", + PublicKeyAlgorithmOID.RSASSA_PSS: "rsassaPss", + PublicKeyAlgorithmOID.X25519: "X25519", + PublicKeyAlgorithmOID.X448: "X448", ExtendedKeyUsageOID.SERVER_AUTH: "serverAuth", ExtendedKeyUsageOID.CLIENT_AUTH: "clientAuth", ExtendedKeyUsageOID.CODE_SIGNING: "codeSigning", diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py index 931618aa49d1..e73e527fc4a0 100644 --- a/src/cryptography/x509/__init__.py +++ b/src/cryptography/x509/__init__.py @@ -97,6 +97,7 @@ ExtensionOID, NameOID, ObjectIdentifier, + PublicKeyAlgorithmOID, SignatureAlgorithmOID, ) @@ -250,6 +251,7 @@ "PrecertificateSignedCertificateTimestamps", "PrecertPoison", "OCSPNonce", + "PublicKeyAlgorithmOID", "SignedCertificateTimestamps", "SignatureAlgorithmOID", "NameOID", 
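Review bot: In the `_OID_NAMES` hunk of `_oid.py`, the new key `PublicKeyAlgorithmOID.RSASSA_PSS: "rsassaPss"` uses the dotted string `1.2.840.113549.1.1.10`, which is also the value of `SignatureAlgorithmOID.RSASSA_PSS`. If that signature OID already has an entry earlier in this dict literal (not visible in the hunk) and `ObjectIdentifier` hashes by dotted string, the later key silently replaces its display name. The same overlap probably explains why `ED25519` and `ED448` get no entry here, but the hunk does not say so. I would either drop the duplicate key or keep it deliberately and add a comment such as `# ED25519/ED448/RSASSA_PSS share dotted strings with SignatureAlgorithmOID; one name per OID`. The dict starts and ends outside the hunk.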
diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index 2ab482ec817f..c035cbb70b4b 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -187,6 +187,13 @@ def public_key(self) -> CertificatePublicKeyTypes: Returns the public key """ + @property + @abc.abstractmethod + def public_key_algorithm_oid(self) -> ObjectIdentifier: + """ + Returns the ObjectIdentifier of the public key. + """ + @property @abc.abstractmethod def not_valid_before(self) -> datetime.datetime: diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py index cda50cced5c4..d4e409e0a2a0 100644 --- a/src/cryptography/x509/oid.py +++ b/src/cryptography/x509/oid.py @@ -14,6 +14,7 @@ NameOID, ObjectIdentifier, OCSPExtensionOID, + PublicKeyAlgorithmOID, SignatureAlgorithmOID, SubjectInformationAccessOID, ) @@ -28,6 +29,7 @@ "NameOID", "OCSPExtensionOID", "ObjectIdentifier", + "PublicKeyAlgorithmOID", "SignatureAlgorithmOID", "SubjectInformationAccessOID", ] diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 552f4eda7d81..d4873256fe22 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -72,6 +72,17 @@ impl Certificate { ) } + #[getter] + fn public_key_algorithm_oid<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult<&'p pyo3::PyAny> { + oid_to_py_oid( + py, + self.raw.borrow_dependent().tbs_cert.spki.algorithm.oid(), + ) + } + fn fingerprint<'p>( &self, py: pyo3::Python<'p>, diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index c49f6e04421a..27eff5e12e95 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs 
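Review bot: Only one abstract `public_key_algorithm_oid` property is declared in `base.py` (the diffstat shows this single 7-line hunk), while both `certificate.rs` and `csr.rs` gain a getter. The hunk sits next to `not_valid_before`, so it is presumably the `Certificate` class, leaving `CertificateSigningRequest` with the attribute at runtime but not in its Python interface, where type checkers and readers of the ABC will not see it. I would add the same `@property` / `@abc.abstractmethod` declaration to the request class. Both docstrings would also read better as `Returns the ObjectIdentifier of the public key algorithm.`, since the value identifies the algorithm rather than the key. The enclosing class starts and ends outside the hunk.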
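Review bot: The getter added to `impl Certificate` passes `tbs_cert.spki.algorithm.oid()` straight to `oid_to_py_oid`, and as far as this hunk shows nothing checks that the OID names a key type the library can load. It may therefore return a value that is not a member of `PublicKeyAlgorithmOID`, although the reference docs added in this commit say it "will be one of" those; callers that branch on it are reading unvalidated certificate content. I would put a doc comment above the getter, e.g. `/// Returns the SPKI algorithm OID as encoded; it is not checked against the key types public_key() can load.`, and soften the docs wording to match. The same applies to the getter added in `src/rust/src/x509/csr.rs`. The `impl Certificate` block starts and ends outside the hunk.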
@@ -54,6 +54,17 @@ impl CertificateSigningRequest { ) } + #[getter] + fn public_key_algorithm_oid<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult<&'p pyo3::PyAny> { + oid_to_py_oid( + py, + self.raw.borrow_dependent().csr_info.spki.algorithm.oid(), + ) + } + #[getter] fn subject<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { Ok(x509::parse_name( diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index e5e941e45e4a..40686e4eb7c2 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -37,6 +37,7 @@ ExtendedKeyUsageOID, ExtensionOID, NameOID, + PublicKeyAlgorithmOID, SignatureAlgorithmOID, SubjectInformationAccessOID, ) 
@@ -792,6 +793,42 @@ def test_get_revoked_certificate_doesnt_reorder( assert crl[2].serial_number == 3 +class TestRSAECertificate: + def test_load_cert_pub_key(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "ca", "rsae_ca.pem"), + x509.load_pem_x509_certificate, + ) + assert isinstance(cert, x509.Certificate) + expected_pub_key = load_vectors_from_file( + os.path.join("x509", "custom", "ca", "rsa_key.pem"), + lambda pemfile: serialization.load_pem_private_key( + pemfile.read(), None, unsafe_skip_rsa_key_validation=True + ), + mode="rb", + ).public_key() + assert isinstance(expected_pub_key, rsa.RSAPublicKey) + pub_key = cert.public_key() + assert isinstance(pub_key, rsa.RSAPublicKey) + assert ( + cert.public_key_algorithm_oid + == PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5 + ) + assert pub_key == expected_pub_key + pss = cert.signature_algorithm_parameters + assert isinstance(pss, padding.PSS) + assert isinstance(pss._mgf, padding.MGF1) + assert isinstance(pss._mgf._algorithm, hashes.SHA256) + assert pss._salt_length == 0x14 + assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) + pub_key.verify( + cert.signature, + cert.tbs_certificate_bytes, + pss, + cert.signature_hash_algorithm, + ) + + class TestRSAPSSCertificate: def test_load_cert_pub_key(self, backend): cert = _load_cert( @@ -806,6 +843,9 @@ def test_load_cert_pub_key(self, backend): assert isinstance(expected_pub_key, rsa.RSAPublicKey) pub_key = cert.public_key() assert isinstance(pub_key, rsa.RSAPublicKey) + assert ( + cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.RSASSA_PSS + ) assert pub_key == expected_pub_key pss = cert.signature_algorithm_parameters assert isinstance(pss, padding.PSS) 
@@ -898,6 +938,11 @@ def test_load_pem_cert(self, backend): assert isinstance( cert.signature_algorithm_parameters, padding.PKCS1v15 ) + assert isinstance(cert.public_key(), rsa.RSAPublicKey) + assert ( + cert.public_key_algorithm_oid + == PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5 + ) def test_check_pkcs1_signature_algorithm_parameters(self, backend): cert = _load_cert( @@ -995,6 +1040,11 @@ def test_alternate_rsa_with_sha1_oid(self, backend): cert.signature_algorithm_oid == SignatureAlgorithmOID._RSA_WITH_SHA1 ) + assert isinstance(cert.public_key(), rsa.RSAPublicKey) + assert ( + cert.public_key_algorithm_oid + == PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5 + ) def test_load_bmpstring_explicittext(self, backend): cert = _load_cert( @@ -1834,6 +1884,10 @@ def test_load_rsa_certificate_request(self, path, loader_func, backend): ) public_key = request.public_key() assert isinstance(public_key, rsa.RSAPublicKey) + assert ( + request.public_key_algorithm_oid + == PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5 + ) subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ @@ -2250,6 +2304,12 @@ def test_build_cert( cert = builder.sign(issuer_private_key, hashalg(), backend) assert cert.version is x509.Version.v3 + public_key = cert.public_key() + assert isinstance(public_key, rsa.RSAPublicKey) + assert ( + cert.public_key_algorithm_oid + == PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5 + ) assert cert.signature_algorithm_oid == hashalg_oid assert type(cert.signature_hash_algorithm) is hashalg _check_cert_times( @@ -3308,6 +3368,9 @@ def test_build_cert_with_dsa_private_key( assert cert.version is x509.Version.v3 assert cert.signature_algorithm_oid == hashalg_oid + public_key = cert.public_key() + assert isinstance(public_key, dsa.DSAPublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.DSA _check_cert_times( cert, not_valid_before=not_valid_before, 
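Review bot: The CSR getter is asserted only in the `test_load_rsa_certificate_request` hunk, for an RSA request, whereas the certificate getter is checked for DSA, EC, Ed25519, Ed448, X25519 and X448 keys in the other hunks of this file. Since `csr.rs` has its own getter reading `csr_info.spki`, I would add the matching assertion to the non-RSA request tests, e.g. `assert request.public_key_algorithm_oid == PublicKeyAlgorithmOID.EC_PUBLIC_KEY` in an EC request test (assuming the file has one; none is visible in this diff). A case whose SPKI algorithm lies outside `PublicKeyAlgorithmOID` would also pin down what the getter returns for unsupported keys. The test function starts and ends outside the hunk.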
@@ -3380,6 +3443,12 @@ def test_build_cert_with_ec_private_key( cert = builder.sign(issuer_private_key, hashalg(), backend) assert cert.version is x509.Version.v3 + public_key = cert.public_key() + assert isinstance(public_key, ec.EllipticCurvePublicKey) + assert ( + cert.public_key_algorithm_oid + == PublicKeyAlgorithmOID.EC_PUBLIC_KEY + ) assert cert.signature_algorithm_oid == hashalg_oid assert type(cert.signature_hash_algorithm) is hashalg _check_cert_times( @@ -3480,6 +3549,7 @@ def test_build_cert_with_ed25519(self, backend): assert cert.signature_algorithm_oid == SignatureAlgorithmOID.ED25519 assert cert.signature_hash_algorithm is None assert isinstance(cert.public_key(), ed25519.Ed25519PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED25519 assert cert.version is x509.Version.v3 _check_cert_times( cert, @@ -3542,6 +3612,7 @@ def test_build_cert_with_public_ed25519_rsa_sig( ) assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) assert isinstance(cert.public_key(), ed25519.Ed25519PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED25519 @pytest.mark.supported( only_if=lambda backend: backend.ed448_supported(), @@ -3583,6 +3654,7 @@ def test_build_cert_with_ed448(self, backend): assert cert.signature_algorithm_oid == SignatureAlgorithmOID.ED448 assert cert.signature_hash_algorithm is None assert isinstance(cert.public_key(), ed448.Ed448PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED448 assert cert.version is x509.Version.v3 _check_cert_times( cert, @@ -3645,6 +3717,7 @@ def test_build_cert_with_public_ed448_rsa_sig( ) assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) assert isinstance(cert.public_key(), ed448.Ed448PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED448 @pytest.mark.supported( only_if=lambda backend: ( 
@@ -3653,10 +3726,18 @@ def test_build_cert_with_public_ed448_rsa_sig( skip_message="Requires OpenSSL with x25519 & x448 support", ) @pytest.mark.parametrize( - ("priv_key_cls", "pub_key_cls"), + ("priv_key_cls", "pub_key_cls", "pub_key_oid"), [ - (x25519.X25519PrivateKey, x25519.X25519PublicKey), - (x448.X448PrivateKey, x448.X448PublicKey), + ( + x25519.X25519PrivateKey, + x25519.X25519PublicKey, + PublicKeyAlgorithmOID.X25519, + ), + ( + x448.X448PrivateKey, + x448.X448PublicKey, + PublicKeyAlgorithmOID.X448, + ), ], ) def test_build_cert_with_public_x25519_x448_rsa_sig( @@ -3664,6 +3745,7 @@ def test_build_cert_with_public_x25519_x448_rsa_sig( rsa_key_2048: rsa.RSAPrivateKey, priv_key_cls, pub_key_cls, + pub_key_oid, backend, ): issuer_private_key = rsa_key_2048 @@ -3699,6 +3781,7 @@ def test_build_cert_with_public_x25519_x448_rsa_sig( ) assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) assert isinstance(cert.public_key(), pub_key_cls) + assert cert.public_key_algorithm_oid == pub_key_oid def test_build_cert_with_rsa_key_too_small( self, rsa_key_512: rsa.RSAPrivateKey, backend @@ -6169,6 +6252,7 @@ def test_load_pem_cert(self, backend): # self-signed, so this will work public_key = cert.public_key() assert isinstance(public_key, ed25519.Ed25519PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED25519 public_key.verify(cert.signature, cert.tbs_certificate_bytes) assert isinstance(cert, x509.Certificate) assert cert.serial_number == 9579446940964433301 @@ -6215,6 +6299,7 @@ def test_load_pem_cert(self, backend): # self-signed, so this will work public_key = cert.public_key() assert isinstance(public_key, ed448.Ed448PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED448 public_key.verify(cert.signature, cert.tbs_certificate_bytes) assert isinstance(cert, x509.Certificate) assert cert.serial_number == 448 
diff --git a/vectors/cryptography_vectors/x509/custom/ca/rsae_ca.pem b/vectors/cryptography_vectors/x509/custom/ca/rsae_ca.pem new file mode 100644 index 000000000000..1b357a1007d6 --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/ca/rsae_ca.pem 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFczCCAyygAwIBAgIUXd3jDutyo6oiszLWxbtjcQQQh9kwPAYJKoZIhvcNAQEK +MC+gDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF +ADAaMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wHhcNMjQwMzIzMjMwNzU1WhcN +NDMwNTIzMjMwNzU1WjAaMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wggIiMA0G +CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDQSIXkXNR0+DM1eRr1Gw5PQhVOg06J +kQKTakZos64kapujmOB7d3e9QV6IOvyAZKgJ2eP1yUONBuLFQ2+dpNdaD73yfxea +XPulKjwS/kBs2BpCaLmwKlxaSOqMNKmshTUC79E/aOModEEDqBr4Apr/daporS62 +TV7uFPUu+hvg4hkk/kMjJDMY/lbBkbEUQbn1dbq3J7xVo1OkNvnK9nKdJjABvejU +8iLJGIifLy9N1s+A1+JJTuF+O3z5g51PzjJ+Em7zGfPeo9S9CdOEvrlU4U5MUFnB +XKl4V+ajPJM3IyVJsmxZW39edI91ornFuPCv4+3ydMfat4lKOBr2tHKEnIJSVnIK +PwQQsBQ8PDVW2u56cUkTImkt6k79HRBXEZ7wcnPu4chscZVnUxPbR4rFCNXmVZPT +/c4qjTmSrHGPGV9fvwuDPV+vWOwPCO+BeXTtuyEcnBIDq0qNs9TYX0sG6ia/Wtkw +bUbBYp5/K4ygSMzZ9BOafYztVo8bZHIx3116SzfBRTL6GCPZfyvmVg5vbG6GhfI6 +4KM0nNNOABXpgB+/ZpghlUSl59bwwKOAywuqdzYgRWEHGG1vVfm3hg+rK7BesSbb +mP1MLT0Ti1ks7ggq2f+AZZqTbEdHoSBRb8xCo1+q0dsqd2CpYLg2zATCjKX0hsQB +cHGezomsUdtFBwIDAQABo1MwUTAdBgNVHQ4EFgQU1qwA85hiqD2SFTX+kL5zmDDr +TIQwHwYDVR0jBBgwFoAU1qwA85hiqD2SFTX+kL5zmDDrTIQwDwYDVR0TAQH/BAUw +AwEB/zA8BgkqhkiG9w0BAQowL6APMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcN +AQEIMA0GCWCGSAFlAwQCAQUAA4ICAQCyy7dZwQGOiS7id+sSFIm7EPR8GGFEE49D +2CfKl6eRqfwwRBeGE8NO+Ndh3ZD88cVKDlyHLZdNefnY0fXK5dakZDAP6cCSvJYP +lo0q2ugZy80SmQstDtMTfOic6sfQTmdtCf5PqFgSt+zeDnU7RpmAVY8QO2WVS1HK +5X4/WW1YG/fEU1r/5KN80GsLaxyWip9xBlQ5M0FvFML7kKawbQn2e2juckvJMMhL +bQnS/viPqFjqk6e9NwXO7uTr3eXKJ2gLasFrP2WDXLvpnfjFIPyE7cg+oZFSNa96 +i0bzDGgQPa13cT5Bz5BzHrCmvnFOV5xX54MdkKNROxmyLBC8rTLqtUqaoW27q05S +novxXRVfxDbHVgNcealaAX40xLPXAF+Os8wWbZ58Gnhi4g/UvxOV5oqT7oql3n4M +f67B5ko45fetLAbyezT6znAd7sapaukEDWyiSOftHdxhnDKi16F96EMdh1h0ZrRE +u/CfUUntm6ET6sGAM+exrH7Rd3NTYfTof00I9H0hVxEIHSmszWTQjrF8EScJkgcL +PgkuKOQ32TzKjq+QQVIvk5tXf02VlBSUA9THctPxGewGzk9YJBCSYiBkSjqXqyiS +5MflShh/ktK07jGGMlC+k8+IhPjMUnEzQxwseHiIVlwMz6h7tmsL1ciVN1oLrAld +zvv7WyNrLA== +-----END 
CERTIFICATE----- From 143fff00145dbb7c1b0d32a65e1c53f35e8e017f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 28 Mar 2024 00:22:10 +0000 Subject: [PATCH 0321/1462] Bump BoringSSL and/or OpenSSL in CI (#10657) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 51d959646291..a3739e2c6669 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 26, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ee4c2a38a05873b8812fed97efae0ffc5ff51d46"}} + # Latest commit on the BoringSSL master branch, as of Mar 28, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "54c956b2e668e11c75f1ee0367f1b3a0ad28eff9"}} # Latest commit on the OpenSSL master branch, as of Mar 27, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1967539e212c17139dc810096da987c8100b1ba2"}} # Builds with various Rust versions. Includes MSRV and next From 2b7715460782711def3d0c5669f75a6c589e1f2a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 28 Mar 2024 08:00:44 -0400 Subject: [PATCH 0322/1462] libressl 3.8.4 (#10658) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a3739e2c6669..263e4ff604dc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -41,7 +41,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Mar 28, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "54c956b2e668e11c75f1ee0367f1b3a0ad28eff9"}} From e4ae5e9faf9cc0c7df6a2567f8733b9074176509 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 28 Mar 2024 21:25:13 +0000 Subject: [PATCH 0323/1462] Bump build from 1.1.1 to 1.2.1 (#10660) Bumps [build](https://github.com/pypa/build) from 1.1.1 to 1.2.1. - [Release notes](https://github.com/pypa/build/releases) - [Changelog](https://github.com/pypa/build/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/build/compare/1.1.1...1.2.1) --- updated-dependencies: - dependency-name: build dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 9027617cee4d..18b2d07fdfcc 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -11,7 +11,7 @@ argcomplete==3.2.3; python_version >= "3.8" # via nox babel==2.14.0 # via sphinx -build==1.1.1 +build==1.2.1 # via # check-sdist # cryptography (pyproject.toml) From 29f2eb350a635589594f4bbef58808289fd78fdb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 28 Mar 2024 21:26:57 +0000 Subject: [PATCH 0324/1462] Bump openssl-sys from 0.9.101 to 0.9.102 in /src/rust (#10659) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.101 to 0.9.102. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.101...openssl-sys-v0.9.102) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 10d7821b416b..207bbdd96232 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -213,9 +213,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.101" +version = "0.9.102" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dda2b0f344e78efc2facf7d195d098df0dd72151b26ab98da807afc26c198dff" +checksum = "c597637d56fbc83893a35eb0dd04b2b8e7a50c91e64e9493e398b5df4fb45fa2" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index e3145ca05262..ffb3205cb8f8 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml 
@@ -19,7 +19,7 @@ cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.64" -openssl-sys = "0.9.101" +openssl-sys = "0.9.102" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 00b214f6f7e3..d944fb7e977e 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.65.0" [dependencies] pyo3 = { version = "0.20", features = ["abi3"] } -openssl-sys = "0.9.101" +openssl-sys = "0.9.102" [build-dependencies] cc = "1.0.90" diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index d5071e5ef8a4..2b2313453269 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -11,5 +11,5 @@ rust-version = "1.65.0" asn1 = { version = "0.16.1", default-features = false } cfg-if = "1" openssl = "0.10.64" -openssl-sys = "0.9.101" +openssl-sys = "0.9.102" cryptography-x509 = { path = "../cryptography-x509" } From 6d9a52cd50bab4e956798bf5677168a131b5acb6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 28 Mar 2024 17:36:56 -0400 Subject: [PATCH 0325/1462] Update CI for new libressl releases (#10565) --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 263e4ff604dc..5c5ce9156417 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -42,6 +42,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Mar 28, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "54c956b2e668e11c75f1ee0367f1b3a0ad28eff9"}} From 83b2933c4a8c8e807e1f463ad4f13b519b55d497 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 28 Mar 2024 21:53:48 -0400 Subject: [PATCH 0326/1462] Bump x509-limbo and/or wycheproof in CI (#10661) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index f633964e3d21..0756a07dc1d2 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 27, 2024. - ref: "5550a13c69181f17f716eac5be382a0edb59be4b" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 29, 2024. + ref: "4c4634d102feab973d06625cd974530d6f9dc98d" # x509-limbo-ref From 01561ded0ed75d123357035d9e2bec25060ffd74 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Fri, 29 Mar 2024 08:27:29 -0400 Subject: [PATCH 0327/1462] Added test for ClientVerifier.store (#10665) --- tests/x509/verification/test_verification.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/x509/verification/test_verification.py b/tests/x509/verification/test_verification.py index e8c280fce0e6..409f6f9b6408 100644 --- a/tests/x509/verification/test_verification.py +++ b/tests/x509/verification/test_verification.py @@ -130,6 +130,7 @@ def test_verify(self): assert verifier.validation_time == validation_time.replace(tzinfo=None) assert verifier.max_chain_depth == 16 + assert verifier.store is store verified_client = verifier.verify(leaf, []) assert verified_client.chain == [leaf] From 78c0be4b029036fbbe504b6a20db094316e3f8ea Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 29 Mar 2024 11:13:39 -0400 Subject: [PATCH 0328/1462] Test with 3.3.0-beta1 (#10666) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5c5ce9156417..f4460278409b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -36,7 +36,7 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.13"}}
 - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.5"}}
 - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}}
- - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.0-alpha1"}}
+ - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.0-beta1"}}
 - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}}
 - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}}
 - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}}
From 99f44085a889d7b9e4be994166ccc1bda014f7c5 Mon Sep 17 00:00:00 2001
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com>
Date: Fri, 29 Mar 2024 20:50:11 -0400
Subject: [PATCH 0329/1462] Bump BoringSSL and/or OpenSSL in CI (#10668)
Co-authored-by: pyca-boringbot[bot]
---
 .github/workflows/ci.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f4460278409b..4065d7ac666f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -44,10 +44,10 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}}
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
- # Latest commit on the BoringSSL master branch, as of Mar 28, 2024.
- - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "54c956b2e668e11c75f1ee0367f1b3a0ad28eff9"}}
- # Latest commit on the OpenSSL master branch, as of Mar 27, 2024.
- - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1967539e212c17139dc810096da987c8100b1ba2"}}
+ # Latest commit on the BoringSSL master branch, as of Mar 30, 2024.
+ - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ec6cb3e3a016a8e7ffee42d589d423e6057f21bf"}}
+ # Latest commit on the OpenSSL master branch, as of Mar 30, 2024.
+ - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4169d58c855718d90424fd5da632cf2f2b46e691"}}
 # Builds with various Rust versions. Includes MSRV and next
 # potential future MSRV.
 - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"}
From f82c09691ebd3932f6ef539446b6789371926b54 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 30 Mar 2024 12:44:22 +0000
Subject: [PATCH 0330/1462] Bump syn from 2.0.55 to 2.0.57 in /src/rust (#10670)
Bumps [syn](https://github.com/dtolnay/syn) from 2.0.55 to 2.0.57.
- [Release notes](https://github.com/dtolnay/syn/releases)
- [Commits](https://github.com/dtolnay/syn/compare/2.0.55...2.0.57)
---
updated-dependencies:
- dependency-name: syn
dependency-type: indirect
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 src/rust/Cargo.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 207bbdd96232..3d2d33f780ba 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -377,9 +377,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.55" +version = "2.0.57" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "002a1b3dbf967edfafc32655d0f377ab0bb7b994aa1d32c8cc7e9b8bf3ebb8f0" +checksum = "11a6ae1e52eb25aab8f3fb9fca13be982a373b8f1157ca14b897a825ba4a2d35" dependencies = [ "proc-macro2", "quote", From 74ed3a4b734369b195efa6d45509874e59e886bb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 30 Mar 2024 08:55:09 -0400 Subject: [PATCH 0331/1462] Remove a pair of derives that are unused (#10669) --- src/rust/cryptography-x509-verification/src/lib.rs | 2 +- src/rust/cryptography-x509/src/extensions.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 036e9dcd1b0f..169226c908ea 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -30,7 +30,7 @@ use crate::types::DNSName; use crate::types::{DNSConstraint, IPAddress, IPConstraint}; use crate::ApplyNameConstraintStatus::{Applied, Skipped}; -#[derive(Debug, PartialEq, Eq)] +#[derive(Debug)] pub enum ValidationError { CandidatesExhausted(Box), Malformed(asn1::ParseError), diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index bbd0f2377896..1a1e13484272 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -8,7 +8,7 @@ use crate::common; use crate::crl; use crate::name; -#[derive(Debug, PartialEq, Eq)] +#[derive(Debug)] pub struct DuplicateExtensionsError(pub asn1::ObjectIdentifier); pub type RawExtensions<'a> = common::Asn1ReadableOrWritable< 
From d6f2a7bed1ac300f4ad2d9494e7c649a283e80d8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 30 Mar 2024 13:26:42 -0500 Subject: [PATCH 0332/1462] Bump pycparser from 2.21 to 2.22 in /.github/requirements (#10672) * Bump pycparser from 2.21 to 2.22 in /.github/requirements Bumps [pycparser](https://github.com/eliben/pycparser) from 2.21 to 2.22. - [Release notes](https://github.com/eliben/pycparser/releases) - [Changelog](https://github.com/eliben/pycparser/blob/main/CHANGES) - [Commits](https://github.com/eliben/pycparser/compare/release_v2.21...release_v2.22) --- updated-dependencies: - dependency-name: pycparser dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/build-requirements.txt | 6 +++--- .github/requirements/publish-requirements.txt | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index cbec6164e9df..70fe56dc3ca1 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt 
@@ -58,9 +58,9 @@ cffi==1.16.0 ; platform_python_implementation != "PyPy" \ --hash=sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956 \ --hash=sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357 # via -r build-requirements.in -pycparser==2.21 \ - --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \ - --hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206 +pycparser==2.22 \ + --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ + --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc # via cffi semantic-version==2.10.0 \ --hash=sha256:bdabb6d336998cbb378d4b9db3a4b56a1e3235701dc05ea2690d9a997ed5041c \ diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 010f500a8064..647f3d7cc6b7 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -396,9 +396,9 @@ pkginfo==1.10.0 \ --hash=sha256:5df73835398d10db79f8eecd5cd86b1f6d29317589ea70796994d49399af6297 \ --hash=sha256:889a6da2ed7ffc58ab5b900d888ddce90bce912f2d2de1dc1c26f4cb9fe65097 # via twine -pycparser==2.21 \ - --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \ - --hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206 +pycparser==2.22 \ + --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ + --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc # via cffi pydantic[email]==2.6.4 \ --hash=sha256:b1704e0847db01817624a6b86766967f552dd9dbf3afba4004409f908dcc84e6 \ From 7b52f3796c6b9da9137a87fc4d1706f857acb4ae Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 31 Mar 2024 00:16:51 +0000 Subject: [PATCH 0333/1462] Bump BoringSSL and/or OpenSSL in CI (#10673) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4065d7ac666f..67403a8b936b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Mar 30, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ec6cb3e3a016a8e7ffee42d589d423e6057f21bf"}} - # Latest commit on the OpenSSL master branch, as of Mar 30, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4169d58c855718d90424fd5da632cf2f2b46e691"}} + # Latest commit on the OpenSSL master branch, as of Mar 31, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "15e06b12ee9df6347433398cb3f732c4458d4218"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 60a54ea81213a0f421d899e34f64254609daea78 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 31 Mar 2024 22:00:44 -0400 Subject: [PATCH 0334/1462] Build LibreSSL with cmake instead of vanilla make (#10674) --- .github/workflows/build_openssl.sh | 8 +++----- .github/workflows/ci.yml | 2 +- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build_openssl.sh b/.github/workflows/build_openssl.sh index b646a325a98a..abdd09cf3e55 100755 --- a/.github/workflows/build_openssl.sh +++ b/.github/workflows/build_openssl.sh 
@@ -60,9 +60,8 @@ elif [[ "${TYPE}" == "libressl" ]]; then curl -O "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${VERSION}.tar.gz" tar zxf "libressl-${VERSION}.tar.gz" pushd "libressl-${VERSION}" - ./configure --disable-shared --prefix="${OSSL_PATH}" - shlib_sed - make -j"$(nproc)" install CFLAGS="-fPIC" + cmake -B build -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DBUILD_SHARED_LIBS=OFF -DCMAKE_INSTALL_PREFIX="${OSSL_PATH}" + make -C build -j"$(nproc)" install # delete binaries, libtls, and docs we don't need. can't skip install/compile sadly rm -rf "${OSSL_PATH}/bin" rm -rf "${OSSL_PATH}/share" @@ -73,8 +72,7 @@ elif [[ "${TYPE}" == "boringssl" ]]; then pushd boringssl git checkout "${VERSION}" cmake -B build -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DCMAKE_INSTALL_PREFIX="${OSSL_PATH}" - make -C build -j"$(nproc)" - make -C build install + make -C build -j"$(nproc)" install # delete binaries we don't need rm -rf "${OSSL_PATH}/bin" popd diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 67403a8b936b..47bb66365129 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -101,7 +101,7 @@ jobs: # When altering the openssl build process you may need to increment # the value on the end of this cache key so that you can prevent it # from fetching the cache and skipping the build step. - key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.OPENSSL_HASH }}-11 + key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.OPENSSL_HASH }}-12 if: matrix.PYTHON.OPENSSL - name: Build custom OpenSSL/LibreSSL run: .github/workflows/build_openssl.sh From ad0ef5e556444ad057106660a90cd9c7f350fa74 Mon Sep 17 00:00:00 2001 
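Review bot: The LibreSSL branch still feeds an unverified download into the build: `curl -O "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${VERSION}.tar.gz"` is followed directly by `tar zxf` and, after this change, by `cmake` and `make install`, with no digest or signature check in between. Because the installed tree is then stored under the cache key bumped in the ci.yml hunk of this commit, a corrupted or tampered archive would persist across runs. I would pin a per-version SHA-256 next to the version and check it before unpacking, for example `echo "${LIBRESSL_SHA256}  libressl-${VERSION}.tar.gz" | sha256sum -c -` (the variable name is a placeholder), and add `-f` to the curl call so an HTTP error page is not saved as the archive. The enclosing `if`/`elif` chain starts outside this hunk, so the other branches were not reviewed for the same gap.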
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Apr 2024 07:27:07 -0500 Subject: [PATCH 0335/1462] Bump jaraco-classes from 3.3.1 to 3.4.0 in /.github/requirements (#10675) * Bump jaraco-classes from 3.3.1 to 3.4.0 in /.github/requirements Bumps [jaraco-classes](https://github.com/jaraco/jaraco.classes) from 3.3.1 to 3.4.0. - [Release notes](https://github.com/jaraco/jaraco.classes/releases) - [Changelog](https://github.com/jaraco/jaraco.classes/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/jaraco.classes/compare/v3.3.1...v3.4.0) --- updated-dependencies: - dependency-name: jaraco-classes dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 647f3d7cc6b7..c61ee4e7ce20 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -246,9 +246,9 @@ importlib-metadata==7.1.0 \ # via # keyring # twine -jaraco-classes==3.3.1 \ - --hash=sha256:86b534de565381f6b3c1c830d13f931d7be1a75f0081c57dff615578676e2206 \ - --hash=sha256:cb28a5ebda8bc47d8c8015307d93163464f9f2b91ab4006e09ff0ce07e8bfb30 +jaraco-classes==3.4.0 \ + --hash=sha256:47a024b51d0239c0dd8c8540c6c7f484be3b8fcf0b2d85c13825780d3b3f3acd \ + --hash=sha256:f662826b6bed8cace05e7ff873ce0f9283b5c924470fe664fff1c2f00f581790 # via keyring jaraco-context==4.3.0 \ --hash=sha256:4dad2404540b936a20acedec53355bdaea223acb88fd329fa6de9261c941566e \ From 6c83965454704e0dec0c63cb95c301cd1c9c1e4d Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Mon, 1 Apr 2024 16:12:54 -0400 Subject: [PATCH 0336/1462] Attempt to port to pyo3 0.21 more minimally (#10671) --- src/rust/Cargo.lock | 20 ++++++------ src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-cffi/src/lib.rs | 11 +++---- src/rust/src/backend/cipher_registry.rs | 2 +- src/rust/src/backend/ciphers.rs | 2 +- src/rust/src/lib.rs | 2 +- src/rust/src/x509/extensions.rs | 42 +++++++++++++++---------- 8 files changed, 46 insertions(+), 37 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 3d2d33f780ba..580672e2bebc 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -278,9 +278,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.20.3" +version = "0.21.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "53bdbb96d49157e65d45cc287af5f32ffadd5f4761438b527b055fb0d4bb8233" +checksum = "a7a8b1990bd018761768d5e608a13df8bd1ac5f678456e0f301bb93e5f3ea16b" dependencies = [ "cfg-if", "indoc", @@ -296,9 +296,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.20.3" +version = "0.21.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "deaa5745de3f5231ce10517a1f5dd97d53e5a2fd77aa6b5842292085831d48d7" +checksum = "650dca34d463b6cdbdb02b1d71bfd6eb6b6816afc708faebb3bac1380ff4aef7" dependencies = [ "once_cell", "target-lexicon", @@ -306,9 +306,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.20.3" +version = "0.21.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "62b42531d03e08d4ef1f6e85a2ed422eb678b8cd62b762e53891c05faf0d4afa" +checksum = "09a7da8fc04a8a2084909b59f29e1b8474decac98b951d77b80b26dc45f046ad" dependencies = [ "libc", "pyo3-build-config", 
@@ -316,9 +316,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.20.3" +version = "0.21.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7305c720fa01b8055ec95e484a6eca7a83c841267f0dd5280f0c8b8551d2c158" +checksum = "4b8a199fce11ebb28e3569387228836ea98110e43a804a530a9fd83ade36d513" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -328,9 +328,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.20.3" +version = "0.21.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7c7e9b68bb9c3149c5b0cade5d07f953d6d125eb4337723c4ccdb665f1f96185" +checksum = "93fbbfd7eb553d10036513cb122b888dcd362a945a00b06c165f2ab480d4cc3b" dependencies = [ "heck", "proc-macro2", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index ffb3205cb8f8..e8a26cfd53ae 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -10,7 +10,7 @@ rust-version = "1.65.0" [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.20", features = ["abi3"] } +pyo3 = { version = "0.21.1", features = ["abi3", "gil-refs"] } asn1 = { version = "0.16.1", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-key-parsing = { path = "cryptography-key-parsing" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index d944fb7e977e..5ef7438651e6 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.65.0" [dependencies] -pyo3 = { version = "0.20", features = ["abi3"] } +pyo3 = { version = "0.21.1", features = ["abi3", "gil-refs"] } openssl-sys = "0.9.102" [build-dependencies] diff --git a/src/rust/cryptography-cffi/src/lib.rs b/src/rust/cryptography-cffi/src/lib.rs index 110341a1901e..17d63c44c43f 100644 --- a/src/rust/cryptography-cffi/src/lib.rs +++ b/src/rust/cryptography-cffi/src/lib.rs 
@@ -4,9 +4,6 @@ #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] -#[cfg(not(python_implementation = "PyPy"))] -use pyo3::FromPyPointer; - #[cfg(python_implementation = "PyPy")] extern "C" { fn Cryptography_make_openssl_module() -> std::os::raw::c_int; @@ -16,18 +13,20 @@ extern "C" { fn PyInit__openssl() -> *mut pyo3::ffi::PyObject; } -pub fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::types::PyModule> { +pub fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { #[cfg(python_implementation = "PyPy")] let openssl_mod = unsafe { let res = Cryptography_make_openssl_module(); assert_eq!(res, 0); - pyo3::types::PyModule::import(py, "_openssl")? + pyo3::types::PyModule::import_bound(py, "_openssl")?.clone() }; #[cfg(not(python_implementation = "PyPy"))] // SAFETY: `PyInit__openssl` returns an owned reference. let openssl_mod = unsafe { let ptr = PyInit__openssl(); - pyo3::types::PyModule::from_owned_ptr(py, ptr) + pyo3::Py::from_owned_ptr(py, ptr).bind(py).clone() }; Ok(openssl_mod) diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index 46f6e09b5aac..ef54b7460e82 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -259,7 +259,7 @@ fn get_cipher_registry( // this should't be necessary but OpenSSL 3 will return an EVP_CIPHER // even when the cipher is unavailable. if cfg!(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)) - || types::LEGACY_PROVIDER_LOADED.get(py)?.is_true()? + || types::LEGACY_PROVIDER_LOADED.get(py)?.is_truthy()? { #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] { diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 3695ca1d89df..8becdc597f22 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs 
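Review bot: In the non-PyPy branch of `create_module`, `pyo3::Py::from_owned_ptr(py, ptr)` panics when `ptr` is null, and a C module init function such as `PyInit__openssl()` can return null with a Python exception set. The function already returns `pyo3::PyResult`, so the failure can be propagated instead of aborting the import: `pyo3::Py::from_owned_ptr_or_err(py, ptr)?.into_bound(py)`. Separately, `import_bound(py, "_openssl")?` already yields an owned `Bound`, so the trailing `.clone()` in the PyPy branch looks redundant, and that `unsafe` block carries no `// SAFETY:` comment although the crate denies `clippy::undocumented_unsafe_blocks`.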
@@ -29,7 +29,7 @@ impl CipherContext { format!( "cipher {} in {} mode is not supported ", algorithm.getattr(pyo3::intern!(py, "name"))?, - if mode.is_true()? { + if mode.is_truthy()? { mode.getattr(pyo3::intern!(py, "name"))? } else { mode diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 47102dfde1dd..9c445fa1776f 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -115,7 +115,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> crate::x509::ocsp_resp::add_to_module(ocsp_mod)?; m.add_submodule(ocsp_mod)?; - m.add_submodule(cryptography_cffi::create_module(py)?)?; + m.add_submodule(cryptography_cffi::create_module(py)?.into_gil_ref())?; let openssl_mod = pyo3::prelude::PyModule::new(py, "openssl")?; openssl_mod.add( diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 03fd1da9ff07..76bdf3c388d5 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs 
@@ -139,51 +139,58 @@ fn encode_key_usage(py: pyo3::Python<'_>, ext: &pyo3::PyAny) -> CryptographyResu &mut bs, 0, ext.getattr(pyo3::intern!(py, "digital_signature"))? - .is_true()?, + .is_truthy()?, ); certificate::set_bit( &mut bs, 1, ext.getattr(pyo3::intern!(py, "content_commitment"))? - .is_true()?, + .is_truthy()?, ); certificate::set_bit( &mut bs, 2, ext.getattr(pyo3::intern!(py, "key_encipherment"))? - .is_true()?, + .is_truthy()?, ); certificate::set_bit( &mut bs, 3, ext.getattr(pyo3::intern!(py, "data_encipherment"))? - .is_true()?, + .is_truthy()?, ); certificate::set_bit( &mut bs, 4, - ext.getattr(pyo3::intern!(py, "key_agreement"))?.is_true()?, + ext.getattr(pyo3::intern!(py, "key_agreement"))? + .is_truthy()?, ); certificate::set_bit( &mut bs, 5, - ext.getattr(pyo3::intern!(py, "key_cert_sign"))?.is_true()?, + ext.getattr(pyo3::intern!(py, "key_cert_sign"))? + .is_truthy()?, ); certificate::set_bit( &mut bs, 6, - ext.getattr(pyo3::intern!(py, "crl_sign"))?.is_true()?, + ext.getattr(pyo3::intern!(py, "crl_sign"))?.is_truthy()?, ); - if ext.getattr(pyo3::intern!(py, "key_agreement"))?.is_true()? { + if ext + .getattr(pyo3::intern!(py, "key_agreement"))? + .is_truthy()? + { certificate::set_bit( &mut bs, 7, - ext.getattr(pyo3::intern!(py, "encipher_only"))?.is_true()?, + ext.getattr(pyo3::intern!(py, "encipher_only"))? + .is_truthy()?, ); certificate::set_bit( &mut bs, 8, - ext.getattr(pyo3::intern!(py, "decipher_only"))?.is_true()?, + ext.getattr(pyo3::intern!(py, "decipher_only"))? + .is_truthy()?, ); } let (bits, unused_bits) = if bs[1] == 0 { @@ -208,7 +215,7 @@ fn encode_certificate_policies( let py_policy_info = py_policy_info?; let py_policy_qualifiers = py_policy_info.getattr(pyo3::intern!(py, "policy_qualifiers"))?; - let qualifiers = if py_policy_qualifiers.is_true()? { + let qualifiers = if py_policy_qualifiers.is_truthy()? { let mut qualifiers = vec![]; for py_qualifier in py_policy_qualifiers.iter()? { let py_qualifier = py_qualifier?; 
@@ -228,7 +235,7 @@ fn encode_certificate_policies( } } else { let py_notice = py_qualifier.getattr(pyo3::intern!(py, "notice_reference"))?; - let notice_ref = if py_notice.is_true()? { + let notice_ref = if py_notice.is_truthy()? { let mut notice_numbers = vec![]; for py_num in py_notice .getattr(pyo3::intern!(py, "notice_numbers"))? @@ -255,7 +262,7 @@ fn encode_certificate_policies( }; let py_explicit_text = py_qualifier.getattr(pyo3::intern!(py, "explicit_text"))?; - let explicit_text = if py_explicit_text.is_true()? { + let explicit_text = if py_explicit_text.is_truthy()? { Some(extensions::DisplayText::Utf8String(asn1::Utf8String::new( py_explicit_text.extract()?, ))) @@ -296,7 +303,7 @@ fn encode_issuing_distribution_point( ) -> CryptographyResult> { let only_some_reasons = if ext .getattr(pyo3::intern!(py, "only_some_reasons"))? - .is_true()? + .is_truthy()? { let py_reasons = ext.getattr(pyo3::intern!(py, "only_some_reasons"))?; let reasons = certificate::encode_distribution_point_reasons(ext.py(), py_reasons)?; @@ -304,13 +311,16 @@ fn encode_issuing_distribution_point( } else { None }; - let distribution_point = if ext.getattr(pyo3::intern!(py, "full_name"))?.is_true()? { + let distribution_point = if ext.getattr(pyo3::intern!(py, "full_name"))?.is_truthy()? { let py_full_name = ext.getattr(pyo3::intern!(py, "full_name"))?; let gns = x509::common::encode_general_names(ext.py(), py_full_name)?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) - } else if ext.getattr(pyo3::intern!(py, "relative_name"))?.is_true()? { + } else if ext + .getattr(pyo3::intern!(py, "relative_name"))? + .is_truthy()? + { let mut name_entries = vec![]; for py_name_entry in ext.getattr(pyo3::intern!(py, "relative_name"))?.iter()? { name_entries.push(x509::common::encode_name_entry(ext.py(), py_name_entry?)?); From c30cc6fd6592c8ed177ff7b406f2c6f0c392ee33 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Mon, 1 Apr 2024 17:57:58 -0400 Subject: [PATCH 0337/1462] Convert `py_uint_to_big_endian_bytes` to the new pyo3 APIs (#10677) --- src/rust/src/asn1.rs | 7 ++++--- src/rust/src/x509/crl.rs | 2 +- src/rust/src/x509/extensions.rs | 9 +++++---- src/rust/src/x509/ocsp_req.rs | 2 +- 4 files changed, 11 insertions(+), 9 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 641417545fce..9677064b536c 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -6,6 +6,7 @@ use asn1::SimpleAsn1Readable; use cryptography_x509::certificate::Certificate; use cryptography_x509::common::{DssSignature, SubjectPublicKeyInfo, Time}; use cryptography_x509::name::Name; +use pyo3::prelude::PyAnyMethods; use pyo3::types::IntoPyDict; use pyo3::ToPyObject; @@ -65,7 +66,7 @@ fn decode_dss_signature( pub(crate) fn py_uint_to_big_endian_bytes<'p>( py: pyo3::Python<'p>, - v: &'p pyo3::types::PyLong, + v: pyo3::Bound<'p, pyo3::types::PyLong>, ) -> pyo3::PyResult<&'p [u8]> { let zero = (0).to_object(py); if v.lt(zero)? { @@ -114,8 +115,8 @@ pub(crate) fn encode_der_data<'p>( #[pyo3::prelude::pyfunction] fn encode_dss_signature( py: pyo3::Python<'_>, - r: &pyo3::types::PyLong, - s: &pyo3::types::PyLong, + r: pyo3::Bound<'_, pyo3::types::PyLong>, + s: pyo3::Bound<'_, pyo3::types::PyLong>, ) -> CryptographyResult { let sig = DssSignature { r: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, r)?).unwrap(), diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 8e43832986c2..c040abfffe85 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -375,7 +375,7 @@ impl CertificateRevocationList { fn get_revoked_certificate_by_serial_number( &self, py: pyo3::Python<'_>, - serial: &pyo3::types::PyLong, + serial: pyo3::Bound<'_, pyo3::types::PyLong>, ) -> pyo3::PyResult> { let serial_bytes = py_uint_to_big_endian_bytes(py, serial)?; let owned = OwnedRevokedCertificate::try_new(Arc::clone(&self.owned), |v| { 
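Review bot: `py_uint_to_big_endian_bytes` in asn1.rs now takes `v: pyo3::Bound<'p, pyo3::types::PyLong>` by value, although the visible part of the body only reads it (`v.lt(zero)?`). Callers that hold a borrowed object must take a new reference just to make the call, as the extensions.rs hunks of this commit do with `intval.as_borrowed().to_owned()`. Taking `v: &pyo3::Bound<'p, pyo3::types::PyLong>` would avoid those reference-count bumps; the rest of the body is outside the hunk, so confirm the returned `&'p [u8]` still borrows correctly with that signature. A `///` comment stating what happens for negative input and which encoding the returned bytes use would also help, since callers such as `encode_dss_signature` pass the result straight to `asn1::BigUint::new(...).unwrap()`.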
diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 76bdf3c388d5..54cf0d555e3a 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -8,6 +8,7 @@ use crate::asn1::{py_oid_to_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, sct}; use crate::{types, x509}; +use pyo3::PyNativeType; fn encode_general_subtrees<'a>( py: pyo3::Python<'a>, @@ -39,7 +40,7 @@ pub(crate) fn encode_authority_key_identifier<'a>( struct PyAuthorityKeyIdentifier<'a> { key_identifier: Option<&'a [u8]>, authority_cert_issuer: Option<&'a pyo3::PyAny>, - authority_cert_serial_number: Option<&'a pyo3::types::PyLong>, + authority_cert_serial_number: Option>, } let aki = py_aki.extract::>()?; let authority_cert_issuer = if let Some(authority_cert_issuer) = aki.authority_cert_issuer { @@ -241,7 +242,7 @@ fn encode_certificate_policies( .getattr(pyo3::intern!(py, "notice_numbers"))? .iter()? { - let bytes = py_uint_to_big_endian_bytes(ext.py(), py_num?.downcast()?)?; + let bytes = py_uint_to_big_endian_bytes(ext.py(), py_num?.extract()?)?; notice_numbers.push(asn1::BigUint::new(bytes).unwrap()); } @@ -444,7 +445,7 @@ pub(crate) fn encode_extension( let intval = ext .getattr(pyo3::intern!(py, "skip_certs"))? .downcast::()?; - let bytes = py_uint_to_big_endian_bytes(ext.py(), intval)?; + let bytes = py_uint_to_big_endian_bytes(ext.py(), intval.as_borrowed().to_owned())?; Ok(Some(asn1::write_single( &asn1::BigUint::new(bytes).unwrap(), )?)) @@ -491,7 +492,7 @@ pub(crate) fn encode_extension( let intval = ext .getattr(pyo3::intern!(py, "crl_number"))? .downcast::()?; - let bytes = py_uint_to_big_endian_bytes(ext.py(), intval)?; + let bytes = py_uint_to_big_endian_bytes(ext.py(), intval.as_borrowed().to_owned())?; Ok(Some(asn1::write_single( &asn1::BigUint::new(bytes).unwrap(), )?)) 
diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index baa2dd00dfb4..931036c4b0a7 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -192,7 +192,7 @@ fn create_ocsp_request( let (issuer_name_hash, issuer_key_hash, py_serial, py_hash): ( &[u8], &[u8], - &pyo3::types::PyLong, + pyo3::Bound<'_, pyo3::types::PyLong>, &pyo3::PyAny, ) = builder .getattr(pyo3::intern!(py, "_request_hash"))? From c69e7cb79a49f1147ba5649e1f440a9ec6b40bd5 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 1 Apr 2024 20:35:55 -0400 Subject: [PATCH 0338/1462] Bump x509-limbo and/or wycheproof in CI (#10681) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 0756a07dc1d2..b152b7af5c1c 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 29, 2024. - ref: "4c4634d102feab973d06625cd974530d6f9dc98d" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Apr 02, 2024. + ref: "daf8dd36c0f7457d2b9ea006a514b30a4d49b6c1" # x509-limbo-ref From e26f437af4c3e3493c2735364440b8925d9ce641 Mon Sep 17 00:00:00 2001 
From: William Woodruff Date: Mon, 1 Apr 2024 20:37:43 -0400 Subject: [PATCH 0339/1462] sign: bound-ify sig_alg APIs (#10679) * sign: bound-ify sig_alg APIs This unfortunately taints a few certificate, CRL, etc. APIs in the process. However, each is a singular top-level API, so the diff isn't too bad. * types: implement get via get_bound --- src/rust/src/types.rs | 25 ++++++++++++++++--------- src/rust/src/x509/certificate.rs | 4 ++-- src/rust/src/x509/crl.rs | 2 +- src/rust/src/x509/csr.rs | 4 ++-- src/rust/src/x509/sign.rs | 25 ++++++++++++++++--------- 5 files changed, 37 insertions(+), 23 deletions(-) diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 55250a0b0b58..c3590948bf90 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -18,15 +18,22 @@ impl LazyPyImport { } pub fn get<'p>(&'p self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - self.value - .get_or_try_init(py, || { - let mut obj = py.import(self.module)?.as_ref(); - for name in self.names { - obj = obj.getattr(*name)?; - } - obj.extract() - }) - .map(|p| p.as_ref(py)) + Ok(self.get_bound(py)?.into_gil_ref()) + } + + pub fn get_bound<'p>( + &'p self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let p = self.value.get_or_try_init(py, || { + let mut obj = py.import(self.module)?.as_ref(); + for name in self.names { + obj = obj.getattr(*name)?; + } + obj.extract() + })?; + + Ok(p.clone().into_bound(py)) } } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index d4873256fe22..27f30f329b6f 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -257,7 +257,7 @@ impl Certificate { fn signature_hash_algorithm<'p>( &self, py: pyo3::Python<'p>, - ) -> Result<&'p pyo3::PyAny, CryptographyError> { + ) -> Result, CryptographyError> { sign::identify_signature_hash_algorithm(py, &self.raw.borrow_dependent().signature_alg) } 
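Review bot: In `LazyPyImport::get_bound` (types.rs), `p.clone().into_bound(py)` relies on `Py`'s plain `Clone`, which does not take the GIL token; `p.clone_ref(py).into_bound(py)` or `p.bind(py).clone()` makes the GIL requirement explicit at the call site. `get` now goes through `get_bound(py)?.into_gil_ref()`, so every remaining `get` caller takes a new reference and hands it to the GIL pool where it previously returned a borrow of the cached object; it is worth confirming that this is acceptable until those callers are migrated. The initialiser closure still uses the gil-ref `py.import(...)` and `as_ref()` calls, which a short comment could mark as pending conversion.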
@@ -270,7 +270,7 @@ impl Certificate { fn signature_algorithm_parameters<'p>( &'p self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::PyAny> { + ) -> CryptographyResult> { sign::identify_signature_algorithm_parameters( py, &self.raw.borrow_dependent().signature_alg, diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index c040abfffe85..67c8b1d0093d 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -207,7 +207,7 @@ impl CertificateRevocationList { fn signature_algorithm_parameters<'p>( &'p self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::PyAny> { + ) -> CryptographyResult> { sign::identify_signature_algorithm_parameters( py, &self.owned.borrow_dependent().signature_algorithm, diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 27eff5e12e95..704dd2c93655 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -91,7 +91,7 @@ impl CertificateSigningRequest { fn signature_hash_algorithm<'p>( &self, py: pyo3::Python<'p>, - ) -> Result<&'p pyo3::PyAny, CryptographyError> { + ) -> Result, CryptographyError> { sign::identify_signature_hash_algorithm(py, &self.raw.borrow_dependent().signature_alg) } @@ -104,7 +104,7 @@ impl CertificateSigningRequest { fn signature_algorithm_parameters<'p>( &'p self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::PyAny> { + ) -> CryptographyResult> { sign::identify_signature_algorithm_parameters( py, &self.raw.borrow_dependent().signature_alg, diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 638bbbe909af..e1d2b877938c 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -6,6 +6,8 @@ use std::collections::HashMap; use cryptography_x509::{common, oid}; use once_cell::sync::Lazy; +use pyo3::prelude::PyAnyMethods; +use pyo3::PyNativeType; use crate::asn1::oid_to_py_oid; use crate::error::{CryptographyError, CryptographyResult}; 
@@ -427,9 +429,12 @@ fn identify_alg_params_for_hash_type( fn hash_oid_py_hash( py: pyo3::Python<'_>, oid: asn1::ObjectIdentifier, -) -> CryptographyResult<&pyo3::PyAny> { +) -> CryptographyResult> { match HASH_OIDS_TO_HASH.get(&oid) { - Some(alg_name) => Ok(types::HASHES_MODULE.get(py)?.getattr(*alg_name)?.call0()?), + Some(alg_name) => Ok(types::HASHES_MODULE + .get_bound(py)? + .getattr(*alg_name)? + .call0()?), None => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -442,7 +447,7 @@ fn hash_oid_py_hash( pub(crate) fn identify_signature_hash_algorithm<'p>( py: pyo3::Python<'p>, signature_algorithm: &common::AlgorithmIdentifier<'_>, -) -> CryptographyResult<&'p pyo3::PyAny> { +) -> CryptographyResult> { let sig_oids_to_hash = types::SIG_OIDS_TO_HASH.get(py)?; match &signature_algorithm.params { common::AlgorithmParameters::RsaPss(opt_pss) => { @@ -455,7 +460,7 @@ pub(crate) fn identify_signature_hash_algorithm<'p>( let py_sig_alg_oid = oid_to_py_oid(py, signature_algorithm.oid())?; let hash_alg = sig_oids_to_hash.get_item(py_sig_alg_oid); match hash_alg { - Ok(data) => Ok(data), + Ok(data) => Ok(data.as_borrowed().to_owned()), Err(_) => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -470,7 +475,7 @@ pub(crate) fn identify_signature_hash_algorithm<'p>( pub(crate) fn identify_signature_algorithm_parameters<'p>( py: pyo3::Python<'p>, signature_algorithm: &common::AlgorithmIdentifier<'_>, -) -> CryptographyResult<&'p pyo3::PyAny> { +) -> CryptographyResult> { match &signature_algorithm.params { common::AlgorithmParameters::RsaPss(opt_pss) => { let pss = opt_pss.as_ref().ok_or_else(|| { 
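Review bot: In `identify_signature_hash_algorithm`, the new `Ok(data) => Ok(data.as_borrowed().to_owned())` is only needed because `sig_oids_to_hash` is still fetched with `types::SIG_OIDS_TO_HASH.get(py)?`. Fetching it with `types::SIG_OIDS_TO_HASH.get_bound(py)?` should let `get_item` hand back a `Bound` directly, assuming `py_sig_alg_oid` is accepted as a key there. The same old/new mix is left in the later hunk of `identify_signature_algorithm_parameters`, where `types::MGF1.get(py)?.call1(...)` sits next to `types::PSS.get_bound(py)?`. Separately, the unchanged `Err(_)` arm reports every `get_item` failure as `UnsupportedAlgorithm`, so an error other than a missing key would be hidden; matching only the key-lookup failure would be safer. Both functions start and end outside their hunks.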
@@ -487,7 +492,7 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( let py_mask_gen_hash_alg = hash_oid_py_hash(py, pss.mask_gen_algorithm.params.oid().clone())?; let py_mgf = types::MGF1.get(py)?.call1((py_mask_gen_hash_alg,))?; - Ok(types::PSS.get(py)?.call1((py_mgf, pss.salt_length))?) + Ok(types::PSS.get_bound(py)?.call1((py_mgf, pss.salt_length))?) } common::AlgorithmParameters::RsaWithSha1(_) | common::AlgorithmParameters::RsaWithSha1Alt(_) @@ -499,7 +504,7 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( | common::AlgorithmParameters::RsaWithSha3_256(_) | common::AlgorithmParameters::RsaWithSha3_384(_) | common::AlgorithmParameters::RsaWithSha3_512(_) => { - Ok(types::PKCS1V15.get(py)?.call0()?) + Ok(types::PKCS1V15.get_bound(py)?.call0()?) } common::AlgorithmParameters::EcDsaWithSha224(_) | common::AlgorithmParameters::EcDsaWithSha256(_) @@ -512,9 +517,11 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( let signature_hash_algorithm = identify_signature_hash_algorithm(py, signature_algorithm)?; - Ok(types::ECDSA.get(py)?.call1((signature_hash_algorithm,))?) + Ok(types::ECDSA + .get_bound(py)? + .call1((signature_hash_algorithm,))?) } - _ => Ok(py.None().into_ref(py)), + _ => Ok(py.None().into_bound(py)), } } From d2ee468c0da38a97af70827a3e4735421b68f3d7 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 2 Apr 2024 00:40:07 +0000 Subject: [PATCH 0340/1462] Bump BoringSSL and/or OpenSSL in CI (#10680) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 47bb66365129..a98f02e3f531 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 30, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ec6cb3e3a016a8e7ffee42d589d423e6057f21bf"}} - # Latest commit on the OpenSSL master branch, as of Mar 31, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "15e06b12ee9df6347433398cb3f732c4458d4218"}} + # Latest commit on the BoringSSL master branch, as of Apr 02, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "077d4d2b1a768028603ae1b26287224d7f985d1f"}} + # Latest commit on the OpenSSL master branch, as of Apr 02, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "81f2b0420abab47a7fd9fc9ef69309578115d342"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From e8180e2349a20ae4fc91baf890cc654e94061b90 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Apr 2024 07:01:39 -0400 Subject: [PATCH 0341/1462] Bump ruff from 0.3.4 to 0.3.5 (#10683) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.3.4 to 0.3.5. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.3.4...v0.3.5) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 18b2d07fdfcc..702299344a67 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.3.4 +ruff==0.3.5 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 598870229f466ddf082dd5e9dabe0ae140799133 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 3 Apr 2024 00:16:23 +0000 Subject: [PATCH 0342/1462] Bump BoringSSL and/or OpenSSL in CI (#10689) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a98f02e3f531..640f2a574632 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 02, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "077d4d2b1a768028603ae1b26287224d7f985d1f"}} - # Latest commit on the OpenSSL master branch, as of Apr 02, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "81f2b0420abab47a7fd9fc9ef69309578115d342"}} + # Latest commit on the BoringSSL master branch, as of Apr 03, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "68c6fd8943ffba4e5054ff3a9befa8882b6b226a"}} + # Latest commit on the OpenSSL master branch, as of Apr 03, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c45ca0656f8d1fe43b8cf444c88d295a063341ca"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 46b5be8c8ca647774e272f7e543a3dabdeb2f33e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 Apr 2024 07:06:13 -0400 Subject: [PATCH 0343/1462] Bump syn from 2.0.57 to 2.0.58 in /src/rust (#10690) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.57 to 2.0.58. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.57...2.0.58) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 580672e2bebc..91ac810df5c2 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -377,9 +377,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.57" +version = "2.0.58" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "11a6ae1e52eb25aab8f3fb9fca13be982a373b8f1157ca14b897a825ba4a2d35" +checksum = "44cfb93f38070beee36b3fef7d4f5a16f27751d94b187b666a5cc5e9b0d30687" dependencies = [ "proc-macro2", "quote", From f9c422f074931bd8edcc4da836a2776abf8780be Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 4 Apr 2024 00:15:23 +0000 Subject: [PATCH 0344/1462] Bump BoringSSL and/or OpenSSL in CI (#10695) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 640f2a574632..6ef592535110 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 03, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "68c6fd8943ffba4e5054ff3a9befa8882b6b226a"}} - # Latest commit on the OpenSSL master branch, as of Apr 03, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c45ca0656f8d1fe43b8cf444c88d295a063341ca"}} + # Latest commit on the BoringSSL master branch, as of Apr 04, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e97787e7f33fe8f0aeb2fc3ee7fbb86e1a074ba5"}} + # Latest commit on the OpenSSL master branch, as of Apr 04, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "882a387d0dc12afe8612c4d3f6b9cae5c04611d7"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From a54ca106c43e25e8313eec994d6f7c6b9e2d7c7e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Apr 2024 07:16:10 +0200 Subject: [PATCH 0345/1462] Bump sigstore-protobuf-specs from 0.3.0 to 0.3.1 in /.github/requirements (#10691) * Bump sigstore-protobuf-specs in /.github/requirements Bumps [sigstore-protobuf-specs](https://github.com/sigstore/protobuf-specs) from 0.3.0 to 0.3.1. - [Release notes](https://github.com/sigstore/protobuf-specs/releases) - [Changelog](https://github.com/sigstore/protobuf-specs/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/protobuf-specs/compare/v0.3.0...v0.3.1) --- updated-dependencies: - dependency-name: sigstore-protobuf-specs dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index c61ee4e7ce20..1abe043ba1a5 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -548,9 +548,9 @@ sigstore==2.1.3 \ --hash=sha256:7a0c1252cb7974024aee87c8e0f0f6247604af16e8b5a8e3d0a9e1201e330aa2 \ --hash=sha256:f3aaa564c0d48a62fb40c103615bba01af787eaf9fda3b6e1a3e1dc5abc2d311 # via -r publish-requirements.in -sigstore-protobuf-specs==0.3.0 \ - --hash=sha256:3322adb73992bca0f3dc6d4c2c38bac29086a11d2631a983adb2798e58e32a54 \ - --hash=sha256:e06321d28e58cb1505ae682b63756b4fb858da6b11bd7b49a2b6beabe412ebfd +sigstore-protobuf-specs==0.3.1 \ + --hash=sha256:c40b61975b957ae906eb29a5bc7040ec015b68b6b46005cc5805e629493e8dec \ + --hash=sha256:ea6d7325af70019b6639e0fd16ef6f78511645d46dd3f9876fb008641d80a125 # via sigstore sigstore-rekor-types==0.0.11 \ --hash=sha256:791a696eccd5d07c933cc11d46dea22983efedaf5f1068734263ce0f25695bba \ From e5b847a193092c4eb66fa2c4473216187a92ddb9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Apr 2024 07:16:27 +0200 Subject: [PATCH 0346/1462] Bump keyring from 25.0.0 to 25.1.0 in /.github/requirements (#10692) * Bump keyring from 25.0.0 to 25.1.0 in /.github/requirements Bumps [keyring](https://github.com/jaraco/keyring) from 25.0.0 to 25.1.0. - [Release notes](https://github.com/jaraco/keyring/releases) - [Changelog](https://github.com/jaraco/keyring/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/keyring/compare/v25.0.0...v25.1.0) --- updated-dependencies: - dependency-name: keyring dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 1abe043ba1a5..160ac650d276 100644 
--- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -264,9 +264,9 @@ jeepney==0.8.0 \ # via # keyring # secretstorage -keyring==25.0.0 \ - --hash=sha256:9a15cd280338920388e8c1787cb8792b9755dabb3e7c61af5ac1f8cd437cefde \ - --hash=sha256:fc024ed53c7ea090e30723e6bd82f58a39dc25d9a6797d866203ecd0ee6306cb +keyring==25.1.0 \ + --hash=sha256:26fc12e6a329d61d24aa47b22a7c5c3f35753df7d8f2860973cf94f4e1fb3427 \ + --hash=sha256:7230ea690525133f6ad536a9b5def74a4bd52642abe594761028fc044d7c7893 # via twine markdown-it-py==3.0.0 \ --hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1 \ From 14e8a3296acde6622f0b713f2f194f133f77cc35 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 01:17:18 -0400 Subject: [PATCH 0347/1462] Convert `src/backend/utils.rs` to new pyo3 APIs (#10678) --- src/rust/src/backend/dh.rs | 5 +++-- src/rust/src/backend/dsa.rs | 5 +++-- src/rust/src/backend/ec.rs | 5 +++-- src/rust/src/backend/ed25519.rs | 4 ++-- src/rust/src/backend/ed448.rs | 4 ++-- src/rust/src/backend/rsa.rs | 5 +++-- src/rust/src/backend/utils.rs | 39 +++++++++++++++++---------------- src/rust/src/backend/x25519.rs | 4 ++-- src/rust/src/backend/x448.rs | 4 ++-- 9 files changed, 40 insertions(+), 35 deletions(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index eb6cbdcdc9e4..1145b32327c3 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -8,6 +8,7 @@ use crate::asn1::encode_der_data; use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; use crate::{types, x509}; +use pyo3::prelude::PyAnyMethods; const MIN_MODULUS_SIZE: u32 = 512; 
@@ -226,7 +227,7 @@ impl DHPrivateKey { encoding: &pyo3::PyAny, format: &pyo3::PyAny, encryption_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { if !format.is(types::PRIVATE_FORMAT_PKCS8.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -260,7 +261,7 @@ impl DHPublicKey { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { if !format.is(types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index bf341ac71314..2d567db5e086 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -6,6 +6,7 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; +use pyo3::prelude::PyAnyMethods; #[pyo3::prelude::pyclass( frozen, @@ -133,7 +134,7 @@ impl DsaPrivateKey { encoding: &pyo3::PyAny, format: &pyo3::PyAny, encryption_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_private_bytes( py, slf, @@ -205,7 +206,7 @@ impl DsaPublicKey { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, false) } diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 1c4cf95d0f61..0291c96b7f70 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -5,6 +5,7 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; +use pyo3::prelude::PyAnyMethods; use pyo3::ToPyObject; use crate::backend::utils; 
@@ -357,7 +358,7 @@ impl ECPrivateKey { encoding: &pyo3::PyAny, format: &pyo3::PyAny, encryption_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_private_bytes( py, slf, @@ -438,7 +439,7 @@ impl ECPublicKey { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, false) } diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index 81ca3230088e..4fc199969aec 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -102,7 +102,7 @@ impl Ed25519PrivateKey { encoding: &pyo3::PyAny, format: &pyo3::PyAny, encryption_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_private_bytes( py, slf, @@ -145,7 +145,7 @@ impl Ed25519PublicKey { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, true) } diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index 15b679d5f993..79d650a1cb46 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -100,7 +100,7 @@ impl Ed448PrivateKey { encoding: &pyo3::PyAny, format: &pyo3::PyAny, encryption_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_private_bytes( py, slf, @@ -142,7 +142,7 @@ impl Ed448PublicKey { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, true) } 
diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 662f30aff084..1d47b8c6c326 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -9,6 +9,7 @@ use crate::backend::{hashes, utils}; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; +use pyo3::prelude::PyAnyMethods; #[pyo3::prelude::pyclass( frozen, @@ -402,7 +403,7 @@ impl RsaPrivateKey { encoding: &pyo3::PyAny, format: &pyo3::PyAny, encryption_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_private_bytes( py, slf, @@ -514,7 +515,7 @@ impl RsaPublicKey { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, false) } diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 5c15cba57741..ecd83edfe467 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -5,6 +5,7 @@ use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; use crate::{error, types}; +use pyo3::prelude::PyAnyMethods; use pyo3::ToPyObject; pub(crate) fn py_int_to_bn( @@ -26,10 +27,10 @@ pub(crate) fn py_int_to_bn( pub(crate) fn bn_to_py_int<'p>( py: pyo3::Python<'p>, b: &openssl::bn::BigNumRef, -) -> CryptographyResult<&'p pyo3::PyAny> { +) -> CryptographyResult> { assert!(!b.is_negative()); - let int_type = py.get_type::(); + let int_type = py.get_type_bound::(); Ok(int_type.call_method1( pyo3::intern!(py, "from_bytes"), (b.to_vec(), pyo3::intern!(py, "big")), 
@@ -50,7 +51,7 @@ pub(crate) fn pkey_private_bytes<'p>( encryption_algorithm: &pyo3::PyAny, openssh_allowed: bool, raw_allowed: bool, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { +) -> CryptographyResult> { if !encoding.is_instance(types::ENCODING.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( @@ -86,7 +87,7 @@ pub(crate) fn pkey_private_bytes<'p>( ))); } let raw_bytes = pkey.raw_private_key()?; - return Ok(pyo3::types::PyBytes::new(py, &raw_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)); } let password = if encryption_algorithm.is_instance(types::NO_ENCRYPTION.get(py)?)? { @@ -124,7 +125,7 @@ pub(crate) fn pkey_private_bytes<'p>( password, )? }; - return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); } else if encoding.is(types::ENCODING_DER.get(py)?) { let der_bytes = if password.is_empty() { pkey.private_key_to_pkcs8()? @@ -134,7 +135,7 @@ pub(crate) fn pkey_private_bytes<'p>( password, )? }; - return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Unsupported encoding for PKCS8"), @@ -152,7 +153,7 @@ pub(crate) fn pkey_private_bytes<'p>( password, )? }; - return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); } else if encoding.is(types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( @@ -163,7 +164,7 @@ pub(crate) fn pkey_private_bytes<'p>( } let der_bytes = rsa.private_key_to_der()?; - return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } } else if let Ok(dsa) = pkey.dsa() { if encoding.is(types::ENCODING_PEM.get(py)?) { 
@@ -175,7 +176,7 @@ pub(crate) fn pkey_private_bytes<'p>( password, )? }; - return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); } else if encoding.is(types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( @@ -186,7 +187,7 @@ pub(crate) fn pkey_private_bytes<'p>( } let der_bytes = dsa.private_key_to_der()?; - return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } } else if let Ok(ec) = pkey.ec_key() { if encoding.is(types::ENCODING_PEM.get(py)?) { @@ -198,7 +199,7 @@ pub(crate) fn pkey_private_bytes<'p>( password, )? }; - return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); } else if encoding.is(types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( @@ -209,7 +210,7 @@ pub(crate) fn pkey_private_bytes<'p>( } let der_bytes = ec.private_key_to_der()?; - return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } } } @@ -243,7 +244,7 @@ pub(crate) fn pkey_public_bytes<'p>( format: &pyo3::PyAny, openssh_allowed: bool, raw_allowed: bool, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { +) -> CryptographyResult> { if !encoding.is_instance(types::ENCODING.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( 
@@ -273,17 +274,17 @@ pub(crate) fn pkey_public_bytes<'p>( )); } let raw_bytes = pkey.raw_public_key()?; - return Ok(pyo3::types::PyBytes::new(py, &raw_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)); } // SubjectPublicKeyInfo + PEM/DER if format.is(types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?) { if encoding.is(types::ENCODING_PEM.get(py)?) { let pem_bytes = pkey.public_key_to_pem()?; - return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); } else if encoding.is(types::ENCODING_DER.get(py)?) { let der_bytes = pkey.public_key_to_der()?; - return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -309,7 +310,7 @@ pub(crate) fn pkey_public_bytes<'p>( let data = ec .public_key() .to_bytes(ec.group(), point_form, &mut bn_ctx)?; - return Ok(pyo3::types::PyBytes::new(py, &data)); + return Ok(pyo3::types::PyBytes::new_bound(py, &data)); } } @@ -317,10 +318,10 @@ pub(crate) fn pkey_public_bytes<'p>( if format.is(types::PUBLIC_FORMAT_PKCS1.get(py)?) { if encoding.is(types::ENCODING_PEM.get(py)?) { let pem_bytes = rsa.public_key_to_pem_pkcs1()?; - return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); } else if encoding.is(types::ENCODING_DER.get(py)?) { let der_bytes = rsa.public_key_to_der_pkcs1()?; - return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index b193e18b0483..1789c9f20a03 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs 
@@ -103,7 +103,7 @@ impl X25519PrivateKey { encoding: &pyo3::PyAny, format: &pyo3::PyAny, encryption_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_private_bytes( py, slf, @@ -132,7 +132,7 @@ impl X25519PublicKey { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, false, true) } diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 7a64002d943d..ae61ac4eafe9 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -102,7 +102,7 @@ impl X448PrivateKey { encoding: &pyo3::PyAny, format: &pyo3::PyAny, encryption_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_private_bytes( py, slf, @@ -131,7 +131,7 @@ impl X448PublicKey { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, false, true) } From bbb1a75dc180ea4ee3da9d75fe5bbc19be796269 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 01:18:31 -0400 Subject: [PATCH 0348/1462] Convert cipher registry to new pyo3 API (#10682) Refs https://github.com/pyca/cryptography/issues/10676 --- src/rust/src/backend/cipher_registry.rs | 5 +- src/rust/src/backend/ciphers.rs | 119 ++++++++++++------------ src/rust/src/backend/cmac.rs | 9 +- 3 files changed, 69 insertions(+), 64 deletions(-) diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index ef54b7460e82..1ceccbe0a1cd 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs 
@@ -5,6 +5,7 @@ use std::collections::HashMap; use openssl::cipher::Cipher; +use pyo3::prelude::PyAnyMethods; use crate::error::CryptographyResult; use crate::types; @@ -305,8 +306,8 @@ fn get_cipher_registry( pub(crate) fn get_cipher<'py>( py: pyo3::Python<'py>, - algorithm: &pyo3::PyAny, - mode_cls: &pyo3::PyAny, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, + mode_cls: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { let registry = get_cipher_registry(py)?; diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 8becdc597f22..2cf97d7b8800 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs @@ -7,6 +7,7 @@ use crate::buf::{CffiBuf, CffiMutBuf}; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; use crate::types; +use pyo3::prelude::PyAnyMethods; use pyo3::IntoPy; struct CipherContext { 
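Review bot: `get_cipher` now takes `algorithm` and `mode_cls` as `pyo3::Bound<'_, pyo3::PyAny>` by value, and the callers changed later in this commit pay for that with `algorithm.clone()` and `mode.clone()` (in `CipherContext::new`, `create_encryption_ctx`, `create_decryption_ctx` and `Cmac::new`). If the body only reads attributes from `algorithm`, declaring it as `algorithm: &pyo3::Bound<'_, pyo3::PyAny>` would remove those reference-count bumps and keep ownership with the caller. The body of `get_cipher` continues outside the hunk, so whether `mode_cls` must be consumed cannot be confirmed from here. The same borrow-instead-of-own choice applies to the `algorithm` and `mode` parameters of the functions in `ciphers.rs`.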
@@ -17,54 +18,56 @@ struct CipherContext { impl CipherContext { fn new( py: pyo3::Python<'_>, - algorithm: &pyo3::PyAny, - mode: &pyo3::PyAny, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, + mode: pyo3::Bound<'_, pyo3::PyAny>, side: openssl::symm::Mode, ) -> CryptographyResult { - let cipher = match cipher_registry::get_cipher(py, algorithm, mode.get_type())? { - Some(c) => c, - None => { - return Err(CryptographyError::from( - exceptions::UnsupportedAlgorithm::new_err(( - format!( - "cipher {} in {} mode is not supported ", - algorithm.getattr(pyo3::intern!(py, "name"))?, - if mode.is_truthy()? { - mode.getattr(pyo3::intern!(py, "name"))? - } else { - mode - } - ), - exceptions::Reasons::UNSUPPORTED_CIPHER, - )), - )) - } - }; - - let iv_nonce = if mode.is_instance(types::MODE_WITH_INITIALIZATION_VECTOR.get(py)?)? { - Some( - mode.getattr(pyo3::intern!(py, "initialization_vector"))? - .extract::>()?, - ) - } else if mode.is_instance(types::MODE_WITH_TWEAK.get(py)?)? { - Some( - mode.getattr(pyo3::intern!(py, "tweak"))? - .extract::>()?, - ) - } else if mode.is_instance(types::MODE_WITH_NONCE.get(py)?)? { - Some( - mode.getattr(pyo3::intern!(py, "nonce"))? - .extract::>()?, - ) - } else if algorithm.is_instance(types::CHACHA20.get(py)?)? { - Some( - algorithm - .getattr(pyo3::intern!(py, "nonce"))? - .extract::>()?, - ) - } else { - None - }; + let cipher = + match cipher_registry::get_cipher(py, algorithm.clone(), mode.get_type().into_any())? { + Some(c) => c, + None => { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + format!( + "cipher {} in {} mode is not supported ", + algorithm.getattr(pyo3::intern!(py, "name"))?, + if mode.is_truthy()? { + mode.getattr(pyo3::intern!(py, "name"))? + } else { + mode + } + ), + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )) + } + }; + + let iv_nonce = + if mode.is_instance(&types::MODE_WITH_INITIALIZATION_VECTOR.get_bound(py)?)? 
{ + Some( + mode.getattr(pyo3::intern!(py, "initialization_vector"))? + .extract::>()?, + ) + } else if mode.is_instance(&types::MODE_WITH_TWEAK.get_bound(py)?)? { + Some( + mode.getattr(pyo3::intern!(py, "tweak"))? + .extract::>()?, + ) + } else if mode.is_instance(&types::MODE_WITH_NONCE.get_bound(py)?)? { + Some( + mode.getattr(pyo3::intern!(py, "nonce"))? + .extract::>()?, + ) + } else if algorithm.is_instance(&types::CHACHA20.get_bound(py)?)? { + Some( + algorithm + .getattr(pyo3::intern!(py, "nonce"))? + .extract::>()?, + ) + } else { + None + }; let key = algorithm .getattr(pyo3::intern!(py, "key"))? @@ -85,7 +88,7 @@ impl CipherContext { } } - if mode.is_instance(types::XTS.get(py)?)? { + if mode.is_instance(&types::XTS.get_bound(py)?)? { init_op( &mut ctx, None, @@ -471,12 +474,12 @@ impl PyAEADDecryptionContext { #[pyo3::prelude::pyfunction] fn create_encryption_ctx( py: pyo3::Python<'_>, - algorithm: &pyo3::PyAny, - mode: &pyo3::PyAny, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, + mode: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - let ctx = CipherContext::new(py, algorithm, mode, openssl::symm::Mode::Encrypt)?; + let ctx = CipherContext::new(py, algorithm, mode.clone(), openssl::symm::Mode::Encrypt)?; - if mode.is_instance(types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? { + if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get_bound(py)?)? { Ok(PyAEADEncryptionContext { ctx: Some(ctx), tag: None, 
@@ -497,12 +500,12 @@ fn create_encryption_ctx( #[pyo3::prelude::pyfunction] fn create_decryption_ctx( py: pyo3::Python<'_>, - algorithm: &pyo3::PyAny, - mode: &pyo3::PyAny, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, + mode: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - let mut ctx = CipherContext::new(py, algorithm, mode, openssl::symm::Mode::Decrypt)?; + let mut ctx = CipherContext::new(py, algorithm, mode.clone(), openssl::symm::Mode::Decrypt)?; - if mode.is_instance(types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? { + if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get_bound(py)?)? { if let Some(tag) = mode.getattr(pyo3::intern!(py, "tag"))?.extract()? { ctx.ctx.set_tag(tag)?; } @@ -526,10 +529,10 @@ fn create_decryption_ctx( #[pyo3::prelude::pyfunction] fn cipher_supported( py: pyo3::Python<'_>, - algorithm: &pyo3::PyAny, - mode: &pyo3::PyAny, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, + mode: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - Ok(cipher_registry::get_cipher(py, algorithm, mode.get_type())?.is_some()) + Ok(cipher_registry::get_cipher(py, algorithm, mode.get_type().into_any())?.is_some()) } #[pyo3::prelude::pyfunction] diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index acacbf02f6ad..f23ccca37271 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs @@ -7,6 +7,7 @@ use crate::backend::hashes::already_finalized_error; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; +use pyo3::prelude::PyAnyMethods; #[pyo3::prelude::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.cmac", 
@@ -37,12 +38,12 @@ impl Cmac { #[new] fn new( py: pyo3::Python<'_>, - algorithm: &pyo3::PyAny, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, backend: Option<&pyo3::PyAny>, ) -> CryptographyResult { let _ = backend; - if !algorithm.is_instance(types::BLOCK_CIPHER_ALGORITHM.get(py)?)? { + if !algorithm.is_instance(&types::BLOCK_CIPHER_ALGORITHM.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Expected instance of BlockCipherAlgorithm.", @@ -50,8 +51,8 @@ impl Cmac { )); } - let cipher = - cipher_registry::get_cipher(py, algorithm, types::CBC.get(py)?)?.ok_or_else(|| { + let cipher = cipher_registry::get_cipher(py, algorithm.clone(), types::CBC.get_bound(py)?)? + .ok_or_else(|| { exceptions::UnsupportedAlgorithm::new_err(( "CMAC is not supported with this algorithm", exceptions::Reasons::UNSUPPORTED_CIPHER, From ec025527487d129e6c305c37ffb0694a229c2741 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 01:19:05 -0400 Subject: [PATCH 0349/1462] Convert `src/buf.rs` to new pyo3 APIs (#10684) --- src/rust/src/buf.rs | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index 028322dfe0da..c480216147ff 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs 
@@ -3,31 +3,32 @@ // for complete details. use crate::types; +use pyo3::prelude::PyAnyMethods; use pyo3::types::IntoPyDict; use std::slice; pub(crate) struct CffiBuf<'p> { - _pyobj: &'p pyo3::PyAny, - _bufobj: &'p pyo3::PyAny, + _pyobj: pyo3::Bound<'p, pyo3::PyAny>, + _bufobj: pyo3::Bound<'p, pyo3::PyAny>, buf: &'p [u8], } -fn _extract_buffer_length( - pyobj: &pyo3::PyAny, +fn _extract_buffer_length<'p>( + pyobj: &pyo3::Bound<'p, pyo3::PyAny>, mutable: bool, -) -> pyo3::PyResult<(&pyo3::PyAny, usize)> { +) -> pyo3::PyResult<(pyo3::Bound<'p, pyo3::PyAny>, usize)> { let py = pyobj.py(); let bufobj = if mutable { - let kwargs = [(pyo3::intern!(py, "require_writable"), true)].into_py_dict(py); + let kwargs = [(pyo3::intern!(py, "require_writable"), true)].into_py_dict_bound(py); types::FFI_FROM_BUFFER - .get(py)? - .call((pyobj,), Some(kwargs))? + .get_bound(py)? + .call((pyobj,), Some(&kwargs))? } else { - types::FFI_FROM_BUFFER.get(py)?.call1((pyobj,))? + types::FFI_FROM_BUFFER.get_bound(py)?.call1((pyobj,))? }; let ptrval = types::FFI_CAST .get(py)? - .call1((pyo3::intern!(py, "uintptr_t"), bufobj))? + .call1((pyo3::intern!(py, "uintptr_t"), bufobj.clone()))? .call_method0(pyo3::intern!(py, "__int__"))? .extract::()?; Ok((bufobj, ptrval)) @@ -40,7 +41,7 @@ impl CffiBuf<'_> { } impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { - fn extract(pyobj: &'a pyo3::PyAny) -> pyo3::PyResult { + fn extract_bound(pyobj: &pyo3::Bound<'a, pyo3::PyAny>) -> pyo3::PyResult { let (bufobj, ptrval) = _extract_buffer_length(pyobj, false)?; let len = bufobj.len()?; let buf = if len == 0 { @@ -58,7 +59,7 @@ impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { }; Ok(CffiBuf { - _pyobj: pyobj, + _pyobj: pyobj.clone(), _bufobj: bufobj, buf, }) 
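Review bot: `CffiBuf` has no comment saying why `_pyobj` and `_bufobj` exist, although they are what keeps the memory behind `buf` valid. `buf` appears to be built from the integer address that `_extract_buffer_length` returns (the construction itself is outside these hunks), so nothing in the type system ties the slice to those two objects. The fields are now owned `Bound` handles, so the struct holds its own references; that is worth stating above them, e.g. `// Never read: held so the cffi buffer that buf points into outlives this struct.`, and likewise on `CffiMutBuf` in the following hunk. Two smaller points in the same hunk: `_extract_buffer_length` returns the buffer object and a pointer value rather than a length, and `types::FFI_CAST` is still reached through `.get(py)` while `FFI_FROM_BUFFER` moved to `.get_bound(py)`.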
@@ -66,8 +67,8 @@ impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { } pub(crate) struct CffiMutBuf<'p> { - _pyobj: &'p pyo3::PyAny, - _bufobj: &'p pyo3::PyAny, + _pyobj: pyo3::Bound<'p, pyo3::PyAny>, + _bufobj: pyo3::Bound<'p, pyo3::PyAny>, buf: &'p mut [u8], } @@ -78,7 +79,7 @@ impl CffiMutBuf<'_> { } impl<'a> pyo3::conversion::FromPyObject<'a> for CffiMutBuf<'a> { - fn extract(pyobj: &'a pyo3::PyAny) -> pyo3::PyResult { + fn extract_bound(pyobj: &pyo3::Bound<'a, pyo3::PyAny>) -> pyo3::PyResult { let (bufobj, ptrval) = _extract_buffer_length(pyobj, true)?; let len = bufobj.len()?; @@ -97,7 +98,7 @@ impl<'a> pyo3::conversion::FromPyObject<'a> for CffiMutBuf<'a> { }; Ok(CffiMutBuf { - _pyobj: pyobj, + _pyobj: pyobj.clone(), _bufobj: bufobj, buf, }) From 80c7ad811a05ec291ee7c9dde67a345d62003123 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 01:20:38 -0400 Subject: [PATCH 0350/1462] Convert `src/error.rs` to new pyo3 APIs (#10686) --- src/rust/src/error.rs | 22 ++++++++++++---------- src/rust/src/x509/extensions.rs | 19 ++++++++++++------- 2 files changed, 24 insertions(+), 17 deletions(-) diff --git a/src/rust/src/error.rs b/src/rust/src/error.rs index 62b1ff4a6daa..380531c65509 100644 --- a/src/rust/src/error.rs +++ b/src/rust/src/error.rs @@ -2,6 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use pyo3::prelude::PyListMethods; use pyo3::ToPyObject; use crate::exceptions; @@ -32,8 +33,8 @@ impl From for CryptographyError { } } -impl From> for CryptographyError { - fn from(e: pyo3::PyDowncastError<'_>) -> CryptographyError { +impl From> for CryptographyError { + fn from(e: pyo3::DowncastError<'_, '_>) -> CryptographyError { CryptographyError::Py(e.into()) } } 
@@ -83,12 +84,12 @@ impl From for CryptographyError { pub(crate) fn list_from_openssl_error( py: pyo3::Python<'_>, error_stack: openssl::error::ErrorStack, -) -> &pyo3::types::PyList { - let errors = pyo3::types::PyList::empty(py); +) -> pyo3::Bound<'_, pyo3::types::PyList> { + let errors = pyo3::types::PyList::empty_bound(py); for e in error_stack.errors() { errors .append( - pyo3::PyCell::new(py, OpenSSLError { e: e.clone() }) + pyo3::Bound::new(py, OpenSSLError { e: e.clone() }) .expect("Failed to create OpenSSLError"), ) .expect("Failed to append to list"); @@ -186,10 +187,12 @@ impl OpenSSLError { } #[pyo3::prelude::pyfunction] -pub(crate) fn capture_error_stack(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::types::PyList> { - let errs = pyo3::types::PyList::empty(py); +pub(crate) fn capture_error_stack( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let errs = pyo3::types::PyList::empty_bound(py); for e in openssl::error::ErrorStack::get().errors() { - errs.append(pyo3::PyCell::new(py, OpenSSLError { e: e.clone() })?)?; + errs.append(pyo3::Bound::new(py, OpenSSLError { e: e.clone() })?)?; } Ok(errs) } @@ -210,8 +213,7 @@ mod tests { let py_e: pyo3::PyErr = e.into(); assert!(py_e.is_instance_of::(py)); - let e: CryptographyError = - pyo3::PyDowncastError::new(py.None().as_ref(py), "abc").into(); + let e: CryptographyError = pyo3::DowncastError::new(py.None().bind(py), "abc").into(); assert!(matches!(e, CryptographyError::Py(_))); let e = cryptography_key_parsing::KeyParsingError::OpenSSL( diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 54cf0d555e3a..eede1e5c0ab9 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs 
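Review bot: `list_from_openssl_error` in `src/rust/src/error.rs` keeps `.expect("Failed to create OpenSSLError")` and `.expect("Failed to append to list")`, so a failure while building the error list becomes a Rust panic instead of a Python exception, on a path that only runs when OpenSSL has already reported an error. pyo3 surfaces such a panic as `PanicException`, which derives from `BaseException` and therefore bypasses `except Exception` handlers in calling code. `capture_error_stack`, in the next hunk of the same file, builds the same list with `?`; returning `pyo3::PyResult<pyo3::Bound<'_, pyo3::types::PyList>>` here and using `?` would match it, though that changes the signature for callers outside this hunk. The function body continues past the end of the hunk.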
@@ -8,6 +8,7 @@ use crate::asn1::{py_oid_to_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, sct}; use crate::{types, x509}; +use pyo3::prelude::PyAnyMethods; use pyo3::PyNativeType; fn encode_general_subtrees<'a>( @@ -375,16 +376,16 @@ fn encode_tls_features(py: pyo3::Python<'_>, ext: &pyo3::PyAny) -> CryptographyR fn encode_scts(ext: &pyo3::PyAny) -> CryptographyResult> { let mut length = 0; for sct in ext.iter()? { - let sct = sct?.downcast::>()?; - length += sct.borrow().sct_data.len() + 2; + let sct = sct?.as_borrowed().downcast::()?.clone(); + length += sct.get().sct_data.len() + 2; } let mut result = vec![]; result.extend_from_slice(&(length as u16).to_be_bytes()); for sct in ext.iter()? { - let sct = sct?.downcast::>()?; - result.extend_from_slice(&(sct.borrow().sct_data.len() as u16).to_be_bytes()); - result.extend_from_slice(&sct.borrow().sct_data); + let sct = sct?.as_borrowed().downcast::()?.clone(); + result.extend_from_slice(&(sct.get().sct_data.len() as u16).to_be_bytes()); + result.extend_from_slice(&sct.get().sct_data); } Ok(asn1::write_single(&result.as_slice())?) } @@ -444,7 +445,9 @@ pub(crate) fn encode_extension( &oid::INHIBIT_ANY_POLICY_OID => { let intval = ext .getattr(pyo3::intern!(py, "skip_certs"))? - .downcast::()?; + .as_borrowed() + .downcast::()? + .clone(); let bytes = py_uint_to_big_endian_bytes(ext.py(), intval.as_borrowed().to_owned())?; Ok(Some(asn1::write_single( &asn1::BigUint::new(bytes).unwrap(), @@ -491,7 +494,9 @@ pub(crate) fn encode_extension( &oid::CRL_NUMBER_OID | &oid::DELTA_CRL_INDICATOR_OID => { let intval = ext .getattr(pyo3::intern!(py, "crl_number"))? - .downcast::()?; + .as_borrowed() + .downcast::()? + .clone(); let bytes = py_uint_to_big_endian_bytes(ext.py(), intval.as_borrowed().to_owned())?; Ok(Some(asn1::write_single( &asn1::BigUint::new(bytes).unwrap(), From a693a9767908ca1366cd8600b439202b6b9cf4b7 Mon Sep 17 00:00:00 2001 
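Review bot: In `encode_scts`, `length as u16` and `sct.get().sct_data.len() as u16` truncate silently, so an SCT list whose serialized size exceeds 65535 bytes would be written with a wrong length prefix instead of being rejected. The casts predate this change, but the rewritten lines keep them. A checked conversion fails closed, e.g. `let len = u16::try_from(sct.get().sct_data.len()).map_err(|_| pyo3::exceptions::PyValueError::new_err("SCT is too large to encode"))?;`, with the same treatment for the outer `length`. Both loops also repeat the same `as_borrowed().downcast()` step with a `.clone()`; downcasting once into a `Vec` and iterating that twice would remove the duplication.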
From: Alex Gaynor Date: Thu, 4 Apr 2024 01:22:30 -0400 Subject: [PATCH 0351/1462] Convert `src/pkcs12.rs` to new pyo3 APIs (#10687) --- src/rust/src/lib.rs | 2 +- src/rust/src/pkcs12.rs | 59 +++++++++++++++++++++--------------------- 2 files changed, 31 insertions(+), 30 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 9c445fa1776f..8ea8709c6e11 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -98,7 +98,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_submodule(asn1::create_submodule(py)?)?; m.add_submodule(pkcs7::create_submodule(py)?)?; - m.add_submodule(pkcs12::create_submodule(py)?)?; + m.add_submodule(pkcs12::create_submodule(py)?.into_gil_ref())?; m.add_submodule(exceptions::create_submodule(py)?)?; let x509_mod = pyo3::prelude::PyModule::new(py, "x509")?; diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 1df4d51ae2e8..084cee6660bc 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -7,6 +7,7 @@ use crate::buf::CffiBuf; use crate::error::CryptographyResult; use crate::x509::certificate::Certificate; use crate::{types, x509}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::IntoPy; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; 
@@ -38,22 +39,18 @@ impl PKCS12Certificate { other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { let friendly_name_eq = match (&self.friendly_name, &other.friendly_name) { - (Some(a), Some(b)) => a.as_ref(py).eq(b.as_ref(py))?, + (Some(a), Some(b)) => a.bind(py).eq(b.bind(py))?, (None, None) => true, _ => false, }; - Ok(friendly_name_eq - && self - .certificate - .as_ref(py) - .eq(other.certificate.as_ref(py))?) + Ok(friendly_name_eq && self.certificate.bind(py).eq(other.certificate.bind(py))?) } fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { let mut hasher = DefaultHasher::new(); - self.certificate.as_ref(py).hash()?.hash(&mut hasher); + self.certificate.bind(py).hash()?.hash(&mut hasher); match &self.friendly_name { - Some(v) => v.as_ref(py).hash()?.hash(&mut hasher), + Some(v) => v.bind(py).hash()?.hash(&mut hasher), None => None::.hash(&mut hasher), }; Ok(hasher.finish()) @@ -61,12 +58,12 @@ impl PKCS12Certificate { fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { let friendly_name_repr = match &self.friendly_name { - Some(v) => v.as_ref(py).repr()?.extract()?, + Some(v) => v.bind(py).repr()?.extract()?, None => "None", }; Ok(format!( "", - self.certificate.as_ref(py).str()?, + self.certificate.bind(py).str()?, friendly_name_repr )) } @@ -208,11 +205,11 @@ fn load_key_and_certificates<'p>( py: pyo3::Python<'p>, data: CffiBuf<'_>, password: Option>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult<( pyo3::PyObject, Option, - &'p pyo3::types::PyList, + pyo3::Bound<'p, pyo3::types::PyList>, )> { let _ = backend; 
@@ -224,14 +221,14 @@ fn load_key_and_certificates<'p>( py.None() }; let cert = if let Some(ossl_cert) = p12.cert { - let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); + let cert_der = pyo3::types::PyBytes::new_bound(py, &ossl_cert.to_der()?).unbind(); Some(x509::certificate::load_der_x509_certificate( py, cert_der, None, )?) } else { None }; - let additional_certs = pyo3::types::PyList::empty(py); + let additional_certs = pyo3::types::PyList::empty_bound(py); if let Some(ossl_certs) = p12.ca { cfg_if::cfg_if! { if #[cfg(any( @@ -244,7 +241,7 @@ fn load_key_and_certificates<'p>( }; for ossl_cert in it { - let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); + let cert_der = pyo3::types::PyBytes::new_bound(py, &ossl_cert.to_der()?).unbind(); let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; additional_certs.append(cert.into_py(py))?; } @@ -258,8 +255,8 @@ fn load_pkcs12<'p>( py: pyo3::Python<'p>, data: CffiBuf<'_>, password: Option>, - backend: Option<&pyo3::PyAny>, -) -> CryptographyResult<&'p pyo3::PyAny> { + backend: Option>, +) -> CryptographyResult> { let _ = backend; let p12 = decode_p12(data, password)?; @@ -270,17 +267,17 @@ fn load_pkcs12<'p>( py.None() }; let cert = if let Some(ossl_cert) = p12.cert { - let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); + let cert_der = pyo3::types::PyBytes::new_bound(py, &ossl_cert.to_der()?).unbind(); let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; let alias = ossl_cert .alias() - .map(|a| pyo3::types::PyBytes::new(py, a).into_py(py)); + .map(|a| pyo3::types::PyBytes::new_bound(py, a).unbind()); PKCS12Certificate::new(pyo3::Py::new(py, cert)?, alias).into_py(py) } else { py.None() }; - let additional_certs = pyo3::types::PyList::empty(py); + let additional_certs = pyo3::types::PyList::empty_bound(py); if let Some(ossl_certs) = p12.ca { cfg_if::cfg_if! { if #[cfg(any( 
@@ -293,27 +290,31 @@ fn load_pkcs12<'p>( }; for ossl_cert in it { - let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); + let cert_der = pyo3::types::PyBytes::new_bound(py, &ossl_cert.to_der()?).unbind(); let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; let alias = ossl_cert .alias() - .map(|a| pyo3::types::PyBytes::new(py, a).into_py(py)); + .map(|a| pyo3::types::PyBytes::new_bound(py, a).unbind()); let p12_cert = PKCS12Certificate::new(pyo3::Py::new(py, cert)?, alias).into_py(py); additional_certs.append(p12_cert)?; } } - Ok(types::PKCS12KEYANDCERTIFICATES - .get(py)? - .call1((private_key, cert, additional_certs))?) + Ok(types::PKCS12KEYANDCERTIFICATES.get_bound(py)?.call1(( + private_key, + cert, + additional_certs, + ))?) } -pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let submod = pyo3::prelude::PyModule::new(py, "pkcs12")?; +pub(crate) fn create_submodule( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let submod = pyo3::prelude::PyModule::new_bound(py, "pkcs12")?; - submod.add_function(pyo3::wrap_pyfunction!(load_key_and_certificates, submod)?)?; - submod.add_function(pyo3::wrap_pyfunction!(load_pkcs12, submod)?)?; + submod.add_function(pyo3::wrap_pyfunction!(load_key_and_certificates, &submod)?)?; + submod.add_function(pyo3::wrap_pyfunction!(load_pkcs12, &submod)?)?; submod.add_class::()?; From e4929125067e19029ac17513c00e36e026efc78b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 01:23:22 -0400 Subject: [PATCH 0352/1462] Convert `src/oid.rs` to new pyo3 APIs (#10688) --- src/rust/src/oid.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index 7996895ca1f0..18f3be654f1e 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs 
@@ -23,8 +23,8 @@ impl ObjectIdentifier { } #[getter] - fn dotted_string<'p>(&self, py: pyo3::Python<'p>) -> &'p pyo3::types::PyString { - pyo3::types::PyString::new(py, &self.oid.to_string()) + fn dotted_string(&self) -> String { + self.oid.to_string() } #[getter] @@ -41,7 +41,7 @@ impl ObjectIdentifier { slf } - fn __repr__(slf: &pyo3::PyCell, py: pyo3::Python<'_>) -> pyo3::PyResult { + fn __repr__(slf: &pyo3::Bound<'_, Self>, py: pyo3::Python<'_>) -> pyo3::PyResult { let name = Self::_name(slf.borrow(), py)?.extract::<&str>()?; Ok(format!( "", From f44cf82977800f05ba6d57024c936a1c6763878c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 01:25:38 -0400 Subject: [PATCH 0353/1462] Convert py_oid_to_oid to new pyo3 APIs (#10694) --- src/rust/src/asn1.rs | 8 +++++--- src/rust/src/x509/common.rs | 33 +++++++++++++++++++++++++-------- src/rust/src/x509/csr.rs | 7 ++++--- src/rust/src/x509/extensions.rs | 6 +++--- 4 files changed, 37 insertions(+), 17 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 9677064b536c..2257b3bf9663 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -13,10 +13,12 @@ use pyo3::ToPyObject; use crate::error::{CryptographyError, CryptographyResult}; use crate::types; -pub(crate) fn py_oid_to_oid(py_oid: &pyo3::PyAny) -> pyo3::PyResult { +pub(crate) fn py_oid_to_oid( + py_oid: pyo3::Bound<'_, pyo3::PyAny>, +) -> pyo3::PyResult { Ok(py_oid - .downcast::>()? - .borrow() + .downcast::()? + .get() .oid .clone()) } diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index d838c2f8dfe1..7a7bd50ce1f9 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs 
@@ -7,8 +7,9 @@ use cryptography_x509::extensions::{ AccessDescription, DuplicateExtensionsError, Extension, Extensions, RawExtensions, }; use cryptography_x509::name::{GeneralName, Name, NameReadable, OtherName, UnvalidatedIA5String}; +use pyo3::prelude::PyAnyMethods; use pyo3::types::IntoPyDict; -use pyo3::{IntoPy, ToPyObject}; +use pyo3::{IntoPy, PyNativeType, ToPyObject}; use crate::asn1::{oid_to_py_oid, py_oid_to_oid}; use crate::error::{CryptographyError, CryptographyResult}; @@ -75,7 +76,11 @@ pub(crate) fn encode_name_entry<'p>( .getattr(pyo3::intern!(py, "value"))? .extract()? }; - let oid = py_oid_to_oid(py_name_entry.getattr(pyo3::intern!(py, "oid"))?)?; + let py_oid = py_name_entry + .getattr(pyo3::intern!(py, "oid"))? + .as_borrowed() + .to_owned(); + let oid = py_oid_to_oid(py_oid)?; Ok(AttributeTypeValue { type_id: oid, @@ -124,8 +129,12 @@ pub(crate) fn encode_general_name<'a>( let name = encode_name(py, gn_value)?; Ok(GeneralName::DirectoryName(name)) } else if gn_type.is(types::OTHER_NAME.get(py)?) { + let py_oid = gn + .getattr(pyo3::intern!(py, "type_id"))? + .as_borrowed() + .to_owned(); Ok(GeneralName::OtherName(OtherName { - type_id: py_oid_to_oid(gn.getattr(pyo3::intern!(py, "type_id"))?)?, + type_id: py_oid_to_oid(py_oid)?, value: asn1::parse_single(gn_value.extract::<&[u8]>()?).map_err(|e| { pyo3::exceptions::PyValueError::new_err(format!( "OtherName value must be valid DER: {e:?}" @@ -142,7 +151,7 @@ pub(crate) fn encode_general_name<'a>( .extract::<&[u8]>()?, )) } else if gn_type.is(types::REGISTERED_ID.get(py)?) { - let oid = py_oid_to_oid(gn_value)?; + let oid = py_oid_to_oid(gn_value.as_borrowed().to_owned())?; Ok(GeneralName::RegisteredID(oid)) } else { Err(CryptographyError::from( 
@@ -158,7 +167,11 @@ pub(crate) fn encode_access_descriptions<'a>( let mut ads = vec![]; for py_ad in py_ads.iter()? { let py_ad = py_ad?; - let access_method = py_oid_to_oid(py_ad.getattr(pyo3::intern!(py, "access_method"))?)?; + let py_oid = py_ad + .getattr(pyo3::intern!(py, "access_method"))? + .as_borrowed() + .to_owned(); + let access_method = py_oid_to_oid(py_oid)?; let access_location = encode_general_name(py, py_ad.getattr(pyo3::intern!(py, "access_location"))?)?; ads.push(AccessDescription { @@ -412,7 +425,11 @@ pub(crate) fn encode_extensions< let mut exts = vec![]; for py_ext in py_exts.iter()? { let py_ext = py_ext?; - let oid = py_oid_to_oid(py_ext.getattr(pyo3::intern!(py, "oid"))?)?; + let py_oid = py_ext + .getattr(pyo3::intern!(py, "oid"))? + .as_borrowed() + .to_owned(); + let oid = py_oid_to_oid(py_oid)?; let ext_val = py_ext.getattr(pyo3::intern!(py, "value"))?; if ext_val.is_instance(types::UNRECOGNIZED_EXTENSION.get(py)?)? { @@ -453,11 +470,11 @@ pub(crate) fn encode_extensions< #[pyo3::prelude::pyfunction] fn encode_extension_value<'p>( py: pyo3::Python<'p>, - py_ext: &'p pyo3::PyAny, + py_ext: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult<&'p pyo3::types::PyBytes> { let oid = py_oid_to_oid(py_ext.getattr(pyo3::intern!(py, "oid"))?)?; - if let Some(data) = x509::extensions::encode_extension(py, &oid, py_ext)? { + if let Some(data) = x509::extensions::encode_extension(py, &oid, py_ext.into_gil_ref())? { // TODO: extra copy let py_data = pyo3::types::PyBytes::new(py, &data); return Ok(py_data); diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 704dd2c93655..ce527d054d29 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs 
@@ -124,13 +124,13 @@ impl CertificateSigningRequest { fn get_attribute_for_oid<'p>( &self, py: pyo3::Python<'p>, - oid: &pyo3::PyAny, + oid: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult<&'p pyo3::PyAny> { let warning_cls = types::DEPRECATED_IN_36.get(py)?; let warning_msg = "CertificateSigningRequest.get_attribute_for_oid has been deprecated. Please switch to request.attributes.get_attribute_for_oid."; pyo3::PyErr::warn(py, warning_cls, warning_msg, 1)?; - let rust_oid = py_oid_to_oid(oid)?; + let rust_oid = py_oid_to_oid(oid.clone())?; for attribute in self .raw .borrow_dependent() @@ -314,7 +314,8 @@ fn create_x509_csr( } for py_attr in builder.getattr(pyo3::intern!(py, "_attributes"))?.iter()? { - let (py_oid, value, tag): (&pyo3::PyAny, &[u8], Option) = py_attr?.extract()?; + let (py_oid, value, tag): (pyo3::Bound<'_, pyo3::PyAny>, &[u8], Option) = + py_attr?.extract()?; let oid = py_oid_to_oid(py_oid)?; let tag = if let Some(tag) = tag { asn1::Tag::from_bytes(&[tag])?.0 diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index eede1e5c0ab9..c44d1c888c47 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -290,7 +290,7 @@ fn encode_certificate_policies( }; let py_policy_id = py_policy_info.getattr(pyo3::intern!(py, "policy_identifier"))?; policy_informations.push(extensions::PolicyInformation { - policy_identifier: py_oid_to_oid(py_policy_id)?, + policy_identifier: py_oid_to_oid(py_policy_id.as_borrowed().to_owned())?, policy_qualifiers: qualifiers, }); } @@ -354,7 +354,7 @@ fn encode_issuing_distribution_point( fn encode_oid_sequence(ext: &pyo3::PyAny) -> CryptographyResult> { let mut oids = vec![]; for el in ext.iter()? { - let oid = py_oid_to_oid(el?)?; + let oid = py_oid_to_oid(el?.as_borrowed().to_owned())?; oids.push(oid); } Ok(asn1::write_single(&asn1::SequenceOfWriter::new(oids))?) 
@@ -515,7 +515,7 @@ pub(crate) fn encode_extension( &oid::MS_CERTIFICATE_TEMPLATE => { let py_template_id = ext.getattr(pyo3::intern!(py, "template_id"))?; let mstpl = extensions::MSCertificateTemplate { - template_id: py_oid_to_oid(py_template_id)?, + template_id: py_oid_to_oid(py_template_id.as_borrowed().to_owned())?, major_version: ext.getattr(pyo3::intern!(py, "major_version"))?.extract()?, minor_version: ext.getattr(pyo3::intern!(py, "minor_version"))?.extract()?, }; From 71f1e092eb44b987cd8b02e0a308fbdd3622f4a1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 01:27:06 -0400 Subject: [PATCH 0354/1462] Convert `src/backend/aead.rs` to new pyo3 APIs (#10696) --- src/rust/src/backend/aead.rs | 65 +++++++++++++++++++----------------- src/rust/src/backend/mod.rs | 2 +- 2 files changed, 35 insertions(+), 32 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 2438ae644cb6..55ac8b842dca 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -5,6 +5,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; fn check_length(data: &[u8]) -> CryptographyResult<()> { if data.len() > (i32::MAX as usize) { @@ -21,7 +22,7 @@ fn check_length(data: &[u8]) -> CryptographyResult<()> { enum Aad<'a> { Single(CffiBuf<'a>), - List(&'a pyo3::types::PyList), + List(pyo3::Bound<'a, pyo3::types::PyList>), } struct EvpCipherAead { @@ -131,7 +132,7 @@ impl EvpCipherAead { plaintext: &[u8], aad: Option>, nonce: Option<&[u8]>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.copy(&self.base_encryption_ctx)?; Self::encrypt_with_context( 
@@ -156,7 +157,7 @@ impl EvpCipherAead { tag_len: usize, tag_first: bool, is_ccm: bool, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { check_length(plaintext)?; if !is_ccm { @@ -171,7 +172,7 @@ impl EvpCipherAead { Self::process_aad(&mut ctx, aad)?; - Ok(pyo3::types::PyBytes::new_with( + Ok(pyo3::types::PyBytes::new_bound_with( py, plaintext.len() + tag_len, |b| { @@ -198,7 +199,7 @@ impl EvpCipherAead { ciphertext: &[u8], aad: Option>, nonce: Option<&[u8]>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.copy(&self.base_decryption_ctx)?; Self::decrypt_with_context( @@ -223,7 +224,7 @@ impl EvpCipherAead { tag_len: usize, tag_first: bool, is_ccm: bool, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { if ciphertext.len() < tag_len { return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); } @@ -253,7 +254,7 @@ impl EvpCipherAead { Self::process_aad(&mut ctx, aad)?; - Ok(pyo3::types::PyBytes::new_with( + Ok(pyo3::types::PyBytes::new_bound_with( py, ciphertext_data.len(), |b| { @@ -299,8 +300,8 @@ impl LazyEvpCipherAead { plaintext: &[u8], aad: Option>, nonce: Option<&[u8]>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let key_buf = self.key.as_ref(py).extract::>()?; + ) -> CryptographyResult> { + let key_buf = self.key.bind(py).extract::>()?; let mut encryption_ctx = openssl::cipher_ctx::CipherCtx::new()?; if self.is_ccm { @@ -330,8 +331,8 @@ impl LazyEvpCipherAead { ciphertext: &[u8], aad: Option>, nonce: Option<&[u8]>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let key_buf = self.key.as_ref(py).extract::>()?; + ) -> CryptographyResult> { + let key_buf = self.key.bind(py).extract::>()?; let mut decryption_ctx = openssl::cipher_ctx::CipherCtx::new()?; if self.is_ccm { 
@@ -388,7 +389,7 @@ impl EvpAead { plaintext: &[u8], aad: Option>, nonce: Option<&[u8]>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { check_length(plaintext)?; let ad = if let Some(Aad::Single(ad)) = &aad { @@ -398,7 +399,7 @@ impl EvpAead { assert!(aad.is_none()); b"" }; - Ok(pyo3::types::PyBytes::new_with( + Ok(pyo3::types::PyBytes::new_bound_with( py, plaintext.len() + self.tag_len, |b| { @@ -416,7 +417,7 @@ impl EvpAead { ciphertext: &[u8], aad: Option>, nonce: Option<&[u8]>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { if ciphertext.len() < self.tag_len { return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); } @@ -429,7 +430,7 @@ impl EvpAead { b"" }; - Ok(pyo3::types::PyBytes::new_with( + Ok(pyo3::types::PyBytes::new_bound_with( py, ciphertext.len() - self.tag_len, |b| { @@ -541,7 +542,7 @@ impl ChaCha20Poly1305 { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let aad = associated_data.map(Aad::Single); @@ -561,7 +562,7 @@ impl ChaCha20Poly1305 { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let aad = associated_data.map(Aad::Single); @@ -653,7 +654,7 @@ impl AesGcm { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let aad = associated_data.map(Aad::Single); @@ -673,7 +674,7 @@ impl AesGcm { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let aad = associated_data.map(Aad::Single); 
@@ -761,7 +762,7 @@ impl AesCcm { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let data_bytes = data.as_bytes(); let aad = associated_data.map(Aad::Single); @@ -794,7 +795,7 @@ impl AesCcm { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let data_bytes = data.as_bytes(); let aad = associated_data.map(Aad::Single); @@ -890,8 +891,8 @@ impl AesSiv { &self, py: pyo3::Python<'p>, data: CffiBuf<'_>, - associated_data: Option<&pyo3::types::PyList>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + associated_data: Option>, + ) -> CryptographyResult> { let data_bytes = data.as_bytes(); let aad = associated_data.map(Aad::List); @@ -908,8 +909,8 @@ impl AesSiv { &self, py: pyo3::Python<'p>, data: CffiBuf<'_>, - associated_data: Option<&pyo3::types::PyList>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + associated_data: Option>, + ) -> CryptographyResult> { let aad = associated_data.map(Aad::List); self.ctx.decrypt(py, data.as_bytes(), aad, None) } @@ -986,7 +987,7 @@ impl AesOcb3 { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let aad = associated_data.map(Aad::Single); @@ -1007,7 +1008,7 @@ impl AesOcb3 { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let aad = associated_data.map(Aad::Single); 
@@ -1092,7 +1093,7 @@ impl AesGcmSiv { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let data_bytes = data.as_bytes(); let aad = associated_data.map(Aad::Single); @@ -1117,7 +1118,7 @@ impl AesGcmSiv { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let aad = associated_data.map(Aad::Single); if nonce_bytes.len() != 12 { @@ -1130,8 +1131,10 @@ impl AesGcmSiv { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "aead")?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "aead")?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index be7b2d0ac280..ceedacb8614b 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -24,7 +24,7 @@ pub(crate) mod x25519; pub(crate) mod x448; pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { - module.add_submodule(aead::create_module(module.py())?)?; + module.add_submodule(aead::create_module(module.py())?.into_gil_ref())?; module.add_submodule(ciphers::create_module(module.py())?)?; module.add_submodule(cmac::create_module(module.py())?)?; module.add_submodule(dh::create_module(module.py())?)?; From bb45dc6a0d29db4f679bbc1f577dc3ef5e9a1b3f Mon Sep 17 00:00:00 2001 
From: Facundo Tuesca Date: Thu, 4 Apr 2024 11:22:05 +0200 Subject: [PATCH 0355/1462] Start converting `src/backend/rsa.rs` to the new pyo3 APIs (#10693) --- src/rust/src/backend/dh.rs | 16 ++-- src/rust/src/backend/dsa.rs | 28 +++---- src/rust/src/backend/ec.rs | 12 +-- src/rust/src/backend/ed25519.rs | 4 +- src/rust/src/backend/ed448.rs | 4 +- src/rust/src/backend/mod.rs | 2 +- src/rust/src/backend/rsa.rs | 133 ++++++++++++++++---------------- src/rust/src/backend/utils.rs | 6 +- src/rust/src/backend/x25519.rs | 4 +- src/rust/src/backend/x448.rs | 4 +- 10 files changed, 106 insertions(+), 107 deletions(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 1145b32327c3..2eb9189bb1ce 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -125,13 +125,13 @@ fn dh_parameters_from_numbers( py: pyo3::Python<'_>, numbers: &DHParameterNumbers, ) -> CryptographyResult> { - let p = utils::py_int_to_bn(py, numbers.p.as_ref(py))?; + let p = utils::py_int_to_bn(py, numbers.p.bind(py))?; let q = numbers .q .as_ref() - .map(|v| utils::py_int_to_bn(py, v.as_ref(py))) + .map(|v| utils::py_int_to_bn(py, v.bind(py))) .transpose()?; - let g = utils::py_int_to_bn(py, numbers.g.as_ref(py))?; + let g = utils::py_int_to_bn(py, numbers.g.bind(py))?; Ok(openssl::dh::Dh::from_pqg(p, q, g)?) } @@ -222,7 +222,7 @@ impl DHPrivateKey { } fn private_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -257,7 +257,7 @@ impl DHPublicKey { } fn public_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, 
@@ -418,8 +418,8 @@ impl DHPrivateNumbers { let dh = dh_parameters_from_numbers(py, self.public_numbers.get().parameter_numbers.get())?; - let pub_key = utils::py_int_to_bn(py, self.public_numbers.get().y.as_ref(py))?; - let priv_key = utils::py_int_to_bn(py, self.x.as_ref(py))?; + let pub_key = utils::py_int_to_bn(py, self.public_numbers.get().y.bind(py))?; + let priv_key = utils::py_int_to_bn(py, self.x.bind(py))?; let dh = dh.set_key(pub_key, priv_key)?; if !dh.check_key()? { @@ -470,7 +470,7 @@ impl DHPublicNumbers { let dh = dh_parameters_from_numbers(py, self.parameter_numbers.get())?; - let pub_key = utils::py_int_to_bn(py, self.y.as_ref(py))?; + let pub_key = utils::py_int_to_bn(py, self.y.bind(py))?; let pkey = pkey_from_dh(dh.set_public_key(pub_key)?)?; diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 2d567db5e086..5023a2eace40 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -129,7 +129,7 @@ impl DsaPrivateKey { } fn private_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -202,7 +202,7 @@ impl DsaPublicKey { } fn public_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, 
@@ -371,11 +371,11 @@ impl DsaPrivateNumbers { check_dsa_private_numbers(py, self)?; let dsa = openssl::dsa::Dsa::from_private_components( - utils::py_int_to_bn(py, parameter_numbers.p.as_ref(py))?, - utils::py_int_to_bn(py, parameter_numbers.q.as_ref(py))?, - utils::py_int_to_bn(py, parameter_numbers.g.as_ref(py))?, - utils::py_int_to_bn(py, self.x.as_ref(py))?, - utils::py_int_to_bn(py, public_numbers.y.as_ref(py))?, + utils::py_int_to_bn(py, parameter_numbers.p.bind(py))?, + utils::py_int_to_bn(py, parameter_numbers.q.bind(py))?, + utils::py_int_to_bn(py, parameter_numbers.g.bind(py))?, + utils::py_int_to_bn(py, self.x.bind(py))?, + utils::py_int_to_bn(py, public_numbers.y.bind(py))?, ) .unwrap(); let pkey = openssl::pkey::PKey::from_dsa(dsa)?; @@ -420,10 +420,10 @@ impl DsaPublicNumbers { check_dsa_parameters(py, parameter_numbers)?; let dsa = openssl::dsa::Dsa::from_public_components( - utils::py_int_to_bn(py, parameter_numbers.p.as_ref(py))?, - utils::py_int_to_bn(py, parameter_numbers.q.as_ref(py))?, - utils::py_int_to_bn(py, parameter_numbers.g.as_ref(py))?, - utils::py_int_to_bn(py, self.y.as_ref(py))?, + utils::py_int_to_bn(py, parameter_numbers.p.bind(py))?, + utils::py_int_to_bn(py, parameter_numbers.q.bind(py))?, + utils::py_int_to_bn(py, parameter_numbers.g.bind(py))?, + utils::py_int_to_bn(py, self.y.bind(py))?, ) .unwrap(); let pkey = openssl::pkey::PKey::from_dsa(dsa)?; @@ -472,9 +472,9 @@ impl DsaParameterNumbers { check_dsa_parameters(py, self)?; let dsa = openssl::dsa::Dsa::from_pqg( - utils::py_int_to_bn(py, self.p.as_ref(py))?, - utils::py_int_to_bn(py, self.q.as_ref(py))?, - utils::py_int_to_bn(py, self.g.as_ref(py))?, + utils::py_int_to_bn(py, self.p.bind(py))?, + utils::py_int_to_bn(py, self.q.bind(py))?, + utils::py_int_to_bn(py, self.g.bind(py))?, ) .unwrap(); Ok(DsaParameters { dsa }) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 0291c96b7f70..68c53a7e9f40 100644 --- a/src/rust/src/backend/ec.rs 
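Review bot: `Dsa::from_private_components(...)` in the `DsaPrivateNumbers` hunk still ends in `.unwrap()`, although its inputs are integers taken from a Python-supplied numbers object and the very next line already propagates an OpenSSL error with `PKey::from_dsa(dsa)?`. A failure here becomes a Rust panic, which pyo3 surfaces as `PanicException` (a `BaseException` subclass) rather than the library's normal error. Replacing `.unwrap();` with `?;` keeps it on the normal error path, unless `check_dsa_private_numbers` is meant to guarantee the call cannot fail, in which case an `expect("...")` stating that invariant would be clearer. The same applies to `from_public_components` and `from_pqg` in the two following DSA hunks, and to `Rsa::from_private_components` / `Rsa::from_public_components` in the `RsaPrivateNumbers` and `RsaPublicNumbers` hunks of rsa.rs. Each of these method bodies starts outside its hunk.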
+++ b/src/rust/src/backend/ec.rs @@ -175,7 +175,7 @@ fn generate_private_key( #[pyo3::prelude::pyfunction] fn derive_private_key( py: pyo3::Python<'_>, - py_private_value: &pyo3::types::PyLong, + py_private_value: &pyo3::Bound<'_, pyo3::types::PyLong>, py_curve: &pyo3::PyAny, ) -> CryptographyResult { let curve = curve_from_py_curve(py, py_curve, false)?; @@ -353,7 +353,7 @@ impl ECPrivateKey { } fn private_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -435,7 +435,7 @@ impl ECPublicKey { } fn public_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -484,8 +484,8 @@ fn public_key_from_numbers( )); } - let x = utils::py_int_to_bn(py, numbers.x.as_ref(py))?; - let y = utils::py_int_to_bn(py, numbers.y.as_ref(py))?; + let x = utils::py_int_to_bn(py, numbers.x.bind(py))?; + let y = utils::py_int_to_bn(py, numbers.y.bind(py))?; let mut point = openssl::ec::EcPoint::new(curve)?; let mut bn_ctx = openssl::bn::BigNumContext::new()?; @@ -522,7 +522,7 @@ impl EllipticCurvePrivateNumbers { let curve = curve_from_py_curve(py, self.public_numbers.get().curve.as_ref(py), false)?; let public_key = public_key_from_numbers(py, self.public_numbers.get(), &curve)?; - let private_value = utils::py_int_to_bn(py, self.private_value.as_ref(py))?; + let private_value = utils::py_int_to_bn(py, self.private_value.bind(py))?; let mut bn_ctx = openssl::bn::BigNumContext::new()?; let mut expected_pub = openssl::ec::EcPoint::new(&curve)?; diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index 4fc199969aec..4ddb8d14abe7 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -97,7 +97,7 @@ impl Ed25519PrivateKey { } fn private_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, 
@@ -141,7 +141,7 @@ impl Ed25519PublicKey { } fn public_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index 79d650a1cb46..0e6698af0f1e 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -95,7 +95,7 @@ impl Ed448PrivateKey { } fn private_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -138,7 +138,7 @@ impl Ed448PublicKey { } fn public_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index ceedacb8614b..2b1592906a1f 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -45,7 +45,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(hashes::create_module(module.py())?)?; module.add_submodule(hmac::create_module(module.py())?)?; module.add_submodule(kdf::create_module(module.py())?)?; - module.add_submodule(rsa::create_module(module.py())?)?; + module.add_submodule(rsa::create_module(module.py())?.into_gil_ref())?; Ok(()) } diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 1d47b8c6c326..07fea2b49187 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -9,7 +9,7 @@ use crate::backend::{hashes, utils}; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use pyo3::prelude::PyAnyMethods; +use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; #[pyo3::prelude::pyclass( frozen, 
@@ -286,7 +286,7 @@ impl RsaPrivateKey { data: CffiBuf<'_>, padding: &pyo3::PyAny, algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::PyAny> { + ) -> CryptographyResult> { let (data, algorithm) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; @@ -297,7 +297,7 @@ impl RsaPrivateKey { setup_signature_ctx(py, &mut ctx, padding, algorithm, self.pkey.size(), true)?; let length = ctx.sign(data, None)?; - Ok(pyo3::types::PyBytes::new_with(py, length, |b| { + Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { let length = ctx.sign(data, Some(b)).map_err(|_| { pyo3::exceptions::PyValueError::new_err( "Digest or salt length too long for key size. Use a larger key or shorter salt length if you are specifying a PSS salt", @@ -305,7 +305,7 @@ impl RsaPrivateKey { })?; assert_eq!(length, b.len()); Ok(()) - })?) + })?.into_any()) } fn decrypt<'p>( @@ -313,7 +313,7 @@ impl RsaPrivateKey { py: pyo3::Python<'p>, ciphertext: &[u8], padding: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let key_size_bytes = usize::try_from((self.pkey.rsa().unwrap().n().num_bits() + 7) / 8).unwrap(); if key_size_bytes != ciphertext.len() { @@ -345,7 +345,7 @@ impl RsaPrivateKey { let result = ctx.decrypt(ciphertext, Some(&mut plaintext)); let py_result = - pyo3::types::PyBytes::new(py, &plaintext[..*result.as_ref().unwrap_or(&length)]); + pyo3::types::PyBytes::new_bound(py, &plaintext[..*result.as_ref().unwrap_or(&length)]); if result.is_err() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Decryption failed"), @@ -398,7 +398,7 @@ impl RsaPrivateKey { } fn private_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, 
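Review bot: In the `decrypt` hunk at `@@ -345,7 +345,7 @@`, the re-wrapped `py_result` line builds the bytes object before `result.is_err()` is tested, and `unwrap_or(&length)` keeps the slice length defined when decryption fails. That ordering looks deliberate, presumably so the success and failure paths do similar work and padding failures are harder to distinguish by timing, but the hunk shows no comment protecting it. If none sits just above the hunk, add `// Build the result before checking for failure so both paths do the same work; do not reorder.` so that an API migration like this one does not tidy it into an early return. The body of `decrypt` begins and ends outside the hunk.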
@@ -449,14 +449,14 @@ impl RsaPublicKey { py: pyo3::Python<'p>, plaintext: &[u8], padding: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.encrypt_init()?; setup_encryption_ctx(py, &mut ctx, padding)?; let length = ctx.encrypt(plaintext, None)?; - Ok(pyo3::types::PyBytes::new_with(py, length, |b| { + Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { let length = ctx .encrypt(plaintext, Some(b)) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Encryption failed"))?; @@ -471,7 +471,7 @@ impl RsaPublicKey { signature: &[u8], padding: &pyo3::PyAny, algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { if algorithm.is_instance(types::PREHASHED.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( @@ -490,7 +490,7 @@ impl RsaPublicKey { .verify_recover(signature, Some(&mut buf)) .map_err(|_| exceptions::InvalidSignature::new_err(()))?; - Ok(pyo3::types::PyBytes::new(py, &buf[..length])) + Ok(pyo3::types::PyBytes::new_bound(py, &buf[..length])) } #[getter] @@ -511,7 +511,7 @@ impl RsaPublicKey { } fn public_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, 
@@ -564,14 +564,14 @@ struct RsaPublicNumbers { #[allow(clippy::too_many_arguments)] fn check_private_key_components( - p: &pyo3::types::PyLong, - q: &pyo3::types::PyLong, - private_exponent: &pyo3::types::PyLong, - dmp1: &pyo3::types::PyLong, - dmq1: &pyo3::types::PyLong, - iqmp: &pyo3::types::PyLong, - public_exponent: &pyo3::types::PyLong, - modulus: &pyo3::types::PyLong, + p: &pyo3::Bound<'_, pyo3::types::PyLong>, + q: &pyo3::Bound<'_, pyo3::types::PyLong>, + private_exponent: &pyo3::Bound<'_, pyo3::types::PyLong>, + dmp1: &pyo3::Bound<'_, pyo3::types::PyLong>, + dmq1: &pyo3::Bound<'_, pyo3::types::PyLong>, + iqmp: &pyo3::Bound<'_, pyo3::types::PyLong>, + public_exponent: &pyo3::Bound<'_, pyo3::types::PyLong>, + modulus: &pyo3::Bound<'_, pyo3::types::PyLong>, ) -> CryptographyResult<()> { if modulus.lt(3)? { return Err(CryptographyError::from( 
@@ -682,25 +682,25 @@ impl RsaPrivateNumbers { let _ = backend; check_private_key_components( - self.p.as_ref(py), - self.q.as_ref(py), - self.d.as_ref(py), - self.dmp1.as_ref(py), - self.dmq1.as_ref(py), - self.iqmp.as_ref(py), - self.public_numbers.get().e.as_ref(py), - self.public_numbers.get().n.as_ref(py), + self.p.bind(py), + self.q.bind(py), + self.d.bind(py), + self.dmp1.bind(py), + self.dmq1.bind(py), + self.iqmp.bind(py), + self.public_numbers.get().e.bind(py), + self.public_numbers.get().n.bind(py), )?; let public_numbers = self.public_numbers.get(); let rsa = openssl::rsa::Rsa::from_private_components( - utils::py_int_to_bn(py, public_numbers.n.as_ref(py))?, - utils::py_int_to_bn(py, public_numbers.e.as_ref(py))?, - utils::py_int_to_bn(py, self.d.as_ref(py))?, - utils::py_int_to_bn(py, self.p.as_ref(py))?, - utils::py_int_to_bn(py, self.q.as_ref(py))?, - utils::py_int_to_bn(py, self.dmp1.as_ref(py))?, - utils::py_int_to_bn(py, self.dmq1.as_ref(py))?, - utils::py_int_to_bn(py, self.iqmp.as_ref(py))?, + utils::py_int_to_bn(py, public_numbers.n.bind(py))?, + utils::py_int_to_bn(py, public_numbers.e.bind(py))?, + utils::py_int_to_bn(py, self.d.bind(py))?, + utils::py_int_to_bn(py, self.p.bind(py))?, + utils::py_int_to_bn(py, self.q.bind(py))?, + utils::py_int_to_bn(py, self.dmp1.bind(py))?, + utils::py_int_to_bn(py, self.dmq1.bind(py))?, + utils::py_int_to_bn(py, self.iqmp.bind(py))?, ) .unwrap(); if !unsafe_skip_rsa_key_validation { 
@@ -715,34 +715,34 @@ impl RsaPrivateNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.p.as_ref(py).eq(other.p.as_ref(py))? - && self.q.as_ref(py).eq(other.q.as_ref(py))? - && self.d.as_ref(py).eq(other.d.as_ref(py))? - && self.dmp1.as_ref(py).eq(other.dmp1.as_ref(py))? - && self.dmq1.as_ref(py).eq(other.dmq1.as_ref(py))? - && self.iqmp.as_ref(py).eq(other.iqmp.as_ref(py))? + Ok(self.p.bind(py).eq(other.p.bind(py))? + && self.q.bind(py).eq(other.q.bind(py))? + && self.d.bind(py).eq(other.d.bind(py))? + && self.dmp1.bind(py).eq(other.dmp1.bind(py))? + && self.dmq1.bind(py).eq(other.dmq1.bind(py))? + && self.iqmp.bind(py).eq(other.iqmp.bind(py))? && self .public_numbers - .as_ref(py) - .eq(other.public_numbers.as_ref(py))?) + .bind(py) + .eq(other.public_numbers.bind(py))?) } fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { let mut hasher = DefaultHasher::new(); - self.p.as_ref(py).hash()?.hash(&mut hasher); - self.q.as_ref(py).hash()?.hash(&mut hasher); - self.d.as_ref(py).hash()?.hash(&mut hasher); - self.dmp1.as_ref(py).hash()?.hash(&mut hasher); - self.dmq1.as_ref(py).hash()?.hash(&mut hasher); - self.iqmp.as_ref(py).hash()?.hash(&mut hasher); - self.public_numbers.as_ref(py).hash()?.hash(&mut hasher); + self.p.bind(py).hash()?.hash(&mut hasher); + self.q.bind(py).hash()?.hash(&mut hasher); + self.d.bind(py).hash()?.hash(&mut hasher); + self.dmp1.bind(py).hash()?.hash(&mut hasher); + self.dmq1.bind(py).hash()?.hash(&mut hasher); + self.iqmp.bind(py).hash()?.hash(&mut hasher); + self.public_numbers.bind(py).hash()?.hash(&mut hasher); Ok(hasher.finish()) } } fn check_public_key_components( - e: &pyo3::types::PyLong, - n: &pyo3::types::PyLong, + e: &pyo3::Bound<'_, pyo3::types::PyLong>, + n: &pyo3::Bound<'_, pyo3::types::PyLong>, ) -> CryptographyResult<()> { if n.lt(3)? { return Err(CryptographyError::from( 
@@ -780,11 +780,11 @@ impl RsaPublicNumbers { ) -> CryptographyResult { let _ = backend; - check_public_key_components(self.e.as_ref(py), self.n.as_ref(py))?; + check_public_key_components(self.e.bind(py), self.n.bind(py))?; let rsa = openssl::rsa::Rsa::from_public_components( - utils::py_int_to_bn(py, self.n.as_ref(py))?, - utils::py_int_to_bn(py, self.e.as_ref(py))?, + utils::py_int_to_bn(py, self.n.bind(py))?, + utils::py_int_to_bn(py, self.e.bind(py))?, ) .unwrap(); let pkey = openssl::pkey::PKey::from_rsa(rsa)?; @@ -796,29 +796,28 @@ impl RsaPublicNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok( - self.e.as_ref(py).eq(other.e.as_ref(py))? - && self.n.as_ref(py).eq(other.n.as_ref(py))?, - ) + Ok(self.e.bind(py).eq(other.e.bind(py))? && self.n.bind(py).eq(other.n.bind(py))?) } fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { let mut hasher = DefaultHasher::new(); - self.e.as_ref(py).hash()?.hash(&mut hasher); - self.n.as_ref(py).hash()?.hash(&mut hasher); + self.e.bind(py).hash()?.hash(&mut hasher); + self.n.bind(py).hash()?.hash(&mut hasher); Ok(hasher.finish()) } fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { - let e = self.e.as_ref(py); - let n = self.n.as_ref(py); + let e = self.e.bind(py); + let n = self.n.bind(py); Ok(format!("")) } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "rsa")?; - m.add_function(pyo3::wrap_pyfunction!(generate_private_key, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "rsa")?; + m.add_function(pyo3::wrap_pyfunction!(generate_private_key, &m)?)?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index ecd83edfe467..f44db97101ed 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs 
@@ -10,7 +10,7 @@ use pyo3::ToPyObject; pub(crate) fn py_int_to_bn( py: pyo3::Python<'_>, - v: &pyo3::PyAny, + v: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { let n = v .call_method0(pyo3::intern!(py, "bit_length"))? @@ -44,7 +44,7 @@ pub(crate) fn bn_to_big_endian_bytes(b: &openssl::bn::BigNumRef) -> Cryptography #[allow(clippy::too_many_arguments)] pub(crate) fn pkey_private_bytes<'p>( py: pyo3::Python<'p>, - key_obj: &pyo3::PyAny, + key_obj: &pyo3::Bound<'p, pyo3::PyAny>, pkey: &openssl::pkey::PKey, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -238,7 +238,7 @@ pub(crate) fn pkey_private_bytes<'p>( pub(crate) fn pkey_public_bytes<'p>( py: pyo3::Python<'p>, - key_obj: &pyo3::PyAny, + key_obj: &pyo3::Bound<'p, pyo3::PyAny>, pkey: &openssl::pkey::PKey, encoding: &pyo3::PyAny, format: &pyo3::PyAny, diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 1789c9f20a03..89d8a53e500e 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -98,7 +98,7 @@ impl X25519PrivateKey { } fn private_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -128,7 +128,7 @@ impl X25519PublicKey { } fn public_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index ae61ac4eafe9..49dbfbd65e06 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -97,7 +97,7 @@ impl X448PrivateKey { } fn private_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -127,7 +127,7 @@ impl X448PublicKey { } fn public_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, 
From 4abd5febcadcc0e8c492cf4a37f9a96807c6506b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 4 Apr 2024 13:06:47 +0200 Subject: [PATCH 0356/1462] migrate backend args to bound (#10698) this doesn't touch a few files to try to avoid potential conflicts --- src/rust/src/backend/cmac.rs | 2 +- src/rust/src/backend/dsa.rs | 6 +++--- src/rust/src/backend/ec.rs | 6 +++--- src/rust/src/backend/hashes.rs | 2 +- src/rust/src/backend/hmac.rs | 2 +- src/rust/src/backend/keys.rs | 8 ++++---- src/rust/src/x509/certificate.rs | 4 ++-- src/rust/src/x509/crl.rs | 4 ++-- src/rust/src/x509/csr.rs | 4 ++-- 9 files changed, 19 insertions(+), 19 deletions(-) diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index f23ccca37271..7bf0fe1d4ff0 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs @@ -39,7 +39,7 @@ impl Cmac { fn new( py: pyo3::Python<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 5023a2eace40..a62de7c73239 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -361,7 +361,7 @@ impl DsaPrivateNumbers { fn private_key( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -411,7 +411,7 @@ impl DsaPublicNumbers { fn public_key( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -465,7 +465,7 @@ impl DsaParameterNumbers { fn parameters( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 68c53a7e9f40..f63444ef0fab 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs 
@@ -159,7 +159,7 @@ pub(crate) fn public_key_from_pkey( fn generate_private_key( py: pyo3::Python<'_>, curve: &pyo3::PyAny, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -516,7 +516,7 @@ impl EllipticCurvePrivateNumbers { fn private_key( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -597,7 +597,7 @@ impl EllipticCurvePublicNumbers { fn public_key( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index ac5de597c354..e26727092a6c 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs @@ -84,7 +84,7 @@ impl Hash { pub(crate) fn new( py: pyo3::Python<'_>, algorithm: &pyo3::PyAny, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs index f8572f9103c9..3c19f1d124cb 100644 --- a/src/rust/src/backend/hmac.rs +++ b/src/rust/src/backend/hmac.rs @@ -65,7 +65,7 @@ impl Hmac { py: pyo3::Python<'_>, key: CffiBuf<'_>, algorithm: &pyo3::PyAny, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index a41b6805695f..d31f76b1d7ac 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -15,7 +15,7 @@ fn load_der_private_key( py: pyo3::Python<'_>, data: CffiBuf<'_>, password: Option>, - backend: Option<&pyo3::PyAny>, + backend: Option>, unsafe_skip_rsa_key_validation: bool, ) -> CryptographyResult { let _ = backend; 
@@ -46,7 +46,7 @@ fn load_pem_private_key( py: pyo3::Python<'_>, data: CffiBuf<'_>, password: Option>, - backend: Option<&pyo3::PyAny>, + backend: Option>, unsafe_skip_rsa_key_validation: bool, ) -> CryptographyResult { let _ = backend; @@ -119,7 +119,7 @@ pub(crate) fn private_key_from_pkey( fn load_der_public_key( py: pyo3::Python<'_>, data: CffiBuf<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; load_der_public_key_bytes(py, data.as_bytes()) @@ -147,7 +147,7 @@ pub(crate) fn load_der_public_key_bytes( fn load_pem_public_key( py: pyo3::Python<'_>, data: CffiBuf<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; let p = pem::parse(data.as_bytes())?; diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 27f30f329b6f..d21892eb9703 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -346,7 +346,7 @@ fn cert_version(py: pyo3::Python<'_>, version: u8) -> Result<&pyo3::PyAny, Crypt fn load_pem_x509_certificate( py: pyo3::Python<'_>, data: &[u8], - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -392,7 +392,7 @@ fn load_pem_x509_certificates( pub(crate) fn load_der_x509_certificate( py: pyo3::Python<'_>, data: pyo3::Py, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 67c8b1d0093d..6d1cbd6beb33 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -27,7 +27,7 @@ use crate::{exceptions, types, x509}; fn load_der_x509_crl( py: pyo3::Python<'_>, data: pyo3::Py, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> Result { let _ = backend; @@ -56,7 +56,7 @@ fn load_der_x509_crl( fn load_pem_x509_crl( py: pyo3::Python<'_>, data: &[u8], - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> Result { let _ = backend; 
diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index ce527d054d29..d5342175a69e 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -235,7 +235,7 @@ impl CertificateSigningRequest { fn load_pem_x509_csr( py: pyo3::Python<'_>, data: &[u8], - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -257,7 +257,7 @@ fn load_pem_x509_csr( fn load_der_x509_csr( py: pyo3::Python<'_>, data: pyo3::Py, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; From 974d5e7743d1de6138b6cf5b9481f908bc6a2023 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 07:45:50 -0400 Subject: [PATCH 0357/1462] Convert `src/backend/cipher_registry.rs` to new pyo3 APIs (#10700) --- src/rust/src/backend/cipher_registry.rs | 217 ++++++++++++------------ 1 file changed, 111 insertions(+), 106 deletions(-) diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index 1ceccbe0a1cd..ee95e6539540 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -30,8 +30,8 @@ impl RegistryKey { algorithm: algorithm.clone_ref(py), mode: mode.clone_ref(py), key_size, - algorithm_hash: algorithm.as_ref(py).hash()?, - mode_hash: mode.as_ref(py).hash()?, + algorithm_hash: algorithm.bind(py).hash()?, + mode_hash: mode.bind(py).hash()?, }) } } @@ -87,13 +87,18 @@ impl<'p> RegistryBuilder<'p> { fn add( &mut self, - algorithm: &pyo3::PyAny, - mode: &pyo3::PyAny, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, + mode: &pyo3::Bound<'_, pyo3::PyAny>, key_size: Option, cipher: impl Into, ) -> CryptographyResult<()> { self.m.insert( - RegistryKey::new(self.py, algorithm.into(), mode.into(), key_size)?, + RegistryKey::new( + self.py, + algorithm.clone().unbind(), + mode.clone().unbind(), + key_size, + )?, cipher.into(), ); 
@@ -114,147 +119,147 @@ fn get_cipher_registry( REGISTRY.get_or_try_init(py, || { let mut m = RegistryBuilder::new(py); - let aes = types::AES.get(py)?; - let aes128 = types::AES128.get(py)?; - let aes256 = types::AES256.get(py)?; - let triple_des = types::TRIPLE_DES.get(py)?; + let aes = types::AES.get_bound(py)?; + let aes128 = types::AES128.get_bound(py)?; + let aes256 = types::AES256.get_bound(py)?; + let triple_des = types::TRIPLE_DES.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] - let camellia = types::CAMELLIA.get(py)?; + let camellia = types::CAMELLIA.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] - let blowfish = types::BLOWFISH.get(py)?; + let blowfish = types::BLOWFISH.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAST"))] - let cast5 = types::CAST5.get(py)?; + let cast5 = types::CAST5.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] - let idea = types::IDEA.get(py)?; + let idea = types::IDEA.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] - let sm4 = types::SM4.get(py)?; + let sm4 = types::SM4.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] - let seed = types::SEED.get(py)?; - let arc4 = types::ARC4.get(py)?; + let seed = types::SEED.get_bound(py)?; + let arc4 = types::ARC4.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - let chacha20 = types::CHACHA20.get(py)?; - let rc2 = types::RC2.get(py)?; + let chacha20 = types::CHACHA20.get_bound(py)?; + let rc2 = types::RC2.get_bound(py)?; - let cbc = types::CBC.get(py)?; + let cbc = types::CBC.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - let cfb = types::CFB.get(py)?; + let cfb = types::CFB.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - let cfb8 = types::CFB8.get(py)?; - let ofb = types::OFB.get(py)?; - let ecb = types::ECB.get(py)?; - let ctr = types::CTR.get(py)?; - let gcm = types::GCM.get(py)?; + let cfb8 = types::CFB8.get_bound(py)?; + let ofb = 
types::OFB.get_bound(py)?; + let ecb = types::ECB.get_bound(py)?; + let ctr = types::CTR.get_bound(py)?; + let gcm = types::GCM.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - let xts = types::XTS.get(py)?; + let xts = types::XTS.get_bound(py)?; let none = py.None(); - let none_type = none.as_ref(py).get_type(); + let none_type = none.bind(py).get_type(); - m.add(aes, cbc, Some(128), Cipher::aes_128_cbc())?; - m.add(aes, cbc, Some(192), Cipher::aes_192_cbc())?; - m.add(aes, cbc, Some(256), Cipher::aes_256_cbc())?; + m.add(&aes, &cbc, Some(128), Cipher::aes_128_cbc())?; + m.add(&aes, &cbc, Some(192), Cipher::aes_192_cbc())?; + m.add(&aes, &cbc, Some(256), Cipher::aes_256_cbc())?; - m.add(aes, ofb, Some(128), Cipher::aes_128_ofb())?; - m.add(aes, ofb, Some(192), Cipher::aes_192_ofb())?; - m.add(aes, ofb, Some(256), Cipher::aes_256_ofb())?; + m.add(&aes, &ofb, Some(128), Cipher::aes_128_ofb())?; + m.add(&aes, &ofb, Some(192), Cipher::aes_192_ofb())?; + m.add(&aes, &ofb, Some(256), Cipher::aes_256_ofb())?; - m.add(aes, gcm, Some(128), Cipher::aes_128_gcm())?; - m.add(aes, gcm, Some(192), Cipher::aes_192_gcm())?; - m.add(aes, gcm, Some(256), Cipher::aes_256_gcm())?; + m.add(&aes, &gcm, Some(128), Cipher::aes_128_gcm())?; + m.add(&aes, &gcm, Some(192), Cipher::aes_192_gcm())?; + m.add(&aes, &gcm, Some(256), Cipher::aes_256_gcm())?; - m.add(aes, ctr, Some(128), Cipher::aes_128_ctr())?; - m.add(aes, ctr, Some(192), Cipher::aes_192_ctr())?; - m.add(aes, ctr, Some(256), Cipher::aes_256_ctr())?; + m.add(&aes, &ctr, Some(128), Cipher::aes_128_ctr())?; + m.add(&aes, &ctr, Some(192), Cipher::aes_192_ctr())?; + m.add(&aes, &ctr, Some(256), Cipher::aes_256_ctr())?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] { - m.add(aes, cfb8, Some(128), Cipher::aes_128_cfb8())?; - m.add(aes, cfb8, Some(192), Cipher::aes_192_cfb8())?; - m.add(aes, cfb8, Some(256), Cipher::aes_256_cfb8())?; + m.add(&aes, &cfb8, Some(128), Cipher::aes_128_cfb8())?; + m.add(&aes, &cfb8, Some(192), 
Cipher::aes_192_cfb8())?; + m.add(&aes, &cfb8, Some(256), Cipher::aes_256_cfb8())?; - m.add(aes, cfb, Some(128), Cipher::aes_128_cfb128())?; - m.add(aes, cfb, Some(192), Cipher::aes_192_cfb128())?; - m.add(aes, cfb, Some(256), Cipher::aes_256_cfb128())?; + m.add(&aes, &cfb, Some(128), Cipher::aes_128_cfb128())?; + m.add(&aes, &cfb, Some(192), Cipher::aes_192_cfb128())?; + m.add(&aes, &cfb, Some(256), Cipher::aes_256_cfb128())?; } - m.add(aes, ecb, Some(128), Cipher::aes_128_ecb())?; - m.add(aes, ecb, Some(192), Cipher::aes_192_ecb())?; - m.add(aes, ecb, Some(256), Cipher::aes_256_ecb())?; + m.add(&aes, &ecb, Some(128), Cipher::aes_128_ecb())?; + m.add(&aes, &ecb, Some(192), Cipher::aes_192_ecb())?; + m.add(&aes, &ecb, Some(256), Cipher::aes_256_ecb())?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] { - m.add(aes, xts, Some(256), Cipher::aes_128_xts())?; - m.add(aes, xts, Some(512), Cipher::aes_256_xts())?; + m.add(&aes, &xts, Some(256), Cipher::aes_128_xts())?; + m.add(&aes, &xts, Some(512), Cipher::aes_256_xts())?; } - m.add(aes128, cbc, Some(128), Cipher::aes_128_cbc())?; - m.add(aes256, cbc, Some(256), Cipher::aes_256_cbc())?; + m.add(&aes128, &cbc, Some(128), Cipher::aes_128_cbc())?; + m.add(&aes256, &cbc, Some(256), Cipher::aes_256_cbc())?; - m.add(aes128, ofb, Some(128), Cipher::aes_128_ofb())?; - m.add(aes256, ofb, Some(256), Cipher::aes_256_ofb())?; + m.add(&aes128, &ofb, Some(128), Cipher::aes_128_ofb())?; + m.add(&aes256, &ofb, Some(256), Cipher::aes_256_ofb())?; - m.add(aes128, gcm, Some(128), Cipher::aes_128_gcm())?; - m.add(aes256, gcm, Some(256), Cipher::aes_256_gcm())?; + m.add(&aes128, &gcm, Some(128), Cipher::aes_128_gcm())?; + m.add(&aes256, &gcm, Some(256), Cipher::aes_256_gcm())?; - m.add(aes128, ctr, Some(128), Cipher::aes_128_ctr())?; - m.add(aes256, ctr, Some(256), Cipher::aes_256_ctr())?; + m.add(&aes128, &ctr, Some(128), Cipher::aes_128_ctr())?; + m.add(&aes256, &ctr, Some(256), Cipher::aes_256_ctr())?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] { - 
m.add(aes128, cfb8, Some(128), Cipher::aes_128_cfb8())?; - m.add(aes256, cfb8, Some(256), Cipher::aes_256_cfb8())?; + m.add(&aes128, &cfb8, Some(128), Cipher::aes_128_cfb8())?; + m.add(&aes256, &cfb8, Some(256), Cipher::aes_256_cfb8())?; - m.add(aes128, cfb, Some(128), Cipher::aes_128_cfb128())?; - m.add(aes256, cfb, Some(256), Cipher::aes_256_cfb128())?; + m.add(&aes128, &cfb, Some(128), Cipher::aes_128_cfb128())?; + m.add(&aes256, &cfb, Some(256), Cipher::aes_256_cfb128())?; } - m.add(aes128, ecb, Some(128), Cipher::aes_128_ecb())?; - m.add(aes256, ecb, Some(256), Cipher::aes_256_ecb())?; + m.add(&aes128, &ecb, Some(128), Cipher::aes_128_ecb())?; + m.add(&aes256, &ecb, Some(256), Cipher::aes_256_ecb())?; - m.add(triple_des, cbc, Some(192), Cipher::des_ede3_cbc())?; - m.add(triple_des, ecb, Some(192), Cipher::des_ede3_ecb())?; + m.add(&triple_des, &cbc, Some(192), Cipher::des_ede3_cbc())?; + m.add(&triple_des, &ecb, Some(192), Cipher::des_ede3_ecb())?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] { - m.add(triple_des, cfb8, Some(192), Cipher::des_ede3_cfb8())?; - m.add(triple_des, cfb, Some(192), Cipher::des_ede3_cfb64())?; - m.add(triple_des, ofb, Some(192), Cipher::des_ede3_ofb())?; + m.add(&triple_des, &cfb8, Some(192), Cipher::des_ede3_cfb8())?; + m.add(&triple_des, &cfb, Some(192), Cipher::des_ede3_cfb64())?; + m.add(&triple_des, &ofb, Some(192), Cipher::des_ede3_ofb())?; } #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] { - m.add(camellia, cbc, Some(128), Cipher::camellia128_cbc())?; - m.add(camellia, cbc, Some(192), Cipher::camellia192_cbc())?; - m.add(camellia, cbc, Some(256), Cipher::camellia256_cbc())?; + m.add(&camellia, &cbc, Some(128), Cipher::camellia128_cbc())?; + m.add(&camellia, &cbc, Some(192), Cipher::camellia192_cbc())?; + m.add(&camellia, &cbc, Some(256), Cipher::camellia256_cbc())?; - m.add(camellia, ecb, Some(128), Cipher::camellia128_ecb())?; - m.add(camellia, ecb, Some(192), Cipher::camellia192_ecb())?; - m.add(camellia, ecb, 
Some(256), Cipher::camellia256_ecb())?; + m.add(&camellia, &ecb, Some(128), Cipher::camellia128_ecb())?; + m.add(&camellia, &ecb, Some(192), Cipher::camellia192_ecb())?; + m.add(&camellia, &ecb, Some(256), Cipher::camellia256_ecb())?; - m.add(camellia, ofb, Some(128), Cipher::camellia128_ofb())?; - m.add(camellia, ofb, Some(192), Cipher::camellia192_ofb())?; - m.add(camellia, ofb, Some(256), Cipher::camellia256_ofb())?; + m.add(&camellia, &ofb, Some(128), Cipher::camellia128_ofb())?; + m.add(&camellia, &ofb, Some(192), Cipher::camellia192_ofb())?; + m.add(&camellia, &ofb, Some(256), Cipher::camellia256_ofb())?; - m.add(camellia, cfb, Some(128), Cipher::camellia128_cfb128())?; - m.add(camellia, cfb, Some(192), Cipher::camellia192_cfb128())?; - m.add(camellia, cfb, Some(256), Cipher::camellia256_cfb128())?; + m.add(&camellia, &cfb, Some(128), Cipher::camellia128_cfb128())?; + m.add(&camellia, &cfb, Some(192), Cipher::camellia192_cfb128())?; + m.add(&camellia, &cfb, Some(256), Cipher::camellia256_cfb128())?; } #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] { - m.add(sm4, cbc, Some(128), Cipher::sm4_cbc())?; - m.add(sm4, ctr, Some(128), Cipher::sm4_ctr())?; - m.add(sm4, cfb, Some(128), Cipher::sm4_cfb128())?; - m.add(sm4, ofb, Some(128), Cipher::sm4_ofb())?; - m.add(sm4, ecb, Some(128), Cipher::sm4_ecb())?; + m.add(&sm4, &cbc, Some(128), Cipher::sm4_cbc())?; + m.add(&sm4, &ctr, Some(128), Cipher::sm4_ctr())?; + m.add(&sm4, &cfb, Some(128), Cipher::sm4_cfb128())?; + m.add(&sm4, &ofb, Some(128), Cipher::sm4_ofb())?; + m.add(&sm4, &ecb, Some(128), Cipher::sm4_ecb())?; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] if let Ok(c) = Cipher::fetch(None, "sm4-gcm", None) { - m.add(sm4, gcm, Some(128), c)?; + m.add(&sm4, &gcm, Some(128), c)?; } } #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - m.add(chacha20, none_type, None, Cipher::chacha20())?; + m.add(&chacha20, none_type.as_any(), None, Cipher::chacha20())?; // Don't register legacy ciphers if they're unavailable. 
In theory // this should't be necessary but OpenSSL 3 will return an EVP_CIPHER 
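Review bot: The two XTS registrations in the `#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]` block pair `Some(256)` with `Cipher::aes_128_xts()` and `Some(512)` with `Cipher::aes_256_xts()`, which reads like a key-size mismatch next to every other entry in the table and carries no comment. An XTS key is two AES keys concatenated, so the mapping is correct, but a table that picks the cipher from the supplied key length should say so where the numbers diverge. I would add `// XTS keys are two concatenated AES keys, so the registered size is twice the AES key size.` above the two calls. The body of get_cipher_registry starts before this hunk and continues after it.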
@@ -264,39 +269,39 @@ fn get_cipher_registry( { #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] { - m.add(blowfish, cbc, None, Cipher::bf_cbc())?; - m.add(blowfish, cfb, None, Cipher::bf_cfb64())?; - m.add(blowfish, ofb, None, Cipher::bf_ofb())?; - m.add(blowfish, ecb, None, Cipher::bf_ecb())?; + m.add(&blowfish, &cbc, None, Cipher::bf_cbc())?; + m.add(&blowfish, &cfb, None, Cipher::bf_cfb64())?; + m.add(&blowfish, &ofb, None, Cipher::bf_ofb())?; + m.add(&blowfish, &ecb, None, Cipher::bf_ecb())?; } #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] { - m.add(seed, cbc, Some(128), Cipher::seed_cbc())?; - m.add(seed, cfb, Some(128), Cipher::seed_cfb128())?; - m.add(seed, ofb, Some(128), Cipher::seed_ofb())?; - m.add(seed, ecb, Some(128), Cipher::seed_ecb())?; + m.add(&seed, &cbc, Some(128), Cipher::seed_cbc())?; + m.add(&seed, &cfb, Some(128), Cipher::seed_cfb128())?; + m.add(&seed, &ofb, Some(128), Cipher::seed_ofb())?; + m.add(&seed, &ecb, Some(128), Cipher::seed_ecb())?; } #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAST"))] { - m.add(cast5, cbc, None, Cipher::cast5_cbc())?; - m.add(cast5, ecb, None, Cipher::cast5_ecb())?; - m.add(cast5, ofb, None, Cipher::cast5_ofb())?; - m.add(cast5, cfb, None, Cipher::cast5_cfb64())?; + m.add(&cast5, &cbc, None, Cipher::cast5_cbc())?; + m.add(&cast5, &ecb, None, Cipher::cast5_ecb())?; + m.add(&cast5, &ofb, None, Cipher::cast5_ofb())?; + m.add(&cast5, &cfb, None, Cipher::cast5_cfb64())?; } #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] { - m.add(idea, cbc, Some(128), Cipher::idea_cbc())?; - m.add(idea, ecb, Some(128), Cipher::idea_ecb())?; - m.add(idea, ofb, Some(128), Cipher::idea_ofb())?; - m.add(idea, cfb, Some(128), Cipher::idea_cfb64())?; + m.add(&idea, &cbc, Some(128), Cipher::idea_cbc())?; + m.add(&idea, &ecb, Some(128), Cipher::idea_ecb())?; + m.add(&idea, &ofb, Some(128), Cipher::idea_ofb())?; + m.add(&idea, &cfb, Some(128), Cipher::idea_cfb64())?; } - m.add(arc4, none_type, None, Cipher::rc4())?; + 
m.add(&arc4, none_type.as_any(), None, Cipher::rc4())?; if let Some(rc2_cbc) = Cipher::from_nid(openssl::nid::Nid::RC2_CBC) { - m.add(rc2, cbc, Some(128), rc2_cbc)?; + m.add(&rc2, &cbc, Some(128), rc2_cbc)?; } } From ccec416c6c4cc0956a8dd7d2d27f8b699a90793d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 07:54:32 -0400 Subject: [PATCH 0358/1462] Convert `oid_to_py_oid` to new pyo3 APIs (#10701) --- src/rust/src/asn1.rs | 4 ++-- src/rust/src/x509/certificate.rs | 7 +++++-- src/rust/src/x509/common.rs | 2 +- src/rust/src/x509/crl.rs | 5 ++++- src/rust/src/x509/csr.rs | 7 +++++-- src/rust/src/x509/ocsp_resp.rs | 5 ++++- 6 files changed, 21 insertions(+), 9 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 2257b3bf9663..dcc06bdcf7a0 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -26,8 +26,8 @@ pub(crate) fn py_oid_to_oid( pub(crate) fn oid_to_py_oid<'p>( py: pyo3::Python<'p>, oid: &asn1::ObjectIdentifier, -) -> pyo3::PyResult<&'p pyo3::PyAny> { - Ok(pyo3::Py::new(py, crate::oid::ObjectIdentifier { oid: oid.clone() })?.into_ref(py)) +) -> pyo3::PyResult> { + Ok(pyo3::Bound::new(py, crate::oid::ObjectIdentifier { oid: oid.clone() })?.into_any()) } #[pyo3::prelude::pyfunction] diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index d21892eb9703..dde9aa1dc278 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -76,7 +76,7 @@ impl Certificate { fn public_key_algorithm_oid<'p>( &self, py: pyo3::Python<'p>, - ) -> pyo3::PyResult<&'p pyo3::PyAny> { + ) -> pyo3::PyResult> { oid_to_py_oid( py, self.raw.borrow_dependent().tbs_cert.spki.algorithm.oid(), 
@@ -262,7 +262,10 @@ impl Certificate { } #[getter] - fn signature_algorithm_oid<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn signature_algorithm_oid<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { oid_to_py_oid(py, self.raw.borrow_dependent().signature_alg.oid()) } diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 7a7bd50ce1f9..27f162a8c6e9 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -397,7 +397,7 @@ pub(crate) fn parse_and_cache_extensions< Some(e) => e, None => types::UNRECOGNIZED_EXTENSION .get(py)? - .call1((oid_obj, raw_ext.extn_value))?, + .call1((oid_obj.clone(), raw_ext.extn_value))?, }; let ext_obj = types::EXTENSION diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 6d1cbd6beb33..cac3692e3017 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -184,7 +184,10 @@ impl CertificateRevocationList { } #[getter] - fn signature_algorithm_oid<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn signature_algorithm_oid<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { oid_to_py_oid(py, self.owned.borrow_dependent().signature_algorithm.oid()) } diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index d5342175a69e..1f1eb9f9de9c 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -58,7 +58,7 @@ impl CertificateSigningRequest { fn public_key_algorithm_oid<'p>( &self, py: pyo3::Python<'p>, - ) -> pyo3::PyResult<&'p pyo3::PyAny> { + ) -> pyo3::PyResult> { oid_to_py_oid( py, self.raw.borrow_dependent().csr_info.spki.algorithm.oid(), @@ -96,7 +96,10 @@ impl CertificateSigningRequest { } #[getter] - fn signature_algorithm_oid<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn signature_algorithm_oid<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { oid_to_py_oid(py, self.raw.borrow_dependent().signature_alg.oid()) } 
diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index e5f8b479576a..1f088a484e5d 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -172,7 +172,10 @@ impl OCSPResponse { } #[getter] - fn signature_algorithm_oid<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn signature_algorithm_oid<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; oid_to_py_oid(py, resp.signature_algorithm.oid()) } From 01d27ac06c7a7cc721fe716834b9794573284034 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Thu, 4 Apr 2024 14:25:53 +0200 Subject: [PATCH 0359/1462] Convert `src/backend/hashes.rs` to new pyo3 APIs (#10705) --- src/rust/src/backend/hashes.rs | 28 +++++----- src/rust/src/backend/hmac.rs | 3 +- src/rust/src/backend/kdf.rs | 2 +- src/rust/src/backend/mod.rs | 2 +- src/rust/src/backend/rsa.rs | 87 ++++++++++++++++++++------------ src/rust/src/backend/utils.rs | 6 +-- src/rust/src/x509/certificate.rs | 6 +-- src/rust/src/x509/crl.rs | 6 +-- src/rust/src/x509/ocsp.rs | 5 +- 9 files changed, 86 insertions(+), 59 deletions(-) diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index e26727092a6c..c97171689863 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs @@ -2,6 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; +use pyo3::IntoPy; use std::borrow::Cow; use crate::buf::CffiBuf; 
@@ -39,9 +41,9 @@ impl Hash { pub(crate) fn message_digest_from_algorithm( py: pyo3::Python<'_>, - algorithm: &pyo3::PyAny, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - if !algorithm.is_instance(types::HASH_ALGORITHM.get(py)?)? { + if !algorithm.is_instance(&types::HASH_ALGORITHM.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err("Expected instance of hashes.HashAlgorithm."), )); @@ -83,8 +85,8 @@ impl Hash { #[pyo3(signature = (algorithm, backend=None))] pub(crate) fn new( py: pyo3::Python<'_>, - algorithm: &pyo3::PyAny, - backend: Option>, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, + backend: Option<&pyo3::Bound<'_, pyo3::PyAny>>, ) -> CryptographyResult { let _ = backend; @@ -92,7 +94,7 @@ impl Hash { let ctx = openssl::hash::Hasher::new(md)?; Ok(Hash { - algorithm: algorithm.into(), + algorithm: algorithm.clone().into_py(py), ctx: Some(ctx), }) } @@ -104,17 +106,17 @@ impl Hash { pub(crate) fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { #[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)))] { let algorithm = self.algorithm.clone_ref(py); - let algorithm = algorithm.as_ref(py); - if algorithm.is_instance(types::EXTENDABLE_OUTPUT_FUNCTION.get(py)?)? { + let algorithm = algorithm.bind(py); + if algorithm.is_instance(&types::EXTENDABLE_OUTPUT_FUNCTION.get_bound(py)?)? { let ctx = self.get_mut_ctx()?; let digest_size = algorithm .getattr(pyo3::intern!(py, "digest_size"))? .extract::()?; - let result = pyo3::types::PyBytes::new_with(py, digest_size, |b| { + let result = pyo3::types::PyBytes::new_bound_with(py, digest_size, |b| { ctx.finish_xof(b).unwrap(); Ok(()) })?; 
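Review bot: In `finalize`, the XOF branch keeps `ctx.finish_xof(b).unwrap()` inside the closure now passed to `PyBytes::new_bound_with`, so an OpenSSL failure there surfaces as a Rust panic instead of a Python exception, while the non-XOF path in the next hunk propagates the equivalent error with `finish()?`. The closure already returns a result, so the error can be returned from it, for example `ctx.finish_xof(b).map_err(CryptographyError::from)?;` in place of the `unwrap()`; this leans on the same error conversions `?` uses elsewhere in the file, so confirm it type-checks inside the closure. The output length comes from the `digest_size` attribute of the Python algorithm object, which is one more reason to fail with an exception rather than a panic on this path. The rest of `finalize` lies in the following hunk.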
@@ -125,7 +127,7 @@ impl Hash { let data = self.get_mut_ctx()?.finish()?; self.ctx = None; - Ok(pyo3::types::PyBytes::new(py, &data)) + Ok(pyo3::types::PyBytes::new_bound(py, &data)) } fn copy(&self, py: pyo3::Python<'_>) -> CryptographyResult { @@ -136,8 +138,10 @@ impl Hash { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "hashes")?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "hashes")?; m.add_class::()?; Ok(m) diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs index 3c19f1d124cb..4d1b4b325bdb 100644 --- a/src/rust/src/backend/hmac.rs +++ b/src/rust/src/backend/hmac.rs @@ -6,6 +6,7 @@ use crate::backend::hashes::{already_finalized_error, message_digest_from_algori use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; +use pyo3::PyNativeType; #[pyo3::prelude::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.hmac", @@ -23,7 +24,7 @@ impl Hmac { key: &[u8], algorithm: &pyo3::PyAny, ) -> CryptographyResult { - let md = message_digest_from_algorithm(py, algorithm)?; + let md = message_digest_from_algorithm(py, &algorithm.as_borrowed())?; let ctx = cryptography_openssl::hmac::Hmac::new(key, md).map_err(|_| { exceptions::UnsupportedAlgorithm::new_err(( "Digest is not supported for HMAC", diff --git a/src/rust/src/backend/kdf.rs b/src/rust/src/backend/kdf.rs index 35cf0eb266a3..942b5613cd5f 100644 --- a/src/rust/src/backend/kdf.rs +++ b/src/rust/src/backend/kdf.rs @@ -10,7 +10,7 @@ use crate::error::CryptographyResult; fn derive_pbkdf2_hmac<'p>( py: pyo3::Python<'p>, key_material: CffiBuf<'_>, - algorithm: &pyo3::PyAny, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, salt: &[u8], iterations: usize, length: usize, 
diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 2b1592906a1f..bab72f289056 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -42,7 +42,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(poly1305::create_module(module.py())?)?; - module.add_submodule(hashes::create_module(module.py())?)?; + module.add_submodule(hashes::create_module(module.py())?.into_gil_ref())?; module.add_submodule(hmac::create_module(module.py())?)?; module.add_submodule(kdf::create_module(module.py())?)?; module.add_submodule(rsa::create_module(module.py())?.into_gil_ref())?; diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 07fea2b49187..45dd5c309c4f 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -10,6 +10,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; +use pyo3::PyNativeType; #[pyo3::prelude::pyclass( frozen, @@ -80,9 +81,9 @@ fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool { fn setup_encryption_ctx( py: pyo3::Python<'_>, ctx: &mut openssl::pkey_ctx::PkeyCtx, - padding: &pyo3::PyAny, + padding: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult<()> { - if !padding.is_instance(types::ASYMMETRIC_PADDING.get(py)?)? { + if !padding.is_instance(&types::ASYMMETRIC_PADDING.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Padding must be an instance of AsymmetricPadding.", 
@@ -90,12 +91,12 @@ fn setup_encryption_ctx( )); } - let padding_enum = if padding.is_instance(types::PKCS1V15.get(py)?)? { + let padding_enum = if padding.is_instance(&types::PKCS1V15.get_bound(py)?)? { openssl::rsa::Padding::PKCS1 - } else if padding.is_instance(types::OAEP.get(py)?)? { + } else if padding.is_instance(&types::OAEP.get_bound(py)?)? { if !padding .getattr(pyo3::intern!(py, "_mgf"))? - .is_instance(types::MGF1.get(py)?)? + .is_instance(&types::MGF1.get_bound(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( @@ -123,13 +124,13 @@ fn setup_encryption_ctx( if padding_enum == openssl::rsa::Padding::PKCS1_OAEP { let mgf1_md = hashes::message_digest_from_algorithm( py, - padding + &padding .getattr(pyo3::intern!(py, "_mgf"))? .getattr(pyo3::intern!(py, "_algorithm"))?, )?; let oaep_md = hashes::message_digest_from_algorithm( py, - padding.getattr(pyo3::intern!(py, "_algorithm"))?, + &padding.getattr(pyo3::intern!(py, "_algorithm"))?, )?; if !oaep_hash_supported(&mgf1_md) || !oaep_hash_supported(&oaep_md) { @@ -160,12 +161,12 @@ fn setup_encryption_ctx( fn setup_signature_ctx( py: pyo3::Python<'_>, ctx: &mut openssl::pkey_ctx::PkeyCtx, - padding: &pyo3::PyAny, - algorithm: &pyo3::PyAny, + padding: &pyo3::Bound<'_, pyo3::PyAny>, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, key_size: usize, is_signing: bool, ) -> CryptographyResult<()> { - if !padding.is_instance(types::ASYMMETRIC_PADDING.get(py)?)? { + if !padding.is_instance(&types::ASYMMETRIC_PADDING.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Padding must be an instance of AsymmetricPadding.", 
@@ -173,12 +174,12 @@ fn setup_signature_ctx( )); } - let padding_enum = if padding.is_instance(types::PKCS1V15.get(py)?)? { + let padding_enum = if padding.is_instance(&types::PKCS1V15.get_bound(py)?)? { openssl::rsa::Padding::PKCS1 - } else if padding.is_instance(types::PSS.get(py)?)? { + } else if padding.is_instance(&types::PSS.get_bound(py)?)? { if !padding .getattr(pyo3::intern!(py, "_mgf"))? - .is_instance(types::MGF1.get(py)?)? + .is_instance(&types::MGF1.get_bound(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( @@ -189,7 +190,7 @@ fn setup_signature_ctx( } // PSS padding requires a hash algorithm - if !algorithm.is_instance(types::HASH_ALGORITHM.get(py)?)? { + if !algorithm.is_instance(&types::HASH_ALGORITHM.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Expected instance of hashes.HashAlgorithm.", @@ -250,11 +251,11 @@ fn setup_signature_ctx( if padding_enum == openssl::rsa::Padding::PKCS1_PSS { let salt = padding.getattr(pyo3::intern!(py, "_salt_length"))?; - if salt.is_instance(types::PADDING_MAX_LENGTH.get(py)?)? { + if salt.is_instance(&types::PADDING_MAX_LENGTH.get_bound(py)?)? { ctx.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::MAXIMUM_LENGTH)?; - } else if salt.is_instance(types::PADDING_DIGEST_LENGTH.get(py)?)? { + } else if salt.is_instance(&types::PADDING_DIGEST_LENGTH.get_bound(py)?)? { ctx.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::DIGEST_LENGTH)?; - } else if salt.is_instance(types::PADDING_AUTO.get(py)?)? { + } else if salt.is_instance(&types::PADDING_AUTO.get_bound(py)?)? { if is_signing { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -268,7 +269,7 @@ fn setup_signature_ctx( let mgf1_md = hashes::message_digest_from_algorithm( py, - padding + &padding .getattr(pyo3::intern!(py, "_mgf"))? .getattr(pyo3::intern!(py, "_algorithm"))?, )?; 
@@ -284,17 +285,27 @@ impl RsaPrivateKey { &self, py: pyo3::Python<'p>, data: CffiBuf<'_>, - padding: &pyo3::PyAny, - algorithm: &pyo3::PyAny, + padding: &pyo3::Bound<'p, pyo3::PyAny>, + algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - let (data, algorithm) = - utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; + let (data, algorithm) = utils::calculate_digest_and_algorithm( + py, + data.as_bytes(), + algorithm.clone().into_gil_ref(), + )?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.sign_init().map_err(|_| { pyo3::exceptions::PyValueError::new_err("Unable to sign/verify with this key") })?; - setup_signature_ctx(py, &mut ctx, padding, algorithm, self.pkey.size(), true)?; + setup_signature_ctx( + py, + &mut ctx, + padding, + &algorithm.as_borrowed(), + self.pkey.size(), + true, + )?; let length = ctx.sign(data, None)?; Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { @@ -312,7 +323,7 @@ impl RsaPrivateKey { &self, py: pyo3::Python<'p>, ciphertext: &[u8], - padding: &pyo3::PyAny, + padding: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { let key_size_bytes = usize::try_from((self.pkey.rsa().unwrap().n().num_bits() + 7) / 8).unwrap(); 
@@ -424,15 +435,25 @@ impl RsaPublicKey { py: pyo3::Python<'_>, signature: CffiBuf<'_>, data: CffiBuf<'_>, - padding: &pyo3::PyAny, - algorithm: &pyo3::PyAny, + padding: &pyo3::Bound<'_, pyo3::PyAny>, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult<()> { - let (data, algorithm) = - utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; + let (data, algorithm) = utils::calculate_digest_and_algorithm( + py, + data.as_bytes(), + algorithm.clone().into_gil_ref(), + )?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.verify_init()?; - setup_signature_ctx(py, &mut ctx, padding, algorithm, self.pkey.size(), false)?; + setup_signature_ctx( + py, + &mut ctx, + padding, + &algorithm.as_borrowed(), + self.pkey.size(), + false, + )?; let valid = ctx.verify(data, signature.as_bytes()).unwrap_or(false); if !valid { @@ -448,7 +469,7 @@ impl RsaPublicKey { &self, py: pyo3::Python<'p>, plaintext: &[u8], - padding: &pyo3::PyAny, + padding: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.encrypt_init()?; @@ -469,10 +490,10 @@ impl RsaPublicKey { &self, py: pyo3::Python<'p>, signature: &[u8], - padding: &pyo3::PyAny, - algorithm: &pyo3::PyAny, + padding: &pyo3::Bound<'_, pyo3::PyAny>, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - if algorithm.is_instance(types::PREHASHED.get(py)?)? { + if algorithm.is_instance(&types::PREHASHED.get(py)?.as_borrowed())? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Prehashed is only supported in the sign and verify methods. It cannot be used with recover_data_from_signature.", diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index f44db97101ed..63ee13bca525 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs 
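Review bot: `recover_data_from_signature` tests the algorithm with `&types::PREHASHED.get(py)?.as_borrowed()`, the one type check in this file's changes that still fetches a GIL-ref and borrows it back; every other `is_instance` call converted in this commit uses `get_bound`. Writing it as `if algorithm.is_instance(&types::PREHASHED.get_bound(py)?)? {` keeps the Prehashed rejection in the same form as the padding and hash checks above and removes one round trip through the older API. The function body continues past the end of the hunk.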
@@ -6,7 +6,7 @@ use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; use crate::{error, types}; use pyo3::prelude::PyAnyMethods; -use pyo3::ToPyObject; +use pyo3::{PyNativeType, ToPyObject}; pub(crate) fn py_int_to_bn( py: pyo3::Python<'_>, @@ -362,9 +362,9 @@ pub(crate) fn calculate_digest_and_algorithm<'p>( } else { // Potential optimization: rather than allocate a PyBytes in // `h.finalize()`, have a way to get the `DigestBytes` directly. - let mut h = Hash::new(py, algorithm, None)?; + let mut h = Hash::new(py, &algorithm.as_borrowed(), None)?; h.update_bytes(data)?; - data = h.finalize(py)?.as_bytes(); + data = h.finalize(py)?.into_gil_ref().as_bytes(); } if data.len() != algorithm.getattr("digest_size")?.extract()? { diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index dde9aa1dc278..9797c30f39f8 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -17,7 +17,7 @@ use cryptography_x509::extensions::{ use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; use cryptography_x509_verification::ops::CryptoOps; -use pyo3::{IntoPy, ToPyObject}; +use pyo3::{IntoPy, PyNativeType, ToPyObject}; use crate::asn1::{ big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, @@ -90,9 +90,9 @@ impl Certificate { ) -> CryptographyResult<&'p pyo3::PyAny> { let serialized = asn1::write_single(&self.raw.borrow_dependent())?; - let mut h = hashes::Hash::new(py, algorithm, None)?; + let mut h = hashes::Hash::new(py, &algorithm.as_borrowed(), None)?; h.update_bytes(&serialized)?; - Ok(h.finalize(py)?) + Ok(h.finalize(py)?.into_gil_ref()) } fn public_bytes<'p>( diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index cac3692e3017..3521adf71b34 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs 
@@ -13,7 +13,7 @@ use cryptography_x509::{ }, name, oid, }; -use pyo3::{IntoPy, ToPyObject}; +use pyo3::{IntoPy, PyNativeType, ToPyObject}; use crate::asn1::{ big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, @@ -178,9 +178,9 @@ impl CertificateRevocationList { ) -> pyo3::PyResult<&'p pyo3::PyAny> { let data = self.public_bytes_der()?; - let mut h = Hash::new(py, algorithm, None)?; + let mut h = Hash::new(py, &algorithm.as_borrowed(), None)?; h.update_bytes(&data)?; - Ok(h.finalize(py)?) + Ok(h.finalize(py)?.into_gil_ref()) } #[getter] diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index 3565588bc0f1..10590354b8df 100644 --- a/src/rust/src/x509/ocsp.rs +++ b/src/rust/src/x509/ocsp.rs @@ -7,6 +7,7 @@ use std::collections::HashMap; use cryptography_x509::common; use cryptography_x509::ocsp_req::CertID; use once_cell::sync::Lazy; +use pyo3::PyNativeType; use crate::backend::hashes::Hash; use crate::error::CryptographyResult; @@ -125,7 +126,7 @@ pub(crate) fn hash_data<'p>( py_hash_alg: &'p pyo3::PyAny, data: &[u8], ) -> pyo3::PyResult<&'p [u8]> { - let mut h = Hash::new(py, py_hash_alg, None)?; + let mut h = Hash::new(py, &py_hash_alg.as_borrowed(), None)?; h.update_bytes(data)?; - Ok(h.finalize(py)?.as_bytes()) + Ok(h.finalize(py)?.into_gil_ref().as_bytes()) } From 6813602069304f5282109c091f355d0a3c2dd804 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 08:40:48 -0400 Subject: [PATCH 0360/1462] Convert two more `asn1.rs` APIs to new pyo3 APIs (#10704) --- src/rust/src/asn1.rs | 19 +++++++++++-------- src/rust/src/x509/certificate.rs | 2 +- src/rust/src/x509/crl.rs | 5 ++++- src/rust/src/x509/ocsp_req.rs | 2 +- src/rust/src/x509/ocsp_resp.rs | 12 +++++++++--- 5 files changed, 26 insertions(+), 14 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index dcc06bdcf7a0..394f19218083 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs 
@@ -31,25 +31,28 @@ pub(crate) fn oid_to_py_oid<'p>( } #[pyo3::prelude::pyfunction] -fn parse_spki_for_data( - py: pyo3::Python<'_>, +fn parse_spki_for_data<'p>( + py: pyo3::Python<'p>, data: &[u8], -) -> Result { +) -> Result, CryptographyError> { let spki = asn1::parse_single::>(data)?; if spki.subject_public_key.padding_bits() != 0 { return Err(pyo3::exceptions::PyValueError::new_err("Invalid public key encoding").into()); } - Ok(pyo3::types::PyBytes::new(py, spki.subject_public_key.as_bytes()).to_object(py)) + Ok(pyo3::types::PyBytes::new_bound( + py, + spki.subject_public_key.as_bytes(), + )) } pub(crate) fn big_byte_slice_to_py_int<'p>( py: pyo3::Python<'p>, v: &'_ [u8], -) -> pyo3::PyResult<&'p pyo3::PyAny> { - let int_type = py.get_type::(); - let kwargs = [("signed", true)].into_py_dict(py); - int_type.call_method(pyo3::intern!(py, "from_bytes"), (v, "big"), Some(kwargs)) +) -> pyo3::PyResult> { + let int_type = py.get_type_bound::(); + let kwargs = [("signed", true)].into_py_dict_bound(py); + int_type.call_method(pyo3::intern!(py, "from_bytes"), (v, "big"), Some(&kwargs)) } #[pyo3::prelude::pyfunction] diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 9797c30f39f8..2be995def916 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -109,7 +109,7 @@ impl Certificate { fn serial_number<'p>( &self, py: pyo3::Python<'p>, - ) -> Result<&'p pyo3::PyAny, CryptographyError> { + ) -> Result, CryptographyError> { let bytes = self.raw.borrow_dependent().tbs_cert.serial.as_bytes(); warn_if_negative_serial(py, bytes)?; Ok(big_byte_slice_to_py_int(py, bytes)?) diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 3521adf71b34..900914241ec2 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs 
@@ -521,7 +521,10 @@ struct RevokedCertificate { #[pyo3::prelude::pymethods] impl RevokedCertificate { #[getter] - fn serial_number<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn serial_number<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { big_byte_slice_to_py_int( py, self.owned.borrow_dependent().user_certificate.as_bytes(), diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 931036c4b0a7..5d6674d04b3f 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -105,7 +105,7 @@ impl OCSPRequest { fn serial_number<'p>( &self, py: pyo3::Python<'p>, - ) -> Result<&'p pyo3::PyAny, CryptographyError> { + ) -> Result, CryptographyError> { let bytes = self.cert_id().serial_number.as_bytes(); Ok(big_byte_slice_to_py_int(py, bytes)?) } diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 1f088a484e5d..7d93fde6fc6a 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -256,7 +256,10 @@ impl OCSPResponse { } #[getter] - fn serial_number<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn serial_number<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_serial_number(&single_resp, py) @@ -461,7 +464,7 @@ fn single_response<'a>( fn singleresp_py_serial_number<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, -) -> pyo3::PyResult<&'p pyo3::PyAny> { +) -> pyo3::PyResult> { big_byte_slice_to_py_int(py, resp.cert_id.serial_number.as_bytes()) } @@ -781,7 +784,10 @@ impl OCSPSingleResponse { #[pyo3::prelude::pymethods] impl OCSPSingleResponse { #[getter] - fn serial_number<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn serial_number<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { singleresp_py_serial_number(self.single_response(), py) } 
From 632389f2fd0689a7de7a80f26d8f18ac255870e5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 09:10:49 -0400 Subject: [PATCH 0361/1462] Convert `src/backend/ciphers.rs` to new pyo3 APIs (#10703) --- src/rust/src/backend/ciphers.rs | 81 ++++++++++++++++++--------------- src/rust/src/backend/mod.rs | 2 +- 2 files changed, 46 insertions(+), 37 deletions(-) diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 2cf97d7b8800..5677e0fbba3d 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs @@ -7,7 +7,7 @@ use crate::buf::{CffiBuf, CffiMutBuf}; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; use crate::types; -use pyo3::prelude::PyAnyMethods; +use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; use pyo3::IntoPy; struct CipherContext { @@ -121,10 +121,10 @@ impl CipherContext { &mut self, py: pyo3::Python<'p>, buf: &[u8], - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut out_buf = vec![0; buf.len() + self.ctx.block_size()]; let n = self.update_into(py, buf, &mut out_buf)?; - Ok(pyo3::types::PyBytes::new(py, &out_buf[..n])) + Ok(pyo3::types::PyBytes::new_bound(py, &out_buf[..n])) } fn update_into( @@ -146,7 +146,11 @@ impl CipherContext { for chunk in buf.chunks(1 << 29) { // SAFETY: We ensure that outbuf is sufficiently large above. unsafe { - let n = if self.py_mode.as_ref(py).is_instance(types::XTS.get(py)?)? { + let n = if self + .py_mode + .bind(py) + .is_instance(&types::XTS.get_bound(py)?)? + { self.ctx.cipher_update_unchecked(chunk, Some(&mut out_buf[total_written..])).map_err(|_| { pyo3::exceptions::PyValueError::new_err( "In XTS mode you must supply at least a full block in the first update call. For AES this is 16 bytes." 
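Review bot: In `CipherContext::update_into` (ciphers.rs, hunk at -146,7) the XTS test `self.py_mode.bind(py).is_instance(&types::XTS.get_bound(py)?)?` runs inside the `unsafe` block and is repeated for every chunk of the `buf.chunks(1 << 29)` loop, although the mode object is not expected to change between chunks. Hoisting it before the loop, e.g. `let is_xts = self.py_mode.bind(py).is_instance(&types::XTS.get_bound(py)?)?;`, would leave only the `cipher_update_unchecked` call inside `unsafe`. That makes the SAFETY comment easier to audit. The function starts and ends outside this hunk, so the buffer-size check the SAFETY comment relies on is not visible here.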
@@ -171,14 +175,14 @@ impl CipherContext { fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut out_buf = vec![0; self.ctx.block_size()]; let n = self.ctx.cipher_final(&mut out_buf).or_else(|e| { if e.errors().is_empty() && self .py_mode - .as_ref(py) - .is_instance(types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? + .bind(py) + .is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get_bound(py)?)? { return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); } @@ -188,7 +192,7 @@ impl CipherContext { ), )) })?; - Ok(pyo3::types::PyBytes::new(py, &out_buf[..n])) + Ok(pyo3::types::PyBytes::new_bound(py, &out_buf[..n])) } } @@ -233,7 +237,7 @@ impl PyCipherContext { &mut self, py: pyo3::Python<'p>, buf: CffiBuf<'_>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { get_mut_ctx(self.ctx.as_mut())?.update(py, buf.as_bytes()) } @@ -249,7 +253,7 @@ impl PyCipherContext { fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let result = get_mut_ctx(self.ctx.as_mut())?.finalize(py)?; self.ctx = None; Ok(result) @@ -262,7 +266,7 @@ impl PyAEADEncryptionContext { &mut self, py: pyo3::Python<'p>, buf: CffiBuf<'_>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let data = buf.as_bytes(); self.updated = true; 
@@ -314,16 +318,16 @@ impl PyAEADEncryptionContext { fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let ctx = get_mut_ctx(self.ctx.as_mut())?; let result = ctx.finalize(py)?; // XXX: do not hard code 16 - let tag = pyo3::types::PyBytes::new_with(py, 16, |t| { + let tag = pyo3::types::PyBytes::new_bound_with(py, 16, |t| { ctx.ctx.tag(t).map_err(CryptographyError::from)?; Ok(()) })?; - self.tag = Some(tag.into_py(py)); + self.tag = Some(tag.unbind()); self.ctx = None; Ok(result) @@ -349,7 +353,7 @@ impl PyAEADDecryptionContext { &mut self, py: pyo3::Python<'p>, buf: CffiBuf<'_>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let data = buf.as_bytes(); self.updated = true; @@ -401,12 +405,12 @@ impl PyAEADDecryptionContext { fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let ctx = get_mut_ctx(self.ctx.as_mut())?; if ctx .py_mode - .as_ref(py) + .bind(py) .getattr(pyo3::intern!(py, "tag"))? .is_none() { @@ -426,12 +430,12 @@ impl PyAEADDecryptionContext { &mut self, py: pyo3::Python<'p>, tag: &[u8], - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let ctx = get_mut_ctx(self.ctx.as_mut())?; if !ctx .py_mode - .as_ref(py) + .bind(py) .getattr(pyo3::intern!(py, "tag"))? .is_none() { @@ -444,7 +448,7 @@ impl PyAEADDecryptionContext { let min_tag_length = ctx .py_mode - .as_ref(py) + .bind(py) .getattr(pyo3::intern!(py, "_min_tag_length"))? .extract()?; // XXX: Do not hard code 16 
@@ -506,8 +510,11 @@ fn create_decryption_ctx( let mut ctx = CipherContext::new(py, algorithm, mode.clone(), openssl::symm::Mode::Decrypt)?; if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get_bound(py)?)? { - if let Some(tag) = mode.getattr(pyo3::intern!(py, "tag"))?.extract()? { - ctx.ctx.set_tag(tag)?; + if let Some(tag) = mode + .getattr(pyo3::intern!(py, "tag"))? + .extract::>()? + { + ctx.ctx.set_tag(&tag)?; } Ok(PyAEADDecryptionContext { 
@@ -536,31 +543,33 @@ fn cipher_supported( } #[pyo3::prelude::pyfunction] -fn _advance(ctx: &pyo3::PyAny, n: u64) { - if let Ok(c) = ctx.downcast::>() { +fn _advance(ctx: pyo3::Bound<'_, pyo3::PyAny>, n: u64) { + if let Ok(c) = ctx.downcast::() { c.borrow_mut().bytes_remaining -= n; - } else if let Ok(c) = ctx.downcast::>() { + } else if let Ok(c) = ctx.downcast::() { c.borrow_mut().bytes_remaining -= n; } } #[pyo3::prelude::pyfunction] -fn _advance_aad(ctx: &pyo3::PyAny, n: u64) { - if let Ok(c) = ctx.downcast::>() { +fn _advance_aad(ctx: pyo3::Bound<'_, pyo3::PyAny>, n: u64) { + if let Ok(c) = ctx.downcast::() { c.borrow_mut().aad_bytes_remaining -= n; - } else if let Ok(c) = ctx.downcast::>() { + } else if let Ok(c) = ctx.downcast::() { c.borrow_mut().aad_bytes_remaining -= n; } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "ciphers")?; - m.add_function(pyo3::wrap_pyfunction!(create_encryption_ctx, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(create_decryption_ctx, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(cipher_supported, m)?)?; - - m.add_function(pyo3::wrap_pyfunction!(_advance, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(_advance_aad, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "ciphers")?; + m.add_function(pyo3::wrap_pyfunction!(create_encryption_ctx, &m)?)?; + m.add_function(pyo3::wrap_pyfunction!(create_decryption_ctx, &m)?)?; + m.add_function(pyo3::wrap_pyfunction!(cipher_supported, &m)?)?; + + m.add_function(pyo3::wrap_pyfunction!(_advance, &m)?)?; + m.add_function(pyo3::wrap_pyfunction!(_advance_aad, &m)?)?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index bab72f289056..4cae1e3d5bef 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs 
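Review bot: `_advance` and `_advance_aad` (ciphers.rs, hunk at -536,31) subtract the caller-supplied `n` with a plain `-=`, as in `c.borrow_mut().bytes_remaining -= n;`. An `n` larger than the remaining count therefore panics when overflow checks are enabled and wraps to a very large value when they are not. These counters appear to bound how much data an AEAD context will process, so a wrap would effectively lift that bound. Using `bytes_remaining.checked_sub(n)` and returning an error on `None` would be safer, at the cost of giving both functions a result return type. Both functions also silently do nothing when `ctx` is neither context type, which hides a mistaken call; the downcast type parameters are missing from the page text, so the exact types cannot be confirmed here.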
@@ -25,7 +25,7 @@ pub(crate) mod x448; pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { module.add_submodule(aead::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(ciphers::create_module(module.py())?)?; + module.add_submodule(ciphers::create_module(module.py())?.into_gil_ref())?; module.add_submodule(cmac::create_module(module.py())?)?; module.add_submodule(dh::create_module(module.py())?)?; module.add_submodule(dsa::create_module(module.py())?)?; From 52bed48a925024d744a2c29a1be917e6a5f639c6 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Thu, 4 Apr 2024 16:46:25 +0200 Subject: [PATCH 0362/1462] Convert `private_bytes` methods to new pyo3 APIs (#10707) --- src/rust/src/backend/dh.rs | 6 +++--- src/rust/src/backend/dsa.rs | 6 +++--- src/rust/src/backend/ec.rs | 6 +++--- src/rust/src/backend/ed25519.rs | 6 +++--- src/rust/src/backend/ed448.rs | 6 +++--- src/rust/src/backend/rsa.rs | 10 +++++----- src/rust/src/backend/utils.rs | 28 ++++++++++++++-------------- src/rust/src/backend/x25519.rs | 6 +++--- src/rust/src/backend/x448.rs | 6 +++--- 9 files changed, 40 insertions(+), 40 deletions(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 2eb9189bb1ce..5e84febbc1c1 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -224,9 +224,9 @@ impl DHPrivateKey { fn private_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { if !format.is(types::PRIVATE_FORMAT_PKCS8.get(py)?) { return Err(CryptographyError::from( diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index a62de7c73239..0bcfd2bf7120 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs 
@@ -131,9 +131,9 @@ impl DsaPrivateKey { fn private_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_private_bytes( py, diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index f63444ef0fab..500e0b6e7a22 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -355,9 +355,9 @@ impl ECPrivateKey { fn private_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_private_bytes( py, diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index 4ddb8d14abe7..55db28c30c55 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -99,9 +99,9 @@ impl Ed25519PrivateKey { fn private_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_private_bytes( py, diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index 0e6698af0f1e..a8678a6aa01e 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs 
@@ -97,9 +97,9 @@ impl Ed448PrivateKey { fn private_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_private_bytes( py, diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 45dd5c309c4f..f1d9217d9f62 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -147,10 +147,10 @@ fn setup_encryption_ctx( if let Some(label) = padding .getattr(pyo3::intern!(py, "_label"))? - .extract::>()? + .extract::>()? { if !label.is_empty() { - ctx.set_rsa_oaep_label(label)?; + ctx.set_rsa_oaep_label(&label)?; } } } @@ -411,9 +411,9 @@ impl RsaPrivateKey { fn private_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_private_bytes( py, diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 63ee13bca525..7c01e0be3772 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs 
@@ -46,27 +46,27 @@ pub(crate) fn pkey_private_bytes<'p>( py: pyo3::Python<'p>, key_obj: &pyo3::Bound<'p, pyo3::PyAny>, pkey: &openssl::pkey::PKey, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, openssh_allowed: bool, raw_allowed: bool, ) -> CryptographyResult> { - if !encoding.is_instance(types::ENCODING.get(py)?)? { + if !encoding.is_instance(&types::ENCODING.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "encoding must be an item from the Encoding enum", ), )); } - if !format.is_instance(types::PRIVATE_FORMAT.get(py)?)? { + if !format.is_instance(&types::PRIVATE_FORMAT.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "format must be an item from the PrivateFormat enum", ), )); } - if !encryption_algorithm.is_instance(types::KEY_SERIALIZATION_ENCRYPTION.get(py)?)? { + if !encryption_algorithm.is_instance(&types::KEY_SERIALIZATION_ENCRYPTION.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Encryption algorithm must be a KeySerializationEncryption instance", @@ -80,7 +80,7 @@ pub(crate) fn pkey_private_bytes<'p>( { if !encoding.is(types::ENCODING_RAW.get(py)?) || !format.is(types::PRIVATE_FORMAT_RAW.get(py)?) - || !encryption_algorithm.is_instance(types::NO_ENCRYPTION.get(py)?)? + || !encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get_bound(py)?)? { return Err(CryptographyError::from(pyo3::exceptions::PyValueError::new_err( "When using Raw both encoding and format must be Raw and encryption_algorithm must be NoEncryption()" 
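Review bot: The Raw-format condition in `pkey_private_bytes` (utils.rs, hunk at -80,7) now mixes both pyo3 API generations in one expression. `encoding.is(types::ENCODING_RAW.get(py)?)` and `format.is(types::PRIVATE_FORMAT_RAW.get(py)?)` still use the GIL-ref getter, while the adjacent `is_instance` call uses `get_bound`. The later hunks of this function show the same split: `ENCODING_PEM` and `ENCODING_DER` are converted but `PRIVATE_FORMAT_TRADITIONAL_OPENSSL` is not. Converting the remaining identity checks, e.g. `!encoding.is(&types::ENCODING_RAW.get_bound(py)?)`, would keep the whole function on one API. The function body continues outside these hunks.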
@@ -90,10 +90,10 @@ pub(crate) fn pkey_private_bytes<'p>( return Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)); } - let password = if encryption_algorithm.is_instance(types::NO_ENCRYPTION.get(py)?)? { + let password = if encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get_bound(py)?)? { b"" - } else if encryption_algorithm.is_instance(types::BEST_AVAILABLE_ENCRYPTION.get(py)?)? - || (encryption_algorithm.is_instance(types::ENCRYPTION_BUILDER.get(py)?)? + } else if encryption_algorithm.is_instance(&types::BEST_AVAILABLE_ENCRYPTION.get_bound(py)?)? + || (encryption_algorithm.is_instance(&types::ENCRYPTION_BUILDER.get_bound(py)?)? && encryption_algorithm .getattr(pyo3::intern!(py, "_format"))? .is(format)) @@ -144,7 +144,7 @@ pub(crate) fn pkey_private_bytes<'p>( if format.is(types::PRIVATE_FORMAT_TRADITIONAL_OPENSSL.get(py)?) { if let Ok(rsa) = pkey.rsa() { - if encoding.is(types::ENCODING_PEM.get(py)?) { + if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { let pem_bytes = if password.is_empty() { rsa.private_key_to_pem()? } else { @@ -154,7 +154,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(types::ENCODING_DER.get(py)?) { + } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { if !password.is_empty() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -167,7 +167,7 @@ pub(crate) fn pkey_private_bytes<'p>( return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } } else if let Ok(dsa) = pkey.dsa() { - if encoding.is(types::ENCODING_PEM.get(py)?) { + if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { let pem_bytes = if password.is_empty() { dsa.private_key_to_pem()? } else { 
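Review bot: In `pkey_private_bytes` (utils.rs, hunk at -90,10) the empty byte string doubles as the "no encryption" marker: `NoEncryption` yields `b""`, and the TraditionalOpenSSL branches in the following hunks write an unencrypted PEM whenever `password.is_empty()`. That is safe only if the other encryption-algorithm classes can never carry an empty password, which these hunks do not show. A comment at the `let password = ...` binding would record the invariant, for example `// Invariant: an empty password means NoEncryption; other KeySerializationEncryption types must reject empty passwords before this point.` The rest of the password selection lies outside the hunk.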
@@ -177,7 +177,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(types::ENCODING_DER.get(py)?) { + } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { if !password.is_empty() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 89d8a53e500e..45d397e751f0 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -100,9 +100,9 @@ impl X25519PrivateKey { fn private_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_private_bytes( py, diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 49dbfbd65e06..bd2833df48dc 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -99,9 +99,9 @@ impl X448PrivateKey { fn private_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_private_bytes( py, From c0b80d6d0b6157304a10e3172ad302e99b21b4b7 Mon Sep 17 00:00:00 2001 
From: Facundo Tuesca Date: Thu, 4 Apr 2024 19:39:02 +0200 Subject: [PATCH 0363/1462] Convert more `utils.rs` APIs to new pyo3 APIs (#10708) --- src/rust/src/backend/dh.rs | 4 ++-- src/rust/src/backend/dsa.rs | 11 +++++++---- src/rust/src/backend/ec.rs | 20 +++++++++++--------- src/rust/src/backend/ed25519.rs | 4 ++-- src/rust/src/backend/ed448.rs | 4 ++-- src/rust/src/backend/rsa.rs | 18 ++++++------------ src/rust/src/backend/utils.rs | 21 +++++++++++---------- src/rust/src/backend/x25519.rs | 4 ++-- src/rust/src/backend/x448.rs | 4 ++-- 9 files changed, 45 insertions(+), 45 deletions(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 5e84febbc1c1..b0527fca16b5 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -259,8 +259,8 @@ impl DHPublicKey { fn public_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { if !format.is(types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?) { return Err(CryptographyError::from( diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 0bcfd2bf7120..9793da8a0c7b 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -7,6 +7,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; use pyo3::prelude::PyAnyMethods; +use pyo3::PyNativeType; #[pyo3::prelude::pyclass( frozen, @@ -71,7 +72,8 @@ impl DsaPrivateKey { data: CffiBuf<'_>, algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; + let (data, _) = + utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm.as_borrowed())?; let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; signer.sign_init()?; 
@@ -157,7 +159,8 @@ impl DsaPublicKey { data: CffiBuf<'_>, algorithm: &pyo3::PyAny, ) -> CryptographyResult<()> { - let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; + let (data, _) = + utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm.as_borrowed())?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; verifier.verify_init()?; @@ -204,8 +207,8 @@ impl DsaPublicKey { fn public_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, false) } diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 500e0b6e7a22..a34fc131e8f9 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -6,7 +6,7 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; use pyo3::prelude::PyAnyMethods; -use pyo3::ToPyObject; +use pyo3::{PyNativeType, ToPyObject}; use crate::backend::utils; use crate::buf::CffiBuf; @@ -274,11 +274,11 @@ impl ECPrivateKey { )), )); } - let (data, algo) = utils::calculate_digest_and_algorithm( - py, - data.as_bytes(), - signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, - )?; + let bound_algorithm = signature_algorithm + .getattr(pyo3::intern!(py, "algorithm"))? + .as_borrowed(); + let (data, algo) = + utils::calculate_digest_and_algorithm(py, data.as_bytes(), &bound_algorithm)?; let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; signer.sign_init()?; 
@@ -398,7 +398,9 @@ impl ECPublicKey { let (data, _) = utils::calculate_digest_and_algorithm( py, data.as_bytes(), - signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, + &signature_algorithm + .as_borrowed() + .getattr(pyo3::intern!(py, "algorithm"))?, )?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; @@ -437,8 +439,8 @@ impl ECPublicKey { fn public_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, false) } diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index 55db28c30c55..383fa3a5fd2d 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -143,8 +143,8 @@ impl Ed25519PublicKey { fn public_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, true) } diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index a8678a6aa01e..9d9bf485cd61 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -140,8 +140,8 @@ impl Ed448PublicKey { fn public_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, true) } diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index f1d9217d9f62..512b12ece224 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs 
@@ -288,11 +288,8 @@ impl RsaPrivateKey { padding: &pyo3::Bound<'p, pyo3::PyAny>, algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - let (data, algorithm) = utils::calculate_digest_and_algorithm( - py, - data.as_bytes(), - algorithm.clone().into_gil_ref(), - )?; + let (data, algorithm) = + utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.sign_init().map_err(|_| { @@ -438,11 +435,8 @@ impl RsaPublicKey { padding: &pyo3::Bound<'_, pyo3::PyAny>, algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult<()> { - let (data, algorithm) = utils::calculate_digest_and_algorithm( - py, - data.as_bytes(), - algorithm.clone().into_gil_ref(), - )?; + let (data, algorithm) = + utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.verify_init()?; @@ -534,8 +528,8 @@ impl RsaPublicKey { fn public_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, false) } diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 7c01e0be3772..d3cc3b24b580 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -6,7 +6,7 @@ use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; use crate::{error, types}; use pyo3::prelude::PyAnyMethods; -use pyo3::{PyNativeType, ToPyObject}; +use pyo3::ToPyObject; pub(crate) fn py_int_to_bn( py: pyo3::Python<'_>, 
@@ -240,19 +240,19 @@ pub(crate) fn pkey_public_bytes<'p>( py: pyo3::Python<'p>, key_obj: &pyo3::Bound<'p, pyo3::PyAny>, pkey: &openssl::pkey::PKey, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, openssh_allowed: bool, raw_allowed: bool, ) -> CryptographyResult> { - if !encoding.is_instance(types::ENCODING.get(py)?)? { + if !encoding.is_instance(&types::ENCODING.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "encoding must be an item from the Encoding enum", ), )); } - if !format.is_instance(types::PUBLIC_FORMAT.get(py)?)? { + if !format.is_instance(&types::PUBLIC_FORMAT.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "format must be an item from the PublicFormat enum", @@ -355,10 +355,11 @@ pub(crate) fn pkey_public_bytes<'p>( pub(crate) fn calculate_digest_and_algorithm<'p>( py: pyo3::Python<'p>, mut data: &'p [u8], - mut algorithm: &'p pyo3::PyAny, -) -> CryptographyResult<(&'p [u8], &'p pyo3::PyAny)> { - if algorithm.is_instance(types::PREHASHED.get(py)?)? { - algorithm = algorithm.getattr("_algorithm")?; + algorithm: &pyo3::Bound<'p, pyo3::PyAny>, +) -> CryptographyResult<(&'p [u8], pyo3::Bound<'p, pyo3::PyAny>)> { + let mut algorithm_result = algorithm.clone(); + if algorithm.is_instance(&types::PREHASHED.get_bound(py)?)? { + algorithm_result = algorithm.getattr("_algorithm")?; } else { // Potential optimization: rather than allocate a PyBytes in // `h.finalize()`, have a way to get the `DigestBytes` directly. @@ -375,7 +376,7 @@ pub(crate) fn calculate_digest_and_algorithm<'p>( )); } - Ok((data, algorithm)) + Ok((data, algorithm_result)) } pub(crate) enum PasswordCallbackStatus { diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 45d397e751f0..970f8b8ea646 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs 
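Review bot: `calculate_digest_and_algorithm` (utils.rs, hunks at -355,10 and -375,7) no longer rebinds `algorithm` for `Prehashed` input, so any later use of `algorithm` in the function sees the wrapper rather than the inner hash. The digest-length check sits between the two hunks and is not shown; in the earlier revision on this page it read `algorithm.getattr("digest_size")`. Either confirm that the `Prehashed` wrapper exposes the same `digest_size`, or have the check read `algorithm_result.getattr("digest_size")`, so the length validation of pre-hashed input stays tied to the real hash. Writing the selection as one expression, `let algorithm_result = if ... { algorithm.getattr("_algorithm")? } else { ...; algorithm.clone() };`, would also drop the `mut` binding and the clone that is discarded on the Prehashed path.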
@@ -130,8 +130,8 @@ impl X25519PublicKey { fn public_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, false, true) } diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index bd2833df48dc..517fc48c0493 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -129,8 +129,8 @@ impl X448PublicKey { fn public_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, false, true) } From d764ae2a0b8622d4957c2dcece37163e611d1351 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Thu, 4 Apr 2024 21:42:37 +0200 Subject: [PATCH 0364/1462] Convert more APIs in `certificate.rs` to new pyo3 APIs (#10709) --- src/rust/src/x509/certificate.rs | 196 ++++++++++++++++++++----------- src/rust/src/x509/crl.rs | 18 ++- src/rust/src/x509/csr.rs | 2 +- src/rust/src/x509/extensions.rs | 6 +- 4 files changed, 144 insertions(+), 78 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 2be995def916..8b41d36a879f 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -17,6 +17,7 @@ use cryptography_x509::extensions::{ use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; use cryptography_x509_verification::ops::CryptoOps; +use pyo3::prelude::PyAnyMethods; use pyo3::{IntoPy, PyNativeType, ToPyObject}; use crate::asn1::{ 
@@ -86,23 +87,30 @@ impl Certificate { fn fingerprint<'p>( &self, py: pyo3::Python<'p>, - algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::PyAny> { + algorithm: &pyo3::Bound<'p, pyo3::PyAny>, + ) -> CryptographyResult> { let serialized = asn1::write_single(&self.raw.borrow_dependent())?; let mut h = hashes::Hash::new(py, &algorithm.as_borrowed(), None)?; h.update_bytes(&serialized)?; - Ok(h.finalize(py)?.into_gil_ref()) + Ok(h.finalize(py)?.into_any()) } fn public_bytes<'p>( &self, py: pyo3::Python<'p>, - encoding: &'p pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + ) -> CryptographyResult> { let result = asn1::write_single(self.raw.borrow_dependent())?; - encode_der_data(py, "CERTIFICATE".to_string(), result, encoding) + Ok(encode_der_data( + py, + "CERTIFICATE".to_string(), + result, + encoding.clone().into_gil_ref(), + )? + .as_borrowed() + .to_owned()) } #[getter] 
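Review bot: In `Certificate::fingerprint` the unchanged line `hashes::Hash::new(py, &algorithm.as_borrowed(), None)?` still carries the conversion that was needed when `algorithm` was a `&pyo3::PyAny`. With the parameter now `&pyo3::Bound<'p, pyo3::PyAny>`, the call can presumably be `hashes::Hash::new(py, algorithm, None)?`. The `&…as_borrowed()` form suggests `Hash::new` takes a `&Bound`, but its signature is not visible in this diff. Leaving the extra hop in place makes the function look only half migrated.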
@@ -116,37 +124,44 @@ impl Certificate { } #[getter] - fn version<'p>(&self, py: pyo3::Python<'p>) -> Result<&'p pyo3::PyAny, CryptographyError> { + fn version<'p>( + &self, + py: pyo3::Python<'p>, + ) -> Result, CryptographyError> { let version = &self.raw.borrow_dependent().tbs_cert.version; cert_version(py, *version) } #[getter] - fn issuer<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn issuer<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { Ok(x509::parse_name(py, self.raw.borrow_dependent().issuer()) - .map_err(|e| e.add_location(asn1::ParseLocation::Field("issuer")))?) + .map_err(|e| e.add_location(asn1::ParseLocation::Field("issuer")))? + .as_borrowed() + .to_owned()) } #[getter] - fn subject<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn subject<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { Ok(x509::parse_name(py, self.raw.borrow_dependent().subject()) - .map_err(|e| e.add_location(asn1::ParseLocation::Field("subject")))?) + .map_err(|e| e.add_location(asn1::ParseLocation::Field("subject")))? + .as_borrowed() + .to_owned()) } #[getter] fn tbs_certificate_bytes<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let result = asn1::write_single(&self.raw.borrow_dependent().tbs_cert)?; - Ok(pyo3::types::PyBytes::new(py, &result)) + Ok(pyo3::types::PyBytes::new_bound(py, &result)) } #[getter] fn tbs_precertificate_bytes<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let val = self.raw.borrow_dependent(); let mut tbs_precert = val.tbs_cert.clone(); // Remove the SCT list extension 
@@ -173,7 +188,7 @@ impl Certificate { tbs_precert.raw_extensions = Some(filtered_extensions); let result = asn1::write_single(&tbs_precert)?; - Ok(pyo3::types::PyBytes::new(py, &result)) + Ok(pyo3::types::PyBytes::new_bound(py, &result)) } Err(DuplicateExtensionsError(oid)) => { let oid_obj = oid_to_py_oid(py, &oid)?; @@ -187,12 +202,15 @@ impl Certificate { } #[getter] - fn signature<'p>(&self, py: pyo3::Python<'p>) -> &'p pyo3::types::PyBytes { - pyo3::types::PyBytes::new(py, self.raw.borrow_dependent().signature.as_bytes()) + fn signature<'p>(&self, py: pyo3::Python<'p>) -> pyo3::Bound<'p, pyo3::types::PyBytes> { + pyo3::types::PyBytes::new_bound(py, self.raw.borrow_dependent().signature.as_bytes()) } #[getter] - fn not_valid_before<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn not_valid_before<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let warning_cls = types::DEPRECATED_IN_42.get(py)?; pyo3::PyErr::warn( py, @@ -207,11 +225,14 @@ impl Certificate { .validity .not_before .as_datetime(); - x509::datetime_to_py(py, dt) + Ok(x509::datetime_to_py(py, dt)?.as_borrowed().to_owned()) } #[getter] - fn not_valid_before_utc<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn not_valid_before_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let dt = &self .raw .borrow_dependent() @@ -219,11 +240,14 @@ impl Certificate { .validity .not_before .as_datetime(); - x509::datetime_to_py_utc(py, dt) + Ok(x509::datetime_to_py_utc(py, dt)?.as_borrowed().to_owned()) } #[getter] - fn not_valid_after<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn not_valid_after<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let warning_cls = types::DEPRECATED_IN_42.get(py)?; pyo3::PyErr::warn( py, 
@@ -238,11 +262,14 @@ impl Certificate { .validity .not_after .as_datetime(); - x509::datetime_to_py(py, dt) + Ok(x509::datetime_to_py(py, dt)?.as_borrowed().to_owned()) } #[getter] - fn not_valid_after_utc<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn not_valid_after_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let dt = &self .raw .borrow_dependent() @@ -250,7 +277,7 @@ impl Certificate { .validity .not_after .as_datetime(); - x509::datetime_to_py_utc(py, dt) + Ok(x509::datetime_to_py_utc(py, dt)?.as_borrowed().to_owned()) } #[getter] @@ -300,7 +327,7 @@ impl Certificate { .call1((scts,))?, )) } - _ => parse_cert_ext(py, ext), + _ => parse_cert_ext(py, ext).map(|x| x.map(|y| y.into_gil_ref())), }, ) } @@ -332,10 +359,13 @@ impl Certificate { } } -fn cert_version(py: pyo3::Python<'_>, version: u8) -> Result<&pyo3::PyAny, CryptographyError> { +fn cert_version( + py: pyo3::Python<'_>, + version: u8, +) -> Result, CryptographyError> { match version { - 0 => Ok(types::CERTIFICATE_VERSION_V1.get(py)?), - 2 => Ok(types::CERTIFICATE_VERSION_V3.get(py)?), + 0 => Ok(types::CERTIFICATE_VERSION_V1.get_bound(py)?), + 2 => Ok(types::CERTIFICATE_VERSION_V3.get_bound(py)?), _ => Err(CryptographyError::from( exceptions::InvalidVersion::new_err(( format!("{version} is not a valid X509 version"), @@ -654,7 +684,7 @@ pub(crate) fn parse_distribution_point_reasons( pub(crate) fn encode_distribution_point_reasons( py: pyo3::Python<'_>, - py_reasons: &pyo3::PyAny, + py_reasons: &pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { let reason_flag_mapping = types::CRL_REASON_FLAGS.get(py)?; 
@@ -675,7 +705,7 @@ pub(crate) fn encode_distribution_point_reasons( pub(crate) fn parse_authority_key_identifier<'p>( py: pyo3::Python<'p>, ext: &Extension<'_>, -) -> Result<&'p pyo3::PyAny, CryptographyError> { +) -> Result, CryptographyError> { let aki = ext.value::>()?; let serial = match aki.authority_cert_serial_number { Some(biguint) => big_byte_slice_to_py_int(py, biguint.as_bytes())?.to_object(py), @@ -687,7 +717,9 @@ pub(crate) fn parse_authority_key_identifier<'p>( }; Ok(types::AUTHORITY_KEY_IDENTIFIER .get(py)? - .call1((aki.key_identifier, issuer, serial))?) + .call1((aki.key_identifier, issuer, serial))? + .as_borrowed() + .to_owned()) } pub(crate) fn parse_access_descriptions( @@ -711,20 +743,24 @@ pub(crate) fn parse_access_descriptions( pub fn parse_cert_ext<'p>( py: pyo3::Python<'p>, ext: &Extension<'_>, -) -> CryptographyResult> { +) -> CryptographyResult>> { match ext.extn_id { oid::SUBJECT_ALTERNATIVE_NAME_OID => { let gn_seq = ext.value::>()?; let sans = x509::parse_general_names(py, &gn_seq)?; Ok(Some( - types::SUBJECT_ALTERNATIVE_NAME.get(py)?.call1((sans,))?, + types::SUBJECT_ALTERNATIVE_NAME + .get_bound(py)? + .call1((sans,))?, )) } oid::ISSUER_ALTERNATIVE_NAME_OID => { let gn_seq = ext.value::>()?; let ians = x509::parse_general_names(py, &gn_seq)?; Ok(Some( - types::ISSUER_ALTERNATIVE_NAME.get(py)?.call1((ians,))?, + types::ISSUER_ALTERNATIVE_NAME + .get_bound(py)? + .call1((ians,))?, )) } oid::TLS_FEATURE_OID => { @@ -735,13 +771,13 @@ pub fn parse_cert_ext<'p>( let py_feature = tls_feature_type_to_enum.get_item(feature.to_object(py))?; features.append(py_feature)?; } - Ok(Some(types::TLS_FEATURE.get(py)?.call1((features,))?)) + Ok(Some(types::TLS_FEATURE.get_bound(py)?.call1((features,))?)) } oid::SUBJECT_KEY_IDENTIFIER_OID => { let identifier = ext.value::<&[u8]>()?; Ok(Some( types::SUBJECT_KEY_IDENTIFIER - .get(py)? + .get_bound(py)? .call1((identifier,))?, )) } 
@@ -751,12 +787,14 @@ pub fn parse_cert_ext<'p>( let oid_obj = oid_to_py_oid(py, &oid)?; ekus.append(oid_obj)?; } - Ok(Some(types::EXTENDED_KEY_USAGE.get(py)?.call1((ekus,))?)) + Ok(Some( + types::EXTENDED_KEY_USAGE.get_bound(py)?.call1((ekus,))?, + )) } oid::KEY_USAGE_OID => { let kus = ext.value::>()?; - Ok(Some(types::KEY_USAGE.get(py)?.call1(( + Ok(Some(types::KEY_USAGE.get_bound(py)?.call1(( kus.digital_signature(), kus.content_comitment(), kus.key_encipherment(), 
@@ -771,51 +809,61 @@ pub fn parse_cert_ext<'p>( oid::AUTHORITY_INFORMATION_ACCESS_OID => { let ads = parse_access_descriptions(py, ext)?; Ok(Some( - types::AUTHORITY_INFORMATION_ACCESS.get(py)?.call1((ads,))?, + types::AUTHORITY_INFORMATION_ACCESS + .get_bound(py)? + .call1((ads,))?, )) } oid::SUBJECT_INFORMATION_ACCESS_OID => { let ads = parse_access_descriptions(py, ext)?; Ok(Some( - types::SUBJECT_INFORMATION_ACCESS.get(py)?.call1((ads,))?, + types::SUBJECT_INFORMATION_ACCESS + .get_bound(py)? + .call1((ads,))?, )) } oid::CERTIFICATE_POLICIES_OID => { let cp = parse_cp(py, ext)?; - Ok(Some(types::CERTIFICATE_POLICIES.get(py)?.call1((cp,))?)) + Ok(Some( + types::CERTIFICATE_POLICIES.get_bound(py)?.call1((cp,))?, + )) } oid::POLICY_CONSTRAINTS_OID => { let pc = ext.value::()?; - Ok(Some(types::POLICY_CONSTRAINTS.get(py)?.call1(( + Ok(Some(types::POLICY_CONSTRAINTS.get_bound(py)?.call1(( pc.require_explicit_policy, pc.inhibit_policy_mapping, ))?)) } oid::OCSP_NO_CHECK_OID => { ext.value::<()>()?; - Ok(Some(types::OCSP_NO_CHECK.get(py)?.call0()?)) + Ok(Some(types::OCSP_NO_CHECK.get_bound(py)?.call0()?)) } oid::INHIBIT_ANY_POLICY_OID => { let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; - Ok(Some(types::INHIBIT_ANY_POLICY.get(py)?.call1((pynum,))?)) + Ok(Some( + types::INHIBIT_ANY_POLICY.get_bound(py)?.call1((pynum,))?, + )) } oid::BASIC_CONSTRAINTS_OID => { let bc = ext.value::()?; Ok(Some( types::BASIC_CONSTRAINTS - .get(py)? + .get_bound(py)? 
.call1((bc.ca, bc.path_length))?, )) } oid::AUTHORITY_KEY_IDENTIFIER_OID => Ok(Some(parse_authority_key_identifier(py, ext)?)), oid::CRL_DISTRIBUTION_POINTS_OID => { let dp = parse_distribution_points(py, ext)?; - Ok(Some(types::CRL_DISTRIBUTION_POINTS.get(py)?.call1((dp,))?)) + Ok(Some( + types::CRL_DISTRIBUTION_POINTS.get_bound(py)?.call1((dp,))?, + )) } oid::FRESHEST_CRL_OID => { let dp = parse_distribution_points(py, ext)?; - Ok(Some(types::FRESHEST_CRL.get(py)?.call1((dp,))?)) + Ok(Some(types::FRESHEST_CRL.get_bound(py)?.call1((dp,))?)) } oid::NAME_CONSTRAINTS_OID => { let nc = ext.value::>()?; @@ -829,18 +877,16 @@ pub fn parse_cert_ext<'p>( }; Ok(Some( types::NAME_CONSTRAINTS - .get(py)? + .get_bound(py)? .call1((permitted_subtrees, excluded_subtrees))?, )) } oid::MS_CERTIFICATE_TEMPLATE => { let ms_cert_tpl = ext.value::()?; let py_oid = oid_to_py_oid(py, &ms_cert_tpl.template_id)?; - Ok(Some(types::MS_CERTIFICATE_TEMPLATE.get(py)?.call1(( - py_oid, - ms_cert_tpl.major_version, - ms_cert_tpl.minor_version, - ))?)) + Ok(Some(types::MS_CERTIFICATE_TEMPLATE.get_bound(py)?.call1( + (py_oid, ms_cert_tpl.major_version, ms_cert_tpl.minor_version), + )?)) } _ => Ok(None), } @@ -848,9 +894,9 @@ pub fn parse_cert_ext<'p>( pub(crate) fn time_from_py( py: pyo3::Python<'_>, - val: &pyo3::PyAny, + val: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - let dt = x509::py_to_datetime(py, val)?; + let dt = x509::py_to_datetime(py, val.clone().into_gil_ref())?; time_from_datetime(dt) } 
@@ -867,13 +913,17 @@ pub(crate) fn time_from_datetime(dt: asn1::DateTime) -> CryptographyResult, - builder: &pyo3::PyAny, - private_key: &pyo3::PyAny, - hash_algorithm: &pyo3::PyAny, - rsa_padding: &pyo3::PyAny, + builder: &pyo3::Bound<'_, pyo3::PyAny>, + private_key: &pyo3::Bound<'_, pyo3::PyAny>, + hash_algorithm: &pyo3::Bound<'_, pyo3::PyAny>, + rsa_padding: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - let sigalg = - x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding)?; + let sigalg = x509::sign::compute_signature_algorithm( + py, + private_key.clone().into_gil_ref(), + hash_algorithm.clone().into_gil_ref(), + rsa_padding.clone().into_gil_ref(), + )?; let der = types::ENCODING_DER.get(py)?; let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?; 
@@ -898,25 +948,33 @@ fn create_x509_certificate( .extract()?, serial: asn1::BigInt::new(py_uint_to_big_endian_bytes(py, py_serial)?).unwrap(), signature_alg: sigalg.clone(), - issuer: x509::common::encode_name(py, py_issuer_name)?, + issuer: x509::common::encode_name(py, py_issuer_name.clone().into_gil_ref())?, validity: cryptography_x509::certificate::Validity { - not_before: time_from_py(py, py_not_before)?, - not_after: time_from_py(py, py_not_after)?, + not_before: time_from_py(py, &py_not_before)?, + not_after: time_from_py(py, &py_not_after)?, }, - subject: x509::common::encode_name(py, py_subject_name)?, + subject: x509::common::encode_name(py, py_subject_name.clone().into_gil_ref())?, spki: asn1::parse_single(spki_bytes)?, issuer_unique_id: None, subject_unique_id: None, raw_extensions: x509::common::encode_extensions( py, - builder.getattr(pyo3::intern!(py, "_extensions"))?, + builder + .getattr(pyo3::intern!(py, "_extensions"))? + .clone() + .into_gil_ref(), extensions::encode_extension, )?, }; let tbs_bytes = asn1::write_single(&tbs_cert)?; - let signature = - x509::sign::sign_data(py, private_key, hash_algorithm, rsa_padding, &tbs_bytes)?; + let signature = x509::sign::sign_data( + py, + private_key.clone().into_gil_ref(), + hash_algorithm.clone().into_gil_ref(), + rsa_padding.clone().into_gil_ref(), + &tbs_bytes, + )?; let data = asn1::write_single(&cryptography_x509::certificate::Certificate { tbs_cert, signature_alg: sigalg, diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 900914241ec2..479a1769ed60 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs 
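Review bot: In `create_x509_certificate` (certificate.rs), the `.clone()` in `builder.getattr(pyo3::intern!(py, "_extensions"))?.clone().into_gil_ref()` is redundant. `getattr` on a `Bound` already returns an owned `Bound`, and `into_gil_ref()` consumes it, so the clone only adds a reference-count increment and decrement on a temporary. `builder.getattr(pyo3::intern!(py, "_extensions"))?.into_gil_ref()` is enough. The same may be true of `py_issuer_name.clone().into_gil_ref()` and `py_subject_name.clone().into_gil_ref()` if those bindings are not used again, but they are defined outside this hunk, so that needs checking against the full function.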
@@ -339,9 +339,9 @@ impl CertificateRevocationList { types::AUTHORITY_INFORMATION_ACCESS.get(py)?.call1((ads,))?, )) } - oid::AUTHORITY_KEY_IDENTIFIER_OID => { - Ok(Some(certificate::parse_authority_key_identifier(py, ext)?)) - } + oid::AUTHORITY_KEY_IDENTIFIER_OID => Ok(Some( + certificate::parse_authority_key_identifier(py, ext)?.into_gil_ref(), + )), oid::ISSUING_DISTRIBUTION_POINT_OID => { let idp = ext.value::>()?; let (full_name, relative_name) = match idp.distribution_point { @@ -638,7 +638,10 @@ fn create_x509_crl( revoked_certs.push(crl::RevokedCertificate { user_certificate: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, serial_number)?) .unwrap(), - revocation_date: x509::certificate::time_from_py(py, py_revocation_date)?, + revocation_date: x509::certificate::time_from_py( + py, + &py_revocation_date.as_borrowed(), + )?, raw_crl_entry_extensions: x509::common::encode_extensions( py, py_revoked_cert.getattr(pyo3::intern!(py, "extensions"))?, @@ -654,8 +657,11 @@ fn create_x509_crl( version: Some(1), signature: sigalg.clone(), issuer: x509::common::encode_name(py, py_issuer_name)?, - this_update: x509::certificate::time_from_py(py, py_this_update)?, - next_update: Some(x509::certificate::time_from_py(py, py_next_update)?), + this_update: x509::certificate::time_from_py(py, &py_this_update.as_borrowed())?, + next_update: Some(x509::certificate::time_from_py( + py, + &py_next_update.as_borrowed(), + )?), revoked_certificates: if revoked_certs.is_empty() { None } else { diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 1f1eb9f9de9c..4fb3a301ed47 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -213,7 +213,7 @@ impl CertificateSigningRequest { })?; x509::parse_and_cache_extensions(py, &self.cached_extensions, &raw_exts, |ext| { - certificate::parse_cert_ext(py, ext) + certificate::parse_cert_ext(py, ext).map(|x| x.map(|y| y.into_gil_ref())) }) } 
diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index c44d1c888c47..d618fb29fa1a 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -107,7 +107,8 @@ pub(crate) fn encode_distribution_points<'p>( None }; let reasons = if let Some(py_reasons) = py_dp.reasons { - let reasons = certificate::encode_distribution_point_reasons(py, py_reasons)?; + let reasons = + certificate::encode_distribution_point_reasons(py, &py_reasons.as_borrowed())?; Some(common::Asn1ReadableOrWritable::new_write(reasons)) } else { None @@ -308,7 +309,8 @@ fn encode_issuing_distribution_point( .is_truthy()? { let py_reasons = ext.getattr(pyo3::intern!(py, "only_some_reasons"))?; - let reasons = certificate::encode_distribution_point_reasons(ext.py(), py_reasons)?; + let reasons = + certificate::encode_distribution_point_reasons(ext.py(), &py_reasons.as_borrowed())?; Some(common::Asn1ReadableOrWritable::new_write(reasons)) } else { None From 88004e9a93a24c334665484f841be4091d61894b Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Thu, 4 Apr 2024 22:22:11 +0200 Subject: [PATCH 0365/1462] Finish migrating `certificate.rs` to new pyo3 APIs (#10710) --- src/rust/src/x509/certificate.rs | 74 ++++++++++++++++++-------------- 1 file changed, 41 insertions(+), 33 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 8b41d36a879f..b552fde8086d 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -17,7 +17,7 @@ use cryptography_x509::extensions::{ use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; use cryptography_x509_verification::ops::CryptoOps; -use pyo3::prelude::PyAnyMethods; +use pyo3::prelude::{PyAnyMethods, PyListMethods}; use pyo3::{IntoPy, PyNativeType, ToPyObject}; use crate::asn1::{ 
@@ -211,10 +211,10 @@ impl Certificate { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { - let warning_cls = types::DEPRECATED_IN_42.get(py)?; - pyo3::PyErr::warn( + let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + pyo3::PyErr::warn_bound( py, - warning_cls, + &warning_cls, "Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_before_utc.", 1, )?; @@ -248,10 +248,10 @@ impl Certificate { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { - let warning_cls = types::DEPRECATED_IN_42.get(py)?; - pyo3::PyErr::warn( + let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + pyo3::PyErr::warn_bound( py, - warning_cls, + &warning_cls, "Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.", 1, )?; @@ -392,7 +392,7 @@ fn load_pem_x509_certificate( )?; load_der_x509_certificate( py, - pyo3::types::PyBytes::new(py, parsed.contents()).into_py(py), + pyo3::types::PyBytes::new_bound(py, parsed.contents()).unbind(), None, ) } @@ -408,7 +408,7 @@ fn load_pem_x509_certificates( .map(|p| { load_der_x509_certificate( py, - pyo3::types::PyBytes::new(py, p.contents()).into_py(py), + pyo3::types::PyBytes::new_bound(py, p.contents()).unbind(), None, ) }) @@ -452,10 +452,10 @@ pub(crate) fn load_der_x509_certificate( fn warn_if_negative_serial(py: pyo3::Python<'_>, bytes: &'_ [u8]) -> pyo3::PyResult<()> { if bytes[0] & 0x80 != 0 { - let warning_cls = types::DEPRECATED_IN_36.get(py)?; - pyo3::PyErr::warn( + let warning_cls = types::DEPRECATED_IN_36.get_bound(py)?; + pyo3::PyErr::warn_bound( py, - warning_cls, + &warning_cls, "Parsed a negative serial number, which is disallowed by RFC 5280. Loading this certificate will cause an exception in the next release of cryptography.", 1, )?; 
@@ -476,10 +476,10 @@ fn warn_if_invalid_params( | AlgorithmParameters::DsaWithSha256(Some(..)) | AlgorithmParameters::DsaWithSha384(Some(..)) | AlgorithmParameters::DsaWithSha512(Some(..)) => { - let warning_cls = types::DEPRECATED_IN_41.get(py)?; - pyo3::PyErr::warn( + let warning_cls = types::DEPRECATED_IN_41.get_bound(py)?; + pyo3::PyErr::warn_bound( py, - warning_cls, + &warning_cls, "The parsed certificate contains a NULL parameter value in its signature algorithm parameters. This is invalid and will be rejected in a future version of cryptography. If this certificate was created via Java, please upgrade to JDK21+ or the latest JDK11/17 once a fix is issued. If this certificate was created in some other fashion please report the issue to the cryptography issue tracker. See https://github.com/pyca/cryptography/issues/8996 and https://github.com/pyca/cryptography/issues/9253 for more details.", 2, )?; 
@@ -494,22 +494,26 @@ fn parse_display_text( text: DisplayText<'_>, ) -> pyo3::PyResult { match text { - DisplayText::IA5String(o) => Ok(pyo3::types::PyString::new(py, o.as_str()).to_object(py)), - DisplayText::Utf8String(o) => Ok(pyo3::types::PyString::new(py, o.as_str()).to_object(py)), + DisplayText::IA5String(o) => { + Ok(pyo3::types::PyString::new_bound(py, o.as_str()).to_object(py)) + } + DisplayText::Utf8String(o) => { + Ok(pyo3::types::PyString::new_bound(py, o.as_str()).to_object(py)) + } DisplayText::VisibleString(o) => { if asn1::VisibleString::new(o.as_str()).is_none() { - let warning_cls = types::DEPRECATED_IN_41.get(py)?; - pyo3::PyErr::warn( + let warning_cls = types::DEPRECATED_IN_41.get_bound(py)?; + pyo3::PyErr::warn_bound( py, - warning_cls, + &warning_cls, "Invalid ASN.1 (UTF-8 characters in a VisibleString) in the explicit text and/or notice reference of the certificate policies extension. In a future version of cryptography, an exception will be raised.", 1, )?; } - Ok(pyo3::types::PyString::new(py, o.as_str()).to_object(py)) + Ok(pyo3::types::PyString::new_bound(py, o.as_str()).to_object(py)) } DisplayText::BmpString(o) => { - let py_bytes = pyo3::types::PyBytes::new(py, o.as_utf16_be_bytes()); + let py_bytes = pyo3::types::PyBytes::new_bound(py, o.as_utf16_be_bytes()); // TODO: do the string conversion in rust perhaps Ok(py_bytes .call_method1( @@ -532,7 +536,7 @@ fn parse_user_notice( let nr = match un.notice_ref { Some(data) => { let org = parse_display_text(py, data.organization)?; - let numbers = pyo3::types::PyList::empty(py); + let numbers = pyo3::types::PyList::empty_bound(py); for num in data.notice_numbers.unwrap_read().clone() { numbers.append(big_byte_slice_to_py_int(py, num.as_bytes())?.to_object(py))?; } 
@@ -550,12 +554,12 @@ fn parse_policy_qualifiers<'a>( py: pyo3::Python<'_>, policy_qualifiers: &asn1::SequenceOf<'a, PolicyQualifierInfo<'a>>, ) -> Result { - let py_pq = pyo3::types::PyList::empty(py); + let py_pq = pyo3::types::PyList::empty_bound(py); for pqi in policy_qualifiers.clone() { let qualifier = match pqi.qualifier { Qualifier::CpsUri(data) => { if pqi.policy_qualifier_id == oid::CP_CPS_URI_OID { - pyo3::types::PyString::new(py, data.as_str()).to_object(py) + pyo3::types::PyString::new_bound(py, data.as_str()).to_object(py) } else { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -585,7 +589,7 @@ fn parse_cp( ext: &Extension<'_>, ) -> Result { let cp = ext.value::>>()?; - let certificate_policies = pyo3::types::PyList::empty(py); + let certificate_policies = pyo3::types::PyList::empty_bound(py); for policyinfo in cp { let pi_oid = oid_to_py_oid(py, &policyinfo.policy_identifier)?.to_object(py); let py_pqis = match policyinfo.policy_qualifiers { @@ -607,7 +611,7 @@ fn parse_general_subtrees( py: pyo3::Python<'_>, subtrees: SequenceOfSubtrees<'_>, ) -> Result { - let gns = pyo3::types::PyList::empty(py); + let gns = pyo3::types::PyList::empty_bound(py); for gs in subtrees.unwrap_read().clone() { gns.append(x509::parse_general_name(py, gs.base)?)?; } @@ -654,7 +658,7 @@ pub(crate) fn parse_distribution_points( ext: &Extension<'_>, ) -> Result { let dps = ext.value::>>()?; - let py_dps = pyo3::types::PyList::empty(py); + let py_dps = pyo3::types::PyList::empty_bound(py); for dp in dps { let py_dp = parse_distribution_point(py, dp)?; py_dps.append(py_dp)?; @@ -676,7 +680,7 @@ pub(crate) fn parse_distribution_point_reasons( vec.push(reason_bit_mapping.get_item(i)?); } } - pyo3::types::PyFrozenSet::new(py, &vec)?.to_object(py) + pyo3::types::PyFrozenSet::new_bound(py, &vec)?.to_object(py) } None => py.None(), }) 
@@ -726,7 +730,7 @@ pub(crate) fn parse_access_descriptions( py: pyo3::Python<'_>, ext: &Extension<'_>, ) -> Result { - let ads = pyo3::types::PyList::empty(py); + let ads = pyo3::types::PyList::empty_bound(py); let parsed = ext.value::>()?; for access in parsed.unwrap_read().clone() { let py_oid = oid_to_py_oid(py, &access.access_method)?.to_object(py); @@ -766,7 +770,7 @@ pub fn parse_cert_ext<'p>( oid::TLS_FEATURE_OID => { let tls_feature_type_to_enum = types::TLS_FEATURE_TYPE_TO_ENUM.get(py)?; - let features = pyo3::types::PyList::empty(py); + let features = pyo3::types::PyList::empty_bound(py); for feature in ext.value::>()? { let py_feature = tls_feature_type_to_enum.get_item(feature.to_object(py))?; features.append(py_feature)?; @@ -782,7 +786,7 @@ pub fn parse_cert_ext<'p>( )) } oid::EXTENDED_KEY_USAGE_OID => { - let ekus = pyo3::types::PyList::empty(py); + let ekus = pyo3::types::PyList::empty_bound(py); for oid in ext.value::>()? { let oid_obj = oid_to_py_oid(py, &oid)?; ekus.append(oid_obj)?; @@ -980,7 +984,11 @@ fn create_x509_certificate( signature_alg: sigalg, signature: asn1::BitString::new(signature, 0).unwrap(), })?; - load_der_x509_certificate(py, pyo3::types::PyBytes::new(py, &data).into_py(py), None) + load_der_x509_certificate( + py, + pyo3::types::PyBytes::new_bound(py, &data).unbind(), + None, + ) } pub(crate) fn set_bit(vals: &mut [u8], n: usize, set: bool) { From 69e7e5bbec2f7e9777ef7c427701e4401ce85872 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 18:42:02 -0400 Subject: [PATCH 0366/1462] Convert `src/x509/sct.rs` to new pyo3 APIs (#10713) --- src/rust/src/lib.rs | 2 +- src/rust/src/x509/sct.rs | 17 ++++++++++------- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 8ea8709c6e11..022c78eaf515 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs 
@@ -106,7 +106,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> crate::x509::common::add_to_module(x509_mod)?; crate::x509::crl::add_to_module(x509_mod)?; crate::x509::csr::add_to_module(x509_mod)?; - crate::x509::sct::add_to_module(x509_mod)?; + crate::x509::sct::add_to_module(&x509_mod.as_borrowed())?; crate::x509::verify::add_to_module(x509_mod)?; m.add_submodule(x509_mod)?; diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index b7cce3ff4036..a7bfbb5eb472 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -5,6 +5,7 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; +use pyo3::prelude::{PyAnyMethods, PyDictMethods, PyListMethods, PyModuleMethods}; use pyo3::ToPyObject; use crate::error::CryptographyError; @@ -163,20 +164,20 @@ impl Sct { } #[getter] - fn timestamp<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn timestamp<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; - let kwargs = pyo3::types::PyDict::new(py); + let kwargs = pyo3::types::PyDict::new_bound(py); kwargs.set_item("microsecond", self.timestamp % 1000 * 1000)?; kwargs.set_item("tzinfo", None::>)?; types::DATETIME_DATETIME - .get(py)? + .get_bound(py)? .call_method1( pyo3::intern!(py, "fromtimestamp"), (self.timestamp / 1000, utc), )? - .call_method("replace", (), Some(kwargs)) + .call_method("replace", (), Some(&kwargs)) } #[getter] @@ -222,7 +223,7 @@ pub(crate) fn parse_scts( ) -> Result { let mut reader = TLSReader::new(data).read_length_prefixed()?; - let py_scts = pyo3::types::PyList::empty(py); + let py_scts = pyo3::types::PyList::empty_bound(py); while !reader.is_empty() { let mut sct_data = reader.read_length_prefixed()?; let raw_sct_data = sct_data.data.to_vec(); 
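Review bot: In `Sct::timestamp` (sct.rs) the rewritten call `.call_method("replace", (), Some(&kwargs))` passes the method name as a plain `&str`, while the `fromtimestamp` lookup two lines above it uses `pyo3::intern!`. A bare string is turned into a new Python string on every access of the getter. For consistency with the rest of the function I would write `.call_method(pyo3::intern!(py, "replace"), (), Some(&kwargs))`. The same could be done for the `"microsecond"` and `"tzinfo"` keys passed to `kwargs.set_item`.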
@@ -250,12 +251,14 @@ pub(crate) fn parse_scts( extension_bytes, sct_data: raw_sct_data, }; - py_scts.append(pyo3::PyCell::new(py, sct)?)?; + py_scts.append(pyo3::Bound::new(py, sct)?)?; } Ok(py_scts.to_object(py)) } -pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { +pub(crate) fn add_to_module( + module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, +) -> pyo3::PyResult<()> { module.add_class::()?; Ok(()) From c65793bf124d758c42f9a3279f24458a1dd4df0c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 18:42:43 -0400 Subject: [PATCH 0367/1462] Convert `src/exceptions.rs` to new pyo3 APIs (#10712) --- src/rust/src/exceptions.rs | 30 +++++++++++++++++------------- src/rust/src/lib.rs | 2 +- 2 files changed, 18 insertions(+), 14 deletions(-) diff --git a/src/rust/src/exceptions.rs b/src/rust/src/exceptions.rs index 67f57b9adcb5..95600faf08bd 100644 --- a/src/rust/src/exceptions.rs +++ b/src/rust/src/exceptions.rs @@ -2,6 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use pyo3::prelude::PyModuleMethods; + #[pyo3::prelude::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.exceptions", 
@@ -23,20 +25,22 @@ pub(crate) enum Reasons { UNSUPPORTED_MAC, } -pyo3::import_exception!(cryptography.exceptions, AlreadyUpdated); -pyo3::import_exception!(cryptography.exceptions, AlreadyFinalized); -pyo3::import_exception!(cryptography.exceptions, InternalError); -pyo3::import_exception!(cryptography.exceptions, InvalidSignature); -pyo3::import_exception!(cryptography.exceptions, InvalidTag); -pyo3::import_exception!(cryptography.exceptions, NotYetFinalized); -pyo3::import_exception!(cryptography.exceptions, UnsupportedAlgorithm); -pyo3::import_exception!(cryptography.x509, AttributeNotFound); -pyo3::import_exception!(cryptography.x509, DuplicateExtension); -pyo3::import_exception!(cryptography.x509, UnsupportedGeneralNameType); -pyo3::import_exception!(cryptography.x509, InvalidVersion); +pyo3::import_exception_bound!(cryptography.exceptions, AlreadyUpdated); +pyo3::import_exception_bound!(cryptography.exceptions, AlreadyFinalized); +pyo3::import_exception_bound!(cryptography.exceptions, InternalError); +pyo3::import_exception_bound!(cryptography.exceptions, InvalidSignature); +pyo3::import_exception_bound!(cryptography.exceptions, InvalidTag); +pyo3::import_exception_bound!(cryptography.exceptions, NotYetFinalized); +pyo3::import_exception_bound!(cryptography.exceptions, UnsupportedAlgorithm); +pyo3::import_exception_bound!(cryptography.x509, AttributeNotFound); +pyo3::import_exception_bound!(cryptography.x509, DuplicateExtension); +pyo3::import_exception_bound!(cryptography.x509, UnsupportedGeneralNameType); +pyo3::import_exception_bound!(cryptography.x509, InvalidVersion); -pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let submod = pyo3::prelude::PyModule::new(py, "exceptions")?; +pub(crate) fn create_submodule( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let submod = pyo3::prelude::PyModule::new_bound(py, "exceptions")?; submod.add_class::()?; 
diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 022c78eaf515..0e3b0a3150b7 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -99,7 +99,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_submodule(asn1::create_submodule(py)?)?; m.add_submodule(pkcs7::create_submodule(py)?)?; m.add_submodule(pkcs12::create_submodule(py)?.into_gil_ref())?; - m.add_submodule(exceptions::create_submodule(py)?)?; + m.add_submodule(exceptions::create_submodule(py)?.into_gil_ref())?; let x509_mod = pyo3::prelude::PyModule::new(py, "x509")?; crate::x509::certificate::add_to_module(x509_mod)?; From f284aeea05a5519cb6b69e1306efa937767d262c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 18:43:33 -0400 Subject: [PATCH 0368/1462] Convert `src/asn1.rs` to new pyo3 APIs (#10711) --- src/rust/src/asn1.rs | 36 +++++++++++++++++++++--------------- src/rust/src/backend/dh.rs | 2 +- src/rust/src/lib.rs | 2 +- src/rust/src/pkcs7.rs | 4 ++-- src/rust/src/x509/crl.rs | 2 +- src/rust/src/x509/csr.rs | 2 +- 6 files changed, 27 insertions(+), 21 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 394f19218083..62cbd069bfd9 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -7,6 +7,7 @@ use cryptography_x509::certificate::Certificate; use cryptography_x509::common::{DssSignature, SubjectPublicKeyInfo, Time}; use cryptography_x509::name::Name; use pyo3::prelude::PyAnyMethods; +use pyo3::prelude::PyModuleMethods; use pyo3::types::IntoPyDict; use pyo3::ToPyObject; 
@@ -97,11 +98,11 @@ pub(crate) fn encode_der_data<'p>( pem_tag: String, data: Vec, encoding: &'p pyo3::PyAny, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { - if encoding.is(types::ENCODING_DER.get(py)?) { - Ok(pyo3::types::PyBytes::new(py, &data)) - } else if encoding.is(types::ENCODING_PEM.get(py)?) { - Ok(pyo3::types::PyBytes::new( +) -> CryptographyResult> { + if encoding.is(&types::ENCODING_DER.get_bound(py)?) { + Ok(pyo3::types::PyBytes::new_bound(py, &data)) + } else if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + Ok(pyo3::types::PyBytes::new_bound( py, &pem::encode_config( &pem::Pem::new(pem_tag, data), @@ -118,17 +119,17 @@ pub(crate) fn encode_der_data<'p>( } #[pyo3::prelude::pyfunction] -fn encode_dss_signature( - py: pyo3::Python<'_>, +fn encode_dss_signature<'p>( + py: pyo3::Python<'p>, r: pyo3::Bound<'_, pyo3::types::PyLong>, s: pyo3::Bound<'_, pyo3::types::PyLong>, -) -> CryptographyResult { +) -> CryptographyResult> { let sig = DssSignature { r: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, r)?).unwrap(), s: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, s)?).unwrap(), }; let result = asn1::write_single(&sig)?; - Ok(pyo3::types::PyBytes::new(py, &result).to_object(py)) + Ok(pyo3::types::PyBytes::new_bound(py, &result)) } #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.asn1")] 
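Review bot: The two `.unwrap()` calls on `asn1::BigUint::new(...)` in `encode_dss_signature` rest on an invariant that the hunk never states. `py_uint_to_big_endian_bytes` is defined outside it, so presumably it rejects negative values and returns a minimal encoding. If that holds, say so at the call site, e.g. `.expect("py_uint_to_big_endian_bytes returns a minimal, non-negative encoding")`. If it does not hold for every `r` and `s` a caller can pass, the `None` case should become a `ValueError` rather than a panic inside a signature-encoding function.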
@@ -173,14 +174,19 @@ fn test_parse_certificate(data: &[u8]) -> Result) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let submod = pyo3::prelude::PyModule::new(py, "asn1")?; - submod.add_function(pyo3::wrap_pyfunction!(parse_spki_for_data, submod)?)?; +pub(crate) fn create_submodule( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let submod = pyo3::prelude::PyModule::new_bound(py, "asn1")?; + submod.add_function(pyo3::wrap_pyfunction_bound!(parse_spki_for_data, &submod)?)?; - submod.add_function(pyo3::wrap_pyfunction!(decode_dss_signature, submod)?)?; - submod.add_function(pyo3::wrap_pyfunction!(encode_dss_signature, submod)?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!(decode_dss_signature, &submod)?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!(encode_dss_signature, &submod)?)?; - submod.add_function(pyo3::wrap_pyfunction!(test_parse_certificate, submod)?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!( + test_parse_certificate, + &submod + )?)?; Ok(submod) } diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index b0527fca16b5..defe32333734 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -343,7 +343,7 @@ impl DHParameters { py: pyo3::Python<'p>, encoding: &'p pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { if !format.is(types::PARAMETER_FORMAT_PKCS3.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Only PKCS3 serialization is supported"), diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 0e3b0a3150b7..97bb54bf1631 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs 
@@ -96,7 +96,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_function(pyo3::wrap_pyfunction!(padding::check_ansix923_padding, m)?)?; m.add_class::()?; - m.add_submodule(asn1::create_submodule(py)?)?; + m.add_submodule(asn1::create_submodule(py)?.into_gil_ref())?; m.add_submodule(pkcs7::create_submodule(py)?)?; m.add_submodule(pkcs12::create_submodule(py)?.into_gil_ref())?; m.add_submodule(exceptions::create_submodule(py)?.into_gil_ref())?; diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 9732b6b93b9b..b33d054b4ef8 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -44,7 +44,7 @@ fn serialize_certificates<'p>( py: pyo3::Python<'p>, py_certs: Vec>, encoding: &'p pyo3::PyAny, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { +) -> CryptographyResult> { if py_certs.is_empty() { return Err(pyo3::exceptions::PyTypeError::new_err( "certs must be a list of certs with length >= 1", @@ -84,7 +84,7 @@ fn sign_and_serialize<'p>( builder: &'p pyo3::PyAny, encoding: &'p pyo3::PyAny, options: &'p pyo3::types::PyList, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { +) -> CryptographyResult> { let raw_data: CffiBuf<'p> = builder.getattr(pyo3::intern!(py, "_data"))?.extract()?; let text_mode = options.contains(types::PKCS7_TEXT.get(py)?)?; let (data_with_header, data_without_header) = diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 479a1769ed60..529e499fcb72 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -235,7 +235,7 @@ impl CertificateRevocationList { &self, py: pyo3::Python<'p>, encoding: &'p pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let result = asn1::write_single(&self.owned.borrow_dependent())?; encode_der_data(py, "X509 CRL".to_string(), result, encoding) diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 4fb3a301ed47..999276fa3e62 100644 --- a/src/rust/src/x509/csr.rs 
+++ b/src/rust/src/x509/csr.rs @@ -118,7 +118,7 @@ impl CertificateSigningRequest { &self, py: pyo3::Python<'p>, encoding: &'p pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let result = asn1::write_single(self.raw.borrow_dependent())?; encode_der_data(py, "CERTIFICATE REQUEST".to_string(), result, encoding) From 98e6fd407255ba1008fc454263d011703290b9d0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 19:13:08 -0400 Subject: [PATCH 0369/1462] Convert `src/backend/dh.rs` to new pyo3 APIs (#10714) --- src/rust/src/backend/dh.rs | 59 +++++++++++++++++++------------------ src/rust/src/backend/mod.rs | 2 +- 2 files changed, 32 insertions(+), 29 deletions(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index defe32333734..e52b8760212c 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -8,7 +8,7 @@ use crate::asn1::encode_der_data; use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; use crate::{types, x509}; -use pyo3::prelude::PyAnyMethods; +use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; const MIN_MODULUS_SIZE: u32 = 512; @@ -31,7 +31,7 @@ struct DHParameters { fn generate_parameters( generator: u32, key_size: u32, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -89,7 +89,7 @@ fn pkey_from_dh( #[pyo3::prelude::pyfunction] fn from_der_parameters( data: &[u8], - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; let asn1_params = asn1::parse_single::>(data)?; @@ -109,7 +109,7 @@ fn from_der_parameters( #[pyo3::prelude::pyfunction] fn from_pem_parameters( data: &[u8], - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; let parsed = x509::find_in_pem( 
@@ -156,13 +156,14 @@ impl DHPrivateKey { &self, py: pyo3::Python<'p>, peer_public_key: &DHPublicKey, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; deriver .set_peer(&peer_public_key.pkey) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; - Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { + let len = deriver.len()?; + Ok(pyo3::types::PyBytes::new_bound_with(py, len, |b| { let n = deriver.derive(b).unwrap(); let pad = b.len() - n; @@ -341,8 +342,8 @@ impl DHParameters { fn parameter_bytes<'p>( &self, py: pyo3::Python<'p>, - encoding: &'p pyo3::PyAny, - format: &pyo3::PyAny, + encoding: pyo3::Bound<'p, pyo3::PyAny>, + format: pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { if !format.is(types::PARAMETER_FORMAT_PKCS3.get(py)?) { return Err(CryptographyError::from( @@ -368,7 +369,7 @@ impl DHParameters { } else { "X9.42 DH PARAMETERS" }; - encode_der_data(py, tag.to_string(), data, encoding) + encode_der_data(py, tag.to_string(), data, encoding.into_gil_ref()) } } @@ -412,7 +413,7 @@ impl DHPrivateNumbers { fn private_key( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -439,11 +440,11 @@ impl DHPrivateNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.x.as_ref(py).eq(other.x.as_ref(py))? + Ok(self.x.bind(py).eq(other.x.bind(py))? && self .public_numbers - .as_ref(py) - .eq(other.public_numbers.as_ref(py))?) + .bind(py) + .eq(other.public_numbers.bind(py))?) } } @@ -464,7 +465,7 @@ impl DHPublicNumbers { fn public_key( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; 
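Review bot: `deriver.derive(b).unwrap()` inside the `new_bound_with` closure in `DHPrivateKey::exchange` turns an OpenSSL failure during key agreement into a Rust panic instead of an ordinary Python exception. The closure passed to `new_bound_with` returns a `PyResult<()>`, so the error can be propagated with the message the function already uses for `set_peer`: `let n = deriver.derive(b).map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?;`. The closure body continues past the end of the hunk, so the padding logic after it is not reviewed here. `openssl::pkcs5::pbkdf2_hmac(...).unwrap()` in `derive_pbkdf2_hmac` (src/rust/src/backend/kdf.rs, later in this series) has the same shape.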
@@ -482,11 +483,11 @@ impl DHPublicNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.y.as_ref(py).eq(other.y.as_ref(py))? + Ok(self.y.bind(py).eq(other.y.bind(py))? && self .parameter_numbers - .as_ref(py) - .eq(other.parameter_numbers.as_ref(py))?) + .bind(py) + .eq(other.parameter_numbers.bind(py))?) } } @@ -499,13 +500,13 @@ impl DHParameterNumbers { g: pyo3::Py, q: Option>, ) -> CryptographyResult { - if g.as_ref(py).lt(2)? { + if g.bind(py).lt(2)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("DH generator must be 2 or greater"), )); } - if p.as_ref(py) + if p.bind(py) .call_method0("bit_length")? .lt(MIN_MODULUS_SIZE)? { @@ -522,7 +523,7 @@ impl DHParameterNumbers { fn parameters( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; 
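Review bot: The `p.bind(py).call_method0("bit_length")?.lt(MIN_MODULUS_SIZE)?` check in the `DHParameterNumbers` hunk at `@@ -499,13 +500,13 @@` only rejects moduli under 512 bits, which is far below what is considered safe for finite-field DH today. `MIN_MODULUS_SIZE` is declared as 512 near the top of dh.rs. If the floor is kept for compatibility, a comment on the check should say so, for example `// Compatibility floor only: 512-bit groups are breakable, use 2048 bits or more`. The remainder of the function, including the error raised, lies outside the hunk.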
@@ -536,21 +537,23 @@ impl DHParameterNumbers { other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { let q_equal = match (self.q.as_ref(), other.q.as_ref()) { - (Some(self_q), Some(other_q)) => self_q.as_ref(py).eq(other_q.as_ref(py))?, + (Some(self_q), Some(other_q)) => self_q.bind(py).eq(other_q.bind(py))?, (None, None) => true, _ => false, }; - Ok(self.p.as_ref(py).eq(other.p.as_ref(py))? - && self.g.as_ref(py).eq(other.g.as_ref(py))? + Ok(self.p.bind(py).eq(other.p.bind(py))? + && self.g.bind(py).eq(other.g.bind(py))? && q_equal) } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "dh")?; - m.add_function(pyo3::wrap_pyfunction!(generate_parameters, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_der_parameters, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_pem_parameters, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "dh")?; + m.add_function(pyo3::wrap_pyfunction_bound!(generate_parameters, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_der_parameters, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_pem_parameters, &m)?)?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 4cae1e3d5bef..90e837f6c480 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs 
@@ -27,7 +27,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(aead::create_module(module.py())?.into_gil_ref())?; module.add_submodule(ciphers::create_module(module.py())?.into_gil_ref())?; module.add_submodule(cmac::create_module(module.py())?)?; - module.add_submodule(dh::create_module(module.py())?)?; + module.add_submodule(dh::create_module(module.py())?.into_gil_ref())?; module.add_submodule(dsa::create_module(module.py())?)?; module.add_submodule(ec::create_module(module.py())?)?; module.add_submodule(keys::create_module(module.py())?)?; From 166d21a8c6208df802e1fa7f5cc3e2382e824c2b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 20:17:00 -0400 Subject: [PATCH 0370/1462] Convert `src/backend/cmac.rs` to new pyo3 APIs (#10702) --- src/rust/src/backend/cmac.rs | 15 +++++++++------ src/rust/src/backend/mod.rs | 2 +- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index 7bf0fe1d4ff0..599a1ee4bf27 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs @@ -7,7 +7,7 @@ use crate::backend::hashes::already_finalized_error; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use pyo3::prelude::PyAnyMethods; +use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyModuleMethods}; #[pyo3::prelude::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.cmac", 
@@ -74,14 +74,15 @@ impl Cmac { fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let data = self.get_mut_ctx()?.finish()?; self.ctx = None; - Ok(pyo3::types::PyBytes::new(py, &data)) + Ok(pyo3::types::PyBytes::new_bound(py, &data)) } fn verify(&mut self, py: pyo3::Python<'_>, signature: &[u8]) -> CryptographyResult<()> { - let actual = self.finalize(py)?.as_bytes(); + let actual = self.finalize(py)?; + let actual = actual.as_bytes(); if actual.len() != signature.len() || !openssl::memcmp::eq(actual, signature) { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err("Signature did not match digest."), @@ -98,8 +99,10 @@ impl Cmac { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "cmac")?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "cmac")?; m.add_class::()?; diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 90e837f6c480..202d6152aa1a 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -26,7 +26,7 @@ pub(crate) mod x448; pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { module.add_submodule(aead::create_module(module.py())?.into_gil_ref())?; module.add_submodule(ciphers::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(cmac::create_module(module.py())?)?; + module.add_submodule(cmac::create_module(module.py())?.into_gil_ref())?; module.add_submodule(dh::create_module(module.py())?.into_gil_ref())?; module.add_submodule(dsa::create_module(module.py())?)?; module.add_submodule(ec::create_module(module.py())?)?; From c913f8885a8cf349ecd397bb23da1e480ec0488a Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Thu, 4 Apr 2024 20:36:00 -0400 Subject: [PATCH 0371/1462] Use native binop methods instead of weird calls (#10716) --- src/rust/src/backend/dsa.rs | 13 ++++--------- src/rust/src/backend/rsa.rs | 12 +++++------- 2 files changed, 9 insertions(+), 16 deletions(-) diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 9793da8a0c7b..a1dd5a9d4823 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -295,15 +295,10 @@ fn check_dsa_private_numbers( )); } - if numbers - .public_numbers - .get() - .y - .as_ref(py) - .ne(params.g.as_ref(py).call_method1( - pyo3::intern!(py, "__pow__"), - (numbers.x.as_ref(py), params.p.as_ref(py)), - )?)? + if numbers.public_numbers.get().y.as_ref(py).ne(params + .g + .bind(py) + .pow(numbers.x.as_ref(py), Some(params.p.as_ref(py)))?)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("y must be equal to (g ** x % p)."), diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 512b12ece224..11bd5a96d610 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -636,26 +636,25 @@ fn check_private_key_components( )); } - // No `bitand` method. - if public_exponent.call_method1("__and__", (1,))?.eq(0)? { + if public_exponent.bitand(1)?.eq(0)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("public_exponent must be odd."), )); } - if dmp1.call_method1("__and__", (1,))?.eq(0)? { + if dmp1.bitand(1)?.eq(0)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("dmp1 must be odd."), )); } - if dmq1.call_method1("__and__", (1,))?.eq(0)? { + if dmq1.bitand(1)?.eq(0)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("dmq1 must be odd."), )); } - if p.call_method1("__mul__", (q,))?.ne(modulus)? { + if p.mul(q)?.ne(modulus)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("p*q must equal modulus."), )); 
@@ -771,8 +770,7 @@ fn check_public_key_components( )); } - // No `bitand` method. - if e.call_method1("__and__", (1,))?.eq(0)? { + if e.bitand(1)?.eq(0)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("e must be odd."), )); From 0a2acb1ac61be81084a0ecc7c717ae430634e970 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 4 Apr 2024 19:36:19 -0500 Subject: [PATCH 0372/1462] Bump BoringSSL and/or OpenSSL in CI (#10718) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6ef592535110..2f5973b153f6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 04, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e97787e7f33fe8f0aeb2fc3ee7fbb86e1a074ba5"}} - # Latest commit on the OpenSSL master branch, as of Apr 04, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "882a387d0dc12afe8612c4d3f6b9cae5c04611d7"}} + # Latest commit on the BoringSSL master branch, as of Apr 05, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f94f3ed3965ea033001fb9ae006084eee408b861"}} + # Latest commit on the OpenSSL master branch, as of Apr 05, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a19553cd872047289d6fc730a864bf9d984283ce"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From b7602b2945cb5639deacc54c7466fd1bcb27a1c1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 20:38:28 -0400 Subject: [PATCH 0373/1462] Convert `src/backend/kdf.rs` to new pyo3 APIs (#10717) --- src/rust/src/backend/kdf.rs | 19 +++++++++++-------- src/rust/src/backend/mod.rs | 2 +- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/src/rust/src/backend/kdf.rs b/src/rust/src/backend/kdf.rs index 942b5613cd5f..efdd89804f20 100644 --- a/src/rust/src/backend/kdf.rs +++ b/src/rust/src/backend/kdf.rs @@ -5,6 +5,7 @@ use crate::backend::hashes; use crate::buf::CffiBuf; use crate::error::CryptographyResult; +use pyo3::prelude::PyModuleMethods; #[pyo3::prelude::pyfunction] fn derive_pbkdf2_hmac<'p>( 
@@ -14,10 +15,10 @@ fn derive_pbkdf2_hmac<'p>( salt: &[u8], iterations: usize, length: usize, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { +) -> CryptographyResult> { let md = hashes::message_digest_from_algorithm(py, algorithm)?; - Ok(pyo3::types::PyBytes::new_with(py, length, |b| { + Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { openssl::pkcs5::pbkdf2_hmac(key_material.as_bytes(), salt, iterations, md, b).unwrap(); Ok(()) })?) @@ -35,8 +36,8 @@ fn derive_scrypt<'p>( p: u64, max_mem: u64, length: usize, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { - Ok(pyo3::types::PyBytes::new_with(py, length, |b| { +) -> CryptographyResult> { + Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { openssl::pkcs5::scrypt(key_material.as_bytes(), salt, n, r, p, max_mem, b).map_err(|_| { // memory required formula explained here: // https://blog.filippo.io/the-scrypt-parameters/ @@ -48,12 +49,14 @@ fn derive_scrypt<'p>( })?) } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "kdf")?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "kdf")?; - m.add_function(pyo3::wrap_pyfunction!(derive_pbkdf2_hmac, m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(derive_pbkdf2_hmac, &m)?)?; #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] - m.add_function(pyo3::wrap_pyfunction!(derive_scrypt, m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(derive_scrypt, &m)?)?; Ok(m) } diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 202d6152aa1a..e26cffd10c45 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs 
@@ -44,7 +44,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(hashes::create_module(module.py())?.into_gil_ref())?; module.add_submodule(hmac::create_module(module.py())?)?; - module.add_submodule(kdf::create_module(module.py())?)?; + module.add_submodule(kdf::create_module(module.py())?.into_gil_ref())?; module.add_submodule(rsa::create_module(module.py())?.into_gil_ref())?; Ok(()) From adc0873f6469a699f2a07a038f7c789e96503dc3 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 20:59:48 -0400 Subject: [PATCH 0374/1462] Convert `src/backend/keys.rs` to new pyo3 APIs (#10719) --- src/rust/src/backend/keys.rs | 15 +++++++++------ src/rust/src/backend/mod.rs | 2 +- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index d31f76b1d7ac..2113ecec3cac 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -2,6 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use pyo3::prelude::PyModuleMethods; use pyo3::IntoPy; use crate::backend::utils; 
@@ -216,13 +217,15 @@ fn public_key_from_pkey( } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "keys")?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "keys")?; - m.add_function(pyo3::wrap_pyfunction!(load_pem_private_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(load_der_private_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(load_der_public_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(load_pem_public_key, m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(load_pem_private_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(load_der_private_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(load_der_public_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(load_pem_public_key, &m)?)?; Ok(m) } diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index e26cffd10c45..75eabba64ccb 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -30,7 +30,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(dh::create_module(module.py())?.into_gil_ref())?; module.add_submodule(dsa::create_module(module.py())?)?; module.add_submodule(ec::create_module(module.py())?)?; - module.add_submodule(keys::create_module(module.py())?)?; + module.add_submodule(keys::create_module(module.py())?.into_gil_ref())?; module.add_submodule(ed25519::create_module(module.py())?)?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] From 4c0859f558336f543b09d2f158faa2ef68a7ba83 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Thu, 4 Apr 2024 21:13:52 -0400 Subject: [PATCH 0375/1462] Convert `src/backend/dsa.rs` to new pyo3 APIs (#10715) --- src/rust/src/backend/dsa.rs | 58 +++++++++++++++++++------------------ src/rust/src/backend/mod.rs | 2 +- 2 files changed, 31 insertions(+), 29 deletions(-) diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index a1dd5a9d4823..8db405c87533 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -7,7 +7,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; use pyo3::prelude::PyAnyMethods; -use pyo3::PyNativeType; +use pyo3::prelude::PyModuleMethods; #[pyo3::prelude::pyclass( frozen, @@ -70,8 +70,8 @@ impl DsaPrivateKey { &self, py: pyo3::Python<'p>, data: CffiBuf<'_>, - algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + algorithm: pyo3::Bound<'_, pyo3::PyAny>, + ) -> CryptographyResult> { let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm.as_borrowed())?; @@ -79,7 +79,7 @@ impl DsaPrivateKey { signer.sign_init()?; let mut sig = vec![]; signer.sign_to_vec(data, &mut sig)?; - Ok(pyo3::types::PyBytes::new(py, &sig)) + Ok(pyo3::types::PyBytes::new_bound(py, &sig)) } #[getter] @@ -157,7 +157,7 @@ impl DsaPublicKey { py: pyo3::Python<'_>, signature: CffiBuf<'_>, data: CffiBuf<'_>, - algorithm: &pyo3::PyAny, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult<()> { let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm.as_borrowed())?; @@ -250,7 +250,7 @@ fn check_dsa_parameters( if ![1024, 2048, 3072, 4096].contains( ¶meters .p - .as_ref(py) + .bind(py) .call_method0("bit_length")? .extract::()?, ) { @@ -264,7 +264,7 @@ fn check_dsa_parameters( if ![160, 224, 256].contains( ¶meters .q - .as_ref(py) + .bind(py) .call_method0("bit_length")? .extract::()?, ) { 
@@ -273,7 +273,7 @@ fn check_dsa_parameters( )); } - if parameters.g.as_ref(py).le(1)? || parameters.g.as_ref(py).ge(parameters.p.as_ref(py))? { + if parameters.g.bind(py).le(1)? || parameters.g.bind(py).ge(parameters.p.bind(py))? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("g, p don't satisfy 1 < g < p."), )); @@ -289,16 +289,16 @@ fn check_dsa_private_numbers( let params = numbers.public_numbers.get().parameter_numbers.get(); check_dsa_parameters(py, params)?; - if numbers.x.as_ref(py).le(0)? || numbers.x.as_ref(py).ge(params.q.as_ref(py))? { + if numbers.x.bind(py).le(0)? || numbers.x.bind(py).ge(params.q.bind(py))? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("x must be > 0 and < q."), )); } - if numbers.public_numbers.get().y.as_ref(py).ne(params + if numbers.public_numbers.get().y.bind(py).ne(params .g .bind(py) - .pow(numbers.x.as_ref(py), Some(params.p.as_ref(py)))?)? + .pow(numbers.x.bind(py), Some(params.p.bind(py)))?)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("y must be equal to (g ** x % p)."), @@ -385,11 +385,11 @@ impl DsaPrivateNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.x.as_ref(py).eq(other.x.as_ref(py))? + Ok(self.x.bind(py).eq(other.x.bind(py))? && self .public_numbers - .as_ref(py) - .eq(other.public_numbers.as_ref(py))?) + .bind(py) + .eq(other.public_numbers.bind(py))?) } } 
@@ -433,16 +433,16 @@ impl DsaPublicNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.y.as_ref(py).eq(other.y.as_ref(py))? + Ok(self.y.bind(py).eq(other.y.bind(py))? && self .parameter_numbers - .as_ref(py) - .eq(other.parameter_numbers.as_ref(py))?) + .bind(py) + .eq(other.parameter_numbers.bind(py))?) } fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { - let y = self.y.as_ref(py); - let parameter_numbers = self.parameter_numbers.as_ref(py).repr()?; + let y = self.y.bind(py); + let parameter_numbers = self.parameter_numbers.bind(py).repr()?; Ok(format!( "" )) @@ -483,22 +483,24 @@ impl DsaParameterNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.p.as_ref(py).eq(other.p.as_ref(py))? - && self.q.as_ref(py).eq(other.q.as_ref(py))? - && self.g.as_ref(py).eq(other.g.as_ref(py))?) + Ok(self.p.bind(py).eq(other.p.bind(py))? + && self.q.bind(py).eq(other.q.bind(py))? + && self.g.bind(py).eq(other.g.bind(py))?) } fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { - let p = self.p.as_ref(py); - let q = self.q.as_ref(py); - let g = self.g.as_ref(py); + let p = self.p.bind(py); + let q = self.q.bind(py); + let g = self.g.bind(py); Ok(format!("")) } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "dsa")?; - m.add_function(pyo3::wrap_pyfunction!(generate_parameters, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "dsa")?; + m.add_function(pyo3::wrap_pyfunction_bound!(generate_parameters, &m)?)?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 75eabba64ccb..883fee74cf4a 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs 
@@ -28,7 +28,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(ciphers::create_module(module.py())?.into_gil_ref())?; module.add_submodule(cmac::create_module(module.py())?.into_gil_ref())?; module.add_submodule(dh::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(dsa::create_module(module.py())?)?; + module.add_submodule(dsa::create_module(module.py())?.into_gil_ref())?; module.add_submodule(ec::create_module(module.py())?)?; module.add_submodule(keys::create_module(module.py())?.into_gil_ref())?; From 654e580a0c7c9d1a034c84ed612d52d36973d9b0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 22:01:49 -0400 Subject: [PATCH 0376/1462] Convert several functions to new pyo3 APIs (#10720) --- src/rust/src/x509/common.rs | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 27f162a8c6e9..ab6634302db0 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs 
@@ -212,27 +212,27 @@ fn parse_name_attribute( let py_tag = types::ASN1_TYPE_TO_ENUM.get(py)?.get_item(tag_val)?; let py_data = match attribute.value.tag().as_u8() { // BitString tag value - Some(3) => pyo3::types::PyBytes::new(py, attribute.value.data()), + Some(3) => pyo3::types::PyBytes::new_bound(py, attribute.value.data()).into_any(), // BMPString tag value Some(30) => { - let py_bytes = pyo3::types::PyBytes::new(py, attribute.value.data()); + let py_bytes = pyo3::types::PyBytes::new_bound(py, attribute.value.data()); py_bytes.call_method1(pyo3::intern!(py, "decode"), ("utf_16_be",))? } // UniversalString Some(28) => { - let py_bytes = pyo3::types::PyBytes::new(py, attribute.value.data()); + let py_bytes = pyo3::types::PyBytes::new_bound(py, attribute.value.data()); py_bytes.call_method1(pyo3::intern!(py, "decode"), ("utf_32_be",))? } _ => { let parsed = std::str::from_utf8(attribute.value.data()) .map_err(|_| asn1::ParseError::new(asn1::ParseErrorKind::InvalidValue))?; - pyo3::types::PyString::new(py, parsed) + pyo3::types::PyString::new_bound(py, parsed).into_any() } }; - let kwargs = [(pyo3::intern!(py, "_validate"), false)].into_py_dict(py); + let kwargs = [(pyo3::intern!(py, "_validate"), false)].into_py_dict_bound(py); Ok(types::NAME_ATTRIBUTE - .get(py)? - .call((oid, py_data, py_tag), Some(kwargs))? + .get_bound(py)? + .call((oid, py_data, py_tag), Some(&kwargs))? .to_object(py)) } 
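Review bot: The `_validate = false` keyword passed to `NAME_ATTRIBUTE` in `parse_name_attribute` is a trust decision that the hunk leaves unexplained. Values decoded from certificate bytes reach Python without the constructor's checks. Assuming this is the intent, a comment would make it explicit, such as `// Parsed names skip constructor validation so non-conforming certificates still load; treat the values as untrusted`. The same applies to the `_init_without_validation` calls in `parse_general_name` in the next hunk. `parse_name_attribute` begins above this hunk.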
@@ -259,33 +259,36 @@ pub(crate) fn parse_general_name( GeneralName::OtherName(data) => { let oid = oid_to_py_oid(py, &data.type_id)?.to_object(py); types::OTHER_NAME - .get(py)? + .get_bound(py)? .call1((oid, data.value.full_data()))? .to_object(py) } GeneralName::RFC822Name(data) => types::RFC822_NAME - .get(py)? + .get_bound(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? .to_object(py), GeneralName::DNSName(data) => types::DNS_NAME - .get(py)? + .get_bound(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? .to_object(py), GeneralName::DirectoryName(data) => { let py_name = parse_name(py, data.unwrap_read())?; types::DIRECTORY_NAME - .get(py)? + .get_bound(py)? .call1((py_name,))? .to_object(py) } GeneralName::UniformResourceIdentifier(data) => types::UNIFORM_RESOURCE_IDENTIFIER - .get(py)? + .get_bound(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? .to_object(py), GeneralName::IPAddress(data) => { if data.len() == 4 || data.len() == 16 { let addr = types::IPADDRESS_IPADDRESS.get(py)?.call1((data,))?; - types::IP_ADDRESS.get(py)?.call1((addr,))?.to_object(py) + types::IP_ADDRESS + .get_bound(py)? + .call1((addr,))? + .to_object(py) } else { // if it's not an IPv4 or IPv6 we assume it's an IPNetwork and // verify length in this function. From 852c45dc375f874dc2d2e049a6e6c604a77e3643 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 22:05:07 -0400 Subject: [PATCH 0377/1462] Convert `src/backend/ec.rs` to new pyo3 APIs (#10721) --- src/rust/src/backend/ec.rs | 126 +++++++++++++++++++----------------- src/rust/src/backend/mod.rs | 2 +- 2 files changed, 68 insertions(+), 60 deletions(-) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index a34fc131e8f9..a562bbf74e3b 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs 
@@ -5,8 +5,8 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -use pyo3::prelude::PyAnyMethods; -use pyo3::{PyNativeType, ToPyObject}; +use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; +use pyo3::ToPyObject; use crate::backend::utils; use crate::buf::CffiBuf; @@ -29,14 +29,14 @@ pub(crate) struct ECPublicKey { fn curve_from_py_curve( py: pyo3::Python<'_>, - py_curve: &pyo3::PyAny, + py_curve: pyo3::Bound<'_, pyo3::PyAny>, allow_curve_class: bool, ) -> CryptographyResult { - if !py_curve.is_instance(types::ELLIPTIC_CURVE.get(py)?)? { + if !py_curve.is_instance(&types::ELLIPTIC_CURVE.get_bound(py)?)? { if allow_curve_class { - let warning_cls = types::DEPRECATED_IN_42.get(py)?; + let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; let warning_msg = "Curve argument must be an instance of an EllipticCurve class. Did you pass a class by mistake? This will be an exception in a future version of cryptography."; - pyo3::PyErr::warn(py, warning_cls, warning_msg, 1)?; + pyo3::PyErr::warn_bound(py, &warning_cls, warning_msg, 1)?; } else { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err("curve must be an EllipticCurve instance"), @@ -127,7 +127,7 @@ fn check_key_infinity( } #[pyo3::prelude::pyfunction] -fn curve_supported(py: pyo3::Python<'_>, py_curve: &pyo3::PyAny) -> bool { +fn curve_supported(py: pyo3::Python<'_>, py_curve: pyo3::Bound<'_, pyo3::PyAny>) -> bool { curve_from_py_curve(py, py_curve, false).is_ok() } @@ -158,7 +158,7 @@ pub(crate) fn public_key_from_pkey( #[pyo3::prelude::pyfunction] fn generate_private_key( py: pyo3::Python<'_>, - curve: &pyo3::PyAny, + curve: pyo3::Bound<'_, pyo3::PyAny>, backend: Option>, ) -> CryptographyResult { let _ = backend; 
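Review bot: `curve_from_py_curve` now takes `py_curve: pyo3::Bound<'_, pyo3::PyAny>` by value, which is what forces the `.clone()` calls added at its callers in the `derive_private_key` and `from_public_bytes` hunks and in the two `EllipticCurve*Numbers` hunks (`.bind(py).clone()`). The visible part of the body only calls `is_instance` on it, so a borrowed parameter, `py_curve: &pyo3::Bound<'_, pyo3::PyAny>`, looks sufficient and would match the `&Bound` style used for `algorithm` in hmac.rs elsewhere in this series. The function body continues outside the hunk, so confirm that nothing further down needs ownership.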
@@ -176,9 +176,9 @@ fn generate_private_key( fn derive_private_key( py: pyo3::Python<'_>, py_private_value: &pyo3::Bound<'_, pyo3::types::PyLong>, - py_curve: &pyo3::PyAny, + py_curve: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - let curve = curve_from_py_curve(py, py_curve, false)?; + let curve = curve_from_py_curve(py, py_curve.clone(), false)?; let private_value = utils::py_int_to_bn(py, py_private_value)?; let mut point = openssl::ec::EcPoint::new(&curve)?; @@ -198,10 +198,10 @@ fn derive_private_key( #[pyo3::prelude::pyfunction] fn from_public_bytes( py: pyo3::Python<'_>, - py_curve: &pyo3::PyAny, + py_curve: pyo3::Bound<'_, pyo3::PyAny>, data: &[u8], ) -> CryptographyResult { - let curve = curve_from_py_curve(py, py_curve, false)?; + let curve = curve_from_py_curve(py, py_curve.clone(), false)?; let mut bn_ctx = openssl::bn::BigNumContext::new()?; let point = openssl::ec::EcPoint::from_bytes(&curve, data, &mut bn_ctx) @@ -218,17 +218,20 @@ fn from_public_bytes( #[pyo3::prelude::pymethods] impl ECPrivateKey { #[getter] - fn key_size<'p>(&'p self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - self.curve.as_ref(py).getattr(pyo3::intern!(py, "key_size")) + fn key_size<'p>( + &'p self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + self.curve.bind(py).getattr(pyo3::intern!(py, "key_size")) } fn exchange<'p>( &self, py: pyo3::Python<'p>, - algorithm: &pyo3::PyAny, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, peer_public_key: &ECPublicKey, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - if !algorithm.is_instance(types::ECDH.get(py)?)? { + ) -> CryptographyResult> { + if !algorithm.is_instance(&types::ECDH.get_bound(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "Unsupported EC exchange algorithm", 
@@ -251,7 +254,8 @@ impl ECPrivateKey { .set_peer(&peer_public_key.pkey) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; - Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { + let len = deriver.len()?; + Ok(pyo3::types::PyBytes::new_bound_with(py, len, |b| { let n = deriver.derive(b).map_err(|_| { pyo3::exceptions::PyValueError::new_err("Error computing shared key.") })?; @@ -264,9 +268,9 @@ impl ECPrivateKey { &self, py: pyo3::Python<'p>, data: CffiBuf<'_>, - signature_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - if !signature_algorithm.is_instance(types::ECDSA.get(py)?)? { + signature_algorithm: pyo3::Bound<'_, pyo3::PyAny>, + ) -> CryptographyResult> { + if !signature_algorithm.is_instance(&types::ECDSA.get_bound(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "Unsupported elliptic curve signature algorithm", @@ -274,9 +278,7 @@ impl ECPrivateKey { )), )); } - let bound_algorithm = signature_algorithm - .getattr(pyo3::intern!(py, "algorithm"))? - .as_borrowed(); + let bound_algorithm = signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?; let (data, algo) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), &bound_algorithm)?; @@ -310,7 +312,7 @@ impl ECPrivateKey { // will be a byte or two shorter than the maximum possible length). let mut sig = vec![]; signer.sign_to_vec(data, &mut sig)?; - Ok(pyo3::types::PyBytes::new(py, &sig)) + Ok(pyo3::types::PyBytes::new_bound(py, &sig)) } fn public_key(&self, py: pyo3::Python<'_>) -> CryptographyResult { 
@@ -375,8 +377,11 @@ impl ECPrivateKey { #[pyo3::prelude::pymethods] impl ECPublicKey { #[getter] - fn key_size<'p>(&'p self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - self.curve.as_ref(py).getattr(pyo3::intern!(py, "key_size")) + fn key_size<'p>( + &'p self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + self.curve.bind(py).getattr(pyo3::intern!(py, "key_size")) } fn verify( @@ -384,9 +389,9 @@ impl ECPublicKey { py: pyo3::Python<'_>, signature: CffiBuf<'_>, data: CffiBuf<'_>, - signature_algorithm: &pyo3::PyAny, + signature_algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult<()> { - if !signature_algorithm.is_instance(types::ECDSA.get(py)?)? { + if !signature_algorithm.is_instance(&types::ECDSA.get_bound(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "Unsupported elliptic curve signature algorithm", @@ -478,7 +483,7 @@ fn public_key_from_numbers( curve: &openssl::ec::EcGroupRef, ) -> CryptographyResult> { let zero = (0).to_object(py); - if numbers.x.as_ref(py).lt(&zero)? || numbers.y.as_ref(py).lt(&zero)? { + if numbers.x.bind(py).lt(&zero)? || numbers.y.bind(py).lt(&zero)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "Invalid EC key. Both x and y must be non-negative.", @@ -522,7 +527,8 @@ impl EllipticCurvePrivateNumbers { ) -> CryptographyResult { let _ = backend; - let curve = curve_from_py_curve(py, self.public_numbers.get().curve.as_ref(py), false)?; + let curve = + curve_from_py_curve(py, self.public_numbers.get().curve.bind(py).clone(), false)?; let public_key = public_key_from_numbers(py, self.public_numbers.get(), &curve)?; let private_value = utils::py_int_to_bn(py, self.private_value.bind(py))?; 
@@ -557,18 +563,18 @@ impl EllipticCurvePrivateNumbers { ) -> CryptographyResult { Ok(self .private_value - .as_ref(py) - .eq(other.private_value.as_ref(py))? + .bind(py) + .eq(other.private_value.bind(py))? && self .public_numbers - .as_ref(py) - .eq(other.public_numbers.as_ref(py))?) + .bind(py) + .eq(other.public_numbers.bind(py))?) } fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { let mut hasher = DefaultHasher::new(); - self.private_value.as_ref(py).hash()?.hash(&mut hasher); - self.public_numbers.as_ref(py).hash()?.hash(&mut hasher); + self.private_value.bind(py).hash()?.hash(&mut hasher); + self.public_numbers.bind(py).hash()?.hash(&mut hasher); Ok(hasher.finish()) } } @@ -583,8 +589,8 @@ impl EllipticCurvePublicNumbers { curve: pyo3::Py, ) -> CryptographyResult { if !curve - .as_ref(py) - .is_instance(types::ELLIPTIC_CURVE.get(py)?)? + .bind(py) + .is_instance(&types::ELLIPTIC_CURVE.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( @@ -603,7 +609,7 @@ impl EllipticCurvePublicNumbers { ) -> CryptographyResult { let _ = backend; - let curve = curve_from_py_curve(py, self.curve.as_ref(py), false)?; + let curve = curve_from_py_curve(py, self.curve.bind(py).clone(), false)?; let public_key = public_key_from_numbers(py, self, &curve)?; let pkey = openssl::pkey::PKey::from_ec_key(public_key)?; 
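Review bot: `__eq__` on `EllipticCurvePrivateNumbers` compares `private_value` through Python's rich comparison (`.bind(py).eq(...)`), which gives no constant-time guarantee, and neither the old nor the new lines say so. A short comment above the comparison would record that this is deliberate, for example `// Not constant-time: plain Python int comparison; not meant for checking a secret against untrusted input.` This contrasts with the `openssl::memcmp::eq` checks used for the HMAC and Poly1305 tags elsewhere in this series.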
@@ -619,34 +625,34 @@ impl EllipticCurvePublicNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.x.as_ref(py).eq(other.x.as_ref(py))? - && self.y.as_ref(py).eq(other.y.as_ref(py))? + Ok(self.x.bind(py).eq(other.x.bind(py))? + && self.y.bind(py).eq(other.y.bind(py))? && self .curve - .as_ref(py) + .bind(py) .getattr(pyo3::intern!(py, "name"))? - .eq(other.curve.as_ref(py).getattr(pyo3::intern!(py, "name"))?)? + .eq(other.curve.bind(py).getattr(pyo3::intern!(py, "name"))?)? && self .curve - .as_ref(py) + .bind(py) .getattr(pyo3::intern!(py, "key_size"))? .eq(other .curve - .as_ref(py) + .bind(py) .getattr(pyo3::intern!(py, "key_size"))?)?) } fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { let mut hasher = DefaultHasher::new(); - self.x.as_ref(py).hash()?.hash(&mut hasher); - self.y.as_ref(py).hash()?.hash(&mut hasher); + self.x.bind(py).hash()?.hash(&mut hasher); + self.y.bind(py).hash()?.hash(&mut hasher); self.curve - .as_ref(py) + .bind(py) .getattr(pyo3::intern!(py, "name"))? .hash()? .hash(&mut hasher); self.curve - .as_ref(py) + .bind(py) .getattr(pyo3::intern!(py, "key_size"))? .hash()? .hash(&mut hasher); 
@@ -654,21 +660,23 @@ impl EllipticCurvePublicNumbers { } fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { - let x = self.x.as_ref(py); - let y = self.y.as_ref(py); - let curve_name = self.curve.as_ref(py).getattr(pyo3::intern!(py, "name"))?; + let x = self.x.bind(py); + let y = self.y.bind(py); + let curve_name = self.curve.bind(py).getattr(pyo3::intern!(py, "name"))?; Ok(format!( "" )) } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "ec")?; - m.add_function(pyo3::wrap_pyfunction!(curve_supported, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(generate_private_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(derive_private_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_public_bytes, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "ec")?; + m.add_function(pyo3::wrap_pyfunction_bound!(curve_supported, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(generate_private_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(derive_private_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 883fee74cf4a..666c15b47d48 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs 
@@ -29,7 +29,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(cmac::create_module(module.py())?.into_gil_ref())?; module.add_submodule(dh::create_module(module.py())?.into_gil_ref())?; module.add_submodule(dsa::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(ec::create_module(module.py())?)?; + module.add_submodule(ec::create_module(module.py())?.into_gil_ref())?; module.add_submodule(keys::create_module(module.py())?.into_gil_ref())?; module.add_submodule(ed25519::create_module(module.py())?)?; From 0ac63a4bb98f6ca0a34039cf4f90867a274c7268 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 22:20:48 -0400 Subject: [PATCH 0378/1462] Convert `src/backend/x448.rs` to new pyo3 APIs (#10723) --- src/rust/src/backend/mod.rs | 2 +- src/rust/src/backend/x448.rs | 41 +++++++++++++++++++++--------------- 2 files changed, 25 insertions(+), 18 deletions(-) diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 666c15b47d48..25142bab2622 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -38,7 +38,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(x25519::create_module(module.py())?)?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - module.add_submodule(x448::create_module(module.py())?)?; + module.add_submodule(x448::create_module(module.py())?.into_gil_ref())?; module.add_submodule(poly1305::create_module(module.py())?)?; diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 517fc48c0493..1d8d9e5837cc 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs 
@@ -5,6 +5,7 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::CryptographyResult; +use pyo3::prelude::PyModuleMethods; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x448")] pub(crate) struct X448PrivateKey { @@ -65,17 +66,21 @@ impl X448PrivateKey { &self, py: pyo3::Python<'p>, peer_public_key: &X448PublicKey, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; deriver.set_peer(&peer_public_key.pkey)?; - Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { - let n = deriver.derive(b).map_err(|_| { - pyo3::exceptions::PyValueError::new_err("Error computing shared key.") - })?; - assert_eq!(n, b.len()); - Ok(()) - })?) + Ok(pyo3::types::PyBytes::new_bound_with( + py, + deriver.len()?, + |b| { + let n = deriver.derive(b).map_err(|_| { + pyo3::exceptions::PyValueError::new_err("Error computing shared key.") + })?; + assert_eq!(n, b.len()); + Ok(()) + }, + )?) } fn public_key(&self) -> CryptographyResult { @@ -91,9 +96,9 @@ impl X448PrivateKey { fn private_bytes_raw<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_private_key()?; - Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) } fn private_bytes<'p>( @@ -121,9 +126,9 @@ impl X448PublicKey { fn public_bytes_raw<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_public_key()?; - Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) } fn public_bytes<'p>( 
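Review bot: In `X448PrivateKey::exchange` the buffer length is passed inline as `deriver.len()?`, which is what pushes `new_bound_with` into the multi-line form and re-indents the whole closure. ec.rs and ed25519.rs in this series bind it first. Writing `let len = deriver.len()?;` and then `Ok(pyo3::types::PyBytes::new_bound_with(py, len, |b| {` keeps the closure at its old indentation and makes the derive and sign call sites read alike. The same applies to `X25519PrivateKey::exchange` in x25519.rs.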
@@ -144,11 +149,13 @@ impl X448PublicKey { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "x448")?; - m.add_function(pyo3::wrap_pyfunction!(generate_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_private_bytes, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_public_bytes, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "x448")?; + m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; m.add_class::()?; m.add_class::()?; From c56ff9679c68c3dae1f683d098dce88ce9858474 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 22:32:56 -0400 Subject: [PATCH 0379/1462] Convert `src/backend/ed25519.rs` to new pyo3 APIs (#10722) --- src/rust/src/backend/ed25519.rs | 26 +++++++++++++++----------- src/rust/src/backend/mod.rs | 2 +- 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index 383fa3a5fd2d..565f839f7096 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -6,6 +6,7 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; +use pyo3::prelude::PyModuleMethods; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] pub(crate) struct Ed25519PrivateKey { 
@@ -67,9 +68,10 @@ impl Ed25519PrivateKey { &self, py: pyo3::Python<'p>, data: CffiBuf<'_>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut signer = openssl::sign::Signer::new_without_digest(&self.pkey)?; - Ok(pyo3::types::PyBytes::new_with(py, signer.len()?, |b| { + let len = signer.len()?; + Ok(pyo3::types::PyBytes::new_bound_with(py, len, |b| { let n = signer .sign_oneshot(b, data.as_bytes()) .map_err(CryptographyError::from)?; @@ -91,9 +93,9 @@ impl Ed25519PrivateKey { fn private_bytes_raw<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_private_key()?; - Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) } fn private_bytes<'p>( @@ -135,9 +137,9 @@ impl Ed25519PublicKey { fn public_bytes_raw<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_public_key()?; - Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) } fn public_bytes<'p>( @@ -158,11 +160,13 @@ impl Ed25519PublicKey { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "ed25519")?; - m.add_function(pyo3::wrap_pyfunction!(generate_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_private_bytes, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_public_bytes, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "ed25519")?; + m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; m.add_class::()?; m.add_class::()?; 
diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 25142bab2622..050963f9c8b8 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -32,7 +32,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(ec::create_module(module.py())?.into_gil_ref())?; module.add_submodule(keys::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(ed25519::create_module(module.py())?)?; + module.add_submodule(ed25519::create_module(module.py())?.into_gil_ref())?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] module.add_submodule(ed448::create_module(module.py())?)?; From 8d27a3c6ce657634311f49581fbff7c83722d0cf Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 13:04:42 +0200 Subject: [PATCH 0380/1462] Convert `src/backend/hmac.rs` to new pyo3 APIs (#10726) --- src/rust/src/backend/hmac.rs | 21 ++++++++++++--------- src/rust/src/backend/mod.rs | 2 +- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs index 4d1b4b325bdb..f7718ad55d90 100644 --- a/src/rust/src/backend/hmac.rs +++ b/src/rust/src/backend/hmac.rs @@ -6,7 +6,7 @@ use crate::backend::hashes::{already_finalized_error, message_digest_from_algori use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::PyNativeType; +use pyo3::prelude::{PyBytesMethods, PyModuleMethods}; #[pyo3::prelude::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.hmac", @@ -22,7 +22,7 @@ impl Hmac { pub(crate) fn new_bytes( py: pyo3::Python<'_>, key: &[u8], - algorithm: &pyo3::PyAny, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { let md = message_digest_from_algorithm(py, &algorithm.as_borrowed())?; let ctx = cryptography_openssl::hmac::Hmac::new(key, md).map_err(|_| { 
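Review bot: In `Hmac::new_bytes` the parameter is now `algorithm: &pyo3::Bound<'_, pyo3::PyAny>`, but the unchanged call below it still reads `message_digest_from_algorithm(py, &algorithm.as_borrowed())?`. The `as_borrowed()` step was only needed to bridge from the old `&PyAny`. Assuming the helper takes a `&Bound`, as this call suggests, it can become `let md = message_digest_from_algorithm(py, algorithm)?;`. The body of `new_bytes` continues past the end of this hunk.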
@@ -34,7 +34,7 @@ impl Hmac { Ok(Hmac { ctx: Some(ctx), - algorithm: algorithm.into(), + algorithm: algorithm.clone().unbind(), }) } @@ -65,7 +65,7 @@ impl Hmac { fn new( py: pyo3::Python<'_>, key: CffiBuf<'_>, - algorithm: &pyo3::PyAny, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -80,14 +80,15 @@ impl Hmac { pub(crate) fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let data = self.get_mut_ctx()?.finish()?; self.ctx = None; - Ok(pyo3::types::PyBytes::new(py, &data)) + Ok(pyo3::types::PyBytes::new_bound(py, &data)) } fn verify(&mut self, py: pyo3::Python<'_>, signature: &[u8]) -> CryptographyResult<()> { - let actual = self.finalize(py)?.as_bytes(); + let actual_bound = self.finalize(py)?; + let actual = actual_bound.as_bytes(); if actual.len() != signature.len() || !openssl::memcmp::eq(actual, signature) { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err("Signature did not match digest."), @@ -105,8 +106,10 @@ impl Hmac { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "hmac")?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "hmac")?; m.add_class::()?; Ok(m) diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 050963f9c8b8..baf41ea1ae9c 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs 
@@ -43,7 +43,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(poly1305::create_module(module.py())?)?; module.add_submodule(hashes::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(hmac::create_module(module.py())?)?; + module.add_submodule(hmac::create_module(module.py())?.into_gil_ref())?; module.add_submodule(kdf::create_module(module.py())?.into_gil_ref())?; module.add_submodule(rsa::create_module(module.py())?.into_gil_ref())?; From 1232c8a78a9bdc06d2d6b6330561e52af71bdba1 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 13:06:18 +0200 Subject: [PATCH 0381/1462] Convert `src/backend/poly1305.rs` to new pyo3 APIs (#10728) --- src/rust/src/backend/mod.rs | 2 +- src/rust/src/backend/poly1305.rs | 22 +++++++++++++--------- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index baf41ea1ae9c..16659f6d190a 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -40,7 +40,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] module.add_submodule(x448::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(poly1305::create_module(module.py())?)?; + module.add_submodule(poly1305::create_module(module.py())?.into_gil_ref())?; module.add_submodule(hashes::create_module(module.py())?.into_gil_ref())?; module.add_submodule(hmac::create_module(module.py())?.into_gil_ref())?; diff --git a/src/rust/src/backend/poly1305.rs b/src/rust/src/backend/poly1305.rs index 66fc6239fa02..b1c3698700a4 100644 --- a/src/rust/src/backend/poly1305.rs +++ b/src/rust/src/backend/poly1305.rs 
@@ -6,6 +6,7 @@ use crate::backend::hashes::already_finalized_error; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; +use pyo3::prelude::{PyBytesMethods, PyModuleMethods}; #[cfg(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_LIBRESSL))] struct Poly1305Boring { @@ -31,8 +32,8 @@ impl Poly1305Boring { fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let result = pyo3::types::PyBytes::new_with(py, 16usize, |b| { + ) -> CryptographyResult> { + let result = pyo3::types::PyBytes::new_bound_with(py, 16usize, |b| { self.context.finalize(b.as_mut()); Ok(()) })?; @@ -77,8 +78,8 @@ impl Poly1305Open { fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let result = pyo3::types::PyBytes::new_with(py, self.signer.len()?, |b| { + ) -> CryptographyResult> { + let result = pyo3::types::PyBytes::new_bound_with(py, self.signer.len()?, |b| { let n = self.signer.sign(b).unwrap(); assert_eq!(n, b.len()); Ok(()) @@ -114,7 +115,7 @@ impl Poly1305 { py: pyo3::Python<'p>, key: CffiBuf<'_>, data: CffiBuf<'_>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut p = Poly1305::new(key)?; p.update(data)?; p.finalize(py) @@ -141,7 +142,7 @@ impl Poly1305 { fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let res = self .inner .as_mut() @@ -152,7 +153,8 @@ impl Poly1305 { } fn verify(&mut self, py: pyo3::Python<'_>, signature: &[u8]) -> CryptographyResult<()> { - let actual = self.finalize(py)?.as_bytes(); + let actual_bound = self.finalize(py)?; + let actual = actual_bound.as_bytes(); if actual.len() != signature.len() || !openssl::memcmp::eq(actual, signature) { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err("Value did not match computed tag."), 
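Review bot: `Poly1305Open::finalize` still calls `self.signer.sign(b).unwrap()` inside the `new_bound_with` closure, so an OpenSSL signing failure panics instead of surfacing as a `CryptographyError`. The closure already returns a result, and ed25519.rs handles the same call shape with `map_err`, so `let n = self.signer.sign(b).map_err(CryptographyError::from)?;` should work here as it does there. `CryptographyError` is already imported at the top of poly1305.rs. The rest of `finalize` lies outside the hunk.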
@@ -163,8 +165,10 @@ impl Poly1305 { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "poly1305")?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "poly1305")?; m.add_class::()?; From 1d05a6cb492c74c5f0414ab9e32628226f61d802 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 13:06:47 +0200 Subject: [PATCH 0382/1462] Finish conversion of `src/backend/rsa.rs` to new pyo3 APIs (#10729) --- src/rust/src/backend/rsa.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 11bd5a96d610..0a279f7fdc30 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -690,7 +690,7 @@ impl RsaPrivateNumbers { fn private_key( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option<&pyo3::Bound<'_, pyo3::PyAny>>, unsafe_skip_rsa_key_validation: bool, ) -> CryptographyResult { let _ = backend; @@ -789,7 +789,7 @@ impl RsaPublicNumbers { fn public_key( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option<&pyo3::Bound<'_, pyo3::PyAny>>, ) -> CryptographyResult { let _ = backend; From 855f28a6047dcd50ff50fc57472e8a6d6c9a72b0 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 13:07:40 +0200 Subject: [PATCH 0383/1462] Convert `src/backend/x25519.rs` to new pyo3 APIs (#10730) --- src/rust/src/backend/mod.rs | 2 +- src/rust/src/backend/x25519.rs | 41 ++++++++++++++++++++-------------- 2 files changed, 25 insertions(+), 18 deletions(-) diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 16659f6d190a..a460812d8ca3 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs 
@@ -36,7 +36,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] module.add_submodule(ed448::create_module(module.py())?)?; - module.add_submodule(x25519::create_module(module.py())?)?; + module.add_submodule(x25519::create_module(module.py())?.into_gil_ref())?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] module.add_submodule(x448::create_module(module.py())?.into_gil_ref())?; diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 970f8b8ea646..045aa909596c 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -5,6 +5,7 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::CryptographyResult; +use pyo3::prelude::PyModuleMethods; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x25519")] pub(crate) struct X25519PrivateKey { @@ -66,17 +67,21 @@ impl X25519PrivateKey { &self, py: pyo3::Python<'p>, peer_public_key: &X25519PublicKey, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; deriver.set_peer(&peer_public_key.pkey)?; - Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { - let n = deriver.derive(b).map_err(|_| { - pyo3::exceptions::PyValueError::new_err("Error computing shared key.") - })?; - assert_eq!(n, b.len()); - Ok(()) - })?) + Ok(pyo3::types::PyBytes::new_bound_with( + py, + deriver.len()?, + |b| { + let n = deriver.derive(b).map_err(|_| { + pyo3::exceptions::PyValueError::new_err("Error computing shared key.") + })?; + assert_eq!(n, b.len()); + Ok(()) + }, + )?) } fn public_key(&self) -> CryptographyResult { 
@@ -92,9 +97,9 @@ impl X25519PrivateKey { fn private_bytes_raw<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_private_key()?; - Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) } fn private_bytes<'p>( @@ -122,9 +127,9 @@ impl X25519PublicKey { fn public_bytes_raw<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_public_key()?; - Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) } fn public_bytes<'p>( @@ -145,11 +150,13 @@ impl X25519PublicKey { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "x25519")?; - m.add_function(pyo3::wrap_pyfunction!(generate_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_private_bytes, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_public_bytes, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "x25519")?; + m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; m.add_class::()?; m.add_class::()?; From 33817b8a942d5263b34c934a9d7518492f8befa7 Mon Sep 17 00:00:00 2001 
From: Facundo Tuesca Date: Fri, 5 Apr 2024 13:47:14 +0200 Subject: [PATCH 0384/1462] Convert `src/x509/common.rs` to new pyo3 APIs (#10732) * Convert `src/x509/common.rs` to new pyo3 APIs * Fix coverage issue in `extensions.rs` * Fix another coverage issue in `extensions.rs` --- src/rust/src/x509/certificate.rs | 4 +-- src/rust/src/x509/common.rs | 50 ++++++++++++++++---------------- src/rust/src/x509/crl.rs | 5 ++-- src/rust/src/x509/csr.rs | 7 +++-- src/rust/src/x509/extensions.rs | 22 +++++++------- src/rust/src/x509/ocsp_resp.rs | 2 +- 6 files changed, 47 insertions(+), 43 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index b552fde8086d..12b996609f3a 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -952,12 +952,12 @@ fn create_x509_certificate( .extract()?, serial: asn1::BigInt::new(py_uint_to_big_endian_bytes(py, py_serial)?).unwrap(), signature_alg: sigalg.clone(), - issuer: x509::common::encode_name(py, py_issuer_name.clone().into_gil_ref())?, + issuer: x509::common::encode_name(py, &py_issuer_name)?, validity: cryptography_x509::certificate::Validity { not_before: time_from_py(py, &py_not_before)?, not_after: time_from_py(py, &py_not_after)?, }, - subject: x509::common::encode_name(py, py_subject_name.clone().into_gil_ref())?, + subject: x509::common::encode_name(py, &py_subject_name)?, spki: asn1::parse_single(spki_bytes)?, issuer_unique_id: None, subject_unique_id: None, diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index ab6634302db0..176eb6050901 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs 
@@ -7,7 +7,7 @@ use cryptography_x509::extensions::{ AccessDescription, DuplicateExtensionsError, Extension, Extensions, RawExtensions, }; use cryptography_x509::name::{GeneralName, Name, NameReadable, OtherName, UnvalidatedIA5String}; -use pyo3::prelude::PyAnyMethods; +use pyo3::prelude::{PyAnyMethods, PyListMethods}; use pyo3::types::IntoPyDict; use pyo3::{IntoPy, PyNativeType, ToPyObject}; @@ -33,7 +33,7 @@ pub(crate) fn find_in_pem( pub(crate) fn encode_name<'p>( py: pyo3::Python<'p>, - py_name: &'p pyo3::PyAny, + py_name: &pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult> { let mut rdns = vec![]; @@ -42,7 +42,7 @@ pub(crate) fn encode_name<'p>( let mut attrs = vec![]; for py_attr in py_rdn.iter()? { - attrs.push(encode_name_entry(py, py_attr?)?); + attrs.push(encode_name_entry(py, &py_attr?)?); } rdns.push(asn1::SetOfWriter::new(attrs)); } @@ -53,7 +53,7 @@ pub(crate) fn encode_name<'p>( pub(crate) fn encode_name_entry<'p>( py: pyo3::Python<'p>, - py_name_entry: &'p pyo3::PyAny, + py_name_entry: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { let attr_type = py_name_entry.getattr(pyo3::intern!(py, "_type"))?; let tag = attr_type @@ -91,20 +91,20 @@ pub(crate) fn encode_name_entry<'p>( #[pyo3::prelude::pyfunction] fn encode_name_bytes<'p>( py: pyo3::Python<'p>, - py_name: &'p pyo3::PyAny, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { + py_name: &pyo3::Bound<'p, pyo3::PyAny>, +) -> CryptographyResult> { let name = encode_name(py, py_name)?; let result = asn1::write_single(&name)?; - Ok(pyo3::types::PyBytes::new(py, &result)) + Ok(pyo3::types::PyBytes::new_bound(py, &result)) } pub(crate) fn encode_general_names<'a>( py: pyo3::Python<'a>, - py_gns: &'a pyo3::PyAny, + py_gns: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result>, CryptographyError> { let mut gns = vec![]; for el in py_gns.iter()? { - let gn = encode_general_name(py, el?)?; + let gn = encode_general_name(py, &el?)?; gns.push(gn); } Ok(gns) 
@@ -112,9 +112,9 @@ pub(crate) fn encode_general_names<'a>( pub(crate) fn encode_general_name<'a>( py: pyo3::Python<'a>, - gn: &'a pyo3::PyAny, + gn: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result, CryptographyError> { - let gn_type = gn.get_type().as_ref(); + let gn_type = gn.get_type(); let gn_value = gn.getattr(pyo3::intern!(py, "value"))?; if gn_type.is(types::DNS_NAME.get(py)?) { @@ -126,7 +126,7 @@ pub(crate) fn encode_general_name<'a>( gn_value.extract::<&str>()?, ))) } else if gn_type.is(types::DIRECTORY_NAME.get(py)?) { - let name = encode_name(py, gn_value)?; + let name = encode_name(py, &gn_value)?; Ok(GeneralName::DirectoryName(name)) } else if gn_type.is(types::OTHER_NAME.get(py)?) { let py_oid = gn @@ -162,7 +162,7 @@ pub(crate) fn encode_general_name<'a>( pub(crate) fn encode_access_descriptions<'a>( py: pyo3::Python<'a>, - py_ads: &'a pyo3::PyAny, + py_ads: &pyo3::Bound<'a, pyo3::PyAny>, ) -> CryptographyResult> { let mut ads = vec![]; for py_ad in py_ads.iter()? { @@ -173,7 +173,7 @@ pub(crate) fn encode_access_descriptions<'a>( .to_owned(); let access_method = py_oid_to_oid(py_oid)?; let access_location = - encode_general_name(py, py_ad.getattr(pyo3::intern!(py, "access_location"))?)?; + encode_general_name(py, &py_ad.getattr(pyo3::intern!(py, "access_location"))?)?; ads.push(AccessDescription { access_method, access_location, @@ -185,13 +185,13 @@ pub(crate) fn encode_access_descriptions<'a>( pub(crate) fn parse_name<'p>( py: pyo3::Python<'p>, name: &NameReadable<'_>, -) -> Result<&'p pyo3::PyAny, CryptographyError> { - let py_rdns = pyo3::types::PyList::empty(py); +) -> Result, CryptographyError> { + let py_rdns = pyo3::types::PyList::empty_bound(py); for rdn in name.clone() { let py_rdn = parse_rdn(py, &rdn)?; py_rdns.append(py_rdn)?; } - Ok(types::NAME.get(py)?.call1((py_rdns,))?) + Ok(types::NAME.get_bound(py)?.call1((py_rdns,))?) } fn parse_name_attribute( 
@@ -240,7 +240,7 @@ pub(crate) fn parse_rdn<'a>( py: pyo3::Python<'_>, rdn: &asn1::SetOf<'a, AttributeTypeValue<'a>>, ) -> Result { - let py_attrs = pyo3::types::PyList::empty(py); + let py_attrs = pyo3::types::PyList::empty_bound(py); for attribute in rdn.clone() { let na = parse_name_attribute(py, attribute)?; py_attrs.append(na)?; @@ -314,7 +314,7 @@ pub(crate) fn parse_general_names<'a>( py: pyo3::Python<'_>, gn_seq: &asn1::SequenceOf<'a, GeneralName<'a>>, ) -> Result { - let gns = pyo3::types::PyList::empty(py); + let gns = pyo3::types::PyList::empty_bound(py); for gn in gn_seq.clone() { let py_gn = parse_general_name(py, gn)?; gns.append(py_gn)?; @@ -341,7 +341,7 @@ fn create_ip_network( }; let base = types::IPADDRESS_IPADDRESS .get(py)? - .call1((pyo3::types::PyBytes::new(py, &data[..data.len() / 2]),))?; + .call1((pyo3::types::PyBytes::new_bound(py, &data[..data.len() / 2]),))?; let net = format!( "{}/{}", base.getattr(pyo3::intern!(py, "exploded"))? @@ -392,7 +392,7 @@ pub(crate) fn parse_and_cache_extensions< } }; - let exts = pyo3::types::PyList::empty(py); + let exts = pyo3::types::PyList::empty_bound(py); for raw_ext in extensions.iter() { let oid_obj = oid_to_py_oid(py, &raw_ext.extn_id)?; @@ -448,11 +448,11 @@ pub(crate) fn encode_extensions< match encode_ext(py, &oid, ext_val)? { Some(data) => { // TODO: extra copy - let py_data = pyo3::types::PyBytes::new(py, &data); + let py_data = pyo3::types::PyBytes::new_bound(py, &data); exts.push(Extension { extn_id: oid, critical: py_ext.getattr(pyo3::intern!(py, "critical"))?.extract()?, - extn_value: py_data.as_bytes(), + extn_value: py_data.extract()?, }); } None => { 
@@ -474,12 +474,12 @@ pub(crate) fn encode_extensions< fn encode_extension_value<'p>( py: pyo3::Python<'p>, py_ext: pyo3::Bound<'p, pyo3::PyAny>, -) -> pyo3::PyResult<&'p pyo3::types::PyBytes> { +) -> pyo3::PyResult> { let oid = py_oid_to_oid(py_ext.getattr(pyo3::intern!(py, "oid"))?)?; if let Some(data) = x509::extensions::encode_extension(py, &oid, py_ext.into_gil_ref())? { // TODO: extra copy - let py_data = pyo3::types::PyBytes::new(py, &data); + let py_data = pyo3::types::PyBytes::new_bound(py, &data); return Ok(py_data); } diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 529e499fcb72..ba7361d0664a 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -250,7 +250,8 @@ impl CertificateRevocationList { .tbs_cert_list .issuer .unwrap_read(), - )?) + )? + .into_gil_ref()) } #[getter] @@ -656,7 +657,7 @@ fn create_x509_crl( let tbs_cert_list = crl::TBSCertList { version: Some(1), signature: sigalg.clone(), - issuer: x509::common::encode_name(py, py_issuer_name)?, + issuer: x509::common::encode_name(py, &py_issuer_name.as_borrowed())?, this_update: x509::certificate::time_from_py(py, &py_this_update.as_borrowed())?, next_update: Some(x509::certificate::time_from_py( py, diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 999276fa3e62..16617bf9de04 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -8,7 +8,7 @@ use std::hash::{Hash, Hasher}; use asn1::SimpleAsn1Readable; use cryptography_x509::csr::{check_attribute_length, Attribute, CertificationRequestInfo, Csr}; use cryptography_x509::{common, oid}; -use pyo3::IntoPy; +use pyo3::{IntoPy, PyNativeType}; use crate::asn1::{encode_der_data, oid_to_py_oid, py_oid_to_oid}; use crate::backend::keys; @@ -70,7 +70,8 @@ impl CertificateSigningRequest { Ok(x509::parse_name( py, self.raw.borrow_dependent().csr_info.subject.unwrap_read(), - )?) + )? + .into_gil_ref()) } #[getter] 
@@ -345,7 +346,7 @@ fn create_x509_csr( let csr_info = CertificationRequestInfo { version: 0, - subject: x509::common::encode_name(py, py_subject_name)?, + subject: x509::common::encode_name(py, &py_subject_name.as_borrowed())?, spki: asn1::parse_single(spki_bytes)?, attributes: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(attrs)), }; diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index d618fb29fa1a..beed9cda9b3a 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -20,7 +20,7 @@ fn encode_general_subtrees<'a>( } else { let mut subtree_seq = vec![]; for name in subtrees.iter()? { - let gn = x509::common::encode_general_name(py, name?)?; + let gn = x509::common::encode_general_name(py, &name?.as_borrowed())?; subtree_seq.push(extensions::GeneralSubtree { base: gn, minimum: 0, @@ -45,7 +45,7 @@ pub(crate) fn encode_authority_key_identifier<'a>( } let aki = py_aki.extract::>()?; let authority_cert_issuer = if let Some(authority_cert_issuer) = aki.authority_cert_issuer { - let gns = x509::common::encode_general_names(py, authority_cert_issuer)?; + let gns = x509::common::encode_general_names(py, &authority_cert_issuer.as_borrowed())?; Some(common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(gns), )) @@ -83,7 +83,7 @@ pub(crate) fn encode_distribution_points<'p>( let py_dp = py_dp?.extract::>()?; let crl_issuer = if let Some(py_crl_issuer) = py_dp.crl_issuer { - let gns = x509::common::encode_general_names(py, py_crl_issuer)?; + let gns = x509::common::encode_general_names(py, &py_crl_issuer.as_borrowed())?; Some(common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(gns), )) 
@@ -91,14 +91,15 @@ pub(crate) fn encode_distribution_points<'p>( None }; let distribution_point = if let Some(py_full_name) = py_dp.full_name { - let gns = x509::common::encode_general_names(py, py_full_name)?; + let gns = x509::common::encode_general_names(py, &py_full_name.as_borrowed())?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) } else if let Some(py_relative_name) = py_dp.relative_name { let mut name_entries = vec![]; for py_name_entry in py_relative_name.iter()? { - name_entries.push(x509::common::encode_name_entry(py, py_name_entry?)?); + let bound_name_entry = &py_name_entry?.as_borrowed(); + name_entries.push(x509::common::encode_name_entry(py, bound_name_entry)?); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(name_entries)), @@ -317,7 +318,7 @@ fn encode_issuing_distribution_point( }; let distribution_point = if ext.getattr(pyo3::intern!(py, "full_name"))?.is_truthy()? { let py_full_name = ext.getattr(pyo3::intern!(py, "full_name"))?; - let gns = x509::common::encode_general_names(ext.py(), py_full_name)?; + let gns = x509::common::encode_general_names(ext.py(), &py_full_name.as_borrowed())?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) @@ -327,7 +328,8 @@ fn encode_issuing_distribution_point( { let mut name_entries = vec![]; for py_name_entry in ext.getattr(pyo3::intern!(py, "relative_name"))?.iter()? { - name_entries.push(x509::common::encode_name_entry(ext.py(), py_name_entry?)?); + let bound_name_entry = &py_name_entry?.as_borrowed(); + name_entries.push(x509::common::encode_name_entry(ext.py(), bound_name_entry)?); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(name_entries)), 
@@ -413,7 +415,7 @@ pub(crate) fn encode_extension( Ok(Some(der)) } &oid::AUTHORITY_INFORMATION_ACCESS_OID | &oid::SUBJECT_INFORMATION_ACCESS_OID => { - let der = x509::common::encode_access_descriptions(ext.py(), ext)?; + let der = x509::common::encode_access_descriptions(ext.py(), &ext.as_borrowed())?; Ok(Some(der)) } &oid::EXTENDED_KEY_USAGE_OID | &oid::ACCEPTABLE_RESPONSES_OID => { @@ -456,7 +458,7 @@ pub(crate) fn encode_extension( )?)) } &oid::ISSUER_ALTERNATIVE_NAME_OID | &oid::SUBJECT_ALTERNATIVE_NAME_OID => { - let gns = x509::common::encode_general_names(ext.py(), ext)?; + let gns = x509::common::encode_general_names(ext.py(), &ext.as_borrowed())?; Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::AUTHORITY_KEY_IDENTIFIER_OID => { @@ -486,7 +488,7 @@ pub(crate) fn encode_extension( Ok(Some(asn1::write_single(&asn1::Enumerated::new(value))?)) } &oid::CERTIFICATE_ISSUER_OID => { - let gns = x509::common::encode_general_names(ext.py(), ext)?; + let gns = x509::common::encode_general_names(ext.py(), &ext.as_borrowed())?; Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::INVALIDITY_DATE_OID => { diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 7d93fde6fc6a..76faa1b1ad31 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -148,7 +148,7 @@ impl OCSPResponse { let resp = self.requires_successful_response()?; match resp.tbs_response_data.responder_id { ocsp_resp::ResponderId::ByName(ref name) => { - Ok(x509::parse_name(py, name.unwrap_read())?) + Ok(x509::parse_name(py, name.unwrap_read())?.into_gil_ref()) } ocsp_resp::ResponderId::ByKey(_) => Ok(py.None().into_ref(py)), } From 0a6d3ea7502e0671b8b224376f828db3bb780b82 Mon Sep 17 00:00:00 2001 
From: Facundo Tuesca Date: Fri, 5 Apr 2024 14:12:39 +0200 Subject: [PATCH 0385/1462] Start converting `src/x509/csr.rs` to new pyo3 APIs (#10733) --- src/rust/src/x509/csr.rs | 79 ++++++++++++++++++++++++++-------------- 1 file changed, 51 insertions(+), 28 deletions(-) diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 16617bf9de04..55031adf0418 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -8,7 +8,8 @@ use std::hash::{Hash, Hasher}; use asn1::SimpleAsn1Readable; use cryptography_x509::csr::{check_attribute_length, Attribute, CertificationRequestInfo, Csr}; use cryptography_x509::{common, oid}; -use pyo3::{IntoPy, PyNativeType}; +use pyo3::prelude::{PyAnyMethods, PyListMethods}; +use pyo3::IntoPy; use crate::asn1::{encode_der_data, oid_to_py_oid, py_oid_to_oid}; use crate::backend::keys; @@ -78,14 +79,14 @@ impl CertificateSigningRequest { fn tbs_certrequest_bytes<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let result = asn1::write_single(&self.raw.borrow_dependent().csr_info)?; - Ok(pyo3::types::PyBytes::new(py, &result)) + Ok(pyo3::types::PyBytes::new_bound(py, &result)) } #[getter] - fn signature<'p>(&self, py: pyo3::Python<'p>) -> &'p pyo3::types::PyBytes { - pyo3::types::PyBytes::new(py, self.raw.borrow_dependent().signature.as_bytes()) + fn signature<'p>(&self, py: pyo3::Python<'p>) -> pyo3::Bound<'p, pyo3::types::PyBytes> { + pyo3::types::PyBytes::new_bound(py, self.raw.borrow_dependent().signature.as_bytes()) } #[getter] 
@@ -118,21 +119,26 @@ impl CertificateSigningRequest { fn public_bytes<'p>( &self, py: pyo3::Python<'p>, - encoding: &'p pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { let result = asn1::write_single(self.raw.borrow_dependent())?; - encode_der_data(py, "CERTIFICATE REQUEST".to_string(), result, encoding) + encode_der_data( + py, + "CERTIFICATE REQUEST".to_string(), + result, + encoding.clone().into_gil_ref(), + ) } fn get_attribute_for_oid<'p>( &self, py: pyo3::Python<'p>, oid: pyo3::Bound<'p, pyo3::PyAny>, - ) -> pyo3::PyResult<&'p pyo3::PyAny> { - let warning_cls = types::DEPRECATED_IN_36.get(py)?; + ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_36.get_bound(py)?; let warning_msg = "CertificateSigningRequest.get_attribute_for_oid has been deprecated. Please switch to request.attributes.get_attribute_for_oid."; - pyo3::PyErr::warn(py, warning_cls, warning_msg, 1)?; + pyo3::PyErr::warn_bound(py, &warning_cls, warning_msg, 1)?; let rust_oid = py_oid_to_oid(oid.clone())?; for attribute in self @@ -155,7 +161,7 @@ impl CertificateSigningRequest { || val.tag() == asn1::PrintableString::TAG || val.tag() == asn1::IA5String::TAG { - return Ok(pyo3::types::PyBytes::new(py, val.data())); + return Ok(pyo3::types::PyBytes::new_bound(py, val.data()).into_any()); } return Err(pyo3::exceptions::PyValueError::new_err(format!( "OID {} has a disallowed ASN.1 type: {:?}", @@ -171,8 +177,8 @@ impl CertificateSigningRequest { } #[getter] - fn attributes<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - let pyattrs = pyo3::types::PyList::empty(py); + fn attributes<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { + let pyattrs = pyo3::types::PyList::empty_bound(py); for attribute in self .raw .borrow_dependent() 
@@ -188,16 +194,18 @@ impl CertificateSigningRequest { })?; let oid = oid_to_py_oid(py, &attribute.type_id)?; let val = attribute.values.unwrap_read().clone().next().unwrap(); - let serialized = pyo3::types::PyBytes::new(py, val.data()); + let serialized = pyo3::types::PyBytes::new_bound(py, val.data()); let tag = val.tag().as_u8().ok_or_else(|| { CryptographyError::from(pyo3::exceptions::PyValueError::new_err( "Long-form tags are not supported in CSR attribute values", )) })?; - let pyattr = types::ATTRIBUTE.get(py)?.call1((oid, serialized, tag))?; + let pyattr = types::ATTRIBUTE + .get_bound(py)? + .call1((oid, serialized, tag))?; pyattrs.append(pyattr)?; } - types::ATTRIBUTES.get(py)?.call1((pyattrs,)) + types::ATTRIBUTES.get_bound(py)?.call1((pyattrs,)) } #[getter] @@ -226,7 +234,7 @@ impl CertificateSigningRequest { let public_key = slf.public_key(py)?; Ok(sign::verify_signature_with_signature_algorithm( py, - public_key.as_ref(py), + public_key.bind(py).clone().into_gil_ref(), &slf.raw.borrow_dependent().signature_alg, slf.raw.borrow_dependent().signature.as_bytes(), &asn1::write_single(&slf.raw.borrow_dependent().csr_info)?, @@ -252,7 +260,7 @@ fn load_pem_x509_csr( )?; load_der_x509_csr( py, - pyo3::types::PyBytes::new(py, parsed.contents()).into_py(py), + pyo3::types::PyBytes::new_bound(py, parsed.contents()).unbind(), None, ) } 
@@ -286,13 +294,17 @@ fn load_der_x509_csr( #[pyo3::prelude::pyfunction] fn create_x509_csr( py: pyo3::Python<'_>, - builder: &pyo3::PyAny, - private_key: &pyo3::PyAny, - hash_algorithm: &pyo3::PyAny, - rsa_padding: &pyo3::PyAny, + builder: &pyo3::Bound<'_, pyo3::PyAny>, + private_key: &pyo3::Bound<'_, pyo3::PyAny>, + hash_algorithm: &pyo3::Bound<'_, pyo3::PyAny>, + rsa_padding: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - let sigalg = - x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding)?; + let sigalg = x509::sign::compute_signature_algorithm( + py, + private_key.clone().into_gil_ref(), + hash_algorithm.clone().into_gil_ref(), + rsa_padding.clone().into_gil_ref(), + )?; let der = types::ENCODING_DER.get(py)?; let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?; @@ -305,7 +317,9 @@ fn create_x509_csr( let ext_bytes; if let Some(exts) = x509::common::encode_extensions( py, - builder.getattr(pyo3::intern!(py, "_extensions"))?, + builder + .getattr(pyo3::intern!(py, "_extensions"))? + .into_gil_ref(), x509::extensions::encode_extension, )? { ext_bytes = asn1::write_single(&exts)?; @@ -352,14 +366,23 @@ fn create_x509_csr( }; let tbs_bytes = asn1::write_single(&csr_info)?; - let signature = - x509::sign::sign_data(py, private_key, hash_algorithm, rsa_padding, &tbs_bytes)?; + let signature = x509::sign::sign_data( + py, + private_key.clone().into_gil_ref(), + hash_algorithm.clone().into_gil_ref(), + rsa_padding.clone().into_gil_ref(), + &tbs_bytes, + )?; let data = asn1::write_single(&Csr { csr_info, signature_alg: sigalg, signature: asn1::BitString::new(signature, 0).unwrap(), })?; - load_der_x509_csr(py, pyo3::types::PyBytes::new(py, &data).into_py(py), None) + load_der_x509_csr( + py, + pyo3::types::PyBytes::new_bound(py, &data).clone().unbind(), + None, + ) } pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { 
From 533b35d775d4d8ec18605a3d2cabc9d01272e948 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 08:33:32 -0400 Subject: [PATCH 0386/1462] Remove gil-refs feature from cryptography-cffi (#10735) It doesn't need it --- src/rust/cryptography-cffi/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 5ef7438651e6..3251e6622d1d 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.65.0" [dependencies] -pyo3 = { version = "0.21.1", features = ["abi3", "gil-refs"] } +pyo3 = { version = "0.21.1", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] From 62607e9f1f61a94b991e200485644fbca7ac1d90 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 5 Apr 2024 07:35:07 -0500 Subject: [PATCH 0387/1462] Bump jaraco-context from 4.3.0 to 5.1.0 in /.github/requirements (#10731) * Bump jaraco-context from 4.3.0 to 5.1.0 in /.github/requirements Bumps [jaraco-context](https://github.com/jaraco/jaraco.context) from 4.3.0 to 5.1.0. - [Release notes](https://github.com/jaraco/jaraco.context/releases) - [Changelog](https://github.com/jaraco/jaraco.context/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/jaraco.context/compare/v4.3.0...v5.1.0) --- updated-dependencies: - dependency-name: jaraco-context dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 160ac650d276..2444daad6f2f 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -250,9 +250,9 @@ jaraco-classes==3.4.0 \ --hash=sha256:47a024b51d0239c0dd8c8540c6c7f484be3b8fcf0b2d85c13825780d3b3f3acd \ --hash=sha256:f662826b6bed8cace05e7ff873ce0f9283b5c924470fe664fff1c2f00f581790 # via keyring -jaraco-context==4.3.0 \ - --hash=sha256:4dad2404540b936a20acedec53355bdaea223acb88fd329fa6de9261c941566e \ - --hash=sha256:5d9e95ca0faa78943ed66f6bc658dd637430f16125d86988e77844c741ff2f11 +jaraco-context==5.1.0 \ + --hash=sha256:0e4161ebbaeead78850b4ca5465b5853217cf23ad74ec82d00ebfb69d8ea5fcb \ + --hash=sha256:24ec1f739aec2c5766c68027ccc70d91d7b0cb931699442f5c7ed93515b955e7 # via keyring jaraco-functools==4.0.0 \ --hash=sha256:c279cb24c93d694ef7270f970d499cab4d3813f4e08273f95398651a634f0925 \ From 4d8945d754fc33a92fe2688f5aeb0fa73083be01 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 08:37:19 -0400 Subject: [PATCH 0388/1462] Convert `src/backend/ed448.rs` to new pyo3 APIs (#10725) --- src/rust/src/backend/ed448.rs | 26 +++++++++++++++----------- src/rust/src/backend/mod.rs | 2 +- 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index 9d9bf485cd61..ef6c193e1fa7 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -6,6 +6,7 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; +use pyo3::prelude::PyModuleMethods; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed448")] pub(crate) struct Ed448PrivateKey { 
@@ -65,9 +66,10 @@ impl Ed448PrivateKey { &self, py: pyo3::Python<'p>, data: CffiBuf<'_>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut signer = openssl::sign::Signer::new_without_digest(&self.pkey)?; - Ok(pyo3::types::PyBytes::new_with(py, signer.len()?, |b| { + let len = signer.len()?; + Ok(pyo3::types::PyBytes::new_bound_with(py, len, |b| { let n = signer .sign_oneshot(b, data.as_bytes()) .map_err(CryptographyError::from)?; @@ -89,9 +91,9 @@ impl Ed448PrivateKey { fn private_bytes_raw<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_private_key()?; - Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) } fn private_bytes<'p>( @@ -132,9 +134,9 @@ impl Ed448PublicKey { fn public_bytes_raw<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_public_key()?; - Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) } fn public_bytes<'p>( @@ -155,11 +157,13 @@ impl Ed448PublicKey { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "ed448")?; - m.add_function(pyo3::wrap_pyfunction!(generate_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_private_bytes, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_public_bytes, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "ed448")?; + m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; m.add_class::()?; m.add_class::()?; 
diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index a460812d8ca3..062b9a85ecf5 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -34,7 +34,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(ed25519::create_module(module.py())?.into_gil_ref())?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - module.add_submodule(ed448::create_module(module.py())?)?; + module.add_submodule(ed448::create_module(module.py())?.into_gil_ref())?; module.add_submodule(x25519::create_module(module.py())?.into_gil_ref())?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] From 9d7e72149802ab5b90de7bdee835d8e61c83af91 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 08:46:12 -0400 Subject: [PATCH 0389/1462] Convert part of `crl.rs` to new pyo3 APIs (#10724) --- src/rust/src/x509/crl.rs | 116 +++++++++++++++++++++------------ src/rust/src/x509/ocsp_resp.rs | 2 +- 2 files changed, 74 insertions(+), 44 deletions(-) diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index ba7361d0664a..7c935bf2a7d9 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -13,7 +13,8 @@ use cryptography_x509::{ }, name, oid, }; -use pyo3::{IntoPy, PyNativeType, ToPyObject}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PySliceMethods}; +use pyo3::{PyNativeType, ToPyObject}; use crate::asn1::{ big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, @@ -67,7 +68,7 @@ fn load_pem_x509_crl( )?; load_der_x509_crl( py, - pyo3::types::PyBytes::new(py, block.contents()).into_py(py), + pyo3::types::PyBytes::new_bound(py, block.contents()).unbind(), None, ) } 
@@ -138,7 +139,7 @@ impl CertificateRevocationList { fn __getitem__( &self, py: pyo3::Python<'_>, - idx: &pyo3::PyAny, + idx: pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { self.revoked_certs.get_or_init(py, || { let mut revoked_certs = vec![]; @@ -153,9 +154,9 @@ impl CertificateRevocationList { let indices = idx .downcast::()? .indices(self.len().try_into().unwrap())?; - let result = pyo3::types::PyList::empty(py); + let result = pyo3::types::PyList::empty_bound(py); for i in (indices.start..indices.stop).step_by(indices.step.try_into().unwrap()) { - let revoked_cert = pyo3::PyCell::new(py, self.revoked_cert(py, i as usize))?; + let revoked_cert = pyo3::Bound::new(py, self.revoked_cert(py, i as usize))?; result.append(revoked_cert)?; } Ok(result.to_object(py)) @@ -167,20 +168,20 @@ impl CertificateRevocationList { if idx >= (self.len() as isize) || idx < 0 { return Err(pyo3::exceptions::PyIndexError::new_err(())); } - Ok(pyo3::PyCell::new(py, self.revoked_cert(py, idx as usize))?.to_object(py)) + Ok(pyo3::Bound::new(py, self.revoked_cert(py, idx as usize))?.to_object(py)) } } fn fingerprint<'p>( &self, py: pyo3::Python<'p>, - algorithm: &pyo3::PyAny, - ) -> pyo3::PyResult<&'p pyo3::PyAny> { + algorithm: pyo3::Bound<'_, pyo3::PyAny>, + ) -> pyo3::PyResult> { let data = self.public_bytes_der()?; let mut h = Hash::new(py, &algorithm.as_borrowed(), None)?; h.update_bytes(&data)?; - Ok(h.finalize(py)?.into_gil_ref()) + Ok(h.finalize(py)?) } #[getter] 
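Review bot: In the slice branch of `__getitem__` (the `@@ -153,9 +154,9 @@` hunk), `indices.step.try_into().unwrap()` still converts the signed slice step to `usize`, so a caller-supplied negative step such as `crl[::-1]` would hit the `unwrap()` and panic rather than raise an ordinary Python exception. Since the branch is being touched anyway, convert the step fallibly, for example `let step = usize::try_from(indices.step).map_err(|_| pyo3::exceptions::PyValueError::new_err("negative slice step is not supported"))?;`, and pass `step` to `step_by`. Only part of `__getitem__` is visible across these hunks, so any handling outside them cannot be confirmed from here.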
@@ -226,19 +227,19 @@ impl CertificateRevocationList { fn tbs_certlist_bytes<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let b = asn1::write_single(&self.owned.borrow_dependent().tbs_cert_list)?; - Ok(pyo3::types::PyBytes::new(py, &b)) + Ok(pyo3::types::PyBytes::new_bound(py, &b)) } fn public_bytes<'p>( &self, py: pyo3::Python<'p>, - encoding: &'p pyo3::PyAny, + encoding: pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { let result = asn1::write_single(&self.owned.borrow_dependent())?; - encode_der_data(py, "X509 CRL".to_string(), result, encoding) + encode_der_data(py, "X509 CRL".to_string(), result, encoding.into_gil_ref()) } #[getter] 
@@ -255,45 +256,60 @@ impl CertificateRevocationList { } #[getter] - fn next_update<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - let warning_cls = types::DEPRECATED_IN_42.get(py)?; - pyo3::PyErr::warn( + fn next_update<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + pyo3::PyErr::warn_bound( py, - warning_cls, + &warning_cls, "Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.", 1, )?; match &self.owned.borrow_dependent().tbs_cert_list.next_update { - Some(t) => x509::datetime_to_py(py, t.as_datetime()), - None => Ok(py.None().into_ref(py)), + Some(t) => Ok(x509::datetime_to_py(py, t.as_datetime())? + .as_borrowed() + .to_owned()), + None => Ok(py.None().bind(py).clone()), } } #[getter] - fn next_update_utc<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn next_update_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { match &self.owned.borrow_dependent().tbs_cert_list.next_update { - Some(t) => x509::datetime_to_py_utc(py, t.as_datetime()), - None => Ok(py.None().into_ref(py)), + Some(t) => Ok(x509::datetime_to_py_utc(py, t.as_datetime())? + .as_borrowed() + .to_owned()), + None => Ok(py.None().bind(py).clone()), } } #[getter] - fn last_update<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - let warning_cls = types::DEPRECATED_IN_42.get(py)?; - pyo3::PyErr::warn( + fn last_update<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + pyo3::PyErr::warn_bound( py, - warning_cls, + &warning_cls, "Properties that return a naïve datetime object have been deprecated. Please switch to last_update_utc.", 1, )?; - x509::datetime_to_py( + Ok(x509::datetime_to_py( py, self.owned .borrow_dependent() .tbs_cert_list .this_update .as_datetime(), - ) + )? 
+ .as_borrowed() + .to_owned()) } #[getter] @@ -408,7 +424,7 @@ impl CertificateRevocationList { fn is_signature_valid<'p>( slf: pyo3::PyRef<'_, Self>, py: pyo3::Python<'p>, - public_key: &'p pyo3::PyAny, + public_key: pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult { if slf.owned.borrow_dependent().tbs_cert_list.signature != slf.owned.borrow_dependent().signature_algorithm @@ -418,11 +434,11 @@ impl CertificateRevocationList { // Error on invalid public key -- below we treat any error as just // being an invalid signature. - sign::identify_public_key_type(py, public_key)?; + sign::identify_public_key_type(py, public_key.clone().into_gil_ref())?; Ok(sign::verify_signature_with_signature_algorithm( py, - public_key, + public_key.into_gil_ref(), &slf.owned.borrow_dependent().signature_algorithm, slf.owned.borrow_dependent().signature_value.as_bytes(), &asn1::write_single(&slf.owned.borrow_dependent().tbs_cert_list)?, 
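Review bot: In the `None` arms of `next_update` and `next_update_utc` (the `@@ -255,45 +256,60 @@` hunk), `py.None().bind(py).clone()` borrows the owned handle and then clones it, where `py.None().into_bound(py)` converts it directly and reads more plainly. The `.as_borrowed().to_owned()` chains on the `x509::datetime_to_py` and `x509::datetime_to_py_utc` results look like a transitional bridge from the old reference type. A short comment such as `// TODO: drop once datetime_to_py returns a Bound` would tell the next reader that it is meant to go away.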
@@ -533,26 +549,36 @@ impl RevokedCertificate { } #[getter] - fn revocation_date<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - let warning_cls = types::DEPRECATED_IN_42.get(py)?; - pyo3::PyErr::warn( + fn revocation_date<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + pyo3::PyErr::warn_bound( py, - warning_cls, + &warning_cls, "Properties that return a naïve datetime object have been deprecated. Please switch to revocation_date_utc.", 1, )?; - x509::datetime_to_py( + Ok(x509::datetime_to_py( py, self.owned.borrow_dependent().revocation_date.as_datetime(), - ) + )? + .as_borrowed() + .to_owned()) } #[getter] - fn revocation_date_utc<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - x509::datetime_to_py_utc( + fn revocation_date_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + Ok(x509::datetime_to_py_utc( py, self.owned.borrow_dependent().revocation_date.as_datetime(), - ) + )? + .as_borrowed() + .to_owned()) } #[getter] @@ -569,7 +595,7 @@ impl RevokedCertificate { pub(crate) fn parse_crl_reason_flags<'p>( py: pyo3::Python<'p>, reason: &crl::CRLReason, -) -> CryptographyResult<&'p pyo3::PyAny> { +) -> CryptographyResult> { let flag_name = match reason.value() { 0 => "unspecified", 1 => "key_compromise", @@ -589,7 +615,7 @@ pub(crate) fn parse_crl_reason_flags<'p>( )) } }; - Ok(types::REASON_FLAGS.get(py)?.getattr(flag_name)?) + Ok(types::REASON_FLAGS.get_bound(py)?.getattr(flag_name)?) } pub fn parse_crl_entry_ext<'p>( @@ -685,7 +711,11 @@ fn create_x509_crl( signature_algorithm: sigalg, signature_value: asn1::BitString::new(signature, 0).unwrap(), })?; - load_der_x509_crl(py, pyo3::types::PyBytes::new(py, &data).into_py(py), None) + load_der_x509_crl( + py, + pyo3::types::PyBytes::new_bound(py, &data).unbind(), + None, + ) } pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { 
diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 76faa1b1ad31..89c5a0d25e7b 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -518,7 +518,7 @@ fn singleresp_py_revocation_reason<'p>( ) -> CryptographyResult<&'p pyo3::PyAny> { match &resp.cert_status { ocsp_resp::CertStatus::Revoked(revoked_info) => match revoked_info.revocation_reason { - Some(ref v) => crl::parse_crl_reason_flags(py, v), + Some(ref v) => Ok(crl::parse_crl_reason_flags(py, v)?.into_gil_ref()), None => Ok(py.None().into_ref(py)), }, ocsp_resp::CertStatus::Good(_) | ocsp_resp::CertStatus::Unknown(_) => { From afe3951956dd737a04fae369d21e8c5e56dff644 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 15:36:21 +0200 Subject: [PATCH 0390/1462] Start converting `src/x509/verify.rs` to new pyo3 APIs (#10736) * Start converting `src/x509/verify.rs` to new pyo3 APIs * Fix errors with temp values being dropped * Fix error when using `Bound::to_str` in Python<3.10 * Remove extra clone() call * Add TODO message --- src/rust/src/x509/verify.rs | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 2c65f6327103..23d865df7191 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -11,7 +11,7 @@ use cryptography_x509_verification::{ trust_store::Store, types::{DNSName, IPAddress}, }; -use pyo3::IntoPy; +use pyo3::prelude::{PyAnyMethods, PyListMethods}; use crate::backend::keys; use crate::error::{CryptographyError, CryptographyResult}; @@ -75,7 +75,7 @@ impl PolicyBuilder { fn time( &self, py: pyo3::Python<'_>, - new_time: &pyo3::PyAny, + new_time: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { if self.time.is_some() { return Err(CryptographyError::from( 
@@ -85,7 +85,7 @@ impl PolicyBuilder { )); } Ok(PolicyBuilder { - time: Some(py_to_datetime(py, new_time)?), + time: Some(py_to_datetime(py, new_time.clone().into_gil_ref())?), store: self.store.as_ref().map(|s| s.clone_ref(py)), max_chain_depth: self.max_chain_depth, }) @@ -273,7 +273,7 @@ impl PyClientVerifier { ) .map_err(|e| VerificationError::new_err(format!("validation failed: {e:?}")))?; - let py_chain = pyo3::types::PyList::empty(py); + let py_chain = pyo3::types::PyList::empty_bound(py); for c in &chain { py_chain.append(c.extra())?; } @@ -293,7 +293,7 @@ impl PyClientVerifier { Ok(PyVerifiedClient { subjects: py_gns, - chain: py_chain.into_py(py), + chain: py_chain.unbind(), }) } } @@ -334,7 +334,7 @@ impl PyServerVerifier { py: pyo3::Python<'p>, leaf: pyo3::Py, intermediates: Vec>, - ) -> CryptographyResult<&'p pyo3::types::PyList> { + ) -> CryptographyResult> { let policy = self.as_policy(); let store = self.store.get(); @@ -354,7 +354,7 @@ impl PyServerVerifier { ) .map_err(|e| VerificationError::new_err(format!("validation failed: {e:?}")))?; - let result = pyo3::types::PyList::empty(py); + let result = pyo3::types::PyList::empty_bound(py); for c in chain { result.append(c.extra())?; } 
@@ -366,21 +366,22 @@ fn build_subject_owner( py: pyo3::Python<'_>, subject: &pyo3::Py, ) -> pyo3::PyResult { - let subject = subject.as_ref(py); + let subject = subject.bind(py); - if subject.is_instance(types::DNS_NAME.get(py)?)? { + if subject.is_instance(&types::DNS_NAME.get_bound(py)?)? { let value = subject .getattr(pyo3::intern!(py, "value"))? - .downcast::()?; - - Ok(SubjectOwner::DNSName(value.to_str()?.to_owned())) - } else if subject.is_instance(types::IP_ADDRESS.get(py)?)? { + // TODO: switch this to borrowing the string (using Bound::to_str) once our + // minimum Python version is 3.10 + .extract::()?; + Ok(SubjectOwner::DNSName(value)) + } else if subject.is_instance(&types::IP_ADDRESS.get_bound(py)?)? { let value = subject .getattr(pyo3::intern!(py, "_packed"))? .call0()? - .downcast::()?; - - Ok(SubjectOwner::IPAddress(value.into())) + .downcast::()? + .clone(); + Ok(SubjectOwner::IPAddress(value.unbind())) } else { Err(pyo3::exceptions::PyTypeError::new_err( "unsupported subject type", @@ -458,7 +459,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_class::()?; module.add( "VerificationError", - module.py().get_type::(), + module.py().get_type_bound::(), )?; Ok(()) From f79b6a1e0f4c23a081128c21ef62e2500956be09 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 10:01:10 -0400 Subject: [PATCH 0391/1462] Convert more datetime functions to new pyo3 APIs (#10737) --- src/rust/src/x509/certificate.rs | 2 +- src/rust/src/x509/common.rs | 18 +++++----- src/rust/src/x509/crl.rs | 23 ++++++------ src/rust/src/x509/extensions.rs | 6 +++- src/rust/src/x509/ocsp_resp.rs | 60 +++++++++++++++++++++++--------- src/rust/src/x509/verify.rs | 14 +++++--- 6 files changed, 78 insertions(+), 45 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 12b996609f3a..7ee3f8709920 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs 
@@ -900,7 +900,7 @@ pub(crate) fn time_from_py( py: pyo3::Python<'_>, val: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - let dt = x509::py_to_datetime(py, val.clone().into_gil_ref())?; + let dt = x509::py_to_datetime(py, val.clone())?; time_from_datetime(dt) } diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 176eb6050901..b8cf6a3e7246 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -491,8 +491,8 @@ fn encode_extension_value<'p>( pub(crate) fn datetime_to_py<'p>( py: pyo3::Python<'p>, dt: &asn1::DateTime, -) -> pyo3::PyResult<&'p pyo3::PyAny> { - types::DATETIME_DATETIME.get(py)?.call1(( +) -> pyo3::PyResult> { + types::DATETIME_DATETIME.get_bound(py)?.call1(( dt.year(), dt.month(), dt.day(), @@ -505,9 +505,9 @@ pub(crate) fn datetime_to_py<'p>( pub(crate) fn datetime_to_py_utc<'p>( py: pyo3::Python<'p>, dt: &asn1::DateTime, -) -> pyo3::PyResult<&'p pyo3::PyAny> { - let timezone = types::DATETIME_TIMEZONE_UTC.get(py)?; - types::DATETIME_DATETIME.get(py)?.call1(( +) -> pyo3::PyResult> { + let timezone = types::DATETIME_TIMEZONE_UTC.get_bound(py)?; + types::DATETIME_DATETIME.get_bound(py)?.call1(( dt.year(), dt.month(), dt.day(), @@ -521,14 +521,14 @@ pub(crate) fn datetime_to_py_utc<'p>( pub(crate) fn py_to_datetime( py: pyo3::Python<'_>, - val: &pyo3::PyAny, + val: pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { // We treat naive datetimes as UTC times, while aware datetimes get // normalized to UTC before conversion. let val_utc = if val.getattr(pyo3::intern!(py, "tzinfo"))?.is_none() { val } else { - let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; + let utc = types::DATETIME_TIMEZONE_UTC.get_bound(py)?; val.call_method1(pyo3::intern!(py, "astimezone"), (utc,))? }; 
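Review bot: In `py_to_datetime` (common.rs, the `@@ -521` hunk) the naive/aware split tests only whether `tzinfo` is `None`. Python also treats a datetime as naive when its tzinfo's `utcoffset()` returns `None`, and as far as I can tell `astimezone` then interprets the value in the host's local zone rather than as UTC, contrary to the comment above the branch. This helper is reached from `time_from_py`, the OCSP response builder and, after this commit, `PolicyBuilder::time` directly, so an off-by-offset validation time is worth ruling out. I would test the offset instead: `let val_utc = if val.call_method0(pyo3::intern!(py, "utcoffset"))?.is_none() {`. The rest of the function body is outside the hunk, so this assumes the date and time fields are read from `val_utc` afterwards.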
@@ -544,12 +544,12 @@ pub(crate) fn py_to_datetime( } pub(crate) fn datetime_now(py: pyo3::Python<'_>) -> pyo3::PyResult { - let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; + let utc = types::DATETIME_TIMEZONE_UTC.get_bound(py)?; py_to_datetime( py, types::DATETIME_DATETIME - .get(py)? + .get_bound(py)? .call_method1(pyo3::intern!(py, "now"), (utc,))?, ) } diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 7c935bf2a7d9..c776a7178285 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -268,10 +268,8 @@ impl CertificateRevocationList { 1, )?; match &self.owned.borrow_dependent().tbs_cert_list.next_update { - Some(t) => Ok(x509::datetime_to_py(py, t.as_datetime())? - .as_borrowed() - .to_owned()), - None => Ok(py.None().bind(py).clone()), + Some(t) => x509::datetime_to_py(py, t.as_datetime()), + None => Ok(py.None().into_bound(py)), } } @@ -281,10 +279,8 @@ impl CertificateRevocationList { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { match &self.owned.borrow_dependent().tbs_cert_list.next_update { - Some(t) => Ok(x509::datetime_to_py_utc(py, t.as_datetime())? - .as_borrowed() - .to_owned()), - None => Ok(py.None().bind(py).clone()), + Some(t) => x509::datetime_to_py_utc(py, t.as_datetime()), + None => Ok(py.None().into_bound(py)), } } @@ -313,7 +309,10 @@ impl CertificateRevocationList { } #[getter] - fn last_update_utc<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn last_update_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { x509::datetime_to_py_utc( py, self.owned @@ -573,12 +572,10 @@ impl RevokedCertificate { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { - Ok(x509::datetime_to_py_utc( + x509::datetime_to_py_utc( py, self.owned.borrow_dependent().revocation_date.as_datetime(), - )? - .as_borrowed() - .to_owned()) + ) } #[getter] diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index beed9cda9b3a..9bbd7443a594 100644 
--- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -492,7 +492,11 @@ pub(crate) fn encode_extension( Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::INVALIDITY_DATE_OID => { - let dt = x509::py_to_datetime(py, ext.getattr(pyo3::intern!(py, "invalidity_date"))?)?; + let py_dt = ext + .getattr(pyo3::intern!(py, "invalidity_date"))? + .as_borrowed() + .to_owned(); + let dt = x509::py_to_datetime(py, py_dt)?; Ok(Some(asn1::write_single(&asn1::GeneralizedTime::new(dt)?)?)) } &oid::CRL_NUMBER_OID | &oid::DELTA_CRL_INDICATOR_OID => { diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 89c5a0d25e7b..1ea7cf19b055 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -10,7 +10,7 @@ use cryptography_x509::{ ocsp_resp::{self, OCSPResponse as RawOCSPResponse, SingleResponse as RawSingleResponse}, oid, }; -use pyo3::IntoPy; +use pyo3::{IntoPy, PyNativeType}; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; use crate::error::{CryptographyError, CryptographyResult}; @@ -166,7 +166,10 @@ impl OCSPResponse { } #[getter] - fn produced_at<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn produced_at<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; x509::datetime_to_py(py, resp.tbs_response_data.produced_at.as_datetime()) } @@ -297,7 +300,10 @@ impl OCSPResponse { } #[getter] - fn revocation_time<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn revocation_time<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_revocation_time(&single_resp, py) 
@@ -311,14 +317,20 @@ impl OCSPResponse { } #[getter] - fn this_update<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn this_update<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_this_update(&single_resp, py) } #[getter] - fn next_update<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn next_update<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_next_update(&single_resp, py) @@ -498,17 +510,17 @@ fn singleresp_py_hash_algorithm<'p>( fn singleresp_py_this_update<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, -) -> pyo3::PyResult<&'p pyo3::PyAny> { +) -> pyo3::PyResult> { x509::datetime_to_py(py, resp.this_update.as_datetime()) } fn singleresp_py_next_update<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, -) -> pyo3::PyResult<&'p pyo3::PyAny> { +) -> pyo3::PyResult> { match &resp.next_update { Some(v) => x509::datetime_to_py(py, v.as_datetime()), - None => Ok(py.None().into_ref(py)), + None => Ok(py.None().into_bound(py)), } } @@ -530,13 +542,13 @@ fn singleresp_py_revocation_reason<'p>( fn singleresp_py_revocation_time<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, -) -> pyo3::PyResult<&'p pyo3::PyAny> { +) -> pyo3::PyResult> { match &resp.cert_status { ocsp_resp::CertStatus::Revoked(revoked_info) => { x509::datetime_to_py(py, revoked_info.revocation_time.as_datetime()) } ocsp_resp::CertStatus::Good(_) | ocsp_resp::CertStatus::Unknown(_) => { - Ok(py.None().into_ref(py)) + Ok(py.None().into_bound(py)) } } } 
@@ -594,8 +606,10 @@ fn create_ocsp_response( // REVOKED let py_revocation_time = py_single_resp.getattr(pyo3::intern!(py, "_revocation_time"))?; - let revocation_time = - asn1::GeneralizedTime::new(py_to_datetime(py, py_revocation_time)?)?; + let revocation_time = asn1::GeneralizedTime::new(py_to_datetime( + py, + py_revocation_time.as_borrowed().to_owned(), + )?)?; ocsp_resp::CertStatus::Revoked(ocsp_resp::RevokedInfo { revocation_time, revocation_reason, @@ -608,13 +622,16 @@ fn create_ocsp_response( let py_next_update = py_single_resp.getattr(pyo3::intern!(py, "_next_update"))?; Some(asn1::GeneralizedTime::new(py_to_datetime( py, - py_next_update, + py_next_update.as_borrowed().to_owned(), )?)?) } else { None }; let py_this_update = py_single_resp.getattr(pyo3::intern!(py, "_this_update"))?; - let this_update = asn1::GeneralizedTime::new(py_to_datetime(py, py_this_update)?)?; + let this_update = asn1::GeneralizedTime::new(py_to_datetime( + py, + py_this_update.as_borrowed().to_owned(), + )?)?; let responses = vec![SingleResponse { cert_id: ocsp::certid_new(py, &py_cert, &py_issuer, py_cert_hash_algorithm)?, @@ -819,7 +836,10 @@ impl OCSPSingleResponse { } #[getter] - fn revocation_time<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn revocation_time<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let single_resp = self.single_response(); singleresp_py_revocation_time(single_resp, py) } 
@@ -831,13 +851,19 @@ impl OCSPSingleResponse { } #[getter] - fn this_update<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn this_update<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let single_resp = self.single_response(); singleresp_py_this_update(single_resp, py) } #[getter] - fn next_update<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn next_update<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let single_resp = self.single_response(); singleresp_py_next_update(single_resp, py) } diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 23d865df7191..c5babda8ea76 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -75,7 +75,7 @@ impl PolicyBuilder { fn time( &self, py: pyo3::Python<'_>, - new_time: &pyo3::Bound<'_, pyo3::PyAny>, + new_time: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { if self.time.is_some() { return Err(CryptographyError::from( @@ -85,7 +85,7 @@ impl PolicyBuilder { )); } Ok(PolicyBuilder { - time: Some(py_to_datetime(py, new_time.clone().into_gil_ref())?), + time: Some(py_to_datetime(py, new_time)?), store: self.store.as_ref().map(|s| s.clone_ref(py)), max_chain_depth: self.max_chain_depth, }) @@ -239,7 +239,10 @@ impl PyClientVerifier { #[pyo3::pymethods] impl PyClientVerifier { #[getter] - fn validation_time<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn validation_time<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { datetime_to_py(py, &self.as_policy().validation_time) } @@ -320,7 +323,10 @@ impl PyServerVerifier { #[pyo3::pymethods] impl PyServerVerifier { #[getter] - fn validation_time<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn validation_time<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { datetime_to_py(py, &self.as_policy().validation_time) } 
From 0a57074ca359c5cd4592c154117ba124095517c4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 10:08:38 -0400 Subject: [PATCH 0392/1462] Fix a compilation error without gil-refs (#10738) --- src/rust/src/x509/extensions.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 9bbd7443a594..bbba8170d416 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -39,8 +39,8 @@ pub(crate) fn encode_authority_key_identifier<'a>( ) -> CryptographyResult> { #[derive(pyo3::prelude::FromPyObject)] struct PyAuthorityKeyIdentifier<'a> { - key_identifier: Option<&'a [u8]>, - authority_cert_issuer: Option<&'a pyo3::PyAny>, + key_identifier: Option, + authority_cert_issuer: Option>, authority_cert_serial_number: Option>, } let aki = py_aki.extract::>()?; @@ -62,7 +62,7 @@ pub(crate) fn encode_authority_key_identifier<'a>( Ok(asn1::write_single(&extensions::AuthorityKeyIdentifier { authority_cert_issuer, authority_cert_serial_number, - key_identifier: aki.key_identifier, + key_identifier: aki.key_identifier.as_deref(), })?) } From 6c11a3e6aab163056689a3c3dea7d98abef6cd83 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 10:25:02 -0400 Subject: [PATCH 0393/1462] Convert more module creation to new pyo3 APIs (#10739) --- src/rust/src/lib.rs | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 97bb54bf1631..94137ce8c2c6 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs 
@@ -117,7 +117,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_submodule(cryptography_cffi::create_module(py)?.into_gil_ref())?; - let openssl_mod = pyo3::prelude::PyModule::new(py, "openssl")?; + let openssl_mod = pyo3::prelude::PyModule::new_bound(py, "openssl")?; openssl_mod.add( "CRYPTOGRAPHY_OPENSSL_300_OR_GREATER", cfg!(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), @@ -140,20 +140,29 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> } openssl_mod.add("_providers", providers)?; - openssl_mod.add_function(pyo3::wrap_pyfunction!(enable_fips, m)?)?; + openssl_mod.add_function(pyo3::wrap_pyfunction_bound!(enable_fips, &openssl_mod)?)?; } else { // default value for non-openssl 3+ openssl_mod.add("_legacy_provider_loaded", false)?; } } - openssl_mod.add_function(pyo3::wrap_pyfunction!(openssl_version, m)?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction!(openssl_version_text, m)?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction!(error::raise_openssl_error, m)?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction!(error::capture_error_stack, m)?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction!(is_fips_enabled, m)?)?; + openssl_mod.add_function(pyo3::wrap_pyfunction_bound!(openssl_version, &openssl_mod)?)?; + openssl_mod.add_function(pyo3::wrap_pyfunction_bound!( + openssl_version_text, + &openssl_mod + )?)?; + openssl_mod.add_function(pyo3::wrap_pyfunction_bound!( + error::raise_openssl_error, + &openssl_mod + )?)?; + openssl_mod.add_function(pyo3::wrap_pyfunction_bound!( + error::capture_error_stack, + &openssl_mod + )?)?; + openssl_mod.add_function(pyo3::wrap_pyfunction_bound!(is_fips_enabled, &openssl_mod)?)?; openssl_mod.add_class::()?; - crate::backend::add_to_module(openssl_mod)?; - m.add_submodule(openssl_mod)?; + crate::backend::add_to_module(openssl_mod.clone().into_gil_ref())?; + m.add_submodule(openssl_mod.into_gil_ref())?; Ok(()) } 
From 07afd49006013157362f85beb1d90f1ea0084f00 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 17:07:25 +0200 Subject: [PATCH 0394/1462] Convert more of `src/pkcs7.rs` to new pyo3 APIs (#10741) --- src/rust/src/lib.rs | 2 +- src/rust/src/pkcs7.rs | 58 +++++++++++++++++++++++++++++-------------- 2 files changed, 41 insertions(+), 19 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 94137ce8c2c6..cade7d5e5869 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -97,7 +97,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_class::()?; m.add_submodule(asn1::create_submodule(py)?.into_gil_ref())?; - m.add_submodule(pkcs7::create_submodule(py)?)?; + m.add_submodule(pkcs7::create_submodule(py)?.into_gil_ref())?; m.add_submodule(pkcs12::create_submodule(py)?.into_gil_ref())?; m.add_submodule(exceptions::create_submodule(py)?.into_gil_ref())?; diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index b33d054b4ef8..e80a2406e2a2 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -11,6 +11,7 @@ use cryptography_x509::{common, oid, pkcs7}; use once_cell::sync::Lazy; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use openssl::pkcs7::Pkcs7; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use pyo3::IntoPy; @@ -43,7 +44,7 @@ static OIDS_TO_MIC_NAME: Lazy> = Lazy::ne fn serialize_certificates<'p>( py: pyo3::Python<'p>, py_certs: Vec>, - encoding: &'p pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { if py_certs.is_empty() { return Err(pyo3::exceptions::PyTypeError::new_err( 
@@ -75,15 +76,20 @@ fn serialize_certificates<'p>( }; let content_info_bytes = asn1::write_single(&content_info)?; - encode_der_data(py, "PKCS7".to_string(), content_info_bytes, encoding) + encode_der_data( + py, + "PKCS7".to_string(), + content_info_bytes, + encoding.clone().into_gil_ref(), + ) } #[pyo3::prelude::pyfunction] fn sign_and_serialize<'p>( py: pyo3::Python<'p>, - builder: &'p pyo3::PyAny, - encoding: &'p pyo3::PyAny, - options: &'p pyo3::types::PyList, + builder: &pyo3::Bound<'p, pyo3::PyAny>, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + options: &pyo3::Bound<'p, pyo3::types::PyList>, ) -> CryptographyResult> { let raw_data: CffiBuf<'p> = builder.getattr(pyo3::intern!(py, "_data"))?.extract()?; let text_mode = options.contains(types::PKCS7_TEXT.get(py)?)?; @@ -258,7 +264,12 @@ fn sign_and_serialize<'p>( .extract()?) } else { // Handles the DER, PEM, and error cases - encode_der_data(py, "PKCS7".to_string(), ci_bytes, encoding) + encode_der_data( + py, + "PKCS7".to_string(), + ci_bytes, + encoding.clone().into_gil_ref(), + ) } } @@ -320,7 +331,7 @@ fn smime_canonicalize(data: &[u8], text_mode: bool) -> (Cow<'_, [u8]>, Cow<'_, [ fn load_pkcs7_certificates( py: pyo3::Python<'_>, pkcs7: Pkcs7, -) -> CryptographyResult<&pyo3::types::PyList> { +) -> CryptographyResult> { let nid = pkcs7.type_().map(|t| t.nid()); if nid != Some(openssl::nid::Nid::PKCS7_SIGNED) { let nid_string = nid.map_or("empty".to_string(), |n| n.as_raw().to_string()); @@ -340,9 +351,9 @@ fn load_pkcs7_certificates( ), )), Some(certificates) => { - let result = pyo3::types::PyList::empty(py); + let result = pyo3::types::PyList::empty_bound(py); for c in certificates { - let cert_der = pyo3::types::PyBytes::new(py, c.to_der()?.as_slice()).into_py(py); + let cert_der = pyo3::types::PyBytes::new_bound(py, c.to_der()?.as_slice()).unbind(); let cert = load_der_x509_certificate(py, cert_der, None)?; result.append(cert.into_py(py))?; } 
@@ -355,7 +366,7 @@ fn load_pkcs7_certificates( fn load_pem_pkcs7_certificates<'p>( py: pyo3::Python<'p>, data: &[u8], -) -> CryptographyResult<&'p pyo3::types::PyList> { +) -> CryptographyResult> { cfg_if::cfg_if! { if #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] { let pkcs7_decoded = openssl::pkcs7::Pkcs7::from_pem(data).map_err(|_| { @@ -381,7 +392,7 @@ fn load_pem_pkcs7_certificates<'p>( fn load_der_pkcs7_certificates<'p>( py: pyo3::Python<'p>, data: &[u8], -) -> CryptographyResult<&'p pyo3::types::PyList> { +) -> CryptographyResult> { cfg_if::cfg_if! { if #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] { let pkcs7_decoded = openssl::pkcs7::Pkcs7::from_der(data).map_err(|_| { @@ -403,13 +414,24 @@ fn load_der_pkcs7_certificates<'p>( } } -pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let submod = pyo3::prelude::PyModule::new(py, "pkcs7")?; - - submod.add_function(pyo3::wrap_pyfunction!(serialize_certificates, submod)?)?; - submod.add_function(pyo3::wrap_pyfunction!(sign_and_serialize, submod)?)?; - submod.add_function(pyo3::wrap_pyfunction!(load_pem_pkcs7_certificates, submod)?)?; - submod.add_function(pyo3::wrap_pyfunction!(load_der_pkcs7_certificates, submod)?)?; +pub(crate) fn create_submodule( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let submod = pyo3::prelude::PyModule::new_bound(py, "pkcs7")?; + + submod.add_function(pyo3::wrap_pyfunction_bound!( + serialize_certificates, + &submod + )?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!(sign_and_serialize, &submod)?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!( + load_pem_pkcs7_certificates, + &submod + )?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!( + load_der_pkcs7_certificates, + &submod + )?)?; Ok(submod) } From 22bd720f61ce1db76216a711e38f00d3d6d92cdc Mon Sep 17 00:00:00 2001 
From: Facundo Tuesca Date: Fri, 5 Apr 2024 17:33:21 +0200 Subject: [PATCH 0395/1462] Convert more of `src/x509/ocsp_req.rs` to new pyo3 APIs (#10743) --- src/rust/src/x509/ocsp_req.rs | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 5d6674d04b3f..846fefae6c8b 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -7,7 +7,7 @@ use cryptography_x509::{ ocsp_req::{self, OCSPRequest as RawOCSPRequest}, oid, }; -use pyo3::IntoPy; +use pyo3::prelude::{PyAnyMethods, PyListMethods}; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; @@ -132,7 +132,7 @@ impl OCSPRequest { } oid::ACCEPTABLE_RESPONSES_OID => { let oids = ext.value::>()?; - let py_oids = pyo3::types::PyList::empty(py); + let py_oids = pyo3::types::PyList::empty_bound(py); for oid in oids { py_oids.append(oid_to_py_oid(py, &oid)?)?; } @@ -152,23 +152,23 @@ impl OCSPRequest { fn public_bytes<'p>( &self, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - if !encoding.is(types::ENCODING_DER.get(py)?) { + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + ) -> CryptographyResult> { + if !encoding.is(&types::ENCODING_DER.get_bound(py)?) { return Err(pyo3::exceptions::PyValueError::new_err( "The only allowed encoding value is Encoding.DER", ) .into()); } let result = asn1::write_single(self.raw.borrow_dependent())?; - Ok(pyo3::types::PyBytes::new(py, &result)) + Ok(pyo3::types::PyBytes::new_bound(py, &result)) } } #[pyo3::prelude::pyfunction] fn create_ocsp_request( py: pyo3::Python<'_>, - builder: &pyo3::PyAny, + builder: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { let builder_request = builder.getattr(pyo3::intern!(py, "_request"))?; 
@@ -209,7 +209,10 @@ fn create_ocsp_request( let extensions = x509::common::encode_extensions( py, - builder.getattr(pyo3::intern!(py, "_extensions"))?, + builder + .getattr(pyo3::intern!(py, "_extensions"))? + .clone() + .into_gil_ref(), extensions::encode_extension, )?; let reqs = [ocsp_req::Request { @@ -228,7 +231,7 @@ fn create_ocsp_request( optional_signature: None, }; let data = asn1::write_single(&ocsp_req)?; - load_der_ocsp_request(py, pyo3::types::PyBytes::new(py, &data).into_py(py)) + load_der_ocsp_request(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()) } pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { From 2a6ea3cb5b014471cd11f0c57bed0721ca03bdba Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 13:39:59 -0400 Subject: [PATCH 0396/1462] Convert more module creation to new pyo3 APIs (#10742) --- src/rust/src/lib.rs | 16 ++++++++-------- src/rust/src/x509/certificate.rs | 24 ++++++++++++++++++------ src/rust/src/x509/common.rs | 11 +++++++---- src/rust/src/x509/crl.rs | 10 +++++----- src/rust/src/x509/csr.rs | 10 +++++----- src/rust/src/x509/verify.rs | 4 ++-- 6 files changed, 45 insertions(+), 30 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index cade7d5e5869..2fe5777b7d8f 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs 
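Review bot: The `.clone()` added before `.into_gil_ref()` in `create_ocsp_request` (ocsp_req.rs, the `@@ -209` hunk) looks redundant. `builder.getattr(...)?` already yields an owned `Bound`, which `into_gil_ref` can consume directly, so the clone only adds a reference-count round trip. `builder.getattr(pyo3::intern!(py, "_extensions"))?.into_gil_ref(),` should be enough. The function starts and ends outside this hunk.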
@@ -101,14 +101,14 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_submodule(pkcs12::create_submodule(py)?.into_gil_ref())?; m.add_submodule(exceptions::create_submodule(py)?.into_gil_ref())?; - let x509_mod = pyo3::prelude::PyModule::new(py, "x509")?; - crate::x509::certificate::add_to_module(x509_mod)?; - crate::x509::common::add_to_module(x509_mod)?; - crate::x509::crl::add_to_module(x509_mod)?; - crate::x509::csr::add_to_module(x509_mod)?; - crate::x509::sct::add_to_module(&x509_mod.as_borrowed())?; - crate::x509::verify::add_to_module(x509_mod)?; - m.add_submodule(x509_mod)?; + let x509_mod = pyo3::prelude::PyModule::new_bound(py, "x509")?; + crate::x509::certificate::add_to_module(&x509_mod)?; + crate::x509::common::add_to_module(&x509_mod)?; + crate::x509::crl::add_to_module(&x509_mod)?; + crate::x509::csr::add_to_module(&x509_mod)?; + crate::x509::sct::add_to_module(&x509_mod)?; + crate::x509::verify::add_to_module(&x509_mod)?; + m.add_submodule(x509_mod.into_gil_ref())?; let ocsp_mod = pyo3::prelude::PyModule::new(py, "ocsp")?; crate::x509::ocsp_req::add_to_module(ocsp_mod)?; diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 7ee3f8709920..f8cb944894f8 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -17,7 +17,7 @@ use cryptography_x509::extensions::{ use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; use cryptography_x509_verification::ops::CryptoOps; -use pyo3::prelude::{PyAnyMethods, PyListMethods}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::{IntoPy, PyNativeType, ToPyObject}; use crate::asn1::{ 
@@ -999,11 +999,23 @@ pub(crate) fn set_bit(vals: &mut [u8], n: usize, set: bool) { } } -pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction!(load_der_x509_certificate, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(load_pem_x509_certificate, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(load_pem_x509_certificates, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(create_x509_certificate, module)?)?; +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + module.add_function(pyo3::wrap_pyfunction_bound!( + load_der_x509_certificate, + module + )?)?; + module.add_function(pyo3::wrap_pyfunction_bound!( + load_pem_x509_certificate, + module + )?)?; + module.add_function(pyo3::wrap_pyfunction_bound!( + load_pem_x509_certificates, + module + )?)?; + module.add_function(pyo3::wrap_pyfunction_bound!( + create_x509_certificate, + module + )?)?; module.add_class::()?; diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index b8cf6a3e7246..4d4951821ca2 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -7,7 +7,7 @@ use cryptography_x509::extensions::{ AccessDescription, DuplicateExtensionsError, Extension, Extensions, RawExtensions, }; use cryptography_x509::name::{GeneralName, Name, NameReadable, OtherName, UnvalidatedIA5String}; -use pyo3::prelude::{PyAnyMethods, PyListMethods}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::types::IntoPyDict; use pyo3::{IntoPy, PyNativeType, ToPyObject}; 
@@ -554,9 +554,12 @@ pub(crate) fn datetime_now(py: pyo3::Python<'_>) -> pyo3::PyResult pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction!(encode_extension_value, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(encode_name_bytes, module)?)?; +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + module.add_function(pyo3::wrap_pyfunction_bound!( + encode_extension_value, + module + )?)?; + module.add_function(pyo3::wrap_pyfunction_bound!(encode_name_bytes, module)?)?; Ok(()) } diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index c776a7178285..3a02eb6788b7 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -13,7 +13,7 @@ use cryptography_x509::{ }, name, oid, }; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PySliceMethods}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods, PySliceMethods}; use pyo3::{PyNativeType, ToPyObject}; use crate::asn1::{ @@ -715,10 +715,10 @@ fn create_x509_crl( ) } -pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction!(load_der_x509_crl, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(load_pem_x509_crl, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(create_x509_crl, module)?)?; +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + module.add_function(pyo3::wrap_pyfunction_bound!(load_der_x509_crl, module)?)?; + module.add_function(pyo3::wrap_pyfunction_bound!(load_pem_x509_crl, module)?)?; + module.add_function(pyo3::wrap_pyfunction_bound!(create_x509_crl, module)?)?; module.add_class::()?; module.add_class::()?; diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 55031adf0418..66b365115043 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs 
@@ -8,7 +8,7 @@ use std::hash::{Hash, Hasher}; use asn1::SimpleAsn1Readable; use cryptography_x509::csr::{check_attribute_length, Attribute, CertificationRequestInfo, Csr}; use cryptography_x509::{common, oid}; -use pyo3::prelude::{PyAnyMethods, PyListMethods}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::IntoPy; use crate::asn1::{encode_der_data, oid_to_py_oid, py_oid_to_oid}; @@ -385,10 +385,10 @@ fn create_x509_csr( ) } -pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction!(load_der_x509_csr, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(load_pem_x509_csr, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(create_x509_csr, module)?)?; +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + module.add_function(pyo3::wrap_pyfunction_bound!(load_der_x509_csr, module)?)?; + module.add_function(pyo3::wrap_pyfunction_bound!(load_pem_x509_csr, module)?)?; + module.add_function(pyo3::wrap_pyfunction_bound!(create_x509_csr, module)?)?; module.add_class::()?; diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index c5babda8ea76..e327a09eb4c9 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -11,7 +11,7 @@ use cryptography_x509_verification::{ trust_store::Store, types::{DNSName, IPAddress}, }; -use pyo3::prelude::{PyAnyMethods, PyListMethods}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use crate::backend::keys; use crate::error::{CryptographyError, CryptographyResult}; @@ -457,7 +457,7 @@ impl PyStore { } } -pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { module.add_class::()?; module.add_class::()?; module.add_class::()?; 
From d00ef6a4515fc14a46df442b889229a358fd2e28 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 13:41:59 -0400 Subject: [PATCH 0397/1462] Convert portions of `ocsp_resp.rs` to new pyo3 APIs (#10740) --- src/rust/src/x509/ocsp_resp.rs | 88 ++++++++++++++++++++++------------ 1 file changed, 58 insertions(+), 30 deletions(-) diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 1ea7cf19b055..df1ce0dd3fbc 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -10,7 +10,8 @@ use cryptography_x509::{ ocsp_resp::{self, OCSPResponse as RawOCSPResponse, SingleResponse as RawSingleResponse}, oid, }; -use pyo3::{IntoPy, PyNativeType}; +use pyo3::prelude::{PyAnyMethods, PyListMethods}; +use pyo3::PyNativeType; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; use crate::error::{CryptographyError, CryptographyResult}; 
@@ -144,24 +145,30 @@ impl OCSPResponse { } #[getter] - fn responder_name<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn responder_name<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; match resp.tbs_response_data.responder_id { ocsp_resp::ResponderId::ByName(ref name) => { - Ok(x509::parse_name(py, name.unwrap_read())?.into_gil_ref()) + Ok(x509::parse_name(py, name.unwrap_read())?) } - ocsp_resp::ResponderId::ByKey(_) => Ok(py.None().into_ref(py)), + ocsp_resp::ResponderId::ByKey(_) => Ok(py.None().into_bound(py)), } } #[getter] - fn responder_key_hash<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn responder_key_hash<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; match resp.tbs_response_data.responder_id { ocsp_resp::ResponderId::ByKey(key_hash) => { - Ok(pyo3::types::PyBytes::new(py, key_hash).as_ref()) + Ok(pyo3::types::PyBytes::new_bound(py, key_hash).into_any()) } - ocsp_resp::ResponderId::ByName(_) => Ok(py.None().into_ref(py)), + ocsp_resp::ResponderId::ByName(_) => Ok(py.None().into_bound(py)), } } 
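Review bot: The `responder_name` and `responder_key_hash` getters in this hunk carry no doc comment saying that each returns `None` when the response identifies its responder the other way, which is what a caller matching the responder to a certificate has to handle. I would add `/// The responder's name, or None when the response uses ResponderId::ByKey.` above `responder_name` and `/// The responder's key hash, or None when the response uses ResponderId::ByName.` above `responder_key_hash`. Both call `requires_successful_response()?` first, so an unsuccessful response surfaces as an error rather than as `None`. That helper is defined outside the hunk, so the exact exception is not visible here.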
@@ -208,25 +215,34 @@ impl OCSPResponse { } #[getter] - fn signature<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::types::PyBytes> { + fn signature<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; - Ok(pyo3::types::PyBytes::new(py, resp.signature.as_bytes())) + Ok(pyo3::types::PyBytes::new_bound( + py, + resp.signature.as_bytes(), + )) } #[getter] fn tbs_response_bytes<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let resp = self.requires_successful_response()?; let result = asn1::write_single(&resp.tbs_response_data)?; - Ok(pyo3::types::PyBytes::new(py, &result)) + Ok(pyo3::types::PyBytes::new_bound(py, &result)) } #[getter] - fn certificates<'p>(&self, py: pyo3::Python<'p>) -> Result<&'p pyo3::PyAny, CryptographyError> { + fn certificates<'p>( + &self, + py: pyo3::Python<'p>, + ) -> CryptographyResult> { let resp = self.requires_successful_response()?; - let py_certs = pyo3::types::PyList::empty(py); + let py_certs = pyo3::types::PyList::empty_bound(py); let certs = match &resp.certs { Some(certs) => certs.unwrap_read(), None => return Ok(py_certs), @@ -247,7 +263,7 @@ impl OCSPResponse { .nth(i) .unwrap() }); - py_certs.append(pyo3::PyCell::new( + py_certs.append(pyo3::Bound::new( py, x509::certificate::Certificate { raw: raw_cert, @@ -293,7 +309,10 @@ impl OCSPResponse { } #[getter] - fn certificate_status<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn certificate_status<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_certificate_status(&single_resp, py) 
@@ -310,7 +329,10 @@ impl OCSPResponse { } #[getter] - fn revocation_reason<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + fn revocation_reason<'p>( + &self, + py: pyo3::Python<'p>, + ) -> CryptographyResult> { let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_revocation_reason(&single_resp, py) @@ -407,16 +429,16 @@ impl OCSPResponse { fn public_bytes<'p>( &self, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - if !encoding.is(types::ENCODING_DER.get(py)?) { + encoding: pyo3::Bound<'_, pyo3::PyAny>, + ) -> CryptographyResult> { + if !encoding.is(&types::ENCODING_DER.get_bound(py)?) { return Err(pyo3::exceptions::PyValueError::new_err( "The only allowed encoding value is Encoding.DER", ) .into()); } let result = asn1::write_single(self.raw.borrow_dependent())?; - Ok(pyo3::types::PyBytes::new(py, &result)) + Ok(pyo3::types::PyBytes::new_bound(py, &result)) } } @@ -483,13 +505,13 @@ fn singleresp_py_serial_number<'p>( fn singleresp_py_certificate_status<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, -) -> pyo3::PyResult<&'p pyo3::PyAny> { +) -> pyo3::PyResult> { let attr = match resp.cert_status { ocsp_resp::CertStatus::Good(_) => pyo3::intern!(py, "GOOD"), ocsp_resp::CertStatus::Revoked(_) => pyo3::intern!(py, "REVOKED"), ocsp_resp::CertStatus::Unknown(_) => pyo3::intern!(py, "UNKNOWN"), }; - types::OCSP_CERT_STATUS.get(py)?.getattr(attr) + types::OCSP_CERT_STATUS.get_bound(py)?.getattr(attr) } fn singleresp_py_hash_algorithm<'p>( 
@@ -527,14 +549,14 @@ fn singleresp_py_next_update<'p>( fn singleresp_py_revocation_reason<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, -) -> CryptographyResult<&'p pyo3::PyAny> { +) -> CryptographyResult> { match &resp.cert_status { ocsp_resp::CertStatus::Revoked(revoked_info) => match revoked_info.revocation_reason { - Some(ref v) => Ok(crl::parse_crl_reason_flags(py, v)?.into_gil_ref()), - None => Ok(py.None().into_ref(py)), + Some(ref v) => Ok(crl::parse_crl_reason_flags(py, v)?), + None => Ok(py.None().into_bound(py)), }, ocsp_resp::CertStatus::Good(_) | ocsp_resp::CertStatus::Unknown(_) => { - Ok(py.None().into_ref(py)) + Ok(py.None().into_bound(py)) } } } @@ -579,7 +601,7 @@ fn create_ocsp_response( .extract()?; let py_cert_hash_algorithm = py_single_resp.getattr(pyo3::intern!(py, "_algorithm"))?; let (responder_cert, responder_encoding): ( - &pyo3::PyCell, + pyo3::Bound<'_, x509::certificate::Certificate>, &pyo3::PyAny, ) = builder .getattr(pyo3::intern!(py, "_responder_id"))? @@ -735,7 +757,7 @@ fn create_ocsp_response( response_bytes, }; let data = asn1::write_single(&resp)?; - load_der_ocsp_response(py, pyo3::types::PyBytes::new(py, &data).into_py(py)) + load_der_ocsp_response(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()) } pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { @@ -830,7 +852,10 @@ impl OCSPSingleResponse { } #[getter] - fn certificate_status<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn certificate_status<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let single_resp = self.single_response(); singleresp_py_certificate_status(single_resp, py) } 
@@ -845,7 +870,10 @@ impl OCSPSingleResponse { } #[getter] - fn revocation_reason<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + fn revocation_reason<'p>( + &self, + py: pyo3::Python<'p>, + ) -> CryptographyResult> { let single_resp = self.single_response(); singleresp_py_revocation_reason(single_resp, py) } From 4acc8eddd004b71a85f89e7986822eb9f637ad96 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 13:53:33 -0400 Subject: [PATCH 0398/1462] Convert more sign functions to new pyo3 APIs (#10734) --- src/rust/src/pkcs7.rs | 24 ++++++++--- src/rust/src/x509/certificate.rs | 12 +++--- src/rust/src/x509/crl.rs | 21 ++++++--- src/rust/src/x509/csr.rs | 14 +++--- src/rust/src/x509/ocsp_resp.rs | 12 +++--- src/rust/src/x509/sign.rs | 73 ++++++++++++++++---------------- src/rust/src/x509/verify.rs | 2 +- 7 files changed, 90 insertions(+), 68 deletions(-) diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index e80a2406e2a2..d817b4d48b80 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -14,6 +14,7 @@ use openssl::pkcs7::Pkcs7; use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use pyo3::IntoPy; +use pyo3::PyNativeType; use crate::asn1::encode_der_data; use crate::buf::CffiBuf; @@ -140,9 +141,9 @@ fn sign_and_serialize<'p>( None, x509::sign::sign_data( py, - py_private_key, - py_hash_alg, - rsa_padding, + py_private_key.as_borrowed().to_owned(), + py_hash_alg.as_borrowed().to_owned(), + rsa_padding.as_borrowed().to_owned(), &data_with_header, )?, ) @@ -189,7 +190,13 @@ fn sign_and_serialize<'p>( Some(common::Asn1ReadableOrWritable::new_write( asn1::SetOfWriter::new(authenticated_attrs), )), - x509::sign::sign_data(py, py_private_key, py_hash_alg, rsa_padding, &signed_data)?, + x509::sign::sign_data( + py, + py_private_key.as_borrowed().to_owned(), + py_hash_alg.as_borrowed().to_owned(), + rsa_padding.as_borrowed().to_owned(), + &signed_data, + )?, ) }; 
@@ -279,7 +286,7 @@ fn compute_pkcs7_signature_algorithm<'p>( hash_algorithm: &'p pyo3::PyAny, rsa_padding: &'p pyo3::PyAny, ) -> pyo3::PyResult> { - let key_type = x509::sign::identify_key_type(py, private_key)?; + let key_type = x509::sign::identify_key_type(py, private_key.as_borrowed().to_owned())?; let has_pss_padding = rsa_padding.is_instance(types::PSS.get(py)?)?; // For RSA signatures (with no PSS padding), the OID is always the same no matter the // digest algorithm. See RFC 3370 (section 3.2). @@ -289,7 +296,12 @@ fn compute_pkcs7_signature_algorithm<'p>( params: common::AlgorithmParameters::Rsa(Some(())), }) } else { - x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding) + x509::sign::compute_signature_algorithm( + py, + private_key.as_borrowed().to_owned(), + hash_algorithm.as_borrowed().to_owned(), + rsa_padding.as_borrowed().to_owned(), + ) } } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index f8cb944894f8..d6751b7d0861 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -924,9 +924,9 @@ fn create_x509_certificate( ) -> CryptographyResult { let sigalg = x509::sign::compute_signature_algorithm( py, - private_key.clone().into_gil_ref(), - hash_algorithm.clone().into_gil_ref(), - rsa_padding.clone().into_gil_ref(), + private_key.clone(), + hash_algorithm.clone(), + rsa_padding.clone(), )?; let der = types::ENCODING_DER.get(py)?; @@ -974,9 +974,9 @@ fn create_x509_certificate( let tbs_bytes = asn1::write_single(&tbs_cert)?; let signature = x509::sign::sign_data( py, - private_key.clone().into_gil_ref(), - hash_algorithm.clone().into_gil_ref(), - rsa_padding.clone().into_gil_ref(), + private_key.clone(), + hash_algorithm.clone(), + rsa_padding.clone(), &tbs_bytes, )?; let data = asn1::write_single(&cryptography_x509::certificate::Certificate { diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 3a02eb6788b7..888fb114966b 100644 
--- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -433,11 +433,11 @@ impl CertificateRevocationList { // Error on invalid public key -- below we treat any error as just // being an invalid signature. - sign::identify_public_key_type(py, public_key.clone().into_gil_ref())?; + sign::identify_public_key_type(py, public_key.clone())?; Ok(sign::verify_signature_with_signature_algorithm( py, - public_key.into_gil_ref(), + public_key, &slf.owned.borrow_dependent().signature_algorithm, slf.owned.borrow_dependent().signature_value.as_bytes(), &asn1::write_single(&slf.owned.borrow_dependent().tbs_cert_list)?, @@ -646,8 +646,12 @@ fn create_x509_crl( hash_algorithm: &pyo3::PyAny, rsa_padding: &pyo3::PyAny, ) -> CryptographyResult { - let sigalg = - x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding)?; + let sigalg = x509::sign::compute_signature_algorithm( + py, + private_key.as_borrowed().to_owned(), + hash_algorithm.as_borrowed().to_owned(), + rsa_padding.as_borrowed().to_owned(), + )?; let mut revoked_certs = vec![]; for py_revoked_cert in builder .getattr(pyo3::intern!(py, "_revoked_certificates"))? @@ -701,8 +705,13 @@ fn create_x509_crl( }; let tbs_bytes = asn1::write_single(&tbs_cert_list)?; - let signature = - x509::sign::sign_data(py, private_key, hash_algorithm, rsa_padding, &tbs_bytes)?; + let signature = x509::sign::sign_data( + py, + private_key.as_borrowed().to_owned(), + hash_algorithm.as_borrowed().to_owned(), + rsa_padding.as_borrowed().to_owned(), + &tbs_bytes, + )?; let data = asn1::write_single(&crl::CertificateRevocationList { tbs_cert_list, signature_algorithm: sigalg, diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 66b365115043..f79c84fd84b2 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs 
@@ -234,7 +234,7 @@ impl CertificateSigningRequest { let public_key = slf.public_key(py)?; Ok(sign::verify_signature_with_signature_algorithm( py, - public_key.bind(py).clone().into_gil_ref(), + public_key.bind(py).clone(), &slf.raw.borrow_dependent().signature_alg, slf.raw.borrow_dependent().signature.as_bytes(), &asn1::write_single(&slf.raw.borrow_dependent().csr_info)?, @@ -301,9 +301,9 @@ fn create_x509_csr( ) -> CryptographyResult { let sigalg = x509::sign::compute_signature_algorithm( py, - private_key.clone().into_gil_ref(), - hash_algorithm.clone().into_gil_ref(), - rsa_padding.clone().into_gil_ref(), + private_key.clone(), + hash_algorithm.clone(), + rsa_padding.clone(), )?; let der = types::ENCODING_DER.get(py)?; @@ -368,9 +368,9 @@ fn create_x509_csr( let tbs_bytes = asn1::write_single(&csr_info)?; let signature = x509::sign::sign_data( py, - private_key.clone().into_gil_ref(), - hash_algorithm.clone().into_gil_ref(), - rsa_padding.clone().into_gil_ref(), + private_key.clone(), + hash_algorithm.clone(), + rsa_padding.clone(), &tbs_bytes, )?; let data = asn1::write_single(&Csr { diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index df1ce0dd3fbc..c83f5600afbb 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -704,16 +704,16 @@ fn create_ocsp_response( let sigalg = x509::sign::compute_signature_algorithm( py, - private_key, - hash_algorithm, - py.None().into_ref(py), + private_key.as_borrowed().to_owned(), + hash_algorithm.as_borrowed().to_owned(), + py.None().into_bound(py), )?; let tbs_bytes = asn1::write_single(&tbs_response_data)?; let signature = x509::sign::sign_data( py, - private_key, - hash_algorithm, - py.None().into_ref(py), + private_key.as_borrowed().to_owned(), + hash_algorithm.as_borrowed().to_owned(), + py.None().into_bound(py), &tbs_bytes, )?; diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index e1d2b877938c..72938687791e 100644 
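Review bot: In the `create_ocsp_response` hunk (`@@ -704,16 +704,16 @@`), `py.None().into_bound(py)` is passed as `rsa_padding` to both `compute_signature_algorithm` and `sign_data` with no comment on what that selects. The `sign_data` hunk in `sign.rs` shows that a `None` padding on an RSA key is replaced by `types::PKCS1V15`, so as far as this hunk shows an RSA-signed OCSP response is always PKCS#1 v1.5. A comment above the first call, such as `// OCSP has no padding argument: None makes sign_data use PKCS#1 v1.5 for RSA keys.`, would record that choice. Binding the value once (`let no_padding = py.None().into_bound(py);`) and passing `no_padding.clone()` to each call would also keep the two arguments visibly in agreement. The function starts outside the hunk.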
--- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -52,17 +52,17 @@ enum HashType { pub(crate) fn identify_key_type( py: pyo3::Python<'_>, - private_key: &pyo3::PyAny, + private_key: pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { - if private_key.is_instance(types::RSA_PRIVATE_KEY.get(py)?)? { + if private_key.is_instance(&types::RSA_PRIVATE_KEY.get_bound(py)?)? { Ok(KeyType::Rsa) - } else if private_key.is_instance(types::DSA_PRIVATE_KEY.get(py)?)? { + } else if private_key.is_instance(&types::DSA_PRIVATE_KEY.get_bound(py)?)? { Ok(KeyType::Dsa) - } else if private_key.is_instance(types::ELLIPTIC_CURVE_PRIVATE_KEY.get(py)?)? { + } else if private_key.is_instance(&types::ELLIPTIC_CURVE_PRIVATE_KEY.get_bound(py)?)? { Ok(KeyType::Ec) - } else if private_key.is_instance(types::ED25519_PRIVATE_KEY.get(py)?)? { + } else if private_key.is_instance(&types::ED25519_PRIVATE_KEY.get_bound(py)?)? { Ok(KeyType::Ed25519) - } else if private_key.is_instance(types::ED448_PRIVATE_KEY.get(py)?)? { + } else if private_key.is_instance(&types::ED448_PRIVATE_KEY.get_bound(py)?)? { Ok(KeyType::Ed448) } else { Err(pyo3::exceptions::PyTypeError::new_err( @@ -73,13 +73,13 @@ pub(crate) fn identify_key_type( fn identify_hash_type( py: pyo3::Python<'_>, - hash_algorithm: &pyo3::PyAny, + hash_algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { if hash_algorithm.is_none() { return Ok(HashType::None); } - if !hash_algorithm.is_instance(types::HASH_ALGORITHM.get(py)?)? { + if !hash_algorithm.is_instance(&types::HASH_ALGORITHM.get_bound(py)?)? { return Err(pyo3::exceptions::PyTypeError::new_err( "Algorithm must be a registered hash algorithm.", )); 
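Review bot: `identify_key_type` now takes `private_key: pyo3::Bound<'_, pyo3::PyAny>` by value although its visible body only calls `is_instance` on it, so every caller has to take a new reference just to ask a type question. The same holds for `identify_hash_type` in the next hunk and `identify_public_key_type` further down. The call sites in this patch pay for it with `private_key.clone()`, `public_key.clone()`, `key.bind(py).clone()` and `….as_borrowed().to_owned()`. Taking a reference instead, `private_key: &pyo3::Bound<'_, pyo3::PyAny>`, leaves the bodies as they are and lets callers pass `&private_key`. The tail of each function lies outside its hunk, so this assumes nothing after the `is_instance` chain needs ownership.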
@@ -105,17 +105,17 @@ fn identify_hash_type( fn compute_pss_salt_length<'p>( py: pyo3::Python<'p>, - private_key: &'p pyo3::PyAny, - hash_algorithm: &'p pyo3::PyAny, - rsa_padding: &'p pyo3::PyAny, + private_key: pyo3::Bound<'p, pyo3::PyAny>, + hash_algorithm: pyo3::Bound<'p, pyo3::PyAny>, + rsa_padding: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult { let py_saltlen = rsa_padding.getattr(pyo3::intern!(py, "_salt_length"))?; - if py_saltlen.is_instance(types::PADDING_MAX_LENGTH.get(py)?)? { + if py_saltlen.is_instance(&types::PADDING_MAX_LENGTH.get_bound(py)?)? { types::CALCULATE_MAX_PSS_SALT_LENGTH - .get(py)? + .get_bound(py)? .call1((private_key, hash_algorithm))? .extract::() - } else if py_saltlen.is_instance(types::PADDING_DIGEST_LENGTH.get(py)?)? { + } else if py_saltlen.is_instance(&types::PADDING_DIGEST_LENGTH.get_bound(py)?)? { hash_algorithm .getattr(pyo3::intern!(py, "digest_size"))? .extract::() 
@@ -130,26 +130,27 @@ fn compute_pss_salt_length<'p>( pub(crate) fn compute_signature_algorithm<'p>( py: pyo3::Python<'p>, - private_key: &'p pyo3::PyAny, - hash_algorithm: &'p pyo3::PyAny, - rsa_padding: &'p pyo3::PyAny, + private_key: pyo3::Bound<'p, pyo3::PyAny>, + hash_algorithm: pyo3::Bound<'p, pyo3::PyAny>, + rsa_padding: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult> { - let key_type = identify_key_type(py, private_key)?; - let hash_type = identify_hash_type(py, hash_algorithm)?; + let key_type = identify_key_type(py, private_key.clone())?; + let hash_type = identify_hash_type(py, hash_algorithm.clone())?; // If this is RSA-PSS we need to compute the signature algorithm from the // parameters provided in rsa_padding. - if rsa_padding.is_instance(types::PSS.get(py)?)? { + if rsa_padding.is_instance(&types::PSS.get_bound(py)?)? { let hash_alg_params = identify_alg_params_for_hash_type(hash_type)?; let hash_algorithm_id = common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), params: hash_alg_params, }; - let salt_length = compute_pss_salt_length(py, private_key, hash_algorithm, rsa_padding)?; + let salt_length = + compute_pss_salt_length(py, private_key, hash_algorithm, rsa_padding.clone())?; let py_mgf_alg = rsa_padding .getattr(pyo3::intern!(py, "_mgf"))? .getattr(pyo3::intern!(py, "_algorithm"))?; - let mgf_hash_type = identify_hash_type(py, py_mgf_alg)?; + let mgf_hash_type = identify_hash_type(py, py_mgf_alg.as_borrowed().to_owned())?; let mgf_alg = common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), params: identify_alg_params_for_hash_type(mgf_hash_type)?, 
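Review bot: `identify_hash_type(py, py_mgf_alg.as_borrowed().to_owned())` looks like a redundant round-trip. `rsa_padding` is a `Bound` on the new side, so the two chained `getattr` calls should already yield an owned `Bound`, and borrowing it only to re-own it adds a reference count bump. The line can stay as it was before the change, `let mgf_hash_type = identify_hash_type(py, py_mgf_alg)?;`. `py_mgf_alg` is not used again in the visible part of the hunk, but the function continues past it, so check for a later use before moving the value.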
@@ -281,25 +282,25 @@ pub(crate) fn compute_signature_algorithm<'p>( pub(crate) fn sign_data<'p>( py: pyo3::Python<'p>, - private_key: &'p pyo3::PyAny, - hash_algorithm: &'p pyo3::PyAny, - rsa_padding: &'p pyo3::PyAny, + private_key: pyo3::Bound<'p, pyo3::PyAny>, + hash_algorithm: pyo3::Bound<'p, pyo3::PyAny>, + rsa_padding: pyo3::Bound<'p, pyo3::PyAny>, data: &[u8], ) -> pyo3::PyResult<&'p [u8]> { - let key_type = identify_key_type(py, private_key)?; + let key_type = identify_key_type(py, private_key.clone())?; let signature = match key_type { KeyType::Ed25519 | KeyType::Ed448 => { private_key.call_method1(pyo3::intern!(py, "sign"), (data,))? } KeyType::Ec => { - let ecdsa = types::ECDSA.get(py)?.call1((hash_algorithm,))?; + let ecdsa = types::ECDSA.get_bound(py)?.call1((hash_algorithm,))?; private_key.call_method1(pyo3::intern!(py, "sign"), (data, ecdsa))? } KeyType::Rsa => { let mut padding = rsa_padding; if padding.is_none() { - padding = types::PKCS1V15.get(py)?.call0()?; + padding = types::PKCS1V15.get_bound(py)?.call0()?; } private_key.call_method1(pyo3::intern!(py, "sign"), (data, padding, hash_algorithm))? } @@ -312,12 +313,12 @@ pub(crate) fn sign_data<'p>( pub(crate) fn verify_signature_with_signature_algorithm<'p>( py: pyo3::Python<'p>, - issuer_public_key: &'p pyo3::PyAny, + issuer_public_key: pyo3::Bound<'p, pyo3::PyAny>, signature_algorithm: &common::AlgorithmIdentifier<'_>, signature: &[u8], data: &[u8], ) -> CryptographyResult<()> { - let key_type = identify_public_key_type(py, issuer_public_key)?; + let key_type = identify_public_key_type(py, issuer_public_key.clone())?; let sig_key_type = identify_key_type_for_algorithm_params(&signature_algorithm.params)?; if key_type != sig_key_type { return Err(CryptographyError::from( 
@@ -356,17 +357,17 @@ pub(crate) fn verify_signature_with_signature_algorithm<'p>( pub(crate) fn identify_public_key_type( py: pyo3::Python<'_>, - public_key: &pyo3::PyAny, + public_key: pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { - if public_key.is_instance(types::RSA_PUBLIC_KEY.get(py)?)? { + if public_key.is_instance(&types::RSA_PUBLIC_KEY.get_bound(py)?)? { Ok(KeyType::Rsa) - } else if public_key.is_instance(types::DSA_PUBLIC_KEY.get(py)?)? { + } else if public_key.is_instance(&types::DSA_PUBLIC_KEY.get_bound(py)?)? { Ok(KeyType::Dsa) - } else if public_key.is_instance(types::ELLIPTIC_CURVE_PUBLIC_KEY.get(py)?)? { + } else if public_key.is_instance(&types::ELLIPTIC_CURVE_PUBLIC_KEY.get_bound(py)?)? { Ok(KeyType::Ec) - } else if public_key.is_instance(types::ED25519_PUBLIC_KEY.get(py)?)? { + } else if public_key.is_instance(&types::ED25519_PUBLIC_KEY.get_bound(py)?)? { Ok(KeyType::Ed25519) - } else if public_key.is_instance(types::ED448_PUBLIC_KEY.get(py)?)? { + } else if public_key.is_instance(&types::ED448_PUBLIC_KEY.get_bound(py)?)? { Ok(KeyType::Ed448) } else { Err(pyo3::exceptions::PyTypeError::new_err( diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index e327a09eb4c9..570184cc1882 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -39,7 +39,7 @@ impl CryptoOps for PyCryptoOps { pyo3::Python::with_gil(|py| -> CryptographyResult<()> { sign::verify_signature_with_signature_algorithm( py, - key.as_ref(py), + key.bind(py).clone(), &cert.signature_alg, cert.signature.as_bytes(), &asn1::write_single(&cert.tbs_cert)?, From 6e58a58f80fb7def82f754007b4db0c45039a1a0 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 20:45:49 +0200 Subject: [PATCH 0399/1462] Convert `src/x509/crl.rs` to new pyo3 APIs (#10744) --- src/rust/src/x509/crl.rs | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) 
diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 888fb114966b..4a68cb028e10 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -14,7 +14,7 @@ use cryptography_x509::{ name, oid, }; use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods, PySliceMethods}; -use pyo3::{PyNativeType, ToPyObject}; +use pyo3::ToPyObject; use crate::asn1::{ big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, @@ -641,16 +641,16 @@ pub fn parse_crl_entry_ext<'p>( #[pyo3::prelude::pyfunction] fn create_x509_crl( py: pyo3::Python<'_>, - builder: &pyo3::PyAny, - private_key: &pyo3::PyAny, - hash_algorithm: &pyo3::PyAny, - rsa_padding: &pyo3::PyAny, + builder: &pyo3::Bound<'_, pyo3::PyAny>, + private_key: &pyo3::Bound<'_, pyo3::PyAny>, + hash_algorithm: &pyo3::Bound<'_, pyo3::PyAny>, + rsa_padding: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { let sigalg = x509::sign::compute_signature_algorithm( py, - private_key.as_borrowed().to_owned(), - hash_algorithm.as_borrowed().to_owned(), - rsa_padding.as_borrowed().to_owned(), + private_key.to_owned(), + hash_algorithm.to_owned(), + rsa_padding.to_owned(), )?; let mut revoked_certs = vec![]; for py_revoked_cert in builder @@ -672,7 +672,10 @@ fn create_x509_crl( )?, raw_crl_entry_extensions: x509::common::encode_extensions( py, - py_revoked_cert.getattr(pyo3::intern!(py, "extensions"))?, + py_revoked_cert + .getattr(pyo3::intern!(py, "extensions"))? + .clone() + .into_gil_ref(), extensions::encode_extension, )?, }); @@ -699,7 +702,10 @@ fn create_x509_crl( }, raw_crl_extensions: x509::common::encode_extensions( py, - builder.getattr(pyo3::intern!(py, "_extensions"))?, + builder + .getattr(pyo3::intern!(py, "_extensions"))? + .clone() + .into_gil_ref(), extensions::encode_extension, )?, }; From 1868ba1a3cc34956ca28d36f59461f20d4597ce9 Mon Sep 17 00:00:00 2001 
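Review bot: Both `encode_extensions` call sites in `create_x509_crl` (`@@ -672,7 +672,10 @@` and `@@ -699,7 +702,10 @@`) call `.clone()` on the value `getattr` has just returned before `.into_gil_ref()`, which takes an extra reference for nothing. The `getattr` result is a temporary that nothing else holds and `into_gil_ref` consumes it, so `builder.getattr(pyo3::intern!(py, "_extensions"))?.into_gil_ref()` is enough. The same goes for `py_revoked_cert.getattr(pyo3::intern!(py, "extensions"))?.into_gil_ref()`. The `into_gil_ref()` call itself is needed for now, presumably because `encode_extensions` still takes a GIL reference; it is defined outside this patch.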
From: Facundo Tuesca Date: Fri, 5 Apr 2024 21:52:24 +0200 Subject: [PATCH 0400/1462] Convert module-related code to new pyo3 APIs (#10745) --- src/rust/src/backend/mod.rs | 38 +++++++++++++++++++--------------- src/rust/src/lib.rs | 36 ++++++++++++++++++-------------- src/rust/src/x509/ocsp_req.rs | 10 +++++---- src/rust/src/x509/ocsp_resp.rs | 13 ++++++++---- 4 files changed, 57 insertions(+), 40 deletions(-) diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 062b9a85ecf5..dd7620c19e2c 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -2,6 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use pyo3::prelude::PyModuleMethods; + pub(crate) mod aead; pub(crate) mod cipher_registry; pub(crate) mod ciphers; 
@@ -23,29 +25,31 @@ pub(crate) mod x25519; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] pub(crate) mod x448; -pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { - module.add_submodule(aead::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(ciphers::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(cmac::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(dh::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(dsa::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(ec::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(keys::create_module(module.py())?.into_gil_ref())?; +pub(crate) fn add_to_module( + module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, +) -> pyo3::PyResult<()> { + module.add_submodule(&aead::create_module(module.py())?)?; + module.add_submodule(&ciphers::create_module(module.py())?)?; + module.add_submodule(&cmac::create_module(module.py())?)?; + module.add_submodule(&dh::create_module(module.py())?)?; + module.add_submodule(&dsa::create_module(module.py())?)?; + module.add_submodule(&ec::create_module(module.py())?)?; + module.add_submodule(&keys::create_module(module.py())?)?; - module.add_submodule(ed25519::create_module(module.py())?.into_gil_ref())?; + module.add_submodule(&ed25519::create_module(module.py())?)?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - module.add_submodule(ed448::create_module(module.py())?.into_gil_ref())?; + module.add_submodule(&ed448::create_module(module.py())?)?; - module.add_submodule(x25519::create_module(module.py())?.into_gil_ref())?; + module.add_submodule(&x25519::create_module(module.py())?)?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - module.add_submodule(x448::create_module(module.py())?.into_gil_ref())?; + module.add_submodule(&x448::create_module(module.py())?)?; - 
module.add_submodule(poly1305::create_module(module.py())?.into_gil_ref())?; + module.add_submodule(&poly1305::create_module(module.py())?)?; - module.add_submodule(hashes::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(hmac::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(kdf::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(rsa::create_module(module.py())?.into_gil_ref())?; + module.add_submodule(&hashes::create_module(module.py())?)?; + module.add_submodule(&hmac::create_module(module.py())?)?; + module.add_submodule(&kdf::create_module(module.py())?)?; + module.add_submodule(&rsa::create_module(module.py())?)?; Ok(()) } diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 2fe5777b7d8f..ac076e667f4e 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs 
@@ -91,15 +91,21 @@ fn enable_fips(providers: &mut LoadedProviders) -> CryptographyResult<()> { } #[pyo3::prelude::pymodule] -fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> { - m.add_function(pyo3::wrap_pyfunction!(padding::check_pkcs7_padding, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(padding::check_ansix923_padding, m)?)?; +fn _rust(py: pyo3::Python<'_>, m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + m.add_function(pyo3::wrap_pyfunction_bound!( + padding::check_pkcs7_padding, + m + )?)?; + m.add_function(pyo3::wrap_pyfunction_bound!( + padding::check_ansix923_padding, + m + )?)?; m.add_class::()?; - m.add_submodule(asn1::create_submodule(py)?.into_gil_ref())?; - m.add_submodule(pkcs7::create_submodule(py)?.into_gil_ref())?; - m.add_submodule(pkcs12::create_submodule(py)?.into_gil_ref())?; - m.add_submodule(exceptions::create_submodule(py)?.into_gil_ref())?; + m.add_submodule(&asn1::create_submodule(py)?)?; + m.add_submodule(&pkcs7::create_submodule(py)?)?; + m.add_submodule(&pkcs12::create_submodule(py)?)?; + m.add_submodule(&exceptions::create_submodule(py)?)?; let x509_mod = pyo3::prelude::PyModule::new_bound(py, "x509")?; crate::x509::certificate::add_to_module(&x509_mod)?; 
@@ -108,14 +114,14 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> crate::x509::csr::add_to_module(&x509_mod)?; crate::x509::sct::add_to_module(&x509_mod)?; crate::x509::verify::add_to_module(&x509_mod)?; - m.add_submodule(x509_mod.into_gil_ref())?; + m.add_submodule(&x509_mod)?; - let ocsp_mod = pyo3::prelude::PyModule::new(py, "ocsp")?; - crate::x509::ocsp_req::add_to_module(ocsp_mod)?; - crate::x509::ocsp_resp::add_to_module(ocsp_mod)?; - m.add_submodule(ocsp_mod)?; + let ocsp_mod = pyo3::prelude::PyModule::new_bound(py, "ocsp")?; + crate::x509::ocsp_req::add_to_module(&ocsp_mod)?; + crate::x509::ocsp_resp::add_to_module(&ocsp_mod)?; + m.add_submodule(&ocsp_mod)?; - m.add_submodule(cryptography_cffi::create_module(py)?.into_gil_ref())?; + m.add_submodule(&cryptography_cffi::create_module(py)?)?; let openssl_mod = pyo3::prelude::PyModule::new_bound(py, "openssl")?; openssl_mod.add( @@ -161,8 +167,8 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> )?)?; openssl_mod.add_function(pyo3::wrap_pyfunction_bound!(is_fips_enabled, &openssl_mod)?)?; openssl_mod.add_class::()?; - crate::backend::add_to_module(openssl_mod.clone().into_gil_ref())?; - m.add_submodule(openssl_mod.into_gil_ref())?; + crate::backend::add_to_module(&openssl_mod)?; + m.add_submodule(&openssl_mod)?; Ok(()) } diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 846fefae6c8b..d5c1d071d27f 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -7,7 +7,7 @@ use cryptography_x509::{ ocsp_req::{self, OCSPRequest as RawOCSPRequest}, oid, }; -use pyo3::prelude::{PyAnyMethods, PyListMethods}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; 
@@ -234,9 +234,11 @@ fn create_ocsp_request( load_der_ocsp_request(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()) } -pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction!(load_der_ocsp_request, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(create_ocsp_request, module)?)?; +pub(crate) fn add_to_module( + module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, +) -> pyo3::PyResult<()> { + module.add_function(pyo3::wrap_pyfunction_bound!(load_der_ocsp_request, module)?)?; + module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_request, module)?)?; Ok(()) } diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index c83f5600afbb..b70f55b684c0 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -10,7 +10,7 @@ use cryptography_x509::{ ocsp_resp::{self, OCSPResponse as RawOCSPResponse, SingleResponse as RawSingleResponse}, oid, }; -use pyo3::prelude::{PyAnyMethods, PyListMethods}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::PyNativeType; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; @@ -760,9 +760,14 @@ fn create_ocsp_response( load_der_ocsp_response(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()) } -pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction!(load_der_ocsp_response, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(create_ocsp_response, module)?)?; +pub(crate) fn add_to_module( + module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, +) -> pyo3::PyResult<()> { + module.add_function(pyo3::wrap_pyfunction_bound!( + load_der_ocsp_response, + module + )?)?; + module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_response, module)?)?; Ok(()) } From 5b50868544cbe32c03668f9cb5054a141c7b2b4d Mon Sep 17 00:00:00 2001 
From: Facundo Tuesca Date: Fri, 5 Apr 2024 22:38:43 +0200 Subject: [PATCH 0401/1462] Misc oscp pyo3 migrations (#10748) * Misc. migrations for `x509/ocsp*.rs` files to new pyo3 APIs * Fix parameter to be Bound and run cargo fmt --- src/rust/src/pkcs7.rs | 118 +++++++++++++++++---------------- src/rust/src/x509/ocsp.rs | 8 +-- src/rust/src/x509/ocsp_req.rs | 3 +- src/rust/src/x509/ocsp_resp.rs | 20 +++--- 4 files changed, 77 insertions(+), 72 deletions(-) diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index d817b4d48b80..085d5e891528 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs 
@@ -134,71 +134,73 @@ fn sign_and_serialize<'p>( .map(|p| p.raw.borrow_dependent()) .collect::>(); for (cert, py_private_key, py_hash_alg, rsa_padding) in &py_signers { - let (authenticated_attrs, signature) = if options - .contains(types::PKCS7_NO_ATTRIBUTES.get(py)?)? - { - ( - None, - x509::sign::sign_data( + let (authenticated_attrs, signature) = + if options.contains(types::PKCS7_NO_ATTRIBUTES.get(py)?)? { + ( + None, + x509::sign::sign_data( + py, + py_private_key.as_borrowed().to_owned(), + py_hash_alg.as_borrowed().to_owned(), + rsa_padding.as_borrowed().to_owned(), + &data_with_header, + )?, + ) + } else { + let mut authenticated_attrs = vec![ + Attribute { + type_id: PKCS7_CONTENT_TYPE_OID, + values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new( + [asn1::parse_single(&content_type_bytes).unwrap()], + )), + }, + Attribute { + type_id: PKCS7_SIGNING_TIME_OID, + values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new( + [asn1::parse_single(&signing_time_bytes).unwrap()], + )), + }, + ]; + + let digest = asn1::write_single(&x509::ocsp::hash_data( py, - py_private_key.as_borrowed().to_owned(), - py_hash_alg.as_borrowed().to_owned(), - rsa_padding.as_borrowed().to_owned(), + &py_hash_alg.as_borrowed(), &data_with_header, - )?, - ) - } else { - let mut authenticated_attrs = vec![ - Attribute { - type_id: PKCS7_CONTENT_TYPE_OID, - values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ - asn1::parse_single(&content_type_bytes).unwrap(), - ])), - }, - Attribute { - type_id: PKCS7_SIGNING_TIME_OID, - values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ - asn1::parse_single(&signing_time_bytes).unwrap(), - ])), - }, - ]; - - let digest = - asn1::write_single(&x509::ocsp::hash_data(py, py_hash_alg, &data_with_header)?)?; - // Gross hack: copy to PyBytes to extend the lifetime to 'p - let digest_bytes = pyo3::types::PyBytes::new(py, &digest); - authenticated_attrs.push(Attribute { - type_id: 
PKCS7_MESSAGE_DIGEST_OID, - values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ - asn1::parse_single(digest_bytes.as_bytes()).unwrap(), - ])), - }); - - if !options.contains(types::PKCS7_NO_CAPABILITIES.get(py)?)? { + )?)?; + // Gross hack: copy to PyBytes to extend the lifetime to 'p + let digest_bytes = pyo3::types::PyBytes::new(py, &digest); authenticated_attrs.push(Attribute { - type_id: PKCS7_SMIME_CAP_OID, + type_id: PKCS7_MESSAGE_DIGEST_OID, values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ - asn1::parse_single(&smime_cap_bytes).unwrap(), + asn1::parse_single(digest_bytes.as_bytes()).unwrap(), ])), }); - } - - let signed_data = - asn1::write_single(&asn1::SetOfWriter::new(authenticated_attrs.as_slice()))?; - ( - Some(common::Asn1ReadableOrWritable::new_write( - asn1::SetOfWriter::new(authenticated_attrs), - )), - x509::sign::sign_data( - py, - py_private_key.as_borrowed().to_owned(), - py_hash_alg.as_borrowed().to_owned(), - rsa_padding.as_borrowed().to_owned(), - &signed_data, - )?, - ) - }; + if !options.contains(types::PKCS7_NO_CAPABILITIES.get(py)?)? { + authenticated_attrs.push(Attribute { + type_id: PKCS7_SMIME_CAP_OID, + values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new( + [asn1::parse_single(&smime_cap_bytes).unwrap()], + )), + }); + } + + let signed_data = + asn1::write_single(&asn1::SetOfWriter::new(authenticated_attrs.as_slice()))?; + + ( + Some(common::Asn1ReadableOrWritable::new_write( + asn1::SetOfWriter::new(authenticated_attrs), + )), + x509::sign::sign_data( + py, + py_private_key.as_borrowed().to_owned(), + py_hash_alg.as_borrowed().to_owned(), + rsa_padding.as_borrowed().to_owned(), + &signed_data, + )?, + ) + }; let digest_alg = x509::ocsp::HASH_NAME_TO_ALGORITHM_IDENTIFIERS[py_hash_alg .getattr(pyo3::intern!(py, "name"))? diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index 10590354b8df..0dbdb4b4eeb6 100644 --- a/src/rust/src/x509/ocsp.rs 
+++ b/src/rust/src/x509/ocsp.rs @@ -7,7 +7,7 @@ use std::collections::HashMap; use cryptography_x509::common; use cryptography_x509::ocsp_req::CertID; use once_cell::sync::Lazy; -use pyo3::PyNativeType; +use pyo3::prelude::PyAnyMethods; use crate::backend::hashes::Hash; use crate::error::CryptographyResult; @@ -76,7 +76,7 @@ pub(crate) fn certid_new<'p>( py: pyo3::Python<'p>, cert: &'p Certificate, issuer: &'p Certificate, - hash_algorithm: &'p pyo3::PyAny, + hash_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { let issuer_der = asn1::write_single(&cert.raw.borrow_dependent().tbs_cert.issuer)?; let issuer_name_hash = hash_data(py, hash_algorithm, &issuer_der)?; @@ -123,10 +123,10 @@ pub(crate) fn certid_new_from_hash<'p>( pub(crate) fn hash_data<'p>( py: pyo3::Python<'p>, - py_hash_alg: &'p pyo3::PyAny, + py_hash_alg: &pyo3::Bound<'p, pyo3::PyAny>, data: &[u8], ) -> pyo3::PyResult<&'p [u8]> { - let mut h = Hash::new(py, &py_hash_alg.as_borrowed(), None)?; + let mut h = Hash::new(py, py_hash_alg, None)?; h.update_bytes(data)?; Ok(h.finalize(py)?.into_gil_ref().as_bytes()) } diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index d5c1d071d27f..32cb7e6a2e22 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -8,6 +8,7 @@ use cryptography_x509::{ oid, }; use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::PyNativeType; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; @@ -187,7 +188,7 @@ fn create_ocsp_request( py_cert = tuple.0; py_issuer = tuple.1; py_hash = tuple.2; - ocsp::certid_new(py, &py_cert, &py_issuer, py_hash)? + ocsp::certid_new(py, &py_cert, &py_issuer, &py_hash.as_borrowed())? } else { let (issuer_name_hash, issuer_key_hash, py_serial, py_hash): ( &[u8], 
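Review bot: `hash_data` in ocsp.rs (hunk `@@ -123,10 +123,10 @@`) now takes a `Bound` but still returns `&'p [u8]` obtained through `h.finalize(py)?.into_gil_ref().as_bytes()`, and nothing in the function says so. The returned slice is therefore only valid because the gil-ref API keeps the bytes object alive, which is the mechanism this patch series is removing elsewhere. I would record that on the function, for example `// TODO: result still borrows via into_gil_ref(); needs an owning return type before gil-refs are disabled`. Changing the return type is not a drop-in edit, since callers such as `certid_new` appear to store the slice in a structure with lifetime `'p`.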
diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index b70f55b684c0..394c3bdea577 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -11,7 +11,6 @@ use cryptography_x509::{ oid, }; use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; -use pyo3::PyNativeType; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; use crate::error::{CryptographyError, CryptographyResult}; @@ -578,10 +577,10 @@ fn singleresp_py_revocation_time<'p>( #[pyo3::prelude::pyfunction] fn create_ocsp_response( py: pyo3::Python<'_>, - status: &pyo3::PyAny, - builder: &pyo3::PyAny, - private_key: &pyo3::PyAny, - hash_algorithm: &pyo3::PyAny, + status: &pyo3::Bound<'_, pyo3::PyAny>, + builder: &pyo3::Bound<'_, pyo3::PyAny>, + private_key: &pyo3::Bound<'_, pyo3::PyAny>, + hash_algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { let response_status = status .getattr(pyo3::intern!(py, "value"))? @@ -656,7 +655,7 @@ fn create_ocsp_response( )?)?; let responses = vec![SingleResponse { - cert_id: ocsp::certid_new(py, &py_cert, &py_issuer, py_cert_hash_algorithm)?, + cert_id: ocsp::certid_new(py, &py_cert, &py_issuer, &py_cert_hash_algorithm)?, cert_status, next_update, this_update, @@ -665,10 +664,10 @@ fn create_ocsp_response( borrowed_cert = responder_cert.borrow(); let responder_id = if responder_encoding.is(types::OCSP_RESPONDER_ENCODING_HASH.get(py)?) { - let sha1 = types::SHA1.get(py)?.call0()?; + let sha1 = types::SHA1.get_bound(py)?.call0()?; ocsp_resp::ResponderId::ByKey(ocsp::hash_data( py, - sha1, + &sha1, borrowed_cert .raw .borrow_dependent() @@ -697,7 +696,10 @@ fn create_ocsp_response( )), raw_response_extensions: x509::common::encode_extensions( py, - builder.getattr(pyo3::intern!(py, "_extensions"))?, + builder + .getattr(pyo3::intern!(py, "_extensions"))? + .clone() + .into_gil_ref(), extensions::encode_extension, )?, }; From 2e345f26d4826d14366ff02bfd0760e3417d1963 Mon Sep 17 00:00:00 2001 
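Review bot: The hard-coded `types::SHA1.get_bound(py)?.call0()?` in the `@@ -665,10 +664,10 @@` hunk of ocsp_resp.rs has no comment explaining why SHA-1 is used, so it reads as a weak-hash choice to anyone auditing the file. RFC 6960 defines the ResponderID `byKey` value as the SHA-1 hash of the responder's public key, so the algorithm is fixed by the wire format and is independent of the caller's `hash_algorithm`. I would add `// RFC 6960: ResponderID byKey is defined as SHA-1 of the responder public key; not a configurable digest` above `let sha1 = ...`. `create_ocsp_response` starts and ends outside the hunk.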
From: Facundo Tuesca Date: Fri, 5 Apr 2024 23:41:55 +0200 Subject: [PATCH 0402/1462] Migrate more `x509/extensions.rs` APIs to new pyo3 APIs (and other migrations) (#10749) * Migrate `encode_der_data` to new pyo3 APIs * Convert more `x509/extensions.rs` APIs to the new pyo3 APIs * Remove redundant function calls --- src/rust/src/asn1.rs | 2 +- src/rust/src/backend/dh.rs | 2 +- src/rust/src/pkcs7.rs | 14 ++----------- src/rust/src/x509/certificate.rs | 14 ++----------- src/rust/src/x509/common.rs | 12 +++++------ src/rust/src/x509/crl.rs | 12 +++-------- src/rust/src/x509/csr.rs | 11 ++-------- src/rust/src/x509/extensions.rs | 35 ++++++++++++++++++-------------- src/rust/src/x509/ocsp_req.rs | 5 +---- src/rust/src/x509/ocsp_resp.rs | 5 +---- 10 files changed, 39 insertions(+), 73 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 62cbd069bfd9..35de6049382a 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -97,7 +97,7 @@ pub(crate) fn encode_der_data<'p>( py: pyo3::Python<'p>, pem_tag: String, data: Vec, - encoding: &'p pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { if encoding.is(&types::ENCODING_DER.get_bound(py)?) { Ok(pyo3::types::PyBytes::new_bound(py, &data)) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index e52b8760212c..9d597b9ec216 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -369,7 +369,7 @@ impl DHParameters { } else { "X9.42 DH PARAMETERS" }; - encode_der_data(py, tag.to_string(), data, encoding.into_gil_ref()) + encode_der_data(py, tag.to_string(), data, &encoding) } } diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 085d5e891528..977d0c912eed 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs 
@@ -77,12 +77,7 @@ fn serialize_certificates<'p>( }; let content_info_bytes = asn1::write_single(&content_info)?; - encode_der_data( - py, - "PKCS7".to_string(), - content_info_bytes, - encoding.clone().into_gil_ref(), - ) + encode_der_data(py, "PKCS7".to_string(), content_info_bytes, encoding) } #[pyo3::prelude::pyfunction] @@ -273,12 +268,7 @@ fn sign_and_serialize<'p>( .extract()?) } else { // Handles the DER, PEM, and error cases - encode_der_data( - py, - "PKCS7".to_string(), - ci_bytes, - encoding.clone().into_gil_ref(), - ) + encode_der_data(py, "PKCS7".to_string(), ci_bytes, encoding) } } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index d6751b7d0861..02c3f857636d 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -103,14 +103,7 @@ impl Certificate { ) -> CryptographyResult> { let result = asn1::write_single(self.raw.borrow_dependent())?; - Ok(encode_der_data( - py, - "CERTIFICATE".to_string(), - result, - encoding.clone().into_gil_ref(), - )? - .as_borrowed() - .to_owned()) + encode_der_data(py, "CERTIFICATE".to_string(), result, encoding) } #[getter] @@ -963,10 +956,7 @@ fn create_x509_certificate( subject_unique_id: None, raw_extensions: x509::common::encode_extensions( py, - builder - .getattr(pyo3::intern!(py, "_extensions"))? - .clone() - .into_gil_ref(), + &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?, }; diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 4d4951821ca2..ee4b0a3e408c 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs 
@@ -9,7 +9,7 @@ use cryptography_x509::extensions::{ use cryptography_x509::name::{GeneralName, Name, NameReadable, OtherName, UnvalidatedIA5String}; use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::types::IntoPyDict; -use pyo3::{IntoPy, PyNativeType, ToPyObject}; +use pyo3::{IntoPy, ToPyObject}; use crate::asn1::{oid_to_py_oid, py_oid_to_oid}; use crate::error::{CryptographyError, CryptographyResult}; @@ -418,11 +418,11 @@ pub(crate) fn encode_extensions< F: Fn( pyo3::Python<'_>, &asn1::ObjectIdentifier, - &pyo3::PyAny, + &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult>>, >( py: pyo3::Python<'p>, - py_exts: &'p pyo3::PyAny, + py_exts: &pyo3::Bound<'p, pyo3::PyAny>, encode_ext: F, ) -> pyo3::PyResult>> { let mut exts = vec![]; @@ -435,7 +435,7 @@ pub(crate) fn encode_extensions< let oid = py_oid_to_oid(py_oid)?; let ext_val = py_ext.getattr(pyo3::intern!(py, "value"))?; - if ext_val.is_instance(types::UNRECOGNIZED_EXTENSION.get(py)?)? { + if ext_val.is_instance(&types::UNRECOGNIZED_EXTENSION.get_bound(py)?)? { exts.push(Extension { extn_id: oid, critical: py_ext.getattr(pyo3::intern!(py, "critical"))?.extract()?, @@ -445,7 +445,7 @@ pub(crate) fn encode_extensions< }); continue; } - match encode_ext(py, &oid, ext_val)? { + match encode_ext(py, &oid, &ext_val)? { Some(data) => { // TODO: extra copy let py_data = pyo3::types::PyBytes::new_bound(py, &data); @@ -477,7 +477,7 @@ fn encode_extension_value<'p>( ) -> pyo3::PyResult> { let oid = py_oid_to_oid(py_ext.getattr(pyo3::intern!(py, "oid"))?)?; - if let Some(data) = x509::extensions::encode_extension(py, &oid, py_ext.into_gil_ref())? { + if let Some(data) = x509::extensions::encode_extension(py, &oid, &py_ext)? { // TODO: extra copy let py_data = pyo3::types::PyBytes::new_bound(py, &data); return Ok(py_data); diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 4a68cb028e10..c57917709414 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs 
@@ -239,7 +239,7 @@ impl CertificateRevocationList { ) -> CryptographyResult> { let result = asn1::write_single(&self.owned.borrow_dependent())?; - encode_der_data(py, "X509 CRL".to_string(), result, encoding.into_gil_ref()) + encode_der_data(py, "X509 CRL".to_string(), result, &encoding) } #[getter] @@ -672,10 +672,7 @@ fn create_x509_crl( )?, raw_crl_entry_extensions: x509::common::encode_extensions( py, - py_revoked_cert - .getattr(pyo3::intern!(py, "extensions"))? - .clone() - .into_gil_ref(), + &py_revoked_cert.getattr(pyo3::intern!(py, "extensions"))?, extensions::encode_extension, )?, }); @@ -702,10 +699,7 @@ fn create_x509_crl( }, raw_crl_extensions: x509::common::encode_extensions( py, - builder - .getattr(pyo3::intern!(py, "_extensions"))? - .clone() - .into_gil_ref(), + &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?, }; diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index f79c84fd84b2..6049a5be2d51 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -123,12 +123,7 @@ impl CertificateSigningRequest { ) -> CryptographyResult> { let result = asn1::write_single(self.raw.borrow_dependent())?; - encode_der_data( - py, - "CERTIFICATE REQUEST".to_string(), - result, - encoding.clone().into_gil_ref(), - ) + encode_der_data(py, "CERTIFICATE REQUEST".to_string(), result, encoding) } fn get_attribute_for_oid<'p>( @@ -317,9 +312,7 @@ fn create_x509_csr( let ext_bytes; if let Some(exts) = x509::common::encode_extensions( py, - builder - .getattr(pyo3::intern!(py, "_extensions"))? - .into_gil_ref(), + &builder.getattr(pyo3::intern!(py, "_extensions"))?, x509::extensions::encode_extension, )? { ext_bytes = asn1::write_single(&exts)?; diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index bbba8170d416..3e0b7ec83822 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs 
@@ -13,7 +13,7 @@ use pyo3::PyNativeType; fn encode_general_subtrees<'a>( py: pyo3::Python<'a>, - subtrees: &'a pyo3::PyAny, + subtrees: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result>, CryptographyError> { if subtrees.is_none() { Ok(None) @@ -35,7 +35,7 @@ fn encode_general_subtrees<'a>( pub(crate) fn encode_authority_key_identifier<'a>( py: pyo3::Python<'a>, - py_aki: &'a pyo3::PyAny, + py_aki: &pyo3::Bound<'a, pyo3::PyAny>, ) -> CryptographyResult> { #[derive(pyo3::prelude::FromPyObject)] struct PyAuthorityKeyIdentifier<'a> { @@ -68,7 +68,7 @@ pub(crate) fn encode_authority_key_identifier<'a>( pub(crate) fn encode_distribution_points<'p>( py: pyo3::Python<'p>, - py_dps: &'p pyo3::PyAny, + py_dps: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { #[derive(pyo3::prelude::FromPyObject)] struct PyDistributionPoint<'a> { @@ -123,7 +123,7 @@ pub(crate) fn encode_distribution_points<'p>( Ok(asn1::write_single(&asn1::SequenceOfWriter::new(dps))?) } -fn encode_basic_constraints(ext: &pyo3::PyAny) -> CryptographyResult> { +fn encode_basic_constraints(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult> { #[derive(pyo3::prelude::FromPyObject)] struct PyBasicConstraints { ca: bool, @@ -137,7 +137,10 @@ fn encode_basic_constraints(ext: &pyo3::PyAny) -> CryptographyResult> { Ok(asn1::write_single(&bc)?) } -fn encode_key_usage(py: pyo3::Python<'_>, ext: &pyo3::PyAny) -> CryptographyResult> { +fn encode_key_usage( + py: pyo3::Python<'_>, + ext: &pyo3::Bound<'_, pyo3::PyAny>, +) -> CryptographyResult> { let mut bs = [0, 0]; certificate::set_bit( &mut bs, @@ -212,7 +215,7 @@ fn encode_key_usage(py: pyo3::Python<'_>, ext: &pyo3::PyAny) -> CryptographyResu fn encode_certificate_policies( py: pyo3::Python<'_>, - ext: &pyo3::PyAny, + ext: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { let mut policy_informations = vec![]; for py_policy_info in ext.iter()? { 
@@ -303,7 +306,7 @@ fn encode_certificate_policies( fn encode_issuing_distribution_point( py: pyo3::Python<'_>, - ext: &pyo3::PyAny, + ext: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { let only_some_reasons = if ext .getattr(pyo3::intern!(py, "only_some_reasons"))? @@ -328,8 +331,7 @@ fn encode_issuing_distribution_point( { let mut name_entries = vec![]; for py_name_entry in ext.getattr(pyo3::intern!(py, "relative_name"))?.iter()? { - let bound_name_entry = &py_name_entry?.as_borrowed(); - name_entries.push(x509::common::encode_name_entry(ext.py(), bound_name_entry)?); + name_entries.push(x509::common::encode_name_entry(ext.py(), &py_name_entry?)?); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(name_entries)), @@ -355,7 +357,7 @@ fn encode_issuing_distribution_point( Ok(asn1::write_single(&idp)?) } -fn encode_oid_sequence(ext: &pyo3::PyAny) -> CryptographyResult> { +fn encode_oid_sequence(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult> { let mut oids = vec![]; for el in ext.iter()? { let oid = py_oid_to_oid(el?.as_borrowed().to_owned())?; @@ -364,7 +366,10 @@ fn encode_oid_sequence(ext: &pyo3::PyAny) -> CryptographyResult> { Ok(asn1::write_single(&asn1::SequenceOfWriter::new(oids))?) } -fn encode_tls_features(py: pyo3::Python<'_>, ext: &pyo3::PyAny) -> CryptographyResult> { +fn encode_tls_features( + py: pyo3::Python<'_>, + ext: &pyo3::Bound<'_, pyo3::PyAny>, +) -> CryptographyResult> { // Ideally we'd skip building up a vec and just write directly into the // writer. This isn't possible at the moment because the callback to write // an asn1::Sequence can't return an error, and we need to handle errors 
@@ -377,7 +382,7 @@ fn encode_tls_features(py: pyo3::Python<'_>, ext: &pyo3::PyAny) -> CryptographyR Ok(asn1::write_single(&asn1::SequenceOfWriter::new(els))?) } -fn encode_scts(ext: &pyo3::PyAny) -> CryptographyResult> { +fn encode_scts(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult> { let mut length = 0; for sct in ext.iter()? { let sct = sct?.as_borrowed().downcast::()?.clone(); @@ -397,7 +402,7 @@ fn encode_scts(ext: &pyo3::PyAny) -> CryptographyResult> { pub(crate) fn encode_extension( py: pyo3::Python<'_>, oid: &asn1::ObjectIdentifier, - ext: &pyo3::PyAny, + ext: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult>> { match oid { &oid::BASIC_CONSTRAINTS_OID => { @@ -441,8 +446,8 @@ pub(crate) fn encode_extension( let permitted = ext.getattr(pyo3::intern!(py, "permitted_subtrees"))?; let excluded = ext.getattr(pyo3::intern!(py, "excluded_subtrees"))?; let nc = extensions::NameConstraints { - permitted_subtrees: encode_general_subtrees(ext.py(), permitted)?, - excluded_subtrees: encode_general_subtrees(ext.py(), excluded)?, + permitted_subtrees: encode_general_subtrees(ext.py(), &permitted)?, + excluded_subtrees: encode_general_subtrees(ext.py(), &excluded)?, }; Ok(Some(asn1::write_single(&nc)?)) } diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 32cb7e6a2e22..d74f33947312 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -210,10 +210,7 @@ fn create_ocsp_request( let extensions = x509::common::encode_extensions( py, - builder - .getattr(pyo3::intern!(py, "_extensions"))? - .clone() - .into_gil_ref(), + &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?; let reqs = [ocsp_req::Request { diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 394c3bdea577..3b9e11531f94 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs 
@@ -696,10 +696,7 @@ fn create_ocsp_response( )), raw_response_extensions: x509::common::encode_extensions( py, - builder - .getattr(pyo3::intern!(py, "_extensions"))? - .clone() - .into_gil_ref(), + &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?, }; From 6633a4ded4636aa2079eb5de436d5b9899022b24 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 17:43:57 -0400 Subject: [PATCH 0403/1462] Fixed lifetime/scoping error with gil-refs disabled (#10747) --- src/rust/src/x509/ocsp_req.rs | 32 +++++++++++--------------------- 1 file changed, 11 insertions(+), 21 deletions(-) diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index d74f33947312..ec59ffdaf188 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -8,7 +8,6 @@ use cryptography_x509::{ oid, }; use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; -use pyo3::PyNativeType; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; 
@@ -174,37 +173,28 @@ fn create_ocsp_request( let builder_request = builder.getattr(pyo3::intern!(py, "_request"))?; // Declare outside the if-block so the lifetimes are right. - let (py_cert, py_issuer, py_hash): ( + let (py_cert, py_issuer, py_hash, issuer_name_hash, issuer_key_hash): ( pyo3::PyRef<'_, x509::certificate::Certificate>, pyo3::PyRef<'_, x509::certificate::Certificate>, - &pyo3::PyAny, + pyo3::Bound<'_, pyo3::PyAny>, + pyo3::pybacked::PyBackedBytes, + pyo3::pybacked::PyBackedBytes, ); let req_cert = if !builder_request.is_none() { - let tuple = builder_request.extract::<( - pyo3::PyRef<'_, x509::certificate::Certificate>, - pyo3::PyRef<'_, x509::certificate::Certificate>, - &pyo3::PyAny, - )>()?; - py_cert = tuple.0; - py_issuer = tuple.1; - py_hash = tuple.2; - ocsp::certid_new(py, &py_cert, &py_issuer, &py_hash.as_borrowed())? + (py_cert, py_issuer, py_hash) = builder_request.extract()?; + ocsp::certid_new(py, &py_cert, &py_issuer, &py_hash)? } else { - let (issuer_name_hash, issuer_key_hash, py_serial, py_hash): ( - &[u8], - &[u8], - pyo3::Bound<'_, pyo3::types::PyLong>, - &pyo3::PyAny, - ) = builder + let py_serial: pyo3::Bound<'_, pyo3::types::PyLong>; + (issuer_name_hash, issuer_key_hash, py_serial, py_hash) = builder .getattr(pyo3::intern!(py, "_request_hash"))? .extract()?; let serial_number = asn1::BigInt::new(py_uint_to_big_endian_bytes(py, py_serial)?).unwrap(); ocsp::certid_new_from_hash( py, - issuer_name_hash, - issuer_key_hash, + &issuer_name_hash, + &issuer_key_hash, serial_number, - py_hash, + py_hash.into_gil_ref(), )? }; From 28beda0d53749d1b7958cf38aabe163db43dcf85 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 17:44:12 -0400 Subject: [PATCH 0404/1462] Fix three more warnings in OCSP (#10746) --- src/rust/src/x509/ocsp_resp.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 3b9e11531f94..5038a2b0c994 100644 
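Review bot: The comment `// Declare outside the if-block so the lifetimes are right.` in the `@@ -174,37 +173,28 @@` hunk of ocsp_req.rs no longer says enough, now that five bindings are pre-declared and two of them (`issuer_name_hash`, `issuer_key_hash`) are only assigned in the `else` arm. It does not say what borrows from them, which is the thing a later refactor must not break. Presumably the `CertID` returned by `certid_new` / `certid_new_from_hash` borrows from these values, so I would spell that out: `// Declared before the branch: req_cert borrows from whichever of these its arm assigns, so they must outlive it.` `create_ocsp_request` starts and ends outside the hunk.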
--- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -703,15 +703,15 @@ fn create_ocsp_response( let sigalg = x509::sign::compute_signature_algorithm( py, - private_key.as_borrowed().to_owned(), - hash_algorithm.as_borrowed().to_owned(), + private_key.clone(), + hash_algorithm.clone(), py.None().into_bound(py), )?; let tbs_bytes = asn1::write_single(&tbs_response_data)?; let signature = x509::sign::sign_data( py, - private_key.as_borrowed().to_owned(), - hash_algorithm.as_borrowed().to_owned(), + private_key.clone(), + hash_algorithm.clone(), py.None().into_bound(py), &tbs_bytes, )?; From e41f97d314da54315f581da8b163e52c719df399 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 6 Apr 2024 00:15:49 +0000 Subject: [PATCH 0405/1462] Bump BoringSSL and/or OpenSSL in CI (#10753) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2f5973b153f6..e0f8828ff63e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Apr 05, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f94f3ed3965ea033001fb9ae006084eee408b861"}} - # Latest commit on the OpenSSL master branch, as of Apr 05, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a19553cd872047289d6fc730a864bf9d984283ce"}} + # Latest commit on the OpenSSL master branch, as of Apr 06, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0d2a5f600c7b6bef6fa6cf720204876560a6194b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} 
From 15b11864d1350aea6767884bb4c030a62892df77 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 23:21:22 -0400 Subject: [PATCH 0406/1462] Fix lifetimes for CSR attribtues with gil-refs disabled (#10752) --- src/rust/src/x509/csr.rs | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 6049a5be2d51..cc4b2dcbe9c5 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -324,14 +324,18 @@ fn create_x509_csr( }); } + let mut attr_values = vec![]; for py_attr in builder.getattr(pyo3::intern!(py, "_attributes"))?.iter()? { - let (py_oid, value, tag): (pyo3::Bound<'_, pyo3::PyAny>, &[u8], Option) = - py_attr?.extract()?; + let (py_oid, value, tag): ( + pyo3::Bound<'_, pyo3::PyAny>, + pyo3::pybacked::PyBackedBytes, + Option, + ) = py_attr?.extract()?; let oid = py_oid_to_oid(py_oid)?; let tag = if let Some(tag) = tag { asn1::Tag::from_bytes(&[tag])?.0 } else { - if std::str::from_utf8(value).is_err() { + if std::str::from_utf8(&value).is_err() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "Attribute values must be valid utf-8.", @@ -341,10 +345,14 @@ fn create_x509_csr( asn1::Utf8String::TAG }; + attr_values.push((oid, tag, value)); + } + + for (oid, tag, value) in &attr_values { attrs.push(Attribute { - type_id: oid, + type_id: oid.clone(), values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ - common::RawTlv::new(tag, value), + common::RawTlv::new(*tag, value), ])), }); } From 85cc4e43112160876a6279613d763bb1080a6b92 Mon Sep 17 00:00:00 2001 
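Review bot: The split into a collecting loop and a second loop over `attr_values` (hunks `@@ -324,14 +324,18 @@` and `@@ -341,10 +345,14 @@` of csr.rs) carries no comment saying why the attributes cannot be pushed in a single pass. That invites a later simplification that reintroduces the borrow problem this commit fixes. I would add `// Collected first: the RawTlv values pushed into attrs borrow these bytes, so the PyBackedBytes must stay alive past the loop` above `let mut attr_values = vec![];`. Separately, the UTF-8 check runs only when no tag is supplied; if caller-tagged values are meant to be written as-is, a one-line comment on the `if let Some(tag)` branch would help an auditor. `create_x509_csr` starts and ends outside the hunks.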
From: Alex Gaynor Date: Fri, 5 Apr 2024 23:41:14 -0400 Subject: [PATCH 0407/1462] Resolve new clippy warnings (#10755) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The fixes themselves are of marginal value 🙃 --- src/rust/src/x509/crl.rs | 17 ++++++++++++----- src/rust/src/x509/ocsp_resp.rs | 23 +++++++++++++++++------ 2 files changed, 29 insertions(+), 11 deletions(-) diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index c57917709414..7fb591d38506 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -471,11 +471,18 @@ fn try_map_arc_data_mut_crl_iterator( ) -> Result, E>, ) -> Result { OwnedRevokedCertificate::try_new(Arc::clone(it.borrow_owner()), |inner_it| { - // SAFETY: This is safe because `Arc::clone` ensures the data is - // alive, but Rust doesn't understand the lifetime relationship it - // produces. Open-coded implementation of the API discussed in - // https://github.com/joshua-maros/ouroboros/issues/38 - it.with_dependent_mut(|_, value| f(inner_it, unsafe { std::mem::transmute(value) })) + it.with_dependent_mut(|_, value| { + // SAFETY: This is safe because `Arc::clone` ensures the data is + // alive, but Rust doesn't understand the lifetime relationship it + // produces. Open-coded implementation of the API discussed in + // https://github.com/joshua-maros/ouroboros/issues/38 + f(inner_it, unsafe { + std::mem::transmute::< + &mut Option>>, + &mut Option>>, + >(value) + }) + }) }) } diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 5038a2b0c994..8fd58e93616f 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs 
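Review bot: The explicit `std::mem::transmute::<…>` annotations added in `try_map_arc_data_mut_crl_iterator` (crl.rs, `@@ -471,11 +471,18 @@`) satisfy the lint, but the SAFETY comment still does not state what the transmute changes or what must hold afterwards. The same applies to the two ocsp_resp.rs hunks (`@@ -457,7 +457,11 @@`, `@@ -469,11 +473,18 @@`). As rendered here both type arguments use `'_`, so the annotation reads as an identity cast and the reader cannot see that only a lifetime is being widened. I would extend the comment with the invariant, e.g. `// Only the lifetime changes: the reference is re-tied to the Arc cloned above, and the value built by f must stay inside the cell that owns that clone.` Naming the two lifetimes in the annotation instead of `'_` would make the same point in code, if the surrounding signatures allow it.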
@@ -457,7 +457,11 @@ fn map_arc_data_ocsp_response( // alive, but Rust doesn't understand the lifetime relationship it // produces. Open-coded implementation of the API discussed in // https://github.com/joshua-maros/ouroboros/issues/38 - f(inner_it.as_bytes(py), unsafe { std::mem::transmute(value) }) + f(inner_it.as_bytes(py), unsafe { + std::mem::transmute::<&ocsp_resp::OCSPResponse<'_>, &ocsp_resp::OCSPResponse<'_>>( + value, + ) + }) }) }) } @@ -469,11 +473,18 @@ fn try_map_arc_data_mut_ocsp_response_iterator( ) -> Result, E>, ) -> Result { OwnedSingleResponse::try_new(Arc::clone(it.borrow_owner()), |inner_it| { - // SAFETY: This is safe because `Arc::clone` ensures the data is - // alive, but Rust doesn't understand the lifetime relationship it - // produces. Open-coded implementation of the API discussed in - // https://github.com/joshua-maros/ouroboros/issues/38 - it.with_dependent_mut(|_, value| f(inner_it, unsafe { std::mem::transmute(value) })) + it.with_dependent_mut(|_, value| { + // SAFETY: This is safe because `Arc::clone` ensures the data is + // alive, but Rust doesn't understand the lifetime relationship it + // produces. Open-coded implementation of the API discussed in + // https://github.com/joshua-maros/ouroboros/issues/38 + f(inner_it, unsafe { + std::mem::transmute::< + &mut asn1::SequenceOf<'_, ocsp_resp::SingleResponse<'_>>, + &mut asn1::SequenceOf<'_, ocsp_resp::SingleResponse<'_>>, + >(value) + }) + }) }) } From b93e165615217f0359992b333fa33fcf6f5cecf4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 23:41:57 -0400 Subject: [PATCH 0408/1462] Convert some types usage to bound (#10750) --- src/rust/src/backend/aead.rs | 39 +++++++++++++++++++++++++----------- src/rust/src/backend/dh.rs | 6 +++--- 2 files changed, 30 insertions(+), 15 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 55ac8b842dca..16ea74f20030 100644 --- a/src/rust/src/backend/aead.rs 
+++ b/src/rust/src/backend/aead.rs @@ -532,8 +532,8 @@ impl ChaCha20Poly1305 { } #[staticmethod] - fn generate_key(py: pyo3::Python<'_>) -> CryptographyResult<&pyo3::PyAny> { - Ok(types::OS_URANDOM.get(py)?.call1((32,))?) + fn generate_key(py: pyo3::Python<'_>) -> CryptographyResult> { + Ok(types::OS_URANDOM.get_bound(py)?.call1((32,))?) } fn encrypt<'p>( @@ -638,14 +638,17 @@ impl AesGcm { } #[staticmethod] - fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + fn generate_key( + py: pyo3::Python<'_>, + bit_length: usize, + ) -> CryptographyResult> { if bit_length != 128 && bit_length != 192 && bit_length != 256 { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("bit_length must be 128, 192, or 256"), )); } - Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) } fn encrypt<'p>( @@ -746,14 +749,17 @@ impl AesCcm { } #[staticmethod] - fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + fn generate_key( + py: pyo3::Python<'_>, + bit_length: usize, + ) -> CryptographyResult> { if bit_length != 128 && bit_length != 192 && bit_length != 256 { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("bit_length must be 128, 192, or 256"), )); } - Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) } fn encrypt<'p>( 
@@ -876,14 +882,17 @@ impl AesSiv { } #[staticmethod] - fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + fn generate_key( + py: pyo3::Python<'_>, + bit_length: usize, + ) -> CryptographyResult> { if bit_length != 256 && bit_length != 384 && bit_length != 512 { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("bit_length must be 256, 384, or 512"), )); } - Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) } #[pyo3(signature = (data, associated_data))] @@ -970,14 +979,17 @@ impl AesOcb3 { } #[staticmethod] - fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + fn generate_key( + py: pyo3::Python<'_>, + bit_length: usize, + ) -> CryptographyResult> { if bit_length != 128 && bit_length != 192 && bit_length != 256 { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("bit_length must be 128, 192, or 256"), )); } - Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) } #[pyo3(signature = (nonce, data, associated_data))] @@ -1076,14 +1088,17 @@ impl AesGcmSiv { } #[staticmethod] - fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + fn generate_key( + py: pyo3::Python<'_>, + bit_length: usize, + ) -> CryptographyResult> { if bit_length != 128 && bit_length != 192 && bit_length != 256 { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("bit_length must be 128, 192, or 256"), )); } - Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) } #[pyo3(signature = (nonce, data, associated_data))] diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 9d597b9ec216..70a57d50b57b 100644 --- a/src/rust/src/backend/dh.rs 
+++ b/src/rust/src/backend/dh.rs @@ -229,7 +229,7 @@ impl DHPrivateKey { format: &pyo3::Bound<'p, pyo3::PyAny>, encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - if !format.is(types::PRIVATE_FORMAT_PKCS8.get(py)?) { + if !format.is(&types::PRIVATE_FORMAT_PKCS8.get_bound(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "DH private keys support only PKCS8 serialization", @@ -263,7 +263,7 @@ impl DHPublicKey { encoding: &pyo3::Bound<'p, pyo3::PyAny>, format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - if !format.is(types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?) { + if !format.is(&types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get_bound(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "DH public keys support only SubjectPublicKeyInfo serialization", @@ -345,7 +345,7 @@ impl DHParameters { encoding: pyo3::Bound<'p, pyo3::PyAny>, format: pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - if !format.is(types::PARAMETER_FORMAT_PKCS3.get(py)?) { + if !format.is(&types::PARAMETER_FORMAT_PKCS3.get_bound(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Only PKCS3 serialization is supported"), )); From 5f19fad7be68f75a4522ec88624114306f35294d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 23:44:01 -0400 Subject: [PATCH 0409/1462] Fix lifetimes for PKCS#7 digests with gil-refs disabled (#10751) --- src/rust/src/pkcs7.rs | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 977d0c912eed..58f36ec1a81f 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs 
@@ -128,9 +128,21 @@ fn sign_and_serialize<'p>( .iter() .map(|p| p.raw.borrow_dependent()) .collect::>(); - for (cert, py_private_key, py_hash_alg, rsa_padding) in &py_signers { + + let mut digests = vec![]; + if !options.contains(&types::PKCS7_NO_ATTRIBUTES.get_bound(py)?)? { + for (_, _, py_hash_alg, _) in &py_signers { + let digest = asn1::write_single(&x509::ocsp::hash_data( + py, + &py_hash_alg.as_borrowed(), + &data_with_header, + )?)?; + digests.push(digest); + } + } + for (i, (cert, py_private_key, py_hash_alg, rsa_padding)) in py_signers.iter().enumerate() { let (authenticated_attrs, signature) = - if options.contains(types::PKCS7_NO_ATTRIBUTES.get(py)?)? { + if options.contains(&types::PKCS7_NO_ATTRIBUTES.get_bound(py)?)? { ( None, x509::sign::sign_data( @@ -157,17 +169,10 @@ fn sign_and_serialize<'p>( }, ]; - let digest = asn1::write_single(&x509::ocsp::hash_data( - py, - &py_hash_alg.as_borrowed(), - &data_with_header, - )?)?; - // Gross hack: copy to PyBytes to extend the lifetime to 'p - let digest_bytes = pyo3::types::PyBytes::new(py, &digest); authenticated_attrs.push(Attribute { type_id: PKCS7_MESSAGE_DIGEST_OID, values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ - asn1::parse_single(digest_bytes.as_bytes()).unwrap(), + asn1::parse_single(&digests[i]).unwrap(), ])), }); From 070ebf2d929f4fc3e96607a153fbad1600c36887 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Apr 2024 08:14:36 -0400 Subject: [PATCH 0410/1462] Fixed lifetime error in `csr.rs` with `gil-refs` disabled (#10756) --- src/rust/src/x509/csr.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index cc4b2dcbe9c5..5ee6c25e2a7b 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs 
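Review bot: `digests[i]` in the signer loop relies on an invariant that is only implicit. `digests` is filled when `options.contains(&types::PKCS7_NO_ATTRIBUTES.get_bound(py)?)?` is false, and the loop repeats that Python-level `contains` call for every signer before indexing. If one condition is later edited without the other, or the two evaluations ever disagree, the index panics rather than returning an error. Evaluating it once, `let no_attributes = options.contains(&types::PKCS7_NO_ATTRIBUTES.get_bound(py)?)?;`, and using that flag for both the pre-pass and the branch removes the coupling. A short comment on `digests` should also say it exists so the encoded digest outlives `authenticated_attrs`, replacing the removed "Gross hack" remark. `sign_and_serialize` starts and ends outside these hunks.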
@@ -306,7 +306,7 @@ fn create_x509_csr( let spki_bytes = private_key .call_method0(pyo3::intern!(py, "public_key"))? .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))? - .extract::<&[u8]>()?; + .extract::()?; let mut attrs = vec![]; let ext_bytes; @@ -362,7 +362,7 @@ fn create_x509_csr( let csr_info = CertificationRequestInfo { version: 0, subject: x509::common::encode_name(py, &py_subject_name.as_borrowed())?, - spki: asn1::parse_single(spki_bytes)?, + spki: asn1::parse_single(&spki_bytes)?, attributes: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(attrs)), }; From 5303b8d4213b6602b3cd30217165aa6319b33093 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Apr 2024 08:32:51 -0400 Subject: [PATCH 0411/1462] Fixed lifetime errors in `ec.rs` with `gil-refs` disabled (#10757) --- src/rust/src/backend/ec.rs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index a562bbf74e3b..30a36dd1ebf8 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -44,8 +44,8 @@ fn curve_from_py_curve( } } - let curve_name = py_curve.getattr(pyo3::intern!(py, "name"))?.extract()?; - let nid = match curve_name { + let py_curve_name = py_curve.getattr(pyo3::intern!(py, "name"))?; + let nid = match py_curve_name.extract()? { "secp192r1" => openssl::nid::Nid::X9_62_PRIME192V1, "secp224r1" => openssl::nid::Nid::SECP224R1, "secp256r1" => openssl::nid::Nid::X9_62_PRIME256V1, @@ -74,7 +74,7 @@ fn curve_from_py_curve( #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] "brainpoolP512r1" => openssl::nid::Nid::BRAINPOOL_P512R1, - _ => { + curve_name => { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( format!("Curve {curve_name} is not supported"), 
@@ -292,8 +292,8 @@ impl ECPrivateKey { if deterministic { let hash_function_name = algo .getattr(pyo3::intern!(py, "name"))? - .extract::<&str>()?; - let hash_function = openssl::md::Md::fetch(None, hash_function_name, None)?; + .extract::()?; + let hash_function = openssl::md::Md::fetch(None, &hash_function_name, None)?; // Setting a deterministic nonce type requires to explicitly set the hash function. // See https://github.com/openssl/openssl/issues/23205 signer.set_signature_md(&hash_function)?; From dc14634f2090405b75880d9e824d358e8bda9766 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Apr 2024 09:28:34 -0400 Subject: [PATCH 0412/1462] Fixed lifetime error in `pkcs12.rs` with `gil-refs` disabled (#10758) --- src/rust/src/pkcs12.rs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 084cee6660bc..3fc765017710 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -57,8 +57,12 @@ impl PKCS12Certificate { } fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { + let py_friendly_name_repr; let friendly_name_repr = match &self.friendly_name { - Some(v) => v.bind(py).repr()?.extract()?, + Some(v) => { + py_friendly_name_repr = v.bind(py).repr()?; + py_friendly_name_repr.extract()? + } None => "None", }; Ok(format!( From 2ab8b23dd67295fb3ab8a1348c06535bc8040f33 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Apr 2024 09:29:37 -0400 Subject: [PATCH 0413/1462] Convert `src/types.rs` to new pyo3 APIs (#10754) --- src/rust/src/types.rs | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index c3590948bf90..6200801be28b 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs 
@@ -2,6 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use pyo3::prelude::PyAnyMethods; + pub struct LazyPyImport { module: &'static str, names: &'static [&'static str], @@ -26,11 +28,11 @@ impl LazyPyImport { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { let p = self.value.get_or_try_init(py, || { - let mut obj = py.import(self.module)?.as_ref(); + let mut obj = py.import_bound(self.module)?.into_any(); for name in self.names { obj = obj.getattr(*name)?; } - obj.extract() + Ok::<_, pyo3::PyErr>(obj.unbind()) })?; Ok(p.clone().into_bound(py)) From a63af2fcf397a35c32a35766561ea28bfe03f676 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Apr 2024 11:34:25 -0400 Subject: [PATCH 0414/1462] Fixed lifetime errors in `certificate.rs` with `gil-refs` disabled (#10760) --- src/rust/src/x509/certificate.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 02c3f857636d..cbc8007fb0ea 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -58,7 +58,7 @@ impl Certificate { fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { let subject = self.subject(py)?; - let subject_repr = subject.repr()?.extract::<&str>()?; + let subject_repr = subject.repr()?.extract::()?; Ok(format!("")) } @@ -927,7 +927,7 @@ fn create_x509_certificate( let spki_bytes = builder .getattr(pyo3::intern!(py, "_public_key"))? .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))? - .extract::<&[u8]>()?; + .extract::()?; let py_serial = builder .getattr(pyo3::intern!(py, "_serial_number"))? 
@@ -951,7 +951,7 @@ fn create_x509_certificate( not_after: time_from_py(py, &py_not_after)?, }, subject: x509::common::encode_name(py, &py_subject_name)?, - spki: asn1::parse_single(spki_bytes)?, + spki: asn1::parse_single(&spki_bytes)?, issuer_unique_id: None, subject_unique_id: None, raw_extensions: x509::common::encode_extensions( From 3505402383072199fa9b608e13db1e6d173df19a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Apr 2024 11:39:39 -0400 Subject: [PATCH 0415/1462] Fixed lifetime errors in `utils.rs` with `gil-refs` disabled (#10761) --- src/rust/src/backend/utils.rs | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index d3cc3b24b580..a3f60d851cdc 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -17,11 +17,11 @@ pub(crate) fn py_int_to_bn( .extract::()? / 8 + 1; - let bytes: &[u8] = v + let bytes = v .call_method1(pyo3::intern!(py, "to_bytes"), (n, pyo3::intern!(py, "big")))? - .extract()?; + .extract::()?; - Ok(openssl::bn::BigNum::from_slice(bytes)?) + Ok(openssl::bn::BigNum::from_slice(&bytes)?) } pub(crate) fn bn_to_py_int<'p>( @@ -90,17 +90,19 @@ pub(crate) fn pkey_private_bytes<'p>( return Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)); } + let py_password; let password = if encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get_bound(py)?)? { - b"" + b"" as &[u8] } else if encryption_algorithm.is_instance(&types::BEST_AVAILABLE_ENCRYPTION.get_bound(py)?)? || (encryption_algorithm.is_instance(&types::ENCRYPTION_BUILDER.get_bound(py)?)? && encryption_algorithm .getattr(pyo3::intern!(py, "_format"))? .is(format)) { - encryption_algorithm + py_password = encryption_algorithm .getattr(pyo3::intern!(py, "password"))? - .extract::<&[u8]>()? + .extract::()?; + &py_password } else { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Unsupported encryption type"), 
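Review bot: In `pkey_private_bytes`, the `b"" as &[u8]` cast exists only to make the first branch agree with `&py_password`. Annotating the binding is clearer and avoids the `as` cast: `let password: &[u8] = if encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get_bound(py)?)? { b"" } else if …`. A short comment on `let py_password;` would also help, e.g. `// Declared outside the if so the extracted password bytes live as long as password.` The function continues past the end of the hunk.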
From c588f578d37cab272b7a16ed50da3a622bd9597e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Apr 2024 13:05:27 -0400 Subject: [PATCH 0416/1462] Fixed two lifetime errors in `extensions.rs` with `gil-refs` disabled (#10762) --- src/rust/src/x509/extensions.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 3e0b7ec83822..cd1da1417494 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -412,8 +412,8 @@ pub(crate) fn encode_extension( &oid::SUBJECT_KEY_IDENTIFIER_OID => { let digest = ext .getattr(pyo3::intern!(py, "digest"))? - .extract::<&[u8]>()?; - Ok(Some(asn1::write_single(&digest)?)) + .extract::()?; + Ok(Some(asn1::write_single(&digest.as_ref())?)) } &oid::KEY_USAGE_OID => { let der = encode_key_usage(py, ext)?; @@ -522,8 +522,8 @@ pub(crate) fn encode_extension( &oid::NONCE_OID => { let nonce = ext .getattr(pyo3::intern!(py, "nonce"))? - .extract::<&[u8]>()?; - Ok(Some(asn1::write_single(&nonce)?)) + .extract::()?; + Ok(Some(asn1::write_single(&nonce.as_ref())?)) } &oid::MS_CERTIFICATE_TEMPLATE => { let py_template_id = ext.getattr(pyo3::intern!(py, "template_id"))?; From 3bcbbe7adfa8a6569bcffb1230048dc3a05cc082 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Apr 2024 16:43:21 -0400 Subject: [PATCH 0417/1462] Fixed lifetime error in `hashes.rs` with `gil-refs` disabled (#10759) --- src/rust/src/backend/hashes.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index c97171689863..ac989024e849 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs 
@@ -51,14 +51,14 @@ pub(crate) fn message_digest_from_algorithm( let name = algorithm .getattr(pyo3::intern!(py, "name"))? - .extract::<&str>()?; + .extract::()?; let openssl_name = if name == "blake2b" || name == "blake2s" { let digest_size = algorithm .getattr(pyo3::intern!(py, "digest_size"))? .extract::()?; Cow::Owned(format!("{}{}", name, digest_size * 8)) } else { - Cow::Borrowed(name) + Cow::Borrowed(name.as_ref()) }; match openssl::hash::MessageDigest::from_name(&openssl_name) { From 3d02b96c3c11725972202f542c0e878399a5c013 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 7 Apr 2024 07:57:23 -0400 Subject: [PATCH 0418/1462] Simplify OCSP response generating code (#10763) Wrapping nearly the entire function body with an `if` made it less readable --- src/rust/src/x509/ocsp_resp.rs | 296 +++++++++++++++++---------------- 1 file changed, 149 insertions(+), 147 deletions(-) diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 8fd58e93616f..488aff625bc3 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs 
@@ -601,169 +601,171 @@ fn create_ocsp_response( let py_issuer: pyo3::PyRef<'_, x509::certificate::Certificate>; let borrowed_cert; let py_certs: Option>>; - let response_bytes = if response_status == SUCCESSFUL_RESPONSE { - let py_single_resp = builder.getattr(pyo3::intern!(py, "_response"))?; - py_cert = py_single_resp - .getattr(pyo3::intern!(py, "_cert"))? - .extract()?; - py_issuer = py_single_resp - .getattr(pyo3::intern!(py, "_issuer"))? - .extract()?; - let py_cert_hash_algorithm = py_single_resp.getattr(pyo3::intern!(py, "_algorithm"))?; - let (responder_cert, responder_encoding): ( - pyo3::Bound<'_, x509::certificate::Certificate>, - &pyo3::PyAny, - ) = builder - .getattr(pyo3::intern!(py, "_responder_id"))? - .extract()?; - - let py_cert_status = py_single_resp.getattr(pyo3::intern!(py, "_cert_status"))?; - let cert_status = if py_cert_status.is(types::OCSP_CERT_STATUS_GOOD.get(py)?) { - ocsp_resp::CertStatus::Good(()) - } else if py_cert_status.is(types::OCSP_CERT_STATUS_UNKNOWN.get(py)?) { - ocsp_resp::CertStatus::Unknown(()) - } else { - let revocation_reason = if !py_single_resp - .getattr(pyo3::intern!(py, "_revocation_reason"))? - .is_none() - { - let value = types::CRL_ENTRY_REASON_ENUM_TO_CODE - .get(py)? - .get_item(py_single_resp.getattr(pyo3::intern!(py, "_revocation_reason"))?)? - .extract::()?; - Some(asn1::Enumerated::new(value)) - } else { - None - }; - // REVOKED - let py_revocation_time = - py_single_resp.getattr(pyo3::intern!(py, "_revocation_time"))?; - let revocation_time = asn1::GeneralizedTime::new(py_to_datetime( - py, - py_revocation_time.as_borrowed().to_owned(), - )?)?; - ocsp_resp::CertStatus::Revoked(ocsp_resp::RevokedInfo { - revocation_time, - revocation_reason, - }) + if response_status != SUCCESSFUL_RESPONSE { + let resp = ocsp_resp::OCSPResponse { + response_status: asn1::Enumerated::new(response_status), + response_bytes: None, }; - let next_update = if !py_single_resp - .getattr(pyo3::intern!(py, "_next_update"))? 
+ let data = asn1::write_single(&resp)?; + return load_der_ocsp_response(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()); + } + + let py_single_resp = builder.getattr(pyo3::intern!(py, "_response"))?; + py_cert = py_single_resp + .getattr(pyo3::intern!(py, "_cert"))? + .extract()?; + py_issuer = py_single_resp + .getattr(pyo3::intern!(py, "_issuer"))? + .extract()?; + let py_cert_hash_algorithm = py_single_resp.getattr(pyo3::intern!(py, "_algorithm"))?; + let (responder_cert, responder_encoding): ( + pyo3::Bound<'_, x509::certificate::Certificate>, + &pyo3::PyAny, + ) = builder + .getattr(pyo3::intern!(py, "_responder_id"))? + .extract()?; + + let py_cert_status = py_single_resp.getattr(pyo3::intern!(py, "_cert_status"))?; + let cert_status = if py_cert_status.is(types::OCSP_CERT_STATUS_GOOD.get(py)?) { + ocsp_resp::CertStatus::Good(()) + } else if py_cert_status.is(types::OCSP_CERT_STATUS_UNKNOWN.get(py)?) { + ocsp_resp::CertStatus::Unknown(()) + } else { + let revocation_reason = if !py_single_resp + .getattr(pyo3::intern!(py, "_revocation_reason"))? .is_none() { - let py_next_update = py_single_resp.getattr(pyo3::intern!(py, "_next_update"))?; - Some(asn1::GeneralizedTime::new(py_to_datetime( - py, - py_next_update.as_borrowed().to_owned(), - )?)?) + let value = types::CRL_ENTRY_REASON_ENUM_TO_CODE + .get(py)? + .get_item(py_single_resp.getattr(pyo3::intern!(py, "_revocation_reason"))?)? 
+ .extract::()?; + Some(asn1::Enumerated::new(value)) } else { None }; - let py_this_update = py_single_resp.getattr(pyo3::intern!(py, "_this_update"))?; - let this_update = asn1::GeneralizedTime::new(py_to_datetime( + // REVOKED + let py_revocation_time = py_single_resp.getattr(pyo3::intern!(py, "_revocation_time"))?; + let revocation_time = asn1::GeneralizedTime::new(py_to_datetime( py, - py_this_update.as_borrowed().to_owned(), + py_revocation_time.as_borrowed().to_owned(), )?)?; - - let responses = vec![SingleResponse { - cert_id: ocsp::certid_new(py, &py_cert, &py_issuer, &py_cert_hash_algorithm)?, - cert_status, - next_update, - this_update, - raw_single_extensions: None, - }]; - - borrowed_cert = responder_cert.borrow(); - let responder_id = if responder_encoding.is(types::OCSP_RESPONDER_ENCODING_HASH.get(py)?) { - let sha1 = types::SHA1.get_bound(py)?.call0()?; - ocsp_resp::ResponderId::ByKey(ocsp::hash_data( - py, - &sha1, - borrowed_cert - .raw - .borrow_dependent() - .tbs_cert - .spki - .subject_public_key - .as_bytes(), - )?) - } else { - ocsp_resp::ResponderId::ByName( - borrowed_cert - .raw - .borrow_dependent() - .tbs_cert - .subject - .clone(), - ) - }; - - let tbs_response_data = ocsp_resp::ResponseData { - version: 0, - produced_at: asn1::GeneralizedTime::new(x509::common::datetime_now(py)?)?, - responder_id, - responses: common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new( - responses, - )), - raw_response_extensions: x509::common::encode_extensions( - py, - &builder.getattr(pyo3::intern!(py, "_extensions"))?, - extensions::encode_extension, - )?, - }; - - let sigalg = x509::sign::compute_signature_algorithm( + ocsp_resp::CertStatus::Revoked(ocsp_resp::RevokedInfo { + revocation_time, + revocation_reason, + }) + }; + let next_update = if !py_single_resp + .getattr(pyo3::intern!(py, "_next_update"))? 
+ .is_none() + { + let py_next_update = py_single_resp.getattr(pyo3::intern!(py, "_next_update"))?; + Some(asn1::GeneralizedTime::new(py_to_datetime( py, - private_key.clone(), - hash_algorithm.clone(), - py.None().into_bound(py), - )?; - let tbs_bytes = asn1::write_single(&tbs_response_data)?; - let signature = x509::sign::sign_data( + py_next_update.as_borrowed().to_owned(), + )?)?) + } else { + None + }; + let py_this_update = py_single_resp.getattr(pyo3::intern!(py, "_this_update"))?; + let this_update = + asn1::GeneralizedTime::new(py_to_datetime(py, py_this_update.as_borrowed().to_owned())?)?; + + let responses = vec![SingleResponse { + cert_id: ocsp::certid_new(py, &py_cert, &py_issuer, &py_cert_hash_algorithm)?, + cert_status, + next_update, + this_update, + raw_single_extensions: None, + }]; + + borrowed_cert = responder_cert.borrow(); + let responder_id = if responder_encoding.is(types::OCSP_RESPONDER_ENCODING_HASH.get(py)?) { + let sha1 = types::SHA1.get_bound(py)?.call0()?; + ocsp_resp::ResponderId::ByKey(ocsp::hash_data( py, - private_key.clone(), - hash_algorithm.clone(), - py.None().into_bound(py), - &tbs_bytes, - )?; + &sha1, + borrowed_cert + .raw + .borrow_dependent() + .tbs_cert + .spki + .subject_public_key + .as_bytes(), + )?) + } else { + ocsp_resp::ResponderId::ByName( + borrowed_cert + .raw + .borrow_dependent() + .tbs_cert + .subject + .clone(), + ) + }; - if !responder_cert - .call_method0(pyo3::intern!(py, "public_key"))? - .eq(private_key.call_method0(pyo3::intern!(py, "public_key"))?)? 
- { - return Err(CryptographyError::from( - pyo3::exceptions::PyValueError::new_err( - "Certificate public key and provided private key do not match", - ), - )); - } + let tbs_response_data = ocsp_resp::ResponseData { + version: 0, + produced_at: asn1::GeneralizedTime::new(x509::common::datetime_now(py)?)?, + responder_id, + responses: common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new( + responses, + )), + raw_response_extensions: x509::common::encode_extensions( + py, + &builder.getattr(pyo3::intern!(py, "_extensions"))?, + extensions::encode_extension, + )?, + }; - py_certs = builder.getattr(pyo3::intern!(py, "_certs"))?.extract()?; - let certs = py_certs.as_ref().map(|py_certs| { - common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new( - py_certs - .iter() - .map(|c| c.raw.borrow_dependent().clone()) - .collect(), - )) - }); + let sigalg = x509::sign::compute_signature_algorithm( + py, + private_key.clone(), + hash_algorithm.clone(), + py.None().into_bound(py), + )?; + let tbs_bytes = asn1::write_single(&tbs_response_data)?; + let signature = x509::sign::sign_data( + py, + private_key.clone(), + hash_algorithm.clone(), + py.None().into_bound(py), + &tbs_bytes, + )?; + + if !responder_cert + .call_method0(pyo3::intern!(py, "public_key"))? + .eq(private_key.call_method0(pyo3::intern!(py, "public_key"))?)? 
+ { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Certificate public key and provided private key do not match", + ), + )); + } - let basic_resp = ocsp_resp::BasicOCSPResponse { - tbs_response_data, - signature: asn1::BitString::new(signature, 0).unwrap(), - signature_algorithm: sigalg, - certs, - }; - Some(ocsp_resp::ResponseBytes { - response_type: (BASIC_RESPONSE_OID).clone(), - response: asn1::OctetStringEncoded::new(basic_resp), - }) - } else { - None + py_certs = builder.getattr(pyo3::intern!(py, "_certs"))?.extract()?; + let certs = py_certs.as_ref().map(|py_certs| { + common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new( + py_certs + .iter() + .map(|c| c.raw.borrow_dependent().clone()) + .collect(), + )) + }); + + let basic_resp = ocsp_resp::BasicOCSPResponse { + tbs_response_data, + signature: asn1::BitString::new(signature, 0).unwrap(), + signature_algorithm: sigalg, + certs, }; + let response_bytes = Some(ocsp_resp::ResponseBytes { + response_type: (BASIC_RESPONSE_OID).clone(), + response: asn1::OctetStringEncoded::new(basic_resp), + }); let resp = ocsp_resp::OCSPResponse { - response_status: asn1::Enumerated::new(response_status), + response_status: asn1::Enumerated::new(SUCCESSFUL_RESPONSE), response_bytes, }; let data = asn1::write_single(&resp)?; From 030f70f9188009e596638edd68b4a986cfd059ca Mon Sep 17 00:00:00 2001 
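Review bot: In the flattened `create_ocsp_response`, the check that the responder certificate's public key matches `private_key` still runs after `x509::sign::sign_data(...)`. A signature is therefore produced with a key that may then be rejected with "Certificate public key and provided private key do not match". Nothing visible in the hunk needs the signature for that comparison, so the `if !responder_cert.call_method0(pyo3::intern!(py, "public_key"))?.eq(…)?` block could move to just after `responder_cert` is extracted and fail before any private-key operation. Separately, `py_issuer`, `borrowed_cert` and `py_certs` are still declared ahead of the new early return; that looks like a leftover from the old `if` expression, and they can likely be declared where they are assigned. The function starts before and continues after this hunk.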
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 11:09:20 +0000 Subject: [PATCH 0419/1462] Bump typing-extensions from 4.10.0 to 4.11.0 (#10768) Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.10.0 to 4.11.0. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/compare/4.10.0...4.11.0) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 702299344a67..c3621cda6549 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -146,7 +146,7 @@ tomli==2.0.1 # mypy # pyproject-hooks # pytest -typing-extensions==4.10.0; python_version >= "3.8" +typing-extensions==4.11.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests From a2b37ceeaed10956813a6973809b6f0a9d978eef Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 11:11:49 +0000 Subject: [PATCH 0420/1462] Bump cc from 1.0.90 to 1.0.91 in /src/rust (#10769) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.90 to 1.0.91. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.90...1.0.91) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 91ac810df5c2..5290d2b20c6c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.90" +version = "1.0.91" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8cd6604a82acf3039f1144f54b8eb34e91ffba622051189e71b781822d5ee1f5" +checksum = "1fd97381a8cc6493395a5afc4c691c1084b3768db713b73aa215217aa245d153" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 3251e6622d1d..98491ea1f633 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.21.1", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.90" +cc = "1.0.91" From 2cd75bdbd72f952750dbcaf84095360e69d5fd96 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 11:13:56 +0000 Subject: [PATCH 0421/1462] Bump typing-extensions from 4.10.0 to 4.11.0 in /.github/requirements (#10765) * Bump typing-extensions from 4.10.0 to 4.11.0 in /.github/requirements Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.10.0 to 4.11.0. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/compare/4.10.0...4.11.0) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: indirect update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 2444daad6f2f..b358f8822a59 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -568,9 +568,9 @@ twine==5.0.0 \ --hash=sha256:89b0cc7d370a4b66421cc6102f269aa910fe0f1861c124f573cf2ddedbc10cf4 \ --hash=sha256:a262933de0b484c53408f9edae2e7821c1c45a3314ff2df9bdd343aa7ab8edc0 # via -r publish-requirements.in -typing-extensions==4.10.0 \ - --hash=sha256:69b1a937c3a517342112fb4c6df7e72fc39a38e7891a5730ed4985b5214b5475 \ - --hash=sha256:b0abd7c89e8fb96f98db18d86106ff1d90ab692004eb746cf6eda2682f91b3cb +typing-extensions==4.11.0 \ + --hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \ + --hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a # via # pydantic # pydantic-core From 68e0836bdd7662f754f16811530a72aef21e3bf1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 11:19:33 +0000 Subject: [PATCH 0422/1462] Bump jaraco-context from 5.1.0 to 5.3.0 in /.github/requirements (#10766) * Bump jaraco-context from 5.1.0 to 5.3.0 in /.github/requirements Bumps [jaraco-context](https://github.com/jaraco/jaraco.context) from 5.1.0 to 5.3.0. - [Release notes](https://github.com/jaraco/jaraco.context/releases) - [Changelog](https://github.com/jaraco/jaraco.context/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/jaraco.context/compare/v5.1.0...v5.3.0) --- updated-dependencies: - dependency-name: jaraco-context dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index b358f8822a59..20c50a03244f 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -12,6 +12,10 @@ appdirs==1.4.4 \ --hash=sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41 \ --hash=sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128 # via sigstore +backports-tarfile==1.0.0 \ + --hash=sha256:2688f159c21afd56a07b75f01306f9f52c79aebcc5f4a117fb8fbb4445352c75 \ + --hash=sha256:bcd36290d9684beb524d3fe74f4a2db056824c47746583f090b8e55daf0776e4 + # via jaraco-context betterproto==2.0.0b6 \ --hash=sha256:720ae92697000f6fcf049c69267d957f0871654c8b0d7458906607685daee784 \ --hash=sha256:a0839ec165d110a69d0d116f4d0e2bec8d186af4db826257931f0831dab73fcf 
@@ -250,9 +254,9 @@ jaraco-classes==3.4.0 \ --hash=sha256:47a024b51d0239c0dd8c8540c6c7f484be3b8fcf0b2d85c13825780d3b3f3acd \ --hash=sha256:f662826b6bed8cace05e7ff873ce0f9283b5c924470fe664fff1c2f00f581790 # via keyring -jaraco-context==5.1.0 \ - --hash=sha256:0e4161ebbaeead78850b4ca5465b5853217cf23ad74ec82d00ebfb69d8ea5fcb \ - --hash=sha256:24ec1f739aec2c5766c68027ccc70d91d7b0cb931699442f5c7ed93515b955e7 +jaraco-context==5.3.0 \ + --hash=sha256:3e16388f7da43d384a1a7cd3452e72e14732ac9fe459678773a3608a812bf266 \ + --hash=sha256:c2f67165ce1f9be20f32f650f25d8edfc1646a8aeee48ae06fb35f90763576d2 # via keyring jaraco-functools==4.0.0 \ --hash=sha256:c279cb24c93d694ef7270f970d499cab4d3813f4e08273f95398651a634f0925 \ From 3c964ca7a0098161f121bf519786e7bcf338dace Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 11:29:24 +0000 Subject: [PATCH 0423/1462] Bump execnet from 2.0.2 to 2.1.1 (#10767) * Bump execnet from 2.0.2 to 2.1.1 Bumps [execnet](https://github.com/pytest-dev/execnet) from 2.0.2 to 2.1.1. - [Changelog](https://github.com/pytest-dev/execnet/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/execnet/compare/v2.0.2...v2.1.1) --- updated-dependencies: - dependency-name: execnet dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update ci-constraints-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c3621cda6549..cad42aaaff17 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -38,7 +38,7 @@ docutils==0.20.1 # sphinx-rtd-theme exceptiongroup==1.2.0 # via pytest -execnet==2.0.2 +execnet==2.1.1; python_version >= "3.8" # via pytest-xdist filelock==3.13.3; python_version >= "3.8" # via virtualenv From 5d7dcf62f71c3396186f9515a1700a0aaa368f7d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 21:53:32 +0000 Subject: [PATCH 0424/1462] Bump pem from 3.0.3 to 3.0.4 in /src/rust (#10772) Bumps [pem](https://github.com/jcreekmore/pem-rs) from 3.0.3 to 3.0.4. - [Changelog](https://github.com/jcreekmore/pem-rs/blob/master/CHANGELOG.md) - [Commits](https://github.com/jcreekmore/pem-rs/compare/v3.0.3...v3.0.4) --- updated-dependencies: - dependency-name: pem dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 5290d2b20c6c..b362357cf490 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -30,9 +30,9 @@ checksum = "f1fdabc7756949593fe60f30ec81974b613357de856987752631dea1e3394c80" [[package]] name = "base64" -version = "0.21.7" +version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567" +checksum = "9475866fec1451be56a3c2400fd081ff546538961565ccb5b7142cbd22bc7a51" [[package]] name = "bitflags" @@ -248,9 +248,9 @@ dependencies = [ [[package]] name = "pem" -version = "3.0.3" +version = "3.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1b8fcc794035347fb64beda2d3b462595dd2753e3f268d89c5aae77e8cf2c310" +checksum = "8e459365e590736a54c3fa561947c84837534b8e9af6fc5bf781307e82658fae" dependencies = [ "base64", ] 
From 659dda1395cad7ae9b3fcede80d32ecf61946fa7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 22:15:40 +0000 Subject: [PATCH 0425/1462] Bump cc from 1.0.91 to 1.0.92 in /src/rust (#10773) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.91 to 1.0.92. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.91...1.0.92) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b362357cf490..879be6b55bbf 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.91" +version = "1.0.92" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1fd97381a8cc6493395a5afc4c691c1084b3768db713b73aa215217aa245d153" +checksum = "2678b2e3449475e95b0aa6f9b506a28e61b3dc8996592b983695e8ebb58a8b41" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 98491ea1f633..f22d8e4b07a0 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.21.1", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.91" +cc = "1.0.92" From 42192fab0a96b484089021148ed1eaa12053f7ed Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 9 Apr 2024 00:18:40 +0000 Subject: [PATCH 0426/1462] Bump BoringSSL and/or OpenSSL in CI (#10775) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e0f8828ff63e..8d9b87fa7566 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Apr 05, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f94f3ed3965ea033001fb9ae006084eee408b861"}} - # Latest commit on the OpenSSL master branch, as of Apr 06, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0d2a5f600c7b6bef6fa6cf720204876560a6194b"}} + # Latest commit on the OpenSSL master branch, as of Apr 09, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4a3e8f08306c64366318e26162ae0a0eb7b1a006"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 99ac2da221b709b6cae9d585b041c69573689941 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 9 Apr 2024 00:32:06 +0000 Subject: [PATCH 0427/1462] Bump x509-limbo and/or wycheproof in CI (#10776) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index b152b7af5c1c..4a6973e7581c 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -9,12 +9,12 @@ runs: with: repository: "C2SP/wycheproof" path: "wycheproof" - # Latest commit on the wycheproof master branch, as of Mar 27, 2024. - ref: "507bb993e90a87d0a62591a5284bc34a3f1c5c22" # wycheproof-ref + # Latest commit on the wycheproof master branch, as of Apr 09, 2024. + ref: "cd27d6419bedd83cbd24611ec54b6d4bfdb0cdca" # wycheproof-ref - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Apr 02, 2024. - ref: "daf8dd36c0f7457d2b9ea006a514b30a4d49b6c1" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Apr 09, 2024. + ref: "038dccdb57fc4c5fbec6ad090f24ae868e15f88f" # x509-limbo-ref From a45f694febdffa2de149ff4c63f7ef45fbc78f55 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 9 Apr 2024 05:52:24 -0400 Subject: [PATCH 0428/1462] Bump sigstore from 2.1.3 to 2.1.5 in /.github/requirements (#10774) * Bump sigstore from 2.1.3 to 2.1.5 in /.github/requirements Bumps [sigstore](https://github.com/sigstore/sigstore-python) from 2.1.3 to 2.1.5. - [Release notes](https://github.com/sigstore/sigstore-python/releases) - [Changelog](https://github.com/sigstore/sigstore-python/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/sigstore-python/compare/v2.1.3...v2.1.5) --- updated-dependencies: - dependency-name: sigstore dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 20c50a03244f..13839120ca3c 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -548,9 +548,9 @@ securesystemslib==0.31.0 \ # via # sigstore # tuf -sigstore==2.1.3 \ - --hash=sha256:7a0c1252cb7974024aee87c8e0f0f6247604af16e8b5a8e3d0a9e1201e330aa2 \ - --hash=sha256:f3aaa564c0d48a62fb40c103615bba01af787eaf9fda3b6e1a3e1dc5abc2d311 +sigstore==2.1.5 \ + --hash=sha256:7771153c5ac5a51d6556481f4680dfb602cb5c32c94fe56f87ff1801b8a8f243 \ + --hash=sha256:86d3ba41135004818c20d09d120140d59d4bd535a092690ff46478047bb8df5b # via -r publish-requirements.in sigstore-protobuf-specs==0.3.1 \ --hash=sha256:c40b61975b957ae906eb29a5bc7040ec015b68b6b46005cc5805e629493e8dec \ From 1278eaa16cfcf2d213b9e2ae0fc99f2949ad5549 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 9 Apr 2024 12:44:13 -0400 Subject: [PATCH 0429/1462] openssl 3.3 (#10779) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8d9b87fa7566..1292d0197a95 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -36,7 +36,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.13"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.5"}} - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.0-beta1"}} + - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.0"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} From dde87830d3e8f7f8b6aa048be1a9c88515f1e359 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 10 Apr 2024 00:17:09 +0000 Subject: [PATCH 0430/1462] Bump BoringSSL and/or OpenSSL in CI (#10781) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1292d0197a95..f845d63bcc30 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Apr 05, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f94f3ed3965ea033001fb9ae006084eee408b861"}} - # Latest commit on the OpenSSL master branch, as of Apr 09, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4a3e8f08306c64366318e26162ae0a0eb7b1a006"}} + # Latest commit on the OpenSSL master branch, as of Apr 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "309c7ffd17334a9f9f5b04286892f10a9aca8a2e"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 1b4f37615775521b081abaf293749dbe3af46eef Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 10 Apr 2024 00:28:44 +0000 Subject: [PATCH 0431/1462] Bump x509-limbo and/or wycheproof in CI (#10782) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 4a6973e7581c..c7d18e3acb39 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Apr 09, 2024. - ref: "038dccdb57fc4c5fbec6ad090f24ae868e15f88f" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Apr 10, 2024. + ref: "7861a8249dcce920d887e6e27adc9657c1be8319" # x509-limbo-ref From 10cd4642018eb7b1e9c12c48cfae298e84fa1b54 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Apr 2024 06:41:28 -0400 Subject: [PATCH 0432/1462] Bump filelock from 3.13.3 to 3.13.4 (#10784) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.13.3 to 3.13.4. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.13.3...3.13.4) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index cad42aaaff17..b93f1e69d2c7 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -40,7 +40,7 @@ exceptiongroup==1.2.0 # via pytest execnet==2.1.1; python_version >= "3.8" # via pytest-xdist -filelock==3.13.3; python_version >= "3.8" +filelock==3.13.4; python_version >= "3.8" # via virtualenv idna==3.6 # via requests From c929515c99b0e8c4db549fd8a027a443591f6e9a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Apr 2024 07:06:37 -0400 Subject: [PATCH 0433/1462] Bump quote from 1.0.35 to 1.0.36 in /src/rust (#10786) Bumps [quote](https://github.com/dtolnay/quote) from 1.0.35 to 1.0.36. - [Release notes](https://github.com/dtolnay/quote/releases) - [Commits](https://github.com/dtolnay/quote/compare/1.0.35...1.0.36) --- updated-dependencies: - dependency-name: quote dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 879be6b55bbf..9a335a8616a0 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -341,9 +341,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.35" +version = "1.0.36" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef" +checksum = "0fa76aaf39101c457836aec0ce2316dbdc3ab723cdda1c6bd4e6ad4208acaca7" dependencies = [ "proc-macro2", ] From c794cf7a77ee0abe96f1269efd7b3ecd9971fc29 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Apr 2024 07:56:48 -0500 Subject: [PATCH 0434/1462] Bump docutils from 0.20.1 to 0.21 in /.github/requirements (#10785) * Bump docutils from 0.20.1 to 0.21 in /.github/requirements Bumps [docutils](https://docutils.sourceforge.io) from 0.20.1 to 0.21. --- updated-dependencies: - dependency-name: docutils dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 13839120ca3c..2fb18b95763b 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -211,9 +211,9 @@ dnspython==2.6.1 \ --hash=sha256:5ef3b9680161f6fa89daf8ad451b5f1a33b18ae8a1c6778cdf4b43f08c0a6e50 \ --hash=sha256:e8f0f9c23a7b7cb99ded64e6c3a6f3e701d78f50c55e002b839dea7225cff7cc # via email-validator -docutils==0.20.1 \ - --hash=sha256:96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6 \ - --hash=sha256:f08a4e276c3a1583a86dce3e34aba3fe04d02bba2dd51ed16106244e8a923e3b +docutils==0.21 \ + --hash=sha256:518e29081124e7d8159550958e6de240622562aa824f945f501ec3d3c5b67d19 \ + --hash=sha256:c26e17ca4915b9df42a4ce2ccca1b25b8b896f33caedb1a558684f0789d0783e # via readme-renderer email-validator==2.1.1 \ --hash=sha256:200a70680ba08904be6d1eef729205cc0d687634399a5924d842533efb824b84 \ From 17eb49f36bdd7a30487471a44c337aa3b3ec9a71 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 10 Apr 2024 20:17:36 -0400 Subject: [PATCH 0435/1462] Bump BoringSSL and/or OpenSSL in CI (#10787) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f845d63bcc30..e608860723ce 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 05, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f94f3ed3965ea033001fb9ae006084eee408b861"}} - # Latest commit on the OpenSSL master branch, as of Apr 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "309c7ffd17334a9f9f5b04286892f10a9aca8a2e"}} + # Latest commit on the BoringSSL master branch, as of Apr 11, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "89f097740e6376521926eb56a61b25f639c473ac"}} + # Latest commit on the OpenSSL master branch, as of Apr 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8cd3f34758b292e137ce112a09f566821549115d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From c12aaac750b06eb44d3261f4fcae0ba873549e29 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Apr 2024 06:53:40 -0400 Subject: [PATCH 0436/1462] Bump idna from 3.6 to 3.7 (#10789) Bumps [idna](https://github.com/kjd/idna) from 3.6 to 3.7. - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](https://github.com/kjd/idna/compare/v3.6...v3.7) --- updated-dependencies: - dependency-name: idna dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b93f1e69d2c7..38e5685df1df 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -42,7 +42,7 @@ execnet==2.1.1; python_version >= "3.8" # via pytest-xdist filelock==3.13.4; python_version >= "3.8" # via virtualenv -idna==3.6 +idna==3.7 # via requests imagesize==1.4.1 # via sphinx From f36de7c2da9cc349acb0a645f757196ef5f702d9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Apr 2024 07:28:44 -0500 Subject: [PATCH 0437/1462] Bump idna from 3.6 to 3.7 in /.github/requirements (#10791) * Bump idna from 3.6 to 3.7 in /.github/requirements Bumps [idna](https://github.com/kjd/idna) from 3.6 to 3.7. - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](https://github.com/kjd/idna/compare/v3.6...v3.7) --- updated-dependencies: - dependency-name: idna dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 2fb18b95763b..99349572e699 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -238,9 +238,9 @@ id==1.3.0 \ --hash=sha256:c5dbb6048a469466054f065e92dba9b202a57d718cf12a0f24a082d0df988e18 \ --hash=sha256:da320bc6d6e612a2c16364ca95bb905e87c74332d4fc9b34850a26c304790694 # via sigstore -idna==3.6 \ - --hash=sha256:9ecdbbd083b06798ae1e86adcbfe8ab1479cf864e4ee30fe4e46a003d12491ca \ - --hash=sha256:c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f +idna==3.7 \ + --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ + --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 # via # email-validator # requests From b3dfcf32c0ac65e8928d6a51911a919cb55bf481 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Apr 2024 07:29:21 -0500 Subject: [PATCH 0438/1462] Bump docutils from 0.21 to 0.21.1 in /.github/requirements (#10792) * Bump docutils from 0.21 to 0.21.1 in /.github/requirements Bumps [docutils](https://docutils.sourceforge.io) from 0.21 to 0.21.1. --- updated-dependencies: - dependency-name: docutils dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 99349572e699..28107d1f36bb 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -211,9 +211,9 @@ dnspython==2.6.1 \ --hash=sha256:5ef3b9680161f6fa89daf8ad451b5f1a33b18ae8a1c6778cdf4b43f08c0a6e50 \ --hash=sha256:e8f0f9c23a7b7cb99ded64e6c3a6f3e701d78f50c55e002b839dea7225cff7cc # via email-validator -docutils==0.21 \ - --hash=sha256:518e29081124e7d8159550958e6de240622562aa824f945f501ec3d3c5b67d19 \ - --hash=sha256:c26e17ca4915b9df42a4ce2ccca1b25b8b896f33caedb1a558684f0789d0783e +docutils==0.21.1 \ + --hash=sha256:14c8d34a55b46c88f9f714adb29cefbdd69fb82f3fef825e59c5faab935390d8 \ + --hash=sha256:65249d8a5345bc95e0f40f280ba63c98eb24de35c6c8f5b662e3e8948adea83f # via readme-renderer email-validator==2.1.1 \ --hash=sha256:200a70680ba08904be6d1eef729205cc0d687634399a5924d842533efb824b84 \ From 2263d8575c0e0af05e7a539aba719cf118aca202 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 11 Apr 2024 08:29:59 -0400 Subject: [PATCH 0439/1462] Cleanup a few uses of `into_gil_refs` (#10793) --- src/rust/src/x509/crl.rs | 5 ++--- src/rust/src/x509/csr.rs | 5 ++--- src/rust/src/x509/ocsp.rs | 10 +++++----- src/rust/src/x509/ocsp_req.rs | 2 +- 4 files changed, 10 insertions(+), 12 deletions(-) diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 7fb591d38506..9cc0861c021d 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -243,7 +243,7 @@ impl CertificateRevocationList { } #[getter] - fn issuer<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn issuer<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { Ok(x509::parse_name( py, self.owned @@ -251,8 +251,7 @@ impl CertificateRevocationList { .tbs_cert_list .issuer .unwrap_read(), - )? - .into_gil_ref()) + )?) } #[getter] diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 5ee6c25e2a7b..c38968743447 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs 
@@ -67,12 +67,11 @@ impl CertificateSigningRequest { } #[getter] - fn subject<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn subject<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { Ok(x509::parse_name( py, self.raw.borrow_dependent().csr_info.subject.unwrap_read(), - )? - .into_gil_ref()) + )?) } #[getter] diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index 0dbdb4b4eeb6..64c6ee2a66bb 100644 --- a/src/rust/src/x509/ocsp.rs +++ b/src/rust/src/x509/ocsp.rs @@ -108,13 +108,13 @@ pub(crate) fn certid_new_from_hash<'p>( issuer_name_hash: &'p [u8], issuer_key_hash: &'p [u8], serial_number: asn1::BigInt<'p>, - hash_algorithm: &'p pyo3::PyAny, + hash_algorithm: pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { + let hash_name = hash_algorithm + .getattr(pyo3::intern!(py, "name"))? + .extract::()?; Ok(CertID { - hash_algorithm: HASH_NAME_TO_ALGORITHM_IDENTIFIERS[hash_algorithm - .getattr(pyo3::intern!(py, "name"))? - .extract::<&str>()?] - .clone(), + hash_algorithm: HASH_NAME_TO_ALGORITHM_IDENTIFIERS[&*hash_name].clone(), issuer_name_hash, issuer_key_hash, serial_number, diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index ec59ffdaf188..9d6ecea71ba9 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -194,7 +194,7 @@ fn create_ocsp_request( &issuer_name_hash, &issuer_key_hash, serial_number, - py_hash.into_gil_ref(), + py_hash, )? }; From 0a671cba6608f7ec876ed88f616f6da4116519f4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 12 Apr 2024 00:15:55 +0000 Subject: [PATCH 0440/1462] Bump BoringSSL and/or OpenSSL in CI (#10795) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e608860723ce..57bce58850cc 100644 --- a/.github/workflows/ci.yml 
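Review bot: In `certid_new_from_hash`, the rewritten `HASH_NAME_TO_ALGORITHM_IDENTIFIERS[&*hash_name]` still indexes the table directly, so a `name` that is missing from the table would panic instead of returning an error to the Python caller (this assumes the table is a map whose `Index` panics on a missing key; its definition is not in the hunk). Because `hash_algorithm` is an arbitrary Python object at this point, a fallible lookup is safer: `let alg = HASH_NAME_TO_ALGORITHM_IDENTIFIERS.get(&*hash_name).ok_or_else(|| pyo3::exceptions::PyValueError::new_err("unsupported hash algorithm"))?;` followed by `hash_algorithm: alg.clone(),`. If every caller already validates the algorithm before it gets here, a one-line comment above the lookup stating that invariant would be enough. The function's signature begins above the hunk and its body continues below it.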
+++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 11, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "89f097740e6376521926eb56a61b25f639c473ac"}} - # Latest commit on the OpenSSL master branch, as of Apr 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8cd3f34758b292e137ce112a09f566821549115d"}} + # Latest commit on the BoringSSL master branch, as of Apr 12, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "bdb7b19c3cd336b9e44086f677a0e37402c4bf13"}} + # Latest commit on the OpenSSL master branch, as of Apr 12, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8e5918fb8eb90289a0c89f6a4c6d623ecf49cf43"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 1844ab3bfd881e80da1c652a5583a8f85cde5709 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 11 Apr 2024 20:31:47 -0400 Subject: [PATCH 0441/1462] Cleanup a few uses of `as_borrowed` (#10794) --- src/rust/src/pkcs7.rs | 41 +++++++++++++++----------------- src/rust/src/x509/certificate.rs | 30 ++++++++++------------- 2 files changed, 32 insertions(+), 39 deletions(-) diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 58f36ec1a81f..ffb0df18b975 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs 
@@ -14,7 +14,6 @@ use openssl::pkcs7::Pkcs7; use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use pyo3::IntoPy; -use pyo3::PyNativeType; use crate::asn1::encode_der_data; use crate::buf::CffiBuf; @@ -111,11 +110,12 @@ fn sign_and_serialize<'p>( &asn1::SequenceOfWriter::new([AES_128_CBC_OID]), ]))?; + #[allow(clippy::type_complexity)] let py_signers: Vec<( pyo3::PyRef<'p, x509::certificate::Certificate>, - &pyo3::PyAny, - &pyo3::PyAny, - &pyo3::PyAny, + pyo3::Bound<'_, pyo3::PyAny>, + pyo3::Bound<'_, pyo3::PyAny>, + pyo3::Bound<'_, pyo3::PyAny>, )> = builder.getattr(pyo3::intern!(py, "_signers"))?.extract()?; let py_certs: Vec> = builder @@ -132,11 +132,8 @@ fn sign_and_serialize<'p>( let mut digests = vec![]; if !options.contains(&types::PKCS7_NO_ATTRIBUTES.get_bound(py)?)? { for (_, _, py_hash_alg, _) in &py_signers { - let digest = asn1::write_single(&x509::ocsp::hash_data( - py, - &py_hash_alg.as_borrowed(), - &data_with_header, - )?)?; + let digest = + asn1::write_single(&x509::ocsp::hash_data(py, py_hash_alg, &data_with_header)?)?; digests.push(digest); } } @@ -147,9 +144,9 @@ fn sign_and_serialize<'p>( None, x509::sign::sign_data( py, - py_private_key.as_borrowed().to_owned(), - py_hash_alg.as_borrowed().to_owned(), - rsa_padding.as_borrowed().to_owned(), + py_private_key.clone(), + py_hash_alg.clone(), + rsa_padding.clone(), &data_with_header, )?, ) @@ -194,9 +191,9 @@ fn sign_and_serialize<'p>( )), x509::sign::sign_data( py, - py_private_key.as_borrowed().to_owned(), - py_hash_alg.as_borrowed().to_owned(), - rsa_padding.as_borrowed().to_owned(), + py_private_key.clone(), + py_hash_alg.clone(), + rsa_padding.clone(), &signed_data, )?, ) 
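Review bot: The `#[allow(clippy::type_complexity)]` added above `py_signers` in the `@@ -111` hunk has no comment saying why the lint is silenced, so a later reader cannot tell whether it is deliberate. I would add something like `// Shape mirrors the entries of the Python builder's _signers list; allowed rather than aliased because it is used once.` directly above the attribute, or introduce a small `type` alias for the four-element tuple and drop the allow. The three new `pyo3::Bound<'_, pyo3::PyAny>` elements also use `'_` while the first element keeps `'p`; using `'p` throughout would make the tie to `py` explicit. `sign_and_serialize` starts and ends outside this hunk.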
@@ -222,9 +219,9 @@ fn sign_and_serialize<'p>( authenticated_attributes: authenticated_attrs, digest_encryption_algorithm: compute_pkcs7_signature_algorithm( py, - py_private_key, - py_hash_alg, - rsa_padding, + py_private_key.clone(), + py_hash_alg.clone(), + rsa_padding.clone(), )?, encrypted_digest: signature, unauthenticated_attributes: None, @@ -279,12 +276,12 @@ fn sign_and_serialize<'p>( fn compute_pkcs7_signature_algorithm<'p>( py: pyo3::Python<'p>, - private_key: &'p pyo3::PyAny, - hash_algorithm: &'p pyo3::PyAny, - rsa_padding: &'p pyo3::PyAny, + private_key: pyo3::Bound<'p, pyo3::PyAny>, + hash_algorithm: pyo3::Bound<'p, pyo3::PyAny>, + rsa_padding: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult> { let key_type = x509::sign::identify_key_type(py, private_key.as_borrowed().to_owned())?; - let has_pss_padding = rsa_padding.is_instance(types::PSS.get(py)?)?; + let has_pss_padding = rsa_padding.is_instance(&types::PSS.get_bound(py)?)?; // For RSA signatures (with no PSS padding), the OID is always the same no matter the // digest algorithm. See RFC 3370 (section 3.2). if key_type == x509::sign::KeyType::Rsa && !has_pss_padding { diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index cbc8007fb0ea..ca07e79cfae2 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -18,7 +18,7 @@ use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; use cryptography_x509_verification::ops::CryptoOps; use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; -use pyo3::{IntoPy, PyNativeType, ToPyObject}; +use pyo3::{IntoPy, ToPyObject}; use crate::asn1::{ big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, 
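Review bot: `compute_pkcs7_signature_algorithm` now receives `private_key` as an owned `pyo3::Bound`, yet the first line of its body still calls `x509::sign::identify_key_type(py, private_key.as_borrowed().to_owned())`, which is the round trip this commit removes everywhere else. If `private_key` is not used again further down (the body continues below the hunk), it can simply be moved: `let key_type = x509::sign::identify_key_type(py, private_key)?;`; otherwise `private_key.clone()` expresses the same thing directly. Separately, the call site in the `@@ -222` hunk now clones all three handles only to pass them by value; if the body only reads `hash_algorithm` and `rsa_padding`, taking them as `&pyo3::Bound<'p, pyo3::PyAny>` would avoid those extra reference-count bumps.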
@@ -91,7 +91,7 @@ impl Certificate { ) -> CryptographyResult> { let serialized = asn1::write_single(&self.raw.borrow_dependent())?; - let mut h = hashes::Hash::new(py, &algorithm.as_borrowed(), None)?; + let mut h = hashes::Hash::new(py, algorithm, None)?; h.update_bytes(&serialized)?; Ok(h.finalize(py)?.into_any()) } @@ -128,17 +128,13 @@ impl Certificate { #[getter] fn issuer<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { Ok(x509::parse_name(py, self.raw.borrow_dependent().issuer()) - .map_err(|e| e.add_location(asn1::ParseLocation::Field("issuer")))? - .as_borrowed() - .to_owned()) + .map_err(|e| e.add_location(asn1::ParseLocation::Field("issuer")))?) } #[getter] fn subject<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { Ok(x509::parse_name(py, self.raw.borrow_dependent().subject()) - .map_err(|e| e.add_location(asn1::ParseLocation::Field("subject")))? - .as_borrowed() - .to_owned()) + .map_err(|e| e.add_location(asn1::ParseLocation::Field("subject")))?) } #[getter] @@ -218,7 +214,7 @@ impl Certificate { .validity .not_before .as_datetime(); - Ok(x509::datetime_to_py(py, dt)?.as_borrowed().to_owned()) + x509::datetime_to_py(py, dt) } #[getter] @@ -233,7 +229,7 @@ impl Certificate { .validity .not_before .as_datetime(); - Ok(x509::datetime_to_py_utc(py, dt)?.as_borrowed().to_owned()) + x509::datetime_to_py_utc(py, dt) } #[getter] @@ -255,7 +251,7 @@ impl Certificate { .validity .not_after .as_datetime(); - Ok(x509::datetime_to_py(py, dt)?.as_borrowed().to_owned()) + x509::datetime_to_py(py, dt) } #[getter] @@ -270,7 +266,7 @@ impl Certificate { .validity .not_after .as_datetime(); - Ok(x509::datetime_to_py_utc(py, dt)?.as_borrowed().to_owned()) + x509::datetime_to_py_utc(py, dt) } #[getter] 
@@ -712,11 +708,11 @@ pub(crate) fn parse_authority_key_identifier<'p>( Some(aci) => x509::parse_general_names(py, aci.unwrap_read())?, None => py.None(), }; - Ok(types::AUTHORITY_KEY_IDENTIFIER - .get(py)? - .call1((aki.key_identifier, issuer, serial))? - .as_borrowed() - .to_owned()) + Ok(types::AUTHORITY_KEY_IDENTIFIER.get_bound(py)?.call1(( + aki.key_identifier, + issuer, + serial, + ))?) } pub(crate) fn parse_access_descriptions( From 1642d60f436aa8d96916265ef41a826e54a15b6d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 11 Apr 2024 23:13:29 -0400 Subject: [PATCH 0442/1462] Cleanup almost all remaining `&pyo3::PyAny` refs (#10796) --- src/rust/src/backend/ec.rs | 8 ++++---- src/rust/src/oid.rs | 10 +++++----- src/rust/src/x509/crl.rs | 16 +++++++++------- src/rust/src/x509/extensions.rs | 12 +++++------- src/rust/src/x509/ocsp_req.rs | 7 +++++-- src/rust/src/x509/ocsp_resp.rs | 26 ++++++++++++++++---------- src/rust/src/x509/sct.rs | 21 ++++++++++++--------- 7 files changed, 56 insertions(+), 44 deletions(-) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 30a36dd1ebf8..7a86f8a8d88c 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -5,7 +5,7 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; +use pyo3::prelude::{PyAnyMethods, PyDictMethods, PyModuleMethods}; use pyo3::ToPyObject; use crate::backend::utils; @@ -90,7 +90,7 @@ fn curve_from_py_curve( fn py_curve_from_curve<'p>( py: pyo3::Python<'p>, curve: &openssl::ec::EcGroupRef, -) -> CryptographyResult<&'p pyo3::PyAny> { +) -> CryptographyResult> { if curve.asn1_flag() == openssl::ec::Asn1Flag::EXPLICIT_CURVE { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( 
@@ -102,8 +102,8 @@ fn py_curve_from_curve<'p>( let name = curve.curve_name().unwrap().short_name()?; types::CURVE_TYPES - .get(py)? - .extract::<&pyo3::types::PyDict>()? + .get_bound(py)? + .extract::>()? .get_item(name)? .ok_or_else(|| { CryptographyError::from(exceptions::UnsupportedAlgorithm::new_err(( diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index 18f3be654f1e..5735ef0ce704 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs @@ -2,11 +2,11 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use std::collections::hash_map::DefaultHasher; -use std::hash::{Hash, Hasher}; - use crate::error::CryptographyResult; use crate::types; +use pyo3::prelude::PyAnyMethods; +use std::collections::hash_map::DefaultHasher; +use std::hash::{Hash, Hasher}; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] pub(crate) struct ObjectIdentifier { @@ -31,9 +31,9 @@ impl ObjectIdentifier { fn _name<'p>( slf: pyo3::PyRef<'_, Self>, py: pyo3::Python<'p>, - ) -> pyo3::PyResult<&'p pyo3::PyAny> { + ) -> pyo3::PyResult> { types::OID_NAMES - .get(py)? + .get_bound(py)? .call_method1(pyo3::intern!(py, "get"), (slf, "Unknown OID")) } diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 9cc0861c021d..8b7b63481a06 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -196,9 +196,9 @@ impl CertificateRevocationList { fn signature_hash_algorithm<'p>( &self, py: pyo3::Python<'p>, - ) -> pyo3::PyResult<&'p pyo3::PyAny> { + ) -> pyo3::PyResult> { let oid = self.signature_algorithm_oid(py)?; - match types::SIG_OIDS_TO_HASH.get(py)?.get_item(oid) { + match types::SIG_OIDS_TO_HASH.get_bound(py)?.get_item(oid) { Ok(v) => Ok(v), Err(_) => Err(exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", 
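Review bot: In `CertificateRevocationList::signature_hash_algorithm` (crl.rs, hunk `@@ -196,9 +196,9 @@`) the rewritten lookup `types::SIG_OIDS_TO_HASH.get_bound(py)?.get_item(oid)` still feeds a `match` whose `Err(_)` arm converts every failure into `UnsupportedAlgorithm`. Any error other than a missing key is therefore reported as an unrecognized signature OID and the original exception is discarded. Since the line is being touched, narrow the arm to the expected case, `Err(e) if e.is_instance_of::<pyo3::exceptions::PyKeyError>(py) => /* existing UnsupportedAlgorithm error */`, and add `Err(e) => Err(e),` for the rest. The same shape appears in `OCSPResponse::signature_hash_algorithm` (ocsp_resp.rs, hunk `@@ -193,9 +196,9 @@`), where the pass-through arm would need `Err(e.into())`; in both places the error arm runs past the end of the hunk.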
@@ -590,7 +590,7 @@ impl RevokedCertificate { py, &self.cached_extensions, &self.owned.borrow_dependent().raw_crl_entry_extensions, - |ext| parse_crl_entry_ext(py, ext), + |ext| parse_crl_entry_ext(py, ext).map(|v| v.map(|v| v.into_gil_ref())), ) } } @@ -624,21 +624,23 @@ pub(crate) fn parse_crl_reason_flags<'p>( pub fn parse_crl_entry_ext<'p>( py: pyo3::Python<'p>, ext: &Extension<'_>, -) -> CryptographyResult> { +) -> CryptographyResult>> { match ext.extn_id { oid::CRL_REASON_OID => { let flags = parse_crl_reason_flags(py, &ext.value::()?)?; - Ok(Some(types::CRL_REASON.get(py)?.call1((flags,))?)) + Ok(Some(types::CRL_REASON.get_bound(py)?.call1((flags,))?)) } oid::CERTIFICATE_ISSUER_OID => { let gn_seq = ext.value::>>()?; let gns = x509::parse_general_names(py, &gn_seq)?; - Ok(Some(types::CERTIFICATE_ISSUER.get(py)?.call1((gns,))?)) + Ok(Some( + types::CERTIFICATE_ISSUER.get_bound(py)?.call1((gns,))?, + )) } oid::INVALIDITY_DATE_OID => { let time = ext.value::()?; let py_dt = x509::datetime_to_py(py, time.as_datetime())?; - Ok(Some(types::INVALIDITY_DATE.get(py)?.call1((py_dt,))?)) + Ok(Some(types::INVALIDITY_DATE.get_bound(py)?.call1((py_dt,))?)) } _ => Ok(None), } diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index cd1da1417494..22f2da338fab 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -9,7 +9,6 @@ use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, sct}; use crate::{types, x509}; use pyo3::prelude::PyAnyMethods; -use pyo3::PyNativeType; fn encode_general_subtrees<'a>( py: pyo3::Python<'a>, 
@@ -72,10 +71,10 @@ pub(crate) fn encode_distribution_points<'p>( ) -> CryptographyResult> { #[derive(pyo3::prelude::FromPyObject)] struct PyDistributionPoint<'a> { - crl_issuer: Option<&'a pyo3::PyAny>, - full_name: Option<&'a pyo3::PyAny>, - relative_name: Option<&'a pyo3::PyAny>, - reasons: Option<&'a pyo3::PyAny>, + crl_issuer: Option>, + full_name: Option>, + relative_name: Option>, + reasons: Option>, } let mut dps = vec![]; @@ -98,8 +97,7 @@ pub(crate) fn encode_distribution_points<'p>( } else if let Some(py_relative_name) = py_dp.relative_name { let mut name_entries = vec![]; for py_name_entry in py_relative_name.iter()? { - let bound_name_entry = &py_name_entry?.as_borrowed(); - name_entries.push(x509::common::encode_name_entry(py, bound_name_entry)?); + name_entries.push(x509::common::encode_name_entry(py, &py_name_entry?)?); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(name_entries)), diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 9d6ecea71ba9..6e0005c4ced6 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -87,11 +87,14 @@ impl OCSPRequest { fn hash_algorithm<'p>( &self, py: pyo3::Python<'p>, - ) -> Result<&'p pyo3::PyAny, CryptographyError> { + ) -> Result, CryptographyError> { let cert_id = self.cert_id(); match ocsp::ALGORITHM_PARAMETERS_TO_HASH.get(&cert_id.hash_algorithm.params) { - Some(alg_name) => Ok(types::HASHES_MODULE.get(py)?.getattr(*alg_name)?.call0()?), + Some(alg_name) => Ok(types::HASHES_MODULE + .get_bound(py)? + .getattr(*alg_name)? + .call0()?), None => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 488aff625bc3..715a97330316 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs 
@@ -124,7 +124,10 @@ impl OCSPResponse { } #[getter] - fn response_status<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn response_status<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let status = self.raw.borrow_dependent().response_status.value(); let attr = if status == SUCCESSFUL_RESPONSE { "SUCCESSFUL" @@ -140,7 +143,7 @@ impl OCSPResponse { assert_eq!(status, UNAUTHORIZED_RESPONSE); "UNAUTHORIZED" }; - types::OCSP_RESPONSE_STATUS.get(py)?.getattr(attr) + types::OCSP_RESPONSE_STATUS.get_bound(py)?.getattr(attr) } #[getter] @@ -193,9 +196,9 @@ impl OCSPResponse { fn signature_hash_algorithm<'p>( &self, py: pyo3::Python<'p>, - ) -> Result<&'p pyo3::PyAny, CryptographyError> { + ) -> Result, CryptographyError> { let hash_alg = types::SIG_OIDS_TO_HASH - .get(py)? + .get_bound(py)? .get_item(self.signature_algorithm_oid(py)?); match hash_alg { Ok(data) => Ok(data), @@ -301,7 +304,7 @@ impl OCSPResponse { fn hash_algorithm<'p>( &self, py: pyo3::Python<'p>, - ) -> Result<&'p pyo3::PyAny, CryptographyError> { + ) -> Result, CryptographyError> { let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_hash_algorithm(&single_resp, py) @@ -420,7 +423,7 @@ impl OCSPResponse { .call1((scts,))?, )) } - _ => crl::parse_crl_entry_ext(py, ext), + _ => crl::parse_crl_entry_ext(py, ext).map(|v| v.map(|v| v.into_gil_ref())), }, ) } 
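Review bot: In `OCSPResponse::response_status` (hunk `@@ -140,7 +143,7 @@`) the final branch relies on `assert_eq!(status, UNAUTHORIZED_RESPONSE)` for a value read out of a parsed response, and nothing in the hunk says where other status codes are ruled out. If the loader already rejects unknown codes (not visible here), record that next to the assertion, e.g. `// Invariant: unknown status codes are rejected when the response is loaded.` If it does not, the branch should return an error instead of panicking on input that comes from the network. The `if`/`else` chain starts above the hunk.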
@@ -527,9 +530,12 @@ fn singleresp_py_certificate_status<'p>( fn singleresp_py_hash_algorithm<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, -) -> Result<&'p pyo3::PyAny, CryptographyError> { +) -> Result, CryptographyError> { match ocsp::ALGORITHM_PARAMETERS_TO_HASH.get(&resp.cert_id.hash_algorithm.params) { - Some(alg_name) => Ok(types::HASHES_MODULE.get(py)?.getattr(*alg_name)?.call0()?), + Some(alg_name) => Ok(types::HASHES_MODULE + .get_bound(py)? + .getattr(*alg_name)? + .call0()?), None => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -620,7 +626,7 @@ fn create_ocsp_response( let py_cert_hash_algorithm = py_single_resp.getattr(pyo3::intern!(py, "_algorithm"))?; let (responder_cert, responder_encoding): ( pyo3::Bound<'_, x509::certificate::Certificate>, - &pyo3::PyAny, + pyo3::Bound<'_, pyo3::PyAny>, ) = builder .getattr(pyo3::intern!(py, "_responder_id"))? .extract()?; @@ -863,7 +869,7 @@ impl OCSPSingleResponse { fn hash_algorithm<'p>( &self, py: pyo3::Python<'p>, - ) -> Result<&'p pyo3::PyAny, CryptographyError> { + ) -> Result, CryptographyError> { let single_resp = self.single_response(); singleresp_py_hash_algorithm(single_resp, py) } diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index a7bfbb5eb472..f531a3738599 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -154,8 +154,8 @@ impl Sct { } #[getter] - fn version<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - types::CERTIFICATE_TRANSPARENCY_VERSION_V1.get(py) + fn version<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { + types::CERTIFICATE_TRANSPARENCY_VERSION_V1.get_bound(py) } #[getter] 
@@ -181,10 +181,10 @@ impl Sct { } #[getter] - fn entry_type<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn entry_type<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { Ok(match self.entry_type { - LogEntryType::Certificate => types::LOG_ENTRY_TYPE_X509_CERTIFICATE.get(py)?, - LogEntryType::PreCertificate => types::LOG_ENTRY_TYPE_PRE_CERTIFICATE.get(py)?, + LogEntryType::Certificate => types::LOG_ENTRY_TYPE_X509_CERTIFICATE.get_bound(py)?, + LogEntryType::PreCertificate => types::LOG_ENTRY_TYPE_PRE_CERTIFICATE.get_bound(py)?, }) } @@ -192,16 +192,19 @@ impl Sct { fn signature_hash_algorithm<'p>( &self, py: pyo3::Python<'p>, - ) -> pyo3::PyResult<&'p pyo3::PyAny> { + ) -> pyo3::PyResult> { types::HASHES_MODULE - .get(py)? + .get_bound(py)? .call_method0(self.hash_algorithm.to_attr()) } #[getter] - fn signature_algorithm<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn signature_algorithm<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { types::SIGNATURE_ALGORITHM - .get(py)? + .get_bound(py)? .getattr(self.signature_algorithm.to_attr()) } From 18bc7ef6bd2628122245f6a60ebaf049e137c16a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Apr 2024 07:06:17 -0400 Subject: [PATCH 0443/1462] Bump peter-evans/create-pull-request from 6.0.2 to 6.0.3 (#10798) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 6.0.2 to 6.0.3. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/70a41aba780001da0a30141984ae2a0c95d8704e...c55203cfde3e5c11a452d352b4393e68b85b4533) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index cfe495d2652a..c496f81f3d15 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6.0.2 + uses: peter-evans/create-pull-request@c55203cfde3e5c11a452d352b4393e68b85b4533 # v6.0.3 with: branch: "bump-openssl-boringssl" commit-message: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 225a8d37538c..fb3f532f5e85 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6.0.2 + uses: peter-evans/create-pull-request@c55203cfde3e5c11a452d352b4393e68b85b4533 # v6.0.3 with: branch: "bump-vectors" commit-message: "Bump x509-limbo and/or wycheproof in CI" From d5434c27c8161d1113b1ad77e7bffa95bad85063 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Apr 2024 07:06:35 -0400 Subject: [PATCH 0444/1462] Bump ruff from 0.3.5 to 0.3.7 (#10799) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.3.5 to 0.3.7. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.3.5...v0.3.7) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 38e5685df1df..ccd015582b2c 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.3.5 +ruff==0.3.7 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 0edb94a0c1b3bff6cf60a7a782ef6a96f7394ac5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 12 Apr 2024 10:28:54 -0400 Subject: [PATCH 0445/1462] Cleanup remaining `&pyo3::PyAny` refs (#10800) --- src/rust/src/x509/certificate.rs | 6 ++--- src/rust/src/x509/common.rs | 13 +++++----- src/rust/src/x509/crl.rs | 44 +++++++++++++++++++------------- src/rust/src/x509/csr.rs | 2 +- src/rust/src/x509/ocsp_req.rs | 4 +-- src/rust/src/x509/ocsp_resp.rs | 6 ++--- 6 files changed, 42 insertions(+), 33 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index ca07e79cfae2..cd32c4802dd6 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs 
@@ -305,18 +305,18 @@ impl Certificate { |ext| match ext.extn_id { oid::PRECERT_POISON_OID => { ext.value::<()>()?; - Ok(Some(types::PRECERT_POISON.get(py)?.call0()?)) + Ok(Some(types::PRECERT_POISON.get_bound(py)?.call0()?)) } oid::PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS_OID => { let contents = ext.value::<&[u8]>()?; let scts = sct::parse_scts(py, contents, sct::LogEntryType::PreCertificate)?; Ok(Some( types::PRECERTIFICATE_SIGNED_CERTIFICATE_TIMESTAMPS - .get(py)? + .get_bound(py)? .call1((scts,))?, )) } - _ => parse_cert_ext(py, ext).map(|x| x.map(|y| y.into_gil_ref())), + _ => parse_cert_ext(py, ext), }, ) } diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index ee4b0a3e408c..67d952fbcc7c 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -372,7 +372,7 @@ fn ipv6_netmask(num: u128) -> Result { pub(crate) fn parse_and_cache_extensions< 'p, - F: Fn(&Extension<'_>) -> Result, CryptographyError>, + F: Fn(&Extension<'_>) -> Result>, CryptographyError>, >( py: pyo3::Python<'p>, cached_extensions: &pyo3::sync::GILOnceCell, @@ -399,13 +399,14 @@ pub(crate) fn parse_and_cache_extensions< let extn_value = match parse_ext(&raw_ext)? { Some(e) => e, None => types::UNRECOGNIZED_EXTENSION - .get(py)? + .get_bound(py)? .call1((oid_obj.clone(), raw_ext.extn_value))?, }; - let ext_obj = - types::EXTENSION - .get(py)? - .call1((oid_obj, raw_ext.critical, extn_value))?; + let ext_obj = types::EXTENSION.get_bound(py)?.call1(( + oid_obj, + raw_ext.critical, + extn_value, + ))?; exts.append(ext_obj)?; } Ok(types::EXTENSIONS.get(py)?.call1((exts,))?.to_object(py)) diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 8b7b63481a06..05dcc3eb8766 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs 
@@ -334,29 +334,35 @@ impl CertificateRevocationList { oid::CRL_NUMBER_OID => { let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; - Ok(Some(types::CRL_NUMBER.get(py)?.call1((pynum,))?)) + Ok(Some(types::CRL_NUMBER.get_bound(py)?.call1((pynum,))?)) } oid::DELTA_CRL_INDICATOR_OID => { let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; - Ok(Some(types::DELTA_CRL_INDICATOR.get(py)?.call1((pynum,))?)) + Ok(Some( + types::DELTA_CRL_INDICATOR.get_bound(py)?.call1((pynum,))?, + )) } oid::ISSUER_ALTERNATIVE_NAME_OID => { let gn_seq = ext.value::>()?; let ians = x509::parse_general_names(py, &gn_seq)?; Ok(Some( - types::ISSUER_ALTERNATIVE_NAME.get(py)?.call1((ians,))?, + types::ISSUER_ALTERNATIVE_NAME + .get_bound(py)? + .call1((ians,))?, )) } oid::AUTHORITY_INFORMATION_ACCESS_OID => { let ads = certificate::parse_access_descriptions(py, ext)?; Ok(Some( - types::AUTHORITY_INFORMATION_ACCESS.get(py)?.call1((ads,))?, + types::AUTHORITY_INFORMATION_ACCESS + .get_bound(py)? + .call1((ads,))?, )) } - oid::AUTHORITY_KEY_IDENTIFIER_OID => Ok(Some( - certificate::parse_authority_key_identifier(py, ext)?.into_gil_ref(), - )), + oid::AUTHORITY_KEY_IDENTIFIER_OID => { + Ok(Some(certificate::parse_authority_key_identifier(py, ext)?)) + } oid::ISSUING_DISTRIBUTION_POINT_OID => { let idp = ext.value::>()?; let (full_name, relative_name) = match idp.distribution_point { 
@@ -371,19 +377,21 @@ impl CertificateRevocationList { } else { py.None() }; - Ok(Some(types::ISSUING_DISTRIBUTION_POINT.get(py)?.call1(( - full_name, - relative_name, - idp.only_contains_user_certs, - idp.only_contains_ca_certs, - py_reasons, - idp.indirect_crl, - idp.only_contains_attribute_certs, - ))?)) + Ok(Some( + types::ISSUING_DISTRIBUTION_POINT.get_bound(py)?.call1(( + full_name, + relative_name, + idp.only_contains_user_certs, + idp.only_contains_ca_certs, + py_reasons, + idp.indirect_crl, + idp.only_contains_attribute_certs, + ))?, + )) } oid::FRESHEST_CRL_OID => { let dp = certificate::parse_distribution_points(py, ext)?; - Ok(Some(types::FRESHEST_CRL.get(py)?.call1((dp,))?)) + Ok(Some(types::FRESHEST_CRL.get_bound(py)?.call1((dp,))?)) } _ => Ok(None), }, @@ -590,7 +598,7 @@ impl RevokedCertificate { py, &self.cached_extensions, &self.owned.borrow_dependent().raw_crl_entry_extensions, - |ext| parse_crl_entry_ext(py, ext).map(|v| v.map(|v| v.into_gil_ref())), + |ext| parse_crl_entry_ext(py, ext), ) } } diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index c38968743447..43fad223fc04 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -216,7 +216,7 @@ impl CertificateSigningRequest { })?; x509::parse_and_cache_extensions(py, &self.cached_extensions, &raw_exts, |ext| { - certificate::parse_cert_ext(py, ext).map(|x| x.map(|y| y.into_gil_ref())) + certificate::parse_cert_ext(py, ext) }) } diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 6e0005c4ced6..5ee9e2097016 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs 
@@ -131,7 +131,7 @@ impl OCSPRequest { // the nonce. So we try parsing as a TLV and fall back to just using // the raw value. let nonce = ext.value::<&[u8]>().unwrap_or(ext.extn_value); - Ok(Some(types::OCSP_NONCE.get(py)?.call1((nonce,))?)) + Ok(Some(types::OCSP_NONCE.get_bound(py)?.call1((nonce,))?)) } oid::ACCEPTABLE_RESPONSES_OID => { let oids = ext.value::>()?; @@ -142,7 +142,7 @@ impl OCSPRequest { Ok(Some( types::OCSP_ACCEPTABLE_RESPONSES - .get(py)? + .get_bound(py)? .call1((py_oids,))?, )) } diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 715a97330316..4c6b00cbeee8 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -388,7 +388,7 @@ impl OCSPResponse { // the nonce. So we try parsing as a TLV and fall back to just using // the raw value. let nonce = ext.value::<&[u8]>().unwrap_or(ext.extn_value); - Ok(Some(types::OCSP_NONCE.get(py)?.call1((nonce,))?)) + Ok(Some(types::OCSP_NONCE.get_bound(py)?.call1((nonce,))?)) } _ => Ok(None), } @@ -419,11 +419,11 @@ impl OCSPResponse { let scts = sct::parse_scts(py, contents, sct::LogEntryType::Certificate)?; Ok(Some( types::SIGNED_CERTIFICATE_TIMESTAMPS - .get(py)? + .get_bound(py)? .call1((scts,))?, )) } - _ => crl::parse_crl_entry_ext(py, ext).map(|v| v.map(|v| v.into_gil_ref())), + _ => crl::parse_crl_entry_ext(py, ext), }, ) } From 1d04970f372adeee3b86650698a020fd4c323210 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Fri, 12 Apr 2024 10:50:40 -0400 Subject: [PATCH 0446/1462] Remove all remaining uses of `as_borrowed()` (#10801) --- src/rust/src/backend/dsa.rs | 6 ++--- src/rust/src/backend/ec.rs | 4 +-- src/rust/src/backend/hmac.rs | 2 +- src/rust/src/backend/rsa.rs | 21 +++------------- src/rust/src/backend/utils.rs | 2 +- src/rust/src/pkcs7.rs | 9 ++----- src/rust/src/x509/common.rs | 22 ++++------------- src/rust/src/x509/crl.rs | 34 +++++++++----------------- src/rust/src/x509/csr.rs | 2 +- src/rust/src/x509/extensions.rs | 43 ++++++++++++++------------------- src/rust/src/x509/ocsp_resp.rs | 10 +++----- src/rust/src/x509/sign.rs | 7 +++--- 12 files changed, 52 insertions(+), 110 deletions(-) diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 8db405c87533..06143428c7e8 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -72,8 +72,7 @@ impl DsaPrivateKey { data: CffiBuf<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - let (data, _) = - utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm.as_borrowed())?; + let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm)?; let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; signer.sign_init()?; @@ -159,8 +158,7 @@ impl DsaPublicKey { data: CffiBuf<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult<()> { - let (data, _) = - utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm.as_borrowed())?; + let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm)?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; verifier.verify_init()?; diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 7a86f8a8d88c..41cd8e057d88 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs 
@@ -403,9 +403,7 @@ impl ECPublicKey { let (data, _) = utils::calculate_digest_and_algorithm( py, data.as_bytes(), - &signature_algorithm - .as_borrowed() - .getattr(pyo3::intern!(py, "algorithm"))?, + &signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, )?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs index f7718ad55d90..5f08ff117167 100644 --- a/src/rust/src/backend/hmac.rs +++ b/src/rust/src/backend/hmac.rs @@ -24,7 +24,7 @@ impl Hmac { key: &[u8], algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - let md = message_digest_from_algorithm(py, &algorithm.as_borrowed())?; + let md = message_digest_from_algorithm(py, algorithm)?; let ctx = cryptography_openssl::hmac::Hmac::new(key, md).map_err(|_| { exceptions::UnsupportedAlgorithm::new_err(( "Digest is not supported for HMAC", diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 0a279f7fdc30..c1af3879eb98 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -10,7 +10,6 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; -use pyo3::PyNativeType; #[pyo3::prelude::pyclass( frozen, @@ -295,14 +294,7 @@ impl RsaPrivateKey { ctx.sign_init().map_err(|_| { pyo3::exceptions::PyValueError::new_err("Unable to sign/verify with this key") })?; - setup_signature_ctx( - py, - &mut ctx, - padding, - &algorithm.as_borrowed(), - self.pkey.size(), - true, - )?; + setup_signature_ctx(py, &mut ctx, padding, &algorithm, self.pkey.size(), true)?; let length = ctx.sign(data, None)?; Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { 
@@ -440,14 +432,7 @@ impl RsaPublicKey { let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.verify_init()?; - setup_signature_ctx( - py, - &mut ctx, - padding, - &algorithm.as_borrowed(), - self.pkey.size(), - false, - )?; + setup_signature_ctx(py, &mut ctx, padding, &algorithm, self.pkey.size(), false)?; let valid = ctx.verify(data, signature.as_bytes()).unwrap_or(false); if !valid { @@ -487,7 +472,7 @@ impl RsaPublicKey { padding: &pyo3::Bound<'_, pyo3::PyAny>, algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - if algorithm.is_instance(&types::PREHASHED.get(py)?.as_borrowed())? { + if algorithm.is_instance(&types::PREHASHED.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Prehashed is only supported in the sign and verify methods. It cannot be used with recover_data_from_signature.", diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index a3f60d851cdc..827f56f688f0 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -365,7 +365,7 @@ pub(crate) fn calculate_digest_and_algorithm<'p>( } else { // Potential optimization: rather than allocate a PyBytes in // `h.finalize()`, have a way to get the `DigestBytes` directly. - let mut h = Hash::new(py, &algorithm.as_borrowed(), None)?; + let mut h = Hash::new(py, algorithm, None)?; h.update_bytes(data)?; data = h.finalize(py)?.into_gil_ref().as_bytes(); } diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index ffb0df18b975..2daee2a9ca4b 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs 
@@ -280,7 +280,7 @@ fn compute_pkcs7_signature_algorithm<'p>( hash_algorithm: pyo3::Bound<'p, pyo3::PyAny>, rsa_padding: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult> { - let key_type = x509::sign::identify_key_type(py, private_key.as_borrowed().to_owned())?; + let key_type = x509::sign::identify_key_type(py, private_key.clone())?; let has_pss_padding = rsa_padding.is_instance(&types::PSS.get_bound(py)?)?; // For RSA signatures (with no PSS padding), the OID is always the same no matter the // digest algorithm. See RFC 3370 (section 3.2). @@ -290,12 +290,7 @@ fn compute_pkcs7_signature_algorithm<'p>( params: common::AlgorithmParameters::Rsa(Some(())), }) } else { - x509::sign::compute_signature_algorithm( - py, - private_key.as_borrowed().to_owned(), - hash_algorithm.as_borrowed().to_owned(), - rsa_padding.as_borrowed().to_owned(), - ) + x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding) } } diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 67d952fbcc7c..c17208820a0d 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -76,10 +76,7 @@ pub(crate) fn encode_name_entry<'p>( .getattr(pyo3::intern!(py, "value"))? .extract()? }; - let py_oid = py_name_entry - .getattr(pyo3::intern!(py, "oid"))? - .as_borrowed() - .to_owned(); + let py_oid = py_name_entry.getattr(pyo3::intern!(py, "oid"))?; let oid = py_oid_to_oid(py_oid)?; Ok(AttributeTypeValue { @@ -129,10 +126,7 @@ pub(crate) fn encode_general_name<'a>( let name = encode_name(py, &gn_value)?; Ok(GeneralName::DirectoryName(name)) } else if gn_type.is(types::OTHER_NAME.get(py)?) { - let py_oid = gn - .getattr(pyo3::intern!(py, "type_id"))? - .as_borrowed() - .to_owned(); + let py_oid = gn.getattr(pyo3::intern!(py, "type_id"))?; Ok(GeneralName::OtherName(OtherName { type_id: py_oid_to_oid(py_oid)?, value: asn1::parse_single(gn_value.extract::<&[u8]>()?).map_err(|e| { 
@@ -151,7 +145,7 @@ pub(crate) fn encode_general_name<'a>( .extract::<&[u8]>()?, )) } else if gn_type.is(types::REGISTERED_ID.get(py)?) { - let oid = py_oid_to_oid(gn_value.as_borrowed().to_owned())?; + let oid = py_oid_to_oid(gn_value)?; Ok(GeneralName::RegisteredID(oid)) } else { Err(CryptographyError::from( @@ -167,10 +161,7 @@ pub(crate) fn encode_access_descriptions<'a>( let mut ads = vec![]; for py_ad in py_ads.iter()? { let py_ad = py_ad?; - let py_oid = py_ad - .getattr(pyo3::intern!(py, "access_method"))? - .as_borrowed() - .to_owned(); + let py_oid = py_ad.getattr(pyo3::intern!(py, "access_method"))?; let access_method = py_oid_to_oid(py_oid)?; let access_location = encode_general_name(py, &py_ad.getattr(pyo3::intern!(py, "access_location"))?)?; @@ -429,10 +420,7 @@ pub(crate) fn encode_extensions< let mut exts = vec![]; for py_ext in py_exts.iter()? { let py_ext = py_ext?; - let py_oid = py_ext - .getattr(pyo3::intern!(py, "oid"))? - .as_borrowed() - .to_owned(); + let py_oid = py_ext.getattr(pyo3::intern!(py, "oid"))?; let oid = py_oid_to_oid(py_oid)?; let ext_val = py_ext.getattr(pyo3::intern!(py, "value"))?; diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 05dcc3eb8766..b00858e27500 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -179,7 +179,7 @@ impl CertificateRevocationList { ) -> pyo3::PyResult> { let data = self.public_bytes_der()?; - let mut h = Hash::new(py, &algorithm.as_borrowed(), None)?; + let mut h = Hash::new(py, &algorithm, None)?; h.update_bytes(&data)?; Ok(h.finalize(py)?) } @@ -295,16 +295,14 @@ impl CertificateRevocationList { "Properties that return a naïve datetime object have been deprecated. Please switch to last_update_utc.", 1, )?; - Ok(x509::datetime_to_py( + x509::datetime_to_py( py, self.owned .borrow_dependent() .tbs_cert_list .this_update .as_datetime(), - )? - .as_borrowed() - .to_owned()) + ) } #[getter] 
@@ -573,12 +571,10 @@ impl RevokedCertificate { "Properties that return a naïve datetime object have been deprecated. Please switch to revocation_date_utc.", 1, )?; - Ok(x509::datetime_to_py( + x509::datetime_to_py( py, self.owned.borrow_dependent().revocation_date.as_datetime(), - )? - .as_borrowed() - .to_owned()) + ) } #[getter] @@ -682,10 +678,7 @@ fn create_x509_crl( revoked_certs.push(crl::RevokedCertificate { user_certificate: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, serial_number)?) .unwrap(), - revocation_date: x509::certificate::time_from_py( - py, - &py_revocation_date.as_borrowed(), - )?, + revocation_date: x509::certificate::time_from_py(py, &py_revocation_date)?, raw_crl_entry_extensions: x509::common::encode_extensions( py, &py_revoked_cert.getattr(pyo3::intern!(py, "extensions"))?, @@ -700,12 +693,9 @@ fn create_x509_crl( let tbs_cert_list = crl::TBSCertList { version: Some(1), signature: sigalg.clone(), - issuer: x509::common::encode_name(py, &py_issuer_name.as_borrowed())?, - this_update: x509::certificate::time_from_py(py, &py_this_update.as_borrowed())?, - next_update: Some(x509::certificate::time_from_py( - py, - &py_next_update.as_borrowed(), - )?), + issuer: x509::common::encode_name(py, &py_issuer_name)?, + this_update: x509::certificate::time_from_py(py, &py_this_update)?, + next_update: Some(x509::certificate::time_from_py(py, &py_next_update)?), revoked_certificates: if revoked_certs.is_empty() { None } else { @@ -723,9 +713,9 @@ fn create_x509_crl( let tbs_bytes = asn1::write_single(&tbs_cert_list)?; let signature = x509::sign::sign_data( py, - private_key.as_borrowed().to_owned(), - hash_algorithm.as_borrowed().to_owned(), - rsa_padding.as_borrowed().to_owned(), + private_key.clone(), + hash_algorithm.clone(), + rsa_padding.clone(), &tbs_bytes, )?; let data = asn1::write_single(&crl::CertificateRevocationList { diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 43fad223fc04..4f6a0d46c045 100644 
--- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -360,7 +360,7 @@ fn create_x509_csr( let csr_info = CertificationRequestInfo { version: 0, - subject: x509::common::encode_name(py, &py_subject_name.as_borrowed())?, + subject: x509::common::encode_name(py, &py_subject_name)?, spki: asn1::parse_single(&spki_bytes)?, attributes: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(attrs)), }; diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 22f2da338fab..94eb495bc7a0 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -19,7 +19,7 @@ fn encode_general_subtrees<'a>( } else { let mut subtree_seq = vec![]; for name in subtrees.iter()? { - let gn = x509::common::encode_general_name(py, &name?.as_borrowed())?; + let gn = x509::common::encode_general_name(py, &name?)?; subtree_seq.push(extensions::GeneralSubtree { base: gn, minimum: 0, @@ -44,7 +44,7 @@ pub(crate) fn encode_authority_key_identifier<'a>( } let aki = py_aki.extract::>()?; let authority_cert_issuer = if let Some(authority_cert_issuer) = aki.authority_cert_issuer { - let gns = x509::common::encode_general_names(py, &authority_cert_issuer.as_borrowed())?; + let gns = x509::common::encode_general_names(py, &authority_cert_issuer)?; Some(common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(gns), )) @@ -82,7 +82,7 @@ pub(crate) fn encode_distribution_points<'p>( let py_dp = py_dp?.extract::>()?; let crl_issuer = if let Some(py_crl_issuer) = py_dp.crl_issuer { - let gns = x509::common::encode_general_names(py, &py_crl_issuer.as_borrowed())?; + let gns = x509::common::encode_general_names(py, &py_crl_issuer)?; Some(common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(gns), )) 
@@ -90,7 +90,7 @@ pub(crate) fn encode_distribution_points<'p>( None }; let distribution_point = if let Some(py_full_name) = py_dp.full_name { - let gns = x509::common::encode_general_names(py, &py_full_name.as_borrowed())?; + let gns = x509::common::encode_general_names(py, &py_full_name)?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) @@ -106,8 +106,7 @@ pub(crate) fn encode_distribution_points<'p>( None }; let reasons = if let Some(py_reasons) = py_dp.reasons { - let reasons = - certificate::encode_distribution_point_reasons(py, &py_reasons.as_borrowed())?; + let reasons = certificate::encode_distribution_point_reasons(py, &py_reasons)?; Some(common::Asn1ReadableOrWritable::new_write(reasons)) } else { None @@ -293,7 +292,7 @@ fn encode_certificate_policies( }; let py_policy_id = py_policy_info.getattr(pyo3::intern!(py, "policy_identifier"))?; policy_informations.push(extensions::PolicyInformation { - policy_identifier: py_oid_to_oid(py_policy_id.as_borrowed().to_owned())?, + policy_identifier: py_oid_to_oid(py_policy_id)?, policy_qualifiers: qualifiers, }); } 
@@ -311,15 +310,14 @@ fn encode_issuing_distribution_point( .is_truthy()? { let py_reasons = ext.getattr(pyo3::intern!(py, "only_some_reasons"))?; - let reasons = - certificate::encode_distribution_point_reasons(ext.py(), &py_reasons.as_borrowed())?; + let reasons = certificate::encode_distribution_point_reasons(ext.py(), &py_reasons)?; Some(common::Asn1ReadableOrWritable::new_write(reasons)) } else { None }; let distribution_point = if ext.getattr(pyo3::intern!(py, "full_name"))?.is_truthy()? { let py_full_name = ext.getattr(pyo3::intern!(py, "full_name"))?; - let gns = x509::common::encode_general_names(ext.py(), &py_full_name.as_borrowed())?; + let gns = x509::common::encode_general_names(ext.py(), &py_full_name)?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) @@ -358,7 +356,7 @@ fn encode_issuing_distribution_point( fn encode_oid_sequence(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult> { let mut oids = vec![]; for el in ext.iter()? { - let oid = py_oid_to_oid(el?.as_borrowed().to_owned())?; + let oid = py_oid_to_oid(el?)?; oids.push(oid); } Ok(asn1::write_single(&asn1::SequenceOfWriter::new(oids))?) @@ -383,14 +381,14 @@ fn encode_tls_features( fn encode_scts(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult> { let mut length = 0; for sct in ext.iter()? { - let sct = sct?.as_borrowed().downcast::()?.clone(); + let sct = sct?.downcast::()?.clone(); length += sct.get().sct_data.len() + 2; } let mut result = vec![]; result.extend_from_slice(&(length as u16).to_be_bytes()); for sct in ext.iter()? { - let sct = sct?.as_borrowed().downcast::()?.clone(); + let sct = sct?.downcast::()?.clone(); result.extend_from_slice(&(sct.get().sct_data.len() as u16).to_be_bytes()); result.extend_from_slice(&sct.get().sct_data); } 
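Review bot: In `encode_scts`, both `length as u16` and `sct.get().sct_data.len() as u16` truncate silently, so an SCT list whose serialized size exceeds 65535 bytes would be written with a wrapped length prefix and yield a malformed extension instead of an error. `as` casts are not covered by the overflow checks, so a checked conversion is needed, for example `let length = u16::try_from(length).map_err(|_| pyo3::exceptions::PyValueError::new_err("SCT list is too large to encode"))?;`, with the same treatment for each entry's length. These casts sit on context lines the commit leaves unchanged, and the end of the function lies outside the hunk.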
@@ -418,7 +416,7 @@ pub(crate) fn encode_extension( Ok(Some(der)) } &oid::AUTHORITY_INFORMATION_ACCESS_OID | &oid::SUBJECT_INFORMATION_ACCESS_OID => { - let der = x509::common::encode_access_descriptions(ext.py(), &ext.as_borrowed())?; + let der = x509::common::encode_access_descriptions(ext.py(), ext)?; Ok(Some(der)) } &oid::EXTENDED_KEY_USAGE_OID | &oid::ACCEPTABLE_RESPONSES_OID => { @@ -452,16 +450,15 @@ pub(crate) fn encode_extension( &oid::INHIBIT_ANY_POLICY_OID => { let intval = ext .getattr(pyo3::intern!(py, "skip_certs"))? - .as_borrowed() .downcast::()? .clone(); - let bytes = py_uint_to_big_endian_bytes(ext.py(), intval.as_borrowed().to_owned())?; + let bytes = py_uint_to_big_endian_bytes(ext.py(), intval)?; Ok(Some(asn1::write_single( &asn1::BigUint::new(bytes).unwrap(), )?)) } &oid::ISSUER_ALTERNATIVE_NAME_OID | &oid::SUBJECT_ALTERNATIVE_NAME_OID => { - let gns = x509::common::encode_general_names(ext.py(), &ext.as_borrowed())?; + let gns = x509::common::encode_general_names(ext.py(), ext)?; Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::AUTHORITY_KEY_IDENTIFIER_OID => { 
@@ -491,24 +488,20 @@ pub(crate) fn encode_extension( Ok(Some(asn1::write_single(&asn1::Enumerated::new(value))?)) } &oid::CERTIFICATE_ISSUER_OID => { - let gns = x509::common::encode_general_names(ext.py(), &ext.as_borrowed())?; + let gns = x509::common::encode_general_names(ext.py(), ext)?; Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::INVALIDITY_DATE_OID => { - let py_dt = ext - .getattr(pyo3::intern!(py, "invalidity_date"))? - .as_borrowed() - .to_owned(); + let py_dt = ext.getattr(pyo3::intern!(py, "invalidity_date"))?; let dt = x509::py_to_datetime(py, py_dt)?; Ok(Some(asn1::write_single(&asn1::GeneralizedTime::new(dt)?)?)) } &oid::CRL_NUMBER_OID | &oid::DELTA_CRL_INDICATOR_OID => { let intval = ext .getattr(pyo3::intern!(py, "crl_number"))? - .as_borrowed() .downcast::()? .clone(); - let bytes = py_uint_to_big_endian_bytes(ext.py(), intval.as_borrowed().to_owned())?; + let bytes = py_uint_to_big_endian_bytes(ext.py(), intval)?; Ok(Some(asn1::write_single( &asn1::BigUint::new(bytes).unwrap(), )?)) @@ -526,7 +519,7 @@ pub(crate) fn encode_extension( &oid::MS_CERTIFICATE_TEMPLATE => { let py_template_id = ext.getattr(pyo3::intern!(py, "template_id"))?; let mstpl = extensions::MSCertificateTemplate { - template_id: py_oid_to_oid(py_template_id.as_borrowed().to_owned())?, + template_id: py_oid_to_oid(py_template_id)?, major_version: ext.getattr(pyo3::intern!(py, "major_version"))?.extract()?, minor_version: ext.getattr(pyo3::intern!(py, "minor_version"))?.extract()?, }; diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 4c6b00cbeee8..47623a77dd08 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs 
@@ -651,10 +651,7 @@ fn create_ocsp_response( }; // REVOKED let py_revocation_time = py_single_resp.getattr(pyo3::intern!(py, "_revocation_time"))?; - let revocation_time = asn1::GeneralizedTime::new(py_to_datetime( - py, - py_revocation_time.as_borrowed().to_owned(), - )?)?; + let revocation_time = asn1::GeneralizedTime::new(py_to_datetime(py, py_revocation_time)?)?; ocsp_resp::CertStatus::Revoked(ocsp_resp::RevokedInfo { revocation_time, revocation_reason, @@ -667,14 +664,13 @@ fn create_ocsp_response( let py_next_update = py_single_resp.getattr(pyo3::intern!(py, "_next_update"))?; Some(asn1::GeneralizedTime::new(py_to_datetime( py, - py_next_update.as_borrowed().to_owned(), + py_next_update, )?)?) } else { None }; let py_this_update = py_single_resp.getattr(pyo3::intern!(py, "_this_update"))?; - let this_update = - asn1::GeneralizedTime::new(py_to_datetime(py, py_this_update.as_borrowed().to_owned())?)?; + let this_update = asn1::GeneralizedTime::new(py_to_datetime(py, py_this_update)?)?; let responses = vec![SingleResponse { cert_id: ocsp::certid_new(py, &py_cert, &py_issuer, &py_cert_hash_algorithm)?, diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 72938687791e..2a8ec2953b74 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -7,7 +7,6 @@ use std::collections::HashMap; use cryptography_x509::{common, oid}; use once_cell::sync::Lazy; use pyo3::prelude::PyAnyMethods; -use pyo3::PyNativeType; use crate::asn1::oid_to_py_oid; use crate::error::{CryptographyError, CryptographyResult}; 
@@ -150,7 +149,7 @@ pub(crate) fn compute_signature_algorithm<'p>( let py_mgf_alg = rsa_padding .getattr(pyo3::intern!(py, "_mgf"))? .getattr(pyo3::intern!(py, "_algorithm"))?; - let mgf_hash_type = identify_hash_type(py, py_mgf_alg.as_borrowed().to_owned())?; + let mgf_hash_type = identify_hash_type(py, py_mgf_alg)?; let mgf_alg = common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), params: identify_alg_params_for_hash_type(mgf_hash_type)?, @@ -449,7 +448,7 @@ pub(crate) fn identify_signature_hash_algorithm<'p>( py: pyo3::Python<'p>, signature_algorithm: &common::AlgorithmIdentifier<'_>, ) -> CryptographyResult> { - let sig_oids_to_hash = types::SIG_OIDS_TO_HASH.get(py)?; + let sig_oids_to_hash = types::SIG_OIDS_TO_HASH.get_bound(py)?; match &signature_algorithm.params { common::AlgorithmParameters::RsaPss(opt_pss) => { let pss = opt_pss.as_ref().ok_or_else(|| { @@ -461,7 +460,7 @@ pub(crate) fn identify_signature_hash_algorithm<'p>( let py_sig_alg_oid = oid_to_py_oid(py, signature_algorithm.oid())?; let hash_alg = sig_oids_to_hash.get_item(py_sig_alg_oid); match hash_alg { - Ok(data) => Ok(data.as_borrowed().to_owned()), + Ok(data) => Ok(data), Err(_) => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", From 0acc56b7d422e59637656accd4c1c843d6470555 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Fri, 12 Apr 2024 13:47:15 -0400 Subject: [PATCH 0447/1462] Introduce a keepalive abstraction (#10764) This effectively emulates what pyo3's old GIL pool was doing, but we'll use it in a far more targetted manner. --- src/rust/Cargo.lock | 5 +++ src/rust/Cargo.toml | 2 ++ src/rust/cryptography-keepalive/Cargo.toml | 10 ++++++ src/rust/cryptography-keepalive/src/lib.rs | 40 ++++++++++++++++++++++ src/rust/src/pkcs7.rs | 18 +++++----- 5 files changed, 65 insertions(+), 10 deletions(-) create mode 100644 src/rust/cryptography-keepalive/Cargo.toml create mode 100644 src/rust/cryptography-keepalive/src/lib.rs diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 9a335a8616a0..176a323fe5d7 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -67,6 +67,10 @@ dependencies = [ "pyo3", ] +[[package]] +name = "cryptography-keepalive" +version = "0.1.0" + [[package]] name = "cryptography-key-parsing" version = "0.1.0" @@ -96,6 +100,7 @@ dependencies = [ "asn1", "cfg-if", "cryptography-cffi", + "cryptography-keepalive", "cryptography-key-parsing", "cryptography-openssl", "cryptography-x509", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index e8a26cfd53ae..a9229587b1ef 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -13,6 +13,7 @@ cfg-if = "1" pyo3 = { version = "0.21.1", features = ["abi3", "gil-refs"] } asn1 = { version = "0.16.1", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } +cryptography-keepalive = { path = "cryptography-keepalive" } cryptography-key-parsing = { path = "cryptography-key-parsing" } cryptography-x509 = { path = "cryptography-x509" } cryptography-x509-verification = { path = "cryptography-x509-verification" } @@ -37,6 +38,7 @@ overflow-checks = true [workspace] members = [ "cryptography-cffi", + "cryptography-keepalive", "cryptography-key-parsing", "cryptography-openssl", "cryptography-x509", 
diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml
new file mode 100644
index 000000000000..241369773f39
--- /dev/null
+++ b/src/rust/cryptography-keepalive/Cargo.toml
@@ -0,0 +1,10 @@
+[package]
+name = "cryptography-keepalive"
+version = "0.1.0"
+authors = ["The cryptography developers "]
+edition = "2021"
+publish = false
+# This specifies the MSRV
+rust-version = "1.65.0"
+
+[dependencies]
diff --git a/src/rust/cryptography-keepalive/src/lib.rs b/src/rust/cryptography-keepalive/src/lib.rs
new file mode 100644
index 000000000000..a33baba3c4bf
--- /dev/null
+++ b/src/rust/cryptography-keepalive/src/lib.rs
@@ -0,0 +1,40 @@
+// This file is dual licensed under the terms of the Apache License, Version
+// 2.0, and the BSD License. See the LICENSE file in the root of this repository
+// for complete details.
+
+#![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)]
+
+use std::cell::UnsafeCell;
+use std::ops::Deref;
+
+pub struct KeepAlive {
+ values: UnsafeCell>,
+}
+
+/// # Safety
+/// Implementors of this trait must ensure that the value returned by
+/// `deref()` must remain valid, even if `self` is moved.
+pub unsafe trait StableDeref: Deref {}
+// SAFETY: `Vec`'s data is on the heap, so as long as it's not mutated, the
+// slice returned by `deref` remains valid.
+unsafe impl StableDeref for Vec {}
+
+#[allow(clippy::new_without_default)]
+impl KeepAlive {
+ pub fn new() -> Self {
+ KeepAlive {
+ values: UnsafeCell::new(vec![]),
+ }
+ }
+
+ pub fn add(&self, v: T) -> &T::Target {
+ // SAFETY: We only ever append to `self.values`, which, when combined
+ // with the invariants of `StableDeref`, means that the result of
+ // `deref()` will always be valid for the lifetime of `&self`.
+ unsafe {
+ let values = &mut *self.values.get();
+ values.push(v);
+ values.last().unwrap().deref()
+ }
+ }
+}
diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs
index 2daee2a9ca4b..07b8bf01d8af 100644
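Review bot: `KeepAlive::add` rests on hand-written `unsafe` over an `UnsafeCell`, yet the new `lib.rs` contains no test that exercises it. A unit test that adds enough values to force the backing vector to reallocate, then reads a slice returned earlier, would let Miri check the argument made in the SAFETY comment. The public items `KeepAlive`, `new` and `add` also have no `///` docs; `add` should state that the returned reference lives as long as `&self` and that stored values are never removed or mutated. The `#[allow(clippy::new_without_default)]` could be dropped by implementing `Default`.

```rust
// … unchanged: KeepAlive, StableDeref and their impls …

#[cfg(test)]
mod tests {
    use super::KeepAlive;

    #[test]
    fn earlier_values_survive_reallocation() {
        let ka = KeepAlive::new();
        let first = ka.add(vec![1u8, 2, 3]);
        // Push well past the initial capacity so the outer Vec reallocates.
        for i in 0..64u8 {
            ka.add(vec![i]);
        }
        assert_eq!(first, &[1, 2, 3]);
    }
}
```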
--- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -129,15 +129,8 @@ fn sign_and_serialize<'p>( .map(|p| p.raw.borrow_dependent()) .collect::>(); - let mut digests = vec![]; - if !options.contains(&types::PKCS7_NO_ATTRIBUTES.get_bound(py)?)? { - for (_, _, py_hash_alg, _) in &py_signers { - let digest = - asn1::write_single(&x509::ocsp::hash_data(py, py_hash_alg, &data_with_header)?)?; - digests.push(digest); - } - } - for (i, (cert, py_private_key, py_hash_alg, rsa_padding)) in py_signers.iter().enumerate() { + let ka = cryptography_keepalive::KeepAlive::new(); + for (cert, py_private_key, py_hash_alg, rsa_padding) in py_signers.iter() { let (authenticated_attrs, signature) = if options.contains(&types::PKCS7_NO_ATTRIBUTES.get_bound(py)?)? { ( @@ -166,10 +159,15 @@ fn sign_and_serialize<'p>( }, ]; + let digest = ka.add(asn1::write_single(&x509::ocsp::hash_data( + py, + py_hash_alg, + &data_with_header, + )?)?); authenticated_attrs.push(Attribute { type_id: PKCS7_MESSAGE_DIGEST_OID, values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ - asn1::parse_single(&digests[i]).unwrap(), + asn1::parse_single(digest).unwrap(), ])), }); From 5c559e00f4409f04da1fc4e04c9877fadfa13fee Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 12 Apr 2024 13:56:36 -0400 Subject: [PATCH 0448/1462] Finish converting all `get()` calls to `get_bound()` (#10802) A follow up commit will rename it back. --- src/rust/src/backend/cipher_registry.rs | 2 +- src/rust/src/backend/utils.rs | 58 ++++++++++++------------- src/rust/src/buf.rs | 2 +- src/rust/src/pkcs7.rs | 14 +++--- src/rust/src/types.rs | 6 +-- src/rust/src/x509/certificate.rs | 23 +++++----- src/rust/src/x509/common.rs | 45 +++++++++++-------- src/rust/src/x509/csr.rs | 4 +- src/rust/src/x509/extensions.rs | 2 +- src/rust/src/x509/ocsp_resp.rs | 9 ++-- src/rust/src/x509/sct.rs | 2 +- src/rust/src/x509/sign.rs | 2 +- 12 files changed, 89 insertions(+), 80 deletions(-) 
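Review bot: The new `let ka = cryptography_keepalive::KeepAlive::new();` in `sign_and_serialize` has no comment saying why the digests are parked there, and the reason is not obvious from the loop alone. The value passed to `asn1::parse_single(digest)` borrows from the bytes owned by `ka`, so `ka` has to outlive every `authenticated_attrs` entry built from it; a comment such as `// Owns each signer's encoded digest; the TLVs pushed into authenticated_attrs borrow from it.` would record that. The `.unwrap()` on that parse could become `.expect("digest was just DER-encoded")` to state the invariant. The function starts and ends outside these hunks.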
diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index ee95e6539540..0f8dd1d2e9c4 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -265,7 +265,7 @@ fn get_cipher_registry( // this should't be necessary but OpenSSL 3 will return an EVP_CIPHER // even when the cipher is unavailable. if cfg!(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)) - || types::LEGACY_PROVIDER_LOADED.get(py)?.is_truthy()? + || types::LEGACY_PROVIDER_LOADED.get_bound(py)?.is_truthy()? { #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] { diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 827f56f688f0..2acd1aa43f9f 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -75,11 +75,11 @@ pub(crate) fn pkey_private_bytes<'p>( } if raw_allowed - && (encoding.is(types::ENCODING_RAW.get(py)?) - || format.is(types::PRIVATE_FORMAT_RAW.get(py)?)) + && (encoding.is(&types::ENCODING_RAW.get_bound(py)?) + || format.is(&types::PRIVATE_FORMAT_RAW.get_bound(py)?)) { - if !encoding.is(types::ENCODING_RAW.get(py)?) - || !format.is(types::PRIVATE_FORMAT_RAW.get(py)?) + if !encoding.is(&types::ENCODING_RAW.get_bound(py)?) + || !format.is(&types::PRIVATE_FORMAT_RAW.get_bound(py)?) || !encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get_bound(py)?)? { return Err(CryptographyError::from(pyo3::exceptions::PyValueError::new_err( @@ -117,8 +117,8 @@ pub(crate) fn pkey_private_bytes<'p>( )); } - if format.is(types::PRIVATE_FORMAT_PKCS8.get(py)?) { - if encoding.is(types::ENCODING_PEM.get(py)?) { + if format.is(&types::PRIVATE_FORMAT_PKCS8.get_bound(py)?) { + if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { let pem_bytes = if password.is_empty() { pkey.private_key_to_pem_pkcs8()? } else { 
@@ -128,7 +128,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(types::ENCODING_DER.get(py)?) { + } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { let der_bytes = if password.is_empty() { pkey.private_key_to_pkcs8()? } else { @@ -144,7 +144,7 @@ pub(crate) fn pkey_private_bytes<'p>( )); } - if format.is(types::PRIVATE_FORMAT_TRADITIONAL_OPENSSL.get(py)?) { + if format.is(&types::PRIVATE_FORMAT_TRADITIONAL_OPENSSL.get_bound(py)?) { if let Ok(rsa) = pkey.rsa() { if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { let pem_bytes = if password.is_empty() { @@ -192,7 +192,7 @@ pub(crate) fn pkey_private_bytes<'p>( return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } } else if let Ok(ec) = pkey.ec_key() { - if encoding.is(types::ENCODING_PEM.get(py)?) { + if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { let pem_bytes = if password.is_empty() { ec.private_key_to_pem()? } else { @@ -202,7 +202,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(types::ENCODING_DER.get(py)?) { + } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { if !password.is_empty() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -218,10 +218,10 @@ pub(crate) fn pkey_private_bytes<'p>( } // OpenSSH + PEM - if openssh_allowed && format.is(types::PRIVATE_FORMAT_OPENSSH.get(py)?) { - if encoding.is(types::ENCODING_PEM.get(py)?) { + if openssh_allowed && format.is(&types::PRIVATE_FORMAT_OPENSSH.get_bound(py)?) { + if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { return Ok(types::SERIALIZE_SSH_PRIVATE_KEY - .get(py)? + .get_bound(py)? .call1((key_obj, password, encryption_algorithm))? .extract()?); } 
@@ -263,11 +263,11 @@ pub(crate) fn pkey_public_bytes<'p>( } if raw_allowed - && (encoding.is(types::ENCODING_RAW.get(py)?) - || format.is(types::PUBLIC_FORMAT_RAW.get(py)?)) + && (encoding.is(&types::ENCODING_RAW.get_bound(py)?) + || format.is(&types::PUBLIC_FORMAT_RAW.get_bound(py)?)) { - if !encoding.is(types::ENCODING_RAW.get(py)?) - || !format.is(types::PUBLIC_FORMAT_RAW.get(py)?) + if !encoding.is(&types::ENCODING_RAW.get_bound(py)?) + || !format.is(&types::PUBLIC_FORMAT_RAW.get_bound(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -280,11 +280,11 @@ pub(crate) fn pkey_public_bytes<'p>( } // SubjectPublicKeyInfo + PEM/DER - if format.is(types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?) { - if encoding.is(types::ENCODING_PEM.get(py)?) { + if format.is(&types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get_bound(py)?) { + if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { let pem_bytes = pkey.public_key_to_pem()?; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(types::ENCODING_DER.get(py)?) { + } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { let der_bytes = pkey.public_key_to_der()?; return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } @@ -296,10 +296,10 @@ pub(crate) fn pkey_public_bytes<'p>( } if let Ok(ec) = pkey.ec_key() { - if encoding.is(types::ENCODING_X962.get(py)?) { - let point_form = if format.is(types::PUBLIC_FORMAT_UNCOMPRESSED_POINT.get(py)?) { + if encoding.is(&types::ENCODING_X962.get_bound(py)?) { + let point_form = if format.is(&types::PUBLIC_FORMAT_UNCOMPRESSED_POINT.get_bound(py)?) { openssl::ec::PointConversionForm::UNCOMPRESSED - } else if format.is(types::PUBLIC_FORMAT_COMPRESSED_POINT.get(py)?) { + } else if format.is(&types::PUBLIC_FORMAT_COMPRESSED_POINT.get_bound(py)?) { openssl::ec::PointConversionForm::COMPRESSED } else { return Err(CryptographyError::from( 
@@ -317,11 +317,11 @@ pub(crate) fn pkey_public_bytes<'p>( } if let Ok(rsa) = pkey.rsa() { - if format.is(types::PUBLIC_FORMAT_PKCS1.get(py)?) { - if encoding.is(types::ENCODING_PEM.get(py)?) { + if format.is(&types::PUBLIC_FORMAT_PKCS1.get_bound(py)?) { + if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { let pem_bytes = rsa.public_key_to_pem_pkcs1()?; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(types::ENCODING_DER.get(py)?) { + } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { let der_bytes = rsa.public_key_to_der_pkcs1()?; return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } @@ -334,10 +334,10 @@ pub(crate) fn pkey_public_bytes<'p>( } // OpenSSH + OpenSSH - if openssh_allowed && format.is(types::PUBLIC_FORMAT_OPENSSH.get(py)?) { - if encoding.is(types::ENCODING_OPENSSH.get(py)?) { + if openssh_allowed && format.is(&types::PUBLIC_FORMAT_OPENSSH.get_bound(py)?) { + if encoding.is(&types::ENCODING_OPENSSH.get_bound(py)?) { return Ok(types::SERIALIZE_SSH_PUBLIC_KEY - .get(py)? + .get_bound(py)? .call1((key_obj,))? .extract()?); } diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index c480216147ff..e71086da87ea 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs @@ -27,7 +27,7 @@ fn _extract_buffer_length<'p>( types::FFI_FROM_BUFFER.get_bound(py)?.call1((pyobj,))? }; let ptrval = types::FFI_CAST - .get(py)? + .get_bound(py)? .call1((pyo3::intern!(py, "uintptr_t"), bufobj.clone()))? .call_method0(pyo3::intern!(py, "__int__"))? .extract::()?; diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 07b8bf01d8af..d59f6e5edc80 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs 
@@ -87,9 +87,9 @@ fn sign_and_serialize<'p>( options: &pyo3::Bound<'p, pyo3::types::PyList>, ) -> CryptographyResult> { let raw_data: CffiBuf<'p> = builder.getattr(pyo3::intern!(py, "_data"))?.extract()?; - let text_mode = options.contains(types::PKCS7_TEXT.get(py)?)?; + let text_mode = options.contains(types::PKCS7_TEXT.get_bound(py)?)?; let (data_with_header, data_without_header) = - if options.contains(types::PKCS7_BINARY.get(py)?)? { + if options.contains(types::PKCS7_BINARY.get_bound(py)?)? { ( Cow::Borrowed(raw_data.as_bytes()), Cow::Borrowed(raw_data.as_bytes()), @@ -171,7 +171,7 @@ fn sign_and_serialize<'p>( ])), }); - if !options.contains(types::PKCS7_NO_CAPABILITIES.get(py)?)? { + if !options.contains(types::PKCS7_NO_CAPABILITIES.get_bound(py)?)? { authenticated_attrs.push(Attribute { type_id: PKCS7_SMIME_CAP_OID, values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new( @@ -227,7 +227,7 @@ fn sign_and_serialize<'p>( } let data_tlv_bytes; - let content = if options.contains(types::PKCS7_DETACHED_SIGNATURE.get(py)?)? { + let content = if options.contains(types::PKCS7_DETACHED_SIGNATURE.get_bound(py)?)? { None } else { data_tlv_bytes = asn1::write_single(&data_with_header.deref())?; @@ -241,7 +241,7 @@ fn sign_and_serialize<'p>( _content_type: asn1::DefinedByMarker::marker(), content: pkcs7::Content::Data(content.map(asn1::Explicit::new)), }, - certificates: if options.contains(types::PKCS7_NO_CERTS.get(py)?)? { + certificates: if options.contains(types::PKCS7_NO_CERTS.get_bound(py)?)? { None } else { Some(asn1::SetOfWriter::new(&certs)) 
@@ -256,14 +256,14 @@ fn sign_and_serialize<'p>( }; let ci_bytes = asn1::write_single(&content_info)?; - if encoding.is(types::ENCODING_SMIME.get(py)?) { + if encoding.is(&types::ENCODING_SMIME.get_bound(py)?) { let mic_algs = digest_algs .iter() .map(|d| OIDS_TO_MIC_NAME[&d.oid()]) .collect::>() .join(","); Ok(types::SMIME_ENCODE - .get(py)? + .get_bound(py)? .call1((&*data_without_header, &*ci_bytes, mic_algs, text_mode))? .extract()?) } else { diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 6200801be28b..df6102f187a2 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -19,10 +19,6 @@ impl LazyPyImport { } } - pub fn get<'p>(&'p self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - Ok(self.get_bound(py)?.into_gil_ref()) - } - pub fn get_bound<'p>( &'p self, py: pyo3::Python<'p>, @@ -567,7 +563,7 @@ mod tests { let v = LazyPyImport::new("foo", &["bar"]); pyo3::Python::with_gil(|py| { - assert!(v.get(py).is_err()); + assert!(v.get_bound(py).is_err()); }); } } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index cd32c4802dd6..ef65139d7229 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -530,13 +530,16 @@ fn parse_user_notice( numbers.append(big_byte_slice_to_py_int(py, num.as_bytes())?.to_object(py))?; } types::NOTICE_REFERENCE - .get(py)? + .get_bound(py)? .call1((org, numbers))? .to_object(py) } None => py.None(), }; - Ok(types::USER_NOTICE.get(py)?.call1((nr, et))?.to_object(py)) + Ok(types::USER_NOTICE + .get_bound(py)? + .call1((nr, et))? + .to_object(py)) } fn parse_policy_qualifiers<'a>( @@ -588,7 +591,7 @@ fn parse_cp( None => py.None(), }; let pi = types::POLICY_INFORMATION - .get(py)? + .get_bound(py)? .call1((pi_oid, py_pqis))? .to_object(py); certificate_policies.append(pi)?; 
@@ -637,7 +640,7 @@ fn parse_distribution_point( None => py.None(), }; Ok(types::DISTRIBUTION_POINT - .get(py)? + .get_bound(py)? .call1((full_name, relative_name, reasons, crl_issuer))? .to_object(py)) } @@ -659,7 +662,7 @@ pub(crate) fn parse_distribution_point_reasons( py: pyo3::Python<'_>, reasons: Option<&asn1::BitString<'_>>, ) -> Result { - let reason_bit_mapping = types::REASON_BIT_MAPPING.get(py)?; + let reason_bit_mapping = types::REASON_BIT_MAPPING.get_bound(py)?; Ok(match reasons { Some(bs) => { @@ -679,7 +682,7 @@ pub(crate) fn encode_distribution_point_reasons( py: pyo3::Python<'_>, py_reasons: &pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { - let reason_flag_mapping = types::CRL_REASON_FLAGS.get(py)?; + let reason_flag_mapping = types::CRL_REASON_FLAGS.get_bound(py)?; let mut bits = vec![0, 0]; for py_reason in py_reasons.iter()? { @@ -725,7 +728,7 @@ pub(crate) fn parse_access_descriptions( let py_oid = oid_to_py_oid(py, &access.access_method)?.to_object(py); let gn = x509::parse_general_name(py, access.access_location)?; let ad = types::ACCESS_DESCRIPTION - .get(py)? + .get_bound(py)? .call1((py_oid, gn))? .to_object(py); ads.append(ad)?; @@ -757,7 +760,7 @@ pub fn parse_cert_ext<'p>( )) } oid::TLS_FEATURE_OID => { - let tls_feature_type_to_enum = types::TLS_FEATURE_TYPE_TO_ENUM.get(py)?; + let tls_feature_type_to_enum = types::TLS_FEATURE_TYPE_TO_ENUM.get_bound(py)?; let features = pyo3::types::PyList::empty_bound(py); for feature in ext.value::>()? { @@ -918,8 +921,8 @@ fn create_x509_certificate( rsa_padding.clone(), )?; - let der = types::ENCODING_DER.get(py)?; - let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?; + let der = types::ENCODING_DER.get_bound(py)?; + let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get_bound(py)?; let spki_bytes = builder .getattr(pyo3::intern!(py, "_public_key"))? .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))? 
diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index c17208820a0d..2215c2425915 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -59,10 +59,10 @@ pub(crate) fn encode_name_entry<'p>( let tag = attr_type .getattr(pyo3::intern!(py, "value"))? .extract::()?; - let value: &[u8] = if !attr_type.is(types::ASN1_TYPE_BIT_STRING.get(py)?) { - let encoding = if attr_type.is(types::ASN1_TYPE_BMP_STRING.get(py)?) { + let value: &[u8] = if !attr_type.is(&types::ASN1_TYPE_BIT_STRING.get_bound(py)?) { + let encoding = if attr_type.is(&types::ASN1_TYPE_BMP_STRING.get_bound(py)?) { "utf_16_be" - } else if attr_type.is(types::ASN1_TYPE_UNIVERSAL_STRING.get(py)?) { + } else if attr_type.is(&types::ASN1_TYPE_UNIVERSAL_STRING.get_bound(py)?) { "utf_32_be" } else { "utf8" @@ -114,18 +114,18 @@ pub(crate) fn encode_general_name<'a>( let gn_type = gn.get_type(); let gn_value = gn.getattr(pyo3::intern!(py, "value"))?; - if gn_type.is(types::DNS_NAME.get(py)?) { + if gn_type.is(&types::DNS_NAME.get_bound(py)?) { Ok(GeneralName::DNSName(UnvalidatedIA5String( gn_value.extract::<&str>()?, ))) - } else if gn_type.is(types::RFC822_NAME.get(py)?) { + } else if gn_type.is(&types::RFC822_NAME.get_bound(py)?) { Ok(GeneralName::RFC822Name(UnvalidatedIA5String( gn_value.extract::<&str>()?, ))) - } else if gn_type.is(types::DIRECTORY_NAME.get(py)?) { + } else if gn_type.is(&types::DIRECTORY_NAME.get_bound(py)?) { let name = encode_name(py, &gn_value)?; Ok(GeneralName::DirectoryName(name)) - } else if gn_type.is(types::OTHER_NAME.get(py)?) { + } else if gn_type.is(&types::OTHER_NAME.get_bound(py)?) { let py_oid = gn.getattr(pyo3::intern!(py, "type_id"))?; Ok(GeneralName::OtherName(OtherName { type_id: py_oid_to_oid(py_oid)?, 
@@ -135,16 +135,16 @@ pub(crate) fn encode_general_name<'a>(
 ))
 })?,
 }))
- } else if gn_type.is(types::UNIFORM_RESOURCE_IDENTIFIER.get(py)?) {
+ } else if gn_type.is(&types::UNIFORM_RESOURCE_IDENTIFIER.get_bound(py)?) {
 Ok(GeneralName::UniformResourceIdentifier(
 UnvalidatedIA5String(gn_value.extract::<&str>()?),
 ))
- } else if gn_type.is(types::IP_ADDRESS.get(py)?) {
+ } else if gn_type.is(&types::IP_ADDRESS.get_bound(py)?) {
 Ok(GeneralName::IPAddress(
 gn.call_method0(pyo3::intern!(py, "_packed"))?
 .extract::<&[u8]>()?,
 ))
- } else if gn_type.is(types::REGISTERED_ID.get(py)?) {
+ } else if gn_type.is(&types::REGISTERED_ID.get_bound(py)?) {
 let oid = py_oid_to_oid(gn_value)?;
 Ok(GeneralName::RegisteredID(oid))
 } else {
@@ -200,7 +200,7 @@ fn parse_name_attribute(
 ))
 })?
 .to_object(py);
- let py_tag = types::ASN1_TYPE_TO_ENUM.get(py)?.get_item(tag_val)?;
+ let py_tag = types::ASN1_TYPE_TO_ENUM.get_bound(py)?.get_item(tag_val)?;
 let py_data = match attribute.value.tag().as_u8() {
 // BitString tag value
 Some(3) => pyo3::types::PyBytes::new_bound(py, attribute.value.data()).into_any(),
@@ -237,7 +237,7 @@ pub(crate) fn parse_rdn<'a>(
 py_attrs.append(na)?;
 }
 Ok(types::RELATIVE_DISTINGUISHED_NAME
- .get(py)?
+ .get_bound(py)?
 .call1((py_attrs,))?
 .to_object(py))
 }
@@ -275,7 +275,7 @@ pub(crate) fn parse_general_name(
 .to_object(py),
 GeneralName::IPAddress(data) => {
 if data.len() == 4 || data.len() == 16 {
- let addr = types::IPADDRESS_IPADDRESS.get(py)?.call1((data,))?;
+ let addr = types::IPADDRESS_IPADDRESS.get_bound(py)?.call1((data,))?;
 types::IP_ADDRESS
 .get_bound(py)?
 .call1((addr,))?
@@ -288,7 +288,10 @@ pub(crate) fn parse_general_name(
 }
 GeneralName::RegisteredID(data) => {
 let oid = oid_to_py_oid(py, &data)?.to_object(py);
- types::REGISTERED_ID.get(py)?.call1((oid,))?.to_object(py)
+ types::REGISTERED_ID
+ .get_bound(py)?
+ .call1((oid,))?
+ .to_object(py)
 }
 _ => {
 return Err(CryptographyError::from(
@@ -331,7 +334,7 @@ fn create_ip_network( ))), }; let base = types::IPADDRESS_IPADDRESS - .get(py)? + .get_bound(py)? .call1((pyo3::types::PyBytes::new_bound(py, &data[..data.len() / 2]),))?; let net = format!( "{}/{}", @@ -339,8 +342,11 @@ fn create_ip_network( .extract::<&str>()?, prefix? ); - let addr = types::IPADDRESS_IPNETWORK.get(py)?.call1((net,))?; - Ok(types::IP_ADDRESS.get(py)?.call1((addr,))?.to_object(py)) + let addr = types::IPADDRESS_IPNETWORK.get_bound(py)?.call1((net,))?; + Ok(types::IP_ADDRESS + .get_bound(py)? + .call1((addr,))? + .to_object(py)) } fn ipv4_netmask(num: u32) -> Result { @@ -400,7 +406,10 @@ pub(crate) fn parse_and_cache_extensions< ))?; exts.append(ext_obj)?; } - Ok(types::EXTENSIONS.get(py)?.call1((exts,))?.to_object(py)) + Ok(types::EXTENSIONS + .get_bound(py)? + .call1((exts,))? + .to_object(py)) }) .map(|p| p.clone_ref(py)) } diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 4f6a0d46c045..bedc28607418 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -300,8 +300,8 @@ fn create_x509_csr( rsa_padding.clone(), )?; - let der = types::ENCODING_DER.get(py)?; - let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?; + let der = types::ENCODING_DER.get_bound(py)?; + let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get_bound(py)?; let spki_bytes = private_key .call_method0(pyo3::intern!(py, "public_key"))? .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))? diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 94eb495bc7a0..152d6e17706d 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -482,7 +482,7 @@ pub(crate) fn encode_extension( } &oid::CRL_REASON_OID => { let value = types::CRL_ENTRY_REASON_ENUM_TO_CODE - .get(ext.py())? + .get_bound(ext.py())? .get_item(ext.getattr(pyo3::intern!(py, "reason"))?)? .extract::()?; Ok(Some(asn1::write_single(&asn1::Enumerated::new(value))?)) 
diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 47623a77dd08..37b5d75d5a74 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -632,9 +632,9 @@ fn create_ocsp_response( .extract()?; let py_cert_status = py_single_resp.getattr(pyo3::intern!(py, "_cert_status"))?; - let cert_status = if py_cert_status.is(types::OCSP_CERT_STATUS_GOOD.get(py)?) { + let cert_status = if py_cert_status.is(&types::OCSP_CERT_STATUS_GOOD.get_bound(py)?) { ocsp_resp::CertStatus::Good(()) - } else if py_cert_status.is(types::OCSP_CERT_STATUS_UNKNOWN.get(py)?) { + } else if py_cert_status.is(&types::OCSP_CERT_STATUS_UNKNOWN.get_bound(py)?) { ocsp_resp::CertStatus::Unknown(()) } else { let revocation_reason = if !py_single_resp @@ -642,7 +642,7 @@ fn create_ocsp_response( .is_none() { let value = types::CRL_ENTRY_REASON_ENUM_TO_CODE - .get(py)? + .get_bound(py)? .get_item(py_single_resp.getattr(pyo3::intern!(py, "_revocation_reason"))?)? .extract::()?; Some(asn1::Enumerated::new(value)) @@ -681,7 +681,8 @@ fn create_ocsp_response( }]; borrowed_cert = responder_cert.borrow(); - let responder_id = if responder_encoding.is(types::OCSP_RESPONDER_ENCODING_HASH.get(py)?) { + let responder_id = if responder_encoding.is(&types::OCSP_RESPONDER_ENCODING_HASH.get_bound(py)?) + { let sha1 = types::SHA1.get_bound(py)?.call0()?; ocsp_resp::ResponderId::ByKey(ocsp::hash_data( py, diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index f531a3738599..cc3680e8e064 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -165,7 +165,7 @@ impl Sct { #[getter] fn timestamp<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { - let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; + let utc = types::DATETIME_TIMEZONE_UTC.get_bound(py)?; let kwargs = pyo3::types::PyDict::new_bound(py); kwargs.set_item("microsecond", self.timestamp % 1000 * 1000)?; 
diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 2a8ec2953b74..2789c508dbc6 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -491,7 +491,7 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( } let py_mask_gen_hash_alg = hash_oid_py_hash(py, pss.mask_gen_algorithm.params.oid().clone())?; - let py_mgf = types::MGF1.get(py)?.call1((py_mask_gen_hash_alg,))?; + let py_mgf = types::MGF1.get_bound(py)?.call1((py_mask_gen_hash_alg,))?; Ok(types::PSS.get_bound(py)?.call1((py_mgf, pss.salt_length))?) } common::AlgorithmParameters::RsaWithSha1(_) From 8d36296920aca5eef31369fba32f19f91b221780 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 12 Apr 2024 15:40:23 -0400 Subject: [PATCH 0449/1462] Rename `get_bound` back to `get` (#10803) --- src/rust/src/asn1.rs | 4 +- src/rust/src/backend/aead.rs | 12 +-- src/rust/src/backend/cipher_registry.rs | 44 +++++----- src/rust/src/backend/ciphers.rs | 63 +++++++------- src/rust/src/backend/cmac.rs | 4 +- src/rust/src/backend/dh.rs | 6 +- src/rust/src/backend/ec.rs | 14 ++-- src/rust/src/backend/hashes.rs | 4 +- src/rust/src/backend/rsa.rs | 26 +++--- src/rust/src/backend/utils.rs | 86 +++++++++---------- src/rust/src/buf.rs | 6 +- src/rust/src/oid.rs | 2 +- src/rust/src/pkcs12.rs | 8 +- src/rust/src/pkcs7.rs | 18 ++-- src/rust/src/types.rs | 7 +- src/rust/src/x509/certificate.rs | 105 ++++++++++-------------- src/rust/src/x509/common.rs | 89 +++++++++----------- src/rust/src/x509/crl.rs | 54 +++++------- src/rust/src/x509/csr.rs | 12 ++- src/rust/src/x509/extensions.rs | 2 +- src/rust/src/x509/ocsp_req.rs | 11 +-- src/rust/src/x509/ocsp_resp.rs | 28 +++---- src/rust/src/x509/sct.rs | 14 ++-- src/rust/src/x509/sign.rs | 51 ++++++------ src/rust/src/x509/verify.rs | 4 +- 25 files changed, 304 insertions(+), 370 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 35de6049382a..ba3eba7e235c 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs 
@@ -99,9 +99,9 @@ pub(crate) fn encode_der_data<'p>( data: Vec, encoding: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - if encoding.is(&types::ENCODING_DER.get_bound(py)?) { + if encoding.is(&types::ENCODING_DER.get(py)?) { Ok(pyo3::types::PyBytes::new_bound(py, &data)) - } else if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + } else if encoding.is(&types::ENCODING_PEM.get(py)?) { Ok(pyo3::types::PyBytes::new_bound( py, &pem::encode_config( diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 16ea74f20030..e9dbcab652bd 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -533,7 +533,7 @@ impl ChaCha20Poly1305 { #[staticmethod] fn generate_key(py: pyo3::Python<'_>) -> CryptographyResult> { - Ok(types::OS_URANDOM.get_bound(py)?.call1((32,))?) + Ok(types::OS_URANDOM.get(py)?.call1((32,))?) } fn encrypt<'p>( @@ -648,7 +648,7 @@ impl AesGcm { )); } - Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) } fn encrypt<'p>( @@ -759,7 +759,7 @@ impl AesCcm { )); } - Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) } fn encrypt<'p>( @@ -892,7 +892,7 @@ impl AesSiv { )); } - Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) } #[pyo3(signature = (data, associated_data))] @@ -989,7 +989,7 @@ impl AesOcb3 { )); } - Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) } #[pyo3(signature = (nonce, data, associated_data))] @@ -1098,7 +1098,7 @@ impl AesGcmSiv { )); } - Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) } #[pyo3(signature = (nonce, data, associated_data))] 
diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs
index 0f8dd1d2e9c4..40ae826014b4 100644
--- a/src/rust/src/backend/cipher_registry.rs
+++ b/src/rust/src/backend/cipher_registry.rs
@@ -119,38 +119,38 @@ fn get_cipher_registry( REGISTRY.get_or_try_init(py, || { let mut m = RegistryBuilder::new(py); - let aes = types::AES.get_bound(py)?; - let aes128 = types::AES128.get_bound(py)?; - let aes256 = types::AES256.get_bound(py)?; - let triple_des = types::TRIPLE_DES.get_bound(py)?; + let aes = types::AES.get(py)?; + let aes128 = types::AES128.get(py)?; + let aes256 = types::AES256.get(py)?; + let triple_des = types::TRIPLE_DES.get(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] - let camellia = types::CAMELLIA.get_bound(py)?; + let camellia = types::CAMELLIA.get(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] - let blowfish = types::BLOWFISH.get_bound(py)?; + let blowfish = types::BLOWFISH.get(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAST"))] - let cast5 = types::CAST5.get_bound(py)?; + let cast5 = types::CAST5.get(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] - let idea = types::IDEA.get_bound(py)?; + let idea = types::IDEA.get(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] - let sm4 = types::SM4.get_bound(py)?; + let sm4 = types::SM4.get(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] - let seed = types::SEED.get_bound(py)?; - let arc4 = types::ARC4.get_bound(py)?; + let seed = types::SEED.get(py)?; + let arc4 = types::ARC4.get(py)?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - let chacha20 = types::CHACHA20.get_bound(py)?; - let rc2 = types::RC2.get_bound(py)?; + let chacha20 = types::CHACHA20.get(py)?; + let rc2 = types::RC2.get(py)?; - let cbc = types::CBC.get_bound(py)?; + let cbc = types::CBC.get(py)?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - let cfb = types::CFB.get_bound(py)?; + let cfb = types::CFB.get(py)?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - let cfb8 = types::CFB8.get_bound(py)?; - let ofb = types::OFB.get_bound(py)?; - let ecb = types::ECB.get_bound(py)?; - let ctr = types::CTR.get_bound(py)?; - let gcm = types::GCM.get_bound(py)?; + let cfb8 = 
types::CFB8.get(py)?; + let ofb = types::OFB.get(py)?; + let ecb = types::ECB.get(py)?; + let ctr = types::CTR.get(py)?; + let gcm = types::GCM.get(py)?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - let xts = types::XTS.get_bound(py)?; + let xts = types::XTS.get(py)?; let none = py.None(); let none_type = none.bind(py).get_type(); @@ -265,7 +265,7 @@ fn get_cipher_registry( // this should't be necessary but OpenSSL 3 will return an EVP_CIPHER // even when the cipher is unavailable. if cfg!(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)) - || types::LEGACY_PROVIDER_LOADED.get_bound(py)?.is_truthy()? + || types::LEGACY_PROVIDER_LOADED.get(py)?.is_truthy()? { #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] { diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 5677e0fbba3d..9fe9550b34c9 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs 
@@ -43,31 +43,30 @@ impl CipherContext { } }; - let iv_nonce = - if mode.is_instance(&types::MODE_WITH_INITIALIZATION_VECTOR.get_bound(py)?)? { - Some( - mode.getattr(pyo3::intern!(py, "initialization_vector"))? - .extract::>()?, - ) - } else if mode.is_instance(&types::MODE_WITH_TWEAK.get_bound(py)?)? { - Some( - mode.getattr(pyo3::intern!(py, "tweak"))? - .extract::>()?, - ) - } else if mode.is_instance(&types::MODE_WITH_NONCE.get_bound(py)?)? { - Some( - mode.getattr(pyo3::intern!(py, "nonce"))? - .extract::>()?, - ) - } else if algorithm.is_instance(&types::CHACHA20.get_bound(py)?)? { - Some( - algorithm - .getattr(pyo3::intern!(py, "nonce"))? - .extract::>()?, - ) - } else { - None - }; + let iv_nonce = if mode.is_instance(&types::MODE_WITH_INITIALIZATION_VECTOR.get(py)?)? { + Some( + mode.getattr(pyo3::intern!(py, "initialization_vector"))? + .extract::>()?, + ) + } else if mode.is_instance(&types::MODE_WITH_TWEAK.get(py)?)? { + Some( + mode.getattr(pyo3::intern!(py, "tweak"))? + .extract::>()?, + ) + } else if mode.is_instance(&types::MODE_WITH_NONCE.get(py)?)? { + Some( + mode.getattr(pyo3::intern!(py, "nonce"))? + .extract::>()?, + ) + } else if algorithm.is_instance(&types::CHACHA20.get(py)?)? { + Some( + algorithm + .getattr(pyo3::intern!(py, "nonce"))? + .extract::>()?, + ) + } else { + None + }; let key = algorithm .getattr(pyo3::intern!(py, "key"))? @@ -88,7 +87,7 @@ impl CipherContext { } } - if mode.is_instance(&types::XTS.get_bound(py)?)? { + if mode.is_instance(&types::XTS.get(py)?)? { init_op( &mut ctx, None, 
@@ -146,11 +145,7 @@ impl CipherContext { for chunk in buf.chunks(1 << 29) { // SAFETY: We ensure that outbuf is sufficiently large above. unsafe { - let n = if self - .py_mode - .bind(py) - .is_instance(&types::XTS.get_bound(py)?)? - { + let n = if self.py_mode.bind(py).is_instance(&types::XTS.get(py)?)? { self.ctx.cipher_update_unchecked(chunk, Some(&mut out_buf[total_written..])).map_err(|_| { pyo3::exceptions::PyValueError::new_err( "In XTS mode you must supply at least a full block in the first update call. For AES this is 16 bytes." @@ -182,7 +177,7 @@ impl CipherContext { && self .py_mode .bind(py) - .is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get_bound(py)?)? + .is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? { return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); } @@ -483,7 +478,7 @@ fn create_encryption_ctx( ) -> CryptographyResult { let ctx = CipherContext::new(py, algorithm, mode.clone(), openssl::symm::Mode::Encrypt)?; - if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get_bound(py)?)? { + if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? { Ok(PyAEADEncryptionContext { ctx: Some(ctx), tag: None, @@ -509,7 +504,7 @@ fn create_decryption_ctx( ) -> CryptographyResult { let mut ctx = CipherContext::new(py, algorithm, mode.clone(), openssl::symm::Mode::Decrypt)?; - if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get_bound(py)?)? { + if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? { if let Some(tag) = mode .getattr(pyo3::intern!(py, "tag"))? .extract::>()? diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index 599a1ee4bf27..0d9d9ec0fdf4 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs 
@@ -43,7 +43,7 @@ impl Cmac { ) -> CryptographyResult { let _ = backend; - if !algorithm.is_instance(&types::BLOCK_CIPHER_ALGORITHM.get_bound(py)?)? { + if !algorithm.is_instance(&types::BLOCK_CIPHER_ALGORITHM.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Expected instance of BlockCipherAlgorithm.", @@ -51,7 +51,7 @@ impl Cmac { )); } - let cipher = cipher_registry::get_cipher(py, algorithm.clone(), types::CBC.get_bound(py)?)? + let cipher = cipher_registry::get_cipher(py, algorithm.clone(), types::CBC.get(py)?)? .ok_or_else(|| { exceptions::UnsupportedAlgorithm::new_err(( "CMAC is not supported with this algorithm", diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 70a57d50b57b..008f0674a07b 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -229,7 +229,7 @@ impl DHPrivateKey { format: &pyo3::Bound<'p, pyo3::PyAny>, encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - if !format.is(&types::PRIVATE_FORMAT_PKCS8.get_bound(py)?) { + if !format.is(&types::PRIVATE_FORMAT_PKCS8.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "DH private keys support only PKCS8 serialization", @@ -263,7 +263,7 @@ impl DHPublicKey { encoding: &pyo3::Bound<'p, pyo3::PyAny>, format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - if !format.is(&types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get_bound(py)?) { + if !format.is(&types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "DH public keys support only SubjectPublicKeyInfo serialization", 
@@ -345,7 +345,7 @@ impl DHParameters { encoding: pyo3::Bound<'p, pyo3::PyAny>, format: pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - if !format.is(&types::PARAMETER_FORMAT_PKCS3.get_bound(py)?) { + if !format.is(&types::PARAMETER_FORMAT_PKCS3.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Only PKCS3 serialization is supported"), )); diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 41cd8e057d88..ccba52857621 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -32,9 +32,9 @@ fn curve_from_py_curve( py_curve: pyo3::Bound<'_, pyo3::PyAny>, allow_curve_class: bool, ) -> CryptographyResult { - if !py_curve.is_instance(&types::ELLIPTIC_CURVE.get_bound(py)?)? { + if !py_curve.is_instance(&types::ELLIPTIC_CURVE.get(py)?)? { if allow_curve_class { - let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_42.get(py)?; let warning_msg = "Curve argument must be an instance of an EllipticCurve class. Did you pass a class by mistake? This will be an exception in a future version of cryptography."; pyo3::PyErr::warn_bound(py, &warning_cls, warning_msg, 1)?; } else { @@ -102,7 +102,7 @@ fn py_curve_from_curve<'p>( let name = curve.curve_name().unwrap().short_name()?; types::CURVE_TYPES - .get_bound(py)? + .get(py)? .extract::>()? .get_item(name)? .ok_or_else(|| { @@ -231,7 +231,7 @@ impl ECPrivateKey { algorithm: pyo3::Bound<'_, pyo3::PyAny>, peer_public_key: &ECPublicKey, ) -> CryptographyResult> { - if !algorithm.is_instance(&types::ECDH.get_bound(py)?)? { + if !algorithm.is_instance(&types::ECDH.get(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "Unsupported EC exchange algorithm", 
@@ -270,7 +270,7 @@ impl ECPrivateKey {
 data: CffiBuf<'_>,
 signature_algorithm: pyo3::Bound<'_, pyo3::PyAny>,
 ) -> CryptographyResult> {
- if !signature_algorithm.is_instance(&types::ECDSA.get_bound(py)?)? {
+ if !signature_algorithm.is_instance(&types::ECDSA.get(py)?)? {
 return Err(CryptographyError::from(
 exceptions::UnsupportedAlgorithm::new_err((
 "Unsupported elliptic curve signature algorithm",
@@ -391,7 +391,7 @@ impl ECPublicKey {
 data: CffiBuf<'_>,
 signature_algorithm: pyo3::Bound<'_, pyo3::PyAny>,
 ) -> CryptographyResult<()> {
- if !signature_algorithm.is_instance(&types::ECDSA.get_bound(py)?)? {
+ if !signature_algorithm.is_instance(&types::ECDSA.get(py)?)? {
 return Err(CryptographyError::from(
 exceptions::UnsupportedAlgorithm::new_err((
 "Unsupported elliptic curve signature algorithm",
@@ -588,7 +588,7 @@ impl EllipticCurvePublicNumbers {
 ) -> CryptographyResult {
 if !curve
 .bind(py)
- .is_instance(&types::ELLIPTIC_CURVE.get_bound(py)?)?
+ .is_instance(&types::ELLIPTIC_CURVE.get(py)?)?
 {
 return Err(CryptographyError::from(
 pyo3::exceptions::PyTypeError::new_err(
diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs
index ac989024e849..bc2c42016de3 100644
--- a/src/rust/src/backend/hashes.rs
+++ b/src/rust/src/backend/hashes.rs
@@ -43,7 +43,7 @@ pub(crate) fn message_digest_from_algorithm(
 py: pyo3::Python<'_>,
 algorithm: &pyo3::Bound<'_, pyo3::PyAny>,
 ) -> CryptographyResult {
- if !algorithm.is_instance(&types::HASH_ALGORITHM.get_bound(py)?)? {
+ if !algorithm.is_instance(&types::HASH_ALGORITHM.get(py)?)? {
 return Err(CryptographyError::from(
 pyo3::exceptions::PyTypeError::new_err("Expected instance of hashes.HashAlgorithm."),
 ));
@@ -111,7 +111,7 @@ impl Hash { { let algorithm = self.algorithm.clone_ref(py); let algorithm = algorithm.bind(py); - if algorithm.is_instance(&types::EXTENDABLE_OUTPUT_FUNCTION.get_bound(py)?)? { + if algorithm.is_instance(&types::EXTENDABLE_OUTPUT_FUNCTION.get(py)?)? { let ctx = self.get_mut_ctx()?; let digest_size = algorithm .getattr(pyo3::intern!(py, "digest_size"))? diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index c1af3879eb98..0cff56d1efba 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -82,7 +82,7 @@ fn setup_encryption_ctx( ctx: &mut openssl::pkey_ctx::PkeyCtx, padding: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult<()> { - if !padding.is_instance(&types::ASYMMETRIC_PADDING.get_bound(py)?)? { + if !padding.is_instance(&types::ASYMMETRIC_PADDING.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Padding must be an instance of AsymmetricPadding.", @@ -90,12 +90,12 @@ fn setup_encryption_ctx( )); } - let padding_enum = if padding.is_instance(&types::PKCS1V15.get_bound(py)?)? { + let padding_enum = if padding.is_instance(&types::PKCS1V15.get(py)?)? { openssl::rsa::Padding::PKCS1 - } else if padding.is_instance(&types::OAEP.get_bound(py)?)? { + } else if padding.is_instance(&types::OAEP.get(py)?)? { if !padding .getattr(pyo3::intern!(py, "_mgf"))? - .is_instance(&types::MGF1.get_bound(py)?)? + .is_instance(&types::MGF1.get(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( @@ -165,7 +165,7 @@ fn setup_signature_ctx( key_size: usize, is_signing: bool, ) -> CryptographyResult<()> { - if !padding.is_instance(&types::ASYMMETRIC_PADDING.get_bound(py)?)? { + if !padding.is_instance(&types::ASYMMETRIC_PADDING.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Padding must be an instance of AsymmetricPadding.", 
@@ -173,12 +173,12 @@ fn setup_signature_ctx( )); } - let padding_enum = if padding.is_instance(&types::PKCS1V15.get_bound(py)?)? { + let padding_enum = if padding.is_instance(&types::PKCS1V15.get(py)?)? { openssl::rsa::Padding::PKCS1 - } else if padding.is_instance(&types::PSS.get_bound(py)?)? { + } else if padding.is_instance(&types::PSS.get(py)?)? { if !padding .getattr(pyo3::intern!(py, "_mgf"))? - .is_instance(&types::MGF1.get_bound(py)?)? + .is_instance(&types::MGF1.get(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( @@ -189,7 +189,7 @@ fn setup_signature_ctx( } // PSS padding requires a hash algorithm - if !algorithm.is_instance(&types::HASH_ALGORITHM.get_bound(py)?)? { + if !algorithm.is_instance(&types::HASH_ALGORITHM.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Expected instance of hashes.HashAlgorithm.", @@ -250,11 +250,11 @@ fn setup_signature_ctx( if padding_enum == openssl::rsa::Padding::PKCS1_PSS { let salt = padding.getattr(pyo3::intern!(py, "_salt_length"))?; - if salt.is_instance(&types::PADDING_MAX_LENGTH.get_bound(py)?)? { + if salt.is_instance(&types::PADDING_MAX_LENGTH.get(py)?)? { ctx.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::MAXIMUM_LENGTH)?; - } else if salt.is_instance(&types::PADDING_DIGEST_LENGTH.get_bound(py)?)? { + } else if salt.is_instance(&types::PADDING_DIGEST_LENGTH.get(py)?)? { ctx.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::DIGEST_LENGTH)?; - } else if salt.is_instance(&types::PADDING_AUTO.get_bound(py)?)? { + } else if salt.is_instance(&types::PADDING_AUTO.get(py)?)? { if is_signing { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( 
@@ -472,7 +472,7 @@ impl RsaPublicKey {
 padding: &pyo3::Bound<'_, pyo3::PyAny>,
 algorithm: &pyo3::Bound<'_, pyo3::PyAny>,
 ) -> CryptographyResult> {
- if algorithm.is_instance(&types::PREHASHED.get_bound(py)?)? {
+ if algorithm.is_instance(&types::PREHASHED.get(py)?)? {
 return Err(CryptographyError::from(
 pyo3::exceptions::PyTypeError::new_err(
 "Prehashed is only supported in the sign and verify methods. It cannot be used with recover_data_from_signature.",
diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs
index 2acd1aa43f9f..a583a71f196d 100644
--- a/src/rust/src/backend/utils.rs
+++ b/src/rust/src/backend/utils.rs
@@ -52,21 +52,21 @@ pub(crate) fn pkey_private_bytes<'p>(
 openssh_allowed: bool,
 raw_allowed: bool,
 ) -> CryptographyResult> {
- if !encoding.is_instance(&types::ENCODING.get_bound(py)?)? {
+ if !encoding.is_instance(&types::ENCODING.get(py)?)? {
 return Err(CryptographyError::from(
 pyo3::exceptions::PyTypeError::new_err(
 "encoding must be an item from the Encoding enum",
 ),
 ));
 }
- if !format.is_instance(&types::PRIVATE_FORMAT.get_bound(py)?)? {
+ if !format.is_instance(&types::PRIVATE_FORMAT.get(py)?)? {
 return Err(CryptographyError::from(
 pyo3::exceptions::PyTypeError::new_err(
 "format must be an item from the PrivateFormat enum",
 ),
 ));
 }
- if !encryption_algorithm.is_instance(&types::KEY_SERIALIZATION_ENCRYPTION.get_bound(py)?)? {
+ if !encryption_algorithm.is_instance(&types::KEY_SERIALIZATION_ENCRYPTION.get(py)?)? {
 return Err(CryptographyError::from(
 pyo3::exceptions::PyTypeError::new_err(
 "Encryption algorithm must be a KeySerializationEncryption instance",
@@ -75,12 +75,12 @@ pub(crate) fn pkey_private_bytes<'p>( } if raw_allowed - && (encoding.is(&types::ENCODING_RAW.get_bound(py)?) - || format.is(&types::PRIVATE_FORMAT_RAW.get_bound(py)?)) + && (encoding.is(&types::ENCODING_RAW.get(py)?) + || format.is(&types::PRIVATE_FORMAT_RAW.get(py)?)) { - if !encoding.is(&types::ENCODING_RAW.get_bound(py)?) - || !format.is(&types::PRIVATE_FORMAT_RAW.get_bound(py)?) - || !encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get_bound(py)?)? + if !encoding.is(&types::ENCODING_RAW.get(py)?) + || !format.is(&types::PRIVATE_FORMAT_RAW.get(py)?) + || !encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get(py)?)? { return Err(CryptographyError::from(pyo3::exceptions::PyValueError::new_err( "When using Raw both encoding and format must be Raw and encryption_algorithm must be NoEncryption()" @@ -91,10 +91,10 @@ pub(crate) fn pkey_private_bytes<'p>( } let py_password; - let password = if encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get_bound(py)?)? { + let password = if encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get(py)?)? { b"" as &[u8] - } else if encryption_algorithm.is_instance(&types::BEST_AVAILABLE_ENCRYPTION.get_bound(py)?)? - || (encryption_algorithm.is_instance(&types::ENCRYPTION_BUILDER.get_bound(py)?)? + } else if encryption_algorithm.is_instance(&types::BEST_AVAILABLE_ENCRYPTION.get(py)?)? + || (encryption_algorithm.is_instance(&types::ENCRYPTION_BUILDER.get(py)?)? && encryption_algorithm .getattr(pyo3::intern!(py, "_format"))? .is(format)) @@ -117,8 +117,8 @@ pub(crate) fn pkey_private_bytes<'p>( )); } - if format.is(&types::PRIVATE_FORMAT_PKCS8.get_bound(py)?) { - if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + if format.is(&types::PRIVATE_FORMAT_PKCS8.get(py)?) { + if encoding.is(&types::ENCODING_PEM.get(py)?) { let pem_bytes = if password.is_empty() { pkey.private_key_to_pem_pkcs8()? } else { 
@@ -128,7 +128,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { + } else if encoding.is(&types::ENCODING_DER.get(py)?) { let der_bytes = if password.is_empty() { pkey.private_key_to_pkcs8()? } else { @@ -144,9 +144,9 @@ pub(crate) fn pkey_private_bytes<'p>( )); } - if format.is(&types::PRIVATE_FORMAT_TRADITIONAL_OPENSSL.get_bound(py)?) { + if format.is(&types::PRIVATE_FORMAT_TRADITIONAL_OPENSSL.get(py)?) { if let Ok(rsa) = pkey.rsa() { - if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + if encoding.is(&types::ENCODING_PEM.get(py)?) { let pem_bytes = if password.is_empty() { rsa.private_key_to_pem()? } else { @@ -156,7 +156,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { + } else if encoding.is(&types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -169,7 +169,7 @@ pub(crate) fn pkey_private_bytes<'p>( return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } } else if let Ok(dsa) = pkey.dsa() { - if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + if encoding.is(&types::ENCODING_PEM.get(py)?) { let pem_bytes = if password.is_empty() { dsa.private_key_to_pem()? } else { @@ -179,7 +179,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { + } else if encoding.is(&types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( 
@@ -192,7 +192,7 @@ pub(crate) fn pkey_private_bytes<'p>( return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } } else if let Ok(ec) = pkey.ec_key() { - if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + if encoding.is(&types::ENCODING_PEM.get(py)?) { let pem_bytes = if password.is_empty() { ec.private_key_to_pem()? } else { @@ -202,7 +202,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { + } else if encoding.is(&types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -218,10 +218,10 @@ pub(crate) fn pkey_private_bytes<'p>( } // OpenSSH + PEM - if openssh_allowed && format.is(&types::PRIVATE_FORMAT_OPENSSH.get_bound(py)?) { - if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + if openssh_allowed && format.is(&types::PRIVATE_FORMAT_OPENSSH.get(py)?) { + if encoding.is(&types::ENCODING_PEM.get(py)?) { return Ok(types::SERIALIZE_SSH_PRIVATE_KEY - .get_bound(py)? + .get(py)? .call1((key_obj, password, encryption_algorithm))? .extract()?); } @@ -247,14 +247,14 @@ pub(crate) fn pkey_public_bytes<'p>( openssh_allowed: bool, raw_allowed: bool, ) -> CryptographyResult> { - if !encoding.is_instance(&types::ENCODING.get_bound(py)?)? { + if !encoding.is_instance(&types::ENCODING.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "encoding must be an item from the Encoding enum", ), )); } - if !format.is_instance(&types::PUBLIC_FORMAT.get_bound(py)?)? { + if !format.is_instance(&types::PUBLIC_FORMAT.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "format must be an item from the PublicFormat enum", 
@@ -263,11 +263,11 @@ pub(crate) fn pkey_public_bytes<'p>( } if raw_allowed - && (encoding.is(&types::ENCODING_RAW.get_bound(py)?) - || format.is(&types::PUBLIC_FORMAT_RAW.get_bound(py)?)) + && (encoding.is(&types::ENCODING_RAW.get(py)?) + || format.is(&types::PUBLIC_FORMAT_RAW.get(py)?)) { - if !encoding.is(&types::ENCODING_RAW.get_bound(py)?) - || !format.is(&types::PUBLIC_FORMAT_RAW.get_bound(py)?) + if !encoding.is(&types::ENCODING_RAW.get(py)?) + || !format.is(&types::PUBLIC_FORMAT_RAW.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -280,11 +280,11 @@ pub(crate) fn pkey_public_bytes<'p>( } // SubjectPublicKeyInfo + PEM/DER - if format.is(&types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get_bound(py)?) { - if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + if format.is(&types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?) { + if encoding.is(&types::ENCODING_PEM.get(py)?) { let pem_bytes = pkey.public_key_to_pem()?; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { + } else if encoding.is(&types::ENCODING_DER.get(py)?) { let der_bytes = pkey.public_key_to_der()?; return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } @@ -296,10 +296,10 @@ pub(crate) fn pkey_public_bytes<'p>( } if let Ok(ec) = pkey.ec_key() { - if encoding.is(&types::ENCODING_X962.get_bound(py)?) { - let point_form = if format.is(&types::PUBLIC_FORMAT_UNCOMPRESSED_POINT.get_bound(py)?) { + if encoding.is(&types::ENCODING_X962.get(py)?) { + let point_form = if format.is(&types::PUBLIC_FORMAT_UNCOMPRESSED_POINT.get(py)?) { openssl::ec::PointConversionForm::UNCOMPRESSED - } else if format.is(&types::PUBLIC_FORMAT_COMPRESSED_POINT.get_bound(py)?) { + } else if format.is(&types::PUBLIC_FORMAT_COMPRESSED_POINT.get(py)?) { openssl::ec::PointConversionForm::COMPRESSED } else { return Err(CryptographyError::from( 
@@ -317,11 +317,11 @@ pub(crate) fn pkey_public_bytes<'p>( } if let Ok(rsa) = pkey.rsa() { - if format.is(&types::PUBLIC_FORMAT_PKCS1.get_bound(py)?) { - if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + if format.is(&types::PUBLIC_FORMAT_PKCS1.get(py)?) { + if encoding.is(&types::ENCODING_PEM.get(py)?) { let pem_bytes = rsa.public_key_to_pem_pkcs1()?; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { + } else if encoding.is(&types::ENCODING_DER.get(py)?) { let der_bytes = rsa.public_key_to_der_pkcs1()?; return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } @@ -334,10 +334,10 @@ pub(crate) fn pkey_public_bytes<'p>( } // OpenSSH + OpenSSH - if openssh_allowed && format.is(&types::PUBLIC_FORMAT_OPENSSH.get_bound(py)?) { - if encoding.is(&types::ENCODING_OPENSSH.get_bound(py)?) { + if openssh_allowed && format.is(&types::PUBLIC_FORMAT_OPENSSH.get(py)?) { + if encoding.is(&types::ENCODING_OPENSSH.get(py)?) { return Ok(types::SERIALIZE_SSH_PUBLIC_KEY - .get_bound(py)? + .get(py)? .call1((key_obj,))? .extract()?); } @@ -360,7 +360,7 @@ pub(crate) fn calculate_digest_and_algorithm<'p>( algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult<(&'p [u8], pyo3::Bound<'p, pyo3::PyAny>)> { let mut algorithm_result = algorithm.clone(); - if algorithm.is_instance(&types::PREHASHED.get_bound(py)?)? { + if algorithm.is_instance(&types::PREHASHED.get(py)?)? { algorithm_result = algorithm.getattr("_algorithm")?; } else { // Potential optimization: rather than allocate a PyBytes in diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index e71086da87ea..e07793257496 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs 
@@ -21,13 +21,13 @@ fn _extract_buffer_length<'p>( let bufobj = if mutable { let kwargs = [(pyo3::intern!(py, "require_writable"), true)].into_py_dict_bound(py); types::FFI_FROM_BUFFER - .get_bound(py)? + .get(py)? .call((pyobj,), Some(&kwargs))? } else { - types::FFI_FROM_BUFFER.get_bound(py)?.call1((pyobj,))? + types::FFI_FROM_BUFFER.get(py)?.call1((pyobj,))? }; let ptrval = types::FFI_CAST - .get_bound(py)? + .get(py)? .call1((pyo3::intern!(py, "uintptr_t"), bufobj.clone()))? .call_method0(pyo3::intern!(py, "__int__"))? .extract::()?; diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index 5735ef0ce704..075b7fb9adbe 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs @@ -33,7 +33,7 @@ impl ObjectIdentifier { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { types::OID_NAMES - .get_bound(py)? + .get(py)? .call_method1(pyo3::intern!(py, "get"), (slf, "Unknown OID")) } diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 3fc765017710..225b929864e4 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -305,11 +305,9 @@ fn load_pkcs12<'p>( } } - Ok(types::PKCS12KEYANDCERTIFICATES.get_bound(py)?.call1(( - private_key, - cert, - additional_certs, - ))?) + Ok(types::PKCS12KEYANDCERTIFICATES + .get(py)? + .call1((private_key, cert, additional_certs))?) } pub(crate) fn create_submodule( diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index d59f6e5edc80..8442587b407f 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs 
@@ -87,9 +87,9 @@ fn sign_and_serialize<'p>( options: &pyo3::Bound<'p, pyo3::types::PyList>, ) -> CryptographyResult> { let raw_data: CffiBuf<'p> = builder.getattr(pyo3::intern!(py, "_data"))?.extract()?; - let text_mode = options.contains(types::PKCS7_TEXT.get_bound(py)?)?; + let text_mode = options.contains(types::PKCS7_TEXT.get(py)?)?; let (data_with_header, data_without_header) = - if options.contains(types::PKCS7_BINARY.get_bound(py)?)? { + if options.contains(types::PKCS7_BINARY.get(py)?)? { ( Cow::Borrowed(raw_data.as_bytes()), Cow::Borrowed(raw_data.as_bytes()), @@ -132,7 +132,7 @@ fn sign_and_serialize<'p>( let ka = cryptography_keepalive::KeepAlive::new(); for (cert, py_private_key, py_hash_alg, rsa_padding) in py_signers.iter() { let (authenticated_attrs, signature) = - if options.contains(&types::PKCS7_NO_ATTRIBUTES.get_bound(py)?)? { + if options.contains(&types::PKCS7_NO_ATTRIBUTES.get(py)?)? { ( None, x509::sign::sign_data( @@ -171,7 +171,7 @@ fn sign_and_serialize<'p>( ])), }); - if !options.contains(types::PKCS7_NO_CAPABILITIES.get_bound(py)?)? { + if !options.contains(types::PKCS7_NO_CAPABILITIES.get(py)?)? { authenticated_attrs.push(Attribute { type_id: PKCS7_SMIME_CAP_OID, values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new( @@ -227,7 +227,7 @@ fn sign_and_serialize<'p>( } let data_tlv_bytes; - let content = if options.contains(types::PKCS7_DETACHED_SIGNATURE.get_bound(py)?)? { + let content = if options.contains(types::PKCS7_DETACHED_SIGNATURE.get(py)?)? { None } else { data_tlv_bytes = asn1::write_single(&data_with_header.deref())?; @@ -241,7 +241,7 @@ fn sign_and_serialize<'p>( _content_type: asn1::DefinedByMarker::marker(), content: pkcs7::Content::Data(content.map(asn1::Explicit::new)), }, - certificates: if options.contains(types::PKCS7_NO_CERTS.get_bound(py)?)? { + certificates: if options.contains(types::PKCS7_NO_CERTS.get(py)?)? { None } else { Some(asn1::SetOfWriter::new(&certs)) 
@@ -256,14 +256,14 @@ fn sign_and_serialize<'p>( }; let ci_bytes = asn1::write_single(&content_info)?; - if encoding.is(&types::ENCODING_SMIME.get_bound(py)?) { + if encoding.is(&types::ENCODING_SMIME.get(py)?) { let mic_algs = digest_algs .iter() .map(|d| OIDS_TO_MIC_NAME[&d.oid()]) .collect::>() .join(","); Ok(types::SMIME_ENCODE - .get_bound(py)? + .get(py)? .call1((&*data_without_header, &*ci_bytes, mic_algs, text_mode))? .extract()?) } else { @@ -279,7 +279,7 @@ fn compute_pkcs7_signature_algorithm<'p>( rsa_padding: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult> { let key_type = x509::sign::identify_key_type(py, private_key.clone())?; - let has_pss_padding = rsa_padding.is_instance(&types::PSS.get_bound(py)?)?; + let has_pss_padding = rsa_padding.is_instance(&types::PSS.get(py)?)?; // For RSA signatures (with no PSS padding), the OID is always the same no matter the // digest algorithm. See RFC 3370 (section 3.2). if key_type == x509::sign::KeyType::Rsa && !has_pss_padding { diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index df6102f187a2..d60c50ea6960 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -19,10 +19,7 @@ impl LazyPyImport { } } - pub fn get_bound<'p>( - &'p self, - py: pyo3::Python<'p>, - ) -> pyo3::PyResult> { + pub fn get<'p>(&'p self, py: pyo3::Python<'p>) -> pyo3::PyResult> { let p = self.value.get_or_try_init(py, || { let mut obj = py.import_bound(self.module)?.into_any(); for name in self.names { @@ -563,7 +560,7 @@ mod tests { let v = LazyPyImport::new("foo", &["bar"]); pyo3::Python::with_gil(|py| { - assert!(v.get_bound(py).is_err()); + assert!(v.get(py).is_err()); }); } } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index ef65139d7229..30be711a7760 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs 
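Review bot: In the `ENCODING_SMIME` branch of `sign_and_serialize`, `OIDS_TO_MIC_NAME[&d.oid()]` indexes the table directly, so a digest OID without an entry would panic instead of surfacing as a `CryptographyError`. Whether every element of `digest_algs` is guaranteed to have an entry is decided outside this hunk. If it is guaranteed, a one-line comment stating that invariant next to the lookup would help; if not, a checked lookup via `OIDS_TO_MIC_NAME.get(&d.oid())` mapped to an error is the safer form. The function starts before and continues after the hunk.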
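Review bot: The renamed `LazyPyImport::get` has no doc comment, and with the shorter name it reads like a plain accessor even though the visible body imports `self.module` and walks `self.names` inside `get_or_try_init`. I would add something like `/// Imports the module and resolves the attribute path on first use, reusing the stored value afterwards; returns the Python error if that fails.` The rest of the body is outside the hunk, so the wording about the attribute lookup should be checked against it.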
@@ -200,7 +200,7 @@ impl Certificate { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { - let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_42.get(py)?; pyo3::PyErr::warn_bound( py, &warning_cls, @@ -237,7 +237,7 @@ impl Certificate { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { - let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_42.get(py)?; pyo3::PyErr::warn_bound( py, &warning_cls, @@ -305,14 +305,14 @@ impl Certificate { |ext| match ext.extn_id { oid::PRECERT_POISON_OID => { ext.value::<()>()?; - Ok(Some(types::PRECERT_POISON.get_bound(py)?.call0()?)) + Ok(Some(types::PRECERT_POISON.get(py)?.call0()?)) } oid::PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS_OID => { let contents = ext.value::<&[u8]>()?; let scts = sct::parse_scts(py, contents, sct::LogEntryType::PreCertificate)?; Ok(Some( types::PRECERTIFICATE_SIGNED_CERTIFICATE_TIMESTAMPS - .get_bound(py)? + .get(py)? .call1((scts,))?, )) } @@ -353,8 +353,8 @@ fn cert_version( version: u8, ) -> Result, CryptographyError> { match version { - 0 => Ok(types::CERTIFICATE_VERSION_V1.get_bound(py)?), - 2 => Ok(types::CERTIFICATE_VERSION_V3.get_bound(py)?), + 0 => Ok(types::CERTIFICATE_VERSION_V1.get(py)?), + 2 => Ok(types::CERTIFICATE_VERSION_V3.get(py)?), _ => Err(CryptographyError::from( exceptions::InvalidVersion::new_err(( format!("{version} is not a valid X509 version"), @@ -441,7 +441,7 @@ pub(crate) fn load_der_x509_certificate( fn warn_if_negative_serial(py: pyo3::Python<'_>, bytes: &'_ [u8]) -> pyo3::PyResult<()> { if bytes[0] & 0x80 != 0 { - let warning_cls = types::DEPRECATED_IN_36.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_36.get(py)?; pyo3::PyErr::warn_bound( py, &warning_cls, 
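Review bot: `warn_if_negative_serial` reads `bytes[0]` without checking that the slice is non-empty, so an empty input would panic rather than return through the `PyResult`. The callers are outside this hunk; if the slice always comes from an already-parsed DER INTEGER it is presumably never empty, but the function itself does not say so. Either document that precondition above the function or make the test total with `if matches!(bytes.first(), Some(b) if b & 0x80 != 0) {`. The function body continues past the hunk.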
@@ -465,7 +465,7 @@ fn warn_if_invalid_params( | AlgorithmParameters::DsaWithSha256(Some(..)) | AlgorithmParameters::DsaWithSha384(Some(..)) | AlgorithmParameters::DsaWithSha512(Some(..)) => { - let warning_cls = types::DEPRECATED_IN_41.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_41.get(py)?; pyo3::PyErr::warn_bound( py, &warning_cls, @@ -491,7 +491,7 @@ fn parse_display_text( } DisplayText::VisibleString(o) => { if asn1::VisibleString::new(o.as_str()).is_none() { - let warning_cls = types::DEPRECATED_IN_41.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_41.get(py)?; pyo3::PyErr::warn_bound( py, &warning_cls, @@ -530,16 +530,13 @@ fn parse_user_notice( numbers.append(big_byte_slice_to_py_int(py, num.as_bytes())?.to_object(py))?; } types::NOTICE_REFERENCE - .get_bound(py)? + .get(py)? .call1((org, numbers))? .to_object(py) } None => py.None(), }; - Ok(types::USER_NOTICE - .get_bound(py)? - .call1((nr, et))? - .to_object(py)) + Ok(types::USER_NOTICE.get(py)?.call1((nr, et))?.to_object(py)) } fn parse_policy_qualifiers<'a>( @@ -591,7 +588,7 @@ fn parse_cp( None => py.None(), }; let pi = types::POLICY_INFORMATION - .get_bound(py)? + .get(py)? .call1((pi_oid, py_pqis))? .to_object(py); certificate_policies.append(pi)?; @@ -640,7 +637,7 @@ fn parse_distribution_point( None => py.None(), }; Ok(types::DISTRIBUTION_POINT - .get_bound(py)? + .get(py)? .call1((full_name, relative_name, reasons, crl_issuer))? .to_object(py)) } @@ -662,7 +659,7 @@ pub(crate) fn parse_distribution_point_reasons( py: pyo3::Python<'_>, reasons: Option<&asn1::BitString<'_>>, ) -> Result { - let reason_bit_mapping = types::REASON_BIT_MAPPING.get_bound(py)?; + let reason_bit_mapping = types::REASON_BIT_MAPPING.get(py)?; Ok(match reasons { Some(bs) => { 
@@ -682,7 +679,7 @@ pub(crate) fn encode_distribution_point_reasons( py: pyo3::Python<'_>, py_reasons: &pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { - let reason_flag_mapping = types::CRL_REASON_FLAGS.get_bound(py)?; + let reason_flag_mapping = types::CRL_REASON_FLAGS.get(py)?; let mut bits = vec![0, 0]; for py_reason in py_reasons.iter()? { @@ -711,11 +708,9 @@ pub(crate) fn parse_authority_key_identifier<'p>( Some(aci) => x509::parse_general_names(py, aci.unwrap_read())?, None => py.None(), }; - Ok(types::AUTHORITY_KEY_IDENTIFIER.get_bound(py)?.call1(( - aki.key_identifier, - issuer, - serial, - ))?) + Ok(types::AUTHORITY_KEY_IDENTIFIER + .get(py)? + .call1((aki.key_identifier, issuer, serial))?) } pub(crate) fn parse_access_descriptions( @@ -728,7 +723,7 @@ pub(crate) fn parse_access_descriptions( let py_oid = oid_to_py_oid(py, &access.access_method)?.to_object(py); let gn = x509::parse_general_name(py, access.access_location)?; let ad = types::ACCESS_DESCRIPTION - .get_bound(py)? + .get(py)? .call1((py_oid, gn))? .to_object(py); ads.append(ad)?; 
@@ -745,35 +740,31 @@ pub fn parse_cert_ext<'p>( let gn_seq = ext.value::>()?; let sans = x509::parse_general_names(py, &gn_seq)?; Ok(Some( - types::SUBJECT_ALTERNATIVE_NAME - .get_bound(py)? - .call1((sans,))?, + types::SUBJECT_ALTERNATIVE_NAME.get(py)?.call1((sans,))?, )) } oid::ISSUER_ALTERNATIVE_NAME_OID => { let gn_seq = ext.value::>()?; let ians = x509::parse_general_names(py, &gn_seq)?; Ok(Some( - types::ISSUER_ALTERNATIVE_NAME - .get_bound(py)? - .call1((ians,))?, + types::ISSUER_ALTERNATIVE_NAME.get(py)?.call1((ians,))?, )) } oid::TLS_FEATURE_OID => { - let tls_feature_type_to_enum = types::TLS_FEATURE_TYPE_TO_ENUM.get_bound(py)?; + let tls_feature_type_to_enum = types::TLS_FEATURE_TYPE_TO_ENUM.get(py)?; let features = pyo3::types::PyList::empty_bound(py); for feature in ext.value::>()? { let py_feature = tls_feature_type_to_enum.get_item(feature.to_object(py))?; features.append(py_feature)?; } - Ok(Some(types::TLS_FEATURE.get_bound(py)?.call1((features,))?)) + Ok(Some(types::TLS_FEATURE.get(py)?.call1((features,))?)) } oid::SUBJECT_KEY_IDENTIFIER_OID => { let identifier = ext.value::<&[u8]>()?; Ok(Some( types::SUBJECT_KEY_IDENTIFIER - .get_bound(py)? + .get(py)? .call1((identifier,))?, )) } @@ -783,14 +774,12 @@ pub fn parse_cert_ext<'p>( let oid_obj = oid_to_py_oid(py, &oid)?; ekus.append(oid_obj)?; } - Ok(Some( - types::EXTENDED_KEY_USAGE.get_bound(py)?.call1((ekus,))?, - )) + Ok(Some(types::EXTENDED_KEY_USAGE.get(py)?.call1((ekus,))?)) } oid::KEY_USAGE_OID => { let kus = ext.value::>()?; - Ok(Some(types::KEY_USAGE.get_bound(py)?.call1(( + Ok(Some(types::KEY_USAGE.get(py)?.call1(( kus.digital_signature(), kus.content_comitment(), kus.key_encipherment(), 
@@ -805,61 +794,51 @@ pub fn parse_cert_ext<'p>( oid::AUTHORITY_INFORMATION_ACCESS_OID => { let ads = parse_access_descriptions(py, ext)?; Ok(Some( - types::AUTHORITY_INFORMATION_ACCESS - .get_bound(py)? - .call1((ads,))?, + types::AUTHORITY_INFORMATION_ACCESS.get(py)?.call1((ads,))?, )) } oid::SUBJECT_INFORMATION_ACCESS_OID => { let ads = parse_access_descriptions(py, ext)?; Ok(Some( - types::SUBJECT_INFORMATION_ACCESS - .get_bound(py)? - .call1((ads,))?, + types::SUBJECT_INFORMATION_ACCESS.get(py)?.call1((ads,))?, )) } oid::CERTIFICATE_POLICIES_OID => { let cp = parse_cp(py, ext)?; - Ok(Some( - types::CERTIFICATE_POLICIES.get_bound(py)?.call1((cp,))?, - )) + Ok(Some(types::CERTIFICATE_POLICIES.get(py)?.call1((cp,))?)) } oid::POLICY_CONSTRAINTS_OID => { let pc = ext.value::()?; - Ok(Some(types::POLICY_CONSTRAINTS.get_bound(py)?.call1(( + Ok(Some(types::POLICY_CONSTRAINTS.get(py)?.call1(( pc.require_explicit_policy, pc.inhibit_policy_mapping, ))?)) } oid::OCSP_NO_CHECK_OID => { ext.value::<()>()?; - Ok(Some(types::OCSP_NO_CHECK.get_bound(py)?.call0()?)) + Ok(Some(types::OCSP_NO_CHECK.get(py)?.call0()?)) } oid::INHIBIT_ANY_POLICY_OID => { let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; - Ok(Some( - types::INHIBIT_ANY_POLICY.get_bound(py)?.call1((pynum,))?, - )) + Ok(Some(types::INHIBIT_ANY_POLICY.get(py)?.call1((pynum,))?)) } oid::BASIC_CONSTRAINTS_OID => { let bc = ext.value::()?; Ok(Some( types::BASIC_CONSTRAINTS - .get_bound(py)? + .get(py)? 
.call1((bc.ca, bc.path_length))?, )) } oid::AUTHORITY_KEY_IDENTIFIER_OID => Ok(Some(parse_authority_key_identifier(py, ext)?)), oid::CRL_DISTRIBUTION_POINTS_OID => { let dp = parse_distribution_points(py, ext)?; - Ok(Some( - types::CRL_DISTRIBUTION_POINTS.get_bound(py)?.call1((dp,))?, - )) + Ok(Some(types::CRL_DISTRIBUTION_POINTS.get(py)?.call1((dp,))?)) } oid::FRESHEST_CRL_OID => { let dp = parse_distribution_points(py, ext)?; - Ok(Some(types::FRESHEST_CRL.get_bound(py)?.call1((dp,))?)) + Ok(Some(types::FRESHEST_CRL.get(py)?.call1((dp,))?)) } oid::NAME_CONSTRAINTS_OID => { let nc = ext.value::>()?; @@ -873,16 +852,18 @@ pub fn parse_cert_ext<'p>( }; Ok(Some( types::NAME_CONSTRAINTS - .get_bound(py)? + .get(py)? .call1((permitted_subtrees, excluded_subtrees))?, )) } oid::MS_CERTIFICATE_TEMPLATE => { let ms_cert_tpl = ext.value::()?; let py_oid = oid_to_py_oid(py, &ms_cert_tpl.template_id)?; - Ok(Some(types::MS_CERTIFICATE_TEMPLATE.get_bound(py)?.call1( - (py_oid, ms_cert_tpl.major_version, ms_cert_tpl.minor_version), - )?)) + Ok(Some(types::MS_CERTIFICATE_TEMPLATE.get(py)?.call1(( + py_oid, + ms_cert_tpl.major_version, + ms_cert_tpl.minor_version, + ))?)) } _ => Ok(None), } @@ -921,8 +902,8 @@ fn create_x509_certificate( rsa_padding.clone(), )?; - let der = types::ENCODING_DER.get_bound(py)?; - let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get_bound(py)?; + let der = types::ENCODING_DER.get(py)?; + let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?; let spki_bytes = builder .getattr(pyo3::intern!(py, "_public_key"))? .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))? diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 2215c2425915..6b115e81a1e6 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs 
@@ -59,10 +59,10 @@ pub(crate) fn encode_name_entry<'p>( let tag = attr_type .getattr(pyo3::intern!(py, "value"))? .extract::()?; - let value: &[u8] = if !attr_type.is(&types::ASN1_TYPE_BIT_STRING.get_bound(py)?) { - let encoding = if attr_type.is(&types::ASN1_TYPE_BMP_STRING.get_bound(py)?) { + let value: &[u8] = if !attr_type.is(&types::ASN1_TYPE_BIT_STRING.get(py)?) { + let encoding = if attr_type.is(&types::ASN1_TYPE_BMP_STRING.get(py)?) { "utf_16_be" - } else if attr_type.is(&types::ASN1_TYPE_UNIVERSAL_STRING.get_bound(py)?) { + } else if attr_type.is(&types::ASN1_TYPE_UNIVERSAL_STRING.get(py)?) { "utf_32_be" } else { "utf8" @@ -114,18 +114,18 @@ pub(crate) fn encode_general_name<'a>( let gn_type = gn.get_type(); let gn_value = gn.getattr(pyo3::intern!(py, "value"))?; - if gn_type.is(&types::DNS_NAME.get_bound(py)?) { + if gn_type.is(&types::DNS_NAME.get(py)?) { Ok(GeneralName::DNSName(UnvalidatedIA5String( gn_value.extract::<&str>()?, ))) - } else if gn_type.is(&types::RFC822_NAME.get_bound(py)?) { + } else if gn_type.is(&types::RFC822_NAME.get(py)?) { Ok(GeneralName::RFC822Name(UnvalidatedIA5String( gn_value.extract::<&str>()?, ))) - } else if gn_type.is(&types::DIRECTORY_NAME.get_bound(py)?) { + } else if gn_type.is(&types::DIRECTORY_NAME.get(py)?) { let name = encode_name(py, &gn_value)?; Ok(GeneralName::DirectoryName(name)) - } else if gn_type.is(&types::OTHER_NAME.get_bound(py)?) { + } else if gn_type.is(&types::OTHER_NAME.get(py)?) { let py_oid = gn.getattr(pyo3::intern!(py, "type_id"))?; Ok(GeneralName::OtherName(OtherName { type_id: py_oid_to_oid(py_oid)?, 
@@ -135,16 +135,16 @@ pub(crate) fn encode_general_name<'a>( )) })?, })) - } else if gn_type.is(&types::UNIFORM_RESOURCE_IDENTIFIER.get_bound(py)?) { + } else if gn_type.is(&types::UNIFORM_RESOURCE_IDENTIFIER.get(py)?) { Ok(GeneralName::UniformResourceIdentifier( UnvalidatedIA5String(gn_value.extract::<&str>()?), )) - } else if gn_type.is(&types::IP_ADDRESS.get_bound(py)?) { + } else if gn_type.is(&types::IP_ADDRESS.get(py)?) { Ok(GeneralName::IPAddress( gn.call_method0(pyo3::intern!(py, "_packed"))? .extract::<&[u8]>()?, )) - } else if gn_type.is(&types::REGISTERED_ID.get_bound(py)?) { + } else if gn_type.is(&types::REGISTERED_ID.get(py)?) { let oid = py_oid_to_oid(gn_value)?; Ok(GeneralName::RegisteredID(oid)) } else { @@ -182,7 +182,7 @@ pub(crate) fn parse_name<'p>( let py_rdn = parse_rdn(py, &rdn)?; py_rdns.append(py_rdn)?; } - Ok(types::NAME.get_bound(py)?.call1((py_rdns,))?) + Ok(types::NAME.get(py)?.call1((py_rdns,))?) } fn parse_name_attribute( @@ -200,7 +200,7 @@ fn parse_name_attribute( )) })? .to_object(py); - let py_tag = types::ASN1_TYPE_TO_ENUM.get_bound(py)?.get_item(tag_val)?; + let py_tag = types::ASN1_TYPE_TO_ENUM.get(py)?.get_item(tag_val)?; let py_data = match attribute.value.tag().as_u8() { // BitString tag value Some(3) => pyo3::types::PyBytes::new_bound(py, attribute.value.data()).into_any(), @@ -222,7 +222,7 @@ fn parse_name_attribute( }; let kwargs = [(pyo3::intern!(py, "_validate"), false)].into_py_dict_bound(py); Ok(types::NAME_ATTRIBUTE - .get_bound(py)? + .get(py)? .call((oid, py_data, py_tag), Some(&kwargs))? .to_object(py)) } @@ -237,7 +237,7 @@ pub(crate) fn parse_rdn<'a>( py_attrs.append(na)?; } Ok(types::RELATIVE_DISTINGUISHED_NAME - .get_bound(py)? + .get(py)? .call1((py_attrs,))? .to_object(py)) } 
@@ -250,36 +250,33 @@ pub(crate) fn parse_general_name( GeneralName::OtherName(data) => { let oid = oid_to_py_oid(py, &data.type_id)?.to_object(py); types::OTHER_NAME - .get_bound(py)? + .get(py)? .call1((oid, data.value.full_data()))? .to_object(py) } GeneralName::RFC822Name(data) => types::RFC822_NAME - .get_bound(py)? + .get(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? .to_object(py), GeneralName::DNSName(data) => types::DNS_NAME - .get_bound(py)? + .get(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? .to_object(py), GeneralName::DirectoryName(data) => { let py_name = parse_name(py, data.unwrap_read())?; types::DIRECTORY_NAME - .get_bound(py)? + .get(py)? .call1((py_name,))? .to_object(py) } GeneralName::UniformResourceIdentifier(data) => types::UNIFORM_RESOURCE_IDENTIFIER - .get_bound(py)? + .get(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? .to_object(py), GeneralName::IPAddress(data) => { if data.len() == 4 || data.len() == 16 { - let addr = types::IPADDRESS_IPADDRESS.get_bound(py)?.call1((data,))?; - types::IP_ADDRESS - .get_bound(py)? - .call1((addr,))? - .to_object(py) + let addr = types::IPADDRESS_IPADDRESS.get(py)?.call1((data,))?; + types::IP_ADDRESS.get(py)?.call1((addr,))?.to_object(py) } else { // if it's not an IPv4 or IPv6 we assume it's an IPNetwork and // verify length in this function. @@ -288,10 +285,7 @@ pub(crate) fn parse_general_name( } GeneralName::RegisteredID(data) => { let oid = oid_to_py_oid(py, &data)?.to_object(py); - types::REGISTERED_ID - .get_bound(py)? - .call1((oid,))? - .to_object(py) + types::REGISTERED_ID.get(py)?.call1((oid,))?.to_object(py) } _ => { return Err(CryptographyError::from( @@ -334,7 +328,7 @@ fn create_ip_network( ))), }; let base = types::IPADDRESS_IPADDRESS - .get_bound(py)? + .get(py)? .call1((pyo3::types::PyBytes::new_bound(py, &data[..data.len() / 2]),))?; let net = format!( "{}/{}", 
@@ -342,11 +336,8 @@ fn create_ip_network( .extract::<&str>()?, prefix? ); - let addr = types::IPADDRESS_IPNETWORK.get_bound(py)?.call1((net,))?; - Ok(types::IP_ADDRESS - .get_bound(py)? - .call1((addr,))? - .to_object(py)) + let addr = types::IPADDRESS_IPNETWORK.get(py)?.call1((net,))?; + Ok(types::IP_ADDRESS.get(py)?.call1((addr,))?.to_object(py)) } fn ipv4_netmask(num: u32) -> Result { @@ -396,20 +387,16 @@ pub(crate) fn parse_and_cache_extensions< let extn_value = match parse_ext(&raw_ext)? { Some(e) => e, None => types::UNRECOGNIZED_EXTENSION - .get_bound(py)? + .get(py)? .call1((oid_obj.clone(), raw_ext.extn_value))?, }; - let ext_obj = types::EXTENSION.get_bound(py)?.call1(( - oid_obj, - raw_ext.critical, - extn_value, - ))?; + let ext_obj = + types::EXTENSION + .get(py)? + .call1((oid_obj, raw_ext.critical, extn_value))?; exts.append(ext_obj)?; } - Ok(types::EXTENSIONS - .get_bound(py)? - .call1((exts,))? - .to_object(py)) + Ok(types::EXTENSIONS.get(py)?.call1((exts,))?.to_object(py)) }) .map(|p| p.clone_ref(py)) } @@ -433,7 +420,7 @@ pub(crate) fn encode_extensions< let oid = py_oid_to_oid(py_oid)?; let ext_val = py_ext.getattr(pyo3::intern!(py, "value"))?; - if ext_val.is_instance(&types::UNRECOGNIZED_EXTENSION.get_bound(py)?)? { + if ext_val.is_instance(&types::UNRECOGNIZED_EXTENSION.get(py)?)? { exts.push(Extension { extn_id: oid, critical: py_ext.getattr(pyo3::intern!(py, "critical"))?.extract()?, @@ -490,7 +477,7 @@ pub(crate) fn datetime_to_py<'p>( py: pyo3::Python<'p>, dt: &asn1::DateTime, ) -> pyo3::PyResult> { - types::DATETIME_DATETIME.get_bound(py)?.call1(( + types::DATETIME_DATETIME.get(py)?.call1(( dt.year(), dt.month(), dt.day(), 
@@ -504,8 +491,8 @@ pub(crate) fn datetime_to_py_utc<'p>( py: pyo3::Python<'p>, dt: &asn1::DateTime, ) -> pyo3::PyResult> { - let timezone = types::DATETIME_TIMEZONE_UTC.get_bound(py)?; - types::DATETIME_DATETIME.get_bound(py)?.call1(( + let timezone = types::DATETIME_TIMEZONE_UTC.get(py)?; + types::DATETIME_DATETIME.get(py)?.call1(( dt.year(), dt.month(), dt.day(), @@ -526,7 +513,7 @@ pub(crate) fn py_to_datetime( let val_utc = if val.getattr(pyo3::intern!(py, "tzinfo"))?.is_none() { val } else { - let utc = types::DATETIME_TIMEZONE_UTC.get_bound(py)?; + let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; val.call_method1(pyo3::intern!(py, "astimezone"), (utc,))? }; @@ -542,12 +529,12 @@ pub(crate) fn py_to_datetime( } pub(crate) fn datetime_now(py: pyo3::Python<'_>) -> pyo3::PyResult { - let utc = types::DATETIME_TIMEZONE_UTC.get_bound(py)?; + let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; py_to_datetime( py, types::DATETIME_DATETIME - .get_bound(py)? + .get(py)? .call_method1(pyo3::intern!(py, "now"), (utc,))?, ) } diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index b00858e27500..4decb291c20d 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -198,7 +198,7 @@ impl CertificateRevocationList { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { let oid = self.signature_algorithm_oid(py)?; - match types::SIG_OIDS_TO_HASH.get_bound(py)?.get_item(oid) { + match types::SIG_OIDS_TO_HASH.get(py)?.get_item(oid) { Ok(v) => Ok(v), Err(_) => Err(exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -259,7 +259,7 @@ impl CertificateRevocationList { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { - let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_42.get(py)?; pyo3::PyErr::warn_bound( py, &warning_cls, 
@@ -288,7 +288,7 @@ impl CertificateRevocationList { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { - let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_42.get(py)?; pyo3::PyErr::warn_bound( py, &warning_cls, @@ -332,30 +332,24 @@ impl CertificateRevocationList { oid::CRL_NUMBER_OID => { let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; - Ok(Some(types::CRL_NUMBER.get_bound(py)?.call1((pynum,))?)) + Ok(Some(types::CRL_NUMBER.get(py)?.call1((pynum,))?)) } oid::DELTA_CRL_INDICATOR_OID => { let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; - Ok(Some( - types::DELTA_CRL_INDICATOR.get_bound(py)?.call1((pynum,))?, - )) + Ok(Some(types::DELTA_CRL_INDICATOR.get(py)?.call1((pynum,))?)) } oid::ISSUER_ALTERNATIVE_NAME_OID => { let gn_seq = ext.value::>()?; let ians = x509::parse_general_names(py, &gn_seq)?; Ok(Some( - types::ISSUER_ALTERNATIVE_NAME - .get_bound(py)? - .call1((ians,))?, + types::ISSUER_ALTERNATIVE_NAME.get(py)?.call1((ians,))?, )) } oid::AUTHORITY_INFORMATION_ACCESS_OID => { let ads = certificate::parse_access_descriptions(py, ext)?; Ok(Some( - types::AUTHORITY_INFORMATION_ACCESS - .get_bound(py)? - .call1((ads,))?, + types::AUTHORITY_INFORMATION_ACCESS.get(py)?.call1((ads,))?, )) } oid::AUTHORITY_KEY_IDENTIFIER_OID => { 
@@ -375,21 +369,19 @@ impl CertificateRevocationList { } else { py.None() }; - Ok(Some( - types::ISSUING_DISTRIBUTION_POINT.get_bound(py)?.call1(( - full_name, - relative_name, - idp.only_contains_user_certs, - idp.only_contains_ca_certs, - py_reasons, - idp.indirect_crl, - idp.only_contains_attribute_certs, - ))?, - )) + Ok(Some(types::ISSUING_DISTRIBUTION_POINT.get(py)?.call1(( + full_name, + relative_name, + idp.only_contains_user_certs, + idp.only_contains_ca_certs, + py_reasons, + idp.indirect_crl, + idp.only_contains_attribute_certs, + ))?)) } oid::FRESHEST_CRL_OID => { let dp = certificate::parse_distribution_points(py, ext)?; - Ok(Some(types::FRESHEST_CRL.get_bound(py)?.call1((dp,))?)) + Ok(Some(types::FRESHEST_CRL.get(py)?.call1((dp,))?)) } _ => Ok(None), }, @@ -564,7 +556,7 @@ impl RevokedCertificate { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { - let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_42.get(py)?; pyo3::PyErr::warn_bound( py, &warning_cls, @@ -622,7 +614,7 @@ pub(crate) fn parse_crl_reason_flags<'p>( )) } }; - Ok(types::REASON_FLAGS.get_bound(py)?.getattr(flag_name)?) + Ok(types::REASON_FLAGS.get(py)?.getattr(flag_name)?) } pub fn parse_crl_entry_ext<'p>( 
@@ -632,19 +624,17 @@ pub fn parse_crl_entry_ext<'p>( match ext.extn_id { oid::CRL_REASON_OID => { let flags = parse_crl_reason_flags(py, &ext.value::()?)?; - Ok(Some(types::CRL_REASON.get_bound(py)?.call1((flags,))?)) + Ok(Some(types::CRL_REASON.get(py)?.call1((flags,))?)) } oid::CERTIFICATE_ISSUER_OID => { let gn_seq = ext.value::>>()?; let gns = x509::parse_general_names(py, &gn_seq)?; - Ok(Some( - types::CERTIFICATE_ISSUER.get_bound(py)?.call1((gns,))?, - )) + Ok(Some(types::CERTIFICATE_ISSUER.get(py)?.call1((gns,))?)) } oid::INVALIDITY_DATE_OID => { let time = ext.value::()?; let py_dt = x509::datetime_to_py(py, time.as_datetime())?; - Ok(Some(types::INVALIDITY_DATE.get_bound(py)?.call1((py_dt,))?)) + Ok(Some(types::INVALIDITY_DATE.get(py)?.call1((py_dt,))?)) } _ => Ok(None), } diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index bedc28607418..789004a60bb9 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -130,7 +130,7 @@ impl CertificateSigningRequest { py: pyo3::Python<'p>, oid: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult> { - let warning_cls = types::DEPRECATED_IN_36.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_36.get(py)?; let warning_msg = "CertificateSigningRequest.get_attribute_for_oid has been deprecated. Please switch to request.attributes.get_attribute_for_oid."; pyo3::PyErr::warn_bound(py, &warning_cls, warning_msg, 1)?; @@ -194,12 +194,10 @@ impl CertificateSigningRequest { "Long-form tags are not supported in CSR attribute values", )) })?; - let pyattr = types::ATTRIBUTE - .get_bound(py)? - .call1((oid, serialized, tag))?; + let pyattr = types::ATTRIBUTE.get(py)?.call1((oid, serialized, tag))?; pyattrs.append(pyattr)?; } - types::ATTRIBUTES.get_bound(py)?.call1((pyattrs,)) + types::ATTRIBUTES.get(py)?.call1((pyattrs,)) } #[getter] 
@@ -300,8 +298,8 @@ fn create_x509_csr( rsa_padding.clone(), )?; - let der = types::ENCODING_DER.get_bound(py)?; - let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get_bound(py)?; + let der = types::ENCODING_DER.get(py)?; + let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?; let spki_bytes = private_key .call_method0(pyo3::intern!(py, "public_key"))? .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))? diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 152d6e17706d..94eb495bc7a0 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -482,7 +482,7 @@ pub(crate) fn encode_extension( } &oid::CRL_REASON_OID => { let value = types::CRL_ENTRY_REASON_ENUM_TO_CODE - .get_bound(ext.py())? + .get(ext.py())? .get_item(ext.getattr(pyo3::intern!(py, "reason"))?)? .extract::()?; Ok(Some(asn1::write_single(&asn1::Enumerated::new(value))?)) diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 5ee9e2097016..7687f7af4317 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -91,10 +91,7 @@ impl OCSPRequest { let cert_id = self.cert_id(); match ocsp::ALGORITHM_PARAMETERS_TO_HASH.get(&cert_id.hash_algorithm.params) { - Some(alg_name) => Ok(types::HASHES_MODULE - .get_bound(py)? - .getattr(*alg_name)? - .call0()?), + Some(alg_name) => Ok(types::HASHES_MODULE.get(py)?.getattr(*alg_name)?.call0()?), None => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -131,7 +128,7 @@ impl OCSPRequest { // the nonce. So we try parsing as a TLV and fall back to just using // the raw value. let nonce = ext.value::<&[u8]>().unwrap_or(ext.extn_value); - Ok(Some(types::OCSP_NONCE.get_bound(py)?.call1((nonce,))?)) + Ok(Some(types::OCSP_NONCE.get(py)?.call1((nonce,))?)) } oid::ACCEPTABLE_RESPONSES_OID => { let oids = ext.value::>()?; 
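Review bot: In the `CRL_REASON_OID` arm the lookup is written `.get(ext.py())?` while the very next line passes `py` to `pyo3::intern!`, so the same token is spelled two ways within one expression. Since `py` is in scope here, `.get(py)?` would match the other call sites visible in this patch. The enclosing `encode_extension` starts and ends outside the hunk.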
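Review bot: The `None` arm after the `ALGORITHM_PARAMETERS_TO_HASH` lookup on `cert_id.hash_algorithm.params` in ocsp_req.rs reports `"Signature algorithm OID: {} not recognized"`, although what failed to resolve is the certificate ID's hash algorithm, not a signature algorithm. That wording points whoever is triaging a rejected OCSP request at the wrong field; `"Hash algorithm OID: {} not recognized"` would describe the failure. The same message appears in `singleresp_py_hash_algorithm` in ocsp_resp.rs (the hunk at -532), and the format argument lies outside both hunks. Check for tests that match on the old text before changing it.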
@@ -142,7 +139,7 @@ impl OCSPRequest { Ok(Some( types::OCSP_ACCEPTABLE_RESPONSES - .get_bound(py)? + .get(py)? .call1((py_oids,))?, )) } @@ -157,7 +154,7 @@ impl OCSPRequest { py: pyo3::Python<'p>, encoding: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - if !encoding.is(&types::ENCODING_DER.get_bound(py)?) { + if !encoding.is(&types::ENCODING_DER.get(py)?) { return Err(pyo3::exceptions::PyValueError::new_err( "The only allowed encoding value is Encoding.DER", ) diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 37b5d75d5a74..e27c5d583afa 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -143,7 +143,7 @@ impl OCSPResponse { assert_eq!(status, UNAUTHORIZED_RESPONSE); "UNAUTHORIZED" }; - types::OCSP_RESPONSE_STATUS.get_bound(py)?.getattr(attr) + types::OCSP_RESPONSE_STATUS.get(py)?.getattr(attr) } #[getter] @@ -198,7 +198,7 @@ impl OCSPResponse { py: pyo3::Python<'p>, ) -> Result, CryptographyError> { let hash_alg = types::SIG_OIDS_TO_HASH - .get_bound(py)? + .get(py)? .get_item(self.signature_algorithm_oid(py)?); match hash_alg { Ok(data) => Ok(data), @@ -388,7 +388,7 @@ impl OCSPResponse { // the nonce. So we try parsing as a TLV and fall back to just using // the raw value. let nonce = ext.value::<&[u8]>().unwrap_or(ext.extn_value); - Ok(Some(types::OCSP_NONCE.get_bound(py)?.call1((nonce,))?)) + Ok(Some(types::OCSP_NONCE.get(py)?.call1((nonce,))?)) } _ => Ok(None), } @@ -419,7 +419,7 @@ impl OCSPResponse { let scts = sct::parse_scts(py, contents, sct::LogEntryType::Certificate)?; Ok(Some( types::SIGNED_CERTIFICATE_TIMESTAMPS - .get_bound(py)? + .get(py)? .call1((scts,))?, )) } 
@@ -433,7 +433,7 @@ impl OCSPResponse { py: pyo3::Python<'p>, encoding: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - if !encoding.is(&types::ENCODING_DER.get_bound(py)?) { + if !encoding.is(&types::ENCODING_DER.get(py)?) { return Err(pyo3::exceptions::PyValueError::new_err( "The only allowed encoding value is Encoding.DER", ) @@ -524,7 +524,7 @@ fn singleresp_py_certificate_status<'p>( ocsp_resp::CertStatus::Revoked(_) => pyo3::intern!(py, "REVOKED"), ocsp_resp::CertStatus::Unknown(_) => pyo3::intern!(py, "UNKNOWN"), }; - types::OCSP_CERT_STATUS.get_bound(py)?.getattr(attr) + types::OCSP_CERT_STATUS.get(py)?.getattr(attr) } fn singleresp_py_hash_algorithm<'p>( @@ -532,10 +532,7 @@ fn singleresp_py_hash_algorithm<'p>( py: pyo3::Python<'p>, ) -> Result, CryptographyError> { match ocsp::ALGORITHM_PARAMETERS_TO_HASH.get(&resp.cert_id.hash_algorithm.params) { - Some(alg_name) => Ok(types::HASHES_MODULE - .get_bound(py)? - .getattr(*alg_name)? - .call0()?), + Some(alg_name) => Ok(types::HASHES_MODULE.get(py)?.getattr(*alg_name)?.call0()?), None => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -632,9 +629,9 @@ fn create_ocsp_response( .extract()?; let py_cert_status = py_single_resp.getattr(pyo3::intern!(py, "_cert_status"))?; - let cert_status = if py_cert_status.is(&types::OCSP_CERT_STATUS_GOOD.get_bound(py)?) { + let cert_status = if py_cert_status.is(&types::OCSP_CERT_STATUS_GOOD.get(py)?) { ocsp_resp::CertStatus::Good(()) - } else if py_cert_status.is(&types::OCSP_CERT_STATUS_UNKNOWN.get_bound(py)?) { + } else if py_cert_status.is(&types::OCSP_CERT_STATUS_UNKNOWN.get(py)?) { ocsp_resp::CertStatus::Unknown(()) } else { let revocation_reason = if !py_single_resp 
@@ -642,7 +639,7 @@ fn create_ocsp_response( .is_none() { let value = types::CRL_ENTRY_REASON_ENUM_TO_CODE - .get_bound(py)? + .get(py)? .get_item(py_single_resp.getattr(pyo3::intern!(py, "_revocation_reason"))?)? .extract::()?; Some(asn1::Enumerated::new(value)) @@ -681,9 +678,8 @@ fn create_ocsp_response( }]; borrowed_cert = responder_cert.borrow(); - let responder_id = if responder_encoding.is(&types::OCSP_RESPONDER_ENCODING_HASH.get_bound(py)?) - { - let sha1 = types::SHA1.get_bound(py)?.call0()?; + let responder_id = if responder_encoding.is(&types::OCSP_RESPONDER_ENCODING_HASH.get(py)?) { + let sha1 = types::SHA1.get(py)?.call0()?; ocsp_resp::ResponderId::ByKey(ocsp::hash_data( py, &sha1, diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index cc3680e8e064..0cc8c4644690 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -155,7 +155,7 @@ impl Sct { #[getter] fn version<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { - types::CERTIFICATE_TRANSPARENCY_VERSION_V1.get_bound(py) + types::CERTIFICATE_TRANSPARENCY_VERSION_V1.get(py) } #[getter] @@ -165,14 +165,14 @@ impl Sct { #[getter] fn timestamp<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { - let utc = types::DATETIME_TIMEZONE_UTC.get_bound(py)?; + let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; let kwargs = pyo3::types::PyDict::new_bound(py); kwargs.set_item("microsecond", self.timestamp % 1000 * 1000)?; kwargs.set_item("tzinfo", None::>)?; types::DATETIME_DATETIME - .get_bound(py)? + .get(py)? .call_method1( pyo3::intern!(py, "fromtimestamp"), (self.timestamp / 1000, utc), 
@@ -183,8 +183,8 @@ impl Sct { #[getter] fn entry_type<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { Ok(match self.entry_type { - LogEntryType::Certificate => types::LOG_ENTRY_TYPE_X509_CERTIFICATE.get_bound(py)?, - LogEntryType::PreCertificate => types::LOG_ENTRY_TYPE_PRE_CERTIFICATE.get_bound(py)?, + LogEntryType::Certificate => types::LOG_ENTRY_TYPE_X509_CERTIFICATE.get(py)?, + LogEntryType::PreCertificate => types::LOG_ENTRY_TYPE_PRE_CERTIFICATE.get(py)?, }) } @@ -194,7 +194,7 @@ impl Sct { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { types::HASHES_MODULE - .get_bound(py)? + .get(py)? .call_method0(self.hash_algorithm.to_attr()) } @@ -204,7 +204,7 @@ impl Sct { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { types::SIGNATURE_ALGORITHM - .get_bound(py)? + .get(py)? .getattr(self.signature_algorithm.to_attr()) } diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 2789c508dbc6..9483a06e5034 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs 
@@ -53,15 +53,15 @@ pub(crate) fn identify_key_type( py: pyo3::Python<'_>, private_key: pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { - if private_key.is_instance(&types::RSA_PRIVATE_KEY.get_bound(py)?)? { + if private_key.is_instance(&types::RSA_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Rsa) - } else if private_key.is_instance(&types::DSA_PRIVATE_KEY.get_bound(py)?)? { + } else if private_key.is_instance(&types::DSA_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Dsa) - } else if private_key.is_instance(&types::ELLIPTIC_CURVE_PRIVATE_KEY.get_bound(py)?)? { + } else if private_key.is_instance(&types::ELLIPTIC_CURVE_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Ec) - } else if private_key.is_instance(&types::ED25519_PRIVATE_KEY.get_bound(py)?)? { + } else if private_key.is_instance(&types::ED25519_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Ed25519) - } else if private_key.is_instance(&types::ED448_PRIVATE_KEY.get_bound(py)?)? { + } else if private_key.is_instance(&types::ED448_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Ed448) } else { Err(pyo3::exceptions::PyTypeError::new_err( @@ -78,7 +78,7 @@ fn identify_hash_type( return Ok(HashType::None); } - if !hash_algorithm.is_instance(&types::HASH_ALGORITHM.get_bound(py)?)? { + if !hash_algorithm.is_instance(&types::HASH_ALGORITHM.get(py)?)? { return Err(pyo3::exceptions::PyTypeError::new_err( "Algorithm must be a registered hash algorithm.", )); 
@@ -109,12 +109,12 @@ fn compute_pss_salt_length<'p>( rsa_padding: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult { let py_saltlen = rsa_padding.getattr(pyo3::intern!(py, "_salt_length"))?; - if py_saltlen.is_instance(&types::PADDING_MAX_LENGTH.get_bound(py)?)? { + if py_saltlen.is_instance(&types::PADDING_MAX_LENGTH.get(py)?)? { types::CALCULATE_MAX_PSS_SALT_LENGTH - .get_bound(py)? + .get(py)? .call1((private_key, hash_algorithm))? .extract::() - } else if py_saltlen.is_instance(&types::PADDING_DIGEST_LENGTH.get_bound(py)?)? { + } else if py_saltlen.is_instance(&types::PADDING_DIGEST_LENGTH.get(py)?)? { hash_algorithm .getattr(pyo3::intern!(py, "digest_size"))? .extract::() @@ -138,7 +138,7 @@ pub(crate) fn compute_signature_algorithm<'p>( // If this is RSA-PSS we need to compute the signature algorithm from the // parameters provided in rsa_padding. - if rsa_padding.is_instance(&types::PSS.get_bound(py)?)? { + if rsa_padding.is_instance(&types::PSS.get(py)?)? { let hash_alg_params = identify_alg_params_for_hash_type(hash_type)?; let hash_algorithm_id = common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), @@ -293,13 +293,13 @@ pub(crate) fn sign_data<'p>( private_key.call_method1(pyo3::intern!(py, "sign"), (data,))? } KeyType::Ec => { - let ecdsa = types::ECDSA.get_bound(py)?.call1((hash_algorithm,))?; + let ecdsa = types::ECDSA.get(py)?.call1((hash_algorithm,))?; private_key.call_method1(pyo3::intern!(py, "sign"), (data, ecdsa))? } KeyType::Rsa => { let mut padding = rsa_padding; if padding.is_none() { - padding = types::PKCS1V15.get_bound(py)?.call0()?; + padding = types::PKCS1V15.get(py)?.call0()?; } private_key.call_method1(pyo3::intern!(py, "sign"), (data, padding, hash_algorithm))? } 
@@ -358,15 +358,15 @@ pub(crate) fn identify_public_key_type( py: pyo3::Python<'_>, public_key: pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { - if public_key.is_instance(&types::RSA_PUBLIC_KEY.get_bound(py)?)? { + if public_key.is_instance(&types::RSA_PUBLIC_KEY.get(py)?)? { Ok(KeyType::Rsa) - } else if public_key.is_instance(&types::DSA_PUBLIC_KEY.get_bound(py)?)? { + } else if public_key.is_instance(&types::DSA_PUBLIC_KEY.get(py)?)? { Ok(KeyType::Dsa) - } else if public_key.is_instance(&types::ELLIPTIC_CURVE_PUBLIC_KEY.get_bound(py)?)? { + } else if public_key.is_instance(&types::ELLIPTIC_CURVE_PUBLIC_KEY.get(py)?)? { Ok(KeyType::Ec) - } else if public_key.is_instance(&types::ED25519_PUBLIC_KEY.get_bound(py)?)? { + } else if public_key.is_instance(&types::ED25519_PUBLIC_KEY.get(py)?)? { Ok(KeyType::Ed25519) - } else if public_key.is_instance(&types::ED448_PUBLIC_KEY.get_bound(py)?)? { + } else if public_key.is_instance(&types::ED448_PUBLIC_KEY.get(py)?)? { Ok(KeyType::Ed448) } else { Err(pyo3::exceptions::PyTypeError::new_err( @@ -431,10 +431,7 @@ fn hash_oid_py_hash( oid: asn1::ObjectIdentifier, ) -> CryptographyResult> { match HASH_OIDS_TO_HASH.get(&oid) { - Some(alg_name) => Ok(types::HASHES_MODULE - .get_bound(py)? - .getattr(*alg_name)? - .call0()?), + Some(alg_name) => Ok(types::HASHES_MODULE.get(py)?.getattr(*alg_name)?.call0()?), None => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -448,7 +445,7 @@ pub(crate) fn identify_signature_hash_algorithm<'p>( py: pyo3::Python<'p>, signature_algorithm: &common::AlgorithmIdentifier<'_>, ) -> CryptographyResult> { - let sig_oids_to_hash = types::SIG_OIDS_TO_HASH.get_bound(py)?; + let sig_oids_to_hash = types::SIG_OIDS_TO_HASH.get(py)?; match &signature_algorithm.params { common::AlgorithmParameters::RsaPss(opt_pss) => { let pss = opt_pss.as_ref().ok_or_else(|| { 
@@ -491,8 +488,8 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( } let py_mask_gen_hash_alg = hash_oid_py_hash(py, pss.mask_gen_algorithm.params.oid().clone())?; - let py_mgf = types::MGF1.get_bound(py)?.call1((py_mask_gen_hash_alg,))?; - Ok(types::PSS.get_bound(py)?.call1((py_mgf, pss.salt_length))?) + let py_mgf = types::MGF1.get(py)?.call1((py_mask_gen_hash_alg,))?; + Ok(types::PSS.get(py)?.call1((py_mgf, pss.salt_length))?) } common::AlgorithmParameters::RsaWithSha1(_) | common::AlgorithmParameters::RsaWithSha1Alt(_) @@ -504,7 +501,7 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( | common::AlgorithmParameters::RsaWithSha3_256(_) | common::AlgorithmParameters::RsaWithSha3_384(_) | common::AlgorithmParameters::RsaWithSha3_512(_) => { - Ok(types::PKCS1V15.get_bound(py)?.call0()?) + Ok(types::PKCS1V15.get(py)?.call0()?) } common::AlgorithmParameters::EcDsaWithSha224(_) | common::AlgorithmParameters::EcDsaWithSha256(_) @@ -517,9 +514,7 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( let signature_hash_algorithm = identify_signature_hash_algorithm(py, signature_algorithm)?; - Ok(types::ECDSA - .get_bound(py)? - .call1((signature_hash_algorithm,))?) + Ok(types::ECDSA.get(py)?.call1((signature_hash_algorithm,))?) } _ => Ok(py.None().into_bound(py)), } diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 570184cc1882..9b1db24a5790 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs 
@@ -374,14 +374,14 @@ fn build_subject_owner( ) -> pyo3::PyResult { let subject = subject.bind(py); - if subject.is_instance(&types::DNS_NAME.get_bound(py)?)? { + if subject.is_instance(&types::DNS_NAME.get(py)?)? { let value = subject .getattr(pyo3::intern!(py, "value"))? // TODO: switch this to borrowing the string (using Bound::to_str) once our // minimum Python version is 3.10 .extract::()?; Ok(SubjectOwner::DNSName(value)) - } else if subject.is_instance(&types::IP_ADDRESS.get_bound(py)?)? { + } else if subject.is_instance(&types::IP_ADDRESS.get(py)?)? { let value = subject .getattr(pyo3::intern!(py, "_packed"))? .call0()? From 77c8656cbad2df26bda9ede075a95a93b65e250e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 13 Apr 2024 00:14:07 +0000 Subject: [PATCH 0450/1462] Bump BoringSSL and/or OpenSSL in CI (#10805) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 57bce58850cc..f8f19263872b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 12, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "bdb7b19c3cd336b9e44086f677a0e37402c4bf13"}} - # Latest commit on the OpenSSL master branch, as of Apr 12, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8e5918fb8eb90289a0c89f6a4c6d623ecf49cf43"}} + # Latest commit on the BoringSSL master branch, as of Apr 13, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "1c6e10495e4f69cf9e5fd4e363d580ff1fdb1a96"}} + # Latest commit on the OpenSSL master branch, as of Apr 13, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d4188f24866f88b4269110ce86f9545edd44c846"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From a70c92c01faf75a32abc0836fd525154d0583b9d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 12 Apr 2024 20:51:44 -0400 Subject: [PATCH 0451/1462] Fix lifetime error in `oid.rs` with `gil-refs` disabled (#10804) --- src/rust/src/oid.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index 075b7fb9adbe..0932dbc7935c 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs @@ -42,11 +42,11 @@ impl ObjectIdentifier { } fn __repr__(slf: &pyo3::Bound<'_, Self>, py: pyo3::Python<'_>) -> pyo3::PyResult { - let name = Self::_name(slf.borrow(), py)?.extract::<&str>()?; + let name = Self::_name(slf.borrow(), py)?; Ok(format!( "", slf.get().oid, - name + name.extract::<&str>()? )) } 
From 3074b56d34f9b7f6dc6a096e5f2db9f2450dc380 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 13 Apr 2024 17:08:09 +0000 Subject: [PATCH 0452/1462] Bump cc from 1.0.92 to 1.0.94 in /src/rust (#10809) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.92 to 1.0.94. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.92...1.0.94) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 176a323fe5d7..92e4d3674450 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.92" +version = "1.0.94" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2678b2e3449475e95b0aa6f9b506a28e61b3dc8996592b983695e8ebb58a8b41" +checksum = "17f6e324229dc011159fcc089755d1e2e216a90d43a7dea6853ca740b84f35e7" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index f22d8e4b07a0..405fb7dc4836 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.21.1", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.92" +cc = "1.0.94" From 6fd5d73e04d1fe32c2f6dd0f7110997bc408016b Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 13 Apr 2024 13:13:52 -0400 Subject: [PATCH 0453/1462] Bump setuptools from 69.2.0 to 69.5.0 in /.github/requirements (#10810) Bumps [setuptools](https://github.com/pypa/setuptools) from 69.2.0 to 69.5.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v69.2.0...v69.5.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 70fe56dc3ca1..149873f7f462 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -80,9 +80,9 @@ wheel==0.43.0 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==69.2.0 \ - --hash=sha256:0ff4183f8f42cd8fa3acea16c45205521a4ef28f73c6391d8a25e92893134f2e \ - --hash=sha256:c21c49fb1042386df081cb5d86759792ab89efca84cf114889191cd09aacc80c +setuptools==69.5.0 \ + --hash=sha256:3b2dbd8f63dcc6b7c327d0243c2d7dc8c96cc507c016f09221f3787e6e528719 \ + --hash=sha256:8d881f842bfc0e29e93bc98a2e650e8845609adff4d2989ba6c748e67b09d5be # via # -r build-requirements.in # setuptools-rust From bdb2d8b48e43a7e52a54e3ad68eed5e96781a545 Mon Sep 17 00:00:00 2001 
From: Facundo Tuesca Date: Sat, 13 Apr 2024 21:51:25 +0200 Subject: [PATCH 0454/1462] Fix lifetime errors in `asn1.rs` with `gil-refs` disabled (#10778) * Fix lifetime errors in `asn1.rs` with `gil-refs` disabled * Fix docstring and remove unneeded KeepAlive * Address review comments * Update src/rust/src/x509/ocsp_req.rs Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- src/rust/Cargo.lock | 3 +++ src/rust/cryptography-keepalive/Cargo.toml | 1 + src/rust/cryptography-keepalive/src/lib.rs | 5 +++++ src/rust/src/asn1.rs | 9 ++++++--- src/rust/src/x509/certificate.rs | 3 ++- src/rust/src/x509/crl.rs | 5 +++-- src/rust/src/x509/extensions.rs | 13 ++++++++----- src/rust/src/x509/ocsp_req.rs | 4 +++- 8 files changed, 31 insertions(+), 12 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 92e4d3674450..59bc8f6545e5 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -70,6 +70,9 @@ dependencies = [ [[package]] name = "cryptography-keepalive" version = "0.1.0" +dependencies = [ + "pyo3", +] [[package]] name = "cryptography-key-parsing" diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml index 241369773f39..d37e8fa4fe9d 100644 --- a/src/rust/cryptography-keepalive/Cargo.toml +++ b/src/rust/cryptography-keepalive/Cargo.toml @@ -8,3 +8,4 @@ publish = false rust-version = "1.65.0" [dependencies] +pyo3 = { version = "0.21.1", features = ["abi3"] } diff --git a/src/rust/cryptography-keepalive/src/lib.rs b/src/rust/cryptography-keepalive/src/lib.rs index a33baba3c4bf..b367687912e2 100644 --- a/src/rust/cryptography-keepalive/src/lib.rs +++ b/src/rust/cryptography-keepalive/src/lib.rs @@ -4,6 +4,7 @@ #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +use pyo3::pybacked::PyBackedBytes; use std::cell::UnsafeCell; use std::ops::Deref; 
@@ -19,6 +20,10 @@ pub unsafe trait StableDeref: Deref {} // slice returned by `deref` remains valid. unsafe impl StableDeref for Vec {} +// SAFETY: `PyBackedBytes`'s data is on the heap and `bytes` objects in +// Python are immutable. +unsafe impl StableDeref for PyBackedBytes {} + #[allow(clippy::new_without_default)] impl KeepAlive { pub fn new() -> Self { diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index ba3eba7e235c..98f0190d6a6e 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -8,6 +8,7 @@ use cryptography_x509::common::{DssSignature, SubjectPublicKeyInfo, Time}; use cryptography_x509::name::Name; use pyo3::prelude::PyAnyMethods; use pyo3::prelude::PyModuleMethods; +use pyo3::pybacked::PyBackedBytes; use pyo3::types::IntoPyDict; use pyo3::ToPyObject; @@ -73,7 +74,7 @@ fn decode_dss_signature( pub(crate) fn py_uint_to_big_endian_bytes<'p>( py: pyo3::Python<'p>, v: pyo3::Bound<'p, pyo3::types::PyLong>, -) -> pyo3::PyResult<&'p [u8]> { +) -> pyo3::PyResult { let zero = (0).to_object(py); if v.lt(zero)? { return Err(pyo3::exceptions::PyValueError::new_err( @@ -124,9 +125,11 @@ fn encode_dss_signature<'p>( r: pyo3::Bound<'_, pyo3::types::PyLong>, s: pyo3::Bound<'_, pyo3::types::PyLong>, ) -> CryptographyResult> { + let r_bytes = py_uint_to_big_endian_bytes(py, r)?; + let s_bytes = py_uint_to_big_endian_bytes(py, s)?; let sig = DssSignature { - r: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, r)?).unwrap(), - s: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, s)?).unwrap(), + r: asn1::BigUint::new(&r_bytes).unwrap(), + s: asn1::BigUint::new(&s_bytes).unwrap(), }; let result = asn1::write_single(&sig)?; Ok(pyo3::types::PyBytes::new_bound(py, &result)) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 30be711a7760..388448133d71 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs 
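Review bot: The SAFETY comment on `unsafe impl StableDeref for PyBackedBytes {}` in cryptography-keepalive/src/lib.rs only justifies the case where the buffer belongs to a Python `bytes` object. As far as I know, pyo3 0.21's `PyBackedBytes` can also own a Rust-side copy (what a `bytearray` is converted into), and there it is ownership of that copy, not the immutability of `bytes`, that keeps the slice valid. The later `ka.add(...)` call sites appear to rely on this impl to keep borrowed slices usable after the call, so the comment should state the invariant that matters: `// SAFETY: the slice points into a heap allocation owned by the PyBackedBytes (a Python bytes object or a Rust-side copy); moving the value neither moves nor frees it.`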
@@ -918,12 +918,13 @@ fn create_x509_certificate( let py_not_before = builder.getattr(pyo3::intern!(py, "_not_valid_before"))?; let py_not_after = builder.getattr(pyo3::intern!(py, "_not_valid_after"))?; + let serial_bytes = py_uint_to_big_endian_bytes(py, py_serial)?; let tbs_cert = cryptography_x509::certificate::TbsCertificate { version: builder .getattr(pyo3::intern!(py, "_version"))? .getattr(pyo3::intern!(py, "value"))? .extract()?, - serial: asn1::BigInt::new(py_uint_to_big_endian_bytes(py, py_serial)?).unwrap(), + serial: asn1::BigInt::new(&serial_bytes).unwrap(), signature_alg: sigalg.clone(), issuer: x509::common::encode_name(py, &py_issuer_name)?, validity: cryptography_x509::certificate::Validity { diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 4decb291c20d..125f67792784 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -655,6 +655,7 @@ fn create_x509_crl( rsa_padding.to_owned(), )?; let mut revoked_certs = vec![]; + let ka = cryptography_keepalive::KeepAlive::new(); for py_revoked_cert in builder .getattr(pyo3::intern!(py, "_revoked_certificates"))? .iter()? @@ -665,9 +666,9 @@ fn create_x509_crl( .extract()?; let py_revocation_date = py_revoked_cert.getattr(pyo3::intern!(py, "revocation_date_utc"))?; + let serial_bytes = ka.add(py_uint_to_big_endian_bytes(py, serial_number)?); revoked_certs.push(crl::RevokedCertificate { - user_certificate: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, serial_number)?) - .unwrap(), + user_certificate: asn1::BigUint::new(serial_bytes).unwrap(), revocation_date: x509::certificate::time_from_py(py, &py_revocation_date)?, raw_crl_entry_extensions: x509::common::encode_extensions( py, diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 94eb495bc7a0..929f17ce3575 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs 
@@ -51,10 +51,11 @@ pub(crate) fn encode_authority_key_identifier<'a>( } else { None }; + let serial_bytes; let authority_cert_serial_number = if let Some(authority_cert_serial_number) = aki.authority_cert_serial_number { - let serial_bytes = py_uint_to_big_endian_bytes(py, authority_cert_serial_number)?; - Some(asn1::BigUint::new(serial_bytes).unwrap()) + serial_bytes = py_uint_to_big_endian_bytes(py, authority_cert_serial_number)?; + Some(asn1::BigUint::new(&serial_bytes).unwrap()) } else { None }; @@ -215,6 +216,7 @@ fn encode_certificate_policies( ext: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { let mut policy_informations = vec![]; + let ka = cryptography_keepalive::KeepAlive::new(); for py_policy_info in ext.iter()? { let py_policy_info = py_policy_info?; let py_policy_qualifiers = @@ -245,7 +247,8 @@ fn encode_certificate_policies( .getattr(pyo3::intern!(py, "notice_numbers"))? .iter()? { - let bytes = py_uint_to_big_endian_bytes(ext.py(), py_num?.extract()?)?; + let bytes = + ka.add(py_uint_to_big_endian_bytes(ext.py(), py_num?.extract()?)?); notice_numbers.push(asn1::BigUint::new(bytes).unwrap()); } @@ -454,7 +457,7 @@ pub(crate) fn encode_extension( .clone(); let bytes = py_uint_to_big_endian_bytes(ext.py(), intval)?; Ok(Some(asn1::write_single( - &asn1::BigUint::new(bytes).unwrap(), + &asn1::BigUint::new(&bytes).unwrap(), )?)) } &oid::ISSUER_ALTERNATIVE_NAME_OID | &oid::SUBJECT_ALTERNATIVE_NAME_OID => { @@ -503,7 +506,7 @@ pub(crate) fn encode_extension( .clone(); let bytes = py_uint_to_big_endian_bytes(ext.py(), intval)?; Ok(Some(asn1::write_single( - &asn1::BigUint::new(bytes).unwrap(), + &asn1::BigUint::new(&bytes).unwrap(), )?)) } &oid::ISSUING_DISTRIBUTION_POINT_OID => { diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 7687f7af4317..6635259a2571 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs 
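Review bot: `let serial_bytes;` in `encode_authority_key_identifier` is a deferred initialisation that exists only so the buffer outlives the `if let` that borrows it, and nothing at the declaration says so. The same commit documents the identical pattern in ocsp_req.rs, so I would add the matching remark here: `let serial_bytes; // Declared outside the if-let so the BigUint borrow outlives it.` Without it, a later cleanup could move the binding back inside the block and reintroduce the lifetime error. The function body continues outside this hunk.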
@@ -171,6 +171,7 @@ fn create_ocsp_request( builder: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { let builder_request = builder.getattr(pyo3::intern!(py, "_request"))?; + let serial_number_bytes; // Declare outside the if-block so the lifetimes are right. let (py_cert, py_issuer, py_hash, issuer_name_hash, issuer_key_hash): ( @@ -188,7 +189,8 @@ fn create_ocsp_request( (issuer_name_hash, issuer_key_hash, py_serial, py_hash) = builder .getattr(pyo3::intern!(py, "_request_hash"))? .extract()?; - let serial_number = asn1::BigInt::new(py_uint_to_big_endian_bytes(py, py_serial)?).unwrap(); + serial_number_bytes = py_uint_to_big_endian_bytes(py, py_serial)?; + let serial_number = asn1::BigInt::new(&serial_number_bytes).unwrap(); ocsp::certid_new_from_hash( py, &issuer_name_hash, From b75945c9349bd34fda63520a5aab7ed3235fa2cf Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Sat, 13 Apr 2024 22:14:15 +0200 Subject: [PATCH 0455/1462] Fix lifetime errors in `extensions.rs` and `sign.rs` with `gil-refs` disabled (#10780) * Fix lifetime errors in `extensions.rs` with `gil-refs` disabled * Fix lifetime errors in `sign.rs` with `gil-refs` disabled --- src/rust/cryptography-keepalive/src/lib.rs | 6 ++++- src/rust/src/pkcs7.rs | 7 +++--- src/rust/src/x509/certificate.rs | 2 +- src/rust/src/x509/crl.rs | 2 +- src/rust/src/x509/csr.rs | 2 +- src/rust/src/x509/extensions.rs | 27 +++++++++++++--------- src/rust/src/x509/ocsp_resp.rs | 2 +- src/rust/src/x509/sign.rs | 3 ++- 8 files changed, 31 insertions(+), 20 deletions(-) diff --git a/src/rust/cryptography-keepalive/src/lib.rs b/src/rust/cryptography-keepalive/src/lib.rs index b367687912e2..6c45cf9e81ee 100644 --- a/src/rust/cryptography-keepalive/src/lib.rs +++ b/src/rust/cryptography-keepalive/src/lib.rs @@ -4,7 +4,7 @@ #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] -use pyo3::pybacked::PyBackedBytes; +use pyo3::pybacked::{PyBackedBytes, PyBackedStr}; use std::cell::UnsafeCell; use std::ops::Deref; 
@@ -24,6 +24,10 @@ unsafe impl StableDeref for Vec {} // Python are immutable. unsafe impl StableDeref for PyBackedBytes {} +// SAFETY: `PyBackedStr`'s data is on the heap and `str` objects in +// Python are immutable. +unsafe impl StableDeref for PyBackedStr {} + #[allow(clippy::new_without_default)] impl KeepAlive { pub fn new() -> Self { diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 8442587b407f..e0bb14f0f3c5 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -129,7 +129,8 @@ fn sign_and_serialize<'p>( .map(|p| p.raw.borrow_dependent()) .collect::>(); - let ka = cryptography_keepalive::KeepAlive::new(); + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); for (cert, py_private_key, py_hash_alg, rsa_padding) in py_signers.iter() { let (authenticated_attrs, signature) = if options.contains(&types::PKCS7_NO_ATTRIBUTES.get(py)?)? { @@ -159,7 +160,7 @@ fn sign_and_serialize<'p>( }, ]; - let digest = ka.add(asn1::write_single(&x509::ocsp::hash_data( + let digest = ka_vec.add(asn1::write_single(&x509::ocsp::hash_data( py, py_hash_alg, &data_with_header, @@ -221,7 +222,7 @@ fn sign_and_serialize<'p>( py_hash_alg.clone(), rsa_padding.clone(), )?, - encrypted_digest: signature, + encrypted_digest: ka_bytes.add(signature), unauthenticated_attributes: None, }); } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 388448133d71..c8a2ac8b4d2f 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -953,7 +953,7 @@ fn create_x509_certificate( let data = asn1::write_single(&cryptography_x509::certificate::Certificate { tbs_cert, signature_alg: sigalg, - signature: asn1::BitString::new(signature, 0).unwrap(), + signature: asn1::BitString::new(&signature, 0).unwrap(), })?; load_der_x509_certificate( py, diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 125f67792784..4484efee87bf 100644 
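Review bot: The SAFETY comment on `unsafe impl StableDeref for PyBackedStr {}` says the data belongs to an immutable Python `str`, which may not describe this build. The crate enables pyo3's `abi3` feature, and to my knowledge under the limited API on older Python versions `PyBackedStr` holds a UTF-8 encoded `bytes` object and points into that rather than into the `str`. The impl looks sound either way, so this is a comment fix only: `// SAFETY: the &str points into a heap buffer owned by an immutable Python object (the str, or its UTF-8 bytes under abi3) that the PyBackedStr keeps alive.`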
--- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -712,7 +712,7 @@ fn create_x509_crl( let data = asn1::write_single(&crl::CertificateRevocationList { tbs_cert_list, signature_algorithm: sigalg, - signature_value: asn1::BitString::new(signature, 0).unwrap(), + signature_value: asn1::BitString::new(&signature, 0).unwrap(), })?; load_der_x509_crl( py, diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 789004a60bb9..1aab9d3a6b96 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -374,7 +374,7 @@ fn create_x509_csr( let data = asn1::write_single(&Csr { csr_info, signature_alg: sigalg, - signature: asn1::BitString::new(signature, 0).unwrap(), + signature: asn1::BitString::new(&signature, 0).unwrap(), })?; load_der_x509_csr( py, diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 929f17ce3575..6d1137c34c56 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -9,6 +9,7 @@ use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, sct}; use crate::{types, x509}; use pyo3::prelude::PyAnyMethods; +use pyo3::pybacked::PyBackedStr; fn encode_general_subtrees<'a>( py: pyo3::Python<'a>, @@ -216,7 +217,8 @@ fn encode_certificate_policies( ext: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { let mut policy_informations = vec![]; - let ka = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let ka_str = cryptography_keepalive::KeepAlive::new(); for py_policy_info in ext.iter()? { let py_policy_info = py_policy_info?; let py_policy_qualifiers = 
@@ -226,7 +228,8 @@ fn encode_certificate_policies( for py_qualifier in py_policy_qualifiers.iter()? { let py_qualifier = py_qualifier?; let qualifier = if py_qualifier.is_instance_of::() { - let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) { + let py_qualifier_str = ka_str.add(py_qualifier.extract::()?); + let cps_uri = match asn1::IA5String::new(py_qualifier_str) { Some(s) => s, None => { return Err(pyo3::exceptions::PyValueError::new_err( @@ -247,18 +250,18 @@ fn encode_certificate_policies( .getattr(pyo3::intern!(py, "notice_numbers"))? .iter()? { - let bytes = - ka.add(py_uint_to_big_endian_bytes(ext.py(), py_num?.extract()?)?); + let bytes = ka_bytes + .add(py_uint_to_big_endian_bytes(ext.py(), py_num?.extract()?)?); notice_numbers.push(asn1::BigUint::new(bytes).unwrap()); } - + let py_notice_str = ka_str.add( + py_notice + .getattr(pyo3::intern!(py, "organization"))? + .extract::()?, + ); Some(extensions::NoticeReference { organization: extensions::DisplayText::Utf8String( - asn1::Utf8String::new( - py_notice - .getattr(pyo3::intern!(py, "organization"))? - .extract()?, - ), + asn1::Utf8String::new(py_notice_str), ), notice_numbers: common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(notice_numbers), @@ -270,8 +273,10 @@ fn encode_certificate_policies( let py_explicit_text = py_qualifier.getattr(pyo3::intern!(py, "explicit_text"))?; let explicit_text = if py_explicit_text.is_truthy()? { + let py_explicit_text_str = + ka_str.add(py_explicit_text.extract::()?); Some(extensions::DisplayText::Utf8String(asn1::Utf8String::new( - py_explicit_text.extract()?, + py_explicit_text_str, ))) } else { None diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index e27c5d583afa..4ec133a8e038 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs 
@@ -754,7 +754,7 @@ fn create_ocsp_response( let basic_resp = ocsp_resp::BasicOCSPResponse { tbs_response_data, - signature: asn1::BitString::new(signature, 0).unwrap(), + signature: asn1::BitString::new(&signature, 0).unwrap(), signature_algorithm: sigalg, certs, }; diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 9483a06e5034..b0acbfa39763 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -7,6 +7,7 @@ use std::collections::HashMap; use cryptography_x509::{common, oid}; use once_cell::sync::Lazy; use pyo3::prelude::PyAnyMethods; +use pyo3::pybacked::PyBackedBytes; use crate::asn1::oid_to_py_oid; use crate::error::{CryptographyError, CryptographyResult}; @@ -285,7 +286,7 @@ pub(crate) fn sign_data<'p>( hash_algorithm: pyo3::Bound<'p, pyo3::PyAny>, rsa_padding: pyo3::Bound<'p, pyo3::PyAny>, data: &[u8], -) -> pyo3::PyResult<&'p [u8]> { +) -> pyo3::PyResult { let key_type = identify_key_type(py, private_key.clone())?; let signature = match key_type { From f61fc109fdce384ffbd2cf89f57e874b7fc4698c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 14 Apr 2024 18:51:08 -0400 Subject: [PATCH 0456/1462] Fixed two lifetime errors in `common.rs` with `gil-refs` disabled (#10811) --- src/rust/src/x509/certificate.rs | 5 +++++ src/rust/src/x509/common.rs | 10 ++++------ src/rust/src/x509/crl.rs | 9 +++++++-- src/rust/src/x509/csr.rs | 5 +++++ src/rust/src/x509/ocsp_req.rs | 5 +++++ src/rust/src/x509/ocsp_resp.rs | 5 +++++ 6 files changed, 31 insertions(+), 8 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index c8a2ac8b4d2f..0607eebaa656 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs 
@@ -918,6 +918,9 @@ fn create_x509_certificate( let py_not_before = builder.getattr(pyo3::intern!(py, "_not_valid_before"))?; let py_not_after = builder.getattr(pyo3::intern!(py, "_not_valid_after"))?; + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let serial_bytes = py_uint_to_big_endian_bytes(py, py_serial)?; let tbs_cert = cryptography_x509::certificate::TbsCertificate { version: builder @@ -937,6 +940,8 @@ fn create_x509_certificate( subject_unique_id: None, raw_extensions: x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?, diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 6b115e81a1e6..17ff9693a305 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -410,6 +410,8 @@ pub(crate) fn encode_extensions< ) -> CryptographyResult>>, >( py: pyo3::Python<'p>, + ka_vec: &'p cryptography_keepalive::KeepAlive>, + ka_bytes: &'p cryptography_keepalive::KeepAlive, py_exts: &pyo3::Bound<'p, pyo3::PyAny>, encode_ext: F, ) -> pyo3::PyResult>> { @@ -424,20 +426,16 @@ pub(crate) fn encode_extensions< exts.push(Extension { extn_id: oid, critical: py_ext.getattr(pyo3::intern!(py, "critical"))?.extract()?, - extn_value: ext_val - .getattr(pyo3::intern!(py, "value"))? - .extract::<&[u8]>()?, + extn_value: ka_bytes.add(ext_val.getattr(pyo3::intern!(py, "value"))?.extract()?), }); continue; } match encode_ext(py, &oid, &ext_val)? { Some(data) => { - // TODO: extra copy - let py_data = pyo3::types::PyBytes::new_bound(py, &data); exts.push(Extension { extn_id: oid, critical: py_ext.getattr(pyo3::intern!(py, "critical"))?.extract()?, - extn_value: py_data.extract()?, + extn_value: ka_vec.add(data), }); } None => { diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 4484efee87bf..b3e37e967de7 100644 --- a/src/rust/src/x509/crl.rs 
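Review bot: `encode_extensions` in common.rs gains `ka_vec` and `ka_bytes` with no doc comment saying that the returned extensions borrow from them. Both are taken as `&'p` references and every `extn_value` is now the result of `ka_vec.add(...)` or `ka_bytes.add(...)`, so the caller's keepalives have to live until the enclosing structure has been serialized. I would add `/// The returned extensions borrow their `extn_value` buffers from `ka_vec` and `ka_bytes`; both must outlive the returned value.` above the function. The same gap applies to the helpers that take a `ka` argument in the following commits (`encode_name`, `encode_name_entry`, `encode_general_names`, `encode_general_name`, `certid_new`). The signature starts above this hunk.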
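Review bot: In the raw-extension branch of `encode_extensions`, `ext_val.getattr(pyo3::intern!(py, "value"))?.extract()?` now takes its target type only by inference from `ka_bytes.add`, whereas the removed line spelled out `extract::<&[u8]>()`. That target type decides which Python objects are accepted for a caller-supplied extension value, so I would keep it visible with a turbofish naming the keepalive's element type. The element type is presumably `PyBackedBytes`, but the generic arguments are not readable in this hunk, so check it against the parameter declaration.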
+++ b/src/rust/src/x509/crl.rs @@ -655,7 +655,8 @@ fn create_x509_crl( rsa_padding.to_owned(), )?; let mut revoked_certs = vec![]; - let ka = cryptography_keepalive::KeepAlive::new(); + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); for py_revoked_cert in builder .getattr(pyo3::intern!(py, "_revoked_certificates"))? .iter()? @@ -666,12 +667,14 @@ fn create_x509_crl( .extract()?; let py_revocation_date = py_revoked_cert.getattr(pyo3::intern!(py, "revocation_date_utc"))?; - let serial_bytes = ka.add(py_uint_to_big_endian_bytes(py, serial_number)?); + let serial_bytes = ka_bytes.add(py_uint_to_big_endian_bytes(py, serial_number)?); revoked_certs.push(crl::RevokedCertificate { user_certificate: asn1::BigUint::new(serial_bytes).unwrap(), revocation_date: x509::certificate::time_from_py(py, &py_revocation_date)?, raw_crl_entry_extensions: x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &py_revoked_cert.getattr(pyo3::intern!(py, "extensions"))?, extensions::encode_extension, )?, @@ -696,6 +699,8 @@ fn create_x509_crl( }, raw_crl_extensions: x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?, diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 1aab9d3a6b96..240f7f5d6dac 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -305,10 +305,15 @@ fn create_x509_csr( .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))? .extract::()?; + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let mut attrs = vec![]; let ext_bytes; if let Some(exts) = x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &builder.getattr(pyo3::intern!(py, "_extensions"))?, x509::extensions::encode_extension, )? { 
diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 6635259a2571..218939dfca75 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -200,8 +200,13 @@ fn create_ocsp_request( )? }; + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let extensions = x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?; diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 4ec133a8e038..e4038af1aec0 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -702,6 +702,9 @@ fn create_ocsp_response( ) }; + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let tbs_response_data = ocsp_resp::ResponseData { version: 0, produced_at: asn1::GeneralizedTime::new(x509::common::datetime_now(py)?)?, @@ -711,6 +714,8 @@ fn create_ocsp_response( )), raw_response_extensions: x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?, From 0fb841d70ec9ad5c4c65039200f71358869cb741 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 14 Apr 2024 18:53:18 -0400 Subject: [PATCH 0457/1462] Fixed two lifetime errors in `common.rs` with `gil-refs` disabled (#10807) --- src/rust/cryptography-keepalive/src/lib.rs | 2 - src/rust/src/x509/certificate.rs | 7 ++- src/rust/src/x509/common.rs | 63 ++++++++++++---------- src/rust/src/x509/crl.rs | 4 +- src/rust/src/x509/csr.rs | 4 +- src/rust/src/x509/extensions.rs | 35 +++++++----- 6 files changed, 69 insertions(+), 46 deletions(-) diff --git a/src/rust/cryptography-keepalive/src/lib.rs b/src/rust/cryptography-keepalive/src/lib.rs index 6c45cf9e81ee..46e9f3260d67 100644 --- a/src/rust/cryptography-keepalive/src/lib.rs 
+++ b/src/rust/cryptography-keepalive/src/lib.rs @@ -19,11 +19,9 @@ pub unsafe trait StableDeref: Deref {} // SAFETY: `Vec`'s data is on the heap, so as long as it's not mutated, the // slice returned by `deref` remains valid. unsafe impl StableDeref for Vec {} - // SAFETY: `PyBackedBytes`'s data is on the heap and `bytes` objects in // Python are immutable. unsafe impl StableDeref for PyBackedBytes {} - // SAFETY: `PyBackedStr`'s data is on the heap and `str` objects in // Python are immutable. unsafe impl StableDeref for PyBackedStr {} diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 0607eebaa656..79f1e72732bf 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -922,6 +922,9 @@ fn create_x509_certificate( let ka_bytes = cryptography_keepalive::KeepAlive::new(); let serial_bytes = py_uint_to_big_endian_bytes(py, py_serial)?; + + let ka = cryptography_keepalive::KeepAlive::new(); + let tbs_cert = cryptography_x509::certificate::TbsCertificate { version: builder .getattr(pyo3::intern!(py, "_version"))? @@ -929,12 +932,12 @@ fn create_x509_certificate( .extract()?, serial: asn1::BigInt::new(&serial_bytes).unwrap(), signature_alg: sigalg.clone(), - issuer: x509::common::encode_name(py, &py_issuer_name)?, + issuer: x509::common::encode_name(py, &ka, &py_issuer_name)?, validity: cryptography_x509::certificate::Validity { not_before: time_from_py(py, &py_not_before)?, not_after: time_from_py(py, &py_not_after)?, }, - subject: x509::common::encode_name(py, &py_subject_name)?, + subject: x509::common::encode_name(py, &ka, &py_subject_name)?, spki: asn1::parse_single(&spki_bytes)?, issuer_unique_id: None, subject_unique_id: None, diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 17ff9693a305..548c810a8db8 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs 
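Review bot: The new `let ka = cryptography_keepalive::KeepAlive::new();` in `create_x509_certificate` sits next to `ka_vec` and `ka_bytes`, and its name gives no hint of what it owns. It is passed only to `x509::common::encode_name`, which stores encoded name values in it, so `ka_name` would describe it better. If its element type is the same as that of `ka_bytes` (it looks that way from `encode_name_entry`, but the generics are not visible here), the issuer and subject calls could instead take `&ka_bytes` and the third keepalive could be dropped. `create_x509_crl` in crl.rs gets the same extra `ka` in this commit. The function body starts and ends outside this hunk.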
@@ -32,8 +32,9 @@ pub(crate) fn find_in_pem( } pub(crate) fn encode_name<'p>( - py: pyo3::Python<'p>, - py_name: &pyo3::Bound<'p, pyo3::PyAny>, + py: pyo3::Python<'_>, + ka: &'p cryptography_keepalive::KeepAlive, + py_name: &pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult> { let mut rdns = vec![]; @@ -42,7 +43,7 @@ pub(crate) fn encode_name<'p>( let mut attrs = vec![]; for py_attr in py_rdn.iter()? { - attrs.push(encode_name_entry(py, &py_attr?)?); + attrs.push(encode_name_entry(py, ka, &py_attr?)?); } rdns.push(asn1::SetOfWriter::new(attrs)); } 
@@ -52,36 +53,38 @@ pub(crate) fn encode_name<'p>( } pub(crate) fn encode_name_entry<'p>( - py: pyo3::Python<'p>, - py_name_entry: &pyo3::Bound<'p, pyo3::PyAny>, + py: pyo3::Python<'_>, + ka: &'p cryptography_keepalive::KeepAlive, + py_name_entry: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { let attr_type = py_name_entry.getattr(pyo3::intern!(py, "_type"))?; let tag = attr_type .getattr(pyo3::intern!(py, "value"))? .extract::()?; - let value: &[u8] = if !attr_type.is(&types::ASN1_TYPE_BIT_STRING.get(py)?) { - let encoding = if attr_type.is(&types::ASN1_TYPE_BMP_STRING.get(py)?) { - "utf_16_be" - } else if attr_type.is(&types::ASN1_TYPE_UNIVERSAL_STRING.get(py)?) { - "utf_32_be" + let value: pyo3::pybacked::PyBackedBytes = + if !attr_type.is(&types::ASN1_TYPE_BIT_STRING.get(py)?) { + let encoding = if attr_type.is(&types::ASN1_TYPE_BMP_STRING.get(py)?) { + "utf_16_be" + } else if attr_type.is(&types::ASN1_TYPE_UNIVERSAL_STRING.get(py)?) { + "utf_32_be" + } else { + "utf8" + }; + py_name_entry + .getattr(pyo3::intern!(py, "value"))? + .call_method1(pyo3::intern!(py, "encode"), (encoding,))? + .extract()? } else { - "utf8" + py_name_entry + .getattr(pyo3::intern!(py, "value"))? + .extract()? }; - py_name_entry - .getattr(pyo3::intern!(py, "value"))? - .call_method1(pyo3::intern!(py, "encode"), (encoding,))? - .extract()? - } else { - py_name_entry - .getattr(pyo3::intern!(py, "value"))? - .extract()? - }; let py_oid = py_name_entry.getattr(pyo3::intern!(py, "oid"))?; let oid = py_oid_to_oid(py_oid)?; Ok(AttributeTypeValue { type_id: oid, - value: RawTlv::new(asn1::Tag::from_bytes(&[tag])?.0, value), + value: RawTlv::new(asn1::Tag::from_bytes(&[tag])?.0, ka.add(value)), }) } 
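Review bot: Both arms of the rewritten `value` expression in `encode_name_entry` begin with the same `py_name_entry.getattr(pyo3::intern!(py, "value"))?`, and the re-indentation makes the duplication harder to spot. Hoisting it as `let py_value = py_name_entry.getattr(pyo3::intern!(py, "value"))?;` leaves the arms as `py_value.call_method1(pyo3::intern!(py, "encode"), (encoding,))?.extract()?` and `py_value.extract()?`. That puts the only real difference, whether the value is text-encoded first, on one line per arm.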
@@ -90,25 +93,28 @@ fn encode_name_bytes<'p>( py: pyo3::Python<'p>, py_name: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - let name = encode_name(py, py_name)?; + let ka = cryptography_keepalive::KeepAlive::new(); + let name = encode_name(py, &ka, py_name)?; let result = asn1::write_single(&name)?; Ok(pyo3::types::PyBytes::new_bound(py, &result)) } pub(crate) fn encode_general_names<'a>( - py: pyo3::Python<'a>, + py: pyo3::Python<'_>, + ka: &'a cryptography_keepalive::KeepAlive, py_gns: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result>, CryptographyError> { let mut gns = vec![]; for el in py_gns.iter()? { - let gn = encode_general_name(py, &el?)?; + let gn = encode_general_name(py, ka, &el?)?; gns.push(gn); } Ok(gns) } pub(crate) fn encode_general_name<'a>( - py: pyo3::Python<'a>, + py: pyo3::Python<'_>, + ka: &'a cryptography_keepalive::KeepAlive, gn: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result, CryptographyError> { let gn_type = gn.get_type(); @@ -123,7 +129,7 @@ pub(crate) fn encode_general_name<'a>( gn_value.extract::<&str>()?, ))) } else if gn_type.is(&types::DIRECTORY_NAME.get(py)?) { - let name = encode_name(py, &gn_value)?; + let name = encode_name(py, ka, &gn_value)?; Ok(GeneralName::DirectoryName(name)) } else if gn_type.is(&types::OTHER_NAME.get(py)?) { let py_oid = gn.getattr(pyo3::intern!(py, "type_id"))?; 
@@ -159,12 +165,13 @@ pub(crate) fn encode_access_descriptions<'a>( py_ads: &pyo3::Bound<'a, pyo3::PyAny>, ) -> CryptographyResult> { let mut ads = vec![]; + let ka = cryptography_keepalive::KeepAlive::new(); for py_ad in py_ads.iter()? { let py_ad = py_ad?; let py_oid = py_ad.getattr(pyo3::intern!(py, "access_method"))?; let access_method = py_oid_to_oid(py_oid)?; - let access_location = - encode_general_name(py, &py_ad.getattr(pyo3::intern!(py, "access_location"))?)?; + let py_access_location = py_ad.getattr(pyo3::intern!(py, "access_location"))?; + let access_location = encode_general_name(py, &ka, &py_access_location)?; ads.push(AccessDescription { access_method, access_location, diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index b3e37e967de7..2d00c308de9a 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -681,13 +681,15 @@ fn create_x509_crl( }); } + let ka = cryptography_keepalive::KeepAlive::new(); + let py_issuer_name = builder.getattr(pyo3::intern!(py, "_issuer_name"))?; let py_this_update = builder.getattr(pyo3::intern!(py, "_last_update"))?; let py_next_update = builder.getattr(pyo3::intern!(py, "_next_update"))?; let tbs_cert_list = crl::TBSCertList { version: Some(1), signature: sigalg.clone(), - issuer: x509::common::encode_name(py, &py_issuer_name)?, + issuer: x509::common::encode_name(py, &ka, &py_issuer_name)?, this_update: x509::certificate::time_from_py(py, &py_this_update)?, next_update: Some(x509::certificate::time_from_py(py, &py_next_update)?), revoked_certificates: if revoked_certs.is_empty() { diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 240f7f5d6dac..03f49b5420b1 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs 
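Review bot: In `encode_access_descriptions` the keepalive is declared after `let mut ads = vec![];`, although `ads` ends up holding values that borrow from it. Locals are dropped in reverse declaration order, so `ka` is dropped before the vector that refers to it. The compiler evidently accepts this for these types, but `encode_distribution_points` in the same commit declares `ka` first, and following that order here keeps the owner-before-borrower convention consistent. I would move `let ka = cryptography_keepalive::KeepAlive::new();` above `let mut ads = vec![];`. The end of the function is outside this hunk.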
@@ -361,9 +361,11 @@ fn create_x509_csr( let py_subject_name = builder.getattr(pyo3::intern!(py, "_subject_name"))?; + let ka = cryptography_keepalive::KeepAlive::new(); + let csr_info = CertificationRequestInfo { version: 0, - subject: x509::common::encode_name(py, &py_subject_name)?, + subject: x509::common::encode_name(py, &ka, &py_subject_name)?, spki: asn1::parse_single(&spki_bytes)?, attributes: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(attrs)), }; diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 6d1137c34c56..ab5f6d06b847 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -12,7 +12,8 @@ use pyo3::prelude::PyAnyMethods; use pyo3::pybacked::PyBackedStr; fn encode_general_subtrees<'a>( - py: pyo3::Python<'a>, + py: pyo3::Python<'_>, + ka: &'a cryptography_keepalive::KeepAlive, subtrees: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result>, CryptographyError> { if subtrees.is_none() { @@ -20,7 +21,7 @@ fn encode_general_subtrees<'a>( } else { let mut subtree_seq = vec![]; for name in subtrees.iter()? { - let gn = x509::common::encode_general_name(py, &name?)?; + let gn = x509::common::encode_general_name(py, ka, &name?)?; subtree_seq.push(extensions::GeneralSubtree { base: gn, minimum: 0, @@ -44,8 +45,10 @@ pub(crate) fn encode_authority_key_identifier<'a>( authority_cert_serial_number: Option>, } let aki = py_aki.extract::>()?; + + let ka = cryptography_keepalive::KeepAlive::new(); let authority_cert_issuer = if let Some(authority_cert_issuer) = aki.authority_cert_issuer { - let gns = x509::common::encode_general_names(py, &authority_cert_issuer)?; + let gns = x509::common::encode_general_names(py, &ka, &authority_cert_issuer)?; Some(common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(gns), )) 
@@ -79,12 +82,13 @@ pub(crate) fn encode_distribution_points<'p>( reasons: Option>, } + let ka = cryptography_keepalive::KeepAlive::new(); let mut dps = vec![]; for py_dp in py_dps.iter()? { let py_dp = py_dp?.extract::>()?; let crl_issuer = if let Some(py_crl_issuer) = py_dp.crl_issuer { - let gns = x509::common::encode_general_names(py, &py_crl_issuer)?; + let gns = x509::common::encode_general_names(py, &ka, &py_crl_issuer)?; Some(common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(gns), )) @@ -92,14 +96,14 @@ pub(crate) fn encode_distribution_points<'p>( None }; let distribution_point = if let Some(py_full_name) = py_dp.full_name { - let gns = x509::common::encode_general_names(py, &py_full_name)?; + let gns = x509::common::encode_general_names(py, &ka, &py_full_name)?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) } else if let Some(py_relative_name) = py_dp.relative_name { let mut name_entries = vec![]; for py_name_entry in py_relative_name.iter()? { - name_entries.push(x509::common::encode_name_entry(py, &py_name_entry?)?); + name_entries.push(x509::common::encode_name_entry(py, &ka, &py_name_entry?)?); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(name_entries)), @@ -313,6 +317,8 @@ fn encode_issuing_distribution_point( py: pyo3::Python<'_>, ext: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { + let ka = cryptography_keepalive::KeepAlive::new(); + let only_some_reasons = if ext .getattr(pyo3::intern!(py, "only_some_reasons"))? .is_truthy()? 
@@ -325,7 +331,7 @@ fn encode_issuing_distribution_point( }; let distribution_point = if ext.getattr(pyo3::intern!(py, "full_name"))?.is_truthy()? { let py_full_name = ext.getattr(pyo3::intern!(py, "full_name"))?; - let gns = x509::common::encode_general_names(ext.py(), &py_full_name)?; + let gns = x509::common::encode_general_names(ext.py(), &ka, &py_full_name)?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) @@ -335,7 +341,8 @@ fn encode_issuing_distribution_point( { let mut name_entries = vec![]; for py_name_entry in ext.getattr(pyo3::intern!(py, "relative_name"))?.iter()? { - name_entries.push(x509::common::encode_name_entry(ext.py(), &py_name_entry?)?); + let name_entry = x509::common::encode_name_entry(ext.py(), &ka, &py_name_entry?)?; + name_entries.push(name_entry); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(name_entries)), @@ -447,11 +454,13 @@ pub(crate) fn encode_extension( Ok(Some(asn1::write_single(&pc)?)) } &oid::NAME_CONSTRAINTS_OID => { + let ka = cryptography_keepalive::KeepAlive::new(); + let permitted = ext.getattr(pyo3::intern!(py, "permitted_subtrees"))?; let excluded = ext.getattr(pyo3::intern!(py, "excluded_subtrees"))?; let nc = extensions::NameConstraints { - permitted_subtrees: encode_general_subtrees(ext.py(), &permitted)?, - excluded_subtrees: encode_general_subtrees(ext.py(), &excluded)?, + permitted_subtrees: encode_general_subtrees(ext.py(), &ka, &permitted)?, + excluded_subtrees: encode_general_subtrees(ext.py(), &ka, &excluded)?, }; Ok(Some(asn1::write_single(&nc)?)) } 
@@ -466,7 +475,8 @@ pub(crate) fn encode_extension( )?)) } &oid::ISSUER_ALTERNATIVE_NAME_OID | &oid::SUBJECT_ALTERNATIVE_NAME_OID => { - let gns = x509::common::encode_general_names(ext.py(), ext)?; + let ka = cryptography_keepalive::KeepAlive::new(); + let gns = x509::common::encode_general_names(ext.py(), &ka, ext)?; Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::AUTHORITY_KEY_IDENTIFIER_OID => { @@ -496,7 +506,8 @@ pub(crate) fn encode_extension( Ok(Some(asn1::write_single(&asn1::Enumerated::new(value))?)) } &oid::CERTIFICATE_ISSUER_OID => { - let gns = x509::common::encode_general_names(ext.py(), ext)?; + let ka = cryptography_keepalive::KeepAlive::new(); + let gns = x509::common::encode_general_names(ext.py(), &ka, ext)?; Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::INVALIDITY_DATE_OID => { From b48aabacb334e696d8448d6fcd7f03f19087fbb6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Apr 2024 07:02:24 -0400 Subject: [PATCH 0458/1462] Bump argcomplete from 3.2.3 to 3.3.0 (#10813) Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.2.3 to 3.3.0. - [Release notes](https://github.com/kislyuk/argcomplete/releases) - [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/argcomplete/compare/v3.2.3...v3.3.0) --- updated-dependencies: - dependency-name: argcomplete dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ccd015582b2c..d8981f7e7d19 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -7,7 +7,7 @@ alabaster==0.7.16 # via sphinx -argcomplete==3.2.3; python_version >= "3.8" +argcomplete==3.3.0; python_version >= "3.8" # via nox babel==2.14.0 # via sphinx From 34123efcc95ea4bb55a59472580316c48ade5fa5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Apr 2024 07:02:53 -0400 Subject: [PATCH 0459/1462] Bump setuptools from 69.5.0 to 69.5.1 in /.github/requirements (#10814) Bumps [setuptools](https://github.com/pypa/setuptools) from 69.5.0 to 69.5.1. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v69.5.0...v69.5.1) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 149873f7f462..1d3feb3e1960 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -80,9 +80,9 @@ wheel==0.43.0 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==69.5.0 \ - --hash=sha256:3b2dbd8f63dcc6b7c327d0243c2d7dc8c96cc507c016f09221f3787e6e528719 \ - --hash=sha256:8d881f842bfc0e29e93bc98a2e650e8845609adff4d2989ba6c748e67b09d5be +setuptools==69.5.1 \ + --hash=sha256:6c1fccdac05a97e598fb0ae3bbed5904ccb317337a51139dcd51453611bbb987 \ + --hash=sha256:c636ac361bc47580504644275c9ad802c50415c7522212252c033bd15f301f32 # via # -r build-requirements.in # setuptools-rust From b302955627a969533f8f19c36d07680306baede4 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Apr 2024 07:03:08 -0400 Subject: [PATCH 0460/1462] Bump proc-macro2 from 1.0.79 to 1.0.80 in /src/rust (#10815) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.79 to 1.0.80. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.79...1.0.80) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 59bc8f6545e5..fa232467a975 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -277,9 +277,9 @@ checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" [[package]] name = "proc-macro2" -version = "1.0.79" +version = "1.0.80" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e835ff2298f5721608eb1a980ecaee1aef2c132bf95ecc026a11b7bf3c01c02e" +checksum = "a56dea16b0a29e94408b9aa5e2940a4eedbd128a1ba20e8f7ae60fd3d465af0e" dependencies = [ "unicode-ident", ] From e7a00232ec88eb4189994ae7943ac3e0b068602b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Apr 2024 13:11:41 -0400 Subject: [PATCH 0461/1462] Remove one call to `into_gil_ref` (#10816) --- src/rust/src/pkcs7.rs | 11 ++++------- src/rust/src/x509/ocsp.rs | 16 +++++++++------- src/rust/src/x509/ocsp_req.rs | 8 ++++---- src/rust/src/x509/ocsp_resp.rs | 16 +++++++++------- 4 files changed, 26 insertions(+), 25 deletions(-) diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index e0bb14f0f3c5..88714e7b4994 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs 
@@ -11,7 +11,7 @@ use cryptography_x509::{common, oid, pkcs7}; use once_cell::sync::Lazy; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use openssl::pkcs7::Pkcs7; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use pyo3::IntoPy; @@ -160,15 +160,12 @@ fn sign_and_serialize<'p>( }, ]; - let digest = ka_vec.add(asn1::write_single(&x509::ocsp::hash_data( - py, - py_hash_alg, - &data_with_header, - )?)?); + let digest = x509::ocsp::hash_data(py, py_hash_alg, &data_with_header)?; + let digest_wrapped = ka_vec.add(asn1::write_single(&digest.as_bytes())?); authenticated_attrs.push(Attribute { type_id: PKCS7_MESSAGE_DIGEST_OID, values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ - asn1::parse_single(digest).unwrap(), + asn1::parse_single(digest_wrapped).unwrap(), ])), }); diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index 64c6ee2a66bb..97b18bb20bae 100644 --- a/src/rust/src/x509/ocsp.rs +++ b/src/rust/src/x509/ocsp.rs @@ -74,13 +74,15 @@ pub(crate) static HASH_NAME_TO_ALGORITHM_IDENTIFIERS: Lazy< pub(crate) fn certid_new<'p>( py: pyo3::Python<'p>, + ka: &'p cryptography_keepalive::KeepAlive, cert: &'p Certificate, issuer: &'p Certificate, hash_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { let issuer_der = asn1::write_single(&cert.raw.borrow_dependent().tbs_cert.issuer)?; - let issuer_name_hash = hash_data(py, hash_algorithm, &issuer_der)?; - let issuer_key_hash = hash_data( + let issuer_name_hash = + pyo3::pybacked::PyBackedBytes::from(hash_data(py, hash_algorithm, &issuer_der)?); + let issuer_key_hash = pyo3::pybacked::PyBackedBytes::from(hash_data( py, hash_algorithm, issuer 
@@ -90,15 +92,15 @@ pub(crate) fn certid_new<'p>( .spki .subject_public_key .as_bytes(), - )?; + )?); Ok(CertID { hash_algorithm: HASH_NAME_TO_ALGORITHM_IDENTIFIERS[hash_algorithm .getattr(pyo3::intern!(py, "name"))? .extract::<&str>()?] .clone(), - issuer_name_hash, - issuer_key_hash, + issuer_name_hash: ka.add(issuer_name_hash), + issuer_key_hash: ka.add(issuer_key_hash), serial_number: cert.raw.borrow_dependent().tbs_cert.serial, }) } @@ -125,8 +127,8 @@ pub(crate) fn hash_data<'p>( py: pyo3::Python<'p>, py_hash_alg: &pyo3::Bound<'p, pyo3::PyAny>, data: &[u8], -) -> pyo3::PyResult<&'p [u8]> { +) -> pyo3::PyResult> { let mut h = Hash::new(py, py_hash_alg, None)?; h.update_bytes(data)?; - Ok(h.finalize(py)?.into_gil_ref().as_bytes()) + Ok(h.finalize(py)?) } diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 218939dfca75..dd4e5f77eb4d 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -173,6 +173,9 @@ fn create_ocsp_request( let builder_request = builder.getattr(pyo3::intern!(py, "_request"))?; let serial_number_bytes; + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + // Declare outside the if-block so the lifetimes are right. let (py_cert, py_issuer, py_hash, issuer_name_hash, issuer_key_hash): ( pyo3::PyRef<'_, x509::certificate::Certificate>, @@ -183,7 +186,7 @@ fn create_ocsp_request( ); let req_cert = if !builder_request.is_none() { (py_cert, py_issuer, py_hash) = builder_request.extract()?; - ocsp::certid_new(py, &py_cert, &py_issuer, &py_hash)? + ocsp::certid_new(py, &ka_bytes, &py_cert, &py_issuer, &py_hash)? } else { let py_serial: pyo3::Bound<'_, pyo3::types::PyLong>; (issuer_name_hash, issuer_key_hash, py_serial, py_hash) = builder 
@@ -200,9 +203,6 @@ fn create_ocsp_request( )? }; - let ka_vec = cryptography_keepalive::KeepAlive::new(); - let ka_bytes = cryptography_keepalive::KeepAlive::new(); - let extensions = x509::common::encode_extensions( py, &ka_vec, diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index e4038af1aec0..e5718079bcae 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -10,7 +10,7 @@ use cryptography_x509::{ ocsp_resp::{self, OCSPResponse as RawOCSPResponse, SingleResponse as RawSingleResponse}, oid, }; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; use crate::error::{CryptographyError, CryptographyResult}; @@ -669,8 +669,11 @@ fn create_ocsp_response( let py_this_update = py_single_resp.getattr(pyo3::intern!(py, "_this_update"))?; let this_update = asn1::GeneralizedTime::new(py_to_datetime(py, py_this_update)?)?; + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let responses = vec![SingleResponse { - cert_id: ocsp::certid_new(py, &py_cert, &py_issuer, &py_cert_hash_algorithm)?, + cert_id: ocsp::certid_new(py, &ka_bytes, &py_cert, &py_issuer, &py_cert_hash_algorithm)?, cert_status, next_update, this_update, @@ -678,9 +681,10 @@ fn create_ocsp_response( }]; borrowed_cert = responder_cert.borrow(); + let by_key_hash; let responder_id = if responder_encoding.is(&types::OCSP_RESPONDER_ENCODING_HASH.get(py)?) { let sha1 = types::SHA1.get(py)?.call0()?; - ocsp_resp::ResponderId::ByKey(ocsp::hash_data( + by_key_hash = ocsp::hash_data( py, &sha1, borrowed_cert @@ -690,7 +694,8 @@ fn create_ocsp_response( .spki .subject_public_key .as_bytes(), - )?) + )?; + ocsp_resp::ResponderId::ByKey(by_key_hash.as_bytes()) } else { ocsp_resp::ResponderId::ByName( borrowed_cert 
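Review bot: `let by_key_hash;` in `create_ocsp_response` is declared uninitialised ahead of the `if` with no comment, while the same idiom in `create_ocsp_request` carries `// Declare outside the if-block so the lifetimes are right.` I would add a matching line, e.g. `// Declared outside the if-block so the hash outlives `responder_id`, which borrows it.` In the same branch, a short comment that SHA-1 is the digest RFC 6960 specifies for the by-key responder ID would save an auditor from flagging `types::SHA1` as a weak-hash choice. The function body starts and ends outside these hunks.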
@@ -702,9 +707,6 @@ fn create_ocsp_response( ) }; - let ka_vec = cryptography_keepalive::KeepAlive::new(); - let ka_bytes = cryptography_keepalive::KeepAlive::new(); - let tbs_response_data = ocsp_resp::ResponseData { version: 0, produced_at: asn1::GeneralizedTime::new(x509::common::datetime_now(py)?)?, From fa4913e097db602eb73e06e936347206ea3dc9a0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Apr 2024 13:39:06 -0400 Subject: [PATCH 0462/1462] Remove the final call to `into_gil_ref` (#10819) --- src/rust/src/backend/dsa.rs | 6 ++++-- src/rust/src/backend/ec.rs | 6 ++++-- src/rust/src/backend/rsa.rs | 8 +++++--- src/rust/src/backend/utils.rs | 36 +++++++++++++++++++++++++---------- 4 files changed, 39 insertions(+), 17 deletions(-) diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 06143428c7e8..7615521c9cb4 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -77,7 +77,7 @@ impl DsaPrivateKey { let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; signer.sign_init()?; let mut sig = vec![]; - signer.sign_to_vec(data, &mut sig)?; + signer.sign_to_vec(data.as_bytes(), &mut sig)?; Ok(pyo3::types::PyBytes::new_bound(py, &sig)) } @@ -162,7 +162,9 @@ impl DsaPublicKey { let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; verifier.verify_init()?; - let valid = verifier.verify(data, signature.as_bytes()).unwrap_or(false); + let valid = verifier + .verify(data.as_bytes(), signature.as_bytes()) + .unwrap_or(false); if !valid { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err(()), diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index ccba52857621..57f3fadac97c 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs 
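Review bot: In the `impl DsaPublicKey` hunk, `verifier.verify(...).unwrap_or(false)` turns every OpenSSL error into `InvalidSignature`, and nothing says this is intended. Failing closed is the right result for a malformed signature. A short comment would stop a later cleanup from replacing it with `?` and raising a different exception type for bad input: `// Any OpenSSL error (e.g. an unparsable signature) is reported as an invalid signature.` The same pattern is in the ec.rs and rsa.rs verify hunks of this commit. The method starts and ends outside the hunk.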
@@ -311,7 +311,7 @@ impl ECPrivateKey { // easily known a priori (if `r` or `s` has a leading 0, the signature // will be a byte or two shorter than the maximum possible length). let mut sig = vec![]; - signer.sign_to_vec(data, &mut sig)?; + signer.sign_to_vec(data.as_bytes(), &mut sig)?; Ok(pyo3::types::PyBytes::new_bound(py, &sig)) } @@ -408,7 +408,9 @@ impl ECPublicKey { let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; verifier.verify_init()?; - let valid = verifier.verify(data, signature.as_bytes()).unwrap_or(false); + let valid = verifier + .verify(data.as_bytes(), signature.as_bytes()) + .unwrap_or(false); if !valid { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err(()), diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 0cff56d1efba..448af2536ce3 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -296,9 +296,9 @@ impl RsaPrivateKey { })?; setup_signature_ctx(py, &mut ctx, padding, &algorithm, self.pkey.size(), true)?; - let length = ctx.sign(data, None)?; + let length = ctx.sign(data.as_bytes(), None)?; Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { - let length = ctx.sign(data, Some(b)).map_err(|_| { + let length = ctx.sign(data.as_bytes(), Some(b)).map_err(|_| { pyo3::exceptions::PyValueError::new_err( "Digest or salt length too long for key size. Use a larger key or shorter salt length if you are specifying a PSS salt", ) @@ -434,7 +434,9 @@ impl RsaPublicKey { ctx.verify_init()?; setup_signature_ctx(py, &mut ctx, padding, &algorithm, self.pkey.size(), false)?; - let valid = ctx.verify(data, signature.as_bytes()).unwrap_or(false); + let valid = ctx + .verify(data.as_bytes(), signature.as_bytes()) + .unwrap_or(false); if !valid { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err(()), diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index a583a71f196d..21b47a044a67 100644 
--- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -5,7 +5,7 @@ use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; use crate::{error, types}; -use pyo3::prelude::PyAnyMethods; +use pyo3::prelude::{PyAnyMethods, PyBytesMethods}; use pyo3::ToPyObject; pub(crate) fn py_int_to_bn( @@ -354,23 +354,39 @@ pub(crate) fn pkey_public_bytes<'p>( )) } +pub(crate) enum BytesOrPyBytes<'a> { + Bytes(&'a [u8]), + PyBytes(pyo3::Bound<'a, pyo3::types::PyBytes>), +} + +impl BytesOrPyBytes<'_> { + pub(crate) fn as_bytes(&self) -> &[u8] { + match self { + BytesOrPyBytes::Bytes(v) => v, + BytesOrPyBytes::PyBytes(v) => v.as_bytes(), + } + } +} + pub(crate) fn calculate_digest_and_algorithm<'p>( py: pyo3::Python<'p>, - mut data: &'p [u8], + data: &'p [u8], algorithm: &pyo3::Bound<'p, pyo3::PyAny>, -) -> CryptographyResult<(&'p [u8], pyo3::Bound<'p, pyo3::PyAny>)> { - let mut algorithm_result = algorithm.clone(); - if algorithm.is_instance(&types::PREHASHED.get(py)?)? { - algorithm_result = algorithm.getattr("_algorithm")?; +) -> CryptographyResult<(BytesOrPyBytes<'p>, pyo3::Bound<'p, pyo3::PyAny>)> { + let (algorithm, data) = if algorithm.is_instance(&types::PREHASHED.get(py)?)? { + ( + algorithm.getattr("_algorithm")?, + BytesOrPyBytes::Bytes(data), + ) } else { // Potential optimization: rather than allocate a PyBytes in // `h.finalize()`, have a way to get the `DigestBytes` directly. let mut h = Hash::new(py, algorithm, None)?; h.update_bytes(data)?; - data = h.finalize(py)?.into_gil_ref().as_bytes(); - } + (algorithm.clone(), BytesOrPyBytes::PyBytes(h.finalize(py)?)) + }; - if data.len() != algorithm.getattr("digest_size")?.extract()? { + if data.as_bytes().len() != algorithm.getattr("digest_size")?.extract()? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "The provided data must be the same length as the hash algorithm's digest size.", 
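Review bot: The new `BytesOrPyBytes` enum has no doc comment explaining why it exists. From the hunk, the `PyBytes` variant holds the `Bound` object returned by `h.finalize(py)`, so the slice from `as_bytes()` borrows from a value the caller owns; this replaces the earlier `into_gil_ref()` borrow. Stating that on the type would make the ownership rule clear to the dsa.rs, ec.rs and rsa.rs callers, for example `/// Digest bytes, either borrowed from the caller (prehashed input) or owned as a Python bytes object (freshly hashed).` Separately, `getattr("_algorithm")` and `getattr("digest_size")` use plain string literals where other hunks use `pyo3::intern!`.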
@@ -378,7 +394,7 @@ pub(crate) fn calculate_digest_and_algorithm<'p>( )); } - Ok((data, algorithm_result)) + Ok((data, algorithm)) } pub(crate) enum PasswordCallbackStatus { From 2334fc0fe9f4055d402a221237fab1d6fd6ee871 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Apr 2024 14:39:20 -0400 Subject: [PATCH 0463/1462] Fix things for the removal of `gil-refs` on Python <3.10 (#10820) --- src/rust/src/backend/ec.rs | 2 +- src/rust/src/oid.rs | 2 +- src/rust/src/pkcs12.rs | 7 +++++-- src/rust/src/pkcs7.rs | 6 +++--- src/rust/src/x509/common.rs | 2 +- src/rust/src/x509/ocsp.rs | 6 +++--- src/rust/src/x509/sign.rs | 4 ++-- 7 files changed, 16 insertions(+), 13 deletions(-) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 57f3fadac97c..237a57033dfe 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -45,7 +45,7 @@ fn curve_from_py_curve( } let py_curve_name = py_curve.getattr(pyo3::intern!(py, "name"))?; - let nid = match py_curve_name.extract()? { + let nid = match &*py_curve_name.extract::()? { "secp192r1" => openssl::nid::Nid::X9_62_PRIME192V1, "secp224r1" => openssl::nid::Nid::SECP224R1, "secp256r1" => openssl::nid::Nid::X9_62_PRIME256V1, diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index 0932dbc7935c..66aef8a882ab 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs @@ -46,7 +46,7 @@ impl ObjectIdentifier { Ok(format!( "", slf.get().oid, - name.extract::<&str>()? + name.extract::()? )) } diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 225b929864e4..ec2552425576 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -60,8 +60,11 @@ impl PKCS12Certificate { let py_friendly_name_repr; let friendly_name_repr = match &self.friendly_name { Some(v) => { - py_friendly_name_repr = v.bind(py).repr()?; - py_friendly_name_repr.extract()? + py_friendly_name_repr = v + .bind(py) + .repr()? + .extract::()?; + &*py_friendly_name_repr } None => "None", }; 
diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 88714e7b4994..4cfa3067ac20 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -195,10 +195,10 @@ fn sign_and_serialize<'p>( ) }; - let digest_alg = x509::ocsp::HASH_NAME_TO_ALGORITHM_IDENTIFIERS[py_hash_alg + let digest_alg = x509::ocsp::HASH_NAME_TO_ALGORITHM_IDENTIFIERS[&*py_hash_alg .getattr(pyo3::intern!(py, "name"))? - .extract::<&str>()?] - .clone(); + .extract::()?] + .clone(); // Technically O(n^2), but no one will have that many signers. if !digest_algs.contains(&digest_alg) { digest_algs.push(digest_alg.clone()); diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 548c810a8db8..896788a0c079 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -340,7 +340,7 @@ fn create_ip_network( let net = format!( "{}/{}", base.getattr(pyo3::intern!(py, "exploded"))? - .extract::<&str>()?, + .extract::()?, prefix? ); let addr = types::IPADDRESS_IPNETWORK.get(py)?.call1((net,))?; diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index 97b18bb20bae..4588c41aef39 100644 --- a/src/rust/src/x509/ocsp.rs +++ b/src/rust/src/x509/ocsp.rs @@ -95,10 +95,10 @@ pub(crate) fn certid_new<'p>( )?); Ok(CertID { - hash_algorithm: HASH_NAME_TO_ALGORITHM_IDENTIFIERS[hash_algorithm + hash_algorithm: HASH_NAME_TO_ALGORITHM_IDENTIFIERS[&*hash_algorithm .getattr(pyo3::intern!(py, "name"))? - .extract::<&str>()?] - .clone(), + .extract::()?] + .clone(), issuer_name_hash: ka.add(issuer_name_hash), issuer_key_hash: ka.add(issuer_key_hash), serial_number: cert.raw.borrow_dependent().tbs_cert.serial, diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index b0acbfa39763..f8068c9835dc 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs 
@@ -85,9 +85,9 @@ fn identify_hash_type( )); } - match hash_algorithm + match &*hash_algorithm .getattr(pyo3::intern!(py, "name"))? - .extract()? + .extract::()? { "sha224" => Ok(HashType::Sha224), "sha256" => Ok(HashType::Sha256), From 194570150d1d83c8b3e30dff4f2bf38c7fbecff8 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Apr 2024 14:52:15 -0400 Subject: [PATCH 0464/1462] Finish removal of `gil-refs` feature from pyo3 (#10812) --- src/rust/Cargo.toml | 2 +- src/rust/src/x509/common.rs | 30 +++++++++--------- src/rust/src/x509/extensions.rs | 55 ++++++++++++++++++++++----------- 3 files changed, 54 insertions(+), 33 deletions(-) diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index a9229587b1ef..8fafedd8e136 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -10,7 +10,7 @@ rust-version = "1.65.0" [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.21.1", features = ["abi3", "gil-refs"] } +pyo3 = { version = "0.21.1", features = ["abi3"] } asn1 = { version = "0.16.1", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 896788a0c079..820bf91b69c6 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -101,12 +101,13 @@ fn encode_name_bytes<'p>( pub(crate) fn encode_general_names<'a>( py: pyo3::Python<'_>, - ka: &'a cryptography_keepalive::KeepAlive, + ka_bytes: &'a cryptography_keepalive::KeepAlive, + ka_str: &'a cryptography_keepalive::KeepAlive, py_gns: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result>, CryptographyError> { let mut gns = vec![]; for el in py_gns.iter()? { - let gn = encode_general_name(py, ka, &el?)?; + let gn = encode_general_name(py, ka_bytes, ka_str, &el?)?; gns.push(gn); } Ok(gns) 
@@ -114,7 +115,8 @@ pub(crate) fn encode_general_names<'a>( pub(crate) fn encode_general_name<'a>( py: pyo3::Python<'_>, - ka: &'a cryptography_keepalive::KeepAlive, + ka_bytes: &'a cryptography_keepalive::KeepAlive, + ka_str: &'a cryptography_keepalive::KeepAlive, gn: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result, CryptographyError> { let gn_type = gn.get_type(); @@ -122,20 +124,20 @@ pub(crate) fn encode_general_name<'a>( if gn_type.is(&types::DNS_NAME.get(py)?) { Ok(GeneralName::DNSName(UnvalidatedIA5String( - gn_value.extract::<&str>()?, + ka_str.add(gn_value.extract()?), ))) } else if gn_type.is(&types::RFC822_NAME.get(py)?) { Ok(GeneralName::RFC822Name(UnvalidatedIA5String( - gn_value.extract::<&str>()?, + ka_str.add(gn_value.extract()?), ))) } else if gn_type.is(&types::DIRECTORY_NAME.get(py)?) { - let name = encode_name(py, ka, &gn_value)?; + let name = encode_name(py, ka_bytes, &gn_value)?; Ok(GeneralName::DirectoryName(name)) } else if gn_type.is(&types::OTHER_NAME.get(py)?) { let py_oid = gn.getattr(pyo3::intern!(py, "type_id"))?; Ok(GeneralName::OtherName(OtherName { type_id: py_oid_to_oid(py_oid)?, - value: asn1::parse_single(gn_value.extract::<&[u8]>()?).map_err(|e| { + value: asn1::parse_single(ka_bytes.add(gn_value.extract()?)).map_err(|e| { pyo3::exceptions::PyValueError::new_err(format!( "OtherName value must be valid DER: {e:?}" )) 
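Review bot: In `encode_general_name`, the calls `ka_str.add(gn_value.extract()?)` and `ka_bytes.add(gn_value.extract()?)` no longer name the extracted type, where the removed lines spelled out `&str` and `&[u8]`. The type is now inferred from the keepalive's element type. Writing the turbofish, e.g. `gn_value.extract::<pyo3::pybacked::PyBackedStr>()?` (assuming the string keepalive stores `PyBackedStr`), keeps the str-versus-bytes expectation visible at each GeneralName arm. The same applies to the URI and IP address arms in the next hunk. The function continues outside this hunk.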
@@ -143,13 +145,12 @@ pub(crate) fn encode_general_name<'a>( })) } else if gn_type.is(&types::UNIFORM_RESOURCE_IDENTIFIER.get(py)?) { Ok(GeneralName::UniformResourceIdentifier( - UnvalidatedIA5String(gn_value.extract::<&str>()?), + UnvalidatedIA5String(ka_str.add(gn_value.extract()?)), )) } else if gn_type.is(&types::IP_ADDRESS.get(py)?) { - Ok(GeneralName::IPAddress( - gn.call_method0(pyo3::intern!(py, "_packed"))? - .extract::<&[u8]>()?, - )) + Ok(GeneralName::IPAddress(ka_bytes.add( + gn.call_method0(pyo3::intern!(py, "_packed"))?.extract()?, + ))) } else if gn_type.is(&types::REGISTERED_ID.get(py)?) { let oid = py_oid_to_oid(gn_value)?; Ok(GeneralName::RegisteredID(oid)) @@ -165,13 +166,14 @@ pub(crate) fn encode_access_descriptions<'a>( py_ads: &pyo3::Bound<'a, pyo3::PyAny>, ) -> CryptographyResult> { let mut ads = vec![]; - let ka = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let ka_str = cryptography_keepalive::KeepAlive::new(); for py_ad in py_ads.iter()? { let py_ad = py_ad?; let py_oid = py_ad.getattr(pyo3::intern!(py, "access_method"))?; let access_method = py_oid_to_oid(py_oid)?; let py_access_location = py_ad.getattr(pyo3::intern!(py, "access_location"))?; - let access_location = encode_general_name(py, &ka, &py_access_location)?; + let access_location = encode_general_name(py, &ka_bytes, &ka_str, &py_access_location)?; ads.push(AccessDescription { access_method, access_location, diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index ab5f6d06b847..2e9f3d174eca 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs 
@@ -13,7 +13,8 @@ use pyo3::pybacked::PyBackedStr; fn encode_general_subtrees<'a>( py: pyo3::Python<'_>, - ka: &'a cryptography_keepalive::KeepAlive, + ka_bytes: &'a cryptography_keepalive::KeepAlive, + ka_str: &'a cryptography_keepalive::KeepAlive, subtrees: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result>, CryptographyError> { if subtrees.is_none() { @@ -21,7 +22,7 @@ fn encode_general_subtrees<'a>( } else { let mut subtree_seq = vec![]; for name in subtrees.iter()? { - let gn = x509::common::encode_general_name(py, ka, &name?)?; + let gn = x509::common::encode_general_name(py, ka_bytes, ka_str, &name?)?; subtree_seq.push(extensions::GeneralSubtree { base: gn, minimum: 0, @@ -46,9 +47,11 @@ pub(crate) fn encode_authority_key_identifier<'a>( } let aki = py_aki.extract::>()?; - let ka = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let ka_str = cryptography_keepalive::KeepAlive::new(); let authority_cert_issuer = if let Some(authority_cert_issuer) = aki.authority_cert_issuer { - let gns = x509::common::encode_general_names(py, &ka, &authority_cert_issuer)?; + let gns = + x509::common::encode_general_names(py, &ka_bytes, &ka_str, &authority_cert_issuer)?; Some(common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(gns), )) @@ -82,13 +85,14 @@ pub(crate) fn encode_distribution_points<'p>( reasons: Option>, } - let ka = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let ka_str = cryptography_keepalive::KeepAlive::new(); let mut dps = vec![]; for py_dp in py_dps.iter()? { let py_dp = py_dp?.extract::>()?; let crl_issuer = if let Some(py_crl_issuer) = py_dp.crl_issuer { - let gns = x509::common::encode_general_names(py, &ka, &py_crl_issuer)?; + let gns = x509::common::encode_general_names(py, &ka_bytes, &ka_str, &py_crl_issuer)?; Some(common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(gns), )) 
@@ -96,14 +100,15 @@ pub(crate) fn encode_distribution_points<'p>( None }; let distribution_point = if let Some(py_full_name) = py_dp.full_name { - let gns = x509::common::encode_general_names(py, &ka, &py_full_name)?; + let gns = x509::common::encode_general_names(py, &ka_bytes, &ka_str, &py_full_name)?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) } else if let Some(py_relative_name) = py_dp.relative_name { let mut name_entries = vec![]; for py_name_entry in py_relative_name.iter()? { - name_entries.push(x509::common::encode_name_entry(py, &ka, &py_name_entry?)?); + let ne = x509::common::encode_name_entry(py, &ka_bytes, &py_name_entry?)?; + name_entries.push(ne); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(name_entries)), @@ -317,7 +322,8 @@ fn encode_issuing_distribution_point( py: pyo3::Python<'_>, ext: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - let ka = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let ka_str = cryptography_keepalive::KeepAlive::new(); let only_some_reasons = if ext .getattr(pyo3::intern!(py, "only_some_reasons"))? @@ -331,7 +337,7 @@ fn encode_issuing_distribution_point( }; let distribution_point = if ext.getattr(pyo3::intern!(py, "full_name"))?.is_truthy()? { let py_full_name = ext.getattr(pyo3::intern!(py, "full_name"))?; - let gns = x509::common::encode_general_names(ext.py(), &ka, &py_full_name)?; + let gns = x509::common::encode_general_names(ext.py(), &ka_bytes, &ka_str, &py_full_name)?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) 
@@ -341,7 +347,7 @@ fn encode_issuing_distribution_point( { let mut name_entries = vec![]; for py_name_entry in ext.getattr(pyo3::intern!(py, "relative_name"))?.iter()? { - let name_entry = x509::common::encode_name_entry(ext.py(), &ka, &py_name_entry?)?; + let name_entry = x509::common::encode_name_entry(ext.py(), &ka_bytes, &py_name_entry?)?; name_entries.push(name_entry); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( @@ -454,13 +460,24 @@ pub(crate) fn encode_extension( Ok(Some(asn1::write_single(&pc)?)) } &oid::NAME_CONSTRAINTS_OID => { - let ka = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let ka_str = cryptography_keepalive::KeepAlive::new(); let permitted = ext.getattr(pyo3::intern!(py, "permitted_subtrees"))?; let excluded = ext.getattr(pyo3::intern!(py, "excluded_subtrees"))?; let nc = extensions::NameConstraints { - permitted_subtrees: encode_general_subtrees(ext.py(), &ka, &permitted)?, - excluded_subtrees: encode_general_subtrees(ext.py(), &ka, &excluded)?, + permitted_subtrees: encode_general_subtrees( + ext.py(), + &ka_bytes, + &ka_str, + &permitted, + )?, + excluded_subtrees: encode_general_subtrees( + ext.py(), + &ka_bytes, + &ka_str, + &excluded, + )?, }; Ok(Some(asn1::write_single(&nc)?)) } @@ -475,8 +492,9 @@ pub(crate) fn encode_extension( )?)) } &oid::ISSUER_ALTERNATIVE_NAME_OID | &oid::SUBJECT_ALTERNATIVE_NAME_OID => { - let ka = cryptography_keepalive::KeepAlive::new(); - let gns = x509::common::encode_general_names(ext.py(), &ka, ext)?; + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let ka_str = cryptography_keepalive::KeepAlive::new(); + let gns = x509::common::encode_general_names(ext.py(), &ka_bytes, &ka_str, ext)?; Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::AUTHORITY_KEY_IDENTIFIER_OID => { 
@@ -506,8 +524,9 @@ pub(crate) fn encode_extension( Ok(Some(asn1::write_single(&asn1::Enumerated::new(value))?)) } &oid::CERTIFICATE_ISSUER_OID => { - let ka = cryptography_keepalive::KeepAlive::new(); - let gns = x509::common::encode_general_names(ext.py(), &ka, ext)?; + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let ka_str = cryptography_keepalive::KeepAlive::new(); + let gns = x509::common::encode_general_names(ext.py(), &ka_bytes, &ka_str, ext)?; Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::INVALIDITY_DATE_OID => { From ce03d928e0ece36c6f9a898117fa36377b0b1c91 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Apr 2024 15:37:49 -0400 Subject: [PATCH 0465/1462] Consistently use `wrap_pyfunction_bound` (#10821) --- src/rust/src/backend/ciphers.rs | 10 +++++----- src/rust/src/backend/rsa.rs | 2 +- src/rust/src/pkcs12.rs | 7 +++++-- 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 9fe9550b34c9..bfcd91096b3b 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs 
@@ -559,12 +559,12 @@ pub(crate) fn create_module( py: pyo3::Python<'_>, ) -> pyo3::PyResult> { let m = pyo3::prelude::PyModule::new_bound(py, "ciphers")?; - m.add_function(pyo3::wrap_pyfunction!(create_encryption_ctx, &m)?)?; - m.add_function(pyo3::wrap_pyfunction!(create_decryption_ctx, &m)?)?; - m.add_function(pyo3::wrap_pyfunction!(cipher_supported, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(create_encryption_ctx, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(create_decryption_ctx, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(cipher_supported, &m)?)?; - m.add_function(pyo3::wrap_pyfunction!(_advance, &m)?)?; - m.add_function(pyo3::wrap_pyfunction!(_advance_aad, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(_advance, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(_advance_aad, &m)?)?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 448af2536ce3..20b61c718ff0 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -817,7 +817,7 @@ pub(crate) fn create_module( py: pyo3::Python<'_>, ) -> pyo3::PyResult> { let m = pyo3::prelude::PyModule::new_bound(py, "rsa")?; - m.add_function(pyo3::wrap_pyfunction!(generate_private_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(generate_private_key, &m)?)?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index ec2552425576..51116c52557e 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs 
@@ -318,8 +318,11 @@ pub(crate) fn create_submodule( ) -> pyo3::PyResult> { let submod = pyo3::prelude::PyModule::new_bound(py, "pkcs12")?; - submod.add_function(pyo3::wrap_pyfunction!(load_key_and_certificates, &submod)?)?; - submod.add_function(pyo3::wrap_pyfunction!(load_pkcs12, &submod)?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!( + load_key_and_certificates, + &submod + )?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!(load_pkcs12, &submod)?)?; submod.add_class::()?; From 4ad307c5f5dc282cc28c1f2b0c5d5b3cb3be15e6 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 16 Apr 2024 00:13:48 +0000 Subject: [PATCH 0466/1462] Bump BoringSSL and/or OpenSSL in CI (#10822) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f8f19263872b..50431840a02a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Apr 13, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "1c6e10495e4f69cf9e5fd4e363d580ff1fdb1a96"}} - # Latest commit on the OpenSSL master branch, as of Apr 13, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d4188f24866f88b4269110ce86f9545edd44c846"}} + # Latest commit on the OpenSSL master branch, as of Apr 16, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "bd73e1e62c4103e0faffb79cb3d34a2a92a95439"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From b2c893d9cb5ce0cf0a42a30509aef048d123f61f Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 16 Apr 2024 00:58:47 +0000 Subject: [PATCH 0467/1462] Bump x509-limbo and/or wycheproof in CI (#10823) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index c7d18e3acb39..c383fd9d02fc 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Apr 10, 2024. - ref: "7861a8249dcce920d887e6e27adc9657c1be8319" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Apr 16, 2024. + ref: "de8f18fe4f00b67b3a3d1e50a1ef4ec6ff817ed2" # x509-limbo-ref From f3213354c70da0b96a75c737f1f998e0371a106c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Apr 2024 02:19:59 +0000 Subject: [PATCH 0468/1462] Bump nox from 2024.3.2 to 2024.4.15 (#10824) Bumps [nox](https://github.com/wntrblm/nox) from 2024.3.2 to 2024.4.15. - [Release notes](https://github.com/wntrblm/nox/releases) - [Changelog](https://github.com/wntrblm/nox/blob/main/CHANGELOG.md) - [Commits](https://github.com/wntrblm/nox/compare/2024.03.02...2024.04.15) --- updated-dependencies: - dependency-name: nox dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d8981f7e7d19..cf251904bb54 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -58,7 +58,7 @@ mypy-extensions==1.0.0 # via mypy nh3==0.2.17 # via readme-renderer -nox==2024.3.2 +nox==2024.4.15 # via cryptography (pyproject.toml) packaging==24.0 # via From a2354879d7c68f117770fb5a9cdcfef98873d6fb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Apr 2024 02:23:20 +0000 Subject: [PATCH 0469/1462] Bump syn from 2.0.58 to 2.0.59 in /src/rust (#10825) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.58 to 2.0.59. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.58...2.0.59) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index fa232467a975..5d3128cf7bc0 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -385,9 +385,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.58" +version = "2.0.59" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44cfb93f38070beee36b3fef7d4f5a16f27751d94b187b666a5cc5e9b0d30687" +checksum = "4a6531ffc7b071655e4ce2e04bd464c4830bb585a61cabb96cf808f05172615a" dependencies = [ "proc-macro2", "quote", From 48751c89c1ef95eab79ddb2aa4d7b043abe4ab65 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Apr 2024 06:41:43 -0400 Subject: [PATCH 0470/1462] Bump pyo3 from 0.21.1 to 0.21.2 in /src/rust (#10827) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.21.1 to 0.21.2. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/v0.21.2/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.21.1...v0.21.2) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 20 ++++++++++---------- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-keepalive/Cargo.toml | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 5d3128cf7bc0..b5419a3642f6 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -286,9 +286,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.21.1" +version = "0.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a7a8b1990bd018761768d5e608a13df8bd1ac5f678456e0f301bb93e5f3ea16b" +checksum = "a5e00b96a521718e08e03b1a622f01c8a8deb50719335de3f60b3b3950f069d8" dependencies = [ "cfg-if", "indoc", @@ -304,9 +304,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.21.1" +version = "0.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "650dca34d463b6cdbdb02b1d71bfd6eb6b6816afc708faebb3bac1380ff4aef7" +checksum = "7883df5835fafdad87c0d888b266c8ec0f4c9ca48a5bed6bbb592e8dedee1b50" dependencies = [ "once_cell", "target-lexicon", 
@@ -314,9 +314,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.21.1" +version = "0.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "09a7da8fc04a8a2084909b59f29e1b8474decac98b951d77b80b26dc45f046ad" +checksum = "01be5843dc60b916ab4dad1dca6d20b9b4e6ddc8e15f50c47fe6d85f1fb97403" dependencies = [ "libc", "pyo3-build-config", @@ -324,9 +324,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.21.1" +version = "0.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4b8a199fce11ebb28e3569387228836ea98110e43a804a530a9fd83ade36d513" +checksum = "77b34069fc0682e11b31dbd10321cbf94808394c56fd996796ce45217dfac53c" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -336,9 +336,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.21.1" +version = "0.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "93fbbfd7eb553d10036513cb122b888dcd362a945a00b06c165f2ab480d4cc3b" +checksum = "08260721f32db5e1a5beae69a55553f56b99bd0e1c3e6e0a5e8851a9d0f5a85c" dependencies = [ "heck", "proc-macro2", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 8fafedd8e136..c3a006aff3e6 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -10,7 +10,7 @@ rust-version = "1.65.0" [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.21.1", features = ["abi3"] } +pyo3 = { version = "0.21.2", features = ["abi3"] } asn1 = { version = "0.16.1", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 405fb7dc4836..0cdf9d949082 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml 
@@ -8,7 +8,7 @@ publish = false rust-version = "1.65.0" [dependencies] -pyo3 = { version = "0.21.1", features = ["abi3"] } +pyo3 = { version = "0.21.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml index d37e8fa4fe9d..c3a1c24e912d 100644 --- a/src/rust/cryptography-keepalive/Cargo.toml +++ b/src/rust/cryptography-keepalive/Cargo.toml @@ -8,4 +8,4 @@ publish = false rust-version = "1.65.0" [dependencies] -pyo3 = { version = "0.21.1", features = ["abi3"] } +pyo3 = { version = "0.21.2", features = ["abi3"] } From 3130e8d5c0891b40a69fde5b22cfad36cc2f9616 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 16 Apr 2024 08:13:48 -0400 Subject: [PATCH 0471/1462] Drop explicit OpenSSL 1.1.1, rely on distros (#10828) Distro is the only reason we care about 1.1.1 at this point, it's EOL from upstream --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 50431840a02a..a73a60763d59 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -32,7 +32,6 @@ jobs: - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1w"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.13"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.5"}} - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} From 126c144aeece8de9b9715932371d2cf220452ad4 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 16 Apr 2024 07:23:40 -0500 Subject: [PATCH 0472/1462] Update testing docs (#10829) --- docs/installation.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/installation.rst b/docs/installation.rst index c97dfaeab41c..2d74b158c61d 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -31,10 +31,10 @@ We test compiling with ``clang`` as well as ``gcc`` and use the following OpenSSL releases in addition to distribution provided releases from the above supported platforms: -* ``OpenSSL 1.1.1-latest`` * ``OpenSSL 3.0-latest`` * ``OpenSSL 3.1-latest`` * ``OpenSSL 3.2-latest`` +* ``OpenSSL 3.3-latest`` We also test against the latest commit of BoringSSL as well as versions of LibreSSL that are receiving security support at the time of a given From 29494e96ccfd54bbd4a2e9ab77a9c2d2a29d2626 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 16 Apr 2024 08:28:54 -0400 Subject: [PATCH 0473/1462] Add testing with Ubuntu 24.04 in advance of its release (#10830) --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a73a60763d59..dad2c1c050d5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -157,6 +157,7 @@ jobs: - {IMAGE: "sid", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "ubuntu-focal", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "ubuntu-jammy", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} + - {IMAGE: "ubuntu-noble", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "ubuntu-rolling", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "fedora", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "alpine", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} From 368e3505d583a358c4c52f43d19ed861493a8e5d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 16 Apr 2024 09:40:29 -0400 Subject: [PATCH 0474/1462] Document that we test with ubuntu 24.04 (#10831) --- docs/installation.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/installation.rst b/docs/installation.rst index 2d74b158c61d..979ae344332a 100644 --- a/docs/installation.rst 
+++ b/docs/installation.rst @@ -20,7 +20,7 @@ operating systems. * x86-64 CentOS 9 Stream * x86-64 Fedora (latest) * x86-64 macOS 13 Ventura and ARM64 macOS 14 Sonoma -* x86-64 Ubuntu 20.04, 22.04, rolling +* x86-64 Ubuntu 20.04, 22.04, 24.04, rolling * ARM64 Ubuntu 22.04 * x86-64 Debian Buster (10.x), Bullseye (11.x), Bookworm (12.x), Trixie (13.x), and Sid (unstable) From c48f2be91ff0240af4a62086381ec2d479bc9400 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 16 Apr 2024 18:17:25 -0400 Subject: [PATCH 0475/1462] Allow triggering benchmark job to compare against a different base (#10832) --- .github/workflows/benchmark.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 91de604df56f..3508b40bace5 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -5,6 +5,11 @@ on: - '.github/workflows/benchmark.yml' - 'src/**' - 'tests/**' + workflow_dispatch: + inputs: + base_commit: + description: The base commit to compare against + permissions: contents: read @@ -31,7 +36,7 @@ jobs: with: repository: "pyca/cryptography" path: "cryptography-base" - ref: "${{ github.base_ref }}" + ref: "${{ github.event.inputs.version || github.base_ref }}" - name: Clone test vectors timeout-minutes: 2 uses: ./cryptography-base/.github/actions/fetch-vectors From 3297ff9a728190668bdfd3d1a13cfe797e8d46e9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 16 Apr 2024 18:24:43 -0400 Subject: [PATCH 0476/1462] fix typo in benchmark.yml (#10833) --- .github/workflows/benchmark.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 3508b40bace5..b731d9188e1c 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml 
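Review bot: The `ref:` expression in the second benchmark.yml hunk reads `github.event.inputs.version`, but the only input declared under `workflow_dispatch` in the first hunk is `base_commit`, so a manually supplied base is never used; the line should read `ref: "${{ github.event.inputs.base_commit || github.base_ref }}"`. Even with the name corrected, a manual run that leaves the input empty has no `github.base_ref` to fall back on, since that value is populated only for pull-request events. The checkout then presumably resolves its own default ref, and the benchmark may compare against an unintended base without any error. Marking the input `required: true`, or adding a comment above `ref:` such as `# empty on manual runs without base_commit: checkout picks its default ref`, would make this explicit. Because the following step runs `./cryptography-base/.github/actions/fetch-vectors` from this checkout, the chosen ref also decides which copy of that local action executes, which deserves a short comment next to the input description.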
@@ -36,7 +36,7 @@ jobs: with: repository: "pyca/cryptography" path: "cryptography-base" - ref: "${{ github.event.inputs.version || github.base_ref }}" + ref: "${{ github.event.inputs.base_commit || github.base_ref }}" - name: Clone test vectors timeout-minutes: 2 uses: ./cryptography-base/.github/actions/fetch-vectors From 6ea3663381466acdfde45f0ce2fe28cd92c39b69 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 16 Apr 2024 20:25:55 -0400 Subject: [PATCH 0477/1462] Bump BoringSSL and/or OpenSSL in CI (#10834) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dad2c1c050d5..d3650608393a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Apr 13, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "1c6e10495e4f69cf9e5fd4e363d580ff1fdb1a96"}} - # Latest commit on the OpenSSL master branch, as of Apr 16, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "bd73e1e62c4103e0faffb79cb3d34a2a92a95439"}} + # Latest commit on the OpenSSL master branch, as of Apr 17, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c062403abd71550057b3647b01cc8af4cc2fc18c"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From ff79c37f07b32b6a285a7c2c19f3b38c0e9f97cc Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 17 Apr 2024 00:52:37 +0000 Subject: [PATCH 0478/1462] Bump x509-limbo and/or wycheproof in CI (#10835) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index c383fd9d02fc..ee4c29fa9d19 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Apr 16, 2024. - ref: "de8f18fe4f00b67b3a3d1e50a1ef4ec6ff817ed2" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Apr 17, 2024. + ref: "77e23f751aae6c914a906eface407ffd9762111a" # x509-limbo-ref From 782517b7df2da6fd06b36ad095464901f6401eba Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Apr 2024 10:37:01 +0000 Subject: [PATCH 0479/1462] Bump virtualenv from 20.25.1 to 20.25.2 (#10837) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.25.1 to 20.25.2. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.25.1...20.25.2) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index cf251904bb54..435032cca9ec 100644 --- a/ci-constraints-requirements.txt 
+++ b/ci-constraints-requirements.txt @@ -150,7 +150,7 @@ typing-extensions==4.11.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests -virtualenv==20.25.1 +virtualenv==20.25.2 # via nox # The following packages are considered to be unsafe in a requirements file: From bde2876a431253d53db9913dcb228ebb40f17f45 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Apr 2024 10:39:26 +0000 Subject: [PATCH 0480/1462] Bump sphinx from 7.2.6 to 7.3.5 (#10838) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.2.6 to 7.3.5. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.2.6...v7.3.5) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 435032cca9ec..ca8591dea974 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -109,7 +109,7 @@ ruff==0.3.7 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx -sphinx==7.2.6 +sphinx==7.3.5 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From c1aadae92e40183a6ab7824e2a4ec466fe8d2c0c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Apr 2024 11:06:09 +0000 Subject: [PATCH 0481/1462] Bump proc-macro2 from 1.0.80 to 1.0.81 in /src/rust (#10840) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.80 to 1.0.81. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.80...1.0.81) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b5419a3642f6..57fbe1f0d435 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -277,9 +277,9 @@ checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" [[package]] name = "proc-macro2" -version = "1.0.80" +version = "1.0.81" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a56dea16b0a29e94408b9aa5e2940a4eedbd128a1ba20e8f7ae60fd3d465af0e" +checksum = "3d1597b0c024618f09a9c3b8655b7e430397a36d23fdafec26d6965e9eec3eba" dependencies = [ "unicode-ident", ] From 7bd2f635ca3552d054b7205f75bd35e4caefd00b Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Apr 2024 10:42:00 -0600 Subject: [PATCH 0482/1462] Bump backports-tarfile from 1.0.0 to 1.1.0 in /.github/requirements (#10839) * Bump backports-tarfile from 1.0.0 to 1.1.0 in /.github/requirements Bumps [backports-tarfile](https://github.com/jaraco/backports.tarfile) from 1.0.0 to 1.1.0. - [Release notes](https://github.com/jaraco/backports.tarfile/releases) - [Changelog](https://github.com/jaraco/backports.tarfile/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/backports.tarfile/compare/v1.0.0...v1.1.0) --- updated-dependencies: - dependency-name: backports-tarfile dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 28107d1f36bb..b1247f45be04 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -12,9 +12,9 @@ appdirs==1.4.4 \ --hash=sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41 \ --hash=sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128 # via sigstore -backports-tarfile==1.0.0 \ - --hash=sha256:2688f159c21afd56a07b75f01306f9f52c79aebcc5f4a117fb8fbb4445352c75 \ - --hash=sha256:bcd36290d9684beb524d3fe74f4a2db056824c47746583f090b8e55daf0776e4 +backports-tarfile==1.1.0 \ + --hash=sha256:91d59138ea401ee2a95e8b839c1e2f51f3e9ca76bdba8b6a29f8d773564686a8 \ + --hash=sha256:b2f4df351db942d094db94588bbf2c6938697a5f190f44c934acc697da56008b # via jaraco-context betterproto==2.0.0b6 \ --hash=sha256:720ae92697000f6fcf049c69267d957f0871654c8b0d7458906607685daee784 \ From d4c3058e9cd4077d980edce1fa12ccf0a055035e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Apr 2024 20:23:41 +0000 Subject: [PATCH 0483/1462] Bump peter-evans/create-pull-request from 6.0.3 to 6.0.4 (#10842) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 6.0.3 to 6.0.4. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/c55203cfde3e5c11a452d352b4393e68b85b4533...9153d834b60caba6d51c9b9510b087acf9f33f83) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index c496f81f3d15..50e3a35a8ab8 100644 --- a/.github/workflows/boring-open-version-bump.yml 
+++ b/.github/workflows/boring-open-version-bump.yml @@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@c55203cfde3e5c11a452d352b4393e68b85b4533 # v6.0.3 + uses: peter-evans/create-pull-request@9153d834b60caba6d51c9b9510b087acf9f33f83 # v6.0.4 with: branch: "bump-openssl-boringssl" commit-message: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index fb3f532f5e85..a3e3ff51f608 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@c55203cfde3e5c11a452d352b4393e68b85b4533 # v6.0.3 + uses: peter-evans/create-pull-request@9153d834b60caba6d51c9b9510b087acf9f33f83 # v6.0.4 with: branch: "bump-vectors" commit-message: "Bump x509-limbo and/or wycheproof in CI" From 2f315bac4d2bed807369646389b21a9e5d6cb943 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Apr 2024 20:24:22 +0000 Subject: [PATCH 0484/1462] Bump syn from 2.0.59 to 2.0.60 in /src/rust (#10843) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.59 to 2.0.60. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.59...2.0.60) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 57fbe1f0d435..aff8763bc601 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -385,9 +385,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.59" +version = "2.0.60" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4a6531ffc7b071655e4ce2e04bd464c4830bb585a61cabb96cf808f05172615a" +checksum = "909518bc7b1c9b779f1bbf07f2929d35af9f0f37e47c6e9ef7f9dddc1e1821f3" dependencies = [ "proc-macro2", "quote", From d4f58e52191a78ef879c8686c075aa3457803aee Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Apr 2024 20:31:38 +0000 Subject: [PATCH 0485/1462] Bump virtualenv from 20.25.2 to 20.25.3 (#10844) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.25.2 to 20.25.3. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.25.2...20.25.3) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ca8591dea974..e8edcd9d9fbc 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -150,7 +150,7 @@ typing-extensions==4.11.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests -virtualenv==20.25.2 +virtualenv==20.25.3 # via nox # The following packages are considered to be unsafe in a requirements file: From 7e1b6e854a9e4ae69d43dacc1f02330813094864 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 18 Apr 2024 00:35:10 +0000 Subject: [PATCH 0486/1462] Bump BoringSSL and/or OpenSSL in CI (#10846) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d3650608393a..183194242c82 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 13, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "1c6e10495e4f69cf9e5fd4e363d580ff1fdb1a96"}} - # Latest commit on the OpenSSL master branch, as of Apr 17, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c062403abd71550057b3647b01cc8af4cc2fc18c"}} + # Latest commit on the BoringSSL master branch, as of Apr 18, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f374e1af18c25700923985f6613417847e8f6ab1"}} + # Latest commit on the OpenSSL master branch, as of Apr 18, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e1fd043ad7fa865a8ef9160c892b49a098d23c71"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} 
From 56cd2a2cfa9cfe698e1d4c7d6538b8fa4857f040 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Apr 2024 06:19:20 -0400 Subject: [PATCH 0487/1462] Bump sphinx from 7.3.5 to 7.3.6 (#10847) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.3.5 to 7.3.6. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.3.5...v7.3.6) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e8edcd9d9fbc..546d05971bd8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -109,7 +109,7 @@ ruff==0.3.7 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx -sphinx==7.3.5 +sphinx==7.3.6 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From cc7101372a7388a8a43417bce7580a8062c37fed Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 18 Apr 2024 20:52:17 -0400 Subject: [PATCH 0488/1462] Bump BoringSSL and/or OpenSSL in CI (#10849) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 183194242c82..8a0abbd0db7f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 18, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f374e1af18c25700923985f6613417847e8f6ab1"}} - # Latest commit on the OpenSSL master branch, as of Apr 18, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e1fd043ad7fa865a8ef9160c892b49a098d23c71"}} + # Latest commit on the BoringSSL master branch, as of Apr 19, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0aa300b9ba9d66b914793ad18c5b469163e58905"}} + # Latest commit on the OpenSSL master branch, as of Apr 19, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4e3c1e6206251c59855362d6d2edab4621c31dec"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 80f31c4a63bbb03a269b00d4be433ffa740ba40c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Apr 2024 07:48:50 -0400 Subject: [PATCH 0489/1462] Bump ruff from 0.3.7 to 0.4.0 (#10850) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.3.7 to 0.4.0. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.3.7...v0.4.0) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 546d05971bd8..30c36ad9c654 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.3.7 +ruff==0.4.0 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From db0f93460a708e4b1810aa29829c89886212de51 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Apr 2024 07:49:28 -0400 Subject: [PATCH 0490/1462] Bump sphinx from 7.3.6 to 7.3.7 (#10851) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.3.6 to 7.3.7. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.3.6...v7.3.7) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 30c36ad9c654..0ea359e91126 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -109,7 +109,7 @@ ruff==0.4.0 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx -sphinx==7.3.6 +sphinx==7.3.7 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From f8076daf75b045c7136477b0b8aed8103ef52f34 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Apr 2024 07:50:19 -0400 Subject: [PATCH 0491/1462] Bump exceptiongroup from 1.2.0 to 1.2.1 (#10852) Bumps [exceptiongroup](https://github.com/agronholm/exceptiongroup) from 1.2.0 to 1.2.1. - [Release notes](https://github.com/agronholm/exceptiongroup/releases) - [Changelog](https://github.com/agronholm/exceptiongroup/blob/main/CHANGES.rst) - [Commits](https://github.com/agronholm/exceptiongroup/compare/1.2.0...1.2.1) --- updated-dependencies: - dependency-name: exceptiongroup dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 0ea359e91126..bc89f2044108 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -36,7 +36,7 @@ docutils==0.20.1 # readme-renderer # sphinx # sphinx-rtd-theme -exceptiongroup==1.2.0 +exceptiongroup==1.2.1 # via pytest execnet==2.1.1; python_version >= "3.8" # via pytest-xdist From 8c3445cf703a5a1069e33fb89102f67b8a848ad5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Apr 2024 07:51:15 -0400 Subject: [PATCH 0492/1462] Bump actions/upload-artifact in /.github/actions/upload-coverage (#10854) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.1 to 4.3.2. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/5d5d22a31266ced268874388b861e4b58bb5c2f3...1746f4ab65b179e0ea60a494b83293b640dd5bba) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/upload-coverage/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index 720cf904f821..4a331fd659d0 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,7 +13,7 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + - uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 with: name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }} path: | From 885865ec2c43a892a124766f6ad05dde6eca43d7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Apr 2024 06:30:30 -0700 Subject: [PATCH 0493/1462] Bump jaraco-functools from 4.0.0 to 4.0.1 in /.github/requirements (#10853) * Bump jaraco-functools from 4.0.0 to 4.0.1 in /.github/requirements Bumps [jaraco-functools](https://github.com/jaraco/jaraco.functools) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/jaraco/jaraco.functools/releases) - [Changelog](https://github.com/jaraco/jaraco.functools/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/jaraco.functools/compare/v4.0.0...v4.0.1) --- updated-dependencies: - dependency-name: jaraco-functools dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index b1247f45be04..87c6eeed2f95 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -258,9 +258,9 @@ jaraco-context==5.3.0 \ --hash=sha256:3e16388f7da43d384a1a7cd3452e72e14732ac9fe459678773a3608a812bf266 \ --hash=sha256:c2f67165ce1f9be20f32f650f25d8edfc1646a8aeee48ae06fb35f90763576d2 # via keyring -jaraco-functools==4.0.0 \ - --hash=sha256:c279cb24c93d694ef7270f970d499cab4d3813f4e08273f95398651a634f0925 \ - --hash=sha256:daf276ddf234bea897ef14f43c4e1bf9eefeac7b7a82a4dd69228ac20acff68d +jaraco-functools==4.0.1 \ + --hash=sha256:3b24ccb921d6b593bdceb56ce14799204f473976e2a9d4b15b04d0f2c2326664 \ + --hash=sha256:d33fa765374c0611b52f8b3a795f8900869aa88c84769d4d1746cd68fb28c3e8 # via keyring jeepney==0.8.0 \ --hash=sha256:5efe48d255973902f6badc3ce55e2aa6c5c3b3bc642059ef3a91247bcfcc5806 \ From 7c1b5121d0a905d85b27c2f7a43438ef0b098feb Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 20 Apr 2024 14:29:23 +0000 Subject: [PATCH 0494/1462] Bump BoringSSL and/or OpenSSL in CI (#10858) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8a0abbd0db7f..0607c648f9b8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Apr 19, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0aa300b9ba9d66b914793ad18c5b469163e58905"}} - # Latest commit on the OpenSSL master branch, as of Apr 19, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4e3c1e6206251c59855362d6d2edab4621c31dec"}} + # Latest commit on the OpenSSL master branch, as of Apr 20, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6594baf6457c64f6fce3ec60cb2617f75d98d159"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 3a23052240677366d9e5296ebf53868eb9ef1e68 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Apr 2024 14:31:47 +0000 Subject: [PATCH 0495/1462] Bump ruff from 0.4.0 to 0.4.1 (#10862) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.0 to 0.4.1. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.0...v0.4.1) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index bc89f2044108..ba106e064cde 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.4.0 +ruff==0.4.1 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 67c33213785ed5df2b098f6a8376408e03d34b33 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Apr 2024 14:33:51 +0000 Subject: [PATCH 0496/1462] Bump actions/checkout in /.github/actions/fetch-vectors (#10859) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.1.3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/b4ffde65f46336ab88eb53be808477a3936bae11...1d96c772d19495a3b5c517cd2bc0cb401ea0529f) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index ee4c29fa9d19..f66fd9c98a8b 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -5,14 +5,14 @@ runs: using: "composite" steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 with: repository: "C2SP/wycheproof" path: "wycheproof" # Latest commit on the wycheproof master branch, as of Apr 09, 2024. ref: "cd27d6419bedd83cbd24611ec54b6d4bfdb0cdca" # wycheproof-ref - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 with: repository: "C2SP/x509-limbo" path: "x509-limbo" From ad2427d43170a6df9774059eb6abf96fe3ff408a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Apr 2024 14:34:23 +0000 Subject: [PATCH 0497/1462] Bump cc from 1.0.94 to 1.0.95 in /src/rust (#10861) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.94 to 1.0.95. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.94...1.0.95) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index aff8763bc601..8dee9516b660 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.94" +version = "1.0.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "17f6e324229dc011159fcc089755d1e2e216a90d43a7dea6853ca740b84f35e7" +checksum = "d32a725bc159af97c3e629873bb9f88fb8cf8a4867175f76dc987815ea07c83b" [[package]] name = "cfg-if" 
diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 0cdf9d949082..34d16fb493a6 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.21.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.94" +cc = "1.0.95" From 83d90df3df4b3e858119348d06ffffd3c4cbd706 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Sun, 21 Apr 2024 21:09:12 +0200 Subject: [PATCH 0498/1462] Add timezone-aware API variant for `x509.InvalidityDate.invalidity_date` (#10848) --- CHANGELOG.rst | 3 +++ docs/x509/reference.rst | 8 ++++++++ src/cryptography/x509/extensions.py | 7 +++++++ src/rust/src/x509/extensions.rs | 2 +- tests/x509/test_x509_ext.py | 20 ++++++++++++++++++++ 5 files changed, 39 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 8a97f7d7da1a..e7153b215514 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -41,6 +41,9 @@ Changelog :attr:`~cryptography.x509.CertificateSigningRequest.public_key_algorithm_oid` to determine the :class:`~cryptography.hazmat._oid.PublicKeyAlgorithmOID` Object Identifier of the public key found inside the certificate. +* Added :attr:`~cryptography.x509.InvalidityDate.invalidity_date_utc`, a + timezone-aware alternative to the naïve ``datetime`` attribute + :attr:`~cryptography.x509.InvalidityDate.invalidity_date`. .. _v42-0-5: diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 0d0db19fdee4..6aa0f6667ba2 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -3148,6 +3148,14 @@ These extensions are only valid within a :class:`RevokedCertificate` object. :type: :class:`datetime.datetime` + .. attribute:: invalidity_date_utc + + .. versionadded:: 43.0.0 + + :type: :class:`datetime.datetime` + + The invalidity date in UTC as a timezone-aware datetime object. + OCSP Extensions ~~~~~~~~~~~~~~~ 
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index 1842a9e2b0c6..5e7486a594ed 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py @@ -1788,6 +1788,13 @@ def __hash__(self) -> int: def invalidity_date(self) -> datetime.datetime: return self._invalidity_date + @property + def invalidity_date_utc(self) -> datetime.datetime: + if self._invalidity_date.tzinfo is None: + return self._invalidity_date.replace(tzinfo=datetime.timezone.utc) + else: + return self._invalidity_date.astimezone(tz=datetime.timezone.utc) + def public_bytes(self) -> bytes: return rust_x509.encode_extension_value(self) diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 2e9f3d174eca..bb8e9a55cb95 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -530,7 +530,7 @@ pub(crate) fn encode_extension( Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::INVALIDITY_DATE_OID => { - let py_dt = ext.getattr(pyo3::intern!(py, "invalidity_date"))?; + let py_dt = ext.getattr(pyo3::intern!(py, "invalidity_date_utc"))?; let dt = x509::py_to_datetime(py, py_dt)?; Ok(Some(asn1::write_single(&asn1::GeneralizedTime::new(dt)?)?)) } diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index 491271ade526..44e8299046dc 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py 
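Review bot: The new `invalidity_date_utc` property in `src/cryptography/x509/extensions.py` has no docstring, and its `tzinfo is None` branch silently treats a naive value as already being in UTC. The same commit makes the encoder read this property, so that assumption decides which instant is written into the revocation entry and should be stated on the property itself. A one-line docstring would do: `"""The invalidity date as a timezone-aware UTC datetime; a naive value is assumed to already be UTC."""`. The enclosing class and its constructor start above the hunk, so whether the same assumption is documented there cannot be seen from here.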
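Review bot: The `INVALIDITY_DATE_OID` arm of `encode_extension` in `src/rust/src/x509/extensions.rs` now encodes whatever `invalidity_date_utc` returns, and nothing on the line says why the `_utc` attribute is read instead of `invalidity_date`. If `x509::py_to_datetime` reads only the calendar fields of the Python object (not visible in this hunk), this also changes the DER produced for an extension built from a timezone-aware datetime, which the CHANGELOG entry does not mention. A short comment above the `getattr` call would record the intent: `// Read the UTC-normalised value so the GeneralizedTime is always written in UTC.` The body of `encode_extension` starts and ends outside the hunk.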
@@ -444,6 +444,26 @@ def test_public_bytes(self): ext = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1)) assert ext.public_bytes() == b"\x18\x0f20150101010100Z" + def test_timezone_aware_api(self): + naive_date = datetime.datetime(2015, 1, 1, 1, 1) + ext_naive = x509.InvalidityDate(invalidity_date=naive_date) + assert ext_naive.invalidity_date_utc == datetime.datetime( + 2015, 1, 1, 1, 1, tzinfo=datetime.timezone.utc + ) + + tz_aware_date = datetime.datetime( + 2015, + 1, + 1, + 1, + 1, + tzinfo=datetime.timezone(datetime.timedelta(hours=-8)), + ) + ext_aware = x509.InvalidityDate(invalidity_date=tz_aware_date) + assert ext_aware.invalidity_date_utc == datetime.datetime( + 2015, 1, 1, 9, 1, tzinfo=datetime.timezone.utc + ) + class TestNoticeReference: def test_notice_numbers_not_all_int(self): From d5e1321ad50f2f7897f8293ecd98f5a5f1544e6d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Apr 2024 08:39:39 -0400 Subject: [PATCH 0499/1462] Bump pluggy from 1.4.0 to 1.5.0 (#10866) Bumps [pluggy](https://github.com/pytest-dev/pluggy) from 1.4.0 to 1.5.0. - [Changelog](https://github.com/pytest-dev/pluggy/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pluggy/compare/1.4.0...1.5.0) --- updated-dependencies: - dependency-name: pluggy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ba106e064cde..d2654466890a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
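Review bot: `test_timezone_aware_api` in `tests/x509/test_x509_ext.py` asserts only the Python property and never encodes the timezone-aware extension, so the path this commit changes in the Rust encoder is not pinned for aware input. `test_public_bytes` directly above covers a naive datetime only. Adding `assert ext_aware.public_bytes() == b"\x18\x0f20150101090100Z"` would confirm that a `-08:00` input is serialised as 09:01 UTC and not as its local wall-clock time. The expected bytes are constructed from the pattern in `test_public_bytes` and the 09:01 UTC value this test already asserts.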
@@ -70,7 +70,7 @@ pathspec==0.12.1 # via check-sdist platformdirs==4.2.0; python_version >= "3.8" # via virtualenv -pluggy==1.4.0; python_version >= "3.8" +pluggy==1.5.0; python_version >= "3.8" # via pytest pretend==1.0.9 # via cryptography (pyproject.toml) From 7b3b882775b02b773b151316a0cd2b62fe252542 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 23 Apr 2024 00:16:33 +0000 Subject: [PATCH 0500/1462] Bump BoringSSL and/or OpenSSL in CI (#10867) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0607c648f9b8..18607325fe08 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 19, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0aa300b9ba9d66b914793ad18c5b469163e58905"}} - # Latest commit on the OpenSSL master branch, as of Apr 20, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6594baf6457c64f6fce3ec60cb2617f75d98d159"}} + # Latest commit on the BoringSSL master branch, as of Apr 23, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d8d1c6a2d034df2a62bcf75604a4824f0e20e19e"}} + # Latest commit on the OpenSSL master branch, as of Apr 23, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "98161274636dca12e3bfafab7d2d2ac28f4d7c30"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 85f444a722ab46079aff332939990d1e002c5471 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 22 Apr 2024 21:50:10 -0400 Subject: [PATCH 0501/1462] Bump x509-limbo and/or wycheproof in CI (#10868) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index f66fd9c98a8b..2f49f2db3127 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Apr 17, 2024. - ref: "77e23f751aae6c914a906eface407ffd9762111a" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Apr 23, 2024. + ref: "b372833b8ce29da36ced2aec91e46bd157008a7d" # x509-limbo-ref From fa381af5c92fac06495a211bd67f41a4d32ec213 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Apr 2024 09:38:00 -0400 Subject: [PATCH 0502/1462] Bump actions/upload-artifact in /.github/actions/upload-coverage (#10871) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.2 to 4.3.3. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/1746f4ab65b179e0ea60a494b83293b640dd5bba...65462800fd760344b1a7b4382951275a0abb4808) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/upload-coverage/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index 4a331fd659d0..227cac821f33 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,7 +13,7 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }} path: | From ecc9ef8377ddd92d74d7713aab2989937c5ba7cf Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 23 Apr 2024 21:02:29 -0400 Subject: [PATCH 0503/1462] Bump BoringSSL and/or OpenSSL in CI (#10874) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 18607325fe08..65fc5511c821 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 23, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d8d1c6a2d034df2a62bcf75604a4824f0e20e19e"}} - # Latest commit on the OpenSSL master branch, as of Apr 23, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "98161274636dca12e3bfafab7d2d2ac28f4d7c30"}} + # Latest commit on the BoringSSL master branch, as of Apr 24, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "54821d806d574dd8f2869a8c7f5725b65a67af42"}} + # Latest commit on the OpenSSL master branch, as of Apr 24, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "264ff64b9443e60c7c93af0ced2b22fdf622d179"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From b915cc7b9e86c7e66d5ea3211161bc8b93edc30e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Apr 2024 20:25:32 -0700 Subject: [PATCH 0504/1462] Bump backports-tarfile from 1.1.0 to 1.1.1 in /.github/requirements (#10872) * Bump backports-tarfile from 1.1.0 to 1.1.1 in /.github/requirements Bumps [backports-tarfile](https://github.com/jaraco/backports.tarfile) from 1.1.0 to 1.1.1. - [Release notes](https://github.com/jaraco/backports.tarfile/releases) - [Changelog](https://github.com/jaraco/backports.tarfile/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/backports.tarfile/compare/v1.1.0...v1.1.1) --- updated-dependencies: - dependency-name: backports-tarfile dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 87c6eeed2f95..695a394d49f6 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -12,9 +12,9 @@ appdirs==1.4.4 \ --hash=sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41 \ --hash=sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128 # via sigstore -backports-tarfile==1.1.0 \ - --hash=sha256:91d59138ea401ee2a95e8b839c1e2f51f3e9ca76bdba8b6a29f8d773564686a8 \ - --hash=sha256:b2f4df351db942d094db94588bbf2c6938697a5f190f44c934acc697da56008b +backports-tarfile==1.1.1 \ + --hash=sha256:73e0179647803d3726d82e76089d01d8549ceca9bace469953fcb4d97cf2d417 \ + --hash=sha256:9c2ef9696cb73374f7164e17fc761389393ca76777036f5aad42e8b93fcd8009 # via jaraco-context betterproto==2.0.0b6 \ --hash=sha256:720ae92697000f6fcf049c69267d957f0871654c8b0d7458906607685daee784 \ From ed1f1f00e19c943dd6fee3f0709cace0d014566d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Apr 2024 03:35:42 +0000 Subject: [PATCH 0505/1462] Bump platformdirs from 4.2.0 to 4.2.1 (#10875) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 4.2.0 to 4.2.1. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/4.2.0...4.2.1) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d2654466890a..b1708aeefec7 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -68,7 +68,7 @@ packaging==24.0 # sphinx pathspec==0.12.1 # via check-sdist -platformdirs==4.2.0; python_version >= "3.8" +platformdirs==4.2.1; python_version >= "3.8" # via virtualenv pluggy==1.5.0; python_version >= "3.8" # via pytest From f159765f83bc61343e0208a764c3cb1f4ad7084c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Apr 2024 03:58:38 +0000 Subject: [PATCH 0506/1462] Bump virtualenv from 20.25.3 to 20.26.0 (#10878) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.25.3 to 20.26.0. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.25.3...20.26.0) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b1708aeefec7..6a6d8576e941 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -150,7 +150,7 @@ typing-extensions==4.11.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests -virtualenv==20.25.3 +virtualenv==20.26.0 # via nox # The following packages are considered to be unsafe in a requirements file: From 41ca4109076236a562b3e0ddeb523e1d3745935b Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Apr 2024 04:04:15 +0000 Subject: [PATCH 0507/1462] Bump coverage from 7.4.4 to 7.5.0 (#10879) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.4.4 to 7.5.0. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.4.4...7.5.0) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6a6d8576e941..546703b8930f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.4.4; python_version >= "3.8" +coverage==7.5.0; python_version >= "3.8" # via # coverage # pytest-cov From 645931ca6e615d1e7212055d99644b77725e2b53 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 25 Apr 2024 00:15:00 +0000 Subject: [PATCH 0508/1462] Bump BoringSSL and/or OpenSSL in CI (#10882) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 65fc5511c821..c3e3dc282152 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Apr 24, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "54821d806d574dd8f2869a8c7f5725b65a67af42"}} - # Latest commit on the OpenSSL master branch, as of Apr 24, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "264ff64b9443e60c7c93af0ced2b22fdf622d179"}} + # Latest commit on the OpenSSL master branch, as of Apr 25, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c81b7b059f614a6c43ad6a6907b1a740b783fbfd"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 85815cac668ad975f079aa14f0f420043b8218da Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Apr 2024 07:11:36 -0400 Subject: [PATCH 0509/1462] Bump actions/checkout in /.github/actions/fetch-vectors (#10888) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.3 to 4.1.4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/1d96c772d19495a3b5c517cd2bc0cb401ea0529f...0ad4b8fadaa221de15dcec353f45205ec38ea70b) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 2f49f2db3127..390bff761eb2 100644 --- a/.github/actions/fetch-vectors/action.yml 
+++ b/.github/actions/fetch-vectors/action.yml @@ -5,14 +5,14 @@ runs: using: "composite" steps: - - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 + - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: "C2SP/wycheproof" path: "wycheproof" # Latest commit on the wycheproof master branch, as of Apr 09, 2024. ref: "cd27d6419bedd83cbd24611ec54b6d4bfdb0cdca" # wycheproof-ref - - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 + - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: "C2SP/x509-limbo" path: "x509-limbo" From 246b1df2a5575166bc231b4586bfae97d8835b3f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Apr 2024 11:12:07 +0000 Subject: [PATCH 0510/1462] Bump mypy from 1.9.0 to 1.10.0 (#10883) Bumps [mypy](https://github.com/python/mypy) from 1.9.0 to 1.10.0. - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/1.9.0...v1.10.0) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 546703b8930f..93f60289b6dc 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -52,7 +52,7 @@ jinja2==3.1.3 # via sphinx markupsafe==2.1.5 # via jinja2 -mypy==1.9.0 +mypy==1.10.0 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy From 2018f689cc9041a9986a33b82451c8dc9bad48a4 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Apr 2024 11:18:37 +0000 Subject: [PATCH 0511/1462] Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (#10886) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 6.0.4 to 6.0.5. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/9153d834b60caba6d51c9b9510b087acf9f33f83...6d6857d36972b65feb161a90e484f2984215f83e) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 50e3a35a8ab8..63c5fbe6e7cc 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@9153d834b60caba6d51c9b9510b087acf9f33f83 # v6.0.4 + uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5 with: branch: "bump-openssl-boringssl" commit-message: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index a3e3ff51f608..9b48b09eedfd 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml 
@@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@9153d834b60caba6d51c9b9510b087acf9f33f83 # v6.0.4 + uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5 with: branch: "bump-vectors" commit-message: "Bump x509-limbo and/or wycheproof in CI" From daca5c3e926b511d31a23d797f15b97627e0169f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 25 Apr 2024 18:12:36 -0400 Subject: [PATCH 0512/1462] Handle errors on failing to import cffi module properly (#10890) --- src/rust/cryptography-cffi/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-cffi/src/lib.rs b/src/rust/cryptography-cffi/src/lib.rs index 17d63c44c43f..b927fae370ac 100644 --- a/src/rust/cryptography-cffi/src/lib.rs +++ b/src/rust/cryptography-cffi/src/lib.rs @@ -26,7 +26,7 @@ pub fn create_module( // SAFETY: `PyInit__openssl` returns an owned reference. let openssl_mod = unsafe { let ptr = PyInit__openssl(); - pyo3::Py::from_owned_ptr(py, ptr).bind(py).clone() + pyo3::Py::from_owned_ptr_or_err(py, ptr)?.bind(py).clone() }; Ok(openssl_mod) From c65975377eb22d52ec58ad600f12fe0108048718 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 25 Apr 2024 18:51:24 -0400 Subject: [PATCH 0513/1462] fix for upcoming ruff lint (#10891) --- tests/utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/utils.py b/tests/utils.py index c1aa34ef4d30..3a8a768cf115 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -620,7 +620,7 @@ def load_kasvs_ecdh_vectors(vector_data): if len(parm) == 2: names = parm[1].strip().split() for n in names: - tags.append("[%s]" % n) + tags.append(f"[{n}]") break # Sets Metadata From 7905cce3e425b5105fec20e83089f8096c8a1d1e Mon Sep 17 00:00:00 2001 
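Review bot: The `// SAFETY:` comment above the `unsafe` block in `create_module` (src/rust/cryptography-cffi/src/lib.rs) still says only that `PyInit__openssl` returns an owned reference, while the new `from_owned_ptr_or_err(py, ptr)?` call exists because the pointer can be null. The comment should state the full contract the block now relies on, for example `// SAFETY: PyInit__openssl returns an owned reference, or null with a Python exception set.` If the init function can return null without an exception set, the error surfaced to the caller would be a generic one, so that assumption is worth confirming. `create_module` begins outside the hunk.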
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Apr 2024 16:00:51 -0700 Subject: [PATCH 0514/1462] Bump docutils from 0.21.1 to 0.21.2 in /.github/requirements (#10877) * Bump docutils from 0.21.1 to 0.21.2 in /.github/requirements Bumps [docutils](https://docutils.sourceforge.io) from 0.21.1 to 0.21.2. --- updated-dependencies: - dependency-name: docutils dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 695a394d49f6..9da1adf5e7e5 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -211,9 +211,9 @@ dnspython==2.6.1 \ --hash=sha256:5ef3b9680161f6fa89daf8ad451b5f1a33b18ae8a1c6778cdf4b43f08c0a6e50 \ --hash=sha256:e8f0f9c23a7b7cb99ded64e6c3a6f3e701d78f50c55e002b839dea7225cff7cc # via email-validator -docutils==0.21.1 \ - --hash=sha256:14c8d34a55b46c88f9f714adb29cefbdd69fb82f3fef825e59c5faab935390d8 \ - --hash=sha256:65249d8a5345bc95e0f40f280ba63c98eb24de35c6c8f5b662e3e8948adea83f +docutils==0.21.2 \ + --hash=sha256:3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f \ + --hash=sha256:dafca5b9e384f0e419294eb4d2ff9fa826435bf15f15b7bd45723e8ad76811b2 # via readme-renderer email-validator==2.1.1 \ --hash=sha256:200a70680ba08904be6d1eef729205cc0d687634399a5924d842533efb824b84 \ From dc657ba865d0d280230c8323387efbce611a3d91 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Apr 2024 16:01:36 -0700 Subject: [PATCH 0515/1462] Bump id from 1.3.0 to 1.4.0 in /.github/requirements (#10887) * Bump id from 1.3.0 to 1.4.0 in /.github/requirements Bumps [id](https://github.com/di/id) from 1.3.0 to 1.4.0. - [Release notes](https://github.com/di/id/releases) - [Changelog](https://github.com/di/id/blob/main/CHANGELOG.md) - [Commits](https://github.com/di/id/compare/v1.3.0...v1.4.0) --- updated-dependencies: - dependency-name: id dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 9da1adf5e7e5..34634da4b077 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -234,9 +234,9 @@ hyperframe==6.0.1 \ --hash=sha256:0ec6bafd80d8ad2195c4f03aacba3a8265e57bc4cff261e802bf39970ed02a15 \ --hash=sha256:ae510046231dc8e9ecb1a6586f63d2347bf4c8905914aa84ba585ae85f28a914 # via h2 -id==1.3.0 \ - --hash=sha256:c5dbb6048a469466054f065e92dba9b202a57d718cf12a0f24a082d0df988e18 \ - --hash=sha256:da320bc6d6e612a2c16364ca95bb905e87c74332d4fc9b34850a26c304790694 +id==1.4.0 \ + --hash=sha256:23c06772e8bd3e3a44ee3f167868bf5a8e385b0c1e2cc707ad36eb7486b4765b \ + --hash=sha256:a0391117c98fa9851ebd2b22df0dc6fd6aacbd89a4ec95c173f1311ca9bb7329 # via sigstore idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ From 2c9a484ee759572931f0b983676a07c4f0bb2b84 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 26 Apr 2024 00:14:52 +0000 Subject: [PATCH 0516/1462] Bump BoringSSL and/or OpenSSL in CI (#10892) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c3e3dc282152..a5c56aae2827 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 24, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "54821d806d574dd8f2869a8c7f5725b65a67af42"}} - # Latest commit on the OpenSSL master branch, as of Apr 25, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c81b7b059f614a6c43ad6a6907b1a740b783fbfd"}} + # Latest commit on the BoringSSL master branch, as of Apr 26, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9eab28fb27dc90e0913bb82c62cfc49741bc494c"}} + # Latest commit on the OpenSSL master branch, as of Apr 26, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "15d6114d99d93468876697b62d543b0e2efd45d5"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 5b3dd286057435e4fdd1b8c408b1e76a1bdf8627 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Apr 2024 02:42:23 +0000 Subject: [PATCH 0517/1462] Bump parking_lot from 0.12.1 to 0.12.2 in /src/rust (#10893) Bumps [parking_lot](https://github.com/Amanieu/parking_lot) from 0.12.1 to 0.12.2. - [Changelog](https://github.com/Amanieu/parking_lot/blob/master/CHANGELOG.md) - [Commits](https://github.com/Amanieu/parking_lot/compare/0.12.1...0.12.2) --- updated-dependencies: - dependency-name: parking_lot dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 8dee9516b660..31f49252337d 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -233,9 +233,9 @@ dependencies = [ [[package]] name = "parking_lot" -version = "0.12.1" +version = "0.12.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f" +checksum = "7e4af0ca4f6caed20e900d564c242b8e5d4903fdacf31d3daf527b66fe6f42fb" dependencies = [ "lock_api", "parking_lot_core", From ff35c1a840edf0609778687d87ac270402b5dd1c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Apr 2024 02:57:53 +0000 Subject: [PATCH 0518/1462] Bump ruff from 0.4.1 to 0.4.2 (#10895) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.1 to 0.4.2. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.1...v0.4.2) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 93f60289b6dc..028036766da7 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.4.1 +ruff==0.4.2 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From cbb9193560d13ea2a30eb99ca9cfbb913a21631a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Apr 2024 03:01:29 +0000 Subject: [PATCH 0519/1462] Bump parking_lot_core from 0.9.9 to 0.9.10 in /src/rust (#10896) Bumps [parking_lot_core](https://github.com/Amanieu/parking_lot) from 0.9.9 to 0.9.10. - [Changelog](https://github.com/Amanieu/parking_lot/blob/master/CHANGELOG.md) - [Commits](https://github.com/Amanieu/parking_lot/compare/core-0.9.9...core-0.9.10) --- updated-dependencies: - dependency-name: parking_lot_core dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 57 +++++++++++++++++++++++---------------------- 1 file changed, 29 insertions(+), 28 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 31f49252337d..05eddd2f97d8 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -34,12 +34,6 @@ version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9475866fec1451be56a3c2400fd081ff546538961565ccb5b7142cbd22bc7a51" -[[package]] -name = "bitflags" -version = "1.3.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" - [[package]] name = "bitflags" version = "2.4.2" @@ -199,7 +193,7 @@ version = "0.10.64" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f" dependencies = [ - "bitflags 2.4.2", + "bitflags", "cfg-if", "foreign-types", "libc", @@ -243,9 +237,9 @@ dependencies = [ [[package]] name = "parking_lot_core" -version = "0.9.9" +version = "0.9.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c42a9226546d68acdd9c0a280d17ce19bfe27a46bf68784e4066115788d008e" +checksum = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8" dependencies = [ "cfg-if", "libc", @@ -358,11 +352,11 @@ dependencies = [ [[package]] name = "redox_syscall" -version = "0.4.1" +version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa" +checksum = "469052894dcb553421e483e4209ee581a45100d31b4018de03e5a7ad86374a7e" dependencies = [ - "bitflags 1.3.2", + "bitflags", ] [[package]] 
@@ -420,13 +414,14 @@ checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" [[package]] name = "windows-targets" -version = "0.48.5" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c" +checksum = "6f0713a46559409d202e70e28227288446bf7841d3211583a4b53e3f6d96e7eb" dependencies = [ "windows_aarch64_gnullvm", "windows_aarch64_msvc", "windows_i686_gnu", + "windows_i686_gnullvm", "windows_i686_msvc", "windows_x86_64_gnu", "windows_x86_64_gnullvm", 
@@ -435,42 +430,48 @@ dependencies = [ [[package]] name = "windows_aarch64_gnullvm" -version = "0.48.5" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" +checksum = "7088eed71e8b8dda258ecc8bac5fb1153c5cffaf2578fc8ff5d61e23578d3263" [[package]] name = "windows_aarch64_msvc" -version = "0.48.5" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" +checksum = "9985fd1504e250c615ca5f281c3f7a6da76213ebd5ccc9561496568a2752afb6" [[package]] name = "windows_i686_gnu" -version = "0.48.5" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "88ba073cf16d5372720ec942a8ccbf61626074c6d4dd2e745299726ce8b89670" + +[[package]] +name = "windows_i686_gnullvm" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" +checksum = "87f4261229030a858f36b459e748ae97545d6f1ec60e5e0d6a3d32e0dc232ee9" [[package]] name = "windows_i686_msvc" -version = "0.48.5" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" +checksum = "db3c2bf3d13d5b658be73463284eaf12830ac9a26a90c717b7f771dfe97487bf" [[package]] name = "windows_x86_64_gnu" -version = "0.48.5" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" +checksum = "4e4246f76bdeff09eb48875a0fd3e2af6aada79d409d33011886d3e1581517d9" [[package]] name = "windows_x86_64_gnullvm" -version = "0.48.5" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" 
+checksum = "852298e482cd67c356ddd9570386e2862b5673c85bd5f88df9ab6802b334c596" [[package]] name = "windows_x86_64_msvc" -version = "0.48.5" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" +checksum = "bec47e5bfd1bff0eeaf6d8b485cc1074891a197ab4225d504cb7a1ab88b02bf0" From c11c3d2a7f2a037b020895d812453900b182207d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Apr 2024 23:04:45 -0400 Subject: [PATCH 0520/1462] Bump lock_api from 0.4.11 to 0.4.12 in /src/rust (#10894) Bumps [lock_api](https://github.com/Amanieu/parking_lot) from 0.4.11 to 0.4.12. - [Changelog](https://github.com/Amanieu/parking_lot/blob/master/CHANGELOG.md) - [Commits](https://github.com/Amanieu/parking_lot/compare/lock_api-0.4.11...lock_api-0.4.12) --- updated-dependencies: - dependency-name: lock_api dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 05eddd2f97d8..c92e518b8a5c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -164,9 +164,9 @@ checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd" [[package]] name = "lock_api" -version = "0.4.11" +version = "0.4.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c168f8615b12bc01f9c17e2eb0cc07dcae1940121185446edc3744920e8ef45" +checksum = "07af8b9cdd281b7915f413fa73f29ebd5d55d0d3f0155584dade1ff18cea1b17" dependencies = [ "autocfg", "scopeguard", From 0b2b5f9df3d074bb36a8e6d216d321968b57afd2 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Apr 2024 03:15:15 +0000 Subject: [PATCH 0521/1462] Bump bitflags from 2.4.2 to 2.5.0 in /src/rust (#10898) Bumps [bitflags](https://github.com/bitflags/bitflags) from 2.4.2 to 2.5.0. - [Release notes](https://github.com/bitflags/bitflags/releases) - [Changelog](https://github.com/bitflags/bitflags/blob/main/CHANGELOG.md) - [Commits](https://github.com/bitflags/bitflags/compare/2.4.2...2.5.0) --- updated-dependencies: - dependency-name: bitflags dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index c92e518b8a5c..010ebe1b4ff0 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -36,9 +36,9 @@ checksum = "9475866fec1451be56a3c2400fd081ff546538961565ccb5b7142cbd22bc7a51" [[package]] name = "bitflags" -version = "2.4.2" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" +checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1" [[package]] name = "cc" From 07642cfe48aa0940be9ad7ef77dd27b1cc48d8d5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 25 Apr 2024 23:32:32 -0400 Subject: [PATCH 0522/1462] Test on rolling for arm64 (#10897) * Test on rolling for arm64 * Update installation.rst --- .github/workflows/ci.yml | 2 +- docs/installation.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a5c56aae2827..b1333e53dcc8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -164,7 +164,7 @@ jobs: - {IMAGE: "centos-stream9", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "centos-stream9-fips", NOXSESSION: "tests", RUNNER: "ubuntu-latest", FIPS: true} - - {IMAGE: "ubuntu-jammy:aarch64", NOXSESSION: "tests", RUNNER: [self-hosted, Linux, ARM64]} + - {IMAGE: "ubuntu-rolling:aarch64", NOXSESSION: "tests", RUNNER: [self-hosted, Linux, ARM64]} - {IMAGE: "alpine:aarch64", NOXSESSION: "tests", RUNNER: [self-hosted, Linux, ARM64]} timeout-minutes: 15 env: diff --git a/docs/installation.rst b/docs/installation.rst index 979ae344332a..cc6e32beafe4 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -21,7 +21,7 @@ operating systems. * x86-64 Fedora (latest) * x86-64 macOS 13 Ventura and ARM64 macOS 14 Sonoma * x86-64 Ubuntu 20.04, 22.04, 24.04, rolling -* ARM64 Ubuntu 22.04 +* ARM64 Ubuntu rolling * x86-64 Debian Buster (10.x), Bullseye (11.x), Bookworm (12.x), Trixie (13.x), and Sid (unstable) * x86-64 and ARM64 Alpine (latest) From 56fcdb3ac4a574aadf61a7338d010751333d00eb Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 27 Apr 2024 00:15:04 +0000 Subject: [PATCH 0523/1462] Bump BoringSSL and/or OpenSSL in CI (#10900) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b1333e53dcc8..f4227d1451d8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 26, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9eab28fb27dc90e0913bb82c62cfc49741bc494c"}} - # Latest commit on the OpenSSL master branch, as of Apr 26, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "15d6114d99d93468876697b62d543b0e2efd45d5"}} + # Latest commit on the BoringSSL master branch, as of Apr 27, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d69e8b46184b6fd844a4a92b4a6f4347d08ee439"}} + # Latest commit on the OpenSSL master branch, as of Apr 27, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "933f57dfe21657f7aba8f13e0cdb3b02dd64fcc3"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 66cf834fadae8d1353c5322014b4d3a64361b36b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Apr 2024 12:44:04 -0400 Subject: [PATCH 0524/1462] Begin migrating PKCS#12 serialization to Rust (#10616) For now, only handle unencrypted cert-only PKCS#12. --- .../hazmat/bindings/_rust/pkcs12.pyi | 5 + .../hazmat/primitives/serialization/pkcs12.py | 5 + src/rust/cryptography-x509/src/common.rs | 19 ++ src/rust/cryptography-x509/src/pkcs12.rs | 37 ++-- src/rust/cryptography-x509/src/pkcs7.rs | 2 +- src/rust/src/pkcs12.rs | 169 +++++++++++++++++- src/rust/src/types.rs | 2 + tests/hazmat/primitives/test_pkcs12.py | 3 - 8 files changed, 216 insertions(+), 26 deletions(-) 
diff --git a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi index 109ae4fce5d8..76dd0194c40a 100644 --- a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi +++ b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi @@ -33,3 +33,8 @@ def load_pkcs12( password: bytes | None, backend: typing.Any = None, ) -> PKCS12KeyAndCertificates: ... +def serialize_key_and_certificates( + name: bytes | None, + cert: x509.Certificate | None, + cas: typing.Iterable[x509.Certificate | PKCS12Certificate] | None, +) -> bytes: ... diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index 8ed5f1e0872b..0d37145eb943 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py @@ -167,6 +167,11 @@ def serialize_key_and_certificates( if key is None and cert is None and not cas: raise ValueError("You must supply at least one of key, cert, or cas") + if key is None and isinstance( + encryption_algorithm, serialization.NoEncryption + ): + return rust_pkcs12.serialize_key_and_certificates(name, cert, cas) + from cryptography.hazmat.backends.openssl.backend import backend return backend.serialize_key_and_certificates_to_pkcs12( diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 77cebc30464e..9eea5ff7bca8 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs 
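Review bot: The new early return in `serialize_key_and_certificates` (primitives/serialization/pkcs12.py) has no comment explaining why only `key is None` together with `NoEncryption` is routed to Rust, and the Rust function takes neither `key` nor `encryption_algorithm`. A one-line comment such as `# Rust currently handles only unencrypted, cert-only PKCS#12; all other cases still use OpenSSL.` would make it clear that widening the condition is not safe until the Rust side accepts those arguments. The function body starts and ends outside the hunk.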
@@ -414,6 +414,25 @@ impl<'a> asn1::SimpleAsn1Writable for UnvalidatedVisibleString<'a> { } } +/// A BMPString ASN.1 element, where it is stored as a UTF-8 string in memory. +pub struct Utf8StoredBMPString<'a>(pub &'a str); + +impl<'a> Utf8StoredBMPString<'a> { + pub fn new(s: &'a str) -> Self { + Utf8StoredBMPString(s) + } +} + +impl<'a> asn1::SimpleAsn1Writable for Utf8StoredBMPString<'a> { + const TAG: asn1::Tag = asn1::BMPString::TAG; + fn write_data(&self, writer: &mut asn1::WriteBuf) -> asn1::WriteResult { + for ch in self.0.encode_utf16() { + writer.push_slice(&ch.to_be_bytes())?; + } + Ok(()) + } +} + #[derive(Clone)] pub struct WithTlv<'a, T> { tlv: asn1::Tlv<'a>, diff --git a/src/rust/cryptography-x509/src/pkcs12.rs b/src/rust/cryptography-x509/src/pkcs12.rs index 328961fce053..4fea62179846 100644 --- a/src/rust/cryptography-x509/src/pkcs12.rs +++ b/src/rust/cryptography-x509/src/pkcs12.rs @@ -2,6 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use crate::common::Utf8StoredBMPString; use crate::pkcs7; pub const CERT_BAG_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 12, 10, 1, 3); 
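Review bot: `Utf8StoredBMPString::write_data` in common.rs encodes with `encode_utf16()`, which emits surrogate pairs for code points above U+FFFF, whereas an ASN.1 BMPString is nominally limited to the Basic Multilingual Plane. If accepting such names is deliberate for interoperability, the doc comment should say so, e.g. `/// Code points outside the BMP are written as UTF-16 surrogate pairs.`; otherwise they should be rejected before encoding. The friendly name is caller-supplied, so a test with a non-BMP character would pin down the intended behaviour either way.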
@@ -9,60 +10,60 @@ pub const KEY_BAG_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, pub const X509_CERTIFICATE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 22, 1); pub const FRIENDLY_NAME_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 20); -// #[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write)] pub struct Pfx<'a> { pub version: u8, pub auth_safe: pkcs7::ContentInfo<'a>, pub mac_data: Option>, } -// #[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write)] pub struct MacData<'a> { pub mac: pkcs7::DigestInfo<'a>, pub salt: &'a [u8], - // #[default(1u64)] + #[default(1u64)] pub iterations: u64, } -// #[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write)] pub struct SafeBag<'a> { pub _bag_id: asn1::DefinedByMarker, - // #[defined_by(_bag_id)] + #[defined_by(_bag_id)] pub bag_value: asn1::Explicit, 0>, - // pub attributes: Option>>, + pub attributes: Option, Vec>>>, } -// #[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write)] pub struct Attribute<'a> { pub _attr_id: asn1::DefinedByMarker, - // #[defined_by(_attr_id)] + #[defined_by(_attr_id)] pub attr_values: AttributeSet<'a>, } -// #[derive(asn1::Asn1DefinedByWrite)] +#[derive(asn1::Asn1DefinedByWrite)] pub enum AttributeSet<'a> { - // #[defined_by(FRIENDLY_NAME_OID)] - FriendlyName(asn1::SetOfWriter<'a, asn1::BMPString<'a>>), + #[defined_by(FRIENDLY_NAME_OID)] + FriendlyName(asn1::SetOfWriter<'a, Utf8StoredBMPString<'a>, [Utf8StoredBMPString<'a>; 1]>), } -// #[derive(asn1::Asn1DefinedByWrite)] +#[derive(asn1::Asn1DefinedByWrite)] pub enum BagValue<'a> { - // #[defined_by(CERT_BAG_OID)] + #[defined_by(CERT_BAG_OID)] CertBag(CertBag<'a>), - // #[defined_by(KEY_BAG_OID)] + #[defined_by(KEY_BAG_OID)] KeyBag(asn1::Tlv<'a>), } -// #[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write)] pub struct CertBag<'a> { pub _cert_id: asn1::DefinedByMarker, - // #[defined_by(_cert_id)] + #[defined_by(_cert_id)] pub cert_value: asn1::Explicit, 0>, } -// 
#[derive(asn1::Asn1DefinedByWrite)] +#[derive(asn1::Asn1DefinedByWrite)] pub enum CertType<'a> { - // #[defined_by(X509_CERTIFICATE_OID)] + #[defined_by(X509_CERTIFICATE_OID)] X509(asn1::OctetStringEncoded>), } diff --git a/src/rust/cryptography-x509/src/pkcs7.rs b/src/rust/cryptography-x509/src/pkcs7.rs index e1581a0e069a..9df323696ac3 100644 --- a/src/rust/cryptography-x509/src/pkcs7.rs +++ b/src/rust/cryptography-x509/src/pkcs7.rs @@ -59,7 +59,7 @@ pub struct IssuerAndSerialNumber<'a> { pub serial_number: asn1::BigInt<'a>, } -// #[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write)] pub struct DigestInfo<'a> { pub algorithm: common::AlgorithmIdentifier<'a>, pub digest: &'a [u8], diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 51116c52557e..1b1b6ceb9f28 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -2,12 +2,13 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::backend::keys; +use crate::backend::{hashes, hmac, keys}; use crate::buf::CffiBuf; use crate::error::CryptographyResult; use crate::x509::certificate::Certificate; use crate::{types, x509}; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use cryptography_x509::common::Utf8StoredBMPString; +use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; use pyo3::IntoPy; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; @@ -80,9 +81,8 @@ impl PKCS12Certificate { const KDF_ENCRYPTION_KEY_ID: u8 = 1; #[allow(dead_code)] const KDF_IV_ID: u8 = 2; -#[allow(dead_code)] const KDF_MAC_KEY_ID: u8 = 3; -#[allow(dead_code)] + fn pkcs12_kdf( pass: &[u8], salt: &[u8], 
@@ -183,6 +183,163 @@ fn pkcs12_kdf( Ok(result) } +fn friendly_name_attributes( + friendly_name: Option<&[u8]>, +) -> CryptographyResult< + Option< + asn1::SetOfWriter< + '_, + cryptography_x509::pkcs12::Attribute<'_>, + Vec>, + >, + >, +> { + if let Some(name) = friendly_name { + let name_str = std::str::from_utf8(name).map_err(|_| { + pyo3::exceptions::PyValueError::new_err("friendly_name must be valid UTF-8") + })?; + + Ok(Some(asn1::SetOfWriter::new(vec![ + cryptography_x509::pkcs12::Attribute { + _attr_id: asn1::DefinedByMarker::marker(), + attr_values: cryptography_x509::pkcs12::AttributeSet::FriendlyName( + asn1::SetOfWriter::new([Utf8StoredBMPString::new(name_str)]), + ), + }, + ]))) + } else { + Ok(None) + } +} + +fn cert_to_bag<'a>( + cert: &'a Certificate, + friendly_name: Option<&'a [u8]>, +) -> CryptographyResult> { + Ok(cryptography_x509::pkcs12::SafeBag { + _bag_id: asn1::DefinedByMarker::marker(), + bag_value: asn1::Explicit::new(cryptography_x509::pkcs12::BagValue::CertBag( + cryptography_x509::pkcs12::CertBag { + _cert_id: asn1::DefinedByMarker::marker(), + cert_value: asn1::Explicit::new(cryptography_x509::pkcs12::CertType::X509( + asn1::OctetStringEncoded::new(cert.raw.borrow_dependent().clone()), + )), + }, + )), + attributes: friendly_name_attributes(friendly_name)?, + }) +} + +fn decode_encryption_algorithm( + py: pyo3::Python<'_>, +) -> CryptographyResult<(&[u8], pyo3::Bound<'_, pyo3::PyAny>, u64)> { + let default_hmac_alg = types::SHA256.get(py)?.call0()?; + let default_hmac_kdf_iter = 2048; + + Ok((b"", default_hmac_alg, default_hmac_kdf_iter)) +} + +#[derive(pyo3::FromPyObject)] +enum CertificateOrPKCS12Certificate { + Certificate(pyo3::Py), + PKCS12Certificate(pyo3::Py), +} + +#[pyo3::prelude::pyfunction] +#[pyo3(signature = (name, cert, cas))] +fn serialize_key_and_certificates<'p>( + py: pyo3::Python<'p>, + name: Option<&[u8]>, + cert: Option<&Certificate>, + cas: Option>, +) -> CryptographyResult> { + let (password, mac_algorithm, 
mac_kdf_iter) = decode_encryption_algorithm(py)?; + + let mut auth_safe_contents = vec![]; + let cert_bag_contents; + let mut ca_certs = vec![]; + assert!(cert.is_some() || cas.is_some()); + { + let mut cert_bags = vec![]; + + if let Some(cert) = cert { + cert_bags.push(cert_to_bag(cert, name)?); + } + + if let Some(cas) = cas { + for cert in cas.iter()? { + ca_certs.push(cert?.extract::()?); + } + + for cert in &ca_certs { + let bag = match cert { + CertificateOrPKCS12Certificate::Certificate(c) => cert_to_bag(c.get(), None)?, + CertificateOrPKCS12Certificate::PKCS12Certificate(c) => cert_to_bag( + c.get().certificate.get(), + c.get().friendly_name.as_ref().map(|v| v.as_bytes(py)), + )?, + }; + cert_bags.push(bag); + } + } + + cert_bag_contents = asn1::write_single(&asn1::SequenceOfWriter::new(cert_bags))?; + auth_safe_contents.push(cryptography_x509::pkcs7::ContentInfo { + _content_type: asn1::DefinedByMarker::marker(), + content: cryptography_x509::pkcs7::Content::Data(Some(asn1::Explicit::new( + &cert_bag_contents, + ))), + }); + } + let auth_safe_content = asn1::write_single(&asn1::SequenceOfWriter::new(auth_safe_contents))?; + + let salt = types::OS_URANDOM + .get(py)? + .call1((8,))? + .extract::()?; + let mac_algorithm_md = hashes::message_digest_from_algorithm(py, &mac_algorithm)?; + let mac_key = pkcs12_kdf( + password, + &salt, + KDF_MAC_KEY_ID, + mac_kdf_iter, + mac_algorithm_md.size(), + mac_algorithm_md, + )?; + let mac_digest = { + let mut h = hmac::Hmac::new_bytes(py, &mac_key, &mac_algorithm)?; + h.update_bytes(&auth_safe_content)?; + h.finalize(py)? + }; + let mac_algorithm_identifier = crate::x509::ocsp::HASH_NAME_TO_ALGORITHM_IDENTIFIERS + [&*mac_algorithm + .getattr(pyo3::intern!(py, "name"))? + .extract::()?] 
+ .clone(); + + let p12 = cryptography_x509::pkcs12::Pfx { + version: 3, + auth_safe: cryptography_x509::pkcs7::ContentInfo { + _content_type: asn1::DefinedByMarker::marker(), + content: cryptography_x509::pkcs7::Content::Data(Some(asn1::Explicit::new( + &auth_safe_content, + ))), + }, + mac_data: Some(cryptography_x509::pkcs12::MacData { + mac: cryptography_x509::pkcs7::DigestInfo { + algorithm: mac_algorithm_identifier, + digest: mac_digest.as_bytes(), + }, + salt: &salt, + iterations: mac_kdf_iter, + }), + }; + Ok(pyo3::types::PyBytes::new_bound( + py, + &asn1::write_single(&p12)?, + )) +} + fn decode_p12( data: CffiBuf<'_>, password: Option>, @@ -323,6 +480,10 @@ pub(crate) fn create_submodule( &submod )?)?; submod.add_function(pyo3::wrap_pyfunction_bound!(load_pkcs12, &submod)?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!( + serialize_key_and_certificates, + &submod + )?)?; submod.add_class::()?; diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index d60c50ea6960..3b21ec1f1ad3 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -345,6 +345,8 @@ pub static EXTENDABLE_OUTPUT_FUNCTION: LazyPyImport = LazyPyImport::new( ); pub static SHA1: LazyPyImport = LazyPyImport::new("cryptography.hazmat.primitives.hashes", &["SHA1"]); +pub static SHA256: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.hashes", &["SHA256"]); pub static PREHASHED: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.asymmetric.utils", diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 9217e4eca5f2..3230718c4120 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py 
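Review bot: `assert!(cert.is_some() || cas.is_some());` in `serialize_key_and_certificates` (src/rust/src/pkcs12.rs) reports a bad call as a Rust panic instead of a Python `ValueError`. The wrapper in pkcs12.py checks this before calling in, but the function is also registered on the submodule and can be called directly; `if cert.is_none() && cas.is_none() { return Err(pyo3::exceptions::PyValueError::new_err("You must supply at least one of cert or cas").into()); }` keeps the failure catchable. The same applies to the `HASH_NAME_TO_ALGORITHM_IDENTIFIERS[...]` index further down, which would panic on an unknown hash name once the algorithm is no longer the fixed SHA-256 default. The literals `8` (salt length) and `2048` (MAC KDF iterations) would also read better as named constants next to `KDF_MAC_KEY_ID`.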
@@ -544,9 +544,6 @@ def test_generate_cert_only_none_cas(self, backend): assert parsed_more_certs == [cert] def test_invalid_utf8_friendly_name(self, backend): - if rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL: - pytest.skip("Temporarily doesn't work on LibreSSL") - cert, _ = _load_ca(backend) with pytest.raises(ValueError): serialize_key_and_certificates( From 46db48e54cfdef50596e0cc003e43d2dddf04493 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Apr 2024 11:32:12 +0000 Subject: [PATCH 0525/1462] Bump pytest from 8.1.1 to 8.2.0 (#10903) Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.1.1 to 8.2.0. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/8.1.1...8.2.0) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 028036766da7..4440df9fb998 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -86,7 +86,7 @@ pygments==2.17.2 # sphinx pyproject-hooks==1.0.0 # via build -pytest==8.1.1; python_version >= "3.8" +pytest==8.2.0; python_version >= "3.8" # via # cryptography (pyproject.toml) # pytest-benchmark From 091bae8cbd9ec18406ed3b054452d8217fa2a941 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Apr 2024 11:32:52 +0000 Subject: [PATCH 0526/1462] Bump pyproject-hooks from 1.0.0 to 1.1.0 (#10904) Bumps [pyproject-hooks](https://github.com/pypa/pyproject-hooks) from 1.0.0 to 1.1.0. - [Changelog](https://github.com/pypa/pyproject-hooks/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/pyproject-hooks/compare/v1.0.0...v1.1.0) --- updated-dependencies: - dependency-name: pyproject-hooks dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 4440df9fb998..7dcf5295dfda 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -84,7 +84,7 @@ pygments==2.17.2 # via # readme-renderer # sphinx -pyproject-hooks==1.0.0 +pyproject-hooks==1.1.0 # via build pytest==8.2.0; python_version >= "3.8" # via From 8e7a10487c5db87d61156455367691a2137e34ab Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Apr 2024 05:50:21 -0700 Subject: [PATCH 0527/1462] Bump pytest-xdist from 3.5.0 to 3.6.1 (#10905) * Bump pytest-xdist from 3.5.0 to 3.6.1 Bumps [pytest-xdist](https://github.com/pytest-dev/pytest-xdist) from 3.5.0 to 3.6.1. - [Release notes](https://github.com/pytest-dev/pytest-xdist/releases) - [Changelog](https://github.com/pytest-dev/pytest-xdist/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest-xdist/compare/v3.5.0...v3.6.1) --- updated-dependencies: - dependency-name: pytest-xdist dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update ci-constraints-requirements.txt --------- 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 7dcf5295dfda..cd9556013ac4 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -99,7 +99,7 @@ pytest-cov==5.0.0; python_version >= "3.8" # via cryptography (pyproject.toml) pytest-randomly==3.15.0 # via cryptography (pyproject.toml) -pytest-xdist==3.5.0 +pytest-xdist==3.6.1; python_version >= "3.8" # via cryptography (pyproject.toml) readme-renderer==43.0 # via cryptography (pyproject.toml) From 13fbef6d520f728660d63cc039be745333b24574 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Apr 2024 05:50:44 -0700 Subject: [PATCH 0528/1462] Bump keyring from 25.1.0 to 25.2.0 in /.github/requirements (#10906) * Bump keyring from 25.1.0 to 25.2.0 in /.github/requirements Bumps [keyring](https://github.com/jaraco/keyring) from 25.1.0 to 25.2.0. - [Release notes](https://github.com/jaraco/keyring/releases) - [Changelog](https://github.com/jaraco/keyring/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/keyring/compare/v25.1.0...v25.2.0) --- updated-dependencies: - dependency-name: keyring dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 34634da4b077..5076db558de1 100644 
--- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -268,9 +268,9 @@ jeepney==0.8.0 \ # via # keyring # secretstorage -keyring==25.1.0 \ - --hash=sha256:26fc12e6a329d61d24aa47b22a7c5c3f35753df7d8f2860973cf94f4e1fb3427 \ - --hash=sha256:7230ea690525133f6ad536a9b5def74a4bd52642abe594761028fc044d7c7893 +keyring==25.2.0 \ + --hash=sha256:19f17d40335444aab84b19a0d16a77ec0758a9c384e3446ae2ed8bd6d53b67a5 \ + --hash=sha256:7045f367268ce42dba44745050164b431e46f6e92f99ef2937dfadaef368d8cf # via twine markdown-it-py==3.0.0 \ --hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1 \ From d5a3984a9a4f80d547a18ff06180864ff39ab9b5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 29 Apr 2024 11:04:56 -0400 Subject: [PATCH 0529/1462] Added additional PKCS#12 tests (#10902) --- tests/hazmat/primitives/test_pkcs12.py | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 3230718c4120..5b97121b2c1e 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -419,12 +419,20 @@ def test_generate_cas_friendly_names(self, backend): assert cas[1].certificate == cert3 assert cas[1].friendly_name is None - def test_generate_cas_friendly_names_no_key(self, backend): + @pytest.mark.parametrize( + ("encryption_algorithm", "password"), + [ + (serialization.BestAvailableEncryption(b"password"), b"password"), + (serialization.NoEncryption(), None), + ], + ) + def test_generate_cas_friendly_names_no_key( + self, backend, encryption_algorithm, password + ): cert2 = _load_cert( backend, os.path.join("x509", "custom", "dsa_selfsigned_ca.pem") ) cert3 = _load_cert(backend, os.path.join("x509", "letsencryptx3.pem")) - encryption = serialization.NoEncryption() p12 = serialize_key_and_certificates( None, None, 
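Review bot: The new `BestAvailableEncryption(b"password")` case in `test_generate_cas_friendly_names_no_key` (tests/hazmat/primitives/test_pkcs12.py) is only exercised on the success path: the following hunk loads the blob with the matching password and compares the certificates. Nothing asserts that the protected output is rejected under a different password, so a regression that left a cert-only bundle without effective password protection could still pass. For the encrypted parameter, consider adding `with pytest.raises(ValueError): load_pkcs12(p12, b"wrong-password", backend)`, adjusting the exception type if `load_pkcs12` raises something else for a bad password. The test body starts in this hunk and continues into the next one.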
@@ -433,10 +441,10 @@ def test_generate_cas_friendly_names_no_key(self, backend): PKCS12Certificate(cert2, b"cert2"), PKCS12Certificate(cert3, None), ], - encryption, + encryption_algorithm, ) - p12_cert = load_pkcs12(p12, None, backend) + p12_cert = load_pkcs12(p12, password, backend) cas = p12_cert.additional_certs assert cas[0].certificate == cert2 assert cas[0].friendly_name == b"cert2" From c46cc3ec5372289d5d0fee742244d3ddcf274f58 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Apr 2024 22:44:14 +0000 Subject: [PATCH 0530/1462] Bump libc from 0.2.153 to 0.2.154 in /src/rust (#10907) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.153 to 0.2.154. - [Release notes](https://github.com/rust-lang/libc/releases) - [Commits](https://github.com/rust-lang/libc/compare/0.2.153...0.2.154) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 010ebe1b4ff0..59ffe141ab1a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -158,9 +158,9 @@ checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "libc" -version = "0.2.153" +version = "0.2.154" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd" +checksum = "ae743338b92ff9146ce83992f766a31066a91a8c84a45e0e9f21e7cf6de6d346" [[package]] name = "lock_api" From 5f50167f81695d6c0ab5e289c647e2afe9634993 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Apr 2024 22:45:51 +0000 Subject: [PATCH 0531/1462] Bump virtualenv from 20.26.0 to 20.26.1 (#10908) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.26.0 to 20.26.1. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.26.0...20.26.1) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index cd9556013ac4..d8d8347bb92a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -150,7 +150,7 @@ typing-extensions==4.11.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests -virtualenv==20.26.0 +virtualenv==20.26.1 # via nox # The following packages are considered to be unsafe in a requirements file: From 8e33035d0e4ff6595094562775407794d8b89b8b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Apr 2024 22:46:10 +0000 Subject: [PATCH 0532/1462] Bump filelock from 3.13.4 to 3.14.0 (#10909) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.13.4 to 3.14.0. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.13.4...3.14.0) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d8d8347bb92a..f448ab641f04 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -40,7 +40,7 @@ exceptiongroup==1.2.1 # via pytest execnet==2.1.1; python_version >= "3.8" # via pytest-xdist -filelock==3.13.4; python_version >= "3.8" +filelock==3.14.0; python_version >= "3.8" # via virtualenv idna==3.7 # via requests From 071d9942397861d30d9d32edba261fe05c8aa76f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 30 Apr 2024 00:15:24 +0000 Subject: [PATCH 0533/1462] Bump BoringSSL and/or OpenSSL in CI (#10910) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f4227d1451d8..5313d5190cca 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 27, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d69e8b46184b6fd844a4a92b4a6f4347d08ee439"}} - # Latest commit on the OpenSSL master branch, as of Apr 27, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "933f57dfe21657f7aba8f13e0cdb3b02dd64fcc3"}} + # Latest commit on the BoringSSL master branch, as of Apr 30, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2db0eb3f96a5756298dcd7f9319e56a98585bd10"}} + # Latest commit on the OpenSSL master branch, as of Apr 30, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6a4a714045415be6720f4165c4d70a0ff229a26a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From d796f447b4f5259ceae7186ab9f77ae9f609e063 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 30 Apr 2024 00:29:28 +0000 Subject: [PATCH 0534/1462] Bump x509-limbo and/or wycheproof in CI (#10911) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 390bff761eb2..c5ab5577bdfb 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Apr 23, 2024. - ref: "b372833b8ce29da36ced2aec91e46bd157008a7d" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Apr 30, 2024. + ref: "4b12b2196d770bb0f7c312c51a1bfbda13d49a57" # x509-limbo-ref From 302372be4f82e9615baca05e824484f532448d19 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 30 Apr 2024 10:17:14 -0400 Subject: [PATCH 0535/1462] Fixes for ruff in preview mode (#10912) --- src/cryptography/__about__.py | 2 +- src/cryptography/__init__.py | 2 +- .../bindings/_rust/openssl/__init__.pyi | 12 +- .../hazmat/primitives/ciphers/__init__.py | 8 +- .../hazmat/primitives/ciphers/aead.py | 2 +- src/cryptography/hazmat/primitives/hashes.py | 24 ++-- .../primitives/serialization/__init__.py | 30 ++-- .../hazmat/primitives/serialization/pkcs12.py | 2 +- .../hazmat/primitives/serialization/ssh.py | 4 +- src/cryptography/x509/__init__.py | 134 +++++++++--------- src/cryptography/x509/verification.py | 8 +- 11 files changed, 114 insertions(+), 114 deletions(-) diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index 5d65d977a08a..0087b1720f0e 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -5,9 +5,9 @@ from __future__ import annotations __all__ = [ - "__version__", "__author__", "__copyright__", + "__version__", ] __version__ = "43.0.0.dev1" diff --git a/src/cryptography/__init__.py b/src/cryptography/__init__.py index 86b9a25726d1..d374f752dfd5 100644 --- a/src/cryptography/__init__.py +++ b/src/cryptography/__init__.py @@ -7,7 +7,7 @@ from cryptography.__about__ import __author__, __copyright__, __version__ __all__ = [ - "__version__", "__author__", "__copyright__", + "__version__", ] 
diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index e4e742bdfedf..1e66d3331030 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -24,23 +24,23 @@ from cryptography.hazmat.bindings._rust.openssl import ( ) __all__ = [ - "openssl_version", - "openssl_version_text", - "raise_openssl_error", "aead", "ciphers", "cmac", "dh", "dsa", "ec", + "ed448", + "ed25519", "hashes", "hmac", "kdf", "keys", - "ed448", - "ed25519", - "rsa", + "openssl_version", + "openssl_version_text", "poly1305", + "raise_openssl_error", + "rsa", "x448", "x25519", ] diff --git a/src/cryptography/hazmat/primitives/ciphers/__init__.py b/src/cryptography/hazmat/primitives/ciphers/__init__.py index cc88fbf2c4c3..10c15d0f5cb3 100644 --- a/src/cryptography/hazmat/primitives/ciphers/__init__.py +++ b/src/cryptography/hazmat/primitives/ciphers/__init__.py @@ -17,11 +17,11 @@ ) __all__ = [ - "Cipher", - "CipherAlgorithm", - "BlockCipherAlgorithm", - "CipherContext", "AEADCipherContext", "AEADDecryptionContext", "AEADEncryptionContext", + "BlockCipherAlgorithm", + "Cipher", + "CipherAlgorithm", + "CipherContext", ] diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py index f82a05685e02..c8a582d7844d 100644 --- a/src/cryptography/hazmat/primitives/ciphers/aead.py +++ b/src/cryptography/hazmat/primitives/ciphers/aead.py @@ -7,12 +7,12 @@ from cryptography.hazmat.bindings._rust import openssl as rust_openssl __all__ = [ - "ChaCha20Poly1305", "AESCCM", "AESGCM", "AESGCMSIV", "AESOCB3", "AESSIV", + "ChaCha20Poly1305", ] AESGCM = rust_openssl.aead.AESGCM diff --git a/src/cryptography/hazmat/primitives/hashes.py b/src/cryptography/hazmat/primitives/hashes.py index c5be0c8eadc0..b819e399287e 100644 --- a/src/cryptography/hazmat/primitives/hashes.py 
+++ b/src/cryptography/hazmat/primitives/hashes.py @@ -9,27 +9,27 @@ from cryptography.hazmat.bindings._rust import openssl as rust_openssl __all__ = [ - "HashAlgorithm", - "HashContext", - "Hash", - "ExtendableOutputFunction", + "MD5", "SHA1", - "SHA512_224", - "SHA512_256", - "SHA224", - "SHA256", - "SHA384", - "SHA512", "SHA3_224", "SHA3_256", "SHA3_384", "SHA3_512", + "SHA224", + "SHA256", + "SHA384", + "SHA512", + "SHA512_224", + "SHA512_256", "SHAKE128", "SHAKE256", - "MD5", + "SM3", "BLAKE2b", "BLAKE2s", - "SM3", + "ExtendableOutputFunction", + "Hash", + "HashAlgorithm", + "HashContext", ] diff --git a/src/cryptography/hazmat/primitives/serialization/__init__.py b/src/cryptography/hazmat/primitives/serialization/__init__.py index b6c9a5cdc520..07b2264b9a51 100644 --- a/src/cryptography/hazmat/primitives/serialization/__init__.py +++ b/src/cryptography/hazmat/primitives/serialization/__init__.py @@ -36,6 +36,21 @@ ) __all__ = [ + "BestAvailableEncryption", + "Encoding", + "KeySerializationEncryption", + "NoEncryption", + "ParameterFormat", + "PrivateFormat", + "PublicFormat", + "SSHCertPrivateKeyTypes", + "SSHCertPublicKeyTypes", + "SSHCertificate", + "SSHCertificateBuilder", + "SSHCertificateType", + "SSHPrivateKeyTypes", + "SSHPublicKeyTypes", + "_KeySerializationEncryption", "load_der_parameters", "load_der_private_key", "load_der_public_key", @@ -45,19 +60,4 @@ "load_ssh_private_key", "load_ssh_public_identity", "load_ssh_public_key", - "Encoding", - "PrivateFormat", - "PublicFormat", - "ParameterFormat", - "KeySerializationEncryption", - "BestAvailableEncryption", - "NoEncryption", - "_KeySerializationEncryption", - "SSHCertificateBuilder", - "SSHCertificate", - "SSHCertificateType", - "SSHCertPublicKeyTypes", - "SSHCertPrivateKeyTypes", - "SSHPrivateKeyTypes", - "SSHPublicKeyTypes", ] 
diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index 0d37145eb943..17e03fbbe15c 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py @@ -21,9 +21,9 @@ __all__ = [ "PBES", - "PKCS12PrivateKeyTypes", "PKCS12Certificate", "PKCS12KeyAndCertificates", + "PKCS12PrivateKeyTypes", "load_key_and_certificates", "load_pkcs12", "serialize_key_and_certificates", diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py index fc9fbf42584f..51cddab47377 100644 --- a/src/cryptography/hazmat/primitives/serialization/ssh.py +++ b/src/cryptography/hazmat/primitives/serialization/ssh.py @@ -603,7 +603,7 @@ def load_public( ) -> tuple[ed25519.Ed25519PublicKey, memoryview]: """Make Ed25519 public key from data.""" public_key, data = _lookup_kformat(_SSH_ED25519).load_public(data) - application, data = load_application(data) + _, data = load_application(data) return public_key, data @@ -622,7 +622,7 @@ def load_public( ) -> tuple[ec.EllipticCurvePublicKey, memoryview]: """Make Ed25519 public key from data.""" public_key, data = _lookup_kformat(_ECDSA_NISTP256).load_public(data) - application, data = load_application(data) + _, data = load_application(data) return public_key, data diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py index e73e527fc4a0..26c6444c511f 100644 --- a/src/cryptography/x509/__init__.py +++ b/src/cryptography/x509/__init__.py 
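Review bot: In the second `load_public` hunk of src/cryptography/hazmat/primitives/serialization/ssh.py, the one returning `ec.EllipticCurvePublicKey`, the docstring still reads `"""Make Ed25519 public key from data."""`, which looks copied from the Ed25519 variant in the hunk above; it should say `"""Make ECDSA public key from data."""`. Both hunks now bind the first result of `load_application(data)` to `_`, so the application string is read and then dropped. A short comment such as `# application string is consumed from the buffer but not used` would make it clear that this is deliberate. Both methods begin outside their hunks.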
@@ -171,89 +171,89 @@ OID_OCSP = AuthorityInformationAccessOID.OCSP __all__ = [ - "certificate_transparency", - "verification", - "load_pem_x509_certificate", - "load_pem_x509_certificates", - "load_der_x509_certificate", - "load_pem_x509_csr", - "load_der_x509_csr", - "load_pem_x509_crl", - "load_der_x509_crl", - "random_serial_number", - "verification", + "OID_CA_ISSUERS", + "OID_OCSP", + "AccessDescription", "Attribute", "AttributeNotFound", "Attributes", - "InvalidVersion", + "AuthorityInformationAccess", + "AuthorityKeyIdentifier", + "BasicConstraints", + "CRLDistributionPoints", + "CRLNumber", + "CRLReason", + "Certificate", + "CertificateBuilder", + "CertificateIssuer", + "CertificatePolicies", + "CertificateRevocationList", + "CertificateRevocationListBuilder", + "CertificateSigningRequest", + "CertificateSigningRequestBuilder", + "DNSName", "DeltaCRLIndicator", + "DirectoryName", + "DistributionPoint", "DuplicateExtension", + "ExtendedKeyUsage", + "Extension", "ExtensionNotFound", - "UnsupportedGeneralNameType", - "NameAttribute", - "Name", - "RelativeDistinguishedName", - "ObjectIdentifier", "ExtensionType", "Extensions", - "Extension", - "ExtendedKeyUsage", "FreshestCRL", + "GeneralName", + "GeneralNames", + "IPAddress", + "InhibitAnyPolicy", + "InvalidVersion", + "InvalidityDate", + "IssuerAlternativeName", "IssuingDistributionPoint", - "TLSFeature", - "TLSFeatureType", + "KeyUsage", + "MSCertificateTemplate", + "Name", + "NameAttribute", + "NameConstraints", + "NameOID", + "NoticeReference", "OCSPAcceptableResponses", "OCSPNoCheck", - "BasicConstraints", - "CRLNumber", - "KeyUsage", - "AuthorityInformationAccess", - "SubjectInformationAccess", - "AccessDescription", - "CertificatePolicies", + "OCSPNonce", + "ObjectIdentifier", + "OtherName", + "PolicyConstraints", "PolicyInformation", - "UserNotice", - "NoticeReference", - "SubjectKeyIdentifier", - "NameConstraints", - "CRLDistributionPoints", - "DistributionPoint", - "ReasonFlags", - 
"InhibitAnyPolicy", - "SubjectAlternativeName", - "IssuerAlternativeName", - "AuthorityKeyIdentifier", - "GeneralNames", - "GeneralName", + "PrecertPoison", + "PrecertificateSignedCertificateTimestamps", + "PublicKeyAlgorithmOID", "RFC822Name", - "DNSName", - "UniformResourceIdentifier", + "ReasonFlags", "RegisteredID", - "DirectoryName", - "IPAddress", - "OtherName", - "Certificate", - "CertificateRevocationList", - "CertificateRevocationListBuilder", - "CertificateSigningRequest", + "RelativeDistinguishedName", "RevokedCertificate", "RevokedCertificateBuilder", - "CertificateSigningRequestBuilder", - "CertificateBuilder", - "Version", - "OID_CA_ISSUERS", - "OID_OCSP", - "CertificateIssuer", - "CRLReason", - "InvalidityDate", - "UnrecognizedExtension", - "PolicyConstraints", - "PrecertificateSignedCertificateTimestamps", - "PrecertPoison", - "OCSPNonce", - "PublicKeyAlgorithmOID", - "SignedCertificateTimestamps", "SignatureAlgorithmOID", - "NameOID", - "MSCertificateTemplate", + "SignedCertificateTimestamps", + "SubjectAlternativeName", + "SubjectInformationAccess", + "SubjectKeyIdentifier", + "TLSFeature", + "TLSFeatureType", + "UniformResourceIdentifier", + "UnrecognizedExtension", + "UnsupportedGeneralNameType", + "UserNotice", + "Version", + "certificate_transparency", + "load_der_x509_certificate", + "load_der_x509_crl", + "load_der_x509_csr", + "load_pem_x509_certificate", + "load_pem_x509_certificates", + "load_pem_x509_crl", + "load_pem_x509_csr", + "random_serial_number", + "verification", + "verification", ] diff --git a/src/cryptography/x509/verification.py b/src/cryptography/x509/verification.py index 191705e8352b..b83650681237 100644 --- a/src/cryptography/x509/verification.py +++ b/src/cryptography/x509/verification.py 
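Review bot: The sorted `__all__` in src/cryptography/x509/__init__.py ends with `"verification",` listed twice. The name also appears twice among the removed lines, so the duplicate predates this commit and was carried through the sort. It is harmless at import time, but the final pair should be reduced to a single `"verification",` entry.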
@@ -10,13 +10,13 @@ from cryptography.x509.general_name import DNSName, IPAddress __all__ = [ - "Store", - "Subject", - "VerifiedClient", "ClientVerifier", - "ServerVerifier", "PolicyBuilder", + "ServerVerifier", + "Store", + "Subject", "VerificationError", + "VerifiedClient", ] Store = rust_x509.Store From ec4be85c8901faf310eebb02ff1ce9b0f4251852 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 1 May 2024 00:21:35 +0000 Subject: [PATCH 0536/1462] Bump BoringSSL and/or OpenSSL in CI (#10913) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5313d5190cca..28204d64c1f5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Apr 30, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2db0eb3f96a5756298dcd7f9319e56a98585bd10"}} - # Latest commit on the OpenSSL master branch, as of Apr 30, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6a4a714045415be6720f4165c4d70a0ff229a26a"}} + # Latest commit on the OpenSSL master branch, as of May 01, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "af75373eeab6040aba243dd7629fb6f8244f2f5d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 05d44a8d9d8eedf4d1278cdff67ddc32b2af45c0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 May 2024 11:15:08 +0000 Subject: [PATCH 0537/1462] Bump base64 from 0.22.0 to 0.22.1 in /src/rust (#10914) Bumps [base64](https://github.com/marshallpierce/rust-base64) from 0.22.0 to 0.22.1. - [Changelog](https://github.com/marshallpierce/rust-base64/blob/master/RELEASE-NOTES.md) - [Commits](https://github.com/marshallpierce/rust-base64/compare/v0.22.0...v0.22.1) --- updated-dependencies: - dependency-name: base64 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 59ffe141ab1a..1048af74dad3 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -30,9 +30,9 @@ checksum = "f1fdabc7756949593fe60f30ec81974b613357de856987752631dea1e3394c80" [[package]] name = "base64" -version = "0.22.0" +version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9475866fec1451be56a3c2400fd081ff546538961565ccb5b7142cbd22bc7a51" +checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" [[package]] name = "bitflags" From b4ca965b0f8186b95e7c3f1389205628a0cf2502 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 2 May 2024 00:55:41 -0400 Subject: [PATCH 0538/1462] Ensure curves are supported in determinisic ECDSA tests (#10917) * Ensure curves are supported in determinisic ECDSA tests * x25519/x448 isnt fips anymore i guess --- .../hazmat/backends/openssl/backend.py | 12 ++--------- tests/hazmat/primitives/test_ec.py | 20 +++++++++++++++++++ tests/utils.py | 1 + 3 files changed, 23 insertions(+), 10 deletions(-) 
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 42ec1a2c9519..d00d1e4b072a 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -325,20 +325,12 @@ def dh_x942_serialization_supported(self) -> bool: return self._lib.Cryptography_HAS_EVP_PKEY_DHX == 1 def x25519_supported(self) -> bool: - # Beginning with OpenSSL 3.2.0, X25519 is considered FIPS. - if ( - self._fips_enabled - and not rust_openssl.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER - ): + if self._fips_enabled: return False return True def x448_supported(self) -> bool: - # Beginning with OpenSSL 3.2.0, X448 is considered FIPS. - if ( - self._fips_enabled - and not rust_openssl.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER - ): + if self._fips_enabled: return False return ( not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index b0e29b3803e6..08178c232466 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -535,6 +535,23 @@ def test_deterministic_nonce(self, backend, subtests): "SHA384": hashes.SHA384(), "SHA512": hashes.SHA512(), } + curves = { + "B-163": ec.SECT163R2(), + "B-233": ec.SECT233R1(), + "B-283": ec.SECT283R1(), + "B-409": ec.SECT409R1(), + "B-571": ec.SECT571R1(), + "K-163": ec.SECT163K1(), + "K-233": ec.SECT233K1(), + "K-283": ec.SECT283K1(), + "K-409": ec.SECT409K1(), + "K-571": ec.SECT571K1(), + "P-192": ec.SECP192R1(), + "P-224": ec.SECP224R1(), + "P-256": ec.SECP256R1(), + "P-384": ec.SECP384R1(), + "P-521": ec.SECP521R1(), + } vectors = load_vectors_from_file( os.path.join( "asymmetric", "ECDSA", "RFC6979", "evppkey_ecdsa_rfc6979.txt" 
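Review bot: In src/cryptography/hazmat/backends/openssl/backend.py, `x25519_supported` and `x448_supported` now return False whenever `self._fips_enabled` is set, but the hunk deletes the only comments explaining the FIPS handling and adds none. The removed comments said OpenSSL 3.2.0 treats these algorithms as FIPS, so a reader can no longer tell why the version check was dropped. A one-line comment above each `if self._fips_enabled:` would record the decision, for example `# Reported as unavailable under FIPS on every OpenSSL version (#10917).` `x25519_supported` could then be reduced to `return not self._fips_enabled`. Since this changes what callers see on FIPS builds with OpenSSL 3.2 or later, it may deserve a changelog entry; the diffstat shows none in this commit.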
@@ -547,6 +564,9 @@ def test_deterministic_nonce(self, backend, subtests): input = bytes(vector["input"], "utf-8") output = bytes.fromhex(vector["output"]) key = bytes("\n".join(vector["key"]), "utf-8") + curve = curves[vector["key_name"].split("_")[0]] + _skip_curve_unsupported(backend, curve) + if "digest_sign" in vector: algorithm = vector["digest_sign"] hash_algorithm = supported_hash_algorithms[algorithm] diff --git a/tests/utils.py b/tests/utils.py index 3a8a768cf115..b9734a6dc5ac 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -734,6 +734,7 @@ def load_rfc6979_vectors(vector_data): key_name = line.split("=")[1].strip() assert key_name in keys data["key"] = keys[key_name] + data["key_name"] = key_name elif line.startswith("NonceType = "): nonce_type = line.split("=")[1].strip() data["deterministic_nonce"] = nonce_type == "deterministic" From 30722682e60f3a337b2751d158a8e262e2d63d14 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 2 May 2024 11:01:04 +0000 Subject: [PATCH 0539/1462] Bump BoringSSL and/or OpenSSL in CI (#10916) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 28204d64c1f5..b54636424373 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 30, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2db0eb3f96a5756298dcd7f9319e56a98585bd10"}} - # Latest commit on the OpenSSL master branch, as of May 01, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "af75373eeab6040aba243dd7629fb6f8244f2f5d"}} + # Latest commit on the BoringSSL master branch, as of May 02, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "783ae722ed307a3b3782cd253fd4ffb387f38767"}} + # Latest commit on the OpenSSL master branch, as of May 02, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a380ae85be287045b1eaa64d23942101a426c080"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 7a5d7e6df83e1dee7eca48ec3cd5a0011322c356 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 2 May 2024 11:02:57 +0000 Subject: [PATCH 0540/1462] Bump cc from 1.0.95 to 1.0.96 in /src/rust (#10915) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.95 to 1.0.96. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.95...1.0.96) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 1048af74dad3..048fe7ee095b 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1" [[package]] name = "cc" -version = "1.0.95" +version = "1.0.96" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d32a725bc159af97c3e629873bb9f88fb8cf8a4867175f76dc987815ea07c83b" +checksum = "065a29261d53ba54260972629f9ca6bffa69bac13cd1fed61420f7fa68b9f8bd" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 34d16fb493a6..41783da0d891 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.21.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.95" +cc = "1.0.96" From 8fff982138b5b82bbc94e3182a088564414b6b78 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 3 May 2024 00:17:04 +0000 Subject: [PATCH 0541/1462] Bump BoringSSL and/or OpenSSL in CI (#10920) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b54636424373..72639afa13f2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 02, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "783ae722ed307a3b3782cd253fd4ffb387f38767"}} - # Latest commit on the OpenSSL master branch, as of May 02, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a380ae85be287045b1eaa64d23942101a426c080"}} + # Latest commit on the BoringSSL master branch, as of May 03, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d2e3212de29bac1ceed33ca8ab8bbff3f41a2459"}} + # Latest commit on the OpenSSL master branch, as of May 03, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "067fbc01b9e867b31c71091d62f0f9012dc9e41a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 00491bef0da413246a5a55d47018dcc1506aeb35 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 3 May 2024 16:19:12 -0400 Subject: [PATCH 0542/1462] Consolidate dependabot configuration with multi-directory (#10921) --- .github/dependabot.yml | 43 ++++++++---------------------------------- 1 file changed, 8 insertions(+), 35 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 225922bd21a6..1678833c2a9b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -1,29 +1,11 @@ version: 2 updates: - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - time: "06:00" - timezone: "America/New_York" - open-pull-requests-limit: 1024 - - - package-ecosystem: "github-actions" - directory: "/.github/actions/cache/" - schedule: - interval: "daily" - time: "06:00" - timezone: "America/New_York" - open-pull-requests-limit: 1024 - - package-ecosystem: "github-actions" - directory: "/.github/actions/upload-coverage/" - schedule: - interval: "daily" - time: "06:00" - timezone: "America/New_York" - open-pull-requests-limit: 1024 - - package-ecosystem: "github-actions" - directory: "/.github/actions/fetch-vectors/" + directories: + - "/" + - "/.github/actions/cache/" + - "/.github/actions/upload-coverage/" + - "/.github/actions/fetch-vectors/" schedule: interval: "daily" time: "06:00" @@ -42,18 +24,9 @@ updates: open-pull-requests-limit: 1024 - package-ecosystem: pip - directory: "/" - schedule: - interval: daily - time: "06:00" - timezone: "America/New_York" - allow: - # Also update indirect dependencies - - dependency-type: all - open-pull-requests-limit: 1024 - - - package-ecosystem: pip - directory: "/.github/requirements/" + directories: + - "/" + - "/.github/requirements/" schedule: interval: daily time: "06:00" From 192c69aff76bd9e77cb7aef7f9378394b1495c54 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 May 2024 20:36:33 +0000 Subject: [PATCH 0543/1462] Bump autocfg from 1.2.0 to 1.3.0 in /src/rust (#10926) Bumps [autocfg](https://github.com/cuviper/autocfg) from 1.2.0 to 1.3.0. - [Commits](https://github.com/cuviper/autocfg/commits) --- updated-dependencies: - dependency-name: autocfg dependency-type: indirect update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 048fe7ee095b..f3cb40009983 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -24,9 +24,9 @@ dependencies = [ [[package]] name = "autocfg" -version = "1.2.0" +version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1fdabc7756949593fe60f30ec81974b613357de856987752631dea1e3394c80" +checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" [[package]] name = "base64" From d06bb7089a84889b3cd8f9ae84748e95afb455b5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 May 2024 20:39:12 +0000 Subject: [PATCH 0544/1462] Bump self_cell from 1.0.3 to 1.0.4 in /src/rust (#10927) Bumps [self_cell](https://github.com/Voultapher/self_cell) from 1.0.3 to 1.0.4. - [Release notes](https://github.com/Voultapher/self_cell/releases) - [Commits](https://github.com/Voultapher/self_cell/compare/v1.0.3...v1.0.4) --- updated-dependencies: - dependency-name: self_cell dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index f3cb40009983..1a0583fd051f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -367,9 +367,9 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" [[package]] name = "self_cell" -version = "1.0.3" +version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "58bf37232d3bb9a2c4e641ca2a11d83b5062066f88df7fed36c28772046d65ba" +checksum = "d369a96f978623eb3dc28807c4852d6cc617fed53da5d3c400feff1ef34a714a" [[package]] name = "smallvec" From 39aee4f8b7bd14fd44542cb84dd45d75a86026cd Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 4 May 2024 01:09:25 +0000 Subject: [PATCH 0545/1462] Bump BoringSSL and/or OpenSSL in CI (#10928) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 72639afa13f2..9df593888083 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 03, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d2e3212de29bac1ceed33ca8ab8bbff3f41a2459"}} + # Latest commit on the BoringSSL master branch, as of May 04, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "3e89a7e8db8139db356b892ca9993172346c80cf"}} # Latest commit on the OpenSSL master branch, as of May 03, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "067fbc01b9e867b31c71091d62f0f9012dc9e41a"}} # Builds with various Rust versions. Includes MSRV and next From 95131abed8f3cf0a45ed8b8ff948a36926c6c6b3 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Sat, 4 May 2024 11:38:10 -0400 Subject: [PATCH 0546/1462] forward port 42.0.6 changelog (#10930) --- CHANGELOG.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index e7153b215514..c78e05bb3249 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -45,6 +45,13 @@ Changelog timezone-aware alternative to the naïve ``datetime`` attribute :attr:`~cryptography.x509.InvalidityDate.invalidity_date`. +.. _v42-0-6: + +42.0.6 - 2024-05-04 +~~~~~~~~~~~~~~~~~~~ + +* Fixed compilation when using LibreSSL 3.9.1. + .. _v42-0-5: 42.0.5 - 2024-02-23 From 49711bab0a6e511b0e5ae0814185fd17d5696abe Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 5 May 2024 11:34:26 -0400 Subject: [PATCH 0547/1462] Fix build with Rust nightly (#10936) --- src/rust/build.rs | 6 ++++++ src/rust/cryptography-cffi/build.rs | 2 ++ src/rust/cryptography-key-parsing/build.rs | 3 +++ src/rust/cryptography-openssl/build.rs | 5 +++++ 4 files changed, 16 insertions(+) diff --git a/src/rust/build.rs b/src/rust/build.rs index d4dca24c4566..5abe0ce3e536 100644 --- a/src/rust/build.rs +++ b/src/rust/build.rs @@ -6,6 +6,12 @@ use std::env; #[allow(clippy::unusual_byte_groupings)] fn main() { + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)"); + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)"); + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_LIBRESSL)"); + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_BORINGSSL)"); + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_OSSLCONF, values(\"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_SM4\"))"); + if let Ok(version) = env::var("DEP_OPENSSL_VERSION_NUMBER") { let version = u64::from_str_radix(&version, 16).unwrap(); diff --git a/src/rust/cryptography-cffi/build.rs b/src/rust/cryptography-cffi/build.rs index 13eae0f49df4..8a2c968e2b68 100644 
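Review bot: The `cargo:rustc-check-cfg` declarations added at the top of `main()` in src/rust/build.rs are a hand-maintained list, and the same names are repeated in cryptography-openssl/build.rs and cryptography-key-parsing/build.rs further down this patch. Nothing ties them to the `cargo:rustc-cfg=` lines emitted later in each `main()`, and the `CRYPTOGRAPHY_OSSLCONF` values are a fixed set of six strings. A new cfg or `OPENSSL_NO_*` value added in one place and not the other would presumably bring the unexpected-cfg warning back, and that lint is what catches a mistyped cfg silently compiling out version-gated code. A comment above the block would help, for example `// Keep in sync with the cargo:rustc-cfg lines below and with the other build.rs files.` The body of `main()` continues outside the hunk.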
--- a/src/rust/cryptography-cffi/build.rs +++ b/src/rust/cryptography-cffi/build.rs @@ -7,6 +7,8 @@ use std::path::Path; use std::process::Command; fn main() { + println!("cargo:rustc-check-cfg=cfg(python_implementation, values(\"CPython\", \"PyPy\"))"); + let target = env::var("TARGET").unwrap(); let openssl_static = env::var("OPENSSL_STATIC") .map(|x| x == "1") diff --git a/src/rust/cryptography-key-parsing/build.rs b/src/rust/cryptography-key-parsing/build.rs index cd318b35ff35..15f34f38b4dd 100644 --- a/src/rust/cryptography-key-parsing/build.rs +++ b/src/rust/cryptography-key-parsing/build.rs @@ -5,6 +5,9 @@ use std::env; fn main() { + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_LIBRESSL)"); + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_BORINGSSL)"); + if env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER").is_ok() { println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_LIBRESSL"); } diff --git a/src/rust/cryptography-openssl/build.rs b/src/rust/cryptography-openssl/build.rs index 87e1fa528b22..00e1df1326d1 100644 --- a/src/rust/cryptography-openssl/build.rs +++ b/src/rust/cryptography-openssl/build.rs @@ -6,6 +6,11 @@ use std::env; #[allow(clippy::unusual_byte_groupings)] fn main() { + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)"); + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)"); + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_LIBRESSL)"); + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_BORINGSSL)"); + if let Ok(version) = env::var("DEP_OPENSSL_VERSION_NUMBER") { let version = u64::from_str_radix(&version, 16).unwrap(); From 43e905b5254176ebecb1e33a318abd24e9c6367b Mon Sep 17 00:00:00 2001 From: Dimitri Papadopoulos Orfanos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Sun, 5 May 2024 18:04:32 +0200 Subject: [PATCH 0548/1462] Use raw string for literal backslashes (#10934) --- src/_cffi_src/openssl/cryptography.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index 11afbdc182f0..fc23960613b0 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -4,7 +4,7 @@ from __future__ import annotations -INCLUDES = """ +INCLUDES = r""" /* define our OpenSSL API compatibility level to 1.1.0. Any symbols older than that will raise an error during compilation. */ #define OPENSSL_API_COMPAT 0x10100000L From 9321740c2aaab4e07d7c028cef014dc410424047 Mon Sep 17 00:00:00 2001 From: Dimitri Papadopoulos Orfanos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Sun, 5 May 2024 18:11:26 +0200 Subject: [PATCH 0549/1462] Apply ruff/flake8-implicit-str-concat rule ISC001 (#10932) ISC001 Implicitly concatenated string literals on one line This rule is currently disabled because it conflicts with the formatter: https://github.com/astral-sh/ruff/issues/8272 --- src/cryptography/hazmat/primitives/kdf/kbkdf.py | 2 +- src/cryptography/x509/base.py | 10 +++++----- tests/test_utils.py | 8 ++++---- tests/x509/test_ocsp.py | 4 ++-- tests/x509/test_x509_ext.py | 2 +- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/cryptography/hazmat/primitives/kdf/kbkdf.py b/src/cryptography/hazmat/primitives/kdf/kbkdf.py index 2f41db9260ec..9ae817d4e6ae 100644 --- a/src/cryptography/hazmat/primitives/kdf/kbkdf.py +++ b/src/cryptography/hazmat/primitives/kdf/kbkdf.py @@ -75,7 +75,7 @@ def __init__( if (label or context) and fixed: raise ValueError( - "When supplying fixed data, " "label and context are ignored." + "When supplying fixed data, label and context are ignored." ) if rlen is None or not self._valid_byte_length(rlen): diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index c035cbb70b4b..6ed41e6694c6 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py 
@@ -869,7 +869,7 @@ def serial_number(self, number: int) -> CertificateBuilder: # zero. if number.bit_length() >= 160: # As defined in RFC 5280 raise ValueError( - "The serial number should not be more than 159 " "bits." + "The serial number should not be more than 159 bits." ) return CertificateBuilder( self._issuer_name, @@ -1047,7 +1047,7 @@ def last_update( last_update = _convert_to_naive_utc_time(last_update) if last_update < _EARLIEST_UTC_TIME: raise ValueError( - "The last update date must be on or after" " 1950 January 1." + "The last update date must be on or after 1950 January 1." ) if self._next_update is not None and last_update > self._next_update: raise ValueError( @@ -1071,7 +1071,7 @@ def next_update( next_update = _convert_to_naive_utc_time(next_update) if next_update < _EARLIEST_UTC_TIME: raise ValueError( - "The last update date must be on or after" " 1950 January 1." + "The last update date must be on or after 1950 January 1." ) if self._last_update is not None and next_update < self._last_update: raise ValueError( @@ -1172,7 +1172,7 @@ def serial_number(self, number: int) -> RevokedCertificateBuilder: # zero. if number.bit_length() >= 160: # As defined in RFC 5280 raise ValueError( - "The serial number should not be more than 159 " "bits." + "The serial number should not be more than 159 bits." ) return RevokedCertificateBuilder( number, self._revocation_date, self._extensions @@ -1188,7 +1188,7 @@ def revocation_date( time = _convert_to_naive_utc_time(time) if time < _EARLIEST_UTC_TIME: raise ValueError( - "The revocation date must be on or after" " 1950 January 1." + "The revocation date must be on or after 1950 January 1." ) return RevokedCertificateBuilder( self._serial_number, time, self._extensions diff --git a/tests/test_utils.py b/tests/test_utils.py index 9f6e271500cc..191cc913a472 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py 
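Review bot: The error raised in `next_update` (the `@@ -1071` hunk) still reads "The last update date must be on or after 1950 January 1." after the two literals are joined, so a caller who passes a too-early next-update value is told the wrong field is at fault. The text looks copied from `last_update` in the hunk above; it should be `"The next update date must be on or after 1950 January 1."`. Any test that matches the old wording would need the same change, and none is visible here. Both builder methods start and end outside their hunks.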
@@ -2721,7 +2721,7 @@ def test_load_fips_ecdsa_key_pair_vectors(): { "curve": "sect233k1", "d": int( - "1da7422b50e3ff051f2aaaed10acea6cbf6110c517da2f4e" "aca8b5b87", + "1da7422b50e3ff051f2aaaed10acea6cbf6110c517da2f4eaca8b5b87", 16, ), "x": int( @@ -2738,7 +2738,7 @@ def test_load_fips_ecdsa_key_pair_vectors(): { "curve": "sect233k1", "d": int( - "530951158f7b1586978c196603c12d25607d2cb0557efadb" "23cd0ce8", + "530951158f7b1586978c196603c12d25607d2cb0557efadb23cd0ce8", 16, ), "x": int( @@ -3776,7 +3776,7 @@ def test_load_kasvs_ecdh_vectors(): ), }, "Z": int( - "b1259ceedfb663d9515089cf727e7024fb3d86cbcec611b4" "ba0b4ab6", + "b1259ceedfb663d9515089cf727e7024fb3d86cbcec611b4ba0b4ab6", 16, ), "curve": "secp224r1", @@ -4015,7 +4015,7 @@ def test_load_kasvs_ecdh_kdf_vectors(): 16, ), "Z": int( - "43f23b2c760d686fc99cc008b63aea92f866e224265af60d" "2d8ae540", + "43f23b2c760d686fc99cc008b63aea92f866e224265af60d2d8ae540", 16, ), "DKM": int("ad65fa2d12541c3a21f3cd223efb", 16), diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py index 335694c7f9a9..8f5948bc171b 100644 --- a/tests/x509/test_ocsp.py +++ b/tests/x509/test_ocsp.py @@ -79,10 +79,10 @@ def test_load_request(self): ocsp.load_der_ocsp_request, ) assert req.issuer_name_hash == ( - b"8\xcaF\x8c\x07D\x8d\xf4\x81\x96" b"\xc7mmLpQ\x9e`\xa7\xbd" + b"8\xcaF\x8c\x07D\x8d\xf4\x81\x96\xc7mmLpQ\x9e`\xa7\xbd" ) assert req.issuer_key_hash == ( - b"yu\xbb\x84:\xcb,\xdez\t\xbe1" b"\x1bC\xbc\x1c*MSX" + b"yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX" ) assert isinstance(req.hash_algorithm, hashes.SHA1) assert req.serial_number == int( diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index 44e8299046dc..d11225fb3077 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py 
@@ -2520,7 +2520,7 @@ def test_uri(self, backend): assert ext is not None uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier) assert uri == [ - "gopher://xn--80ato2c.cryptography:70/path?q=s#hel" "lo", + "gopher://xn--80ato2c.cryptography:70/path?q=s#hello", "http://someregulardomain.com", ] From 1ce23d008ac445116649a0af4769885d3f522571 Mon Sep 17 00:00:00 2001 From: Dimitri Papadopoulos Orfanos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Sun, 5 May 2024 18:12:27 +0200 Subject: [PATCH 0550/1462] Fix more misspellings (#10933) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fix more misspellings * Apply codespell suggestion: implementor → implementer This is not exactly a misspelling, but: * From Garner's Modern English Usage (4 ed.) Although the variant spelling ✳implementor predominated for much of the late 20th century, today implementer is considered standard. * The Google Ngram Viewer shows a ratio of almost 10:1 in 2019. --- docs/glossary.rst | 2 +- docs/spelling_wordlist.txt | 1 - src/rust/cryptography-keepalive/src/lib.rs | 2 +- src/rust/src/backend/cipher_registry.rs | 2 +- 4 files changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/glossary.rst b/docs/glossary.rst index 86718cc0d675..3c2272a4da7c 100644 --- a/docs/glossary.rst +++ b/docs/glossary.rst @@ -94,7 +94,7 @@ Glossary A bytes-like object contains binary data and supports the `buffer protocol`_. This includes ``bytes``, ``bytearray``, and ``memoryview`` objects. It is :term:`unsafe` to pass a mutable object - (e.g., a ``bytearray`` or other implementor of the buffer protocol) + (e.g., a ``bytearray`` or other implementer of the buffer protocol) and to `mutate it concurrently`_ with the operation it has been provided for. diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 9be4a107a70d..e7e9afd1cbaf 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt 
@@ -62,7 +62,6 @@ hazmat Homebrew hostname hostnames -implementor incrementing indistinguishability initialisms diff --git a/src/rust/cryptography-keepalive/src/lib.rs b/src/rust/cryptography-keepalive/src/lib.rs index 46e9f3260d67..9542f9efc24c 100644 --- a/src/rust/cryptography-keepalive/src/lib.rs +++ b/src/rust/cryptography-keepalive/src/lib.rs @@ -13,7 +13,7 @@ pub struct KeepAlive { } /// # Safety -/// Implementors of this trait must ensure that the value returned by +/// Implementers of this trait must ensure that the value returned by /// `deref()` must remain valid, even if `self` is moved. pub unsafe trait StableDeref: Deref {} // SAFETY: `Vec`'s data is on the heap, so as long as it's not mutated, the diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index 40ae826014b4..fb829c093731 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -262,7 +262,7 @@ fn get_cipher_registry( m.add(&chacha20, none_type.as_any(), None, Cipher::chacha20())?; // Don't register legacy ciphers if they're unavailable. In theory - // this should't be necessary but OpenSSL 3 will return an EVP_CIPHER + // this shouldn't be necessary but OpenSSL 3 will return an EVP_CIPHER // even when the cipher is unavailable. if cfg!(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)) || types::LEGACY_PROVIDER_LOADED.get(py)?.is_truthy()? From a140fc334742dcbc1190fb5b92ad0354629f22ae Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 5 May 2024 13:20:27 -0400 Subject: [PATCH 0551/1462] Switch from sigstore to github's attestations (#10931) --- .github/requirements/publish-requirements.in | 1 - .github/requirements/publish-requirements.txt | 257 ------------------ .github/workflows/pypi-publish.yml | 12 +- 3 files changed, 7 insertions(+), 263 deletions(-) diff --git a/.github/requirements/publish-requirements.in b/.github/requirements/publish-requirements.in index dd98b8990e7b..1b92e685d4ab 100644 
--- a/.github/requirements/publish-requirements.in +++ b/.github/requirements/publish-requirements.in @@ -1,6 +1,5 @@ twine requests -sigstore # WARN: changing the requirements here DOES NOT update the dependencies used for publishing at the github workflow, as the process used publish-requirements.txt # To update publish-requirements.txt according to the dependencies here, run pip-compile --allow-unsafe --generate-hashes publish-requirements.in \ No newline at end of file diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 5076db558de1..e951e6874d72 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -4,22 +4,10 @@ # # pip-compile --generate-hashes publish-requirements.in # -annotated-types==0.6.0 \ - --hash=sha256:0641064de18ba7a25dee8f96403ebc39113d0cb953a01429249d5c7564666a43 \ - --hash=sha256:563339e807e53ffd9c267e99fc6d9ea23eb8443c08f112651963e24e22f84a5d - # via pydantic -appdirs==1.4.4 \ - --hash=sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41 \ - --hash=sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128 - # via sigstore backports-tarfile==1.1.1 \ --hash=sha256:73e0179647803d3726d82e76089d01d8549ceca9bace469953fcb4d97cf2d417 \ --hash=sha256:9c2ef9696cb73374f7164e17fc761389393ca76777036f5aad42e8b93fcd8009 # via jaraco-context -betterproto==2.0.0b6 \ - --hash=sha256:720ae92697000f6fcf049c69267d957f0871654c8b0d7458906607685daee784 \ - --hash=sha256:a0839ec165d110a69d0d116f4d0e2bec8d186af4db826257931f0831dab73fcf - # via sigstore-protobuf-specs certifi==2024.2.2 \ --hash=sha256:0569859f95fc761b18b45ef421b1290a0f65f147e92a1e5eb3e635f9a5e4e66f \ --hash=sha256:dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1 
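Review bot: Dropping `sigstore` from publish-requirements.in leaves publish-requirements.txt only partly pruned. The lock hunks that follow delete `h2` (`# via grpclib`), but `hpack` and `hyperframe` stay as context lines still annotated `# via h2`, so the release environment keeps installing pins whose parent is gone. That suggests the lock file was edited by hand rather than regenerated with the command named in the WARN comment, `pip-compile --allow-unsafe --generate-hashes publish-requirements.in`. Regenerating it would drop the orphaned entries and keep the publish job's installed set down to what `twine` and `requests` need.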
@@ -204,9 +192,7 @@ cryptography==42.0.5 \ --hash=sha256:f12764b8fffc7a123f641d7d049d382b73f96a34117e0b637b80643169cec8ac \ --hash=sha256:f8837fe1d6ac4a8052a9a8ddab256bc006242696f03368a4009be7ee3075cdb7 # via - # pyopenssl # secretstorage - # sigstore dnspython==2.6.1 \ --hash=sha256:5ef3b9680161f6fa89daf8ad451b5f1a33b18ae8a1c6778cdf4b43f08c0a6e50 \ --hash=sha256:e8f0f9c23a7b7cb99ded64e6c3a6f3e701d78f50c55e002b839dea7225cff7cc @@ -215,17 +201,6 @@ docutils==0.21.2 \ --hash=sha256:3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f \ --hash=sha256:dafca5b9e384f0e419294eb4d2ff9fa826435bf15f15b7bd45723e8ad76811b2 # via readme-renderer -email-validator==2.1.1 \ - --hash=sha256:200a70680ba08904be6d1eef729205cc0d687634399a5924d842533efb824b84 \ - --hash=sha256:97d882d174e2a65732fb43bfce81a3a834cbc1bde8bf419e30ef5ea976370a05 - # via pydantic -grpclib==0.4.7 \ - --hash=sha256:2988ef57c02b22b7a2e8e961792c41ccf97efc2ace91ae7a5b0de03c363823c3 - # via betterproto -h2==4.1.0 \ - --hash=sha256:03a46bcf682256c95b5fd9e9a99c1323584c3eec6440d379b9903d709476bc6d \ - --hash=sha256:a83aca08fbe7aacb79fec788c9c0bac936343560ed9ec18b82a13a12c28d2abb - # via grpclib hpack==4.0.0 \ --hash=sha256:84a076fad3dc9a9f8063ccb8041ef100867b1878b25ef0ee63847a5d53818a6c \ --hash=sha256:fc41de0c63e687ebffde81187a948221294896f6bdc0ae2312708df339430095 @@ -234,10 +209,6 @@ hyperframe==6.0.1 \ --hash=sha256:0ec6bafd80d8ad2195c4f03aacba3a8265e57bc4cff261e802bf39970ed02a15 \ --hash=sha256:ae510046231dc8e9ecb1a6586f63d2347bf4c8905914aa84ba585ae85f28a914 # via h2 -id==1.4.0 \ - --hash=sha256:23c06772e8bd3e3a44ee3f167868bf5a8e385b0c1e2cc707ad36eb7486b4765b \ - --hash=sha256:a0391117c98fa9851ebd2b22df0dc6fd6aacbd89a4ec95c173f1311ca9bb7329 - # via sigstore idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 
@@ -286,98 +257,6 @@ more-itertools==10.2.0 \ # via # jaraco-classes # jaraco-functools -multidict==6.0.5 \ - --hash=sha256:01265f5e40f5a17f8241d52656ed27192be03bfa8764d88e8220141d1e4b3556 \ - --hash=sha256:0275e35209c27a3f7951e1ce7aaf93ce0d163b28948444bec61dd7badc6d3f8c \ - --hash=sha256:04bde7a7b3de05732a4eb39c94574db1ec99abb56162d6c520ad26f83267de29 \ - --hash=sha256:04da1bb8c8dbadf2a18a452639771951c662c5ad03aefe4884775454be322c9b \ - --hash=sha256:09a892e4a9fb47331da06948690ae38eaa2426de97b4ccbfafbdcbe5c8f37ff8 \ - --hash=sha256:0d63c74e3d7ab26de115c49bffc92cc77ed23395303d496eae515d4204a625e7 \ - --hash=sha256:107c0cdefe028703fb5dafe640a409cb146d44a6ae201e55b35a4af8e95457dd \ - --hash=sha256:141b43360bfd3bdd75f15ed811850763555a251e38b2405967f8e25fb43f7d40 \ - --hash=sha256:14c2976aa9038c2629efa2c148022ed5eb4cb939e15ec7aace7ca932f48f9ba6 \ - --hash=sha256:19fe01cea168585ba0f678cad6f58133db2aa14eccaf22f88e4a6dccadfad8b3 \ - --hash=sha256:1d147090048129ce3c453f0292e7697d333db95e52616b3793922945804a433c \ - --hash=sha256:1d9ea7a7e779d7a3561aade7d596649fbecfa5c08a7674b11b423783217933f9 \ - --hash=sha256:215ed703caf15f578dca76ee6f6b21b7603791ae090fbf1ef9d865571039ade5 \ - --hash=sha256:21fd81c4ebdb4f214161be351eb5bcf385426bf023041da2fd9e60681f3cebae \ - --hash=sha256:220dd781e3f7af2c2c1053da9fa96d9cf3072ca58f057f4c5adaaa1cab8fc442 \ - --hash=sha256:228b644ae063c10e7f324ab1ab6b548bdf6f8b47f3ec234fef1093bc2735e5f9 \ - --hash=sha256:29bfeb0dff5cb5fdab2023a7a9947b3b4af63e9c47cae2a10ad58394b517fddc \ - --hash=sha256:2f4848aa3baa109e6ab81fe2006c77ed4d3cd1e0ac2c1fbddb7b1277c168788c \ - --hash=sha256:2faa5ae9376faba05f630d7e5e6be05be22913782b927b19d12b8145968a85ea \ - --hash=sha256:2ffc42c922dbfddb4a4c3b438eb056828719f07608af27d163191cb3e3aa6cc5 \ - --hash=sha256:37b15024f864916b4951adb95d3a80c9431299080341ab9544ed148091b53f50 \ - --hash=sha256:3cc2ad10255f903656017363cd59436f2111443a76f996584d1077e43ee51182 \ - 
--hash=sha256:3d25f19500588cbc47dc19081d78131c32637c25804df8414463ec908631e453 \ - --hash=sha256:403c0911cd5d5791605808b942c88a8155c2592e05332d2bf78f18697a5fa15e \ - --hash=sha256:411bf8515f3be9813d06004cac41ccf7d1cd46dfe233705933dd163b60e37600 \ - --hash=sha256:425bf820055005bfc8aa9a0b99ccb52cc2f4070153e34b701acc98d201693733 \ - --hash=sha256:435a0984199d81ca178b9ae2c26ec3d49692d20ee29bc4c11a2a8d4514c67eda \ - --hash=sha256:4a6a4f196f08c58c59e0b8ef8ec441d12aee4125a7d4f4fef000ccb22f8d7241 \ - --hash=sha256:4cc0ef8b962ac7a5e62b9e826bd0cd5040e7d401bc45a6835910ed699037a461 \ - --hash=sha256:51d035609b86722963404f711db441cf7134f1889107fb171a970c9701f92e1e \ - --hash=sha256:53689bb4e102200a4fafa9de9c7c3c212ab40a7ab2c8e474491914d2305f187e \ - --hash=sha256:55205d03e8a598cfc688c71ca8ea5f66447164efff8869517f175ea632c7cb7b \ - --hash=sha256:5c0631926c4f58e9a5ccce555ad7747d9a9f8b10619621f22f9635f069f6233e \ - --hash=sha256:5cb241881eefd96b46f89b1a056187ea8e9ba14ab88ba632e68d7a2ecb7aadf7 \ - --hash=sha256:60d698e8179a42ec85172d12f50b1668254628425a6bd611aba022257cac1386 \ - --hash=sha256:612d1156111ae11d14afaf3a0669ebf6c170dbb735e510a7438ffe2369a847fd \ - --hash=sha256:6214c5a5571802c33f80e6c84713b2c79e024995b9c5897f794b43e714daeec9 \ - --hash=sha256:6939c95381e003f54cd4c5516740faba40cf5ad3eeff460c3ad1d3e0ea2549bf \ - --hash=sha256:69db76c09796b313331bb7048229e3bee7928eb62bab5e071e9f7fcc4879caee \ - --hash=sha256:6bf7a982604375a8d49b6cc1b781c1747f243d91b81035a9b43a2126c04766f5 \ - --hash=sha256:766c8f7511df26d9f11cd3a8be623e59cca73d44643abab3f8c8c07620524e4a \ - --hash=sha256:76c0de87358b192de7ea9649beb392f107dcad9ad27276324c24c91774ca5271 \ - --hash=sha256:76f067f5121dcecf0d63a67f29080b26c43c71a98b10c701b0677e4a065fbd54 \ - --hash=sha256:7901c05ead4b3fb75113fb1dd33eb1253c6d3ee37ce93305acd9d38e0b5f21a4 \ - --hash=sha256:79660376075cfd4b2c80f295528aa6beb2058fd289f4c9252f986751a4cd0496 \ - --hash=sha256:79a6d2ba910adb2cbafc95dad936f8b9386e77c84c35bc0add315b856d7c3abb \ - 
--hash=sha256:7afcdd1fc07befad18ec4523a782cde4e93e0a2bf71239894b8d61ee578c1319 \ - --hash=sha256:7be7047bd08accdb7487737631d25735c9a04327911de89ff1b26b81745bd4e3 \ - --hash=sha256:7c6390cf87ff6234643428991b7359b5f59cc15155695deb4eda5c777d2b880f \ - --hash=sha256:7df704ca8cf4a073334e0427ae2345323613e4df18cc224f647f251e5e75a527 \ - --hash=sha256:85f67aed7bb647f93e7520633d8f51d3cbc6ab96957c71272b286b2f30dc70ed \ - --hash=sha256:896ebdcf62683551312c30e20614305f53125750803b614e9e6ce74a96232604 \ - --hash=sha256:92d16a3e275e38293623ebf639c471d3e03bb20b8ebb845237e0d3664914caef \ - --hash=sha256:99f60d34c048c5c2fabc766108c103612344c46e35d4ed9ae0673d33c8fb26e8 \ - --hash=sha256:9fe7b0653ba3d9d65cbe7698cca585bf0f8c83dbbcc710db9c90f478e175f2d5 \ - --hash=sha256:a3145cb08d8625b2d3fee1b2d596a8766352979c9bffe5d7833e0503d0f0b5e5 \ - --hash=sha256:aeaf541ddbad8311a87dd695ed9642401131ea39ad7bc8cf3ef3967fd093b626 \ - --hash=sha256:b55358304d7a73d7bdf5de62494aaf70bd33015831ffd98bc498b433dfe5b10c \ - --hash=sha256:b82cc8ace10ab5bd93235dfaab2021c70637005e1ac787031f4d1da63d493c1d \ - --hash=sha256:c0868d64af83169e4d4152ec612637a543f7a336e4a307b119e98042e852ad9c \ - --hash=sha256:c1c1496e73051918fcd4f58ff2e0f2f3066d1c76a0c6aeffd9b45d53243702cc \ - --hash=sha256:c9bf56195c6bbd293340ea82eafd0071cb3d450c703d2c93afb89f93b8386ccc \ - --hash=sha256:cbebcd5bcaf1eaf302617c114aa67569dd3f090dd0ce8ba9e35e9985b41ac35b \ - --hash=sha256:cd6c8fca38178e12c00418de737aef1261576bd1b6e8c6134d3e729a4e858b38 \ - --hash=sha256:ceb3b7e6a0135e092de86110c5a74e46bda4bd4fbfeeb3a3bcec79c0f861e450 \ - --hash=sha256:cf590b134eb70629e350691ecca88eac3e3b8b3c86992042fb82e3cb1830d5e1 \ - --hash=sha256:d3eb1ceec286eba8220c26f3b0096cf189aea7057b6e7b7a2e60ed36b373b77f \ - --hash=sha256:d65f25da8e248202bd47445cec78e0025c0fe7582b23ec69c3b27a640dd7a8e3 \ - --hash=sha256:d6f6d4f185481c9669b9447bf9d9cf3b95a0e9df9d169bbc17e363b7d5487755 \ - --hash=sha256:d84a5c3a5f7ce6db1f999fb9438f686bc2e09d38143f2d93d8406ed2dd6b9226 \ - 
--hash=sha256:d946b0a9eb8aaa590df1fe082cee553ceab173e6cb5b03239716338629c50c7a \ - --hash=sha256:dce1c6912ab9ff5f179eaf6efe7365c1f425ed690b03341911bf4939ef2f3046 \ - --hash=sha256:de170c7b4fe6859beb8926e84f7d7d6c693dfe8e27372ce3b76f01c46e489fcf \ - --hash=sha256:e02021f87a5b6932fa6ce916ca004c4d441509d33bbdbeca70d05dff5e9d2479 \ - --hash=sha256:e030047e85cbcedbfc073f71836d62dd5dadfbe7531cae27789ff66bc551bd5e \ - --hash=sha256:e0e79d91e71b9867c73323a3444724d496c037e578a0e1755ae159ba14f4f3d1 \ - --hash=sha256:e4428b29611e989719874670fd152b6625500ad6c686d464e99f5aaeeaca175a \ - --hash=sha256:e4972624066095e52b569e02b5ca97dbd7a7ddd4294bf4e7247d52635630dd83 \ - --hash=sha256:e7be68734bd8c9a513f2b0cfd508802d6609da068f40dc57d4e3494cefc92929 \ - --hash=sha256:e8e94e6912639a02ce173341ff62cc1201232ab86b8a8fcc05572741a5dc7d93 \ - --hash=sha256:ea1456df2a27c73ce51120fa2f519f1bea2f4a03a917f4a43c8707cf4cbbae1a \ - --hash=sha256:ebd8d160f91a764652d3e51ce0d2956b38efe37c9231cd82cfc0bed2e40b581c \ - --hash=sha256:eca2e9d0cc5a889850e9bbd68e98314ada174ff6ccd1129500103df7a94a7a44 \ - --hash=sha256:edd08e6f2f1a390bf137080507e44ccc086353c8e98c657e666c017718561b89 \ - --hash=sha256:f285e862d2f153a70586579c15c44656f888806ed0e5b56b64489afe4a2dbfba \ - --hash=sha256:f2a1dee728b52b33eebff5072817176c172050d44d67befd681609b4746e1c2e \ - --hash=sha256:f7e301075edaf50500f0b341543c41194d8df3ae5caf4702f2095f3ca73dd8da \ - --hash=sha256:fb616be3538599e797a2017cccca78e354c767165e8858ab5116813146041a24 \ - --hash=sha256:fce28b3c8a81b6b36dfac9feb1de115bab619b3c13905b419ec71d03a3fc1423 \ - --hash=sha256:fe5d7785250541f7f5019ab9cba2c71169dc7d74d0f45253f8313f436458a4ef - # via grpclib nh3==0.2.17 \ --hash=sha256:0316c25b76289cf23be6b66c77d3608a4fdf537b35426280032f432f14291b9a \ --hash=sha256:1a814dd7bba1cb0aba5bcb9bebcc88fd801b63e21e2450ae6c52d3b3336bc911 \ 
@@ -404,112 +283,12 @@ pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc # via cffi -pydantic[email]==2.6.4 \ - --hash=sha256:b1704e0847db01817624a6b86766967f552dd9dbf3afba4004409f908dcc84e6 \ - --hash=sha256:cc46fce86607580867bdc3361ad462bab9c222ef042d3da86f2fb333e1d916c5 - # via - # id - # sigstore - # sigstore-rekor-types -pydantic-core==2.16.3 \ - --hash=sha256:00ee1c97b5364b84cb0bd82e9bbf645d5e2871fb8c58059d158412fee2d33d8a \ - --hash=sha256:0d32576b1de5a30d9a97f300cc6a3f4694c428d956adbc7e6e2f9cad279e45ed \ - --hash=sha256:0df446663464884297c793874573549229f9eca73b59360878f382a0fc085979 \ - --hash=sha256:0f56ae86b60ea987ae8bcd6654a887238fd53d1384f9b222ac457070b7ac4cff \ - --hash=sha256:13dcc4802961b5f843a9385fc821a0b0135e8c07fc3d9949fd49627c1a5e6ae5 \ - --hash=sha256:162e498303d2b1c036b957a1278fa0899d02b2842f1ff901b6395104c5554a45 \ - --hash=sha256:1b662180108c55dfbf1280d865b2d116633d436cfc0bba82323554873967b340 \ - --hash=sha256:1cac689f80a3abab2d3c0048b29eea5751114054f032a941a32de4c852c59cad \ - --hash=sha256:21b888c973e4f26b7a96491c0965a8a312e13be108022ee510248fe379a5fa23 \ - --hash=sha256:287073c66748f624be4cef893ef9174e3eb88fe0b8a78dc22e88eca4bc357ca6 \ - --hash=sha256:2a1ef6a36fdbf71538142ed604ad19b82f67b05749512e47f247a6ddd06afdc7 \ - --hash=sha256:2a72fb9963cba4cd5793854fd12f4cfee731e86df140f59ff52a49b3552db241 \ - --hash=sha256:2acca2be4bb2f2147ada8cac612f8a98fc09f41c89f87add7256ad27332c2fda \ - --hash=sha256:2f583bd01bbfbff4eaee0868e6fc607efdfcc2b03c1c766b06a707abbc856187 \ - --hash=sha256:33809aebac276089b78db106ee692bdc9044710e26f24a9a2eaa35a0f9fa70ba \ - --hash=sha256:36fa178aacbc277bc6b62a2c3da95226520da4f4e9e206fdf076484363895d2c \ - --hash=sha256:4204e773b4b408062960e65468d5346bdfe139247ee5f1ca2a378983e11388a2 \ - --hash=sha256:4384a8f68ddb31a0b0c3deae88765f5868a1b9148939c3f4121233314ad5532c \ - 
--hash=sha256:456855f57b413f077dff513a5a28ed838dbbb15082ba00f80750377eed23d132 \ - --hash=sha256:49d5d58abd4b83fb8ce763be7794d09b2f50f10aa65c0f0c1696c677edeb7cbf \ - --hash=sha256:4ac6b4ce1e7283d715c4b729d8f9dab9627586dafce81d9eaa009dd7f25dd972 \ - --hash=sha256:4df8a199d9f6afc5ae9a65f8f95ee52cae389a8c6b20163762bde0426275b7db \ - --hash=sha256:500960cb3a0543a724a81ba859da816e8cf01b0e6aaeedf2c3775d12ee49cade \ - --hash=sha256:519ae0312616026bf4cedc0fe459e982734f3ca82ee8c7246c19b650b60a5ee4 \ - --hash=sha256:578114bc803a4c1ff9946d977c221e4376620a46cf78da267d946397dc9514a8 \ - --hash=sha256:5c5cbc703168d1b7a838668998308018a2718c2130595e8e190220238addc96f \ - --hash=sha256:6162f8d2dc27ba21027f261e4fa26f8bcb3cf9784b7f9499466a311ac284b5b9 \ - --hash=sha256:704d35ecc7e9c31d48926150afada60401c55efa3b46cd1ded5a01bdffaf1d48 \ - --hash=sha256:716b542728d4c742353448765aa7cdaa519a7b82f9564130e2b3f6766018c9ec \ - --hash=sha256:72282ad4892a9fb2da25defeac8c2e84352c108705c972db82ab121d15f14e6d \ - --hash=sha256:7233d65d9d651242a68801159763d09e9ec96e8a158dbf118dc090cd77a104c9 \ - --hash=sha256:732da3243e1b8d3eab8c6ae23ae6a58548849d2e4a4e03a1924c8ddf71a387cb \ - --hash=sha256:75b81e678d1c1ede0785c7f46690621e4c6e63ccd9192af1f0bd9d504bbb6bf4 \ - --hash=sha256:75f76ee558751746d6a38f89d60b6228fa174e5172d143886af0f85aa306fd89 \ - --hash=sha256:7ee8d5f878dccb6d499ba4d30d757111847b6849ae07acdd1205fffa1fc1253c \ - --hash=sha256:7f752826b5b8361193df55afcdf8ca6a57d0232653494ba473630a83ba50d8c9 \ - --hash=sha256:86b3d0033580bd6bbe07590152007275bd7af95f98eaa5bd36f3da219dcd93da \ - --hash=sha256:8d62da299c6ecb04df729e4b5c52dc0d53f4f8430b4492b93aa8de1f541c4aac \ - --hash=sha256:8e47755d8152c1ab5b55928ab422a76e2e7b22b5ed8e90a7d584268dd49e9c6b \ - --hash=sha256:9091632a25b8b87b9a605ec0e61f241c456e9248bfdcf7abdf344fdb169c81cf \ - --hash=sha256:936e5db01dd49476fa8f4383c259b8b1303d5dd5fb34c97de194560698cc2c5e \ - --hash=sha256:99b6add4c0b39a513d323d3b93bc173dac663c27b99860dd5bf491b240d26137 \ - 
--hash=sha256:9c865a7ee6f93783bd5d781af5a4c43dadc37053a5b42f7d18dc019f8c9d2bd1 \ - --hash=sha256:a425479ee40ff021f8216c9d07a6a3b54b31c8267c6e17aa88b70d7ebd0e5e5b \ - --hash=sha256:a4b2bf78342c40b3dc830880106f54328928ff03e357935ad26c7128bbd66ce8 \ - --hash=sha256:a6b1bb0827f56654b4437955555dc3aeeebeddc47c2d7ed575477f082622c49e \ - --hash=sha256:aaf09e615a0bf98d406657e0008e4a8701b11481840be7d31755dc9f97c44053 \ - --hash=sha256:b1f6f5938d63c6139860f044e2538baeee6f0b251a1816e7adb6cbce106a1f01 \ - --hash=sha256:b29eeb887aa931c2fcef5aa515d9d176d25006794610c264ddc114c053bf96fe \ - --hash=sha256:b3992a322a5617ded0a9f23fd06dbc1e4bd7cf39bc4ccf344b10f80af58beacd \ - --hash=sha256:b5b6079cc452a7c53dd378c6f881ac528246b3ac9aae0f8eef98498a75657805 \ - --hash=sha256:b60cc1a081f80a2105a59385b92d82278b15d80ebb3adb200542ae165cd7d183 \ - --hash=sha256:b926dd38db1519ed3043a4de50214e0d600d404099c3392f098a7f9d75029ff8 \ - --hash=sha256:bd87f48924f360e5d1c5f770d6155ce0e7d83f7b4e10c2f9ec001c73cf475c99 \ - --hash=sha256:bda1ee3e08252b8d41fa5537413ffdddd58fa73107171a126d3b9ff001b9b820 \ - --hash=sha256:be0ec334369316fa73448cc8c982c01e5d2a81c95969d58b8f6e272884df0074 \ - --hash=sha256:c6119dc90483a5cb50a1306adb8d52c66e447da88ea44f323e0ae1a5fcb14256 \ - --hash=sha256:c9803edf8e29bd825f43481f19c37f50d2b01899448273b3a7758441b512acf8 \ - --hash=sha256:c9bd22a2a639e26171068f8ebb5400ce2c1bc7d17959f60a3b753ae13c632975 \ - --hash=sha256:cbcc558401de90a746d02ef330c528f2e668c83350f045833543cd57ecead1ad \ - --hash=sha256:cf6204fe865da605285c34cf1172879d0314ff267b1c35ff59de7154f35fdc2e \ - --hash=sha256:d33dd21f572545649f90c38c227cc8631268ba25c460b5569abebdd0ec5974ca \ - --hash=sha256:d89ca19cdd0dd5f31606a9329e309d4fcbb3df860960acec32630297d61820df \ - --hash=sha256:d8f99b147ff3fcf6b3cc60cb0c39ea443884d5559a30b1481e92495f2310ff2b \ - --hash=sha256:d937653a696465677ed583124b94a4b2d79f5e30b2c46115a68e482c6a591c8a \ - --hash=sha256:dcca5d2bf65c6fb591fff92da03f94cd4f315972f97c21975398bd4bd046854a \ - 
--hash=sha256:ded1c35f15c9dea16ead9bffcde9bb5c7c031bff076355dc58dcb1cb436c4721 \ - --hash=sha256:e3e70c94a0c3841e6aa831edab1619ad5c511199be94d0c11ba75fe06efe107a \ - --hash=sha256:e56f8186d6210ac7ece503193ec84104da7ceb98f68ce18c07282fcc2452e76f \ - --hash=sha256:e7774b570e61cb998490c5235740d475413a1f6de823169b4cf94e2fe9e9f6b2 \ - --hash=sha256:e7c6ed0dc9d8e65f24f5824291550139fe6f37fac03788d4580da0d33bc00c97 \ - --hash=sha256:ec08be75bb268473677edb83ba71e7e74b43c008e4a7b1907c6d57e940bf34b6 \ - --hash=sha256:ecdf6bf5f578615f2e985a5e1f6572e23aa632c4bd1dc67f8f406d445ac115ed \ - --hash=sha256:ed25e1835c00a332cb10c683cd39da96a719ab1dfc08427d476bce41b92531fc \ - --hash=sha256:f4cb85f693044e0f71f394ff76c98ddc1bc0953e48c061725e540396d5c8a2e1 \ - --hash=sha256:f53aace168a2a10582e570b7736cc5bef12cae9cf21775e3eafac597e8551fbe \ - --hash=sha256:f651dd19363c632f4abe3480a7c87a9773be27cfe1341aef06e8759599454120 \ - --hash=sha256:fc4ad7f7ee1a13d9cb49d8198cd7d7e3aa93e425f371a68235f784e99741561f \ - --hash=sha256:fee427241c2d9fb7192b658190f9f5fd6dfe41e02f3c1489d2ec1e6a5ab1e04a - # via pydantic pygments==2.17.2 \ --hash=sha256:b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c \ --hash=sha256:da46cec9fd2de5be3a8a784f434e4c4ab670b4ff54d605c4c2717e9d49c4c367 # via # readme-renderer # rich -pyjwt==2.8.0 \ - --hash=sha256:57e28d156e3d5c10088e0c68abb90bfac3df82b40a71bd0daa20c65ccd5c23de \ - --hash=sha256:59127c392cc44c2da5bb3192169a91f429924e17aff6534d70fdc02ab3e04320 - # via sigstore -pyopenssl==24.1.0 \ - --hash=sha256:17ed5be5936449c5418d1cd269a1a9e9081bc54c17aed272b45856a3d3dc86ad \ - --hash=sha256:cabed4bfaa5df9f1a16c0ef64a0cb65318b5cd077a7eda7d6970131ca2f41a6f - # via sigstore -python-dateutil==2.9.0.post0 \ - --hash=sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3 \ - --hash=sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427 - # via betterproto readme-renderer==43.0 \ 
--hash=sha256:1818dd28140813509eeed8d62687f7cd4f7bad90d4db586001c5dc09d4fde311 \ --hash=sha256:19db308d86ecd60e5affa3b2a98f017af384678c63c88e5d4556a380e674f3f9 @@ -519,10 +298,7 @@ requests==2.31.0 \ --hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1 # via # -r publish-requirements.in - # id # requests-toolbelt - # sigstore - # tuf # twine requests-toolbelt==1.0.0 \ --hash=sha256:7681a0a3d047012b5bdc0ee37d7f8f07ebe76ab08caeccfc3921ce23c88d5bc6 \ 
@@ -536,48 +312,15 @@ rich==13.7.1 \ --hash=sha256:4edbae314f59eb482f54e9e30bf00d33350aaa94f4bfcd4e9e3110e64d0d7222 \ --hash=sha256:9be308cb1fe2f1f57d67ce99e95af38a1e2bc71ad9813b0e247cf7ffbcc3a432 # via - # sigstore # twine secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ --hash=sha256:f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99 # via keyring -securesystemslib==0.31.0 \ - --hash=sha256:549d70f7be6460252d016f03edc5ec0128fee56af55d2b863a5db14541ddbf18 \ - --hash=sha256:c1594afbcd5db198ec90c487e1720154afb71743d9f4bccf3dfda84de650c478 - # via - # sigstore - # tuf -sigstore==2.1.5 \ - --hash=sha256:7771153c5ac5a51d6556481f4680dfb602cb5c32c94fe56f87ff1801b8a8f243 \ - --hash=sha256:86d3ba41135004818c20d09d120140d59d4bd535a092690ff46478047bb8df5b - # via -r publish-requirements.in -sigstore-protobuf-specs==0.3.1 \ - --hash=sha256:c40b61975b957ae906eb29a5bc7040ec015b68b6b46005cc5805e629493e8dec \ - --hash=sha256:ea6d7325af70019b6639e0fd16ef6f78511645d46dd3f9876fb008641d80a125 - # via sigstore -sigstore-rekor-types==0.0.11 \ - --hash=sha256:791a696eccd5d07c933cc11d46dea22983efedaf5f1068734263ce0f25695bba \ - --hash=sha256:b63b4dc6dd70a3f69b236575146a18c357a3743172a03e8ceb18bbc25ef2563b - # via sigstore -six==1.16.0 \ - --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ - --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 - # via python-dateutil -tuf==3.1.1 \ - --hash=sha256:73b3c89a0acdfe90434bba3118c90c584ef1c56bc0c4565852e917408b774130 \ - --hash=sha256:d6441d11bc9a928cb82cf571519bb99e70ed3ea6fd5a52ce116a8e121023f7ef - # via sigstore twine==5.0.0 \ --hash=sha256:89b0cc7d370a4b66421cc6102f269aa910fe0f1861c124f573cf2ddedbc10cf4 \ --hash=sha256:a262933de0b484c53408f9edae2e7821c1c45a3314ff2df9bdd343aa7ab8edc0 # via -r publish-requirements.in -typing-extensions==4.11.0 \ - 
--hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \ - --hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a - # via - # pydantic - # pydantic-core urllib3==2.2.1 \ --hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \ --hash=sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19 diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 90e3ad79608f..62fcc4bcd468 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -30,6 +30,7 @@ jobs: if: github.event_name == 'workflow_dispatch' || (github.event.workflow_run.event == 'push' && github.event.workflow_run.conclusion == 'success') permissions: id-token: "write" + attestations: "write" steps: - run: echo "$EVENT_CONTEXT" env: @@ -89,9 +90,10 @@ jobs: - run: twine upload --skip-existing $(find dist/ -type f -name 'cryptography*') - # Do not perform sigstore signatures for things for TestPyPI. This is - # because there's nothing that would prevent a malicious PyPI from - # serving a signed TestPyPI asset in place of a release intended for - # PyPI. - - run: sigstore sign $(find dist/ -type f -name 'cryptography*') + # Do not perform attestation for things for TestPyPI. This is because + # there's nothing that would prevent a malicious PyPI from serving a + # signed TestPyPI asset in place of a release intended for PyPI. + - uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0 + with: + subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' From e519e6b5a6457e5974b843bbdaba7e17267e01f6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 5 May 2024 13:36:53 -0400 Subject: [PATCH 0552/1462] trim a few more deps from publish-requirements.txt (#10937) --- .github/requirements/publish-requirements.txt | 13 ------------- 1 file changed, 13 deletions(-) 
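Review bot: In the second hunk of `.github/workflows/pypi-publish.yml` the new `actions/attest-build-provenance` step sits after `twine upload`, so if attestation fails the files are already on PyPI without provenance. Moving the attest step (keeping its `if: env.TWINE_REPOSITORY == 'pypi'`) ahead of the upload step would make a failed attestation stop the release instead. The upload selects files with `find dist/ -type f -name 'cryptography*'` while the attestation uses the glob `dist/**/cryptography*`; a comment such as `# subject-path must cover exactly the files passed to twine upload` would keep the two selections from drifting apart. The job's step list begins and continues outside these hunks, so any steps between the ones shown are not visible here.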
diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index e951e6874d72..f142d90bfeb1 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -193,27 +193,14 @@ cryptography==42.0.5 \ --hash=sha256:f8837fe1d6ac4a8052a9a8ddab256bc006242696f03368a4009be7ee3075cdb7 # via # secretstorage -dnspython==2.6.1 \ - --hash=sha256:5ef3b9680161f6fa89daf8ad451b5f1a33b18ae8a1c6778cdf4b43f08c0a6e50 \ - --hash=sha256:e8f0f9c23a7b7cb99ded64e6c3a6f3e701d78f50c55e002b839dea7225cff7cc - # via email-validator docutils==0.21.2 \ --hash=sha256:3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f \ --hash=sha256:dafca5b9e384f0e419294eb4d2ff9fa826435bf15f15b7bd45723e8ad76811b2 # via readme-renderer -hpack==4.0.0 \ - --hash=sha256:84a076fad3dc9a9f8063ccb8041ef100867b1878b25ef0ee63847a5d53818a6c \ - --hash=sha256:fc41de0c63e687ebffde81187a948221294896f6bdc0ae2312708df339430095 - # via h2 -hyperframe==6.0.1 \ - --hash=sha256:0ec6bafd80d8ad2195c4f03aacba3a8265e57bc4cff261e802bf39970ed02a15 \ - --hash=sha256:ae510046231dc8e9ecb1a6586f63d2347bf4c8905914aa84ba585ae85f28a914 - # via h2 idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 # via - # email-validator # requests importlib-metadata==7.1.0 \ --hash=sha256:30962b96c0c223483ed6cc7280e7f0199feb01a0e40cfae4d4450fc6fab1f570 \ From 4d796867daf67a8c249eaf768d7b371c65a19fcb Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 5 May 2024 14:03:45 -0400 Subject: [PATCH 0553/1462] Bump ruff from 0.4.2 to 0.4.3 (#10941) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.2 to 0.4.3. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.2...v0.4.3) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f448ab641f04..d05f9dc9c337 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.4.2 +ruff==0.4.3 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 617d82242415447f5e80caa2ebc29f46c58d9d93 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 5 May 2024 14:05:28 -0400 Subject: [PATCH 0554/1462] Bump babel from 2.14.0 to 2.15.0 (#10940) Bumps [babel](https://github.com/python-babel/babel) from 2.14.0 to 2.15.0. - [Release notes](https://github.com/python-babel/babel/releases) - [Changelog](https://github.com/python-babel/babel/blob/master/CHANGES.rst) - [Commits](https://github.com/python-babel/babel/compare/v2.14.0...v2.15.0) --- updated-dependencies: - dependency-name: babel dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d05f9dc9c337..315047435fa8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -9,7 +9,7 @@ alabaster==0.7.16 # via sphinx argcomplete==3.3.0; python_version >= "3.8" # via nox -babel==2.14.0 +babel==2.15.0 # via sphinx build==1.2.1 # via From 7694ff08a9a1401c64873568162271a90f70b437 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 5 May 2024 14:06:20 -0400 Subject: [PATCH 0555/1462] Bump coverage from 7.5.0 to 7.5.1 (#10939) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.5.0 to 7.5.1. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.5.0...7.5.1) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 315047435fa8..959d7d3d0217 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.5.0; python_version >= "3.8" +coverage==7.5.1; python_version >= "3.8" # via # coverage # pytest-cov From b22aa88d3a169682896bdd9e963a5c63b98a79b1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 5 May 2024 18:16:35 +0000 Subject: [PATCH 0556/1462] Bump pygments from 2.17.2 to 2.18.0 (#10938) Bumps [pygments](https://github.com/pygments/pygments) from 2.17.2 to 2.18.0. - [Release notes](https://github.com/pygments/pygments/releases) - [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES) - [Commits](https://github.com/pygments/pygments/compare/2.17.2...2.18.0) --- updated-dependencies: - dependency-name: pygments dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 959d7d3d0217..69039d31c576 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -80,7 +80,7 @@ pyenchant==3.2.2 # via # cryptography (pyproject.toml) # sphinxcontrib-spelling -pygments==2.17.2 +pygments==2.18.0 # via # readme-renderer # sphinx From 9e3043504aa0289d1b41a66760746c3b6d0b78bc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 5 May 2024 18:22:29 +0000 Subject: [PATCH 0557/1462] Bump cryptography from 42.0.5 to 42.0.6 in /.github/requirements (#10942) Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.5 to 42.0.6. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/42.0.5...42.0.6) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 75 +++++++++---------- 1 file changed, 36 insertions(+), 39 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index f142d90bfeb1..e8d42e5e086a 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -158,41 +158,40 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==42.0.5 \ - --hash=sha256:0270572b8bd2c833c3981724b8ee9747b3ec96f699a9665470018594301439ee \ - --hash=sha256:111a0d8553afcf8eb02a4fea6ca4f59d48ddb34497aa8706a6cf536f1a5ec576 \ - --hash=sha256:16a48c23a62a2f4a285699dba2e4ff2d1cff3115b9df052cdd976a18856d8e3d \ - --hash=sha256:1b95b98b0d2af784078fa69f637135e3c317091b615cd0905f8b8a087e86fa30 \ - --hash=sha256:1f71c10d1e88467126f0efd484bd44bca5e14c664ec2ede64c32f20875c0d413 \ - --hash=sha256:2424ff4c4ac7f6b8177b53c17ed5d8fa74ae5955656867f5a8affaca36a27abb \ - --hash=sha256:2bce03af1ce5a5567ab89bd90d11e7bbdff56b8af3acbbec1faded8f44cb06da \ - --hash=sha256:329906dcc7b20ff3cad13c069a78124ed8247adcac44b10bea1130e36caae0b4 \ - --hash=sha256:37dd623507659e08be98eec89323469e8c7b4c1407c85112634ae3dbdb926fdd \ - --hash=sha256:3eaafe47ec0d0ffcc9349e1708be2aaea4c6dd4978d76bf6eb0cb2c13636c6fc \ - --hash=sha256:5e6275c09d2badf57aea3afa80d975444f4be8d3bc58f7f80d2a484c6f9485c8 \ - --hash=sha256:6fe07eec95dfd477eb9530aef5bead34fec819b3aaf6c5bd6d20565da607bfe1 \ - --hash=sha256:7367d7b2eca6513681127ebad53b2582911d1736dc2ffc19f2c3ae49997496bc \ - --hash=sha256:7cde5f38e614f55e28d831754e8a3bacf9ace5d1566235e39d91b35502d6936e \ - --hash=sha256:9481ffe3cf013b71b2428b905c4f7a9a4f76ec03065b05ff499bb5682a8d9ad8 \ - --hash=sha256:98d8dc6d012b82287f2c3d26ce1d2dd130ec200c8679b6213b3c73c08b2b7940 \ - --hash=sha256:a011a644f6d7d03736214d38832e030d8268bcff4a41f728e6030325fea3e400 \ - --hash=sha256:a2913c5375154b6ef2e91c10b5720ea6e21007412f6437504ffea2109b5a33d7 \ - --hash=sha256:a30596bae9403a342c978fb47d9b0ee277699fa53bbafad14706af51fe543d16 \ - --hash=sha256:b03c2ae5d2f0fc05f9a2c0c997e1bc18c8229f392234e8a0194f202169ccd278 \ - --hash=sha256:b6cd2203306b63e41acdf39aa93b86fb566049aeb6dc489b70e34bcd07adca74 \ - 
--hash=sha256:b7ffe927ee6531c78f81aa17e684e2ff617daeba7f189f911065b2ea2d526dec \ - --hash=sha256:b8cac287fafc4ad485b8a9b67d0ee80c66bf3574f655d3b97ef2e1082360faf1 \ - --hash=sha256:ba334e6e4b1d92442b75ddacc615c5476d4ad55cc29b15d590cc6b86efa487e2 \ - --hash=sha256:ba3e4a42397c25b7ff88cdec6e2a16c2be18720f317506ee25210f6d31925f9c \ - --hash=sha256:c41fb5e6a5fe9ebcd58ca3abfeb51dffb5d83d6775405305bfa8715b76521922 \ - --hash=sha256:cd2030f6650c089aeb304cf093f3244d34745ce0cfcc39f20c6fbfe030102e2a \ - --hash=sha256:cd65d75953847815962c84a4654a84850b2bb4aed3f26fadcc1c13892e1e29f6 \ - --hash=sha256:e4985a790f921508f36f81831817cbc03b102d643b5fcb81cd33df3fa291a1a1 \ - --hash=sha256:e807b3188f9eb0eaa7bbb579b462c5ace579f1cedb28107ce8b48a9f7ad3679e \ - --hash=sha256:f12764b8fffc7a123f641d7d049d382b73f96a34117e0b637b80643169cec8ac \ - --hash=sha256:f8837fe1d6ac4a8052a9a8ddab256bc006242696f03368a4009be7ee3075cdb7 - # via - # secretstorage +cryptography==42.0.6 \ + --hash=sha256:00c0faa5b021457848d031ecff041262211cc1e2bce5f6e6e6c8108018f6b44a \ + --hash=sha256:073104df012fc815eed976cd7d0a386c8725d0d0947cf9c37f6c36a6c20feb1b \ + --hash=sha256:076c92b08dd1ab88108bc84545187e10d3693a9299c593f98c4ea195a0b0ead7 \ + --hash=sha256:089aeb297ff89615934b22c7631448598495ffd775b7d540a55cfee35a677bf4 \ + --hash=sha256:3b750279f3e7715df6f68050707a0cee7cbe81ba2eeb2f21d081bd205885ffed \ + --hash=sha256:43e521f21c2458038d72e8cdfd4d4d9f1d00906a7b6636c4272e35f650d1699b \ + --hash=sha256:4bdb39ecbf05626e4bfa1efd773bb10346af297af14fb3f4c7cb91a1d2f34a46 \ + --hash=sha256:5967e3632f42b0c0f9dc2c9da88c79eabdda317860b246d1fbbde4a8bbbc3b44 \ + --hash=sha256:65d529c31bd65d54ce6b926a01e1b66eacf770b7e87c0622516a840e400ec732 \ + --hash=sha256:6981acac509cc9415344cb5bfea8130096ea6ebcc917e75503143a1e9e829160 \ + --hash=sha256:81dbe47e28b703bc4711ac74a64ef8b758a0cf056ce81d08e39116ab4bc126fa \ + --hash=sha256:8b90c57b3cd6128e0863b894ce77bd36fcb5f430bf2377bc3678c2f56e232316 \ + 
--hash=sha256:9184aff0856261ecb566a3eb26a05dfe13a292c85ce5c59b04e4aa09e5814187 \ + --hash=sha256:945a43ebf036dd4b43ebfbbd6b0f2db29ad3d39df824fb77476ca5777a9dde33 \ + --hash=sha256:97eeacae9aa526ddafe68b9202a535f581e21d78f16688a84c8dcc063618e121 \ + --hash=sha256:9f1a3bc2747166b0643b00e0b56cd9b661afc9d5ff963acaac7a9c7b2b1ef638 \ + --hash=sha256:9ff75b88a4d273c06d968ad535e6cb6a039dd32db54fe36f05ed62ac3ef64a44 \ + --hash=sha256:aeb6f56b004e898df5530fa873e598ec78eb338ba35f6fa1449970800b1d97c2 \ + --hash=sha256:b16b90605c62bcb3aa7755d62cf5e746828cfc3f965a65211849e00c46f8348d \ + --hash=sha256:b99831397fdc6e6e0aa088b060c278c6e635d25c0d4d14bdf045bf81792fda0a \ + --hash=sha256:bc954251edcd8a952eeaec8ae989fec7fe48109ab343138d537b7ea5bb41071a \ + --hash=sha256:c05230d8aaaa6b8ab3ab41394dc06eb3d916131df1c9dcb4c94e8f041f704b74 \ + --hash=sha256:d16a310c770cc49908c500c2ceb011f2840674101a587d39fa3ea828915b7e83 \ + --hash=sha256:d93080d2b01b292e7ee4d247bf93ed802b0100f5baa3fa5fd6d374716fa480d4 \ + --hash=sha256:e1f5f15c5ddadf6ee4d1d624a2ae940f14bd74536230b0056ccb28bb6248e42a \ + --hash=sha256:e3442601d276bd9e961d618b799761b4e5d892f938e8a4fe1efbe2752be90455 \ + --hash=sha256:e85f433230add2aa26b66d018e21134000067d210c9c68ef7544ba65fc52e3eb \ + --hash=sha256:eecca86813c6a923cabff284b82ff4d73d9e91241dc176250192c3a9b9902a54 \ + --hash=sha256:f1e933b238978ccfa77b1fee0a297b3c04983f4cb84ae1c33b0ea4ae08266cc9 \ + --hash=sha256:f4cece02478d73dacd52be57a521d168af64ae03d2a567c0c4eb6f189c3b9d79 \ + --hash=sha256:f567a82b7c2b99257cca2a1c902c1b129787278ff67148f188784245c7ed5495 \ + --hash=sha256:f987a244dfb0333fbd74a691c36000a2569eaf7c7cc2ac838f85f59f0588ddc9 + # via secretstorage docutils==0.21.2 \ --hash=sha256:3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f \ --hash=sha256:dafca5b9e384f0e419294eb4d2ff9fa826435bf15f15b7bd45723e8ad76811b2 
@@ -200,8 +199,7 @@ docutils==0.21.2 \ idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 - # via - # requests + # via requests importlib-metadata==7.1.0 \ --hash=sha256:30962b96c0c223483ed6cc7280e7f0199feb01a0e40cfae4d4450fc6fab1f570 \ --hash=sha256:b78938b926ee8d5f020fc4772d487045805a55ddbad2ecf21c6d60938dc7fcd2 @@ -298,8 +296,7 @@ rfc3986==2.0.0 \ rich==13.7.1 \ --hash=sha256:4edbae314f59eb482f54e9e30bf00d33350aaa94f4bfcd4e9e3110e64d0d7222 \ --hash=sha256:9be308cb1fe2f1f57d67ce99e95af38a1e2bc71ad9813b0e247cf7ffbcc3a432 - # via - # twine + # via twine secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ --hash=sha256:f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99 From 115719d2d1fdc717e1e7302829a7588e9055b1ca Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 00:19:28 +0000 Subject: [PATCH 0558/1462] Bump BoringSSL and/or OpenSSL in CI (#10943) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9df593888083..8dec8d62990e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of May 04, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "3e89a7e8db8139db356b892ca9993172346c80cf"}} - # Latest commit on the OpenSSL master branch, as of May 03, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "067fbc01b9e867b31c71091d62f0f9012dc9e41a"}} + # Latest commit on the OpenSSL master branch, as of May 06, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fedbfff42d790c7b7824351c35b4823c75da6417"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 9c2fdaa919d8c8adbe4724b5dea550b33f8cb0b0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 11:13:35 +0000 Subject: [PATCH 0559/1462] Bump jinja2 from 3.1.3 to 3.1.4 (#10946) Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/pallets/jinja/releases) - [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/jinja/compare/3.1.3...3.1.4) --- updated-dependencies: - dependency-name: jinja2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 69039d31c576..267e87cfa6dd 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -48,7 +48,7 @@ imagesize==1.4.1 # via sphinx iniconfig==2.0.0 # via pytest -jinja2==3.1.3 +jinja2==3.1.4 # via sphinx markupsafe==2.1.5 # via jinja2 From 611e408ba6ca3161f45d5920a9c942708aecc3bd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 11:15:33 +0000 Subject: [PATCH 0560/1462] Bump cc from 1.0.96 to 1.0.97 in /src/rust (#10945) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.96 to 1.0.97. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.96...1.0.97) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 1a0583fd051f..a561aaefb76e 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1" [[package]] name = "cc" -version = "1.0.96" +version = "1.0.97" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "065a29261d53ba54260972629f9ca6bffa69bac13cd1fed61420f7fa68b9f8bd" +checksum = "099a5357d84c4c61eb35fc8eafa9a79a902c2f76911e5747ced4e032edd8d9b4" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 41783da0d891..75ebabb72847 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.21.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.96" +cc = "1.0.97" From f1ab35bd702ceeaf6e02b13f37f9a1f3d77eaa3c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 07:21:56 -0400 Subject: [PATCH 0561/1462] Bump pygments from 2.17.2 to 2.18.0 in /.github/requirements (#10947) Bumps [pygments](https://github.com/pygments/pygments) from 2.17.2 to 2.18.0. - [Release notes](https://github.com/pygments/pygments/releases) - [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES) - [Commits](https://github.com/pygments/pygments/compare/2.17.2...2.18.0) --- updated-dependencies: - dependency-name: pygments dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index e8d42e5e086a..cbeb323ddf6e 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -268,9 +268,9 @@ pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc # via cffi -pygments==2.17.2 \ - --hash=sha256:b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c \ - --hash=sha256:da46cec9fd2de5be3a8a784f434e4c4ab670b4ff54d605c4c2717e9d49c4c367 +pygments==2.18.0 \ + --hash=sha256:786ff802f32e91311bff3889f6e9a86e81505fe99f2735bb6d60ae0c5004f199 \ + --hash=sha256:b8e6aca0523f3ab76fee51799c488e38782ac06eafcf95e7ba832985c8e7b13a # via # readme-renderer # rich From 26e7d9e042fdec8cd60a0edb44ea37992a008575 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 6 May 2024 10:00:13 -0700 Subject: [PATCH 0562/1462] forward port 42.0.7 changelog (#10950) --- CHANGELOG.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) 
diff --git a/CHANGELOG.rst b/CHANGELOG.rst index c78e05bb3249..600da955f8e7 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -45,6 +45,16 @@ Changelog timezone-aware alternative to the naïve ``datetime`` attribute :attr:`~cryptography.x509.InvalidityDate.invalidity_date`. +.. _v42-0-7: + +42.0.7 - 2024-05-06 +~~~~~~~~~~~~~~~~~~~ + +* Restored Windows 7 compatibility for our pre-built wheels. Note that we do + not test on Windows 7 and wheels for our next release will not support it. + Microsoft no longer provides support for Windows 7 and users are encouraged + to upgrade. + .. _v42-0-6: 42.0.6 - 2024-05-04 From 34c17bfc983d6b21c1b5c773bd453e6999d59315 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 15:49:07 -0400 Subject: [PATCH 0563/1462] Bump actions/attest-build-provenance from 1.0.0 to 1.1.0 (#10951) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.0.0 to 1.1.0. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/897ed5eab6ed058a474202017ada7f40bfa52940...f8d5ea8082b0d9f5ab855907be308fbd7eefb155) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 62fcc4bcd468..4d1436f79170 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml 
@@ -93,7 +93,7 @@ jobs: # Do not perform attestation for things for TestPyPI. This is because # there's nothing that would prevent a malicious PyPI from serving a # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0 + - uses: actions/attest-build-provenance@f8d5ea8082b0d9f5ab855907be308fbd7eefb155 # v1.1.0 with: subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' From da1b66ade61f14f75649d6dbfdc4b7a74fcbf01a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 16:03:06 -0400 Subject: [PATCH 0564/1462] Bump cryptography from 42.0.6 to 42.0.7 in /.github/requirements (#10953) Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.6 to 42.0.7. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/42.0.6...42.0.7) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index cbeb323ddf6e..64e29237ce54 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -158,39 +158,39 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==42.0.6 \ - --hash=sha256:00c0faa5b021457848d031ecff041262211cc1e2bce5f6e6e6c8108018f6b44a \ - --hash=sha256:073104df012fc815eed976cd7d0a386c8725d0d0947cf9c37f6c36a6c20feb1b \ - --hash=sha256:076c92b08dd1ab88108bc84545187e10d3693a9299c593f98c4ea195a0b0ead7 \ - --hash=sha256:089aeb297ff89615934b22c7631448598495ffd775b7d540a55cfee35a677bf4 \ - --hash=sha256:3b750279f3e7715df6f68050707a0cee7cbe81ba2eeb2f21d081bd205885ffed \ - --hash=sha256:43e521f21c2458038d72e8cdfd4d4d9f1d00906a7b6636c4272e35f650d1699b \ - --hash=sha256:4bdb39ecbf05626e4bfa1efd773bb10346af297af14fb3f4c7cb91a1d2f34a46 \ - --hash=sha256:5967e3632f42b0c0f9dc2c9da88c79eabdda317860b246d1fbbde4a8bbbc3b44 \ - --hash=sha256:65d529c31bd65d54ce6b926a01e1b66eacf770b7e87c0622516a840e400ec732 \ - --hash=sha256:6981acac509cc9415344cb5bfea8130096ea6ebcc917e75503143a1e9e829160 \ - --hash=sha256:81dbe47e28b703bc4711ac74a64ef8b758a0cf056ce81d08e39116ab4bc126fa \ - --hash=sha256:8b90c57b3cd6128e0863b894ce77bd36fcb5f430bf2377bc3678c2f56e232316 \ - --hash=sha256:9184aff0856261ecb566a3eb26a05dfe13a292c85ce5c59b04e4aa09e5814187 \ - --hash=sha256:945a43ebf036dd4b43ebfbbd6b0f2db29ad3d39df824fb77476ca5777a9dde33 \ - --hash=sha256:97eeacae9aa526ddafe68b9202a535f581e21d78f16688a84c8dcc063618e121 \ - --hash=sha256:9f1a3bc2747166b0643b00e0b56cd9b661afc9d5ff963acaac7a9c7b2b1ef638 \ - --hash=sha256:9ff75b88a4d273c06d968ad535e6cb6a039dd32db54fe36f05ed62ac3ef64a44 \ - --hash=sha256:aeb6f56b004e898df5530fa873e598ec78eb338ba35f6fa1449970800b1d97c2 \ - --hash=sha256:b16b90605c62bcb3aa7755d62cf5e746828cfc3f965a65211849e00c46f8348d \ - --hash=sha256:b99831397fdc6e6e0aa088b060c278c6e635d25c0d4d14bdf045bf81792fda0a \ - --hash=sha256:bc954251edcd8a952eeaec8ae989fec7fe48109ab343138d537b7ea5bb41071a \ - 
--hash=sha256:c05230d8aaaa6b8ab3ab41394dc06eb3d916131df1c9dcb4c94e8f041f704b74 \ - --hash=sha256:d16a310c770cc49908c500c2ceb011f2840674101a587d39fa3ea828915b7e83 \ - --hash=sha256:d93080d2b01b292e7ee4d247bf93ed802b0100f5baa3fa5fd6d374716fa480d4 \ - --hash=sha256:e1f5f15c5ddadf6ee4d1d624a2ae940f14bd74536230b0056ccb28bb6248e42a \ - --hash=sha256:e3442601d276bd9e961d618b799761b4e5d892f938e8a4fe1efbe2752be90455 \ - --hash=sha256:e85f433230add2aa26b66d018e21134000067d210c9c68ef7544ba65fc52e3eb \ - --hash=sha256:eecca86813c6a923cabff284b82ff4d73d9e91241dc176250192c3a9b9902a54 \ - --hash=sha256:f1e933b238978ccfa77b1fee0a297b3c04983f4cb84ae1c33b0ea4ae08266cc9 \ - --hash=sha256:f4cece02478d73dacd52be57a521d168af64ae03d2a567c0c4eb6f189c3b9d79 \ - --hash=sha256:f567a82b7c2b99257cca2a1c902c1b129787278ff67148f188784245c7ed5495 \ - --hash=sha256:f987a244dfb0333fbd74a691c36000a2569eaf7c7cc2ac838f85f59f0588ddc9 +cryptography==42.0.7 \ + --hash=sha256:02c0eee2d7133bdbbc5e24441258d5d2244beb31da5ed19fbb80315f4bbbff55 \ + --hash=sha256:0d563795db98b4cd57742a78a288cdbdc9daedac29f2239793071fe114f13785 \ + --hash=sha256:16268d46086bb8ad5bf0a2b5544d8a9ed87a0e33f5e77dd3c3301e63d941a83b \ + --hash=sha256:1a58839984d9cb34c855197043eaae2c187d930ca6d644612843b4fe8513c886 \ + --hash=sha256:2954fccea107026512b15afb4aa664a5640cd0af630e2ee3962f2602693f0c82 \ + --hash=sha256:2e47577f9b18723fa294b0ea9a17d5e53a227867a0a4904a1a076d1646d45ca1 \ + --hash=sha256:31adb7d06fe4383226c3e963471f6837742889b3c4caa55aac20ad951bc8ffda \ + --hash=sha256:3577d029bc3f4827dd5bf8bf7710cac13527b470bbf1820a3f394adb38ed7d5f \ + --hash=sha256:36017400817987670037fbb0324d71489b6ead6231c9604f8fc1f7d008087c68 \ + --hash=sha256:362e7197754c231797ec45ee081f3088a27a47c6c01eff2ac83f60f85a50fe60 \ + --hash=sha256:3de9a45d3b2b7d8088c3fbf1ed4395dfeff79d07842217b38df14ef09ce1d8d7 \ + --hash=sha256:4f698edacf9c9e0371112792558d2f705b5645076cc0aaae02f816a0171770fd \ + 
--hash=sha256:5482e789294854c28237bba77c4c83be698be740e31a3ae5e879ee5444166582 \ + --hash=sha256:5e44507bf8d14b36b8389b226665d597bc0f18ea035d75b4e53c7b1ea84583cc \ + --hash=sha256:779245e13b9a6638df14641d029add5dc17edbef6ec915688f3acb9e720a5858 \ + --hash=sha256:789caea816c6704f63f6241a519bfa347f72fbd67ba28d04636b7c6b7da94b0b \ + --hash=sha256:7f8b25fa616d8b846aef64b15c606bb0828dbc35faf90566eb139aa9cff67af2 \ + --hash=sha256:8cb8ce7c3347fcf9446f201dc30e2d5a3c898d009126010cbd1f443f28b52678 \ + --hash=sha256:93a3209f6bb2b33e725ed08ee0991b92976dfdcf4e8b38646540674fc7508e13 \ + --hash=sha256:a3a5ac8b56fe37f3125e5b72b61dcde43283e5370827f5233893d461b7360cd4 \ + --hash=sha256:a47787a5e3649008a1102d3df55424e86606c9bae6fb77ac59afe06d234605f8 \ + --hash=sha256:a79165431551042cc9d1d90e6145d5d0d3ab0f2d66326c201d9b0e7f5bf43604 \ + --hash=sha256:a987f840718078212fdf4504d0fd4c6effe34a7e4740378e59d47696e8dfb477 \ + --hash=sha256:a9bc127cdc4ecf87a5ea22a2556cab6c7eda2923f84e4f3cc588e8470ce4e42e \ + --hash=sha256:bd13b5e9b543532453de08bcdc3cc7cebec6f9883e886fd20a92f26940fd3e7a \ + --hash=sha256:c65f96dad14f8528a447414125e1fc8feb2ad5a272b8f68477abbcc1ea7d94b9 \ + --hash=sha256:d8e3098721b84392ee45af2dd554c947c32cc52f862b6a3ae982dbb90f577f14 \ + --hash=sha256:e6b79d0adb01aae87e8a44c2b64bc3f3fe59515280e00fb6d57a7267a2583cda \ + --hash=sha256:e6b8f1881dac458c34778d0a424ae5769de30544fc678eac51c1c8bb2183e9da \ + --hash=sha256:e9b2a6309f14c0497f348d08a065d52f3020656f675819fc405fb63bbcd26562 \ + --hash=sha256:ecbfbc00bf55888edda9868a4cf927205de8499e7fabe6c050322298382953f2 \ + --hash=sha256:efd0bf5205240182e0f13bcaea41be4fdf5c22c5129fc7ced4a0282ac86998c9 # via secretstorage docutils==0.21.2 \ --hash=sha256:3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f \ From 54725c1120114e47cb552ef9f324d50908f43bac Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 7 May 2024 00:16:47 +0000 Subject: [PATCH 0565/1462] Bump BoringSSL and/or OpenSSL in CI (#10954) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8dec8d62990e..abdbb1f6e925 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of May 04, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "3e89a7e8db8139db356b892ca9993172346c80cf"}} - # Latest commit on the OpenSSL master branch, as of May 06, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fedbfff42d790c7b7824351c35b4823c75da6417"}} + # Latest commit on the OpenSSL master branch, as of May 07, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1c4f9684696bad3a602b388a414f2051f0365b3d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 0a044fd23e04a5fb7d88f19d9b7a63e29cf7bc87 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 18:53:28 -0700 Subject: [PATCH 0566/1462] Bump x509-limbo and/or wycheproof in CI (#10955) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index c5ab5577bdfb..0ce8ea05913c 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Apr 30, 2024. - ref: "4b12b2196d770bb0f7c312c51a1bfbda13d49a57" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of May 07, 2024. + ref: "64ef92fe6f3655776e1381b6d2fe5a455dae41df" # x509-limbo-ref From 9a2babd2f96794410733495a9a2fe647fe71733a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 May 2024 07:19:18 -0400 Subject: [PATCH 0567/1462] Bump proc-macro2 from 1.0.81 to 1.0.82 in /src/rust (#10956) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.81 to 1.0.82. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.81...1.0.82) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index a561aaefb76e..60dfea8255cb 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -271,9 +271,9 @@ checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" [[package]] name = "proc-macro2" -version = "1.0.81" +version = "1.0.82" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d1597b0c024618f09a9c3b8655b7e430397a36d23fdafec26d6965e9eec3eba" +checksum = "8ad3d49ab951a01fbaafe34f2ec74122942fe18a3f9814c3268f1bb72042131b" dependencies = [ "unicode-ident", ] From 4434939c372245a02f9ec4539b7eeadba6f24d1c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 May 2024 11:22:00 +0000 Subject: [PATCH 0568/1462] Bump syn from 2.0.60 to 2.0.61 in /src/rust (#10957) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.60 to 2.0.61. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.60...2.0.61) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 60dfea8255cb..bc07f4a0b0d0 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -379,9 +379,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.60" +version = "2.0.61" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "909518bc7b1c9b779f1bbf07f2929d35af9f0f37e47c6e9ef7f9dddc1e1821f3" +checksum = "c993ed8ccba56ae856363b1845da7266a7cb78e1d146c8a32d54b45a8b831fc9" dependencies = [ "proc-macro2", "quote", From 233ca1c05c48071698fe89a5cb1c4c9ac3d037fd Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 7 May 2024 21:37:50 -0400 Subject: [PATCH 0569/1462] Bump BoringSSL and/or OpenSSL in CI (#10959) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index abdbb1f6e925..4f23174581d8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 04, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "3e89a7e8db8139db356b892ca9993172346c80cf"}} - # Latest commit on the OpenSSL master branch, as of May 07, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1c4f9684696bad3a602b388a414f2051f0365b3d"}} + # Latest commit on the BoringSSL master branch, as of May 08, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "6ab7c1482bf4cdc91c87bc512aaf68ffb18975ec"}} + # Latest commit on the OpenSSL master branch, as of May 08, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "deaa83af700113c99835a1db7d45d33baba05bd3"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From f03d2df1160b8c26275a32364956675b791d9b17 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 7 May 2024 21:38:11 -0400 Subject: [PATCH 0570/1462] Bump x509-limbo and/or wycheproof in CI (#10960) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 0ce8ea05913c..5a71365209ab 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of May 07, 2024. - ref: "64ef92fe6f3655776e1381b6d2fe5a455dae41df" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of May 08, 2024. + ref: "57a33f504fec127823985c8d394beaca77920e4d" # x509-limbo-ref From 8a9709e8c15068f742646264a88d7c5def6f66af Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 9 May 2024 00:15:41 +0000 Subject: [PATCH 0571/1462] Bump BoringSSL and/or OpenSSL in CI (#10963) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4f23174581d8..c8729ac5a87a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 08, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "6ab7c1482bf4cdc91c87bc512aaf68ffb18975ec"}} - # Latest commit on the OpenSSL master branch, as of May 08, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "deaa83af700113c99835a1db7d45d33baba05bd3"}} + # Latest commit on the BoringSSL master branch, as of May 09, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "8e6aa7f39f4357a6ad15944884f72db8d25b9dff"}} + # Latest commit on the OpenSSL master branch, as of May 09, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f6ce48f5b8ad4d8d748ea87d2490cbed08db9936"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From acc3226faabfad4ce1036722b88871171bd03439 Mon Sep 17 00:00:00 2001 From: Marti Raudsepp Date: Thu, 9 May 2024 16:54:49 +0300 Subject: [PATCH 0572/1462] Support empty string in `Name.from_rfc4514_string()` (#10964) Empty string is a valid result from RFC4514 serialization, and should parse successfully. According to https://datatracker.ietf.org/doc/html/rfc4514#section-2.1 > If the RDNSequence is an empty sequence, the result is the empty or zero-length string. --- CHANGELOG.rst | 2 ++ src/cryptography/x509/name.py | 4 ++++ tests/x509/test_name.py | 1 + tests/x509/test_x509.py | 3 +++ 4 files changed, 10 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 600da955f8e7..524262e120bf 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -44,6 +44,8 @@ Changelog * Added :attr:`~cryptography.x509.InvalidityDate.invalidity_date_utc`, a timezone-aware alternative to the naïve ``datetime`` attribute :attr:`~cryptography.x509.InvalidityDate.invalidity_date`. +* Added support for parsing empty DN string in + :meth:`~cryptography.x509.Name.from_rfc4514_string`. .. _v42-0-7: diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py index 1edfc2b4f598..451338a3a930 100644 --- a/src/cryptography/x509/name.py +++ b/src/cryptography/x509/name.py @@ -414,6 +414,10 @@ def parse(self) -> Name: we parse it, we need to reverse again to get the RDNs on the correct order. """ + + if not self._has_data(): + return Name([]) + rdns = [self._parse_rdn()] while self._has_data(): diff --git a/tests/x509/test_name.py b/tests/x509/test_name.py index 4c9ccc3b791c..a1ceffce6556 100644 --- a/tests/x509/test_name.py +++ b/tests/x509/test_name.py @@ -159,6 +159,7 @@ def test_valid(self, subtests): "2.5.4.10=abc", Name([NameAttribute(NameOID.ORGANIZATION_NAME, "abc")]), ), + ("", Name([])), ]: with subtests.test(): result = Name.from_rfc4514_string(value) diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 40686e4eb7c2..29e611d72901 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -5885,6 +5885,9 @@ def test_distinguished_name_custom_attrs(self): {NameOID.COMMON_NAME: "CommonName", NameOID.EMAIL_ADDRESS: "E"} ) == ("CommonName=Santa Claus,E=santa@north.pole") + def test_empty_name(self): + assert x509.Name([]).rfc4514_string() == "" + def test_empty_value(self): na = x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "") assert na.rfc4514_string() == r"ST=" From 75b1de3bbb0ae7d8977f161696ba4ead4c82f88a Mon Sep 17 00:00:00 2001 
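Review bot: The new early return in `parse()` in src/cryptography/x509/name.py makes `Name.from_rfc4514_string("")` yield `Name([])` where the parser would otherwise go straight to `_parse_rdn()`, and nothing next to the guard records why or tells callers. Code that passes externally supplied subject or issuer strings through this method and treats a successful parse as proof that a name was supplied would presumably now accept an empty DN, so such callers should check for an empty `Name` themselves. I would put `# RFC 4514 section 2.1: an empty RDNSequence is the empty string.` above the guard and add one docstring sentence saying that empty input returns an empty `Name`. The blank line between the closing docstring quotes and the guard can also go. `parse()` starts before this hunk and continues past it.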
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 10 May 2024 00:16:13 +0000 Subject: [PATCH 0573/1462] Bump BoringSSL and/or OpenSSL in CI (#10965) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c8729ac5a87a..58d3e48bfd8f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 09, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "8e6aa7f39f4357a6ad15944884f72db8d25b9dff"}} - # Latest commit on the OpenSSL master branch, as of May 09, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f6ce48f5b8ad4d8d748ea87d2490cbed08db9936"}} + # Latest commit on the BoringSSL master branch, as of May 10, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "4d50a595b49a2e7b7017060a4d402c4ee9fe28a2"}} + # Latest commit on the OpenSSL master branch, as of May 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d3184110196b690d314424ac55404278d98eda32"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 8a37c1c6d064cebba10fe86281b2719d5144e77a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 May 2024 07:34:00 -0400 Subject: [PATCH 0574/1462] Bump ruff from 0.4.3 to 0.4.4 (#10966) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.3 to 0.4.4. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.3...v0.4.4) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 267e87cfa6dd..3071970a0d73 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.4.3 +ruff==0.4.4 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 0e5de8607f354cf8371fe1083c2a28124b2e8d02 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 11 May 2024 00:17:08 +0000 Subject: [PATCH 0575/1462] Bump BoringSSL and/or OpenSSL in CI (#10967) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 58d3e48bfd8f..1faaae0c64f3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 10, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "4d50a595b49a2e7b7017060a4d402c4ee9fe28a2"}} - # Latest commit on the OpenSSL master branch, as of May 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d3184110196b690d314424ac55404278d98eda32"}} + # Latest commit on the BoringSSL master branch, as of May 11, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "03d1b7c544851d9f44df1e9ff21839742e08c819"}} + # Latest commit on the OpenSSL master branch, as of May 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "87314d24c4f025df1ebf47dc527cc8a96bef354a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 2077a54146e8c2ee6e2128ab02384752e43d6681 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 12 May 2024 00:16:46 +0000 Subject: [PATCH 0576/1462] Bump BoringSSL and/or OpenSSL in CI (#10968) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1faaae0c64f3..5f207b12312f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 11, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "03d1b7c544851d9f44df1e9ff21839742e08c819"}} + # Latest commit on the BoringSSL master branch, as of May 12, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b6bca9c6dde177f641137d2991aa677997c54c67"}} # Latest commit on the OpenSSL master branch, as of May 11, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "87314d24c4f025df1ebf47dc527cc8a96bef354a"}} # Builds with various Rust versions. Includes MSRV and next From 17d0bcf5345df768b34f2429d24d3fc5346295d0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 12 May 2024 23:05:32 -0400 Subject: [PATCH 0577/1462] remove a comment that barely makes sense (#10971) --- .readthedocs.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.readthedocs.yml b/.readthedocs.yml index 8a37ec36404d..7ef04db29181 100644 --- a/.readthedocs.yml +++ b/.readthedocs.yml @@ -11,7 +11,6 @@ formats: - pdf build: - # readdocs master now includes a rust toolchain os: "ubuntu-22.04" tools: python: "3.11" From 3954d93c5d410cbbbf2e48de94be39cf3c96968d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 12 May 2024 23:07:08 -0400 Subject: [PATCH 0578/1462] libressl 3.9.2 (#10970) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5f207b12312f..363c54ddbf4c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -41,7 +41,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of May 12, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b6bca9c6dde177f641137d2991aa677997c54c67"}} From cd7a4d0683043880b979634168546cd0a30790d6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 May 2024 07:15:14 -0400 Subject: [PATCH 0579/1462] Bump syn from 2.0.61 to 2.0.63 in /src/rust (#10973) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.61 to 2.0.63. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.61...2.0.63) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index bc07f4a0b0d0..656c1ba058f2 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -379,9 +379,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.61" +version = "2.0.63" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c993ed8ccba56ae856363b1845da7266a7cb78e1d146c8a32d54b45a8b831fc9" +checksum = "bf5be731623ca1a1fb7d8be6f261a3be6d3e2337b8a1f97be944d020c8fcb704" dependencies = [ "proc-macro2", "quote", From ea71c070d275e7f9dbeddadbe3121701cc8d5c95 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 May 2024 11:18:40 +0000 Subject: [PATCH 0580/1462] Bump actions/attest-build-provenance from 1.1.0 to 1.1.1 (#10972) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.1.0 to 1.1.1. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/f8d5ea8082b0d9f5ab855907be308fbd7eefb155...951c0c5f8e375ad4efad33405ab77f7ded2358e4) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 4d1436f79170..54cb62784a75 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml 
@@ -93,7 +93,7 @@ jobs: # Do not perform attestation for things for TestPyPI. This is because # there's nothing that would prevent a malicious PyPI from serving a # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@f8d5ea8082b0d9f5ab855907be308fbd7eefb155 # v1.1.0 + - uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1 with: subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' From 34095d0f472d560a7f0227f0c1e9d69902e5ee0e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 13 May 2024 20:53:09 -0400 Subject: [PATCH 0581/1462] Bump x509-limbo and/or wycheproof in CI (#10975) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 5a71365209ab..4535120cf3c8 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of May 08, 2024. - ref: "57a33f504fec127823985c8d394beaca77920e4d" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of May 14, 2024. + ref: "b8282def2c03640ecdd62759c5466bb1d27b9641" # x509-limbo-ref From 1167f0c03d1b43dadddc920229e44a7870f65ebc Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 13 May 2024 20:53:21 -0400 Subject: [PATCH 0582/1462] Bump BoringSSL and/or OpenSSL in CI (#10974) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 363c54ddbf4c..f5626a6e5561 100644 
--- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of May 12, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b6bca9c6dde177f641137d2991aa677997c54c67"}} - # Latest commit on the OpenSSL master branch, as of May 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "87314d24c4f025df1ebf47dc527cc8a96bef354a"}} + # Latest commit on the OpenSSL master branch, as of May 14, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fa338aa7cd1e893679c3e1c47465dcb11f90abfb"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From f7108871a0029b0828dd9bd7dcf57f40c284c7b8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 May 2024 18:51:44 -0400 Subject: [PATCH 0583/1462] Bump virtualenv from 20.26.1 to 20.26.2 (#10977) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.26.1 to 20.26.2. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.26.1...20.26.2) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3071970a0d73..88f303a0175c 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -150,7 +150,7 @@ typing-extensions==4.11.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests -virtualenv==20.26.1 +virtualenv==20.26.2 # via nox # The following packages are considered to be unsafe in a requirements file: From 3d6ab4dc35e970b8d91319154fc9bf6c99817f4e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 May 2024 18:52:06 -0400 Subject: [PATCH 0584/1462] Bump keyring from 25.2.0 to 25.2.1 in /.github/requirements (#10978) Bumps [keyring](https://github.com/jaraco/keyring) from 25.2.0 to 25.2.1. - [Release notes](https://github.com/jaraco/keyring/releases) - [Changelog](https://github.com/jaraco/keyring/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/keyring/compare/v25.2.0...v25.2.1) --- updated-dependencies: - dependency-name: keyring dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 64e29237ce54..ee9ad52829d4 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -224,9 +224,9 @@ jeepney==0.8.0 \ # via # keyring # secretstorage -keyring==25.2.0 \ - --hash=sha256:19f17d40335444aab84b19a0d16a77ec0758a9c384e3446ae2ed8bd6d53b67a5 \ - --hash=sha256:7045f367268ce42dba44745050164b431e46f6e92f99ef2937dfadaef368d8cf +keyring==25.2.1 \ + --hash=sha256:2458681cdefc0dbc0b7eb6cf75d0b98e59f9ad9b2d4edd319d18f68bdca95e50 \ + --hash=sha256:daaffd42dbda25ddafb1ad5fec4024e5bbcfe424597ca1ca452b299861e49f1b # via twine markdown-it-py==3.0.0 \ --hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1 \ 
From e8ea275aa8f696438dffe180ed3760f3a0404034 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 14 May 2024 20:24:27 -0400 Subject: [PATCH 0585/1462] Bump BoringSSL and/or OpenSSL in CI (#10979) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f5626a6e5561..12861cd46df5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 12, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b6bca9c6dde177f641137d2991aa677997c54c67"}} - # Latest commit on the OpenSSL master branch, as of May 14, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fa338aa7cd1e893679c3e1c47465dcb11f90abfb"}} + # Latest commit on the BoringSSL master branch, as of May 15, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b8912d713cb82a748bbe63f28f28b17632c70964"}} + # Latest commit on the OpenSSL master branch, as of May 15, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f6e469808501f52c7e8f8679d6c3290cf1c258b3"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From df45ea2fc4a8934f75eb51fd5a64f79154d947db Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 14 May 2024 20:33:12 -0400 Subject: [PATCH 0586/1462] Bump x509-limbo and/or wycheproof in CI (#10980) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 4535120cf3c8..79c7a27cce07 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of May 14, 2024. - ref: "b8282def2c03640ecdd62759c5466bb1d27b9641" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of May 15, 2024. + ref: "fed2bc2b3901c737cb125f62d571a613d502916c" # x509-limbo-ref From 45f2ce8dbbf2170a3d89a6be3c99c916eabd8616 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 May 2024 07:03:49 -0400 Subject: [PATCH 0587/1462] Bump platformdirs from 4.2.1 to 4.2.2 (#10982) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 4.2.1 to 4.2.2. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/4.2.1...4.2.2) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 88f303a0175c..f408bfb405d9 100644 --- a/ci-constraints-requirements.txt 
+++ b/ci-constraints-requirements.txt @@ -68,7 +68,7 @@ packaging==24.0 # sphinx pathspec==0.12.1 # via check-sdist -platformdirs==4.2.1; python_version >= "3.8" +platformdirs==4.2.2; python_version >= "3.8" # via virtualenv pluggy==1.5.0; python_version >= "3.8" # via pytest From f082cb135cf6b8935459d853e536604c603562d3 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 15 May 2024 20:24:39 -0400 Subject: [PATCH 0588/1462] Bump BoringSSL and/or OpenSSL in CI (#10983) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 12861cd46df5..725feea0823c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 15, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b8912d713cb82a748bbe63f28f28b17632c70964"}} - # Latest commit on the OpenSSL master branch, as of May 15, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f6e469808501f52c7e8f8679d6c3290cf1c258b3"}} + # Latest commit on the BoringSSL master branch, as of May 16, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0355048ce0302fdeb4744dae4b8a156a38496150"}} + # Latest commit on the OpenSSL master branch, as of May 16, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a6afe2b29a7b77956ef888653849f8cc38e39106"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From e862b71c2c7b3f884eae12ab05a247a14e96cae1 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 16 May 2024 13:59:24 +0200 Subject: [PATCH 0589/1462] use statically linked nodejs in manylinux builders (#10986) * use statically linked nodejs in manylinux builders * word ordering * guessing, need sleep * make mac/win work too --- .github/workflows/wheel-builder.yml | 33 +++++++++++++++++------------ 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 18579f6c60fc..3dbae90b96ca 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml 
@@ -27,7 +27,7 @@ jobs:
 runs-on: ubuntu-latest
 name: sdists
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 with:
 # The tag to build or the tag received by the tag event
 ref: ${{ github.event.inputs.version || github.ref }}
@@ -40,11 +40,11 @@ jobs:
 run: .venv/bin/python -m build --sdist
 - name: Make sdist and wheel (vectors)
 run: cd vectors/ && ../.venv/bin/python -m build
- - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
 with:
 name: "cryptography-sdist"
 path: dist/cryptography*
- - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
 with:
 name: "vectors-sdist-wheel"
 path: vectors/dist/cryptography*
@@ -52,7 +52,11 @@ jobs:
 manylinux:
 needs: [sdist]
 runs-on: ${{ matrix.MANYLINUX.RUNNER }}
- container: ghcr.io/pyca/${{ matrix.MANYLINUX.CONTAINER }}
+ container:
+ image: ghcr.io/pyca/${{ matrix.MANYLINUX.CONTAINER }}
+ volumes:
+ - /staticnodehost:/staticnodecontainer:rw,rshared
+ - /staticnodehost:/__e/node20:ro,rshared
 strategy:
 fail-fast: false
 matrix:
@@ -102,6 +106,9 @@ jobs:
 MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]}
 name: "${{ matrix.PYTHON.VERSION }} for ${{ matrix.MANYLINUX.NAME }}"
 steps:
+ - name: Ridiculous-er workaround for static node20
+ run: |
+ cp -R /staticnode/* /staticnodecontainer/
 - name: Ridiculous alpine workaround for actions support on arm64
 run: |
 # This modifies /etc/os-release so the JS actions
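Review bot: The `volumes:` entries added under `container:` in `@@ -52,7 +52,11 @@` carry no explanation, although they decide which Node binary runs every JavaScript action in this wheel build: the host directory `/staticnodehost` is mounted writable at `/staticnodecontainer` and read-only over `/__e/node20`, and the step added in `@@ -102,6 +106,9 @@` fills it with `cp -R /staticnode/* /staticnodecontainer/`. I would put a comment above `volumes:`, for example `# Overlay the runner's /__e/node20 with the statically linked node shipped in the image under /staticnode`. On the `[self-hosted, Linux, ARM64]` runner in this matrix the host directory presumably persists between jobs, and `cp -R` only overwrites what the image provides, so emptying the directory before the copy would keep one job's leftovers out of the next job's action runtime. Because `image:` is still referenced by name without a digest, the integrity of that runtime now follows whatever the tag points to; pinning the image by digest would make the release build's toolchain reviewable. Both hunks sit inside the `manylinux` job, whose body continues outside them.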
@@ -112,7 +119,7 @@ jobs: if: startsWith(matrix.MANYLINUX.NAME, 'musllinux') && endsWith(matrix.MANYLINUX.NAME, 'aarch64') - name: Get build-requirements.txt from repository - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -124,7 +131,7 @@ jobs: - name: Install Python dependencies run: .venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: cryptography-sdist - run: mkdir tmpwheelhouse @@ -153,7 +160,7 @@ jobs: .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - run: mkdir cryptography-wheelhouse - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: cryptography-wheelhouse/ @@ -212,7 +219,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} 
@@ -250,7 +257,7 @@ jobs: - name: Install Python dependencies run: venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: cryptography-sdist - run: mkdir wheelhouse @@ -278,7 +285,7 @@ jobs: - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - run: | echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls cryptography-wheelhouse/cryptography*.whl))" >> $GITHUB_ENV - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}" path: cryptography-wheelhouse/ @@ -306,7 +313,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -315,7 +322,7 @@ jobs: ${{ env.BUILD_REQUIREMENTS_PATH }} sparse-checkout-cone-mode: false - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: cryptography-sdist 
@@ -360,7 +367,7 @@ jobs: - run: mkdir cryptography-wheelhouse - run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\ - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: cryptography-wheelhouse\ From bada526017f9bf31cb3c3d8eab8c3b9dacf0cd81 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 May 2024 08:19:49 -0400 Subject: [PATCH 0590/1462] Bump zipp from 3.18.1 to 3.18.2 in /.github/requirements (#10985) Bumps [zipp](https://github.com/jaraco/zipp) from 3.18.1 to 3.18.2. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.18.1...v3.18.2) --- updated-dependencies: - dependency-name: zipp dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index ee9ad52829d4..18bcc3eb4f18 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -311,7 +311,7 @@ urllib3==2.2.1 \ # via # requests # twine -zipp==3.18.1 \ - --hash=sha256:206f5a15f2af3dbaee80769fb7dc6f249695e940acca08dfb2a4769fe61e538b \ - --hash=sha256:2884ed22e7d8961de1c9a05142eb69a247f120291bc0206a00a7642f09b5b715 +zipp==3.18.2 \ + --hash=sha256:6278d9ddbcfb1f1089a88fde84481528b07b0e10474e09dcfe53dad4069fa059 \ + --hash=sha256:dce197b859eb796242b0622af1b8beb0a722d52aa2f57133ead08edd5bf5374e # via importlib-metadata From 34c8808112322f103e673c16697b70d51adbcacd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 May 2024 08:28:34 -0400 Subject: [PATCH 0591/1462] Bump actions/upload-artifact from 3.1.3 to 4.3.3 (#10922) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.3 to 4.3.3. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v3.1.3...65462800fd760344b1a7b4382951275a0abb4808) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 725feea0823c..6da76d9ddc97 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -475,14 +475,14 @@ jobs: run: python -m coverage html if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload HTML report. - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: _html-report path: htmlcov if-no-files-found: ignore if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload rust HTML report. - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: _html-rust-report path: rust-coverage From 3529e6196f1f431d6fb0adac06d1a6cf964c7379 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 May 2024 08:28:49 -0400 Subject: [PATCH 0592/1462] Bump actions/checkout from 3.6.0 to 4.1.5 (#10952) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.1.5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3.6.0...44c2b7a8a4ea60a981eaca3cf939b5f4305c123b) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 4 ++-- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/ci.yml | 12 ++++++------ .github/workflows/linkcheck.yml | 2 +- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index b731d9188e1c..70ffe107a071 100644 
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -26,12 +26,12 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 15
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 timeout-minutes: 3
 with:
 persist-credentials: false
 path: "cryptography-pr"
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 timeout-minutes: 3
 with:
 repository: "pyca/cryptography"
diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml
index 63c5fbe6e7cc..b88d1f789ea6 100644
--- a/.github/workflows/boring-open-version-bump.yml
+++ b/.github/workflows/boring-open-version-bump.yml
@@ -13,7 +13,7 @@ jobs:
 if: github.repository_owner == 'pyca'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 - id: check-sha-boring
 run: |
 SHA=$(git ls-remote https://boringssl.googlesource.com/boringssl refs/heads/master | cut -f1)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6da76d9ddc97..531f841356b4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -54,7 +54,7 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "nightly"}
 timeout-minutes: 15
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 timeout-minutes: 3
 with:
 persist-credentials: false
@@ -179,7 +179,7 @@ jobs: sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release if: matrix.IMAGE.IMAGE == 'alpine:aarch64' - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 timeout-minutes: 3 with: persist-credentials: false @@ -230,7 +230,7 @@ jobs: RUNNER: {OS: 'macos-14', ARCH: 'arm64'} timeout-minutes: 15 steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 timeout-minutes: 3 with: persist-credentials: false @@ -294,7 +294,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests"} timeout-minutes: 15 steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 timeout-minutes: 3 with: persist-credentials: false @@ -368,7 +368,7 @@ jobs: name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 timeout-minutes: 3 with: persist-credentials: false @@ -412,7 +412,7 @@ jobs: if: ${{ always() }} timeout-minutes: 3 steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 timeout-minutes: 3 with: persist-credentials: false diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index b06da096537f..ec684fbe053c 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -20,7 +20,7 @@ jobs: name: "linkcheck" timeout-minutes: 10 steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: persist-credentials: false - name: Setup python 
diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 54cb62784a75..7277c5abfe41 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -39,7 +39,7 @@ jobs: with: python-version: "3.11" - name: Get publish-requirements.txt from repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: sparse-checkout: | ${{ env.PUBLISH_REQUIREMENTS_PATH }} diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 9b48b09eedfd..af42930dbdeb 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - id: check-sha-x509-limbo run: | SHA=$(git ls-remote https://github.com/C2SP/x509-limbo refs/heads/main | cut -f1) From aed6fefbe614881f7ddb396c93209c62b9acce48 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 May 2024 08:29:49 -0400 Subject: [PATCH 0593/1462] Bump actions/download-artifact from 3.0.2 to 4.1.7 (#10924) Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3.0.2 to 4.1.7. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v3.0.2...65a9edc5881444af0b9093a5e628f2fe47ea3b2e) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 531f841356b4..06509cb526d7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -432,7 +432,7 @@ jobs: if: ${{ always() }} - name: Download coverage data if: ${{ always() }} - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: pattern: coverage-data-* merge-multiple: true From 38852224f455af1915a628542b930ad11d2a884c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 17 May 2024 00:18:09 +0000 Subject: [PATCH 0594/1462] Bump BoringSSL and/or OpenSSL in CI (#10987) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 06509cb526d7..d120106f76c4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 16, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0355048ce0302fdeb4744dae4b8a156a38496150"}} - # Latest commit on the OpenSSL master branch, as of May 16, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a6afe2b29a7b77956ef888653849f8cc38e39106"}} + # Latest commit on the BoringSSL master branch, as of May 17, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2fb5f9cb8feec2234952f6999af941ac48555710"}} + # Latest commit on the OpenSSL master branch, as of May 17, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "85ccbab216da245cf9a6503dd327072f21950d9b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 92696eceab23a87e90ca7c82161a9874540e796b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 17 May 2024 07:05:23 -0400 Subject: [PATCH 0595/1462] Bump twine from 5.0.0 to 5.1.0 in /.github/requirements (#10992) Bumps [twine](https://github.com/pypa/twine) from 5.0.0 to 5.1.0. - [Release notes](https://github.com/pypa/twine/releases) - [Changelog](https://github.com/pypa/twine/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/twine/compare/5.0.0...5.1.0) --- updated-dependencies: - dependency-name: twine dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 18bcc3eb4f18..205e63929cc3 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -301,9 +301,9 @@ secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ --hash=sha256:f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99 # via keyring -twine==5.0.0 \ - --hash=sha256:89b0cc7d370a4b66421cc6102f269aa910fe0f1861c124f573cf2ddedbc10cf4 \ - --hash=sha256:a262933de0b484c53408f9edae2e7821c1c45a3314ff2df9bdd343aa7ab8edc0 +twine==5.1.0 \ + --hash=sha256:4d74770c88c4fcaf8134d2a6a9d863e40f08255ff7d8e2acb3cbbd57d25f6e9d \ + --hash=sha256:fe1d814395bfe50cfbe27783cb74efe93abeac3f66deaeb6c8390e4e92bacb43 # via -r publish-requirements.in urllib3==2.2.1 \ --hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \ From bc29d67490523be0fb8792bf677ff5c1e72e19a0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 17 May 2024 07:05:40 -0400 Subject: [PATCH 0596/1462] Bump actions/checkout from 4.1.5 to 4.1.6 (#10991) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.5 to 4.1.6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/44c2b7a8a4ea60a981eaca3cf939b5f4305c123b...a5ac7e51b41094c92402da3b24376905380afc29) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 4 ++-- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/ci.yml | 12 ++++++------ .github/workflows/linkcheck.yml | 2 +- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 8 ++++---- .github/workflows/x509-limbo-version-bump.yml | 2 +- 7 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 70ffe107a071..83f0fd24e59a 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -26,12 +26,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 timeout-minutes: 3 with: persist-credentials: false path: "cryptography-pr" - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 timeout-minutes: 3 with: repository: "pyca/cryptography" diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index b88d1f789ea6..84d260c3cc32 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - id: check-sha-boring run: | SHA=$(git ls-remote https://boringssl.googlesource.com/boringssl refs/heads/master | cut -f1) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d120106f76c4..15fc938c1cf4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -54,7 +54,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "nightly"} timeout-minutes: 15 steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 timeout-minutes: 3 with: persist-credentials: false @@ -179,7 +179,7 @@ jobs: sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release if: matrix.IMAGE.IMAGE == 'alpine:aarch64' - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 timeout-minutes: 3 with: persist-credentials: false @@ -230,7 +230,7 @@ jobs: RUNNER: {OS: 'macos-14', ARCH: 'arm64'} timeout-minutes: 15 steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 timeout-minutes: 3 with: persist-credentials: false @@ -294,7 +294,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests"} timeout-minutes: 15 steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 timeout-minutes: 3 with: persist-credentials: false @@ -368,7 +368,7 @@ jobs: name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 timeout-minutes: 3 with: persist-credentials: false @@ -412,7 +412,7 @@ jobs: if: ${{ always() }} timeout-minutes: 3 steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 timeout-minutes: 3 with: persist-credentials: false diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index ec684fbe053c..cb6261e988f8 100644 --- a/.github/workflows/linkcheck.yml 
+++ b/.github/workflows/linkcheck.yml @@ -20,7 +20,7 @@ jobs: name: "linkcheck" timeout-minutes: 10 steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: persist-credentials: false - name: Setup python diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 7277c5abfe41..63b9313e38be 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -39,7 +39,7 @@ jobs: with: python-version: "3.11" - name: Get publish-requirements.txt from repository - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | ${{ env.PUBLISH_REQUIREMENTS_PATH }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 3dbae90b96ca..b69a7a94a312 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest name: sdists steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -119,7 +119,7 @@ jobs: if: startsWith(matrix.MANYLINUX.NAME, 'musllinux') && endsWith(matrix.MANYLINUX.NAME, 'aarch64') - name: Get build-requirements.txt from repository - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} 
@@ -219,7 +219,7 @@ jobs:
 name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}"
 steps:
 - name: Get build-requirements.txt from repository
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
 # The tag to build or the tag received by the tag event
 ref: ${{ github.event.inputs.version || github.ref }}
@@ -313,7 +313,7 @@ jobs:
 name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}"
 steps:
 - name: Get build-requirements.txt from repository
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
 # The tag to build or the tag received by the tag event
 ref: ${{ github.event.inputs.version || github.ref }}
diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml
index af42930dbdeb..424dae0c46b5 100644
--- a/.github/workflows/x509-limbo-version-bump.yml
+++ b/.github/workflows/x509-limbo-version-bump.yml
@@ -13,7 +13,7 @@ jobs:
 if: github.repository_owner == 'pyca'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 - id: check-sha-x509-limbo
 run: |
 SHA=$(git ls-remote https://github.com/C2SP/x509-limbo refs/heads/main | cut -f1)
From cddacf3f97421da99e2c5a2c612f70c27d21424b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 17 May 2024 07:06:00 -0400 Subject: [PATCH 0597/1462] Bump actions/attest-build-provenance from 1.1.1 to 1.1.2 (#10990) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.1.1 to 1.1.2. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/951c0c5f8e375ad4efad33405ab77f7ded2358e4...173725a1209d09b31f9d30a3890cf2757ebbff0d) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/pypi-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
index 63b9313e38be..77524b95cdf0 100644
--- a/.github/workflows/pypi-publish.yml
+++ b/.github/workflows/pypi-publish.yml
@@ -93,7 +93,7 @@ jobs:
 # Do not perform attestation for things for TestPyPI. This is because
 # there's nothing that would prevent a malicious PyPI from serving a
 # signed TestPyPI asset in place of a release intended for PyPI.
- - uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1
+ - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
 with:
 subject-path: 'dist/**/cryptography*'
 if: env.TWINE_REPOSITORY == 'pypi'
From 844c4099d7b0d6e7b4cf03c2a9140e3efc1afdd2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 17 May 2024 07:06:28 -0400 Subject: [PATCH 0598/1462] Bump syn from 2.0.63 to 2.0.64 in /src/rust (#10989) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.63 to 2.0.64. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.63...2.0.64) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 656c1ba058f2..9a96e96544ac 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -379,9 +379,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.63" +version = "2.0.64" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf5be731623ca1a1fb7d8be6f261a3be6d3e2337b8a1f97be944d020c8fcb704" +checksum = "7ad3dee41f36859875573074334c200d1add8e4a87bb37113ebd31d926b7b11f" dependencies = [ "proc-macro2", "quote", From 0b2a62f77db6ad1c2d9297ec3c4569aea4712a43 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 17 May 2024 21:12:06 -0400 Subject: [PATCH 0599/1462] Bump BoringSSL and/or OpenSSL in CI (#10993) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 15fc938c1cf4..377912a5387a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}}
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
- # Latest commit on the BoringSSL master branch, as of May 17, 2024.
- - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2fb5f9cb8feec2234952f6999af941ac48555710"}}
- # Latest commit on the OpenSSL master branch, as of May 17, 2024.
- - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "85ccbab216da245cf9a6503dd327072f21950d9b"}}
+ # Latest commit on the BoringSSL master branch, as of May 18, 2024.
+ - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ba62c812f01fb379f49f94a08a2d1282ce46e678"}}
+ # Latest commit on the OpenSSL master branch, as of May 18, 2024.
+ - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "45f5d51b72a262bf85c4461fbded91485ce6b9da"}}
 # Builds with various Rust versions. Includes MSRV and next
 # potential future MSRV.
 - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"}
From 83a74a8a49508b312771e8329a626af4c1607b69 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 18 May 2024 18:31:23 +0000 Subject: [PATCH 0600/1462] Bump actions/checkout in /.github/actions/fetch-vectors (#10994) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.4 to 4.1.6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/0ad4b8fadaa221de15dcec353f45205ec38ea70b...a5ac7e51b41094c92402da3b24376905380afc29) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ...
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 79c7a27cce07..cfd5d62dd7b2 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -5,14 +5,14 @@ runs: using: "composite" steps: - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: "C2SP/wycheproof" path: "wycheproof" # Latest commit on the wycheproof master branch, as of Apr 09, 2024. ref: "cd27d6419bedd83cbd24611ec54b6d4bfdb0cdca" # wycheproof-ref - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: "C2SP/x509-limbo" path: "x509-limbo" From 0885eb3038c2efc96ddcc9bce28f653f7ed72121 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 18 May 2024 18:32:58 +0000 Subject: [PATCH 0601/1462] Bump libc from 0.2.154 to 0.2.155 in /src/rust (#10995) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.154 to 0.2.155. - [Release notes](https://github.com/rust-lang/libc/releases) - [Commits](https://github.com/rust-lang/libc/compare/0.2.154...0.2.155) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 9a96e96544ac..fc2501a58051 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -158,9 +158,9 @@ checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "libc" -version = "0.2.154" +version = "0.2.155" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ae743338b92ff9146ce83992f766a31066a91a8c84a45e0e9f21e7cf6de6d346" +checksum = "97b3888a4aecf77e811145cadf6eef5901f4782c53886191b2f693f24761847c" [[package]] name = "lock_api" From 80467e70ff87fd4e61a25c44d7ce5deaa3bef499 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 19 May 2024 17:50:29 +0000 Subject: [PATCH 0602/1462] Bump cc from 1.0.97 to 1.0.98 in /src/rust (#10997) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.97 to 1.0.98. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.97...1.0.98) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index fc2501a58051..716834fcb2dd 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1" [[package]] name = "cc" -version = "1.0.97" +version = "1.0.98" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "099a5357d84c4c61eb35fc8eafa9a79a902c2f76911e5747ced4e032edd8d9b4" +checksum = "41c270e7540d725e65ac7f1b212ac8ce349719624d7bcff99f8e2e488e8cf03f" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 75ebabb72847..1d1e059d4e73 100644 --- a/src/rust/cryptography-cffi/Cargo.toml 
+++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.21.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.97" +cc = "1.0.98" From 3becd183df8b3ef18da252d20e5657776f9fa464 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 May 2024 11:25:02 +0000 Subject: [PATCH 0603/1462] Bump syn from 2.0.64 to 2.0.65 in /src/rust (#10998) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.64 to 2.0.65. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.64...2.0.65) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 716834fcb2dd..6c115698b298 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -379,9 +379,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.64" +version = "2.0.65" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7ad3dee41f36859875573074334c200d1add8e4a87bb37113ebd31d926b7b11f" +checksum = "d2863d96a84c6439701d7a38f9de935ec562c8832cc55d1dde0f513b52fad106" dependencies = [ "proc-macro2", "quote", From 52f6487d7b62a89412fdf1bb32ddc517f864ef3c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 May 2024 11:25:20 +0000 Subject: [PATCH 0604/1462] Bump proc-macro2 from 1.0.82 to 1.0.83 in /src/rust (#10999) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.82 to 1.0.83. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.82...1.0.83) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6c115698b298..4eb8d766431f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -271,9 +271,9 @@ checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" [[package]] name = "proc-macro2" -version = "1.0.82" +version = "1.0.83" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ad3d49ab951a01fbaafe34f2ec74122942fe18a3f9814c3268f1bb72042131b" +checksum = "0b33eb56c327dec362a9e55b3ad14f9d2f0904fb5a5b03b513ab5465399e9f43" dependencies = [ "unicode-ident", ] From fa34f9b62e8a44e274cc3bba6e3e537674bcc305 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 May 2024 11:25:50 +0000 Subject: [PATCH 0605/1462] Bump pytest from 8.2.0 to 8.2.1 (#11000) Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.2.0 to 8.2.1. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/8.2.0...8.2.1) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f408bfb405d9..6b544b7f8d67 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -86,7 +86,7 @@ pygments==2.18.0 # sphinx pyproject-hooks==1.1.0 # via build -pytest==8.2.0; python_version >= "3.8" +pytest==8.2.1; python_version >= "3.8" # via # cryptography (pyproject.toml) # pytest-benchmark From 8642d4e7db432a2bda4b57336a406370715ae0d8 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 21 May 2024 00:15:06 +0000 Subject: [PATCH 0606/1462] Bump BoringSSL and/or OpenSSL in CI (#11001) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 377912a5387a..48d17989fe86 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,8 +43,8 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}}
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
- # Latest commit on the BoringSSL master branch, as of May 18, 2024.
- - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ba62c812f01fb379f49f94a08a2d1282ce46e678"}}
+ # Latest commit on the BoringSSL master branch, as of May 21, 2024.
+ - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "58745d61afe244a37941d391f5dec3ab08f5cf2c"}}
 # Latest commit on the OpenSSL master branch, as of May 18, 2024.
 - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "45f5d51b72a262bf85c4461fbded91485ce6b9da"}}
 # Builds with various Rust versions. Includes MSRV and next
From 6e66965a1fa65a81efc9c6a3222738d0b855a764 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 May 2024 21:09:49 -0400 Subject: [PATCH 0607/1462] --- (#11002) updated-dependencies: - dependency-name: requests dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 ci-constraints-requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt
index 6b544b7f8d67..bd9f4bf692e6 100644
--- a/ci-constraints-requirements.txt
+++ b/ci-constraints-requirements.txt
@@ -103,7 +103,7 @@ pytest-xdist==3.6.1; python_version >= "3.8"
 # via cryptography (pyproject.toml)
 readme-renderer==43.0
 # via cryptography (pyproject.toml)
-requests==2.31.0
+requests==2.32.0
 # via sphinx
 ruff==0.4.4
 # via cryptography (pyproject.toml)
From 7229c02e63c6715f60b19058abe2a1f2b23e683f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 May 2024 11:05:16 +0000 Subject: [PATCH 0608/1462] --- (#11003) updated-dependencies: - dependency-name: requests dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 ci-constraints-requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt
index bd9f4bf692e6..d49cc1fa0f27 100644
--- a/ci-constraints-requirements.txt
+++ b/ci-constraints-requirements.txt
@@ -103,7 +103,7 @@ pytest-xdist==3.6.1; python_version >= "3.8"
 # via cryptography (pyproject.toml)
 readme-renderer==43.0
 # via cryptography (pyproject.toml)
-requests==2.32.0
+requests==2.32.1
 # via sphinx
 ruff==0.4.4
 # via cryptography (pyproject.toml)
From 55ab336921f59ea3cb4a00f06022e900dd8185df Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 May 2024 00:04:49 +0000 Subject: [PATCH 0609/1462] --- (#11004) updated-dependencies: - dependency-name: requests dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 ci-constraints-requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt
index d49cc1fa0f27..f832649c94b6 100644
--- a/ci-constraints-requirements.txt
+++ b/ci-constraints-requirements.txt
@@ -103,7 +103,7 @@ pytest-xdist==3.6.1; python_version >= "3.8"
 # via cryptography (pyproject.toml)
 readme-renderer==43.0
 # via cryptography (pyproject.toml)
-requests==2.32.1
+requests==2.32.2
 # via sphinx
 ruff==0.4.4
 # via cryptography (pyproject.toml)
From 6eb66960a05da2ac4aef1f4eaca9abfa5e5558fe Mon Sep 17 00:00:00 2001
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 22 May 2024 00:14:22 +0000 Subject: [PATCH 0610/1462] Bump BoringSSL and/or OpenSSL in CI (#11006) Co-authored-by: pyca-boringbot[bot]
---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 48d17989fe86..fc3f61c658ac 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,8 +43,8 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}}
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
- # Latest commit on the BoringSSL master branch, as of May 21, 2024.
- - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "58745d61afe244a37941d391f5dec3ab08f5cf2c"}}
+ # Latest commit on the BoringSSL master branch, as of May 22, 2024.
+ - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "bfcab2aa518899ce71e7ffbc23bb22c4ef51858f"}}
 # Latest commit on the OpenSSL master branch, as of May 18, 2024.
 - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "45f5d51b72a262bf85c4461fbded91485ce6b9da"}}
 # Builds with various Rust versions. Includes MSRV and next
From f9ee70a1556bc834f0b31edf533ad0a055e85c7f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 May 2024 20:16:59 -0400 Subject: [PATCH 0611/1462] --- (#11005) updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-major ...
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 1d3feb3e1960..6474acf80afd 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -80,9 +80,9 @@ wheel==0.43.0 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==69.5.1 \ - --hash=sha256:6c1fccdac05a97e598fb0ae3bbed5904ccb317337a51139dcd51453611bbb987 \ - --hash=sha256:c636ac361bc47580504644275c9ad802c50415c7522212252c033bd15f301f32 +setuptools==70.0.0 \ + --hash=sha256:54faa7f2e8d2d11bcd2c07bed282eef1046b5c080d1c32add737d7b5817b1ad4 \ + --hash=sha256:f211a66637b8fa059bb28183da127d4e86396c991a942b028c6650d4319c3fd0 # via # -r build-requirements.in # setuptools-rust From 2dca2003b87b0d02d65feb65331fc9c12ceb219a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 22 May 2024 00:29:42 +0000 Subject: [PATCH 0612/1462] Bump x509-limbo and/or wycheproof in CI (#11007) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index cfd5d62dd7b2..1cb4b84f45a1 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs:
 with:
 repository: "C2SP/x509-limbo"
 path: "x509-limbo"
- # Latest commit on the x509-limbo main branch, as of May 15, 2024.
- ref: "fed2bc2b3901c737cb125f62d571a613d502916c" # x509-limbo-ref
+ # Latest commit on the x509-limbo main branch, as of May 22, 2024.
+ ref: "713f7425c115d360111ddfe1cb35348a804cc3b8" # x509-limbo-ref
From ef03fd949572c3551cfc2cf2bdd1f7513971bc2c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 May 2024 07:35:34 -0400 Subject: [PATCH 0613/1462] --- (#11010) updated-dependencies: - dependency-name: requests dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/requirements/publish-requirements.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt
index 205e63929cc3..d4b74ff445a0 100644
--- a/.github/requirements/publish-requirements.txt
+++ b/.github/requirements/publish-requirements.txt
@@ -278,9 +278,9 @@ readme-renderer==43.0 \
 --hash=sha256:1818dd28140813509eeed8d62687f7cd4f7bad90d4db586001c5dc09d4fde311 \
 --hash=sha256:19db308d86ecd60e5affa3b2a98f017af384678c63c88e5d4556a380e674f3f9
 # via twine
-requests==2.31.0 \
- --hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f \
- --hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1
+requests==2.32.2 \
+ --hash=sha256:dd951ff5ecf3e3b3aa26b40703ba77495dab41da839ae72ef3c8e5d8e2433289 \
+ --hash=sha256:fc06670dd0ed212426dfeb94fc1b983d917c4f9847c863f313c9dfaaffb7c23c
 # via
 # -r publish-requirements.in
 # requests-toolbelt
From 6ebed7589db5be40e153ac44bd19ffa107488183 Mon Sep 17 00:00:00 2001
From: Alex Gaynor Date: Wed, 22 May 2024 07:45:07 -0400 Subject: [PATCH 0614/1462] Stop building x86-64 macOS wheels, only build universal2 (#11011) The original motivation for building both universal and x86-64 wheels was for metrics. I can now report that universal2 are about 99% of the wheel downloads for 42.0.5
---
 .github/workflows/wheel-builder.yml | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml
index b69a7a94a312..cb99a4ee5351 100644
--- a/.github/workflows/wheel-builder.yml
+++ b/.github/workflows/wheel-builder.yml
@@ -196,16 +196,6 @@ jobs:
 # This will change in the future as we change the base Python we
 # build against
 _PYTHON_HOST_PLATFORM: 'macosx-10.9-universal2'
- - VERSION: '3.11'
- ABI_VERSION: 'cp37'
- DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg'
- BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3'
- DEPLOYMENT_TARGET: '10.12'
- # We continue to build a non-universal2 for a bit to see metrics on
- # download counts (this is a proxy for pip version since universal2
- # requires a 21.x pip)
- ARCHFLAGS: '-arch x86_64'
- _PYTHON_HOST_PLATFORM: 'macosx-10.9-x86_64'
 - VERSION: 'pypy-3.9'
 BIN_PATH: 'pypy3'
 DEPLOYMENT_TARGET: '10.12'
From 760bc828245220b7d4f4cacf2dac5a1f50f9cb7b Mon Sep 17 00:00:00 2001
From: Alex Gaynor Date: Wed, 22 May 2024 09:26:30 -0400 Subject: [PATCH 0615/1462] Stop building musllinux 1.1 wheels, only build 1.2 (#11012) Over 96% of our musl downloads are 1.2. The last version of alpine linux that shipped 1.1 was alpine 3.12, which has been EOL for 2 years.
---
 .github/workflows/wheel-builder.yml | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml
index cb99a4ee5351..0f16ae6be96f 100644
--- a/.github/workflows/wheel-builder.yml
+++ b/.github/workflows/wheel-builder.yml
@@ -68,24 +68,13 @@ jobs: MANYLINUX: - { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest" } - { NAME: "manylinux_2_28_x86_64", CONTAINER: "cryptography-manylinux_2_28:x86_64", RUNNER: "ubuntu-latest"} - - { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} - { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64] } - { NAME: "manylinux_2_28_aarch64", CONTAINER: "cryptography-manylinux_2_28:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} exclude: # There are no readily available musllinux PyPy distributions - - PYTHON: { VERSION: "pp39-pypy39_pp73" } - MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} - - PYTHON: { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} - - PYTHON: { VERSION: "pp39-pypy39_pp73" } - MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - PYTHON: { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - PYTHON: { VERSION: "pp39-pypy39_pp73" } MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp310-pypy310_pp73" } From 916ddfc2990ca339b95da158c16ec40f2ac191f7 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 23 May 2024 00:16:04 +0000 Subject: [PATCH 0616/1462] Bump BoringSSL and/or OpenSSL in CI (#11013) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fc3f61c658ac..a9577a9bd0e8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 22, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "bfcab2aa518899ce71e7ffbc23bb22c4ef51858f"}} - # Latest commit on the OpenSSL master branch, as of May 18, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "45f5d51b72a262bf85c4461fbded91485ce6b9da"}} + # Latest commit on the BoringSSL master branch, as of May 23, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d7278cebad5b8eda0901246f2215344cffece4f4"}} + # Latest commit on the OpenSSL master branch, as of May 23, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b9e084f139c53ce133e66aba2f523c680141c0e6"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From f914ccfe992156ba99d9b01d1f39dfe3634398b0 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 22 May 2024 21:16:11 -0400 Subject: [PATCH 0617/1462] Bump x509-limbo and/or wycheproof in CI (#11014) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 1cb4b84f45a1..671b966a3833 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of May 22, 2024. - ref: "713f7425c115d360111ddfe1cb35348a804cc3b8" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of May 23, 2024. + ref: "d879dc2a91836aebe9f558f4cc5bf183e3d19552" # x509-limbo-ref From 63ab0d402ce2ff9a1877174927ddec26b0141312 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 23 May 2024 06:50:36 -0400 Subject: [PATCH 0618/1462] Bump ruff from 0.4.4 to 0.4.5 (#11015) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.4 to 0.4.5. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.4...v0.4.5) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f832649c94b6..9a85d944b6db 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.2 # via sphinx -ruff==0.4.4 +ruff==0.4.5 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 5c1aab37f149eb8891837abc9641a64139cf65c1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 24 May 2024 00:21:57 +0000 Subject: [PATCH 0619/1462] Bump BoringSSL and/or OpenSSL in CI (#11016) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a9577a9bd0e8..e343d4beb693 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 23, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d7278cebad5b8eda0901246f2215344cffece4f4"}} + # Latest commit on the BoringSSL master branch, as of May 24, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "03982b4cfadca0e650b384c9539b2fdb5f8aa012"}} # Latest commit on the OpenSSL master branch, as of May 23, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b9e084f139c53ce133e66aba2f523c680141c0e6"}} # Builds with various Rust versions. Includes MSRV and next From b15b9013dc25cdad83ca19d654c4f12d394e9058 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Fri, 24 May 2024 00:37:51 -0400 Subject: [PATCH 0620/1462] Remove various pointless to_object calls (#11017) --- src/rust/src/asn1.rs | 3 +-- src/rust/src/backend/ec.rs | 4 +--- src/rust/src/x509/certificate.rs | 14 +++++--------- src/rust/src/x509/common.rs | 21 ++++++++------------- 4 files changed, 15 insertions(+), 27 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 98f0190d6a6e..07fcf72c46c2 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -75,8 +75,7 @@ pub(crate) fn py_uint_to_big_endian_bytes<'p>( py: pyo3::Python<'p>, v: pyo3::Bound<'p, pyo3::types::PyLong>, ) -> pyo3::PyResult { - let zero = (0).to_object(py); - if v.lt(zero)? { + if v.lt(0)? { return Err(pyo3::exceptions::PyValueError::new_err( "Negative integers are not supported", )); diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 237a57033dfe..d808a275eb06 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -6,7 +6,6 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; use pyo3::prelude::{PyAnyMethods, PyDictMethods, PyModuleMethods}; -use pyo3::ToPyObject; use crate::backend::utils; use crate::buf::CffiBuf; @@ -482,8 +481,7 @@ fn public_key_from_numbers( numbers: &EllipticCurvePublicNumbers, curve: &openssl::ec::EcGroupRef, ) -> CryptographyResult> { - let zero = (0).to_object(py); - if numbers.x.bind(py).lt(&zero)? || numbers.y.bind(py).lt(&zero)? { + if numbers.x.bind(py).lt(0)? || numbers.y.bind(py).lt(0)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "Invalid EC key. Both x and y must be non-negative.", diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 79f1e72732bf..88eb15e637d1 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs 
@@ -527,7 +527,7 @@ fn parse_user_notice( let org = parse_display_text(py, data.organization)?; let numbers = pyo3::types::PyList::empty_bound(py); for num in data.notice_numbers.unwrap_read().clone() { - numbers.append(big_byte_slice_to_py_int(py, num.as_bytes())?.to_object(py))?; + numbers.append(big_byte_slice_to_py_int(py, num.as_bytes())?)?; } types::NOTICE_REFERENCE .get(py)? @@ -580,7 +580,7 @@ fn parse_cp( let cp = ext.value::>>()?; let certificate_policies = pyo3::types::PyList::empty_bound(py); for policyinfo in cp { - let pi_oid = oid_to_py_oid(py, &policyinfo.policy_identifier)?.to_object(py); + let pi_oid = oid_to_py_oid(py, &policyinfo.policy_identifier)?; let py_pqis = match policyinfo.policy_qualifiers { Some(policy_qualifiers) => { parse_policy_qualifiers(py, policy_qualifiers.unwrap_read())? @@ -589,8 +589,7 @@ fn parse_cp( }; let pi = types::POLICY_INFORMATION .get(py)? - .call1((pi_oid, py_pqis))? - .to_object(py); + .call1((pi_oid, py_pqis))?; certificate_policies.append(pi)?; } Ok(certificate_policies.to_object(py)) @@ -722,10 +721,7 @@ pub(crate) fn parse_access_descriptions( for access in parsed.unwrap_read().clone() { let py_oid = oid_to_py_oid(py, &access.access_method)?.to_object(py); let gn = x509::parse_general_name(py, access.access_location)?; - let ad = types::ACCESS_DESCRIPTION - .get(py)? - .call1((py_oid, gn))? - .to_object(py); + let ad = types::ACCESS_DESCRIPTION.get(py)?.call1((py_oid, gn))?; ads.append(ad)?; } Ok(ads.to_object(py)) @@ -755,7 +751,7 @@ pub fn parse_cert_ext<'p>( let features = pyo3::types::PyList::empty_bound(py); for feature in ext.value::>()? { - let py_feature = tls_feature_type_to_enum.get_item(feature.to_object(py))?; + let py_feature = tls_feature_type_to_enum.get_item(feature)?; features.append(py_feature)?; } Ok(Some(types::TLS_FEATURE.get(py)?.call1((features,))?)) diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 820bf91b69c6..89baee082673 100644 
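Review bot: In the `parse_access_descriptions` hunk (`@@ -722,10 +721,7 @@`), the context line `let py_oid = oid_to_py_oid(py, &access.access_method)?.to_object(py);` keeps the conversion that this commit removes everywhere else. The `parse_cp` hunk above passes the result of `oid_to_py_oid` straight into `call1((pi_oid, py_pqis))`, and `py_oid` is only used in `call1((py_oid, gn))` inside the visible loop body. For consistency the line can become `let py_oid = oid_to_py_oid(py, &access.access_method)?;`.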
--- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -198,17 +198,12 @@ fn parse_name_attribute( py: pyo3::Python<'_>, attribute: AttributeTypeValue<'_>, ) -> Result { - let oid = oid_to_py_oid(py, &attribute.type_id)?.to_object(py); - let tag_val = attribute - .value - .tag() - .as_u8() - .ok_or_else(|| { - CryptographyError::from(pyo3::exceptions::PyValueError::new_err( - "Long-form tags are not supported in NameAttribute values", - )) - })? - .to_object(py); + let oid = oid_to_py_oid(py, &attribute.type_id)?; + let tag_val = attribute.value.tag().as_u8().ok_or_else(|| { + CryptographyError::from(pyo3::exceptions::PyValueError::new_err( + "Long-form tags are not supported in NameAttribute values", + )) + })?; let py_tag = types::ASN1_TYPE_TO_ENUM.get(py)?.get_item(tag_val)?; let py_data = match attribute.value.tag().as_u8() { // BitString tag value @@ -257,7 +252,7 @@ pub(crate) fn parse_general_name( ) -> Result { let py_gn = match gn { GeneralName::OtherName(data) => { - let oid = oid_to_py_oid(py, &data.type_id)?.to_object(py); + let oid = oid_to_py_oid(py, &data.type_id)?; types::OTHER_NAME .get(py)? .call1((oid, data.value.full_data()))? @@ -293,7 +288,7 @@ pub(crate) fn parse_general_name( } } GeneralName::RegisteredID(data) => { - let oid = oid_to_py_oid(py, &data)?.to_object(py); + let oid = oid_to_py_oid(py, &data)?; types::REGISTERED_ID.get(py)?.call1((oid,))?.to_object(py) } _ => { From 8da12c89d8ba8d1442181b408c75339cf43dc14a Mon Sep 17 00:00:00 2001 
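Review bot: In `parse_name_attribute`, `tag_val` is now a plain `u8`, but the next context line still recomputes the tag with `let py_data = match attribute.value.tag().as_u8() {`. The long-form-tag case has already returned an error by then, so the match could read `match tag_val {` with bare integer patterns and drop the second `Option` layer. The match arms are outside the hunk, so this needs checking against the full function.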
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 24 May 2024 13:37:28 +0300 Subject: [PATCH 0621/1462] Bump syn from 2.0.65 to 2.0.66 in /src/rust (#11018) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.65 to 2.0.66. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.65...2.0.66) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 4eb8d766431f..6098d7e1d606 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -379,9 +379,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.65" +version = "2.0.66" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d2863d96a84c6439701d7a38f9de935ec562c8832cc55d1dde0f513b52fad106" +checksum = "c42f3f41a2de00b01c0aaad383c5a45241efc8b2d1eda5661812fda5f3cdcff5" dependencies = [ "proc-macro2", "quote", From 6a95dbbb358f2942c283b996c112f9c833dca319 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 24 May 2024 07:15:38 -0400 Subject: [PATCH 0622/1462] Bump typing-extensions from 4.11.0 to 4.12.0 (#11019) Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.11.0 to 4.12.0. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/compare/4.11.0...4.12.0) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 9a85d944b6db..0d20b76fa087 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -146,7 +146,7 @@ tomli==2.0.1 # mypy # pyproject-hooks # pytest -typing-extensions==4.11.0; python_version >= "3.8" +typing-extensions==4.12.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests From 8d41b3227b09068d088e8e2668f6249ca68150f1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 24 May 2024 20:49:01 -0400 Subject: [PATCH 0623/1462] Bump BoringSSL and/or OpenSSL in CI (#11020) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e343d4beb693..662299f022f1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 24, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "03982b4cfadca0e650b384c9539b2fdb5f8aa012"}} - # Latest commit on the OpenSSL master branch, as of May 23, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b9e084f139c53ce133e66aba2f523c680141c0e6"}} + # Latest commit on the BoringSSL master branch, as of May 25, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "afd52e91dfed27ab7193be040f067900947b14ac"}} + # Latest commit on the OpenSSL master branch, as of May 25, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "05faa4ffee7f20fcee129f77d153f2dcc609bdc8"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 84c489db9a4576379ad61d6dc022d6c8a2eb6a0b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 25 May 2024 12:48:43 +0000 Subject: [PATCH 0624/1462] Bump parking_lot from 0.12.2 to 0.12.3 in /src/rust (#11021) Bumps [parking_lot](https://github.com/Amanieu/parking_lot) from 0.12.2 to 0.12.3. - [Changelog](https://github.com/Amanieu/parking_lot/blob/master/CHANGELOG.md) - [Commits](https://github.com/Amanieu/parking_lot/compare/0.12.2...0.12.3) --- updated-dependencies: - dependency-name: parking_lot dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6098d7e1d606..2ebf6fda979e 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -227,9 +227,9 @@ dependencies = [ [[package]] name = "parking_lot" -version = "0.12.2" +version = "0.12.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7e4af0ca4f6caed20e900d564c242b8e5d4903fdacf31d3daf527b66fe6f42fb" +checksum = "f1bf18183cf54e8d6059647fc3063646a1801cf30896933ec2311622cc4b9a27" dependencies = [ "lock_api", "parking_lot_core", From 0e003c58ea4247f9599072cebeb5d7d28c207560 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 26 May 2024 00:10:47 +0000 Subject: [PATCH 0625/1462] Bump proc-macro2 from 1.0.83 to 1.0.84 in /src/rust (#11024) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.83 to 1.0.84. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.83...1.0.84) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 2ebf6fda979e..03d6df0e2415 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -271,9 +271,9 @@ checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" [[package]] name = "proc-macro2" -version = "1.0.83" +version = "1.0.84" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b33eb56c327dec362a9e55b3ad14f9d2f0904fb5a5b03b513ab5465399e9f43" +checksum = "ec96c6a92621310b51366f1e28d05ef11489516e93be030060e5fc12024a49d6" dependencies = [ "unicode-ident", ] From 3d4f58c5f5016a98f6855f301914c2c0e18f1383 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 May 2024 11:16:53 +0000 Subject: [PATCH 0626/1462] Bump coverage from 7.5.1 to 7.5.2 (#11028) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.5.1 to 7.5.2. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.5.1...7.5.2) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 0d20b76fa087..959f26831fbd 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.5.1; python_version >= "3.8" +coverage==7.5.2; python_version >= "3.8" # via # coverage # pytest-cov From a7444220875afd1ff7e83e3adb5366ba6853c2ef Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 May 2024 11:19:26 +0000 Subject: [PATCH 0627/1462] Bump zipp from 3.18.2 to 3.19.0 in /.github/requirements (#11029) Bumps [zipp](https://github.com/jaraco/zipp) from 3.18.2 to 3.19.0. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.18.2...v3.19.0) --- updated-dependencies: - dependency-name: zipp dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index d4b74ff445a0..df9c95e55004 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -311,7 +311,7 @@ urllib3==2.2.1 \ # via # requests # twine -zipp==3.18.2 \ - --hash=sha256:6278d9ddbcfb1f1089a88fde84481528b07b0e10474e09dcfe53dad4069fa059 \ - --hash=sha256:dce197b859eb796242b0622af1b8beb0a722d52aa2f57133ead08edd5bf5374e +zipp==3.19.0 \ + --hash=sha256:952df858fb3164426c976d9338d3961e8e8b3758e2e059e0f754b8c4262625ee \ + --hash=sha256:96dc6ad62f1441bcaccef23b274ec471518daf4fbbc580341204936a5a3dddec # via importlib-metadata From 5dc620daa44a084e5b0d025c9472abec6047487f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 27 May 2024 16:00:44 +0300 Subject: [PATCH 0628/1462] document creating a CA hierarchy: root -> int -> ee (#11031) * document creating a CA hierarchy: root -> int -> ee * fix things --- docs/x509/tutorial.rst | 192 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 192 insertions(+) 
diff --git a/docs/x509/tutorial.rst b/docs/x509/tutorial.rst index 45729f28ce15..a71ed1e64f79 100644 --- a/docs/x509/tutorial.rst +++ b/docs/x509/tutorial.rst 
@@ -150,6 +150,198 @@ Then we generate the certificate itself: And now we have a private key and certificate that can be used for local testing. +Creating a CA hierarchy +----------------------- + +When building your own root hierarchy you need to generate a CA and then +issue certificates (typically intermediates) using it. This example shows +how to generate a root CA, a signing intermediate, and issues a leaf +certificate off that intermediate. X.509 is a complex specification so +this example will require adaptation (typically different extensions) +for specific operating environments. + +Note that this example does not add CRL distribution point or OCSP AIA +extensions, nor does it save the key/certs to persistent storage. + +.. doctest:: + + >>> import datetime + >>> from cryptography.hazmat.primitives.asymmetric import ec + >>> from cryptography.hazmat.primitives import hashes + >>> from cryptography.x509.oid import NameOID + >>> from cryptography import x509 + >>> # Generate our key + >>> root_key = ec.generate_private_key(ec.SECP256R1()) + >>> subject = issuer = x509.Name([ + ... x509.NameAttribute(NameOID.COUNTRY_NAME, "US"), + ... x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "California"), + ... x509.NameAttribute(NameOID.LOCALITY_NAME, "San Francisco"), + ... x509.NameAttribute(NameOID.ORGANIZATION_NAME, "My Company"), + ... x509.NameAttribute(NameOID.COMMON_NAME, "PyCA Docs Root CA"), + ... ]) + >>> root_cert = x509.CertificateBuilder().subject_name( + ... subject + ... ).issuer_name( + ... issuer + ... ).public_key( + ... root_key.public_key() + ... ).serial_number( + ... x509.random_serial_number() + ... ).not_valid_before( + ... datetime.datetime.now(datetime.timezone.utc) + ... ).not_valid_after( + ... # Our certificate will be valid for ~10 years + ... datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=365*10) + ... ).add_extension( + ... x509.BasicConstraints(ca=True, path_length=None), + ... critical=True, + ... 
).add_extension( + ... x509.KeyUsage( + ... digital_signature=True, + ... content_commitment=False, + ... key_encipherment=False, + ... data_encipherment=False, + ... key_agreement=False, + ... key_cert_sign=True, + ... crl_sign=True, + ... encipher_only=False, + ... decipher_only=False, + ... ), + ... critical=True, + ... ).add_extension( + ... x509.SubjectKeyIdentifier.from_public_key(root_key.public_key()), + ... critical=False, + ... ).sign(root_key, hashes.SHA256()) + +With a root certificate created we now want to create our intermediate. + +.. doctest:: + + >>> # Generate our intermediate key + >>> int_key = ec.generate_private_key(ec.SECP256R1()) + >>> subject = x509.Name([ + ... x509.NameAttribute(NameOID.COUNTRY_NAME, "US"), + ... x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "California"), + ... x509.NameAttribute(NameOID.LOCALITY_NAME, "San Francisco"), + ... x509.NameAttribute(NameOID.ORGANIZATION_NAME, "My Company"), + ... x509.NameAttribute(NameOID.COMMON_NAME, "PyCA Docs Intermediate CA"), + ... ]) + >>> int_cert = x509.CertificateBuilder().subject_name( + ... subject + ... ).issuer_name( + ... root_cert.subject + ... ).public_key( + ... int_key.public_key() + ... ).serial_number( + ... x509.random_serial_number() + ... ).not_valid_before( + ... datetime.datetime.now(datetime.timezone.utc) + ... ).not_valid_after( + ... # Our intermediate will be valid for ~3 years + ... datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=365*3) + ... ).add_extension( + ... # Allow no further intermediates (path length 0) + ... x509.BasicConstraints(ca=True, path_length=0), + ... critical=True, + ... ).add_extension( + ... x509.KeyUsage( + ... digital_signature=True, + ... content_commitment=False, + ... key_encipherment=False, + ... data_encipherment=False, + ... key_agreement=False, + ... key_cert_sign=True, + ... crl_sign=True, + ... encipher_only=False, + ... decipher_only=False, + ... ), + ... critical=True, + ... ).add_extension( + ... 
x509.SubjectKeyIdentifier.from_public_key(int_key.public_key()), + ... critical=False, + ... ).add_extension( + ... x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + ... root_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value + ... ), + ... critical=False, + ... ).sign(root_key, hashes.SHA256()) + +Now we can issue an end entity certificate off this chain. + +.. doctest:: + + >>> ee_key = ec.generate_private_key(ec.SECP256R1()) + >>> subject = x509.Name([ + ... x509.NameAttribute(NameOID.COUNTRY_NAME, "US"), + ... x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "California"), + ... x509.NameAttribute(NameOID.LOCALITY_NAME, "San Francisco"), + ... x509.NameAttribute(NameOID.ORGANIZATION_NAME, "My Company"), + ... ]) + >>> ee_cert = x509.CertificateBuilder().subject_name( + ... subject + ... ).issuer_name( + ... int_cert.subject + ... ).public_key( + ... ee_key.public_key() + ... ).serial_number( + ... x509.random_serial_number() + ... ).not_valid_before( + ... datetime.datetime.now(datetime.timezone.utc) + ... ).not_valid_after( + ... # Our cert will be valid for 10 days + ... datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=10) + ... ).add_extension( + ... x509.SubjectAlternativeName([ + ... # Describe what sites we want this certificate for. + ... x509.DNSName("cryptography.io"), + ... x509.DNSName("www.cryptography.io"), + ... ]), + ... critical=False, + ... ).add_extension( + ... x509.BasicConstraints(ca=False, path_length=None), + ... critical=True, + ... ).add_extension( + ... x509.KeyUsage( + ... digital_signature=True, + ... content_commitment=False, + ... key_encipherment=True, + ... data_encipherment=False, + ... key_agreement=False, + ... key_cert_sign=False, + ... crl_sign=True, + ... encipher_only=False, + ... decipher_only=False, + ... ), + ... critical=True, + ... ).add_extension( + ... x509.ExtendedKeyUsage([ + ... x509.ExtendedKeyUsageOID.CLIENT_AUTH, + ... 
x509.ExtendedKeyUsageOID.SERVER_AUTH, + ... ]), + ... critical=False, + ... ).add_extension( + ... x509.SubjectKeyIdentifier.from_public_key(ee_key.public_key()), + ... critical=False, + ... ).add_extension( + ... x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + ... int_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value + ... ), + ... critical=False, + ... ).sign(int_key, hashes.SHA256()) + +And finally we use the verification APIs to validate the chain. + +.. doctest:: + + >>> from cryptography.x509 import DNSName + >>> from cryptography.x509.verification import PolicyBuilder, Store + >>> store = Store([root_cert]) + >>> builder = PolicyBuilder().store(store) + >>> verifier = builder.build_server_verifier(DNSName("cryptography.io")) + >>> chain = verifier.verify(ee_cert, [int_cert]) + >>> len(chain) + 3 + Determining Certificate or Certificate Signing Request Key Type --------------------------------------------------------------- From 7f515fc43cbd59c0b55cea3f0aa90cb00de972e1 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 27 May 2024 16:09:56 +0300 Subject: [PATCH 0629/1462] re-add branch we dropped in the past (#11030) * re-add branch we dropped in the past * add the test * test all key types * Update src/rust/src/backend/utils.rs Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- src/rust/src/backend/utils.rs | 7 +++++++ tests/hazmat/primitives/test_ec.py | 18 ++++++++++++++++++ tests/hazmat/primitives/test_rsa.py | 15 +++++++++++++++ 3 files changed, 40 insertions(+) diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 21b47a044a67..264ccf67053b 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs 
@@ -145,6 +145,13 @@ pub(crate) fn pkey_private_bytes<'p>( } if format.is(&types::PRIVATE_FORMAT_TRADITIONAL_OPENSSL.get(py)?) { + if cryptography_openssl::fips::is_enabled() && !password.is_empty() { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Encrypted traditional OpenSSL format is not supported in FIPS mode", + ), + )); + } if let Ok(rsa) = pkey.rsa() { if encoding.is(&types::ENCODING_PEM.get(py)?) { let pem_bytes = if password.is_empty() { diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 08178c232466..d33fd104cd53 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -773,6 +773,24 @@ def test_private_bytes_encrypted_pem(self, backend, fmt, password): priv_num = key.private_numbers() assert loaded_priv_num == priv_num + @pytest.mark.supported( + only_if=lambda backend: backend._fips_enabled, + skip_message="Requires FIPS", + ) + def test_traditional_serialization_fips(self, backend): + key_bytes = load_vectors_from_file( + os.path.join("asymmetric", "PKCS8", "ec_private_key.pem"), + lambda pemfile: pemfile.read().encode(), + ) + key = serialization.load_pem_private_key(key_bytes, None, backend) + assert isinstance(key, ec.EllipticCurvePrivateKey) + with pytest.raises(ValueError): + key.private_bytes( + serialization.Encoding.PEM, + serialization.PrivateFormat.TraditionalOpenSSL, + serialization.BestAvailableEncryption(b"password"), + ) + @pytest.mark.parametrize( ("encoding", "fmt"), [ diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 3ce55b48c10c..ddd1dad5c41f 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py 
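Review bot: The new FIPS guard in `pkey_private_bytes` has no comment saying why encrypted TraditionalOpenSSL output is refused, and the reason is not obvious from the condition. As far as I know, the traditional PEM encryption derives its key with an MD5-based KDF, so a comment above the `if` would help: `// Traditional PEM encryption uses an MD5-based KDF, which is unavailable in FIPS mode; reject up front with a clear error.` Please confirm that wording against the failure seen without the guard. The function body starts and ends outside the hunk.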
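Review bot: `test_traditional_serialization_fips` in `tests/hazmat/primitives/test_ec.py` uses a bare `pytest.raises(ValueError)`, so any other `ValueError` from `private_bytes` would also pass. Pinning the message ties the test to the new guard: `with pytest.raises(ValueError, match="FIPS"):`. The same applies to the test of the same name added to `tests/hazmat/primitives/test_rsa.py` in the next hunk.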
@@ -2432,6 +2432,21 @@ def test_private_bytes_encrypted_pem( priv_num = key.private_numbers() assert loaded_priv_num == priv_num + @pytest.mark.supported( + only_if=lambda backend: backend._fips_enabled, + skip_message="Requires FIPS", + ) + def test_traditional_serialization_fips( + self, rsa_key_2048: rsa.RSAPrivateKey, backend + ): + key = rsa_key_2048 + with pytest.raises(ValueError): + key.private_bytes( + serialization.Encoding.PEM, + serialization.PrivateFormat.TraditionalOpenSSL, + serialization.BestAvailableEncryption(b"password"), + ) + @pytest.mark.parametrize( ("encoding", "fmt"), [ From 97e7d54ecd6b3f51c226eaf54507dedd0478b325 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 29 May 2024 00:16:22 +0000 Subject: [PATCH 0630/1462] Bump BoringSSL and/or OpenSSL in CI (#11032) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 662299f022f1..67c394c3e82f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 25, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "afd52e91dfed27ab7193be040f067900947b14ac"}} - # Latest commit on the OpenSSL master branch, as of May 25, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "05faa4ffee7f20fcee129f77d153f2dcc609bdc8"}} + # Latest commit on the BoringSSL master branch, as of May 29, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e09fcf8302f75dc50afcfe40f0d59a92b40a3c2e"}} + # Latest commit on the OpenSSL master branch, as of May 29, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "36ba419286843bcaeb497b3451540ab7587cf9d2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 00588efa0c56283e848a3aa1131a6dce4c5dc638 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 29 May 2024 02:59:27 +0000 Subject: [PATCH 0631/1462] Bump ruff from 0.4.5 to 0.4.6 (#11033) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.5 to 0.4.6. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.5...v0.4.6) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 959f26831fbd..a739015a4a8c 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.2 # via sphinx -ruff==0.4.5 +ruff==0.4.6 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From da5d6e73d82e6a3acb682399e7049ca6f0af9eaa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 29 May 2024 03:00:02 +0000 Subject: [PATCH 0632/1462] Bump coverage from 7.5.2 to 7.5.3 (#11034) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.5.2 to 7.5.3. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.5.2...7.5.3) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index a739015a4a8c..27e66e3aec3f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.5.2; python_version >= "3.8" +coverage==7.5.3; python_version >= "3.8" # via # coverage # pytest-cov From 34f394b6811371da8fec4260062492148f46be5e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 28 May 2024 23:04:54 -0400 Subject: [PATCH 0633/1462] Bump backports-tarfile from 1.1.1 to 1.2.0 in /.github/requirements (#11035) Bumps [backports-tarfile](https://github.com/jaraco/backports.tarfile) from 1.1.1 to 1.2.0. - [Release notes](https://github.com/jaraco/backports.tarfile/releases) - [Changelog](https://github.com/jaraco/backports.tarfile/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/backports.tarfile/compare/v1.1.1...v1.2.0) --- updated-dependencies: - dependency-name: backports-tarfile dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index df9c95e55004..23b7a6e46721 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -4,9 +4,9 @@ # # pip-compile --generate-hashes publish-requirements.in # -backports-tarfile==1.1.1 \ - --hash=sha256:73e0179647803d3726d82e76089d01d8549ceca9bace469953fcb4d97cf2d417 \ - --hash=sha256:9c2ef9696cb73374f7164e17fc761389393ca76777036f5aad42e8b93fcd8009 +backports-tarfile==1.2.0 \ + --hash=sha256:77e284d754527b01fb1e6fa8a1afe577858ebe4e9dad8919e34c862cb399bc34 \ + --hash=sha256:d75e02c268746e1b8144c278978b6e98e85de6ad16f8e4b0844a154557eca991 # via jaraco-context certifi==2024.2.2 \ --hash=sha256:0569859f95fc761b18b45ef421b1290a0f65f147e92a1e5eb3e635f9a5e4e66f \ From fac1188ea8e27cce98d6d555cc2a5a00aaaa1e42 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 30 May 2024 00:18:08 +0000 Subject: [PATCH 0634/1462] Bump BoringSSL and/or OpenSSL in CI (#11039) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 67c394c3e82f..519439a5de1a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 29, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e09fcf8302f75dc50afcfe40f0d59a92b40a3c2e"}} - # Latest commit on the OpenSSL master branch, as of May 29, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "36ba419286843bcaeb497b3451540ab7587cf9d2"}} + # Latest commit on the BoringSSL master branch, as of May 30, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9540c0452343e684f94515288880b6b35655f792"}} + # Latest commit on the OpenSSL master branch, as of May 30, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f6b307d860832d3a76be20a693b92a71c83a3055"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From fdfc524dd8c94a65d75a7033eb96ee992b7bd6ab Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Wed, 29 May 2024 22:18:36 -0400 Subject: [PATCH 0635/1462] Fixes #11037 -- work around RFC 4055's inane notions of DER (#11038) --- .../src/policy/mod.rs | 6 +++--- src/rust/cryptography-x509/src/common.rs | 13 +++++++++++-- src/rust/src/x509/sign.rs | 2 +- 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 22f5a13dc0aa..5616a83a8ceb 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -97,7 +97,7 @@ static RSASSA_PSS_SHA256: Lazy> = Lazy::new(|| Algorithm hash_algorithm: PSS_SHA256_HASH_ALG, mask_gen_algorithm: PSS_SHA256_MASK_GEN_ALG, salt_length: 32, - _trailer_field: 1, + _trailer_field: None, }))), }); @@ -108,7 +108,7 @@ static RSASSA_PSS_SHA384: Lazy> = Lazy::new(|| Algorithm hash_algorithm: PSS_SHA384_HASH_ALG, mask_gen_algorithm: PSS_SHA384_MASK_GEN_ALG, salt_length: 48, - _trailer_field: 1, + _trailer_field: None, }))), }); @@ -119,7 +119,7 @@ static RSASSA_PSS_SHA512: Lazy> = Lazy::new(|| Algorithm hash_algorithm: PSS_SHA512_HASH_ALG, mask_gen_algorithm: PSS_SHA512_MASK_GEN_ALG, salt_length: 64, - _trailer_field: 1, + _trailer_field: None, }))), }); diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 9eea5ff7bca8..fa7e3ec77098 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs 
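Review bot: The three PSS constants (`RSASSA_PSS_SHA256`, `RSASSA_PSS_SHA384`, `RSASSA_PSS_SHA512`) now carry `_trailer_field: None`, while an identifier that explicitly encodes the value 1 will parse to `Some(1)` after the change in common.rs. If the policy matches a certificate's signature algorithm against these constants by equality (that code is not in these hunks), such a certificate now parses but is still rejected by the verifier. If that is intended, it deserves a comment next to the constants, e.g. `// An explicitly encoded trailerField parses as Some(1) and deliberately does not match.` If it is not intended, the comparison needs to treat `None` and `Some(1)` alike.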
@@ -367,9 +367,18 @@ pub struct RsaPssParameters<'a> { #[explicit(2)] #[default(20u16)] pub salt_length: u16, + // While the RFC describes this field as `DEFAULT 1`, it also states that + // parsers must accept this field being encoded with a value of 1, in + // conflict with DER's requirement that field DEFAULT values not be + // encoded. Thus we just treat this as an optional field. + // + // Users of this struct should supply `None` to indicate the DEFAULT value + // of 1, or `Some` to indicate a different value. Note that if you supply + // `Some(1)` this will result in encoding a violation of the DER rules, + // thus this should never be done except to round-trip an existing + // structure. #[explicit(3)] - #[default(1u8)] - pub _trailer_field: u8, + pub _trailer_field: Option, } // https://datatracker.ietf.org/doc/html/rfc3279#section-2.3.2 diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index f8068c9835dc..a97627cd215e 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -163,7 +163,7 @@ pub(crate) fn compute_signature_algorithm<'p>( params: mgf_alg, }, salt_length, - _trailer_field: 1, + _trailer_field: None, }))); return Ok(common::AlgorithmIdentifier { From 300f48352b774827b52ba3d14819fa1876d9c2e6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 30 May 2024 11:22:29 +0000 Subject: [PATCH 0636/1462] Bump requests from 2.32.2 to 2.32.3 (#11040) Bumps [requests](https://github.com/psf/requests) from 2.32.2 to 2.32.3. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](https://github.com/psf/requests/compare/v2.32.2...v2.32.3) --- updated-dependencies: - dependency-name: requests dependency-type: direct:production update-type: version-update:semver-patch ... 
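Review bot: The new comment on `_trailer_field` says `Some` indicates "a different value", but nothing in the struct limits what that value may be, and RFC 4055 defines only 1 for this field. I would extend the comment with `// Code that consumes parsed parameters should treat None and Some(1) as equivalent and reject any other value.` so the rule is stated where the field is declared. Whether the signature-verification path already checks this is not visible here. The struct definition starts above the hunk.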
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 27e66e3aec3f..891e51475b79 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -103,7 +103,7 @@ pytest-xdist==3.6.1; python_version >= "3.8" # via cryptography (pyproject.toml) readme-renderer==43.0 # via cryptography (pyproject.toml) -requests==2.32.2 +requests==2.32.3 # via sphinx ruff==0.4.6 # via cryptography (pyproject.toml) From ee4b371eeb6819fc8c6a8233afd8904d33dbb479 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 30 May 2024 19:38:22 -0700 Subject: [PATCH 0637/1462] Bump BoringSSL and/or OpenSSL in CI (#11041) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 519439a5de1a..5b93e6ab4a7b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 30, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9540c0452343e684f94515288880b6b35655f792"}} - # Latest commit on the OpenSSL master branch, as of May 30, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f6b307d860832d3a76be20a693b92a71c83a3055"}} + # Latest commit on the BoringSSL master branch, as of May 31, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "261579f08b2f8aa7959670df1e928c1c305a632c"}} + # Latest commit on the OpenSSL master branch, as of May 31, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9fcf57b45985336b04579dd317d0dc990a9c062b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 5cefe95cb74b2a38c1fd2836c5d4dbe60ad2f738 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 31 May 2024 14:43:09 +0200 Subject: [PATCH 0638/1462] Bump requests from 2.32.2 to 2.32.3 in /.github/requirements (#11043) Bumps [requests](https://github.com/psf/requests) from 2.32.2 to 2.32.3. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](https://github.com/psf/requests/compare/v2.32.2...v2.32.3) --- updated-dependencies: - dependency-name: requests dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 23b7a6e46721..e6eeabbb09ec 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -278,9 +278,9 @@ readme-renderer==43.0 \ --hash=sha256:1818dd28140813509eeed8d62687f7cd4f7bad90d4db586001c5dc09d4fde311 \ --hash=sha256:19db308d86ecd60e5affa3b2a98f017af384678c63c88e5d4556a380e674f3f9 # via twine -requests==2.32.2 \ - --hash=sha256:dd951ff5ecf3e3b3aa26b40703ba77495dab41da839ae72ef3c8e5d8e2433289 \ - --hash=sha256:fc06670dd0ed212426dfeb94fc1b983d917c4f9847c863f313c9dfaaffb7c23c +requests==2.32.3 \ + --hash=sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760 \ + --hash=sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6 # via # -r publish-requirements.in # requests-toolbelt From bac21b3fbfe3ff5d70e3a103cfedf7d05bc32187 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 31 May 2024 07:19:00 -0700 Subject: [PATCH 0639/1462] Migrate PKCS#12 serialization with keys to Rust (#10901) --- .../hazmat/backends/openssl/backend.py | 10 +---- .../hazmat/bindings/_rust/pkcs12.pyi | 2 + .../hazmat/primitives/serialization/pkcs12.py | 6 +-- src/rust/src/pkcs12.rs | 37 +++++++++++++++++-- 4 files changed, 39 insertions(+), 16 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index d00d1e4b072a..0da03896974f 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py 
@@ -398,14 +398,8 @@ def serialize_key_and_certificates_to_pkcs12( if name is not None: utils._check_bytes("name", name) - if isinstance(encryption_algorithm, serialization.NoEncryption): - nid_cert = -1 - nid_key = -1 - pkcs12_iter = 0 - # mac_iter of 0 uses OpenSSL's default value - mac_iter = 0 - mac_alg = self._ffi.NULL - elif isinstance( + assert not isinstance(encryption_algorithm, serialization.NoEncryption) + if isinstance( encryption_algorithm, serialization.BestAvailableEncryption ): # PKCS12 encryption is hopeless trash and can never be fixed. diff --git a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi index 76dd0194c40a..dcb3fca8cf1b 100644 --- a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi +++ b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi @@ -8,6 +8,7 @@ from cryptography import x509 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes from cryptography.hazmat.primitives.serialization.pkcs12 import ( PKCS12KeyAndCertificates, + PKCS12PrivateKeyTypes, ) class PKCS12Certificate: @@ -35,6 +36,7 @@ def load_pkcs12( ) -> PKCS12KeyAndCertificates: ... def serialize_key_and_certificates( name: bytes | None, + key: PKCS12PrivateKeyTypes | None, cert: x509.Certificate | None, cas: typing.Iterable[x509.Certificate | PKCS12Certificate] | None, ) -> bytes: ... diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index 17e03fbbe15c..2294b54322f9 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py 
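Review bot: The `assert not isinstance(encryption_algorithm, serialization.NoEncryption)` that replaces the removed branch is stripped when Python runs with `-O`. The invariant that unencrypted PKCS#12 output never reaches this OpenSSL path then depends only on the caller in pkcs12.py. An explicit check holds in every mode: `if isinstance(encryption_algorithm, serialization.NoEncryption): raise ValueError("NoEncryption is serialized by the Rust implementation")`. What the remaining `if`/`elif` chain does with a `NoEncryption` object is outside the hunk.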
@@ -167,10 +167,8 @@ def serialize_key_and_certificates( if key is None and cert is None and not cas: raise ValueError("You must supply at least one of key, cert, or cas") - if key is None and isinstance( - encryption_algorithm, serialization.NoEncryption - ): - return rust_pkcs12.serialize_key_and_certificates(name, cert, cas) + if isinstance(encryption_algorithm, serialization.NoEncryption): + return rust_pkcs12.serialize_key_and_certificates(name, key, cert, cas) from cryptography.hazmat.backends.openssl.backend import backend diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 1b1b6ceb9f28..919c40c2ad19 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -246,20 +246,20 @@ enum CertificateOrPKCS12Certificate { } #[pyo3::prelude::pyfunction] -#[pyo3(signature = (name, cert, cas))] +#[pyo3(signature = (name, key, cert, cas))] fn serialize_key_and_certificates<'p>( py: pyo3::Python<'p>, name: Option<&[u8]>, + key: Option>, cert: Option<&Certificate>, cas: Option>, ) -> CryptographyResult> { let (password, mac_algorithm, mac_kdf_iter) = decode_encryption_algorithm(py)?; let mut auth_safe_contents = vec![]; - let cert_bag_contents; + let (cert_bag_contents, key_bag_contents); let mut ca_certs = vec![]; - assert!(cert.is_some() || cas.is_some()); - { + if cert.is_some() || cas.is_some() { let mut cert_bags = vec![]; if let Some(cert) = cert { 
@@ -291,6 +291,35 @@ fn serialize_key_and_certificates<'p>( ))), }); } + + if let Some(key) = key { + let der = types::ENCODING_DER.get(py)?; + let pkcs8 = types::PRIVATE_FORMAT_PKCS8.get(py)?; + let no_encryption = types::NO_ENCRYPTION.get(py)?.call0()?; + + let pkcs8_bytes = key + .call_method1( + pyo3::intern!(py, "private_bytes"), + (der, pkcs8, no_encryption), + )? + .extract::()?; + let pkcs8_tlv = asn1::parse_single(&pkcs8_bytes)?; + + let key_bag = cryptography_x509::pkcs12::SafeBag { + _bag_id: asn1::DefinedByMarker::marker(), + bag_value: asn1::Explicit::new(cryptography_x509::pkcs12::BagValue::KeyBag(pkcs8_tlv)), + attributes: friendly_name_attributes(name)?, + }; + + key_bag_contents = asn1::write_single(&asn1::SequenceOfWriter::new([key_bag]))?; + auth_safe_contents.push(cryptography_x509::pkcs7::ContentInfo { + _content_type: asn1::DefinedByMarker::marker(), + content: cryptography_x509::pkcs7::Content::Data(Some(asn1::Explicit::new( + &key_bag_contents, + ))), + }); + } + let auth_safe_content = asn1::write_single(&asn1::SequenceOfWriter::new(auth_safe_contents))?; let salt = types::OS_URANDOM From 5fbb323a1050b8f37a6348072b1b0c15be6cbd63 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 31 May 2024 22:19:25 -0400 Subject: [PATCH 0640/1462] Bump BoringSSL and/or OpenSSL in CI (#11044) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5b93e6ab4a7b..8a650b899ab2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
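Review bot: The added block writes the private key as unencrypted PKCS#8 inside a `KeyBag`, and `serialize_key_and_certificates` takes no encryption argument, so it relies entirely on the Python wrapper calling it only for `NoEncryption`. That contract should be written down at the block, for example `// Unencrypted path only: the key is stored in the clear as a KeyBag; the Python caller must route encrypted requests elsewhere.` The function starts and ends outside this hunk.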
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 31, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "261579f08b2f8aa7959670df1e928c1c305a632c"}} - # Latest commit on the OpenSSL master branch, as of May 31, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9fcf57b45985336b04579dd317d0dc990a9c062b"}} + # Latest commit on the BoringSSL master branch, as of Jun 01, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c8100f0f0d05c5185d58113e12a867ae0771a6c9"}} + # Latest commit on the OpenSSL master branch, as of Jun 01, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0285160ffa3b8c2b5491222243042593808298c4"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From b154a1bdf14069d13d3b085157b7807a4fd8d7d6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 1 Jun 2024 09:15:45 -0700 Subject: [PATCH 0641/1462] Added OID for PKCS7 encrypted data (#11047) --- src/rust/cryptography-x509/src/pkcs7.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/src/rust/cryptography-x509/src/pkcs7.rs b/src/rust/cryptography-x509/src/pkcs7.rs index 9df323696ac3..bd553cb89def 100644 --- a/src/rust/cryptography-x509/src/pkcs7.rs +++ b/src/rust/cryptography-x509/src/pkcs7.rs 
@@ -6,6 +6,7 @@ use crate::{certificate, common, csr, name}; pub const PKCS7_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 1); pub const PKCS7_SIGNED_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 2); +pub const PKCS7_ENCRYPTED_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 6); #[derive(asn1::Asn1Write)] pub struct ContentInfo<'a> { From 654be3419721a4db02150255bbe58654aa64a912 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 1 Jun 2024 09:32:58 -0700 Subject: [PATCH 0642/1462] Fix a few typos (#11048) --- src/rust/cryptography-x509/src/extensions.rs | 4 ++-- src/rust/src/x509/certificate.rs | 2 +- src/rust/src/x509/ocsp_resp.rs | 10 +++++----- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index 1a1e13484272..f674b965144c 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -253,7 +253,7 @@ impl KeyUsage<'_> { self.0.has_bit_set(0) } - pub fn content_comitment(&self) -> bool { + pub fn content_commitment(&self) -> bool { self.0.has_bit_set(1) } @@ -364,7 +364,7 @@ mod tests { let ku: KeyUsage<'_> = asn1::parse_single(&asn1).unwrap(); assert!(!ku.is_zeroed()); assert!(ku.digital_signature()); - assert!(ku.content_comitment()); + assert!(ku.content_commitment()); assert!(ku.key_encipherment()); assert!(ku.data_encipherment()); assert!(ku.key_agreement()); diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 88eb15e637d1..0ac0e4d8e0ff 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -777,7 +777,7 @@ pub fn parse_cert_ext<'p>( Ok(Some(types::KEY_USAGE.get(py)?.call1(( kus.digital_signature(), - kus.content_comitment(), + kus.content_commitment(), kus.key_encipherment(), kus.data_encipherment(), kus.key_agreement(), 
diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index e5718079bcae..e9af29054466 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -46,7 +46,7 @@ fn load_der_ocsp_response( )) } }, - MALFORMED_REQUEST_RESPOSNE + MALFORMED_REQUEST_RESPONSE | INTERNAL_ERROR_RESPONSE | TRY_LATER_RESPONSE | SIG_REQUIRED_RESPONSE @@ -92,7 +92,7 @@ impl OCSPResponse { } const SUCCESSFUL_RESPONSE: u32 = 0; -const MALFORMED_REQUEST_RESPOSNE: u32 = 1; +const MALFORMED_REQUEST_RESPONSE: u32 = 1; const INTERNAL_ERROR_RESPONSE: u32 = 2; const TRY_LATER_RESPONSE: u32 = 3; // 4 is unused @@ -131,7 +131,7 @@ impl OCSPResponse { let status = self.raw.borrow_dependent().response_status.value(); let attr = if status == SUCCESSFUL_RESPONSE { "SUCCESSFUL" - } else if status == MALFORMED_REQUEST_RESPOSNE { + } else if status == MALFORMED_REQUEST_RESPONSE { "MALFORMED_REQUEST" } else if status == INTERNAL_ERROR_RESPONSE { "INTERNAL_ERROR" @@ -203,14 +203,14 @@ impl OCSPResponse { match hash_alg { Ok(data) => Ok(data), Err(_) => { - let exc_messsage = format!( + let exc_message = format!( "Signature algorithm OID: {} not recognized", self.requires_successful_response()? .signature_algorithm .oid() ); Err(CryptographyError::from( - exceptions::UnsupportedAlgorithm::new_err(exc_messsage), + exceptions::UnsupportedAlgorithm::new_err(exc_message), )) } } From 8844b2781db29e54cc314b2857220c9352e16947 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Jun 2024 02:56:47 +0000 Subject: [PATCH 0643/1462] Bump certifi from 2024.2.2 to 2024.6.2 (#11049) Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.2.2 to 2024.6.2. - [Commits](https://github.com/certifi/python-certifi/compare/2024.02.02...2024.06.02) --- updated-dependencies: - dependency-name: certifi dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 891e51475b79..11135dd04507 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -15,7 +15,7 @@ build==1.2.1 # via # check-sdist # cryptography (pyproject.toml) -certifi==2024.2.2 +certifi==2024.6.2 # via requests charset-normalizer==3.3.2 # via requests From b06aaa1689f66636d4a83fbad7e5475584167e9f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Jun 2024 02:57:04 +0000 Subject: [PATCH 0644/1462] Bump typing-extensions from 4.12.0 to 4.12.1 (#11050) Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.12.0 to 4.12.1. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/compare/4.12.0...4.12.1) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 11135dd04507..965940a44de5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -146,7 +146,7 @@ tomli==2.0.1 # mypy # pyproject-hooks # pytest -typing-extensions==4.12.0; python_version >= "3.8" +typing-extensions==4.12.1; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests From 940bb658adc3c2da434a1a9570ae73d6e011fce3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Jun 2024 03:01:23 +0000 Subject: [PATCH 0645/1462] Bump ruff from 0.4.6 to 0.4.7 (#11051) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.6 to 0.4.7. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.6...v0.4.7) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 965940a44de5..b70e9ae52c8f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.4.6 +ruff==0.4.7 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 46a2c210818de202347a983d6df59042a0d8da80 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 1 Jun 2024 23:02:08 -0400 Subject: [PATCH 0646/1462] Bump zipp from 3.19.0 to 3.19.1 in /.github/requirements (#11052) Bumps [zipp](https://github.com/jaraco/zipp) from 3.19.0 to 3.19.1. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.19.0...v3.19.1) --- updated-dependencies: - dependency-name: zipp dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index e6eeabbb09ec..5f6974c8076f 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -311,7 +311,7 @@ urllib3==2.2.1 \ # via # requests # twine -zipp==3.19.0 \ - --hash=sha256:952df858fb3164426c976d9338d3961e8e8b3758e2e059e0f754b8c4262625ee \ - --hash=sha256:96dc6ad62f1441bcaccef23b274ec471518daf4fbbc580341204936a5a3dddec +zipp==3.19.1 \ + --hash=sha256:2828e64edb5386ea6a52e7ba7cdb17bb30a73a858f5eb6eb93d8d36f5ea26091 \ + --hash=sha256:35427f6d5594f4acf82d25541438348c26736fa9b3afa2754bcd63cdb99d8e8f # via importlib-metadata From 88541546d182e8e27d279e94384115d600d87d31 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 1 Jun 2024 23:07:08 -0400 Subject: [PATCH 0647/1462] Bump pkginfo from 1.10.0 to 1.11.0 in /.github/requirements (#11053) Bumps [pkginfo](https://code.launchpad.net/~tseaver/pkginfo/trunk) from 1.10.0 to 1.11.0. --- updated-dependencies: - dependency-name: pkginfo dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 5f6974c8076f..b1a8064b0dd8 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -260,9 +260,9 @@ nh3==0.2.17 \ --hash=sha256:c790769152308421283679a142dbdb3d1c46c79c823008ecea8e8141db1a2062 \ --hash=sha256:d7a25fd8c86657f5d9d576268e3b3767c5cd4f42867c9383618be8517f0f022a # via readme-renderer -pkginfo==1.10.0 \ - --hash=sha256:5df73835398d10db79f8eecd5cd86b1f6d29317589ea70796994d49399af6297 \ - --hash=sha256:889a6da2ed7ffc58ab5b900d888ddce90bce912f2d2de1dc1c26f4cb9fe65097 +pkginfo==1.11.0 \ + --hash=sha256:6d4998d1cd42c297af72cc0eab5f5bab1d356fb8a55b828fa914173f8bc1ba05 \ + --hash=sha256:dba885aa82e31e80d615119874384923f4e011c2a39b0c4b7104359e36cb7087 # via twine pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ From b6623ea110142845a7e91fad06e39f47549eb121 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Jun 2024 13:16:10 +0000 Subject: [PATCH 0648/1462] Bump proc-macro2 from 1.0.84 to 1.0.85 in /src/rust (#11055) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.84 to 1.0.85. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.84...1.0.85) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 03d6df0e2415..f3d6193e9e34 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -271,9 +271,9 @@ checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" [[package]] name = "proc-macro2" -version = "1.0.84" +version = "1.0.85" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ec96c6a92621310b51366f1e28d05ef11489516e93be030060e5fc12024a49d6" +checksum = "22244ce15aa966053a896d1accb3a6e68469b97c7f33f284b99f0d576879fc23" dependencies = [ "unicode-ident", ] From 49de9e9491d2aab3f8dc2ccb8ed8118b559d3d14 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Jun 2024 09:23:45 -0400 Subject: [PATCH 0649/1462] Bump certifi from 2024.2.2 to 2024.6.2 in /.github/requirements (#11056) Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.2.2 to 2024.6.2. - [Commits](https://github.com/certifi/python-certifi/compare/2024.02.02...2024.06.02) --- updated-dependencies: - dependency-name: certifi dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index b1a8064b0dd8..bf14501bfc6e 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -8,9 +8,9 @@ backports-tarfile==1.2.0 \ --hash=sha256:77e284d754527b01fb1e6fa8a1afe577858ebe4e9dad8919e34c862cb399bc34 \ --hash=sha256:d75e02c268746e1b8144c278978b6e98e85de6ad16f8e4b0844a154557eca991 # via jaraco-context -certifi==2024.2.2 \ - --hash=sha256:0569859f95fc761b18b45ef421b1290a0f65f147e92a1e5eb3e635f9a5e4e66f \ - --hash=sha256:dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1 +certifi==2024.6.2 \ + --hash=sha256:3cd43f1c6fa7dedc5899d69d3ad0398fd018ad1a17fba83ddaf78aa46c747516 \ + --hash=sha256:ddc6c8ce995e6987e7faf5e3f1b02b302836a0e5d98ece18392cb1a36c72ad56 # via requests cffi==1.16.0 \ --hash=sha256:0c9ef6ff37e974b73c25eecc13952c55bceed9112be2d9d938ded8e856138bcc \ From 4bd89e4ace7bf57855fdb16a461d90a2572dd276 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Jun 2024 19:21:43 +0000 Subject: [PATCH 0650/1462] Bump asn1 from 0.16.1 to 0.16.2 in /src/rust (#11057) Bumps [asn1](https://github.com/alex/rust-asn1) from 0.16.1 to 0.16.2. - [Commits](https://github.com/alex/rust-asn1/compare/0.16.1...0.16.2) --- updated-dependencies: - dependency-name: asn1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 8 ++++---- src/rust/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-x509-verification/Cargo.toml | 2 +- src/rust/cryptography-x509/Cargo.toml | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index f3d6193e9e34..14bba00dc40b 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -4,18 +4,18 @@ version = 3 [[package]] name = "asn1" -version = "0.16.1" +version = "0.16.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "889adc8fd6c1344619926529e605cccad1f832b3a2a5a3fe6d7c8557c8f05368" +checksum = "532ceda058281b62096b2add4ab00ab3a453d30dee28b8890f62461a0109ebbd" dependencies = [ "asn1_derive", ] [[package]] name = "asn1_derive" -version = "0.16.1" +version = "0.16.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2271cec9b830009b9c3b9e21767083c553f51f996b690c476c27f541199aa99" +checksum = "56e6076d38cc17cc22b0f65f31170a2ee1975e6b07f0012893aefd86ce19c987" dependencies = [ "proc-macro2", "quote", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index c3a006aff3e6..9f49dc9c6e92 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -11,7 +11,7 @@ rust-version = "1.65.0" once_cell = "1" cfg-if = "1" pyo3 = { version = "0.21.2", features = ["abi3"] } -asn1 = { version = "0.16.1", default-features = false } +asn1 = { version = "0.16.2", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } cryptography-key-parsing = { path = "cryptography-key-parsing" } diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index 2b2313453269..9d4e5d00fbdf 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.65.0" [dependencies] -asn1 = { version = "0.16.1", default-features = false } +asn1 = { version = "0.16.2", default-features = false } cfg-if = "1" openssl = "0.10.64" openssl-sys = "0.9.102" diff --git a/src/rust/cryptography-x509-verification/Cargo.toml b/src/rust/cryptography-x509-verification/Cargo.toml index 2ffa8e3d273e..086332bd4529 100644 --- a/src/rust/cryptography-x509-verification/Cargo.toml 
+++ b/src/rust/cryptography-x509-verification/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.65.0" [dependencies] -asn1 = { version = "0.16.1", default-features = false } +asn1 = { version = "0.16.2", default-features = false } cryptography-x509 = { path = "../cryptography-x509" } cryptography-key-parsing = { path = "../cryptography-key-parsing" } once_cell = "1" diff --git a/src/rust/cryptography-x509/Cargo.toml b/src/rust/cryptography-x509/Cargo.toml index 2332756b2275..8da775c34647 100644 --- a/src/rust/cryptography-x509/Cargo.toml +++ b/src/rust/cryptography-x509/Cargo.toml @@ -8,4 +8,4 @@ publish = false rust-version = "1.65.0" [dependencies] -asn1 = { version = "0.16.1", default-features = false } +asn1 = { version = "0.16.2", default-features = false } From 9fc01fdbadcfe3e19a63ba51003b07c3d314dc33 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Jun 2024 19:22:08 +0000 Subject: [PATCH 0651/1462] Bump asn1_derive from 0.16.1 to 0.16.2 in /src/rust (#11058) Bumps [asn1_derive](https://github.com/alex/rust-asn1) from 0.16.1 to 0.16.2. - [Commits](https://github.com/alex/rust-asn1/compare/0.16.1...0.16.2) --- updated-dependencies: - dependency-name: asn1_derive dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> From 78c9fcbac6814f42d30538db71abe44357ebb908 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 2 Jun 2024 23:30:50 -0400 Subject: [PATCH 0652/1462] Added several OIDs that are used in PBESv2 encoding (#11046) --- src/rust/cryptography-x509/src/oid.rs | 10 ++++++++++ src/rust/src/pkcs7.rs | 10 +++------- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/src/rust/cryptography-x509/src/oid.rs b/src/rust/cryptography-x509/src/oid.rs index bf5d0ba29689..85fb543e6e85 100644 --- a/src/rust/cryptography-x509/src/oid.rs 
+++ b/src/rust/cryptography-x509/src/oid.rs @@ -147,3 +147,13 @@ pub const EKU_OCSP_SIGNING_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, pub const EKU_ANY_KEY_USAGE_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, 37, 0); pub const EKU_CERTIFICATE_TRANSPARENCY_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 4, 1, 11129, 2, 4, 4); + +pub const PBES2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 13); +pub const PBKDF2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 12); + +pub const AES_256_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 42); +pub const AES_192_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 22); +pub const AES_128_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 2); + +pub const HMAC_WITH_SHA1_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 2, 7); +pub const HMAC_WITH_SHA256_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 2, 9); diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 4cfa3067ac20..c2dcbc94974f 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -27,10 +27,6 @@ const PKCS7_MESSAGE_DIGEST_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 1 const PKCS7_SIGNING_TIME_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 5); const PKCS7_SMIME_CAP_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 15); -const AES_256_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 42); -const AES_192_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 22); -const AES_128_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 2); - static OIDS_TO_MIC_NAME: Lazy> = Lazy::new(|| { let mut h = HashMap::new(); h.insert(&oid::SHA224_OID, "sha-224"); 
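Review bot: The constants added at the end of src/rust/cryptography-x509/src/oid.rs have no comment saying which scheme they belong to, and `HMAC_WITH_SHA1_OID` sits next to `HMAC_WITH_SHA256_OID` with nothing telling a later reader why a SHA-1 PRF is listed. A group comment above `PBES2_OID` would cover the first point, for example `// PKCS #5 v2 (RFC 8018): PBES2, PBKDF2, and the cipher / PRF identifiers carried in PBES2 parameters`. For the HMAC pair, `// PBKDF2 PRFs; hmacWithSHA1 is the RFC 8018 default when the prf field is absent` records why it is there.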
@@ -105,9 +101,9 @@ fn sign_and_serialize<'p>( // Subset of values OpenSSL provides: // https://github.com/openssl/openssl/blob/667a8501f0b6e5705fd611d5bb3ca24848b07154/crypto/pkcs7/pk7_smime.c#L150 // removing all the ones that are bad cryptography - &asn1::SequenceOfWriter::new([AES_256_CBC_OID]), - &asn1::SequenceOfWriter::new([AES_192_CBC_OID]), - &asn1::SequenceOfWriter::new([AES_128_CBC_OID]), + &asn1::SequenceOfWriter::new([oid::AES_256_CBC_OID]), + &asn1::SequenceOfWriter::new([oid::AES_192_CBC_OID]), + &asn1::SequenceOfWriter::new([oid::AES_128_CBC_OID]), ]))?; #[allow(clippy::type_complexity)] From 99de528c1229363f4435eac25f54abac4ba65072 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 3 Jun 2024 08:08:11 -0400 Subject: [PATCH 0653/1462] fixes #11062 -- register OCSP implementations with interfaces (#11063) --- .../hazmat/bindings/_rust/ocsp.pyi | 25 +++++++++--------- src/cryptography/x509/ocsp.py | 4 +++ src/rust/src/x509/ocsp_req.rs | 2 ++ src/rust/src/x509/ocsp_resp.rs | 26 ++++++++++--------- tests/x509/test_ocsp.py | 2 ++ 5 files changed, 34 insertions(+), 25 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/ocsp.pyi b/src/cryptography/hazmat/bindings/_rust/ocsp.pyi index b15628f8d46b..29c4372bcfb5 100644 --- a/src/cryptography/hazmat/bindings/_rust/ocsp.pyi +++ b/src/cryptography/hazmat/bindings/_rust/ocsp.pyi 
@@ -4,20 +4,19 @@ from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes -from cryptography.x509.ocsp import ( - OCSPRequest, - OCSPRequestBuilder, - OCSPResponse, - OCSPResponseBuilder, - OCSPResponseStatus, -) +from cryptography.x509 import ocsp -def load_der_ocsp_request(data: bytes) -> OCSPRequest: ... -def load_der_ocsp_response(data: bytes) -> OCSPResponse: ... -def create_ocsp_request(builder: OCSPRequestBuilder) -> OCSPRequest: ... +class OCSPRequest: ... +class OCSPResponse: ... + +def load_der_ocsp_request(data: bytes) -> ocsp.OCSPRequest: ... +def load_der_ocsp_response(data: bytes) -> ocsp.OCSPResponse: ... +def create_ocsp_request( + builder: ocsp.OCSPRequestBuilder, +) -> ocsp.OCSPRequest: ... def create_ocsp_response( - status: OCSPResponseStatus, - builder: OCSPResponseBuilder | None, + status: ocsp.OCSPResponseStatus, + builder: ocsp.OCSPResponseBuilder | None, private_key: PrivateKeyTypes | None, hash_algorithm: hashes.HashAlgorithm | None, -) -> OCSPResponse: ... +) -> ocsp.OCSPResponse: ... diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py index 9751ceaf9655..ec2f2dab9e11 100644 --- a/src/cryptography/x509/ocsp.py +++ b/src/cryptography/x509/ocsp.py @@ -402,6 +402,10 @@ def public_bytes(self, encoding: serialization.Encoding) -> bytes: """ +OCSPRequest.register(ocsp.OCSPRequest) +OCSPResponse.register(ocsp.OCSPResponse) + + class OCSPRequestBuilder: def __init__( self, diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index dd4e5f77eb4d..a411904b2588 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -235,5 +235,7 @@ pub(crate) fn add_to_module( module.add_function(pyo3::wrap_pyfunction_bound!(load_der_ocsp_request, module)?)?; module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_request, module)?)?; + module.add_class::()?; + Ok(()) } 
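Review bot: The two `register()` calls added in src/cryptography/x509/ocsp.py make the Rust types virtual subclasses, which satisfies `isinstance()` without the abstract-method check a real subclass gets at class creation. The assertions this commit adds to tests/x509/test_ocsp.py check `isinstance` only, so conformance to the interface has to come from the other tests. A comment above the calls would record that, for example `# Virtual subclasses: ABCMeta does not verify that the Rust types implement the abstract methods.`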
diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index e9af29054466..99cbe582ab98 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -778,18 +778,6 @@ fn create_ocsp_response( load_der_ocsp_response(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()) } -pub(crate) fn add_to_module( - module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, -) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction_bound!( - load_der_ocsp_response, - module - )?)?; - module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_response, module)?)?; - - Ok(()) -} - type RawOCSPResponseIterator<'a> = asn1::SequenceOf<'a, SingleResponse<'a>>; self_cell::self_cell!( @@ -919,3 +907,17 @@ impl OCSPSingleResponse { singleresp_py_next_update(single_resp, py) } } + +pub(crate) fn add_to_module( + module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, +) -> pyo3::PyResult<()> { + module.add_function(pyo3::wrap_pyfunction_bound!( + load_der_ocsp_response, + module + )?)?; + module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_response, module)?)?; + + module.add_class::()?; + + Ok(()) +} diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py index 8f5948bc171b..31e04f6d75ed 100644 --- a/tests/x509/test_ocsp.py +++ b/tests/x509/test_ocsp.py @@ -78,6 +78,7 @@ def test_load_request(self): os.path.join("x509", "ocsp", "req-sha1.der"), ocsp.load_der_ocsp_request, ) + assert isinstance(req, ocsp.OCSPRequest) assert req.issuer_name_hash == ( b"8\xcaF\x8c\x07D\x8d\xf4\x81\x96\xc7mmLpQ\x9e`\xa7\xbd" ) @@ -1120,6 +1121,7 @@ def test_load_response(self): os.path.join("x509", "letsencryptx3.pem"), x509.load_pem_x509_certificate, ) + assert isinstance(resp, ocsp.OCSPResponse) assert resp.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL assert ( resp.signature_algorithm_oid From 064a463eae1a67d4a4fcdc5305fc115c98f207f9 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Mon, 3 Jun 2024 08:23:51 -0400 Subject: [PATCH 0654/1462] added tests for PKCS12Certificate with encryption builder (#11060) --- tests/hazmat/primitives/test_pkcs12.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 5b97121b2c1e..8397750ec264 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -423,6 +423,12 @@ def test_generate_cas_friendly_names(self, backend): ("encryption_algorithm", "password"), [ (serialization.BestAvailableEncryption(b"password"), b"password"), + ( + serialization.PrivateFormat.PKCS12.encryption_builder().build( + b"not a password" + ), + b"not a password", + ), (serialization.NoEncryption(), None), ], ) From 4184b80ab6385b7987d047b8f4948f2a2f32c705 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 3 Jun 2024 08:28:15 -0400 Subject: [PATCH 0655/1462] Added shrouded key bag oid (#11061) --- src/rust/cryptography-x509/src/pkcs12.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/rust/cryptography-x509/src/pkcs12.rs b/src/rust/cryptography-x509/src/pkcs12.rs index 4fea62179846..dce1c41726eb 100644 --- a/src/rust/cryptography-x509/src/pkcs12.rs +++ b/src/rust/cryptography-x509/src/pkcs12.rs @@ -7,6 +7,8 @@ use crate::pkcs7; pub const CERT_BAG_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 12, 10, 1, 3); pub const KEY_BAG_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 12, 10, 1, 1); +pub const SHROUDED_KEY_BAG_OID: asn1::ObjectIdentifier = + asn1::oid!(1, 2, 840, 113549, 1, 12, 10, 1, 2); pub const X509_CERTIFICATE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 22, 1); pub const FRIENDLY_NAME_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 20); From fe1f9f48039197637e5e4ec1bb42bda856f53796 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Mon, 3 Jun 2024 08:46:21 -0400 Subject: [PATCH 0656/1462] Pass encryption algorithm to Rust in PKCS#12 (#11064) Extracted from #11059 --- .../hazmat/bindings/_rust/pkcs12.pyi | 4 +++ .../hazmat/primitives/serialization/pkcs12.py | 4 ++- src/rust/src/pkcs12.rs | 26 ++++++++++++++----- 3 files changed, 26 insertions(+), 8 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi index dcb3fca8cf1b..40514c4623d5 100644 --- a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi +++ b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi @@ -6,6 +6,9 @@ import typing from cryptography import x509 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes +from cryptography.hazmat.primitives.serialization import ( + KeySerializationEncryption, +) from cryptography.hazmat.primitives.serialization.pkcs12 import ( PKCS12KeyAndCertificates, PKCS12PrivateKeyTypes, @@ -39,4 +42,5 @@ def serialize_key_and_certificates( key: PKCS12PrivateKeyTypes | None, cert: x509.Certificate | None, cas: typing.Iterable[x509.Certificate | PKCS12Certificate] | None, + encryption_algorithm: KeySerializationEncryption, ) -> bytes: ... diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index 2294b54322f9..d1fc460d7296 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py @@ -168,7 +168,9 @@ def serialize_key_and_certificates( raise ValueError("You must supply at least one of key, cert, or cas") if isinstance(encryption_algorithm, serialization.NoEncryption): - return rust_pkcs12.serialize_key_and_certificates(name, key, cert, cas) + return rust_pkcs12.serialize_key_and_certificates( + name, key, cert, cas, encryption_algorithm + ) from cryptography.hazmat.backends.openssl.backend import backend 
diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 919c40c2ad19..4663b91c4e8a 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -230,13 +230,23 @@ fn cert_to_bag<'a>( }) } -fn decode_encryption_algorithm( - py: pyo3::Python<'_>, -) -> CryptographyResult<(&[u8], pyo3::Bound<'_, pyo3::PyAny>, u64)> { +fn decode_encryption_algorithm<'a>( + py: pyo3::Python<'a>, + encryption_algorithm: pyo3::Bound<'a, pyo3::PyAny>, +) -> CryptographyResult<( + pyo3::pybacked::PyBackedBytes, + pyo3::Bound<'a, pyo3::PyAny>, + u64, +)> { let default_hmac_alg = types::SHA256.get(py)?.call0()?; let default_hmac_kdf_iter = 2048; - Ok((b"", default_hmac_alg, default_hmac_kdf_iter)) + assert!(encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get(py)?)?); + Ok(( + pyo3::types::PyBytes::new_bound(py, b"").extract()?, + default_hmac_alg, + default_hmac_kdf_iter, + )) } #[derive(pyo3::FromPyObject)] @@ -246,15 +256,17 @@ enum CertificateOrPKCS12Certificate { } #[pyo3::prelude::pyfunction] -#[pyo3(signature = (name, key, cert, cas))] +#[pyo3(signature = (name, key, cert, cas, encryption_algorithm))] fn serialize_key_and_certificates<'p>( py: pyo3::Python<'p>, name: Option<&[u8]>, key: Option>, cert: Option<&Certificate>, cas: Option>, + encryption_algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - let (password, mac_algorithm, mac_kdf_iter) = decode_encryption_algorithm(py)?; + let (password, mac_algorithm, mac_kdf_iter) = + decode_encryption_algorithm(py, encryption_algorithm)?; let mut auth_safe_contents = vec![]; let (cert_bag_contents, key_bag_contents); @@ -328,7 +340,7 @@ fn serialize_key_and_certificates<'p>( .extract::()?; let mac_algorithm_md = hashes::message_digest_from_algorithm(py, &mac_algorithm)?; let mac_key = pkcs12_kdf( - password, + &password, &salt, KDF_MAC_KEY_ID, mac_kdf_iter, From 0419242d00a1ffbbf7ea0ee0135a9a3e60ef2298 Mon Sep 17 00:00:00 2001 
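Review bot: In `decode_encryption_algorithm` (first hunk of src/rust/src/pkcs12.rs) the new `assert!(encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get(py)?)?)` turns an unexpected argument into a Rust panic rather than a `CryptographyError`. The Python wrapper changed in this commit forwards only `NoEncryption`, so the public `serialize_key_and_certificates` in pkcs12.py does not reach it, but the `#[pyfunction]` can be called directly. pyo3 raises a panic as `PanicException`, which derives from `BaseException` and is not caught by `except Exception`. Returning a typed error avoids that: `if !encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get(py)?)? { return Err(CryptographyError::from(pyo3::exceptions::PyTypeError::new_err("Unsupported key encryption type"))); }`.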
From: Alex Gaynor Date: Mon, 3 Jun 2024 09:32:07 -0400 Subject: [PATCH 0657/1462] Added a few new AlgorithmParameter types (#11065) split out from #11059 --- src/rust/cryptography-x509/src/common.rs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index fa7e3ec77098..84608c870123 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -125,6 +125,14 @@ pub enum AlgorithmParameters<'a> { #[defined_by(oid::DH_KEY_AGREEMENT_OID)] DhKeyAgreement(BasicDHParams<'a>), + #[defined_by(oid::HMAC_WITH_SHA1_OID)] + HmacWithSha1(asn1::Null), + #[defined_by(oid::HMAC_WITH_SHA256_OID)] + HmacWithSha256(asn1::Null), + + #[defined_by(oid::AES_256_CBC_OID)] + Aes256Cbc([u8; 16]), + #[default] Other(asn1::ObjectIdentifier, Option>), } From d54d67353b5384bee303024cbc55b1392a87ee6d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 3 Jun 2024 09:32:28 -0400 Subject: [PATCH 0658/1462] Register OCSPSingleResponse implementation with interface (#11066) --- src/cryptography/hazmat/bindings/_rust/ocsp.pyi | 1 + src/cryptography/x509/ocsp.py | 1 + src/rust/src/x509/ocsp_resp.rs | 1 + tests/x509/test_ocsp.py | 1 + 4 files changed, 4 insertions(+) diff --git a/src/cryptography/hazmat/bindings/_rust/ocsp.pyi b/src/cryptography/hazmat/bindings/_rust/ocsp.pyi index 29c4372bcfb5..5e02145d86a5 100644 --- a/src/cryptography/hazmat/bindings/_rust/ocsp.pyi +++ b/src/cryptography/hazmat/bindings/_rust/ocsp.pyi @@ -8,6 +8,7 @@ from cryptography.x509 import ocsp class OCSPRequest: ... class OCSPResponse: ... +class OCSPSingleResponse: ... def load_der_ocsp_request(data: bytes) -> ocsp.OCSPRequest: ... def load_der_ocsp_response(data: bytes) -> ocsp.OCSPResponse: ... diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py index ec2f2dab9e11..9b2adc8601cc 100644 --- a/src/cryptography/x509/ocsp.py +++ b/src/cryptography/x509/ocsp.py 
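Review bot: The `Aes256Cbc([u8; 16])` variant added to `AlgorithmParameters` in src/rust/cryptography-x509/src/common.rs does not say what the sixteen bytes are; a comment above it such as `// Parameter is the 16-byte CBC IV` would make that explicit. The two HMAC variants take a bare `asn1::Null`, so an AlgorithmIdentifier that omits the parameters would presumably not match them. If such encodings must be accepted when parsing, `Option<asn1::Null>` would be needed, which is worth confirming against the intended inputs. Only AES-256-CBC gets a variant, so the AES-128 and AES-192 CBC OIDs defined in oid.rs would still fall through to `Other`. The enum begins and ends outside this hunk.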
@@ -404,6 +404,7 @@ def public_bytes(self, encoding: serialization.Encoding) -> bytes: OCSPRequest.register(ocsp.OCSPRequest) OCSPResponse.register(ocsp.OCSPResponse) +OCSPSingleResponse.register(ocsp.OCSPSingleResponse) class OCSPRequestBuilder: diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 99cbe582ab98..3233d0b4d9a1 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -918,6 +918,7 @@ pub(crate) fn add_to_module( module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_response, module)?)?; module.add_class::()?; + module.add_class::()?; Ok(()) } diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py index 31e04f6d75ed..1d155bb97029 100644 --- a/tests/x509/test_ocsp.py +++ b/tests/x509/test_ocsp.py @@ -1179,6 +1179,7 @@ def test_load_multi_valued_response(self): with pytest.raises(ValueError): resp.serial_number + assert isinstance(next(resp.responses), ocsp.OCSPSingleResponse) assert len(list(resp.responses)) == 20 def test_multi_valued_responses(self): From e2b5c513aa90a127d6e86d7c2b77d1b4251e035d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 4 Jun 2024 06:59:09 -0400 Subject: [PATCH 0659/1462] Bump dawidd6/action-download-artifact from 3.1.4 to 5 (#11069) Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 3.1.4 to 5. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](https://github.com/dawidd6/action-download-artifact/compare/09f2f74827fd3a8607589e5ad7f9398816f540fe...deb3bb83256a78589fef6a7b942e5f2573ad7c13) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8a650b899ab2..d7beaa8f0c38 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -255,7 +255,7 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/fetch-vectors - - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 + - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -315,7 +315,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'" - - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 + - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 with: repo: pyca/infra workflow: build-windows-openssl.yml diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 77524b95cdf0..281e17d43044 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -48,7 +48,7 @@ jobs: - name: Install Python dependencies run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} - - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 + - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 with: path: dist/ run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} 
diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 0f16ae6be96f..97f5dc0879ec 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -218,7 +218,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') - - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 + - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -315,7 +315,7 @@ jobs: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 + - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 with: repo: pyca/infra workflow: build-windows-openssl.yml From 73526a338c04959f5c47e008ee296f1a6acaa0d7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 4 Jun 2024 06:59:34 -0400 Subject: [PATCH 0660/1462] Bump actions/attest-build-provenance from 1.1.2 to 1.2.0 (#11068) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.1.2 to 1.2.0. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/173725a1209d09b31f9d30a3890cf2757ebbff0d...49df96e17e918a15956db358890b08e61c704919) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 281e17d43044..29f678a4369c 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -93,7 +93,7 @@ jobs: # Do not perform attestation for things for TestPyPI. This is because # there's nothing that would prevent a malicious PyPI from serving a # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2 + - uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0 with: subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' From 98c63e3fd912bff9f3bcde377a315cd1dee7b38b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 4 Jun 2024 09:16:33 -0700 Subject: [PATCH 0661/1462] update openssl in CI (#11071) --- .github/workflows/ci.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d7beaa8f0c38..8902cb9a9bb7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -29,17 +29,17 @@ jobs: PYTHON: - {VERSION: "3.12", NOXSESSION: "flake"} - {VERSION: "3.12", NOXSESSION: "rust"} - - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} + - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.2"}} - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.13"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.5"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.0"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.14"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.6"}} + - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.2"}} + - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.1"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.2", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.2", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} + - {VERSION: "3.12", 
NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.6"}} + - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} From 16da190cac22722c96ca3714d57351c02c56d265 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 4 Jun 2024 14:02:41 -0700 Subject: [PATCH 0662/1462] port 42.0.8 changelog (#11073) * port 42.0.8 changelog * Update build_openssl.sh --- .github/workflows/build_openssl.sh | 4 ++-- CHANGELOG.rst | 7 +++++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build_openssl.sh b/.github/workflows/build_openssl.sh index abdd09cf3e55..9b4cd2a29782 100755 --- a/.github/workflows/build_openssl.sh +++ b/.github/workflows/build_openssl.sh @@ -20,7 +20,7 @@ if [[ "${TYPE}" == "openssl" ]]; then pushd openssl git checkout "${VERSION}" else - curl -O "https://www.openssl.org/source/openssl-${VERSION}.tar.gz" + curl -LO "https://www.openssl.org/source/openssl-${VERSION}.tar.gz" tar zxf "openssl-${VERSION}.tar.gz" pushd "openssl-${VERSION}" fi @@ -57,7 +57,7 @@ if [[ "${TYPE}" == "openssl" ]]; then fi popd elif [[ "${TYPE}" == "libressl" ]]; then - curl -O "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${VERSION}.tar.gz" + curl -LO "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${VERSION}.tar.gz" tar zxf "libressl-${VERSION}.tar.gz" pushd "libressl-${VERSION}" cmake -B build -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DBUILD_SHARED_LIBS=OFF -DCMAKE_INSTALL_PREFIX="${OSSL_PATH}" diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 524262e120bf..d543896aed28 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
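Review bot: The two `curl -LO` downloads in build_openssl.sh (the OpenSSL tarball in the first hunk and the LibreSSL tarball in the second) now follow redirects, but the archive is still unpacked with `tar zxf` and built with no integrity check, and without `--fail` an HTTP error page would be saved under the tarball name. I would write the call as `curl --fail --proto '=https' --proto-redir '=https' -LO "https://www.openssl.org/source/openssl-${VERSION}.tar.gz"` (and the same flags for the LibreSSL URL), so a redirect cannot downgrade to plain HTTP and a failed fetch stops at the download rather than at `tar`. Comparing the file against a pinned SHA-256 per `${VERSION}` before extraction would close the remaining gap; whether the script already runs under `set -e` is not visible in these hunks.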
@@ -47,6 +47,13 @@ Changelog * Added support for parsing empty DN string in :meth:`~cryptography.x509.Name.from_rfc4514_string`. +.. _v42-0-8: + +42.0.8 - 2024-06-04 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.2. + .. _v42-0-7: 42.0.7 - 2024-05-06 From 007c28fd60a8a4c5ba2453e11190908fa94c6cf4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 5 Jun 2024 00:17:43 +0000 Subject: [PATCH 0663/1462] Bump BoringSSL and/or OpenSSL in CI (#11074) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8902cb9a9bb7..0ce50283f95d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 01, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c8100f0f0d05c5185d58113e12a867ae0771a6c9"}} - # Latest commit on the OpenSSL master branch, as of Jun 01, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0285160ffa3b8c2b5491222243042593808298c4"}} + # Latest commit on the BoringSSL master branch, as of Jun 05, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fb1c75caf8ba5d45a0f2c52facd36e4ad9289549"}} + # Latest commit on the OpenSSL master branch, as of Jun 05, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0e2567d7293d3204de66acca0ed55bda4f0c0768"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From acf51227246d8a6d2ef6ca5de322b2833fcf4668 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 5 Jun 2024 07:02:59 -0400 Subject: [PATCH 0664/1462] Bump pytest from 8.2.1 to 8.2.2 (#11075) Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.2.1 to 8.2.2. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/8.2.1...8.2.2) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b70e9ae52c8f..a11c924c2fd5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -86,7 +86,7 @@ pygments==2.18.0 # sphinx pyproject-hooks==1.1.0 # via build -pytest==8.2.1; python_version >= "3.8" +pytest==8.2.2; python_version >= "3.8" # via # cryptography (pyproject.toml) # pytest-benchmark From f4753533b4f199545a1661e4c05290c9eab99888 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 5 Jun 2024 07:03:29 -0400 Subject: [PATCH 0665/1462] Bump zipp from 3.19.1 to 3.19.2 in /.github/requirements (#11076) Bumps [zipp](https://github.com/jaraco/zipp) from 3.19.1 to 3.19.2. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.19.1...v3.19.2) --- updated-dependencies: - dependency-name: zipp dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index bf14501bfc6e..3a07eaa4b224 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -311,7 +311,7 @@ urllib3==2.2.1 \ # via # requests # twine -zipp==3.19.1 \ - --hash=sha256:2828e64edb5386ea6a52e7ba7cdb17bb30a73a858f5eb6eb93d8d36f5ea26091 \ - --hash=sha256:35427f6d5594f4acf82d25541438348c26736fa9b3afa2754bcd63cdb99d8e8f +zipp==3.19.2 \ + --hash=sha256:bf1dcf6450f873a13e952a29504887c89e6de7506209e5b1bcc3460135d4de19 \ + --hash=sha256:f091755f667055f2d02b32c53771a7a6c8b47e1fdbc4b72a8b9072b3eef8015c # via importlib-metadata From 21f129af73b1e3e5a9452891ce46cba1a8c9025b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 5 Jun 2024 07:29:35 -0400 Subject: [PATCH 0666/1462] Bump cryptography from 42.0.7 to 42.0.8 in /.github/requirements (#11077) Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.7 to 42.0.8. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/42.0.7...42.0.8) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 3a07eaa4b224..7ad866adab4a 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -158,39 +158,39 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==42.0.7 \ - --hash=sha256:02c0eee2d7133bdbbc5e24441258d5d2244beb31da5ed19fbb80315f4bbbff55 \ - --hash=sha256:0d563795db98b4cd57742a78a288cdbdc9daedac29f2239793071fe114f13785 \ - --hash=sha256:16268d46086bb8ad5bf0a2b5544d8a9ed87a0e33f5e77dd3c3301e63d941a83b \ - --hash=sha256:1a58839984d9cb34c855197043eaae2c187d930ca6d644612843b4fe8513c886 \ - --hash=sha256:2954fccea107026512b15afb4aa664a5640cd0af630e2ee3962f2602693f0c82 \ - --hash=sha256:2e47577f9b18723fa294b0ea9a17d5e53a227867a0a4904a1a076d1646d45ca1 \ - --hash=sha256:31adb7d06fe4383226c3e963471f6837742889b3c4caa55aac20ad951bc8ffda \ - --hash=sha256:3577d029bc3f4827dd5bf8bf7710cac13527b470bbf1820a3f394adb38ed7d5f \ - --hash=sha256:36017400817987670037fbb0324d71489b6ead6231c9604f8fc1f7d008087c68 \ - --hash=sha256:362e7197754c231797ec45ee081f3088a27a47c6c01eff2ac83f60f85a50fe60 \ - --hash=sha256:3de9a45d3b2b7d8088c3fbf1ed4395dfeff79d07842217b38df14ef09ce1d8d7 \ - --hash=sha256:4f698edacf9c9e0371112792558d2f705b5645076cc0aaae02f816a0171770fd \ - --hash=sha256:5482e789294854c28237bba77c4c83be698be740e31a3ae5e879ee5444166582 \ - --hash=sha256:5e44507bf8d14b36b8389b226665d597bc0f18ea035d75b4e53c7b1ea84583cc \ - --hash=sha256:779245e13b9a6638df14641d029add5dc17edbef6ec915688f3acb9e720a5858 \ - --hash=sha256:789caea816c6704f63f6241a519bfa347f72fbd67ba28d04636b7c6b7da94b0b \ - --hash=sha256:7f8b25fa616d8b846aef64b15c606bb0828dbc35faf90566eb139aa9cff67af2 \ - --hash=sha256:8cb8ce7c3347fcf9446f201dc30e2d5a3c898d009126010cbd1f443f28b52678 \ - --hash=sha256:93a3209f6bb2b33e725ed08ee0991b92976dfdcf4e8b38646540674fc7508e13 \ - --hash=sha256:a3a5ac8b56fe37f3125e5b72b61dcde43283e5370827f5233893d461b7360cd4 \ - --hash=sha256:a47787a5e3649008a1102d3df55424e86606c9bae6fb77ac59afe06d234605f8 \ - 
--hash=sha256:a79165431551042cc9d1d90e6145d5d0d3ab0f2d66326c201d9b0e7f5bf43604 \ - --hash=sha256:a987f840718078212fdf4504d0fd4c6effe34a7e4740378e59d47696e8dfb477 \ - --hash=sha256:a9bc127cdc4ecf87a5ea22a2556cab6c7eda2923f84e4f3cc588e8470ce4e42e \ - --hash=sha256:bd13b5e9b543532453de08bcdc3cc7cebec6f9883e886fd20a92f26940fd3e7a \ - --hash=sha256:c65f96dad14f8528a447414125e1fc8feb2ad5a272b8f68477abbcc1ea7d94b9 \ - --hash=sha256:d8e3098721b84392ee45af2dd554c947c32cc52f862b6a3ae982dbb90f577f14 \ - --hash=sha256:e6b79d0adb01aae87e8a44c2b64bc3f3fe59515280e00fb6d57a7267a2583cda \ - --hash=sha256:e6b8f1881dac458c34778d0a424ae5769de30544fc678eac51c1c8bb2183e9da \ - --hash=sha256:e9b2a6309f14c0497f348d08a065d52f3020656f675819fc405fb63bbcd26562 \ - --hash=sha256:ecbfbc00bf55888edda9868a4cf927205de8499e7fabe6c050322298382953f2 \ - --hash=sha256:efd0bf5205240182e0f13bcaea41be4fdf5c22c5129fc7ced4a0282ac86998c9 +cryptography==42.0.8 \ + --hash=sha256:013629ae70b40af70c9a7a5db40abe5d9054e6f4380e50ce769947b73bf3caad \ + --hash=sha256:2346b911eb349ab547076f47f2e035fc8ff2c02380a7cbbf8d87114fa0f1c583 \ + --hash=sha256:2f66d9cd9147ee495a8374a45ca445819f8929a3efcd2e3df6428e46c3cbb10b \ + --hash=sha256:2f88d197e66c65be5e42cd72e5c18afbfae3f741742070e3019ac8f4ac57262c \ + --hash=sha256:31f721658a29331f895a5a54e7e82075554ccfb8b163a18719d342f5ffe5ecb1 \ + --hash=sha256:343728aac38decfdeecf55ecab3264b015be68fc2816ca800db649607aeee648 \ + --hash=sha256:5226d5d21ab681f432a9c1cf8b658c0cb02533eece706b155e5fbd8a0cdd3949 \ + --hash=sha256:57080dee41209e556a9a4ce60d229244f7a66ef52750f813bfbe18959770cfba \ + --hash=sha256:5a94eccb2a81a309806027e1670a358b99b8fe8bfe9f8d329f27d72c094dde8c \ + --hash=sha256:6b7c4f03ce01afd3b76cf69a5455caa9cfa3de8c8f493e0d3ab7d20611c8dae9 \ + --hash=sha256:7016f837e15b0a1c119d27ecd89b3515f01f90a8615ed5e9427e30d9cdbfed3d \ + --hash=sha256:81884c4d096c272f00aeb1f11cf62ccd39763581645b0812e99a91505fa48e0c \ + 
--hash=sha256:81d8a521705787afe7a18d5bfb47ea9d9cc068206270aad0b96a725022e18d2e \ + --hash=sha256:8d09d05439ce7baa8e9e95b07ec5b6c886f548deb7e0f69ef25f64b3bce842f2 \ + --hash=sha256:961e61cefdcb06e0c6d7e3a1b22ebe8b996eb2bf50614e89384be54c48c6b63d \ + --hash=sha256:9c0c1716c8447ee7dbf08d6db2e5c41c688544c61074b54fc4564196f55c25a7 \ + --hash=sha256:a0608251135d0e03111152e41f0cc2392d1e74e35703960d4190b2e0f4ca9c70 \ + --hash=sha256:a0c5b2b0585b6af82d7e385f55a8bc568abff8923af147ee3c07bd8b42cda8b2 \ + --hash=sha256:ad803773e9df0b92e0a817d22fd8a3675493f690b96130a5e24f1b8fabbea9c7 \ + --hash=sha256:b297f90c5723d04bcc8265fc2a0f86d4ea2e0f7ab4b6994459548d3a6b992a14 \ + --hash=sha256:ba4f0a211697362e89ad822e667d8d340b4d8d55fae72cdd619389fb5912eefe \ + --hash=sha256:c4783183f7cb757b73b2ae9aed6599b96338eb957233c58ca8f49a49cc32fd5e \ + --hash=sha256:c9bb2ae11bfbab395bdd072985abde58ea9860ed84e59dbc0463a5d0159f5b71 \ + --hash=sha256:cafb92b2bc622cd1aa6a1dce4b93307792633f4c5fe1f46c6b97cf67073ec961 \ + --hash=sha256:d45b940883a03e19e944456a558b67a41160e367a719833c53de6911cabba2b7 \ + --hash=sha256:dc0fdf6787f37b1c6b08e6dfc892d9d068b5bdb671198c72072828b80bd5fe4c \ + --hash=sha256:dea567d1b0e8bc5764b9443858b673b734100c2871dc93163f58c46a97a83d28 \ + --hash=sha256:dec9b018df185f08483f294cae6ccac29e7a6e0678996587363dc352dc65c842 \ + --hash=sha256:e3ec3672626e1b9e55afd0df6d774ff0e953452886e06e0f1eb7eb0c832e8902 \ + --hash=sha256:e599b53fd95357d92304510fb7bda8523ed1f79ca98dce2f43c115950aa78801 \ + --hash=sha256:fa76fbb7596cc5839320000cdd5d0955313696d9511debab7ee7278fc8b5c84a \ + --hash=sha256:fff12c88a672ab9c9c1cf7b0c80e3ad9e2ebd9d828d955c126be4fd3e5578c9e # via secretstorage docutils==0.21.2 \ --hash=sha256:3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f \ From 2d4241870d1cd41707dbd777ed81581bd8b8dabe Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 5 Jun 2024 20:28:35 -0400 Subject: [PATCH 0667/1462] Bump BoringSSL and/or OpenSSL in CI (#11078) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0ce50283f95d..18cba060801d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 05, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fb1c75caf8ba5d45a0f2c52facd36e4ad9289549"}} - # Latest commit on the OpenSSL master branch, as of Jun 05, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0e2567d7293d3204de66acca0ed55bda4f0c0768"}} + # Latest commit on the BoringSSL master branch, as of Jun 06, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c1d9ac02514a138129872a036e3f8a1074dcb8bd"}} + # Latest commit on the OpenSSL master branch, as of Jun 06, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5bbdbce856c7ca132e039a24a315618484874c81"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 22802f855adaa449c76f30d9a9a5449c0d7f91b1 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 6 Jun 2024 00:31:12 +0000 Subject: [PATCH 0668/1462] Bump x509-limbo and/or wycheproof in CI (#11079) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 671b966a3833..ef19150b79e7 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of May 23, 2024. - ref: "d879dc2a91836aebe9f558f4cc5bf183e3d19552" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jun 06, 2024. + ref: "b29820ae7ebe3280d2efcaae7d77222dc8101967" # x509-limbo-ref From 3b333d5b537297062a07b4702ba9385c6346324d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 6 Jun 2024 07:11:15 -0400 Subject: [PATCH 0669/1462] Bump ruff from 0.4.7 to 0.4.8 (#11081) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.7 to 0.4.8. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.7...v0.4.8) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index a11c924c2fd5..df8e8926b040 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.4.7 +ruff==0.4.8 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 749d2638368e2365a9243a5adda8d3e228cf86c2 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 7 Jun 2024 00:16:24 +0000 Subject: [PATCH 0670/1462] Bump BoringSSL and/or OpenSSL in CI (#11082) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 18cba060801d..d57796b47954 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 06, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c1d9ac02514a138129872a036e3f8a1074dcb8bd"}} - # Latest commit on the OpenSSL master branch, as of Jun 06, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5bbdbce856c7ca132e039a24a315618484874c81"}} + # Latest commit on the BoringSSL master branch, as of Jun 07, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "dec5989b793c56ad4dd32173bd2d8595ca78b398"}} + # Latest commit on the OpenSSL master branch, as of Jun 07, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "417dad1e370b19f94682d1006cb54d10ac90b8ec"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} 
From 5c44374056f7f07318153a1685d3980785d1bbc9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 7 Jun 2024 11:43:28 +0000 Subject: [PATCH 0671/1462] Bump cc from 1.0.98 to 1.0.99 in /src/rust (#11084) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.98 to 1.0.99. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.98...1.0.99) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 14bba00dc40b..4cac2c7fc3e3 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1" [[package]] name = "cc" -version = "1.0.98" +version = "1.0.99" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "41c270e7540d725e65ac7f1b212ac8ce349719624d7bcff99f8e2e488e8cf03f" +checksum = "96c51067fd44124faa7f870b4b1c969379ad32b2ba805aa959430ceaa384f695" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 1d1e059d4e73..b0794661054f 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.21.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.98" +cc = "1.0.99" From 1f02723e70b356a1efd0f303d6cb44f79a272210 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 8 Jun 2024 00:17:33 +0000 Subject: [PATCH 0672/1462] Bump BoringSSL and/or OpenSSL in CI (#11086) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d57796b47954..37d6cd7ad3a6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 07, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "dec5989b793c56ad4dd32173bd2d8595ca78b398"}} - # Latest commit on the OpenSSL master branch, as of Jun 07, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "417dad1e370b19f94682d1006cb54d10ac90b8ec"}} + # Latest commit on the BoringSSL master branch, as of Jun 08, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "29223ac349c144a4d0babc281644c0410dd1e313"}} + # Latest commit on the OpenSSL master branch, as of Jun 08, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d4700c0b237c05315e3bf14fc416abcbdfe51ff2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 77f880246c1532a796fb146b13cfee7f54a5ce84 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 7 Jun 2024 17:33:27 -0700 Subject: [PATCH 0673/1462] Bump x509-limbo and/or wycheproof in CI (#11087) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index ef19150b79e7..cd53f58cc4c8 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jun 06, 2024. - ref: "b29820ae7ebe3280d2efcaae7d77222dc8101967" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jun 08, 2024. + ref: "8b32fa5893b1ebb30f7bb085ed39318177563e99" # x509-limbo-ref From f3b0e165f00c061f2151da23cd3973d5cd0d2e01 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 8 Jun 2024 10:52:13 -0400 Subject: [PATCH 0674/1462] Added a benchmark for fernet (#11088) This tests many different primitives --- tests/bench/test_fernet.py | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 tests/bench/test_fernet.py diff --git a/tests/bench/test_fernet.py b/tests/bench/test_fernet.py new file mode 100644 index 000000000000..c550aa78920c --- /dev/null +++ b/tests/bench/test_fernet.py @@ -0,0 +1,10 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from cryptography import fernet + + +def test_fernet_encrypt(benchmark): + f = fernet.Fernet(fernet.Fernet.generate_key()) + benchmark(f.encrypt, b"\x00" * 256) From 5e99c52bb2087022bae7194b95aff20ebf6df948 Mon Sep 17 00:00:00 2001 
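Review bot: `test_fernet_encrypt` times only the encrypt path, so the benchmark never exercises token verification: decrypt is where Fernet checks the HMAC and strips the padding before returning plaintext, and a slowdown there would not show up. I would add a sibling `test_fernet_decrypt` that builds one token outside the timed call and benchmarks `f.decrypt` on it. The input is 256 zero bytes, an exact multiple of the AES block size, which is fine for timing but means the partial-block padding case is not measured.

```python
def test_fernet_decrypt(benchmark):
    f = fernet.Fernet(fernet.Fernet.generate_key())
    token = f.encrypt(b"\x00" * 256)
    benchmark(f.decrypt, token)
```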
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 8 Jun 2024 20:25:55 -0400 Subject: [PATCH 0675/1462] Bump BoringSSL and/or OpenSSL in CI (#11090) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 37d6cd7ad3a6..4e5457fe8f51 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 08, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "29223ac349c144a4d0babc281644c0410dd1e313"}} + # Latest commit on the BoringSSL master branch, as of Jun 09, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "56fb43a204e57af68e00f4561c108a7004381aa3"}} # Latest commit on the OpenSSL master branch, as of Jun 08, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d4700c0b237c05315e3bf14fc416abcbdfe51ff2"}} # Builds with various Rust versions. Includes MSRV and next From c27084e34736a6db491f06909f183a9b1153ad2a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Jun 2024 07:18:54 -0400 Subject: [PATCH 0676/1462] Bump typing-extensions from 4.12.1 to 4.12.2 (#11091) Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.12.1 to 4.12.2. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/compare/4.12.1...4.12.2) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index df8e8926b040..ad9451795c16 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -146,7 +146,7 @@ tomli==2.0.1 # mypy # pyproject-hooks # pytest -typing-extensions==4.12.1; python_version >= "3.8" +typing-extensions==4.12.2; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests From 2a12c65219af5b116e98846f7362ee0473c54363 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Jun 2024 07:29:02 -0400 Subject: [PATCH 0677/1462] Bump pkginfo from 1.11.0 to 1.11.1 in /.github/requirements (#11093) Bumps [pkginfo](https://code.launchpad.net/~tseaver/pkginfo/trunk) from 1.11.0 to 1.11.1. --- updated-dependencies: - dependency-name: pkginfo dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 7ad866adab4a..e4d52c8b1801 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -260,9 +260,9 @@ nh3==0.2.17 \ --hash=sha256:c790769152308421283679a142dbdb3d1c46c79c823008ecea8e8141db1a2062 \ --hash=sha256:d7a25fd8c86657f5d9d576268e3b3767c5cd4f42867c9383618be8517f0f022a # via readme-renderer -pkginfo==1.11.0 \ - --hash=sha256:6d4998d1cd42c297af72cc0eab5f5bab1d356fb8a55b828fa914173f8bc1ba05 \ - --hash=sha256:dba885aa82e31e80d615119874384923f4e011c2a39b0c4b7104359e36cb7087 +pkginfo==1.11.1 \ + --hash=sha256:2e0dca1cf4c8e39644eed32408ea9966ee15e0d324c62ba899a393b3c6b467aa \ + --hash=sha256:bfa76a714fdfc18a045fcd684dbfc3816b603d9d075febef17cb6582bea29573 # via twine pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ From 92b8aff88dd44601c071d02837e5f9576debe064 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Jun 2024 06:51:58 -0500 Subject: [PATCH 0678/1462] Bump packaging from 24.0 to 24.1 (#11092) * Bump packaging from 24.0 to 24.1 Bumps [packaging](https://github.com/pypa/packaging) from 24.0 to 24.1. - [Release notes](https://github.com/pypa/packaging/releases) - [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/packaging/compare/24.0...24.1) --- updated-dependencies: - dependency-name: packaging dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update ci-constraints-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ad9451795c16..9a92c2b44218 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -60,7 +60,7 @@ nh3==0.2.17 # via readme-renderer nox==2024.4.15 # via cryptography (pyproject.toml) -packaging==24.0 +packaging==24.1; python_version >= "3.8" # via # build # nox From da45641e462cae84ea21aae936a8b280f339b664 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 10 Jun 2024 12:22:36 -0400 Subject: [PATCH 0679/1462] Convert `PKCS7PaddingContext` to Rust (#11089) --- docs/hazmat/primitives/padding.rst | 10 +--- .../hazmat/bindings/_rust/__init__.pyi | 7 +++ src/cryptography/hazmat/primitives/padding.py | 31 ++---------- src/rust/src/buf.rs | 10 ++-- src/rust/src/lib.rs | 1 + src/rust/src/padding.rs | 49 +++++++++++++++++++ tests/hazmat/primitives/test_padding.py | 4 +- 7 files changed, 73 insertions(+), 39 deletions(-) diff --git a/docs/hazmat/primitives/padding.rst b/docs/hazmat/primitives/padding.rst index ecd70e6d5084..a1be2abf968f 100644 --- a/docs/hazmat/primitives/padding.rst +++ b/docs/hazmat/primitives/padding.rst @@ -24,16 +24,13 @@ multiple of the block size. >>> from cryptography.hazmat.primitives import padding >>> padder = padding.PKCS7(128).padder() >>> padded_data = padder.update(b"11111111111111112222222222") - >>> padded_data - b'1111111111111111' >>> padded_data += padder.finalize() >>> padded_data b'11111111111111112222222222\x06\x06\x06\x06\x06\x06' >>> unpadder = padding.PKCS7(128).unpadder() >>> data = unpadder.update(padded_data) + >>> data += unpadder.finalize() >>> data - b'1111111111111111' - >>> data + unpadder.finalize() b'11111111111111112222222222' :param block_size: The size of the block in :term:`bits` that the data is 
@@ -67,16 +64,13 @@ multiple of the block size. >>> padder = padding.ANSIX923(128).padder() >>> padded_data = padder.update(b"11111111111111112222222222") - >>> padded_data - b'1111111111111111' >>> padded_data += padder.finalize() >>> padded_data b'11111111111111112222222222\x00\x00\x00\x00\x00\x06' >>> unpadder = padding.ANSIX923(128).unpadder() >>> data = unpadder.update(padded_data) + >>> data += unpadder.finalize() >>> data - b'1111111111111111' - >>> data + unpadder.finalize() b'11111111111111112222222222' :param block_size: The size of the block in :term:`bits` that the data is diff --git a/src/cryptography/hazmat/bindings/_rust/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/__init__.pyi index 18a6fb87b628..c0ea0a5405ca 100644 --- a/src/cryptography/hazmat/bindings/_rust/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/__init__.pyi @@ -4,9 +4,16 @@ import typing +from cryptography.hazmat.primitives import padding + def check_pkcs7_padding(data: bytes) -> bool: ... def check_ansix923_padding(data: bytes) -> bool: ... +class PKCS7PaddingContext(padding.PaddingContext): + def __init__(self, block_size: int) -> None: ... + def update(self, data: bytes) -> bytes: ... + def finalize(self) -> bytes: ... + class ObjectIdentifier: def __init__(self, val: str) -> None: ... @property diff --git a/src/cryptography/hazmat/primitives/padding.py b/src/cryptography/hazmat/primitives/padding.py index baceaf381880..d1ca775f33d0 100644 --- a/src/cryptography/hazmat/primitives/padding.py +++ b/src/cryptography/hazmat/primitives/padding.py @@ -10,6 +10,7 @@ from cryptography import utils from cryptography.exceptions import AlreadyFinalized from cryptography.hazmat.bindings._rust import ( + PKCS7PaddingContext, check_ansix923_padding, check_pkcs7_padding, ) 
@@ -111,37 +112,12 @@ def __init__(self, block_size: int): self.block_size = block_size def padder(self) -> PaddingContext: - return _PKCS7PaddingContext(self.block_size) + return PKCS7PaddingContext(self.block_size) def unpadder(self) -> PaddingContext: return _PKCS7UnpaddingContext(self.block_size) -class _PKCS7PaddingContext(PaddingContext): - _buffer: bytes | None - - def __init__(self, block_size: int): - self.block_size = block_size - # TODO: more copies than necessary, we should use zero-buffer (#193) - self._buffer = b"" - - def update(self, data: bytes) -> bytes: - self._buffer, result = _byte_padding_update( - self._buffer, data, self.block_size - ) - return result - - def _padding(self, size: int) -> bytes: - return bytes([size]) * size - - def finalize(self) -> bytes: - result = _byte_padding_pad( - self._buffer, self.block_size, self._padding - ) - self._buffer = None - return result - - class _PKCS7UnpaddingContext(PaddingContext): _buffer: bytes | None @@ -164,6 +140,9 @@ def finalize(self) -> bytes: return result +PaddingContext.register(PKCS7PaddingContext) + + class ANSIX923: def __init__(self, block_size: int): _byte_padding_check(block_size) diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index e07793257496..ff9ca0c3d7e5 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs @@ -8,7 +8,7 @@ use pyo3::types::IntoPyDict; use std::slice; pub(crate) struct CffiBuf<'p> { - _pyobj: pyo3::Bound<'p, pyo3::PyAny>, + pyobj: pyo3::Bound<'p, pyo3::PyAny>, _bufobj: pyo3::Bound<'p, pyo3::PyAny>, buf: &'p [u8], } @@ -34,10 +34,14 @@ fn _extract_buffer_length<'p>( Ok((bufobj, ptrval)) } -impl CffiBuf<'_> { +impl<'a> CffiBuf<'a> { pub(crate) fn as_bytes(&self) -> &[u8] { self.buf } + + pub(crate) fn into_pyobj(self) -> pyo3::Bound<'a, pyo3::PyAny> { + self.pyobj + } } impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { 
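Review bot: `into_pyobj()`, added to `impl<'a> CffiBuf<'a>` in `src/rust/src/buf.rs`, has no doc comment, and what it returns matters to callers. The field is filled from `pyobj.clone()` in the `FromPyObject` impl, so the method hands back the same Python object the caller passed in, not a copy of the bytes behind `buf`. A caller that returns it to Python, as the new padding context's `update` does, therefore returns the caller's own object. If the extractor accepts mutable buffers such as `bytearray` (not visible in this hunk), that object can change afterwards and is not the `bytes` the `.pyi` stub declares. I would add `/// Consumes the buffer and returns the original Python object it was extracted from (the same object, not a copy of the data).` above the method.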
@@ -59,7 +63,7 @@ impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { }; Ok(CffiBuf { - _pyobj: pyobj.clone(), + pyobj: pyobj.clone(), _bufobj: bufobj, buf, }) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index ac076e667f4e..da929fee603f 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -100,6 +100,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> py padding::check_ansix923_padding, m )?)?; + m.add_class::()?; m.add_class::()?; m.add_submodule(&asn1::create_submodule(py)?)?; diff --git a/src/rust/src/padding.rs b/src/rust/src/padding.rs index 523fe85a5718..c4396c26f258 100644 --- a/src/rust/src/padding.rs +++ b/src/rust/src/padding.rs @@ -2,6 +2,10 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use crate::buf::CffiBuf; +use crate::error::{CryptographyError, CryptographyResult}; +use crate::exceptions; + /// Returns the value of the input with the most-significant-bit copied to all /// of the bits. fn duplicate_msb_to_all(a: u8) -> u8 { 
@@ -63,6 +67,51 @@ pub(crate) fn check_ansix923_padding(data: &[u8]) -> bool { (mismatch & 1) == 0 } +#[pyo3::prelude::pyclass] +pub(crate) struct PKCS7PaddingContext { + block_size: usize, + length_seen: Option, +} + +#[pyo3::prelude::pymethods] +impl PKCS7PaddingContext { + #[new] + fn new(block_size: usize) -> PKCS7PaddingContext { + PKCS7PaddingContext { + block_size: block_size / 8, + length_seen: Some(0), + } + } + + fn update<'a>(&mut self, buf: CffiBuf<'a>) -> CryptographyResult> { + match self.length_seen.as_mut() { + Some(v) => { + *v += buf.as_bytes().len(); + Ok(buf.into_pyobj()) + } + None => Err(CryptographyError::from( + exceptions::AlreadyFinalized::new_err("Context was already finalized."), + )), + } + } + + fn finalize<'p>( + &mut self, + py: pyo3::Python<'p>, + ) -> CryptographyResult> { + match self.length_seen.take() { + Some(v) => { + let pad_size = self.block_size - (v % self.block_size); + let pad = vec![pad_size as u8; pad_size]; + Ok(pyo3::types::PyBytes::new_bound(py, &pad)) + } + None => Err(CryptographyError::from( + exceptions::AlreadyFinalized::new_err("Context was already finalized."), + )), + } + } +} + #[cfg(test)] mod tests { use super::constant_time_lt; diff --git a/tests/hazmat/primitives/test_padding.py b/tests/hazmat/primitives/test_padding.py index 2e20363f6f75..0ab1125f5bfb 100644 --- a/tests/hazmat/primitives/test_padding.py +++ b/tests/hazmat/primitives/test_padding.py @@ -47,9 +47,9 @@ def __str__(self): str(mybytes()) padder = padding.PKCS7(128).padder() - padder.update(mybytes(b"abc")) + data = padder.update(mybytes(b"abc")) + padder.finalize() unpadder = padding.PKCS7(128).unpadder() - unpadder.update(mybytes(padder.finalize())) + unpadder.update(mybytes(data)) assert unpadder.finalize() == b"abc" @pytest.mark.parametrize( From 4df6c01ac3c6243f04e6d10433f689191f7aec4d Mon Sep 17 00:00:00 2001 
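Review bot: `new()` stores `block_size / 8` without validating it, so a context built with a bit size below 8 holds a block size of 0 and `v % self.block_size` in `finalize()` panics on division by zero. A quotient above 255 would also be truncated by `pad_size as u8` while `vec!` still emits `pad_size` bytes. The Python `PKCS7` wrapper presumably rejects such sizes before calling in, but the class is also registered on the `_rust` module and importable directly, so that check does not cover every caller. Making the constructor fallible and repeating the range check in Rust keeps the invariant next to the arithmetic that depends on it. Separately, `*v += buf.as_bytes().len()` only ever feeds `v % self.block_size`, so storing the running length already reduced modulo the block size would avoid relying on `usize` never wrapping.

```rust
    #[new]
    fn new(block_size: usize) -> CryptographyResult<PKCS7PaddingContext> {
        // Enforce here what finalize() relies on: a non-zero byte block size
        // that fits in the single pad byte (1..=255 bytes, i.e. 8..=2040 bits).
        if block_size == 0 || block_size > 2040 || block_size % 8 != 0 {
            return Err(CryptographyError::from(
                pyo3::exceptions::PyValueError::new_err(
                    "block_size must be a multiple of 8 between 8 and 2040 bits.",
                ),
            ));
        }
        Ok(PKCS7PaddingContext {
            block_size: block_size / 8,
            length_seen: Some(0),
        })
    }
    // … unchanged: update() and finalize() …
```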
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 11 Jun 2024 00:15:41 +0000 Subject: [PATCH 0680/1462] Bump BoringSSL and/or OpenSSL in CI (#11094) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4e5457fe8f51..076425e8bdd4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 09, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "56fb43a204e57af68e00f4561c108a7004381aa3"}} - # Latest commit on the OpenSSL master branch, as of Jun 08, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d4700c0b237c05315e3bf14fc416abcbdfe51ff2"}} + # Latest commit on the BoringSSL master branch, as of Jun 11, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "a220a6024f66c123019b5c080f6bd8bcaf75448c"}} + # Latest commit on the OpenSSL master branch, as of Jun 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1977c00f00ad0546421a5ec0b40c1326aee4cddb"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 71976f6f7806ad7a7ebfcd3bce32d843df5a2303 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 11 Jun 2024 00:30:44 +0000 Subject: [PATCH 0681/1462] Bump x509-limbo and/or wycheproof in CI (#11095) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index cd53f58cc4c8..7a12ecdd7875 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jun 08, 2024. - ref: "8b32fa5893b1ebb30f7bb085ed39318177563e99" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jun 11, 2024. + ref: "257adafb03cd4023e6f273a0337444982d344eda" # x509-limbo-ref From 372ca87896becd029daa86ac0d758380ebfef083 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 11 Jun 2024 07:07:52 -0400 Subject: [PATCH 0682/1462] Bump more-itertools from 10.2.0 to 10.3.0 in /.github/requirements (#11096) Bumps [more-itertools](https://github.com/more-itertools/more-itertools) from 10.2.0 to 10.3.0. - [Release notes](https://github.com/more-itertools/more-itertools/releases) - [Commits](https://github.com/more-itertools/more-itertools/compare/v10.2.0...v10.3.0) --- updated-dependencies: - dependency-name: more-itertools dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index e4d52c8b1801..b6c5b7baaf1d 100644 
--- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -236,9 +236,9 @@ mdurl==0.1.2 \ --hash=sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8 \ --hash=sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba # via markdown-it-py -more-itertools==10.2.0 \ - --hash=sha256:686b06abe565edfab151cb8fd385a05651e1fdf8f0a14191e4439283421f8684 \ - --hash=sha256:8fccb480c43d3e99a00087634c06dd02b0d50fbf088b380de5a41a015ec239e1 +more-itertools==10.3.0 \ + --hash=sha256:e5d93ef411224fbcef366a6e8ddc4c5781bc6359d43412a65dd5964e46111463 \ + --hash=sha256:ea6a02e24a9161e51faad17a8782b92a0df82c12c1c8886fec7f0c3fa1a1b320 # via # jaraco-classes # jaraco-functools From 3720c39e59e1954a1bcd3ca8578244d527cefeb7 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 12 Jun 2024 00:16:25 +0000 Subject: [PATCH 0683/1462] Bump BoringSSL and/or OpenSSL in CI (#11098) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 076425e8bdd4..195d7fe4a6d0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 11, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "a220a6024f66c123019b5c080f6bd8bcaf75448c"}} + # Latest commit on the BoringSSL master branch, as of Jun 12, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "962432c687f67f8df1aa6e3dd364fbc88fea4ed8"}} # Latest commit on the OpenSSL master branch, as of Jun 11, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1977c00f00ad0546421a5ec0b40c1326aee4cddb"}} # Builds with various Rust versions. Includes MSRV and next From ae5d3a2c068868b6e824a5eec0c455d32da8aa1a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 13 Jun 2024 00:15:30 +0000 Subject: [PATCH 0684/1462] Bump BoringSSL and/or OpenSSL in CI (#11100) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 195d7fe4a6d0..f8dfb609afc5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 12, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "962432c687f67f8df1aa6e3dd364fbc88fea4ed8"}} + # Latest commit on the BoringSSL master branch, as of Jun 13, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9cac8a6b38c1cbd45c77aee108411d588da006fe"}} # Latest commit on the OpenSSL master branch, as of Jun 11, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1977c00f00ad0546421a5ec0b40c1326aee4cddb"}} # Builds with various Rust versions. Includes MSRV and next From f44f5ffd72891e1aa0be995639254829cd8bb35f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 13 Jun 2024 07:03:20 -0400 Subject: [PATCH 0685/1462] Bump filelock from 3.14.0 to 3.15.1 (#11101) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.14.0 to 3.15.1. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.14.0...3.15.1) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 9a92c2b44218..e65c95b57f37 100644 --- a/ci-constraints-requirements.txt 
+++ b/ci-constraints-requirements.txt @@ -40,7 +40,7 @@ exceptiongroup==1.2.1 # via pytest execnet==2.1.1; python_version >= "3.8" # via pytest-xdist -filelock==3.14.0; python_version >= "3.8" +filelock==3.15.1; python_version >= "3.8" # via virtualenv idna==3.7 # via requests From 8a44ae6fa2e6520e090c8ce55f046a538e75a6e4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 13 Jun 2024 07:29:33 -0400 Subject: [PATCH 0686/1462] Bump actions/checkout from 4.1.6 to 4.1.7 (#11103) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.6 to 4.1.7. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/a5ac7e51b41094c92402da3b24376905380afc29...692973e3d937129bcbf40652eb9f2f61becf3332) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 4 ++-- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/ci.yml | 12 ++++++------ .github/workflows/linkcheck.yml | 2 +- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 8 ++++---- .github/workflows/x509-limbo-version-bump.yml | 2 +- 7 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 83f0fd24e59a..f1b963c366b2 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml 
@@ -26,12 +26,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 with: persist-credentials: false path: "cryptography-pr" - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 with: repository: "pyca/cryptography" diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 84d260c3cc32..e2897ad02df4 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: check-sha-boring run: | SHA=$(git ls-remote https://boringssl.googlesource.com/boringssl refs/heads/master | cut -f1) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f8dfb609afc5..f08a9aa5f431 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -54,7 +54,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "nightly"} timeout-minutes: 15 steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 with: persist-credentials: false @@ -179,7 +179,7 @@ jobs: sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release if: matrix.IMAGE.IMAGE == 'alpine:aarch64' - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 with: persist-credentials: false 
@@ -230,7 +230,7 @@ jobs: RUNNER: {OS: 'macos-14', ARCH: 'arm64'} timeout-minutes: 15 steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 with: persist-credentials: false @@ -294,7 +294,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests"} timeout-minutes: 15 steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 with: persist-credentials: false @@ -368,7 +368,7 @@ jobs: name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 with: persist-credentials: false @@ -412,7 +412,7 @@ jobs: if: ${{ always() }} timeout-minutes: 3 steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 with: persist-credentials: false diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index cb6261e988f8..d33ee2097787 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -20,7 +20,7 @@ jobs: name: "linkcheck" timeout-minutes: 10 steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: persist-credentials: false - name: Setup python diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 29f678a4369c..9b417d4f7d7f 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml 
@@ -39,7 +39,7 @@ jobs: with: python-version: "3.11" - name: Get publish-requirements.txt from repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: sparse-checkout: | ${{ env.PUBLISH_REQUIREMENTS_PATH }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 97f5dc0879ec..f414af96b72d 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest name: sdists steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -108,7 +108,7 @@ jobs: if: startsWith(matrix.MANYLINUX.NAME, 'musllinux') && endsWith(matrix.MANYLINUX.NAME, 'aarch64') - name: Get build-requirements.txt from repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -198,7 +198,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} 
@@ -292,7 +292,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 424dae0c46b5..45a4835050f9 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: check-sha-x509-limbo run: | SHA=$(git ls-remote https://github.com/C2SP/x509-limbo refs/heads/main | cut -f1) From ffd613217d7e58b84a47148a3d2687eaaf143413 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 13 Jun 2024 07:30:24 -0400 Subject: [PATCH 0687/1462] Bump dawidd6/action-download-artifact from 5 to 6 (#11102) Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 5 to 6. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](https://github.com/dawidd6/action-download-artifact/compare/deb3bb83256a78589fef6a7b942e5f2573ad7c13...bf251b5aa9c2f7eeb574a96ee720e24f801b7c11) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f08a9aa5f431..905111a22dc6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -255,7 +255,7 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/fetch-vectors - - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 + - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -315,7 +315,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'" - - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 + - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 with: repo: pyca/infra workflow: build-windows-openssl.yml diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 9b417d4f7d7f..c2821fb627bc 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -48,7 +48,7 @@ jobs: - name: Install Python dependencies run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} - - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 + - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 with: path: dist/ run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index f414af96b72d..b7627cb438cd 100644 
--- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -218,7 +218,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') - - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 + - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -315,7 +315,7 @@ jobs: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 + - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 with: repo: pyca/infra workflow: build-windows-openssl.yml From a12db35a0a8e8d265fd6fd310192c5447a694f2e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 13 Jun 2024 23:30:59 +0000 Subject: [PATCH 0688/1462] Bump actions/attest-build-provenance from 1.2.0 to 1.3.1 (#11104) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.2.0 to 1.3.1. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/49df96e17e918a15956db358890b08e61c704919...534b352d658f90498fd148d231fdbf88f3886a3a) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index c2821fb627bc..4a51a1eb5a0b 100644 
--- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -93,7 +93,7 @@ jobs: # Do not perform attestation for things for TestPyPI. This is because # there's nothing that would prevent a malicious PyPI from serving a # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0 + - uses: actions/attest-build-provenance@534b352d658f90498fd148d231fdbf88f3886a3a # v1.3.1 with: subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' From 120158c08d152bef48db16a9d2778891efc7f666 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 13 Jun 2024 23:31:24 +0000 Subject: [PATCH 0689/1462] Bump actions/checkout in /.github/actions/fetch-vectors (#11105) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.6 to 4.1.7. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/a5ac7e51b41094c92402da3b24376905380afc29...692973e3d937129bcbf40652eb9f2f61becf3332) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 7a12ecdd7875..70fbf4593f6c 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -5,14 +5,14 @@ runs:
 using: "composite"
 steps:
- - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 repository: "C2SP/wycheproof"
 path: "wycheproof"
 # Latest commit on the wycheproof master branch, as of Apr 09, 2024.
 ref: "cd27d6419bedd83cbd24611ec54b6d4bfdb0cdca" # wycheproof-ref
- - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 repository: "C2SP/x509-limbo"
 path: "x509-limbo"
From 6e6ad6ef98cd5b4f99498bafc1d067399a764514 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Jun 2024 14:35:12 +0000 Subject: [PATCH 0690/1462] Bump redox_syscall from 0.5.1 to 0.5.2 in /src/rust (#11106) Bumps redox_syscall from 0.5.1 to 0.5.2. --- updated-dependencies: - dependency-name: redox_syscall dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock
index 4cac2c7fc3e3..7e5c989cbdfe 100644
--- a/src/rust/Cargo.lock
+++ b/src/rust/Cargo.lock
@@ -352,9 +352,9 @@ dependencies = [ [[package]] name = "redox_syscall" -version = "0.5.1" +version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "469052894dcb553421e483e4209ee581a45100d31b4018de03e5a7ad86374a7e" +checksum = "c82cf8cff14456045f55ec4241383baeff27af886adb72ffb2162f99911de0fd" dependencies = [ "bitflags", ]
From 3c08dd5b1142c0c96afa6f3f589ff8ee6a751a3e Mon Sep 17 00:00:00 2001
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 16 Jun 2024 00:16:09 +0000 Subject: [PATCH 0691/1462] Bump BoringSSL and/or OpenSSL in CI (#11108) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 905111a22dc6..598f50f8df7b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -45,8 +45,8 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
 # Latest commit on the BoringSSL master branch, as of Jun 13, 2024.
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9cac8a6b38c1cbd45c77aee108411d588da006fe"}}
- # Latest commit on the OpenSSL master branch, as of Jun 11, 2024.
- - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1977c00f00ad0546421a5ec0b40c1326aee4cddb"}}
+ # Latest commit on the OpenSSL master branch, as of Jun 16, 2024.
+ - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6e01d3114b77c82cf83a2bfe53f7ba97840fbe36"}}
 # Builds with various Rust versions. Includes MSRV and next
 # potential future MSRV.
 - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"}
From 2c62bdc432d7a8bd3bb637091e1bcc226a96feb4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 16 Jun 2024 00:29:04 +0000 Subject: [PATCH 0692/1462] Bump ruff from 0.4.8 to 0.4.9 (#11109) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.8 to 0.4.9. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.8...v0.4.9) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ...
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt
index e65c95b57f37..3630e62548a2 100644
--- a/ci-constraints-requirements.txt
+++ b/ci-constraints-requirements.txt
@@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.4.8 +ruff==0.4.9 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx
From 5c5dae906ec1f330f7a4e83563324fb7451f18f6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 16 Jun 2024 11:54:10 +0000 Subject: [PATCH 0693/1462] Bump argcomplete from 3.3.0 to 3.4.0 (#11110) Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.3.0 to 3.4.0. - [Release notes](https://github.com/kislyuk/argcomplete/releases) - [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/argcomplete/compare/v3.3.0...v3.4.0) --- updated-dependencies: - dependency-name: argcomplete dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt
index 3630e62548a2..81ff1f52ca6a 100644
--- a/ci-constraints-requirements.txt
+++ b/ci-constraints-requirements.txt
@@ -7,7 +7,7 @@ alabaster==0.7.16 # via sphinx -argcomplete==3.3.0; python_version >= "3.8" +argcomplete==3.4.0; python_version >= "3.8" # via nox babel==2.15.0 # via sphinx
From 056f488bca57f22ead49d74629b8bb6ff249b6cc Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Jun 2024 22:59:35 +0000 Subject: [PATCH 0694/1462] Bump urllib3 from 2.2.1 to 2.2.2 (#11112) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.2.1 to 2.2.2. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.2.1...2.2.2) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt
index 81ff1f52ca6a..6cc890454abd 100644
--- a/ci-constraints-requirements.txt
+++ b/ci-constraints-requirements.txt
@@ -148,7 +148,7 @@ tomli==2.0.1 # pytest typing-extensions==4.12.2; python_version >= "3.8" # via mypy -urllib3==2.2.1 +urllib3==2.2.2 # via requests virtualenv==20.26.2 # via nox
From 28aefb2fa04bd083cd9bbc51312f612595a73296 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 18 Jun 2024 00:15:58 +0000 Subject: [PATCH 0695/1462] Bump BoringSSL and/or OpenSSL in CI (#11113) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 598f50f8df7b..4b50a23f0cc7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,10 +43,10 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}}
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
- # Latest commit on the BoringSSL master branch, as of Jun 13, 2024.
- - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9cac8a6b38c1cbd45c77aee108411d588da006fe"}}
- # Latest commit on the OpenSSL master branch, as of Jun 16, 2024.
- - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6e01d3114b77c82cf83a2bfe53f7ba97840fbe36"}}
+ # Latest commit on the BoringSSL master branch, as of Jun 18, 2024.
+ - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e1d209d4432846d28c31d84f269f4edcb9a63509"}}
+ # Latest commit on the OpenSSL master branch, as of Jun 18, 2024.
+ - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "58301e24f66aa74b13b85a171dd14e6088c35662"}}
 # Builds with various Rust versions. Includes MSRV and next
 # potential future MSRV.
 - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"}
From fd171b1ba04e29f53c16069e6b96b6b53f09c964 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 18 Jun 2024 00:31:33 +0000 Subject: [PATCH 0696/1462] Bump x509-limbo and/or wycheproof in CI (#11114) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml
index 70fbf4593f6c..95e11dbdfde4 100644
--- a/.github/actions/fetch-vectors/action.yml
+++ b/.github/actions/fetch-vectors/action.yml
@@ -16,5 +16,5 @@ runs:
 with:
 repository: "C2SP/x509-limbo"
 path: "x509-limbo"
- # Latest commit on the x509-limbo main branch, as of Jun 11, 2024.
- ref: "257adafb03cd4023e6f273a0337444982d344eda" # x509-limbo-ref
+ # Latest commit on the x509-limbo main branch, as of Jun 18, 2024.
+ ref: "bd88042508ccfde351b2fee293aebda8971fbebb" # x509-limbo-ref
From adc74b3a82f8429259218b6a47443bb6b81456cd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Jun 2024 13:07:11 +0200 Subject: [PATCH 0697/1462] Bump actions/attest-build-provenance from 1.3.1 to 1.3.2 (#11115) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.3.1 to 1.3.2. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/534b352d658f90498fd148d231fdbf88f3886a3a...bdd51370e0416ac948727f861e03c2f05d32d78e) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
index 4a51a1eb5a0b..1a6fec6c988b 100644
--- a/.github/workflows/pypi-publish.yml
+++ b/.github/workflows/pypi-publish.yml
@@ -93,7 +93,7 @@ jobs:
 # Do not perform attestation for things for TestPyPI. This is because
 # there's nothing that would prevent a malicious PyPI from serving a
 # signed TestPyPI asset in place of a release intended for PyPI.
- - uses: actions/attest-build-provenance@534b352d658f90498fd148d231fdbf88f3886a3a # v1.3.1
+ - uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2
 with:
 subject-path: 'dist/**/cryptography*'
 if: env.TWINE_REPOSITORY == 'pypi'
From c91352e3dde465f56dba67d4709ceaf5012637fd Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 18 Jun 2024 20:23:18 -0400 Subject: [PATCH 0698/1462] Bump BoringSSL and/or OpenSSL in CI (#11116) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4b50a23f0cc7..cd02df5b8ea5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,10 +43,10 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}}
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
- # Latest commit on the BoringSSL master branch, as of Jun 18, 2024.
- - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e1d209d4432846d28c31d84f269f4edcb9a63509"}}
- # Latest commit on the OpenSSL master branch, as of Jun 18, 2024.
- - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "58301e24f66aa74b13b85a171dd14e6088c35662"}}
+ # Latest commit on the BoringSSL master branch, as of Jun 19, 2024.
+ - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c6c0b650091e90e6206a361c14a73223f54d42c1"}}
+ # Latest commit on the OpenSSL master branch, as of Jun 19, 2024.
+ - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5aec3f4a72604d76970581f1ea445b331beda608"}}
 # Builds with various Rust versions. Includes MSRV and next
 # potential future MSRV.
 - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"}
From d3ff595cccb610753c2cf947197748a8b05cdcbe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Jun 2024 20:37:00 -0400 Subject: [PATCH 0699/1462] Bump urllib3 from 2.2.1 to 2.2.2 in /.github/requirements (#11117) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.2.1 to 2.2.2. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.2.1...2.2.2) --- updated-dependencies: - dependency-name: urllib3 dependency-type: indirect ...
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt
index b6c5b7baaf1d..a43cf0a7c1d9 100644
--- a/.github/requirements/publish-requirements.txt
+++ b/.github/requirements/publish-requirements.txt
@@ -305,9 +305,9 @@ twine==5.1.0 \ --hash=sha256:4d74770c88c4fcaf8134d2a6a9d863e40f08255ff7d8e2acb3cbbd57d25f6e9d \ --hash=sha256:fe1d814395bfe50cfbe27783cb74efe93abeac3f66deaeb6c8390e4e92bacb43 # via -r publish-requirements.in -urllib3==2.2.1 \ - --hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \ - --hash=sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19 +urllib3==2.2.2 \ + --hash=sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472 \ + --hash=sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168 # via # requests # twine
From c161a6892a17796624926b97a7cc27ffb9efdaa8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 19 Jun 2024 07:14:38 -0400 Subject: [PATCH 0700/1462] Bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (#11119) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 6.0.5 to 6.1.0. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/6d6857d36972b65feb161a90e484f2984215f83e...c5a7806660adbe173f04e3e038b0ccdcd758773c) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-minor ...
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml
index e2897ad02df4..64925545d1a4 100644
--- a/.github/workflows/boring-open-version-bump.yml
+++ b/.github/workflows/boring-open-version-bump.yml
@@ -58,7 +58,7 @@ jobs:
 private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }}
 if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
+ uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
 with:
 branch: "bump-openssl-boringssl"
 commit-message: "Bump BoringSSL and/or OpenSSL in CI"
diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml
index 45a4835050f9..eb2114e7e873 100644
--- a/.github/workflows/x509-limbo-version-bump.yml
+++ b/.github/workflows/x509-limbo-version-bump.yml
@@ -57,7 +57,7 @@ jobs:
 private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }}
 if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
+ uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
 with:
 branch: "bump-vectors"
 commit-message: "Bump x509-limbo and/or wycheproof in CI"
From fc6cc42e4f1bc308481c3538ce57d0d8e208ecb2 Mon Sep 17 00:00:00 2001
From: Alex Gaynor Date: Wed, 19 Jun 2024 10:53:21 -0400 Subject: [PATCH 0701/1462] pin python version for downstream tests due to twisted/python bug (#11121) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cd02df5b8ea5..58dc04617521 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -364,7 +364,7 @@ jobs:
 - mitmproxy
 - scapy
 PYTHON:
- - '3.12'
+ - '3.12.3'
 name: "Downstream tests for ${{ matrix.DOWNSTREAM }}"
 timeout-minutes: 15
 steps:
From cb6587df388a59d449a3dbda9a153744bdb5a621 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 19 Jun 2024 11:11:45 -0400 Subject: [PATCH 0702/1462] Bump setuptools from 70.0.0 to 70.1.0 in /.github/requirements (#11120) Bumps [setuptools](https://github.com/pypa/setuptools) from 70.0.0 to 70.1.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v70.0.0...v70.1.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt
index 6474acf80afd..2e3ccf055388 100644
--- a/.github/requirements/build-requirements.txt
+++ b/.github/requirements/build-requirements.txt
@@ -80,9 +80,9 @@ wheel==0.43.0 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==70.0.0 \ - --hash=sha256:54faa7f2e8d2d11bcd2c07bed282eef1046b5c080d1c32add737d7b5817b1ad4 \ - --hash=sha256:f211a66637b8fa059bb28183da127d4e86396c991a942b028c6650d4319c3fd0 +setuptools==70.1.0 \ + --hash=sha256:01a1e793faa5bd89abc851fa15d0a0db26f160890c7102cd8dce643e886b47f5 \ + --hash=sha256:d9b8b771455a97c8a9f3ab3448ebe0b29b5e105f1228bba41028be116985a267 # via # -r build-requirements.in # setuptools-rust
From 51970d4e0b11d8ed4615485c0fc5cfd82fb04ff4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 19 Jun 2024 14:43:32 -0400 Subject: [PATCH 0703/1462] =?UTF-8?q?Revert=20"pin=20python=20version=20fo?= =?UTF-8?q?r=20downstream=20tests=20due=20to=20twisted/python=20bug=20(#1?= =?UTF-8?q?=E2=80=A6"=20(#11124)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit fc6cc42e4f1bc308481c3538ce57d0d8e208ecb2. --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 58dc04617521..cd02df5b8ea5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -364,7 +364,7 @@ jobs:
 - mitmproxy
 - scapy
 PYTHON:
- - '3.12.3'
+ - '3.12'
 name: "Downstream tests for ${{ matrix.DOWNSTREAM }}"
 timeout-minutes: 15
 steps:
From 1c013650e7eadb99b62490b6b8a30310ceb5ce7e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 19 Jun 2024 20:49:39 +0000 Subject: [PATCH 0704/1462] Bump filelock from 3.15.1 to 3.15.3 (#11125) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.15.1 to 3.15.3. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.15.1...3.15.3) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt
index 6cc890454abd..df49bb53059f 100644
--- a/ci-constraints-requirements.txt
+++ b/ci-constraints-requirements.txt
@@ -40,7 +40,7 @@ exceptiongroup==1.2.1 # via pytest execnet==2.1.1; python_version >= "3.8" # via pytest-xdist -filelock==3.15.1; python_version >= "3.8" +filelock==3.15.3; python_version >= "3.8" # via virtualenv idna==3.7 # via requests
From 8f7db777136efe9b31c4c4b1168f7efdb79087bd Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 20 Jun 2024 00:16:23 +0000 Subject: [PATCH 0705/1462] Bump BoringSSL and/or OpenSSL in CI (#11127) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cd02df5b8ea5..3201afba82fc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,10 +43,10 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}}
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
- # Latest commit on the BoringSSL master branch, as of Jun 19, 2024.
- - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c6c0b650091e90e6206a361c14a73223f54d42c1"}}
- # Latest commit on the OpenSSL master branch, as of Jun 19, 2024.
- - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5aec3f4a72604d76970581f1ea445b331beda608"}}
+ # Latest commit on the BoringSSL master branch, as of Jun 20, 2024.
+ - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "84dc9bb624b47bda0bf802ae9e04a6eecb40865c"}}
+ # Latest commit on the OpenSSL master branch, as of Jun 20, 2024.
+ - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d5412c94a399d3923b2dec2431ead60288d857c8"}}
 # Builds with various Rust versions. Includes MSRV and next
 # potential future MSRV.
 - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"}
From 604594fc123ce0797ee45417ed315871922562fe Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Jun 2024 03:23:19 -0400 Subject: [PATCH 0706/1462] Use workspace inheritance to reduce duplication (#11126) This relies on Rust 1.65 --- src/rust/Cargo.toml | 11 +++++++++-- src/rust/cryptography-cffi/Cargo.toml | 11 +++++------ src/rust/cryptography-keepalive/Cargo.toml | 11 +++++------ src/rust/cryptography-key-parsing/Cargo.toml | 11 +++++------ src/rust/cryptography-openssl/Cargo.toml | 11 +++++------ src/rust/cryptography-x509-verification/Cargo.toml | 11 +++++------ 6 files changed, 34 insertions(+), 32 deletions(-)
diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
index 9f49dc9c6e92..86f93db552c0 100644
--- a/src/rust/Cargo.toml
+++ b/src/rust/Cargo.toml
@@ -1,5 +1,4 @@
-[package]
-name = "cryptography-rust"
+[workspace.package]
 version = "0.1.0"
 authors = ["The cryptography developers "]
 edition = "2021"
@@ -7,6 +6,14 @@ publish = false
 # This specifies the MSRV
 rust-version = "1.65.0"
+[package]
+name = "cryptography-rust"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+publish.workspace = true
+rust-version.workspace = true
+
 [dependencies]
 once_cell = "1"
 cfg-if = "1"
diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml
index b0794661054f..e019d4029dd4 100644
--- a/src/rust/cryptography-cffi/Cargo.toml
+++ b/src/rust/cryptography-cffi/Cargo.toml
@@ -1,11 +1,10 @@
 [package]
 name = "cryptography-cffi"
-version = "0.1.0"
-authors = ["The cryptography developers "]
-edition = "2021"
-publish = false
-# This specifies the MSRV
-rust-version = "1.65.0"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+publish.workspace = true
+rust-version.workspace = true
 [dependencies]
 pyo3 = { version = "0.21.2", features = ["abi3"] }
diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml
index c3a1c24e912d..18a214e9a744 100644
--- a/src/rust/cryptography-keepalive/Cargo.toml
+++ b/src/rust/cryptography-keepalive/Cargo.toml
@@ -1,11 +1,10 @@
 [package]
 name = "cryptography-keepalive"
-version = "0.1.0"
-authors = ["The cryptography developers "]
-edition = "2021"
-publish = false
-# This specifies the MSRV
-rust-version = "1.65.0"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+publish.workspace = true
+rust-version.workspace = true
 [dependencies]
 pyo3 = { version = "0.21.2", features = ["abi3"] }
diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml
index 9d4e5d00fbdf..6a9d6797b982 100644
--- a/src/rust/cryptography-key-parsing/Cargo.toml
+++ b/src/rust/cryptography-key-parsing/Cargo.toml
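Review bot: The `[dependencies]` context at the end of the cryptography-cffi and cryptography-keepalive hunks still spells out `pyo3 = { version = "0.21.2", features = ["abi3"] }` in each manifest, and the cryptography-key-parsing and cryptography-x509-verification hunks do the same for `asn1 = { version = "0.16.2", default-features = false }`, so the duplication this commit removes for package metadata remains for dependency versions. Cargo's workspace inheritance covers dependencies as well: a `[workspace.dependencies]` table in src/rust/Cargo.toml would let each member write `pyo3.workspace = true` or `asn1.workspace = true`, so a version bump lands in one place and member crates cannot drift onto different releases of the same library. The `[dependencies]` tables continue past the end of these hunks, so whether the root crate and the remaining members use the same versions and feature sets should be confirmed before moving the entries.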
@@ -1,11 +1,10 @@
 [package]
 name = "cryptography-key-parsing"
-version = "0.1.0"
-authors = ["The cryptography developers "]
-edition = "2021"
-publish = false
-# This specifies the MSRV
-rust-version = "1.65.0"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+publish.workspace = true
+rust-version.workspace = true
 [dependencies]
 asn1 = { version = "0.16.2", default-features = false }
diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml
index 04bef373ca35..f2dc5100e6fd 100644
--- a/src/rust/cryptography-openssl/Cargo.toml
+++ b/src/rust/cryptography-openssl/Cargo.toml
@@ -1,11 +1,10 @@
 [package]
 name = "cryptography-openssl"
-version = "0.1.0"
-authors = ["The cryptography developers "]
-edition = "2021"
-publish = false
-# This specifies the MSRV
-rust-version = "1.65.0"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+publish.workspace = true
+rust-version.workspace = true
 [dependencies]
 cfg-if = "1"
diff --git a/src/rust/cryptography-x509-verification/Cargo.toml b/src/rust/cryptography-x509-verification/Cargo.toml
index 086332bd4529..2e1e7495af0a 100644
--- a/src/rust/cryptography-x509-verification/Cargo.toml
+++ b/src/rust/cryptography-x509-verification/Cargo.toml
@@ -1,11 +1,10 @@
 [package]
 name = "cryptography-x509-verification"
-version = "0.1.0"
-authors = ["The cryptography developers "]
-edition = "2021"
-publish = false
-# This specifies the MSRV
-rust-version = "1.65.0"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+publish.workspace = true
+rust-version.workspace = true
 [dependencies]
 asn1 = { version = "0.16.2", default-features = false }
From 320314cc4a35a22a2ec95a6fa95edea8b017cb54 Mon Sep 17 00:00:00 2001
From: Alex Gaynor Date: Thu, 20 Jun 2024 03:27:42 -0400 Subject: [PATCH 0707/1462] See if wheel dep is required (#11122) The setuptools changelog sort of implies its not anymore --- .github/requirements/build-requirements.in | 1 - .github/requirements/build-requirements.txt | 4 ---- pyproject.toml | 1 - 3 files changed, 6 deletions(-)
diff --git a/.github/requirements/build-requirements.in b/.github/requirements/build-requirements.in
index 564eacec8d48..4b916ef1ca97 100644
--- a/.github/requirements/build-requirements.in
+++ b/.github/requirements/build-requirements.in
@@ -1,6 +1,5 @@
 # Must be kept sync with build-system.requires at pyproject.toml
 setuptools>=61.0.0
-wheel
 cffi>=1.12; platform_python_implementation != 'PyPy'
 setuptools-rust>=1.7.0
diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt
index 2e3ccf055388..fbf31d477a47 100644
--- a/.github/requirements/build-requirements.txt
+++ b/.github/requirements/build-requirements.txt
@@ -74,10 +74,6 @@ tomli==2.0.1 \ --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \ --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f # via setuptools-rust -wheel==0.43.0 \ - --hash=sha256:465ef92c69fa5c5da2d1cf8ac40559a8c940886afcef87dcf14b9470862f1d85 \ - --hash=sha256:55c570405f142630c6b9f72fe09d9b67cf1477fcf543ae5b8dcb1f5b7377da81 - # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: setuptools==70.1.0 \
diff --git a/pyproject.toml b/pyproject.toml
index 64e33aac8aca..186ca1d6b27c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,7 +4,6 @@ requires = [ # First version of setuptools to support pyproject.toml configuration "setuptools>=61.0.0", - "wheel", # Must be kept in sync with `project.dependencies` "cffi>=1.12; platform_python_implementation != 'PyPy'", "setuptools-rust>=1.7.0",
From ca6597c448ece36bbd368b9ea7a587ec1a5357c4 Mon Sep 17 00:00:00 2001
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 21 Jun 2024 00:16:11 +0000 Subject: [PATCH 0708/1462] Bump BoringSSL and/or OpenSSL in CI (#11130) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3201afba82fc..ebf914c3b549 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,10 +43,10 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}}
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
- # Latest commit on the BoringSSL master branch, as of Jun 20, 2024.
- - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "84dc9bb624b47bda0bf802ae9e04a6eecb40865c"}}
- # Latest commit on the OpenSSL master branch, as of Jun 20, 2024.
- - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d5412c94a399d3923b2dec2431ead60288d857c8"}}
+ # Latest commit on the BoringSSL master branch, as of Jun 21, 2024.
+ - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d1e6d3b4af50c9490cc6210e2763b3c45ba14b07"}}
+ # Latest commit on the OpenSSL master branch, as of Jun 21, 2024.
+ - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a7ed61ce8b0565483e6b0e44ed9b13682305e609"}}
 # Builds with various Rust versions. Includes MSRV and next
 # potential future MSRV.
 - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"}
From 737de4377cb133f11a60ae75ac20d708f7a7d83b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 21 Jun 2024 03:56:59 +0000 Subject: [PATCH 0709/1462] Bump ruff from 0.4.9 to 0.4.10 (#11131) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.9 to 0.4.10. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.9...v0.4.10) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt
index df49bb53059f..c2f2fd40a40b 100644
--- a/ci-constraints-requirements.txt
+++ b/ci-constraints-requirements.txt
@@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.4.9 +ruff==0.4.10 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx
From 60e81c1d73d235519e1c558b1be093dbb57d8bd7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 21 Jun 2024 03:59:52 +0000 Subject: [PATCH 0710/1462] Bump proc-macro2 from 1.0.85 to 1.0.86 in /src/rust (#11132) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.85 to 1.0.86. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.85...1.0.86) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ...
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock
index 7e5c989cbdfe..0c6459c89a7a 100644
--- a/src/rust/Cargo.lock
+++ b/src/rust/Cargo.lock
@@ -271,9 +271,9 @@ checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" [[package]] name = "proc-macro2" -version = "1.0.85" +version = "1.0.86" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22244ce15aa966053a896d1accb3a6e68469b97c7f33f284b99f0d576879fc23" +checksum = "5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77" dependencies = [ "unicode-ident", ]
From 2d69b8634055489d5246ab9b4c38704bf66b6fdb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 21 Jun 2024 04:00:01 +0000 Subject: [PATCH 0711/1462] Bump syn from 2.0.66 to 2.0.67 in /src/rust (#11133) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.66 to 2.0.67. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.66...2.0.67) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock
index 0c6459c89a7a..81d38c1975a8 100644
--- a/src/rust/Cargo.lock
+++ b/src/rust/Cargo.lock
@@ -379,9 +379,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.66" +version = "2.0.67" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c42f3f41a2de00b01c0aaad383c5a45241efc8b2d1eda5661812fda5f3cdcff5" +checksum = "ff8655ed1d86f3af4ee3fd3263786bc14245ad17c4c7e85ba7187fb3ae028c90" dependencies = [ "proc-macro2", "quote", From b8dc9ddddcca12a0eab2caf6a4d3bd7f1b78b135 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 21 Jun 2024 00:02:31 -0400 Subject: [PATCH 0712/1462] Bump importlib-metadata from 7.1.0 to 7.2.0 in /.github/requirements (#11134) Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 7.1.0 to 7.2.0. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v7.1.0...v7.2.0) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index a43cf0a7c1d9..6a1a5ff2a41a 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -200,9 +200,9 @@ idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 # via requests -importlib-metadata==7.1.0 \ - --hash=sha256:30962b96c0c223483ed6cc7280e7f0199feb01a0e40cfae4d4450fc6fab1f570 \ - --hash=sha256:b78938b926ee8d5f020fc4772d487045805a55ddbad2ecf21c6d60938dc7fcd2 +importlib-metadata==7.2.0 \ + --hash=sha256:04e4aad329b8b948a5711d394fa8759cb80f009225441b4f2a02bd4d8e5f426c \ + --hash=sha256:3ff4519071ed42740522d494d04819b666541b9752c43012f85afb2cc220fcc6 # via # keyring # twine From 5440f1dfec3845ec16db4eaa6e360181ccba6f80 Mon Sep 17 00:00:00 2001 From: Daniel Lenski Date: Thu, 20 Jun 2024 22:33:19 -0700 Subject: [PATCH 0713/1462] Fix docstring for _SSHFormatSKECDSA.load_public (#11135) Correct a small mistake from copy-pasting the docstring of `_SSHFormatSKEd25519.load_public` as noted in https://github.com/pyca/cryptography/commit/51a6dd28ccbb7587fff9e951299b17aac39ee5cc#r143361696. --- src/cryptography/hazmat/primitives/serialization/ssh.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py index 51cddab47377..321519f3e596 100644 --- a/src/cryptography/hazmat/primitives/serialization/ssh.py +++ b/src/cryptography/hazmat/primitives/serialization/ssh.py @@ -620,7 +620,7 @@ class _SSHFormatSKECDSA: def load_public( self, data: memoryview ) -> tuple[ec.EllipticCurvePublicKey, memoryview]: - """Make Ed25519 public key from data.""" + """Make ECDSA public key from data.""" public_key, data = _lookup_kformat(_ECDSA_NISTP256).load_public(data) _, data = load_application(data) return public_key, data From ebbfd84dc8709f1d8c5283d1350a8d9127596931 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 22 Jun 2024 00:16:03 +0000 Subject: [PATCH 0714/1462] Bump BoringSSL and/or OpenSSL in CI (#11136) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ebf914c3b549..4b0271579b94 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 21, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d1e6d3b4af50c9490cc6210e2763b3c45ba14b07"}} - # Latest commit on the OpenSSL master branch, as of Jun 21, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a7ed61ce8b0565483e6b0e44ed9b13682305e609"}} + # Latest commit on the BoringSSL master branch, as of Jun 22, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "45db24b36a030ec54464ea7a26c362f3c82305ee"}} + # Latest commit on the OpenSSL master branch, as of Jun 22, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7d2c0a4b1feb152ee1190dfedc65dfd1c928f9e5"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 73717542c4153e8fb845a62db478a7bc0b310d29 Mon Sep 17 00:00:00 2001 
From: Nathan Easton Date: Sat, 22 Jun 2024 09:16:50 -0400 Subject: [PATCH 0715/1462] Update reference.rst (#11137) * Update reference.rst This code snippet works when importing the extension oid * Apply suggestions from code review Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- docs/x509/reference.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 6aa0f6667ba2..c3de5e6dcb58 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -2405,6 +2405,7 @@ X.509 Extensions >>> from cryptography import x509 >>> from cryptography.hazmat.primitives import hashes + >>> from cryptography.x509.oid import ExtensionOID >>> cert = x509.load_pem_x509_certificate(cryptography_cert_pem) >>> # Get the subjectAltName extension from the certificate >>> ext = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME) From 77e9c04f972a60b8aa76c279ffdbe77acc37cee8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 22 Jun 2024 21:05:24 +0000 Subject: [PATCH 0716/1462] Bump filelock from 3.15.3 to 3.15.4 (#11138) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.15.3 to 3.15.4. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.15.3...3.15.4) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c2f2fd40a40b..3d57deaaa8a7 100644 --- a/ci-constraints-requirements.txt 
+++ b/ci-constraints-requirements.txt @@ -40,7 +40,7 @@ exceptiongroup==1.2.1 # via pytest execnet==2.1.1; python_version >= "3.8" # via pytest-xdist -filelock==3.15.3; python_version >= "3.8" +filelock==3.15.4; python_version >= "3.8" # via virtualenv idna==3.7 # via requests From 1288fec3618d8239b1aed7000efc67101ceb9427 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 22 Jun 2024 21:12:42 +0000 Subject: [PATCH 0717/1462] Bump virtualenv from 20.26.2 to 20.26.3 (#11139) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.26.2 to 20.26.3. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.26.2...20.26.3) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3d57deaaa8a7..bbc3ee3ddc89 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -150,7 +150,7 @@ typing-extensions==4.12.2; python_version >= "3.8" # via mypy urllib3==2.2.2 # via requests -virtualenv==20.26.2 +virtualenv==20.26.3 # via nox # The following packages are considered to be unsafe in a requirements file: From a728550819df356bb39c92c2253c08d41dfcb663 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 22 Jun 2024 22:06:29 -0400 Subject: [PATCH 0718/1462] Bump BoringSSL and/or OpenSSL in CI (#11140) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4b0271579b94..1e83f463206e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 22, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "45db24b36a030ec54464ea7a26c362f3c82305ee"}} - # Latest commit on the OpenSSL master branch, as of Jun 22, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7d2c0a4b1feb152ee1190dfedc65dfd1c928f9e5"}} + # Latest commit on the OpenSSL master branch, as of Jun 23, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b23cd39f0a4e3cfe142694402a5246a498a3574f"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From fbf6a9da0f4267c520677f7d8f7650202b0a28f3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 23 Jun 2024 15:40:52 +0000 Subject: [PATCH 0719/1462] Bump cc from 1.0.99 to 1.0.100 in /src/rust (#11141) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.99 to 1.0.100. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.99...cc-v1.0.100) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 81d38c1975a8..54b2f879f112 100644 
--- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1" [[package]] name = "cc" -version = "1.0.99" +version = "1.0.100" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "96c51067fd44124faa7f870b4b1c969379ad32b2ba805aa959430ceaa384f695" +checksum = "c891175c3fb232128f48de6590095e59198bbeb8620c310be349bfc3afd12c7b" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index e019d4029dd4..64f4bb63f7da 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.21.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.99" +cc = "1.0.100" From e93978ed8786ae4337bee4901b31be6765af3d25 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 23 Jun 2024 15:41:35 +0000 Subject: [PATCH 0720/1462] Bump coverage from 7.5.3 to 7.5.4 (#11142) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.5.3 to 7.5.4. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.5.3...7.5.4) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index bbc3ee3ddc89..b61efa28b051 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.5.3; python_version >= "3.8" +coverage==7.5.4; python_version >= "3.8" # via # coverage # pytest-cov From e0b7e77039d940f5872308551b67c110c3fbeeec Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 23 Jun 2024 11:49:56 -0400 Subject: [PATCH 0721/1462] Bump importlib-metadata from 7.2.0 to 7.2.1 in /.github/requirements (#11143) Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 7.2.0 to 7.2.1. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v7.2.0...v7.2.1) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 6a1a5ff2a41a..688680a343a2 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -200,9 +200,9 @@ idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 # via requests -importlib-metadata==7.2.0 \ - --hash=sha256:04e4aad329b8b948a5711d394fa8759cb80f009225441b4f2a02bd4d8e5f426c \ - --hash=sha256:3ff4519071ed42740522d494d04819b666541b9752c43012f85afb2cc220fcc6 +importlib-metadata==7.2.1 \ + --hash=sha256:509ecb2ab77071db5137c655e24ceb3eee66e7bbc6574165d0d114d9fc4bbe68 \ + --hash=sha256:ffef94b0b66046dd8ea2d619b701fe978d9264d38f3998bc4c27ec3b146a87c8 # via # keyring # twine From 0095293a49a479c62dfbd49bfc05216ef096588c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 24 Jun 2024 00:17:23 +0000 Subject: [PATCH 0722/1462] Bump BoringSSL and/or OpenSSL in CI (#11144) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1e83f463206e..9aeb7f4cbb78 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 22, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "45db24b36a030ec54464ea7a26c362f3c82305ee"}} - # Latest commit on the OpenSSL master branch, as of Jun 23, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b23cd39f0a4e3cfe142694402a5246a498a3574f"}} + # Latest commit on the OpenSSL master branch, as of Jun 24, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "89c9c3b857b5d68d835c3c3d371dc74a26f568fd"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} 
From 94aeb6cbaee6fa2178e398b622a61e23373be6c9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Jun 2024 01:13:14 +0000 Subject: [PATCH 0723/1462] Bump syn from 2.0.67 to 2.0.68 in /src/rust (#11145) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.67 to 2.0.68. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.67...2.0.68) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 54b2f879f112..bb06e38a5950 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -379,9 +379,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.67" +version = "2.0.68" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ff8655ed1d86f3af4ee3fd3263786bc14245ad17c4c7e85ba7187fb3ae028c90" +checksum = "901fa70d88b9d6c98022e23b4136f9f3e54e4662c3bc1bd1d84a42a9a0f0c1e9" dependencies = [ "proc-macro2", "quote", From 428b384c5096d0e2730bee580a3189adf1cd2962 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 25 Jun 2024 00:16:06 +0000 Subject: [PATCH 0724/1462] Bump BoringSSL and/or OpenSSL in CI (#11151) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9aeb7f4cbb78..8b6da567ba3f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 22, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "45db24b36a030ec54464ea7a26c362f3c82305ee"}} - # Latest commit on the OpenSSL master branch, as of Jun 24, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "89c9c3b857b5d68d835c3c3d371dc74a26f568fd"}} + # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} + # Latest commit on the OpenSSL master branch, as of Jun 25, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "42a8ef844e5fca55abb608beb62695abe80c6b6d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 8b9a316af64d9b5ba25f5b4523c24ad9353c3c99 Mon Sep 17 00:00:00 2001 From: Peter Gessler Date: Mon, 24 Jun 2024 22:27:23 -0500 Subject: [PATCH 0725/1462] Align `cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates` ASN.1 structure to `openssl crl2pkcs7 -nocrl -certfile ...` (#11123) * align PKCS7 serialize certificates with openssl behavior * replace pkcs7 test vectors --- CHANGELOG.rst | 2 + src/rust/src/pkcs7.rs | 2 +- .../pkcs7/amazon-roots.der | Bin 1842 -> 1838 bytes vectors/cryptography_vectors/pkcs7/isrg.pem | 61 +++++++++--------- 4 files changed, 33 insertions(+), 32 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index d543896aed28..4218ab776d02 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -15,6 +15,8 @@ Changelog * :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still considered insecure, users should generally use a key size of 2048-bits. +* :func:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates` + now has consistent ASN.1 structure to ``openssl crl2pkcs7 -nocrl -certfile ...``. * Added new :doc:`/hazmat/decrepit/index` module which contains outdated and insecure cryptographic primitives. :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`, diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index c2dcbc94974f..e08a67e73a2f 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -59,7 +59,7 @@ fn serialize_certificates<'p>( digest_algorithms: asn1::SetOfWriter::new(&[]), content_info: pkcs7::ContentInfo { _content_type: asn1::DefinedByMarker::marker(), - content: pkcs7::Content::Data(Some(asn1::Explicit::new(b""))), + content: pkcs7::Content::Data(None), }, certificates: Some(asn1::SetOfWriter::new(&raw_certs)), crls: None, diff --git a/vectors/cryptography_vectors/pkcs7/amazon-roots.der b/vectors/cryptography_vectors/pkcs7/amazon-roots.der index f9eab5c17771f5745d68d2098b920e07b344e442..cba6154224c6f631850aa39e2bb20e580df09ab8 100644 GIT binary patch delta 50 wcmdnQw~kNKpov|JjZ>@5qwPB{BRkWACU$9{kT??~qalL@5qwPB{BRkWACU$wCkTeq`qalLvf A;s5{u diff --git a/vectors/cryptography_vectors/pkcs7/isrg.pem b/vectors/cryptography_vectors/pkcs7/isrg.pem index 63698aa11348..3f7d54956644 100644 --- a/vectors/cryptography_vectors/pkcs7/isrg.pem +++ b/vectors/cryptography_vectors/pkcs7/isrg.pem 
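Review bot: The new `content: pkcs7::Content::Data(None)` in `serialize_certificates` has no comment saying why the content is omitted, and the explicit empty octet string it replaces looked just as deliberate. A one-line comment above the field, such as `// certs-only bundle: omit the optional content, as openssl crl2pkcs7 -nocrl -certfile does`, would keep a later reader from restoring it. The function's doc comment could also state that, with `digest_algorithms` empty and `crls: None` as shown here, the output is a certificate container rather than a signed object, so consumers should validate the certificates they read from it instead of trusting the bundle. The signer fields are outside the hunk, so confirm they are empty before wording it that way. The body of `serialize_certificates` starts and ends outside the hunk.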
@@ -1,33 +1,32 @@ -----BEGIN PKCS7----- -MIIFngYJKoZIhvcNAQcCoIIFjzCCBYsCAQExADAPBgkqhkiG9w0BBwGgAgQAoIIF -bzCCBWswggNToAMCAQICEQCCEM+w0kDjWURj4LtjgosAMA0GCSqGSIb3DQEBCwUA -ME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBTZWN1cml0eSBSZXNl -YXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgxMB4XDTE1MDYwNDExMDQz -OFoXDTM1MDYwNDExMDQzOFowTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVy -bmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3Qg -WDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1co -HIe+3LffOJCMbjzmV6B493XCov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZsh -ftEzPLpI9d1537O4/xLxIZpLwYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+ -lAOf00eXfJlII1PoOK5PCm+DLtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vr -Fk/CjhFLfs8L6P+1dy70sntK4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6s -hweU9GNx7C7ib1uYgeGJXDR5bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98fl -AgeYjzYIlefiN5YNNnWe+w5ysR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81 -LygXbNKYwagJZHduRze6zqxZXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1 -pzpRboY7nn1ypxIFeFntPlF4FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0 -544fAQjQMNRbcTa0B7rBMDBcSLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K2 -8Kh8hjtGqEgqiNx2mna/H2qlPRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdw -iK1O5tmLOsbdJ1Fu/7xk9TNDTwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD -VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJ -KoZIhvcNAQELBQADggIBAFUfWKm8sqhQ0Ayx2BppICcpCKxhdVyKbviC5Wkv1fZW -S7m4cxBZ0yGXfudMcfuy0mCtOagL6hchVoXxUA5Z687gWem6yRXvhp2PhID25OmR -kNwXm2IbRfBmldJ8b8LqO+8fz8vWrifxqbDIrv19fpr6IgTr/9l/6pErIrEXDo/y -ijRbWNj8AclUubgmzIqIM4lMLYQ8gt/ullcFuiy798S3x047gr4xyCJzc5LRwoCk -OTkQMyOCTDyfhrJVmB2+KYaMIpue4ms7VzqCcE3cCceJywoHTWzoXY7J786rx7u1 -K05F1krQJszlcsoIaqWV4xWh96TtySxfpfv/rCgCLr7Xe7vjcXuQFtMHXkZTfDcH -QozTxJac1Zm1KuCVGoBIrkw5B87MR6RSlSu6uPut0jNTfeUdTW3VobHHQm/mQCc1 -XKMotweN540zkOcjn/tQnHlsRtW0FbOWbn6bDJY6uFItP9Zb4fsIwoT+JKijidqs -auEYKrGoQ2Fb0x/cO4128i3ojXXfFzNsPVP7e8tBX//cotBhOOGWuKxdizfXddUz -wJkRrp1BwXJ1hL4CQUJfZyRIlNGbJ74HP7m4T4F0UeF6t+2dI+K+4NUoBBM8MQOe 
-3Xpsj8YHGMZ/3keOPyieBAbPpVQ0d73siZvpF0PfW9tf/o4eV6LNQJ1+YiLa3hgn -MQA= +MIIFmgYJKoZIhvcNAQcCoIIFizCCBYcCAQExADALBgkqhkiG9w0BBwGgggVvMIIF +azCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAwTzEL +MAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNo +IEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4WhcN +MzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQg +U2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTCC +AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygch77c +t984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+0TM8 +ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6UA5/T +R5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sWT8KO +EUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyHB5T0 +Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UCB5iP +NgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUvKBds +0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWnOlFu +hjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTnjh8B +CNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbwqHyG +O0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CIrU7m +2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB +Af8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkqhkiG +9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZLubhz +EFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ3Beb +YhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KKNFtY +2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5ORAz +I4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7UrTkXW +StAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdCjNPE +lpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVcoyi3 +B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq4Rgq +sahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPAmRGu +nUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57demyP 
+xgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCcxAA== -----END PKCS7----- From 4a25070cc91cc6f5540b225c5cdd781b90fc004f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 25 Jun 2024 00:49:53 -0400 Subject: [PATCH 0726/1462] Remove the requirement for VerificationCertificate to be Clone (#11149) This is done by passing around references, rather than owned copies. Necessary for the pyo3 0.22 upgrade. --- .../cryptography-x509-verification/src/lib.rs | 38 ++++++++-------- .../cryptography-x509-verification/src/ops.rs | 7 +-- .../src/trust_store.rs | 9 ++-- src/rust/src/x509/verify.rs | 44 +++++++++++++------ 4 files changed, 55 insertions(+), 43 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 169226c908ea..3649890c8cd1 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -213,22 +213,22 @@ impl<'a, 'chain> NameChain<'a, 'chain> { } } -pub type Chain<'c, B> = Vec>; +pub type Chain<'a, 'c, B> = Vec<&'a VerificationCertificate<'c, B>>; -pub fn verify<'chain, B: CryptoOps>( - leaf: &VerificationCertificate<'chain, B>, - intermediates: impl IntoIterator>, - policy: &Policy<'_, B>, - store: &Store<'chain, B>, -) -> Result, ValidationError> { - let builder = ChainBuilder::new(intermediates.into_iter().collect(), policy, store); +pub fn verify<'a, 'chain: 'a, B: CryptoOps>( + leaf: &'a VerificationCertificate<'chain, B>, + intermediates: &'a [&'a VerificationCertificate<'chain, B>], + policy: &'a Policy<'_, B>, + store: &'a Store<'chain, B>, +) -> Result, ValidationError> { + let builder = ChainBuilder::new(intermediates, policy, store); let mut budget = Budget::new(); builder.build_chain(leaf, &mut budget) } struct ChainBuilder<'a, 'chain, B: CryptoOps> { - intermediates: Vec>, + intermediates: &'a [&'a VerificationCertificate<'chain, B>], policy: &'a Policy<'a, B>, store: &'a Store<'chain, B>, } 
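Review bot: `verify` now returns `Chain<'a, 'chain, B>`, a vector of references, but no doc comment is visible above it in this hunk to say what those references borrow from. With `leaf`, `intermediates` and `store` all tied to `'a`, the returned chain may point into any of them, so a caller has to keep all three alive for as long as it reads the chain. A doc comment such as `/// The returned chain borrows from leaf, intermediates and store; keep them alive while the chain is in use.` would state that contract at the public entry point. The same applies to the `Chain` type alias just above, whose new `'a` parameter is undocumented.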
@@ -252,9 +252,9 @@ impl ApplyNameConstraintStatus { } } -impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { +impl<'a, 'chain: 'a, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn new( - intermediates: Vec>, + intermediates: &'a [&'a VerificationCertificate<'chain, B>], policy: &'a Policy<'a, B>, store: &'a Store<'chain, B>, ) -> Self { @@ -266,7 +266,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { } fn potential_issuers( - &'a self, + &self, cert: &'a VerificationCertificate<'chain, B>, ) -> impl Iterator> + '_ { // TODO: Optimizations: @@ -274,19 +274,19 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { self.store .get_by_subject(&cert.certificate().tbs_cert.issuer) .iter() - .chain(self.intermediates.iter().filter(|&candidate| { + .chain(self.intermediates.iter().copied().filter(|&candidate| { candidate.certificate().subject() == cert.certificate().issuer() })) } fn build_chain_inner( &self, - working_cert: &VerificationCertificate<'chain, B>, + working_cert: &'a VerificationCertificate<'chain, B>, current_depth: u8, working_cert_extensions: &Extensions<'chain>, name_chain: NameChain<'_, 'chain>, budget: &mut Budget, - ) -> Result, ValidationError> { + ) -> Result, ValidationError> { if let Some(nc) = working_cert_extensions.get_extension(&NAME_CONSTRAINTS_OID) { name_chain.evaluate_constraints(&nc.value()?, budget)?; } @@ -294,7 +294,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // Look in the store's root set to see if the working cert is listed. // If it is, we've reached the end. if self.store.contains(working_cert) { - return Ok(vec![working_cert.clone()]); + return Ok(vec![working_cert]); } // Check that our current depth does not exceed our policy-configured @@ -357,7 +357,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { budget, ) { Ok(mut chain) => { - chain.push(working_cert.clone()); + chain.push(working_cert); return Ok(chain); } // Immediately return on fatal error. 
@@ -387,9 +387,9 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn build_chain( &self, - leaf: &VerificationCertificate<'chain, B>, + leaf: &'a VerificationCertificate<'chain, B>, budget: &mut Budget, - ) -> Result, ValidationError> { + ) -> Result, ValidationError> { // Before anything else, check whether the given leaf cert // is well-formed according to our policy (and its underlying // certificate profile). diff --git a/src/rust/cryptography-x509-verification/src/ops.rs b/src/rust/cryptography-x509-verification/src/ops.rs index 807bce5dff93..1b2f593ccc0b 100644 --- a/src/rust/cryptography-x509-verification/src/ops.rs +++ b/src/rust/cryptography-x509-verification/src/ops.rs @@ -39,11 +39,6 @@ impl PartialEq for VerificationCertificate<'_, B> { } } impl Eq for VerificationCertificate<'_, B> {} -impl Clone for VerificationCertificate<'_, B> { - fn clone(&self) -> Self { - VerificationCertificate::new(self.cert.clone(), self.extra.clone()) - } -} pub trait CryptoOps { /// A public key type for this cryptographic backend. @@ -53,7 +48,7 @@ pub trait CryptoOps { type Err; /// Extra data that's passed around with the certificate. - type CertificateExtra: Clone; + type CertificateExtra; /// Extracts the public key from the given `Certificate` in /// a `Key` format known by the cryptographic backend, or `None` diff --git a/src/rust/cryptography-x509-verification/src/trust_store.rs b/src/rust/cryptography-x509-verification/src/trust_store.rs index 462b81965df4..1d76bd584a5a 100644 --- a/src/rust/cryptography-x509-verification/src/trust_store.rs +++ b/src/rust/cryptography-x509-verification/src/trust_store.rs @@ -22,7 +22,7 @@ impl<'a, B: CryptoOps> Store<'a, B> { by_subject .entry(cert.certificate().tbs_cert.subject.clone()) .or_default() - .push(cert.clone()); + .push(cert); } Store { by_subject } } 
@@ -51,9 +51,10 @@ mod tests { #[test] fn test_store() { let cert_pem = v1_cert_pem(); - let cert = VerificationCertificate::new(cert(&cert_pem), ()); - let store = Store::<'_, PublicKeyErrorOps>::new([cert.clone()]); + let cert1 = VerificationCertificate::new(cert(&cert_pem), ()); + let cert2 = VerificationCertificate::new(cert(&cert_pem), ()); + let store = Store::<'_, PublicKeyErrorOps>::new([cert1]); - assert!(store.contains(&cert)); + assert!(store.contains(&cert2)); } } diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 9b1db24a5790..284809525794 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -260,17 +260,25 @@ impl PyClientVerifier { let policy = self.as_policy(); let store = self.store.get(); - let chain = cryptography_x509_verification::verify( - &VerificationCertificate::new( - leaf.get().raw.borrow_dependent().clone(), - leaf.clone_ref(py), - ), - intermediates.iter().map(|i| { + let intermediates = intermediates + .iter() + .map(|i| { VerificationCertificate::new( i.get().raw.borrow_dependent().clone(), i.clone_ref(py), ) - }), + }) + .collect::>(); + let intermediate_refs = intermediates.iter().collect::>(); + + let v = VerificationCertificate::new( + leaf.get().raw.borrow_dependent().clone(), + leaf.clone_ref(py), + ); + + let chain = cryptography_x509_verification::verify( + &v, + &intermediate_refs, policy, store.raw.borrow_dependent(), ) 
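Review bot: The block that collects `intermediates` into an owned vector, builds `intermediate_refs` and wraps the leaf in `v` is added verbatim twice: here under `impl PyClientVerifier` and in the hunk at `@@ -344,17 +352,25 @@` under `impl PyServerVerifier`. Moving the construction of the owned vector into one private helper used by both would keep the client and server verification paths from drifting apart when one is edited later. The reference vector still has to be built where the owned one lives. Separately, `v` is a terse name for the certificate being verified, and `let leaf_cert = VerificationCertificate::new(` would read better next to `intermediate_refs`. Both enclosing methods start and end outside their hunks.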
@@ -344,17 +352,25 @@ impl PyServerVerifier { let policy = self.as_policy(); let store = self.store.get(); - let chain = cryptography_x509_verification::verify( - &VerificationCertificate::new( - leaf.get().raw.borrow_dependent().clone(), - leaf.clone_ref(py), - ), - intermediates.iter().map(|i| { + let intermediates = intermediates + .iter() + .map(|i| { VerificationCertificate::new( i.get().raw.borrow_dependent().clone(), i.clone_ref(py), ) - }), + }) + .collect::>(); + let intermediate_refs = intermediates.iter().collect::>(); + + let v = VerificationCertificate::new( + leaf.get().raw.borrow_dependent().clone(), + leaf.clone_ref(py), + ); + + let chain = cryptography_x509_verification::verify( + &v, + &intermediate_refs, policy, store.raw.borrow_dependent(), ) From 61a5e672e6f0ed9e0159e9a20512b03539f79314 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 25 Jun 2024 01:00:12 -0400 Subject: [PATCH 0727/1462] fixed rst syntax in test-vectors.rst (#11153) --- docs/development/test-vectors.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index e0746ab792b2..3605c06af9eb 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -780,7 +780,7 @@ Custom PKCS12 Test Vectors * ``pkcs12/name-2-3-pwd.p12`` - A PKCS12 file containing a cert (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` - and ``x509/letsencryptx3.pem``) with friendly names ``name2` and + and ``x509/letsencryptx3.pem``) with friendly names ``name2`` and ``name3`` respectively, encrypted via AES 256 CBC with the password ``cryptography``. * ``pkcs12/name-2-pwd.p12`` - A PKCS12 file containing a cert From 70d808e3d9ced4884bd2833a125be2d30155bcb8 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Tue, 25 Jun 2024 01:00:32 -0400 Subject: [PATCH 0728/1462] Cleanup changelog grammar (#11152) --- CHANGELOG.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 4218ab776d02..3a1ea97886a2 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -16,7 +16,7 @@ Changelog now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still considered insecure, users should generally use a key size of 2048-bits. * :func:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates` - now has consistent ASN.1 structure to ``openssl crl2pkcs7 -nocrl -certfile ...``. + now emits ASN.1 that more closely follows the recommendations in :rfc:`2315`. * Added new :doc:`/hazmat/decrepit/index` module which contains outdated and insecure cryptographic primitives. :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`, From 3cc725df5addae2f86ac75c8ec0a17a7f3c4c449 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jun 2024 06:44:11 -0400 Subject: [PATCH 0729/1462] Bump bitflags from 2.5.0 to 2.6.0 in /src/rust (#11154) Bumps [bitflags](https://github.com/bitflags/bitflags) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/bitflags/bitflags/releases) - [Changelog](https://github.com/bitflags/bitflags/blob/main/CHANGELOG.md) - [Commits](https://github.com/bitflags/bitflags/compare/2.5.0...2.6.0) --- updated-dependencies: - dependency-name: bitflags dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index bb06e38a5950..fb028defc5e9 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -36,9 +36,9 @@ checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" [[package]] name = "bitflags" -version = "2.5.0" +version = "2.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1" +checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" From cf7ce65b7ad90a5e32bf3e3b60eb8b6d245e509d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jun 2024 11:12:10 +0000 Subject: [PATCH 0730/1462] Bump mypy from 1.10.0 to 1.10.1 (#11155) Bumps [mypy](https://github.com/python/mypy) from 1.10.0 to 1.10.1. - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.10.0...v1.10.1) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b61efa28b051..60df244084bb 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -52,7 +52,7 @@ jinja2==3.1.4 # via sphinx markupsafe==2.1.5 # via jinja2 -mypy==1.10.0 +mypy==1.10.1 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy From afc90a805c6ed995fb146cda37cbdd2cb2427ee1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jun 2024 07:18:45 -0400 Subject: [PATCH 0731/1462] Bump setuptools from 70.1.0 to 70.1.1 in /.github/requirements (#11156) Bumps [setuptools](https://github.com/pypa/setuptools) from 70.1.0 to 70.1.1. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v70.1.0...v70.1.1) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index fbf31d477a47..c56db6aefcfa 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -76,9 +76,9 @@ tomli==2.0.1 \ # via setuptools-rust # The following packages are considered to be unsafe in a requirements file: -setuptools==70.1.0 \ - --hash=sha256:01a1e793faa5bd89abc851fa15d0a0db26f160890c7102cd8dce643e886b47f5 \ - --hash=sha256:d9b8b771455a97c8a9f3ab3448ebe0b29b5e105f1228bba41028be116985a267 +setuptools==70.1.1 \ + --hash=sha256:937a48c7cdb7a21eb53cd7f9b59e525503aa8abaf3584c730dc5f7a5bec3a650 \ + --hash=sha256:a58a8fde0541dab0419750bcc521fbdf8585f6e5cb41909df3a472ef7b81ca95 # via # -r build-requirements.in # setuptools-rust From 47aced28c8f27b4dbb61f4fc79af444a18279463 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Tue, 25 Jun 2024 13:40:46 -0400 Subject: [PATCH 0732/1462] Bump pyo3 to 0.22 (#11150) * Bump pyo3 from 0.21.2 to 0.22.0 in /src/rust Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.21.2 to 0.22.0. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/main/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.21.2...v0.22.0) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Fix compilation errors in building for pyo3 0.22 --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 144 ++------------------- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-keepalive/Cargo.toml | 2 +- src/rust/src/backend/aead.rs | 7 + src/rust/src/backend/cmac.rs | 1 + src/rust/src/backend/dh.rs | 7 + src/rust/src/backend/dsa.rs | 3 + src/rust/src/backend/ec.rs | 3 + src/rust/src/backend/keys.rs | 2 + src/rust/src/backend/rsa.rs | 1 + src/rust/src/exceptions.rs | 2 + src/rust/src/lib.rs | 1 + src/rust/src/pkcs12.rs | 5 +- src/rust/src/types.rs | 2 +- src/rust/src/x509/certificate.rs | 2 + src/rust/src/x509/crl.rs | 2 + src/rust/src/x509/csr.rs | 2 + src/rust/src/x509/sct.rs | 2 +- 19 files changed, 55 insertions(+), 137 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index fb028defc5e9..495d8f72e002 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -146,9 +146,9 @@ checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" [[package]] name = "heck" -version = "0.4.1" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" +checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea" [[package]] name = "indoc" @@ -162,16 +162,6 @@ version = "0.2.155" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "97b3888a4aecf77e811145cadf6eef5901f4782c53886191b2f693f24761847c" -[[package]] -name = "lock_api" -version = "0.4.12" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "07af8b9cdd281b7915f413fa73f29ebd5d55d0d3f0155584dade1ff18cea1b17" -dependencies = [ - "autocfg", - "scopeguard", -] - [[package]] name = "memoffset" version = "0.9.1" @@ -225,29 +215,6 @@ dependencies = [ "vcpkg", ] -[[package]] -name = "parking_lot" -version = "0.12.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1bf18183cf54e8d6059647fc3063646a1801cf30896933ec2311622cc4b9a27" -dependencies = [ - "lock_api", - "parking_lot_core", -] - -[[package]] -name = "parking_lot_core" -version = "0.9.10" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8" -dependencies = [ - "cfg-if", - "libc", - "redox_syscall", - "smallvec", - "windows-targets", -] - [[package]] name = "pem" version = "3.0.4" 
@@ -280,15 +247,15 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.21.2" +version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a5e00b96a521718e08e03b1a622f01c8a8deb50719335de3f60b3b3950f069d8" +checksum = "1962a33ed2a201c637fc14a4e0fd4e06e6edfdeee6a5fede0dab55507ad74cf7" dependencies = [ "cfg-if", "indoc", "libc", "memoffset", - "parking_lot", + "once_cell", "portable-atomic", "pyo3-build-config", "pyo3-ffi", @@ -298,9 +265,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.21.2" +version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7883df5835fafdad87c0d888b266c8ec0f4c9ca48a5bed6bbb592e8dedee1b50" +checksum = "ab7164b2202753bd33afc7f90a10355a719aa973d1f94502c50d06f3488bc420" dependencies = [ "once_cell", "target-lexicon", @@ -308,9 +275,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.21.2" +version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "01be5843dc60b916ab4dad1dca6d20b9b4e6ddc8e15f50c47fe6d85f1fb97403" +checksum = "c6424906ca49013c0829c5c1ed405e20e2da2dc78b82d198564880a704e6a7b7" dependencies = [ "libc", "pyo3-build-config", @@ -318,9 +285,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.21.2" +version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "77b34069fc0682e11b31dbd10321cbf94808394c56fd996796ce45217dfac53c" +checksum = "82b2f19e153122d64afd8ce7aaa72f06a00f52e34e1d1e74b6d71baea396460a" dependencies = [ "proc-macro2", "pyo3-macros-backend", 
@@ -330,9 +297,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.21.2" +version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08260721f32db5e1a5beae69a55553f56b99bd0e1c3e6e0a5e8851a9d0f5a85c" +checksum = "dd698c04cac17cf0fe63d47790ab311b8b25542f5cb976b65c374035c50f1eef" dependencies = [ "heck", "proc-macro2", @@ -350,33 +317,12 @@ dependencies = [ "proc-macro2", ] -[[package]] -name = "redox_syscall" -version = "0.5.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c82cf8cff14456045f55ec4241383baeff27af886adb72ffb2162f99911de0fd" -dependencies = [ - "bitflags", -] - -[[package]] -name = "scopeguard" -version = "1.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" - [[package]] name = "self_cell" version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d369a96f978623eb3dc28807c4852d6cc617fed53da5d3c400feff1ef34a714a" -[[package]] -name = "smallvec" -version = "1.13.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" - [[package]] name = "syn" version = "2.0.68" 
@@ -411,67 +357,3 @@ name = "vcpkg" version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" - -[[package]] -name = "windows-targets" -version = "0.52.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6f0713a46559409d202e70e28227288446bf7841d3211583a4b53e3f6d96e7eb" -dependencies = [ - "windows_aarch64_gnullvm", - "windows_aarch64_msvc", - "windows_i686_gnu", - "windows_i686_gnullvm", - "windows_i686_msvc", - "windows_x86_64_gnu", - "windows_x86_64_gnullvm", - "windows_x86_64_msvc", -] - -[[package]] -name = "windows_aarch64_gnullvm" -version = "0.52.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7088eed71e8b8dda258ecc8bac5fb1153c5cffaf2578fc8ff5d61e23578d3263" - -[[package]] -name = "windows_aarch64_msvc" -version = "0.52.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9985fd1504e250c615ca5f281c3f7a6da76213ebd5ccc9561496568a2752afb6" - -[[package]] -name = "windows_i686_gnu" -version = "0.52.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "88ba073cf16d5372720ec942a8ccbf61626074c6d4dd2e745299726ce8b89670" - -[[package]] -name = "windows_i686_gnullvm" -version = "0.52.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87f4261229030a858f36b459e748ae97545d6f1ec60e5e0d6a3d32e0dc232ee9" - -[[package]] -name = "windows_i686_msvc" -version = "0.52.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "db3c2bf3d13d5b658be73463284eaf12830ac9a26a90c717b7f771dfe97487bf" - -[[package]] -name = "windows_x86_64_gnu" -version = "0.52.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4e4246f76bdeff09eb48875a0fd3e2af6aada79d409d33011886d3e1581517d9" - -[[package]] -name = "windows_x86_64_gnullvm" -version = "0.52.5" -source = 
"registry+https://github.com/rust-lang/crates.io-index" -checksum = "852298e482cd67c356ddd9570386e2862b5673c85bd5f88df9ab6802b334c596" - -[[package]] -name = "windows_x86_64_msvc" -version = "0.52.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bec47e5bfd1bff0eeaf6d8b485cc1074891a197ab4225d504cb7a1ab88b02bf0" diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 86f93db552c0..49c0b73dd100 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -17,7 +17,7 @@ rust-version.workspace = true [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.21.2", features = ["abi3"] } +pyo3 = { version = "0.22.0", features = ["abi3"] } asn1 = { version = "0.16.2", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 64f4bb63f7da..5a16a12c355e 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -7,7 +7,7 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.21.2", features = ["abi3"] } +pyo3 = { version = "0.22.0", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml index 18a214e9a744..9c5e92c8e683 100644 --- a/src/rust/cryptography-keepalive/Cargo.toml +++ b/src/rust/cryptography-keepalive/Cargo.toml @@ -7,4 +7,4 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.21.2", features = ["abi3"] } +pyo3 = { version = "0.22.0", features = ["abi3"] } diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index e9dbcab652bd..ab011c206470 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs 
@@ -536,6 +536,7 @@ impl ChaCha20Poly1305 { Ok(types::OS_URANDOM.get(py)?.call1((32,))?) } + #[pyo3(signature = (nonce, data, associated_data))] fn encrypt<'p>( &self, py: pyo3::Python<'p>, @@ -556,6 +557,7 @@ impl ChaCha20Poly1305 { .encrypt(py, data.as_bytes(), aad, Some(nonce_bytes)) } + #[pyo3(signature = (nonce, data, associated_data))] fn decrypt<'p>( &self, py: pyo3::Python<'p>, @@ -651,6 +653,7 @@ impl AesGcm { Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) } + #[pyo3(signature = (nonce, data, associated_data))] fn encrypt<'p>( &self, py: pyo3::Python<'p>, @@ -671,6 +674,7 @@ impl AesGcm { .encrypt(py, data.as_bytes(), aad, Some(nonce_bytes)) } + #[pyo3(signature = (nonce, data, associated_data))] fn decrypt<'p>( &self, py: pyo3::Python<'p>, @@ -704,6 +708,7 @@ struct AesCcm { #[pyo3::prelude::pymethods] impl AesCcm { #[new] + #[pyo3(signature = (key, tag_length=None))] fn new( py: pyo3::Python<'_>, key: pyo3::Py, @@ -762,6 +767,7 @@ impl AesCcm { Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) } + #[pyo3(signature = (nonce, data, associated_data))] fn encrypt<'p>( &self, py: pyo3::Python<'p>, @@ -795,6 +801,7 @@ impl AesCcm { self.ctx.encrypt(py, data_bytes, aad, Some(nonce_bytes)) } + #[pyo3(signature = (nonce, data, associated_data))] fn decrypt<'p>( &self, py: pyo3::Python<'p>, diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index 0d9d9ec0fdf4..646394cd67f5 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs @@ -36,6 +36,7 @@ impl Cmac { #[pyo3::pymethods] impl Cmac { #[new] + #[pyo3(signature = (algorithm, backend=None))] fn new( py: pyo3::Python<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 008f0674a07b..afa5a3a1c69f 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs 
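Review bot: The `#[pyo3(signature = (nonce, data, associated_data))]` attributes added to `encrypt` and `decrypt` on `ChaCha20Poly1305`, `AesGcm` and `AesCcm` list `associated_data` without a default, and nothing says whether that is deliberate. The other signatures in this commit write `tag_length=None` and `backend=None` explicitly. The parameter lists are cut off by the hunks, but if `associated_data` is an `Option`, the explicit signature makes it a required argument rather than one that silently falls back to `None`. A one-line comment above each attribute, such as `// associated_data is required; callers pass None explicitly when there is no AAD`, would record that this is intended.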
@@ -28,6 +28,7 @@ struct DHParameters { } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (generator, key_size, backend=None))] fn generate_parameters( generator: u32, key_size: u32, @@ -87,6 +88,7 @@ fn pkey_from_dh( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn from_der_parameters( data: &[u8], backend: Option>, @@ -107,6 +109,7 @@ fn from_der_parameters( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn from_pem_parameters( data: &[u8], backend: Option>, @@ -410,6 +413,7 @@ impl DHPrivateNumbers { } #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + #[pyo3(signature = (backend=None))] fn private_key( &self, py: pyo3::Python<'_>, @@ -462,6 +466,7 @@ impl DHPublicNumbers { } #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + #[pyo3(signature = (backend=None))] fn public_key( &self, py: pyo3::Python<'_>, @@ -494,6 +499,7 @@ impl DHPublicNumbers { #[pyo3::prelude::pymethods] impl DHParameterNumbers { #[new] + #[pyo3(signature = (p, g, q=None))] fn new( py: pyo3::Python<'_>, p: pyo3::Py, @@ -520,6 +526,7 @@ impl DHParameterNumbers { Ok(DHParameterNumbers { p, g, q }) } + #[pyo3(signature = (backend=None))] fn parameters( &self, py: pyo3::Python<'_>, diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 7615521c9cb4..4e82bbdd45ac 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -356,6 +356,7 @@ impl DsaPrivateNumbers { DsaPrivateNumbers { x, public_numbers } } + #[pyo3(signature = (backend=None))] fn private_key( &self, py: pyo3::Python<'_>, @@ -406,6 +407,7 @@ impl DsaPublicNumbers { } } + #[pyo3(signature = (backend=None))] fn public_key( &self, py: pyo3::Python<'_>, @@ -460,6 +462,7 @@ impl DsaParameterNumbers { DsaParameterNumbers { p, q, g } } + #[pyo3(signature = (backend=None))] fn parameters( &self, py: pyo3::Python<'_>, diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index d808a275eb06..c83943539cc0 100644 --- a/src/rust/src/backend/ec.rs 
+++ b/src/rust/src/backend/ec.rs @@ -155,6 +155,7 @@ pub(crate) fn public_key_from_pkey( }) } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (curve, backend=None))] fn generate_private_key( py: pyo3::Python<'_>, curve: pyo3::Bound<'_, pyo3::PyAny>, @@ -518,6 +519,7 @@ impl EllipticCurvePrivateNumbers { } } + #[pyo3(signature = (backend=None))] fn private_key( &self, py: pyo3::Python<'_>, @@ -600,6 +602,7 @@ impl EllipticCurvePublicNumbers { Ok(EllipticCurvePublicNumbers { x, y, curve }) } + #[pyo3(signature = (backend=None))] fn public_key( &self, py: pyo3::Python<'_>, diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index 2113ecec3cac..974f07bb22f1 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -117,6 +117,7 @@ pub(crate) fn private_key_from_pkey( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn load_der_public_key( py: pyo3::Python<'_>, data: CffiBuf<'_>, @@ -145,6 +146,7 @@ pub(crate) fn load_der_public_key_bytes( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn load_pem_public_key( py: pyo3::Python<'_>, data: CffiBuf<'_>, diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 20b61c718ff0..461e6a7a345e 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -773,6 +773,7 @@ impl RsaPublicNumbers { RsaPublicNumbers { e, n } } + #[pyo3(signature = (backend=None))] fn public_key( &self, py: pyo3::Python<'_>, diff --git a/src/rust/src/exceptions.rs b/src/rust/src/exceptions.rs index 95600faf08bd..d6d7afb060a0 100644 --- a/src/rust/src/exceptions.rs +++ b/src/rust/src/exceptions.rs @@ -6,10 +6,12 @@ use pyo3::prelude::PyModuleMethods; #[pyo3::prelude::pyclass( frozen, + eq, module = "cryptography.hazmat.bindings._rust.exceptions", name = "_Reasons" )] #[allow(non_camel_case_types)] +#[derive(PartialEq)] pub(crate) enum Reasons { BACKEND_MISSING_INTERFACE, UNSUPPORTED_HASH, 
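Review bot: In the `src/rust/src/exceptions.rs` hunk, `_Reasons` gains `eq` and `#[derive(PartialEq)]` but not `eq_int`, which may drop integer comparison for this enum. As far as I can tell, pyo3 0.22 compares members to integers by discriminant only when `eq_int` is also given. If any caller or test compares a `_Reasons` member to an integer, writing `eq, eq_int,` would keep the earlier behaviour. Otherwise a short comment such as `// members compare only to other _Reasons members` would make the narrowing explicit. The enum body continues past the end of the hunk.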
diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index da929fee603f..383716764961 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -9,6 +9,7 @@ use crate::error::CryptographyResult; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use openssl::provider; +use pyo3::prelude::PyModuleMethods; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use std::env; diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 4663b91c4e8a..1ccf21377402 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -24,6 +24,7 @@ struct PKCS12Certificate { #[pyo3::prelude::pymethods] impl PKCS12Certificate { #[new] + #[pyo3(signature = (cert, friendly_name=None))] fn new( cert: pyo3::Py, friendly_name: Option>, @@ -40,7 +41,7 @@ impl PKCS12Certificate { other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { let friendly_name_eq = match (&self.friendly_name, &other.friendly_name) { - (Some(a), Some(b)) => a.bind(py).eq(b.bind(py))?, + (Some(a), Some(b)) => a.bind(py).as_bytes() == b.bind(py).as_bytes(), (None, None) => true, _ => false, }; @@ -406,6 +407,7 @@ fn decode_p12( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, password, backend=None))] fn load_key_and_certificates<'p>( py: pyo3::Python<'p>, data: CffiBuf<'_>, @@ -456,6 +458,7 @@ fn load_key_and_certificates<'p>( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, password, backend=None))] fn load_pkcs12<'p>( py: pyo3::Python<'p>, data: CffiBuf<'_>, diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 3b21ec1f1ad3..d64b521a1887 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -28,7 +28,7 @@ impl LazyPyImport { Ok::<_, pyo3::PyErr>(obj.unbind()) })?; - Ok(p.clone().into_bound(py)) + Ok(p.clone_ref(py).into_bound(py)) } } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 0ac0e4d8e0ff..0b5e89bd37bf 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs 
@@ -365,6 +365,7 @@ fn cert_version( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn load_pem_x509_certificate( py: pyo3::Python<'_>, data: &[u8], @@ -411,6 +412,7 @@ fn load_pem_x509_certificates( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] pub(crate) fn load_der_x509_certificate( py: pyo3::Python<'_>, data: pyo3::Py, diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 2d00c308de9a..52cadde0e24c 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -25,6 +25,7 @@ use crate::x509::{certificate, extensions, sign}; use crate::{exceptions, types, x509}; #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn load_der_x509_crl( py: pyo3::Python<'_>, data: pyo3::Py, @@ -54,6 +55,7 @@ fn load_der_x509_crl( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn load_pem_x509_crl( py: pyo3::Python<'_>, data: &[u8], diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 03f49b5420b1..a9823f2c2fc5 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -236,6 +236,7 @@ impl CertificateSigningRequest { } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn load_pem_x509_csr( py: pyo3::Python<'_>, data: &[u8], @@ -258,6 +259,7 @@ fn load_pem_x509_csr( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn load_der_x509_csr( py: pyo3::Python<'_>, data: pyo3::Py, diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index 0cc8c4644690..a5b2d920a84c 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -169,7 +169,7 @@ impl Sct { let kwargs = pyo3::types::PyDict::new_bound(py); kwargs.set_item("microsecond", self.timestamp % 1000 * 1000)?; - kwargs.set_item("tzinfo", None::>)?; + kwargs.set_item("tzinfo", None::>)?; types::DATETIME_DATETIME .get(py)? From ae3b2a07e2f92288d5029b1de49bf340d0617c90 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 26 Jun 2024 00:15:34 +0000 Subject: [PATCH 0733/1462] Bump BoringSSL and/or OpenSSL in CI (#11164) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8b6da567ba3f..6da1473a348d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jun 25, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "42a8ef844e5fca55abb608beb62695abe80c6b6d"}} + # Latest commit on the OpenSSL master branch, as of Jun 26, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "30dc37d798a0428fd477d3763086e7e97b3d596f"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From f370b0981099adf6b267e31015b202c72f9782ea Mon Sep 17 00:00:00 2001 
From: William Woodruff Date: Tue, 25 Jun 2024 21:51:24 -0400 Subject: [PATCH 0734/1462] policy/extension: improve extension policy errors (#11162) * policy/extension: improve extension policy errors * verification: ValidationError::ExtensionError variant Begin cleaning things up. * policy/extension: remove redundant clone * ensure that we render the ext OID * lib: coverage for other display arms * relocate custom vector * test-vectors: typo --- docs/development/test-vectors.rst | 2 + .../cryptography-x509-verification/src/lib.rs | 76 ++++++++++++++++--- .../src/policy/extension.rs | 40 +++++----- src/rust/src/x509/verify.rs | 2 +- tests/x509/verification/test_verification.py | 32 +++++++- .../x509/custom/ekucrit-testuser-cert.pem | 23 ++++++ 6 files changed, 143 insertions(+), 32 deletions(-) create mode 100644 vectors/cryptography_vectors/x509/custom/ekucrit-testuser-cert.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 3605c06af9eb..4f564d79b24f 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -528,6 +528,8 @@ Custom X.509 Vectors algorithm parameters. This encoding is invalid, but was generated by Java 11. * ``dsa_null_alg_params.pem`` - A certificate with a DSA signature with ``NULL`` algorithm parameters. This encoding is invalid, but was generated by Java 20. +* ``ekucrit-testuser-cert.pem`` - A leaf certificate containing a critical EKU. + This is an invalid certificate per CA/B 7.1.2.7.6. Custom X.509 Request Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 3649890c8cd1..d21827ce9695 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs 
@@ -12,8 +12,10 @@ pub mod policy; pub mod trust_store; pub mod types; +use std::fmt::Display; use std::vec; +use asn1::ObjectIdentifier; use cryptography_x509::extensions::{DuplicateExtensionsError, Extensions}; use cryptography_x509::{ extensions::{NameConstraints, SubjectAlternativeName}, @@ -35,10 +37,45 @@ pub enum ValidationError { CandidatesExhausted(Box), Malformed(asn1::ParseError), DuplicateExtension(DuplicateExtensionsError), + ExtensionError { + oid: ObjectIdentifier, + reason: &'static str, + }, FatalError(&'static str), Other(String), } +impl From for ValidationError { + fn from(value: asn1::ParseError) -> Self { + Self::Malformed(value) + } +} + +impl From for ValidationError { + fn from(value: DuplicateExtensionsError) -> Self { + Self::DuplicateExtension(value) + } +} + +impl Display for ValidationError { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + match self { + ValidationError::CandidatesExhausted(inner) => { + write!(f, "candidates exhausted: {inner}") + } + ValidationError::Malformed(err) => err.fmt(f), + ValidationError::DuplicateExtension(DuplicateExtensionsError(oid)) => { + write!(f, "malformed certificate: duplicate extension: {oid}") + } + ValidationError::ExtensionError { oid, reason } => { + write!(f, "invalid extension: {oid}: {reason}") + } + ValidationError::FatalError(err) => write!(f, "fatal error: {err}"), + ValidationError::Other(err) => write!(f, "{err}"), + } + } +} + struct Budget { name_constraint_checks: usize, } @@ -64,18 +101,6 @@ impl Budget { } } -impl From for ValidationError { - fn from(value: asn1::ParseError) -> Self { - Self::Malformed(value) - } -} - -impl From for ValidationError { - fn from(value: DuplicateExtensionsError) -> Self { - Self::DuplicateExtension(value) - } -} - struct NameChain<'a, 'chain> { child: Option<&'a NameChain<'a, 'chain>>, sans: SubjectAlternativeName<'chain>, 
@@ -412,3 +437,30 @@ impl<'a, 'chain: 'a, B: CryptoOps> ChainBuilder<'a, 'chain, B> { Ok(chain) } } + +#[cfg(test)] +mod tests { + use asn1::ParseError; + use cryptography_x509::{ + extensions::DuplicateExtensionsError, oid::SUBJECT_ALTERNATIVE_NAME_OID, + }; + + use crate::ValidationError; + + #[test] + fn test_validationerror_display() { + let err = ValidationError::Malformed(ParseError::new(asn1::ParseErrorKind::InvalidLength)); + assert_eq!(err.to_string(), "ASN.1 parsing error: invalid length"); + + let err = ValidationError::DuplicateExtension(DuplicateExtensionsError( + SUBJECT_ALTERNATIVE_NAME_OID, + )); + assert_eq!( + err.to_string(), + "malformed certificate: duplicate extension: 2.5.29.17" + ); + + let err = ValidationError::FatalError("oops"); + assert_eq!(err.to_string(), "fatal error: oops"); + } +} diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs index a707b0d8d65f..1c8ae00679e1 100644 --- a/src/rust/cryptography-x509-verification/src/policy/extension.rs +++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs @@ -81,10 +81,10 @@ impl ExtensionPolicy { self.extended_key_usage.permits(policy, cert, Some(&ext))?; } _ if ext.critical => { - return Err(ValidationError::Other(format!( - "certificate contains unaccounted-for critical extensions: {}", - ext.extn_id - ))); + return Err(ValidationError::ExtensionError { + oid: ext.extn_id, + reason: "certificate contains unaccounted-for critical extensions", + }); } _ => {} } 
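Review bot: `test_validationerror_display` pins the `Malformed`, `DuplicateExtension` and `FatalError` arms but not the `ExtensionError` arm that this commit introduces, so nothing at the crate level fixes the `invalid extension: {oid}: {reason}` format. The only coverage is the Python test in this patch, which reaches it through the client verifier alone. I would add `let err = ValidationError::ExtensionError { oid: SUBJECT_ALTERNATIVE_NAME_OID, reason: "oops" };` followed by `assert_eq!(err.to_string(), "invalid extension: 2.5.29.17: oops");`. The `CandidatesExhausted` and `Other` arms are not asserted here either; they may be exercised elsewhere.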
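Review bot: The `reason` in the `_ if ext.critical` arm, `"certificate contains unaccounted-for critical extensions"`, is lowercase and plural, whereas the other `ExtensionError` reasons added in this file are capitalised and each error now names exactly one OID. Because `Display` renders the value mid-sentence as `invalid extension: {oid}: {reason}`, a singular form reads better here: `reason: "certificate contains unaccounted-for critical extension",`. Settling on one capitalisation for all reasons would also help, though the Python test added in this patch matches the capitalised criticality message and would need updating if that one changes. The enclosing function starts and ends outside the hunk.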
@@ -205,9 +205,10 @@ impl ExtensionValidator { // Extension MUST NOT be present and isn't; OK. (ExtensionValidator::NotPresent, None) => Ok(()), // Extension MUST NOT be present but is; NOT OK. - (ExtensionValidator::NotPresent, Some(_)) => Err(ValidationError::Other( - "Certificate contains prohibited extension".to_string(), - )), + (ExtensionValidator::NotPresent, Some(extn)) => Err(ValidationError::ExtensionError { + oid: extn.extn_id.clone(), + reason: "Certificate contains prohibited extension", + }), // Extension MUST be present but is not; NOT OK. (ExtensionValidator::Present { .. }, None) => Err(ValidationError::Other( "Certificate is missing required extension".to_string(), @@ -221,9 +222,10 @@ impl ExtensionValidator { Some(extn), ) => { if !criticality.permits(extn.critical) { - return Err(ValidationError::Other( - "Certificate extension has incorrect criticality".to_string(), - )); + return Err(ValidationError::ExtensionError { + oid: extn.extn_id.clone(), + reason: "Certificate extension has incorrect criticality", + }); } // If a custom validator is supplied, apply it. @@ -237,15 +239,17 @@ impl ExtensionValidator { }, extn, ) => { - // If the extension is present, apply our criticality check. - if extn.map_or(false, |extn| !criticality.permits(extn.critical)) { - return Err(ValidationError::Other( - "Certificate extension has incorrect criticality".to_string(), - )); + match extn { + // If the extension is present, apply our criticality check. + Some(extn) if !criticality.permits(extn.critical) => { + Err(ValidationError::ExtensionError { + oid: extn.extn_id.clone(), + reason: "Certificate extension has incorrect criticality", + }) + } + // If a custom validator is supplied, apply it. + _ => validator.map_or(Ok(()), |v| v(policy, cert, extn)), } - - // If a custom validator is supplied, apply it. - validator.map_or(Ok(()), |v| v(policy, cert, extn)) } } } 
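Review bot: The `(ExtensionValidator::Present { .. }, None)` arm in the `@@ -205,9 +205,10 @@` hunk still returns `ValidationError::Other("Certificate is missing required extension".to_string())`, so a missing mandatory extension is the one policy failure here that still does not say which extension is involved. No extension value is available in that arm to take `extn_id` from, so the OID would have to be passed in by the caller or stored in the validator; that is larger than this hunk, but a `// TODO: report the OID of the missing required extension` on the arm would record the gap. The enclosing `match` begins and ends outside the hunk.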
diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 284809525794..73f354544685 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -282,7 +282,7 @@ impl PyClientVerifier { policy, store.raw.borrow_dependent(), ) - .map_err(|e| VerificationError::new_err(format!("validation failed: {e:?}")))?; + .map_err(|e| VerificationError::new_err(format!("validation failed: {e}")))?; let py_chain = pyo3::types::PyList::empty_bound(py); for c in &chain { diff --git a/tests/x509/verification/test_verification.py b/tests/x509/verification/test_verification.py index 409f6f9b6408..f5e70bab3538 100644 --- a/tests/x509/verification/test_verification.py +++ b/tests/x509/verification/test_verification.py @@ -11,7 +11,11 @@ from cryptography import x509 from cryptography.x509.general_name import DNSName, IPAddress -from cryptography.x509.verification import PolicyBuilder, Store +from cryptography.x509.verification import ( + PolicyBuilder, + Store, + VerificationError, +) from tests.x509.test_x509 import _load_cert @@ -139,6 +143,32 @@ def test_verify(self): assert x509.DNSName("cryptography.io") in verified_client.subjects assert len(verified_client.subjects) == 2 + def test_verify_fails_renders_oid(self): + leaf = _load_cert( + os.path.join("x509", "custom", "ekucrit-testuser-cert.pem"), + x509.load_pem_x509_certificate, + ) + + store = Store([leaf]) + + validation_time = datetime.datetime.fromisoformat( + "2024-06-26T00:00:00+00:00" + ) + + builder = PolicyBuilder().store(store) + builder = builder.time(validation_time) + verifier = builder.build_client_verifier() + + pattern = ( + r"invalid extension: 2\.5\.29\.37: " + r"Certificate extension has incorrect criticality" + ) + with pytest.raises( + VerificationError, + match=pattern, + ): + verifier.verify(leaf, []) + class TestServerVerifier: @pytest.mark.parametrize( 
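Review bot: Only the `PyClientVerifier` call site switches from `{e:?}` to `{e}`, and the diffstat shows a single changed line in `verify.rs`. If the server verifier in this file maps `ValidationError` with the same `format!("validation failed: {e:?}")`, it will keep emitting the Debug rendering and the two verifiers will describe the same failure differently; that call site is not visible here, so this needs checking. If it exists, it should become `format!("validation failed: {e}")` too, with a server-side counterpart to `test_verify_fails_renders_oid`, which only uses `build_client_verifier()`. The enclosing method starts and ends outside the hunk.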
diff --git a/vectors/cryptography_vectors/x509/custom/ekucrit-testuser-cert.pem b/vectors/cryptography_vectors/x509/custom/ekucrit-testuser-cert.pem new file mode 100644 index 000000000000..907fc7bc3fd2 --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/ekucrit-testuser-cert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDyTCCArGgAwIBAgIUQWZSqoDvybWdo39pxRgeN0bLh8QwDQYJKoZIhvcNAQEL +BQAwLDEUMBIGA1UECgwLVGVzdCBJc3N1ZXIxFDASBgNVBAMMC2V4YW1wbGUubmV0 +MB4XDTI0MDYyNTIyNTY0MFoXDTI0MDkyMzIyNTY0MFowLzEtMCsGA1UEAwwkZTBk +Y2JmNTEtMDIyNC00MzYzLWI3NWUtYjZjZmIxODE3NzUzMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAwq9wRSIpDGjEfRSOHxcfaOQmi1QR2AV0m1Exu8RW +WwE+SycflSQOcPxNWn1B0dvVAIAmp5fSBram+6fdB+qgP/fz9/mHBBvP1+J7lLue +1CUUDkci6P136HQ+kSsEDqrwMXzPESVNJk6b0FusF0gCEGTe01pgHKd82mpXK62W +tSYFOYEFV4kB7u0ckkWEhiKGTKQ+zI5GSeApy23ao8q+oHDdBcD91ViYwgoWwKMY +mYhZyLFZHh4D7axi275HjqVZZ1AmCy0bSLMgxwgHKEeFRmR3Yaoz3TkTi0fAUs4e +w6Rdtor/PMecunp6atiHVUj9FWraAafGzVrM8Wfj6t88FwIDAQABo4HfMIHcMGQG +A1UdEQRdMFuGKnVybjpwdWJsaWNpZDpJRE4rZXhhbXBsZS5uZXQrdXNlcit0ZXN0 +dXNlcoYtdXJuOnV1aWQ6ZTBkY2JmNTEtMDIyNC00MzYzLWI3NWUtYjZjZmIxODE3 +NzUzMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAjAMBgNV +HRMBAf8EAjAAMB0GA1UdDgQWBBQOeL5d5FUOQeZD99n1nxTvFMmN6DAfBgNVHSME +GDAWgBQOeL5d5FUOQeZD99n1nxTvFMmN6DANBgkqhkiG9w0BAQsFAAOCAQEAjL4c +TUCEYWDWW03AWskf7GGeUb2wehWOoH7cw5dtZa4UC1JghuPs+HbMLxRvy6/NsnrV +7ZzzXiutTQEbE5EBQBhJAjuh34uogNe1itRvCFq8xUTQ+e8xP1nXCfZ2UMD0rb1F +kvpqm4cFpX9AizjhnwOi4X7/svnv79yovfwGKPgUMfVb3Vbnd6aMeZbBh34hSSBn +Emigl7tmS2KOs/eD+O2zQFu4NgUe4HH+jdE0+FDBkYwIOhLPGL2pCmdb7kM60Oo4 +W4yvwiQSJkfn1u4xvBoONsp8lNVkpYfFHWotuwCrHchVgCyaXcp7fEFUrl6mb+CY +s4x++eieNDpxzcFsuw== +-----END CERTIFICATE----- From 887ed1b33c96fa3a57adff80d12b8977db09b908 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 26 Jun 2024 07:11:57 -0400 Subject: [PATCH 0735/1462] Bump cc from 1.0.100 to 1.0.101 in /src/rust (#11166) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.100 to 1.0.101. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.0.100...cc-v1.0.101) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 495d8f72e002..ba5223e54c0f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.0.100" +version = "1.0.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c891175c3fb232128f48de6590095e59198bbeb8620c310be349bfc3afd12c7b" +checksum = "ac367972e516d45567c7eafc73d24e1c193dcf200a8d94e9db7b3d38b349572d" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 5a16a12c355e..e06baab70c05 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.0", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.100" +cc = "1.0.101" From 84d14143fdab1ba8d01fe2612fd313323c013809 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Wed, 26 Jun 2024 08:36:08 -0400 Subject: [PATCH 0736/1462] Stop importing things from prelude (#11168) import them from the right places --- src/rust/src/asn1.rs | 18 ++++++------- src/rust/src/backend/aead.rs | 30 ++++++++++----------- src/rust/src/backend/cipher_registry.rs | 2 +- src/rust/src/backend/ciphers.rs | 28 +++++++++---------- src/rust/src/backend/cmac.rs | 8 +++--- src/rust/src/backend/dh.rs | 36 ++++++++++++------------- src/rust/src/backend/dsa.rs | 34 +++++++++++------------ src/rust/src/backend/ec.rs | 30 ++++++++++----------- src/rust/src/backend/ed25519.rs | 20 +++++++------- src/rust/src/backend/ed448.rs | 20 +++++++------- src/rust/src/backend/hashes.rs | 8 +++--- src/rust/src/backend/hmac.rs | 8 +++--- src/rust/src/backend/kdf.rs | 10 +++---- src/rust/src/backend/keys.rs | 14 +++++----- src/rust/src/backend/mod.rs | 6 ++--- src/rust/src/backend/poly1305.rs | 8 +++--- src/rust/src/backend/rsa.rs | 24 ++++++++--------- src/rust/src/backend/utils.rs | 2 +- src/rust/src/backend/x25519.rs | 20 +++++++------- src/rust/src/backend/x448.rs | 20 +++++++------- src/rust/src/buf.rs | 2 +- src/rust/src/error.rs | 8 +++--- src/rust/src/exceptions.rs | 8 +++--- src/rust/src/lib.rs | 20 +++++++------- src/rust/src/oid.rs | 4 +-- src/rust/src/padding.rs | 8 +++--- src/rust/src/pkcs12.rs | 16 +++++------ src/rust/src/pkcs7.rs | 14 +++++----- src/rust/src/types.rs | 2 +- src/rust/src/x509/certificate.rs | 14 +++++----- src/rust/src/x509/common.rs | 6 ++--- src/rust/src/x509/crl.rs | 20 +++++++------- src/rust/src/x509/csr.rs | 12 ++++----- src/rust/src/x509/extensions.rs | 8 +++--- src/rust/src/x509/ocsp.rs | 2 +- src/rust/src/x509/ocsp_req.rs | 14 +++++----- src/rust/src/x509/ocsp_resp.rs | 22 +++++++-------- src/rust/src/x509/sct.rs | 10 +++---- src/rust/src/x509/sign.rs | 2 +- src/rust/src/x509/verify.rs | 2 +- 40 files changed, 266 insertions(+), 274 deletions(-) 
diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 07fcf72c46c2..8a6e86a5141f 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -6,10 +6,10 @@ use asn1::SimpleAsn1Readable; use cryptography_x509::certificate::Certificate; use cryptography_x509::common::{DssSignature, SubjectPublicKeyInfo, Time}; use cryptography_x509::name::Name; -use pyo3::prelude::PyAnyMethods; -use pyo3::prelude::PyModuleMethods; use pyo3::pybacked::PyBackedBytes; use pyo3::types::IntoPyDict; +use pyo3::types::PyAnyMethods; +use pyo3::types::PyModuleMethods; use pyo3::ToPyObject; use crate::error::{CryptographyError, CryptographyResult}; @@ -32,7 +32,7 @@ pub(crate) fn oid_to_py_oid<'p>( Ok(pyo3::Bound::new(py, crate::oid::ObjectIdentifier { oid: oid.clone() })?.into_any()) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn parse_spki_for_data<'p>( py: pyo3::Python<'p>, data: &[u8], @@ -57,7 +57,7 @@ pub(crate) fn big_byte_slice_to_py_int<'p>( int_type.call_method(pyo3::intern!(py, "from_bytes"), (v, "big"), Some(&kwargs)) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn decode_dss_signature( py: pyo3::Python<'_>, data: &[u8], @@ -118,7 +118,7 @@ pub(crate) fn encode_der_data<'p>( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn encode_dss_signature<'p>( py: pyo3::Python<'p>, r: pyo3::Bound<'_, pyo3::types::PyLong>, @@ -134,7 +134,7 @@ fn encode_dss_signature<'p>( Ok(pyo3::types::PyBytes::new_bound(py, &result)) } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.asn1")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.asn1")] struct TestCertificate { #[pyo3(get)] not_before_tag: u8, @@ -164,7 +164,7 @@ fn time_tag(t: &Time) -> u8 { } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn test_parse_certificate(data: &[u8]) -> Result { let cert = asn1::parse_single::>(data)?; 
@@ -178,8 +178,8 @@ fn test_parse_certificate(data: &[u8]) -> Result, -) -> pyo3::PyResult> { - let submod = pyo3::prelude::PyModule::new_bound(py, "asn1")?; +) -> pyo3::PyResult> { + let submod = pyo3::types::PyModule::new_bound(py, "asn1")?; submod.add_function(pyo3::wrap_pyfunction_bound!(parse_spki_for_data, &submod)?)?; submod.add_function(pyo3::wrap_pyfunction_bound!(decode_dss_signature, &submod)?)?; diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index ab011c206470..34be02f5efce 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -5,7 +5,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; fn check_length(data: &[u8]) -> CryptographyResult<()> { if data.len() > (i32::MAX as usize) { @@ -444,7 +444,7 @@ impl EvpAead { } } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead")] struct ChaCha20Poly1305 { #[cfg(CRYPTOGRAPHY_IS_BORINGSSL)] ctx: EvpAead, @@ -466,7 +466,7 @@ struct ChaCha20Poly1305 { ctx: LazyEvpCipherAead, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl ChaCha20Poly1305 { #[new] fn new(py: pyo3::Python<'_>, key: pyo3::Py) -> CryptographyResult { @@ -579,7 +579,7 @@ impl ChaCha20Poly1305 { } } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead", name = "AESGCM" @@ -602,7 +602,7 @@ struct AesGcm { ctx: LazyEvpCipherAead, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl AesGcm { #[new] fn new(py: pyo3::Python<'_>, key: pyo3::Py) -> CryptographyResult { 
@@ -696,7 +696,7 @@ impl AesGcm { } } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead", name = "AESCCM" @@ -705,7 +705,7 @@ struct AesCcm { ctx: LazyEvpCipherAead, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl AesCcm { #[new] #[pyo3(signature = (key, tag_length=None))] @@ -834,7 +834,7 @@ impl AesCcm { } } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead", name = "AESSIV" @@ -843,7 +843,7 @@ struct AesSiv { ctx: EvpCipherAead, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl AesSiv { #[new] fn new(key: CffiBuf<'_>) -> CryptographyResult { @@ -932,7 +932,7 @@ impl AesSiv { } } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead", name = "AESOCB3" @@ -941,7 +941,7 @@ struct AesOcb3 { ctx: EvpCipherAead, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl AesOcb3 { #[new] fn new(key: CffiBuf<'_>) -> CryptographyResult { @@ -1042,7 +1042,7 @@ impl AesOcb3 { } } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead", name = "AESGCMSIV" @@ -1051,7 +1051,7 @@ struct AesGcmSiv { ctx: EvpCipherAead, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl AesGcmSiv { #[new] fn new(key: CffiBuf<'_>) -> CryptographyResult { @@ -1155,8 +1155,8 @@ impl AesGcmSiv { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "aead")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "aead")?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index fb829c093731..6157010c0652 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs 
@@ -5,7 +5,7 @@ use std::collections::HashMap; use openssl::cipher::Cipher; -use pyo3::prelude::PyAnyMethods; +use pyo3::types::PyAnyMethods; use crate::error::CryptographyResult; use crate::types; diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index bfcd91096b3b..2d5501835640 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs @@ -7,7 +7,7 @@ use crate::buf::{CffiBuf, CffiMutBuf}; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; use crate::types; -use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyModuleMethods}; use pyo3::IntoPy; struct CipherContext { @@ -191,7 +191,7 @@ impl CipherContext { } } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.ciphers", name = "CipherContext" )] @@ -199,7 +199,7 @@ struct PyCipherContext { ctx: Option, } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.ciphers", name = "AEADEncryptionContext" )] @@ -211,7 +211,7 @@ struct PyAEADEncryptionContext { aad_bytes_remaining: u64, } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.ciphers", name = "AEADDecryptionContext" )] @@ -226,7 +226,7 @@ fn get_mut_ctx(ctx: Option<&mut CipherContext>) -> pyo3::PyResult<&mut CipherCon ctx.ok_or_else(|| exceptions::AlreadyFinalized::new_err("Context was already finalized.")) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl PyCipherContext { fn update<'p>( &mut self, @@ -255,7 +255,7 @@ impl PyCipherContext { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl PyAEADEncryptionContext { fn update<'p>( &mut self, @@ -342,7 +342,7 @@ impl PyAEADEncryptionContext { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl PyAEADDecryptionContext { fn update<'p>( &mut self, 
@@ -470,7 +470,7 @@ impl PyAEADDecryptionContext { } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn create_encryption_ctx( py: pyo3::Python<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, @@ -496,7 +496,7 @@ fn create_encryption_ctx( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn create_decryption_ctx( py: pyo3::Python<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, @@ -528,7 +528,7 @@ fn create_decryption_ctx( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn cipher_supported( py: pyo3::Python<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, @@ -537,7 +537,7 @@ fn cipher_supported( Ok(cipher_registry::get_cipher(py, algorithm, mode.get_type().into_any())?.is_some()) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn _advance(ctx: pyo3::Bound<'_, pyo3::PyAny>, n: u64) { if let Ok(c) = ctx.downcast::() { c.borrow_mut().bytes_remaining -= n; @@ -546,7 +546,7 @@ fn _advance(ctx: pyo3::Bound<'_, pyo3::PyAny>, n: u64) { } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn _advance_aad(ctx: pyo3::Bound<'_, pyo3::PyAny>, n: u64) { if let Ok(c) = ctx.downcast::() { c.borrow_mut().aad_bytes_remaining -= n; @@ -557,8 +557,8 @@ fn _advance_aad(ctx: pyo3::Bound<'_, pyo3::PyAny>, n: u64) { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "ciphers")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "ciphers")?; m.add_function(pyo3::wrap_pyfunction_bound!(create_encryption_ctx, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(create_decryption_ctx, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(cipher_supported, &m)?)?; diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index 646394cd67f5..dd30be2bec68 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs 
@@ -7,9 +7,9 @@ use crate::backend::hashes::already_finalized_error; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods, PyModuleMethods}; -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.cmac", name = "CMAC" )] @@ -102,8 +102,8 @@ impl Cmac { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "cmac")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "cmac")?; m.add_class::()?; diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index afa5a3a1c69f..e615d623ffa3 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs 
@@ -8,26 +8,26 @@ use crate::asn1::encode_der_data; use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; use crate::{types, x509}; -use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyModuleMethods}; const MIN_MODULUS_SIZE: u32 = 512; -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.dh")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.dh")] pub(crate) struct DHPrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.dh")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.dh")] pub(crate) struct DHPublicKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.dh")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.dh")] struct DHParameters { dh: openssl::dh::Dh, } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (generator, key_size, backend=None))] fn generate_parameters( generator: u32, @@ -87,7 +87,7 @@ fn pkey_from_dh( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn from_der_parameters( data: &[u8], @@ -108,7 +108,7 @@ fn from_der_parameters( }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn from_pem_parameters( data: &[u8], @@ -148,7 +148,7 @@ fn clone_dh( Ok(openssl::dh::Dh::from_pqg(p, q, g)?) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DHPrivateKey { #[getter] fn key_size(&self) -> i32 { @@ -253,7 +253,7 @@ impl DHPrivateKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DHPublicKey { #[getter] fn key_size(&self) -> i32 { 
@@ -316,7 +316,7 @@ impl DHPublicKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DHParameters { #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] fn generate_private_key(&self) -> CryptographyResult { @@ -376,7 +376,7 @@ impl DHParameters { } } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] struct DHPrivateNumbers { #[pyo3(get)] x: pyo3::Py, @@ -384,7 +384,7 @@ struct DHPrivateNumbers { public_numbers: pyo3::Py, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] struct DHPublicNumbers { #[pyo3(get)] y: pyo3::Py, @@ -392,7 +392,7 @@ struct DHPublicNumbers { parameter_numbers: pyo3::Py, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] struct DHParameterNumbers { #[pyo3(get)] p: pyo3::Py, @@ -402,7 +402,7 @@ struct DHParameterNumbers { q: Option>, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DHPrivateNumbers { #[new] fn new( @@ -452,7 +452,7 @@ impl DHPrivateNumbers { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DHPublicNumbers { #[new] fn new( @@ -496,7 +496,7 @@ impl DHPublicNumbers { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DHParameterNumbers { #[new] #[pyo3(signature = (p, g, q=None))] 
@@ -556,8 +556,8 @@ impl DHParameterNumbers { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "dh")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "dh")?; m.add_function(pyo3::wrap_pyfunction_bound!(generate_parameters, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_der_parameters, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_pem_parameters, &m)?)?; diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 4e82bbdd45ac..d0218d45ba98 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -6,10 +6,10 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::prelude::PyAnyMethods; -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyAnyMethods; +use pyo3::types::PyModuleMethods; -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.dsa", name = "DSAPrivateKey" @@ -18,7 +18,7 @@ pub(crate) struct DsaPrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.dsa", name = "DSAPublicKey" @@ -27,7 +27,7 @@ pub(crate) struct DsaPublicKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.dsa", name = "DSAParameters" @@ -52,7 +52,7 @@ pub(crate) fn public_key_from_pkey( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn generate_parameters(key_size: u32) -> CryptographyResult { let dsa = openssl::dsa::Dsa::generate_params(key_size)?; Ok(DsaParameters { dsa }) @@ -64,7 +64,7 @@ fn clone_dsa_params( openssl::dsa::Dsa::from_pqg(d.p().to_owned()?, d.q().to_owned()?, d.g().to_owned()?) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DsaPrivateKey { fn sign<'p>( &self, 
@@ -149,7 +149,7 @@ impl DsaPrivateKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DsaPublicKey { fn verify( &self, @@ -222,7 +222,7 @@ impl DsaPublicKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DsaParameters { fn generate_private_key(&self) -> CryptographyResult { let dsa = clone_dsa_params(&self.dsa)?.generate_key()?; @@ -308,7 +308,7 @@ fn check_dsa_private_numbers( Ok(()) } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.primitives.asymmetric.dsa", name = "DSAPrivateNumbers" @@ -320,7 +320,7 @@ struct DsaPrivateNumbers { public_numbers: pyo3::Py, } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.primitives.asymmetric.dsa", name = "DSAPublicNumbers" @@ -332,7 +332,7 @@ struct DsaPublicNumbers { parameter_numbers: pyo3::Py, } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.primitives.asymmetric.dsa", name = "DSAParameterNumbers" @@ -346,7 +346,7 @@ struct DsaParameterNumbers { g: pyo3::Py, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DsaPrivateNumbers { #[new] fn new( @@ -394,7 +394,7 @@ impl DsaPrivateNumbers { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DsaPublicNumbers { #[new] fn new( @@ -451,7 +451,7 @@ impl DsaPublicNumbers { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DsaParameterNumbers { #[new] fn new( @@ -501,8 +501,8 @@ impl DsaParameterNumbers { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "dsa")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "dsa")?; m.add_function(pyo3::wrap_pyfunction_bound!(generate_parameters, &m)?)?; m.add_class::()?; diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index c83943539cc0..6410add35cbe 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs 
@@ -5,21 +5,21 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -use pyo3::prelude::{PyAnyMethods, PyDictMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyDictMethods, PyModuleMethods}; use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ec")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ec")] pub(crate) struct ECPrivateKey { pkey: openssl::pkey::PKey, #[pyo3(get)] curve: pyo3::Py, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ec")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ec")] pub(crate) struct ECPublicKey { pkey: openssl::pkey::PKey, #[pyo3(get)] @@ -125,7 +125,7 @@ fn check_key_infinity( Ok(()) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn curve_supported(py: pyo3::Python<'_>, py_curve: pyo3::Bound<'_, pyo3::PyAny>) -> bool { curve_from_py_curve(py, py_curve, false).is_ok() } @@ -154,7 +154,7 @@ pub(crate) fn public_key_from_pkey( curve: curve.into(), }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (curve, backend=None))] fn generate_private_key( py: pyo3::Python<'_>, @@ -172,7 +172,7 @@ fn generate_private_key( }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn derive_private_key( py: pyo3::Python<'_>, py_private_value: &pyo3::Bound<'_, pyo3::types::PyLong>, @@ -195,7 +195,7 @@ fn derive_private_key( }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_public_bytes( py: pyo3::Python<'_>, py_curve: pyo3::Bound<'_, pyo3::PyAny>, @@ -215,7 +215,7 @@ fn from_public_bytes( }) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl ECPrivateKey { #[getter] fn key_size<'p>( 
@@ -374,7 +374,7 @@ impl ECPrivateKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl ECPublicKey { #[getter] fn key_size<'p>( @@ -459,7 +459,7 @@ impl ECPublicKey { } } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.ec")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.ec")] struct EllipticCurvePrivateNumbers { #[pyo3(get)] private_value: pyo3::Py, @@ -467,7 +467,7 @@ struct EllipticCurvePrivateNumbers { public_numbers: pyo3::Py, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.ec")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.ec")] struct EllipticCurvePublicNumbers { #[pyo3(get)] x: pyo3::Py, @@ -506,7 +506,7 @@ fn public_key_from_numbers( Ok(openssl::ec::EcKey::from_public_key(curve, &point)?) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl EllipticCurvePrivateNumbers { #[new] fn new( @@ -579,7 +579,7 @@ impl EllipticCurvePrivateNumbers { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl EllipticCurvePublicNumbers { #[new] fn new( @@ -672,8 +672,8 @@ impl EllipticCurvePublicNumbers { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "ec")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "ec")?; m.add_function(pyo3::wrap_pyfunction_bound!(curve_supported, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(generate_private_key, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(derive_private_key, &m)?)?; diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index 565f839f7096..ab800d637af8 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs 
@@ -6,19 +6,19 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] pub(crate) struct Ed25519PrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] pub(crate) struct Ed25519PublicKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn generate_key() -> CryptographyResult { Ok(Ed25519PrivateKey { pkey: openssl::pkey::PKey::generate_ed25519()?, @@ -41,7 +41,7 @@ pub(crate) fn public_key_from_pkey( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { let pkey = openssl::pkey::PKey::private_key_from_raw_bytes( data.as_bytes(), @@ -53,7 +53,7 @@ fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { Ok(Ed25519PrivateKey { pkey }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_public_bytes(data: &[u8]) -> pyo3::PyResult { let pkey = openssl::pkey::PKey::public_key_from_raw_bytes(data, openssl::pkey::Id::ED25519) .map_err(|_| { @@ -62,7 +62,7 @@ fn from_public_bytes(data: &[u8]) -> pyo3::PyResult { Ok(Ed25519PublicKey { pkey }) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl Ed25519PrivateKey { fn sign<'p>( &self, @@ -118,7 +118,7 @@ impl Ed25519PrivateKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl Ed25519PublicKey { fn verify(&self, signature: CffiBuf<'_>, data: CffiBuf<'_>) -> CryptographyResult<()> { let valid = openssl::sign::Verifier::new_without_digest(&self.pkey)? 
@@ -162,8 +162,8 @@ impl Ed25519PublicKey { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "ed25519")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "ed25519")?; m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index ef6c193e1fa7..27b716ee5f2e 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -6,19 +6,19 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed448")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed448")] pub(crate) struct Ed448PrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed448")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed448")] pub(crate) struct Ed448PublicKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn generate_key() -> CryptographyResult { Ok(Ed448PrivateKey { pkey: openssl::pkey::PKey::generate_ed448()?, @@ -41,7 +41,7 @@ pub(crate) fn public_key_from_pkey( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { let pkey = openssl::pkey::PKey::private_key_from_raw_bytes(data.as_bytes(), openssl::pkey::Id::ED448) 
@@ -51,7 +51,7 @@ fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { Ok(Ed448PrivateKey { pkey }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_public_bytes(data: &[u8]) -> pyo3::PyResult { let pkey = openssl::pkey::PKey::public_key_from_raw_bytes(data, openssl::pkey::Id::ED448) .map_err(|_| { @@ -60,7 +60,7 @@ fn from_public_bytes(data: &[u8]) -> pyo3::PyResult { Ok(Ed448PublicKey { pkey }) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl Ed448PrivateKey { fn sign<'p>( &self, @@ -116,7 +116,7 @@ impl Ed448PrivateKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl Ed448PublicKey { fn verify(&self, signature: CffiBuf<'_>, data: CffiBuf<'_>) -> CryptographyResult<()> { let valid = openssl::sign::Verifier::new_without_digest(&self.pkey)? @@ -159,8 +159,8 @@ impl Ed448PublicKey { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "ed448")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "ed448")?; m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index bc2c42016de3..4b33e024fc27 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyModuleMethods}; use pyo3::IntoPy; use std::borrow::Cow; 
@@ -10,7 +10,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.hashes")] +#[pyo3::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.hashes")] pub(crate) struct Hash { #[pyo3(get)] algorithm: pyo3::Py, @@ -140,8 +140,8 @@ impl Hash { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "hashes")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "hashes")?; m.add_class::()?; Ok(m) diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs index 5f08ff117167..4488753b91e0 100644 --- a/src/rust/src/backend/hmac.rs +++ b/src/rust/src/backend/hmac.rs @@ -6,9 +6,9 @@ use crate::backend::hashes::{already_finalized_error, message_digest_from_algori use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::prelude::{PyBytesMethods, PyModuleMethods}; +use pyo3::types::{PyBytesMethods, PyModuleMethods}; -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.hmac", name = "HMAC" )] @@ -108,8 +108,8 @@ impl Hmac { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "hmac")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "hmac")?; m.add_class::()?; Ok(m) diff --git a/src/rust/src/backend/kdf.rs b/src/rust/src/backend/kdf.rs index efdd89804f20..52ccd10e9e3d 100644 --- a/src/rust/src/backend/kdf.rs +++ b/src/rust/src/backend/kdf.rs 
@@ -5,9 +5,9 @@ use crate::backend::hashes; use crate::buf::CffiBuf; use crate::error::CryptographyResult; -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn derive_pbkdf2_hmac<'p>( py: pyo3::Python<'p>, key_material: CffiBuf<'_>, @@ -25,7 +25,7 @@ fn derive_pbkdf2_hmac<'p>( } #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[allow(clippy::too_many_arguments)] fn derive_scrypt<'p>( py: pyo3::Python<'p>, @@ -51,8 +51,8 @@ fn derive_scrypt<'p>( pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "kdf")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "kdf")?; m.add_function(pyo3::wrap_pyfunction_bound!(derive_pbkdf2_hmac, &m)?)?; #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index 974f07bb22f1..7240f98c1c3e 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; use pyo3::IntoPy; use crate::backend::utils; @@ -10,7 +10,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, password, backend=None, *, unsafe_skip_rsa_key_validation=false))] fn load_der_private_key( py: pyo3::Python<'_>, @@ -41,7 +41,7 @@ fn load_der_private_key( private_key_from_pkey(py, &pkey, unsafe_skip_rsa_key_validation) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, password, backend=None, *, unsafe_skip_rsa_key_validation=false))] fn load_pem_private_key( py: pyo3::Python<'_>, 
@@ -116,7 +116,7 @@ pub(crate) fn private_key_from_pkey( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn load_der_public_key( py: pyo3::Python<'_>, @@ -145,7 +145,7 @@ pub(crate) fn load_der_public_key_bytes( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn load_pem_public_key( py: pyo3::Python<'_>, @@ -221,8 +221,8 @@ fn public_key_from_pkey( pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "keys")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "keys")?; m.add_function(pyo3::wrap_pyfunction_bound!(load_pem_private_key, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(load_der_private_key, &m)?)?; diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index dd7620c19e2c..1f703485b970 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; pub(crate) mod aead; pub(crate) mod cipher_registry; @@ -25,9 +25,7 @@ pub(crate) mod x25519; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] pub(crate) mod x448; -pub(crate) fn add_to_module( - module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, -) -> pyo3::PyResult<()> { +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { module.add_submodule(&aead::create_module(module.py())?)?; module.add_submodule(&ciphers::create_module(module.py())?)?; module.add_submodule(&cmac::create_module(module.py())?)?; diff --git a/src/rust/src/backend/poly1305.rs b/src/rust/src/backend/poly1305.rs index b1c3698700a4..4d07985407af 100644 --- a/src/rust/src/backend/poly1305.rs +++ b/src/rust/src/backend/poly1305.rs 
@@ -6,7 +6,7 @@ use crate::backend::hashes::already_finalized_error; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::prelude::{PyBytesMethods, PyModuleMethods}; +use pyo3::types::{PyBytesMethods, PyModuleMethods}; #[cfg(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_LIBRESSL))] struct Poly1305Boring { @@ -88,7 +88,7 @@ impl Poly1305Open { } } -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.poly1305")] +#[pyo3::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.poly1305")] struct Poly1305 { #[cfg(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_LIBRESSL))] inner: Option, @@ -167,8 +167,8 @@ impl Poly1305 { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "poly1305")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "poly1305")?; m.add_class::()?; diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 461e6a7a345e..6636ab695a7c 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -9,9 +9,9 @@ use crate::backend::{hashes, utils}; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyModuleMethods}; -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.rsa", name = "RSAPrivateKey" @@ -20,7 +20,7 @@ pub(crate) struct RsaPrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.rsa", name = "RSAPublicKey" 
@@ -61,7 +61,7 @@ pub(crate) fn public_key_from_pkey( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResult { let e = openssl::bn::BigNum::from_u32(public_exponent)?; let rsa = openssl::rsa::Rsa::generate_with_e(key_size, &e)?; @@ -278,7 +278,7 @@ fn setup_signature_ctx( Ok(()) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl RsaPrivateKey { fn sign<'p>( &self, @@ -417,7 +417,7 @@ impl RsaPrivateKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl RsaPublicKey { fn verify( &self, @@ -530,7 +530,7 @@ impl RsaPublicKey { } } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.primitives.asymmetric.rsa", name = "RSAPrivateNumbers" @@ -552,7 +552,7 @@ struct RsaPrivateNumbers { public_numbers: pyo3::Py, } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.primitives.asymmetric.rsa", name = "RSAPublicNumbers" @@ -650,7 +650,7 @@ fn check_private_key_components( Ok(()) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl RsaPrivateNumbers { #[new] fn new( @@ -766,7 +766,7 @@ fn check_public_key_components( Ok(()) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl RsaPublicNumbers { #[new] fn new(e: pyo3::Py, n: pyo3::Py) -> RsaPublicNumbers { @@ -816,8 +816,8 @@ impl RsaPublicNumbers { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "rsa")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "rsa")?; m.add_function(pyo3::wrap_pyfunction_bound!(generate_private_key, &m)?)?; m.add_class::()?; diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 264ccf67053b..616ace7cb0d4 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs 
@@ -5,7 +5,7 @@ use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; use crate::{error, types}; -use pyo3::prelude::{PyAnyMethods, PyBytesMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods}; use pyo3::ToPyObject; pub(crate) fn py_int_to_bn( diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 045aa909596c..9e22c0ab998d 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -5,19 +5,19 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::CryptographyResult; -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x25519")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x25519")] pub(crate) struct X25519PrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x25519")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x25519")] pub(crate) struct X25519PublicKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn generate_key() -> CryptographyResult { Ok(X25519PrivateKey { pkey: openssl::pkey::PKey::generate_x25519()?, @@ -40,7 +40,7 @@ pub(crate) fn public_key_from_pkey( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { let pkey = openssl::pkey::PKey::private_key_from_raw_bytes(data.as_bytes(), openssl::pkey::Id::X25519) @@ -52,7 +52,7 @@ fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { Ok(X25519PrivateKey { pkey }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_public_bytes(data: &[u8]) -> pyo3::PyResult { let pkey = openssl::pkey::PKey::public_key_from_raw_bytes(data, openssl::pkey::Id::X25519) .map_err(|_| { 
@@ -61,7 +61,7 @@ fn from_public_bytes(data: &[u8]) -> pyo3::PyResult { Ok(X25519PublicKey { pkey }) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl X25519PrivateKey { fn exchange<'p>( &self, @@ -122,7 +122,7 @@ impl X25519PrivateKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl X25519PublicKey { fn public_bytes_raw<'p>( &self, @@ -152,8 +152,8 @@ impl X25519PublicKey { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "x25519")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "x25519")?; m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 1d8d9e5837cc..4b88035d3226 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -5,19 +5,19 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::CryptographyResult; -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x448")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x448")] pub(crate) struct X448PrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x448")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x448")] pub(crate) struct X448PublicKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn generate_key() -> CryptographyResult { Ok(X448PrivateKey { pkey: openssl::pkey::PKey::generate_x448()?, 
@@ -40,7 +40,7 @@ pub(crate) fn public_key_from_pkey( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { let pkey = openssl::pkey::PKey::private_key_from_raw_bytes(data.as_bytes(), openssl::pkey::Id::X448) @@ -51,7 +51,7 @@ fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { })?; Ok(X448PrivateKey { pkey }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_public_bytes(data: &[u8]) -> pyo3::PyResult { let pkey = openssl::pkey::PKey::public_key_from_raw_bytes(data, openssl::pkey::Id::X448) .map_err(|_| { @@ -60,7 +60,7 @@ fn from_public_bytes(data: &[u8]) -> pyo3::PyResult { Ok(X448PublicKey { pkey }) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl X448PrivateKey { fn exchange<'p>( &self, @@ -121,7 +121,7 @@ impl X448PrivateKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl X448PublicKey { fn public_bytes_raw<'p>( &self, @@ -151,8 +151,8 @@ impl X448PublicKey { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "x448")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "x448")?; m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index ff9ca0c3d7e5..15ace0442bbc 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs @@ -3,8 +3,8 @@ // for complete details. use crate::types; -use pyo3::prelude::PyAnyMethods; use pyo3::types::IntoPyDict; +use pyo3::types::PyAnyMethods; use std::slice; pub(crate) struct CffiBuf<'p> { diff --git a/src/rust/src/error.rs b/src/rust/src/error.rs index 380531c65509..81901e1ad91e 100644 --- a/src/rust/src/error.rs +++ b/src/rust/src/error.rs 
@@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::prelude::PyListMethods; +use pyo3::types::PyListMethods; use pyo3::ToPyObject; use crate::exceptions; @@ -148,12 +148,12 @@ impl CryptographyError { // https://github.com/pyca/cryptography/pull/6173 pub(crate) type CryptographyResult = Result; -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] pub(crate) fn raise_openssl_error() -> crate::error::CryptographyResult<()> { Err(openssl::error::ErrorStack::get().into()) } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl")] pub(crate) struct OpenSSLError { e: openssl::error::Error, } @@ -186,7 +186,7 @@ impl OpenSSLError { } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] pub(crate) fn capture_error_stack( py: pyo3::Python<'_>, ) -> pyo3::PyResult> { diff --git a/src/rust/src/exceptions.rs b/src/rust/src/exceptions.rs index d6d7afb060a0..ff789105447b 100644 --- a/src/rust/src/exceptions.rs +++ b/src/rust/src/exceptions.rs @@ -2,9 +2,9 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, eq, module = "cryptography.hazmat.bindings._rust.exceptions", @@ -41,8 +41,8 @@ pyo3::import_exception_bound!(cryptography.x509, InvalidVersion); pub(crate) fn create_submodule( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let submod = pyo3::prelude::PyModule::new_bound(py, "exceptions")?; +) -> pyo3::PyResult> { + let submod = pyo3::types::PyModule::new_bound(py, "exceptions")?; submod.add_class::()?; diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 383716764961..bed02d09e235 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs 
@@ -9,7 +9,7 @@ use crate::error::CryptographyResult; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use openssl::provider; -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use std::env; @@ -26,7 +26,7 @@ pub(crate) mod types; mod x509; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust")] +#[pyo3::pyclass(module = "cryptography.hazmat.bindings._rust")] struct LoadedProviders { legacy: Option, _default: provider::Provider, @@ -34,17 +34,17 @@ struct LoadedProviders { fips: Option, } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn openssl_version() -> i64 { openssl::version::number() } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn openssl_version_text() -> &'static str { openssl::version::version() } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn is_fips_enabled() -> bool { cryptography_openssl::fips::is_enabled() } @@ -84,14 +84,14 @@ fn _legacy_provider_error(success: bool) -> pyo3::PyResult<()> { } #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn enable_fips(providers: &mut LoadedProviders) -> CryptographyResult<()> { providers.fips = Some(provider::Provider::load(None, "fips")?); cryptography_openssl::fips::enable()?; Ok(()) } -#[pyo3::prelude::pymodule] +#[pyo3::pymodule] fn _rust(py: pyo3::Python<'_>, m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { m.add_function(pyo3::wrap_pyfunction_bound!( padding::check_pkcs7_padding, 
@@ -109,7 +109,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> py m.add_submodule(&pkcs12::create_submodule(py)?)?; m.add_submodule(&exceptions::create_submodule(py)?)?; - let x509_mod = pyo3::prelude::PyModule::new_bound(py, "x509")?; + let x509_mod = pyo3::types::PyModule::new_bound(py, "x509")?; crate::x509::certificate::add_to_module(&x509_mod)?; crate::x509::common::add_to_module(&x509_mod)?; crate::x509::crl::add_to_module(&x509_mod)?; @@ -118,14 +118,14 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> py crate::x509::verify::add_to_module(&x509_mod)?; m.add_submodule(&x509_mod)?; - let ocsp_mod = pyo3::prelude::PyModule::new_bound(py, "ocsp")?; + let ocsp_mod = pyo3::types::PyModule::new_bound(py, "ocsp")?; crate::x509::ocsp_req::add_to_module(&ocsp_mod)?; crate::x509::ocsp_resp::add_to_module(&ocsp_mod)?; m.add_submodule(&ocsp_mod)?; m.add_submodule(&cryptography_cffi::create_module(py)?)?; - let openssl_mod = pyo3::prelude::PyModule::new_bound(py, "openssl")?; + let openssl_mod = pyo3::types::PyModule::new_bound(py, "openssl")?; openssl_mod.add( "CRYPTOGRAPHY_OPENSSL_300_OR_GREATER", cfg!(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index 66aef8a882ab..fb64837b6bff 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs @@ -4,11 +4,11 @@ use crate::error::CryptographyResult; use crate::types; -use pyo3::prelude::PyAnyMethods; +use pyo3::types::PyAnyMethods; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] pub(crate) struct ObjectIdentifier { pub(crate) oid: asn1::ObjectIdentifier, } diff --git a/src/rust/src/padding.rs b/src/rust/src/padding.rs index c4396c26f258..f6a13572f622 100644 --- a/src/rust/src/padding.rs +++ b/src/rust/src/padding.rs 
@@ -20,7 +20,7 @@ fn constant_time_lt(a: u8, b: u8) -> u8 { duplicate_msb_to_all(a ^ ((a ^ b) | (a.wrapping_sub(b) ^ b))) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] pub(crate) fn check_pkcs7_padding(data: &[u8]) -> bool { let mut mismatch = 0; let pad_size = *data.last().unwrap(); @@ -43,7 +43,7 @@ pub(crate) fn check_pkcs7_padding(data: &[u8]) -> bool { (mismatch & 1) == 0 } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] pub(crate) fn check_ansix923_padding(data: &[u8]) -> bool { let mut mismatch = 0; let pad_size = *data.last().unwrap(); @@ -67,13 +67,13 @@ pub(crate) fn check_ansix923_padding(data: &[u8]) -> bool { (mismatch & 1) == 0 } -#[pyo3::prelude::pyclass] +#[pyo3::pyclass] pub(crate) struct PKCS7PaddingContext { block_size: usize, length_seen: Option, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl PKCS7PaddingContext { #[new] fn new(block_size: usize) -> PKCS7PaddingContext { diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 1ccf21377402..7436146bcacb 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -8,12 +8,12 @@ use crate::error::CryptographyResult; use crate::x509::certificate::Certificate; use crate::{types, x509}; use cryptography_x509::common::Utf8StoredBMPString; -use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; use pyo3::IntoPy; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -#[pyo3::prelude::pyclass(frozen)] +#[pyo3::pyclass(frozen)] struct PKCS12Certificate { #[pyo3(get)] certificate: pyo3::Py, @@ -21,7 +21,7 @@ struct PKCS12Certificate { friendly_name: Option>, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl PKCS12Certificate { #[new] #[pyo3(signature = (cert, friendly_name=None))] 
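Review bot: `let pad_size = *data.last().unwrap();` in `check_pkcs7_padding` panics on an empty slice, and the same line appears in `check_ansix923_padding` in the next hunk; both functions are exported to Python through `#[pyo3::pyfunction]`. If any caller can reach them with a zero-length buffer, the panic would surface as pyo3's `PanicException` rather than an ordinary invalid-padding result; the callers are not visible here, so this may already be guarded on the Python side. If that guard exists, state it next to the unwrap, e.g. `// Precondition: data is non-empty (enforced by the caller)`. Otherwise handle it explicitly with `let pad_size = match data.last() { Some(&b) => b, None => return false };`, which leaves the constant-time comparison unaffected because the input length is not secret. Both function bodies continue outside their hunks.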
@@ -256,7 +256,7 @@ enum CertificateOrPKCS12Certificate { PKCS12Certificate(pyo3::Py), } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (name, key, cert, cas, encryption_algorithm))] fn serialize_key_and_certificates<'p>( py: pyo3::Python<'p>, @@ -406,7 +406,7 @@ fn decode_p12( Ok(parsed) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, password, backend=None))] fn load_key_and_certificates<'p>( py: pyo3::Python<'p>, @@ -457,7 +457,7 @@ fn load_key_and_certificates<'p>( Ok((private_key, cert, additional_certs)) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, password, backend=None))] fn load_pkcs12<'p>( py: pyo3::Python<'p>, @@ -516,8 +516,8 @@ fn load_pkcs12<'p>( pub(crate) fn create_submodule( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let submod = pyo3::prelude::PyModule::new_bound(py, "pkcs12")?; +) -> pyo3::PyResult> { + let submod = pyo3::types::PyModule::new_bound(py, "pkcs12")?; submod.add_function(pyo3::wrap_pyfunction_bound!( load_key_and_certificates, diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index e08a67e73a2f..86ef48cc4de4 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -11,7 +11,7 @@ use cryptography_x509::{common, oid, pkcs7}; use once_cell::sync::Lazy; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use openssl::pkcs7::Pkcs7; -use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use pyo3::IntoPy; @@ -36,7 +36,7 @@ static OIDS_TO_MIC_NAME: Lazy> = Lazy::ne h }); -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn serialize_certificates<'p>( py: pyo3::Python<'p>, py_certs: Vec>, 
@@ -75,7 +75,7 @@ fn serialize_certificates<'p>( encode_der_data(py, "PKCS7".to_string(), content_info_bytes, encoding) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn sign_and_serialize<'p>( py: pyo3::Python<'p>, builder: &pyo3::Bound<'p, pyo3::PyAny>, @@ -355,7 +355,7 @@ fn load_pkcs7_certificates( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn load_pem_pkcs7_certificates<'p>( py: pyo3::Python<'p>, data: &[u8], @@ -381,7 +381,7 @@ fn load_pem_pkcs7_certificates<'p>( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn load_der_pkcs7_certificates<'p>( py: pyo3::Python<'p>, data: &[u8], @@ -409,8 +409,8 @@ fn load_der_pkcs7_certificates<'p>( pub(crate) fn create_submodule( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let submod = pyo3::prelude::PyModule::new_bound(py, "pkcs7")?; +) -> pyo3::PyResult> { + let submod = pyo3::types::PyModule::new_bound(py, "pkcs7")?; submod.add_function(pyo3::wrap_pyfunction_bound!( serialize_certificates, diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index d64b521a1887..7b3fb35392e2 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::prelude::PyAnyMethods; +use pyo3::types::PyAnyMethods; pub struct LazyPyImport { module: &'static str, diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 0b5e89bd37bf..2bf3b4406fe3 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -17,7 +17,7 @@ use cryptography_x509::extensions::{ use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; use cryptography_x509_verification::ops::CryptoOps; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::{IntoPy, ToPyObject}; use crate::asn1::{ 
@@ -38,13 +38,13 @@ self_cell::self_cell!( } ); -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] pub(crate) struct Certificate { pub(crate) raw: OwnedCertificate, pub(crate) cached_extensions: pyo3::sync::GILOnceCell, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl Certificate { fn __hash__(&self) -> u64 { let mut hasher = DefaultHasher::new(); @@ -364,7 +364,7 @@ fn cert_version( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn load_pem_x509_certificate( py: pyo3::Python<'_>, @@ -387,7 +387,7 @@ fn load_pem_x509_certificate( ) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn load_pem_x509_certificates( py: pyo3::Python<'_>, data: &[u8], @@ -411,7 +411,7 @@ fn load_pem_x509_certificates( Ok(certs) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] pub(crate) fn load_der_x509_certificate( py: pyo3::Python<'_>, @@ -885,7 +885,7 @@ pub(crate) fn time_from_datetime(dt: asn1::DateTime) -> CryptographyResult, builder: &pyo3::Bound<'_, pyo3::PyAny>, diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 89baee082673..98d4b2e71bfb 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -7,8 +7,8 @@ use cryptography_x509::extensions::{ AccessDescription, DuplicateExtensionsError, Extension, Extensions, RawExtensions, }; use cryptography_x509::name::{GeneralName, Name, NameReadable, OtherName, UnvalidatedIA5String}; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::types::IntoPyDict; +use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::{IntoPy, ToPyObject}; use crate::asn1::{oid_to_py_oid, py_oid_to_oid}; 
@@ -88,7 +88,7 @@ pub(crate) fn encode_name_entry<'p>( }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn encode_name_bytes<'p>( py: pyo3::Python<'p>, py_name: &pyo3::Bound<'p, pyo3::PyAny>, @@ -457,7 +457,7 @@ pub(crate) fn encode_extensions< ))) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn encode_extension_value<'p>( py: pyo3::Python<'p>, py_ext: pyo3::Bound<'p, pyo3::PyAny>, diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 52cadde0e24c..c4d683ba1c1b 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -13,7 +13,7 @@ use cryptography_x509::{ }, name, oid, }; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods, PySliceMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods, PySliceMethods}; use pyo3::ToPyObject; use crate::asn1::{ @@ -24,7 +24,7 @@ use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, extensions, sign}; use crate::{exceptions, types, x509}; -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn load_der_x509_crl( py: pyo3::Python<'_>, @@ -54,7 +54,7 @@ fn load_der_x509_crl( }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn load_pem_x509_crl( py: pyo3::Python<'_>, @@ -83,7 +83,7 @@ self_cell::self_cell!( } ); -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] struct CertificateRevocationList { owned: Arc, @@ -113,7 +113,7 @@ impl CertificateRevocationList { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl CertificateRevocationList { fn __eq__(&self, other: pyo3::PyRef<'_, CertificateRevocationList>) -> bool { self.owned.borrow_dependent() == other.owned.borrow_dependent() 
@@ -455,7 +455,7 @@ self_cell::self_cell!( } ); -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.x509")] +#[pyo3::pyclass(module = "cryptography.hazmat.bindings._rust.x509")] struct CRLIterator { contents: OwnedCRLIteratorData, } @@ -485,7 +485,7 @@ fn try_map_arc_data_mut_crl_iterator( }) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl CRLIterator { fn __len__(&self) -> usize { self.contents @@ -534,13 +534,13 @@ impl Clone for OwnedRevokedCertificate { } } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] struct RevokedCertificate { owned: OwnedRevokedCertificate, cached_extensions: pyo3::sync::GILOnceCell, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl RevokedCertificate { #[getter] fn serial_number<'p>( @@ -642,7 +642,7 @@ pub fn parse_crl_entry_ext<'p>( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn create_x509_crl( py: pyo3::Python<'_>, builder: &pyo3::Bound<'_, pyo3::PyAny>, diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index a9823f2c2fc5..61d0809d404d 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -8,7 +8,7 @@ use std::hash::{Hash, Hasher}; use asn1::SimpleAsn1Readable; use cryptography_x509::csr::{check_attribute_length, Attribute, CertificationRequestInfo, Csr}; use cryptography_x509::{common, oid}; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::IntoPy; use crate::asn1::{encode_der_data, oid_to_py_oid, py_oid_to_oid}; 
@@ -26,13 +26,13 @@ self_cell::self_cell!( } ); -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] struct CertificateSigningRequest { raw: OwnedCsr, cached_extensions: pyo3::sync::GILOnceCell, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl CertificateSigningRequest { fn __hash__(&self, py: pyo3::Python<'_>) -> u64 { let mut hasher = DefaultHasher::new(); @@ -235,7 +235,7 @@ impl CertificateSigningRequest { } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn load_pem_x509_csr( py: pyo3::Python<'_>, @@ -258,7 +258,7 @@ fn load_pem_x509_csr( ) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn load_der_x509_csr( py: pyo3::Python<'_>, @@ -285,7 +285,7 @@ fn load_der_x509_csr( }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn create_x509_csr( py: pyo3::Python<'_>, builder: &pyo3::Bound<'_, pyo3::PyAny>, diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index bb8e9a55cb95..9bd942542393 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -8,8 +8,8 @@ use crate::asn1::{py_oid_to_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, sct}; use crate::{types, x509}; -use pyo3::prelude::PyAnyMethods; use pyo3::pybacked::PyBackedStr; +use pyo3::types::PyAnyMethods; fn encode_general_subtrees<'a>( py: pyo3::Python<'_>, @@ -39,7 +39,7 @@ pub(crate) fn encode_authority_key_identifier<'a>( py: pyo3::Python<'a>, py_aki: &pyo3::Bound<'a, pyo3::PyAny>, ) -> CryptographyResult> { - #[derive(pyo3::prelude::FromPyObject)] + #[derive(pyo3::FromPyObject)] struct PyAuthorityKeyIdentifier<'a> { key_identifier: Option, authority_cert_issuer: Option>, 
@@ -77,7 +77,7 @@ pub(crate) fn encode_distribution_points<'p>( py: pyo3::Python<'p>, py_dps: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - #[derive(pyo3::prelude::FromPyObject)] + #[derive(pyo3::FromPyObject)] struct PyDistributionPoint<'a> { crl_issuer: Option>, full_name: Option>, @@ -132,7 +132,7 @@ pub(crate) fn encode_distribution_points<'p>( } fn encode_basic_constraints(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult> { - #[derive(pyo3::prelude::FromPyObject)] + #[derive(pyo3::FromPyObject)] struct PyBasicConstraints { ca: bool, path_length: Option, diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index 4588c41aef39..b632532f1573 100644 --- a/src/rust/src/x509/ocsp.rs +++ b/src/rust/src/x509/ocsp.rs @@ -7,7 +7,7 @@ use std::collections::HashMap; use cryptography_x509::common; use cryptography_x509::ocsp_req::CertID; use once_cell::sync::Lazy; -use pyo3::prelude::PyAnyMethods; +use pyo3::types::PyAnyMethods; use crate::backend::hashes::Hash; use crate::error::CryptographyResult; diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index a411904b2588..d56ed0823ee9 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -7,7 +7,7 @@ use cryptography_x509::{ ocsp_req::{self, OCSPRequest as RawOCSPRequest}, oid, }; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; @@ -22,7 +22,7 @@ self_cell::self_cell!( } ); -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn load_der_ocsp_request( py: pyo3::Python<'_>, data: pyo3::Py, 
@@ -50,7 +50,7 @@ fn load_der_ocsp_request( }) } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] struct OCSPRequest { raw: OwnedOCSPRequest, @@ -71,7 +71,7 @@ impl OCSPRequest { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl OCSPRequest { #[getter] fn issuer_name_hash(&self) -> &[u8] { @@ -165,7 +165,7 @@ impl OCSPRequest { } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn create_ocsp_request( py: pyo3::Python<'_>, builder: &pyo3::Bound<'_, pyo3::PyAny>, @@ -229,9 +229,7 @@ fn create_ocsp_request( load_der_ocsp_request(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()) } -pub(crate) fn add_to_module( - module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, -) -> pyo3::PyResult<()> { +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { module.add_function(pyo3::wrap_pyfunction_bound!(load_der_ocsp_request, module)?)?; module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_request, module)?)?; diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 3233d0b4d9a1..2250decae428 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -10,7 +10,7 @@ use cryptography_x509::{ ocsp_resp::{self, OCSPResponse as RawOCSPResponse, SingleResponse as RawSingleResponse}, oid, }; -use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; use crate::error::{CryptographyError, CryptographyResult}; @@ -19,7 +19,7 @@ use crate::{exceptions, types, x509}; const BASIC_RESPONSE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 5, 5, 7, 48, 1, 1); -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn load_der_ocsp_response( py: pyo3::Python<'_>, data: pyo3::Py, 
@@ -72,7 +72,7 @@ self_cell::self_cell!( } ); -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] struct OCSPResponse { raw: Arc, @@ -99,7 +99,7 @@ const TRY_LATER_RESPONSE: u32 = 3; const SIG_REQUIRED_RESPONSE: u32 = 5; const UNAUTHORIZED_RESPONSE: u32 = 6; -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl OCSPResponse { #[getter] fn responses(&self) -> Result { @@ -588,7 +588,7 @@ fn singleresp_py_revocation_time<'p>( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn create_ocsp_response( py: pyo3::Python<'_>, status: &pyo3::Bound<'_, pyo3::PyAny>, @@ -788,12 +788,12 @@ self_cell::self_cell!( } ); -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.ocsp")] +#[pyo3::pyclass(module = "cryptography.hazmat.bindings._rust.ocsp")] struct OCSPResponseIterator { contents: OwnedOCSPResponseIteratorData, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl OCSPResponseIterator { fn __iter__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { slf @@ -820,7 +820,7 @@ self_cell::self_cell!( } ); -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] struct OCSPSingleResponse { raw: OwnedSingleResponse, } @@ -831,7 +831,7 @@ impl OCSPSingleResponse { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl OCSPSingleResponse { #[getter] fn serial_number<'p>( @@ -908,9 +908,7 @@ impl OCSPSingleResponse { } } -pub(crate) fn add_to_module( - module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, -) -> pyo3::PyResult<()> { +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { module.add_function(pyo3::wrap_pyfunction_bound!( load_der_ocsp_response, module diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index a5b2d920a84c..54315cdcc412 100644 
--- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -5,7 +5,7 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -use pyo3::prelude::{PyAnyMethods, PyDictMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyDictMethods, PyListMethods, PyModuleMethods}; use pyo3::ToPyObject; use crate::error::CryptographyError; @@ -128,7 +128,7 @@ impl TryFrom for SignatureAlgorithm { } } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] pub(crate) struct Sct { log_id: [u8; 32], timestamp: u64, @@ -141,7 +141,7 @@ pub(crate) struct Sct { pub(crate) sct_data: Vec, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl Sct { fn __eq__(&self, other: pyo3::PyRef<'_, Sct>) -> bool { self.sct_data == other.sct_data @@ -259,9 +259,7 @@ pub(crate) fn parse_scts( Ok(py_scts.to_object(py)) } -pub(crate) fn add_to_module( - module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, -) -> pyo3::PyResult<()> { +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { module.add_class::()?; Ok(()) diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index a97627cd215e..4e96b8a8e02d 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -6,8 +6,8 @@ use std::collections::HashMap; use cryptography_x509::{common, oid}; use once_cell::sync::Lazy; -use pyo3::prelude::PyAnyMethods; use pyo3::pybacked::PyBackedBytes; +use pyo3::types::PyAnyMethods; use crate::asn1::oid_to_py_oid; use crate::error::{CryptographyError, CryptographyResult}; diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 73f354544685..0b3a83552a06 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs 
@@ -11,7 +11,7 @@ use cryptography_x509_verification::{ trust_store::Store, types::{DNSName, IPAddress}, }; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; use crate::backend::keys; use crate::error::{CryptographyError, CryptographyResult}; From 986a6c22231bc5f587e9aab89d5a564b0aa80c63 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 27 Jun 2024 00:16:10 +0000 Subject: [PATCH 0737/1462] Bump BoringSSL and/or OpenSSL in CI (#11169) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6da1473a348d..30284deabd22 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jun 26, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "30dc37d798a0428fd477d3763086e7e97b3d596f"}} + # Latest commit on the OpenSSL master branch, as of Jun 27, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b76a6c26a254b4cc428275fc0ced56759dd5088a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From c7b7c627c8717f3628664071cdb0c38f6bfcb1ce Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 27 Jun 2024 07:15:24 -0400 Subject: [PATCH 0738/1462] Bump twine from 5.1.0 to 5.1.1 in /.github/requirements (#11171) Bumps [twine](https://github.com/pypa/twine) from 5.1.0 to 5.1.1. - [Release notes](https://github.com/pypa/twine/releases) - [Changelog](https://github.com/pypa/twine/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/twine/compare/5.1.0...v5.1.1) --- updated-dependencies: - dependency-name: twine dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 688680a343a2..0f49d56e0404 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -260,9 +260,9 @@ nh3==0.2.17 \ --hash=sha256:c790769152308421283679a142dbdb3d1c46c79c823008ecea8e8141db1a2062 \ --hash=sha256:d7a25fd8c86657f5d9d576268e3b3767c5cd4f42867c9383618be8517f0f022a # via readme-renderer -pkginfo==1.11.1 \ - --hash=sha256:2e0dca1cf4c8e39644eed32408ea9966ee15e0d324c62ba899a393b3c6b467aa \ - --hash=sha256:bfa76a714fdfc18a045fcd684dbfc3816b603d9d075febef17cb6582bea29573 +pkginfo==1.10.0 \ + --hash=sha256:5df73835398d10db79f8eecd5cd86b1f6d29317589ea70796994d49399af6297 \ + --hash=sha256:889a6da2ed7ffc58ab5b900d888ddce90bce912f2d2de1dc1c26f4cb9fe65097 # via twine pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ 
@@ -301,9 +301,9 @@ secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ --hash=sha256:f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99 # via keyring -twine==5.1.0 \ - --hash=sha256:4d74770c88c4fcaf8134d2a6a9d863e40f08255ff7d8e2acb3cbbd57d25f6e9d \ - --hash=sha256:fe1d814395bfe50cfbe27783cb74efe93abeac3f66deaeb6c8390e4e92bacb43 +twine==5.1.1 \ + --hash=sha256:215dbe7b4b94c2c50a7315c0275d2258399280fbb7d04182c7e55e24b5f93997 \ + --hash=sha256:9aa0825139c02b3434d913545c7b847a21c835e11597f5255842d457da2322db # via -r publish-requirements.in urllib3==2.2.2 \ --hash=sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472 \ From 541beda62fde26ee16f98092e553a17cac8e8943 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 27 Jun 2024 07:15:37 -0400 Subject: [PATCH 0739/1462] Bump importlib-metadata from 7.2.1 to 8.0.0 in /.github/requirements (#11167) Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 7.2.1 to 8.0.0. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v7.2.1...v8.0.0) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 0f49d56e0404..72c2c1b5f011 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -200,9 +200,9 @@ idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 # via requests -importlib-metadata==7.2.1 \ - --hash=sha256:509ecb2ab77071db5137c655e24ceb3eee66e7bbc6574165d0d114d9fc4bbe68 \ - --hash=sha256:ffef94b0b66046dd8ea2d619b701fe978d9264d38f3998bc4c27ec3b146a87c8 +importlib-metadata==8.0.0 \ + --hash=sha256:15584cf2b1bf449d98ff8a6ff1abef57bf20f3ac6454f431736cd3e660921b2f \ + --hash=sha256:188bd24e4c346d3f0a933f275c2fec67050326a856b9a359881d7c2a697e8812 # via # keyring # twine From 3288b9a1667c89ce7dc327c03911b379ae8f9a7f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 28 Jun 2024 04:32:21 +0300 Subject: [PATCH 0740/1462] Bump BoringSSL and/or OpenSSL in CI (#11174) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 30284deabd22..e079452ff2c6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jun 27, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b76a6c26a254b4cc428275fc0ced56759dd5088a"}} + # Latest commit on the OpenSSL master branch, as of Jun 28, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fbd6609bb21b125c9454d07c484d166a33b4815b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} 
From 4a1dcfa8b584d17b19d4bb3084b5c87e4c1038ab Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 28 Jun 2024 07:02:49 -0400 Subject: [PATCH 0741/1462] Bump ruff from 0.4.10 to 0.5.0 (#11176) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.10 to 0.5.0. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.10...0.5.0) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 60df244084bb..ae6896d7daac 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.4.10 +ruff==0.5.0 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 17711c14aec0ac76276d986b2f40ccae89ad96ef Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 29 Jun 2024 00:15:22 +0000 Subject: [PATCH 0742/1462] Bump BoringSSL and/or OpenSSL in CI (#11179) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e079452ff2c6..d30e1a1c7eed 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jun 28, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fbd6609bb21b125c9454d07c484d166a33b4815b"}} + # Latest commit on the OpenSSL master branch, as of Jun 29, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7afa7731e924d5ac10fc992d8cd777f407d33af9"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 56933bf61a4539a1306534a196e67e40c5084719 Mon Sep 17 00:00:00 2001 From: David Buchanan Date: Sat, 29 Jun 2024 16:23:57 +0100 Subject: [PATCH 0743/1462] utils.int_to_bytes: guard against zero-length (#11173) * utils: guard against zero-length int_to_bytes * add tests for HBKDF with llen=0 * kbkdf: guard against llen==0 * test that kbkdf rejects llen==0 at __init__ * add standalone test for zero-length int_to_bytes * Update src/cryptography/hazmat/primitives/kdf/kbkdf.py typo Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- .../hazmat/primitives/kdf/kbkdf.py | 3 ++ src/cryptography/utils.py | 2 ++ tests/hazmat/primitives/test_kbkdf.py | 30 +++++++++++++++++++ tests/test_utils.py | 7 +++++ 4 files changed, 42 insertions(+) diff --git a/src/cryptography/hazmat/primitives/kdf/kbkdf.py b/src/cryptography/hazmat/primitives/kdf/kbkdf.py index 9ae817d4e6ae..802b484c72ae 100644 --- a/src/cryptography/hazmat/primitives/kdf/kbkdf.py +++ b/src/cryptography/hazmat/primitives/kdf/kbkdf.py 
@@ -87,6 +87,9 @@ def __init__( if llen is not None and not isinstance(llen, int): raise TypeError("llen must be an integer") + if llen == 0: + raise ValueError("llen must be non-zero") + if label is None: label = b"" diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py index b3f6e736918a..706d0ae4cbd7 100644 --- a/src/cryptography/utils.py +++ b/src/cryptography/utils.py @@ -41,6 +41,8 @@ def _check_byteslike(name: str, value: bytes) -> None: def int_to_bytes(integer: int, length: int | None = None) -> bytes: + if length == 0: + raise ValueError("length argument can't be 0") return integer.to_bytes( length or (integer.bit_length() + 7) // 8 or 1, "big" ) diff --git a/tests/hazmat/primitives/test_kbkdf.py b/tests/hazmat/primitives/test_kbkdf.py index 965075d2ce2d..e812b464ce93 100644 --- a/tests/hazmat/primitives/test_kbkdf.py +++ b/tests/hazmat/primitives/test_kbkdf.py @@ -159,6 +159,21 @@ def test_r_type(self, backend): backend=backend, ) + def test_zero_llen(self, backend): + with pytest.raises(ValueError): + KBKDFHMAC( + hashes.SHA256(), + Mode.CounterMode, + 32, + 4, + 0, + CounterLocation.BeforeFixed, + b"label", + b"context", + None, + backend=backend, + ) + def test_l_type(self, backend): with pytest.raises(TypeError): KBKDFHMAC( @@ -615,6 +630,21 @@ def test_r_type(self, backend): backend=backend, ) + def test_zero_llen(self, backend): + with pytest.raises(ValueError): + KBKDFCMAC( + algorithms.AES, + Mode.CounterMode, + 32, + 4, + 0, + CounterLocation.BeforeFixed, + b"label", + b"context", + None, + backend=backend, + ) + def test_l_type(self, backend): with pytest.raises(TypeError): KBKDFCMAC( diff --git a/tests/test_utils.py b/tests/test_utils.py index 191cc913a472..5e5f506f82b1 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py 
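Review bot: The guard added to `__init__` in kbkdf.py rejects only `llen == 0`, so a negative `llen` still passes both it and the `isinstance` check above. Such a value would presumably fail only later, when the length field is encoded during derivation, far from the call that supplied it. Rejecting every non-positive value at construction keeps the error at the source: `if llen is not None and llen <= 0: raise ValueError("llen must be a positive integer")`. `__init__` starts and ends outside this hunk, so a later range check on `llen` may exist that is not visible here.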
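Review bot: The new `length == 0` check in `int_to_bytes` (utils.py) has no comment explaining why zero needs its own branch, and the reason is easy to miss. In `length or (integer.bit_length() + 7) // 8 or 1` a zero `length` is falsy, so it was treated like `None` and the caller silently received a minimal-length encoding instead of the width requested. That matters when the result is a fixed-width field in a KDF input. A one-line comment above the guard would record this: `# 0 is falsy, so the "length or ..." fallback below would silently ignore it`. The function also has no docstring in this hunk; one sentence stating that `length=None` yields the minimal big-endian encoding (at least one byte) would make the contract explicit.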
@@ -39,6 +39,13 @@ ) +def test_int_to_bytes_rejects_zero_length(): + with pytest.raises(ValueError): + cryptography.utils.int_to_bytes(123, 0) + with pytest.raises(ValueError): + cryptography.utils.int_to_bytes(0, 0) + + def test_check_backend_support_skip(): supported = pretend.stub( kwargs={"only_if": lambda backend: False, "skip_message": "Nope"} From 564c7980adee96bc691ce598ddbeee6f7d372e9a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 29 Jun 2024 20:09:01 +0000 Subject: [PATCH 0744/1462] Bump cc from 1.0.101 to 1.0.102 in /src/rust (#11180) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.101 to 1.0.102. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.0.101...cc-v1.0.102) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index ba5223e54c0f..9db12395438b 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.0.101" +version = "1.0.102" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ac367972e516d45567c7eafc73d24e1c193dcf200a8d94e9db7b3d38b349572d" +checksum = "779e6b7d17797c0b42023d417228c02889300190e700cb074c3438d9c541d332" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index e06baab70c05..4942aca6c77a 100644 
--- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.0", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.101" +cc = "1.0.102" From 6d2d8c2e37e0ea8843b77e3e34f767a960165e74 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 30 Jun 2024 00:22:08 +0000 Subject: [PATCH 0745/1462] Bump BoringSSL and/or OpenSSL in CI (#11181) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d30e1a1c7eed..4c87d60ac77f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jun 29, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7afa7731e924d5ac10fc992d8cd777f407d33af9"}} + # Latest commit on the OpenSSL master branch, as of Jun 30, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5a9c90b1e59b2c368876229862fbff29f2bcf006"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 95e57bf5c5763cf9f700ef339cad3aa7bb5799a4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 30 Jun 2024 07:06:05 -0400 Subject: [PATCH 0746/1462] fixes #11175 -- improve error message when loading PEM public key with no BEGIN PUBLIC KEY (#11177) --- src/rust/src/backend/keys.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index 7240f98c1c3e..649bea38cbeb 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -176,7 +176,9 @@ fn load_pem_public_key( } } "PUBLIC KEY" => cryptography_key_parsing::spki::parse_public_key(p.contents())?, - _ => return Err(CryptographyError::from(pem::PemError::MalformedFraming)), + _ => return Err(CryptographyError::from(pyo3::exceptions::PyValueError::new_err( + "Valid PEM but no BEGIN PUBLIC KEY/END PUBLIC KEY delimiters. Are you sure this is a public key?" + ))), }; public_key_from_pkey(py, &pkey, pkey.id()) } From 85fba50add6b7129898f69d69a2338475de2aae5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 30 Jun 2024 07:07:09 -0400 Subject: [PATCH 0747/1462] Remove buster from CI (#11182) * Remove buster from CI It is EOL * Update installation.rst --- .github/workflows/ci.yml | 1 - docs/installation.rst | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4c87d60ac77f..ee445d30f623 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -150,7 +150,6 @@ jobs: IMAGE: - {IMAGE: "rhel8", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "rhel8-fips", NOXSESSION: "tests", RUNNER: "ubuntu-latest", FIPS: true} - - {IMAGE: "buster", NOXSESSION: "tests-nocoverage", RUNNER: "ubuntu-latest"} - {IMAGE: "bullseye", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "bookworm", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "trixie", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} diff --git a/docs/installation.rst b/docs/installation.rst index cc6e32beafe4..8e5af7dd54c3 100644 --- a/docs/installation.rst +++ b/docs/installation.rst 
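Review bot: The new catch-all error in `load_pem_public_key` says which delimiters were expected but not which PEM label was actually found. A caller who passed a certificate or a private key therefore still has to inspect the input by hand. Including the parsed label would make the message self-diagnosing, e.g. `PyValueError::new_err(format!("Valid PEM but found {:?} where BEGIN PUBLIC KEY was expected. Are you sure this is a public key?", p.tag()))`. The `{:?}` formatting keeps a caller-supplied label escaped in the exception text. The match arm before `"PUBLIC KEY"` begins outside this hunk, so if it accepts another label the wording "no BEGIN PUBLIC KEY" is slightly narrower than what the function takes.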
@@ -22,8 +22,8 @@ operating systems. * x86-64 macOS 13 Ventura and ARM64 macOS 14 Sonoma * x86-64 Ubuntu 20.04, 22.04, 24.04, rolling * ARM64 Ubuntu rolling -* x86-64 Debian Buster (10.x), Bullseye (11.x), Bookworm (12.x), - Trixie (13.x), and Sid (unstable) +* x86-64 Debian Bullseye (11.x), Bookworm (12.x), Trixie (13.x), and + Sid (unstable) * x86-64 and ARM64 Alpine (latest) * 32-bit and 64-bit Python on 64-bit Windows Server 2022 From eae331491c53ce99be8eb8da40cbedf244fa3390 Mon Sep 17 00:00:00 2001 From: Magnus Watn Date: Sun, 30 Jun 2024 18:08:56 +0200 Subject: [PATCH 0748/1462] Add _utc datetime methods to x509.ocsp (#11183) Fixes #11170. --- CHANGELOG.rst | 10 ++ docs/x509/ocsp.rst | 122 ++++++++++++++++++++++++ src/cryptography/x509/ocsp.py | 58 +++++++++++ src/rust/src/types.rs | 2 + src/rust/src/x509/ocsp_resp.rs | 146 ++++++++++++++++++++++++++++ tests/x509/test_ocsp.py | 169 +++++++++++++++++++++++++-------- 6 files changed, 470 insertions(+), 37 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 3a1ea97886a2..58a827719e65 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -48,6 +48,16 @@ Changelog :attr:`~cryptography.x509.InvalidityDate.invalidity_date`. * Added support for parsing empty DN string in :meth:`~cryptography.x509.Name.from_rfc4514_string`. +* Added the following properties that return timezone-aware ``datetime`` objects: + :meth:`~cryptography.x509.ocsp.OCSPResponse.produced_at_utc`, + :meth:`~cryptography.x509.ocsp.OCSPResponse.revocation_time_utc`, + :meth:`~cryptography.x509.ocsp.OCSPResponse.this_update_utc`, + :meth:`~cryptography.x509.ocsp.OCSPResponse.next_update_utc`, + :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.revocation_time_utc`, + :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.this_update_utc`, + :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.next_update_utc`, + These are timezone-aware variants of existing properties that return naïve + ``datetime`` objects. .. _v42-0-8: 
diff --git a/docs/x509/ocsp.rst b/docs/x509/ocsp.rst index 94605c2e499f..beaa3537cc2c 100644 --- a/docs/x509/ocsp.rst +++ b/docs/x509/ocsp.rst @@ -539,11 +539,28 @@ Interfaces :type: :class:`datetime.datetime` + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.ocsp.OCSPResponse.produced_at_utc`. + A naïve datetime representing the time when the response was produced. :raises ValueError: If ``response_status`` is not :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. + .. attribute:: produced_at_utc + + .. versionadded:: 43.0.0 + + :type: :class:`datetime.datetime` + + A timezone-aware datetime representing the time when the response was produced. + + :raises ValueError: If ``response_status`` is not + :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. + .. attribute:: certificate_status :type: :class:`~cryptography.x509.ocsp.OCSPCertStatus` @@ -558,6 +575,12 @@ Interfaces :type: :class:`datetime.datetime` or None + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.ocsp.OCSPResponse.revocation_time_utc`. + A naïve datetime representing the time when the certificate was revoked or ``None`` if the certificate has not been revoked. 
@@ -565,6 +588,20 @@ Interfaces :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or if multiple SINGLERESPs are present. + .. attribute:: revocation_time_utc + + .. versionadded:: 43.0.0 + + :type: :class:`datetime.datetime` or None + + A timezone-aware datetime representing the time when the certificate was + revoked or ``None`` if the certificate has not been revoked. + + :raises ValueError: If ``response_status`` is not + :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or + if multiple SINGLERESPs are present. + + .. attribute:: revocation_reason :type: :class:`~cryptography.x509.ReasonFlags` or None @@ -580,6 +617,12 @@ Interfaces :type: :class:`datetime.datetime` + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.ocsp.OCSPResponse.this_update_utc`. + A naïve datetime representing the most recent time at which the status being indicated is known by the responder to have been correct. @@ -587,10 +630,29 @@ Interfaces :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or if multiple SINGLERESPs are present. + .. attribute:: this_update_utc + + .. versionadded:: 43.0.0 + + :type: :class:`datetime.datetime` + + A timezone-aware datetime representing the most recent time at which the status + being indicated is known by the responder to have been correct. + + :raises ValueError: If ``response_status`` is not + :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or + if multiple SINGLERESPs are present. + .. attribute:: next_update :type: :class:`datetime.datetime` + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.ocsp.OCSPResponse.next_update_utc`. + A naïve datetime representing the time when newer information will be available. 
@@ -598,6 +660,21 @@ Interfaces :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or if multiple SINGLERESPs are present. + + .. attribute:: next_update_utc + + .. versionadded:: 43.0.0 + + :type: :class:`datetime.datetime` + + A timezone-aware datetime representing the time when newer information will + be available. + + :raises ValueError: If ``response_status`` is not + :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or + if multiple SINGLERESPs are present. + + .. attribute:: issuer_key_hash :type: bytes @@ -759,9 +836,24 @@ Interfaces :type: :class:`datetime.datetime` or None + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.revocation_time_utc`. + A naïve datetime representing the time when the certificate was revoked or ``None`` if the certificate has not been revoked. + .. attribute:: revocation_time_utc + + .. versionadded:: 43.0.0 + + :type: :class:`datetime.datetime` or None + + A timezone-aware datetime representing the time when the certificate was revoked + or ``None`` if the certificate has not been revoked. + .. attribute:: revocation_reason :type: :class:`~cryptography.x509.ReasonFlags` or None 
@@ -773,16 +865,46 @@ Interfaces :type: :class:`datetime.datetime` + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.this_update_utc`. + A naïve datetime representing the most recent time at which the status being indicated is known by the responder to have been correct. + .. attribute:: this_update_utc + + .. versionadded:: 43.0.0 + + :type: :class:`datetime.datetime` + + A timezone-aware datetime representing the most recent time at which the status + being indicated is known by the responder to have been correct. + .. attribute:: next_update :type: :class:`datetime.datetime` + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.next_update_utc`. + A naïve datetime representing the time when newer information will be available. + .. attribute:: next_update_utc + + .. versionadded:: 43.0.0 + + :type: :class:`datetime.datetime` + + A timezone-aware datetime representing the time when newer information will + be available. + .. attribute:: issuer_key_hash :type: bytes diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py index 9b2adc8601cc..dbb475db2ab2 100644 --- a/src/cryptography/x509/ocsp.py +++ b/src/cryptography/x509/ocsp.py @@ -186,6 +186,14 @@ def revocation_time(self) -> datetime.datetime | None: revoked. """ + @property + @abc.abstractmethod + def revocation_time_utc(self) -> datetime.datetime | None: + """ + The date of when the certificate was revoked or None if not + revoked. Represented as a non-naive UTC datetime. + """ + @property @abc.abstractmethod def revocation_reason(self) -> x509.ReasonFlags | None: 
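Review bot: The docstring added for `revocation_time_utc` in src/cryptography/x509/ocsp.py (and those for `this_update_utc`, `next_update_utc` and `produced_at_utc` in the later hunks of this file) says "non-naive UTC datetime", while the documentation added by the same commit says "timezone-aware"; one term throughout is easier to search for, e.g. `Represented as a timezone-aware UTC datetime.`. It would also help to state that these values cannot be ordered against naive datetimes, since code that checks an OCSP validity window against a naive "now" will raise `TypeError` once it switches to the `_utc` properties. The enclosing class starts and ends outside the hunk.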
@@ -202,6 +210,15 @@ def this_update(self) -> datetime.datetime: the responder to have been correct """ + @property + @abc.abstractmethod + def this_update_utc(self) -> datetime.datetime: + """ + The most recent time at which the status being indicated is known by + the responder to have been correct. Represented as a non-naive UTC + datetime. + """ + @property @abc.abstractmethod def next_update(self) -> datetime.datetime | None: @@ -209,6 +226,14 @@ def next_update(self) -> datetime.datetime | None: The time when newer information will be available """ + @property + @abc.abstractmethod + def next_update_utc(self) -> datetime.datetime | None: + """ + The time when newer information will be available. Represented as a + non-naive UTC datetime. + """ + @property @abc.abstractmethod def issuer_key_hash(self) -> bytes: @@ -315,6 +340,14 @@ def produced_at(self) -> datetime.datetime: The time the response was produced """ + @property + @abc.abstractmethod + def produced_at_utc(self) -> datetime.datetime: + """ + The time the response was produced. Represented as a non-naive UTC + datetime. + """ + @property @abc.abstractmethod def certificate_status(self) -> OCSPCertStatus: @@ -330,6 +363,14 @@ def revocation_time(self) -> datetime.datetime | None: revoked. """ + @property + @abc.abstractmethod + def revocation_time_utc(self) -> datetime.datetime | None: + """ + The date of when the certificate was revoked or None if not + revoked. Represented as a non-naive UTC datetime. + """ + @property @abc.abstractmethod def revocation_reason(self) -> x509.ReasonFlags | None: 
@@ -346,6 +387,15 @@ def this_update(self) -> datetime.datetime: the responder to have been correct """ + @property + @abc.abstractmethod + def this_update_utc(self) -> datetime.datetime: + """ + The most recent time at which the status being indicated is known by + the responder to have been correct. Represented as a non-naive UTC + datetime. + """ + @property @abc.abstractmethod def next_update(self) -> datetime.datetime | None: @@ -353,6 +403,14 @@ def next_update(self) -> datetime.datetime | None: The time when newer information will be available """ + @property + @abc.abstractmethod + def next_update_utc(self) -> datetime.datetime | None: + """ + The time when newer information will be available. Represented as a + non-naive UTC datetime. + """ + @property @abc.abstractmethod def issuer_key_hash(self) -> bytes: diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 7b3fb35392e2..95ab3c7cea64 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -45,6 +45,8 @@ pub static DEPRECATED_IN_41: LazyPyImport = LazyPyImport::new("cryptography.utils", &["DeprecatedIn41"]); pub static DEPRECATED_IN_42: LazyPyImport = LazyPyImport::new("cryptography.utils", &["DeprecatedIn42"]); +pub static DEPRECATED_IN_43: LazyPyImport = + LazyPyImport::new("cryptography.utils", &["DeprecatedIn43"]); pub static ENCODING: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization", diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 2250decae428..302f3b333762 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs 
@@ -179,10 +179,26 @@ impl OCSPResponse { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_43.get(py)?; + pyo3::PyErr::warn_bound( + py, + &warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to produced_at_utc.", + 1, + )?; let resp = self.requires_successful_response()?; x509::datetime_to_py(py, resp.tbs_response_data.produced_at.as_datetime()) } + #[getter] + fn produced_at_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let resp = self.requires_successful_response()?; + x509::datetime_to_py_utc(py, resp.tbs_response_data.produced_at.as_datetime()) + } + #[getter] fn signature_algorithm_oid<'p>( &self, @@ -325,11 +341,28 @@ impl OCSPResponse { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_43.get(py)?; + pyo3::PyErr::warn_bound( + py, + &warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to revocation_time_utc.", + 1, + )?; let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_revocation_time(&single_resp, py) } + #[getter] + fn revocation_time_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let resp = self.requires_successful_response()?; + let single_resp = single_response(resp)?; + singleresp_py_revocation_time_utc(&single_resp, py) + } + #[getter] fn revocation_reason<'p>( &self, 
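Review bot: The deprecation block added to `produced_at` here is repeated, apart from the property name in the message, in `revocation_time`, `this_update` and `next_update` of `OCSPResponse` and again in the three `OCSPSingleResponse` getters in the later hunks of ocsp_resp.rs. A small private helper taking the replacement property name would keep the seven messages and the stack level in one place. The warning is also raised before `requires_successful_response()`, so with warnings turned into errors an unsuccessful response surfaces `DeprecatedIn43` rather than `ValueError`; the updated `test_load_unauthorized` expects both, so this appears deliberate, but a one-line comment saying so would help. The `impl` blocks start and end outside the hunk.

```rust
// Emits the DeprecatedIn43 warning shared by the naïve-datetime getters.
fn warn_naive_datetime(py: pyo3::Python<'_>, utc_name: &str) -> pyo3::PyResult<()> {
    let warning_cls = types::DEPRECATED_IN_43.get(py)?;
    let message = format!(
        "Properties that return a naïve datetime object have been deprecated. Please switch to {utc_name}."
    );
    pyo3::PyErr::warn_bound(py, &warning_cls, &message, 1)
}

// In each deprecated getter, e.g. produced_at:
warn_naive_datetime(py, "produced_at_utc")?;
// … unchanged: requires_successful_response() and the datetime conversion …
```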
@@ -345,21 +378,55 @@ impl OCSPResponse { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_43.get(py)?; + pyo3::PyErr::warn_bound( + py, + &warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.", + 1, + )?; let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_this_update(&single_resp, py) } + #[getter] + fn this_update_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let resp = self.requires_successful_response()?; + let single_resp = single_response(resp)?; + singleresp_py_this_update_utc(&single_resp, py) + } + #[getter] fn next_update<'p>( &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_43.get(py)?; + pyo3::PyErr::warn_bound( + py, + &warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.", + 1, + )?; let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_next_update(&single_resp, py) } + #[getter] + fn next_update_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let resp = self.requires_successful_response()?; + let single_resp = single_response(resp)?; + singleresp_py_next_update_utc(&single_resp, py) + } + #[getter] fn extensions(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { self.requires_successful_response()?; @@ -549,6 +616,13 @@ fn singleresp_py_this_update<'p>( x509::datetime_to_py(py, resp.this_update.as_datetime()) } +fn singleresp_py_this_update_utc<'p>( + resp: &ocsp_resp::SingleResponse<'_>, + py: pyo3::Python<'p>, +) -> pyo3::PyResult> { + x509::datetime_to_py_utc(py, resp.this_update.as_datetime()) +} + fn singleresp_py_next_update<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, 
@@ -559,6 +633,16 @@ fn singleresp_py_next_update<'p>( } } +fn singleresp_py_next_update_utc<'p>( + resp: &ocsp_resp::SingleResponse<'_>, + py: pyo3::Python<'p>, +) -> pyo3::PyResult> { + match &resp.next_update { + Some(v) => x509::datetime_to_py_utc(py, v.as_datetime()), + None => Ok(py.None().into_bound(py)), + } +} + fn singleresp_py_revocation_reason<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, @@ -588,6 +672,20 @@ fn singleresp_py_revocation_time<'p>( } } +fn singleresp_py_revocation_time_utc<'p>( + resp: &ocsp_resp::SingleResponse<'_>, + py: pyo3::Python<'p>, +) -> pyo3::PyResult> { + match &resp.cert_status { + ocsp_resp::CertStatus::Revoked(revoked_info) => { + x509::datetime_to_py_utc(py, revoked_info.revocation_time.as_datetime()) + } + ocsp_resp::CertStatus::Good(_) | ocsp_resp::CertStatus::Unknown(_) => { + Ok(py.None().into_bound(py)) + } + } +} + #[pyo3::pyfunction] fn create_ocsp_response( py: pyo3::Python<'_>, @@ -876,10 +974,26 @@ impl OCSPSingleResponse { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_43.get(py)?; + pyo3::PyErr::warn_bound( + py, + &warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to revocation_time_utc.", + 1, + )?; let single_resp = self.single_response(); singleresp_py_revocation_time(single_resp, py) } + #[getter] + fn revocation_time_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let single_resp = self.single_response(); + singleresp_py_revocation_time_utc(single_resp, py) + } + #[getter] fn revocation_reason<'p>( &self, 
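Review bot: `singleresp_py_next_update_utc` and the other new `_utc` helpers (`singleresp_py_this_update_utc` in the previous hunk, `singleresp_py_revocation_time_utc` in the next) carry no doc comment, and the `None` branch here is the one a caller checking response freshness most needs explained. I would add `/// Returns Python None when the response has no nextUpdate field; the caller decides how long such a response stays acceptable.` above the function. The same one-line treatment fits `singleresp_py_revocation_time_utc`, whose `Good` and `Unknown` arms also return `None`.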
@@ -894,18 +1008,50 @@ impl OCSPSingleResponse { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_43.get(py)?; + pyo3::PyErr::warn_bound( + py, + &warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.", + 1, + )?; let single_resp = self.single_response(); singleresp_py_this_update(single_resp, py) } + #[getter] + fn this_update_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let single_resp = self.single_response(); + singleresp_py_this_update_utc(single_resp, py) + } + #[getter] fn next_update<'p>( &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_43.get(py)?; + pyo3::PyErr::warn_bound( + py, + &warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.", + 1, + )?; let single_resp = self.single_response(); singleresp_py_next_update(single_resp, py) } + + #[getter] + fn next_update_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let single_resp = self.single_response(); + singleresp_py_next_update_utc(single_resp, py) + } } pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py index 1d155bb97029..d7723b288cf5 100644 --- a/tests/x509/test_ocsp.py +++ b/tests/x509/test_ocsp.py @@ -6,10 +6,11 @@ import base64 import datetime import os +from typing import Optional import pytest -from cryptography import x509 +from cryptography import utils, x509 from cryptography.exceptions import UnsupportedAlgorithm from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec, ed448, ed25519, rsa 
@@ -68,6 +69,35 @@ def _generate_root(private_key=None, algorithm=hashes.SHA256()): return cert, private_key +def _check_ocsp_response_times( + ocsp_resp: ocsp.OCSPResponse, + this_update: datetime.datetime, + next_update: Optional[datetime.datetime], + revocation_time: Optional[datetime.datetime], +) -> None: + with pytest.warns(utils.DeprecatedIn43): + assert ocsp_resp.this_update == this_update + assert ocsp_resp.this_update_utc == this_update.replace( + tzinfo=datetime.timezone.utc + ) + + with pytest.warns(utils.DeprecatedIn43): + assert ocsp_resp.next_update == next_update + assert ocsp_resp.next_update_utc == ( + next_update.replace(tzinfo=datetime.timezone.utc) + if next_update is not None + else None + ) + + with pytest.warns(utils.DeprecatedIn43): + assert ocsp_resp.revocation_time == revocation_time + assert ocsp_resp.revocation_time_utc == ( + revocation_time.replace(tzinfo=datetime.timezone.utc) + if revocation_time is not None + else None + ) + + class TestOCSPRequest: def test_bad_request(self): with pytest.raises(ValueError): 
@@ -634,16 +664,26 @@ def test_sign_good_cert(self): resp = builder.sign(private_key, hashes.SHA256()) assert resp.responder_name == root_cert.subject assert resp.responder_key_hash is None - assert (current_time - resp.produced_at).total_seconds() < 10 + with pytest.warns(utils.DeprecatedIn43): + assert (current_time - resp.produced_at).total_seconds() < 10 + assert ( + current_time.replace(tzinfo=datetime.timezone.utc) + - resp.produced_at_utc + ).total_seconds() < 10 assert ( resp.signature_algorithm_oid == x509.SignatureAlgorithmOID.ECDSA_WITH_SHA256 ) assert resp.certificate_status == ocsp.OCSPCertStatus.GOOD - assert resp.revocation_time is None assert resp.revocation_reason is None - assert resp.this_update == this_update - assert resp.next_update == next_update + + _check_ocsp_response_times( + resp, + this_update=this_update, + next_update=next_update, + revocation_time=None, + ) + private_key.public_key().verify( resp.signature, resp.tbs_response_bytes, ec.ECDSA(hashes.SHA256()) ) @@ -674,10 +714,13 @@ def test_sign_revoked_cert(self): ) resp = builder.sign(private_key, hashes.SHA256()) assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED - assert resp.revocation_time == revoked_date assert resp.revocation_reason is None - assert resp.this_update == this_update - assert resp.next_update == next_update + _check_ocsp_response_times( + resp, + this_update=this_update, + next_update=next_update, + revocation_time=revoked_date, + ) private_key.public_key().verify( resp.signature, resp.tbs_response_bytes, ec.ECDSA(hashes.SHA256()) ) 
@@ -707,8 +750,12 @@ def test_sign_unknown_cert(self): ) resp = builder.sign(private_key, hashes.SHA384()) assert resp.certificate_status == ocsp.OCSPCertStatus.UNKNOWN - assert resp.this_update == this_update - assert resp.next_update == next_update + _check_ocsp_response_times( + resp, + this_update=this_update, + next_update=next_update, + revocation_time=None, + ) private_key.public_key().verify( resp.signature, resp.tbs_response_bytes, ec.ECDSA(hashes.SHA384()) ) @@ -766,10 +813,13 @@ def test_sign_revoked_no_next_update(self): ) resp = builder.sign(private_key, hashes.SHA256()) assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED - assert resp.revocation_time == revoked_date assert resp.revocation_reason is None - assert resp.this_update == this_update - assert resp.next_update is None + _check_ocsp_response_times( + resp, + this_update=this_update, + next_update=None, + revocation_time=revoked_date, + ) private_key.public_key().verify( resp.signature, resp.tbs_response_bytes, ec.ECDSA(hashes.SHA256()) ) @@ -800,10 +850,13 @@ def test_sign_revoked_with_reason(self): ) resp = builder.sign(private_key, hashes.SHA256()) assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED - assert resp.revocation_time == revoked_date assert resp.revocation_reason is x509.ReasonFlags.key_compromise - assert resp.this_update == this_update - assert resp.next_update == next_update + _check_ocsp_response_times( + resp, + this_update=this_update, + next_update=next_update, + revocation_time=revoked_date, + ) private_key.public_key().verify( resp.signature, resp.tbs_response_bytes, ec.ECDSA(hashes.SHA256()) ) 
@@ -1154,12 +1207,19 @@ def test_load_response(self): assert resp.certificates == [] assert resp.responder_key_hash is None assert resp.responder_name == issuer.subject - assert resp.produced_at == datetime.datetime(2018, 8, 30, 11, 15) + with pytest.warns(utils.DeprecatedIn43): + assert resp.produced_at == datetime.datetime(2018, 8, 30, 11, 15) + assert resp.produced_at_utc == datetime.datetime( + 2018, 8, 30, 11, 15, tzinfo=datetime.timezone.utc + ) assert resp.certificate_status == ocsp.OCSPCertStatus.GOOD - assert resp.revocation_time is None assert resp.revocation_reason is None - assert resp.this_update == datetime.datetime(2018, 8, 30, 11, 0) - assert resp.next_update == datetime.datetime(2018, 9, 6, 11, 0) + _check_ocsp_response_times( + resp, + this_update=datetime.datetime(2018, 8, 30, 11, 0), + next_update=datetime.datetime(2018, 9, 6, 11, 0), + revocation_time=None, + ) assert resp.issuer_key_hash == ( b"\xa8Jjc\x04}\xdd\xba\xe6\xd19\xb7\xa6Ee\xef\xf3\xa8\xec\xa1" ) @@ -1215,9 +1275,20 @@ def test_multi_valued_responses(self): ) assert elem.certificate_status == ocsp.OCSPCertStatus.GOOD - - assert elem.this_update == datetime.datetime(2020, 2, 22, 0, 0) - assert elem.next_update == datetime.datetime(2020, 2, 29, 1, 0) + with pytest.warns(utils.DeprecatedIn43): + assert elem.this_update == datetime.datetime( + 2020, 2, 22, 0, 0 + ) + assert elem.this_update_utc == datetime.datetime( + 2020, 2, 22, 0, 0, tzinfo=datetime.timezone.utc + ) + with pytest.warns(utils.DeprecatedIn43): + assert elem.next_update == datetime.datetime( + 2020, 2, 29, 1, 0 + ) + assert elem.next_update_utc == datetime.datetime( + 2020, 2, 29, 1, 0, tzinfo=datetime.timezone.utc + ) elif req_revoked.serial_number == serial: assert elem.certificate_status == ocsp.OCSPCertStatus.REVOKED 
@@ -1225,8 +1296,12 @@ def test_multi_valued_responses(self): elem.revocation_reason == x509.ReasonFlags.cessation_of_operation ) - assert elem.revocation_time == datetime.datetime( - 2018, 5, 30, 14, 1, 39 + with pytest.warns(utils.DeprecatedIn43): + assert elem.revocation_time == datetime.datetime( + 2018, 5, 30, 14, 1, 39 + ) + assert elem.revocation_time_utc == datetime.datetime( + 2018, 5, 30, 14, 1, 39, tzinfo=datetime.timezone.utc ) def test_load_unauthorized(self): @@ -1249,18 +1324,26 @@ def test_load_unauthorized(self): resp.responder_key_hash with pytest.raises(ValueError): resp.responder_name - with pytest.raises(ValueError): + with pytest.raises(ValueError), pytest.warns(utils.DeprecatedIn43): resp.produced_at with pytest.raises(ValueError): - resp.certificate_status + resp.produced_at_utc with pytest.raises(ValueError): + resp.certificate_status + with pytest.raises(ValueError), pytest.warns(utils.DeprecatedIn43): resp.revocation_time with pytest.raises(ValueError): - resp.revocation_reason + resp.revocation_time_utc with pytest.raises(ValueError): + resp.revocation_reason + with pytest.raises(ValueError), pytest.warns(utils.DeprecatedIn43): resp.this_update with pytest.raises(ValueError): + resp.this_update_utc + with pytest.raises(ValueError), pytest.warns(utils.DeprecatedIn43): resp.next_update + with pytest.raises(ValueError): + resp.next_update_utc with pytest.raises(ValueError): resp.issuer_key_hash with pytest.raises(ValueError): @@ -1278,8 +1361,12 @@ def test_load_revoked(self): ocsp.load_der_ocsp_response, ) assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED - assert resp.revocation_time == datetime.datetime( - 2016, 9, 2, 21, 28, 48 + with pytest.warns(utils.DeprecatedIn43): + assert resp.revocation_time == datetime.datetime( + 2016, 9, 2, 21, 28, 48 + ) + assert resp.revocation_time_utc == datetime.datetime( + 2016, 9, 2, 21, 28, 48, tzinfo=datetime.timezone.utc ) assert resp.revocation_reason is None 
@@ -1334,7 +1421,9 @@ def test_load_revoked_no_next_update(self): ocsp.load_der_ocsp_response, ) assert resp.serial_number == 16160 - assert resp.next_update is None + with pytest.warns(utils.DeprecatedIn43): + assert resp.next_update is None + assert resp.next_update_utc is None def test_response_extensions(self): resp = _load_data( @@ -1499,10 +1588,13 @@ def test_sign_ed25519(self, backend): ) resp = builder.sign(private_key, None) assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED - assert resp.revocation_time == revoked_date assert resp.revocation_reason is x509.ReasonFlags.key_compromise - assert resp.this_update == this_update - assert resp.next_update == next_update + _check_ocsp_response_times( + resp, + this_update=this_update, + next_update=next_update, + revocation_time=revoked_date, + ) assert resp.signature_hash_algorithm is None assert ( resp.signature_algorithm_oid == x509.SignatureAlgorithmOID.ED25519 @@ -1542,10 +1634,13 @@ def test_sign_ed448(self, backend): ) resp = builder.sign(private_key, None) assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED - assert resp.revocation_time == revoked_date assert resp.revocation_reason is x509.ReasonFlags.key_compromise - assert resp.this_update == this_update - assert resp.next_update == next_update + _check_ocsp_response_times( + resp, + this_update=this_update, + next_update=next_update, + revocation_time=revoked_date, + ) assert resp.signature_hash_algorithm is None assert resp.signature_algorithm_oid == x509.SignatureAlgorithmOID.ED448 private_key.public_key().verify( From 7bc172ab09a6f19ee4b1b457910051737191fa74 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 30 Jun 2024 17:14:18 +0000 Subject: [PATCH 0749/1462] Bump cc from 1.0.102 to 1.0.103 in /src/rust (#11184) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.102 to 1.0.103. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.0.102...cc-v1.0.103) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 9db12395438b..23bd21c3247f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.0.102" +version = "1.0.103" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "779e6b7d17797c0b42023d417228c02889300190e700cb074c3438d9c541d332" +checksum = "2755ff20a1d93490d26ba33a6f092a38a508398a5320df5d4b3014fcccce9410" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 4942aca6c77a..4e9f2d9fffd9 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.0", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.102" +cc = "1.0.103" From cb306615f8b44050f055267c27aa2d949d8a993d Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 30 Jun 2024 20:22:42 -0400 Subject: [PATCH 0750/1462] Bump BoringSSL and/or OpenSSL in CI (#11186) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ee445d30f623..922c62723094 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jun 30, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5a9c90b1e59b2c368876229862fbff29f2bcf006"}} + # Latest commit on the OpenSSL master branch, as of Jul 01, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f96563297ee04d57efd45f56bd6b897d809214b4"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 5cea5004c82690d03c3faa2d977d1bb305a376b6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Jul 2024 07:06:46 -0400 Subject: [PATCH 0751/1462] Bump cc from 1.0.103 to 1.0.104 in /src/rust (#11187) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.103 to 1.0.104. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.0.103...cc-v1.0.104) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 23bd21c3247f..acbfb1764207 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.0.103" +version = "1.0.104" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2755ff20a1d93490d26ba33a6f092a38a508398a5320df5d4b3014fcccce9410" +checksum = "74b6a57f98764a267ff415d50a25e6e166f3831a5071af4995296ea97d210490" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 4e9f2d9fffd9..414236180a65 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.0", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.103" +cc = "1.0.104" From 6de3533c98acfbf0b491c358a293e78d6076b34b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 1 Jul 2024 20:22:25 -0400 Subject: [PATCH 0752/1462] Bump BoringSSL and/or OpenSSL in CI (#11188) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 922c62723094..766305b014aa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jul 01, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f96563297ee04d57efd45f56bd6b897d809214b4"}} + # Latest commit on the OpenSSL master branch, as of Jul 02, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "16311dbf53c464726d73b76d77ecf6275c9f9d08"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From e0de37cad019193640c741d5a6dc9950c02175af Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 2 Jul 2024 00:32:02 +0000 Subject: [PATCH 0753/1462] Bump x509-limbo and/or wycheproof in CI (#11189) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 95e11dbdfde4..fe3fcaedcfab 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jun 18, 2024. - ref: "bd88042508ccfde351b2fee293aebda8971fbebb" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jul 02, 2024. + ref: "e75d8a9e2b75fe603282e19b90d585bb3d62ba9c" # x509-limbo-ref From d356d7e25c09856b2c36bdcbf9b31956529bcea6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Jul 2024 07:05:12 -0400 Subject: [PATCH 0754/1462] Bump setuptools from 70.1.1 to 70.2.0 in /.github/requirements (#11190) Bumps [setuptools](https://github.com/pypa/setuptools) from 70.1.1 to 70.2.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v70.1.1...v70.2.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index c56db6aefcfa..2c2b48c6e2ef 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -76,9 +76,9 @@ tomli==2.0.1 \ # via setuptools-rust # The following packages are considered to be unsafe in a requirements file: -setuptools==70.1.1 \ - --hash=sha256:937a48c7cdb7a21eb53cd7f9b59e525503aa8abaf3584c730dc5f7a5bec3a650 \ - --hash=sha256:a58a8fde0541dab0419750bcc521fbdf8585f6e5cb41909df3a472ef7b81ca95 +setuptools==70.2.0 \ + --hash=sha256:b8b8060bb426838fbe942479c90296ce976249451118ef566a5a0b7d8b78fb05 \ + --hash=sha256:bd63e505105011b25c3c11f753f7e3b8465ea739efddaccef8f0efac2137bac1 # via # -r build-requirements.in # setuptools-rust From ba177e9bd4df88df99d9fca26bf703637c3ddafa Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 3 Jul 2024 00:16:54 +0000 Subject: [PATCH 0755/1462] Bump BoringSSL and/or OpenSSL in CI (#11191) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 766305b014aa..240387812ac3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jul 02, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "16311dbf53c464726d73b76d77ecf6275c9f9d08"}} + # Latest commit on the OpenSSL master branch, as of Jul 03, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b1e7bc5bdfc73ef841afa30ac321975b0d63219a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 2021ed21a4c17a8c6a1adf9a7158fa315d931b33 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 3 Jul 2024 00:31:33 +0000 Subject: [PATCH 0756/1462] Bump x509-limbo and/or wycheproof in CI (#11192) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index fe3fcaedcfab..306ca460a02e 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jul 02, 2024. - ref: "e75d8a9e2b75fe603282e19b90d585bb3d62ba9c" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jul 03, 2024. + ref: "74e0b06dc4c5ee3707fa7f45ea0adb11ddb8de33" # x509-limbo-ref From 5dbf9bab261470f00f856ddb1c7317e84e899c8f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 4 Jul 2024 00:15:04 +0000 Subject: [PATCH 0757/1462] Bump BoringSSL and/or OpenSSL in CI (#11194) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 240387812ac3..6589803f5c1b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jul 03, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b1e7bc5bdfc73ef841afa30ac321975b0d63219a"}} + # Latest commit on the BoringSSL master branch, as of Jul 04, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7c2b62e93487b772990fddc1905f22d4cfaee4a4"}} + # Latest commit on the OpenSSL master branch, as of Jul 04, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3f4da93678497fe64d262d03c388932f7ecfe74e"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 9a1c4007bf873b372c0d1504268e8afff4ff8473 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Jul 2024 08:05:52 -0400 Subject: [PATCH 0758/1462] Bump certifi from 2024.6.2 to 2024.7.4 (#11196) Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.6.2 to 2024.7.4. - [Commits](https://github.com/certifi/python-certifi/compare/2024.06.02...2024.07.04) --- updated-dependencies: - dependency-name: certifi dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ae6896d7daac..5c2f1a63fa97 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -15,7 +15,7 @@ build==1.2.1 # via # check-sdist # cryptography (pyproject.toml) -certifi==2024.6.2 +certifi==2024.7.4 # via requests charset-normalizer==3.3.2 # via requests From 41033b491462722119ff8c92b35670be5c8d4a69 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Jul 2024 10:22:27 -0400 Subject: [PATCH 0759/1462] Use wildcard in dependabot.yml (#11185) --- .github/dependabot.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1678833c2a9b..1634f6e54726 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -3,9 +3,7 @@ updates: - package-ecosystem: "github-actions" directories: - "/" - - "/.github/actions/cache/" - - "/.github/actions/upload-coverage/" - - "/.github/actions/fetch-vectors/" + - "/.github/actions/*/" schedule: interval: "daily" time: "06:00" From 6d9e324dde0b6867186cca0c2c6a5ef71cd2c83a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Jul 2024 10:33:38 -0400 Subject: [PATCH 0760/1462] Bump certifi from 2024.6.2 to 2024.7.4 in /.github/requirements (#11197) Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.6.2 to 2024.7.4. - [Commits](https://github.com/certifi/python-certifi/compare/2024.06.02...2024.07.04) --- updated-dependencies: - dependency-name: certifi dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 72c2c1b5f011..ae5b3ff3c2b4 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -8,9 +8,9 @@ backports-tarfile==1.2.0 \ --hash=sha256:77e284d754527b01fb1e6fa8a1afe577858ebe4e9dad8919e34c862cb399bc34 \ --hash=sha256:d75e02c268746e1b8144c278978b6e98e85de6ad16f8e4b0844a154557eca991 # via jaraco-context -certifi==2024.6.2 \ - --hash=sha256:3cd43f1c6fa7dedc5899d69d3ad0398fd018ad1a17fba83ddaf78aa46c747516 \ - --hash=sha256:ddc6c8ce995e6987e7faf5e3f1b02b302836a0e5d98ece18392cb1a36c72ad56 +certifi==2024.7.4 \ + --hash=sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b \ + --hash=sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90 # via requests cffi==1.16.0 \ --hash=sha256:0c9ef6ff37e974b73c25eecc13952c55bceed9112be2d9d938ded8e856138bcc \ From ed136bd720ab27e297d8f6f1c525f1a4bd84d9e0 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 4 Jul 2024 17:27:50 -0700 Subject: [PATCH 0761/1462] Bump BoringSSL and/or OpenSSL in CI (#11198) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6589803f5c1b..51398eebb299 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 04, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7c2b62e93487b772990fddc1905f22d4cfaee4a4"}} - # Latest commit on the OpenSSL master branch, as of Jul 04, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3f4da93678497fe64d262d03c388932f7ecfe74e"}} + # Latest commit on the OpenSSL master branch, as of Jul 05, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "59c415a45f47cb34147427e46c78d945919b1da2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 124dca5d69e73a0edb2b26869e45d7d985a2ba8a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Jul 2024 13:45:59 -0400 Subject: [PATCH 0762/1462] Implement encrypted PKCS#12 serialization in Rust (#11059) --- .../hazmat/backends/openssl/backend.py | 21 +- .../hazmat/primitives/serialization/pkcs12.py | 5 +- src/rust/cryptography-x509/src/common.rs | 28 +++ src/rust/cryptography-x509/src/pkcs12.rs | 11 +- src/rust/cryptography-x509/src/pkcs7.rs | 16 ++ src/rust/src/backend/ciphers.rs | 8 +- src/rust/src/backend/kdf.rs | 2 +- src/rust/src/buf.rs | 8 + src/rust/src/padding.rs | 9 +- src/rust/src/pkcs12.rs | 206 ++++++++++++++++-- 10 files changed, 264 insertions(+), 50 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 0da03896974f..88d01f93b3ad 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py 
@@ -398,26 +398,7 @@ def serialize_key_and_certificates_to_pkcs12( if name is not None: utils._check_bytes("name", name) - assert not isinstance(encryption_algorithm, serialization.NoEncryption) - if isinstance( - encryption_algorithm, serialization.BestAvailableEncryption - ): - # PKCS12 encryption is hopeless trash and can never be fixed. - # OpenSSL 3 supports PBESv2, but Libre and Boring do not, so - # we use PBESv1 with 3DES on the older paths. - if rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: - nid_cert = self._lib.NID_aes_256_cbc - nid_key = self._lib.NID_aes_256_cbc - else: - nid_cert = self._lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC - nid_key = self._lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC - # At least we can set this higher than OpenSSL's default - pkcs12_iter = 20000 - mac_iter = 0 - # MAC algorithm can only be set on OpenSSL 3.0.0+ - mac_alg = self._ffi.NULL - password = encryption_algorithm.password - elif ( + if ( isinstance( encryption_algorithm, serialization._KeySerializationEncryption ) diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index d1fc460d7296..28fab3ca6f61 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py @@ -167,7 +167,10 @@ def serialize_key_and_certificates( if key is None and cert is None and not cas: raise ValueError("You must supply at least one of key, cert, or cas") - if isinstance(encryption_algorithm, serialization.NoEncryption): + if isinstance( + encryption_algorithm, + (serialization.NoEncryption, serialization.BestAvailableEncryption), + ): return rust_pkcs12.serialize_key_and_certificates( name, key, cert, cas, encryption_algorithm ) diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 84608c870123..b0827a74501a 100644 --- a/src/rust/cryptography-x509/src/common.rs 
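Review bot: Routing `serialization.BestAvailableEncryption` to `rust_pkcs12.serialize_key_and_certificates` changes the output format on some backends, and nothing in the commit records that. The branch removed from `backend.py` chose PBESv1 with 3DES whenever `CRYPTOGRAPHY_OPENSSL_300_OR_GREATER` was false, while the Rust `EncryptionAlgorithm` enum added later in this commit has only `PBESv2SHA256AndAES256CBC`, so LibreSSL and BoringSSL builds presumably now emit PBES2 as well. The diffstat touches no changelog or documentation file; an entry along the lines of `BestAvailableEncryption for PKCS#12 now always uses PBES2 with PBKDF2-HMAC-SHA256 and AES-256-CBC` would warn users whose consumers cannot read PBES2. The body of `serialize_key_and_certificates` continues outside the hunk.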
+++ b/src/rust/cryptography-x509/src/common.rs @@ -125,6 +125,12 @@ pub enum AlgorithmParameters<'a> { #[defined_by(oid::DH_KEY_AGREEMENT_OID)] DhKeyAgreement(BasicDHParams<'a>), + #[defined_by(oid::PBES2_OID)] + Pbes2(PBES2Params<'a>), + + #[defined_by(oid::PBKDF2_OID)] + Pbkdf2(PBKDF2Params<'a>), + #[defined_by(oid::HMAC_WITH_SHA1_OID)] HmacWithSha1(asn1::Null), #[defined_by(oid::HMAC_WITH_SHA256_OID)] @@ -403,6 +409,28 @@ pub struct DssParams<'a> { pub g: asn1::BigUint<'a>, } +#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash, Clone, Debug)] +pub struct PBES2Params<'a> { + pub key_derivation_func: Box>, + pub encryption_scheme: Box>, +} + +const HMAC_SHA1_ALG: AlgorithmIdentifier<'static> = AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::HmacWithSha1(()), +}; + +#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash, Clone, Debug)] +pub struct PBKDF2Params<'a> { + // This is technically a CHOICE that can be an otherSource. We don't + // support that. + pub salt: &'a [u8], + pub iteration_count: u64, + pub key_length: Option, + #[default(HMAC_SHA1_ALG)] + pub prf: Box>, +} + /// A VisibleString ASN.1 element whose contents is not validated as meeting the /// requirements (visible characters of IA5), and instead is only known to be /// valid UTF-8. diff --git a/src/rust/cryptography-x509/src/pkcs12.rs b/src/rust/cryptography-x509/src/pkcs12.rs index dce1c41726eb..fdcbc91ef802 100644 --- a/src/rust/cryptography-x509/src/pkcs12.rs +++ b/src/rust/cryptography-x509/src/pkcs12.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::common::Utf8StoredBMPString; +use crate::common::{AlgorithmIdentifier, Utf8StoredBMPString}; use crate::pkcs7; pub const CERT_BAG_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 12, 10, 1, 3); 
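Review bot: `PBES2Params` and `PBKDF2Params` in the `@@ -403,6 +409,28 @@` hunk are added without doc comments, although both derive `asn1::Asn1Read` and so can be populated from untrusted input. On `PBKDF2Params` I would add `/// PBKDF2-params (RFC 8018). When parsed, iteration_count and key_length come from the input; bound them before deriving a key.`, since `iteration_count` is a bare `u64` and nothing in the type limits it. The existing comment about `otherSource` is worth keeping next to `salt`. A one-line `///` on `PBES2Params` naming its two nested algorithm identifiers would match the documented type that follows it in the file.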
@@ -55,6 +55,9 @@ pub enum BagValue<'a> { #[defined_by(KEY_BAG_OID)] KeyBag(asn1::Tlv<'a>), + + #[defined_by(SHROUDED_KEY_BAG_OID)] + ShroudedKeyBag(EncryptedPrivateKeyInfo<'a>), } #[derive(asn1::Asn1Write)] @@ -69,3 +72,9 @@ pub enum CertType<'a> { #[defined_by(X509_CERTIFICATE_OID)] X509(asn1::OctetStringEncoded>), } + +#[derive(asn1::Asn1Write)] +pub struct EncryptedPrivateKeyInfo<'a> { + pub encryption_algorithm: AlgorithmIdentifier<'a>, + pub encrypted_data: &'a [u8], +} diff --git a/src/rust/cryptography-x509/src/pkcs7.rs b/src/rust/cryptography-x509/src/pkcs7.rs index bd553cb89def..31c7d097bab2 100644 --- a/src/rust/cryptography-x509/src/pkcs7.rs +++ b/src/rust/cryptography-x509/src/pkcs7.rs @@ -22,6 +22,8 @@ pub enum Content<'a> { SignedData(asn1::Explicit>, 0>), #[defined_by(PKCS7_DATA_OID)] Data(Option>), + #[defined_by(PKCS7_ENCRYPTED_DATA_OID)] + EncryptedData(asn1::Explicit, 0>), } #[derive(asn1::Asn1Write)] @@ -60,6 +62,20 @@ pub struct IssuerAndSerialNumber<'a> { pub serial_number: asn1::BigInt<'a>, } +#[derive(asn1::Asn1Write)] +pub struct EncryptedData<'a> { + pub version: u8, + pub encrypted_content_info: EncryptedContentInfo<'a>, +} + +#[derive(asn1::Asn1Write)] +pub struct EncryptedContentInfo<'a> { + pub content_type: asn1::ObjectIdentifier, + pub content_encryption_algorithm: common::AlgorithmIdentifier<'a>, + #[implicit(0)] + pub encrypted_content: Option<&'a [u8]>, +} + #[derive(asn1::Asn1Write)] pub struct DigestInfo<'a> { pub algorithm: common::AlgorithmIdentifier<'a>, diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 2d5501835640..83d222256fbd 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs 
@@ -10,13 +10,13 @@ use crate::types; use pyo3::types::{PyAnyMethods, PyModuleMethods}; use pyo3::IntoPy; -struct CipherContext { +pub(crate) struct CipherContext { ctx: openssl::cipher_ctx::CipherCtx, py_mode: pyo3::PyObject, } impl CipherContext { - fn new( + pub(crate) fn new( py: pyo3::Python<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, mode: pyo3::Bound<'_, pyo3::PyAny>, @@ -126,7 +126,7 @@ impl CipherContext { Ok(pyo3::types::PyBytes::new_bound(py, &out_buf[..n])) } - fn update_into( + pub(crate) fn update_into( &mut self, py: pyo3::Python<'_>, buf: &[u8], @@ -167,7 +167,7 @@ impl CipherContext { Ok(()) } - fn finalize<'p>( + pub(crate) fn finalize<'p>( &mut self, py: pyo3::Python<'p>, ) -> CryptographyResult> { diff --git a/src/rust/src/backend/kdf.rs b/src/rust/src/backend/kdf.rs index 52ccd10e9e3d..d8c3858a6331 100644 --- a/src/rust/src/backend/kdf.rs +++ b/src/rust/src/backend/kdf.rs @@ -8,7 +8,7 @@ use crate::error::CryptographyResult; use pyo3::types::PyModuleMethods; #[pyo3::pyfunction] -fn derive_pbkdf2_hmac<'p>( +pub(crate) fn derive_pbkdf2_hmac<'p>( py: pyo3::Python<'p>, key_material: CffiBuf<'_>, algorithm: &pyo3::Bound<'_, pyo3::PyAny>, diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index 15ace0442bbc..303e5ff86fe7 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs @@ -35,6 +35,14 @@ fn _extract_buffer_length<'p>( } impl<'a> CffiBuf<'a> { + pub(crate) fn from_bytes(py: pyo3::Python<'a>, buf: &'a [u8]) -> Self { + CffiBuf { + pyobj: py.None().into_bound(py), + _bufobj: py.None().into_bound(py), + buf, + } + } + pub(crate) fn as_bytes(&self) -> &[u8] { self.buf } diff --git a/src/rust/src/padding.rs b/src/rust/src/padding.rs index f6a13572f622..92da0a65af40 100644 --- a/src/rust/src/padding.rs +++ b/src/rust/src/padding.rs 
@@ -76,14 +76,17 @@ pub(crate) struct PKCS7PaddingContext { #[pyo3::pymethods] impl PKCS7PaddingContext { #[new] - fn new(block_size: usize) -> PKCS7PaddingContext { + pub(crate) fn new(block_size: usize) -> PKCS7PaddingContext { PKCS7PaddingContext { block_size: block_size / 8, length_seen: Some(0), } } - fn update<'a>(&mut self, buf: CffiBuf<'a>) -> CryptographyResult> { + pub(crate) fn update<'a>( + &mut self, + buf: CffiBuf<'a>, + ) -> CryptographyResult> { match self.length_seen.as_mut() { Some(v) => { *v += buf.as_bytes().len(); @@ -95,7 +98,7 @@ impl PKCS7PaddingContext { } } - fn finalize<'p>( + pub(crate) fn finalize<'p>( &mut self, py: pyo3::Python<'p>, ) -> CryptographyResult> { diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 7436146bcacb..153c2a6d0cfd 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -2,9 +2,10 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::backend::{hashes, hmac, keys}; +use crate::backend::{ciphers, hashes, hmac, kdf, keys}; use crate::buf::CffiBuf; use crate::error::CryptographyResult; +use crate::padding::PKCS7PaddingContext; use crate::x509::certificate::Certificate; use crate::{types, x509}; use cryptography_x509::common::Utf8StoredBMPString; 
@@ -78,6 +79,94 @@ impl PKCS12Certificate { } } +enum EncryptionAlgorithm { + PBESv2SHA256AndAES256CBC, +} + +impl EncryptionAlgorithm { + fn algorithm_identifier<'a>( + &self, + salt: &'a [u8], + iv: &'a [u8], + ) -> cryptography_x509::common::AlgorithmIdentifier<'a> { + match self { + EncryptionAlgorithm::PBESv2SHA256AndAES256CBC => { + let kdf_algorithm_identifier = cryptography_x509::common::AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: cryptography_x509::common::AlgorithmParameters::Pbkdf2( + cryptography_x509::common::PBKDF2Params { + salt, + iteration_count: 20000, + key_length: None, + prf: Box::new(cryptography_x509::common::AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: + cryptography_x509::common::AlgorithmParameters::HmacWithSha256( + (), + ), + }), + }, + ), + }; + let encryption_algorithm_identifier = + cryptography_x509::common::AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: cryptography_x509::common::AlgorithmParameters::Aes256Cbc( + iv[..16].try_into().unwrap(), + ), + }; + + cryptography_x509::common::AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: cryptography_x509::common::AlgorithmParameters::Pbes2( + cryptography_x509::common::PBES2Params { + key_derivation_func: Box::new(kdf_algorithm_identifier), + encryption_scheme: Box::new(encryption_algorithm_identifier), + }, + ), + } + } + } + } + + fn encrypt( + &self, + py: pyo3::Python<'_>, + password: &[u8], + salt: &[u8], + iv: &[u8], + data: &[u8], + ) -> CryptographyResult> { + match self { + EncryptionAlgorithm::PBESv2SHA256AndAES256CBC => { + let pass_buf = CffiBuf::from_bytes(py, password); + let sha256 = types::SHA256.get(py)?.call0()?; + + let key = kdf::derive_pbkdf2_hmac(py, pass_buf, &sha256, salt, 20000, 32)?; + + let aes256 = types::AES256.get(py)?.call1((key,))?; + let cbc = types::CBC.get(py)?.call1((iv,))?; + let mut cipher = + ciphers::CipherContext::new(py, aes256, cbc, 
openssl::symm::Mode::Encrypt)?; + + let mut ciphertext = vec![0; data.len() + 32]; + let n = cipher.update_into(py, data, &mut ciphertext)?; + + let mut padder = PKCS7PaddingContext::new(128); + assert!(padder.update(CffiBuf::from_bytes(py, data))?.is_none()); + let padding = padder.finalize(py)?; + + let pad_n = cipher.update_into(py, padding.as_bytes(), &mut ciphertext[n..])?; + let final_block = cipher.finalize(py)?; + assert!(final_block.as_bytes().is_empty()); + ciphertext.truncate(n + pad_n); + + Ok(ciphertext) + } + } + } +} + #[allow(dead_code)] const KDF_ENCRYPTION_KEY_ID: u8 = 1; #[allow(dead_code)] @@ -238,16 +327,29 @@ fn decode_encryption_algorithm<'a>( pyo3::pybacked::PyBackedBytes, pyo3::Bound<'a, pyo3::PyAny>, u64, + Option, )> { let default_hmac_alg = types::SHA256.get(py)?.call0()?; let default_hmac_kdf_iter = 2048; - assert!(encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get(py)?)?); - Ok(( - pyo3::types::PyBytes::new_bound(py, b"").extract()?, - default_hmac_alg, - default_hmac_kdf_iter, - )) + if encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get(py)?)? { + Ok(( + pyo3::types::PyBytes::new_bound(py, b"").extract()?, + default_hmac_alg, + default_hmac_kdf_iter, + None, + )) + } else { + assert!(encryption_algorithm.is_instance(&types::BEST_AVAILABLE_ENCRYPTION.get(py)?)?); + Ok(( + encryption_algorithm + .getattr(pyo3::intern!(py, "password"))? + .extract()?, + default_hmac_alg, + default_hmac_kdf_iter, + Some(EncryptionAlgorithm::PBESv2SHA256AndAES256CBC), + )) + } } #[derive(pyo3::FromPyObject)] 
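Review bot: The PBKDF2 parameters are written twice in `EncryptionAlgorithm`: `iteration_count: 20000` in `algorithm_identifier`, and the literals `20000, 32` passed to `kdf::derive_pbkdf2_hmac` in `encrypt`; likewise `iv[..16]` is what gets encoded while the whole `iv` is handed to `CBC`. If one side changes without the other, the file advertises parameters that differ from the key or IV actually used and cannot be decrypted. I would hoist them into shared constants and write `iteration_count: PBKDF2_ITERATIONS,` in one method and pass the same name in the other. Separately, 20000 rounds of PBKDF2-HMAC-SHA256 is well below what current password-hashing guidance recommends, so the constant deserves a comment saying why it was chosen. `iv[..16].try_into().unwrap()` would also panic on an IV shorter than 16 bytes, though the callers visible in this commit always pass 16 bytes from `OS_URANDOM`.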
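Review bot: In the new `BEST_AVAILABLE_ENCRYPTION` branch of `decode_encryption_algorithm` the password is returned together with `default_hmac_kdf_iter`, which stays at 2048. If that count drives the MAC key derivation from the same password, as the names suggest (the use is outside this hunk), the cost of an offline password guess is set by the 2048-round MAC check rather than by the 20000-round PBKDF2 protecting the bags. Consider raising it in the encrypted branch, or at least adding `// NOTE: the MAC KDF round count, not the PBES2 count, bounds offline guessing cost` next to the constant. The `assert!` on the instance check will also panic rather than return an error if any other encryption type reaches this function.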
@@ -266,11 +368,20 @@ fn serialize_key_and_certificates<'p>( cas: Option>, encryption_algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - let (password, mac_algorithm, mac_kdf_iter) = + let (password, mac_algorithm, mac_kdf_iter, encryption_algorithm) = decode_encryption_algorithm(py, encryption_algorithm)?; let mut auth_safe_contents = vec![]; - let (cert_bag_contents, key_bag_contents); + let ( + cert_bag_contents, + cert_salt, + cert_iv, + cert_ciphertext, + key_bag_contents, + key_salt, + key_iv, + key_ciphertext, + ); let mut ca_certs = vec![]; if cert.is_some() || cas.is_some() { let mut cert_bags = vec![]; 
@@ -297,12 +408,39 @@ fn serialize_key_and_certificates<'p>( } cert_bag_contents = asn1::write_single(&asn1::SequenceOfWriter::new(cert_bags))?; - auth_safe_contents.push(cryptography_x509::pkcs7::ContentInfo { - _content_type: asn1::DefinedByMarker::marker(), - content: cryptography_x509::pkcs7::Content::Data(Some(asn1::Explicit::new( - &cert_bag_contents, - ))), - }); + if let Some(e) = &encryption_algorithm { + cert_salt = types::OS_URANDOM + .get(py)? + .call1((16,))? + .extract::()?; + cert_iv = types::OS_URANDOM + .get(py)? + .call1((16,))? + .extract::()?; + cert_ciphertext = e.encrypt(py, &password, &cert_salt, &cert_iv, &cert_bag_contents)?; + + auth_safe_contents.push(cryptography_x509::pkcs7::ContentInfo { + _content_type: asn1::DefinedByMarker::marker(), + content: cryptography_x509::pkcs7::Content::EncryptedData(asn1::Explicit::new( + cryptography_x509::pkcs7::EncryptedData { + version: 0, + encrypted_content_info: cryptography_x509::pkcs7::EncryptedContentInfo { + content_type: cryptography_x509::pkcs7::PKCS7_DATA_OID, + content_encryption_algorithm: e + .algorithm_identifier(&cert_salt, &cert_iv), + encrypted_content: Some(&cert_ciphertext), + }, + }, + )), + }) + } else { + auth_safe_contents.push(cryptography_x509::pkcs7::ContentInfo { + _content_type: asn1::DefinedByMarker::marker(), + content: cryptography_x509::pkcs7::Content::Data(Some(asn1::Explicit::new( + &cert_bag_contents, + ))), + }); + } } if let Some(key) = key { 
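Review bot: Salt and IV generation is written out four times across this hunk and the `@@ -316,12 +454,40 @@` hunk, each as a `types::OS_URANDOM.get(py)?.call1((16,))?` chain with the length 16 repeated as a literal. A small private helper, used as `cert_salt = random_bytes(py, 16)?;`, would keep the four sites identical and give one place to document that the IV must be exactly the 16 bytes that `algorithm_identifier` slices with `iv[..16]`. Drawing a separate fresh salt and IV for the certificate bag and for the key bag should be kept as it is. `serialize_key_and_certificates` starts and ends outside both hunks.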
@@ -316,12 +454,40 @@ fn serialize_key_and_certificates<'p>( (der, pkcs8, no_encryption), )? .extract::()?; - let pkcs8_tlv = asn1::parse_single(&pkcs8_bytes)?; - let key_bag = cryptography_x509::pkcs12::SafeBag { - _bag_id: asn1::DefinedByMarker::marker(), - bag_value: asn1::Explicit::new(cryptography_x509::pkcs12::BagValue::KeyBag(pkcs8_tlv)), - attributes: friendly_name_attributes(name)?, + let key_bag = if let Some(e) = encryption_algorithm { + key_salt = types::OS_URANDOM + .get(py)? + .call1((16,))? + .extract::()?; + key_iv = types::OS_URANDOM + .get(py)? + .call1((16,))? + .extract::()?; + key_ciphertext = e.encrypt(py, &password, &key_salt, &key_iv, &pkcs8_bytes)?; + + cryptography_x509::pkcs12::SafeBag { + _bag_id: asn1::DefinedByMarker::marker(), + bag_value: asn1::Explicit::new( + cryptography_x509::pkcs12::BagValue::ShroudedKeyBag( + cryptography_x509::pkcs12::EncryptedPrivateKeyInfo { + encryption_algorithm: e.algorithm_identifier(&key_salt, &key_iv), + encrypted_data: &key_ciphertext, + }, + ), + ), + attributes: friendly_name_attributes(name)?, + } + } else { + let pkcs8_tlv = asn1::parse_single(&pkcs8_bytes)?; + + cryptography_x509::pkcs12::SafeBag { + _bag_id: asn1::DefinedByMarker::marker(), + bag_value: asn1::Explicit::new(cryptography_x509::pkcs12::BagValue::KeyBag( + pkcs8_tlv, + )), + attributes: friendly_name_attributes(name)?, + } }; key_bag_contents = asn1::write_single(&asn1::SequenceOfWriter::new([key_bag]))?; From a5fb2d42d4c2b5f970427867379052f9e0722d4a Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Fri, 5 Jul 2024 14:32:09 -0400 Subject: [PATCH 0763/1462] Convert the remainder of PKCS#12 encryption to Rust (#11200) --- .../hazmat/backends/openssl/backend.py | 210 +----------------- .../hazmat/primitives/serialization/pkcs12.py | 12 +- src/rust/cryptography-x509/src/common.rs | 9 + src/rust/cryptography-x509/src/oid.rs | 3 + src/rust/src/pkcs12.rs | 179 +++++++++++++-- src/rust/src/types.rs | 13 ++ src/rust/src/x509/certificate.rs | 2 +- tests/hazmat/primitives/test_pkcs12.py | 58 ----- tests/hazmat/primitives/test_pkcs7.py | 2 + 9 files changed, 196 insertions(+), 292 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 88d01f93b3ad..e4cfe6216f8d 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -5,11 +5,9 @@ from __future__ import annotations import collections -import contextlib import typing -from cryptography import utils, x509 -from cryptography.exceptions import UnsupportedAlgorithm +from cryptography import x509 from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.bindings.openssl import binding from cryptography.hazmat.primitives import hashes, serialization @@ -32,12 +30,6 @@ CBC, Mode, ) -from cryptography.hazmat.primitives.serialization.pkcs12 import ( - PBES, - PKCS12Certificate, - PKCS12PrivateKeyTypes, - _PKCS12CATypes, -) _MemoryBIO = collections.namedtuple("_MemoryBIO", ["bio", "char_ptr"]) 
@@ -126,11 +118,6 @@ def _evp_md_from_algorithm(self, algorithm: hashes.HashAlgorithm): evp_md = self._lib.EVP_get_digestbyname(alg) return evp_md - def _evp_md_non_null_from_algorithm(self, algorithm: hashes.HashAlgorithm): - evp_md = self._evp_md_from_algorithm(algorithm) - self.openssl_assert(evp_md != self._ffi.NULL) - return evp_md - def hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool: if self._fips_enabled and not isinstance(algorithm, self._fips_hashes): return False @@ -199,17 +186,6 @@ def _create_mem_bio_gc(self): bio = self._ffi.gc(bio, self._lib.BIO_free) return bio - def _read_mem_bio(self, bio) -> bytes: - """ - Reads a memory BIO. This only works on memory BIOs. - """ - buf = self._ffi.new("char **") - buf_len = self._lib.BIO_get_mem_data(bio, buf) - self.openssl_assert(buf_len > 0) - self.openssl_assert(buf[0] != self._ffi.NULL) - bio_data = self._ffi.buffer(buf[0], buf_len)[:] - return bio_data - def _oaep_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool: if self._fips_enabled and isinstance(algorithm, hashes.SHA1): return False @@ -274,21 +250,6 @@ def _cert2ossl(self, cert: x509.Certificate) -> typing.Any: x509 = self._ffi.gc(x509, self._lib.X509_free) return x509 - def _key2ossl(self, key: PKCS12PrivateKeyTypes) -> typing.Any: - data = key.private_bytes( - serialization.Encoding.DER, - serialization.PrivateFormat.PKCS8, - serialization.NoEncryption(), - ) - mem_bio = self._bytes_to_bio(data) - - evp_pkey = self._lib.d2i_PrivateKey_bio( - mem_bio.bio, - self._ffi.NULL, - ) - self.openssl_assert(evp_pkey != self._ffi.NULL) - return self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - def elliptic_curve_supported(self, curve: ec.EllipticCurve) -> bool: if self._fips_enabled and not isinstance( curve, self._fips_ecdh_curves 
@@ -356,175 +317,6 @@ def ecdsa_deterministic_supported(self) -> bool: and not self._fips_enabled ) - def _zero_data(self, data, length: int) -> None: - # We clear things this way because at the moment we're not - # sure of a better way that can guarantee it overwrites the - # memory of a bytearray and doesn't just replace the underlying char *. - for i in range(length): - data[i] = 0 - - @contextlib.contextmanager - def _zeroed_null_terminated_buf(self, data): - """ - This method takes bytes, which can be a bytestring or a mutable - buffer like a bytearray, and yields a null-terminated version of that - data. This is required because PKCS12_parse doesn't take a length with - its password char * and ffi.from_buffer doesn't provide null - termination. So, to support zeroing the data via bytearray we - need to build this ridiculous construct that copies the memory, but - zeroes it after use. - """ - if data is None: - yield self._ffi.NULL - else: - data_len = len(data) - buf = self._ffi.new("char[]", data_len + 1) - self._ffi.memmove(buf, data, data_len) - try: - yield buf - finally: - # Cast to a uint8_t * so we can assign by integer - self._zero_data(self._ffi.cast("uint8_t *", buf), data_len) - - def serialize_key_and_certificates_to_pkcs12( - self, - name: bytes | None, - key: PKCS12PrivateKeyTypes | None, - cert: x509.Certificate | None, - cas: list[_PKCS12CATypes] | None, - encryption_algorithm: serialization.KeySerializationEncryption, - ) -> bytes: - password = None - if name is not None: - utils._check_bytes("name", name) - - if ( - isinstance( - encryption_algorithm, serialization._KeySerializationEncryption - ) - and encryption_algorithm._format - is serialization.PrivateFormat.PKCS12 - ): - # Default to OpenSSL's defaults. Behavior will vary based on the - # version of OpenSSL cryptography is compiled against. 
- nid_cert = 0 - nid_key = 0 - # Use the default iters we use in best available - pkcs12_iter = 20000 - mac_iter = 0 - password = encryption_algorithm.password - keycertalg = encryption_algorithm._key_cert_algorithm - if keycertalg is PBES.PBESv1SHA1And3KeyTripleDESCBC: - nid_cert = self._lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC - nid_key = self._lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC - elif keycertalg is PBES.PBESv2SHA256AndAES256CBC: - if not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: - raise UnsupportedAlgorithm( - "PBESv2 is not supported by this version of OpenSSL" - ) - nid_cert = self._lib.NID_aes_256_cbc - nid_key = self._lib.NID_aes_256_cbc - else: - assert keycertalg is None - # We use OpenSSL's defaults - - if encryption_algorithm._hmac_hash is not None: - if not self._lib.Cryptography_HAS_PKCS12_SET_MAC: - raise UnsupportedAlgorithm( - "Setting MAC algorithm is not supported by this " - "version of OpenSSL." - ) - mac_alg = self._evp_md_non_null_from_algorithm( - encryption_algorithm._hmac_hash - ) - self.openssl_assert(mac_alg != self._ffi.NULL) - else: - mac_alg = self._ffi.NULL - - if encryption_algorithm._kdf_rounds is not None: - pkcs12_iter = encryption_algorithm._kdf_rounds - - else: - raise ValueError("Unsupported key encryption type") - - if cas is None or len(cas) == 0: - sk_x509 = self._ffi.NULL - else: - sk_x509 = self._lib.sk_X509_new_null() - sk_x509 = self._ffi.gc(sk_x509, self._lib.sk_X509_free) - - # This list is to keep the x509 values alive until end of function - ossl_cas = [] - for ca in cas: - if isinstance(ca, PKCS12Certificate): - ca_alias = ca.friendly_name - ossl_ca = self._cert2ossl(ca.certificate) - if ca_alias is None: - res = self._lib.X509_alias_set1( - ossl_ca, self._ffi.NULL, -1 - ) - else: - res = self._lib.X509_alias_set1( - ossl_ca, ca_alias, len(ca_alias) - ) - self.openssl_assert(res == 1) - else: - ossl_ca = self._cert2ossl(ca) - ossl_cas.append(ossl_ca) - res = self._lib.sk_X509_push(sk_x509, ossl_ca) 
- backend.openssl_assert(res >= 1) - - with self._zeroed_null_terminated_buf(password) as password_buf: - with self._zeroed_null_terminated_buf(name) as name_buf: - ossl_cert = self._cert2ossl(cert) if cert else self._ffi.NULL - ossl_pkey = ( - self._key2ossl(key) if key is not None else self._ffi.NULL - ) - - p12 = self._lib.PKCS12_create( - password_buf, - name_buf, - ossl_pkey, - ossl_cert, - sk_x509, - nid_key, - nid_cert, - pkcs12_iter, - mac_iter, - 0, - ) - if p12 == self._ffi.NULL: - errors = self._consume_errors() - raise ValueError( - ( - "Failed to create PKCS12 (does the key match the " - "certificate?)" - ), - errors, - ) - - if ( - self._lib.Cryptography_HAS_PKCS12_SET_MAC - and mac_alg != self._ffi.NULL - ): - self._lib.PKCS12_set_mac( - p12, - password_buf, - -1, - self._ffi.NULL, - 0, - mac_iter, - mac_alg, - ) - - self.openssl_assert(p12 != self._ffi.NULL) - p12 = self._ffi.gc(p12, self._lib.PKCS12_free) - - bio = self._create_mem_bio_gc() - res = self._lib.i2d_PKCS12_bio(bio, p12) - self.openssl_assert(res > 0) - return self._read_mem_bio(bio) - def poly1305_supported(self) -> bool: if self._fips_enabled: return False diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index 28fab3ca6f61..a104986bf9ec 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py 
@@ -167,16 +167,6 @@ def serialize_key_and_certificates( if key is None and cert is None and not cas: raise ValueError("You must supply at least one of key, cert, or cas") - if isinstance( - encryption_algorithm, - (serialization.NoEncryption, serialization.BestAvailableEncryption), - ): - return rust_pkcs12.serialize_key_and_certificates( - name, key, cert, cas, encryption_algorithm - ) - - from cryptography.hazmat.backends.openssl.backend import backend - - return backend.serialize_key_and_certificates_to_pkcs12( + return rust_pkcs12.serialize_key_and_certificates( name, key, cert, cas, encryption_algorithm ) diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index b0827a74501a..1816e07896b6 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -139,6 +139,9 @@ pub enum AlgorithmParameters<'a> { #[defined_by(oid::AES_256_CBC_OID)] Aes256Cbc([u8; 16]), + #[defined_by(oid::PBES1_WITH_SHA_AND_3KEY_TRIPLEDES_CBC)] + Pbes1WithShaAnd3KeyTripleDesCbc(PBES1Params), + #[default] Other(asn1::ObjectIdentifier, Option>), } @@ -431,6 +434,12 @@ pub struct PBKDF2Params<'a> { pub prf: Box>, } +#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash, Clone, Debug)] +pub struct PBES1Params { + pub salt: [u8; 8], + pub iterations: u64, +} + /// A VisibleString ASN.1 element whose contents is not validated as meeting the /// requirements (visible characters of IA5), and instead is only known to be /// valid UTF-8. diff --git a/src/rust/cryptography-x509/src/oid.rs b/src/rust/cryptography-x509/src/oid.rs index 85fb543e6e85..fbc440eea122 100644 --- a/src/rust/cryptography-x509/src/oid.rs +++ b/src/rust/cryptography-x509/src/oid.rs 
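Review bot: `PBES1Params` in the `@@ -431,6 +434,12 @@` hunk of common.rs has no doc comment, and it fixes the salt at `[u8; 8]` with an unbounded `u64` iteration count while deriving `Asn1Read` as well as `Asn1Write`. If the struct is ever used to read PKCS#12 data produced elsewhere, a salt of any other length will fail to parse, and the iteration count comes straight from the file, so the consumer needs its own upper bound before running the KDF. Whether a read path exists cannot be seen from this hunk. I would add a comment along the lines of `/// pkcs-12PbeParams (RFC 7292, Appendix C); salt is fixed at the 8 bytes this crate writes and iterations is not range-checked here.`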
@@ -151,6 +151,9 @@ pub const EKU_CERTIFICATE_TRANSPARENCY_OID: asn1::ObjectIdentifier = pub const PBES2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 13); pub const PBKDF2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 12); +pub const PBES1_WITH_SHA_AND_3KEY_TRIPLEDES_CBC: asn1::ObjectIdentifier = + asn1::oid!(1, 2, 840, 113549, 1, 12, 1, 3); + pub const AES_256_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 42); pub const AES_192_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 22); pub const AES_128_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 2); diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 153c2a6d0cfd..cdae36138e0a 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -4,7 +4,7 @@ use crate::backend::{ciphers, hashes, hmac, kdf, keys}; use crate::buf::CffiBuf; -use crate::error::CryptographyResult; +use crate::error::{CryptographyError, CryptographyResult}; use crate::padding::PKCS7PaddingContext; use crate::x509::certificate::Certificate; use crate::{types, x509}; 
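Review bot: The new constant `PBES1_WITH_SHA_AND_3KEY_TRIPLEDES_CBC` in oid.rs drops the `_OID` suffix that its neighbours in the same hunk carry (`PBES2_OID`, `PBKDF2_OID`, `AES_256_CBC_OID`). Naming it `PBES1_WITH_SHA_AND_3KEY_TRIPLEDES_CBC_OID` keeps the file consistent and searchable by suffix. The `#[defined_by(...)]` attribute added in common.rs would need the same rename.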
@@ -80,23 +80,41 @@ impl PKCS12Certificate { } enum EncryptionAlgorithm { + PBESv1SHA1And3KeyTripleDESCBC, PBESv2SHA256AndAES256CBC, } impl EncryptionAlgorithm { + fn salt_length(&self) -> usize { + match self { + EncryptionAlgorithm::PBESv1SHA1And3KeyTripleDESCBC => 8, + EncryptionAlgorithm::PBESv2SHA256AndAES256CBC => 16, + } + } + fn algorithm_identifier<'a>( &self, + cipher_kdf_iter: u64, salt: &'a [u8], iv: &'a [u8], ) -> cryptography_x509::common::AlgorithmIdentifier<'a> { match self { + EncryptionAlgorithm::PBESv1SHA1And3KeyTripleDESCBC => { + cryptography_x509::common::AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: cryptography_x509::common::AlgorithmParameters::Pbes1WithShaAnd3KeyTripleDesCbc(cryptography_x509::common::PBES1Params{ + salt: salt[..8].try_into().unwrap(), + iterations: cipher_kdf_iter, + }), + } + } EncryptionAlgorithm::PBESv2SHA256AndAES256CBC => { let kdf_algorithm_identifier = cryptography_x509::common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), params: cryptography_x509::common::AlgorithmParameters::Pbkdf2( cryptography_x509::common::PBKDF2Params { salt, - iteration_count: 20000, + iteration_count: cipher_kdf_iter, key_length: None, prf: Box::new(cryptography_x509::common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), 
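Review bot: In the PBES1 arm of `algorithm_identifier`, `salt[..8].try_into().unwrap()` silently truncates a salt longer than 8 bytes and panics on a shorter one. A truncated salt would put a different value in the identifier than the one handed to `encrypt`, and the output could then not be decrypted. Converting the whole slice makes the length contract explicit: `salt: salt.try_into().expect("PBES1 salt must be exactly 8 bytes"),`. The callers visible later in this patch size the salt with `e.salt_length()`, so this is hardening rather than a live bug. The function body continues past the end of the hunk.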
@@ -133,16 +151,65 @@ impl EncryptionAlgorithm { &self, py: pyo3::Python<'_>, password: &[u8], + cipher_kdf_iter: u64, salt: &[u8], iv: &[u8], data: &[u8], ) -> CryptographyResult> { match self { + EncryptionAlgorithm::PBESv1SHA1And3KeyTripleDESCBC => { + let key = pkcs12_kdf( + password, + salt, + KDF_ENCRYPTION_KEY_ID, + cipher_kdf_iter, + 24, + openssl::hash::MessageDigest::sha1(), + )?; + let iv = pkcs12_kdf( + password, + salt, + KDF_IV_ID, + cipher_kdf_iter, + 8, + openssl::hash::MessageDigest::sha1(), + )?; + + let triple_des = types::TRIPLE_DES + .get(py)? + .call1((pyo3::types::PyBytes::new_bound(py, &key),))?; + let cbc = types::CBC + .get(py)? + .call1((pyo3::types::PyBytes::new_bound(py, &iv),))?; + let mut cipher = + ciphers::CipherContext::new(py, triple_des, cbc, openssl::symm::Mode::Encrypt)?; + + let mut ciphertext = vec![0; data.len() + 16]; + let n = cipher.update_into(py, data, &mut ciphertext)?; + + let mut padder = PKCS7PaddingContext::new(64); + assert!(padder.update(CffiBuf::from_bytes(py, data))?.is_none()); + let padding = padder.finalize(py)?; + + let pad_n = cipher.update_into(py, padding.as_bytes(), &mut ciphertext[n..])?; + let final_block = cipher.finalize(py)?; + assert!(final_block.as_bytes().is_empty()); + ciphertext.truncate(n + pad_n); + + Ok(ciphertext) + } EncryptionAlgorithm::PBESv2SHA256AndAES256CBC => { let pass_buf = CffiBuf::from_bytes(py, password); let sha256 = types::SHA256.get(py)?.call0()?; - let key = kdf::derive_pbkdf2_hmac(py, pass_buf, &sha256, salt, 20000, 32)?; + let key = kdf::derive_pbkdf2_hmac( + py, + pass_buf, + &sha256, + salt, + cipher_kdf_iter.try_into().unwrap(), + 32, + )?; let aes256 = types::AES256.get(py)?.call1((key,))?; let cbc = types::CBC.get(py)?.call1((iv,))?; @@ -320,6 +387,7 @@ fn cert_to_bag<'a>( }) } +#[allow(clippy::type_complexity)] fn decode_encryption_algorithm<'a>( py: pyo3::Python<'a>, encryption_algorithm: pyo3::Bound<'a, pyo3::PyAny>, 
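Review bot: In the PBESv2 arm of `encrypt`, `cipher_kdf_iter.try_into().unwrap()` panics if the caller-supplied round count does not fit the integer type `derive_pbkdf2_hmac` expects; that signature is outside this hunk, so the width is an assumption. The value originates from `_kdf_rounds` on the Python encryption builder, so an out-of-range number should surface as an ordinary exception rather than a panic, e.g. `cipher_kdf_iter.try_into().map_err(|_| pyo3::exceptions::PyOverflowError::new_err("kdf_rounds is too large"))?,`. `encrypt` starts before and continues after this hunk.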
@@ -327,28 +395,78 @@ fn decode_encryption_algorithm<'a>( pyo3::pybacked::PyBackedBytes, pyo3::Bound<'a, pyo3::PyAny>, u64, + u64, Option, )> { let default_hmac_alg = types::SHA256.get(py)?.call0()?; let default_hmac_kdf_iter = 2048; + let default_cipher_kdf_iter = 20000; if encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get(py)?)? { Ok(( pyo3::types::PyBytes::new_bound(py, b"").extract()?, default_hmac_alg, default_hmac_kdf_iter, + default_cipher_kdf_iter, None, )) - } else { - assert!(encryption_algorithm.is_instance(&types::BEST_AVAILABLE_ENCRYPTION.get(py)?)?); + } else if encryption_algorithm.is_instance(&types::ENCRYPTION_BUILDER.get(py)?)? + && encryption_algorithm + .getattr(pyo3::intern!(py, "_format"))? + .is(&types::PRIVATE_FORMAT_PKCS12.get(py)?) + { + let key_cert_alg = + encryption_algorithm.getattr(pyo3::intern!(py, "_key_cert_algorithm"))?; + let cipher = if key_cert_alg.is(&types::PBES_PBESV1SHA1AND3KEYTRIPLEDESCBC.get(py)?) { + EncryptionAlgorithm::PBESv1SHA1And3KeyTripleDESCBC + } else if key_cert_alg.is(&types::PBES_PBESV2SHA256ANDAES256CBC.get(py)?) { + EncryptionAlgorithm::PBESv2SHA256AndAES256CBC + } else { + assert!(key_cert_alg.is_none()); + EncryptionAlgorithm::PBESv2SHA256AndAES256CBC + }; + + let hmac_alg = if let Some(v) = encryption_algorithm + .getattr(pyo3::intern!(py, "_hmac_hash"))? + .extract()? + { + v + } else { + default_hmac_alg + }; + + let cipher_kdf_iter = if let Some(v) = encryption_algorithm + .getattr(pyo3::intern!(py, "_kdf_rounds"))? + .extract()? + { + v + } else { + default_cipher_kdf_iter + }; + + Ok(( + encryption_algorithm + .getattr(pyo3::intern!(py, "password"))? + .extract()?, + hmac_alg, + default_hmac_kdf_iter, + cipher_kdf_iter, + Some(cipher), + )) + } else if encryption_algorithm.is_instance(&types::BEST_AVAILABLE_ENCRYPTION.get(py)?)? { Ok(( encryption_algorithm .getattr(pyo3::intern!(py, "password"))? 
.extract()?, default_hmac_alg, default_hmac_kdf_iter, + default_cipher_kdf_iter, Some(EncryptionAlgorithm::PBESv2SHA256AndAES256CBC), )) + } else { + Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Unsupported key encryption type"), + )) } } @@ -368,7 +486,7 @@ fn serialize_key_and_certificates<'p>( cas: Option>, encryption_algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - let (password, mac_algorithm, mac_kdf_iter, encryption_algorithm) = + let (password, mac_algorithm, mac_kdf_iter, cipher_kdf_iter, encryption_algorithm) = decode_encryption_algorithm(py, encryption_algorithm)?; let mut auth_safe_contents = vec![]; @@ -387,6 +505,20 @@ fn serialize_key_and_certificates<'p>( let mut cert_bags = vec![]; if let Some(cert) = cert { + if let Some(ref key) = key { + if !cert + .public_key(py)? + .into_bound(py) + .eq(key.call_method0(pyo3::intern!(py, "public_key"))?)? + { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Certificate public key and provided private key do not match", + ), + )); + } + } + cert_bags.push(cert_to_bag(cert, name)?); } @@ -411,13 +543,20 @@ fn serialize_key_and_certificates<'p>( if let Some(e) = &encryption_algorithm { cert_salt = types::OS_URANDOM .get(py)? - .call1((16,))? + .call1((e.salt_length(),))? .extract::()?; cert_iv = types::OS_URANDOM .get(py)? .call1((16,))? .extract::()?; - cert_ciphertext = e.encrypt(py, &password, &cert_salt, &cert_iv, &cert_bag_contents)?; + cert_ciphertext = e.encrypt( + py, + &password, + cipher_kdf_iter, + &cert_salt, + &cert_iv, + &cert_bag_contents, + )?; auth_safe_contents.push(cryptography_x509::pkcs7::ContentInfo { _content_type: asn1::DefinedByMarker::marker(), 
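Review bot: In the `ENCRYPTION_BUILDER` branch of `decode_encryption_algorithm`, `_kdf_rounds` only replaces `cipher_kdf_iter`, while the MAC iteration count returned next to it stays `default_hmac_kdf_iter` (2048) in every branch. If that element drives the MAC key derivation from the same password (its use is outside this hunk), raising `kdf_rounds` does not raise the cost of guessing the password against the MAC. The removed Python path appears to have behaved the same way (`mac_iter = 0`), so a comment fits better than a behaviour change: `// kdf_rounds applies to the cipher KDF only; the MAC KDF keeps default_hmac_kdf_iter`. Separately, `assert!(key_cert_alg.is_none())` could return the same `PyValueError` as the final `else`, so that an unexpected `_key_cert_algorithm` raises instead of panicking.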
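Review bot: `cert_iv` is still drawn as 16 bytes from `OS_URANDOM` when `e` is the PBES1 variant, even though that variant never uses it. Its `encrypt` arm shadows `iv` with a value from `pkcs12_kdf`, and its `algorithm_identifier` arm never writes the IV. The key-bag code in the `@@ -458,20 +600,31 @@` hunk does the same with `key_iv`. Nothing breaks, but the unused random IV reads as if it protected the 3DES ciphertext. A comment at both sites such as `// PBES1 derives its IV from the password and salt; this value is only used by PBES2`, or an `iv_length()` helper next to `salt_length()`, would make the intent clear.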
@@ -426,8 +565,11 @@ fn serialize_key_and_certificates<'p>( version: 0, encrypted_content_info: cryptography_x509::pkcs7::EncryptedContentInfo { content_type: cryptography_x509::pkcs7::PKCS7_DATA_OID, - content_encryption_algorithm: e - .algorithm_identifier(&cert_salt, &cert_iv), + content_encryption_algorithm: e.algorithm_identifier( + cipher_kdf_iter, + &cert_salt, + &cert_iv, + ), encrypted_content: Some(&cert_ciphertext), }, }, @@ -458,20 +600,31 @@ fn serialize_key_and_certificates<'p>( let key_bag = if let Some(e) = encryption_algorithm { key_salt = types::OS_URANDOM .get(py)? - .call1((16,))? + .call1((e.salt_length(),))? .extract::()?; key_iv = types::OS_URANDOM .get(py)? .call1((16,))? .extract::()?; - key_ciphertext = e.encrypt(py, &password, &key_salt, &key_iv, &pkcs8_bytes)?; + key_ciphertext = e.encrypt( + py, + &password, + cipher_kdf_iter, + &key_salt, + &key_iv, + &pkcs8_bytes, + )?; cryptography_x509::pkcs12::SafeBag { _bag_id: asn1::DefinedByMarker::marker(), bag_value: asn1::Explicit::new( cryptography_x509::pkcs12::BagValue::ShroudedKeyBag( cryptography_x509::pkcs12::EncryptedPrivateKeyInfo { - encryption_algorithm: e.algorithm_identifier(&key_salt, &key_iv), + encryption_algorithm: e.algorithm_identifier( + cipher_kdf_iter, + &key_salt, + &key_iv, + ), encrypted_data: &key_ciphertext, }, ), diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 95ab3c7cea64..a6904398dfe8 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -89,6 +89,10 @@ pub static PRIVATE_FORMAT_PKCS8: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization", &["PrivateFormat", "PKCS8"], ); +pub static PRIVATE_FORMAT_PKCS12: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["PrivateFormat", "PKCS12"], +); pub static PRIVATE_FORMAT_RAW: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization", &["PrivateFormat", "Raw"], 
@@ -149,6 +153,15 @@ pub static ENCRYPTION_BUILDER: LazyPyImport = LazyPyImport::new( &["_KeySerializationEncryption"], ); +pub static PBES_PBESV1SHA1AND3KEYTRIPLEDESCBC: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs12", + &["PBES", "PBESv1SHA1And3KeyTripleDESCBC"], +); +pub static PBES_PBESV2SHA256ANDAES256CBC: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs12", + &["PBES", "PBESv2SHA256AndAES256CBC"], +); + pub static SERIALIZE_SSH_PRIVATE_KEY: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization.ssh", &["_serialize_ssh_private_key"], diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 2bf3b4406fe3..2fb5d5af272e 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -66,7 +66,7 @@ impl Certificate { slf } - fn public_key(&self, py: pyo3::Python<'_>) -> CryptographyResult { + pub(crate) fn public_key(&self, py: pyo3::Python<'_>) -> CryptographyResult { keys::load_der_public_key_bytes( py, self.raw.borrow_dependent().tbs_cert.spki.tlv().full_data(), diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 8397750ec264..67a68152eb8f 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -9,7 +9,6 @@ import pytest from cryptography import x509 -from cryptography.exceptions import UnsupportedAlgorithm from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.decrepit.ciphers.algorithms import RC2 from cryptography.hazmat.primitives import hashes, serialization 
@@ -636,12 +635,6 @@ def test_key_serialization_encryption( ) and not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: pytest.skip("PBESv2 is not supported on OpenSSL < 3.0") - if ( - mac_alg is not None - and not backend._lib.Cryptography_HAS_PKCS12_SET_MAC - ): - pytest.skip("PKCS12_set_mac is not supported (boring)") - builder = serialization.PrivateFormat.PKCS12.encryption_builder() if enc_alg is not None: builder = builder.key_cert_algorithm(enc_alg) 
@@ -688,57 +681,6 @@ def test_key_serialization_encryption( ) assert parsed_more_certs == [cacert] - @pytest.mark.supported( - only_if=lambda backend: ( - not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER - ), - skip_message="Requires OpenSSL < 3.0.0 (or Libre/Boring)", - ) - @pytest.mark.parametrize( - ("algorithm"), - [ - serialization.PrivateFormat.PKCS12.encryption_builder() - .key_cert_algorithm(PBES.PBESv2SHA256AndAES256CBC) - .build(b"password"), - ], - ) - def test_key_serialization_encryption_unsupported( - self, algorithm, backend - ): - cacert, cakey = _load_ca(backend) - with pytest.raises(UnsupportedAlgorithm): - serialize_key_and_certificates( - b"name", cakey, cacert, [], algorithm - ) - - @pytest.mark.supported( - only_if=lambda backend: ( - not backend._lib.Cryptography_HAS_PKCS12_SET_MAC - ), - skip_message="Requires OpenSSL without PKCS12_set_mac (boring only)", - ) - @pytest.mark.parametrize( - "algorithm", - [ - serialization.PrivateFormat.PKCS12.encryption_builder() - .key_cert_algorithm(PBES.PBESv1SHA1And3KeyTripleDESCBC) - .hmac_hash(hashes.SHA256()) - .build(b"password"), - ], - ) - def test_key_serialization_encryption_set_mac_unsupported( - self, algorithm, backend - ): - cacert, cakey = _load_ca(backend) - with pytest.raises(UnsupportedAlgorithm): - serialize_key_and_certificates( - b"name", cakey, cacert, [], algorithm - ) - - @pytest.mark.supported( - only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC, - skip_message="Requires OpenSSL with PKCS12_set_mac", - ) def test_set_mac_key_certificate_mismatch(self, backend): cacert, _ = _load_ca(backend) key = ec.generate_private_key(ec.SECP256R1()) diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 36abfae9c052..4c4c0aa7dd50 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py 
@@ -100,6 +100,8 @@ def test_load_pkcs7_empty_certificates(self): # We have no public verification API and won't be adding one until we get # some requirements from users so this function exists to give us basic # verification for the signing tests. +# +# This relies on a number of bindings that we'd otherwise like to remove. def _pkcs7_verify(encoding, sig, msg, certs, options, backend): sig_bio = backend._bytes_to_bio(sig) if encoding is serialization.Encoding.DER: From 5b23baae7e1a59ab16630e6f8eae13e2b8822ded Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Jul 2024 14:57:08 -0400 Subject: [PATCH 0764/1462] Switch to maturin. (#8815) It seems to be much faster at doing things locally. --- .github/requirements/build-requirements.in | 2 +- .github/requirements/build-requirements.txt | 26 +++++---- .github/workflows/wheel-builder.yml | 25 +++++---- MANIFEST.in | 24 --------- pyproject.toml | 60 ++++++++++++++------- 5 files changed, 75 insertions(+), 62 deletions(-) delete mode 100644 MANIFEST.in diff --git a/.github/requirements/build-requirements.in b/.github/requirements/build-requirements.in index 4b916ef1ca97..17c93da02a92 100644 --- a/.github/requirements/build-requirements.in +++ b/.github/requirements/build-requirements.in @@ -1,7 +1,7 @@ # Must be kept sync with build-system.requires at pyproject.toml setuptools>=61.0.0 cffi>=1.12; platform_python_implementation != 'PyPy' -setuptools-rust>=1.7.0 +maturin>=1,<2 # WARN: changing the requirements here DOES NOT update the dependencies used for building at the github workflow, as the build process used build-requirements.txt # To update build-requirements.txt according to the dependencies here, run pip-compile --allow-unsafe --generate-hashes build-requirements.in diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 2c2b48c6e2ef..8728b8600471 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt 
@@ -58,22 +58,29 @@ cffi==1.16.0 ; platform_python_implementation != "PyPy" \ --hash=sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956 \ --hash=sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357 # via -r build-requirements.in +maturin==1.5.0 \ + --hash=sha256:0b976116b7cfaafbc8c3f0acfaec6702520c49e86e48ea80e2c282b7f8118c1a \ + --hash=sha256:1b29bf8771f27d2e6b2685c82de952b5732ee79e5c0030ffd5dab5ccb99137a1 \ + --hash=sha256:2e4c01370a5c10b6c4887bee66d3582bdb38c3805168c1393f072bd266da08d4 \ + --hash=sha256:76e3270ff87b5484976d23e3d88475cd64acf41b54f561263f253d8fca0baab3 \ + --hash=sha256:9cba3737cb92ce5c1bd82cbb9b1fde412b2aac8882ac38b8340980f5eb858d8c \ + --hash=sha256:a5c038ded82c7595d99e94a208aa8af2b5c94eef4c8fcf5ef6e841957e506201 \ + --hash=sha256:b3a499ff5960e46115488e68011809ce99857864ce3a91cf5d0fff3adbd89e8c \ + --hash=sha256:d277adf9b27143627ba7be7ea254513d3e85008fb16a94638b56884a41b4e5a2 \ + --hash=sha256:d6a314472e07b6bdfa4cdf97d24cda1defe008d36d4b75de2efd3383e7a2d7bf \ + --hash=sha256:e046ea2aed687991d58c42f6276dfcc0c037092934654f538b5877fd57dd3a9c \ + --hash=sha256:eb35dfe5994ad2c34d2874a73720847ecc2adb28f934e9a7cbcdb8826b240e60 \ + --hash=sha256:f271f315fb78d2ff5fdf60f8d3ada2a04a66ac6fbd3cbb318c4eb4e9766449bc \ + --hash=sha256:faa0d099a8045afc9977284cb3a1c26e5ebc9a7f0fe4d53b7ee17f62fd279f4a + # via -r build-requirements.in pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc # via cffi -semantic-version==2.10.0 \ - --hash=sha256:bdabb6d336998cbb378d4b9db3a4b56a1e3235701dc05ea2690d9a997ed5041c \ - --hash=sha256:de78a3b8e0feda74cabc54aab2da702113e33ac9d9eb9d2389bcf1f58b7d9177 - # via setuptools-rust -setuptools-rust==1.9.0 \ - --hash=sha256:409caf49dcf7ad9bd510b4bf4011fbad504e745fae98f57fe1c06f3a97719638 \ - --hash=sha256:704df0948f2e4cc60c2596ad6e840ea679f4f43e58ed4ad0c1857807240eab96 - # via 
-r build-requirements.in tomli==2.0.1 \ --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \ --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f - # via setuptools-rust + # via maturin # The following packages are considered to be unsafe in a requirements file: setuptools==70.2.0 \ @@ -81,4 +88,3 @@ setuptools==70.2.0 \ --hash=sha256:bd63e505105011b25c3c11f753f7e3b8465ea739efddaccef8f0efac2137bac1 # via # -r build-requirements.in - # setuptools-rust diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index b7627cb438cd..7ef8930fdfc5 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -61,8 +61,8 @@ jobs: fail-fast: false matrix: PYTHON: - - { VERSION: "cp311-cp311", ABI_VERSION: 'cp37' } - - { VERSION: "cp311-cp311", ABI_VERSION: 'cp39' } + - { VERSION: "cp311-cp311", ABI_VERSION: 'py37' } + - { VERSION: "cp311-cp311", ABI_VERSION: 'py39' } - { VERSION: "pp39-pypy39_pp73" } - { VERSION: "pp310-pypy310_pp73" } MANYLINUX: @@ -127,8 +127,12 @@ jobs: - name: Build the wheel run: | if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then - PY_LIMITED_API="--config-settings=--build-option=--py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" + PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" fi + + # `maturin` has a binary that needs to be on the $PATH, so we + # activate the venv. + source .venv/bin/activate OPENSSL_DIR="/opt/pyca/cryptography/openssl" \ OPENSSL_STATIC=1 \ .venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl tmpwheelhouse 
@@ -162,7 +166,7 @@ jobs: matrix: PYTHON: - VERSION: '3.11' - ABI_VERSION: 'cp37' + ABI_VERSION: 'py37' # Despite the name, this is built for the macOS 11 SDK on arm64 and 10.9+ on intel DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg' BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3' @@ -174,7 +178,7 @@ jobs: # build against _PYTHON_HOST_PLATFORM: 'macosx-10.9-universal2' - VERSION: '3.11' - ABI_VERSION: 'cp39' + ABI_VERSION: 'py39' # Despite the name, this is built for the macOS 11 SDK on arm64 and 10.9+ on intel DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg' BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3' @@ -243,9 +247,12 @@ jobs: - name: Build the wheel run: | if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then - PY_LIMITED_API="--config-settings=--build-option=--py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" + PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" fi + # `maturin` has a binary that needs to be on the $PATH, so we + # activate the venv. + source venv/bin/activate OPENSSL_DIR="$(readlink -f ../openssl-macos-universal2/)" \ OPENSSL_STATIC=1 \ venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl wheelhouse @@ -279,8 +286,8 @@ jobs: - {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'} - {ARCH: 'x64', WINDOWS: 'win64', RUST_TRIPLE: 'x86_64-pc-windows-msvc'} PYTHON: - - {VERSION: "3.11", "ABI_VERSION": "cp37"} - - {VERSION: "3.11", "ABI_VERSION": "cp39"} + - {VERSION: "3.11", "ABI_VERSION": "py37"} + - {VERSION: "3.11", "ABI_VERSION": "py39"} - {VERSION: "pypy-3.9"} - {VERSION: "pypy-3.10"} exclude: 
@@ -334,7 +341,7 @@ jobs: - run: mkdir wheelhouse - run: | if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then - PY_LIMITED_API="--config-settings=--build-option=--py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" + PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" fi python -m pip wheel -v --no-deps cryptography*.tar.gz $PY_LIMITED_API -w dist/ && mv dist/cryptography*.whl wheelhouse/ diff --git a/MANIFEST.in b/MANIFEST.in deleted file mode 100644 index dcffd6024d1c..000000000000 --- a/MANIFEST.in +++ /dev/null @@ -1,24 +0,0 @@ -include CHANGELOG.rst -include CONTRIBUTING.rst -include LICENSE -include LICENSE.APACHE -include LICENSE.BSD -include README.rst -include noxfile.py - -include pyproject.toml -recursive-include src py.typed *.pyi - -recursive-include docs * -recursive-include src/_cffi_src *.py *.c *.h -recursive-include src/rust Cargo.toml Cargo.lock *.rs -prune docs/_build -recursive-include tests *.py -exclude vectors -recursive-exclude vectors * -exclude src/rust/target -recursive-exclude src/rust/target * - -recursive-exclude .github * - -exclude release.py .readthedocs.yml ci-constraints-requirements.txt mypy.ini diff --git a/pyproject.toml b/pyproject.toml index 186ca1d6b27c..4cfc675e2556 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -2,13 +2,15 @@ # These requirements must be kept sync with the requirements in # ./github/requirements/build-requirements.{in,txt} requires = [ - # First version of setuptools to support pyproject.toml configuration - "setuptools>=61.0.0", + "maturin>=1,<2", + # Must be kept in sync with `project.dependencies` "cffi>=1.12; platform_python_implementation != 'PyPy'", - "setuptools-rust>=1.7.0", + # Needed because cffi imports distutils, and in Python 3.12, distutils has + # been removed from the stdlib, but installing setuptools puts it back. + "setuptools", ] -build-backend = "setuptools.build_meta" +build-backend = "maturin" [project] name = "cryptography" @@ -56,14 +58,6 @@ source = "https://github.com/pyca/cryptography/" issues = "https://github.com/pyca/cryptography/issues" changelog = "https://cryptography.io/en/latest/changelog/" -[tool.setuptools] -zip-safe = false -package-dir = {"" = "src"} - -[tool.setuptools.packages.find] -where = ["src"] -include = ["cryptography*"] - [project.optional-dependencies] ssh = ["bcrypt >=3.1.5"] 
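Review bot: The `requires` list in the `@@ -2,13 +2,15 @@` hunk now has a bare `"setuptools"`, while build-requirements.in still carries `setuptools>=61.0.0` (visible as context in that file's hunk). The comment at the top of this list says the two must be kept in sync. Either restore the bound here with `"setuptools>=61.0.0",` or relax it in build-requirements.in, so the hashed CI lock and the build requirements that downstream sdist builds resolve describe the same set. If the difference is intentional because setuptools is now only there to provide distutils for cffi, say so in the comment.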
@@ -85,12 +79,42 @@ sdist = ["build"] # `click` included because its needed to type check `release.py` pep8test = ["ruff", "mypy", "check-sdist", "click"] -[[tool.setuptools-rust.ext-modules]] -target = "cryptography.hazmat.bindings._rust" -path = "src/rust/Cargo.toml" -py-limited-api = "auto" -rust-version = ">=1.65.0" - +[tool.maturin] +python-source = "src" +python-packages = ["cryptography"] +manifest-path = "src/rust/Cargo.toml" +module-name = "cryptography.hazmat.bindings._rust" +locked = true +sdist-generator = "git" +features = ["pyo3/abi3-py37"] +include = [ + "CHANGELOG.rst", + "CONTRIBUTING.rst", + "LICENSE", + "LICENSE.APACHE", + "LICENSE.BSD", + + "docs/**/*", + + "src/_cffi_src/**/*.py", + "src/_cffi_src/**/*.c", + "src/_cffi_src/**/*.h", + + "src/rust/**/Cargo.toml", + "src/rust/**/Cargo.lock", + "src/rust/**/*.rs", + + "tests/**/*.py", +] +exclude = [ + "vectors/**/*", + "src/rust/target/**/*", + "docs/_build/**/*", + ".github/**/*", + ".readthedocs.yml", + "ci-constraints-requirements.txt", + "mypy.ini", +] [tool.pytest.ini_options] addopts = "-r s --capture=no --strict-markers --benchmark-disable" From 8a7f27be3dbf76dcf624ffb550bdbd13554acab0 Mon Sep 17 00:00:00 2001 
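Review bot: The `exclude` list under `[tool.maturin]` leaves out `release.py`, which the deleted MANIFEST.in excluded together with `.readthedocs.yml`, `ci-constraints-requirements.txt` and `mypy.ini`. With `sdist-generator = "git"` the sdist is presumably assembled from tracked files, so the release script may now ship in the published source distribution; adding `"release.py",` to `exclude` would keep the contents as they were. The `include` list also no longer names `README.rst` or `noxfile.py`, which MANIFEST.in listed, so it is worth comparing a built sdist against the previous release before relying on these lists.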
From: Daniel Lenski Date: Fri, 5 Jul 2024 15:14:04 -0700 Subject: [PATCH 0765/1462] Add rsa_recover_private_exponent function (#11193) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Given the RSA public exponent (`e`), and the RSA primes (`p`, `q`), it is possible to calculate the corresponding private exponent `d = e⁻¹ mod λ(n)` where `λ(n) = lcm(p-1, q-1)`. With this function added, it becomes possible to use the library to reconstruct an RSA private key given *only* `p`, `q`, and `e`: from cryptography.hazmat.primitives.asymmetric import rsa n = p * q d = rsa.rsa_recover_private_exponent(e, p, q) # newly-added piece iqmp = rsa.rsa_crt_iqmp(p, q) # preexisting dmp1 = rsa.rsa_crt_dmp1(d, p) # preexisting dmq1 = rsa.rsa_crt_dmq1(d, q) # preexisting assert rsa.rsa_recover_prime_factors(n, e, d) in ((p, q), (q, p)) # verify consistency privk = rsa.RSAPrivateNumbers(p, q, d, dmp1, dmq1, iqmp, rsa.RSAPublicNumbers(e, n)).private_key() Older RSA implementations, including the original RSA paper, often used the Euler totient function `ɸ(n) = (p-1) * (q-1)` instead of `λ(n)`. The private exponents generated by that method work equally well, but may be larger than strictly necessary (`λ(n)` always divides `ɸ(n)`). This commit additionally implements `_rsa_recover_euler_private_exponent`, so that tests of the internal structure of RSA private keys can allow for either the Euler or the Carmichael versions of the private exponents. It makes sense to expose only the more modern version (using the Carmichael totient function) for public usage, given that it is slightly more computationally efficient to use the keys in this form, and that some standards like FIPS 186-4 require this form. 
(See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf#page=63) --- CHANGELOG.rst | 2 ++ docs/hazmat/primitives/asymmetric/rsa.rst | 17 ++++++++++ docs/spelling_wordlist.txt | 3 ++ .../hazmat/primitives/asymmetric/rsa.py | 21 +++++++++++++ tests/hazmat/primitives/utils.py | 31 ++++++++++++++++++- 5 files changed, 73 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 58a827719e65..ea4210277567 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -58,6 +58,8 @@ Changelog :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.next_update_utc`, These are timezone-aware variants of existing properties that return naïve ``datetime`` objects. +* Added + :func:`~cryptography.hazmat.primitives.asymmetric.rsa.rsa_recover_private_exponent` .. _v42-0-8: diff --git a/docs/hazmat/primitives/asymmetric/rsa.rst b/docs/hazmat/primitives/asymmetric/rsa.rst index 35230f7e982d..d712b2226459 100644 --- a/docs/hazmat/primitives/asymmetric/rsa.rst +++ b/docs/hazmat/primitives/asymmetric/rsa.rst @@ -554,6 +554,23 @@ this without having to do the math themselves. Computes the ``dmq1`` parameter from the RSA private exponent (``d``) and prime ``q``. +.. function:: rsa_recover_private_exponent(e, p, q) + + .. versionadded:: 43.0.0 + + Computes the RSA private_exponent (``d``) given the public exponent (``e``) + and the RSA primes ``p`` and ``q``. + + .. note:: + + This implementation uses the Carmichael totient function to return the + smallest working value of ``d``. Older RSA implementations, including the + original RSA paper, often used the Euler totient function, which results + in larger but equally functional private exponents. The private exponents + resulting from the Carmichael totient function, as returned here, are + slightly more computationally efficient to use, and some modern standards + require them. + .. function:: rsa_recover_prime_factors(n, e, d) .. versionadded:: 0.8 
diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index e7e9afd1cbaf..2cf3167b1dbc 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -15,6 +15,7 @@ Botan Brainpool Bullseye Capitan +Carmichael CentOS changelog Changelog @@ -51,6 +52,7 @@ Docstrings El Encodings endian +Euler extendable facto fallback @@ -128,6 +130,7 @@ Thawte timestamp timestamps toolchain +totient Trixie tunable Ubuntu diff --git a/src/cryptography/hazmat/primitives/asymmetric/rsa.py b/src/cryptography/hazmat/primitives/asymmetric/rsa.py index 49c76af0de94..7a387b5ea55d 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/rsa.py +++ b/src/cryptography/hazmat/primitives/asymmetric/rsa.py @@ -190,6 +190,27 @@ def rsa_crt_dmq1(private_exponent: int, q: int) -> int: return private_exponent % (q - 1) +def rsa_recover_private_exponent(e: int, p: int, q: int) -> int: + """ + Compute the RSA private_exponent (d) given the public exponent (e) + and the RSA primes p and q. + + This uses the Carmichael totient function to generate the + smallest possible working value of the private exponent. + """ + # This lambda_n is the Carmichael totient function. + # The original RSA paper uses the Euler totient function + # here: phi_n = (p - 1) * (q - 1) + # Either version of the private exponent will work, but the + # one generated by the older formulation may be larger + # than necessary. (lambda_n always divides phi_n) + # + # TODO: Replace with lcm(p - 1, q - 1) once the minimum + # supported Python version is >= 3.9. + lambda_n = (p - 1) * (q - 1) // gcd(p - 1, q - 1) + return _modinv(e, lambda_n) + + # Controls the number of iterations rsa_recover_prime_factors will perform # to obtain the prime factors. Each iteration increments by 2 so the actual # maximum attempts is half this number. diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 9e119f0b636b..16dc612e528e 100644 --- a/tests/hazmat/primitives/utils.py 
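Review bot: `rsa_recover_private_exponent` in the rsa.py hunk hands `e` and `lambda_n` to `_modinv` without first checking that an inverse exists. `_modinv` is defined outside the hunk; unless it rejects `gcd(e, lambda_n) != 1` itself, the function returns a number that is not a working private exponent rather than raising, and a key rebuilt from it would only fail later. A guard before the return would make the failure explicit: `if gcd(e, lambda_n) != 1: raise ValueError("e is not invertible modulo lcm(p - 1, q - 1)")`. The inputs `p <= 1` or `q <= 1` should be rejected the same way, since they make `lambda_n` zero or hit a division by zero in the `//`, and the docstring should name the `ValueError`.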
+++ b/tests/hazmat/primitives/utils.py @@ -522,13 +522,42 @@ def rsa_verification_test(backend, params, hash_alg, pad_factory): public_key.verify(signature, msg, pad, hash_alg) +def _rsa_recover_euler_private_exponent(e: int, p: int, q: int) -> int: + """ + Compute the RSA private_exponent (d) given the public exponent (e) + and the RSA primes p and q, following the usage of the original + RSA paper. + + As in the original RSA paper, this uses the Euler totient function + instead of the Carmichael totient function, and thus may generate a + larger value of the private exponent than necessary. + + See cryptography.hazmat.primitives.asymmetric.rsa_recover_private_exponent + for the public-facing version of this function, which uses the + preferred Carmichael totient function. + """ + phi_n = (p - 1) * (q - 1) + return rsa._modinv(e, phi_n) + + def _check_rsa_private_numbers(skey): assert skey pkey = skey.public_numbers assert pkey assert pkey.e assert pkey.n - assert skey.d + + # Historically there have been two ways to calculate valid values of the + # private_exponent (d) given the public exponent (e): + # - using the Carmichael totient function (gives smaller and more + # computationally-efficient values, and is required by some standards) + # - using the Euler totient function (matching the original RSA paper) + # Allow for either here. + assert skey.d in ( + rsa.rsa_recover_private_exponent(pkey.e, skey.p, skey.q), + _rsa_recover_euler_private_exponent(pkey.e, skey.p, skey.q), + ) + assert skey.p * skey.q == pkey.n assert skey.dmp1 == rsa.rsa_crt_dmp1(skey.d, skey.p) assert skey.dmq1 == rsa.rsa_crt_dmq1(skey.d, skey.q) From 2b371f418b523369424dbd1de61900eb35cf90b1 Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Fri, 5 Jul 2024 17:54:12 -0500 Subject: [PATCH 0766/1462] add support for CipherContext.update_nonce (#10437) * add support for CipherContext.reset_nonce This only supports ChaCha20 and ciphers in CTR mode. * expand tests to reset to different nonces --- CHANGELOG.rst | 3 + .../primitives/symmetric-encryption.rst | 21 +++++++ .../hazmat/primitives/ciphers/base.py | 8 +++ src/rust/src/backend/ciphers.rs | 49 +++++++++++++++ tests/hazmat/primitives/test_aes.py | 61 ++++++++++++++++++- tests/hazmat/primitives/test_aes_gcm.py | 16 ++++- tests/hazmat/primitives/test_chacha20.py | 49 +++++++++++++++ 7 files changed, 205 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index ea4210277567..aae8c9fc305c 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -60,6 +60,9 @@ Changelog ``datetime`` objects. * Added :func:`~cryptography.hazmat.primitives.asymmetric.rsa.rsa_recover_private_exponent` +* Added :meth:`~cryptography.hazmat.primitives.ciphers.CipherContext.reset_nonce` + for altering the ``nonce`` of a cipher context without initializing a new + instance. See the docs for additional restrictions. .. _v42-0-8: diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index 6eb769bb23b1..dd32c913a7dd 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst 
@@ -693,6 +693,27 @@ Interfaces :meth:`update` and :meth:`finalize` will raise an :class:`~cryptography.exceptions.AlreadyFinalized` exception. + .. method:: reset_nonce(nonce) + + .. versionadded:: 43.0.0 + + This method allows changing the nonce for an already existing context. + Normally the nonce is set when the context is created and internally + incremented as data as passed. However, in some scenarios the same key + is used repeatedly but the nonce changes non-sequentially (e.g. ``QUIC``), + which requires updating the context with the new nonce. + + This method only works for contexts using + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20` or + :class:`~cryptography.hazmat.primitives.ciphers.modes.CTR` mode. + + :param nonce: The nonce to update the context with. + :type data: :term:`bytes-like` + :raises cryptography.exceptions.UnsupportedAlgorithm: If the + algorithm does not support updating the nonce. + :raises ValueError: If the nonce is not the correct length for the + algorithm. + .. class:: AEADCipherContext When calling ``encryptor`` or ``decryptor`` on a ``Cipher`` object diff --git a/src/cryptography/hazmat/primitives/ciphers/base.py b/src/cryptography/hazmat/primitives/ciphers/base.py index a9fa2bf07b9d..ebfa8052c8da 100644 --- a/src/cryptography/hazmat/primitives/ciphers/base.py +++ b/src/cryptography/hazmat/primitives/ciphers/base.py @@ -33,6 +33,14 @@ def finalize(self) -> bytes: Returns the results of processing the final block as bytes. """ + @abc.abstractmethod + def reset_nonce(self, nonce: bytes) -> None: + """ + Resets the nonce for the cipher context to the provided value. + Raises an exception if it does not support reset or if the + provided nonce does not have a valid length. + """ + class AEADCipherContext(CipherContext, metaclass=abc.ABCMeta): @abc.abstractmethod diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 83d222256fbd..14ac3d13c758 100644 
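Review bot: Declaring `reset_nonce` as an `@abc.abstractmethod` on `CipherContext` in the base.py hunk means any existing subclass outside this repository that does not define it can no longer be instantiated, which the changelog entry does not mention. If that break is intended it deserves a line in the backwards-incompatible notes; otherwise a concrete default that raises `UnsupportedAlgorithm` would keep old subclasses working. The docstring should also name the two exceptions the implementation raises, for example `Raises UnsupportedAlgorithm if the algorithm or mode does not support it, and ValueError if the nonce has the wrong length.`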
--- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs @@ -13,6 +13,8 @@ use pyo3::IntoPy; pub(crate) struct CipherContext { ctx: openssl::cipher_ctx::CipherCtx, py_mode: pyo3::PyObject, + py_algorithm: pyo3::PyObject, + side: openssl::symm::Mode, } impl CipherContext { @@ -113,9 +115,44 @@ impl CipherContext { Ok(CipherContext { ctx, py_mode: mode.into(), + py_algorithm: algorithm.into(), + side, }) } + fn reset_nonce(&mut self, py: pyo3::Python<'_>, nonce: CffiBuf<'_>) -> CryptographyResult<()> { + if !self + .py_mode + .bind(py) + .is_instance(&types::MODE_WITH_NONCE.get(py)?)? + && !self + .py_algorithm + .bind(py) + .is_instance(&types::CHACHA20.get(py)?)? + { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "This algorithm or mode does not support resetting the nonce.", + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )); + } + if nonce.as_bytes().len() != self.ctx.iv_length() { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err(format!( + "Nonce must be {} bytes long", + self.ctx.iv_length() + )), + )); + } + let init_op = match self.side { + openssl::symm::Mode::Encrypt => openssl::cipher_ctx::CipherCtxRef::encrypt_init, + openssl::symm::Mode::Decrypt => openssl::cipher_ctx::CipherCtxRef::decrypt_init, + }; + init_op(&mut self.ctx, None, None, Some(nonce.as_bytes()))?; + Ok(()) + } + fn update<'p>( &mut self, py: pyo3::Python<'p>, @@ -236,6 +273,10 @@ impl PyCipherContext { get_mut_ctx(self.ctx.as_mut())?.update(py, buf.as_bytes()) } + fn reset_nonce(&mut self, py: pyo3::Python<'_>, nonce: CffiBuf<'_>) -> CryptographyResult<()> { + get_mut_ctx(self.ctx.as_mut())?.reset_nonce(py, nonce) + } + fn update_into( &mut self, py: pyo3::Python<'_>, 
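Review bot: `CipherContext::reset_nonce` in the `@@ -113,9 +115,44 @@` hunk has no doc comment, although the contract it introduces is security-relevant. Re-running the init with only a new IV restarts the keystream, so resetting to a nonce already used under the same key reproduces the same keystream, which the added tests rely on. The function cannot detect reuse, so the caller's obligation should be stated above the signature, for example `/// Re-initialises the IV only; the caller must never reuse a (key, nonce) pair for different data.` The comment should also say that the length is checked against `self.ctx.iv_length()`, which for ChaCha20 presumably covers the counter as well as the nonce, so the block counter is reset too. The `impl CipherContext` block starts and ends outside the hunk.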
@@ -340,6 +381,10 @@ impl PyAEADEncryptionContext { })? .clone_ref(py)) } + + fn reset_nonce(&mut self, py: pyo3::Python<'_>, nonce: CffiBuf<'_>) -> CryptographyResult<()> { + get_mut_ctx(self.ctx.as_mut())?.reset_nonce(py, nonce) + } } #[pyo3::pymethods] @@ -468,6 +513,10 @@ impl PyAEADDecryptionContext { self.ctx = None; Ok(result) } + + fn reset_nonce(&mut self, py: pyo3::Python<'_>, nonce: CffiBuf<'_>) -> CryptographyResult<()> { + get_mut_ctx(self.ctx.as_mut())?.reset_nonce(py, nonce) + } } #[pyo3::pyfunction] diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py index 7b4b065cb2ce..64ec26687952 100644 --- a/tests/hazmat/primitives/test_aes.py +++ b/tests/hazmat/primitives/test_aes.py @@ -8,11 +8,12 @@ import pytest +from cryptography.exceptions import AlreadyFinalized, _Reasons from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives.ciphers import algorithms, base, modes from ...doubles import DummyMode -from ...utils import load_nist_vectors +from ...utils import load_nist_vectors, raises_unsupported_algorithm from .utils import _load_all_params, generate_encrypt_test 
@@ -305,3 +306,61 @@ def test_alternate_aes_classes(mode, alg_cls, backend): dec = cipher.decryptor() pt = dec.update(ct) + dec.finalize() assert pt == data + + +def test_reset_nonce(backend): + data = b"helloworld" * 10 + nonce = b"\x00" * 16 + nonce_alt = b"\xee" * 16 + cipher = base.Cipher( + algorithms.AES(b"\x00" * 16), + modes.CTR(nonce), + ) + cipher_alt = base.Cipher( + algorithms.AES(b"\x00" * 16), + modes.CTR(nonce_alt), + ) + enc = cipher.encryptor() + ct1 = enc.update(data) + assert len(ct1) == len(data) + for _ in range(2): + enc.reset_nonce(nonce) + assert enc.update(data) == ct1 + # Reset the nonce to a different value + # and check it matches with a different context + enc_alt = cipher_alt.encryptor() + ct2 = enc_alt.update(data) + enc.reset_nonce(nonce_alt) + assert enc.update(data) == ct2 + enc_alt.finalize() + enc.finalize() + with pytest.raises(AlreadyFinalized): + enc.reset_nonce(nonce) + dec = cipher.decryptor() + assert dec.update(ct1) == data + for _ in range(2): + dec.reset_nonce(nonce) + assert dec.update(ct1) == data + # Reset the nonce to a different value + # and check it matches with a different context + dec_alt = cipher_alt.decryptor() + dec.reset_nonce(nonce_alt) + assert dec.update(ct2) == dec_alt.update(ct2) + dec_alt.finalize() + dec.finalize() + with pytest.raises(AlreadyFinalized): + dec.reset_nonce(nonce) + + +def test_reset_nonce_invalid_mode(backend): + iv = b"\x00" * 16 + c = base.Cipher( + algorithms.AES(b"\x00" * 16), + modes.CBC(iv), + ) + enc = c.encryptor() + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): + enc.reset_nonce(iv) + dec = c.decryptor() + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): + dec.reset_nonce(iv) diff --git a/tests/hazmat/primitives/test_aes_gcm.py b/tests/hazmat/primitives/test_aes_gcm.py index 054327041358..30cf9ca07b36 100644 --- a/tests/hazmat/primitives/test_aes_gcm.py +++ b/tests/hazmat/primitives/test_aes_gcm.py 
@@ -8,10 +8,11 @@ import pytest +from cryptography.exceptions import _Reasons from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives.ciphers import algorithms, base, modes -from ...utils import load_nist_vectors +from ...utils import load_nist_vectors, raises_unsupported_algorithm from .utils import generate_aead_test @@ -230,3 +231,16 @@ def test_alternate_aes_classes(self, alg, backend): dec = cipher.decryptor() pt = dec.update(ct) + dec.finalize_with_tag(enc.tag) assert pt == data + + def test_reset_nonce_invalid_mode(self, backend): + nonce = b"\x00" * 12 + c = base.Cipher( + algorithms.AES(b"\x00" * 16), + modes.GCM(nonce), + ) + enc = c.encryptor() + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): + enc.reset_nonce(nonce) + dec = c.decryptor() + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): + dec.reset_nonce(nonce) diff --git a/tests/hazmat/primitives/test_chacha20.py b/tests/hazmat/primitives/test_chacha20.py index 7c52ad598d3c..3ade8b9e2eb1 100644 --- a/tests/hazmat/primitives/test_chacha20.py +++ b/tests/hazmat/primitives/test_chacha20.py @@ -9,6 +9,7 @@ import pytest +from cryptography.exceptions import AlreadyFinalized from cryptography.hazmat.primitives.ciphers import Cipher, algorithms from ...utils import load_nist_vectors 
@@ -90,3 +91,51 @@ def test_partial_blocks(self, backend): ct_partial_3 = enc_partial.update(pt[len_partial * 2 :]) assert ct_full == ct_partial_1 + ct_partial_2 + ct_partial_3 + + def test_reset_nonce(self, backend): + data = b"helloworld" * 10 + key = b"\x00" * 32 + nonce = b"\x00" * 16 + nonce_alt = b"\xee" * 16 + cipher = Cipher(algorithms.ChaCha20(key, nonce), None) + cipher_alt = Cipher(algorithms.ChaCha20(key, nonce_alt), None) + enc = cipher.encryptor() + ct1 = enc.update(data) + assert len(ct1) == len(data) + for _ in range(2): + enc.reset_nonce(nonce) + assert enc.update(data) == ct1 + # Reset the nonce to a different value + # and check it matches with a different context + enc_alt = cipher_alt.encryptor() + ct2 = enc_alt.update(data) + enc.reset_nonce(nonce_alt) + assert enc.update(data) == ct2 + enc_alt.finalize() + enc.finalize() + with pytest.raises(AlreadyFinalized): + enc.reset_nonce(nonce) + dec = cipher.decryptor() + assert dec.update(ct1) == data + for _ in range(2): + dec.reset_nonce(nonce) + assert dec.update(ct1) == data + # Reset the nonce to a different value + # and check it matches with a different context + dec_alt = cipher_alt.decryptor() + dec.reset_nonce(nonce_alt) + assert dec.update(ct2) == dec_alt.update(ct2) + dec_alt.finalize() + dec.finalize() + with pytest.raises(AlreadyFinalized): + dec.reset_nonce(nonce) + + def test_nonce_reset_invalid_length(self, backend): + key = b"\x00" * 32 + nonce = b"\x00" * 16 + cipher = Cipher(algorithms.ChaCha20(key, nonce), None) + enc = cipher.encryptor() + with pytest.raises(ValueError): + enc.reset_nonce(nonce[:-1]) + with pytest.raises(ValueError): + enc.reset_nonce(nonce + b"\x00") From 2c45811dab82df7d20c6f71c68758f30df0a02fb Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Fri, 5 Jul 2024 19:27:40 -0400 Subject: [PATCH 0767/1462] Enforce length for CommonName (#11201) fixes #10553 --- CHANGELOG.rst | 3 +++ src/cryptography/x509/name.py | 27 +++++++++++++++++---------- tests/x509/test_x509.py | 9 ++++++++- 3 files changed, 28 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index aae8c9fc305c..90af3bba7286 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -63,6 +63,9 @@ Changelog * Added :meth:`~cryptography.hazmat.primitives.ciphers.CipherContext.reset_nonce` for altering the ``nonce`` of a cipher context without initializing a new instance. See the docs for additional restrictions. +* :class:`~cryptography.x509.NameAttribute` now raises an exception when + attempting to create a common name whose length is shorter or longer than + :rfc:`5280` permits. .. _v42-0-8: diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py index 451338a3a930..1b6b89d12a97 100644 --- a/src/cryptography/x509/name.py +++ b/src/cryptography/x509/name.py @@ -59,6 +59,12 @@ class _ASN1Type(utils.Enum): } _NAME_TO_NAMEOID = {v: k for k, v in _NAMEOID_TO_NAME.items()} +_NAMEOID_LENGTH_LIMIT = { + NameOID.COUNTRY_NAME: (2, 2), + NameOID.JURISDICTION_COUNTRY_NAME: (2, 2), + NameOID.COMMON_NAME: (1, 64), +} + def _escape_dn_value(val: str | bytes) -> str: """Escape special characters in RFC4514 Distinguished Name value.""" 
@@ -132,19 +138,20 @@ def __init__( if not isinstance(value, str): raise TypeError("value argument must be a str") - if oid in (NameOID.COUNTRY_NAME, NameOID.JURISDICTION_COUNTRY_NAME): + length_limits = _NAMEOID_LENGTH_LIMIT.get(oid) + if length_limits is not None: + min_length, max_length = length_limits assert isinstance(value, str) c_len = len(value.encode("utf8")) - if c_len != 2 and _validate is True: - raise ValueError( - "Country name must be a 2 character country code" - ) - elif c_len != 2: - warnings.warn( - "Country names should be two characters, but the " - f"attribute is {c_len} characters in length.", - stacklevel=2, + if c_len < min_length or c_len > max_length: + msg = ( + f"Attribute's length must be >= {min_length} and " + f"<= {max_length}, but it was {c_len}" ) + if _validate is True: + raise ValueError(msg) + else: + warnings.warn(msg, stacklevel=2) # The appropriate ASN1 string type varies by OID and is defined across # multiple RFCs including 2459, 3280, and 5280. In general UTF8String diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 29e611d72901..a4368833ca3f 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -5809,7 +5809,7 @@ def test_init_none_value(self): None, # type:ignore[arg-type] ) - def test_init_bad_country_code_value(self): + def test_init_bad_length(self): with pytest.raises(ValueError): x509.NameAttribute(NameOID.COUNTRY_NAME, "United States") @@ -5817,6 +5817,13 @@ def test_init_bad_country_code_value(self): with pytest.raises(ValueError): x509.NameAttribute(NameOID.COUNTRY_NAME, "\U0001f37a\U0001f37a") + with pytest.raises(ValueError): + x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, "Too Long") + with pytest.raises(ValueError): + x509.NameAttribute(NameOID.COMMON_NAME, "Too Long" * 10) + with pytest.raises(ValueError): + x509.NameAttribute(NameOID.COMMON_NAME, "") + def test_invalid_type(self): with pytest.raises(TypeError): x509.NameAttribute( 
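Review bot: The bounds check in the name.py hunk compares `c_len = len(value.encode("utf8"))`, a byte count, against `_NAMEOID_LENGTH_LIMIT`, so the `(1, 64)` limit for `NameOID.COMMON_NAME` is enforced in UTF-8 octets. As I read RFC 5280, its string upper bounds are expressed in characters, so a common name of 64 or fewer non-ASCII characters can be rejected (or warned about) even though it is within the bound. If the byte limit is intended, the message should say so, e.g. `f"Attribute's length in UTF-8 bytes must be >= {min_length} and "`; otherwise the common name should be measured with `len(value)`, leaving the country-code OIDs on the byte count their existing tests depend on. Either way a test with a multi-byte common name would pin the behaviour; `__init__` begins and ends outside the hunk.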
From 5039dba01ca2bda98d70ed79f657b1621da3cff1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 5 Jul 2024 17:30:58 -0700 Subject: [PATCH 0768/1462] Bump BoringSSL and/or OpenSSL in CI (#11202) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 51398eebb299..3f3e93088ff7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 04, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7c2b62e93487b772990fddc1905f22d4cfaee4a4"}} - # Latest commit on the OpenSSL master branch, as of Jul 05, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "59c415a45f47cb34147427e46c78d945919b1da2"}} + # Latest commit on the OpenSSL master branch, as of Jul 06, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "29696af689df734cae05181d85ee04470c3839d3"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From fe5b0240b887b4ef1bf8f01f0cb1c4d452ab5625 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Jul 2024 12:26:37 -0400 Subject: [PATCH 0769/1462] Special case nox -e local for maturin (#11203) This is way faster. --- noxfile.py | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/noxfile.py b/noxfile.py index c254b5e3685e..03f7b0d8aefe 100644 --- a/noxfile.py +++ b/noxfile.py 
@@ -294,14 +294,11 @@ def local(session): "noxfile.py", ) - install( - session, - # Needed until https://github.com/astral-sh/uv/issues/2152 is fixed - "--reinstall-package", - "cryptography", - "--refresh-package", - "cryptography", - ".", + session.run( + "maturin", + "develop", + "--release", + "--uv", ) if session.posargs: From cf14d750644d604f1e0fd3c6387870d29e86e0e7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Jul 2024 03:07:36 +0000 Subject: [PATCH 0770/1462] Bump syn from 2.0.68 to 2.0.69 in /src/rust (#11206) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.68 to 2.0.69. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.68...2.0.69) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index acbfb1764207..59f0c3fa2840 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -325,9 +325,9 @@ checksum = "d369a96f978623eb3dc28807c4852d6cc617fed53da5d3c400feff1ef34a714a" [[package]] name = "syn" -version = "2.0.68" +version = "2.0.69" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "901fa70d88b9d6c98022e23b4136f9f3e54e4662c3bc1bd1d84a42a9a0f0c1e9" +checksum = "201fcda3845c23e8212cd466bfebf0bd20694490fc0356ae8e428e0824a915a6" dependencies = [ "proc-macro2", "quote", From e1d50a27e0a9296128f82de77cca0076389e284a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 6 Jul 2024 23:08:36 -0400 Subject: [PATCH 0771/1462] Bump actions/download-artifact from 4.1.7 to 4.1.8 (#11204) Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.1.7 to 4.1.8. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/65a9edc5881444af0b9093a5e628f2fe47ea3b2e...fa0a91b85d4f404e444e00e005971372dc801d16) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- .github/workflows/wheel-builder.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3f3e93088ff7..577afae9cdef 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -431,7 +431,7 @@ jobs: if: ${{ always() }} - name: Download coverage data if: ${{ always() }} - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: pattern: coverage-data-* merge-multiple: true diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 7ef8930fdfc5..38540f1edf02 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -120,7 +120,7 @@ jobs: - name: Install Python dependencies run: .venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} - - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: cryptography-sdist - run: mkdir tmpwheelhouse 
@@ -240,7 +240,7 @@ jobs: - name: Install Python dependencies run: venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} - - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: cryptography-sdist - run: mkdir wheelhouse @@ -308,7 +308,7 @@ jobs: ${{ env.BUILD_REQUIREMENTS_PATH }} sparse-checkout-cone-mode: false - - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: cryptography-sdist From 6e44c1ae31c93fc0f70e7de97d457762a6ce0679 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Jul 2024 03:09:59 +0000 Subject: [PATCH 0772/1462] Bump ruff from 0.5.0 to 0.5.1 (#11207) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.5.0 to 0.5.1. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.5.0...0.5.1) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 5c2f1a63fa97..d801a0a3ee80 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.5.0 +ruff==0.5.1 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 1e99364f8bdfc79c796a0a8bdefae814fa281e9c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 6 Jul 2024 23:11:41 -0400 Subject: [PATCH 0773/1462] Bump actions/upload-artifact from 4.3.3 to 4.3.4 (#11205) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.3 to 4.3.4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/65462800fd760344b1a7b4382951275a0abb4808...0b2256b8c012f0828dc542b3febcab082c67f72b) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/wheel-builder.yml | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 577afae9cdef..3dcc30758ddc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -474,14 +474,14 @@ jobs: run: python -m coverage html if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload HTML report. - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: _html-report path: htmlcov if-no-files-found: ignore if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload rust HTML report. - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: _html-rust-report path: rust-coverage diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 38540f1edf02..4366432495ce 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml 
@@ -40,11 +40,11 @@ jobs: run: .venv/bin/python -m build --sdist - name: Make sdist and wheel (vectors) run: cd vectors/ && ../.venv/bin/python -m build - - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: "cryptography-sdist" path: dist/cryptography* - - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: "vectors-sdist-wheel" path: vectors/dist/cryptography* @@ -153,7 +153,7 @@ jobs: .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - run: mkdir cryptography-wheelhouse - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: cryptography-wheelhouse/ @@ -271,7 +271,7 @@ jobs: - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - run: | echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls cryptography-wheelhouse/cryptography*.whl))" >> $GITHUB_ENV - - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}" path: cryptography-wheelhouse/ 
@@ -353,7 +353,7 @@ jobs: - run: mkdir cryptography-wheelhouse - run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\ - - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: cryptography-wheelhouse\ From 84a016833e2e1cc1159b7e5c63ee3eb64c614513 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 6 Jul 2024 23:24:10 -0400 Subject: [PATCH 0774/1462] Bump maturin from 1.5.0 to 1.7.0 in /.github/requirements (#11208) Bumps [maturin](https://github.com/pyo3/maturin) from 1.5.0 to 1.7.0. - [Release notes](https://github.com/pyo3/maturin/releases) - [Changelog](https://github.com/PyO3/maturin/blob/main/Changelog.md) - [Commits](https://github.com/pyo3/maturin/compare/v1.5.0...v1.7.0) --- updated-dependencies: - dependency-name: maturin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 31 ++++++++++----------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 8728b8600471..9371021df44b 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt 
@@ -58,20 +58,20 @@ cffi==1.16.0 ; platform_python_implementation != "PyPy" \ --hash=sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956 \ --hash=sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357 # via -r build-requirements.in -maturin==1.5.0 \ - --hash=sha256:0b976116b7cfaafbc8c3f0acfaec6702520c49e86e48ea80e2c282b7f8118c1a \ - --hash=sha256:1b29bf8771f27d2e6b2685c82de952b5732ee79e5c0030ffd5dab5ccb99137a1 \ - --hash=sha256:2e4c01370a5c10b6c4887bee66d3582bdb38c3805168c1393f072bd266da08d4 \ - --hash=sha256:76e3270ff87b5484976d23e3d88475cd64acf41b54f561263f253d8fca0baab3 \ - --hash=sha256:9cba3737cb92ce5c1bd82cbb9b1fde412b2aac8882ac38b8340980f5eb858d8c \ - --hash=sha256:a5c038ded82c7595d99e94a208aa8af2b5c94eef4c8fcf5ef6e841957e506201 \ - --hash=sha256:b3a499ff5960e46115488e68011809ce99857864ce3a91cf5d0fff3adbd89e8c \ - --hash=sha256:d277adf9b27143627ba7be7ea254513d3e85008fb16a94638b56884a41b4e5a2 \ - --hash=sha256:d6a314472e07b6bdfa4cdf97d24cda1defe008d36d4b75de2efd3383e7a2d7bf \ - --hash=sha256:e046ea2aed687991d58c42f6276dfcc0c037092934654f538b5877fd57dd3a9c \ - --hash=sha256:eb35dfe5994ad2c34d2874a73720847ecc2adb28f934e9a7cbcdb8826b240e60 \ - --hash=sha256:f271f315fb78d2ff5fdf60f8d3ada2a04a66ac6fbd3cbb318c4eb4e9766449bc \ - --hash=sha256:faa0d099a8045afc9977284cb3a1c26e5ebc9a7f0fe4d53b7ee17f62fd279f4a +maturin==1.7.0 \ + --hash=sha256:0af4f2a4cfb99206d414dec138dd3aac3f506eb8928b7e38dfac570461b393d6 \ + --hash=sha256:15fe7920391a128897714f6ed38ebbc771150410b795a55cefca73f089d5aecb \ + --hash=sha256:1ba5277dd7832dc6181d69a005182b97b3520945825058484ffd9296f2efb59c \ + --hash=sha256:1f521ebe0344db8260df0d12779aefc06c1f763cd654151cf4a238fe14f65dc1 \ + --hash=sha256:29187d5c3e1e166c14eaadc63a8adc25b6bbb3e5b055d1bc87f6ca92b4b6e331 \ + --hash=sha256:2bd8227e020a9308c076253f29224c53b08b2a4ed41fcd94b4eb9349684fcfe7 \ + --hash=sha256:6fd312c56846d3cafa7c45e362d96b526170e79b9adb5b8ea02a10c88906069c \ + 
--hash=sha256:7460122333971b2492154c102d2981ae337ae0486dde7f4df7e645d724de59a5 \ + --hash=sha256:7c05226547778f31b73d48a19d11f57792bcc44f4047b84c73ea66cae2e62473 \ + --hash=sha256:87a1fae70f1a6ad694832c735abf9f010edc4971c5cf89d2e7a54651a1a3792a \ + --hash=sha256:928b82ceba924b1642c53f6684271e814b5ce5049cb4d35ff36bed078837eb83 \ + --hash=sha256:c1ae0b4162fb1152aea83098bf1b66a7bf6dd73fd1b108e6c4e22160118a997c \ + --hash=sha256:e9cd5b992b6c131c5f47c85e7bc266bf5bf94f29720856678431ce6c91b726df # via -r build-requirements.in pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ @@ -86,5 +86,4 @@ tomli==2.0.1 \ setuptools==70.2.0 \ --hash=sha256:b8b8060bb426838fbe942479c90296ce976249451118ef566a5a0b7d8b78fb05 \ --hash=sha256:bd63e505105011b25c3c11f753f7e3b8465ea739efddaccef8f0efac2137bac1 - # via - # -r build-requirements.in + # via -r build-requirements.in From 6e1df4dff53b9d5e5f14e967db433ae1faa5504d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Jul 2024 12:04:44 +0000 Subject: [PATCH 0775/1462] Bump actions/upload-artifact in /.github/actions/upload-coverage (#11209) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.3 to 4.3.4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/65462800fd760344b1a7b4382951275a0abb4808...0b2256b8c012f0828dc542b3febcab082c67f72b) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/upload-coverage/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index 227cac821f33..196487d65970 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,7 +13,7 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }} path: | From 80750e24fca0946c10dc36374158040a55804c24 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Jul 2024 12:06:48 +0000 Subject: [PATCH 0776/1462] Bump pyo3 from 0.22.0 to 0.22.1 in /src/rust (#11210) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.22.0 to 0.22.1. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/main/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.22.0...v0.22.1) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 20 ++++++++++---------- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-keepalive/Cargo.toml | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 59f0c3fa2840..3da49cb21f16 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -247,9 +247,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.22.0" +version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1962a33ed2a201c637fc14a4e0fd4e06e6edfdeee6a5fede0dab55507ad74cf7" +checksum = "4e99090d12f6182924499253aaa1e73bf15c69cea8d2774c3c781e35badc3548" dependencies = [ "cfg-if", "indoc", @@ -265,9 +265,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.22.0" +version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab7164b2202753bd33afc7f90a10355a719aa973d1f94502c50d06f3488bc420" +checksum = "7879eb018ac754bba32cb0eec7526391c02c14a093121857ed09fbf1d1057d41" dependencies = [ "once_cell", "target-lexicon", @@ -275,9 +275,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.22.0" +version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c6424906ca49013c0829c5c1ed405e20e2da2dc78b82d198564880a704e6a7b7" +checksum = "ce2baa5559a411fc1cf519295f24c34b53d5d725818bc96b5abf94762da09041" dependencies = [ "libc", "pyo3-build-config", @@ -285,9 +285,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.22.0" +version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "82b2f19e153122d64afd8ce7aaa72f06a00f52e34e1d1e74b6d71baea396460a" +checksum = "049621c20a23f2def20f4fe67978d1da8d8a883d64b9c21362f3b776e254edc7" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -297,9 +297,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.22.0" +version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dd698c04cac17cf0fe63d47790ab311b8b25542f5cb976b65c374035c50f1eef" +checksum = "0e969ee2e025435f1819d31a275ba4bb9cbbdf3ac535227fdbd85b9322ffe144" dependencies = [ "heck", "proc-macro2", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 49c0b73dd100..fc0ab7e11edf 100644 
--- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -17,7 +17,7 @@ rust-version.workspace = true [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.22.0", features = ["abi3"] } +pyo3 = { version = "0.22.1", features = ["abi3"] } asn1 = { version = "0.16.2", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 414236180a65..4aa01a438897 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -7,7 +7,7 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.0", features = ["abi3"] } +pyo3 = { version = "0.22.1", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml index 9c5e92c8e683..d2f503bbf209 100644 --- a/src/rust/cryptography-keepalive/Cargo.toml +++ b/src/rust/cryptography-keepalive/Cargo.toml @@ -7,4 +7,4 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.0", features = ["abi3"] } +pyo3 = { version = "0.22.1", features = ["abi3"] } From 82aed4a6cfb23f50cc2c36f2ebc54c65826b5e51 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Jul 2024 12:07:10 +0000 Subject: [PATCH 0777/1462] Bump nh3 from 0.2.17 to 0.2.18 (#11211) Bumps [nh3](https://github.com/messense/nh3) from 0.2.17 to 0.2.18. - [Release notes](https://github.com/messense/nh3/releases) - [Commits](https://github.com/messense/nh3/compare/v0.2.17...v0.2.18) --- updated-dependencies: - dependency-name: nh3 dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d801a0a3ee80..faee77b4d774 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -56,7 +56,7 @@ mypy==1.10.1 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy -nh3==0.2.17 +nh3==0.2.18 # via readme-renderer nox==2024.4.15 # via cryptography (pyproject.toml) From 7c4a2e13bd8475b127e16e2b66f195cca986a386 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 7 Jul 2024 08:53:46 -0400 Subject: [PATCH 0778/1462] Remove typechecking that pyo3 does automatically (#11212) --- .../hazmat/primitives/serialization/pkcs12.py | 16 ---------------- tests/hazmat/primitives/test_pkcs12.py | 6 ++++-- 2 files changed, 4 insertions(+), 18 deletions(-) diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index a104986bf9ec..549e1f992d39 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py @@ -139,22 +139,6 @@ def serialize_key_and_certificates( "Key must be RSA, DSA, EllipticCurve, ED25519, or ED448" " private key, or None." ) - if cert is not None and not isinstance(cert, x509.Certificate): - raise TypeError("cert must be a certificate or None") - - if cas is not None: - cas = list(cas) - if not all( - isinstance( - val, - ( - x509.Certificate, - PKCS12Certificate, - ), - ) - for val in cas - ): - raise TypeError("all values in cas must be certificates") if not isinstance( encryption_algorithm, serialization.KeySerializationEncryption diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 67a68152eb8f..d0645d9e9941 100644 
--- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -470,7 +470,7 @@ def test_generate_wrong_types(self, backend): ) with pytest.raises(TypeError) as exc: serialize_key_and_certificates(b"name", key, key, None, encryption) - assert str(exc.value) == "cert must be a certificate or None" + assert "object cannot be converted to 'Certificate'" in str(exc.value) with pytest.raises(TypeError) as exc: serialize_key_and_certificates(b"name", key, cert, None, key) @@ -484,7 +484,9 @@ def test_generate_wrong_types(self, backend): with pytest.raises(TypeError) as exc: serialize_key_and_certificates(None, key, cert, [key], encryption) - assert str(exc.value) == "all values in cas must be certificates" + assert "failed to extract enum CertificateOrPKCS12Certificate" in str( + exc.value + ) def test_generate_no_cert(self, backend): _, key = _load_ca(backend) From 5acef953c11313500c030c575e51993e9efd518b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 7 Jul 2024 10:46:25 -0400 Subject: [PATCH 0779/1462] Make type signatures more explicit in internals (#11213) --- .../hazmat/primitives/serialization/ssh.py | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py index 321519f3e596..c01afb0ccdc9 100644 --- a/src/cryptography/hazmat/primitives/serialization/ssh.py +++ b/src/cryptography/hazmat/primitives/serialization/ssh.py @@ -311,7 +311,9 @@ class _SSHFormatRSA: mpint n, e, d, iqmp, p, q """ - def get_public(self, data: memoryview): + def get_public( + self, data: memoryview + ) -> tuple[tuple[int, int], memoryview]: """RSA public fields""" e, data = _get_mpint(data) n, data = _get_mpint(data) 
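Review bot: The two rewritten assertions in `test_generate_wrong_types` match text produced by pyo3's argument extraction (`"object cannot be converted to 'Certificate'"` and `"failed to extract enum CertificateOrPKCS12Certificate"`), so the test now depends on pyo3's wording and on the name of an internal Rust enum. The property worth pinning is that non-certificate input is still rejected with `TypeError` now that the Python-side checks are removed, and `pytest.raises(TypeError)` already covers that. I would drop the message assertions, or keep them with a comment such as `# message is generated by pyo3 and may change between pyo3 releases`. The test method starts and ends outside these hunks.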
@@ -458,7 +460,9 @@ def __init__(self, ssh_curve_name: bytes, curve: ec.EllipticCurve): self.ssh_curve_name = ssh_curve_name self.curve = curve - def get_public(self, data: memoryview) -> tuple[tuple, memoryview]: + def get_public( + self, data: memoryview + ) -> tuple[tuple[memoryview, memoryview], memoryview]: """ECDSA public fields""" curve, data = _get_sshstr(data) point, data = _get_sshstr(data) @@ -521,7 +525,9 @@ class _SSHFormatEd25519: bytes secret_and_point """ - def get_public(self, data: memoryview) -> tuple[tuple, memoryview]: + def get_public( + self, data: memoryview + ) -> tuple[tuple[memoryview], memoryview]: """Ed25519 public fields""" point, data = _get_sshstr(data) return (point,), data From e8af858bcab19f34fa48b4f267fe2243fe8c099b Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sun, 7 Jul 2024 15:22:19 -0400 Subject: [PATCH 0780/1462] verification: remove an error variant (#11214) * verification: remove an error variant * lib: fix tests * lib: remove tests mod entirely Now redundant. * lib: re-add tests noxfile: mark vectors as an editable install * extensions: remove Debug impl ...requires an `ok()` in verify. --- noxfile.py | 1 + .../cryptography-x509-verification/src/lib.rs | 22 +++++++++---------- src/rust/cryptography-x509/src/extensions.rs | 1 - src/rust/src/x509/verify.rs | 1 + 4 files changed, 12 insertions(+), 13 deletions(-) diff --git a/noxfile.py b/noxfile.py index 03f7b0d8aefe..91fcb8710eb3 100644 --- a/noxfile.py +++ b/noxfile.py @@ -265,6 +265,7 @@ def local(session): *test_dependencies, *pyproject_data["project"]["optional-dependencies"]["ssh"], *pyproject_data["project"]["optional-dependencies"]["nox"], + "-e", "./vectors/", verbose=False, ) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index d21827ce9695..5ae8ef90fe12 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs 
@@ -36,7 +36,6 @@ use crate::ApplyNameConstraintStatus::{Applied, Skipped}; pub enum ValidationError { CandidatesExhausted(Box), Malformed(asn1::ParseError), - DuplicateExtension(DuplicateExtensionsError), ExtensionError { oid: ObjectIdentifier, reason: &'static str, @@ -53,7 +52,10 @@ impl From for ValidationError { impl From for ValidationError { fn from(value: DuplicateExtensionsError) -> Self { - Self::DuplicateExtension(value) + Self::ExtensionError { + oid: value.0, + reason: "duplicate extension", + } } } @@ -64,9 +66,6 @@ impl Display for ValidationError { write!(f, "candidates exhausted: {inner}") } ValidationError::Malformed(err) => err.fmt(f), - ValidationError::DuplicateExtension(DuplicateExtensionsError(oid)) => { - write!(f, "malformed certificate: duplicate extension: {oid}") - } ValidationError::ExtensionError { oid, reason } => { write!(f, "invalid extension: {oid}: {reason}") } @@ -441,9 +440,7 @@ impl<'a, 'chain: 'a, B: CryptoOps> ChainBuilder<'a, 'chain, B> { #[cfg(test)] mod tests { use asn1::ParseError; - use cryptography_x509::{ - extensions::DuplicateExtensionsError, oid::SUBJECT_ALTERNATIVE_NAME_OID, - }; + use cryptography_x509::oid::SUBJECT_ALTERNATIVE_NAME_OID; use crate::ValidationError; @@ -452,12 +449,13 @@ mod tests { let err = ValidationError::Malformed(ParseError::new(asn1::ParseErrorKind::InvalidLength)); assert_eq!(err.to_string(), "ASN.1 parsing error: invalid length"); - let err = ValidationError::DuplicateExtension(DuplicateExtensionsError( - SUBJECT_ALTERNATIVE_NAME_OID, - )); + let err = ValidationError::ExtensionError { + oid: SUBJECT_ALTERNATIVE_NAME_OID, + reason: "duplicate extension", + }; assert_eq!( err.to_string(), - "malformed certificate: duplicate extension: 2.5.29.17" + "invalid extension: 2.5.29.17: duplicate extension" ); let err = ValidationError::FatalError("oops"); diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index f674b965144c..51df9fb0646b 100644 
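Review bot: The `From<DuplicateExtensionsError>` impl in the `@@ -53,7 +52,10 @@` hunk now reports a duplicated extension as `ExtensionError` with the fixed reason `"duplicate extension"`, so callers can tell this case apart only by the reason string and no longer by variant. That is enough to reject the certificate, but the mapping deserves a comment on the impl, for example `// A duplicated extension is reported as an ExtensionError on the duplicated OID.` The rendered message changes as well, as the updated test in the last hunk of this file shows, which matters to anything that matches on the error text.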
--- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -8,7 +8,6 @@ use crate::common; use crate::crl; use crate::name; -#[derive(Debug)] pub struct DuplicateExtensionsError(pub asn1::ObjectIdentifier); pub type RawExtensions<'a> = common::Asn1ReadableOrWritable< diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 0b3a83552a06..52f179b871c5 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -295,6 +295,7 @@ impl PyClientVerifier { let leaf_san = &chain[0] .certificate() .extensions() + .ok() .unwrap() .get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) .unwrap(); From ccab692da0cdbfb94bfb05f280a653262cbe8fe9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jul 2024 07:03:35 -0400 Subject: [PATCH 0781/1462] Bump cc from 1.0.104 to 1.0.105 in /src/rust (#11215) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.104 to 1.0.105. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.0.104...cc-v1.0.105) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 3da49cb21f16..e67735a85f16 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
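Review bot: The `unwrap()` calls around the added `.ok()` in `PyClientVerifier` state no invariant, and the `.ok()` discards the `DuplicateExtensionsError`, so a failure here would panic without naming the duplicated OID. Presumably the chain has already passed validation at this point and neither call can fail, but the hunk does not show that. I would say so in the code, for example `.ok().expect("leaf extensions were parsed during chain validation")`, and give the `unwrap()` on the `get_extension` result a message or comment as well. The enclosing method starts and ends outside the hunk.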
@@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.0.104" +version = "1.0.105" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "74b6a57f98764a267ff415d50a25e6e166f3831a5071af4995296ea97d210490" +checksum = "5208975e568d83b6b05cc0a063c8e7e9acc2b43bee6da15616a5b73e109d7437" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 4aa01a438897..ffdf71df0d73 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.1", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.104" +cc = "1.0.105" From 48df2eb8092dc5b51088ae53ab9c2d7a14c9f251 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jul 2024 07:04:02 -0400 Subject: [PATCH 0782/1462] Bump nh3 from 0.2.17 to 0.2.18 in /.github/requirements (#11216) Bumps [nh3](https://github.com/messense/nh3) from 0.2.17 to 0.2.18. - [Release notes](https://github.com/messense/nh3/releases) - [Commits](https://github.com/messense/nh3/compare/v0.2.17...v0.2.18) --- updated-dependencies: - dependency-name: nh3 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index ae5b3ff3c2b4..3b6ecfbc46cd 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -242,23 +242,23 @@ more-itertools==10.3.0 \ # via # jaraco-classes # jaraco-functools -nh3==0.2.17 \ - --hash=sha256:0316c25b76289cf23be6b66c77d3608a4fdf537b35426280032f432f14291b9a \ - --hash=sha256:1a814dd7bba1cb0aba5bcb9bebcc88fd801b63e21e2450ae6c52d3b3336bc911 \ - --hash=sha256:1aa52a7def528297f256de0844e8dd680ee279e79583c76d6fa73a978186ddfb \ - --hash=sha256:22c26e20acbb253a5bdd33d432a326d18508a910e4dcf9a3316179860d53345a \ - --hash=sha256:40015514022af31975c0b3bca4014634fa13cb5dc4dbcbc00570acc781316dcc \ - --hash=sha256:40d0741a19c3d645e54efba71cb0d8c475b59135c1e3c580f879ad5514cbf028 \ - --hash=sha256:551672fd71d06cd828e282abdb810d1be24e1abb7ae2543a8fa36a71c1006fe9 \ - --hash=sha256:66f17d78826096291bd264f260213d2b3905e3c7fae6dfc5337d49429f1dc9f3 \ - --hash=sha256:85cdbcca8ef10733bd31f931956f7fbb85145a4d11ab9e6742bbf44d88b7e351 \ - --hash=sha256:a3f55fabe29164ba6026b5ad5c3151c314d136fd67415a17660b4aaddacf1b10 \ - --hash=sha256:b4427ef0d2dfdec10b641ed0bdaf17957eb625b2ec0ea9329b3d28806c153d71 \ - --hash=sha256:ba73a2f8d3a1b966e9cdba7b211779ad8a2561d2dba9674b8a19ed817923f65f \ - --hash=sha256:c21bac1a7245cbd88c0b0e4a420221b7bfa838a2814ee5bb924e9c2f10a1120b \ - --hash=sha256:c551eb2a3876e8ff2ac63dff1585236ed5dfec5ffd82216a7a174f7c5082a78a \ - --hash=sha256:c790769152308421283679a142dbdb3d1c46c79c823008ecea8e8141db1a2062 \ - --hash=sha256:d7a25fd8c86657f5d9d576268e3b3767c5cd4f42867c9383618be8517f0f022a +nh3==0.2.18 \ + --hash=sha256:0411beb0589eacb6734f28d5497ca2ed379eafab8ad8c84b31bb5c34072b7164 \ + --hash=sha256:14c5a72e9fe82aea5fe3072116ad4661af5cf8e8ff8fc5ad3450f123e4925e86 \ + --hash=sha256:19aaba96e0f795bd0a6c56291495ff59364f4300d4a39b29a0abc9cb3774a84b \ + --hash=sha256:34c03fa78e328c691f982b7c03d4423bdfd7da69cd707fe572f544cf74ac23ad \ + --hash=sha256:36c95d4b70530b320b365659bb5034341316e6a9b30f0b25fa9c9eff4c27a204 \ + --hash=sha256:3a157ab149e591bb638a55c8c6bcb8cdb559c8b12c13a8affaba6cedfe51713a \ + 
--hash=sha256:42c64511469005058cd17cc1537578eac40ae9f7200bedcfd1fc1a05f4f8c200 \ + --hash=sha256:5f36b271dae35c465ef5e9090e1fdaba4a60a56f0bb0ba03e0932a66f28b9189 \ + --hash=sha256:6955369e4d9f48f41e3f238a9e60f9410645db7e07435e62c6a9ea6135a4907f \ + --hash=sha256:7b7c2a3c9eb1a827d42539aa64091640bd275b81e097cd1d8d82ef91ffa2e811 \ + --hash=sha256:8ce0f819d2f1933953fca255db2471ad58184a60508f03e6285e5114b6254844 \ + --hash=sha256:94a166927e53972a9698af9542ace4e38b9de50c34352b962f4d9a7d4c927af4 \ + --hash=sha256:a7f1b5b2c15866f2db413a3649a8fe4fd7b428ae58be2c0f6bca5eefd53ca2be \ + --hash=sha256:c8b3a1cebcba9b3669ed1a84cc65bf005728d2f0bc1ed2a6594a992e817f3a50 \ + --hash=sha256:de3ceed6e661954871d6cd78b410213bdcb136f79aafe22aa7182e028b8c7307 \ + --hash=sha256:f0eca9ca8628dbb4e916ae2491d72957fdd35f7a5d326b7032a345f111ac07fe # via readme-renderer pkginfo==1.10.0 \ --hash=sha256:5df73835398d10db79f8eecd5cd86b1f6d29317589ea70796994d49399af6297 \ From 204cba13369e280cf8a89063b8b1a5cf664d8d5c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 9 Jul 2024 00:16:23 +0000 Subject: [PATCH 0783/1462] Bump BoringSSL and/or OpenSSL in CI (#11219) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3dcc30758ddc..bc8efebe79e8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 04, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7c2b62e93487b772990fddc1905f22d4cfaee4a4"}} - # Latest commit on the OpenSSL master branch, as of Jul 06, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "29696af689df734cae05181d85ee04470c3839d3"}} + # Latest commit on the OpenSSL master branch, as of Jul 09, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c215d75f94fcaa598817e739221f33b71b53fb39"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 1d3f7adc5d9f23167ea15a6660fd487f1b90426f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 8 Jul 2024 20:22:54 -0400 Subject: [PATCH 0784/1462] Begin migrating to declarative modules (#11159) Refs #11158 --- src/rust/src/lib.rs | 164 +++++++++++++++++++++++--------------------- 1 file changed, 87 insertions(+), 77 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index bed02d09e235..eb27632328c5 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -9,7 +9,6 @@ use crate::error::CryptographyResult; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use openssl::provider; -use pyo3::types::PyModuleMethods; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use std::env; 
@@ -92,87 +91,98 @@ fn enable_fips(providers: &mut LoadedProviders) -> CryptographyResult<()> { } #[pyo3::pymodule] -fn _rust(py: pyo3::Python<'_>, m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - m.add_function(pyo3::wrap_pyfunction_bound!( - padding::check_pkcs7_padding, - m - )?)?; - m.add_function(pyo3::wrap_pyfunction_bound!( - padding::check_ansix923_padding, - m - )?)?; - m.add_class::()?; - m.add_class::()?; - - m.add_submodule(&asn1::create_submodule(py)?)?; - m.add_submodule(&pkcs7::create_submodule(py)?)?; - m.add_submodule(&pkcs12::create_submodule(py)?)?; - m.add_submodule(&exceptions::create_submodule(py)?)?; - - let x509_mod = pyo3::types::PyModule::new_bound(py, "x509")?; - crate::x509::certificate::add_to_module(&x509_mod)?; - crate::x509::common::add_to_module(&x509_mod)?; - crate::x509::crl::add_to_module(&x509_mod)?; - crate::x509::csr::add_to_module(&x509_mod)?; - crate::x509::sct::add_to_module(&x509_mod)?; - crate::x509::verify::add_to_module(&x509_mod)?; - m.add_submodule(&x509_mod)?; - - let ocsp_mod = pyo3::types::PyModule::new_bound(py, "ocsp")?; - crate::x509::ocsp_req::add_to_module(&ocsp_mod)?; - crate::x509::ocsp_resp::add_to_module(&ocsp_mod)?; - m.add_submodule(&ocsp_mod)?; - - m.add_submodule(&cryptography_cffi::create_module(py)?)?; - - let openssl_mod = pyo3::types::PyModule::new_bound(py, "openssl")?; - openssl_mod.add( - "CRYPTOGRAPHY_OPENSSL_300_OR_GREATER", - cfg!(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), - )?; - openssl_mod.add( - "CRYPTOGRAPHY_OPENSSL_320_OR_GREATER", - cfg!(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER), - )?; - - openssl_mod.add("CRYPTOGRAPHY_IS_LIBRESSL", cfg!(CRYPTOGRAPHY_IS_LIBRESSL))?; - openssl_mod.add("CRYPTOGRAPHY_IS_BORINGSSL", cfg!(CRYPTOGRAPHY_IS_BORINGSSL))?; - - cfg_if::cfg_if! 
{ - if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { - let providers = _initialize_providers()?; - if providers.legacy.is_some() { - openssl_mod.add("_legacy_provider_loaded", true)?; - } else { - openssl_mod.add("_legacy_provider_loaded", false)?; +mod _rust { + use pyo3::types::PyModuleMethods; + + #[pymodule_export] + use crate::oid::ObjectIdentifier; + #[pymodule_export] + use crate::padding::{check_ansix923_padding, check_pkcs7_padding, PKCS7PaddingContext}; + + #[pyo3::pymodule] + mod x509 { + #[pymodule_init] + fn init(x509_mod: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + crate::x509::certificate::add_to_module(x509_mod)?; + crate::x509::common::add_to_module(x509_mod)?; + crate::x509::crl::add_to_module(x509_mod)?; + crate::x509::csr::add_to_module(x509_mod)?; + crate::x509::sct::add_to_module(x509_mod)?; + crate::x509::verify::add_to_module(x509_mod)?; + + Ok(()) + } + } + + #[pyo3::pymodule] + mod ocsp { + #[pymodule_init] + fn init(ocsp_mod: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + crate::x509::ocsp_req::add_to_module(ocsp_mod)?; + crate::x509::ocsp_resp::add_to_module(ocsp_mod)?; + + Ok(()) + } + } + + #[pyo3::pymodule] + mod openssl { + use pyo3::prelude::PyModuleMethods; + + #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] + #[pymodule_export] + use super::super::enable_fips; + #[pymodule_export] + use super::super::{is_fips_enabled, openssl_version, openssl_version_text}; + #[pymodule_export] + use crate::error::{capture_error_stack, raise_openssl_error, OpenSSLError}; + + #[pymodule_init] + fn init(openssl_mod: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + openssl_mod.add( + "CRYPTOGRAPHY_OPENSSL_300_OR_GREATER", + cfg!(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + )?; + openssl_mod.add( + "CRYPTOGRAPHY_OPENSSL_320_OR_GREATER", + cfg!(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER), + )?; + + openssl_mod.add("CRYPTOGRAPHY_IS_LIBRESSL", cfg!(CRYPTOGRAPHY_IS_LIBRESSL))?; + 
openssl_mod.add("CRYPTOGRAPHY_IS_BORINGSSL", cfg!(CRYPTOGRAPHY_IS_BORINGSSL))?; + + cfg_if::cfg_if! { + if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { + let providers = super::super::_initialize_providers()?; + if providers.legacy.is_some() { + openssl_mod.add("_legacy_provider_loaded", true)?; + } else { + openssl_mod.add("_legacy_provider_loaded", false)?; + } + openssl_mod.add("_providers", providers)?; + } else { + // default value for non-openssl 3+ + openssl_mod.add("_legacy_provider_loaded", false)?; + } } - openssl_mod.add("_providers", providers)?; - openssl_mod.add_function(pyo3::wrap_pyfunction_bound!(enable_fips, &openssl_mod)?)?; - } else { - // default value for non-openssl 3+ - openssl_mod.add("_legacy_provider_loaded", false)?; + crate::backend::add_to_module(openssl_mod)?; + + Ok(()) } } - openssl_mod.add_function(pyo3::wrap_pyfunction_bound!(openssl_version, &openssl_mod)?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction_bound!( - openssl_version_text, - &openssl_mod - )?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction_bound!( - error::raise_openssl_error, - &openssl_mod - )?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction_bound!( - error::capture_error_stack, - &openssl_mod - )?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction_bound!(is_fips_enabled, &openssl_mod)?)?; - openssl_mod.add_class::()?; - crate::backend::add_to_module(&openssl_mod)?; - m.add_submodule(&openssl_mod)?; - Ok(()) + #[pymodule_init] + fn init(m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + m.add_submodule(&crate::asn1::create_submodule(m.py())?)?; + m.add_submodule(&crate::pkcs7::create_submodule(m.py())?)?; + m.add_submodule(&crate::pkcs12::create_submodule(m.py())?)?; + m.add_submodule(&crate::exceptions::create_submodule(m.py())?)?; + + m.add_submodule(&cryptography_cffi::create_module(m.py())?)?; + + Ok(()) + } } #[cfg(test)] From 48accf36231cc1998ad395bc2de95fd77b05d201 Mon Sep 17 00:00:00 2001 
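Review bot: In the new `openssl` submodule's `init`, the `if providers.legacy.is_some() { … true } else { … false }` pair carried over from the old function can be a single call, `openssl_mod.add("_legacy_provider_loaded", providers.legacy.is_some())?;`, so the published flag is always derived from the provider state in one place. The same hunk brings the trait into scope by two different paths, `use pyo3::types::PyModuleMethods;` in `_rust` and `use pyo3::prelude::PyModuleMethods;` in `openssl`; using one path would make the nested modules consistent. The `enable_fips` export sits behind `#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)]`, so a short comment there, such as `// Not exported on builds without OpenSSL 3.0+; Python callers must not assume the attribute exists`, would document that FIPS enablement is build-dependent.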
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 9 Jul 2024 00:31:03 +0000 Subject: [PATCH 0785/1462] Bump x509-limbo and/or wycheproof in CI (#11220) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 306ca460a02e..cc952ebeac71 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jul 03, 2024. - ref: "74e0b06dc4c5ee3707fa7f45ea0adb11ddb8de33" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jul 09, 2024. + ref: "c2cc9e19c5e9060054431cdabd64f603e4d79d6a" # x509-limbo-ref From 9913313dbe1ca9a900c3d476240979dd63335c3d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 8 Jul 2024 20:33:24 -0400 Subject: [PATCH 0786/1462] Migrate `exceptions` to declrative modules API (#11221) refs #11158 --- src/rust/src/exceptions.rs | 14 ++++---------- src/rust/src/lib.rs | 3 ++- 2 files changed, 6 insertions(+), 11 deletions(-) diff --git a/src/rust/src/exceptions.rs b/src/rust/src/exceptions.rs index ff789105447b..91824ef0422e 100644 --- a/src/rust/src/exceptions.rs +++ b/src/rust/src/exceptions.rs @@ -2,8 +2,6 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::types::PyModuleMethods; - #[pyo3::pyclass( frozen, eq, 
@@ -39,12 +37,8 @@ pyo3::import_exception_bound!(cryptography.x509, DuplicateExtension); pyo3::import_exception_bound!(cryptography.x509, UnsupportedGeneralNameType); pyo3::import_exception_bound!(cryptography.x509, InvalidVersion); -pub(crate) fn create_submodule( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let submod = pyo3::types::PyModule::new_bound(py, "exceptions")?; - - submod.add_class::()?; - - Ok(submod) +#[pyo3::pymodule] +pub(crate) mod exceptions { + #[pymodule_export] + use super::Reasons; } diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index eb27632328c5..ce9c8ca4cc46 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -94,6 +94,8 @@ fn enable_fips(providers: &mut LoadedProviders) -> CryptographyResult<()> { mod _rust { use pyo3::types::PyModuleMethods; + #[pymodule_export] + use crate::exceptions::exceptions; #[pymodule_export] use crate::oid::ObjectIdentifier; #[pymodule_export] @@ -177,7 +179,6 @@ mod _rust { m.add_submodule(&crate::asn1::create_submodule(m.py())?)?; m.add_submodule(&crate::pkcs7::create_submodule(m.py())?)?; m.add_submodule(&crate::pkcs12::create_submodule(m.py())?)?; - m.add_submodule(&crate::exceptions::create_submodule(m.py())?)?; m.add_submodule(&cryptography_cffi::create_module(m.py())?)?; From 8c7a560df74923540271a21e84762e976e1e642e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 8 Jul 2024 20:45:00 -0400 Subject: [PATCH 0787/1462] Migrate `pkcs12` to declrative modules API (#11222) refs #11158 --- src/rust/src/lib.rs | 3 ++- src/rust/src/pkcs12.rs | 26 +++++++------------------- 2 files changed, 9 insertions(+), 20 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index ce9c8ca4cc46..1e5ca7eaebaa 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs 
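Review bot: The new `pub(crate) mod exceptions` in `exceptions.rs` reuses the file's own name, so the export added to `lib.rs` reads `crate::exceptions::exceptions`, and the Python-visible module name is taken implicitly from the Rust identifier. The `pkcs12` patch that follows in this series has the same shape (`crate::pkcs12::pkcs12`), while the later `asn1` and `pkcs7` patches pin the name explicitly with `#[pyo3(name = "…")]` on `asn1_mod` / `pkcs7_mod`. Using one convention throughout, for example `#[pyo3(name = "exceptions")]` on a distinctly named module, would make the exported name explicit and let the module be renamed on the Rust side without changing the Python import path. At minimum a doc comment such as `/// Exposed to Python as the exceptions submodule of _rust.` would record the intent.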
@@ -100,6 +100,8 @@ mod _rust { use crate::oid::ObjectIdentifier; #[pymodule_export] use crate::padding::{check_ansix923_padding, check_pkcs7_padding, PKCS7PaddingContext}; + #[pymodule_export] + use crate::pkcs12::pkcs12; #[pyo3::pymodule] mod x509 { @@ -178,7 +180,6 @@ mod _rust { fn init(m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { m.add_submodule(&crate::asn1::create_submodule(m.py())?)?; m.add_submodule(&crate::pkcs7::create_submodule(m.py())?)?; - m.add_submodule(&crate::pkcs12::create_submodule(m.py())?)?; m.add_submodule(&cryptography_cffi::create_module(m.py())?)?; diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index cdae36138e0a..ba3c230b565f 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -9,7 +9,7 @@ use crate::padding::PKCS7PaddingContext; use crate::x509::certificate::Certificate; use crate::{types, x509}; use cryptography_x509::common::Utf8StoredBMPString; -use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods}; use pyo3::IntoPy; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; @@ -833,24 +833,12 @@ fn load_pkcs12<'p>( .call1((private_key, cert, additional_certs))?) } -pub(crate) fn create_submodule( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let submod = pyo3::types::PyModule::new_bound(py, "pkcs12")?; - - submod.add_function(pyo3::wrap_pyfunction_bound!( - load_key_and_certificates, - &submod - )?)?; - submod.add_function(pyo3::wrap_pyfunction_bound!(load_pkcs12, &submod)?)?; - submod.add_function(pyo3::wrap_pyfunction_bound!( - serialize_key_and_certificates, - &submod - )?)?; - - submod.add_class::()?; - - Ok(submod) +#[pyo3::pymodule] +pub(crate) mod pkcs12 { + #[pymodule_export] + use super::{ + load_key_and_certificates, load_pkcs12, serialize_key_and_certificates, PKCS12Certificate, + }; } #[cfg(test)] 
From 6329ed06cfb3383c70fc287a6da6b4575ed80b87 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 9 Jul 2024 07:13:53 -0400 Subject: [PATCH 0788/1462] Bump syn from 2.0.69 to 2.0.70 in /src/rust (#11229) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.69 to 2.0.70. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.69...2.0.70) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index e67735a85f16..99395185e792 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -325,9 +325,9 @@ checksum = "d369a96f978623eb3dc28807c4852d6cc617fed53da5d3c400feff1ef34a714a" [[package]] name = "syn" -version = "2.0.69" +version = "2.0.70" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "201fcda3845c23e8212cd466bfebf0bd20694490fc0356ae8e428e0824a915a6" +checksum = "2f0209b68b3613b093e0ec905354eccaedcfe83b8cb37cbdeae64026c3064c16" dependencies = [ "proc-macro2", "quote", From 3c4b6de42fbca0d2b84283d115b8e76f0b7c0df6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 9 Jul 2024 11:19:20 +0000 Subject: [PATCH 0789/1462] Bump target-lexicon from 0.12.14 to 0.12.15 in /src/rust (#11227) Bumps [target-lexicon](https://github.com/bytecodealliance/target-lexicon) from 0.12.14 to 0.12.15. - [Commits](https://github.com/bytecodealliance/target-lexicon/compare/v0.12.14...v0.12.15) --- updated-dependencies: - dependency-name: target-lexicon dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 99395185e792..2586a0e4ddbb 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -336,9 +336,9 @@ dependencies = [ [[package]] name = "target-lexicon" -version = "0.12.14" +version = "0.12.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e1fc403891a21bcfb7c37834ba66a547a8f402146eba7265b5a6d88059c9ff2f" +checksum = "4873307b7c257eddcb50c9bedf158eb669578359fb28428bef438fec8e6ba7c2" [[package]] name = "unicode-ident" From be74177c9eacf4886b16814ce044c8c0d747fbff Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 9 Jul 2024 12:15:17 -0400 Subject: [PATCH 0790/1462] Migrate `verify` to declarative modules API (#11231) refs #11158 --- src/rust/src/lib.rs | 7 ++++++- src/rust/src/x509/verify.rs | 26 ++++++-------------------- 2 files changed, 12 insertions(+), 21 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 1e5ca7eaebaa..d5997764b9d5 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -105,6 +105,12 @@ mod _rust { #[pyo3::pymodule] mod x509 { + #[pymodule_export] + use crate::x509::verify::{ + PolicyBuilder, PyClientVerifier, PyServerVerifier, PyStore, PyVerifiedClient, + VerificationError, + }; + #[pymodule_init] fn init(x509_mod: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { crate::x509::certificate::add_to_module(x509_mod)?; @@ -112,7 +118,6 @@ mod _rust { crate::x509::crl::add_to_module(x509_mod)?; crate::x509::csr::add_to_module(x509_mod)?; crate::x509::sct::add_to_module(x509_mod)?; - crate::x509::verify::add_to_module(x509_mod)?; Ok(()) } diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 52f179b871c5..dbc9f18770af 100644 --- a/src/rust/src/x509/verify.rs 
+++ b/src/rust/src/x509/verify.rs @@ -11,7 +11,7 @@ use cryptography_x509_verification::{ trust_store::Store, types::{DNSName, IPAddress}, }; -use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods}; use crate::backend::keys; use crate::error::{CryptographyError, CryptographyResult}; @@ -55,7 +55,7 @@ pyo3::create_exception!( ); #[pyo3::pyclass(frozen, module = "cryptography.x509.verification")] -struct PolicyBuilder { +pub(crate) struct PolicyBuilder { time: Option, store: Option>, max_chain_depth: Option, @@ -212,7 +212,7 @@ self_cell::self_cell!( name = "VerifiedClient", module = "cryptography.hazmat.bindings._rust.x509" )] -struct PyVerifiedClient { +pub(crate) struct PyVerifiedClient { #[pyo3(get)] subjects: pyo3::Py, #[pyo3(get)] @@ -224,7 +224,7 @@ struct PyVerifiedClient { name = "ClientVerifier", module = "cryptography.hazmat.bindings._rust.x509" )] -struct PyClientVerifier { +pub(crate) struct PyClientVerifier { policy: PyCryptoPolicy<'static>, #[pyo3(get)] store: pyo3::Py, @@ -315,7 +315,7 @@ impl PyClientVerifier { name = "ServerVerifier", module = "cryptography.hazmat.bindings._rust.x509" )] -struct PyServerVerifier { +pub(crate) struct PyServerVerifier { #[pyo3(get, name = "subject")] py_subject: pyo3::Py, policy: OwnedPolicy, @@ -448,7 +448,7 @@ self_cell::self_cell!( name = "Store", module = "cryptography.hazmat.bindings._rust.x509" )] -struct PyStore { +pub(crate) struct PyStore { raw: RawPyStore, } @@ -473,17 +473,3 @@ impl PyStore { }) } } - -pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_class::()?; - module.add_class::()?; - module.add_class::()?; - module.add_class::()?; - module.add_class::()?; - module.add( - "VerificationError", - module.py().get_type_bound::(), - )?; - - Ok(()) -} From 55e81de228df1dd63f97fa00484fc9ae051a1b44 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Tue, 9 Jul 2024 12:16:18 -0400 Subject: [PATCH 0791/1462] Migrate `ocsp_req` to declrative modules API (#11230) refs #11158 --- src/rust/src/lib.rs | 4 +++- src/rust/src/x509/ocsp_req.rs | 17 ++++------------- 2 files changed, 7 insertions(+), 14 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index d5997764b9d5..11dd2362c465 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -125,9 +125,11 @@ mod _rust { #[pyo3::pymodule] mod ocsp { + #[pymodule_export] + use crate::x509::ocsp_req::{create_ocsp_request, load_der_ocsp_request, OCSPRequest}; + #[pymodule_init] fn init(ocsp_mod: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - crate::x509::ocsp_req::add_to_module(ocsp_mod)?; crate::x509::ocsp_resp::add_to_module(ocsp_mod)?; Ok(()) diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index d56ed0823ee9..7770fb9d6f40 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -7,7 +7,7 @@ use cryptography_x509::{ ocsp_req::{self, OCSPRequest as RawOCSPRequest}, oid, }; -use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods}; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; @@ -23,7 +23,7 @@ self_cell::self_cell!( ); #[pyo3::pyfunction] -fn load_der_ocsp_request( +pub(crate) fn load_der_ocsp_request( py: pyo3::Python<'_>, data: pyo3::Py, ) -> CryptographyResult { @@ -51,7 +51,7 @@ fn load_der_ocsp_request( } #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] -struct OCSPRequest { +pub(crate) struct OCSPRequest { raw: OwnedOCSPRequest, cached_extensions: pyo3::sync::GILOnceCell, 
@@ -166,7 +166,7 @@ impl OCSPRequest { } #[pyo3::pyfunction] -fn create_ocsp_request( +pub(crate) fn create_ocsp_request( py: pyo3::Python<'_>, builder: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { @@ -228,12 +228,3 @@ fn create_ocsp_request( let data = asn1::write_single(&ocsp_req)?; load_der_ocsp_request(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()) } - -pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction_bound!(load_der_ocsp_request, module)?)?; - module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_request, module)?)?; - - module.add_class::()?; - - Ok(()) -} From 67a52154a3f72255cd37b4b6be57b75664389090 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 9 Jul 2024 12:22:55 -0400 Subject: [PATCH 0792/1462] Migrate `asn1` to declrative modules API (#11224) refs #11158 --- src/rust/src/asn1.rs | 23 +++++++---------------- src/rust/src/lib.rs | 4 ++-- 2 files changed, 9 insertions(+), 18 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 8a6e86a5141f..c306104b8585 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -9,7 +9,6 @@ use cryptography_x509::name::Name; use pyo3::pybacked::PyBackedBytes; use pyo3::types::IntoPyDict; use pyo3::types::PyAnyMethods; -use pyo3::types::PyModuleMethods; use pyo3::ToPyObject; use crate::error::{CryptographyError, CryptographyResult}; 
@@ -176,19 +175,11 @@ fn test_parse_certificate(data: &[u8]) -> Result, -) -> pyo3::PyResult> { - let submod = pyo3::types::PyModule::new_bound(py, "asn1")?; - submod.add_function(pyo3::wrap_pyfunction_bound!(parse_spki_for_data, &submod)?)?; - - submod.add_function(pyo3::wrap_pyfunction_bound!(decode_dss_signature, &submod)?)?; - submod.add_function(pyo3::wrap_pyfunction_bound!(encode_dss_signature, &submod)?)?; - - submod.add_function(pyo3::wrap_pyfunction_bound!( - test_parse_certificate, - &submod - )?)?; - - Ok(submod) +#[pyo3::pymodule] +#[pyo3(name = "asn1")] +pub(crate) mod asn1_mod { + #[pymodule_export] + use super::{ + decode_dss_signature, encode_dss_signature, parse_spki_for_data, test_parse_certificate, + }; } diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 11dd2362c465..e4285fce2b98 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -94,6 +94,8 @@ fn enable_fips(providers: &mut LoadedProviders) -> CryptographyResult<()> { mod _rust { use pyo3::types::PyModuleMethods; + #[pymodule_export] + use crate::asn1::asn1_mod; #[pymodule_export] use crate::exceptions::exceptions; #[pymodule_export] @@ -185,9 +187,7 @@ mod _rust { #[pymodule_init] fn init(m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - m.add_submodule(&crate::asn1::create_submodule(m.py())?)?; m.add_submodule(&crate::pkcs7::create_submodule(m.py())?)?; - m.add_submodule(&cryptography_cffi::create_module(m.py())?)?; Ok(()) From e80a2ab7841927747cc42a955a84ba8f30b038eb Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 10 Jul 2024 00:34:11 +0000 Subject: [PATCH 0793/1462] Bump x509-limbo and/or wycheproof in CI (#11240) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
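Review bot: The `#[pymodule_export]` list in the new `asn1_mod` block in `asn1.rs` publishes `test_parse_certificate` alongside `decode_dss_signature`, `encode_dss_signature` and `parse_spki_for_data`, and nothing in the hunk marks it as different from them. Judging by its name it exists for the test suite, so it is worth saying so where the binding surface is declared, for example `// test_parse_certificate is exported only for the Python test suite; not a supported API`, assuming that is the intent. If it is not needed in release builds, placing that one import under its own `#[pymodule_export]` with a `cfg` gate, as `enable_fips` is gated in `lib.rs`, would keep it out of shipped wheels; whether the Python tests can tolerate that is not visible from this hunk.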
diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index cc952ebeac71..10594d7b579f 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jul 09, 2024. - ref: "c2cc9e19c5e9060054431cdabd64f603e4d79d6a" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jul 10, 2024. + ref: "6e5500061c043941079d677af8e822dfed494fec" # x509-limbo-ref From 598681610fe932f2c89a53b29ca83912a5b9c771 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 9 Jul 2024 19:40:40 -0500 Subject: [PATCH 0794/1462] Bump BoringSSL and/or OpenSSL in CI (#11238) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bc8efebe79e8..ef242336eeb7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jul 04, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7c2b62e93487b772990fddc1905f22d4cfaee4a4"}} - # Latest commit on the OpenSSL master branch, as of Jul 09, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c215d75f94fcaa598817e739221f33b71b53fb39"}} + # Latest commit on the BoringSSL master branch, as of Jul 10, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "8934b1ef0857bc08626a2206a6f5f718942c14fc"}} + # Latest commit on the OpenSSL master branch, as of Jul 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d8def79838cd0d5e7c21d217aa26edb5229f0ab4"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 21a65208c8d70b46a0911f6e547a02185f7c6501 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Jul 2024 10:54:42 +0000 Subject: [PATCH 0795/1462] Bump actions/attest-build-provenance from 1.3.2 to 1.3.3 (#11241) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.3.2 to 1.3.3. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/bdd51370e0416ac948727f861e03c2f05d32d78e...5e9cb68e95676991667494a6a4e59b8a2f13e1d0) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 1a6fec6c988b..f29065e0c54f 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -93,7 +93,7 @@ jobs: # Do not perform attestation for things for TestPyPI. This is because # there's nothing that would prevent a malicious PyPI from serving a # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2 + - uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3 with: subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' From 6169c6f139dd254e9ec411dd9726618fc539cad6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Jul 2024 06:56:12 -0400 Subject: [PATCH 0796/1462] Bump setuptools from 70.2.0 to 70.3.0 in /.github/requirements (#11242) Bumps [setuptools](https://github.com/pypa/setuptools) from 70.2.0 to 70.3.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v70.2.0...v70.3.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 9371021df44b..ceabc93499a6 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -83,7 +83,7 @@ tomli==2.0.1 \ # via maturin # The following packages are considered to be unsafe in a requirements file: -setuptools==70.2.0 \ - --hash=sha256:b8b8060bb426838fbe942479c90296ce976249451118ef566a5a0b7d8b78fb05 \ - --hash=sha256:bd63e505105011b25c3c11f753f7e3b8465ea739efddaccef8f0efac2137bac1 +setuptools==70.3.0 \ + --hash=sha256:f171bab1dfbc86b132997f26a119f6056a57950d058587841a0082e8830f9dc5 \ + --hash=sha256:fe384da74336c398e0d956d1cae0669bc02eed936cdb1d49b57de1990dc11ffc # via -r build-requirements.in From 69429a4642f94baf0fdebd0d18f44fe010fe1f5c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jul 2024 10:22:27 -0400 Subject: [PATCH 0797/1462] Migrate `ocsp_resp` to declrative modules API (#11225) refs #11158 --- src/rust/src/lib.rs | 11 ++++------- src/rust/src/x509/ocsp_resp.rs | 23 +++++------------------ 2 files changed, 9 insertions(+), 25 deletions(-) 
diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index e4285fce2b98..d54779e321fc 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -129,13 +129,10 @@ mod _rust { mod ocsp { #[pymodule_export] use crate::x509::ocsp_req::{create_ocsp_request, load_der_ocsp_request, OCSPRequest}; - - #[pymodule_init] - fn init(ocsp_mod: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - crate::x509::ocsp_resp::add_to_module(ocsp_mod)?; - - Ok(()) - } + #[pymodule_export] + use crate::x509::ocsp_resp::{ + create_ocsp_response, load_der_ocsp_response, OCSPResponse, OCSPSingleResponse, + }; } #[pyo3::pymodule] diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 302f3b333762..955bf35a4c31 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -10,7 +10,7 @@ use cryptography_x509::{ ocsp_resp::{self, OCSPResponse as RawOCSPResponse, SingleResponse as RawSingleResponse}, oid, }; -use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods}; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; use crate::error::{CryptographyError, CryptographyResult}; @@ -20,7 +20,7 @@ use crate::{exceptions, types, x509}; const BASIC_RESPONSE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 5, 5, 7, 48, 1, 1); #[pyo3::pyfunction] -fn load_der_ocsp_response( +pub(crate) fn load_der_ocsp_response( py: pyo3::Python<'_>, data: pyo3::Py, ) -> Result { @@ -73,7 +73,7 @@ self_cell::self_cell!( ); #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] -struct OCSPResponse { +pub(crate) struct OCSPResponse { raw: Arc, cached_extensions: pyo3::sync::GILOnceCell, @@ -687,7 +687,7 @@ fn singleresp_py_revocation_time_utc<'p>( } #[pyo3::pyfunction] -fn create_ocsp_response( +pub(crate) fn create_ocsp_response( py: pyo3::Python<'_>, status: &pyo3::Bound<'_, pyo3::PyAny>, builder: &pyo3::Bound<'_, pyo3::PyAny>, 
@@ -919,7 +919,7 @@ self_cell::self_cell!( ); #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] -struct OCSPSingleResponse { +pub(crate) struct OCSPSingleResponse { raw: OwnedSingleResponse, } @@ -1053,16 +1053,3 @@ impl OCSPSingleResponse { singleresp_py_next_update_utc(single_resp, py) } } - -pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction_bound!( - load_der_ocsp_response, - module - )?)?; - module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_response, module)?)?; - - module.add_class::()?; - module.add_class::()?; - - Ok(()) -} From 721ab74912b3e1df41fed6b1014527561954f8ff Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jul 2024 10:22:52 -0400 Subject: [PATCH 0798/1462] Migrate `pkcs7` to declrative modules API (#11223) refs #11158 --- src/rust/src/lib.rs | 3 ++- src/rust/src/pkcs7.rs | 30 +++++++++--------------------- 2 files changed, 11 insertions(+), 22 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index d54779e321fc..f520cad4d3c1 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -104,6 +104,8 @@ mod _rust { use crate::padding::{check_ansix923_padding, check_pkcs7_padding, PKCS7PaddingContext}; #[pymodule_export] use crate::pkcs12::pkcs12; + #[pymodule_export] + use crate::pkcs7::pkcs7_mod; #[pyo3::pymodule] mod x509 { @@ -184,7 +186,6 @@ mod _rust { #[pymodule_init] fn init(m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - m.add_submodule(&crate::pkcs7::create_submodule(m.py())?)?; m.add_submodule(&cryptography_cffi::create_module(m.py())?)?; Ok(()) diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 86ef48cc4de4..ba6802aa8f71 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs 
@@ -11,7 +11,7 @@ use cryptography_x509::{common, oid, pkcs7}; use once_cell::sync::Lazy; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use openssl::pkcs7::Pkcs7; -use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods}; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use pyo3::IntoPy; @@ -407,26 +407,14 @@ fn load_der_pkcs7_certificates<'p>( } } -pub(crate) fn create_submodule( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let submod = pyo3::types::PyModule::new_bound(py, "pkcs7")?; - - submod.add_function(pyo3::wrap_pyfunction_bound!( - serialize_certificates, - &submod - )?)?; - submod.add_function(pyo3::wrap_pyfunction_bound!(sign_and_serialize, &submod)?)?; - submod.add_function(pyo3::wrap_pyfunction_bound!( - load_pem_pkcs7_certificates, - &submod - )?)?; - submod.add_function(pyo3::wrap_pyfunction_bound!( - load_der_pkcs7_certificates, - &submod - )?)?; - - Ok(submod) +#[pyo3::pymodule] +#[pyo3(name = "pkcs7")] +pub(crate) mod pkcs7_mod { + #[pymodule_export] + use super::{ + load_der_pkcs7_certificates, load_pem_pkcs7_certificates, serialize_certificates, + sign_and_serialize, + }; } #[cfg(test)] From f30c2dacab059400db3706c1a95c3cc081306b87 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jul 2024 10:23:39 -0400 Subject: [PATCH 0799/1462] Migrate `sct` to declarative modules API (#11234) refs #11158 --- src/rust/src/lib.rs | 3 ++- src/rust/src/x509/sct.rs | 8 +------- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index f520cad4d3c1..aad485d1afcc 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -109,6 +109,8 @@ mod _rust { #[pyo3::pymodule] mod x509 { + #[pymodule_export] + use crate::x509::sct::Sct; #[pymodule_export] use crate::x509::verify::{ PolicyBuilder, PyClientVerifier, PyServerVerifier, PyStore, PyVerifiedClient, 
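Review bot: The new module at the end of src/rust/src/pkcs7.rs is declared as `pkcs7_mod` and renamed for Python with `#[pyo3(name = "pkcs7")]`, but the reason for the split name is not recorded. It is presumably there to avoid clashing with the `pkcs7` item imported from `cryptography_x509` at the top of the file. If so, it is worth saying, because a cleanup that drops the attribute would change the Python import path to `pkcs7_mod`. Suggested comment above the attribute: `// Rust name differs from the Python name "pkcs7" because pkcs7 is already imported from cryptography_x509.`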
@@ -121,7 +123,6 @@ mod _rust { crate::x509::common::add_to_module(x509_mod)?; crate::x509::crl::add_to_module(x509_mod)?; crate::x509::csr::add_to_module(x509_mod)?; - crate::x509::sct::add_to_module(x509_mod)?; Ok(()) } diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index 54315cdcc412..78985af4dfc0 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -5,7 +5,7 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -use pyo3::types::{PyAnyMethods, PyDictMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyDictMethods, PyListMethods}; use pyo3::ToPyObject; use crate::error::CryptographyError; @@ -259,12 +259,6 @@ pub(crate) fn parse_scts( Ok(py_scts.to_object(py)) } -pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_class::()?; - - Ok(()) -} - #[cfg(test)] mod tests { use super::*; From d67998f125d33d7d409f5a5a8a5db03566b4ec1e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jul 2024 10:23:55 -0400 Subject: [PATCH 0800/1462] Remove no longer required dead_code annotations (#11239) The code is not dead --- src/rust/src/pkcs12.rs | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index ba3c230b565f..88b5cea1c8ef 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -234,9 +234,7 @@ impl EncryptionAlgorithm { } } -#[allow(dead_code)] const KDF_ENCRYPTION_KEY_ID: u8 = 1; -#[allow(dead_code)] const KDF_IV_ID: u8 = 2; const KDF_MAC_KEY_ID: u8 = 3; From ccae9efeace2afaf484185689662162e3270cabf Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jul 2024 10:25:30 -0400 Subject: [PATCH 0801/1462] Migrate `keys` to declarative modules API (#11236) refs #11158 --- src/rust/src/backend/keys.rs | 18 ++++++------------ src/rust/src/backend/mod.rs | 1 - src/rust/src/lib.rs | 2 ++ 3 files changed, 8 insertions(+), 13 deletions(-) 
diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index 649bea38cbeb..c16ff8628c2c 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -2,7 +2,6 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::types::PyModuleMethods; use pyo3::IntoPy; use crate::backend::utils; @@ -221,17 +220,12 @@ fn public_key_from_pkey( } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "keys")?; - - m.add_function(pyo3::wrap_pyfunction_bound!(load_pem_private_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(load_der_private_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(load_der_public_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(load_pem_public_key, &m)?)?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod keys { + #[pymodule_export] + use super::{ + load_der_private_key, load_der_public_key, load_pem_private_key, load_pem_public_key, + }; } #[cfg(test)] diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 1f703485b970..5a035ed2c8be 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -32,7 +32,6 @@ pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> module.add_submodule(&dh::create_module(module.py())?)?; module.add_submodule(&dsa::create_module(module.py())?)?; module.add_submodule(&ec::create_module(module.py())?)?; - module.add_submodule(&keys::create_module(module.py())?)?; module.add_submodule(&ed25519::create_module(module.py())?)?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index aad485d1afcc..a3f24fac429a 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs 
@@ -148,6 +148,8 @@ mod _rust { #[pymodule_export] use super::super::{is_fips_enabled, openssl_version, openssl_version_text}; #[pymodule_export] + use crate::backend::keys::keys; + #[pymodule_export] use crate::error::{capture_error_stack, raise_openssl_error, OpenSSLError}; #[pymodule_init] From 1ed43fd1b5c115b0ee3578f74668e40bc73b5338 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 10 Jul 2024 11:02:00 -0500 Subject: [PATCH 0802/1462] move hashes, hmac, and kdf to declarative (#11244) * move hashes, hmac, and kdf to declarative * libre fix * unneeded pub --- src/rust/src/backend/hashes.rs | 13 +++++-------- src/rust/src/backend/hmac.rs | 13 +++++-------- src/rust/src/backend/kdf.rs | 16 ++++++---------- src/rust/src/backend/mod.rs | 3 --- src/rust/src/lib.rs | 6 ++++++ 5 files changed, 22 insertions(+), 29 deletions(-) diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index 4b33e024fc27..4226b4b7dbb9 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::types::{PyAnyMethods, PyModuleMethods}; +use pyo3::types::PyAnyMethods; use pyo3::IntoPy; use std::borrow::Cow; @@ -138,11 +138,8 @@ impl Hash { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "hashes")?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod hashes { + #[pymodule_export] + use super::Hash; } diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs index 4488753b91e0..d70d499565a4 100644 --- a/src/rust/src/backend/hmac.rs +++ b/src/rust/src/backend/hmac.rs 
@@ -6,7 +6,7 @@ use crate::backend::hashes::{already_finalized_error, message_digest_from_algori use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::types::{PyBytesMethods, PyModuleMethods}; +use pyo3::types::PyBytesMethods; #[pyo3::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.hmac", @@ -106,11 +106,8 @@ impl Hmac { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "hmac")?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod hmac { + #[pymodule_export] + use super::Hmac; } diff --git a/src/rust/src/backend/kdf.rs b/src/rust/src/backend/kdf.rs index d8c3858a6331..8c6a151a17d0 100644 --- a/src/rust/src/backend/kdf.rs +++ b/src/rust/src/backend/kdf.rs @@ -5,7 +5,6 @@ use crate::backend::hashes; use crate::buf::CffiBuf; use crate::error::CryptographyResult; -use pyo3::types::PyModuleMethods; #[pyo3::pyfunction] pub(crate) fn derive_pbkdf2_hmac<'p>( @@ -49,14 +48,11 @@ fn derive_scrypt<'p>( })?) } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "kdf")?; - - m.add_function(pyo3::wrap_pyfunction_bound!(derive_pbkdf2_hmac, &m)?)?; +#[pyo3::pymodule] +pub(crate) mod kdf { + #[pymodule_export] + use super::derive_pbkdf2_hmac; #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] - m.add_function(pyo3::wrap_pyfunction_bound!(derive_scrypt, &m)?)?; - - Ok(m) + #[pymodule_export] + use super::derive_scrypt; } diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 5a035ed2c8be..ea1e5f07f72b 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs 
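Review bot: In the new `kdf` module in src/rust/src/backend/kdf.rs, `derive_scrypt` is exported only under `#[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))]`, so on a LibreSSL build the Python module has no such attribute, and the export list does not say so. A one-line comment would make that contract explicit for whoever maintains the Python side: `// Not exported on LibreSSL builds; Python callers must not assume the attribute exists.` The cfg on the function definition is outside this hunk, so I cannot confirm from here that the two predicates match. The `ed448` and `x448` exports added to lib.rs later in the series are gated on both LibreSSL and BoringSSL and would benefit from the same kind of comment.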
@@ -43,9 +43,6 @@ pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> module.add_submodule(&poly1305::create_module(module.py())?)?; - module.add_submodule(&hashes::create_module(module.py())?)?; - module.add_submodule(&hmac::create_module(module.py())?)?; - module.add_submodule(&kdf::create_module(module.py())?)?; module.add_submodule(&rsa::create_module(module.py())?)?; Ok(()) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index a3f24fac429a..e40331887ef2 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -148,6 +148,12 @@ mod _rust { #[pymodule_export] use super::super::{is_fips_enabled, openssl_version, openssl_version_text}; #[pymodule_export] + use crate::backend::hashes::hashes; + #[pymodule_export] + use crate::backend::hmac::hmac; + #[pymodule_export] + use crate::backend::kdf::kdf; + #[pymodule_export] use crate::backend::keys::keys; #[pymodule_export] use crate::error::{capture_error_stack, raise_openssl_error, OpenSSLError}; From 7611404c510bf60f1a05878ade021a1f5ce5457e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 10 Jul 2024 12:34:55 -0500 Subject: [PATCH 0803/1462] migrate poly1305, x448/25519, ed448/25519 to declarative (#11245) --- src/rust/src/backend/ed25519.rs | 19 ++++++------------- src/rust/src/backend/ed448.rs | 19 ++++++------------- src/rust/src/backend/mod.rs | 10 ---------- src/rust/src/backend/poly1305.rs | 14 +++++--------- src/rust/src/backend/x25519.rs | 19 ++++++------------- src/rust/src/backend/x448.rs | 19 ++++++------------- src/rust/src/lib.rs | 12 ++++++++++++ 7 files changed, 41 insertions(+), 71 deletions(-) diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index ab800d637af8..3460640a1a53 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs 
@@ -6,7 +6,6 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::types::PyModuleMethods; #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] pub(crate) struct Ed25519PrivateKey { @@ -160,16 +159,10 @@ impl Ed25519PublicKey { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "ed25519")?; - m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod ed25519 { + #[pymodule_export] + use super::{ + from_private_bytes, from_public_bytes, generate_key, Ed25519PrivateKey, Ed25519PublicKey, + }; } diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index 27b716ee5f2e..d27f6b361df3 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -6,7 +6,6 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::types::PyModuleMethods; #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed448")] pub(crate) struct Ed448PrivateKey { 
@@ -157,16 +156,10 @@ impl Ed448PublicKey { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "ed448")?; - m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod ed448 { + #[pymodule_export] + use super::{ + from_private_bytes, from_public_bytes, generate_key, Ed448PrivateKey, Ed448PublicKey, + }; } diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index ea1e5f07f72b..4ee5f6bee124 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -33,16 +33,6 @@ pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> module.add_submodule(&dsa::create_module(module.py())?)?; module.add_submodule(&ec::create_module(module.py())?)?; - module.add_submodule(&ed25519::create_module(module.py())?)?; - #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - module.add_submodule(&ed448::create_module(module.py())?)?; - - module.add_submodule(&x25519::create_module(module.py())?)?; - #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - module.add_submodule(&x448::create_module(module.py())?)?; - - module.add_submodule(&poly1305::create_module(module.py())?)?; - module.add_submodule(&rsa::create_module(module.py())?)?; Ok(()) diff --git a/src/rust/src/backend/poly1305.rs b/src/rust/src/backend/poly1305.rs index 4d07985407af..e998a43aaff6 100644 --- a/src/rust/src/backend/poly1305.rs +++ b/src/rust/src/backend/poly1305.rs 
@@ -6,7 +6,7 @@ use crate::backend::hashes::already_finalized_error; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::types::{PyBytesMethods, PyModuleMethods}; +use pyo3::types::PyBytesMethods; #[cfg(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_LIBRESSL))] struct Poly1305Boring { @@ -165,12 +165,8 @@ impl Poly1305 { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "poly1305")?; - - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod poly1305 { + #[pymodule_export] + use super::Poly1305; } diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 9e22c0ab998d..84f355f49787 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -5,7 +5,6 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::CryptographyResult; -use pyo3::types::PyModuleMethods; #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x25519")] pub(crate) struct X25519PrivateKey { @@ -150,16 +149,10 @@ impl X25519PublicKey { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "x25519")?; - m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod x25519 { + #[pymodule_export] + use super::{ + from_private_bytes, from_public_bytes, generate_key, X25519PrivateKey, X25519PublicKey, + }; } diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 4b88035d3226..0e9aa1c99194 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs 
@@ -5,7 +5,6 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::CryptographyResult; -use pyo3::types::PyModuleMethods; #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x448")] pub(crate) struct X448PrivateKey { @@ -149,16 +148,10 @@ impl X448PublicKey { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "x448")?; - m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod x448 { + #[pymodule_export] + use super::{ + from_private_bytes, from_public_bytes, generate_key, X448PrivateKey, X448PublicKey, + }; } diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index e40331887ef2..738c27f79c58 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -148,6 +148,11 @@ mod _rust { #[pymodule_export] use super::super::{is_fips_enabled, openssl_version, openssl_version_text}; #[pymodule_export] + use crate::backend::ed25519::ed25519; + #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] + #[pymodule_export] + use crate::backend::ed448::ed448; + #[pymodule_export] use crate::backend::hashes::hashes; #[pymodule_export] use crate::backend::hmac::hmac; @@ -156,6 +161,13 @@ mod _rust { #[pymodule_export] use crate::backend::keys::keys; #[pymodule_export] + use crate::backend::poly1305::poly1305; + #[pymodule_export] + use crate::backend::x25519::x25519; + #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] + #[pymodule_export] + use crate::backend::x448::x448; + #[pymodule_export] use crate::error::{capture_error_stack, raise_openssl_error, OpenSSLError}; #[pymodule_init] From c2cde15cde770e59f71e09429d9e34e597ea617b Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Wed, 10 Jul 2024 12:36:09 -0500 Subject: [PATCH 0804/1462] move x509 common/crl/csr to declarative (#11246) --- src/rust/src/lib.rs | 14 +++++++++++--- src/rust/src/x509/common.rs | 16 +++------------- src/rust/src/x509/crl.rs | 23 ++++++----------------- src/rust/src/x509/csr.rs | 20 +++++--------------- 4 files changed, 25 insertions(+), 48 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 738c27f79c58..3f9568126f54 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -109,6 +109,17 @@ mod _rust { #[pyo3::pymodule] mod x509 { + #[pymodule_export] + use crate::x509::common::{encode_extension_value, encode_name_bytes}; + #[pymodule_export] + use crate::x509::crl::{ + create_x509_crl, load_der_x509_crl, load_pem_x509_crl, CertificateRevocationList, + RevokedCertificate, + }; + #[pymodule_export] + use crate::x509::csr::{ + create_x509_csr, load_der_x509_csr, load_pem_x509_csr, CertificateSigningRequest, + }; #[pymodule_export] use crate::x509::sct::Sct; #[pymodule_export] @@ -120,9 +131,6 @@ mod _rust { #[pymodule_init] fn init(x509_mod: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { crate::x509::certificate::add_to_module(x509_mod)?; - crate::x509::common::add_to_module(x509_mod)?; - crate::x509::crl::add_to_module(x509_mod)?; - crate::x509::csr::add_to_module(x509_mod)?; Ok(()) } diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 98d4b2e71bfb..cdb53a7b6553 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -8,7 +8,7 @@ use cryptography_x509::extensions::{ }; use cryptography_x509::name::{GeneralName, Name, NameReadable, OtherName, UnvalidatedIA5String}; use pyo3::types::IntoPyDict; -use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods}; use pyo3::{IntoPy, ToPyObject}; use crate::asn1::{oid_to_py_oid, py_oid_to_oid}; 
@@ -89,7 +89,7 @@ pub(crate) fn encode_name_entry<'p>( } #[pyo3::pyfunction] -fn encode_name_bytes<'p>( +pub(crate) fn encode_name_bytes<'p>( py: pyo3::Python<'p>, py_name: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { @@ -458,7 +458,7 @@ pub(crate) fn encode_extensions< } #[pyo3::pyfunction] -fn encode_extension_value<'p>( +pub(crate) fn encode_extension_value<'p>( py: pyo3::Python<'p>, py_ext: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult> { @@ -540,13 +540,3 @@ pub(crate) fn datetime_now(py: pyo3::Python<'_>) -> pyo3::PyResult) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction_bound!( - encode_extension_value, - module - )?)?; - module.add_function(pyo3::wrap_pyfunction_bound!(encode_name_bytes, module)?)?; - - Ok(()) -} diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index c4d683ba1c1b..58c22408557b 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -13,7 +13,7 @@ use cryptography_x509::{ }, name, oid, }; -use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods, PySliceMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods, PySliceMethods}; use pyo3::ToPyObject; use crate::asn1::{ @@ -26,7 +26,7 @@ use crate::{exceptions, types, x509}; #[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] -fn load_der_x509_crl( +pub(crate) fn load_der_x509_crl( py: pyo3::Python<'_>, data: pyo3::Py, backend: Option>, @@ -56,7 +56,7 @@ fn load_der_x509_crl( #[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] -fn load_pem_x509_crl( +pub(crate) fn load_pem_x509_crl( py: pyo3::Python<'_>, data: &[u8], backend: Option>, @@ -84,7 +84,7 @@ self_cell::self_cell!( ); #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] -struct CertificateRevocationList { +pub(crate) struct CertificateRevocationList { owned: Arc, revoked_certs: pyo3::sync::GILOnceCell>, 
@@ -535,7 +535,7 @@ impl Clone for OwnedRevokedCertificate { } #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] -struct RevokedCertificate { +pub(crate) struct RevokedCertificate { owned: OwnedRevokedCertificate, cached_extensions: pyo3::sync::GILOnceCell, } @@ -643,7 +643,7 @@ pub fn parse_crl_entry_ext<'p>( } #[pyo3::pyfunction] -fn create_x509_crl( +pub(crate) fn create_x509_crl( py: pyo3::Python<'_>, builder: &pyo3::Bound<'_, pyo3::PyAny>, private_key: &pyo3::Bound<'_, pyo3::PyAny>, @@ -729,14 +729,3 @@ fn create_x509_crl( None, ) } - -pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction_bound!(load_der_x509_crl, module)?)?; - module.add_function(pyo3::wrap_pyfunction_bound!(load_pem_x509_crl, module)?)?; - module.add_function(pyo3::wrap_pyfunction_bound!(create_x509_crl, module)?)?; - - module.add_class::()?; - module.add_class::()?; - - Ok(()) -} diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 61d0809d404d..9d4f81958c51 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -8,7 +8,7 @@ use std::hash::{Hash, Hasher}; use asn1::SimpleAsn1Readable; use cryptography_x509::csr::{check_attribute_length, Attribute, CertificationRequestInfo, Csr}; use cryptography_x509::{common, oid}; -use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods}; use pyo3::IntoPy; use crate::asn1::{encode_der_data, oid_to_py_oid, py_oid_to_oid}; @@ -27,7 +27,7 @@ self_cell::self_cell!( ); #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] -struct CertificateSigningRequest { +pub(crate) struct CertificateSigningRequest { raw: OwnedCsr, cached_extensions: pyo3::sync::GILOnceCell, } 
@@ -237,7 +237,7 @@ impl CertificateSigningRequest { #[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] -fn load_pem_x509_csr( +pub(crate) fn load_pem_x509_csr( py: pyo3::Python<'_>, data: &[u8], backend: Option>, @@ -260,7 +260,7 @@ fn load_pem_x509_csr( #[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] -fn load_der_x509_csr( +pub(crate) fn load_der_x509_csr( py: pyo3::Python<'_>, data: pyo3::Py, backend: Option>, @@ -286,7 +286,7 @@ fn load_der_x509_csr( } #[pyo3::pyfunction] -fn create_x509_csr( +pub(crate) fn create_x509_csr( py: pyo3::Python<'_>, builder: &pyo3::Bound<'_, pyo3::PyAny>, private_key: &pyo3::Bound<'_, pyo3::PyAny>, @@ -391,13 +391,3 @@ fn create_x509_csr( None, ) } - -pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction_bound!(load_der_x509_csr, module)?)?; - module.add_function(pyo3::wrap_pyfunction_bound!(load_pem_x509_csr, module)?)?; - module.add_function(pyo3::wrap_pyfunction_bound!(create_x509_csr, module)?)?; - - module.add_class::()?; - - Ok(()) -} From 6f09c973d9cad0dd897c34045fbf88168ea29717 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 10 Jul 2024 12:46:55 -0500 Subject: [PATCH 0805/1462] migrate dh, dsa, and ec to declarative (#11247) --- src/rust/src/backend/dh.rs | 25 ++++++++----------------- src/rust/src/backend/dsa.rs | 22 +++++++--------------- src/rust/src/backend/ec.rs | 24 ++++++++---------------- src/rust/src/backend/mod.rs | 3 --- src/rust/src/lib.rs | 6 ++++++ 5 files changed, 29 insertions(+), 51 deletions(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index e615d623ffa3..883277e35017 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs 
@@ -8,7 +8,7 @@ use crate::asn1::encode_der_data; use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; use crate::{types, x509}; -use pyo3::types::{PyAnyMethods, PyModuleMethods}; +use pyo3::types::PyAnyMethods; const MIN_MODULUS_SIZE: u32 = 512; @@ -554,20 +554,11 @@ impl DHParameterNumbers { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "dh")?; - m.add_function(pyo3::wrap_pyfunction_bound!(generate_parameters, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_der_parameters, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_pem_parameters, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod dh { + #[pymodule_export] + use super::{ + from_der_parameters, from_pem_parameters, generate_parameters, DHParameterNumbers, + DHParameters, DHPrivateKey, DHPrivateNumbers, DHPublicKey, DHPublicNumbers, + }; } diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index d0218d45ba98..f46cb2860d33 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -7,7 +7,6 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; use pyo3::types::PyAnyMethods; -use pyo3::types::PyModuleMethods; #[pyo3::pyclass( frozen, 
@@ -499,18 +498,11 @@ impl DsaParameterNumbers { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "dsa")?; - m.add_function(pyo3::wrap_pyfunction_bound!(generate_parameters, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod dsa { + #[pymodule_export] + use super::{ + generate_parameters, DsaParameterNumbers, DsaParameters, DsaPrivateKey, DsaPrivateNumbers, + DsaPublicKey, DsaPublicNumbers, + }; } diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 6410add35cbe..15735458d3a1 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -5,7 +5,7 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -use pyo3::types::{PyAnyMethods, PyDictMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyDictMethods}; use crate::backend::utils; use crate::buf::CffiBuf; @@ -670,19 +670,11 @@ impl EllipticCurvePublicNumbers { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "ec")?; - m.add_function(pyo3::wrap_pyfunction_bound!(curve_supported, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(generate_private_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(derive_private_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod ec { + #[pymodule_export] + use super::{ + curve_supported, derive_private_key, from_public_bytes, generate_private_key, ECPrivateKey, + ECPublicKey, EllipticCurvePrivateNumbers, EllipticCurvePublicNumbers, + }; } diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 4ee5f6bee124..0a36c4c70192 100644 
--- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -29,9 +29,6 @@ pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> module.add_submodule(&aead::create_module(module.py())?)?; module.add_submodule(&ciphers::create_module(module.py())?)?; module.add_submodule(&cmac::create_module(module.py())?)?; - module.add_submodule(&dh::create_module(module.py())?)?; - module.add_submodule(&dsa::create_module(module.py())?)?; - module.add_submodule(&ec::create_module(module.py())?)?; module.add_submodule(&rsa::create_module(module.py())?)?; diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 3f9568126f54..dbf497aa73a0 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -156,6 +156,12 @@ mod _rust { #[pymodule_export] use super::super::{is_fips_enabled, openssl_version, openssl_version_text}; #[pymodule_export] + use crate::backend::dh::dh; + #[pymodule_export] + use crate::backend::dsa::dsa; + #[pymodule_export] + use crate::backend::ec::ec; + #[pymodule_export] use crate::backend::ed25519::ed25519; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] #[pymodule_export] From 56bab5e8f85add4ca278142b582b6b1dbaf9c876 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 10 Jul 2024 13:47:45 -0500 Subject: [PATCH 0806/1462] migrate aead, ciphers, and cmac to declarative (#11248) --- src/rust/src/backend/aead.rs | 19 +++++-------------- src/rust/src/backend/ciphers.rs | 25 ++++++++----------------- src/rust/src/backend/cmac.rs | 14 +++++--------- src/rust/src/backend/mod.rs | 4 ---- src/rust/src/lib.rs | 6 ++++++ 5 files changed, 24 insertions(+), 44 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 34be02f5efce..d67bae78b9ba 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs 
@@ -5,7 +5,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods}; fn check_length(data: &[u8]) -> CryptographyResult<()> { if data.len() > (i32::MAX as usize) { @@ -1153,17 +1153,8 @@ impl AesGcmSiv { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "aead")?; - - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod aead { + #[pymodule_export] + use super::{AesCcm, AesGcm, AesGcmSiv, AesOcb3, AesSiv, ChaCha20Poly1305}; } diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 14ac3d13c758..b1a2c2474a0b 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs @@ -7,7 +7,7 @@ use crate::buf::{CffiBuf, CffiMutBuf}; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; use crate::types; -use pyo3::types::{PyAnyMethods, PyModuleMethods}; +use pyo3::types::PyAnyMethods; use pyo3::IntoPy; pub(crate) struct CipherContext { 
@@ -604,20 +604,11 @@ fn _advance_aad(ctx: pyo3::Bound<'_, pyo3::PyAny>, n: u64) { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "ciphers")?; - m.add_function(pyo3::wrap_pyfunction_bound!(create_encryption_ctx, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(create_decryption_ctx, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(cipher_supported, &m)?)?; - - m.add_function(pyo3::wrap_pyfunction_bound!(_advance, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(_advance_aad, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod ciphers { + #[pymodule_export] + use super::{ + _advance, _advance_aad, cipher_supported, create_decryption_ctx, create_encryption_ctx, + PyAEADDecryptionContext, PyAEADEncryptionContext, PyCipherContext, + }; } diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index dd30be2bec68..6a8737964643 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs @@ -7,7 +7,7 @@ use crate::backend::hashes::already_finalized_error; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use pyo3::types::{PyAnyMethods, PyBytesMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods}; #[pyo3::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.cmac", @@ -100,12 +100,8 @@ impl Cmac { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "cmac")?; - - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod cmac { + #[pymodule_export] + use super::Cmac; } diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 0a36c4c70192..3cbf2e3b99b6 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs 
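Review bot: The new `#[pymodule_export] use super::{...}` list in `ciphers` exports `_advance` and `_advance_aad` next to the public constructors, with no comment on why underscore-prefixed helpers are part of the shipped module. Their bodies lie outside this hunk, so the following is inferred from the names and the `(ctx, n: u64)` signature only: if they move a cipher context's internal counters for tests, say so at the export site, e.g. `// _advance/_advance_aad: internal test hooks, not public API; application code must not call them.` Putting them in their own `#[pymodule_export] use super::{_advance, _advance_aad};` item under that comment would keep the distinction visible when the list is next edited.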
@@ -26,10 +26,6 @@ pub(crate) mod x25519; pub(crate) mod x448; pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_submodule(&aead::create_module(module.py())?)?; - module.add_submodule(&ciphers::create_module(module.py())?)?; - module.add_submodule(&cmac::create_module(module.py())?)?; - module.add_submodule(&rsa::create_module(module.py())?)?; Ok(()) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index dbf497aa73a0..766c9ed0d8e9 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -156,6 +156,12 @@ mod _rust { #[pymodule_export] use super::super::{is_fips_enabled, openssl_version, openssl_version_text}; #[pymodule_export] + use crate::backend::aead::aead; + #[pymodule_export] + use crate::backend::ciphers::ciphers; + #[pymodule_export] + use crate::backend::cmac::cmac; + #[pymodule_export] use crate::backend::dh::dh; #[pymodule_export] use crate::backend::dsa::dsa; From 0c2467a7d66f830a54b8d3435dc8b2d44c6b63be Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jul 2024 18:31:41 -0400 Subject: [PATCH 0807/1462] Migrate `rsa` to declarative modules API (#11235) refs #11158 --- src/rust/src/backend/mod.rs | 8 -------- src/rust/src/backend/rsa.rs | 20 +++++++------------- src/rust/src/lib.rs | 4 ++-- 3 files changed, 9 insertions(+), 23 deletions(-) diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 3cbf2e3b99b6..a447565d7229 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -2,8 +2,6 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::types::PyModuleMethods; - pub(crate) mod aead; pub(crate) mod cipher_registry; pub(crate) mod ciphers; 
@@ -24,9 +22,3 @@ pub(crate) mod utils; pub(crate) mod x25519; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] pub(crate) mod x448; - -pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_submodule(&rsa::create_module(module.py())?)?; - - Ok(()) -} diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 6636ab695a7c..3c01e74219fb 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -9,7 +9,7 @@ use crate::backend::{hashes, utils}; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use pyo3::types::{PyAnyMethods, PyModuleMethods}; +use pyo3::types::PyAnyMethods; #[pyo3::pyclass( frozen, @@ -814,16 +814,10 @@ impl RsaPublicNumbers { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "rsa")?; - m.add_function(pyo3::wrap_pyfunction_bound!(generate_private_key, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod rsa { + #[pymodule_export] + use super::{ + generate_private_key, RsaPrivateKey, RsaPrivateNumbers, RsaPublicKey, RsaPublicNumbers, + }; } diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 766c9ed0d8e9..653df62705b9 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -183,6 +183,8 @@ mod _rust { #[pymodule_export] use crate::backend::poly1305::poly1305; #[pymodule_export] + use crate::backend::rsa::rsa; + #[pymodule_export] use crate::backend::x25519::x25519; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] #[pymodule_export] @@ -219,8 +221,6 @@ mod _rust { } } - crate::backend::add_to_module(openssl_mod)?; - Ok(()) } } From d3eda718f1fc9fc5510bfb80127f7f2649cbfea2 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Wed, 10 Jul 2024 18:32:49 -0400 Subject: [PATCH 0808/1462] Migrate `certificate` to declarative modules API (#11237) refs #11158 --- src/rust/src/lib.rs | 12 +++++------- src/rust/src/x509/certificate.rs | 31 ++++--------------------------- 2 files changed, 9 insertions(+), 34 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 653df62705b9..8f6ecc053fe5 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -109,6 +109,11 @@ mod _rust { #[pyo3::pymodule] mod x509 { + #[pymodule_export] + use crate::x509::certificate::{ + create_x509_certificate, load_der_x509_certificate, load_pem_x509_certificate, + load_pem_x509_certificates, Certificate, + }; #[pymodule_export] use crate::x509::common::{encode_extension_value, encode_name_bytes}; #[pymodule_export] @@ -127,13 +132,6 @@ mod _rust { PolicyBuilder, PyClientVerifier, PyServerVerifier, PyStore, PyVerifiedClient, VerificationError, }; - - #[pymodule_init] - fn init(x509_mod: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - crate::x509::certificate::add_to_module(x509_mod)?; - - Ok(()) - } } #[pyo3::pymodule] diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 2fb5d5af272e..810d7aa991c6 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -17,7 +17,7 @@ use cryptography_x509::extensions::{ use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; use cryptography_x509_verification::ops::CryptoOps; -use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods}; use pyo3::{IntoPy, ToPyObject}; use crate::asn1::{ @@ -366,7 +366,7 @@ fn cert_version( #[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] -fn load_pem_x509_certificate( +pub(crate) fn load_pem_x509_certificate( py: pyo3::Python<'_>, data: &[u8], backend: Option>, 
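Review bot: `load_pem_x509_certificate` goes from private to `pub(crate)` in the `@@ -366` hunk of certificate.rs with no comment explaining the wider visibility, and the `@@ -388` hunk does the same for `load_pem_x509_certificates`; the `@@ -886` hunk presumably does it for `create_x509_certificate`, but its changed line is not legible on this page. The change appears to exist only so that lib.rs can name these functions in its `#[pymodule_export] use crate::x509::certificate::{...}` list. A plain comment on each, e.g. `// pub(crate) only so lib.rs can re-export this via #[pymodule_export]; not for internal callers.`, would discourage other Rust code in the crate from calling the Python-facing wrappers directly. Use `//` rather than `///` so the remark does not end up in the Python docstring. The function bodies continue outside the hunks.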
@@ -388,7 +388,7 @@ fn load_pem_x509_certificate( } #[pyo3::pyfunction] -fn load_pem_x509_certificates( +pub(crate) fn load_pem_x509_certificates( py: pyo3::Python<'_>, data: &[u8], ) -> CryptographyResult> { @@ -886,7 +886,7 @@ pub(crate) fn time_from_datetime(dt: asn1::DateTime) -> CryptographyResult, builder: &pyo3::Bound<'_, pyo3::PyAny>, private_key: &pyo3::Bound<'_, pyo3::PyAny>, @@ -975,26 +975,3 @@ pub(crate) fn set_bit(vals: &mut [u8], n: usize, set: bool) { vals[idx] |= v; } } - -pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction_bound!( - load_der_x509_certificate, - module - )?)?; - module.add_function(pyo3::wrap_pyfunction_bound!( - load_pem_x509_certificate, - module - )?)?; - module.add_function(pyo3::wrap_pyfunction_bound!( - load_pem_x509_certificates, - module - )?)?; - module.add_function(pyo3::wrap_pyfunction_bound!( - create_x509_certificate, - module - )?)?; - - module.add_class::()?; - - Ok(()) -} From 869f9bb268277abaa18a9d7e67d0da026188178e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 11 Jul 2024 00:16:16 +0000 Subject: [PATCH 0809/1462] Bump BoringSSL and/or OpenSSL in CI (#11250) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ef242336eeb7..ad24081ce8c1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jul 10, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "8934b1ef0857bc08626a2206a6f5f718942c14fc"}} - # Latest commit on the OpenSSL master branch, as of Jul 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d8def79838cd0d5e7c21d217aa26edb5229f0ab4"}} + # Latest commit on the BoringSSL master branch, as of Jul 11, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b34976cae99f8d1b864dbab31e20fc00d06acb09"}} + # Latest commit on the OpenSSL master branch, as of Jul 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "06da14737369e7c90899aed4bb21cce9a0910d29"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 11a711afd45f2e54cdc0abe39b71105cba74cb07 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Jul 2024 11:10:35 +0000 Subject: [PATCH 0810/1462] Bump actions/setup-python from 5.1.0 to 5.1.1 (#11251) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.1.0 to 5.1.1. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/82c7e631bb3cdc910f68e0081d67478d79c6982d...39cd14951b08e74b54015e9e001cdefcf80e669f) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 2 +- .github/workflows/ci.yml | 10 +++++----- .github/workflows/linkcheck.yml | 2 +- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index f1b963c366b2..798a782824ad 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -43,7 +43,7 @@ jobs: - name: Setup python id: setup-python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: "3.11" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ad24081ce8c1..00d11006b4b6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -60,7 +60,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: ${{ matrix.PYTHON.VERSION }} cache: pip @@ -240,7 +240,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.PYTHON.VERSION }} - name: Setup python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: ${{ matrix.PYTHON.VERSION }} cache: pip @@ -299,7 +299,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} 
@@ -375,7 +375,7 @@ jobs: uses: ./.github/actions/cache timeout-minutes: 2 - name: Setup python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: ${{ matrix.PYTHON }} cache: pip @@ -421,7 +421,7 @@ jobs: jobs: ${{ toJSON(needs) }} - name: Setup python if: ${{ always() }} - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: '3.12' cache: pip diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index d33ee2097787..c8fa98b0ade9 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -25,7 +25,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: 3.11 - name: Cache rust and pip diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index f29065e0c54f..58313276fdd2 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -35,7 +35,7 @@ jobs: - run: echo "$EVENT_CONTEXT" env: EVENT_CONTEXT: ${{ toJson(github.event) }} - - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: "3.11" - name: Get publish-requirements.txt from repository diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 4366432495ce..74702bf9282f 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml 
@@ -218,7 +218,7 @@ jobs: PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }} if: contains(matrix.PYTHON.VERSION, 'pypy') == false - name: Setup pypy - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') @@ -313,7 +313,7 @@ jobs: name: cryptography-sdist - name: Setup python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} From 49158c360e25417b6bd4775ee3d1fb119e44c5df Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 12 Jul 2024 00:15:51 +0000 Subject: [PATCH 0811/1462] Bump BoringSSL and/or OpenSSL in CI (#11252) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 00d11006b4b6..f039407f198a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 11, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b34976cae99f8d1b864dbab31e20fc00d06acb09"}} - # Latest commit on the OpenSSL master branch, as of Jul 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "06da14737369e7c90899aed4bb21cce9a0910d29"}} + # Latest commit on the OpenSSL master branch, as of Jul 12, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ad33d62396b7e9db04fdf060481ced394d391688"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From a2e87986412ac959386d59f37d81fcf1704e4a06 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Jul 2024 07:11:07 -0400 Subject: [PATCH 0812/1462] Bump coverage from 7.5.4 to 7.6.0 (#11254) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.5.4 to 7.6.0. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.5.4...7.6.0) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index faee77b4d774..4ecb883c045f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.5.4; python_version >= "3.8" +coverage==7.6.0; python_version >= "3.8" # via # coverage # pytest-cov From 48dd1d3ba3103d077b845ce16c65b664f8121613 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 13 Jul 2024 00:15:35 +0000 Subject: [PATCH 0813/1462] Bump BoringSSL and/or OpenSSL in CI (#11255) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f039407f198a..db42ece2733b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 11, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b34976cae99f8d1b864dbab31e20fc00d06acb09"}} - # Latest commit on the OpenSSL master branch, as of Jul 12, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ad33d62396b7e9db04fdf060481ced394d391688"}} + # Latest commit on the OpenSSL master branch, as of Jul 13, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e8c7febc8f1b0ef9e5b62b0944748d2830b1a0b4"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From e5d0789faf90fa1aeb60c291c459383bcece21bc Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 13 Jul 2024 12:13:49 +0000 Subject: [PATCH 0814/1462] Bump exceptiongroup from 1.2.1 to 1.2.2 (#11257) Bumps [exceptiongroup](https://github.com/agronholm/exceptiongroup) from 1.2.1 to 1.2.2. - [Release notes](https://github.com/agronholm/exceptiongroup/releases) - [Changelog](https://github.com/agronholm/exceptiongroup/blob/main/CHANGES.rst) - [Commits](https://github.com/agronholm/exceptiongroup/compare/1.2.1...1.2.2) --- updated-dependencies: - dependency-name: exceptiongroup dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 4ecb883c045f..c074b3b49d7d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -36,7 +36,7 @@ docutils==0.20.1 # readme-renderer # sphinx # sphinx-rtd-theme -exceptiongroup==1.2.1 +exceptiongroup==1.2.2 # via pytest execnet==2.1.1; python_version >= "3.8" # via pytest-xdist From 0f8c05a0c8815f0a18c812f0f10b8592459387bb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 13 Jul 2024 12:17:22 +0000 Subject: [PATCH 0815/1462] Bump syn from 2.0.70 to 2.0.71 in /src/rust (#11258) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.70 to 2.0.71. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.70...2.0.71) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 2586a0e4ddbb..fb2d190de7b9 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -325,9 +325,9 @@ checksum = "d369a96f978623eb3dc28807c4852d6cc617fed53da5d3c400feff1ef34a714a" [[package]] name = "syn" -version = "2.0.70" +version = "2.0.71" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2f0209b68b3613b093e0ec905354eccaedcfe83b8cb37cbdeae64026c3064c16" +checksum = "b146dcf730474b4bcd16c311627b31ede9ab149045db4d6088b3becaea046462" dependencies = [ "proc-macro2", "quote", From 61d0b6741030881d7753f6cbd98d3a5d50cce836 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 09:49:04 -0400 Subject: [PATCH 0816/1462] Remove PKCS#12 bindings (#11259) They're no longer used! --- src/_cffi_src/build_openssl.py | 1 - src/_cffi_src/openssl/pkcs12.py | 38 ------------------- .../hazmat/bindings/openssl/_conditional.py | 5 --- 3 files changed, 44 deletions(-) delete mode 100644 src/_cffi_src/openssl/pkcs12.py diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index 642b56ce490f..15ac1848493b 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -35,7 +35,6 @@ "objects", "opensslv", "pem", - "pkcs12", "rand", "rsa", "ssl", diff --git a/src/_cffi_src/openssl/pkcs12.py b/src/_cffi_src/openssl/pkcs12.py deleted file mode 100644 index 234f97b3ea65..000000000000 --- a/src/_cffi_src/openssl/pkcs12.py +++ /dev/null 
@@ -1,38 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -INCLUDES = """ -#include -""" - -TYPES = """ -static const long Cryptography_HAS_PKCS12_SET_MAC; - -typedef ... PKCS12; -""" - -FUNCTIONS = """ -void PKCS12_free(PKCS12 *); - -PKCS12 *d2i_PKCS12_bio(BIO *, PKCS12 **); -int i2d_PKCS12_bio(BIO *, PKCS12 *); -int PKCS12_parse(PKCS12 *, const char *, EVP_PKEY **, X509 **, - Cryptography_STACK_OF_X509 **); -PKCS12 *PKCS12_create(char *, char *, EVP_PKEY *, X509 *, - Cryptography_STACK_OF_X509 *, int, int, int, int, int); -int PKCS12_set_mac(PKCS12 *, const char *, int, unsigned char *, int, int, - const EVP_MD *); -""" - -CUSTOMIZATIONS = """ -#if CRYPTOGRAPHY_IS_BORINGSSL -static const long Cryptography_HAS_PKCS12_SET_MAC = 0; -int (*PKCS12_set_mac)(PKCS12 *, const char *, int, unsigned char *, int, int, - const EVP_MD *) = NULL; -#else -static const long Cryptography_HAS_PKCS12_SET_MAC = 1; -#endif -""" diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 805991c560c3..ee47d1888d80 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -147,10 +147,6 @@ def cryptography_has_unexpected_eof_while_reading() -> list[str]: return ["SSL_R_UNEXPECTED_EOF_WHILE_READING"] -def cryptography_has_pkcs12_set_mac() -> list[str]: - return ["PKCS12_set_mac"] - - def cryptography_has_ssl_op_ignore_unexpected_eof() -> list[str]: return [ "SSL_OP_IGNORE_UNEXPECTED_EOF", 
@@ -188,7 +184,6 @@ def cryptography_has_get_extms_support() -> list[str]: "Cryptography_HAS_UNEXPECTED_EOF_WHILE_READING": ( cryptography_has_unexpected_eof_while_reading ), - "Cryptography_HAS_PKCS12_SET_MAC": cryptography_has_pkcs12_set_mac, "Cryptography_HAS_SSL_OP_IGNORE_UNEXPECTED_EOF": ( cryptography_has_ssl_op_ignore_unexpected_eof ), From 6b911a8b4d5177a4cbc8177f6c2793202fc56b17 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 09:49:24 -0400 Subject: [PATCH 0817/1462] Remove unused nid cffi definitions (#11260) --- src/_cffi_src/openssl/nid.py | 9 --------- 1 file changed, 9 deletions(-) diff --git a/src/_cffi_src/openssl/nid.py b/src/_cffi_src/openssl/nid.py index fe1cdda10137..9051977f0ab6 100644 --- a/src/_cffi_src/openssl/nid.py +++ b/src/_cffi_src/openssl/nid.py @@ -9,11 +9,7 @@ """ TYPES = """ -static const int Cryptography_HAS_ED448; - static const int NID_undef; -static const int NID_aes_256_cbc; -static const int NID_pbe_WithSHA1And3_Key_TripleDES_CBC; static const int NID_subject_alt_name; static const int NID_crl_reason; @@ -23,9 +19,4 @@ """ CUSTOMIZATIONS = """ -#ifndef NID_ED448 -static const long Cryptography_HAS_ED448 = 0; -#else -static const long Cryptography_HAS_ED448 = 1; -#endif """ From f28072ff88c1e901e754a5d08aae66b44dd8b953 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 09:49:43 -0400 Subject: [PATCH 0818/1462] Remove more unused cffi type definitions (#11263) --- src/_cffi_src/openssl/x509_vfy.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/_cffi_src/openssl/x509_vfy.py b/src/_cffi_src/openssl/x509_vfy.py index 26eed9974f82..57c8d870011e 100644 --- a/src/_cffi_src/openssl/x509_vfy.py +++ b/src/_cffi_src/openssl/x509_vfy.py 
@@ -14,12 +14,10 @@ * together with another opaque typedef for the same name in the TYPES section. * Note that the result is an opaque type. */ -typedef STACK_OF(ASN1_OBJECT) Cryptography_STACK_OF_ASN1_OBJECT; typedef STACK_OF(X509_OBJECT) Cryptography_STACK_OF_X509_OBJECT; """ TYPES = """ -typedef ... Cryptography_STACK_OF_ASN1_OBJECT; typedef ... Cryptography_STACK_OF_X509_OBJECT; typedef ... X509_OBJECT; From db3dd51d6d93c567f2ed6f0fe980bce0cdc9524c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 09:50:02 -0400 Subject: [PATCH 0819/1462] Remove unused cffi type definitions (#11262) --- src/_cffi_src/openssl/x509.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index b43593543cee..140c39708b8c 100644 --- a/src/_cffi_src/openssl/x509.py +++ b/src/_cffi_src/openssl/x509.py @@ -15,17 +15,14 @@ * Note that the result is an opaque type. */ typedef STACK_OF(X509) Cryptography_STACK_OF_X509; -typedef STACK_OF(X509_CRL) Cryptography_STACK_OF_X509_CRL; typedef STACK_OF(X509_REVOKED) Cryptography_STACK_OF_X509_REVOKED; """ TYPES = """ typedef ... Cryptography_STACK_OF_X509; -typedef ... Cryptography_STACK_OF_X509_CRL; typedef ... Cryptography_STACK_OF_X509_REVOKED; typedef ... X509_ALGOR; -typedef ... X509_ATTRIBUTE; typedef ... X509_EXTENSION; typedef ... X509_EXTENSIONS; typedef ... X509_REQ; @@ -35,8 +32,6 @@ typedef ... NETSCAPE_SPKI; -typedef ... PKCS8_PRIV_KEY_INFO; - typedef void (*sk_X509_EXTENSION_freefunc)(X509_EXTENSION *); """ From 5aa51c5a52a139306dae0cb694ff906ae5dcb018 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 10:01:11 -0400 Subject: [PATCH 0820/1462] Remove NETSCAPE_SPKI cffi defintions (#11261) --- src/_cffi_src/openssl/x509.py | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index 140c39708b8c..0c25c5d1aa87 100644 --- a/src/_cffi_src/openssl/x509.py 
+++ b/src/_cffi_src/openssl/x509.py @@ -30,8 +30,6 @@ typedef ... X509_CRL; typedef ... X509; -typedef ... NETSCAPE_SPKI; - typedef void (*sk_X509_EXTENSION_freefunc)(X509_EXTENSION *); """ @@ -103,14 +101,6 @@ int i2d_X509_CRL_bio(BIO *, X509_CRL *); void X509_CRL_free(X509_CRL *); -int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *, EVP_PKEY *); -int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *, EVP_PKEY *, const EVP_MD *); -char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *); -EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *); -int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *, EVP_PKEY *); -NETSCAPE_SPKI *NETSCAPE_SPKI_new(void); -void NETSCAPE_SPKI_free(NETSCAPE_SPKI *); - /* ASN1 serialization */ int i2d_X509_bio(BIO *, X509 *); X509 *d2i_X509_bio(BIO *, X509 **); From 83511f4d37ad9126df4193556ed82f3f9da584ae Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 12:05:20 -0400 Subject: [PATCH 0821/1462] Remove unused cffi bindings from x509v3.py (#11264) --- src/_cffi_src/openssl/x509v3.py | 9 --------- 1 file changed, 9 deletions(-) diff --git a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py index 7f04a2cbce35..f110527e0259 100644 --- a/src/_cffi_src/openssl/x509v3.py +++ b/src/_cffi_src/openssl/x509v3.py @@ -6,18 +6,9 @@ INCLUDES = """ #include - -/* - * This is part of a work-around for the difficulty cffi has in dealing with - * `STACK_OF(foo)` as the name of a type. We invent a new, simpler name that - * will be an alias for this type and use the alias throughout. This works - * together with another opaque typedef for the same name in the TYPES section. - * Note that the result is an opaque type. - */ """ TYPES = """ -typedef ... EXTENDED_KEY_USAGE; typedef ... CONF; typedef struct { From 0df31f10f7a13d7bfb0669feb1d8bcd1d1e4d78e Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Sat, 13 Jul 2024 12:05:41 -0400 Subject: [PATCH 0822/1462] Remove unused cffi bindings from x509name.py (#11265) --- src/_cffi_src/openssl/x509name.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/_cffi_src/openssl/x509name.py b/src/_cffi_src/openssl/x509name.py index 5e0349e4846a..81d897d27255 100644 --- a/src/_cffi_src/openssl/x509name.py +++ b/src/_cffi_src/openssl/x509name.py @@ -11,11 +11,9 @@ * See the comment above Cryptography_STACK_OF_X509 in x509.py */ typedef STACK_OF(X509_NAME) Cryptography_STACK_OF_X509_NAME; -typedef STACK_OF(X509_NAME_ENTRY) Cryptography_STACK_OF_X509_NAME_ENTRY; """ TYPES = """ -typedef ... Cryptography_STACK_OF_X509_NAME_ENTRY; typedef ... X509_NAME; typedef ... X509_NAME_ENTRY; typedef ... Cryptography_STACK_OF_X509_NAME; From 3d968e7d221c23d70b67a30ff087a95e26546c9b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 18:20:12 -0400 Subject: [PATCH 0823/1462] Remove unused constant (#11266) --- src/_cffi_src/openssl/x509v3.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py index f110527e0259..9905982fff44 100644 --- a/src/_cffi_src/openssl/x509v3.py +++ b/src/_cffi_src/openssl/x509v3.py @@ -32,8 +32,6 @@ } d; ...; } GENERAL_NAME; - -static const long X509V3_EXT_ERROR_UNKNOWN; """ From 2910b40f0de39eadb45f5e882cb440220791acf6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 18:20:30 -0400 Subject: [PATCH 0824/1462] Remove unused cffi definition from rand.py (#11270) --- src/_cffi_src/openssl/rand.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/_cffi_src/openssl/rand.py b/src/_cffi_src/openssl/rand.py index ee00fe68d821..50fbeb279e45 100644 --- a/src/_cffi_src/openssl/rand.py +++ b/src/_cffi_src/openssl/rand.py @@ -9,7 +9,6 @@ """ TYPES = """ -typedef ... RAND_METHOD; """ FUNCTIONS = """ From 9b5bd40b49e119f88ec0649351438bd949bf99bf Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Sat, 13 Jul 2024 18:21:45 -0400 Subject: [PATCH 0825/1462] Remove unused cffi definition from asn1.py (#11267) --- src/_cffi_src/openssl/asn1.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/_cffi_src/openssl/asn1.py b/src/_cffi_src/openssl/asn1.py index 16ce6b32f505..b1278f36f025 100644 --- a/src/_cffi_src/openssl/asn1.py +++ b/src/_cffi_src/openssl/asn1.py @@ -25,7 +25,6 @@ typedef struct asn1_string_st ASN1_TIME; typedef ... ASN1_OBJECT; typedef struct asn1_string_st ASN1_STRING; -typedef struct asn1_string_st ASN1_UTF8STRING; typedef ... ASN1_GENERALIZEDTIME; typedef ... ASN1_ENUMERATED; From 6aa829adeeb1163dcf5d8346b1c8a251ac536bd2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 18:22:06 -0400 Subject: [PATCH 0826/1462] Remove unused cffi definition from cryptography.py (#11268) --- src/_cffi_src/openssl/cryptography.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index fc23960613b0..e90a71b375ff 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -45,11 +45,6 @@ #if OPENSSL_VERSION_NUMBER < 0x10101050 #error "pyca/cryptography MUST be linked with Openssl 1.1.1e or later" #endif - -#define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \ - (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL) -#define CRYPTOGRAPHY_OPENSSL_320_OR_GREATER \ - (OPENSSL_VERSION_NUMBER >= 0x30200000 && !CRYPTOGRAPHY_IS_LIBRESSL) """ TYPES = """ From a56254daad3526112097b82fa477231f9b9ed85c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 18:22:26 -0400 Subject: [PATCH 0827/1462] Remove unused cffi definition from evp.py (#11269) --- src/_cffi_src/openssl/evp.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index 141b43ce0b3b..f25c9bb52a66 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py 
@@ -16,12 +16,9 @@ typedef ... EVP_PKEY; typedef ... EVP_PKEY_CTX; static const int EVP_PKEY_RSA; -static const int EVP_PKEY_RSA_PSS; static const int EVP_PKEY_DSA; static const int EVP_PKEY_DH; static const int EVP_PKEY_EC; -static const int EVP_PKEY_X25519; -static const int EVP_PKEY_ED25519; static const int EVP_MAX_MD_SIZE; static const int Cryptography_HAS_EVP_PKEY_DHX; From fbd5b053393d439037a2a94152e09dc3acbe2f37 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 13 Jul 2024 20:27:00 -0400 Subject: [PATCH 0828/1462] Bump BoringSSL and/or OpenSSL in CI (#11271) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index db42ece2733b..19dfd2679171 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 11, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b34976cae99f8d1b864dbab31e20fc00d06acb09"}} - # Latest commit on the OpenSSL master branch, as of Jul 13, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e8c7febc8f1b0ef9e5b62b0944748d2830b1a0b4"}} + # Latest commit on the OpenSSL master branch, as of Jul 14, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "42230f294ae97cbd50052038499e091d0060ba8e"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 8c6d37e0896671f5f92e7d31da2c3ec57795e157 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 14 Jul 2024 03:20:39 +0000 Subject: [PATCH 0829/1462] Bump cc from 1.0.105 to 1.1.3 in /src/rust (#11272) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.105 to 1.1.3. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.0.105...cc-v1.1.3) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index fb2d190de7b9..0e71fdec87b0 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.0.105" +version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5208975e568d83b6b05cc0a063c8e7e9acc2b43bee6da15616a5b73e109d7437" +checksum = "18e2d530f35b40a84124146478cd16f34225306a8441998836466a2e2961c950" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index ffdf71df0d73..d626ae6f6436 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.1", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.105" +cc = "1.1.3" From 67271cbab226327966582925477ba72bb29a9051 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Sun, 14 Jul 2024 22:04:51 -0400 Subject: [PATCH 0830/1462] Remove workaround for old libressl (#11274) * Remove workaround for old libressl * Update backend.py --- src/cryptography/hazmat/backends/openssl/backend.py | 11 ----------- tests/hazmat/primitives/test_pkcs7.py | 5 +---- 2 files changed, 1 insertion(+), 15 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index e4cfe6216f8d..d30efef650c2 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -175,17 +175,6 @@ def _bytes_to_bio(self, data: bytes) -> _MemoryBIO: return _MemoryBIO(self._ffi.gc(bio, self._lib.BIO_free), data_ptr) - def _create_mem_bio_gc(self): - """ - Creates an empty memory BIO. - """ - bio_method = self._lib.BIO_s_mem() - self.openssl_assert(bio_method != self._ffi.NULL) - bio = self._lib.BIO_new(bio_method) - self.openssl_assert(bio != self._ffi.NULL) - bio = self._ffi.gc(bio, self._lib.BIO_free) - return bio - def _oaep_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool: if self._fips_enabled and isinstance(algorithm, hashes.SHA1): return False diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 4c4c0aa7dd50..31eb01c57ed2 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -142,11 +142,8 @@ def _pkcs7_verify(encoding, sig, msg, certs, options, backend): ) else: msg_bio = backend._bytes_to_bio(msg) - # libressl 3.7.0 has a bug when NULL is passed as an `out_bio`. Work - # around it for now. - out_bio = backend._create_mem_bio_gc() res = backend._lib.PKCS7_verify( - p7, backend._ffi.NULL, store, msg_bio.bio, out_bio, flags + p7, backend._ffi.NULL, store, msg_bio.bio, backend._ffi.NULL, flags ) backend.openssl_assert(res == 1) # OpenSSL 3.0 leaves a random bio error on the stack: 
From 781e5631cf5ff4909368eb1c5bf54faf716a909c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Jul 2024 10:31:44 +0000 Subject: [PATCH 0831/1462] Bump cc from 1.1.3 to 1.1.5 in /src/rust (#11276) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.3 to 1.1.5. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.3...cc-v1.1.5) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 0e71fdec87b0..4da7c1609040 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.3" +version = "1.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "18e2d530f35b40a84124146478cd16f34225306a8441998836466a2e2961c950" +checksum = "324c74f2155653c90b04f25b2a47a8a631360cb908f92a772695f430c7e31052" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index d626ae6f6436..561d070c2276 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.1", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.1.3" +cc = "1.1.5" From e03d65dfd7f6dd758dd81ca8ff1a6595736c98e9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Jul 2024 11:11:24 +0000 Subject: [PATCH 0832/1462] Bump ruff from 0.5.1 to 0.5.2 (#11277) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.5.1 to 0.5.2. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.5.1...0.5.2) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c074b3b49d7d..6eb190f8d059 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.5.1 +ruff==0.5.2 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From b7d81540b146187230528b16080b13c467c7e9ff Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Jul 2024 07:20:26 -0400 Subject: [PATCH 0833/1462] Bump sphinx from 7.3.7 to 7.4.2 (#11279) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.3.7 to 7.4.2. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.3.7...v7.4.2) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6eb190f8d059..8b094e9bc8a4 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -109,7 +109,7 @@ ruff==0.5.2 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx -sphinx==7.3.7 +sphinx==7.4.2 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From e7935f212836ff0ecfa1fc3fe297b1652858a973 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Jul 2024 15:10:26 -0400 Subject: [PATCH 0834/1462] Try removing a workaround for old OpenSSL (#11275) * Try removing a workaround for old OpenSSL * Update test_pkcs7.py --- tests/hazmat/primitives/test_pkcs7.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 31eb01c57ed2..96068809c15e 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -11,7 +11,6 @@ from cryptography import x509 from cryptography.exceptions import _Reasons -from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa from cryptography.hazmat.primitives.serialization import pkcs7 @@ -146,10 +145,6 @@ def _pkcs7_verify(encoding, sig, msg, certs, options, backend): p7, backend._ffi.NULL, store, msg_bio.bio, backend._ffi.NULL, flags ) backend.openssl_assert(res == 1) - # OpenSSL 3.0 leaves a random bio error on the stack: - # https://github.com/openssl/openssl/issues/16681 - if rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: - backend._consume_errors() def _load_cert_key(): 
From f45462c08cf8111a57daea2fe19bfd935cdf039a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Jul 2024 15:15:08 -0400 Subject: [PATCH 0835/1462] Remove duplicated code in PKCS#12 symmetric encryption (#11273) --- src/rust/src/pkcs12.rs | 60 +++++++++++++++++++++--------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 88b5cea1c8ef..d9547edb7f4f 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -79,6 +79,34 @@ impl PKCS12Certificate { } } +fn symmetric_encrypt( + py: pyo3::Python<'_>, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, + mode: pyo3::Bound<'_, pyo3::PyAny>, + data: &[u8], +) -> CryptographyResult> { + let block_size = algorithm + .getattr(pyo3::intern!(py, "block_size"))? + .extract()?; + + let mut cipher = + ciphers::CipherContext::new(py, algorithm, mode, openssl::symm::Mode::Encrypt)?; + + let mut ciphertext = vec![0; data.len() + (block_size / 8 * 2)]; + let n = cipher.update_into(py, data, &mut ciphertext)?; + + let mut padder = PKCS7PaddingContext::new(block_size); + assert!(padder.update(CffiBuf::from_bytes(py, data))?.is_none()); + let padding = padder.finalize(py)?; + + let pad_n = cipher.update_into(py, padding.as_bytes(), &mut ciphertext[n..])?; + let final_block = cipher.finalize(py)?; + assert!(final_block.as_bytes().is_empty()); + ciphertext.truncate(n + pad_n); + + Ok(ciphertext) +} + enum EncryptionAlgorithm { PBESv1SHA1And3KeyTripleDESCBC, PBESv2SHA256AndAES256CBC, 
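Review bot: The new `symmetric_encrypt` helper has no doc comment, and its preconditions are only implicit now that it takes arbitrary `algorithm` and `mode` objects. The `block_size / 8 * 2` buffer sizing and `PKCS7PaddingContext::new(block_size)` rely on the Python `block_size` attribute being in bits, and `assert!(final_block.as_bytes().is_empty())` holds only for a mode that emits whole blocks. Both callers (the hunks at -181 and -213) pass CBC, but a later caller with a different mode would hit a panic rather than an error. I would add something like `/// PKCS#7-pads and encrypts data; algorithm.block_size is in bits and mode must be block-aligned (CBC in both callers).` The call `padder.update(...)` inside `assert!` would also read better bound to a local first, so the side effect is not hidden in the assertion.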
@@ -181,22 +209,8 @@ impl EncryptionAlgorithm { let cbc = types::CBC .get(py)? .call1((pyo3::types::PyBytes::new_bound(py, &iv),))?; - let mut cipher = - ciphers::CipherContext::new(py, triple_des, cbc, openssl::symm::Mode::Encrypt)?; - - let mut ciphertext = vec![0; data.len() + 16]; - let n = cipher.update_into(py, data, &mut ciphertext)?; - - let mut padder = PKCS7PaddingContext::new(64); - assert!(padder.update(CffiBuf::from_bytes(py, data))?.is_none()); - let padding = padder.finalize(py)?; - - let pad_n = cipher.update_into(py, padding.as_bytes(), &mut ciphertext[n..])?; - let final_block = cipher.finalize(py)?; - assert!(final_block.as_bytes().is_empty()); - ciphertext.truncate(n + pad_n); - Ok(ciphertext) + symmetric_encrypt(py, triple_des, cbc, data) } EncryptionAlgorithm::PBESv2SHA256AndAES256CBC => { let pass_buf = CffiBuf::from_bytes(py, password); @@ -213,22 +227,8 @@ impl EncryptionAlgorithm { let aes256 = types::AES256.get(py)?.call1((key,))?; let cbc = types::CBC.get(py)?.call1((iv,))?; - let mut cipher = - ciphers::CipherContext::new(py, aes256, cbc, openssl::symm::Mode::Encrypt)?; - - let mut ciphertext = vec![0; data.len() + 32]; - let n = cipher.update_into(py, data, &mut ciphertext)?; - - let mut padder = PKCS7PaddingContext::new(128); - assert!(padder.update(CffiBuf::from_bytes(py, data))?.is_none()); - let padding = padder.finalize(py)?; - - let pad_n = cipher.update_into(py, padding.as_bytes(), &mut ciphertext[n..])?; - let final_block = cipher.finalize(py)?; - assert!(final_block.as_bytes().is_empty()); - ciphertext.truncate(n + pad_n); - Ok(ciphertext) + symmetric_encrypt(py, aes256, cbc, data) } } } From 485432f0bbcff6dceb557315d3a2dd8f96782957 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Mon, 15 Jul 2024 18:31:51 -0400 Subject: [PATCH 0836/1462] Move rust code that exists for our tests to its own module (#11280) * Move rust code that exists for our tests to its own module * Update src/rust/src/test_support.rs Co-authored-by: Paul Kehrer --------- Co-authored-by: Paul Kehrer --- .../hazmat/bindings/_rust/asn1.pyi | 7 --- .../hazmat/bindings/_rust/test_support.pyi | 11 ++++ src/rust/src/asn1.rs | 51 +---------------- src/rust/src/lib.rs | 3 + src/rust/src/test_support.rs | 57 +++++++++++++++++++ tests/x509/test_x509.py | 8 +-- 6 files changed, 77 insertions(+), 60 deletions(-) create mode 100644 src/cryptography/hazmat/bindings/_rust/test_support.pyi create mode 100644 src/rust/src/test_support.rs diff --git a/src/cryptography/hazmat/bindings/_rust/asn1.pyi b/src/cryptography/hazmat/bindings/_rust/asn1.pyi index 35652c6ada1c..3b5f208ecf09 100644 --- a/src/cryptography/hazmat/bindings/_rust/asn1.pyi +++ b/src/cryptography/hazmat/bindings/_rust/asn1.pyi @@ -2,13 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. -class TestCertificate: - not_after_tag: int - not_before_tag: int - issuer_value_tags: list[int] - subject_value_tags: list[int] - def decode_dss_signature(signature: bytes) -> tuple[int, int]: ... def encode_dss_signature(r: int, s: int) -> bytes: ... def parse_spki_for_data(data: bytes) -> bytes: ... -def test_parse_certificate(data: bytes) -> TestCertificate: ... diff --git a/src/cryptography/hazmat/bindings/_rust/test_support.pyi b/src/cryptography/hazmat/bindings/_rust/test_support.pyi new file mode 100644 index 000000000000..020c5951d2ab --- /dev/null +++ b/src/cryptography/hazmat/bindings/_rust/test_support.pyi 
@@ -0,0 +1,11 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +class TestCertificate: + not_after_tag: int + not_before_tag: int + issuer_value_tags: list[int] + subject_value_tags: list[int] + +def test_parse_certificate(data: bytes) -> TestCertificate: ... diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index c306104b8585..366fc69eacd6 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -2,10 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use asn1::SimpleAsn1Readable; -use cryptography_x509::certificate::Certificate; -use cryptography_x509::common::{DssSignature, SubjectPublicKeyInfo, Time}; -use cryptography_x509::name::Name; +use cryptography_x509::common::{DssSignature, SubjectPublicKeyInfo}; use pyo3::pybacked::PyBackedBytes; use pyo3::types::IntoPyDict; use pyo3::types::PyAnyMethods; 
@@ -133,53 +130,9 @@ fn encode_dss_signature<'p>( Ok(pyo3::types::PyBytes::new_bound(py, &result)) } -#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.asn1")] -struct TestCertificate { - #[pyo3(get)] - not_before_tag: u8, - #[pyo3(get)] - not_after_tag: u8, - #[pyo3(get)] - issuer_value_tags: Vec, - #[pyo3(get)] - subject_value_tags: Vec, -} - -fn parse_name_value_tags(rdns: &Name<'_>) -> Vec { - let mut tags = vec![]; - for rdn in rdns.unwrap_read().clone() { - let mut attributes = rdn.collect::>(); - assert_eq!(attributes.len(), 1); - - tags.push(attributes.pop().unwrap().value.tag().as_u8().unwrap()); - } - tags -} - -fn time_tag(t: &Time) -> u8 { - match t { - Time::UtcTime(_) => asn1::UtcTime::TAG.as_u8().unwrap(), - Time::GeneralizedTime(_) => asn1::GeneralizedTime::TAG.as_u8().unwrap(), - } -} - -#[pyo3::pyfunction] -fn test_parse_certificate(data: &[u8]) -> Result { - let cert = asn1::parse_single::>(data)?; - - Ok(TestCertificate { - not_before_tag: time_tag(&cert.tbs_cert.validity.not_before), - not_after_tag: time_tag(&cert.tbs_cert.validity.not_after), - issuer_value_tags: parse_name_value_tags(&cert.tbs_cert.issuer), - subject_value_tags: parse_name_value_tags(&cert.tbs_cert.subject), - }) -} - #[pyo3::pymodule] #[pyo3(name = "asn1")] pub(crate) mod asn1_mod { #[pymodule_export] - use super::{ - decode_dss_signature, encode_dss_signature, parse_spki_for_data, test_parse_certificate, - }; + use super::{decode_dss_signature, encode_dss_signature, parse_spki_for_data}; } diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 8f6ecc053fe5..cd7b99f1570a 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -21,6 +21,7 @@ pub(crate) mod oid; mod padding; mod pkcs12; mod pkcs7; +mod test_support; pub(crate) mod types; mod x509; @@ -106,6 +107,8 @@ mod _rust { use crate::pkcs12::pkcs12; #[pymodule_export] use crate::pkcs7::pkcs7_mod; + #[pymodule_export] + use crate::test_support::test_support; #[pyo3::pymodule] mod x509 { 
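Review bot: The `#[pymodule_export] use crate::test_support::test_support;` line added to `mod _rust` in lib.rs has no cfg gate and no comment, so as far as this hunk shows the test-only helpers are registered in every build of the extension. The functions behind it (test_support.rs in this same commit) use `assert_eq!(attributes.len(), 1)` and `.unwrap()` on parsed certificate fields. That suits fixtures, but it panics on a certificate with a multi-valued RDN instead of returning an error. I would add a comment above the export, for example `// Test-only helpers: not public API and not hardened for untrusted input.`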
diff --git a/src/rust/src/test_support.rs b/src/rust/src/test_support.rs new file mode 100644 index 000000000000..5b42fec3b304 --- /dev/null +++ b/src/rust/src/test_support.rs @@ -0,0 +1,57 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::error::CryptographyResult; +use asn1::SimpleAsn1Readable; +use cryptography_x509::certificate::Certificate; +use cryptography_x509::common::Time; +use cryptography_x509::name::Name; + +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.test_support")] +struct TestCertificate { + #[pyo3(get)] + not_before_tag: u8, + #[pyo3(get)] + not_after_tag: u8, + #[pyo3(get)] + issuer_value_tags: Vec, + #[pyo3(get)] + subject_value_tags: Vec, +} + +fn parse_name_value_tags(rdns: &Name<'_>) -> Vec { + let mut tags = vec![]; + for rdn in rdns.unwrap_read().clone() { + let mut attributes = rdn.collect::>(); + assert_eq!(attributes.len(), 1); + + tags.push(attributes.pop().unwrap().value.tag().as_u8().unwrap()); + } + tags +} + +fn time_tag(t: &Time) -> u8 { + match t { + Time::UtcTime(_) => asn1::UtcTime::TAG.as_u8().unwrap(), + Time::GeneralizedTime(_) => asn1::GeneralizedTime::TAG.as_u8().unwrap(), + } +} + +#[pyo3::pyfunction] +fn test_parse_certificate(data: &[u8]) -> CryptographyResult { + let cert = asn1::parse_single::>(data)?; + + Ok(TestCertificate { + not_before_tag: time_tag(&cert.tbs_cert.validity.not_before), + not_after_tag: time_tag(&cert.tbs_cert.validity.not_after), + issuer_value_tags: parse_name_value_tags(&cert.tbs_cert.issuer), + subject_value_tags: parse_name_value_tags(&cert.tbs_cert.subject), + }) +} + +#[pyo3::pymodule] +pub(crate) mod test_support { + #[pymodule_export] + use super::test_parse_certificate; +} diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index a4368833ca3f..91251d58c0a3 100644 --- a/tests/x509/test_x509.py 
+++ b/tests/x509/test_x509.py @@ -14,7 +14,7 @@ from cryptography import utils, x509 from cryptography.exceptions import InvalidSignature, UnsupportedAlgorithm -from cryptography.hazmat.bindings._rust import asn1 +from cryptography.hazmat.bindings._rust import test_support from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ( dh, @@ -2429,7 +2429,7 @@ def test_build_cert_printable_string_country_name( cert = builder.sign(issuer_private_key, hashes.SHA256(), backend) - parsed = asn1.test_parse_certificate( + parsed = test_support.test_parse_certificate( cert.public_bytes(serialization.Encoding.DER) ) @@ -2615,7 +2615,7 @@ def test_extreme_times( not_valid_before=not_valid_before, not_valid_after=not_valid_after, ) - parsed = asn1.test_parse_certificate( + parsed = test_support.test_parse_certificate( cert.public_bytes(serialization.Encoding.DER) ) # UTC TIME @@ -3088,7 +3088,7 @@ def test_earliest_time(self, rsa_key_2048: rsa.RSAPrivateKey, backend): ) cert = cert_builder.sign(private_key, hashes.SHA256(), backend) _check_cert_times(cert, not_valid_before=time, not_valid_after=time) - parsed = asn1.test_parse_certificate( + parsed = test_support.test_parse_certificate( cert.public_bytes(serialization.Encoding.DER) ) # UTC TIME From abae201d31e594e13bf10df3c16a099f8020ae1a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 16 Jul 2024 00:16:00 +0000 Subject: [PATCH 0837/1462] Bump BoringSSL and/or OpenSSL in CI (#11283) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 19dfd2679171..88cb4d8f6546 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 11, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b34976cae99f8d1b864dbab31e20fc00d06acb09"}} - # Latest commit on the OpenSSL master branch, as of Jul 14, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "42230f294ae97cbd50052038499e091d0060ba8e"}} + # Latest commit on the OpenSSL master branch, as of Jul 16, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5c6975bd44dce4bb342b7bc130de5aaefbe2c35b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 4616dbe63121cfd419296a1536a3ccc0da410b55 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Jul 2024 20:29:17 -0400 Subject: [PATCH 0838/1462] Migrate PKCS#7 test_support function to Rust (#11282) --- src/_cffi_src/build_openssl.py | 1 - src/_cffi_src/openssl/pem.py | 4 - src/_cffi_src/openssl/pkcs7.py | 15 --- .../hazmat/backends/openssl/backend.py | 29 +---- .../hazmat/bindings/_rust/test_support.pyi | 11 ++ .../hazmat/bindings/openssl/_conditional.py | 8 -- src/rust/src/test_support.rs | 56 ++++++++++ tests/hazmat/primitives/test_pkcs7.py | 104 ++++-------------- 8 files changed, 87 insertions(+), 141 deletions(-) diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index 15ac1848493b..7c3bab20f3a0 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -42,7 +42,6 @@ "x509name", "x509v3", "x509_vfy", - "pkcs7", ], ) diff --git a/src/_cffi_src/openssl/pem.py b/src/_cffi_src/openssl/pem.py index e069d6126999..04badc47af1b 100644 --- a/src/_cffi_src/openssl/pem.py +++ b/src/_cffi_src/openssl/pem.py 
@@ -22,8 +22,6 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *, EVP_PKEY **, pem_password_cb *, void *); -PKCS7 *d2i_PKCS7_bio(BIO *, PKCS7 **); - int PEM_write_bio_X509_REQ(BIO *, X509_REQ *); X509_REQ *PEM_read_bio_X509_REQ(BIO *, X509_REQ **, pem_password_cb *, void *); @@ -32,8 +30,6 @@ int PEM_write_bio_X509_CRL(BIO *, X509_CRL *); -PKCS7 *PEM_read_bio_PKCS7(BIO *, PKCS7 **, pem_password_cb *, void *); - DH *PEM_read_bio_DHparams(BIO *, DH **, pem_password_cb *, void *); EVP_PKEY *PEM_read_bio_PUBKEY(BIO *, EVP_PKEY **, pem_password_cb *, void *); diff --git a/src/_cffi_src/openssl/pkcs7.py b/src/_cffi_src/openssl/pkcs7.py index 8e93a61b4e60..27631f48c04d 100644 --- a/src/_cffi_src/openssl/pkcs7.py +++ b/src/_cffi_src/openssl/pkcs7.py @@ -9,28 +9,13 @@ """ TYPES = """ -static const long Cryptography_HAS_PKCS7_FUNCS; typedef ... PKCS7; -static const int PKCS7_TEXT; """ FUNCTIONS = """ void PKCS7_free(PKCS7 *); -/* Included verify due to external consumer, see - https://github.com/pyca/cryptography/issues/5433 */ -int PKCS7_verify(PKCS7 *, Cryptography_STACK_OF_X509 *, X509_STORE *, BIO *, - BIO *, int); PKCS7 *SMIME_read_PKCS7(BIO *, BIO **); """ CUSTOMIZATIONS = """ -#if CRYPTOGRAPHY_IS_BORINGSSL -static const long Cryptography_HAS_PKCS7_FUNCS = 0; - -int (*PKCS7_verify)(PKCS7 *, Cryptography_STACK_OF_X509 *, X509_STORE *, BIO *, - BIO *, int) = NULL; -PKCS7 *(*SMIME_read_PKCS7)(BIO *, BIO **) = NULL; -#else -static const long Cryptography_HAS_PKCS7_FUNCS = 1; -#endif """ diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index d30efef650c2..c87d3e848236 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py 
@@ -4,13 +4,9 @@ from __future__ import annotations -import collections -import typing - -from cryptography import x509 from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.bindings.openssl import binding -from cryptography.hazmat.primitives import hashes, serialization +from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives._asymmetric import AsymmetricPadding from cryptography.hazmat.primitives.asymmetric import ec from cryptography.hazmat.primitives.asymmetric import utils as asym_utils @@ -31,8 +27,6 @@ Mode, ) -_MemoryBIO = collections.namedtuple("_MemoryBIO", ["bio", "char_ptr"]) - class Backend: """ @@ -162,19 +156,6 @@ def pbkdf2_hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool: def _consume_errors(self) -> list[rust_openssl.OpenSSLError]: return rust_openssl.capture_error_stack() - def _bytes_to_bio(self, data: bytes) -> _MemoryBIO: - """ - Return a _MemoryBIO namedtuple of (BIO, char*). - - The char* is the storage for the BIO and it must stay alive until the - BIO is finished with. - """ - data_ptr = self._ffi.from_buffer(data) - bio = self._lib.BIO_new_mem_buf(data_ptr, len(data)) - self.openssl_assert(bio != self._ffi.NULL) - - return _MemoryBIO(self._ffi.gc(bio, self._lib.BIO_free), data_ptr) - def _oaep_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool: if self._fips_enabled and isinstance(algorithm, hashes.SHA1): return False 
@@ -231,14 +212,6 @@ def cmac_algorithm_supported(self, algorithm) -> bool: algorithm, CBC(b"\x00" * algorithm.block_size) ) - def _cert2ossl(self, cert: x509.Certificate) -> typing.Any: - data = cert.public_bytes(serialization.Encoding.DER) - mem_bio = self._bytes_to_bio(data) - x509 = self._lib.d2i_X509_bio(mem_bio.bio, self._ffi.NULL) - self.openssl_assert(x509 != self._ffi.NULL) - x509 = self._ffi.gc(x509, self._lib.X509_free) - return x509 - def elliptic_curve_supported(self, curve: ec.EllipticCurve) -> bool: if self._fips_enabled and not isinstance( curve, self._fips_ecdh_curves diff --git a/src/cryptography/hazmat/bindings/_rust/test_support.pyi b/src/cryptography/hazmat/bindings/_rust/test_support.pyi index 020c5951d2ab..ef9f779f2ee9 100644 --- a/src/cryptography/hazmat/bindings/_rust/test_support.pyi +++ b/src/cryptography/hazmat/bindings/_rust/test_support.pyi @@ -2,6 +2,10 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. +from cryptography import x509 +from cryptography.hazmat.primitives import serialization +from cryptography.hazmat.primitives.serialization import pkcs7 + class TestCertificate: not_after_tag: int not_before_tag: int @@ -9,3 +13,10 @@ class TestCertificate: subject_value_tags: list[int] def test_parse_certificate(data: bytes) -> TestCertificate: ... +def pkcs7_verify( + encoding: serialization.Encoding, + sig: bytes, + msg: bytes | None, + certs: list[x509.Certificate], + options: list[pkcs7.PKCS7Options], +) -> None: ... diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index ee47d1888d80..73c06f7d08ce 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py 
@@ -130,13 +130,6 @@ def cryptography_has_ssl_cookie() -> list[str]: ] -def cryptography_has_pkcs7_funcs() -> list[str]: - return [ - "PKCS7_verify", - "SMIME_read_PKCS7", - ] - - def cryptography_has_prime_checks() -> list[str]: return [ "BN_prime_checks_for_size", @@ -179,7 +172,6 @@ def cryptography_has_get_extms_support() -> list[str]: ), "Cryptography_HAS_DTLS_GET_DATA_MTU": cryptography_has_dtls_get_data_mtu, "Cryptography_HAS_SSL_COOKIE": cryptography_has_ssl_cookie, - "Cryptography_HAS_PKCS7_FUNCS": cryptography_has_pkcs7_funcs, "Cryptography_HAS_PRIME_CHECKS": cryptography_has_prime_checks, "Cryptography_HAS_UNEXPECTED_EOF_WHILE_READING": ( cryptography_has_unexpected_eof_while_reading diff --git a/src/rust/src/test_support.rs b/src/rust/src/test_support.rs index 5b42fec3b304..8f4599723680 100644 --- a/src/rust/src/test_support.rs +++ b/src/rust/src/test_support.rs @@ -2,11 +2,19 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +use crate::buf::CffiBuf; use crate::error::CryptographyResult; +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +use crate::types; +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +use crate::x509::certificate::Certificate as PyCertificate; use asn1::SimpleAsn1Readable; use cryptography_x509::certificate::Certificate; use cryptography_x509::common::Time; use cryptography_x509::name::Name; +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +use pyo3::prelude::PyAnyMethods; #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.test_support")] struct TestCertificate { 
@@ -50,8 +58,56 @@ fn test_parse_certificate(data: &[u8]) -> CryptographyResult { }) } +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +#[pyo3::pyfunction] +#[pyo3(signature = (encoding, sig, msg, certs, options))] +fn pkcs7_verify( + py: pyo3::Python<'_>, + encoding: pyo3::Bound<'_, pyo3::PyAny>, + sig: &[u8], + msg: Option>, + certs: Vec>, + options: pyo3::Bound<'_, pyo3::types::PyList>, +) -> CryptographyResult<()> { + let p7 = if encoding.is(&types::ENCODING_DER.get(py)?) { + openssl::pkcs7::Pkcs7::from_der(sig)? + } else if encoding.is(&types::ENCODING_PEM.get(py)?) { + openssl::pkcs7::Pkcs7::from_pem(sig)? + } else { + openssl::pkcs7::Pkcs7::from_smime(sig)?.0 + }; + + let mut flags = openssl::pkcs7::Pkcs7Flags::empty(); + if options.contains(types::PKCS7_TEXT.get(py)?)? { + flags |= openssl::pkcs7::Pkcs7Flags::TEXT; + } + + let store = { + let mut b = openssl::x509::store::X509StoreBuilder::new()?; + for cert in &certs { + let der = asn1::write_single(cert.get().raw.borrow_dependent())?; + b.add_cert(openssl::x509::X509::from_der(&der)?)?; + } + b.build() + }; + let certs = openssl::stack::Stack::new()?; + + p7.verify( + &certs, + &store, + msg.as_ref().map(|m| m.as_bytes()), + None, + flags, + )?; + + Ok(()) +} + #[pyo3::pymodule] pub(crate) mod test_support { + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + #[pymodule_export] + use super::pkcs7_verify; #[pymodule_export] use super::test_parse_certificate; } diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 96068809c15e..3842fd3ff616 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py 
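Review bot: `pkcs7_verify` has no doc comment, and this commit drops the note that sat above the Python `_pkcs7_verify` saying it exists only to check the signing tests and is not a verification API. That caveat matters more now that the function is exported from the extension module. The `X509StoreBuilder` loop adds every entry of `certs` as a trust anchor, and the final `else` parses any encoding other than DER or PEM as S/MIME, so I would state both, e.g. `/// Test-only: trusts every cert in certs as a root; any encoding other than DER/PEM is parsed as S/MIME.` The local `let certs = openssl::stack::Stack::new()?;` shadows the parameter of the same name; a name such as `no_extra_certs` would read more clearly. The function is compiled only under `#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]`, while the `test_support.pyi` stub in this commit declares it unconditionally, which deserves a comment in the stub.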
@@ -11,6 +11,7 @@ from cryptography import x509 from cryptography.exceptions import _Reasons +from cryptography.hazmat.bindings._rust import test_support from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa from cryptography.hazmat.primitives.serialization import pkcs7 
@@ -96,57 +97,6 @@ def test_load_pkcs7_empty_certificates(self): pkcs7.load_der_pkcs7_certificates(der) -# We have no public verification API and won't be adding one until we get -# some requirements from users so this function exists to give us basic -# verification for the signing tests. -# -# This relies on a number of bindings that we'd otherwise like to remove. -def _pkcs7_verify(encoding, sig, msg, certs, options, backend): - sig_bio = backend._bytes_to_bio(sig) - if encoding is serialization.Encoding.DER: - p7 = backend._lib.d2i_PKCS7_bio(sig_bio.bio, backend._ffi.NULL) - elif encoding is serialization.Encoding.PEM: - p7 = backend._lib.PEM_read_bio_PKCS7( - sig_bio.bio, - backend._ffi.NULL, - backend._ffi.NULL, - backend._ffi.NULL, - ) - else: - p7 = backend._lib.SMIME_read_PKCS7(sig_bio.bio, backend._ffi.NULL) - backend.openssl_assert(p7 != backend._ffi.NULL) - p7 = backend._ffi.gc(p7, backend._lib.PKCS7_free) - flags = 0 - for option in options: - if option is pkcs7.PKCS7Options.Text: - flags |= backend._lib.PKCS7_TEXT - store = backend._lib.X509_STORE_new() - backend.openssl_assert(store != backend._ffi.NULL) - store = backend._ffi.gc(store, backend._lib.X509_STORE_free) - # This list is to keep the x509 values alive until end of function - ossl_certs = [] - for cert in certs: - ossl_cert = backend._cert2ossl(cert) - ossl_certs.append(ossl_cert) - res = backend._lib.X509_STORE_add_cert(store, ossl_cert) - backend.openssl_assert(res == 1) - if msg is None: - res = backend._lib.PKCS7_verify( - p7, - backend._ffi.NULL, - store, - backend._ffi.NULL, - backend._ffi.NULL, - flags, - ) - else: - msg_bio = backend._bytes_to_bio(msg) - res = backend._lib.PKCS7_verify( - p7, backend._ffi.NULL, store, msg_bio.bio, backend._ffi.NULL, flags - ) - backend.openssl_assert(res == 1) - - def _load_cert_key(): key = load_vectors_from_file( os.path.join("x509", "custom", "ca", "ca_key.pem"), 
@@ -315,22 +265,20 @@ def test_smime_sign_detached(self, backend): assert isinstance(payload[0], email.message.Message) signed_data = payload[0].get_payload() assert isinstance(signed_data, str) - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.SMIME, sig, signed_data.encode(), [cert], options, - backend, ) assert data not in sig_binary - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig_binary, data, [cert], options, - backend, ) def test_sign_byteslike(self, backend): @@ -345,13 +293,12 @@ def test_sign_byteslike(self, backend): sig = builder.sign(serialization.Encoding.SMIME, options) assert bytes(data) in sig - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.SMIME, sig, data, [cert], options, - backend, ) data = bytearray(b"") @@ -362,13 +309,12 @@ def test_sign_byteslike(self, backend): ) sig = builder.sign(serialization.Encoding.SMIME, options) - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.SMIME, sig, data, [cert], options, - backend, ) def test_sign_pem(self, backend): @@ -382,13 +328,12 @@ def test_sign_pem(self, backend): ) sig = builder.sign(serialization.Encoding.PEM, options) - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.PEM, sig, None, [cert], options, - backend, ) @pytest.mark.parametrize( @@ -412,8 +357,8 @@ def test_sign_alternate_digests_der( options: typing.List[pkcs7.PKCS7Options] = [] sig = builder.sign(serialization.Encoding.DER, options) assert expected_value in sig - _pkcs7_verify( - serialization.Encoding.DER, sig, None, [cert], options, backend + test_support.pkcs7_verify( + serialization.Encoding.DER, sig, None, [cert], options ) @pytest.mark.parametrize( 
@@ -454,13 +399,12 @@ def test_sign_attached(self, backend): # When not passing detached signature the signed data is embedded into # the PKCS7 structure itself assert data in sig_binary - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig_binary, None, [cert], options, - backend, ) def test_sign_binary(self, backend): @@ -480,22 +424,20 @@ def test_sign_binary(self, backend): # so data should not be present in sig_no_binary, but should be present # in sig_binary assert data not in sig_no_binary - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig_no_binary, None, [cert], options, - backend, ) assert data in sig_binary - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig_binary, None, [cert], options, - backend, ) def test_sign_smime_canonicalization(self, backend): @@ -513,13 +455,12 @@ def test_sign_smime_canonicalization(self, backend): # so data should not be present in the sig assert data not in sig_binary assert b"hello\r\nworld" in sig_binary - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig_binary, None, [cert], options, - backend, ) def test_sign_text(self, backend): @@ -550,13 +491,12 @@ def test_sign_text(self, backend): signed_data = payload[0].as_bytes( policy=message.policy.clone(linesep="\r\n") ) - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.SMIME, sig_pem, signed_data, [cert], options, - backend, ) def test_smime_capabilities(self, backend): @@ -594,13 +534,12 @@ def test_smime_capabilities(self, backend): len_oid = len(oid).to_bytes(length=1, byteorder="big") assert sequence_identifier + len_oid + oid in sig_binary - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig_binary, None, [cert], [], - backend, ) def test_sign_no_capabilities(self, backend): 
@@ -623,13 +562,12 @@ def test_sign_no_capabilities(self, backend): assert b"\x06\t*\x86H\x86\xf7\r\x01\t\x0f" not in sig_binary # 1.2.840.113549.1.9.5 signingTime as an ASN.1 DER encoded OID assert b"\x06\t*\x86H\x86\xf7\r\x01\t\x05" in sig_binary - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig_binary, None, [cert], options, - backend, ) def test_sign_no_attributes(self, backend): @@ -650,13 +588,12 @@ def test_sign_no_attributes(self, backend): assert b"\x06\t*\x86H\x86\xf7\r\x01\t\x0f" not in sig_binary # 1.2.840.113549.1.9.5 signingTime as an ASN.1 DER encoded OID assert b"\x06\t*\x86H\x86\xf7\r\x01\t\x05" not in sig_binary - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig_binary, None, [cert], options, - backend, ) def test_sign_no_certs(self, backend): @@ -733,13 +670,12 @@ def test_rsa_pkcs_padding_options(self, pad, backend): assert ( sig.count(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") == 2 ) - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig, None, [rsa_cert], options, - backend, ) def test_not_rsa_key_with_padding(self, backend): @@ -801,13 +737,12 @@ def test_multiple_signers(self, backend): sig = builder.sign(serialization.Encoding.DER, options) # There should be three SHA512 OIDs in this structure assert sig.count(b"\x06\t`\x86H\x01e\x03\x04\x02\x03") == 3 - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig, None, [cert, rsa_cert], options, - backend, ) def test_multiple_signers_different_hash_algs(self, backend): 
@@ -839,13 +774,12 @@ def test_multiple_signers_different_hash_algs(self, backend): # There should be two SHA384 and two SHA512 OIDs in this structure assert sig.count(b"\x06\t`\x86H\x01e\x03\x04\x02\x02") == 2 assert sig.count(b"\x06\t`\x86H\x01e\x03\x04\x02\x03") == 2 - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig, None, [cert, rsa_cert], options, - backend, ) def test_add_additional_cert_not_a_cert(self, backend): From a4eb4ef99437aac182fe0f542a77bf1d84c93e85 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 16 Jul 2024 00:32:29 +0000 Subject: [PATCH 0839/1462] Bump x509-limbo and/or wycheproof in CI (#11284) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 10594d7b579f..069197d1a1b0 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jul 10, 2024. - ref: "6e5500061c043941079d677af8e822dfed494fec" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jul 16, 2024. + ref: "8815322a268ad32918d21c44805e8cb37c9fd7b2" # x509-limbo-ref From 3e65042197dd7d2bb35ac081ee298983e7e1a84a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jul 2024 06:29:41 -0400 Subject: [PATCH 0840/1462] Bump sphinx from 7.4.2 to 7.4.4 (#11285) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.4.2 to 7.4.4. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.4.2...v7.4.4) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 8b094e9bc8a4..21f0296be5f7 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -109,7 +109,7 @@ ruff==0.5.2 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx -sphinx==7.4.2 +sphinx==7.4.4 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From 0787dc5e89b20b8abd351050481a248483a17e40 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 17 Jul 2024 00:16:43 +0000 Subject: [PATCH 0841/1462] Bump BoringSSL and/or OpenSSL in CI (#11286) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 88cb4d8f6546..6656fedc03c9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jul 11, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b34976cae99f8d1b864dbab31e20fc00d06acb09"}} - # Latest commit on the OpenSSL master branch, as of Jul 16, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5c6975bd44dce4bb342b7bc130de5aaefbe2c35b"}} + # Latest commit on the BoringSSL master branch, as of Jul 17, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d274b1bacdca36f3941bf78e43dc38acf676a1a8"}} + # Latest commit on the OpenSSL master branch, as of Jul 17, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2dd74d3acb9425251a2028504f07623bd97bfe87"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From a9bc879d6140ad377bda5159cc196cd3df6bcd58 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 16 Jul 2024 22:27:37 -0400 Subject: [PATCH 0842/1462] Bump vectors (#11288) * Bump x509-limbo and/or wycheproof in CI * test_limbo: allow build_server_verifier to fail ...in a predictable way. * test_limbo: remove assert * test_limbo: return early when exceptional --------- Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- tests/x509/verification/test_limbo.py | 8 +++++++- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 069197d1a1b0..bfa92a923487 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jul 16, 2024. - ref: "8815322a268ad32918d21c44805e8cb37c9fd7b2" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jul 17, 2024. + ref: "fb3e03cd0e686ed06a6a118e372df709f480d6a4" # x509-limbo-ref diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 2675ca735475..50881eb9410b 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -133,7 +133,13 @@ def _limbo_testcase(id_, testcase): "extended_key_usage" ] == ["serverAuth"] peer_name = _get_limbo_peer(testcase["expected_peer_name"]) - verifier = builder.build_server_verifier(peer_name) + # Some tests exercise invalid leaf SANs, which get caught before + # validation even begins. + try: + verifier = builder.build_server_verifier(peer_name) + except ValueError: + assert not should_pass + return else: assert testcase["extended_key_usage"] == ["clientAuth"] verifier = builder.build_client_verifier() From 3c7a5e07387434ced26e377994cd1a8553997c53 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Jul 2024 10:59:21 +0000 Subject: [PATCH 0843/1462] Bump sphinx from 7.4.4 to 7.4.5 (#11289) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.4.4 to 7.4.5. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.4.4...v7.4.5) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
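Review bot: The new `except ValueError` branch around `build_server_verifier(peer_name)` in `_limbo_testcase` lets any expected-failure case pass as soon as the builder raises, whatever the reason, and that case then never reaches verification. A regression that makes the builder raise `ValueError` for an unrelated reason would therefore be counted as a correct rejection for every `should_pass == False` server case. If the testcase data allows it, I would tie the early return to the condition the comment names, for example by checking the exception text or the testcase's declared features before returning. The function starts and ends outside this hunk, so whether such a field is available here is not visible.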
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 21f0296be5f7..a8103c276da4 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -109,7 +109,7 @@ ruff==0.5.2 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx -sphinx==7.4.4 +sphinx==7.4.5 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From 783223f5f65a326d2bea9978300cd81a658c8f00 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Wed, 17 Jul 2024 23:07:37 +0200 Subject: [PATCH 0844/1462] docs: Add instructions to build the docs (#11290) * docs: Add instructions to build the docs * docs: Fix single backticks * docs: remove troubleshooting section * Update docs/development/getting-started.rst Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- docs/development/getting-started.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/development/getting-started.rst b/docs/development/getting-started.rst index 2cb1bb478bff..d074718f4183 100644 --- a/docs/development/getting-started.rst +++ b/docs/development/getting-started.rst @@ -41,6 +41,17 @@ You can also specify a subset of tests to run as positional arguments: $ # run the whole x509 testsuite, plus the fernet tests $ nox -e local -- tests/x509/ tests/test_fernet.py +Building the docs +----------------- + +Building the docs on non-Windows platforms requires manually installing +the C library ``libenchant`` (`installation instructions`_). +The docs can be built using ``nox``: + +.. code-block:: console + + $ nox -e docs + .. _`Homebrew`: https://brew.sh .. _`MacPorts`: https://www.macports.org 
@@ -50,3 +61,4 @@ You can also specify a subset of tests to run as positional arguments: .. _`virtualenv`: https://pypi.org/project/virtualenv/ .. _`pip`: https://pypi.org/project/pip/ .. _`as documented here`: https://docs.rs/openssl/latest/openssl/#automatic +.. _`installation instructions`: https://pyenchant.github.io/pyenchant/install.html#installing-the-enchant-c-library \ No newline at end of file From df3ed7b71ea8846363e1f72d11d93651869434e9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Jul 2024 21:56:41 +0000 Subject: [PATCH 0845/1462] Bump pyo3 from 0.22.1 to 0.22.2 in /src/rust (#11292) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.22.1 to 0.22.2. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/v0.22.2/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.22.1...v0.22.2) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 20 ++++++++++---------- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-keepalive/Cargo.toml | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 4da7c1609040..93a0cdd29c5a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -247,9 +247,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.22.1" +version = "0.22.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4e99090d12f6182924499253aaa1e73bf15c69cea8d2774c3c781e35badc3548" +checksum = "831e8e819a138c36e212f3af3fd9eeffed6bf1510a805af35b0edee5ffa59433" dependencies = [ "cfg-if", "indoc", 
@@ -265,9 +265,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.22.1" +version = "0.22.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7879eb018ac754bba32cb0eec7526391c02c14a093121857ed09fbf1d1057d41" +checksum = "1e8730e591b14492a8945cdff32f089250b05f5accecf74aeddf9e8272ce1fa8" dependencies = [ "once_cell", "target-lexicon", @@ -275,9 +275,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.22.1" +version = "0.22.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ce2baa5559a411fc1cf519295f24c34b53d5d725818bc96b5abf94762da09041" +checksum = "5e97e919d2df92eb88ca80a037969f44e5e70356559654962cbb3316d00300c6" dependencies = [ "libc", "pyo3-build-config", @@ -285,9 +285,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.22.1" +version = "0.22.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "049621c20a23f2def20f4fe67978d1da8d8a883d64b9c21362f3b776e254edc7" +checksum = "eb57983022ad41f9e683a599f2fd13c3664d7063a3ac5714cae4b7bee7d3f206" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -297,9 +297,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.22.1" +version = "0.22.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0e969ee2e025435f1819d31a275ba4bb9cbbdf3ac535227fdbd85b9322ffe144" +checksum = "ec480c0c51ddec81019531705acac51bcdbeae563557c982aa8263bb96880372" dependencies = [ "heck", "proc-macro2", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index fc0ab7e11edf..e3263a9ecbfa 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml 
@@ -17,7 +17,7 @@ rust-version.workspace = true [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.22.1", features = ["abi3"] } +pyo3 = { version = "0.22.2", features = ["abi3"] } asn1 = { version = "0.16.2", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 561d070c2276..38122b95b75c 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -7,7 +7,7 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.1", features = ["abi3"] } +pyo3 = { version = "0.22.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml index d2f503bbf209..d281a1b0867e 100644 --- a/src/rust/cryptography-keepalive/Cargo.toml +++ b/src/rust/cryptography-keepalive/Cargo.toml @@ -7,4 +7,4 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.1", features = ["abi3"] } +pyo3 = { version = "0.22.2", features = ["abi3"] } From 7d408e8acc1b9d7e52192abbebbf0af5c20d6bd4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Jul 2024 18:06:57 -0400 Subject: [PATCH 0846/1462] Bump setuptools from 70.3.0 to 71.0.0 in /.github/requirements (#11293) Bumps [setuptools](https://github.com/pypa/setuptools) from 70.3.0 to 71.0.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v70.3.0...v71.0.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index ceabc93499a6..85359be67516 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -83,7 +83,7 @@ tomli==2.0.1 \ # via maturin # The following packages are considered to be unsafe in a requirements file: -setuptools==70.3.0 \ - --hash=sha256:f171bab1dfbc86b132997f26a119f6056a57950d058587841a0082e8830f9dc5 \ - --hash=sha256:fe384da74336c398e0d956d1cae0669bc02eed936cdb1d49b57de1990dc11ffc +setuptools==71.0.0 \ + --hash=sha256:98da3b8aca443b9848a209ae4165e2edede62633219afa493a58fbba57f72e2e \ + --hash=sha256:f06fbe978a91819d250a30e0dc4ca79df713d909e24438a42d0ec300fc52247f # via -r build-requirements.in From 14772c2e5fa312966411ee96b3c2dfc4090e4a23 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 18 Jul 2024 00:15:20 +0000 Subject: [PATCH 0847/1462] Bump BoringSSL and/or OpenSSL in CI (#11294) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6656fedc03c9..78fdf4e6c543 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jul 17, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d274b1bacdca36f3941bf78e43dc38acf676a1a8"}} - # Latest commit on the OpenSSL master branch, as of Jul 17, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2dd74d3acb9425251a2028504f07623bd97bfe87"}} + # Latest commit on the BoringSSL master branch, as of Jul 18, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "82f9853fc7d7360ae44f1e1357a6422c5244bbd8"}} + # Latest commit on the OpenSSL master branch, as of Jul 18, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cf3d65b8664f11904ad34f21fe78a6694f23ae62"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From ccb3a3277c7f6dafae2ce4bcfaa635693dec39e8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Jul 2024 07:07:00 -0400 Subject: [PATCH 0848/1462] Bump setuptools from 71.0.0 to 71.0.1 in /.github/requirements (#11295) Bumps [setuptools](https://github.com/pypa/setuptools) from 71.0.0 to 71.0.1. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v71.0.0...v71.0.1) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 85359be67516..2aebb5ca4e6c 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -83,7 +83,7 @@ tomli==2.0.1 \ # via maturin # The following packages are considered to be unsafe in a requirements file: -setuptools==71.0.0 \ - --hash=sha256:98da3b8aca443b9848a209ae4165e2edede62633219afa493a58fbba57f72e2e \ - --hash=sha256:f06fbe978a91819d250a30e0dc4ca79df713d909e24438a42d0ec300fc52247f +setuptools==71.0.1 \ + --hash=sha256:1eb8ef012efae7f6acbc53ec0abde4bc6746c43087fd215ee09e1df48998711f \ + --hash=sha256:c51d7fd29843aa18dad362d4b4ecd917022131425438251f4e3d766c964dd1ad # via -r build-requirements.in From 0faaffc2f5844cf55af57b3eccb6bb7ab5c58aae Mon Sep 17 00:00:00 2001 
From: Facundo Tuesca Date: Thu, 18 Jul 2024 17:52:09 +0200 Subject: [PATCH 0849/1462] Add support for encrypting S/MIME messages (#10889) * Add support for encrypting S/MIME messages * Move PKCS7 decrypt test function to Rust * Use symmetric encryption function from PKCS12 * Remove debug file write from tests * Remove unneeded backend parameter * docs and changelog --- CHANGELOG.rst | 2 + .../primitives/asymmetric/serialization.rst | 94 ++++++- .../hazmat/bindings/_rust/pkcs7.pyi | 5 + .../hazmat/bindings/_rust/test_support.pyi | 7 + .../hazmat/primitives/serialization/pkcs7.py | 105 +++++++- src/rust/cryptography-x509/src/common.rs | 10 + src/rust/cryptography-x509/src/pkcs7.rs | 18 ++ src/rust/src/pkcs12.rs | 2 +- src/rust/src/pkcs7.rs | 93 ++++++- src/rust/src/test_support.rs | 47 ++++ src/rust/src/types.rs | 9 +- tests/hazmat/primitives/test_pkcs7.py | 249 +++++++++++++++++- 12 files changed, 632 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 90af3bba7286..ea62a5351efd 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -66,6 +66,8 @@ Changelog * :class:`~cryptography.x509.NameAttribute` now raises an exception when attempting to create a common name whose length is shorter or longer than :rfc:`5280` permits. +* Added basic support for PKCS7 encryption (including SMIME) via + :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7EnvelopeBuilder`. .. _v42-0-8: diff --git a/docs/hazmat/primitives/asymmetric/serialization.rst b/docs/hazmat/primitives/asymmetric/serialization.rst index 402915c45540..42cc83c84687 100644 --- a/docs/hazmat/primitives/asymmetric/serialization.rst +++ b/docs/hazmat/primitives/asymmetric/serialization.rst 
@@ -1095,6 +1095,37 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``, -----END CERTIFICATE----- """.strip() + ca_cert_rsa = b""" + -----BEGIN CERTIFICATE----- + MIIExzCCAq+gAwIBAgIJAOcS06ClbtbJMA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV + BAMMD2NyeXB0b2dyYXBoeSBDQTAeFw0yMDA5MTQyMTQwNDJaFw00ODAxMzEyMTQw + NDJaMBoxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeSBDQTCCAiIwDQYJKoZIhvcNAQEB + BQADggIPADCCAgoCggIBANBIheRc1HT4MzV5GvUbDk9CFU6DTomRApNqRmizriRq + m6OY4Ht3d71BXog6/IBkqAnZ4/XJQ40G4sVDb52k11oPvfJ/F5pc+6UqPBL+QGzY + GkJoubAqXFpI6ow0qayFNQLv0T9o4yh0QQOoGvgCmv91qmitLrZNXu4U9S76G+Di + GST+QyMkMxj+VsGRsRRBufV1urcnvFWjU6Q2+cr2cp0mMAG96NTyIskYiJ8vL03W + z4DX4klO4X47fPmDnU/OMn4SbvMZ896j1L0J04S+uVThTkxQWcFcqXhX5qM8kzcj + JUmybFlbf150j3WiucW48K/j7fJ0x9q3iUo4Gva0coScglJWcgo/BBCwFDw8NVba + 7npxSRMiaS3qTv0dEFcRnvByc+7hyGxxlWdTE9tHisUI1eZVk9P9ziqNOZKscY8Z + X1+/C4M9X69Y7A8I74F5dO27IRycEgOrSo2z1NhfSwbqJr9a2TBtRsFinn8rjKBI + zNn0E5p9jO1WjxtkcjHfXXpLN8FFMvoYI9l/K+ZWDm9sboaF8jrgozSc004AFemA + H79mmCGVRKXn1vDAo4DLC6p3NiBFYQcYbW9V+beGD6srsF6xJtuY/UwtPROLWSzu + CCrZ/4BlmpNsR0ehIFFvzEKjX6rR2yp3YKlguDbMBMKMpfSGxAFwcZ7OiaxR20UH + AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBADSveDS4 + y2V/N6Li2n9ChGNdCMr/45M0cl+GpL55aA36AWYMRLv0wip7MWV3yOj4mkjGBlTE + awKHH1FtetsE6B4a7M2hHhOXyXE60uUdptEx6ckGrJ1iyqu5cQUX1P+VnXbmOxfF + bl+Ugzjbgirx239rA4ezkDRuOvKcCbDOFV/gw3ZHfJ/IQeRXIQRl/y51wcnFUvFM + JEESYiijeDbEcY8r1/phmVQL0CO7WLMmTxlFj4X/TR3MTZWJQIap9GiLs5+n3QiO + jsZ3GuFOomB8oTebYkXniwbNu5hgLP/seRQzGA7B9VDZryAhCtvGgjtQh0eW2Qxt + sgmDJGOPKnKT3O5U0v3+IPLEYpe8JSzgAhhh6H1rAJRUNwP2gRcO4eOUJSkdl218 + fRNT0ILzosuWxwprER9ciMQF8q0JJKMhcfHRMH0S5mWVJAIkj68KY05oCy2zNyYa + oruopKSWXe0Bzr40znm40P7xIkui2BGQMlDPpbCaEfLsLqyctfbdmMlxac/QgIfY + TltrbqmI3MNy5uqGViGFpWPCB+kD8EsJF9nlKJXlu/i55qgUr/2/2CdeWlZDBP8A + 1fdzmpYpWnwhE0KobzLS2z3AwDxiY/RSWUfypLZA0K/lpaEtYB6UHMDZ0/8WqgZV + gNucCuty0cA4Kf7eX1TlAKVwH8hTkVmJc2rX + -----END CERTIFICATE----- + """.strip() + .. class:: PKCS7SignatureBuilder 
@@ -1174,11 +1205,72 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``, :returns bytes: The signed PKCS7 message. +.. class:: PKCS7EnvelopeBuilder + + The PKCS7 envelope builder can create encrypted S/MIME messages, + which are commonly used in email. S/MIME has multiple versions, + but this implements a subset of :rfc:`5751`, also known as S/MIME + Version 3.2. + + .. versionadded:: 43.0.0 + + .. doctest:: + + >>> from cryptography import x509 + >>> from cryptography.hazmat.primitives import serialization + >>> from cryptography.hazmat.primitives.serialization import pkcs7 + >>> cert = x509.load_pem_x509_certificate(ca_cert_rsa) + >>> options = [pkcs7.PKCS7Options.Text] + >>> pkcs7.PKCS7EnvelopeBuilder().set_data( + ... b"data to encrypt" + ... ).add_recipient( + ... cert + ... ).encrypt( + ... serialization.Encoding.SMIME, options + ... ) + b'...' + + .. method:: set_data(data) + + :param data: The data to be encrypted. + :type data: :term:`bytes-like` + + .. method:: add_recipient(certificate) + + Add a recipient for the message. Recipients will be able to use their private keys + to decrypt the message. This method may be called multiple times to add as many recipients + as desired. + + :param certificate: A :class:`~cryptography.x509.Certificate` for an intended + recipient of the encrypted message. Only certificates with public RSA keys + are currently supported. + + .. method:: encrypt(encoding, options) + + The message is encrypted using AES-128-CBC. The encryption key used is included in + the envelope, encrypted using the recipient's public RSA key. If multiple recipients + are specified, the key is encrypted once with each recipient's public key, and all + encrypted keys are included in the envelope (one per recipient). 
+ + :param encoding: :attr:`~cryptography.hazmat.primitives.serialization.Encoding.PEM`, + :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`, + or :attr:`~cryptography.hazmat.primitives.serialization.Encoding.SMIME`. + + :param options: A list of + :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options`. For + this operation only + :attr:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options.Text` and + :attr:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options.Binary` + are supported. + + :returns bytes: The enveloped PKCS7 message. + + .. class:: PKCS7Options .. versionadded:: 3.2 - An enumeration of options for PKCS7 signature creation. + An enumeration of options for PKCS7 signature and envelope creation. .. attribute:: Text diff --git a/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi b/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi index f7f9883eb311..a72120a762ec 100644 --- a/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi +++ b/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi @@ -12,6 +12,11 @@ def serialize_certificates( certs: list[x509.Certificate], encoding: serialization.Encoding, ) -> bytes: ... +def encrypt_and_serialize( + builder: pkcs7.PKCS7EnvelopeBuilder, + encoding: serialization.Encoding, + options: typing.Iterable[pkcs7.PKCS7Options], +) -> bytes: ... def sign_and_serialize( builder: pkcs7.PKCS7SignatureBuilder, encoding: serialization.Encoding, diff --git a/src/cryptography/hazmat/bindings/_rust/test_support.pyi b/src/cryptography/hazmat/bindings/_rust/test_support.pyi index ef9f779f2ee9..a53ee25dd752 100644 --- a/src/cryptography/hazmat/bindings/_rust/test_support.pyi +++ b/src/cryptography/hazmat/bindings/_rust/test_support.pyi 
@@ -13,6 +13,13 @@ class TestCertificate: subject_value_tags: list[int] def test_parse_certificate(data: bytes) -> TestCertificate: ... +def pkcs7_decrypt( + encoding: serialization.Encoding, + msg: bytes, + pkey: serialization.pkcs7.PKCS7PrivateKeyTypes, + cert_recipient: x509.Certificate, + options: list[pkcs7.PKCS7Options], +) -> bytes: ... def pkcs7_verify( encoding: serialization.Encoding, sig: bytes, diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py index bae35c5f5988..97ea9db8e171 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs7.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs7.py @@ -12,6 +12,7 @@ import typing from cryptography import utils, x509 +from cryptography.exceptions import UnsupportedAlgorithm, _Reasons from cryptography.hazmat.bindings._rust import pkcs7 as rust_pkcs7 from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa 
@@ -177,7 +178,92 @@ def sign( return rust_pkcs7.sign_and_serialize(self, encoding, options) -def _smime_encode( +class PKCS7EnvelopeBuilder: + def __init__( + self, + *, + _data: bytes | None = None, + _recipients: list[x509.Certificate] | None = None, + ): + from cryptography.hazmat.backends.openssl.backend import ( + backend as ossl, + ) + + if not ossl.rsa_encryption_supported(padding=padding.PKCS1v15()): + raise UnsupportedAlgorithm( + "RSA with PKCS1 v1.5 padding is not supported by this version" + " of OpenSSL.", + _Reasons.UNSUPPORTED_PADDING, + ) + self._data = _data + self._recipients = _recipients if _recipients is not None else [] + + def set_data(self, data: bytes) -> PKCS7EnvelopeBuilder: + _check_byteslike("data", data) + if self._data is not None: + raise ValueError("data may only be set once") + + return PKCS7EnvelopeBuilder(_data=data, _recipients=self._recipients) + + def add_recipient( + self, + certificate: x509.Certificate, + ) -> PKCS7EnvelopeBuilder: + if not isinstance(certificate, x509.Certificate): + raise TypeError("certificate must be a x509.Certificate") + + if not isinstance(certificate.public_key(), rsa.RSAPublicKey): + raise TypeError("Only RSA keys are supported at this time.") + + return PKCS7EnvelopeBuilder( + _data=self._data, + _recipients=[ + *self._recipients, + certificate, + ], + ) + + def encrypt( + self, + encoding: serialization.Encoding, + options: typing.Iterable[PKCS7Options], + ) -> bytes: + if len(self._recipients) == 0: + raise ValueError("Must have at least one recipient") + if self._data is None: + raise ValueError("You must add data to encrypt") + options = list(options) + if not all(isinstance(x, PKCS7Options) for x in options): + raise ValueError("options must be from the PKCS7Options enum") + if encoding not in ( + serialization.Encoding.PEM, + serialization.Encoding.DER, + serialization.Encoding.SMIME, + ): + raise ValueError( + "Must be PEM, DER, or SMIME from the Encoding enum" + ) + + # Only allow options 
that make sense for encryption + if any( + opt not in [PKCS7Options.Text, PKCS7Options.Binary] + for opt in options + ): + raise ValueError( + "Only the following options are supported for encryption: " + "Text, Binary" + ) + elif PKCS7Options.Text in options and PKCS7Options.Binary in options: + # OpenSSL accepts both options at the same time, but ignores Text. + # We fail defensively to avoid unexpected outputs. + raise ValueError( + "Cannot use Binary and Text options at the same time" + ) + + return rust_pkcs7.encrypt_and_serialize(self, encoding, options) + + +def _smime_signed_encode( data: bytes, signature: bytes, micalg: str, text_mode: bool ) -> bytes: # This function works pretty hard to replicate what OpenSSL does @@ -225,6 +311,23 @@ def _smime_encode( return fp.getvalue() +def _smime_enveloped_encode(data: bytes) -> bytes: + m = email.message.Message() + m.add_header("MIME-Version", "1.0") + m.add_header("Content-Disposition", "attachment", filename="smime.p7m") + m.add_header( + "Content-Type", + "application/pkcs7-mime", + smime_type="enveloped-data", + name="smime.p7m", + ) + m.add_header("Content-Transfer-Encoding", "base64") + + m.set_payload(email.base64mime.body_encode(data, maxlinelen=65)) + + return m.as_bytes(policy=m.policy.clone(linesep="\n", max_line_length=0)) + + class OpenSSLMimePart(email.message.MIMEPart): # A MIMEPart subclass that replicates OpenSSL's behavior of not including # a newline if there are no headers. diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 1816e07896b6..0b9555314224 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs 
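Review bot: `PKCS7EnvelopeBuilder` and its methods are added without docstrings, so nothing in the class tells a caller that the envelope gives confidentiality only. The documentation and Rust side of this commit fix the content cipher to AES-128-CBC and the key transport to RSA PKCS #1 v1.5, and the EnvelopedData structure carries no MAC or signature, so a recipient cannot detect a modified ciphertext. I would add a class docstring that names both algorithms and says so plainly, for example `"""Builds CMS EnvelopedData; the output is encrypted but not authenticated, so sign it separately when integrity matters."""`. A one-line docstring on `encrypt` listing the accepted encodings and the two accepted options would also save readers from reconstructing them from the `ValueError` branches.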
@@ -136,6 +136,16 @@ pub enum AlgorithmParameters<'a> { #[defined_by(oid::HMAC_WITH_SHA256_OID)] HmacWithSha256(asn1::Null), + // Used only in PKCS#7 AlgorithmIdentifiers + // https://datatracker.ietf.org/doc/html/rfc3565#section-4.1 + // + // From RFC 3565 section 4.1: + // The AlgorithmIdentifier parameters field MUST be present, and the + // parameters field MUST contain a AES-IV: + // + // AES-IV ::= OCTET STRING (SIZE(16)) + #[defined_by(oid::AES_128_CBC_OID)] + Aes128Cbc([u8; 16]), #[defined_by(oid::AES_256_CBC_OID)] Aes256Cbc([u8; 16]), diff --git a/src/rust/cryptography-x509/src/pkcs7.rs b/src/rust/cryptography-x509/src/pkcs7.rs index 31c7d097bab2..aff6ee2ad818 100644 --- a/src/rust/cryptography-x509/src/pkcs7.rs +++ b/src/rust/cryptography-x509/src/pkcs7.rs @@ -6,6 +6,7 @@ use crate::{certificate, common, csr, name}; pub const PKCS7_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 1); pub const PKCS7_SIGNED_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 2); +pub const PKCS7_ENVELOPED_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 3); pub const PKCS7_ENCRYPTED_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 6); #[derive(asn1::Asn1Write)] @@ -18,6 +19,8 @@ pub struct ContentInfo<'a> { #[derive(asn1::Asn1DefinedByWrite)] pub enum Content<'a> { + #[defined_by(PKCS7_ENVELOPED_DATA_OID)] + EnvelopedData(asn1::Explicit>, 0>), #[defined_by(PKCS7_SIGNED_DATA_OID)] SignedData(asn1::Explicit>, 0>), #[defined_by(PKCS7_DATA_OID)] 
@@ -56,6 +59,21 @@ pub struct SignerInfo<'a> { pub unauthenticated_attributes: Option>, } +#[derive(asn1::Asn1Write)] +pub struct EnvelopedData<'a> { + pub version: u8, + pub recipient_infos: asn1::SetOfWriter<'a, RecipientInfo<'a>>, + pub encrypted_content_info: EncryptedContentInfo<'a>, +} + +#[derive(asn1::Asn1Write)] +pub struct RecipientInfo<'a> { + pub version: u8, + pub issuer_and_serial_number: IssuerAndSerialNumber<'a>, + pub key_encryption_algorithm: common::AlgorithmIdentifier<'a>, + pub encrypted_key: &'a [u8], +} + #[derive(asn1::Asn1Write)] pub struct IssuerAndSerialNumber<'a> { pub issuer: name::Name<'a>, diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index d9547edb7f4f..45f8855bacf3 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -79,7 +79,7 @@ impl PKCS12Certificate { } } -fn symmetric_encrypt( +pub(crate) fn symmetric_encrypt( py: pyo3::Python<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, mode: pyo3::Bound<'_, pyo3::PyAny>, diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index ba6802aa8f71..40fbd9b97a11 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -6,7 +6,9 @@ use std::borrow::Cow; use std::collections::HashMap; use std::ops::Deref; +use cryptography_x509::common::{AlgorithmIdentifier, AlgorithmParameters}; use cryptography_x509::csr::Attribute; +use cryptography_x509::pkcs7::PKCS7_DATA_OID; use cryptography_x509::{common, oid, pkcs7}; use once_cell::sync::Lazy; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] @@ -18,6 +20,7 @@ use pyo3::IntoPy; use crate::asn1::encode_der_data; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; +use crate::pkcs12::symmetric_encrypt; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use crate::x509::certificate::load_der_x509_certificate; use crate::{exceptions, types, x509}; 
@@ -75,6 +78,90 @@ fn serialize_certificates<'p>( encode_der_data(py, "PKCS7".to_string(), content_info_bytes, encoding) } +#[pyo3::pyfunction] +fn encrypt_and_serialize<'p>( + py: pyo3::Python<'p>, + builder: &pyo3::Bound<'p, pyo3::PyAny>, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + options: &pyo3::Bound<'p, pyo3::types::PyList>, +) -> CryptographyResult> { + let raw_data: CffiBuf<'p> = builder.getattr(pyo3::intern!(py, "_data"))?.extract()?; + let text_mode = options.contains(types::PKCS7_TEXT.get(py)?)?; + let data_with_header = if options.contains(types::PKCS7_BINARY.get(py)?)? { + Cow::Borrowed(raw_data.as_bytes()) + } else { + smime_canonicalize(raw_data.as_bytes(), text_mode).0 + }; + + // The message is encrypted with AES-128-CBC, which the S/MIME v3.2 RFC + // specifies as MUST support (https://datatracker.ietf.org/doc/html/rfc5751#section-2.7) + let key = types::OS_URANDOM.get(py)?.call1((16,))?; + let aes128_algorithm = types::AES128.get(py)?.call1((&key,))?; + let iv = types::OS_URANDOM.get(py)?.call1((16,))?; + let cbc_mode = types::CBC.get(py)?.call1((&iv,))?; + + let encrypted_content = symmetric_encrypt(py, aes128_algorithm, cbc_mode, &data_with_header)?; + + let py_recipients: Vec> = builder + .getattr(pyo3::intern!(py, "_recipients"))? + .extract()?; + + let mut recipient_infos = vec![]; + let padding = types::PKCS1V15.get(py)?.call0()?; + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + for cert in py_recipients.iter() { + // Currently, keys are encrypted with RSA (PKCS #1 v1.5), which the S/MIME v3.2 RFC + // specifies as MUST support (https://datatracker.ietf.org/doc/html/rfc5751#section-2.3) + let encrypted_key = cert + .call_method0(pyo3::intern!(py, "public_key"))? + .call_method1(pyo3::intern!(py, "encrypt"), (&key, &padding))? 
+ .extract::()?; + + recipient_infos.push(pkcs7::RecipientInfo { + version: 0, + issuer_and_serial_number: pkcs7::IssuerAndSerialNumber { + issuer: cert.get().raw.borrow_dependent().tbs_cert.issuer.clone(), + serial_number: cert.get().raw.borrow_dependent().tbs_cert.serial, + }, + key_encryption_algorithm: AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::Rsa(Some(())), + }, + encrypted_key: ka_bytes.add(encrypted_key), + }); + } + + let enveloped_data = pkcs7::EnvelopedData { + version: 0, + recipient_infos: asn1::SetOfWriter::new(&recipient_infos), + + encrypted_content_info: pkcs7::EncryptedContentInfo { + content_type: PKCS7_DATA_OID, + content_encryption_algorithm: AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::Aes128Cbc(iv.extract()?), + }, + encrypted_content: Some(&encrypted_content), + }, + }; + + let content_info = pkcs7::ContentInfo { + _content_type: asn1::DefinedByMarker::marker(), + content: pkcs7::Content::EnvelopedData(asn1::Explicit::new(Box::new(enveloped_data))), + }; + let ci_bytes = asn1::write_single(&content_info)?; + + if encoding.is(&types::ENCODING_SMIME.get(py)?) { + Ok(types::SMIME_ENVELOPED_ENCODE + .get(py)? + .call1((&*ci_bytes,))? + .extract()?) + } else { + // Handles the DER, PEM, and error cases + encode_der_data(py, "PKCS7".to_string(), ci_bytes, encoding) + } +} + #[pyo3::pyfunction] fn sign_and_serialize<'p>( py: pyo3::Python<'p>, @@ -256,7 +343,7 @@ fn sign_and_serialize<'p>( .map(|d| OIDS_TO_MIC_NAME[&d.oid()]) .collect::>() .join(","); - Ok(types::SMIME_ENCODE + Ok(types::SMIME_SIGNED_ENCODE .get(py)? .call1((&*data_without_header, &*ci_bytes, mic_algs, text_mode))? .extract()?) 
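Review bot: `encrypt_and_serialize` trusts that `builder._recipients` is non-empty, since the only guard is the `len(self._recipients) == 0` check in the Python `encrypt` method. If the binding is ever reached without that wrapper, the loop is skipped and `asn1::SetOfWriter::new(&recipient_infos)` serialises an empty recipient set, producing an envelope whose content key was never wrapped for anyone. A cheap check right after `py_recipients` is extracted would keep that invariant next to the code that depends on it: `if py_recipients.is_empty() { return Err(CryptographyError::from(pyo3::exceptions::PyValueError::new_err("Must have at least one recipient"))); }`. The function would also benefit from a short doc comment stating that the Text/Binary exclusivity and the encoding whitelist are enforced by the Python caller, not here.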
@@ -412,8 +499,8 @@ fn load_der_pkcs7_certificates<'p>( pub(crate) mod pkcs7_mod { #[pymodule_export] use super::{ - load_der_pkcs7_certificates, load_pem_pkcs7_certificates, serialize_certificates, - sign_and_serialize, + encrypt_and_serialize, load_der_pkcs7_certificates, load_pem_pkcs7_certificates, + serialize_certificates, sign_and_serialize, }; } diff --git a/src/rust/src/test_support.rs b/src/rust/src/test_support.rs index 8f4599723680..9b37b6c51056 100644 --- a/src/rust/src/test_support.rs +++ b/src/rust/src/test_support.rs 
@@ -103,8 +103,55 @@ fn pkcs7_verify( Ok(()) } +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +#[pyo3::pyfunction] +#[pyo3(signature = (encoding, msg, pkey, cert_recipient, options))] +fn pkcs7_decrypt<'p>( + py: pyo3::Python<'p>, + encoding: pyo3::Bound<'p, pyo3::PyAny>, + msg: CffiBuf<'p>, + pkey: pyo3::Bound<'p, pyo3::PyAny>, + cert_recipient: pyo3::Bound<'p, PyCertificate>, + options: pyo3::Bound<'p, pyo3::types::PyList>, +) -> CryptographyResult> { + let p7 = if encoding.is(&types::ENCODING_DER.get(py)?) { + openssl::pkcs7::Pkcs7::from_der(msg.as_bytes())? + } else if encoding.is(&types::ENCODING_PEM.get(py)?) { + openssl::pkcs7::Pkcs7::from_pem(msg.as_bytes())? + } else { + openssl::pkcs7::Pkcs7::from_smime(msg.as_bytes())?.0 + }; + + let mut flags = openssl::pkcs7::Pkcs7Flags::empty(); + if options.contains(types::PKCS7_TEXT.get(py)?)? { + flags |= openssl::pkcs7::Pkcs7Flags::TEXT; + } + + let cert_der = asn1::write_single(cert_recipient.get().raw.borrow_dependent())?; + let cert_ossl = openssl::x509::X509::from_der(&cert_der)?; + + let der = types::ENCODING_DER.get(py)?; + let pkcs8 = types::PRIVATE_FORMAT_PKCS8.get(py)?; + let no_encryption = types::NO_ENCRYPTION.get(py)?.call0()?; + let pkey_bytes = pkey + .call_method1( + pyo3::intern!(py, "private_bytes"), + (der, pkcs8, no_encryption), + )? + .extract::()?; + + let pkey_ossl = openssl::pkey::PKey::private_key_from_der(&pkey_bytes)?; + + let result = p7.decrypt(&pkey_ossl, &cert_ossl, flags)?; + + Ok(pyo3::types::PyBytes::new_bound(py, &result)) +} + #[pyo3::pymodule] pub(crate) mod test_support { + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + #[pymodule_export] + use super::pkcs7_decrypt; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] #[pymodule_export] use super::pkcs7_verify; diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index a6904398dfe8..5a32fa57d135 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs 
@@ -339,9 +339,14 @@ pub static PKCS7_DETACHED_SIGNATURE: LazyPyImport = LazyPyImport::new( &["PKCS7Options", "DetachedSignature"], ); -pub static SMIME_ENCODE: LazyPyImport = LazyPyImport::new( +pub static SMIME_ENVELOPED_ENCODE: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization.pkcs7", - &["_smime_encode"], + &["_smime_enveloped_encode"], +); + +pub static SMIME_SIGNED_ENCODE: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs7", + &["_smime_signed_encode"], ); pub static PKCS12KEYANDCERTIFICATES: LazyPyImport = LazyPyImport::new( diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 3842fd3ff616..186962eaef73 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -117,7 +117,7 @@ def _load_cert_key(): only_if=lambda backend: backend.pkcs7_supported(), skip_message="Requires OpenSSL with PKCS7 support", ) -class TestPKCS7Builder: +class TestPKCS7SignatureBuilder: def test_invalid_data(self, backend): builder = pkcs7.PKCS7SignatureBuilder() with pytest.raises(TypeError): 
@@ -834,6 +834,242 @@ def test_add_multiple_additional_certs(self, backend): ) +def _load_rsa_cert_key(): + key = load_vectors_from_file( + os.path.join("x509", "custom", "ca", "rsa_key.pem"), + lambda pemfile: serialization.load_pem_private_key( + pemfile.read(), None, unsafe_skip_rsa_key_validation=True + ), + mode="rb", + ) + cert = load_vectors_from_file( + os.path.join("x509", "custom", "ca", "rsa_ca.pem"), + loader=lambda pemfile: x509.load_pem_x509_certificate(pemfile.read()), + mode="rb", + ) + return cert, key + + +@pytest.mark.supported( + only_if=lambda backend: backend.pkcs7_supported() + and backend.rsa_encryption_supported(padding.PKCS1v15()), + skip_message="Requires OpenSSL with PKCS7 support and PKCS1 v1.5 padding " + "support", +) +class TestPKCS7EnvelopeBuilder: + def test_invalid_data(self, backend): + builder = pkcs7.PKCS7EnvelopeBuilder() + with pytest.raises(TypeError): + builder.set_data("not bytes") # type: ignore[arg-type] + + def test_set_data_twice(self, backend): + builder = pkcs7.PKCS7EnvelopeBuilder().set_data(b"test") + with pytest.raises(ValueError): + builder.set_data(b"test") + + def test_encrypt_no_recipient(self, backend): + builder = pkcs7.PKCS7EnvelopeBuilder().set_data(b"test") + with pytest.raises(ValueError): + builder.encrypt(serialization.Encoding.SMIME, []) + + def test_encrypt_no_data(self, backend): + cert, _ = _load_rsa_cert_key() + builder = pkcs7.PKCS7EnvelopeBuilder().add_recipient(cert) + with pytest.raises(ValueError): + builder.encrypt(serialization.Encoding.SMIME, []) + + def test_unsupported_encryption(self, backend): + cert_non_rsa, _ = _load_cert_key() + with pytest.raises(TypeError): + pkcs7.PKCS7EnvelopeBuilder().add_recipient(cert_non_rsa) + + def test_not_a_cert(self, backend): + with pytest.raises(TypeError): + pkcs7.PKCS7EnvelopeBuilder().add_recipient( + b"notacert", # type: ignore[arg-type] + ) + + def test_encrypt_invalid_options(self, backend): + cert, _ = _load_rsa_cert_key() + builder = ( + 
pkcs7.PKCS7EnvelopeBuilder().set_data(b"test").add_recipient(cert) + ) + with pytest.raises(ValueError): + builder.encrypt( + serialization.Encoding.SMIME, + [b"invalid"], # type: ignore[list-item] + ) + + def test_encrypt_invalid_encoding(self, backend): + cert, _ = _load_rsa_cert_key() + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(b"test").add_recipient(cert) + ) + with pytest.raises(ValueError): + builder.encrypt(serialization.Encoding.Raw, []) + + @pytest.mark.parametrize( + "invalid_options", + [ + [pkcs7.PKCS7Options.NoAttributes], + [pkcs7.PKCS7Options.NoCapabilities], + [pkcs7.PKCS7Options.NoCerts], + [pkcs7.PKCS7Options.DetachedSignature], + [pkcs7.PKCS7Options.Binary, pkcs7.PKCS7Options.Text], + ], + ) + def test_encrypt_invalid_encryption_options( + self, backend, invalid_options + ): + cert, _ = _load_rsa_cert_key() + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(b"test").add_recipient(cert) + ) + with pytest.raises(ValueError): + builder.encrypt(serialization.Encoding.DER, invalid_options) + + @pytest.mark.parametrize( + "options", + [ + [pkcs7.PKCS7Options.Text], + [pkcs7.PKCS7Options.Binary], + ], + ) + def test_smime_encrypt_smime_encoding(self, backend, options): + data = b"hello world\n" + cert, private_key = _load_rsa_cert_key() + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(data).add_recipient(cert) + ) + enveloped = builder.encrypt(serialization.Encoding.SMIME, options) + assert b"MIME-Version: 1.0\n" in enveloped + assert b"Content-Transfer-Encoding: base64\n" in enveloped + message = email.parser.BytesParser().parsebytes(enveloped) + assert message.get_content_disposition() == "attachment" + assert message.get_filename() == "smime.p7m" + assert message.get_content_type() == "application/pkcs7-mime" + assert message.get_param("smime-type") == "enveloped-data" + assert message.get_param("name") == "smime.p7m" + + payload = message.get_payload(decode=True) + assert isinstance(payload, bytes) + + # We want to know if we've 
serialized something that has the parameters + # we expect, so we match on specific byte strings of OIDs & DER values. + # OID 2.16.840.1.101.3.4.1.2 (aes128-CBC) + assert b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" in payload + # OID 1.2.840.113549.1.1.1 (rsaEncryption (PKCS #1)) + assert b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" in payload + # cryptography CA (the recipient's Common Name) + assert ( + b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61\x70\x68\x79" + b"\x20\x43\x41" + ) in payload + + decrypted_bytes = test_support.pkcs7_decrypt( + serialization.Encoding.SMIME, + enveloped, + private_key, + cert, + options, + ) + # New lines are canonicalized to '\r\n' when not using Binary + expected_data = ( + data + if pkcs7.PKCS7Options.Binary in options + else data.replace(b"\n", b"\r\n") + ) + assert decrypted_bytes == expected_data + + @pytest.mark.parametrize( + "options", + [ + [pkcs7.PKCS7Options.Text], + [pkcs7.PKCS7Options.Binary], + ], + ) + def test_smime_encrypt_der_encoding(self, backend, options): + data = b"hello world\n" + cert, private_key = _load_rsa_cert_key() + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(data).add_recipient(cert) + ) + enveloped = builder.encrypt(serialization.Encoding.DER, options) + + # We want to know if we've serialized something that has the parameters + # we expect, so we match on specific byte strings of OIDs & DER values. 
+ # OID 2.16.840.1.101.3.4.1.2 (aes128-CBC) + assert b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" in enveloped + # OID 1.2.840.113549.1.1.1 (rsaEncryption (PKCS #1)) + assert b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" in enveloped + # cryptography CA (the recipient's Common Name) + assert ( + b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61\x70\x68\x79" + b"\x20\x43\x41" + ) in enveloped + + decrypted_bytes = test_support.pkcs7_decrypt( + serialization.Encoding.DER, + enveloped, + private_key, + cert, + options, + ) + # New lines are canonicalized to '\r\n' when not using Binary + expected_data = ( + data + if pkcs7.PKCS7Options.Binary in options + else data.replace(b"\n", b"\r\n") + ) + assert decrypted_bytes == expected_data + + @pytest.mark.parametrize( + "options", + [ + [pkcs7.PKCS7Options.Text], + [pkcs7.PKCS7Options.Binary], + ], + ) + def test_smime_encrypt_pem_encoding(self, backend, options): + data = b"hello world\n" + cert, private_key = _load_rsa_cert_key() + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(data).add_recipient(cert) + ) + enveloped = builder.encrypt(serialization.Encoding.PEM, options) + decrypted_bytes = test_support.pkcs7_decrypt( + serialization.Encoding.PEM, + enveloped, + private_key, + cert, + options, + ) + # New lines are canonicalized to '\r\n' when not using Binary + expected_data = ( + data + if pkcs7.PKCS7Options.Binary in options + else data.replace(b"\n", b"\r\n") + ) + assert decrypted_bytes == expected_data + + def test_smime_encrypt_multiple_recipients(self, backend): + data = b"hello world\n" + cert, private_key = _load_rsa_cert_key() + builder = ( + pkcs7.PKCS7EnvelopeBuilder() + .set_data(data) + .add_recipient(cert) + .add_recipient(cert) + ) + enveloped = builder.encrypt(serialization.Encoding.DER, []) + # cryptography CA (the recipient's Common Name) + common_name_bytes = ( + b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61" + b"\x70\x68\x79\x20\x43\x41" + ) + assert enveloped.count(common_name_bytes) == 2 
+ + @pytest.mark.supported( only_if=lambda backend: backend.pkcs7_supported(), skip_message="Requires OpenSSL with PKCS7 support", @@ -921,3 +1157,14 @@ def test_pkcs7_functions_unsupported(self): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_SERIALIZATION): pkcs7.load_pem_pkcs7_certificates(b"nonsense") + + +@pytest.mark.supported( + only_if=lambda backend: backend.pkcs7_supported() + and not backend.rsa_encryption_supported(padding.PKCS1v15()), + skip_message="Requires OpenSSL with no PKCS1 v1.5 padding support", +) +class TestPKCS7EnvelopeBuilderUnsupported: + def test_envelope_builder_unsupported(self, backend): + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_PADDING): + pkcs7.PKCS7EnvelopeBuilder() From 6af06f339fa4d8150078c45041b04d124168275b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 19 Jul 2024 00:15:38 +0000 Subject: [PATCH 0850/1462] Bump BoringSSL and/or OpenSSL in CI (#11296) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 78fdf4e6c543..60ce535ff902 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
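Review bot: `test_smime_encrypt_multiple_recipients` adds the same certificate twice and only counts occurrences of the Common Name bytes, so it never checks that the wrapped key in each RecipientInfo actually decrypts; `private_key` is loaded and left unused. A regression that wrote a wrong `encrypted_key` for the second recipient would still pass. I would finish the test with a round trip, `decrypted = test_support.pkcs7_decrypt(serialization.Encoding.DER, enveloped, private_key, cert, [])` followed by `assert decrypted == data.replace(b"\n", b"\r\n")`. If the vectors include a second RSA certificate and key, using two distinct recipients and decrypting once per key would cover the per-recipient path properly.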
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 18, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "82f9853fc7d7360ae44f1e1357a6422c5244bbd8"}} - # Latest commit on the OpenSSL master branch, as of Jul 18, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cf3d65b8664f11904ad34f21fe78a6694f23ae62"}} + # Latest commit on the OpenSSL master branch, as of Jul 19, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "50066236eb3b31c93aaa935ca38f5cc1ec056696"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From a8cf6b42e9b7b766b9310d841dd85de3bcb9ab5c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Jul 2024 07:04:16 -0400 Subject: [PATCH 0851/1462] Bump cc from 1.1.5 to 1.1.6 in /src/rust (#11297) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.5 to 1.1.6. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.5...cc-v1.1.6) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 93a0cdd29c5a..3b48a8027e9d 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.5" +version = "1.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "324c74f2155653c90b04f25b2a47a8a631360cb908f92a772695f430c7e31052" +checksum = "2aba8f4e9906c7ce3c73463f62a7f0c65183ada1a2d47e397cc8810827f9694f" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 38122b95b75c..1fe7f92e9e7b 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.1.5" +cc = "1.1.6" From 64acba749db6992e9c8202ea31682b3096cb909c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Jul 2024 07:21:05 -0400 Subject: [PATCH 0852/1462] Bump setuptools from 71.0.1 to 71.0.3 in /.github/requirements (#11300) Bumps [setuptools](https://github.com/pypa/setuptools) from 71.0.1 to 71.0.3. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v71.0.1...v71.0.3) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 2aebb5ca4e6c..cbcfc1f9f731 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt 
@@ -83,7 +83,7 @@ tomli==2.0.1 \ # via maturin # The following packages are considered to be unsafe in a requirements file: -setuptools==71.0.1 \ - --hash=sha256:1eb8ef012efae7f6acbc53ec0abde4bc6746c43087fd215ee09e1df48998711f \ - --hash=sha256:c51d7fd29843aa18dad362d4b4ecd917022131425438251f4e3d766c964dd1ad +setuptools==71.0.3 \ + --hash=sha256:3d8531791a27056f4a38cd3e54084d8b1c4228ff9cf3f2d7dd075ec99f9fd70d \ + --hash=sha256:f501b6e6db709818dc76882582d9c516bf3b67b948864c5fa1d1624c09a49207 # via -r build-requirements.in From cf8ac6da9e0974df32d30899db59fe9cc0eec3c3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Jul 2024 07:21:36 -0400 Subject: [PATCH 0853/1462] Bump sphinx from 7.4.5 to 7.4.6 (#11299) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.4.5 to 7.4.6. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.4.5...v7.4.6) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index a8103c276da4..93f6947e2c03 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -109,7 +109,7 @@ ruff==0.5.2 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx -sphinx==7.4.5 +sphinx==7.4.6 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From d6dd0f4ba9d8cd89356741fd003db2527d6ce224 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Jul 2024 11:28:57 +0000 Subject: [PATCH 0854/1462] Bump ruff from 0.5.2 to 0.5.3 (#11298) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.5.2 to 0.5.3. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.5.2...0.5.3) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 93f6947e2c03..6f668ef05061 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.5.2 +ruff==0.5.3 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 5fb13adf97e2fa68e71999e877deafeb80e83645 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 00:15:47 +0000 Subject: [PATCH 0855/1462] Bump BoringSSL and/or OpenSSL in CI (#11301) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 60ce535ff902..71e32e2a3afe 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 18, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "82f9853fc7d7360ae44f1e1357a6422c5244bbd8"}} - # Latest commit on the OpenSSL master branch, as of Jul 19, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "50066236eb3b31c93aaa935ca38f5cc1ec056696"}} + # Latest commit on the OpenSSL master branch, as of Jul 20, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "98afa01f3e02fba18f9203b2451113df8f247f7c"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 7249ccd5c658e2965909d970cc9735ae7f049d15 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 01:37:48 +0000 Subject: [PATCH 0856/1462] Bump portable-atomic from 1.6.0 to 1.7.0 in /src/rust (#11302) Bumps [portable-atomic](https://github.com/taiki-e/portable-atomic) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/taiki-e/portable-atomic/releases) - [Changelog](https://github.com/taiki-e/portable-atomic/blob/main/CHANGELOG.md) - [Commits](https://github.com/taiki-e/portable-atomic/compare/v1.6.0...v1.7.0) --- updated-dependencies: - dependency-name: portable-atomic dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 3b48a8027e9d..7a8f30f51a3c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -232,9 +232,9 @@ checksum = "d231b230927b5e4ad203db57bbcbee2802f6bce620b1e4a9024a07d94e2907ec" [[package]] name = "portable-atomic" -version = "1.6.0" +version = "1.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" +checksum = "da544ee218f0d287a911e9c99a39a8c9bc8fcad3cb8db5959940044ecfc67265" [[package]] name = "proc-macro2" From ee24e827fc226ad8dc9edacf3dbe1823602d0a8b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Jul 2024 21:40:16 -0400 Subject: [PATCH 0857/1462] Bump setuptools from 71.0.3 to 71.0.4 in /.github/requirements (#11304) Bumps [setuptools](https://github.com/pypa/setuptools) from 71.0.3 to 71.0.4. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v71.0.3...v71.0.4) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index cbcfc1f9f731..39b8c2f5bf99 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt 
@@ -83,7 +83,7 @@ tomli==2.0.1 \ # via maturin # The following packages are considered to be unsafe in a requirements file: -setuptools==71.0.3 \ - --hash=sha256:3d8531791a27056f4a38cd3e54084d8b1c4228ff9cf3f2d7dd075ec99f9fd70d \ - --hash=sha256:f501b6e6db709818dc76882582d9c516bf3b67b948864c5fa1d1624c09a49207 +setuptools==71.0.4 \ + --hash=sha256:48297e5d393a62b7cb2a10b8f76c63a73af933bd809c9e0d0d6352a1a0135dd8 \ + --hash=sha256:ed2feca703be3bdbd94e6bb17365d91c6935c6b2a8d0bb09b66a2c435ba0b1a5 # via -r build-requirements.in From 2fe32b28b05d8918dda6f7a34e6d9d4148dde818 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 01:42:49 +0000 Subject: [PATCH 0858/1462] Bump mypy from 1.10.1 to 1.11.0 (#11303) Bumps [mypy](https://github.com/python/mypy) from 1.10.1 to 1.11.0. - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.10.1...v1.11) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6f668ef05061..818725867f3b 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -52,7 +52,7 @@ jinja2==3.1.4 # via sphinx markupsafe==2.1.5 # via jinja2 -mypy==1.10.1 +mypy==1.11.0 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy From a8fcf18ee0bb0570bd4c9041cf387dc7a9c1968a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 13:42:57 +0000 Subject: [PATCH 0859/1462] Bump openssl-sys from 0.9.102 to 0.9.103 in /src/rust (#11305) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.102 to 0.9.103. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.102...openssl-sys-v0.9.103) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 7a8f30f51a3c..a041c8f77405 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -205,9 +205,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.102" +version = "0.9.103" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c597637d56fbc83893a35eb0dd04b2b8e7a50c91e64e9493e398b5df4fb45fa2" +checksum = "7f9e8deee91df40a943c71b917e5874b951d32a802526c85721ce3b776c929d6" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index e3263a9ecbfa..aecbe37fc7f7 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -27,7 +27,7 @@ cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.64" -openssl-sys = "0.9.102" +openssl-sys = "0.9.103" foreign-types-shared = "0.1" self_cell = "1" 
diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 1fe7f92e9e7b..f983dbdda143 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -8,7 +8,7 @@ rust-version.workspace = true [dependencies] pyo3 = { version = "0.22.2", features = ["abi3"] } -openssl-sys = "0.9.102" +openssl-sys = "0.9.103" [build-dependencies] cc = "1.1.6" diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index 6a9d6797b982..fadf07cc9e62 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -10,5 +10,5 @@ rust-version.workspace = true asn1 = { version = "0.16.2", default-features = false } cfg-if = "1" openssl = "0.10.64" -openssl-sys = "0.9.102" +openssl-sys = "0.9.103" cryptography-x509 = { path = "../cryptography-x509" } From f66a9c4b4fe9b87825872fef7a36c319b823f322 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 13:44:07 +0000 Subject: [PATCH 0860/1462] Bump sphinxcontrib-htmlhelp from 2.0.5 to 2.0.6 (#11306) Bumps [sphinxcontrib-htmlhelp](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp) from 2.0.5 to 2.0.6. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/compare/2.0.5...2.0.6) --- updated-dependencies: - dependency-name: sphinxcontrib-htmlhelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 818725867f3b..877d26c3f27d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -126,7 +126,7 @@ sphinxcontrib-applehelp==1.0.8 # via sphinx sphinxcontrib-devhelp==1.0.6 # via sphinx -sphinxcontrib-htmlhelp==2.0.5 +sphinxcontrib-htmlhelp==2.0.6 # via sphinx sphinxcontrib-jquery==4.1 # via sphinx-rtd-theme From 4310c8727b50fa5f713a0e863ee3defc0c831921 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 13:44:45 +0000 Subject: [PATCH 0861/1462] Bump sphinxcontrib-qthelp from 1.0.7 to 1.0.8 (#11307) Bumps [sphinxcontrib-qthelp](https://github.com/sphinx-doc/sphinxcontrib-qthelp) from 1.0.7 to 1.0.8. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-qthelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-qthelp/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-qthelp/compare/1.0.7...1.0.8) --- updated-dependencies: - dependency-name: sphinxcontrib-qthelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 877d26c3f27d..5470019ce0ef 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -132,7 +132,7 @@ sphinxcontrib-jquery==4.1 # via sphinx-rtd-theme sphinxcontrib-jsmath==1.0.1 # via sphinx -sphinxcontrib-qthelp==1.0.7 +sphinxcontrib-qthelp==1.0.8 # via sphinx sphinxcontrib-serializinghtml==1.1.10 # via sphinx From ccc66e6cdf92f4c29012f86f44ad183161eccaad Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 14:07:47 +0000 Subject: [PATCH 0862/1462] Bump openssl from 0.10.64 to 0.10.65 in /src/rust (#11308) Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.64 to 0.10.65. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.64...openssl-v0.10.65) --- updated-dependencies: - dependency-name: openssl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index a041c8f77405..fe3398f25393 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -179,9 +179,9 @@ checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" [[package]] name = "openssl" -version = "0.10.64" +version = "0.10.65" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f" +checksum = "c2823eb4c6453ed64055057ea8bd416eda38c71018723869dd043a3b1186115e" dependencies = [ "bitflags", "cfg-if", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index aecbe37fc7f7..d58ee9e7ec28 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -26,7 +26,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } -openssl = "0.10.64" +openssl = "0.10.65" openssl-sys = "0.9.103" foreign-types-shared = "0.1" self_cell = "1" 
diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index fadf07cc9e62..d1f945f961a0 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -9,6 +9,6 @@ rust-version.workspace = true [dependencies] asn1 = { version = "0.16.2", default-features = false } cfg-if = "1" -openssl = "0.10.64" +openssl = "0.10.65" openssl-sys = "0.9.103" cryptography-x509 = { path = "../cryptography-x509" } diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index f2dc5100e6fd..c0f3f5d72ce1 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,7 +8,7 @@ rust-version.workspace = true [dependencies] cfg-if = "1" -openssl = "0.10.64" +openssl = "0.10.65" ffi = { package = "openssl-sys", version = "0.9.101" } foreign-types = "0.3" foreign-types-shared = "0.1" From 2dbdfb8f3913cb9cef08218fcd48a9b4eaa8b57d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 20 Jul 2024 10:49:54 -0400 Subject: [PATCH 0863/1462] don't assign unused name (#11310) --- tests/hazmat/primitives/test_pkcs7.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 186962eaef73..63641d61d412 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -1054,7 +1054,7 @@ def test_smime_encrypt_pem_encoding(self, backend, options): def test_smime_encrypt_multiple_recipients(self, backend): data = b"hello world\n" - cert, private_key = _load_rsa_cert_key() + cert, _ = _load_rsa_cert_key() builder = ( pkcs7.PKCS7EnvelopeBuilder() .set_data(data) From 42788a0353e0ca0d922b6b8b9bde77cbb1c65984 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Sat, 20 Jul 2024 11:05:18 -0400 Subject: [PATCH 0864/1462] Fix exchange with keys that had Q automatically computed (#11309) fixes #10790 closes #10864 closes #11218 --- docs/development/test-vectors.rst | 4 +++ src/rust/cryptography-key-parsing/src/spki.rs | 8 +----- src/rust/src/backend/dh.rs | 26 ++++--------------- tests/hazmat/primitives/test_dh.py | 10 +++++++ .../asymmetric/DH/dhpub_cryptography_old.pem | 15 +++++++++++ 5 files changed, 35 insertions(+), 28 deletions(-) create mode 100644 vectors/cryptography_vectors/asymmetric/DH/dhpub_cryptography_old.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 4f564d79b24f..c906f611ceff 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -224,6 +224,10 @@ Key exchange * ``vectors/cryptoraphy_vectors/asymmetric/ECDH/brainpool.txt`` contains Brainpool vectors from :rfc:`7027`. +* ``vectors/cryptography_vectors/asymmetric/DH/dhpub_cryptography_old.pem`` + contains a Diffie-Hellman public key generated with a previous version of + ``cryptography``. + X.509 ~~~~~ diff --git a/src/rust/cryptography-key-parsing/src/spki.rs b/src/rust/cryptography-key-parsing/src/spki.rs index 68f2f33e06e3..db4f69d94d10 100644 --- a/src/rust/cryptography-key-parsing/src/spki.rs +++ b/src/rust/cryptography-key-parsing/src/spki.rs @@ -114,13 +114,7 @@ pub fn parse_public_key( let pub_key = openssl::bn::BigNum::from_slice(pub_key_int.as_bytes())?; let dh = dh.set_public_key(pub_key)?; - cfg_if::cfg_if! { - if #[cfg(CRYPTOGRAPHY_IS_LIBRESSL)] { - Ok(openssl::pkey::PKey::from_dh(dh)?) - } else { - Ok(openssl::pkey::PKey::from_dhx(dh)?) - } - } + Ok(openssl::pkey::PKey::from_dh(dh)?) } #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] AlgorithmParameters::DhKeyAgreement(dh_params) => { diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 883277e35017..e6cdbb67c7c1 100644 --- a/src/rust/src/backend/dh.rs 
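Review bot: The match arm that ends at the top of the spki.rs hunk now always builds the key with `openssl::pkey::PKey::from_dh(dh)?`, and nothing in the code records why `from_dhx` must stay out. The same applies to the call sites in dh.rs, where the removed `pkey_from_dh` helper used to pick `from_dhx` whenever `prime_q()` was set. A later cleanup could plausibly reintroduce the q-based branch, so a short comment at the spki.rs call would help, for example `// Intentionally from_dh even when q is present; see #10790.` The arm begins outside the hunk, and the serialization paths are not shown. It is therefore worth confirming with a round-trip test that keys carrying q still serialize in the expected form now that they are no longer created through `from_dhx`.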
+++ b/src/rust/src/backend/dh.rs @@ -70,23 +70,6 @@ pub(crate) fn public_key_from_pkey( } } -#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] -fn pkey_from_dh( - dh: openssl::dh::Dh, -) -> CryptographyResult> { - cfg_if::cfg_if! { - if #[cfg(CRYPTOGRAPHY_IS_LIBRESSL)] { - Ok(openssl::pkey::PKey::from_dh(dh)?) - } else { - if dh.prime_q().is_some() { - Ok(openssl::pkey::PKey::from_dhx(dh)?) - } else { - Ok(openssl::pkey::PKey::from_dh(dh)?) - } - } - } -} - #[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn from_der_parameters( @@ -214,7 +197,8 @@ impl DHPrivateKey { let orig_dh = self.pkey.dh().unwrap(); let dh = clone_dh(&orig_dh)?; - let pkey = pkey_from_dh(dh.set_public_key(orig_dh.public_key().to_owned()?)?)?; + let pkey = + openssl::pkey::PKey::from_dh(dh.set_public_key(orig_dh.public_key().to_owned()?)?)?; Ok(DHPublicKey { pkey }) } @@ -322,7 +306,7 @@ impl DHParameters { fn generate_private_key(&self) -> CryptographyResult { let dh = clone_dh(&self.dh)?.generate_key()?; Ok(DHPrivateKey { - pkey: pkey_from_dh(dh)?, + pkey: openssl::pkey::PKey::from_dh(dh)?, }) } @@ -435,7 +419,7 @@ impl DHPrivateNumbers { )); } - let pkey = pkey_from_dh(dh)?; + let pkey = openssl::pkey::PKey::from_dh(dh)?; Ok(DHPrivateKey { pkey }) } @@ -478,7 +462,7 @@ impl DHPublicNumbers { let pub_key = utils::py_int_to_bn(py, self.y.bind(py))?; - let pkey = pkey_from_dh(dh.set_public_key(pub_key)?)?; + let pkey = openssl::pkey::PKey::from_dh(dh.set_public_key(pub_key)?)?; Ok(DHPublicKey { pkey }) } diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py index d287d29460ae..c1f847a212a1 100644 --- a/tests/hazmat/primitives/test_dh.py +++ b/tests/hazmat/primitives/test_dh.py 
@@ -441,6 +441,16 @@ def test_dh_vectors_with_q(self, backend, vector): assert int.from_bytes(symkey1, "big") == int(vector["z"], 16) assert int.from_bytes(symkey2, "big") == int(vector["z"], 16) + def test_exchange_old_key(self, backend): + k = load_vectors_from_file( + os.path.join("asymmetric", "DH", "dhpub_cryptography_old.pem"), + lambda f: serialization.load_pem_public_key(f.read()), + mode="rb", + ) + assert isinstance(k, dh.DHPublicKey) + # Ensure this doesn't raise. + k.parameters().generate_private_key().exchange(k) + def test_public_key_equality(self, backend): key_bytes = load_vectors_from_file( os.path.join("asymmetric", "DH", "dhpub.pem"), diff --git a/vectors/cryptography_vectors/asymmetric/DH/dhpub_cryptography_old.pem b/vectors/cryptography_vectors/asymmetric/DH/dhpub_cryptography_old.pem new file mode 100644 index 000000000000..22f9caaa13e0 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/DH/dhpub_cryptography_old.pem @@ -0,0 +1,15 @@ +-----BEGIN PUBLIC KEY----- +MIICJTCCARcGCSqGSIb3DQEDATCCAQgCggEBAP//////////yQ/aoiFowjTExmKL +gNwc0SkCTgiKZ8x0Agu+pjsTmyJRSgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVt +bVHCReSFtXZiXn7G9ExC6aY37WsL/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR +7ORbPcIAfLihY78FmNpINhxV05ppFj+o/STPX4NlXSPco62WHGLzViCFUrue1SkH +cJaWbWcMNU5KvJgE8XRsCMoYIXwykF5GLjbOO+OedywYDoY DmyeDouwHoo+1xV3w +b0xSyd4ry/aVWBcYOZVJfOqVauUV0iYYmPoFEBVyjlqKrKpo//////////8CAQID +ggEGAAKCAQEAoely6vSHw+/Q3zGYLaJj7eeQkfd25K8SvtC+FMY9D7jwS4g71pyr +U3FJ98Fi45Wdksh+d4u7U089trF5Xbgui29bZ0HcQZtfHEEz0Mh69tkipCm2/QIj +6eDlo6sPk9hhhvgg4MMGiWKhCtHrub3x1FHdmf7KjOhrGeb5apiudo7blGFzGhZ3 +NFnbff+ArVNd+rdVmSoZn0aMhXRConlDu/44IYe5/24VLl7G+BzZlIZO4P2M83fd +mBOvR13cmYssQjEFTbaZVQvQHa3t0+aywfdCgsXGmTTK6QDCBP8D+vf1bmhEswzs +oYn1GLtJ3VyYyMBPDBomd2ctchZgTzsX1w== +-----END PUBLIC KEY----- + From ebf14f2edc8536f36797979cb0e075e766d978c5 Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Sat, 20 Jul 2024 09:28:42 -0700 Subject: [PATCH 0865/1462] bump for 43.0.0 and update changelog (#11311) * bump for 43.0.0 and update changelog * fix nox * fix flake and name better * more noxfile update --- CHANGELOG.rst | 7 +++---- noxfile.py | 13 ++++--------- pyproject.toml | 4 ++-- src/cryptography/__about__.py | 2 +- vectors/cryptography_vectors/__about__.py | 2 +- vectors/pyproject.toml | 2 +- 6 files changed, 12 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index ea62a5351efd..1dcf602eebf8 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -3,14 +3,13 @@ Changelog .. _v43-0-0: -43.0.0 - `main`_ -~~~~~~~~~~~~~~~~ - -.. note:: This version is not yet released and is under active development. +43.0.0 - 2024-07-20 +~~~~~~~~~~~~~~~~~~~ * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL less than 1.1.1e has been removed. Users on older version of OpenSSL will need to upgrade. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.8. +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.3.1. * Updated the minimum supported Rust version (MSRV) to 1.65.0, from 1.63.0. * :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still diff --git a/noxfile.py b/noxfile.py index 91fcb8710eb3..e3eb7274ae5a 100644 --- a/noxfile.py +++ b/noxfile.py @@ -65,8 +65,8 @@ def tests(session: nox.Session) -> None: } ) - install(session, f".[{extras}]") install(session, "-e", "./vectors") + install(session, f".[{extras}]") session.run("pip", "list") @@ -169,6 +169,7 @@ def flake(session: nox.Session) -> None: # TODO: Ideally there'd be a pip flag to install just our dependencies, # but not install us. pyproject_data = load_pyproject_toml() + install(session, "-e", "vectors/") install( session, *pyproject_data["build-system"]["requires"], 
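Review bot: Moving `install(session, "-e", "./vectors")` ahead of `install(session, f".[{extras}]")` in `tests` creates an ordering requirement that is not written down, and the same holds for the matching moves in `flake` and `local`. Presumably the in-tree vectors must already be installed so that the `cryptography_vectors` requirement of the `test` extra is satisfied by the checkout instead of being resolved from the package index. If so, that is a property worth protecting in a crypto library's CI. I would add a comment above the first call in each session, such as `# Install the in-tree vectors first so the test extra's cryptography_vectors requirement is met locally.` The session functions start and end outside these hunks, so whether `extras` always includes `test` needs confirming.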
@@ -177,7 +178,6 @@ def flake(session: nox.Session) -> None: *pyproject_data["project"]["optional-dependencies"]["ssh"], *pyproject_data["project"]["optional-dependencies"]["nox"], ) - install(session, "-e", "vectors/") session.run("ruff", "check", ".") session.run("ruff", "format", "--check", ".") @@ -254,19 +254,14 @@ def rust(session: nox.Session) -> None: @nox.session(venv_backend="uv") def local(session): pyproject_data = load_pyproject_toml() - test_dependencies = pyproject_data["project"]["optional-dependencies"][ - "test" - ] - test_dependencies.remove("cryptography_vectors") + install(session, "-e", "./vectors") install( session, *pyproject_data["build-system"]["requires"], *pyproject_data["project"]["optional-dependencies"]["pep8test"], - *test_dependencies, + *pyproject_data["project"]["optional-dependencies"]["test"], *pyproject_data["project"]["optional-dependencies"]["ssh"], *pyproject_data["project"]["optional-dependencies"]["nox"], - "-e", - "./vectors/", verbose=False, ) diff --git a/pyproject.toml b/pyproject.toml index 4cfc675e2556..5f1bcc75f511 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -14,7 +14,7 @@ build-backend = "maturin" [project] name = "cryptography" -version = "43.0.0.dev1" +version = "43.0.0" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] @@ -64,7 +64,7 @@ ssh = ["bcrypt >=3.1.5"] # All the following are used for our own testing. nox = ["nox"] test = [ - "cryptography_vectors", + "cryptography_vectors==43.0.0", "pytest >=6.2.0", "pytest-benchmark", "pytest-cov", diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index 0087b1720f0e..4362aed1edfa 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -10,7 +10,7 @@ "__version__", ] -__version__ = "43.0.0.dev1" +__version__ = "43.0.0" __author__ = "The Python Cryptographic Authority and individual contributors" 
diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py index 4f859faec08c..8115d70aaaa8 100644 --- a/vectors/cryptography_vectors/__about__.py +++ b/vectors/cryptography_vectors/__about__.py @@ -6,4 +6,4 @@ "__version__", ] -__version__ = "43.0.0.dev1" +__version__ = "43.0.0" diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index 99021511a0cd..c2ae77d2c684 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi" [project] name = "cryptography_vectors" -version = "43.0.0.dev1" +version = "43.0.0" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] From 7e033c18a6ccc8cd5d7e3c6efdd1bc2bc9c6bce7 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 20 Jul 2024 09:55:35 -0700 Subject: [PATCH 0866/1462] reopen for 44 (#11312) --- CHANGELOG.rst | 8 ++++++++ pyproject.toml | 4 ++-- src/cryptography/__about__.py | 2 +- vectors/cryptography_vectors/__about__.py | 2 +- vectors/pyproject.toml | 2 +- 5 files changed, 13 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 1dcf602eebf8..ea0a119733af 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,14 @@ Changelog ========= +.. _v44-0-0: + +44.0.0 - `main`_ +~~~~~~~~~~~~~~~~ + +.. note:: This version is not yet released and is under active development. + + .. _v43-0-0: 43.0.0 - 2024-07-20 diff --git a/pyproject.toml b/pyproject.toml index 5f1bcc75f511..23338b2f2b70 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -14,7 +14,7 @@ build-backend = "maturin" [project] name = "cryptography" -version = "43.0.0" +version = "44.0.0.dev1" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] 
@@ -64,7 +64,7 @@ ssh = ["bcrypt >=3.1.5"] # All the following are used for our own testing. nox = ["nox"] test = [ - "cryptography_vectors==43.0.0", + "cryptography_vectors", "pytest >=6.2.0", "pytest-benchmark", "pytest-cov", diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index 4362aed1edfa..1cd38fc44d53 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -10,7 +10,7 @@ "__version__", ] -__version__ = "43.0.0" +__version__ = "44.0.0.dev1" __author__ = "The Python Cryptographic Authority and individual contributors" diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py index 8115d70aaaa8..64b3ee956012 100644 --- a/vectors/cryptography_vectors/__about__.py +++ b/vectors/cryptography_vectors/__about__.py @@ -6,4 +6,4 @@ "__version__", ] -__version__ = "43.0.0" +__version__ = "44.0.0.dev1" diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index c2ae77d2c684..eaa231e141fd 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi" [project] name = "cryptography_vectors" -version = "43.0.0" +version = "44.0.0.dev1" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] From cf895444addee7aff668f5ecd8d9394502dedbe4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 20 Jul 2024 14:34:06 -0400 Subject: [PATCH 0867/1462] Disable verbosity when installing vectors in local noxfile (#11313) --- noxfile.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/noxfile.py b/noxfile.py index e3eb7274ae5a..1b57f444fb66 100644 --- a/noxfile.py +++ b/noxfile.py 
@@ -254,7 +254,7 @@ def rust(session: nox.Session) -> None: @nox.session(venv_backend="uv") def local(session): pyproject_data = load_pyproject_toml() - install(session, "-e", "./vectors") + install(session, "-e", "./vectors", verbose=False) install( session, *pyproject_data["build-system"]["requires"], From 7d86b98946198aaf34077242cc584f5f6fc74aa5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 20:21:11 +0000 Subject: [PATCH 0868/1462] Bump sphinx from 7.4.6 to 7.4.7 (#11314) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.4.6 to 7.4.7. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.4.6...v7.4.7) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 5470019ce0ef..5c3f0dbdd5e4 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -109,7 +109,7 @@ ruff==0.5.3 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx -sphinx==7.4.6 +sphinx==7.4.7 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From ce31feb8fc455234ff3f6544a4eeff067b519c98 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 20:21:29 +0000 Subject: [PATCH 0869/1462] Bump ruff from 0.5.3 to 0.5.4 (#11315) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.5.3 to 0.5.4. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.5.3...0.5.4) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 5c3f0dbdd5e4..9e904759748a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.5.3 +ruff==0.5.4 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 671e24a006bfd239107819280688deb364fc057c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 20:24:30 +0000 Subject: [PATCH 0870/1462] Bump pytest from 8.2.2 to 8.3.1 (#11316) Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.2.2 to 8.3.1. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/8.2.2...8.3.1) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 9e904759748a..7a1a9cc775f5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -86,7 +86,7 @@ pygments==2.18.0 # sphinx pyproject-hooks==1.1.0 # via build -pytest==8.2.2; python_version >= "3.8" +pytest==8.3.1; python_version >= "3.8" # via # cryptography (pyproject.toml) # pytest-benchmark From da28d05b48d8e06dd15e5ab6bb4803da6b475dd6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 20 Jul 2024 18:54:14 -0400 Subject: [PATCH 0871/1462] Migrate checking if a hash is supported to Rust (#11317) --- .../hazmat/backends/openssl/backend.py | 14 +------------- .../hazmat/bindings/_rust/openssl/hashes.pyi | 2 ++ src/rust/src/backend/hashes.rs | 7 ++++++- 3 files changed, 9 insertions(+), 14 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index c87d3e848236..d31b039add0e 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py 
@@ -101,23 +101,11 @@ def openssl_version_text(self) -> str: def openssl_version_number(self) -> int: return rust_openssl.openssl_version() - def _evp_md_from_algorithm(self, algorithm: hashes.HashAlgorithm): - if algorithm.name in ("blake2b", "blake2s"): - alg = f"{algorithm.name}{algorithm.digest_size * 8}".encode( - "ascii" - ) - else: - alg = algorithm.name.encode("ascii") - - evp_md = self._lib.EVP_get_digestbyname(alg) - return evp_md - def hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool: if self._fips_enabled and not isinstance(algorithm, self._fips_hashes): return False - evp_md = self._evp_md_from_algorithm(algorithm) - return evp_md != self._ffi.NULL + return rust_openssl.hashes.hash_supported(algorithm) def signature_hash_supported( self, algorithm: hashes.HashAlgorithm diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/hashes.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/hashes.pyi index ca5f42a00615..56f317001629 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/hashes.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/hashes.pyi @@ -15,3 +15,5 @@ class Hash(hashes.HashContext): def update(self, data: bytes) -> None: ... def finalize(self) -> bytes: ... def copy(self) -> Hash: ... + +def hash_supported(algorithm: hashes.HashAlgorithm) -> bool: ... diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index 4226b4b7dbb9..e6c86e92514c 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs @@ -72,6 +72,11 @@ pub(crate) fn message_digest_from_algorithm( } } +#[pyo3::pyfunction] +fn hash_supported(py: pyo3::Python<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>) -> bool { + message_digest_from_algorithm(py, &algorithm).is_ok() +} + impl Hash { pub(crate) fn update_bytes(&mut self, data: &[u8]) -> CryptographyResult<()> { self.get_mut_ctx()?.update(data)?; 
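Review bot: `hash_supported` in hashes.rs collapses every error from `message_digest_from_algorithm` into `false` through `.is_ok()`. A failure other than "the backend does not know this digest" would therefore be reported as an unsupported hash instead of being surfaced. The helper's body is outside the hunk, so which errors it can return needs confirming. The removed Python `_evp_md_from_algorithm` read `algorithm.name` directly and would have raised on a wrong-typed argument. If the helper can fail for such reasons, consider matching on the unsupported-algorithm case and propagating the rest. At minimum, document the behaviour on the function with `/// Returns false for any error from message_digest_from_algorithm, not only for unsupported algorithms.`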
@@ -141,5 +146,5 @@ impl Hash { #[pyo3::pymodule] pub(crate) mod hashes { #[pymodule_export] - use super::Hash; + use super::{hash_supported, Hash}; } From 0e175c7505ee9ede94c0b914727f0b0cde6a5769 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 20 Jul 2024 21:59:28 -0400 Subject: [PATCH 0872/1462] Remove unused bindings (#11318) --- src/_cffi_src/openssl/x509.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index 0c25c5d1aa87..8527a85eeb9f 100644 --- a/src/_cffi_src/openssl/x509.py +++ b/src/_cffi_src/openssl/x509.py @@ -46,8 +46,6 @@ EVP_PKEY *X509_get_pubkey(X509 *); int X509_set_pubkey(X509 *, EVP_PKEY *); -unsigned char *X509_alias_get0(X509 *, int *); -int X509_alias_set1(X509 *, const unsigned char *, int); int X509_sign(X509 *, EVP_PKEY *, const EVP_MD *); int X509_digest(const X509 *, const EVP_MD *, unsigned char *, unsigned int *); From 9389c0a7bcfed3f0b31ca9b646d292ade8bc51d2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 21 Jul 2024 16:36:43 +0000 Subject: [PATCH 0873/1462] Bump openssl from 0.10.65 to 0.10.66 in /src/rust (#11320) Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.65 to 0.10.66. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.65...openssl-v0.10.66) --- updated-dependencies: - dependency-name: openssl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index fe3398f25393..c5a020fc8f10 100644 
--- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -179,9 +179,9 @@ checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" [[package]] name = "openssl" -version = "0.10.65" +version = "0.10.66" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c2823eb4c6453ed64055057ea8bd416eda38c71018723869dd043a3b1186115e" +checksum = "9529f4786b70a3e8c61e11179af17ab6188ad8d0ded78c5529441ed39d4bd9c1" dependencies = [ "bitflags", "cfg-if", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index d58ee9e7ec28..4a91705de96c 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -26,7 +26,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } -openssl = "0.10.65" +openssl = "0.10.66" openssl-sys = "0.9.103" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index d1f945f961a0..e88e3bc9e691 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -9,6 +9,6 @@ rust-version.workspace = true [dependencies] asn1 = { version = "0.16.2", default-features = false } cfg-if = "1" -openssl = "0.10.65" +openssl = "0.10.66" openssl-sys = "0.9.103" cryptography-x509 = { path = "../cryptography-x509" } diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index c0f3f5d72ce1..f340ed87cf53 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,7 +8,7 @@ rust-version.workspace = true [dependencies] cfg-if = "1" -openssl = "0.10.65" +openssl = "0.10.66" ffi = { package = "openssl-sys", version = "0.9.101" } foreign-types = "0.3" foreign-types-shared = "0.1" 
From ad28f564d84e1a9644b6bd8b42a9361a04557447 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 21 Jul 2024 12:42:35 -0400 Subject: [PATCH 0874/1462] Bump setuptools from 71.0.4 to 71.1.0 in /.github/requirements (#11321) Bumps [setuptools](https://github.com/pypa/setuptools) from 71.0.4 to 71.1.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v71.0.4...v71.1.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 39b8c2f5bf99..c2a0ed7c0429 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -83,7 +83,7 @@ tomli==2.0.1 \ # via maturin # The following packages are considered to be unsafe in a requirements file: -setuptools==71.0.4 \ - --hash=sha256:48297e5d393a62b7cb2a10b8f76c63a73af933bd809c9e0d0d6352a1a0135dd8 \ - --hash=sha256:ed2feca703be3bdbd94e6bb17365d91c6935c6b2a8d0bb09b66a2c435ba0b1a5 +setuptools==71.1.0 \ + --hash=sha256:032d42ee9fb536e33087fb66cac5f840eb9391ed05637b3f2a76a7c8fb477936 \ + --hash=sha256:33874fdc59b3188304b2e7c80d9029097ea31627180896fb549c578ceb8a0855 # via -r build-requirements.in From d2e277729e29ac8142b158236f668cce50ea0490 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 22 Jul 2024 00:16:51 +0000 Subject: [PATCH 0875/1462] Bump BoringSSL and/or OpenSSL in CI (#11326) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 71e32e2a3afe..b4c10864ed72 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 18, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "82f9853fc7d7360ae44f1e1357a6422c5244bbd8"}} - # Latest commit on the OpenSSL master branch, as of Jul 20, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "98afa01f3e02fba18f9203b2451113df8f247f7c"}} + # Latest commit on the OpenSSL master branch, as of Jul 22, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a4fd94851261c55f9ad020bf22d4f29bda0b58be"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From ad40369cca783cb324a00dfc7ca279741c1c958a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 22 Jul 2024 00:32:30 -0400 Subject: [PATCH 0876/1462] Remove unused bio binding (#11327) --- src/_cffi_src/openssl/bio.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/_cffi_src/openssl/bio.py b/src/_cffi_src/openssl/bio.py index 1742e348122a..7cd94e37fd15 100644 --- a/src/_cffi_src/openssl/bio.py +++ b/src/_cffi_src/openssl/bio.py @@ -29,7 +29,6 @@ int BIO_should_write(BIO *); int BIO_should_io_special(BIO *); int BIO_should_retry(BIO *); -int BIO_reset(BIO *); BIO_ADDR *BIO_ADDR_new(void); void BIO_ADDR_free(BIO_ADDR *); From ad7990293c129202eefc7147e528db805e100440 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jul 2024 11:10:42 +0000 Subject: [PATCH 0877/1462] Bump syn from 2.0.71 to 2.0.72 in /src/rust (#11330) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.71 to 2.0.72. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.71...2.0.72) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index c5a020fc8f10..254cbd5fd03f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -325,9 +325,9 @@ checksum = "d369a96f978623eb3dc28807c4852d6cc617fed53da5d3c400feff1ef34a714a" [[package]] name = "syn" -version = "2.0.71" +version = "2.0.72" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b146dcf730474b4bcd16c311627b31ede9ab149045db4d6088b3becaea046462" +checksum = "dc4b9b9bf2add8093d3f2c0204471e951b2285580335de42f9d2534f3ae7a8af" dependencies = [ "proc-macro2", "quote", From a1ac7dd005e003255f83404d15d920e1f72c4f69 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 22 Jul 2024 14:18:02 -0400 Subject: [PATCH 0878/1462] Handle spaces in paths in pypi-publish.yml (#11334) --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 58313276fdd2..7d84714f173e 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml 
@@ -88,7 +88,7 @@ jobs: f.write(f"TWINE_PASSWORD={pypi_token}\n") shell: python - - run: twine upload --skip-existing $(find dist/ -type f -name 'cryptography*') + - run: find dist/ -type f -name 'cryptography*' -print0 | xargs -0 twine upload --skip-existing # Do not perform attestation for things for TestPyPI. This is because # there's nothing that would prevent a malicious PyPI from serving a From 2c5664b93bb422b88b693d3767d02dfb7e307e80 Mon Sep 17 00:00:00 2001 From: DandyDrop <94701539+DandyDrop@users.noreply.github.com> Date: Mon, 22 Jul 2024 21:40:21 +0300 Subject: [PATCH 0879/1462] Update fernet.rst (#11335) --- docs/fernet.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/fernet.rst b/docs/fernet.rst index b55ecea3206a..80e06db9341a 100644 --- a/docs/fernet.rst +++ b/docs/fernet.rst @@ -33,7 +33,7 @@ has support for implementing key rotation via :class:`MultiFernet`. Generates a fresh fernet key. Keep this some place safe! If you lose it you'll no longer be able to decrypt messages; if anyone else gains access to it, they'll be able to decrypt all of your messages, and - they'll also be able forge arbitrary messages that will be + they'll also be able to forge arbitrary messages that will be authenticated and decrypted. .. method:: encrypt(data) From 3f4130fc4abdc8cc8f925fa8c6240b4bb595a2fd Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 22 Jul 2024 17:30:10 -0700 Subject: [PATCH 0880/1462] Bump BoringSSL and/or OpenSSL in CI (#11336) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b4c10864ed72..3c64e3a88489 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
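Review bot: The new `find dist/ ... -print0 | xargs -0 twine upload --skip-existing` step takes its exit status from `xargs` alone, so an error from `find` (for example a missing or unreadable `dist/`) does not by itself fail the step. No `shell:` key is visible for this step in the hunk, and without one GitHub Actions runs bash without pipefail unless the workflow sets a default elsewhere. For a release upload I would make the failure mode explicit by adding `shell: bash` to the step, or by starting the command with `set -o pipefail;`. The surrounding job definition is outside the hunk, so a job-level default may already cover this.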
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jul 18, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "82f9853fc7d7360ae44f1e1357a6422c5244bbd8"}} - # Latest commit on the OpenSSL master branch, as of Jul 22, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a4fd94851261c55f9ad020bf22d4f29bda0b58be"}} + # Latest commit on the BoringSSL master branch, as of Jul 23, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9cffd74fdb65c69506a0ce1b19420a67ad0cb19e"}} + # Latest commit on the OpenSSL master branch, as of Jul 23, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "aececda752d182f271bf2263f5ef9020a64668c5"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 6eaf08da1a4e4e5b7ecf6b2c92b0c800cf476d51 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 23 Jul 2024 00:32:56 +0000 Subject: [PATCH 0881/1462] Bump x509-limbo and/or wycheproof in CI (#11337) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index bfa92a923487..27285a0424aa 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jul 17, 2024. - ref: "fb3e03cd0e686ed06a6a118e372df709f480d6a4" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jul 23, 2024. + ref: "2ee086bf51374c1f65eacd23d5241fa7daf8f2b3" # x509-limbo-ref From d34498eacfe96775c2ca49866fe3f4a152c1238a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 23 Jul 2024 20:24:47 -0700 Subject: [PATCH 0882/1462] Bump x509-limbo and/or wycheproof in CI (#11340) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 27285a0424aa..5a2d087f9ae1 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jul 23, 2024. - ref: "2ee086bf51374c1f65eacd23d5241fa7daf8f2b3" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jul 24, 2024. + ref: "74eb21a7e67e0275bdcaa703c6a2be21d5bec06f" # x509-limbo-ref From 4b339f51205488fa936550723edecced2967292d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 24 Jul 2024 00:32:19 -0400 Subject: [PATCH 0883/1462] Bump BoringSSL and/or OpenSSL in CI (#11339) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3c64e3a88489..509891f571fb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 23, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9cffd74fdb65c69506a0ce1b19420a67ad0cb19e"}} - # Latest commit on the OpenSSL master branch, as of Jul 23, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "aececda752d182f271bf2263f5ef9020a64668c5"}} + # Latest commit on the OpenSSL master branch, as of Jul 24, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4f619ca622b6c36626ddc9a04b0b8589d7802dc0"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From b22014b07e8569989eec0df29e12b76b03e2add0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Jul 2024 06:47:36 -0400 Subject: [PATCH 0884/1462] Bump importlib-metadata from 8.0.0 to 8.1.0 in /.github/requirements (#11341) Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 8.0.0 to 8.1.0. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v8.0.0...v8.1.0) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 3b6ecfbc46cd..bea2dd568730 100644 --- a/.github/requirements/publish-requirements.txt 
+++ b/.github/requirements/publish-requirements.txt @@ -200,9 +200,9 @@ idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 # via requests -importlib-metadata==8.0.0 \ - --hash=sha256:15584cf2b1bf449d98ff8a6ff1abef57bf20f3ac6454f431736cd3e660921b2f \ - --hash=sha256:188bd24e4c346d3f0a933f275c2fec67050326a856b9a359881d7c2a697e8812 +importlib-metadata==8.1.0 \ + --hash=sha256:3cd29f739ed65973840b068e3132135ce954c254d48b5b640484467ef7ab3c8c \ + --hash=sha256:fcdcb1d5ead7bdf3dd32657bb94ebe9d2aabfe89a19782ddc32da5041d6ebfb4 # via # keyring # twine From 180c880001eb771e7ce6d61d91a3d30d4ae287ff Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 24 Jul 2024 18:21:49 -0700 Subject: [PATCH 0885/1462] Bump BoringSSL and/or OpenSSL in CI (#11343) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 509891f571fb..2691485f1866 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 23, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9cffd74fdb65c69506a0ce1b19420a67ad0cb19e"}} - # Latest commit on the OpenSSL master branch, as of Jul 24, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4f619ca622b6c36626ddc9a04b0b8589d7802dc0"}} + # Latest commit on the OpenSSL master branch, as of Jul 25, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3c6e11495975a4eda4cc5886080afed6203711ac"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 3f32de6b7e3af6d9b9e2b10d2e9631d087c5bbd1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Jul 2024 07:54:16 -0400 Subject: [PATCH 0886/1462] Bump importlib-metadata from 8.1.0 to 8.2.0 in /.github/requirements (#11345) Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 8.1.0 to 8.2.0. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v8.1.0...v8.2.0) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index bea2dd568730..ef7eea26f78d 100644 --- a/.github/requirements/publish-requirements.txt 
+++ b/.github/requirements/publish-requirements.txt @@ -200,9 +200,9 @@ idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 # via requests -importlib-metadata==8.1.0 \ - --hash=sha256:3cd29f739ed65973840b068e3132135ce954c254d48b5b640484467ef7ab3c8c \ - --hash=sha256:fcdcb1d5ead7bdf3dd32657bb94ebe9d2aabfe89a19782ddc32da5041d6ebfb4 +importlib-metadata==8.2.0 \ + --hash=sha256:11901fa0c2f97919b288679932bb64febaeacf289d18ac84dd68cb2e74213369 \ + --hash=sha256:72e8d4399996132204f9a16dcc751af254a48f8d1b20b9ff0f98d4a8f901e73d # via # keyring # twine From 3782008f99cf4aec930b0f625247d87d9bccca84 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Jul 2024 07:54:46 -0400 Subject: [PATCH 0887/1462] Bump pytest from 8.3.1 to 8.3.2 (#11344) Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.3.1 to 8.3.2. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/8.3.1...8.3.2) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 7a1a9cc775f5..93842c3e5ce7 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -86,7 +86,7 @@ pygments==2.18.0 # sphinx pyproject-hooks==1.1.0 # via build -pytest==8.3.1; python_version >= "3.8" +pytest==8.3.2; python_version >= "3.8" # via # cryptography (pyproject.toml) # pytest-benchmark 
From badd57e0ad8196b3aaefa209e6b5c37b5872223f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 26 Jul 2024 00:15:42 +0000 Subject: [PATCH 0888/1462] Bump BoringSSL and/or OpenSSL in CI (#11346) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2691485f1866..c48aef93f8b9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jul 23, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9cffd74fdb65c69506a0ce1b19420a67ad0cb19e"}} - # Latest commit on the OpenSSL master branch, as of Jul 25, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3c6e11495975a4eda4cc5886080afed6203711ac"}} + # Latest commit on the BoringSSL master branch, as of Jul 26, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7a6e828dc53ba9a56bd49915f2a0780d63af97d2"}} + # Latest commit on the OpenSSL master branch, as of Jul 26, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "85caa417e0915aaae9fa6f87ccfa6c4c79b41dbb"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 58668e1c4b72549f6120153ae5f194f379c49d7c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Jul 2024 06:43:44 -0400 Subject: [PATCH 0889/1462] Bump ruff from 0.5.4 to 0.5.5 (#11347) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.5.4 to 0.5.5. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.5.4...0.5.5) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 93842c3e5ce7..794ced953123 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.5.4 +ruff==0.5.5 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 61c850c93cd39e46dacc2358325ef0dc0f2d1daa Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 26 Jul 2024 10:34:15 -0400 Subject: [PATCH 0890/1462] Delete src/_cffi_src/openssl/pkcs7.py (#11348) We already weren't building this (oops) --- src/_cffi_src/openssl/pkcs7.py | 21 --------------------- 1 file changed, 21 deletions(-) delete mode 100644 src/_cffi_src/openssl/pkcs7.py diff --git a/src/_cffi_src/openssl/pkcs7.py b/src/_cffi_src/openssl/pkcs7.py deleted file mode 100644 index 27631f48c04d..000000000000 --- a/src/_cffi_src/openssl/pkcs7.py +++ /dev/null 
@@ -1,21 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -INCLUDES = """ -#include -""" - -TYPES = """ -typedef ... PKCS7; -""" - -FUNCTIONS = """ -void PKCS7_free(PKCS7 *); -PKCS7 *SMIME_read_PKCS7(BIO *, BIO **); -""" - -CUSTOMIZATIONS = """ -""" From 74d4e3346a01dcbc713977230586f0d53f6aa7a6 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 27 Jul 2024 13:19:04 +0000 Subject: [PATCH 0891/1462] Bump BoringSSL and/or OpenSSL in CI (#11350) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c48aef93f8b9..53741286400b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 26, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7a6e828dc53ba9a56bd49915f2a0780d63af97d2"}} - # Latest commit on the OpenSSL master branch, as of Jul 26, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "85caa417e0915aaae9fa6f87ccfa6c4c79b41dbb"}} + # Latest commit on the OpenSSL master branch, as of Jul 27, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "32185d513cf8732ee0a85875ac61ee4389a86bbb"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From edc43b1d69c7606fd2c7e7e1ace1b6312d8b9565 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 27 Jul 2024 17:56:25 -0700 Subject: [PATCH 0892/1462] Bump BoringSSL and/or OpenSSL in CI (#11351) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 53741286400b..6bbfb9a03804 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 26, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7a6e828dc53ba9a56bd49915f2a0780d63af97d2"}} - # Latest commit on the OpenSSL master branch, as of Jul 27, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "32185d513cf8732ee0a85875ac61ee4389a86bbb"}} + # Latest commit on the OpenSSL master branch, as of Jul 28, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4811efe12fd1af9554718ae15996470a5c2ecd70"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 95675b821a2e81cf6c90f3930c8965069c42fecc Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 00:16:45 +0000 Subject: [PATCH 0893/1462] Bump BoringSSL and/or OpenSSL in CI (#11353) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6bbfb9a03804..1264d6ebf893 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 26, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7a6e828dc53ba9a56bd49915f2a0780d63af97d2"}} - # Latest commit on the OpenSSL master branch, as of Jul 28, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4811efe12fd1af9554718ae15996470a5c2ecd70"}} + # Latest commit on the OpenSSL master branch, as of Jul 29, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9c57eb736e9f4d63380d31f37c6c2a1fa267df9b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From c7fcdf966233a5ce3525baf7d843e6c8b3495a27 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 07:08:04 -0400 Subject: [PATCH 0894/1462] Bump sphinxcontrib-serializinghtml from 1.1.10 to 2.0.0 (#11354) Bumps [sphinxcontrib-serializinghtml](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml) from 1.1.10 to 2.0.0. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml/compare/1.1.10...2.0.0) --- updated-dependencies: - dependency-name: sphinxcontrib-serializinghtml dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 794ced953123..bb60e4ddb200 100644 
--- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -134,7 +134,7 @@ sphinxcontrib-jsmath==1.0.1 # via sphinx sphinxcontrib-qthelp==1.0.8 # via sphinx -sphinxcontrib-serializinghtml==1.1.10 +sphinxcontrib-serializinghtml==2.0.0 # via sphinx sphinxcontrib-spelling==8.0.0 # via cryptography (pyproject.toml) From b57c82b4c7ae24f7a2be37c3e101ddcf5f3bb11b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 07:08:46 -0400 Subject: [PATCH 0895/1462] Bump sphinxcontrib-htmlhelp from 2.0.6 to 2.1.0 (#11355) Bumps [sphinxcontrib-htmlhelp](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp) from 2.0.6 to 2.1.0. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/compare/2.0.6...2.1.0) --- updated-dependencies: - dependency-name: sphinxcontrib-htmlhelp dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index bb60e4ddb200..fd33e8db1df3 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -126,7 +126,7 @@ sphinxcontrib-applehelp==1.0.8 # via sphinx sphinxcontrib-devhelp==1.0.6 # via sphinx -sphinxcontrib-htmlhelp==2.0.6 +sphinxcontrib-htmlhelp==2.1.0 # via sphinx sphinxcontrib-jquery==4.1 # via sphinx-rtd-theme From d13c8b5186ad94c7873fa4ab371506a1efac9028 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 07:12:08 -0400 Subject: [PATCH 0896/1462] Bump setuptools from 71.1.0 to 72.0.0 in /.github/requirements (#11360) Bumps [setuptools](https://github.com/pypa/setuptools) from 71.1.0 to 72.0.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v71.1.0...v72.0.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index c2a0ed7c0429..0db587795776 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -83,7 +83,7 @@ tomli==2.0.1 \ # via maturin # The following packages are considered to be unsafe in a requirements file: -setuptools==71.1.0 \ - --hash=sha256:032d42ee9fb536e33087fb66cac5f840eb9391ed05637b3f2a76a7c8fb477936 \ - --hash=sha256:33874fdc59b3188304b2e7c80d9029097ea31627180896fb549c578ceb8a0855 +setuptools==72.0.0 \ + --hash=sha256:5a0d9c6a2f332881a0153f629d8000118efd33255cfa802757924c53312c76da \ + --hash=sha256:98b4d786a12fadd34eabf69e8d014b84e5fc655981e4ff419994700434ace132 # via -r build-requirements.in From 773162c42a5615782772c37426ff59d4fc5794b5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:19:19 +0000 Subject: [PATCH 0897/1462] Bump sphinxcontrib-applehelp from 1.0.8 to 2.0.0 (#11358) Bumps [sphinxcontrib-applehelp](https://github.com/sphinx-doc/sphinxcontrib-applehelp) from 1.0.8 to 2.0.0. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-applehelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-applehelp/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-applehelp/compare/1.0.8...2.0.0) --- updated-dependencies: - dependency-name: sphinxcontrib-applehelp dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index fd33e8db1df3..c23f334f8049 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -122,7 +122,7 @@ sphinx==7.4.7 # sphinxcontrib-spelling sphinx-rtd-theme==2.0.0 # via cryptography (pyproject.toml) -sphinxcontrib-applehelp==1.0.8 +sphinxcontrib-applehelp==2.0.0 # via sphinx sphinxcontrib-devhelp==1.0.6 # via sphinx From f5981839d6f75a889a4ae819af2f4c18262914b9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:19:29 +0000 Subject: [PATCH 0898/1462] Bump sphinxcontrib-devhelp from 1.0.6 to 2.0.0 (#11356) Bumps [sphinxcontrib-devhelp](https://github.com/sphinx-doc/sphinxcontrib-devhelp) from 1.0.6 to 2.0.0. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-devhelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-devhelp/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-devhelp/compare/1.0.6...2.0.0) --- updated-dependencies: - dependency-name: sphinxcontrib-devhelp dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c23f334f8049..c73f54ea219f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -124,7 +124,7 @@ sphinx-rtd-theme==2.0.0 # via cryptography (pyproject.toml) sphinxcontrib-applehelp==2.0.0 # via sphinx -sphinxcontrib-devhelp==1.0.6 +sphinxcontrib-devhelp==2.0.0 # via sphinx sphinxcontrib-htmlhelp==2.1.0 # via sphinx From ba1892da5ab6815d384f3e5841be89733468f244 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:23:33 +0000 Subject: [PATCH 0899/1462] Bump sphinxcontrib-qthelp from 1.0.8 to 2.0.0 (#11357) Bumps [sphinxcontrib-qthelp](https://github.com/sphinx-doc/sphinxcontrib-qthelp) from 1.0.8 to 2.0.0. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-qthelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-qthelp/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-qthelp/compare/1.0.8...2.0.0) --- updated-dependencies: - dependency-name: sphinxcontrib-qthelp dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c73f54ea219f..e9e4c8e461d2 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -132,7 +132,7 @@ sphinxcontrib-jquery==4.1 # via sphinx-rtd-theme sphinxcontrib-jsmath==1.0.1 # via sphinx -sphinxcontrib-qthelp==1.0.8 +sphinxcontrib-qthelp==2.0.0 # via sphinx sphinxcontrib-serializinghtml==2.0.0 # via sphinx From e3523eab76d7f1a2e6d0c3be66fd4a422d50aa8c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 16:27:31 +0000 Subject: [PATCH 0900/1462] Bump cc from 1.1.6 to 1.1.7 in /src/rust (#11362) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.6 to 1.1.7. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.6...cc-v1.1.7) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 254cbd5fd03f..9c6111a1d55c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.6" +version = "1.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2aba8f4e9906c7ce3c73463f62a7f0c65183ada1a2d47e397cc8810827f9694f" +checksum = "26a5c3fd7bfa1ce3897a3a3501d362b2d87b7f2583ebcb4a949ec25911025cbc" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index f983dbdda143..93f1712b9b57 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.2", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.6" +cc = "1.1.7" From a5d43eefeb0b2858780d62b546bf2396fbd525db Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 12:28:59 -0400 Subject: [PATCH 0901/1462] Bump setuptools from 72.0.0 to 72.1.0 in /.github/requirements (#11363) Bumps [setuptools](https://github.com/pypa/setuptools) from 72.0.0 to 72.1.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v72.0.0...v72.1.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 0db587795776..37bd3968e640 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -83,7 +83,7 @@ tomli==2.0.1 \ # via maturin # The following packages are considered to be unsafe in a requirements file: -setuptools==72.0.0 \ - --hash=sha256:5a0d9c6a2f332881a0153f629d8000118efd33255cfa802757924c53312c76da \ - --hash=sha256:98b4d786a12fadd34eabf69e8d014b84e5fc655981e4ff419994700434ace132 +setuptools==72.1.0 \ + --hash=sha256:5a03e1860cf56bb6ef48ce186b0e557fdba433237481a9a625176c2831be15d1 \ + --hash=sha256:8d243eff56d095e5817f796ede6ae32941278f542e0f941867cc05ae52b162ec # via -r build-requirements.in From b372eb98515b42e31be81637236dc5712c66e713 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 30 Jul 2024 00:16:53 +0000 Subject: [PATCH 0902/1462] Bump BoringSSL and/or OpenSSL in CI (#11366) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1264d6ebf893..3325ca1b3a1f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 26, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7a6e828dc53ba9a56bd49915f2a0780d63af97d2"}} - # Latest commit on the OpenSSL master branch, as of Jul 29, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9c57eb736e9f4d63380d31f37c6c2a1fa267df9b"}} + # Latest commit on the OpenSSL master branch, as of Jul 30, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "07e4d7f4747005e3ce56423182ad047eb05d8e16"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 9078a13d4a9e8ca33d0bd6367889d049d3d93a2d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 30 Jul 2024 00:31:57 +0000 Subject: [PATCH 0903/1462] Bump x509-limbo and/or wycheproof in CI (#11367) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 5a2d087f9ae1..b29f0a5b2bb4 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jul 24, 2024. - ref: "74eb21a7e67e0275bdcaa703c6a2be21d5bec06f" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jul 30, 2024. + ref: "90654348f454dab05323a4c2f0d7b3dcbd94778c" # x509-limbo-ref From 7228536038d9863d7ef79033ae0e05cf209e3f62 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 29 Jul 2024 23:47:01 -0400 Subject: [PATCH 0904/1462] Use type alias for EKU (#11368) --- src/rust/src/x509/certificate.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 810d7aa991c6..075c258074ef 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -9,8 +9,8 @@ use cryptography_x509::certificate::Certificate as RawCertificate; use cryptography_x509::common::{AlgorithmParameters, Asn1ReadableOrWritable}; use cryptography_x509::extensions::{ AuthorityKeyIdentifier, BasicConstraints, DisplayText, DistributionPoint, - DistributionPointName, DuplicateExtensionsError, IssuerAlternativeName, KeyUsage, - MSCertificateTemplate, NameConstraints, PolicyConstraints, PolicyInformation, + DistributionPointName, DuplicateExtensionsError, ExtendedKeyUsage, IssuerAlternativeName, + KeyUsage, MSCertificateTemplate, NameConstraints, PolicyConstraints, PolicyInformation, PolicyQualifierInfo, Qualifier, RawExtensions, SequenceOfAccessDescriptions, SequenceOfSubtrees, UserNotice, }; @@ -768,7 +768,7 @@ pub fn parse_cert_ext<'p>( } oid::EXTENDED_KEY_USAGE_OID => { let ekus = pyo3::types::PyList::empty_bound(py); - for oid in ext.value::>()? { + for oid in ext.value::>()? { let oid_obj = oid_to_py_oid(py, &oid)?; ekus.append(oid_obj)?; } From 7d818e6e3321e6f05c27bd8440b55b0ef77f3f39 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 31 Jul 2024 00:15:59 +0000 Subject: [PATCH 0905/1462] Bump BoringSSL and/or OpenSSL in CI (#11371) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3325ca1b3a1f..df78eb58a1b9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 26, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7a6e828dc53ba9a56bd49915f2a0780d63af97d2"}} - # Latest commit on the OpenSSL master branch, as of Jul 30, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "07e4d7f4747005e3ce56423182ad047eb05d8e16"}} + # Latest commit on the OpenSSL master branch, as of Jul 31, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4f5febe2c684a803553171940634c1b6f4b7ba40"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 4d5253c17580485ed684b3c9e08c97a630f76c1a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 30 Jul 2024 18:20:30 -0700 Subject: [PATCH 0906/1462] Bump x509-limbo and/or wycheproof in CI (#11372) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index b29f0a5b2bb4..40fabe0b3c38 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jul 30, 2024. - ref: "90654348f454dab05323a4c2f0d7b3dcbd94778c" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jul 31, 2024. + ref: "3554c5db615a22b248a2928e89ea32e3e87f375f" # x509-limbo-ref From 623387f347cf43835e7bfd3608f3a5a77387d8e7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 31 Jul 2024 06:53:08 -0400 Subject: [PATCH 0907/1462] Bump mypy from 1.11.0 to 1.11.1 (#11373) Bumps [mypy](https://github.com/python/mypy) from 1.11.0 to 1.11.1. - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.11...v1.11.1) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e9e4c8e461d2..6ba8bf23fde9 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -52,7 +52,7 @@ jinja2==3.1.4 # via sphinx markupsafe==2.1.5 # via jinja2 -mypy==1.11.0 +mypy==1.11.1 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy From cb064b8f81e20ce8aacb8e1be3c85ccadf2ba9b6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 31 Jul 2024 06:53:23 -0400 Subject: [PATCH 0908/1462] Bump target-lexicon from 0.12.15 to 0.12.16 in /src/rust (#11374) Bumps [target-lexicon](https://github.com/bytecodealliance/target-lexicon) from 0.12.15 to 0.12.16. - [Commits](https://github.com/bytecodealliance/target-lexicon/compare/v0.12.15...v0.12.16) --- updated-dependencies: - dependency-name: target-lexicon dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 9c6111a1d55c..dc11d64a3914 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -336,9 +336,9 @@ dependencies = [ [[package]] name = "target-lexicon" -version = "0.12.15" +version = "0.12.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4873307b7c257eddcb50c9bedf158eb669578359fb28428bef438fec8e6ba7c2" +checksum = "61c41af27dd6d1e27b1b16b489db798443478cef1f06a660c96db617ba5de3b1" [[package]] name = "unicode-ident" From bf9e7838c671d2123e2f896f498057b21a7ee0d0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 31 Jul 2024 11:15:06 +0000 Subject: [PATCH 0909/1462] Bump actions/attest-build-provenance from 1.3.3 to 1.4.0 (#11375) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.3.3 to 1.4.0. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/5e9cb68e95676991667494a6a4e59b8a2f13e1d0...210c1913531870065f03ce1f9440dd87bc0938cd) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 7d84714f173e..f0bab7385dc2 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -93,7 +93,7 @@ jobs: # Do not perform attestation for things for TestPyPI. This is because # there's nothing that would prevent a malicious PyPI from serving a # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3 + - uses: actions/attest-build-provenance@210c1913531870065f03ce1f9440dd87bc0938cd # v1.4.0 with: subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' From 817a1f451508ec8306242ec81a1fba7c75e3e5f1 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 31 Jul 2024 17:25:43 -0700 Subject: [PATCH 0910/1462] Bump BoringSSL and/or OpenSSL in CI (#11377) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index df78eb58a1b9..715aad888459 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 26, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7a6e828dc53ba9a56bd49915f2a0780d63af97d2"}} - # Latest commit on the OpenSSL master branch, as of Jul 31, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4f5febe2c684a803553171940634c1b6f4b7ba40"}} + # Latest commit on the OpenSSL master branch, as of Aug 01, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "96b59ec4b61e10b1b2eb705a4f8f06ea5f976d08"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From ae1d300f8b0774b95a365ebda4b1046010be2f1e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 1 Aug 2024 21:00:25 +0000 Subject: [PATCH 0911/1462] Bump asn1 from 0.16.2 to 0.17.0 in /src/rust (#11378) Bumps [asn1](https://github.com/alex/rust-asn1) from 0.16.2 to 0.17.0. - [Commits](https://github.com/alex/rust-asn1/compare/0.16.2...0.17.0) --- updated-dependencies: - dependency-name: asn1 dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 8 ++++---- src/rust/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-x509-verification/Cargo.toml | 2 +- src/rust/cryptography-x509/Cargo.toml | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index dc11d64a3914..fb141392928b 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -4,18 +4,18 @@ version = 3 [[package]] name = "asn1" -version = "0.16.2" +version = "0.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "532ceda058281b62096b2add4ab00ab3a453d30dee28b8890f62461a0109ebbd" +checksum = "147a10032de7d9e6f21c3f1cb1c9c0f94cf30ef67f38310588fe6cfa53e0d3f0" dependencies = [ "asn1_derive", ] [[package]] name = "asn1_derive" -version = "0.16.2" +version = "0.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "56e6076d38cc17cc22b0f65f31170a2ee1975e6b07f0012893aefd86ce19c987" +checksum = "3df30ecdcaf8338675a1413460a1b11df89789e1fcc6a10dc52f6e38b6982aa2" dependencies = [ "proc-macro2", "quote", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 4a91705de96c..c157ce70e1c0 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -18,7 +18,7 @@ rust-version.workspace = true once_cell = "1" cfg-if = "1" pyo3 = { version = "0.22.2", features = ["abi3"] } -asn1 = { version = "0.16.2", default-features = false } +asn1 = { version = "0.17.0", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } cryptography-key-parsing = { path = "cryptography-key-parsing" } diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index e88e3bc9e691..1dcaaf4e3f1c 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml 
+++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -7,7 +7,7 @@ publish.workspace = true rust-version.workspace = true [dependencies] -asn1 = { version = "0.16.2", default-features = false } +asn1 = { version = "0.17.0", default-features = false } cfg-if = "1" openssl = "0.10.66" openssl-sys = "0.9.103" diff --git a/src/rust/cryptography-x509-verification/Cargo.toml b/src/rust/cryptography-x509-verification/Cargo.toml index 2e1e7495af0a..4e1f713f2d7a 100644 --- a/src/rust/cryptography-x509-verification/Cargo.toml +++ b/src/rust/cryptography-x509-verification/Cargo.toml @@ -7,7 +7,7 @@ publish.workspace = true rust-version.workspace = true [dependencies] -asn1 = { version = "0.16.2", default-features = false } +asn1 = { version = "0.17.0", default-features = false } cryptography-x509 = { path = "../cryptography-x509" } cryptography-key-parsing = { path = "../cryptography-key-parsing" } once_cell = "1" diff --git a/src/rust/cryptography-x509/Cargo.toml b/src/rust/cryptography-x509/Cargo.toml index 8da775c34647..e6dc7b741b97 100644 --- a/src/rust/cryptography-x509/Cargo.toml +++ b/src/rust/cryptography-x509/Cargo.toml @@ -8,4 +8,4 @@ publish = false rust-version = "1.65.0" [dependencies] -asn1 = { version = "0.16.2", default-features = false } +asn1 = { version = "0.17.0", default-features = false } From 47278ad83c4b2f349f81880f560982712930ea0d Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 1 Aug 2024 17:02:29 -0400 Subject: [PATCH 0912/1462] Bump jaraco-functools from 4.0.1 to 4.0.2 in /.github/requirements (#11379) Bumps [jaraco-functools](https://github.com/jaraco/jaraco.functools) from 4.0.1 to 4.0.2. - [Release notes](https://github.com/jaraco/jaraco.functools/releases) - [Changelog](https://github.com/jaraco/jaraco.functools/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/jaraco.functools/compare/v4.0.1...v4.0.2) --- updated-dependencies: - dependency-name: jaraco-functools dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index ef7eea26f78d..4fdc671d394f 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -214,9 +214,9 @@ jaraco-context==5.3.0 \ --hash=sha256:3e16388f7da43d384a1a7cd3452e72e14732ac9fe459678773a3608a812bf266 \ --hash=sha256:c2f67165ce1f9be20f32f650f25d8edfc1646a8aeee48ae06fb35f90763576d2 # via keyring -jaraco-functools==4.0.1 \ - --hash=sha256:3b24ccb921d6b593bdceb56ce14799204f473976e2a9d4b15b04d0f2c2326664 \ - --hash=sha256:d33fa765374c0611b52f8b3a795f8900869aa88c84769d4d1746cd68fb28c3e8 +jaraco-functools==4.0.2 \ + --hash=sha256:3460c74cd0d32bf82b9576bbb3527c4364d5b27a21f5158a62aed6c4b42e23f5 \ + --hash=sha256:c9d16a3ed4ccb5a889ad8e0b7a343401ee5b2a71cee6ed192d3f68bc351e94e3 # via keyring jeepney==0.8.0 \ --hash=sha256:5efe48d255973902f6badc3ce55e2aa6c5c3b3bc642059ef3a91247bcfcc5806 \ From 5f20b23dc6ed872568a7ab924d0c19c9dd391700 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Thu, 1 Aug 2024 17:12:01 -0400 Subject: [PATCH 0913/1462] Added additional notes to cert verification docs (#11380) Closes #11376 --- docs/x509/verification.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index ab360417b482..b0e1daee2994 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -76,6 +76,9 @@ the root of trust: >>> with open(certifi.where(), "rb") as pems: ... store = Store(load_pem_x509_certificates(pems.read())) >>> builder = PolicyBuilder().store(store) + >>> # See the documentation on `time` below for more details. If + >>> # significant time passes between creating a verifier and performing a + >>> # verification, you may encounter issues with certificate expiration. >>> builder = builder.time(verification_time) >>> verifier = builder.build_server_verifier(DNSName("cryptography.io")) >>> # NOTE: peer and untrusted_intermediates are Certificate and From e1d545265e062ab83b03fc7eb95a558aff8b04ad Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 2 Aug 2024 00:17:25 +0000 Subject: [PATCH 0914/1462] Bump BoringSSL and/or OpenSSL in CI (#11381) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 715aad888459..aea4dbab8d4a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 26, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7a6e828dc53ba9a56bd49915f2a0780d63af97d2"}} - # Latest commit on the OpenSSL master branch, as of Aug 01, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "96b59ec4b61e10b1b2eb705a4f8f06ea5f976d08"}} + # Latest commit on the OpenSSL master branch, as of Aug 02, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ed7a8bfd7409ac4a516581f1711d98a9362a70d5"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 2315512c615cbe3336a44e21d592416a80d0aeb9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 2 Aug 2024 10:24:50 -0400 Subject: [PATCH 0915/1462] Bump cryptography in publish-requirements.txt (#11382) For some reason dependabot is erroring on this --- .github/requirements/publish-requirements.txt | 61 +++++++++---------- 1 file changed, 28 insertions(+), 33 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 4fdc671d394f..f4110e5265e2 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -158,39 +158,34 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==42.0.8 \ - --hash=sha256:013629ae70b40af70c9a7a5db40abe5d9054e6f4380e50ce769947b73bf3caad \ - --hash=sha256:2346b911eb349ab547076f47f2e035fc8ff2c02380a7cbbf8d87114fa0f1c583 \ - --hash=sha256:2f66d9cd9147ee495a8374a45ca445819f8929a3efcd2e3df6428e46c3cbb10b \ - --hash=sha256:2f88d197e66c65be5e42cd72e5c18afbfae3f741742070e3019ac8f4ac57262c \ - --hash=sha256:31f721658a29331f895a5a54e7e82075554ccfb8b163a18719d342f5ffe5ecb1 \ - --hash=sha256:343728aac38decfdeecf55ecab3264b015be68fc2816ca800db649607aeee648 \ - --hash=sha256:5226d5d21ab681f432a9c1cf8b658c0cb02533eece706b155e5fbd8a0cdd3949 \ - --hash=sha256:57080dee41209e556a9a4ce60d229244f7a66ef52750f813bfbe18959770cfba \ - --hash=sha256:5a94eccb2a81a309806027e1670a358b99b8fe8bfe9f8d329f27d72c094dde8c \ - --hash=sha256:6b7c4f03ce01afd3b76cf69a5455caa9cfa3de8c8f493e0d3ab7d20611c8dae9 \ - --hash=sha256:7016f837e15b0a1c119d27ecd89b3515f01f90a8615ed5e9427e30d9cdbfed3d \ - --hash=sha256:81884c4d096c272f00aeb1f11cf62ccd39763581645b0812e99a91505fa48e0c \ - --hash=sha256:81d8a521705787afe7a18d5bfb47ea9d9cc068206270aad0b96a725022e18d2e \ - --hash=sha256:8d09d05439ce7baa8e9e95b07ec5b6c886f548deb7e0f69ef25f64b3bce842f2 \ - --hash=sha256:961e61cefdcb06e0c6d7e3a1b22ebe8b996eb2bf50614e89384be54c48c6b63d \ - --hash=sha256:9c0c1716c8447ee7dbf08d6db2e5c41c688544c61074b54fc4564196f55c25a7 \ - --hash=sha256:a0608251135d0e03111152e41f0cc2392d1e74e35703960d4190b2e0f4ca9c70 \ - --hash=sha256:a0c5b2b0585b6af82d7e385f55a8bc568abff8923af147ee3c07bd8b42cda8b2 \ - --hash=sha256:ad803773e9df0b92e0a817d22fd8a3675493f690b96130a5e24f1b8fabbea9c7 \ - --hash=sha256:b297f90c5723d04bcc8265fc2a0f86d4ea2e0f7ab4b6994459548d3a6b992a14 \ - --hash=sha256:ba4f0a211697362e89ad822e667d8d340b4d8d55fae72cdd619389fb5912eefe \ - 
--hash=sha256:c4783183f7cb757b73b2ae9aed6599b96338eb957233c58ca8f49a49cc32fd5e \ - --hash=sha256:c9bb2ae11bfbab395bdd072985abde58ea9860ed84e59dbc0463a5d0159f5b71 \ - --hash=sha256:cafb92b2bc622cd1aa6a1dce4b93307792633f4c5fe1f46c6b97cf67073ec961 \ - --hash=sha256:d45b940883a03e19e944456a558b67a41160e367a719833c53de6911cabba2b7 \ - --hash=sha256:dc0fdf6787f37b1c6b08e6dfc892d9d068b5bdb671198c72072828b80bd5fe4c \ - --hash=sha256:dea567d1b0e8bc5764b9443858b673b734100c2871dc93163f58c46a97a83d28 \ - --hash=sha256:dec9b018df185f08483f294cae6ccac29e7a6e0678996587363dc352dc65c842 \ - --hash=sha256:e3ec3672626e1b9e55afd0df6d774ff0e953452886e06e0f1eb7eb0c832e8902 \ - --hash=sha256:e599b53fd95357d92304510fb7bda8523ed1f79ca98dce2f43c115950aa78801 \ - --hash=sha256:fa76fbb7596cc5839320000cdd5d0955313696d9511debab7ee7278fc8b5c84a \ - --hash=sha256:fff12c88a672ab9c9c1cf7b0c80e3ad9e2ebd9d828d955c126be4fd3e5578c9e +cryptography==43.0.0 \ + --hash=sha256:0663585d02f76929792470451a5ba64424acc3cd5227b03921dab0e2f27b1709 \ + --hash=sha256:08a24a7070b2b6804c1940ff0f910ff728932a9d0e80e7814234269f9d46d069 \ + --hash=sha256:232ce02943a579095a339ac4b390fbbe97f5b5d5d107f8a08260ea2768be8cc2 \ + --hash=sha256:2905ccf93a8a2a416f3ec01b1a7911c3fe4073ef35640e7ee5296754e30b762b \ + --hash=sha256:299d3da8e00b7e2b54bb02ef58d73cd5f55fb31f33ebbf33bd00d9aa6807df7e \ + --hash=sha256:2c6d112bf61c5ef44042c253e4859b3cbbb50df2f78fa8fae6747a7814484a70 \ + --hash=sha256:31e44a986ceccec3d0498e16f3d27b2ee5fdf69ce2ab89b52eaad1d2f33d8778 \ + --hash=sha256:3d9a1eca329405219b605fac09ecfc09ac09e595d6def650a437523fcd08dd22 \ + --hash=sha256:3dcdedae5c7710b9f97ac6bba7e1052b95c7083c9d0e9df96e02a1932e777895 \ + --hash=sha256:47ca71115e545954e6c1d207dd13461ab81f4eccfcb1345eac874828b5e3eaaf \ + --hash=sha256:4a997df8c1c2aae1e1e5ac49c2e4f610ad037fc5a3aadc7b64e39dea42249431 \ + --hash=sha256:51956cf8730665e2bdf8ddb8da0056f699c1a5715648c1b0144670c1ba00b48f \ + 
--hash=sha256:5bcb8a5620008a8034d39bce21dc3e23735dfdb6a33a06974739bfa04f853947 \ + --hash=sha256:64c3f16e2a4fc51c0d06af28441881f98c5d91009b8caaff40cf3548089e9c74 \ + --hash=sha256:6e2b11c55d260d03a8cf29ac9b5e0608d35f08077d8c087be96287f43af3ccdc \ + --hash=sha256:7b3f5fe74a5ca32d4d0f302ffe6680fcc5c28f8ef0dc0ae8f40c0f3a1b4fca66 \ + --hash=sha256:844b6d608374e7d08f4f6e6f9f7b951f9256db41421917dfb2d003dde4cd6b66 \ + --hash=sha256:9a8d6802e0825767476f62aafed40532bd435e8a5f7d23bd8b4f5fd04cc80ecf \ + --hash=sha256:aae4d918f6b180a8ab8bf6511a419473d107df4dbb4225c7b48c5c9602c38c7f \ + --hash=sha256:ac1955ce000cb29ab40def14fd1bbfa7af2017cca696ee696925615cafd0dce5 \ + --hash=sha256:b88075ada2d51aa9f18283532c9f60e72170041bba88d7f37e49cbb10275299e \ + --hash=sha256:cb013933d4c127349b3948aa8aaf2f12c0353ad0eccd715ca789c8a0f671646f \ + --hash=sha256:cc70b4b581f28d0a254d006f26949245e3657d40d8857066c2ae22a61222ef55 \ + --hash=sha256:e9c5266c432a1e23738d178e51c2c7a5e2ddf790f248be939448c0ba2021f9d1 \ + --hash=sha256:ea9e57f8ea880eeea38ab5abf9fbe39f923544d7884228ec67d666abd60f5a47 \ + --hash=sha256:ee0c405832ade84d4de74b9029bedb7b31200600fa524d218fc29bfa371e97f5 \ + --hash=sha256:fdcb265de28585de5b859ae13e3846a8e805268a823a12a4da2597f1f5afc9f0 # via secretstorage docutils==0.21.2 \ --hash=sha256:3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f \ From 0db3ed870722b22754eaccf0d94e78a673e74ae1 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 2 Aug 2024 11:06:46 -0400 Subject: [PATCH 0916/1462] extensions: EKU must contain at least one member (#11383) * extensions: EKU must contain at least one member Signed-off-by: William Woodruff * record changes Signed-off-by: William Woodruff * empty EKU test vector Signed-off-by: William Woodruff * typo Signed-off-by: William Woodruff --------- 
Signed-off-by: William Woodruff --- CHANGELOG.rst | 2 ++ docs/development/test-vectors.rst | 2 ++ src/rust/cryptography-x509/src/extensions.rs | 2 +- tests/x509/test_x509.py | 10 ++++++++++ .../cryptography_vectors/x509/custom/empty-eku.pem | 11 +++++++++++ 5 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 vectors/cryptography_vectors/x509/custom/empty-eku.pem diff --git a/CHANGELOG.rst b/CHANGELOG.rst index ea0a119733af..9c7119c23a35 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -8,6 +8,8 @@ Changelog .. note:: This version is not yet released and is under active development. +* Enforce the :rfc:`5280` requirement that extended key usage extensions must + not be empty. .. _v43-0-0: diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index c906f611ceff..c8d0765fc854 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -534,6 +534,8 @@ Custom X.509 Vectors algorithm parameters. This encoding is invalid, but was generated by Java 20. * ``ekucrit-testuser-cert.pem`` - A leaf certificate containing a critical EKU. This is an invalid certificate per CA/B 7.1.2.7.6. +* ``empty-eku.pem`` - A leaf certificate containing an empty EKU extension. + This is an invalid certificate per :rfc:`5280` 4.2.1.12. Custom X.509 Request Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index 51df9fb0646b..1fddb3ecf83a 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs 
@@ -231,7 +231,7 @@ pub struct BasicConstraints { pub type SubjectAlternativeName<'a> = asn1::SequenceOf<'a, name::GeneralName<'a>>; pub type IssuerAlternativeName<'a> = asn1::SequenceOf<'a, name::GeneralName<'a>>; -pub type ExtendedKeyUsage<'a> = asn1::SequenceOf<'a, asn1::ObjectIdentifier>; +pub type ExtendedKeyUsage<'a> = asn1::SequenceOf<'a, asn1::ObjectIdentifier, 1>; pub struct KeyUsage<'a>(asn1::BitString<'a>); diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 91251d58c0a3..b96c4dbfdc7a 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -31,6 +31,7 @@ from cryptography.hazmat.primitives.asymmetric.utils import ( decode_dss_signature, ) +from cryptography.x509.extensions import ExtendedKeyUsage from cryptography.x509.name import _ASN1Type from cryptography.x509.oid import ( AuthorityInformationAccessOID, @@ -5733,6 +5734,15 @@ def test_bad_time_in_validity(self, backend): x509.load_pem_x509_certificate, ) + def test_invalid_empty_eku(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "empty-eku.pem"), + x509.load_pem_x509_certificate, + ) + + with pytest.raises(ValueError, match="InvalidSize"): + cert.extensions.get_extension_for_class(ExtendedKeyUsage) + class TestNameAttribute: EXPECTED_TYPES: typing.ClassVar[ diff --git a/vectors/cryptography_vectors/x509/custom/empty-eku.pem b/vectors/cryptography_vectors/x509/custom/empty-eku.pem new file mode 100644 index 000000000000..d8f8880f4cad --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/empty-eku.pem 
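Review bot: The new minimum of `1` on the `ExtendedKeyUsage` alias has no comment saying where it comes from, so a later reader cannot tell it from an arbitrary limit; add `// RFC 5280 4.2.1.12: ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId` above the alias. The two aliases just above it in this hunk, `SubjectAlternativeName` and `IssuerAlternativeName`, stay unbounded although RFC 5280 gives GeneralNames the same SIZE (1..MAX) constraint. If that is deliberate (for example, to keep loading existing certificates and reject empty names later during path validation), a one-line comment saying so would stop the asymmetry from reading as an oversight. Because the bound lives in the parsed type, an empty EKU is now rejected when the extension is decoded rather than at policy evaluation, which also affects callers that only inspect certificates, as the test added in this commit shows.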
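Review bot: `match="InvalidSize"` in `test_invalid_empty_eku` ties the test to the name of the ASN.1 parser's error kind as it appears in the exception text, which does not look like part of this project's public API and could change with a parser upgrade; a comment such as `# "InvalidSize" is the parser's error kind for a SEQUENCE OF below its minimum length` would at least explain the string. The `with` block covers both `cert.extensions` and `get_extension_for_class(ExtendedKeyUsage)`, so the test does not show which step rejects the certificate. If extensions are decoded eagerly, evaluating `cert.extensions` alone inside the block would pin that the failure happens at parse time. The enclosing test class starts outside the hunk.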
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBpjCCAUygAwIBAgIUXbgOb3WRImMh6PjbldAK3smepIkwCgYIKoZIzj0EAwIw +GjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5 +NjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49 +AgEGCCqGSM49AwEHA0IABM3LPV6xuBpFrGXEPvnjF2VnXwhfqYbfIrWUSVQFf6Eb +TiPFZH96VPllxT176ftzTAHWMSG0oCdEduz2MFR0nqWjcjBwMB0GA1UdDgQWBBS+ +VOamU8j9i+62OkrB1PsJXEHTpTAfBgNVHSMEGDAWgBTrOA5ME/MKp4PpBUmEBQ6U +vTpcWjALBgNVHQ8EBAMCB4AwCQYDVR0lBAIwADAWBgNVHREEDzANggtleGFtcGxl +LmNvbTAKBggqhkjOPQQDAgNIADBFAiEAq8/MoJb/PyG710O0o/dAXYvsCbQgNNvg +CAcF/8JQGxUCIEJgYI2pX8slVoRke9RDDMKzNQ49qkKOd++v2tTb+rbh +-----END CERTIFICATE----- From b9d6cc9e19472cdc15c09c72be2ac7232422611a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 2 Aug 2024 20:20:46 -0400 Subject: [PATCH 0917/1462] Bump BoringSSL and/or OpenSSL in CI (#11384) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index aea4dbab8d4a..9e8d02fc4414 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jul 26, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7a6e828dc53ba9a56bd49915f2a0780d63af97d2"}} + # Latest commit on the BoringSSL master branch, as of Aug 03, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e23fe9b6eecc10e4f9ea1f0027fea5eaee7bd6b6"}} # Latest commit on the OpenSSL master branch, as of Aug 02, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ed7a8bfd7409ac4a516581f1711d98a9362a70d5"}} # Builds with various Rust versions. Includes MSRV and next From 8bd76d576e590e05c55757f095e77e9ba7487447 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 4 Aug 2024 00:15:51 +0000 Subject: [PATCH 0918/1462] Bump BoringSSL and/or OpenSSL in CI (#11385) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9e8d02fc4414..861eee173df5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Aug 03, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e23fe9b6eecc10e4f9ea1f0027fea5eaee7bd6b6"}} - # Latest commit on the OpenSSL master branch, as of Aug 02, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ed7a8bfd7409ac4a516581f1711d98a9362a70d5"}} + # Latest commit on the OpenSSL master branch, as of Aug 04, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ca1d2db291530a827555b40974ed81efb91c2d19"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 339bb6c352f129e9d79f7f2d286f047d4efce040 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 4 Aug 2024 14:50:38 -0400 Subject: [PATCH 0919/1462] fix weird 3-space indents (#11387) * fix weird 3-space indents * Update pyproject.toml --- pyproject.toml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 23338b2f2b70..177a3226f307 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -149,14 +149,14 @@ source = [ [tool.coverage.paths] source = [ - "src/cryptography", - "*.nox/*/lib*/python*/site-packages/cryptography", - "*.nox\\*\\Lib\\site-packages\\cryptography", - "*.nox/pypy/site-packages/cryptography", + "src/cryptography", + "*.nox/*/lib*/python*/site-packages/cryptography", + "*.nox\\*\\Lib\\site-packages\\cryptography", + "*.nox/pypy/site-packages/cryptography", ] -tests =[ - "tests/", - "*tests\\", +tests = [ + "tests/", + "*tests\\", ] [tool.coverage.report] From 95cf2d8c2c82aa0b34ea65e12ebc626b138e3e8b Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 4 Aug 2024 17:34:17 -0700 Subject: [PATCH 0920/1462] Bump BoringSSL and/or OpenSSL in CI (#11388) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 861eee173df5..dc437250a094 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Aug 03, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e23fe9b6eecc10e4f9ea1f0027fea5eaee7bd6b6"}} - # Latest commit on the OpenSSL master branch, as of Aug 04, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ca1d2db291530a827555b40974ed81efb91c2d19"}} + # Latest commit on the OpenSSL master branch, as of Aug 05, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "aa3830c3fc0f087d65a05fd0ea4fc03e26add002"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 1dc9ac653070764208dfa8d92af7ddb272e7c433 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Aug 2024 07:04:58 -0400 Subject: [PATCH 0921/1462] Bump actions/upload-artifact from 4.3.4 to 4.3.5 (#11389) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.4 to 4.3.5. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/0b2256b8c012f0828dc542b3febcab082c67f72b...89ef406dd8d7e03cfd12d9e0a4a378f454709029) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/wheel-builder.yml | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dc437250a094..ae4b434ad0b0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -474,14 +474,14 @@ jobs: run: python -m coverage html if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload HTML report. - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 with: name: _html-report path: htmlcov if-no-files-found: ignore if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload rust HTML report. - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 with: name: _html-rust-report path: rust-coverage diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 74702bf9282f..4bba0abf5c92 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml 
@@ -40,11 +40,11 @@ jobs: run: .venv/bin/python -m build --sdist - name: Make sdist and wheel (vectors) run: cd vectors/ && ../.venv/bin/python -m build - - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 with: name: "cryptography-sdist" path: dist/cryptography* - - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 with: name: "vectors-sdist-wheel" path: vectors/dist/cryptography* @@ -153,7 +153,7 @@ jobs: .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - run: mkdir cryptography-wheelhouse - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: cryptography-wheelhouse/ @@ -271,7 +271,7 @@ jobs: - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - run: | echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls cryptography-wheelhouse/cryptography*.whl))" >> $GITHUB_ENV - - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 with: name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}" path: cryptography-wheelhouse/ 
@@ -353,7 +353,7 @@ jobs: - run: mkdir cryptography-wheelhouse - run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\ - - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: cryptography-wheelhouse\ From 7f65779519d73e733b20de44a85f122463d6452f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Aug 2024 07:05:11 -0400 Subject: [PATCH 0922/1462] Bump actions/upload-artifact in /.github/actions/upload-coverage (#11390) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.4 to 4.3.5. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/0b2256b8c012f0828dc542b3febcab082c67f72b...89ef406dd8d7e03cfd12d9e0a4a378f454709029) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/upload-coverage/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index 196487d65970..2c45440c57b8 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,7 +13,7 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 with: name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }} path: | 
From 65638b0100be26069c6c1c574f5e440627d77621 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Aug 2024 07:05:25 -0400 Subject: [PATCH 0923/1462] Bump ruff from 0.5.5 to 0.5.6 (#11391) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.5.5 to 0.5.6. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.5.5...0.5.6) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6ba8bf23fde9..364945fd44f6 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.5.5 +ruff==0.5.6 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 3956f1bcf4b86ac58af275d52f124d3808423c22 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Aug 2024 07:07:01 -0400 Subject: [PATCH 0924/1462] Bump coverage from 7.6.0 to 7.6.1 (#11392) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.6.0 to 7.6.1. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.6.0...7.6.1) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 364945fd44f6..ba9b283481e8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.6.0; python_version >= "3.8" +coverage==7.6.1; python_version >= "3.8" # via # coverage # pytest-cov From 0924550c6f814017f9f649e8f8cfd88f784456b5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Aug 2024 07:07:48 -0400 Subject: [PATCH 0925/1462] Bump keyring from 25.2.1 to 25.3.0 in /.github/requirements (#11393) Bumps [keyring](https://github.com/jaraco/keyring) from 25.2.1 to 25.3.0. - [Release notes](https://github.com/jaraco/keyring/releases) - [Changelog](https://github.com/jaraco/keyring/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/keyring/compare/v25.2.1...v25.3.0) --- updated-dependencies: - dependency-name: keyring dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index f4110e5265e2..d5c54216d4b6 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -219,9 +219,9 @@ jeepney==0.8.0 \ # via # keyring # secretstorage -keyring==25.2.1 \ - --hash=sha256:2458681cdefc0dbc0b7eb6cf75d0b98e59f9ad9b2d4edd319d18f68bdca95e50 \ - --hash=sha256:daaffd42dbda25ddafb1ad5fec4024e5bbcfe424597ca1ca452b299861e49f1b +keyring==25.3.0 \ + --hash=sha256:8d85a1ea5d6db8515b59e1c5d1d1678b03cf7fc8b8dcfb1651e8c4a524eb42ef \ + --hash=sha256:8d963da00ccdf06e356acd9bf3b743208878751032d8599c6cc89eb51310ffae # via twine markdown-it-py==3.0.0 \ --hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1 \ From 26f197f561f98a20a0fdfb1e6552402770784e31 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 5 Aug 2024 20:16:00 -0400 Subject: [PATCH 0926/1462] Bump BoringSSL and/or OpenSSL in CI (#11394) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ae4b434ad0b0..d47b0fdcaa4c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 03, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e23fe9b6eecc10e4f9ea1f0027fea5eaee7bd6b6"}} - # Latest commit on the OpenSSL master branch, as of Aug 05, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "aa3830c3fc0f087d65a05fd0ea4fc03e26add002"}} + # Latest commit on the BoringSSL master branch, as of Aug 06, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "1e8c35af5363c21f0f349b4e570dcccfb9ec3f74"}} + # Latest commit on the OpenSSL master branch, as of Aug 06, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "20bf3fe236d36734a17a08252ed19c9e1bc161cd"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From ee8731c36bd4a3ea074e26e083f7c54ffd427676 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 6 Aug 2024 00:31:04 +0000 Subject: [PATCH 0927/1462] Bump x509-limbo and/or wycheproof in CI (#11395) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 40fabe0b3c38..cb9cdc881542 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jul 31, 2024. - ref: "3554c5db615a22b248a2928e89ea32e3e87f375f" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Aug 06, 2024. + ref: "0311da5df054bb8821b80623a32de20394b30d3a" # x509-limbo-ref From 30546bb05b314a735376bf5fb545c2277d36d749 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 6 Aug 2024 15:09:24 -0400 Subject: [PATCH 0928/1462] Test on 3.13 (#11396) --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d47b0fdcaa4c..aff96c361d80 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -30,6 +30,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "flake"} - {VERSION: "3.12", NOXSESSION: "rust"} - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.2"}} + - {VERSION: "3.13-dev", NOXSESSION: "tests"} - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.14"}} From 5d99cc5a37dc3a3975799b71cb26a270082beb80 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 6 Aug 2024 17:51:09 -0400 Subject: [PATCH 0929/1462] Bump actions/upload-artifact in /.github/actions/upload-coverage (#11398) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.5 to 4.3.6. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/89ef406dd8d7e03cfd12d9e0a4a378f454709029...834a144ee995460fba8ed112a2fc961b36a5ec5a) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/upload-coverage/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index 2c45440c57b8..d425f16f1c28 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,7 +13,7 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 with: name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }} path: | From bfadd010d610c368fd619370427ce4fbc6083877 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 6 Aug 2024 17:51:17 -0400 Subject: [PATCH 0930/1462] Bump argcomplete from 3.4.0 to 3.5.0 (#11399) Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/kislyuk/argcomplete/releases) - [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/argcomplete/compare/v3.4.0...v3.5.0) --- updated-dependencies: - dependency-name: argcomplete dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ba9b283481e8..17f7c774b4cc 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -7,7 +7,7 @@ alabaster==0.7.16 # via sphinx -argcomplete==3.4.0; python_version >= "3.8" +argcomplete==3.5.0; python_version >= "3.8" # via nox babel==2.15.0 # via sphinx From 1ea3865e15fdbf84192b893bf46a6ef3b7f1efbe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 6 Aug 2024 17:53:25 -0400 Subject: [PATCH 0931/1462] Bump actions/upload-artifact from 4.3.5 to 4.3.6 (#11397) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.5 to 4.3.6. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/89ef406dd8d7e03cfd12d9e0a4a378f454709029...834a144ee995460fba8ed112a2fc961b36a5ec5a) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/wheel-builder.yml | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index aff96c361d80..5836f63aecb4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -475,14 +475,14 @@ jobs: run: python -m coverage html if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload HTML report. - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 with: name: _html-report path: htmlcov if-no-files-found: ignore if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload rust HTML report. - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 with: name: _html-rust-report path: rust-coverage diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 4bba0abf5c92..e72144b3f787 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -40,11 +40,11 @@ jobs: run: .venv/bin/python -m build --sdist - name: Make sdist and wheel (vectors) run: cd vectors/ && ../.venv/bin/python -m build - - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 with: name: "cryptography-sdist" path: dist/cryptography* - - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 with: name: "vectors-sdist-wheel" path: vectors/dist/cryptography* 
@@ -153,7 +153,7 @@ jobs: .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - run: mkdir cryptography-wheelhouse - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: cryptography-wheelhouse/ @@ -271,7 +271,7 @@ jobs: - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - run: | echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls cryptography-wheelhouse/cryptography*.whl))" >> $GITHUB_ENV - - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 with: name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}" path: cryptography-wheelhouse/ @@ -353,7 +353,7 @@ jobs: - run: mkdir cryptography-wheelhouse - run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\ - - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: cryptography-wheelhouse\ From f9d720f469ebb0727dae589ea25bea5374e984e0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 6 Aug 2024 17:56:11 -0400 Subject: [PATCH 0932/1462] Bump cffi from 1.16.0 to 1.17.0 in /.github/requirements (#11400) Bumps [cffi](https://github.com/python-cffi/cffi) from 1.16.0 to 1.17.0. - [Release notes](https://github.com/python-cffi/cffi/releases) - [Commits](https://github.com/python-cffi/cffi/compare/v1.16.0...v1.17.0) --- updated-dependencies: - dependency-name: cffi dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 121 ++++++++++-------- .github/requirements/publish-requirements.txt | 121 ++++++++++-------- 2 files changed, 136 insertions(+), 106 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 37bd3968e640..c3fb99969de9 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt 
@@ -4,59 +4,74 @@ # # pip-compile --allow-unsafe --generate-hashes build-requirements.in # -cffi==1.16.0 ; platform_python_implementation != "PyPy" \ - --hash=sha256:0c9ef6ff37e974b73c25eecc13952c55bceed9112be2d9d938ded8e856138bcc \ - --hash=sha256:131fd094d1065b19540c3d72594260f118b231090295d8c34e19a7bbcf2e860a \ - --hash=sha256:1b8ebc27c014c59692bb2664c7d13ce7a6e9a629be20e54e7271fa696ff2b417 \ - --hash=sha256:2c56b361916f390cd758a57f2e16233eb4f64bcbeee88a4881ea90fca14dc6ab \ - --hash=sha256:2d92b25dbf6cae33f65005baf472d2c245c050b1ce709cc4588cdcdd5495b520 \ - --hash=sha256:31d13b0f99e0836b7ff893d37af07366ebc90b678b6664c955b54561fc36ef36 \ - --hash=sha256:32c68ef735dbe5857c810328cb2481e24722a59a2003018885514d4c09af9743 \ - --hash=sha256:3686dffb02459559c74dd3d81748269ffb0eb027c39a6fc99502de37d501faa8 \ - --hash=sha256:582215a0e9adbe0e379761260553ba11c58943e4bbe9c36430c4ca6ac74b15ed \ - --hash=sha256:5b50bf3f55561dac5438f8e70bfcdfd74543fd60df5fa5f62d94e5867deca684 \ - --hash=sha256:5bf44d66cdf9e893637896c7faa22298baebcd18d1ddb6d2626a6e39793a1d56 \ - --hash=sha256:6602bc8dc6f3a9e02b6c22c4fc1e47aa50f8f8e6d3f78a5e16ac33ef5fefa324 \ - --hash=sha256:673739cb539f8cdaa07d92d02efa93c9ccf87e345b9a0b556e3ecc666718468d \ - --hash=sha256:68678abf380b42ce21a5f2abde8efee05c114c2fdb2e9eef2efdb0257fba1235 \ - --hash=sha256:68e7c44931cc171c54ccb702482e9fc723192e88d25a0e133edd7aff8fcd1f6e \ - --hash=sha256:6b3d6606d369fc1da4fd8c357d026317fbb9c9b75d36dc16e90e84c26854b088 \ - --hash=sha256:748dcd1e3d3d7cd5443ef03ce8685043294ad6bd7c02a38d1bd367cfd968e000 \ - --hash=sha256:7651c50c8c5ef7bdb41108b7b8c5a83013bfaa8a935590c5d74627c047a583c7 \ - --hash=sha256:7b78010e7b97fef4bee1e896df8a4bbb6712b7f05b7ef630f9d1da00f6444d2e \ - --hash=sha256:7e61e3e4fa664a8588aa25c883eab612a188c725755afff6289454d6362b9673 \ - --hash=sha256:80876338e19c951fdfed6198e70bc88f1c9758b94578d5a7c4c91a87af3cf31c \ - --hash=sha256:8895613bcc094d4a1b2dbe179d88d7fb4a15cee43c052e8885783fac397d91fe \ - 
--hash=sha256:88e2b3c14bdb32e440be531ade29d3c50a1a59cd4e51b1dd8b0865c54ea5d2e2 \ - --hash=sha256:8f8e709127c6c77446a8c0a8c8bf3c8ee706a06cd44b1e827c3e6a2ee6b8c098 \ - --hash=sha256:9cb4a35b3642fc5c005a6755a5d17c6c8b6bcb6981baf81cea8bfbc8903e8ba8 \ - --hash=sha256:9f90389693731ff1f659e55c7d1640e2ec43ff725cc61b04b2f9c6d8d017df6a \ - --hash=sha256:a09582f178759ee8128d9270cd1344154fd473bb77d94ce0aeb2a93ebf0feaf0 \ - --hash=sha256:a6a14b17d7e17fa0d207ac08642c8820f84f25ce17a442fd15e27ea18d67c59b \ - --hash=sha256:a72e8961a86d19bdb45851d8f1f08b041ea37d2bd8d4fd19903bc3083d80c896 \ - --hash=sha256:abd808f9c129ba2beda4cfc53bde801e5bcf9d6e0f22f095e45327c038bfe68e \ - --hash=sha256:ac0f5edd2360eea2f1daa9e26a41db02dd4b0451b48f7c318e217ee092a213e9 \ - --hash=sha256:b29ebffcf550f9da55bec9e02ad430c992a87e5f512cd63388abb76f1036d8d2 \ - --hash=sha256:b2ca4e77f9f47c55c194982e10f058db063937845bb2b7a86c84a6cfe0aefa8b \ - --hash=sha256:b7be2d771cdba2942e13215c4e340bfd76398e9227ad10402a8767ab1865d2e6 \ - --hash=sha256:b84834d0cf97e7d27dd5b7f3aca7b6e9263c56308ab9dc8aae9784abb774d404 \ - --hash=sha256:b86851a328eedc692acf81fb05444bdf1891747c25af7529e39ddafaf68a4f3f \ - --hash=sha256:bcb3ef43e58665bbda2fb198698fcae6776483e0c4a631aa5647806c25e02cc0 \ - --hash=sha256:c0f31130ebc2d37cdd8e44605fb5fa7ad59049298b3f745c74fa74c62fbfcfc4 \ - --hash=sha256:c6a164aa47843fb1b01e941d385aab7215563bb8816d80ff3a363a9f8448a8dc \ - --hash=sha256:d8a9d3ebe49f084ad71f9269834ceccbf398253c9fac910c4fd7053ff1386936 \ - --hash=sha256:db8e577c19c0fda0beb7e0d4e09e0ba74b1e4c092e0e40bfa12fe05b6f6d75ba \ - --hash=sha256:dc9b18bf40cc75f66f40a7379f6a9513244fe33c0e8aa72e2d56b0196a7ef872 \ - --hash=sha256:e09f3ff613345df5e8c3667da1d918f9149bd623cd9070c983c013792a9a62eb \ - --hash=sha256:e4108df7fe9b707191e55f33efbcb2d81928e10cea45527879a4749cbe472614 \ - --hash=sha256:e6024675e67af929088fda399b2094574609396b1decb609c55fa58b028a32a1 \ - --hash=sha256:e70f54f1796669ef691ca07d046cd81a29cb4deb1e5f942003f401c0c4a2695d \ - 
--hash=sha256:e715596e683d2ce000574bae5d07bd522c781a822866c20495e52520564f0969 \ - --hash=sha256:e760191dd42581e023a68b758769e2da259b5d52e3103c6060ddc02c9edb8d7b \ - --hash=sha256:ed86a35631f7bfbb28e108dd96773b9d5a6ce4811cf6ea468bb6a359b256b1e4 \ - --hash=sha256:ee07e47c12890ef248766a6e55bd38ebfb2bb8edd4142d56db91b21ea68b7627 \ - --hash=sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956 \ - --hash=sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357 +cffi==1.17.0 ; platform_python_implementation != "PyPy" \ + --hash=sha256:011aff3524d578a9412c8b3cfaa50f2c0bd78e03eb7af7aa5e0df59b158efb2f \ + --hash=sha256:0a048d4f6630113e54bb4b77e315e1ba32a5a31512c31a273807d0027a7e69ab \ + --hash=sha256:0bb15e7acf8ab35ca8b24b90af52c8b391690ef5c4aec3d31f38f0d37d2cc499 \ + --hash=sha256:0d46ee4764b88b91f16661a8befc6bfb24806d885e27436fdc292ed7e6f6d058 \ + --hash=sha256:0e60821d312f99d3e1569202518dddf10ae547e799d75aef3bca3a2d9e8ee693 \ + --hash=sha256:0fdacad9e0d9fc23e519efd5ea24a70348305e8d7d85ecbb1a5fa66dc834e7fb \ + --hash=sha256:14b9cbc8f7ac98a739558eb86fabc283d4d564dafed50216e7f7ee62d0d25377 \ + --hash=sha256:17c6d6d3260c7f2d94f657e6872591fe8733872a86ed1345bda872cfc8c74885 \ + --hash=sha256:1a2ddbac59dc3716bc79f27906c010406155031a1c801410f1bafff17ea304d2 \ + --hash=sha256:2404f3de742f47cb62d023f0ba7c5a916c9c653d5b368cc966382ae4e57da401 \ + --hash=sha256:24658baf6224d8f280e827f0a50c46ad819ec8ba380a42448e24459daf809cf4 \ + --hash=sha256:24aa705a5f5bd3a8bcfa4d123f03413de5d86e497435693b638cbffb7d5d8a1b \ + --hash=sha256:2770bb0d5e3cc0e31e7318db06efcbcdb7b31bcb1a70086d3177692a02256f59 \ + --hash=sha256:331ad15c39c9fe9186ceaf87203a9ecf5ae0ba2538c9e898e3a6967e8ad3db6f \ + --hash=sha256:3aa9d43b02a0c681f0bfbc12d476d47b2b2b6a3f9287f11ee42989a268a1833c \ + --hash=sha256:41f4915e09218744d8bae14759f983e466ab69b178de38066f7579892ff2a555 \ + --hash=sha256:4304d4416ff032ed50ad6bb87416d802e67139e31c0bde4628f36a47a3164bfa \ + 
--hash=sha256:435a22d00ec7d7ea533db494da8581b05977f9c37338c80bc86314bec2619424 \ + --hash=sha256:45f7cd36186db767d803b1473b3c659d57a23b5fa491ad83c6d40f2af58e4dbb \ + --hash=sha256:48b389b1fd5144603d61d752afd7167dfd205973a43151ae5045b35793232aa2 \ + --hash=sha256:4e67d26532bfd8b7f7c05d5a766d6f437b362c1bf203a3a5ce3593a645e870b8 \ + --hash=sha256:516a405f174fd3b88829eabfe4bb296ac602d6a0f68e0d64d5ac9456194a5b7e \ + --hash=sha256:5ba5c243f4004c750836f81606a9fcb7841f8874ad8f3bf204ff5e56332b72b9 \ + --hash=sha256:5bdc0f1f610d067c70aa3737ed06e2726fd9d6f7bfee4a351f4c40b6831f4e82 \ + --hash=sha256:6107e445faf057c118d5050560695e46d272e5301feffda3c41849641222a828 \ + --hash=sha256:6327b572f5770293fc062a7ec04160e89741e8552bf1c358d1a23eba68166759 \ + --hash=sha256:669b29a9eca6146465cc574659058ed949748f0809a2582d1f1a324eb91054dc \ + --hash=sha256:6ce01337d23884b21c03869d2f68c5523d43174d4fc405490eb0091057943118 \ + --hash=sha256:6d872186c1617d143969defeadac5a904e6e374183e07977eedef9c07c8953bf \ + --hash=sha256:6f76a90c345796c01d85e6332e81cab6d70de83b829cf1d9762d0a3da59c7932 \ + --hash=sha256:70d2aa9fb00cf52034feac4b913181a6e10356019b18ef89bc7c12a283bf5f5a \ + --hash=sha256:7cbc78dc018596315d4e7841c8c3a7ae31cc4d638c9b627f87d52e8abaaf2d29 \ + --hash=sha256:856bf0924d24e7f93b8aee12a3a1095c34085600aa805693fb7f5d1962393206 \ + --hash=sha256:8a98748ed1a1df4ee1d6f927e151ed6c1a09d5ec21684de879c7ea6aa96f58f2 \ + --hash=sha256:93a7350f6706b31f457c1457d3a3259ff9071a66f312ae64dc024f049055f72c \ + --hash=sha256:964823b2fc77b55355999ade496c54dde161c621cb1f6eac61dc30ed1b63cd4c \ + --hash=sha256:a003ac9edc22d99ae1286b0875c460351f4e101f8c9d9d2576e78d7e048f64e0 \ + --hash=sha256:a0ce71725cacc9ebf839630772b07eeec220cbb5f03be1399e0457a1464f8e1a \ + --hash=sha256:a47eef975d2b8b721775a0fa286f50eab535b9d56c70a6e62842134cf7841195 \ + --hash=sha256:a8b5b9712783415695663bd463990e2f00c6750562e6ad1d28e072a611c5f2a6 \ + --hash=sha256:a9015f5b8af1bb6837a3fcb0cdf3b874fe3385ff6274e8b7925d81ccaec3c5c9 \ + 
--hash=sha256:aec510255ce690d240f7cb23d7114f6b351c733a74c279a84def763660a2c3bc \ + --hash=sha256:b00e7bcd71caa0282cbe3c90966f738e2db91e64092a877c3ff7f19a1628fdcb \ + --hash=sha256:b50aaac7d05c2c26dfd50c3321199f019ba76bb650e346a6ef3616306eed67b0 \ + --hash=sha256:b7b6ea9e36d32582cda3465f54c4b454f62f23cb083ebc7a94e2ca6ef011c3a7 \ + --hash=sha256:bb9333f58fc3a2296fb1d54576138d4cf5d496a2cc118422bd77835e6ae0b9cb \ + --hash=sha256:c1c13185b90bbd3f8b5963cd8ce7ad4ff441924c31e23c975cb150e27c2bf67a \ + --hash=sha256:c3b8bd3133cd50f6b637bb4322822c94c5ce4bf0d724ed5ae70afce62187c492 \ + --hash=sha256:c5d97162c196ce54af6700949ddf9409e9833ef1003b4741c2b39ef46f1d9720 \ + --hash=sha256:c815270206f983309915a6844fe994b2fa47e5d05c4c4cef267c3b30e34dbe42 \ + --hash=sha256:cab2eba3830bf4f6d91e2d6718e0e1c14a2f5ad1af68a89d24ace0c6b17cced7 \ + --hash=sha256:d1df34588123fcc88c872f5acb6f74ae59e9d182a2707097f9e28275ec26a12d \ + --hash=sha256:d6bdcd415ba87846fd317bee0774e412e8792832e7805938987e4ede1d13046d \ + --hash=sha256:db9a30ec064129d605d0f1aedc93e00894b9334ec74ba9c6bdd08147434b33eb \ + --hash=sha256:dbc183e7bef690c9abe5ea67b7b60fdbca81aa8da43468287dae7b5c046107d4 \ + --hash=sha256:dca802c8db0720ce1c49cce1149ff7b06e91ba15fa84b1d59144fef1a1bc7ac2 \ + --hash=sha256:dec6b307ce928e8e112a6bb9921a1cb00a0e14979bf28b98e084a4b8a742bd9b \ + --hash=sha256:df8bb0010fdd0a743b7542589223a2816bdde4d94bb5ad67884348fa2c1c67e8 \ + --hash=sha256:e4094c7b464cf0a858e75cd14b03509e84789abf7b79f8537e6a72152109c76e \ + --hash=sha256:e4760a68cab57bfaa628938e9c2971137e05ce48e762a9cb53b76c9b569f1204 \ + --hash=sha256:eb09b82377233b902d4c3fbeeb7ad731cdab579c6c6fda1f763cd779139e47c3 \ + --hash=sha256:eb862356ee9391dc5a0b3cbc00f416b48c1b9a52d252d898e5b7696a5f9fe150 \ + --hash=sha256:ef9528915df81b8f4c7612b19b8628214c65c9b7f74db2e34a646a0a2a0da2d4 \ + --hash=sha256:f3157624b7558b914cb039fd1af735e5e8049a87c817cc215109ad1c8779df76 \ + --hash=sha256:f3e0992f23bbb0be00a921eae5363329253c3b86287db27092461c887b791e5e \ + 
--hash=sha256:f9338cc05451f1942d0d8203ec2c346c830f8e86469903d5126c1f0a13a2bcbb \ + --hash=sha256:ffef8fd58a36fb5f1196919638f73dd3ae0db1a878982b27a9a5a176ede4ba91 # via -r build-requirements.in maturin==1.7.0 \ --hash=sha256:0af4f2a4cfb99206d414dec138dd3aac3f506eb8928b7e38dfac570461b393d6 \ diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index d5c54216d4b6..a6ecd9466e2c 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -12,59 +12,74 @@ certifi==2024.7.4 \ --hash=sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b \ --hash=sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90 # via requests -cffi==1.16.0 \ - --hash=sha256:0c9ef6ff37e974b73c25eecc13952c55bceed9112be2d9d938ded8e856138bcc \ - --hash=sha256:131fd094d1065b19540c3d72594260f118b231090295d8c34e19a7bbcf2e860a \ - --hash=sha256:1b8ebc27c014c59692bb2664c7d13ce7a6e9a629be20e54e7271fa696ff2b417 \ - --hash=sha256:2c56b361916f390cd758a57f2e16233eb4f64bcbeee88a4881ea90fca14dc6ab \ - --hash=sha256:2d92b25dbf6cae33f65005baf472d2c245c050b1ce709cc4588cdcdd5495b520 \ - --hash=sha256:31d13b0f99e0836b7ff893d37af07366ebc90b678b6664c955b54561fc36ef36 \ - --hash=sha256:32c68ef735dbe5857c810328cb2481e24722a59a2003018885514d4c09af9743 \ - --hash=sha256:3686dffb02459559c74dd3d81748269ffb0eb027c39a6fc99502de37d501faa8 \ - --hash=sha256:582215a0e9adbe0e379761260553ba11c58943e4bbe9c36430c4ca6ac74b15ed \ - --hash=sha256:5b50bf3f55561dac5438f8e70bfcdfd74543fd60df5fa5f62d94e5867deca684 \ - --hash=sha256:5bf44d66cdf9e893637896c7faa22298baebcd18d1ddb6d2626a6e39793a1d56 \ - --hash=sha256:6602bc8dc6f3a9e02b6c22c4fc1e47aa50f8f8e6d3f78a5e16ac33ef5fefa324 \ - --hash=sha256:673739cb539f8cdaa07d92d02efa93c9ccf87e345b9a0b556e3ecc666718468d \ - --hash=sha256:68678abf380b42ce21a5f2abde8efee05c114c2fdb2e9eef2efdb0257fba1235 \ - --hash=sha256:68e7c44931cc171c54ccb702482e9fc723192e88d25a0e133edd7aff8fcd1f6e \ - --hash=sha256:6b3d6606d369fc1da4fd8c357d026317fbb9c9b75d36dc16e90e84c26854b088 \ - --hash=sha256:748dcd1e3d3d7cd5443ef03ce8685043294ad6bd7c02a38d1bd367cfd968e000 \ - --hash=sha256:7651c50c8c5ef7bdb41108b7b8c5a83013bfaa8a935590c5d74627c047a583c7 \ - --hash=sha256:7b78010e7b97fef4bee1e896df8a4bbb6712b7f05b7ef630f9d1da00f6444d2e \ - --hash=sha256:7e61e3e4fa664a8588aa25c883eab612a188c725755afff6289454d6362b9673 \ - --hash=sha256:80876338e19c951fdfed6198e70bc88f1c9758b94578d5a7c4c91a87af3cf31c \ - 
--hash=sha256:8895613bcc094d4a1b2dbe179d88d7fb4a15cee43c052e8885783fac397d91fe \ - --hash=sha256:88e2b3c14bdb32e440be531ade29d3c50a1a59cd4e51b1dd8b0865c54ea5d2e2 \ - --hash=sha256:8f8e709127c6c77446a8c0a8c8bf3c8ee706a06cd44b1e827c3e6a2ee6b8c098 \ - --hash=sha256:9cb4a35b3642fc5c005a6755a5d17c6c8b6bcb6981baf81cea8bfbc8903e8ba8 \ - --hash=sha256:9f90389693731ff1f659e55c7d1640e2ec43ff725cc61b04b2f9c6d8d017df6a \ - --hash=sha256:a09582f178759ee8128d9270cd1344154fd473bb77d94ce0aeb2a93ebf0feaf0 \ - --hash=sha256:a6a14b17d7e17fa0d207ac08642c8820f84f25ce17a442fd15e27ea18d67c59b \ - --hash=sha256:a72e8961a86d19bdb45851d8f1f08b041ea37d2bd8d4fd19903bc3083d80c896 \ - --hash=sha256:abd808f9c129ba2beda4cfc53bde801e5bcf9d6e0f22f095e45327c038bfe68e \ - --hash=sha256:ac0f5edd2360eea2f1daa9e26a41db02dd4b0451b48f7c318e217ee092a213e9 \ - --hash=sha256:b29ebffcf550f9da55bec9e02ad430c992a87e5f512cd63388abb76f1036d8d2 \ - --hash=sha256:b2ca4e77f9f47c55c194982e10f058db063937845bb2b7a86c84a6cfe0aefa8b \ - --hash=sha256:b7be2d771cdba2942e13215c4e340bfd76398e9227ad10402a8767ab1865d2e6 \ - --hash=sha256:b84834d0cf97e7d27dd5b7f3aca7b6e9263c56308ab9dc8aae9784abb774d404 \ - --hash=sha256:b86851a328eedc692acf81fb05444bdf1891747c25af7529e39ddafaf68a4f3f \ - --hash=sha256:bcb3ef43e58665bbda2fb198698fcae6776483e0c4a631aa5647806c25e02cc0 \ - --hash=sha256:c0f31130ebc2d37cdd8e44605fb5fa7ad59049298b3f745c74fa74c62fbfcfc4 \ - --hash=sha256:c6a164aa47843fb1b01e941d385aab7215563bb8816d80ff3a363a9f8448a8dc \ - --hash=sha256:d8a9d3ebe49f084ad71f9269834ceccbf398253c9fac910c4fd7053ff1386936 \ - --hash=sha256:db8e577c19c0fda0beb7e0d4e09e0ba74b1e4c092e0e40bfa12fe05b6f6d75ba \ - --hash=sha256:dc9b18bf40cc75f66f40a7379f6a9513244fe33c0e8aa72e2d56b0196a7ef872 \ - --hash=sha256:e09f3ff613345df5e8c3667da1d918f9149bd623cd9070c983c013792a9a62eb \ - --hash=sha256:e4108df7fe9b707191e55f33efbcb2d81928e10cea45527879a4749cbe472614 \ - --hash=sha256:e6024675e67af929088fda399b2094574609396b1decb609c55fa58b028a32a1 \ - 
--hash=sha256:e70f54f1796669ef691ca07d046cd81a29cb4deb1e5f942003f401c0c4a2695d \ - --hash=sha256:e715596e683d2ce000574bae5d07bd522c781a822866c20495e52520564f0969 \ - --hash=sha256:e760191dd42581e023a68b758769e2da259b5d52e3103c6060ddc02c9edb8d7b \ - --hash=sha256:ed86a35631f7bfbb28e108dd96773b9d5a6ce4811cf6ea468bb6a359b256b1e4 \ - --hash=sha256:ee07e47c12890ef248766a6e55bd38ebfb2bb8edd4142d56db91b21ea68b7627 \ - --hash=sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956 \ - --hash=sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357 +cffi==1.17.0 \ + --hash=sha256:011aff3524d578a9412c8b3cfaa50f2c0bd78e03eb7af7aa5e0df59b158efb2f \ + --hash=sha256:0a048d4f6630113e54bb4b77e315e1ba32a5a31512c31a273807d0027a7e69ab \ + --hash=sha256:0bb15e7acf8ab35ca8b24b90af52c8b391690ef5c4aec3d31f38f0d37d2cc499 \ + --hash=sha256:0d46ee4764b88b91f16661a8befc6bfb24806d885e27436fdc292ed7e6f6d058 \ + --hash=sha256:0e60821d312f99d3e1569202518dddf10ae547e799d75aef3bca3a2d9e8ee693 \ + --hash=sha256:0fdacad9e0d9fc23e519efd5ea24a70348305e8d7d85ecbb1a5fa66dc834e7fb \ + --hash=sha256:14b9cbc8f7ac98a739558eb86fabc283d4d564dafed50216e7f7ee62d0d25377 \ + --hash=sha256:17c6d6d3260c7f2d94f657e6872591fe8733872a86ed1345bda872cfc8c74885 \ + --hash=sha256:1a2ddbac59dc3716bc79f27906c010406155031a1c801410f1bafff17ea304d2 \ + --hash=sha256:2404f3de742f47cb62d023f0ba7c5a916c9c653d5b368cc966382ae4e57da401 \ + --hash=sha256:24658baf6224d8f280e827f0a50c46ad819ec8ba380a42448e24459daf809cf4 \ + --hash=sha256:24aa705a5f5bd3a8bcfa4d123f03413de5d86e497435693b638cbffb7d5d8a1b \ + --hash=sha256:2770bb0d5e3cc0e31e7318db06efcbcdb7b31bcb1a70086d3177692a02256f59 \ + --hash=sha256:331ad15c39c9fe9186ceaf87203a9ecf5ae0ba2538c9e898e3a6967e8ad3db6f \ + --hash=sha256:3aa9d43b02a0c681f0bfbc12d476d47b2b2b6a3f9287f11ee42989a268a1833c \ + --hash=sha256:41f4915e09218744d8bae14759f983e466ab69b178de38066f7579892ff2a555 \ + 
--hash=sha256:4304d4416ff032ed50ad6bb87416d802e67139e31c0bde4628f36a47a3164bfa \ + --hash=sha256:435a22d00ec7d7ea533db494da8581b05977f9c37338c80bc86314bec2619424 \ + --hash=sha256:45f7cd36186db767d803b1473b3c659d57a23b5fa491ad83c6d40f2af58e4dbb \ + --hash=sha256:48b389b1fd5144603d61d752afd7167dfd205973a43151ae5045b35793232aa2 \ + --hash=sha256:4e67d26532bfd8b7f7c05d5a766d6f437b362c1bf203a3a5ce3593a645e870b8 \ + --hash=sha256:516a405f174fd3b88829eabfe4bb296ac602d6a0f68e0d64d5ac9456194a5b7e \ + --hash=sha256:5ba5c243f4004c750836f81606a9fcb7841f8874ad8f3bf204ff5e56332b72b9 \ + --hash=sha256:5bdc0f1f610d067c70aa3737ed06e2726fd9d6f7bfee4a351f4c40b6831f4e82 \ + --hash=sha256:6107e445faf057c118d5050560695e46d272e5301feffda3c41849641222a828 \ + --hash=sha256:6327b572f5770293fc062a7ec04160e89741e8552bf1c358d1a23eba68166759 \ + --hash=sha256:669b29a9eca6146465cc574659058ed949748f0809a2582d1f1a324eb91054dc \ + --hash=sha256:6ce01337d23884b21c03869d2f68c5523d43174d4fc405490eb0091057943118 \ + --hash=sha256:6d872186c1617d143969defeadac5a904e6e374183e07977eedef9c07c8953bf \ + --hash=sha256:6f76a90c345796c01d85e6332e81cab6d70de83b829cf1d9762d0a3da59c7932 \ + --hash=sha256:70d2aa9fb00cf52034feac4b913181a6e10356019b18ef89bc7c12a283bf5f5a \ + --hash=sha256:7cbc78dc018596315d4e7841c8c3a7ae31cc4d638c9b627f87d52e8abaaf2d29 \ + --hash=sha256:856bf0924d24e7f93b8aee12a3a1095c34085600aa805693fb7f5d1962393206 \ + --hash=sha256:8a98748ed1a1df4ee1d6f927e151ed6c1a09d5ec21684de879c7ea6aa96f58f2 \ + --hash=sha256:93a7350f6706b31f457c1457d3a3259ff9071a66f312ae64dc024f049055f72c \ + --hash=sha256:964823b2fc77b55355999ade496c54dde161c621cb1f6eac61dc30ed1b63cd4c \ + --hash=sha256:a003ac9edc22d99ae1286b0875c460351f4e101f8c9d9d2576e78d7e048f64e0 \ + --hash=sha256:a0ce71725cacc9ebf839630772b07eeec220cbb5f03be1399e0457a1464f8e1a \ + --hash=sha256:a47eef975d2b8b721775a0fa286f50eab535b9d56c70a6e62842134cf7841195 \ + --hash=sha256:a8b5b9712783415695663bd463990e2f00c6750562e6ad1d28e072a611c5f2a6 \ + 
--hash=sha256:a9015f5b8af1bb6837a3fcb0cdf3b874fe3385ff6274e8b7925d81ccaec3c5c9 \ + --hash=sha256:aec510255ce690d240f7cb23d7114f6b351c733a74c279a84def763660a2c3bc \ + --hash=sha256:b00e7bcd71caa0282cbe3c90966f738e2db91e64092a877c3ff7f19a1628fdcb \ + --hash=sha256:b50aaac7d05c2c26dfd50c3321199f019ba76bb650e346a6ef3616306eed67b0 \ + --hash=sha256:b7b6ea9e36d32582cda3465f54c4b454f62f23cb083ebc7a94e2ca6ef011c3a7 \ + --hash=sha256:bb9333f58fc3a2296fb1d54576138d4cf5d496a2cc118422bd77835e6ae0b9cb \ + --hash=sha256:c1c13185b90bbd3f8b5963cd8ce7ad4ff441924c31e23c975cb150e27c2bf67a \ + --hash=sha256:c3b8bd3133cd50f6b637bb4322822c94c5ce4bf0d724ed5ae70afce62187c492 \ + --hash=sha256:c5d97162c196ce54af6700949ddf9409e9833ef1003b4741c2b39ef46f1d9720 \ + --hash=sha256:c815270206f983309915a6844fe994b2fa47e5d05c4c4cef267c3b30e34dbe42 \ + --hash=sha256:cab2eba3830bf4f6d91e2d6718e0e1c14a2f5ad1af68a89d24ace0c6b17cced7 \ + --hash=sha256:d1df34588123fcc88c872f5acb6f74ae59e9d182a2707097f9e28275ec26a12d \ + --hash=sha256:d6bdcd415ba87846fd317bee0774e412e8792832e7805938987e4ede1d13046d \ + --hash=sha256:db9a30ec064129d605d0f1aedc93e00894b9334ec74ba9c6bdd08147434b33eb \ + --hash=sha256:dbc183e7bef690c9abe5ea67b7b60fdbca81aa8da43468287dae7b5c046107d4 \ + --hash=sha256:dca802c8db0720ce1c49cce1149ff7b06e91ba15fa84b1d59144fef1a1bc7ac2 \ + --hash=sha256:dec6b307ce928e8e112a6bb9921a1cb00a0e14979bf28b98e084a4b8a742bd9b \ + --hash=sha256:df8bb0010fdd0a743b7542589223a2816bdde4d94bb5ad67884348fa2c1c67e8 \ + --hash=sha256:e4094c7b464cf0a858e75cd14b03509e84789abf7b79f8537e6a72152109c76e \ + --hash=sha256:e4760a68cab57bfaa628938e9c2971137e05ce48e762a9cb53b76c9b569f1204 \ + --hash=sha256:eb09b82377233b902d4c3fbeeb7ad731cdab579c6c6fda1f763cd779139e47c3 \ + --hash=sha256:eb862356ee9391dc5a0b3cbc00f416b48c1b9a52d252d898e5b7696a5f9fe150 \ + --hash=sha256:ef9528915df81b8f4c7612b19b8628214c65c9b7f74db2e34a646a0a2a0da2d4 \ + --hash=sha256:f3157624b7558b914cb039fd1af735e5e8049a87c817cc215109ad1c8779df76 \ + 
--hash=sha256:f3e0992f23bbb0be00a921eae5363329253c3b86287db27092461c887b791e5e \ + --hash=sha256:f9338cc05451f1942d0d8203ec2c346c830f8e86469903d5126c1f0a13a2bcbb \ + --hash=sha256:ffef8fd58a36fb5f1196919638f73dd3ae0db1a878982b27a9a5a176ede4ba91 # via cryptography charset-normalizer==3.3.2 \ --hash=sha256:06435b539f889b1f6f4ac1758871aae42dc3a8c0e24ac9e60c2384973ad73027 \ From c1c71a2a3f04063307788474c2229bb9f6f9f6b5 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 6 Aug 2024 20:18:34 -0400 Subject: [PATCH 0933/1462] Bump BoringSSL and/or OpenSSL in CI (#11401) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5836f63aecb4..d4c72903dc74 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 06, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "1e8c35af5363c21f0f349b4e570dcccfb9ec3f74"}} - # Latest commit on the OpenSSL master branch, as of Aug 06, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "20bf3fe236d36734a17a08252ed19c9e1bc161cd"}} + # Latest commit on the BoringSSL master branch, as of Aug 07, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5af122c3dfc163b5d1859f1f450756e8e320a142"}} + # Latest commit on the OpenSSL master branch, as of Aug 07, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f98e49b326fe1fda5efadc10e7905b09a394591c"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 95d0673225d49bf7ead2bfe37ad708c736f76d01 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 7 Aug 2024 11:28:16 +0000 Subject: [PATCH 0934/1462] Bump cc from 1.1.7 to 1.1.8 in /src/rust (#11402) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.7 to 1.1.8. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.7...cc-v1.1.8) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index fb141392928b..6fed400042e0 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.7" +version = "1.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26a5c3fd7bfa1ce3897a3a3501d362b2d87b7f2583ebcb4a949ec25911025cbc" +checksum = "504bdec147f2cc13c8b57ed9401fd8a147cc66b67ad5cb241394244f2c947549" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 93f1712b9b57..0ba6bfa257f5 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.2", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.7" +cc = "1.1.8" From 4d619bac4c895f3101ad5acf0a2b6eac30444339 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 7 Aug 2024 20:42:55 -0400 Subject: [PATCH 0935/1462] Bump BoringSSL and/or OpenSSL in CI (#11404) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d4c72903dc74..6e181ec2d26b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 07, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5af122c3dfc163b5d1859f1f450756e8e320a142"}} - # Latest commit on the OpenSSL master branch, as of Aug 07, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f98e49b326fe1fda5efadc10e7905b09a394591c"}} + # Latest commit on the BoringSSL master branch, as of Aug 08, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "1b40d99d6a90d0039e9021adde5ad4de743cf0ad"}} + # Latest commit on the OpenSSL master branch, as of Aug 08, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e77eb1dc0be75c98c53c932c861dd52e8896cc13"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From a429ec049f408ca7732359810e8f841744e5a206 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 8 Aug 2024 01:12:06 -0400 Subject: [PATCH 0936/1462] Added d2i_X509_NAME binding for pyOpenSSL (#11403) * Added d2i_X509_NAME binding for pyOpenSSL * Update x509name.py --- src/_cffi_src/openssl/x509name.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/_cffi_src/openssl/x509name.py b/src/_cffi_src/openssl/x509name.py index 81d897d27255..8c3c4de758dc 100644 --- a/src/_cffi_src/openssl/x509name.py +++ b/src/_cffi_src/openssl/x509name.py 
@@ -26,6 +26,7 @@ unsigned long X509_NAME_hash(X509_NAME *); int i2d_X509_NAME(X509_NAME *, unsigned char **); +X509_NAME *d2i_X509_NAME(X509_NAME **, const unsigned char **, long); X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *, int); void X509_NAME_ENTRY_free(X509_NAME_ENTRY *); int X509_NAME_get_index_by_NID(X509_NAME *, int, int); From b20e83ec2c12c596db3d5987bb961c428261b769 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Aug 2024 07:05:52 -0400 Subject: [PATCH 0937/1462] Bump more-itertools from 10.3.0 to 10.4.0 in /.github/requirements (#11405) Bumps [more-itertools](https://github.com/more-itertools/more-itertools) from 10.3.0 to 10.4.0. - [Release notes](https://github.com/more-itertools/more-itertools/releases) - [Commits](https://github.com/more-itertools/more-itertools/compare/v10.3.0...v10.4.0) --- updated-dependencies: - dependency-name: more-itertools dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index a6ecd9466e2c..e1ded5c9564f 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -246,9 +246,9 @@ mdurl==0.1.2 \ --hash=sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8 \ --hash=sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba # via markdown-it-py -more-itertools==10.3.0 \ - --hash=sha256:e5d93ef411224fbcef366a6e8ddc4c5781bc6359d43412a65dd5964e46111463 \ - --hash=sha256:ea6a02e24a9161e51faad17a8782b92a0df82c12c1c8886fec7f0c3fa1a1b320 +more-itertools==10.4.0 \ + --hash=sha256:0f7d9f83a0a8dcfa8a2694a770590d98a67ea943e3d9f5298309a484758c4e27 \ + --hash=sha256:fe0e63c4ab068eac62410ab05cccca2dc71ec44ba8ef29916a0090df061cf923 # via # jaraco-classes # jaraco-functools From 00e4f00f96681b0bcf161ff6254f7a259dc6f2ad Mon Sep 17 00:00:00 2001 From: John Villalovos Date: Thu, 8 Aug 2024 10:09:45 -0700 Subject: [PATCH 0938/1462] chore: improve deprecation messages (#11407) There has been confusion regarding the current deprecation messages as some are reading them as the algorithms will be removed from the cryptography library. When in reality they are just being removed from the module. Make it more explicit about it being removed. An example of the confusion: https://github.com/paramiko/paramiko/pull/2421#issuecomment-2276253111 --- .../hazmat/primitives/ciphers/algorithms.py | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/src/cryptography/hazmat/primitives/ciphers/algorithms.py b/src/cryptography/hazmat/primitives/ciphers/algorithms.py index 1051ba323506..f9fa8a587ea5 100644 --- a/src/cryptography/hazmat/primitives/ciphers/algorithms.py +++ b/src/cryptography/hazmat/primitives/ciphers/algorithms.py @@ -82,7 +82,8 @@ def key_size(self) -> int: __name__, "ARC4 has been moved to " "cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and " - "will be removed from this module in 48.0.0.", + "will be removed from " + "cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.", utils.DeprecatedIn43, name="ARC4", ) 
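Review bot: The module path added to the ARC4 message is written out as a literal even though the same `utils.deprecated(...)` call already passes `__name__` on the line just above the message. The five later hunks of this file (TripleDES, Blowfish, CAST5, IDEA, SEED) repeat the same literal. Interpolating it keeps the six messages from drifting if the module is ever renamed: `f"will be removed from {__name__} in 48.0.0.",`. These warnings are what steer callers off the legacy ciphers, so a comment above the first call would record the intent: `# Deprecated in this module only; the classes stay importable from cryptography.hazmat.decrepit.` The `utils.deprecated(` call opens outside the hunk.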
@@ -93,7 +94,8 @@ def key_size(self) -> int: __name__, "TripleDES has been moved to " "cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and " - "will be removed from this module in 48.0.0.", + "will be removed from " + "cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.", utils.DeprecatedIn43, name="TripleDES", ) @@ -103,7 +105,8 @@ def key_size(self) -> int: __name__, "Blowfish has been moved to " "cryptography.hazmat.decrepit.ciphers.algorithms.Blowfish and " - "will be removed from this module in 45.0.0.", + "will be removed from " + "cryptography.hazmat.primitives.ciphers.algorithms in 45.0.0.", utils.DeprecatedIn37, name="Blowfish", ) @@ -114,7 +117,8 @@ def key_size(self) -> int: __name__, "CAST5 has been moved to " "cryptography.hazmat.decrepit.ciphers.algorithms.CAST5 and " - "will be removed from this module in 45.0.0.", + "will be removed from " + "cryptography.hazmat.primitives.ciphers.algorithms in 45.0.0.", utils.DeprecatedIn37, name="CAST5", ) @@ -125,7 +129,8 @@ def key_size(self) -> int: __name__, "IDEA has been moved to " "cryptography.hazmat.decrepit.ciphers.algorithms.IDEA and " - "will be removed from this module in 45.0.0.", + "will be removed from " + "cryptography.hazmat.primitives.ciphers.algorithms in 45.0.0.", utils.DeprecatedIn37, name="IDEA", ) @@ -136,7 +141,8 @@ def key_size(self) -> int: __name__, "SEED has been moved to " "cryptography.hazmat.decrepit.ciphers.algorithms.SEED and " - "will be removed from this module in 45.0.0.", + "will be removed from " + "cryptography.hazmat.primitives.ciphers.algorithms in 45.0.0.", utils.DeprecatedIn37, name="SEED", ) From d45cac8b0967e8f62766198586cc88cde63685de Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Aug 2024 17:20:50 +0000 Subject: [PATCH 0939/1462] Bump ruff from 0.5.6 to 0.5.7 (#11408) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.5.6 to 0.5.7. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.5.6...0.5.7) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 17f7c774b4cc..ba4154f0da51 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.5.6 +ruff==0.5.7 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 33b9f5ea8a27db4b53bd81879f510c85ae467199 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Aug 2024 17:25:35 +0000 Subject: [PATCH 0940/1462] Bump babel from 2.15.0 to 2.16.0 (#11409) Bumps [babel](https://github.com/python-babel/babel) from 2.15.0 to 2.16.0. - [Release notes](https://github.com/python-babel/babel/releases) - [Changelog](https://github.com/python-babel/babel/blob/master/CHANGES.rst) - [Commits](https://github.com/python-babel/babel/compare/v2.15.0...v2.16.0) --- updated-dependencies: - dependency-name: babel dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ba4154f0da51..e3b2fa345d61 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -9,7 +9,7 @@ alabaster==0.7.16 # via sphinx argcomplete==3.5.0; python_version >= "3.8" # via nox -babel==2.15.0 +babel==2.16.0 # via sphinx build==1.2.1 # via From e2633bc1e6de1bb7ad6c5adbf6151d059a8d3400 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 8 Aug 2024 18:07:15 -0400 Subject: [PATCH 0941/1462] Run Python tests in CI with debug rust builds (#11406) fixes #11322 --- .github/workflows/ci.yml | 1 + noxfile.py | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6e181ec2d26b..7161c72fa226 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -53,6 +53,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "beta"} - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "nightly"} + - {VERSION: "3.12", NOXSESSION: "tests-rust-debug"} timeout-minutes: 15 steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/noxfile.py b/noxfile.py index 1b57f444fb66..a2ff4db9a42b 100644 --- a/noxfile.py +++ b/noxfile.py @@ -46,6 +46,7 @@ def load_pyproject_toml() -> dict: @nox.session(name="tests-ssh") @nox.session(name="tests-randomorder") @nox.session(name="tests-nocoverage") +@nox.session(name="tests-rust-debug") def tests(session: nox.Session) -> None: extras = "test" if session.name == "tests-ssh": 
@@ -66,7 +67,14 @@ def tests(session: nox.Session) -> None: ) install(session, "-e", "./vectors") - install(session, f".[{extras}]") + if session.name == "tests-rust-debug": + install( + session, + "--config-settings=build-args=--profile=dev", + f".[{extras}]", + ) + else: + install(session, f".[{extras}]") session.run("pip", "list") From 2f925d9a4667f6e7a57f02e3a0cddcfb7e45864c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 9 Aug 2024 00:18:12 +0000 Subject: [PATCH 0942/1462] Bump BoringSSL and/or OpenSSL in CI (#11410) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7161c72fa226..09162f5aba13 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
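Review bot: The new `tests-rust-debug` branch in `tests()` has no comment saying why a dev-profile build is wanted, and `--config-settings=build-args=--profile=dev` is opaque on its own. Cargo's dev profile turns on debug assertions and integer-overflow checks that the release profile leaves off, so I would add above the `if`: `# Build the Rust extension with the dev profile so debug assertions and overflow checks run under the Python test suite.` The two `install(...)` calls differ only by that one argument. Collecting it first with `build_args = ["--config-settings=build-args=--profile=dev"] if session.name == "tests-rust-debug" else []` and then calling `install(session, *build_args, f".[{extras}]")` removes the duplicated call. `tests()` starts before and continues past the hunk.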
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 08, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "1b40d99d6a90d0039e9021adde5ad4de743cf0ad"}} - # Latest commit on the OpenSSL master branch, as of Aug 08, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e77eb1dc0be75c98c53c932c861dd52e8896cc13"}} + # Latest commit on the BoringSSL master branch, as of Aug 09, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "369fe288e29ce8b2b39fccfc08441bdd7100a28a"}} + # Latest commit on the OpenSSL master branch, as of Aug 09, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "250a7adbea455051da09c24fdb669ef6133e493a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From aa5ab189ab8d66e61f8e83f0e8988c6b6b21566f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 10 Aug 2024 00:15:36 +0000 Subject: [PATCH 0943/1462] Bump BoringSSL and/or OpenSSL in CI (#11412) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 09162f5aba13..d650853b52e8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 09, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "369fe288e29ce8b2b39fccfc08441bdd7100a28a"}} - # Latest commit on the OpenSSL master branch, as of Aug 09, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "250a7adbea455051da09c24fdb669ef6133e493a"}} + # Latest commit on the BoringSSL master branch, as of Aug 10, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "aaf59e8d8d17308442d9211e670c7f9718362ceb"}} + # Latest commit on the OpenSSL master branch, as of Aug 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "11adb943ab9e82e2b2dd69c0b41ccb437304b186"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From cbaddf7dc9cf7d98de711d15ad9a10f3652173e2 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 11 Aug 2024 00:26:21 +0000 Subject: [PATCH 0944/1462] Bump BoringSSL and/or OpenSSL in CI (#11413) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d650853b52e8..eadb99ea382f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 10, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "aaf59e8d8d17308442d9211e670c7f9718362ceb"}} - # Latest commit on the OpenSSL master branch, as of Aug 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "11adb943ab9e82e2b2dd69c0b41ccb437304b186"}} + # Latest commit on the BoringSSL master branch, as of Aug 11, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "11f334121fd0d13830fefdf08041183da2d30ef3"}} + # Latest commit on the OpenSSL master branch, as of Aug 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3416c0bff9749fc3a4e654ce9919e318663e165d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 7e2252d4caaf2474a6aace878cce22f910cfe5da Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 11 Aug 2024 13:22:01 +0000 Subject: [PATCH 0945/1462] Bump actions/attest-build-provenance from 1.4.0 to 1.4.1 (#11414) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.4.0 to 1.4.1. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/210c1913531870065f03ce1f9440dd87bc0938cd...310b0a4a3b0b78ef57ecda988ee04b132db73ef8) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index f0bab7385dc2..a8ae14a2e9d9 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -93,7 +93,7 @@ jobs: # Do not perform attestation for things for TestPyPI. This is because # there's nothing that would prevent a malicious PyPI from serving a # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@210c1913531870065f03ce1f9440dd87bc0938cd # v1.4.0 + - uses: actions/attest-build-provenance@310b0a4a3b0b78ef57ecda988ee04b132db73ef8 # v1.4.1 with: subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' From c96619ec828c55d3843e3660ea2912f004efc052 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 11 Aug 2024 13:25:20 +0000 Subject: [PATCH 0946/1462] Bump cc from 1.1.8 to 1.1.10 in /src/rust (#11415) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.8 to 1.1.10. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.8...cc-v1.1.10) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6fed400042e0..2c2de182918e 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.8" +version = "1.1.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "504bdec147f2cc13c8b57ed9401fd8a147cc66b67ad5cb241394244f2c947549" +checksum = "e9e8aabfac534be767c909e0690571677d49f41bd8465ae876fe043d52ba5292" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 0ba6bfa257f5..c2610f5d382a 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.2", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.8" +cc = "1.1.10" From 4c335395a31b12b4ae10405e6bade63b65d95813 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 11 Aug 2024 13:25:48 +0000 Subject: [PATCH 0947/1462] Bump syn from 2.0.72 to 2.0.73 in /src/rust (#11416) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.72 to 2.0.73. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.72...2.0.73) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 2c2de182918e..dc29ce6878bf 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -325,9 +325,9 @@ checksum = "d369a96f978623eb3dc28807c4852d6cc617fed53da5d3c400feff1ef34a714a" [[package]] name = "syn" -version = "2.0.72" +version = "2.0.73" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dc4b9b9bf2add8093d3f2c0204471e951b2285580335de42f9d2534f3ae7a8af" +checksum = "837a7e8026c6ce912ff01cefbe8cafc2f8010ac49682e2a3d9decc3bce1ecaaf" dependencies = [ "proc-macro2", "quote", From c1ba60c114a6adc54036f0df2c3b83b593b24411 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 11 Aug 2024 21:35:21 +0000 Subject: [PATCH 0948/1462] Bump syn from 2.0.73 to 2.0.74 in /src/rust (#11419) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.73 to 2.0.74. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.73...2.0.74) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index dc29ce6878bf..051d94e4520c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -325,9 +325,9 @@ checksum = "d369a96f978623eb3dc28807c4852d6cc617fed53da5d3c400feff1ef34a714a" [[package]] name = "syn" -version = "2.0.73" +version = "2.0.74" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "837a7e8026c6ce912ff01cefbe8cafc2f8010ac49682e2a3d9decc3bce1ecaaf" +checksum = "1fceb41e3d546d0bd83421d3409b1460cc7444cd389341a4c880fe7a042cb3d7" dependencies = [ "proc-macro2", "quote", From 59796029b14170c09d51d71df21bd218d7bb5229 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 11 Aug 2024 17:37:59 -0400 Subject: [PATCH 0949/1462] Bump zipp from 3.19.2 to 3.20.0 in /.github/requirements (#11420) Bumps [zipp](https://github.com/jaraco/zipp) from 3.19.2 to 3.20.0. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.19.2...v3.20.0) --- updated-dependencies: - dependency-name: zipp dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index e1ded5c9564f..bf5ade425684 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -321,7 +321,7 @@ urllib3==2.2.2 \ # via # requests # twine -zipp==3.19.2 \ - --hash=sha256:bf1dcf6450f873a13e952a29504887c89e6de7506209e5b1bcc3460135d4de19 \ - --hash=sha256:f091755f667055f2d02b32c53771a7a6c8b47e1fdbc4b72a8b9072b3eef8015c +zipp==3.20.0 \ + --hash=sha256:0145e43d89664cfe1a2e533adc75adafed82fe2da404b4bbb6b026c0157bdb31 \ + --hash=sha256:58da6168be89f0be59beb194da1250516fdaa062ccebd30127ac65d30045e10d # via importlib-metadata From 2b561de7dbc7a459c570a4977caa20a3b74f3878 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 00:17:06 +0000 Subject: [PATCH 0950/1462] Bump BoringSSL and/or OpenSSL in CI (#11421) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index eadb99ea382f..19ce45afcc07 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Aug 11, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "11f334121fd0d13830fefdf08041183da2d30ef3"}} - # Latest commit on the OpenSSL master branch, as of Aug 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3416c0bff9749fc3a4e654ce9919e318663e165d"}} + # Latest commit on the OpenSSL master branch, as of Aug 12, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2f33265039cdbd0e4589c80970e02e208f3f94d2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From ed078a08feb6ab59a8bbbedb0ca22d18669e9c89 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 13 Aug 2024 00:16:55 +0000 Subject: [PATCH 0951/1462] Bump BoringSSL and/or OpenSSL in CI (#11424) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 19ce45afcc07..e921b2b1db8f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 11, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "11f334121fd0d13830fefdf08041183da2d30ef3"}} - # Latest commit on the OpenSSL master branch, as of Aug 12, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2f33265039cdbd0e4589c80970e02e208f3f94d2"}} + # Latest commit on the BoringSSL master branch, as of Aug 13, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5bcb626c847a10e2e631118b637c9db25593cdea"}} + # Latest commit on the OpenSSL master branch, as of Aug 13, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f3c03be3adb9bd0e37c2f0267f4b53d5e056b684"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 7fda121e69f40b16cc8bf46f9f7ea8cf217e88cb Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 13 Aug 2024 00:32:48 +0000 Subject: [PATCH 0952/1462] Bump x509-limbo and/or wycheproof in CI (#11425) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index cb9cdc881542..e7f4a8c3b537 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Aug 06, 2024. - ref: "0311da5df054bb8821b80623a32de20394b30d3a" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Aug 13, 2024. + ref: "8ac3f41f9ce1d6f24749d90a672b414348bc7282" # x509-limbo-ref From df8e11b95d479bf64e224bf73e4b7ac6743bc471 Mon Sep 17 00:00:00 2001 From: maxmelamed <50888194+maxmelamed@users.noreply.github.com> Date: Tue, 13 Aug 2024 11:42:35 -0400 Subject: [PATCH 0953/1462] Add support for extract_timestamp in MultiFernet (#11427) Co-authored-by: Max Melamed --- CHANGELOG.rst | 2 ++ src/cryptography/fernet.py | 8 ++++++++ tests/test_fernet.py | 31 +++++++++++++++++++++++++++++++ 3 files changed, 41 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 9c7119c23a35..9110fb78aeb3 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -10,6 +10,8 @@ Changelog * Enforce the :rfc:`5280` requirement that extended key usage extensions must not be empty. +* Added support for timestamp extraction to the + :class:`~cryptography.fernet.MultiFernet` class. .. _v43-0-0: diff --git a/src/cryptography/fernet.py b/src/cryptography/fernet.py index 35ce1131a921..868ecb277789 100644 --- a/src/cryptography/fernet.py +++ b/src/cryptography/fernet.py 
@@ -213,3 +213,11 @@ def decrypt_at_time( except InvalidToken: pass raise InvalidToken + + def extract_timestamp(self, msg: bytes | str) -> int: + for f in self._fernets: + try: + return f.extract_timestamp(msg) + except InvalidToken: + pass + raise InvalidToken diff --git a/tests/test_fernet.py b/tests/test_fernet.py index 7ebab3e59915..9e8b71f35ded 100644 --- a/tests/test_fernet.py +++ b/tests/test_fernet.py @@ -277,3 +277,34 @@ def test_rotate_decrypt_no_shared_keys(self, backend): with pytest.raises(InvalidToken): mf2.rotate(mf1.encrypt(b"abc")) + + def test_extract_timestamp_first_fernet_valid_token(self, backend): + f1 = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend) + mf1 = MultiFernet([f1]) + current_time = 1526138327 + token = mf1.encrypt_at_time(b"encrypt me", current_time) + assert mf1.extract_timestamp(token) == current_time + + def test_extract_timestamp_second_fernet_valid_token(self, backend): + f1 = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend) + f2 = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend) + mf1 = MultiFernet([f1, f2]) + current_time = 1526138327 + token = f2.encrypt_at_time(b"encrypt me", current_time) + assert mf1.extract_timestamp(token) == current_time + + def test_extract_timestamp_invalid_token(self, backend): + f1 = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend) + mf1 = MultiFernet([f1]) + with pytest.raises(InvalidToken): + mf1.extract_timestamp(b"nonsensetoken") + with pytest.raises(InvalidToken): + mf1.extract_timestamp(b"\x80abc") + with pytest.raises(InvalidToken): + mf1.extract_timestamp(b"\x00") + with pytest.raises(InvalidToken): + mf1.extract_timestamp("nonsensetoken") + with pytest.raises(InvalidToken): + mf1.extract_timestamp("abc") + with pytest.raises(InvalidToken): + mf1.extract_timestamp("") From 55d17057d64aa722a075a3f148f2f43b072c145f Mon Sep 17 00:00:00 2001 
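Review bot: `MultiFernet.extract_timestamp` is added without a docstring, and its contract matters to callers. It returns the timestamp from the first key whose `extract_timestamp` does not raise `InvalidToken`, and nothing in it applies a TTL. I would add a docstring stating that the token is tried against each key in order, that `InvalidToken` is raised when no key accepts it, and that the returned value is not an expiry check, so callers who need freshness still have to call `decrypt` with `ttl`. Whether each per-key call authenticates the token before returning is decided in `Fernet.extract_timestamp`, which is outside this hunk.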
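Review bot: `test_extract_timestamp_invalid_token` only feeds malformed input to a single-key `MultiFernet`, so the path where a well-formed token is rejected by every configured key is never exercised. A case that encrypts under a key the `MultiFernet` does not hold and expects `InvalidToken` would pin the property that a timestamp is only returned for a token one of the configured keys accepts. The enclosing test class starts outside the hunk.

```python
    def test_extract_timestamp_no_matching_key(self, backend):
        f1 = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
        f2 = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend)
        mf1 = MultiFernet([f1])
        token = f2.encrypt_at_time(b"encrypt me", 1526138327)
        with pytest.raises(InvalidToken):
            mf1.extract_timestamp(token)
```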
From: Alex Gaynor Date: Tue, 13 Aug 2024 12:00:06 -0400 Subject: [PATCH 0954/1462] Allow DEP_OPENSSL_INCLUDE to not be set (#11418) This can happen on pkg-config builds if the headers are in the default include path, as it seems they happen on openbsd --- src/rust/cryptography-cffi/build.rs | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/rust/cryptography-cffi/build.rs b/src/rust/cryptography-cffi/build.rs index 8a2c968e2b68..858cc72c8a6f 100644 --- a/src/rust/cryptography-cffi/build.rs +++ b/src/rust/cryptography-cffi/build.rs @@ -59,14 +59,12 @@ fn main() { print(os.pathsep.join(b.include_dirs), end='')", ) .unwrap(); - let openssl_include = - std::env::var_os("DEP_OPENSSL_INCLUDE").expect("unable to find openssl include path"); let openssl_c = Path::new(&out_dir).join("_openssl.c"); let mut build = cc::Build::new(); build .file(openssl_c) - .include(openssl_include) + .includes(std::env::var_os("DEP_OPENSSL_INCLUDE")) .flag_if_supported("-Wconversion") .flag_if_supported("-Wno-error=sign-conversion") .flag_if_supported("-Wno-unused-parameter"); From 1679186fbc2289b9540aaecbf32c085e939fd5ec Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 13 Aug 2024 17:32:33 -0700 Subject: [PATCH 0955/1462] Bump BoringSSL and/or OpenSSL in CI (#11429) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e921b2b1db8f..b7ec9498f5f2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
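Review bot: With the `expect` gone, an unset `DEP_OPENSSL_INCLUDE` is now silent. `.includes(std::env::var_os("DEP_OPENSSL_INCLUDE"))` relies on `Option` iterating over zero or one paths, so `_openssl.c` is then compiled against whatever OpenSSL headers the compiler finds on its default search path. That is presumably the intent for the pkg-config case described in the commit message, but those headers are not guaranteed to belong to the library `openssl-sys` resolved. A comment should record the assumption: `// DEP_OPENSSL_INCLUDE may be unset when the headers are on the default include path; Option yields zero or one include dirs.` `main` starts before and continues past the hunk.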
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 13, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5bcb626c847a10e2e631118b637c9db25593cdea"}} - # Latest commit on the OpenSSL master branch, as of Aug 13, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f3c03be3adb9bd0e37c2f0267f4b53d5e056b684"}} + # Latest commit on the BoringSSL master branch, as of Aug 14, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "84845ad316e4326ae47bda8483cce660c1d6c05e"}} + # Latest commit on the OpenSSL master branch, as of Aug 14, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "21bcae6561d73e629f11e19975f24283559d36c0"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 56736c6ce20def71b652be37c0693268837ed0ef Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Aug 2024 06:52:57 -0400 Subject: [PATCH 0956/1462] Bump setuptools from 72.1.0 to 72.2.0 in /.github/requirements (#11430) Bumps [setuptools](https://github.com/pypa/setuptools) from 72.1.0 to 72.2.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v72.1.0...v72.2.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index c3fb99969de9..fae3da37775c 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -98,7 +98,7 @@ tomli==2.0.1 \ # via maturin # The following packages are considered to be unsafe in a requirements file: -setuptools==72.1.0 \ - --hash=sha256:5a03e1860cf56bb6ef48ce186b0e557fdba433237481a9a625176c2831be15d1 \ - --hash=sha256:8d243eff56d095e5817f796ede6ae32941278f542e0f941867cc05ae52b162ec +setuptools==72.2.0 \ + --hash=sha256:80aacbf633704e9c8bfa1d99fa5dd4dc59573efcf9e4042c13d3bcef91ac2ef9 \ + --hash=sha256:f11dd94b7bae3a156a95ec151f24e4637fb4fa19c878e4d191bfb8b2d82728c4 # via -r build-requirements.in From 8671facf713c7e1a96d1e2a8b7b35fdc615847cd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Aug 2024 10:59:29 +0000 Subject: [PATCH 0957/1462] Bump cc from 1.1.10 to 1.1.11 in /src/rust (#11431) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.10 to 1.1.11. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.10...cc-v1.1.11) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 13 +++++++++++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 12 insertions(+), 3 deletions(-) 
diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 051d94e4520c..3027c7b9a75f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,12 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.10" +version = "1.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e9e8aabfac534be767c909e0690571677d49f41bd8465ae876fe043d52ba5292" +checksum = "5fb8dd288a69fc53a1996d7ecfbf4a20d59065bff137ce7e56bbd620de191189" +dependencies = [ + "shlex", +] [[package]] name = "cfg-if" @@ -323,6 +326,12 @@ version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d369a96f978623eb3dc28807c4852d6cc617fed53da5d3c400feff1ef34a714a" +[[package]] +name = "shlex" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" + [[package]] name = "syn" version = "2.0.74" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index c2610f5d382a..f302585fdab5 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.2", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.10" +cc = "1.1.11" From cd280f7b7c336a5b4f776107ba657cc07784bac1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 15 Aug 2024 00:16:37 +0000 Subject: [PATCH 0958/1462] Bump BoringSSL and/or OpenSSL in CI (#11432) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b7ec9498f5f2..7c7fe8d51699 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 14, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "84845ad316e4326ae47bda8483cce660c1d6c05e"}} - # Latest commit on the OpenSSL master branch, as of Aug 14, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "21bcae6561d73e629f11e19975f24283559d36c0"}} + # Latest commit on the BoringSSL master branch, as of Aug 15, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "942454eaf76539ecc32a537d260d59d44169fac0"}} + # Latest commit on the OpenSSL master branch, as of Aug 15, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8945f406a73a01862695a424679f9440f592604b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 3cc79eb7b707c88c8622f3bfe64e8c062ff3093c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 15 Aug 2024 11:23:54 +0000 Subject: [PATCH 0959/1462] Bump cc from 1.1.11 to 1.1.12 in /src/rust (#11433) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.11 to 1.1.12. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.11...cc-v1.1.12) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 3027c7b9a75f..f5cded6bf76a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.11" +version = "1.1.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5fb8dd288a69fc53a1996d7ecfbf4a20d59065bff137ce7e56bbd620de191189" +checksum = "68064e60dbf1f17005c2fde4d07c16d8baa506fd7ffed8ccab702d93617975c7" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index f302585fdab5..1822ee4587a1 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.2", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.11" +cc = "1.1.12" From cc425a278a2b745e91a6b84917a96e76e6d0680d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 15 Aug 2024 14:16:50 +0000 Subject: [PATCH 0960/1462] Bump ruff from 0.5.7 to 0.6.0 (#11434) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.5.7 to 0.6.0. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.5.7...0.6.0) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e3b2fa345d61..6fc3b0effe4b 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.5.7 +ruff==0.6.0 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From e6cf6cab9999c9885155a961a80f91bb7d3158d1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 15 Aug 2024 12:45:08 -0400 Subject: [PATCH 0961/1462] fix preview ruff warning (#11435) --- docs/_ext/linkcode_res.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/_ext/linkcode_res.py b/docs/_ext/linkcode_res.py index 9b6f427d4e88..9239252935b9 100644 --- a/docs/_ext/linkcode_res.py +++ b/docs/_ext/linkcode_res.py @@ -94,7 +94,7 @@ def linkcode_resolve(domain, info): fn = os.path.relpath(fn, start=os.path.dirname(cryptography.__file__)) if lineno: - linespec = "#L%d-L%d" % (lineno, lineno + len(source) - 1) + linespec = f"#L{lineno}-L{lineno + len(source) - 1}" else: linespec = "" From 2352ce2bb6cb3489e851ea9011040bb44a37be18 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 16 Aug 2024 00:15:11 +0000 Subject: [PATCH 0962/1462] Bump BoringSSL and/or OpenSSL in CI (#11438) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7c7fe8d51699..4eaec23d68d9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 15, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "942454eaf76539ecc32a537d260d59d44169fac0"}} - # Latest commit on the OpenSSL master branch, as of Aug 15, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8945f406a73a01862695a424679f9440f592604b"}} + # Latest commit on the BoringSSL master branch, as of Aug 16, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "16f68ed0d16844f15b5cd6408a859cd5ffc80bc4"}} + # Latest commit on the OpenSSL master branch, as of Aug 16, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a595d624c896ace0eae017ad88268fa4c686b374"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 24e7f568032940d703a01f7ea0218ca9c4999361 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Aug 2024 06:54:35 -0400 Subject: [PATCH 0963/1462] Bump cc from 1.1.12 to 1.1.13 in /src/rust (#11439) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.12 to 1.1.13. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.12...cc-v1.1.13) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index f5cded6bf76a..5f38153c5bec 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.12" +version = "1.1.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "68064e60dbf1f17005c2fde4d07c16d8baa506fd7ffed8ccab702d93617975c7" +checksum = "72db2f7947ecee9b03b510377e8bb9077afa27176fdbff55c51027e976fdcc48" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 1822ee4587a1..c535a440aa6d 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.2", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.12" +cc = "1.1.13" From e31765a483bd026fd26acda65097dec5f2122e8f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Aug 2024 06:54:55 -0400 Subject: [PATCH 0964/1462] Bump libc from 0.2.155 to 0.2.156 in /src/rust (#11440) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.155 to 0.2.156. - [Release notes](https://github.com/rust-lang/libc/releases) - [Changelog](https://github.com/rust-lang/libc/blob/0.2.156/CHANGELOG.md) - [Commits](https://github.com/rust-lang/libc/compare/0.2.155...0.2.156) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 5f38153c5bec..b543564534e2 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -161,9 +161,9 @@ checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "libc" -version = "0.2.155" +version = "0.2.156" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "97b3888a4aecf77e811145cadf6eef5901f4782c53886191b2f693f24761847c" +checksum = "a5f43f184355eefb8d17fc948dbecf6c13be3c141f20d834ae842193a448c72a" [[package]] name = "memoffset" From 6b702dde25bbc52c291ef873ef56a92a28145fc7 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 16 Aug 2024 20:52:54 -0400 Subject: [PATCH 0965/1462] Bump BoringSSL and/or OpenSSL in CI (#11441) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4eaec23d68d9..3de0fbdfca5d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Aug 16, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "16f68ed0d16844f15b5cd6408a859cd5ffc80bc4"}} - # Latest commit on the OpenSSL master branch, as of Aug 16, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a595d624c896ace0eae017ad88268fa4c686b374"}} + # Latest commit on the OpenSSL master branch, as of Aug 17, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7c3c7374ce8676331770a8f9bbc1452bbdacf3be"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 2e53f56dceedc87dad01c30b348d0c16e637fe30 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Aug 2024 14:07:53 -0400 Subject: [PATCH 0966/1462] Make nox -e local work without uv (#11442) --- noxfile.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/noxfile.py b/noxfile.py index a2ff4db9a42b..8bd3968527f1 100644 --- a/noxfile.py +++ b/noxfile.py @@ -259,7 +259,7 @@ def rust(session: nox.Session) -> None: process_rust_coverage(session, rust_tests, prof_location) -@nox.session(venv_backend="uv") +@nox.session(venv_backend="uv|venv") def local(session): pyproject_data = load_pyproject_toml() install(session, "-e", "./vectors", verbose=False) @@ -302,7 +302,7 @@ def local(session): "maturin", "develop", "--release", - "--uv", + *(["--uv"] if session.venv_backend == "uv" else []), ) if session.posargs: From 8755923903f64332e95cde6a90d2f10e29ad6ee1 Mon Sep 17 00:00:00 2001 
From: David Benjamin Date: Sat, 17 Aug 2024 14:38:57 -0400 Subject: [PATCH 0967/1462] Bump RSA-512 test keys to RSA-2048 (#11443) * Bump RSA-512 test keys to RSA-2048 RSA-512 was broken in 1999. cryptography.io should not be requesting its backend library support it in 2024. * Update test-vectors.rst The replacement keys were generated fresh, and this document seems to just cite the external ones. * Document custom test vectors --- docs/development/test-vectors.rst | 18 ++++--- tests/hazmat/primitives/test_serialization.py | 45 ++++++++++++++---- .../asymmetric/DER_Serialization/testrsa.der | Bin 320 -> 1192 bytes .../key1.pem | 34 +++++++++---- .../key2.pem | 34 +++++++++---- .../testrsa-encrypted.pem | 34 +++++++++---- .../testrsa.pem | 32 ++++++++++--- 7 files changed, 151 insertions(+), 46 deletions(-) diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index c8d0765fc854..ff34844699b3 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -31,8 +31,6 @@ Asymmetric ciphers * FIPS 186-2 and FIPS 186-3 ECDSA test vectors from `NIST CAVP`_. * DH and ECDH and ECDH+KDF(17.4) test vectors from `NIST CAVP`_. * Ed25519 test vectors from the `Ed25519 website`_. -* OpenSSL PEM RSA serialization vectors from the `OpenSSL example key`_ and - `GnuTLS key parsing tests`_. * ``asymmetric/PEM_Serialization/rsa-bad-1025-q-is-2.pem`` from `badkeys`_. * OpenSSL PEM DSA serialization vectors from the `GnuTLS example keys`_. * PKCS #8 PEM serialization vectors from 
@@ -103,8 +101,7 @@ Custom asymmetric vectors * ``asymmetric/PKCS8/unenc-dsa-pkcs8.pub.pem`` and ``asymmetric/DER_Serialization/unenc-dsa-pkcs8.pub.der`` - Contains a DSA 2048 bit public key generated using OpenSSL from ``unenc-dsa-pkcs8.pem``. -* DER conversions of the `GnuTLS example keys`_ for DSA as well as the - `OpenSSL example key`_ for RSA. +* DER conversions of the `GnuTLS example keys`_ for DSA. * DER conversions of `enc-rsa-pkcs8.pem`_, `enc2-rsa-pkcs8.pem`_, and `unenc-rsa-pkcs8.pem`_. * ``asymmetric/public/PKCS1/rsa.pub.pem`` and @@ -175,6 +172,17 @@ Custom asymmetric vectors * ``asymmetric/PKCS8/rsa_pss_2048_hash_mask_salt.pem`` - A 2048-bit RSA PSS key with the hash (SHA256), mask algorithm (SHA256), and salt length (32) PSS parameters set. +* ``asymmetric/Traditional_OpenSSL_Serialization/testrsa.pem`` - A 2048-bit RSA + key, encoded as a "traditional" ``RSA PRIVATE KEY`` PEM block, rather than a + ``PRIVATE KEY`` block. +* ``asymmetric/Traditional_OpenSSL_Serialization/testrsa-encrypted.pem`` - The + above, encrypted at the PEM level with AES-128-CBC and password "password". +* ``asymmetric/Traditional_OpenSSL_Serialization/key1.pem`` - The above, + encrypted at the PEM level with DES-EDE3-CBC and password "123456". +* ``asymmetric/Traditional_OpenSSL_Serialization/key2.pem`` - The above, + encrypted at the PEM level with AES-128-CBC and password "a123456". +* ``asymmetric/DER_Serialization/testrsa.der`` - The above as a DER-encoded + RSAPrivateKey structure. Key exchange 
@@ -1069,8 +1077,6 @@ header format (substituting the correct information): .. _`draft RFC`: https://datatracker.ietf.org/doc/html/draft-josefsson-scrypt-kdf-01 .. _`Specification repository`: https://github.com/fernet/spec .. _`errata`: https://www.rfc-editor.org/errata_search.php?rfc=6238 -.. _`OpenSSL example key`: https://github.com/openssl/openssl/blob/d02b48c63a58ea4367a0e905979f140b7d090f86/test/testrsa.pem -.. _`GnuTLS key parsing tests`: https://gitlab.com/gnutls/gnutls/-/commit/f16ef39ef0303b02d7fa590a37820440c466ce8d .. _`enc-rsa-pkcs8.pem`: https://gitlab.com/gnutls/gnutls/blob/f8d943b38bf74eaaa11d396112daf43cb8aa82ae/tests/pkcs8-decode/encpkcs8.pem .. _`enc2-rsa-pkcs8.pem`: https://gitlab.com/gnutls/gnutls/blob/f8d943b38bf74eaaa11d396112daf43cb8aa82ae/tests/pkcs8-decode/enc2pkcs8.pem .. _`unenc-rsa-pkcs8.pem`: https://gitlab.com/gnutls/gnutls/blob/f8d943b38bf74eaaa11d396112daf43cb8aa82ae/tests/pkcs8-decode/unencpkcs8.pem diff --git a/tests/hazmat/primitives/test_serialization.py b/tests/hazmat/primitives/test_serialization.py index 51fcc3563d8a..32e0ded0ead5 100644 --- a/tests/hazmat/primitives/test_serialization.py +++ b/tests/hazmat/primitives/test_serialization.py 
@@ -608,34 +608,61 @@ def test_rsa_traditional_encrypted_values(self, backend): numbers = pkey.private_numbers() assert numbers.p == int( - "fb7d316fc51531b36d93adaefaf52db6ad5beb793d37c4cf9dfc1ddd17cfbafb", + "f8337fbcd4b54e14d4226889725d9dc713e40c87e62ce1886a517c729b3d133d" + "c519bfb026081788509d2b503bc0966bdc67c45771e41f9844cee1be968b3263" + "735d6c47d981dacfde1fe2110c4acbfe656599890b8f131c20d246891959f45d" + "06d4fadf205f94f9ea050c661efdc760d7471a1963bf16333837ef6dc4f8dbaf", 16, ) assert numbers.q == int( - "df98264e646de9a0fbeab094e31caad5bc7adceaaae3c800ca0275dd4bb307f5", + "bf8c2ad54acf67f8b687849f91ece4761901e8abc8b0bc8604f55e64ad413a62" + "02dbb28eac0463f87811c1ca826b0eeafb53d115b50de5a775f74c5e9cf8161b" + "fc030f5e402664388ea1ef7d0ade85559e4e68cef519cb4f582ec41f994249d8" + "b860a7433f0612322827a87b3cc0d785075811b76bccbc90ff153a11592fa307", 16, ) assert numbers.d == int( - "db4848c36f478dd5d38f35ae519643b6b810d404bcb76c00e44015e56ca1cab0" - "7bb7ae91f6b4b43fcfc82a47d7ed55b8c575152116994c2ce5325ec24313b911", + "09a768d21f58866d690aeb78f0d92732aa03fa843f960b0799dfc31e7d73f1e6" + "503953c582becd4de92d293b3a86a42b2837531fdfc54db75e0d30701801a85c" + "120e997bce2b19290234710e2fd4cbe750d3fdaab65893c539057a21b8a2201b" + "4e418b6dff47423905a8e0b17fdd14bd3b0834ccb0a7c203d8e62e6ab4c6552d" + "9b777847c874e743ac15942a21816bb177919215ee235064fb0a7b3baaafac14" + "92e29b2fc80dc16b633525d83eed73fa47a55a9894148a50358eb94c62b19e84" + "f3d7daf866cd6a606920d54ba41d7aa648e777d5269fe00b12a8cf5ccf823f62" + "c1e8dc442ec3a7e3356913f444919baa4a5c7299345817543b4add5f9c1a477f", 16, ) assert numbers.dmp1 == int( - "ce997f967192c2bcc3853186f1559fd355c190c58ddc15cbf5de9b6df954c727", + "e0cdcc51dd1b0648c9470d0608e710040359179c73778d2300a123a5ae43a84c" + "d75c1609d6b8978fe8ec2211febcd5c186151a79d57738c2b2f7eaf1b3eb09cd" + "97ed3328f4b1afdd7ca3c61f88d1aa6895b06b5afc742f6bd7b27d1eaa2e96ad" + "3785ea5ff4337e7cc9609f3553b6aa42655a4a225afcf57f98d8d8ecc46e5e93", 16, ) assert numbers.dmq1 == 
int( - "b018a57ab20ffaa3862435445d863369b852cf70a67c55058213e3fe10e3848d", + "904aeda559429e870c315025c88e9497a644fada154795ecbb657f6305e4c22f" + "3d09f51b66d7b3db63cfb49571e3660c7ba16b3b17f5cd0f765d0189b0636e7c" + "4c3e9de0192112944c560e8bba996005dc4822c9ec772ee1a9832938c881d811" + "4aeb7c74bad03efacba6fc5341b3df6695deb111e44209b68c819809a38eb017", 16, ) assert numbers.iqmp == int( - "6a8d830616924f5cf2d1bc1973f97fde6b63e052222ac7be06aa2532d10bac76", + "378a3ae1978c381dce3b486b038601cf06dfa77687fdcd2d56732380bff4f32e" + "ec20027034bcd53be80162e4054ab7fefdbc3e5fe923aa8130d2c9ab01d6a70f" + "da3615f066886ea610e06c29cf5c2e0649a40ca936f290b779cd9e2bc3b87095" + "26667f75a1016e268ae3b9501ae4696ec8c1af09dc567804151fdeb1486ee512", 16, ) assert numbers.public_numbers.e == 65537 assert numbers.public_numbers.n == int( - "dba786074f2f0350ce1d99f5aed5b520cfe0deb5429ec8f2a88563763f566e77" - "9814b7c310e5326edae31198eed439b845dd2db99eaa60f5c16a43f4be6bcf37", + "b9b651fefc4dd4c9b1c0312ee69f0803990d5a539785dd14f1f6880d9198ee1f" + "71b3babb1ebe977786b30bea170f24b7a0e7b116f2c6908cf374923984924187" + "86de9d4e0f5f3e56d7be9eb971d3f8a4f812057cf9f9053b829d1c54d1a340fe" + "5c90a6e228a5871da900770141b4c6e6f298409718cb16467a4f5ff63882b204" + "255028f49745dedc7ca4b5cba6d78acf32b650f06bf81862eda0856a14e8767e" + "d4086342284a6f9752e96435f7119a05cc3220a954774a931dbebe1f1ab0df9d" + "aeaedb132741c3b5c48e1a1426ccd954fb9b5140c14daec9a79be9c7c8e50610" + "dfb489c7539999cfc14ac75765bab4ae8a8df5d96c3de34c12435b1a02cf6ec9", 16, ) 
diff --git a/vectors/cryptography_vectors/asymmetric/DER_Serialization/testrsa.der b/vectors/cryptography_vectors/asymmetric/DER_Serialization/testrsa.der index 79cc1cec07353068a455850306c32c7fe2ffa647..4902784ce13d1b4d6f62915d4935db7f7fb0ae35 100644 GIT binary patch literal 1192 zcmV;Z1Xueof&`=j0RRGm0RaHHwo(54P1MP;z%ef7p9lk)4O&x|h20eK_J|FUnC>5O zv%0$;zL$4~vkU4M4p)A*$L5(Rwu z`2{0~wc5t;?eG9al`cS@5TzP=wC zu-~1ouGyIgLt7dG&u+;A0|5X50)hbm38!e%A6SNMX$tFj@YyFasss9jKb8vzncu@6 zeRJ{VP&re@g1*g7=`ATcI)Kn%KJ9b*N2OYrloX0k zHIBJVVzHit^Viz=X3c6~X&}{0q#b&uNauIeCZFI75~$By&w@W`af#Tmb_CI}aZP@OAKJHVD}+-JmBapWJEM9$&9mWwiDb6spl*@4>6-XG!-3`)!X zWo4O(3y%{VAks#O8CmpQ2GsiBAYYXE>IDpD9{tB)*GC!|W4{(NI5+QY#Q58<0)c@5 zzls zwGHK`b@xnOocI~}8Vse>sv$br}qO6z=d zy3juQ%clHOL9^dxmEN%t%As7Hd!VyW%h%{^{7WS#86?r{B(ehZq5H zP@l+7{TH>n0?J*`qaucevw+KVZ#=F{-^i|AJpuy(009C(XLl#fq1Q9^@foCf2^~?a zJ!%vX6@G*Th~fRX@?bHl0J?+(io?fM#zQH?uj2tA>-5N+0v85xB7)klM?12i0wDnR zAZIly-z8|E2B@O{6m4_ysCjUsp@A}~@7qjsk^Y$iApo%c0i1@AOwSUU_bDBm5GC22 z9C-#P3peaH@r$m)4fHfPMLXWQP=?Joi=l*B- zhF_8)pcobSaEq>TOvIaw;Pqn^j}!mUX-ePQ$jT^j0wDmKDV~H>Q_#!mTbw{B40}Ea SE%0?p!B||_yap(7G!2tEYmWf{ diff --git a/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/key1.pem b/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/key1.pem index 50ad95cfbf82..cf27f92c618c 100644 --- a/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/key1.pem +++ b/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/key1.pem 
@@ -1,12 +1,30 @@ -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED -DEK-Info: DES-EDE3-CBC,82B2F7684A1713F8 +DEK-Info: DES-EDE3-CBC,F277212EDBD61604 -1zzOuu89dfFc2UkFCtSJBsBeEFxV8wE84OSxoWu4aYkPhl1LR08BchaTbjeLTP0b -t961vVpva0ekJkwGDEgmqlGjmhJq9y2sJfq7IeYa8OdTilfGrG1xeJ1QGBi6SCfR -s/PhkMxwGBtrZ2Z7bEcLT5dQKmKRqsthnClQggmngvk7zX7bPk0hKQKvf+FDxt6x -hzEaF3k9juU6vAVVSakrZ4QDqk9MUuTGHx0ksTDcC4EESS0l3Ybuum/rAzR4lQKR -4OLmAeYBDl+l/PSMllfd5x/z1YXYoiAbkpT4ix0lyZJgHrvrYIeUtJk2ODiMHezL -9BbK7EobtOGmrDLUNVX5BpdaExkWMGkioqzs2QqD/VkKu8RcNSsHVGqkdWKuhzXo -wcczQ+RiHckN2uy/zApubEWZNLPeDQ499kaF+QdZ+h4RM6E1r1Gu+A== +18phyq8pG3Tgov4rWiT0moaDbzIOk7v4/4Jnw3sc6IuMFmAYnIKHRs75hQdlFAxG +uSXcAKzCzjhkzgSNyNaJ8ZgeDM+DskDTA109iQWCeSxKZkuHBm2Xux9p7ynEhrMf ++z0Dd5W36KRPs0PRwVoUAv/AYaLizBbAXaEx/e21uDB2cVnA2EhjEXEz7KZnqTWm +qbSEAv/IJos1Eh1IvLupxh5naaRxfrHZgKu638ybxuxzJx+zn2DeB7g9uqVf3lCp +B5bsoqumIhxBmIS7pKeWIq+GFVQuuHcDozRVolFuUvMkPdPfaGQjLI+ynaAfA9WH +MULcRcBL+S8cp4xv8jmyW0n4Elak0ixw1UJLjeSrIGYLB+ZkYXPiUjhYZPzbKzdE +rLstyGfFXH8Vjw6921P6iVH/JvskF9aj4NvYyZqxo9YznIN9nI8GWmqJgLyIYHET +Ur5mp1/O+KGLWMzfX09/fUVF/mXBibcnJ/sixGCH4yNZR5kpnas6H8SmaGgKE1zk +KYeuicGHm6nZ/uyjoL/AwvbUL1y9tHJ0vn816cCRdJ4ELZ5dotGPREPmkWzjv08A +ZeTmdsgsGuUY/5mKZdIqlWCgrSKaZvS81+5tYgf0qMLBsAbLPDJy9kzTwCsEYxmh +x9QxUeQ/UWVsMn6JqeBVp0B5z/sLcdx6GkFVGs9U2Al3aykVhrVq+0RUiYafluod +Mkz1AczAxFtqdgaQIJbrwEAXoMc8/l8dunbuYoRuuf1y259U61aTm6wcknnDUZKs +13sDVdcRZq1Lc1JI3B586Z7Jh0r/4HPiK1zearKLBPKZA6kEj4RzG3GUQVPxzpoD +NDP8FxVgMy022+gylWr2EwZ/QWigIKeop0qRCeuPgju44Fvf0Z300GmpIwOjsPWT +Ksmqw+erTT2UcN62z4+J0TvL44T9wpWbPcyxOe1r5HLpRkkBebMPNMlPZ4WGagsz +jn0ctw7GwsJbKgyqturB83ZfuJv9lGkrXHOjrjeQNCebYDmybHl/aag8BKKYOiFW +MkHmda+Jmq817aqcwVedMKs4CwdrE6frp2wgAIngzCILLVfyTa8v5HxpkezpKS3p +Lia3/xkSrJwzd9ncNe43OVDlFbTE6fm/ycES8vhvS2NotuL/gZ9WpLOFPKCFl2CZ +Cg6CUlTngEevd8kUrlt8BIEOPyhWqZOkxb1Q+Jr7PUQjgjQXmuxYoZ647xOYdIbd +RQZd3oEFjQYTXTT7hHOuB+FehaJPEfIqJDIxVSs0gVhETaCn7L7jcq3uko3W2IpV +qbVYBDv6+ae6Ia0dSTCtWGmqj0heIE1OOtMe7do0RijeeUz8snn6N7GYxVsQv+dg 
+0zeV/2RdPz/N898agdJZywjCUwxVPIKXl4MpFEy79rhGBq7q8aImDRlrdMZNy9BJ +nARaiDZ0ifmdh+smPWj/WuiAsYnuJBEFAQ88xECHbSXeJ6+Y/VS2jaJlMtL2tObW +mB/vq+Kfj6yfMxYaxtjOIpqBQfGZVlNwkq9BEeEwUcas5QBrRktUS5taU3/FlfyC +P3DsU4vseQILnqmEty7TWdHqw3up3Japzc3cTP9h4xxXuux+FmRuVdq0lfSPXB5E -----END RSA PRIVATE KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/key2.pem b/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/key2.pem index 6bd476d7593d..7fdd12338729 100644 --- a/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/key2.pem +++ b/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/key2.pem 
@@ -1,12 +1,30 @@ -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,2A57FF97B701B3F760145D7446929481 +DEK-Info: AES-128-CBC,5334E33DCBCAB62637BB26E3CD983AC1 -mGAPhSw48wZBnkHOhfMDg8yL2IBgMuTmeKE4xoHi7T6isHBNfkqMd0iJ+DJP/OKb -t+7lkKjj/xQ7w/bOBvBxlfRe4MW6+ejCdAFD9XSolW6WN6CEJPMI4UtmOK5inqcC -8l2l54f/VGrVN9uavU3KlXCjrd3Jp9B0Mu4Zh/UU4+EWs9rJAZfLIn+vHZ3OHetx -g74LdV7nC7lt/fjxc1caNIfgHs40dUt9FVrnJvAtkcNMtcjX/D+L8ZrLgQzIWFcs -WAbUZj7Me22mCli3RPET7Je37K59IzfWgbWFCGaNu3X02g5xtCfdcn/Uqy9eofH0 -YjKRhpgXPeGJCkoRqDeUHQNPpVP5HrzDZMVK3E4DC03C8qvgsYvuwYt3KkbG2fuA -F3bDyqlxSOm7uxF/K3YzI44v8/D8GGnLBTpN+ANBdiY= +7C3LlvoHTY/cpg8x875/vmWoV3mjePa0zUR1gwALdijlG3w+aQyzZWKlo8NSSAgt +i67PjT5dP6E842m1tOguLFuuBbu8jOuxQPMMUNECG6qot9wHikJ07UlnYhOEqW1v +v9tvTKkfLpK9lCNBPyDNgmF4n9MNePQonqLDqz0ezp6o7+mFkbtN1L21QIo7rafw +E2zoJ17Qx8zx36YxpO/DPF2x2YMgPsClLTRHVRYr6rNsH6r+feVMIrsAX4riL7pP +I0tQRGuLnK/n0AcMTnmwhp2jbbKdWVv7ptkEwrYNWGSBlvDUoxXOtw3HBjeyFpZw +2/8rZE07AG0Iek35eLZMwPsmERRyIX037x2vwHpsYnYHoAME6wqoxClo+0HnYOKM +1a8SCaocOvstNEKtllOfxyUSLpz/xXpHU9COUtVhuXZbF/x3+3uK/Qgo6zDpjz8J +6ghbBtuFcBxV5sBMau+6M3lXqzwRdAvcEEh3UVbVRI9Wm5IGo0lor7OVdoTxFCzu +nSin+IBTTzwlZNGoSS1PRq+Ta/BtC8pAT0JnL1yi5QO9Kbrwf5kxMMIkIsK0b3OH +MleHNwC08On9si9btnmpdQuFphL4I68N0NomYHPdZj77uAbTUlVSQ5Cm8IYmHT7/ +fiU2MwJLzMYwi3vAIgxKY89LqQLaUSj3H6OjusPlLHVxnpSPid8CDfCCE6bU0vru +XRnC1lEoES55N992+HSDHOyKFT4IdofehOw09mFB11yZGZb6ER2urEqzmjaAoeRv +0rFS7r61AaGRxtmIOhdXwovHfkxcF9dpU6hnEON/EaBS9NZv8RxuLMBv042eM0tJ +YxV8Q/w4YgQXHnPo3YNyKdSF1ZecZ0Si4LEL8vUHiQOF3k1PrPd4QO8G4wC/bv8a +zJzk3xEd3NyewU2v1S9fcbNIqT5NPjnF3EfYc0iORGYfcdrEuiGIbWut5h2GFnXX +gOFXjQfTkQzdOTxLIRKHLfB/Eo6pR/YymBk9QVt+YdGvPxrwiXIu9ZxErB2pArxX +m9RRt/Uwz1QygnmRZGxuMeO1HnbZ1ZujGnt347QQD5g6rJmPQBxM3eBLR0Arqif5 +qiuiCOSDAHym2g23cku1VK2/VBOQLZAe6MLSefw6KZJLSnmWFZU2Aat9oz/5dpt0 +BcX5DKUyPjF3goEfn+jfF3SNTZ/qBKpylQlDgJRxTOYwbMuNoBgJkrrp7ccPp+v4 +mytkxZbxXcGGjxL1NDRkIgZXNFxI9QHpRGIsAuYdGXWmOlI7rkZL8GtAHRV5ZZ9e 
+t99di0e5iNGwLqFTfSiUeaQNYXMxgbILYLNdHXUkYQ0tepQTTVGwOVYBhjTRiTpd +5e2IBOjugCfzaxAHJxotp0MhCoLoqKB10s2q4J+VxkPkOlyp9tzSsya2AD1HEACk +sT2f/9w4z4QfiEZrOn4aShsgA3XSrX2zw5CTWnxqsAN/7ki1hJMuzc/C3aq83jw4 +sWhzz3Q0JVTkSzQVERPZDHsSHTZ2D5Yw5ONOJ16umrvtGZIQeQwraHWYngbE5gfK +Hf0TvybJnNupQ4+lNQx1ee1KGTO83nOi17qCWseV3PJiocQ0/n+JMbYDJ2QG//ea -----END RSA PRIVATE KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/testrsa-encrypted.pem b/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/testrsa-encrypted.pem index cacab087c0f6..8bf362ecc319 100644 --- a/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/testrsa-encrypted.pem +++ b/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/testrsa-encrypted.pem 
@@ -1,12 +1,30 @@ -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,5E22A2BD85A653FB7A3ED20DE84F54CD +DEK-Info: AES-128-CBC,2371A6F3F6DEF67420EED171CA8434D6 -hAqtb5ZkTMGcs4BBDQ1SKZzdQThWRDzEDxM3qBfjvYa35KxZ54aic013mW/lwj2I -v5bbpOjrHYHNAiZYZ7RNb+ztbF6F/g5PA5g7mFwEq+LFBY0InIplYBSv9QtE+lot -Dy4AlZa/+NzJwgdKDb+JVfk5SddyD4ywnyeORnMPy4xXKvjXwmW+iLibZVKsjIgw -H8hSxcD+FhWyJm9h9uLtmpuqhQo0jTUYpnTezZx2xeVPB53Ev7YCxR9Nsgj5GsVf -9Z/hqLB7IFgM3pa0z3PQeUIZF/cEf72fISWIOBwwkzVrPUkXWfbuWeJXQXSs3amE -5A295jD9BQp9CY0nNFSsy+qiXWToq2xT3y5zVNEStmN0SCGNaIlUnJzL9IHW+oMI -kPmXZMnAYBWeeCF1gf3J3aE5lZInegHNfEI0+J0LazC2aNU5Dg/BNqrmRqKWEIo/ +PqAIAklz79i2dRUlG7yUZQ03i951enRysHzT8iaU+UNO5BJwqQX/menlS7Ct3y55 +unPcY+Jx1yVerEPgIjhe9DR/HuqqH5TlC+OvfCsdlzj1+QJE3S7pQ/hwsuShNslM +RCppzdpYBpFI9Hc5LUJB32J2VP//1Y112+Cw+gS27Q8ZiWhH3ljYZpa6pcD6irk8 +JKSbC1pITxAy/66Cnf7CSKDj1852vwr9anUOr3Rq4CaDao0gNgV9qI+afzGYK0is +fqmyCSlazjNE2j4+mq3DSZB4CWMKVtJnNYcyPor+Xsfa48idY4sFjcxgVTb9kUGe +GoZTWW0uDfC1SM2fRMvc2AUvZ1E9NCC79yvJ4/joiNU3On5I221IdVQHmVLde2Y+ +RXmu2B4STboFkaHz4VTJp5iZzYjS5qYOYnwCdidiqi1VplNKpVIKcx7bY/ZqSSSQ +JHX5bUhmMFZaIQfXdO6sZZYel93enurPf64Yo3yoyoe9X2FxvIWF0bcNH7WDmpDi +T15VafsNu/x6ZGqjoF3cqeuI/ymJZ4Sx1GpWjqp9QQEp0vRnAA/kge7zs+WC3X8v +IV6/Tq5zGvhekDS9eHu11dR541CDxbWnIdwnxj5yluQPyzPbHLvSGMi5Rp6QyuT9 +wl9G5PJQGbLExnSAT55aBvFxA/OYW1yn80LutqCq2Vw9CW7JcvV2XPqa6y6nxmMf +gwDR6lwOIVzxx5jd+jjck4S5LOyswA4egbtTTJ5NEXLVBGZKqHS6tAd92oPmonuB +FHfKcqGGoMUYW0CKnPzyI1iCSKqiMaoQ8Ihpw1kdU0X3dC3uFsoYwYpebhWYQhus +DVcdLFgkHNQPg6jZ84V15y1kvlj4h57bUysurxbTSSy1L7bEDu5NNKkpvotKwPTH +qdk8rW1FyXcNGmuz6hmEMatySvpkyyIT81BMHkiT69i6KHedKxitRg3d7czZVyUA +iucnuyKg3+YeOwuZx4agxPVgWcHjiPJkbipyaAKUYZ3pPjU5ZiFBnNhESToZ+MyS +jUJL00yc1OgKa3LmBM0DRjhMWOFrDBOLFlzz6q/FIkj25PfvHApjZvVtfu8lj5tf ++uIIGHx7tgizGPwht/ZD1ah4QTo/hBr4tInFm0DWyHVgbwcY5+f2naWswRk91V/f +VVBaFO7GrjOF1Ej8CcdlUAt/drTtUf1Oehla9F3r17qXjD6+QRMY3LFcrCP0szet +aq8QyB1Z8PqwfAPV5JdBKlTDwCRdoEMPEjnTq0t5AXWPkhRjTvumWE3rl/HYbZla 
+0D+uMhWiA1Z0YQie8hxI5ZflZkfLAEk+5IFrOzTYZcPM9KqKMnrF/lvAi/mPb1lD +sEQypp+6SxhVI34rFySwSDxb/Wg6DqPXhCEOciYpDLkrkMBLcHz73x1njPuZ3wVS +iaxhInMljtTNZFDMKlNGFd2tI6CWDffkU106dwSqJ0KiQWnkZuF41rIkYSVxHU1S +iRvCDGHpisx2hzF1m+ZEsR5WmNKoI7C+XCiN9cZPGVOy/Kv6WyZDRSp6x4n2Whp7 +7qWzffq+OPGJpsG92L7mKCpvdveJtkCilxi/thkDnRtLzkiuANTyoQ2re9pMADl5 -----END RSA PRIVATE KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/testrsa.pem b/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/testrsa.pem index aad21067a8f7..b8176670327f 100644 --- a/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/testrsa.pem +++ b/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/testrsa.pem 
@@ -1,9 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBPAIBAAJBAKrbeqkuRk8VcRmWFmtP+LviMB3+6dizWW3DwaffznyHGAFwUJ/I -Tv0XtbsCyl3QoyKGhrOAy3RvPK5M38iuXT0CAwEAAQJAZ3cnzaHXM/bxGaR5CR1R -rD1qFBAVfoQFiOH9uPJgMaoAuoQEisPHVcZDKcOv4wEg6/TInAIXBnEigtqvRzuy -oQIhAPcgZzUq3yVooAaoov8UbXPxqHlwo6GBMqnv20xzkf6ZAiEAsP4BnIaQTM8S -mvcpHZwQJdmdHHkGKAs37Dfxi67HbkUCIQCeZGliHXFa071Fp06ZeWlR2ADonTZz -rJBhdTe0v5pCeQIhAIZfkiGgGBX4cIuuckzEm43g9WMUjxP/0GlK39vIyihxAiEA -mymehFRT0MvqW5xAKAx7Pgkt8HVKwVhc2LwGKHE0DZM= +MIIEpAIBAAKCAQEAubZR/vxN1MmxwDEu5p8IA5kNWlOXhd0U8faIDZGY7h9xs7q7 +Hr6Xd4azC+oXDyS3oOexFvLGkIzzdJI5hJJBh4benU4PXz5W176euXHT+KT4EgV8 ++fkFO4KdHFTRo0D+XJCm4iilhx2pAHcBQbTG5vKYQJcYyxZGek9f9jiCsgQlUCj0 +l0Xe3Hyktcum14rPMrZQ8Gv4GGLtoIVqFOh2ftQIY0IoSm+XUulkNfcRmgXMMiCp +VHdKkx2+vh8asN+drq7bEydBw7XEjhoUJszZVPubUUDBTa7Jp5vpx8jlBhDftInH +U5mZz8FKx1dlurSuio312Ww940wSQ1saAs9uyQIDAQABAoIBAAmnaNIfWIZtaQrr +ePDZJzKqA/qEP5YLB5nfwx59c/HmUDlTxYK+zU3pLSk7OoakKyg3Ux/fxU23Xg0w +cBgBqFwSDpl7zisZKQI0cQ4v1MvnUNP9qrZYk8U5BXohuKIgG05Bi23/R0I5Bajg +sX/dFL07CDTMsKfCA9jmLmq0xlUtm3d4R8h050OsFZQqIYFrsXeRkhXuI1Bk+wp7 +O6qvrBSS4psvyA3Ba2M1Jdg+7XP6R6VamJQUilA1jrlMYrGehPPX2vhmzWpgaSDV +S6QdeqZI53fVJp/gCxKoz1zPgj9iwejcRC7Dp+M1aRP0RJGbqkpccpk0WBdUO0rd +X5waR38CgYEA+DN/vNS1ThTUImiJcl2dxxPkDIfmLOGIalF8cps9Ez3FGb+wJggX +iFCdK1A7wJZr3GfEV3HkH5hEzuG+losyY3NdbEfZgdrP3h/iEQxKy/5lZZmJC48T +HCDSRokZWfRdBtT63yBflPnqBQxmHv3HYNdHGhljvxYzODfvbcT4268CgYEAv4wq +1UrPZ/i2h4SfkezkdhkB6KvIsLyGBPVeZK1BOmIC27KOrARj+HgRwcqCaw7q+1PR +FbUN5ad190xenPgWG/wDD15AJmQ4jqHvfQrehVWeTmjO9RnLT1guxB+ZQknYuGCn +Qz8GEjIoJ6h7PMDXhQdYEbdrzLyQ/xU6EVkvowcCgYEA4M3MUd0bBkjJRw0GCOcQ +BANZF5xzd40jAKEjpa5DqEzXXBYJ1riXj+jsIhH+vNXBhhUaedV3OMKy9+rxs+sJ +zZftMyj0sa/dfKPGH4jRqmiVsGta/HQva9eyfR6qLpatN4XqX/QzfnzJYJ81U7aq +QmVaSiJa/PV/mNjY7MRuXpMCgYEAkErtpVlCnocMMVAlyI6Ul6ZE+toVR5Xsu2V/ +YwXkwi89CfUbZtez22PPtJVx42YMe6FrOxf1zQ92XQGJsGNufEw+neAZIRKUTFYO +i7qZYAXcSCLJ7Hcu4amDKTjIgdgRSut8dLrQPvrLpvxTQbPfZpXesRHkQgm2jIGY 
+CaOOsBcCgYA3ijrhl4w4Hc47SGsDhgHPBt+ndof9zS1WcyOAv/TzLuwgAnA0vNU7 +6AFi5AVKt/79vD5f6SOqgTDSyasB1qcP2jYV8GaIbqYQ4Gwpz1wuBkmkDKk28pC3 +ec2eK8O4cJUmZn91oQFuJorjuVAa5GluyMGvCdxWeAQVH96xSG7lEg== -----END RSA PRIVATE KEY----- From c2aad20ef8e5f0ff490197b67c29cbea0f98403d Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Sat, 17 Aug 2024 15:48:58 -0400 Subject: [PATCH 0968/1462] Remove unnecessary test dependencies on RSA-512 (#11444) * Remove unnecessary test dependencies on RSA-512 test_unsupported_hash and test_prehashed_digest_mismatch work just fine with realistic RSA key sizes. (They also, as written, silently test nothing when the backend rejects RSA-512. As a reminder, RSA-512 was broken since 1999.) test_rsa_fips_small_key wants a small key, but I assume RSA-1024 is fine. * Keep using RSA-512 for test_rsa_fips_small_key as a RHEL-8 accommodation --- tests/hazmat/primitives/test_rsa.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index ddd1dad5c41f..2f4783cd92fd 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -821,8 +821,8 @@ def test_prehashed_digest_length( ), skip_message="Does not support PSS.", ) - def test_unsupported_hash(self, rsa_key_512: rsa.RSAPrivateKey, backend): - private_key = rsa_key_512 + def test_unsupported_hash(self, rsa_key_2048: rsa.RSAPrivateKey, backend): + private_key = rsa_key_2048 message = b"one little message" pss = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=0) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH): 
@@ -850,9 +850,9 @@ def test_unsupported_hash_pss_mgf1(self, rsa_key_2048: rsa.RSAPrivateKey): skip_message="Does not support PSS.", ) def test_prehashed_digest_mismatch( - self, rsa_key_512: rsa.RSAPrivateKey, backend + self, rsa_key_2048: rsa.RSAPrivateKey, backend ): - private_key = rsa_key_512 + private_key = rsa_key_2048 message = b"one little message" h = hashes.Hash(hashes.SHA512(), backend) h.update(message) @@ -2137,6 +2137,8 @@ def test_rsa_encrypt_key_too_small(self, key_data, pad, backend): skip_message="Requires FIPS", ) def test_rsa_fips_small_key(self, rsa_key_512: rsa.RSAPrivateKey, backend): + # Ideally this would use a larger disallowed key like RSA-1024, but + # RHEL-8 thinks that RSA-1024 is allowed by FIPS. with pytest.raises(ValueError): rsa_key_512.sign(b"somedata", padding.PKCS1v15(), hashes.SHA512()) From 280b5d1ce32135554bfe9bc2e258e2f46842a0f1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 17 Aug 2024 20:24:55 -0400 Subject: [PATCH 0969/1462] Bump BoringSSL and/or OpenSSL in CI (#11445) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3de0fbdfca5d..05195c2f5ff7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
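Review bot: In the `@@ -2137,6 +2137,8 @@` hunk, `pytest.raises(ValueError)` in test_rsa_fips_small_key accepts any ValueError, so the test does not pin that the signing call is refused because of the key size, which is the property the new comment is about. If the backend's error text is stable across the FIPS builds in CI, passing a `match=` pattern to `pytest.raises` would make that explicit; otherwise the added comment could say that only the exception type is checked. The commit description says tests taking rsa_key_512 can silently test nothing when the backend rejects RSA-512; whether that can also happen to this test under FIPS is not visible here and is worth confirming. The test's decorator begins outside the hunk.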
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 16, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "16f68ed0d16844f15b5cd6408a859cd5ffc80bc4"}} - # Latest commit on the OpenSSL master branch, as of Aug 17, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7c3c7374ce8676331770a8f9bbc1452bbdacf3be"}} + # Latest commit on the BoringSSL master branch, as of Aug 18, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f64d50dcd59e1758d4472fe2c6f5a717288f2138"}} + # Latest commit on the OpenSSL master branch, as of Aug 18, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "47645bf7c63aaf08b764bfeaaa611c6673bb03a8"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From d8db8a0ac54273cf925fa71eeaa81b9601e3bdfb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 18 Aug 2024 14:27:15 +0000 Subject: [PATCH 0970/1462] Bump syn from 2.0.74 to 2.0.75 in /src/rust (#11447) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.74 to 2.0.75. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.74...2.0.75) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b543564534e2..9319e9895494 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -334,9 +334,9 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "syn" -version = "2.0.74" +version = "2.0.75" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1fceb41e3d546d0bd83421d3409b1460cc7444cd389341a4c880fe7a042cb3d7" +checksum = "f6af063034fc1935ede7be0122941bafa9bacb949334d090b77ca98b5817c7d9" dependencies = [ "proc-macro2", "quote", From 345ee18817b5e76305ba5fde17d33d2d0f667158 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 18 Aug 2024 14:28:52 +0000 Subject: [PATCH 0971/1462] Bump libc from 0.2.156 to 0.2.157 in /src/rust (#11448) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.156 to 0.2.157. - [Release notes](https://github.com/rust-lang/libc/releases) - [Changelog](https://github.com/rust-lang/libc/blob/0.2.157/CHANGELOG.md) - [Commits](https://github.com/rust-lang/libc/compare/0.2.156...0.2.157) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 9319e9895494..475d8626fb14 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -161,9 +161,9 @@ checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "libc" -version = "0.2.156" +version = "0.2.157" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a5f43f184355eefb8d17fc948dbecf6c13be3c141f20d834ae842193a448c72a" +checksum = "374af5f94e54fa97cf75e945cce8a6b201e88a1a07e688b47dfd2a59c66dbd86" [[package]] name = "memoffset" From 45f0c8d274d3f2d6cbefdd8bebfb568cf16efbf7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 18 Aug 2024 14:31:16 +0000 Subject: [PATCH 0972/1462] Bump ruff from 0.6.0 to 0.6.1 (#11449) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.6.0 to 0.6.1. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.6.0...0.6.1) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6fc3b0effe4b..ad251d4590af 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.6.0 +ruff==0.6.1 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From b1ec50032618fe75cd389a8b36b4aab9140e2666 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 00:15:47 +0000 Subject: [PATCH 0973/1462] Bump BoringSSL and/or OpenSSL in CI (#11451) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 05195c2f5ff7..a9cec7b8c929 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Aug 18, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f64d50dcd59e1758d4472fe2c6f5a717288f2138"}} - # Latest commit on the OpenSSL master branch, as of Aug 18, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "47645bf7c63aaf08b764bfeaaa611c6673bb03a8"}} + # Latest commit on the OpenSSL master branch, as of Aug 19, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "563c51cea0ad26f39a1acb5ef06f3c50c02fb265"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From c33b4417ec2efddace9b5d2ebee5b58d7cfdfcd2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 06:51:43 -0400 Subject: [PATCH 0974/1462] Bump libc from 0.2.157 to 0.2.158 in /src/rust (#11452) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.157 to 0.2.158. - [Release notes](https://github.com/rust-lang/libc/releases) - [Changelog](https://github.com/rust-lang/libc/blob/0.2.158/CHANGELOG.md) - [Commits](https://github.com/rust-lang/libc/compare/0.2.157...0.2.158) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 475d8626fb14..1f993013f7a0 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -161,9 +161,9 @@ checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "libc" -version = "0.2.157" +version = "0.2.158" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "374af5f94e54fa97cf75e945cce8a6b201e88a1a07e688b47dfd2a59c66dbd86" +checksum = "d8adc4bb1803a324070e64a98ae98f38934d91957a99cfb3a43dcbc01bc56439" [[package]] name = "memoffset" From ffaf3697d809a77c910f4d86bd63d36e474858f5 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 20 Aug 2024 00:19:48 +0000 Subject: [PATCH 0975/1462] Bump BoringSSL and/or OpenSSL in CI (#11455) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a9cec7b8c929..5fa836fe37f7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 18, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f64d50dcd59e1758d4472fe2c6f5a717288f2138"}} - # Latest commit on the OpenSSL master branch, as of Aug 19, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "563c51cea0ad26f39a1acb5ef06f3c50c02fb265"}} + # Latest commit on the BoringSSL master branch, as of Aug 20, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0ba200173353b3f9a3527254eb16903b93170342"}} + # Latest commit on the OpenSSL master branch, as of Aug 20, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e113a92e290b31aaeab9a3f24b2cd6011c5ee670"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 25084113522184b1d22a95bc82a09f472f00900d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 20 Aug 2024 00:31:14 +0000 Subject: [PATCH 0976/1462] Bump x509-limbo and/or wycheproof in CI (#11456) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index e7f4a8c3b537..8d2122d4918b 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Aug 13, 2024. - ref: "8ac3f41f9ce1d6f24749d90a672b414348bc7282" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Aug 20, 2024. + ref: "9cc4d0526d901b6121a1e975e6e21b273ddde8fd" # x509-limbo-ref From fe195d68831077267b42c486e320efd409f8fefb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Aug 2024 07:55:46 -0400 Subject: [PATCH 0977/1462] Bump setuptools from 72.2.0 to 73.0.0 in /.github/requirements (#11457) Bumps [setuptools](https://github.com/pypa/setuptools) from 72.2.0 to 73.0.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v72.2.0...v73.0.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index fae3da37775c..1aa15f155797 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt 
@@ -98,7 +98,7 @@ tomli==2.0.1 \ # via maturin # The following packages are considered to be unsafe in a requirements file: -setuptools==72.2.0 \ - --hash=sha256:80aacbf633704e9c8bfa1d99fa5dd4dc59573efcf9e4042c13d3bcef91ac2ef9 \ - --hash=sha256:f11dd94b7bae3a156a95ec151f24e4637fb4fa19c878e4d191bfb8b2d82728c4 +setuptools==73.0.0 \ + --hash=sha256:3c08705fadfc8c7c445cf4d98078f0fafb9225775b2b4e8447e40348f82597c0 \ + --hash=sha256:f2bfcce7ae1784d90b04c57c2802e8649e1976530bb25dc72c2b078d3ecf4864 # via -r build-requirements.in From a613cf6fa6f184f6f26afb07d0dd81c92337395a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Aug 2024 07:56:34 -0400 Subject: [PATCH 0978/1462] Bump jaraco-context from 5.3.0 to 6.0.1 in /.github/requirements (#11458) Bumps [jaraco-context](https://github.com/jaraco/jaraco.context) from 5.3.0 to 6.0.1. - [Release notes](https://github.com/jaraco/jaraco.context/releases) - [Changelog](https://github.com/jaraco/jaraco.context/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/jaraco.context/compare/v5.3.0...v6.0.1) --- updated-dependencies: - dependency-name: jaraco-context dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index bf5ade425684..9698614f8ab6 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -220,9 +220,9 @@ jaraco-classes==3.4.0 \ --hash=sha256:47a024b51d0239c0dd8c8540c6c7f484be3b8fcf0b2d85c13825780d3b3f3acd \ --hash=sha256:f662826b6bed8cace05e7ff873ce0f9283b5c924470fe664fff1c2f00f581790 # via keyring -jaraco-context==5.3.0 \ - --hash=sha256:3e16388f7da43d384a1a7cd3452e72e14732ac9fe459678773a3608a812bf266 \ - --hash=sha256:c2f67165ce1f9be20f32f650f25d8edfc1646a8aeee48ae06fb35f90763576d2 +jaraco-context==6.0.1 \ + --hash=sha256:9bae4ea555cf0b14938dc0aee7c9f32ed303aa20a3b73e7dc80111628792d1b3 \ + --hash=sha256:f797fc481b490edb305122c9181830a3a5b76d84ef6d1aef2fb9b47ab956f9e4 # via keyring jaraco-functools==4.0.2 \ --hash=sha256:3460c74cd0d32bf82b9576bbb3527c4364d5b27a21f5158a62aed6c4b42e23f5 \ From 932b8a3f67810140a6e178f7b676e1cb9c3585b1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Aug 2024 08:02:20 -0400 Subject: [PATCH 0979/1462] Bump importlib-metadata from 8.2.0 to 8.3.0 in /.github/requirements (#11459) Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 8.2.0 to 8.3.0. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v8.2.0...v8.3.0) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 9698614f8ab6..dd94f62e295f 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -210,9 +210,9 @@ idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 # via requests -importlib-metadata==8.2.0 \ - --hash=sha256:11901fa0c2f97919b288679932bb64febaeacf289d18ac84dd68cb2e74213369 \ - --hash=sha256:72e8d4399996132204f9a16dcc751af254a48f8d1b20b9ff0f98d4a8f901e73d +importlib-metadata==8.3.0 \ + --hash=sha256:42817a4a0be5845d22c6e212db66a94ad261e2318d80b3e0d363894a79df2b67 \ + --hash=sha256:9c8fa6e8ea0f9516ad5c8db9246a731c948193c7754d3babb0114a05b27dd364 # via # keyring # twine From 4a2d9969aafc2c367e4db6141f1057d4d2ff972a Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 20 Aug 2024 11:42:56 -0400 Subject: [PATCH 0980/1462] Relax root CA AKI field checks (#11462) * Relax root CA AKI field checks Closes #11461. Signed-off-by: William Woodruff * CHANGELOG: record changes Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- CHANGELOG.rst | 3 +++ .../src/policy/extension.rs | 19 +++++++------------ tests/x509/verification/test_limbo.py | 6 ++++++ 3 files changed, 16 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 9110fb78aeb3..224747e3b712 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -12,6 +12,9 @@ Changelog not be empty. * Added support for timestamp extraction to the :class:`~cryptography.fernet.MultiFernet` class. +* Relax the Authority Key Identifier requirements on root CA certificates + during X.509 verification to allow fields permitted by :rfc:`5280` but + forbidden by the CA/Browser BRs. .. _v43-0-0: diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs index 1c8ae00679e1..a01eb490122b 100644 --- a/src/rust/cryptography-x509-verification/src/policy/extension.rs +++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs 
@@ -412,18 +412,13 @@ pub(crate) mod ca { )); } - // authorityCertIssuer and authorityCertSerialNumber MUST NOT be present. - if aki.authority_cert_issuer.is_some() { - return Err(ValidationError::Other( - "authorityKeyIdentifier must not contain authorityCertIssuer".to_string(), - )); - } - - if aki.authority_cert_serial_number.is_some() { - return Err(ValidationError::Other( - "authorityKeyIdentifier must not contain authorityCertSerialNumber".to_string(), - )); - } + // NOTE: CABF 7.1.2.1.3 says that Root CAs MUST NOT + // have authorityCertIdentifier or authorityCertSerialNumber, + // but these are present in practice in trust program bundles + // due to older roots that have been grandfathered in. + // Other validators are permissive of these being present, + // so we don't check for them. + // See #11461 for more information. } Ok(()) diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 50881eb9410b..d0402c4ce30a 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -67,6 +67,12 @@ # forbidden under CABF. This is consistent with what # Go's crypto/x509 and Rust's webpki crate do. "webpki::aki::root-with-aki-ski-mismatch", + # We allow root CAs where the AKI contains fields other than keyIdentifier, + # which is technically forbidden under CABF. No other implementations + # enforce this requirement. + "webpki::aki::root-with-aki-authoritycertissuer", + "webpki::aki::root-with-aki-authoritycertserialnumber", + "webpki::aki::root-with-aki-all-fields", # We allow RSA keys that aren't divisible by 8, which is technically # forbidden under CABF. No other implementation checks this either. "webpki::forbidden-rsa-not-divisable-by-8-in-root", From 99dddf65bf3bd18963fe786141e4219d5b862045 Mon Sep 17 00:00:00 2001 
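Review bot: The NOTE comment that replaces the two removed checks misnames a field: it says `authorityCertIdentifier`, while the removed code and its error strings call it `authorityCertIssuer`. This comment is now the only record of why a CABF requirement is deliberately not enforced, so it should read `// have authorityCertIssuer or authorityCertSerialNumber,`. It would also help to say that the two fields are accepted independently of each other. RFC 5280's ASN.1 module appears to expect them to be both present or both absent, and nothing visible in this hunk checks that pairing. The enclosing function starts above the hunk, so any checks earlier in it are not visible here.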
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 21 Aug 2024 00:16:07 +0000 Subject: [PATCH 0981/1462] Bump BoringSSL and/or OpenSSL in CI (#11464) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5fa836fe37f7..496cbdfecf0c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 20, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0ba200173353b3f9a3527254eb16903b93170342"}} - # Latest commit on the OpenSSL master branch, as of Aug 20, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e113a92e290b31aaeab9a3f24b2cd6011c5ee670"}} + # Latest commit on the BoringSSL master branch, as of Aug 21, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "74a51c6ab3c9c674a62bf02c904f12e5109761b8"}} + # Latest commit on the OpenSSL master branch, as of Aug 21, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1985ba60bba272d5780c498461f2b1171f10aa21"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From df75fee630f6396c5c21409263fde7e40821c7de Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Aug 2024 07:06:12 -0400 Subject: [PATCH 0982/1462] Bump setuptools from 73.0.0 to 73.0.1 in /.github/requirements (#11466) Bumps [setuptools](https://github.com/pypa/setuptools) from 73.0.0 to 73.0.1. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v73.0.0...v73.0.1) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 1aa15f155797..421b7d82e30d 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -98,7 +98,7 @@ tomli==2.0.1 \ # via maturin # The following packages are considered to be unsafe in a requirements file: -setuptools==73.0.0 \ - --hash=sha256:3c08705fadfc8c7c445cf4d98078f0fafb9225775b2b4e8447e40348f82597c0 \ - --hash=sha256:f2bfcce7ae1784d90b04c57c2802e8649e1976530bb25dc72c2b078d3ecf4864 +setuptools==73.0.1 \ + --hash=sha256:b208925fcb9f7af924ed2dc04708ea89791e24bde0d3020b27df0e116088b34e \ + --hash=sha256:d59a3e788ab7e012ab2c4baed1b376da6366883ee20d7a5fc426816e3d7b1193 # via -r build-requirements.in From 04be15e03f290b0c10650eb23ac3ea5105ebf77b Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Aug 2024 07:09:27 -0400 Subject: [PATCH 0983/1462] Bump importlib-metadata from 8.3.0 to 8.4.0 in /.github/requirements (#11465) Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 8.3.0 to 8.4.0. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v8.3.0...v8.4.0) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index dd94f62e295f..f57235856f3b 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -210,9 +210,9 @@ idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 # via requests -importlib-metadata==8.3.0 \ - --hash=sha256:42817a4a0be5845d22c6e212db66a94ad261e2318d80b3e0d363894a79df2b67 \ - --hash=sha256:9c8fa6e8ea0f9516ad5c8db9246a731c948193c7754d3babb0114a05b27dd364 +importlib-metadata==8.4.0 \ + --hash=sha256:66f342cc6ac9818fc6ff340576acd24d65ba0b3efabb2b4ac08b598965a4a2f1 \ + --hash=sha256:9a547d3bc3608b025f93d403fdd1aae741c24fbb8314df4b155675742ce303c5 # via # keyring # twine From 260b97eface79293e49e0b028d2ac106f2f7d583 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 22 Aug 2024 00:15:56 +0000 Subject: [PATCH 0984/1462] Bump BoringSSL and/or OpenSSL in CI (#11471) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 496cbdfecf0c..9ee26c0f94bc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 21, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "74a51c6ab3c9c674a62bf02c904f12e5109761b8"}} - # Latest commit on the OpenSSL master branch, as of Aug 21, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1985ba60bba272d5780c498461f2b1171f10aa21"}} + # Latest commit on the BoringSSL master branch, as of Aug 22, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0ee584bb5134f8e6b5d2e90f5dc9334ae460a507"}} + # Latest commit on the OpenSSL master branch, as of Aug 22, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6c39d21a4844cab997164454ece9b21186881f2a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From be0bb4e2ba25db1e849e232e46dc8234d6f677f8 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 22 Aug 2024 07:00:55 -0400 Subject: [PATCH 0985/1462] Bump maturin from 1.7.0 to 1.7.1 in /.github/requirements (#11474) Bumps [maturin](https://github.com/pyo3/maturin) from 1.7.0 to 1.7.1. - [Release notes](https://github.com/pyo3/maturin/releases) - [Changelog](https://github.com/PyO3/maturin/blob/main/Changelog.md) - [Commits](https://github.com/pyo3/maturin/compare/v1.7.0...v1.7.1) --- updated-dependencies: - dependency-name: maturin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 28 ++++++++++----------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 421b7d82e30d..ca043b971502 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt 
@@ -73,20 +73,20 @@ cffi==1.17.0 ; platform_python_implementation != "PyPy" \ --hash=sha256:f9338cc05451f1942d0d8203ec2c346c830f8e86469903d5126c1f0a13a2bcbb \ --hash=sha256:ffef8fd58a36fb5f1196919638f73dd3ae0db1a878982b27a9a5a176ede4ba91 # via -r build-requirements.in -maturin==1.7.0 \ - --hash=sha256:0af4f2a4cfb99206d414dec138dd3aac3f506eb8928b7e38dfac570461b393d6 \ - --hash=sha256:15fe7920391a128897714f6ed38ebbc771150410b795a55cefca73f089d5aecb \ - --hash=sha256:1ba5277dd7832dc6181d69a005182b97b3520945825058484ffd9296f2efb59c \ - --hash=sha256:1f521ebe0344db8260df0d12779aefc06c1f763cd654151cf4a238fe14f65dc1 \ - --hash=sha256:29187d5c3e1e166c14eaadc63a8adc25b6bbb3e5b055d1bc87f6ca92b4b6e331 \ - --hash=sha256:2bd8227e020a9308c076253f29224c53b08b2a4ed41fcd94b4eb9349684fcfe7 \ - --hash=sha256:6fd312c56846d3cafa7c45e362d96b526170e79b9adb5b8ea02a10c88906069c \ - --hash=sha256:7460122333971b2492154c102d2981ae337ae0486dde7f4df7e645d724de59a5 \ - --hash=sha256:7c05226547778f31b73d48a19d11f57792bcc44f4047b84c73ea66cae2e62473 \ - --hash=sha256:87a1fae70f1a6ad694832c735abf9f010edc4971c5cf89d2e7a54651a1a3792a \ - --hash=sha256:928b82ceba924b1642c53f6684271e814b5ce5049cb4d35ff36bed078837eb83 \ - --hash=sha256:c1ae0b4162fb1152aea83098bf1b66a7bf6dd73fd1b108e6c4e22160118a997c \ - --hash=sha256:e9cd5b992b6c131c5f47c85e7bc266bf5bf94f29720856678431ce6c91b726df +maturin==1.7.1 \ + --hash=sha256:00f0f8f5051f4c0d0f69bdd0c6297ea87e979f70fb78a377eb4277c932804e2d \ + --hash=sha256:07c8800603e551a45e16fe7ad1742977097ea43c18b28e491df74d4ca15c5857 \ + --hash=sha256:09cca3491c756d1bce6ffff13f004e8a10e67c72a1cba9579058f58220505881 \ + --hash=sha256:0df0a6aaf7e9ab92cce2490b03d80b8f5ecbfa0689747a2ea4dfb9e63877b79c \ + --hash=sha256:147754cb3d81177ee12d9baf575d93549e76121dacd3544ad6a50ab718de2b9c \ + --hash=sha256:372a141b31ae7396728d2dedc6061fe4522c1803ae1c05700d37008e1d1a2cc9 \ + --hash=sha256:49939608095d9bcdf19d081dfd6ac1e8f915c645115090514c7b86e1e382f241 \ + 
--hash=sha256:6eec984d26f707b18765478f4892e58ac72e777287cd2ba721d6e2ef6da1f66e \ + --hash=sha256:7bb184cfbac4e3c55ca21d322e4801e0f75e7932287e156c280c279eae60b69e \ + --hash=sha256:973126a36cfb9861b3207df579678c1bcd7c348578a41ccfbe80d811a84f1740 \ + --hash=sha256:acf9f539f53a7ad64d406a40b27b768f67d75e6e4e93cb04b29025144a74ef45 \ + --hash=sha256:c5e7e6d130072ca76956106daa276f24a66c3407cfe6cf64c196d4299fd4175c \ + --hash=sha256:e5e8e61468d7d79790f0b54f2ed24f2fefbce3518548bc4e1a1f0c7be5bad710 # via -r build-requirements.in pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ From 041ef8be0a762c7094a78fc57f5fded4da185dca Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 23 Aug 2024 00:19:46 +0000 Subject: [PATCH 0986/1462] Bump BoringSSL and/or OpenSSL in CI (#11476) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9ee26c0f94bc..a1dab00a254a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 22, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0ee584bb5134f8e6b5d2e90f5dc9334ae460a507"}} - # Latest commit on the OpenSSL master branch, as of Aug 22, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6c39d21a4844cab997164454ece9b21186881f2a"}} + # Latest commit on the BoringSSL master branch, as of Aug 23, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e13f7e2ff5432205f09b4679c8a7715f1c130372"}} + # Latest commit on the OpenSSL master branch, as of Aug 23, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fe1ce91f7feb4a6be7ba1616dad442d5d7796b96"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From b5a312f99c3bc579fb945f2f6b3422e26d6ff600 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 22 Aug 2024 20:22:47 -0400 Subject: [PATCH 0987/1462] fixes #11453 -- include localKeyID when serializaing a key with a cert (#11454) --- src/rust/cryptography-x509/src/pkcs12.rs | 4 ++ src/rust/src/pkcs12.rs | 60 ++++++++++++++++-------- src/rust/src/x509/certificate.rs | 6 +-- tests/hazmat/primitives/test_pkcs12.py | 24 ++++++++++ 4 files changed, 72 insertions(+), 22 deletions(-) diff --git a/src/rust/cryptography-x509/src/pkcs12.rs b/src/rust/cryptography-x509/src/pkcs12.rs index fdcbc91ef802..f8f518a4b615 100644 --- a/src/rust/cryptography-x509/src/pkcs12.rs +++ b/src/rust/cryptography-x509/src/pkcs12.rs 
@@ -11,6 +11,7 @@ pub const SHROUDED_KEY_BAG_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 12, 10, 1, 2); pub const X509_CERTIFICATE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 22, 1); pub const FRIENDLY_NAME_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 20); +pub const LOCAL_KEY_ID_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 21); #[derive(asn1::Asn1Write)] pub struct Pfx<'a> { @@ -46,6 +47,9 @@ pub struct Attribute<'a> { pub enum AttributeSet<'a> { #[defined_by(FRIENDLY_NAME_OID)] FriendlyName(asn1::SetOfWriter<'a, Utf8StoredBMPString<'a>, [Utf8StoredBMPString<'a>; 1]>), + + #[defined_by(LOCAL_KEY_ID_OID)] + LocalKeyId(asn1::SetOfWriter<'a, &'a [u8], [&'a [u8]; 1]>), } #[derive(asn1::Asn1DefinedByWrite)] diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 45f8855bacf3..c8d334ecfa29 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs 
@@ -338,38 +338,51 @@ fn pkcs12_kdf( Ok(result) } -fn friendly_name_attributes( - friendly_name: Option<&[u8]>, +fn pkcs12_attributes<'a>( + friendly_name: Option<&'a [u8]>, + local_key_id: Option<&'a [u8]>, ) -> CryptographyResult< Option< asn1::SetOfWriter< - '_, - cryptography_x509::pkcs12::Attribute<'_>, - Vec>, + 'a, + cryptography_x509::pkcs12::Attribute<'a>, + Vec>, >, >, > { + let mut attrs = vec![]; if let Some(name) = friendly_name { let name_str = std::str::from_utf8(name).map_err(|_| { pyo3::exceptions::PyValueError::new_err("friendly_name must be valid UTF-8") })?; - Ok(Some(asn1::SetOfWriter::new(vec![ - cryptography_x509::pkcs12::Attribute { - _attr_id: asn1::DefinedByMarker::marker(), - attr_values: cryptography_x509::pkcs12::AttributeSet::FriendlyName( - asn1::SetOfWriter::new([Utf8StoredBMPString::new(name_str)]), - ), - }, - ]))) - } else { + attrs.push(cryptography_x509::pkcs12::Attribute { + _attr_id: asn1::DefinedByMarker::marker(), + attr_values: cryptography_x509::pkcs12::AttributeSet::FriendlyName( + asn1::SetOfWriter::new([Utf8StoredBMPString::new(name_str)]), + ), + }); + } + if let Some(key_id) = local_key_id { + attrs.push(cryptography_x509::pkcs12::Attribute { + _attr_id: asn1::DefinedByMarker::marker(), + attr_values: cryptography_x509::pkcs12::AttributeSet::LocalKeyId( + asn1::SetOfWriter::new([key_id]), + ), + }); + } + + if attrs.is_empty() { Ok(None) + } else { + Ok(Some(asn1::SetOfWriter::new(attrs))) } } fn cert_to_bag<'a>( cert: &'a Certificate, friendly_name: Option<&'a [u8]>, + local_key_id: Option<&'a [u8]>, ) -> CryptographyResult> { Ok(cryptography_x509::pkcs12::SafeBag { _bag_id: asn1::DefinedByMarker::marker(), @@ -381,7 +394,7 @@ fn cert_to_bag<'a>( )), }, )), - attributes: friendly_name_attributes(friendly_name)?, + attributes: pkcs12_attributes(friendly_name, local_key_id)?, }) } 
@@ -499,6 +512,7 @@ fn serialize_key_and_certificates<'p>( key_ciphertext, ); let mut ca_certs = vec![]; + let mut key_id = None; if cert.is_some() || cas.is_some() { let mut cert_bags = vec![]; @@ -515,9 +529,14 @@ fn serialize_key_and_certificates<'p>( ), )); } + key_id = Some(cert.fingerprint(py, &types::SHA1.get(py)?.call0()?)?); } - cert_bags.push(cert_to_bag(cert, name)?); + cert_bags.push(cert_to_bag( + cert, + name, + key_id.as_ref().map(|v| v.as_bytes()), + )?); } if let Some(cas) = cas { @@ -527,10 +546,13 @@ fn serialize_key_and_certificates<'p>( for cert in &ca_certs { let bag = match cert { - CertificateOrPKCS12Certificate::Certificate(c) => cert_to_bag(c.get(), None)?, + CertificateOrPKCS12Certificate::Certificate(c) => { + cert_to_bag(c.get(), None, None)? + } CertificateOrPKCS12Certificate::PKCS12Certificate(c) => cert_to_bag( c.get().certificate.get(), c.get().friendly_name.as_ref().map(|v| v.as_bytes(py)), + None, )?, }; cert_bags.push(bag); @@ -627,7 +649,7 @@ fn serialize_key_and_certificates<'p>( }, ), ), - attributes: friendly_name_attributes(name)?, + attributes: pkcs12_attributes(name, key_id.as_ref().map(|v| v.as_bytes()))?, } } else { let pkcs8_tlv = asn1::parse_single(&pkcs8_bytes)?; @@ -637,7 +659,7 @@ fn serialize_key_and_certificates<'p>( bag_value: asn1::Explicit::new(cryptography_x509::pkcs12::BagValue::KeyBag( pkcs8_tlv, )), - attributes: friendly_name_attributes(name)?, + attributes: pkcs12_attributes(name, key_id.as_ref().map(|v| v.as_bytes()))?, } }; diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 075c258074ef..454f63ad5119 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs 
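Review bot: The `key_id` assigned in the `@@ -515,9 +529,14 @@` hunk is a SHA-1 fingerprint of the certificate, and nothing at that line says why SHA-1 is acceptable here. localKeyID only pairs the key bag with its certificate bag, so the digest is a label rather than an integrity check. A short comment would stop a later reader from treating it as one, or from swapping the hash and breaking interoperability, for example `// localKeyID is a matching label, not an integrity check; SHA-1 of the cert is kept for compatibility with other PKCS#12 tooling.` The same value is passed to both `pkcs12_attributes(name, key_id…)` calls for the key bag, and the new test relies on the shrouded key bag's attribute staying in plaintext, so the certificate fingerprint is readable without the password; that is presumably intended but worth stating in the same comment. `serialize_key_and_certificates` begins and ends outside these hunks.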
@@ -84,16 +84,16 @@ impl Certificate { ) } - fn fingerprint<'p>( + pub(crate) fn fingerprint<'p>( &self, py: pyo3::Python<'p>, algorithm: &pyo3::Bound<'p, pyo3::PyAny>, - ) -> CryptographyResult> { + ) -> CryptographyResult> { let serialized = asn1::write_single(&self.raw.borrow_dependent())?; let mut h = hashes::Hash::new(py, algorithm, None)?; h.update_bytes(&serialized)?; - Ok(h.finalize(py)?.into_any()) + h.finalize(py) } fn public_bytes<'p>( diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index d0645d9e9941..99bb122c1f1e 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -697,6 +697,30 @@ def test_set_mac_key_certificate_mismatch(self, backend): b"name", key, cacert, [], encryption ) + @pytest.mark.parametrize( + "encryption_algorithm", + [ + serialization.NoEncryption(), + serialization.BestAvailableEncryption(b"password"), + ], + ) + def test_generate_localkeyid(self, backend, encryption_algorithm): + cert, key = _load_ca(backend) + + p12 = serialize_key_and_certificates( + None, key, cert, None, encryption_algorithm + ) + # Dirty, but does the trick. Should be there: + # * 2x if unencrypted (once for the key and once for the cert) + # * 1x if encrypted (the cert one is encrypted, but the key one is + # plaintext) + count = ( + 2 + if isinstance(encryption_algorithm, serialization.NoEncryption) + else 1 + ) + assert p12.count(cert.fingerprint(hashes.SHA1())) == count + @pytest.mark.skip_fips( reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it." From e4757c48ab4fab72a4971729e4a6f76d938051c1 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 22 Aug 2024 19:53:08 -0500 Subject: [PATCH 0988/1462] webstore.ansi.org is now behind cloudflare (#11477) * webstore.ansi.org is now behind cloudflare * CMU is also bad at certificates --- docs/conf.py | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/docs/conf.py b/docs/conf.py index cf0f25abcaa9..1a00ac736683 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -199,11 +199,14 @@ r"https://speakerdeck.com", r"https://\w+.stackexchange.com", r"https://stackoverflow.com", + r"https://webstore.ansi.org", # GitHub changed how they do page renders so anchor detection # no longer works in source view r"https://github.com/.*/blob/.*#L\d+", # Kuleuven struggles with the endless forward march of time r"https://www.cosic.esat.kuleuven.be", + # CMU doesn't know how to send intermediates + r"https://wiki.sei.cmu.edu", ] autosectionlabel_prefix_document = True From 1ea0b3d709a6e0420acaa9d322440919c14c0c77 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Aug 2024 07:06:49 -0400 Subject: [PATCH 0989/1462] Bump actions/attest-build-provenance from 1.4.1 to 1.4.2 (#11478) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.4.1 to 1.4.2. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/310b0a4a3b0b78ef57ecda988ee04b132db73ef8...6149ea5740be74af77f260b9db67e633f6b0a9a1) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index a8ae14a2e9d9..bc81e3783efb 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml 
@@ -93,7 +93,7 @@ jobs: # Do not perform attestation for things for TestPyPI. This is because # there's nothing that would prevent a malicious PyPI from serving a # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@310b0a4a3b0b78ef57ecda988ee04b132db73ef8 # v1.4.1 + - uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 with: subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' From fd4cb41052a2b671f05452dbec729e47e4aab2e4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Aug 2024 07:07:06 -0400 Subject: [PATCH 0990/1462] Bump ruff from 0.6.1 to 0.6.2 (#11479) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.6.1 to 0.6.2. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.6.1...0.6.2) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ad251d4590af..b7de4a56ac5c 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.6.1 +ruff==0.6.2 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From e708122279f31a7e7a72d9ac7a8ce688807c9f91 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Aug 2024 07:07:39 -0400 Subject: [PATCH 0991/1462] Bump cc from 1.1.13 to 1.1.14 in /src/rust (#11480) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.13 to 1.1.14. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.13...cc-v1.1.14) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 1f993013f7a0..a50af8ab754e 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.13" +version = "1.1.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72db2f7947ecee9b03b510377e8bb9077afa27176fdbff55c51027e976fdcc48" +checksum = "50d2eb3cd3d1bf4529e31c215ee6f93ec5a3d536d9f578f93d9d33ee19562932" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index c535a440aa6d..69f14ab2b867 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.2", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.13" +cc = "1.1.14" From 9f8a7caa45f9a596d9d584e7d177aefb523dea9d Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Aug 2024 07:07:52 -0400 Subject: [PATCH 0992/1462] Bump quote from 1.0.36 to 1.0.37 in /src/rust (#11481) Bumps [quote](https://github.com/dtolnay/quote) from 1.0.36 to 1.0.37. - [Release notes](https://github.com/dtolnay/quote/releases) - [Commits](https://github.com/dtolnay/quote/compare/1.0.36...1.0.37) --- updated-dependencies: - dependency-name: quote dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index a50af8ab754e..79b256d8d51e 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -313,9 +313,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.36" +version = "1.0.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0fa76aaf39101c457836aec0ce2316dbdc3ab723cdda1c6bd4e6ad4208acaca7" +checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af" dependencies = [ "proc-macro2", ] From 655b0ea74e6050ead7fdf59877127dfb8d799bcb Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 23 Aug 2024 18:02:02 -0700 Subject: [PATCH 0993/1462] Bump BoringSSL and/or OpenSSL in CI (#11482) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a1dab00a254a..e9b84d4c399b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 23, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e13f7e2ff5432205f09b4679c8a7715f1c130372"}} - # Latest commit on the OpenSSL master branch, as of Aug 23, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fe1ce91f7feb4a6be7ba1616dad442d5d7796b96"}} + # Latest commit on the BoringSSL master branch, as of Aug 24, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "da3cd90597c1a0da7f05f83e437d10b6a590e8ce"}} + # Latest commit on the OpenSSL master branch, as of Aug 24, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "32b43b9160cfcbb2940a0666869a680db827b892"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From a67cdfa28a67d1200cbdd112e0bf28cfd23bb190 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 25 Aug 2024 21:42:16 +0000 Subject: [PATCH 0994/1462] Bump idna from 3.7 to 3.8 (#11483) Bumps [idna](https://github.com/kjd/idna) from 3.7 to 3.8. - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](https://github.com/kjd/idna/compare/v3.7...v3.8) --- updated-dependencies: - dependency-name: idna dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b7de4a56ac5c..1e503596ba91 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -42,7 +42,7 @@ execnet==2.1.1; python_version >= "3.8" # via pytest-xdist filelock==3.15.4; python_version >= "3.8" # via virtualenv -idna==3.7 +idna==3.8 # via requests imagesize==1.4.1 # via sphinx From 1e183d9ec856f2edfbc1b30d7d3c055279055f69 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 25 Aug 2024 21:43:35 +0000 Subject: [PATCH 0995/1462] Bump syn from 2.0.75 to 2.0.76 in /src/rust (#11484) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.75 to 2.0.76. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.75...2.0.76) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 79b256d8d51e..275f1c75e901 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -334,9 +334,9 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "syn" -version = "2.0.75" +version = "2.0.76" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f6af063034fc1935ede7be0122941bafa9bacb949334d090b77ca98b5817c7d9" +checksum = "578e081a14e0cefc3279b0472138c513f37b41a08d5a3cca9b6e4e8ceb6cd525" dependencies = [ "proc-macro2", "quote", 
From cf1a9402b209b175e381c3d94055d8f9deafb7bd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 25 Aug 2024 21:46:09 +0000 Subject: [PATCH 0996/1462] Bump mypy from 1.11.1 to 1.11.2 (#11485) Bumps [mypy](https://github.com/python/mypy) from 1.11.1 to 1.11.2. - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.11.1...v1.11.2) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 1e503596ba91..8c6a941ccf07 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -52,7 +52,7 @@ jinja2==3.1.4 # via sphinx markupsafe==2.1.5 # via jinja2 -mypy==1.11.1 +mypy==1.11.2 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy From f3bcd8d98af103bcda3e95413a58ead0cb28f1f0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 25 Aug 2024 22:03:09 +0000 Subject: [PATCH 0997/1462] Bump idna from 3.7 to 3.8 in /.github/requirements (#11486) Bumps [idna](https://github.com/kjd/idna) from 3.7 to 3.8. - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](https://github.com/kjd/idna/compare/v3.7...v3.8) --- updated-dependencies: - dependency-name: idna dependency-type: indirect update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index f57235856f3b..c19a268456d0 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -206,9 +206,9 @@ docutils==0.21.2 \ --hash=sha256:3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f \ --hash=sha256:dafca5b9e384f0e419294eb4d2ff9fa826435bf15f15b7bd45723e8ad76811b2 # via readme-renderer -idna==3.7 \ - --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ - --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 +idna==3.8 \ + --hash=sha256:050b4e5baadcd44d760cedbd2b8e639f2ff89bbc7a5730fcc662954303377aac \ + --hash=sha256:d838c2c0ed6fced7693d5e8ab8e734d5f8fda53a039c0164afb0b82e771e3603 # via requests importlib-metadata==8.4.0 \ --hash=sha256:66f342cc6ac9818fc6ff340576acd24d65ba0b3efabb2b4ac08b598965a4a2f1 \ From 6bc06f292c9178edaebb424545245bd1de86b829 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 26 Aug 2024 00:15:38 +0000 Subject: [PATCH 0998/1462] Bump BoringSSL and/or OpenSSL in CI (#11488) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e9b84d4c399b..2be77644fce5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Aug 24, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "da3cd90597c1a0da7f05f83e437d10b6a590e8ce"}} - # Latest commit on the OpenSSL master branch, as of Aug 24, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "32b43b9160cfcbb2940a0666869a680db827b892"}} + # Latest commit on the OpenSSL master branch, as of Aug 26, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8e7f39e8830ccafb41e52fbea895cb9740cebaec"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 4703713644c021c375fedb6e73f94d9f9aef30cd Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 26 Aug 2024 18:40:06 -0400 Subject: [PATCH 0999/1462] Added shorter intro paragraphs to doc comments for clippy (#11492) --- src/rust/cryptography-x509-verification/src/types.rs | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/rust/cryptography-x509-verification/src/types.rs b/src/rust/cryptography-x509-verification/src/types.rs index dfb05b9b52f2..0cd84489e089 100644 --- a/src/rust/cryptography-x509-verification/src/types.rs +++ b/src/rust/cryptography-x509-verification/src/types.rs @@ -10,6 +10,8 @@ use asn1::IA5String; // RFC 2822 3.2.4 static ATEXT_CHARS: &str = "!#$%&'*+-/=?^_`{|}~"; +/// Represents a DNS name can be used in X.509 name matching. +/// /// A `DNSName` is an `asn1::IA5String` with additional invariant preservations /// per [RFC 5280 4.2.1.6], which in turn uses the preferred name syntax defined /// in [RFC 1034 3.5] and amended in [RFC 1123 2.1]. 
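Review bot: The summary line added above `DNSName` in types.rs is ungrammatical: "Represents a DNS name can be used in X.509 name matching." is missing a relative pronoun. This line becomes the rustdoc summary for a type used in X.509 name matching, so I would write `/// Represents a DNS name that can be used in X.509 name matching.`. The `DNSName` definition itself is outside the hunk, so this concerns the comment only.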
@@ -100,6 +102,9 @@ impl PartialEq for DNSName<'_> { } } +/// Represents either a DNS name or a DNS wildcard for use in X.509 name +/// matching. +/// /// A `DNSPattern` represents a subset of the domain name wildcard matching /// behavior defined in [RFC 6125 6.4.3]. In particular, all DNS patterns /// must either be exact matches (post-normalization) *or* a single wildcard From b6f7fb1c3b5be02bdf6be03dee571e644e642010 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 26 Aug 2024 18:55:00 -0400 Subject: [PATCH 1000/1462] fixed typo in comment (#11490) --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 177a3226f307..007c1a869669 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [build-system] # These requirements must be kept sync with the requirements in -# ./github/requirements/build-requirements.{in,txt} +# ./.github/requirements/build-requirements.{in,txt} requires = [ "maturin>=1,<2", From c315d72cebf322234eb383d2803c09e1b7959e21 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 26 Aug 2024 18:55:34 -0400 Subject: [PATCH 1001/1462] added 3.13 trove classifier since we test on it (#11491) --- pyproject.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/pyproject.toml b/pyproject.toml index 007c1a869669..f1428167979d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -41,6 +41,7 @@ classifiers = [ "Programming Language :: Python :: 3.10", "Programming Language :: Python :: 3.11", "Programming Language :: Python :: 3.12", + "Programming Language :: Python :: 3.13", "Programming Language :: Python :: Implementation :: CPython", "Programming Language :: Python :: Implementation :: PyPy", "Topic :: Security :: Cryptography", From 2b9e9aa7b70f05badfcf3f46694a56da06cdc3a2 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 27 Aug 2024 00:15:36 +0000 Subject: [PATCH 1002/1462] Bump BoringSSL and/or OpenSSL in CI (#11493) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2be77644fce5..c3e98d9603d4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 24, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "da3cd90597c1a0da7f05f83e437d10b6a590e8ce"}} - # Latest commit on the OpenSSL master branch, as of Aug 26, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8e7f39e8830ccafb41e52fbea895cb9740cebaec"}} + # Latest commit on the BoringSSL master branch, as of Aug 27, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0a2d3a4de0922411ce6c6296c6bbf1f62055d23d"}} + # Latest commit on the OpenSSL master branch, as of Aug 27, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c07a34e18b098b77ce7ecb14273b7c75f59b5871"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From e10c56758b7fb10a9ad83296715c858d5a24f15e Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 27 Aug 2024 00:32:18 +0000 Subject: [PATCH 1003/1462] Bump x509-limbo and/or wycheproof in CI (#11495) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 8d2122d4918b..1e60f0da67ec 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Aug 20, 2024. - ref: "9cc4d0526d901b6121a1e975e6e21b273ddde8fd" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Aug 27, 2024. + ref: "6b9a21829ab580c2893ff0e6fd310fa94accd6c3" # x509-limbo-ref From e588cfd2505ab2d2d3ef0b4d28503c5fb7a67a65 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 26 Aug 2024 21:08:47 -0400 Subject: [PATCH 1004/1462] fixed a typo in a comment (#11494) --- src/rust/src/backend/ec.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 15735458d3a1..5a8efe7dac2e 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -241,7 +241,7 @@ impl ECPrivateKey { } let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; - // If `set_peer_ex` is available, we don't valid the key. This is + // If `set_peer_ex` is available, we don't validate the key. This is // because we already validated it sufficiently when we created the // ECPublicKey object. #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] From cf356a1aa9b4190a56f3d73d6a12a717c55512da Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Aug 2024 07:01:36 -0400 Subject: [PATCH 1005/1462] Bump rich from 13.7.1 to 13.8.0 in /.github/requirements (#11496) Bumps [rich](https://github.com/Textualize/rich) from 13.7.1 to 13.8.0. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.7.1...v13.8.0) --- updated-dependencies: - dependency-name: rich dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index c19a268456d0..8d1000f532b3 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -303,9 +303,9 @@ rfc3986==2.0.0 \ --hash=sha256:50b1502b60e289cb37883f3dfd34532b8873c7de9f49bb546641ce9cbd256ebd \ --hash=sha256:97aacf9dbd4bfd829baad6e6309fa6573aaf1be3f6fa735c8ab05e46cecb261c # via twine -rich==13.7.1 \ - --hash=sha256:4edbae314f59eb482f54e9e30bf00d33350aaa94f4bfcd4e9e3110e64d0d7222 \ - --hash=sha256:9be308cb1fe2f1f57d67ce99e95af38a1e2bc71ad9813b0e247cf7ffbcc3a432 +rich==13.8.0 \ + --hash=sha256:2e85306a063b9492dffc86278197a60cbece75bcb766022f3436f567cae11bdc \ + --hash=sha256:a5ac1f1cd448ade0d59cc3356f7db7a7ccda2c8cbae9c7a90c28ff463d3e91f4 # via twine secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ From fdc8911819e4e34747427fbf59211d8ee01bcc5d Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Aug 2024 07:02:09 -0400 Subject: [PATCH 1006/1462] Bump zipp from 3.20.0 to 3.20.1 in /.github/requirements (#11497) Bumps [zipp](https://github.com/jaraco/zipp) from 3.20.0 to 3.20.1. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.20.0...v3.20.1) --- updated-dependencies: - dependency-name: zipp dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 8d1000f532b3..d8af0a071861 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -321,7 +321,7 @@ urllib3==2.2.2 \ # via # requests # twine -zipp==3.20.0 \ - --hash=sha256:0145e43d89664cfe1a2e533adc75adafed82fe2da404b4bbb6b026c0157bdb31 \ - --hash=sha256:58da6168be89f0be59beb194da1250516fdaa062ccebd30127ac65d30045e10d +zipp==3.20.1 \ + --hash=sha256:9960cd8967c8f85a56f920d5d507274e74f9ff813a0ab8889a5b5be2daf44064 \ + --hash=sha256:c22b14cc4763c5a5b04134207736c107db42e9d3ef2d9779d465f5f1bcba572b # via importlib-metadata From e79085a9a993fe5ade676748051704d6e09cda86 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Aug 2024 07:02:25 -0400 Subject: [PATCH 1007/1462] Bump cc from 1.1.14 to 1.1.15 in /src/rust (#11498) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.14 to 1.1.15. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.14...cc-v1.1.15) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 275f1c75e901..89180f731e26 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.14" +version = "1.1.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "50d2eb3cd3d1bf4529e31c215ee6f93ec5a3d536d9f578f93d9d33ee19562932" +checksum = "57b6a275aa2903740dc87da01c62040406b8812552e97129a63ea8850a17c6e6" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 69f14ab2b867..3cf116a1af99 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.2", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.14" +cc = "1.1.15" From d5ec40515f6b5f4e8d1d15f9b97589587af5d32b Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Wed, 28 Aug 2024 09:56:42 -0400 Subject: [PATCH 1008/1462] Restrict setuptools version to work around breakages (#11503) --- .github/requirements/build-requirements.in | 2 +- pyproject.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/requirements/build-requirements.in b/.github/requirements/build-requirements.in index 17c93da02a92..55ba1fa70184 100644 --- a/.github/requirements/build-requirements.in +++ b/.github/requirements/build-requirements.in @@ -1,5 +1,5 @@ # Must be kept sync with build-system.requires at pyproject.toml -setuptools>=61.0.0 +setuptools!=74.0.0 cffi>=1.12; platform_python_implementation != 'PyPy' maturin>=1,<2 diff --git a/pyproject.toml b/pyproject.toml index f1428167979d..d3115d1bf30a 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -8,7 +8,7 @@ requires = [ "cffi>=1.12; platform_python_implementation != 'PyPy'", # Needed because cffi imports distutils, and in Python 3.12, distutils has # been removed from the stdlib, but installing setuptools puts it back. - "setuptools", + "setuptools!=74.0.0", ] build-backend = "maturin" From 467ffb0258c2a39d10080a3fdfc566d1160fc071 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 28 Aug 2024 17:58:43 -0700 Subject: [PATCH 1009/1462] Bump BoringSSL and/or OpenSSL in CI (#11501) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c3e98d9603d4..eaad8497183f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
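Review bot: In build-requirements.in the new `setuptools!=74.0.0` line replaces `setuptools>=61.0.0`, so the previous lower bound is dropped in the same edit that adds the exclusion. If the floor is still wanted, `setuptools>=61.0.0,!=74.0.0` keeps both. The pyproject.toml hunk adds the same exclusion where there was no floor before, so the drop may be deliberate to keep the two files in sync, but the commit message does not say. Neither hunk records which breakage 74.0.0 causes. A comment such as `# 74.0.0 excluded: breaks the build, see <ISSUE-URL>; remove once fixed upstream` next to each constraint would tell a maintainer when the exclusion can go.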
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 27, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0a2d3a4de0922411ce6c6296c6bbf1f62055d23d"}} - # Latest commit on the OpenSSL master branch, as of Aug 27, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c07a34e18b098b77ce7ecb14273b7c75f59b5871"}} + # Latest commit on the BoringSSL master branch, as of Aug 29, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "296ef284e51a687920a1975a1a34fd2ffce0a646"}} + # Latest commit on the OpenSSL master branch, as of Aug 29, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6dacee485fad2c4d334e08af48891636205ddb6b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From c0d077973ee98a5ed51a0966eb3e18fab2b23918 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 28 Aug 2024 23:09:28 -0400 Subject: [PATCH 1010/1462] Mark that check-sdist is a Python 3.8+ only dependency (#11499) It has no versions that support Python 3.7. This is necessary to support using `uv` to manage our ci-constraints file --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index d3115d1bf30a..2f7558d3383f 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -78,7 +78,7 @@ docs = ["sphinx >=5.3.0", "sphinx-rtd-theme >=1.1.1"] docstest = ["pyenchant >=1.6.11", "readme-renderer", "sphinxcontrib-spelling >=4.0.1"] sdist = ["build"] # `click` included because its needed to type check `release.py` -pep8test = ["ruff", "mypy", "check-sdist", "click"] +pep8test = ["ruff", "mypy", "check-sdist; python_version >= '3.8'", "click"] [tool.maturin] python-source = "src" From 375ee121d7ddc9de23b2cc3fc5d40c6e8de0d71a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 29 Aug 2024 00:33:35 -0400 Subject: [PATCH 1011/1462] Remove pointless && in wheel-builder.yml (#11504) --- .github/workflows/wheel-builder.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index e72144b3f787..8224a8a308e7 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -135,7 +135,8 @@ jobs: source .venv/bin/activate OPENSSL_DIR="/opt/pyca/cryptography/openssl" \ OPENSSL_STATIC=1 \ - .venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl tmpwheelhouse + .venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ + mv dist/cryptography*.whl tmpwheelhouse env: RUSTUP_HOME: /root/.rustup - run: auditwheel repair --plat ${{ matrix.MANYLINUX.NAME }} tmpwheelhouse/cryptograph*.whl -w wheelhouse/ @@ -255,7 +256,8 @@ jobs: source venv/bin/activate OPENSSL_DIR="$(readlink -f ../openssl-macos-universal2/)" \ OPENSSL_STATIC=1 \ - venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl wheelhouse + venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ + mv dist/cryptography*.whl wheelhouse env: MACOSX_DEPLOYMENT_TARGET: ${{ matrix.PYTHON.DEPLOYMENT_TARGET }} ARCHFLAGS: ${{ matrix.PYTHON.ARCHFLAGS }} 
@@ -344,7 +346,8 @@ jobs: PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" fi - python -m pip wheel -v --no-deps cryptography*.tar.gz $PY_LIMITED_API -w dist/ && mv dist/cryptography*.whl wheelhouse/ + python -m pip wheel -v --no-deps cryptography*.tar.gz $PY_LIMITED_API -w dist/ + mv dist/cryptography*.whl wheelhouse/ shell: bash - run: pip install -f wheelhouse --no-index cryptography - name: Print the OpenSSL we built and linked against From 2869ff47b38bb2f12806c7ea5eee17f916ac8166 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 30 Aug 2024 00:22:29 +0000 Subject: [PATCH 1012/1462] Bump BoringSSL and/or OpenSSL in CI (#11506) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index eaad8497183f..7170ff4db232 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 29, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "296ef284e51a687920a1975a1a34fd2ffce0a646"}} - # Latest commit on the OpenSSL master branch, as of Aug 29, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6dacee485fad2c4d334e08af48891636205ddb6b"}} + # Latest commit on the BoringSSL master branch, as of Aug 30, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d8cd383938102c4533cc2bad78b02bd3a4de6a82"}} + # Latest commit on the OpenSSL master branch, as of Aug 30, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0b97a5505efa8833bb7b8cabae45894ad6d910a2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 002419dcd65c895e514482fffc4d11751d8b9cc8 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 29 Aug 2024 22:35:46 -0500 Subject: [PATCH 1013/1462] properly document what key types raw works with (#11507) --- .../primitives/asymmetric/serialization.rst | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/docs/hazmat/primitives/asymmetric/serialization.rst b/docs/hazmat/primitives/asymmetric/serialization.rst index 42cc83c84687..b1d382f6ea30 100644 --- a/docs/hazmat/primitives/asymmetric/serialization.rst +++ b/docs/hazmat/primitives/asymmetric/serialization.rst 
@@ -1357,7 +1357,10 @@ Serialization Formats .. versionadded:: 2.5 - A raw format used by :doc:`/hazmat/primitives/asymmetric/x448`. It is a + A raw format used by :doc:`/hazmat/primitives/asymmetric/ed25519`, + :doc:`/hazmat/primitives/asymmetric/ed448`, + :doc:`/hazmat/primitives/asymmetric/x25519`, and + :doc:`/hazmat/primitives/asymmetric/x448`. It is a binary format and is invalid for other key types. .. attribute:: OpenSSH @@ -1471,7 +1474,10 @@ Serialization Formats .. versionadded:: 2.5 - A raw format used by :doc:`/hazmat/primitives/asymmetric/x448`. It is a + A raw format used by :doc:`/hazmat/primitives/asymmetric/ed25519`, + :doc:`/hazmat/primitives/asymmetric/ed448`, + :doc:`/hazmat/primitives/asymmetric/x25519`, and + :doc:`/hazmat/primitives/asymmetric/x448`. It is a binary format and is invalid for other key types. .. attribute:: CompressedPoint @@ -1544,7 +1550,10 @@ Serialization Encodings .. versionadded:: 2.5 - A raw format used by :doc:`/hazmat/primitives/asymmetric/x448`. It is a + A raw format used by :doc:`/hazmat/primitives/asymmetric/ed25519`, + :doc:`/hazmat/primitives/asymmetric/ed448`, + :doc:`/hazmat/primitives/asymmetric/x25519`, and + :doc:`/hazmat/primitives/asymmetric/x448`. It is a binary format and is invalid for other key types. .. attribute:: X962 From 6835f442c83aaa377ffa1070453df09d5cfc9686 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 30 Aug 2024 07:05:42 -0400 Subject: [PATCH 1014/1462] Bump ruff from 0.6.2 to 0.6.3 (#11508) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.6.2 to 0.6.3. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.6.2...0.6.3) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 8c6a941ccf07..8f17df8a1aed 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.6.2 +ruff==0.6.3 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From b3298be3a750d7ef9b5693b5eb0df9dfd360ee6b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 30 Aug 2024 07:06:04 -0400 Subject: [PATCH 1015/1462] Bump certifi from 2024.7.4 to 2024.8.30 (#11509) Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.7.4 to 2024.8.30. - [Commits](https://github.com/certifi/python-certifi/compare/2024.07.04...2024.08.30) --- updated-dependencies: - dependency-name: certifi dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 8f17df8a1aed..2d0d8c0ea798 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -15,7 +15,7 @@ build==1.2.1 # via # check-sdist # cryptography (pyproject.toml) -certifi==2024.7.4 +certifi==2024.8.30 # via requests charset-normalizer==3.3.2 # via requests From 6533ee38a0b78569cbc560dc00b17a73eda557fd Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 30 Aug 2024 07:12:28 -0400 Subject: [PATCH 1016/1462] Bump actions/setup-python from 5.1.1 to 5.2.0 (#11511) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.1.1 to 5.2.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/39cd14951b08e74b54015e9e001cdefcf80e669f...f677139bbe7f9c59b41e40162b753c062f5d49a3) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 2 +- .github/workflows/ci.yml | 10 +++++----- .github/workflows/linkcheck.yml | 2 +- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 798a782824ad..196e9905ac21 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -43,7 +43,7 @@ jobs: - name: Setup python id: setup-python - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: "3.11" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7170ff4db232..9eec4d0cf079 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -62,7 +62,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: ${{ matrix.PYTHON.VERSION }} cache: pip 
@@ -242,7 +242,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.PYTHON.VERSION }} - name: Setup python - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: ${{ matrix.PYTHON.VERSION }} cache: pip @@ -301,7 +301,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} @@ -377,7 +377,7 @@ jobs: uses: ./.github/actions/cache timeout-minutes: 2 - name: Setup python - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: ${{ matrix.PYTHON }} cache: pip @@ -423,7 +423,7 @@ jobs: jobs: ${{ toJSON(needs) }} - name: Setup python if: ${{ always() }} - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.12' cache: pip diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index c8fa98b0ade9..3fee6f366845 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -25,7 +25,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: 3.11 - name: Cache rust and pip diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index bc81e3783efb..7a01112d4c2d 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml 
@@ -35,7 +35,7 @@ jobs: - run: echo "$EVENT_CONTEXT" env: EVENT_CONTEXT: ${{ toJson(github.event) }} - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: "3.11" - name: Get publish-requirements.txt from repository diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 8224a8a308e7..68930e5978d7 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -219,7 +219,7 @@ jobs: PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }} if: contains(matrix.PYTHON.VERSION, 'pypy') == false - name: Setup pypy - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') @@ -315,7 +315,7 @@ jobs: name: cryptography-sdist - name: Setup python - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} From 7b5c7febfc7ee800684d96a9422524c4e65c7674 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 30 Aug 2024 07:22:43 -0400 Subject: [PATCH 1017/1462] Bump certifi from 2024.7.4 to 2024.8.30 in /.github/requirements (#11510) Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.7.4 to 2024.8.30. - [Commits](https://github.com/certifi/python-certifi/compare/2024.07.04...2024.08.30) --- updated-dependencies: - dependency-name: certifi dependency-type: indirect update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index d8af0a071861..761064c7903e 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -8,9 +8,9 @@ backports-tarfile==1.2.0 \ --hash=sha256:77e284d754527b01fb1e6fa8a1afe577858ebe4e9dad8919e34c862cb399bc34 \ --hash=sha256:d75e02c268746e1b8144c278978b6e98e85de6ad16f8e4b0844a154557eca991 # via jaraco-context -certifi==2024.7.4 \ - --hash=sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b \ - --hash=sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90 +certifi==2024.8.30 \ + --hash=sha256:922820b53db7a7257ffbda3f597266d435245903d80737e34f8a45ff3e3230d8 \ + --hash=sha256:bec941d2aa8195e248a60b31ff9f0558284cf01a52591ceda73ea9afffd69fd9 # via requests cffi==1.17.0 \ --hash=sha256:011aff3524d578a9412c8b3cfaa50f2c0bd78e03eb7af7aa5e0df59b158efb2f \ From 0c79072d4103c749a346f2b9d369d6713395381f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 30 Aug 2024 13:20:55 -0400 Subject: [PATCH 1018/1462] Remove duplication of already_finalized_error (#11513) --- src/rust/src/backend/ciphers.rs | 4 ++-- src/rust/src/backend/cmac.rs | 5 ++--- src/rust/src/backend/hashes.rs | 10 ++-------- src/rust/src/backend/hmac.rs | 6 +++--- src/rust/src/backend/poly1305.rs | 9 ++++++--- src/rust/src/exceptions.rs | 6 ++++++ src/rust/src/padding.rs | 10 +++------- 7 files changed, 24 insertions(+), 26 deletions(-) diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index b1a2c2474a0b..142175eb2471 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs 
@@ -259,8 +259,8 @@ struct PyAEADDecryptionContext { aad_bytes_remaining: u64, } -fn get_mut_ctx(ctx: Option<&mut CipherContext>) -> pyo3::PyResult<&mut CipherContext> { - ctx.ok_or_else(|| exceptions::AlreadyFinalized::new_err("Context was already finalized.")) +fn get_mut_ctx(ctx: Option<&mut CipherContext>) -> CryptographyResult<&mut CipherContext> { + ctx.ok_or_else(exceptions::already_finalized_error) } #[pyo3::pymethods] diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index 6a8737964643..fe11f7495a33 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs @@ -3,7 +3,6 @@ // for complete details. use crate::backend::cipher_registry; -use crate::backend::hashes::already_finalized_error; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; @@ -22,14 +21,14 @@ impl Cmac { if let Some(ctx) = self.ctx.as_ref() { return Ok(ctx); }; - Err(already_finalized_error()) + Err(exceptions::already_finalized_error()) } fn get_mut_ctx(&mut self) -> CryptographyResult<&mut cryptography_openssl::cmac::Cmac> { if let Some(ctx) = self.ctx.as_mut() { return Ok(ctx); } - Err(already_finalized_error()) + Err(exceptions::already_finalized_error()) } } diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index e6c86e92514c..155ad6ec755c 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs 
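Review bot: The two context getters in the `impl Cmac` hunk still write the finalized check as `if let Some(ctx) = … { return Ok(ctx); }` followed by `Err(exceptions::already_finalized_error())`, while the ciphers.rs helper in this same commit uses `ctx.ok_or_else(exceptions::already_finalized_error)`. With the shared constructor available, each body could be a single expression: `self.ctx.as_ref().ok_or_else(exceptions::already_finalized_error)` and `self.ctx.as_mut().ok_or_else(exceptions::already_finalized_error)`. The same applies to the `impl Hash` and `impl Hmac` hunks in hashes.rs and hmac.rs. This is style only and does not change behaviour. The first getter's signature lies above the hunk, so its name and return type are inferred from the second getter.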
@@ -17,25 +17,19 @@ pub(crate) struct Hash { ctx: Option, } -pub(crate) fn already_finalized_error() -> CryptographyError { - CryptographyError::from(exceptions::AlreadyFinalized::new_err( - "Context was already finalized.", - )) -} - impl Hash { fn get_ctx(&self) -> CryptographyResult<&openssl::hash::Hasher> { if let Some(ctx) = self.ctx.as_ref() { return Ok(ctx); }; - Err(already_finalized_error()) + Err(exceptions::already_finalized_error()) } fn get_mut_ctx(&mut self) -> CryptographyResult<&mut openssl::hash::Hasher> { if let Some(ctx) = self.ctx.as_mut() { return Ok(ctx); } - Err(already_finalized_error()) + Err(exceptions::already_finalized_error()) } } diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs index d70d499565a4..cce3593fa782 100644 --- a/src/rust/src/backend/hmac.rs +++ b/src/rust/src/backend/hmac.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::backend::hashes::{already_finalized_error, message_digest_from_algorithm}; +use crate::backend::hashes::message_digest_from_algorithm; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; @@ -47,14 +47,14 @@ impl Hmac { if let Some(ctx) = self.ctx.as_ref() { return Ok(ctx); }; - Err(already_finalized_error()) + Err(exceptions::already_finalized_error()) } fn get_mut_ctx(&mut self) -> CryptographyResult<&mut cryptography_openssl::hmac::Hmac> { if let Some(ctx) = self.ctx.as_mut() { return Ok(ctx); } - Err(already_finalized_error()) + Err(exceptions::already_finalized_error()) } } diff --git a/src/rust/src/backend/poly1305.rs b/src/rust/src/backend/poly1305.rs index e998a43aaff6..d955a9a90338 100644 --- a/src/rust/src/backend/poly1305.rs +++ b/src/rust/src/backend/poly1305.rs 
@@ -2,7 +2,6 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::backend::hashes::already_finalized_error; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; @@ -136,7 +135,9 @@ impl Poly1305 { fn update(&mut self, data: CffiBuf<'_>) -> CryptographyResult<()> { self.inner .as_mut() - .map_or(Err(already_finalized_error()), |b| b.update(data)) + .map_or(Err(exceptions::already_finalized_error()), |b| { + b.update(data) + }) } fn finalize<'p>( @@ -146,7 +147,9 @@ impl Poly1305 { let res = self .inner .as_mut() - .map_or(Err(already_finalized_error()), |b| b.finalize(py)); + .map_or(Err(exceptions::already_finalized_error()), |b| { + b.finalize(py) + }); self.inner = None; res diff --git a/src/rust/src/exceptions.rs b/src/rust/src/exceptions.rs index 91824ef0422e..5e0a44f8cc78 100644 --- a/src/rust/src/exceptions.rs +++ b/src/rust/src/exceptions.rs @@ -2,6 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use crate::error::CryptographyError; + #[pyo3::pyclass( frozen, eq, @@ -37,6 +39,10 @@ pyo3::import_exception_bound!(cryptography.x509, DuplicateExtension); pyo3::import_exception_bound!(cryptography.x509, UnsupportedGeneralNameType); pyo3::import_exception_bound!(cryptography.x509, InvalidVersion); +pub(crate) fn already_finalized_error() -> CryptographyError { + CryptographyError::from(AlreadyFinalized::new_err("Context was already finalized.")) +} + #[pyo3::pymodule] pub(crate) mod exceptions { #[pymodule_export] diff --git a/src/rust/src/padding.rs b/src/rust/src/padding.rs index 92da0a65af40..3a55039d3385 100644 --- a/src/rust/src/padding.rs +++ b/src/rust/src/padding.rs 
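Review bot: In `Poly1305::update` and `finalize`, `map_or(Err(exceptions::already_finalized_error()), …)` evaluates its default argument eagerly, so the AlreadyFinalized error value is built and dropped on every call, even when `self.inner` is still live. `map_or_else` defers the construction: `.map_or_else(|| Err(exceptions::already_finalized_error()), |b| b.update(data))`, and the same with `b.finalize(py)` in the second hunk. The removed lines had the same shape, but both call sites are being rewritten here anyway. The `self.inner = None` after the `finalize` call stays as it is, so a second `finalize` still hits the guard.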
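Review bot: The new `already_finalized_error()` in exceptions.rs has no doc comment. It is now the single definition of the use-after-finalize error for the cipher, CMAC, hash, HMAC, Poly1305 and padding contexts changed in this commit. A one-line rustdoc would record that, for example `/// Error returned when a context is used after it has been finalized.`.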
@@ -3,7 +3,7 @@ // for complete details. use crate::buf::CffiBuf; -use crate::error::{CryptographyError, CryptographyResult}; +use crate::error::CryptographyResult; use crate::exceptions; /// Returns the value of the input with the most-significant-bit copied to all @@ -92,9 +92,7 @@ impl PKCS7PaddingContext { *v += buf.as_bytes().len(); Ok(buf.into_pyobj()) } - None => Err(CryptographyError::from( - exceptions::AlreadyFinalized::new_err("Context was already finalized."), - )), + None => Err(exceptions::already_finalized_error()), } } @@ -108,9 +106,7 @@ impl PKCS7PaddingContext { let pad = vec![pad_size as u8; pad_size]; Ok(pyo3::types::PyBytes::new_bound(py, &pad)) } - None => Err(CryptographyError::from( - exceptions::AlreadyFinalized::new_err("Context was already finalized."), - )), + None => Err(exceptions::already_finalized_error()), } } } From d9b7610de76a7e2d98a6dada165d7e85e3de0c5d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 30 Aug 2024 17:22:31 -0700 Subject: [PATCH 1019/1462] Bump BoringSSL and/or OpenSSL in CI (#11515) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9eec4d0cf079..5f80dfd0f1ad 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 30, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d8cd383938102c4533cc2bad78b02bd3a4de6a82"}} - # Latest commit on the OpenSSL master branch, as of Aug 30, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0b97a5505efa8833bb7b8cabae45894ad6d910a2"}} + # Latest commit on the BoringSSL master branch, as of Aug 31, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "73030794f7aaf4f614486b511908841852807936"}} + # Latest commit on the OpenSSL master branch, as of Aug 31, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0cd9dd703ea575699b2d3cd74f1b8224447f4352"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From e343723356e29f22d74516e251c87ed829c59667 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 31 Aug 2024 17:15:18 -0400 Subject: [PATCH 1020/1462] Drop PyPy 3.9 (#11516) The latest PyPy release is 3.10 only --- .github/workflows/ci.yml | 1 - .github/workflows/wheel-builder.yml | 17 ----------------- 2 files changed, 18 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5f80dfd0f1ad..0c10b45b609a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -31,7 +31,6 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust"} - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.2"}} - {VERSION: "3.13-dev", NOXSESSION: "tests"} - - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.14"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.6"}} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 68930e5978d7..5413c9d3f96b 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -63,7 +63,6 @@ jobs: PYTHON: - { VERSION: "cp311-cp311", ABI_VERSION: 'py37' } - { VERSION: "cp311-cp311", ABI_VERSION: 'py39' } - - { VERSION: "pp39-pypy39_pp73" } - { VERSION: "pp310-pypy310_pp73" } MANYLINUX: - { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest" } 
@@ -75,22 +74,14 @@ jobs: - { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} exclude: # There are no readily available musllinux PyPy distributions - - PYTHON: { VERSION: "pp39-pypy39_pp73" } - MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp310-pypy310_pp73" } MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - - PYTHON: { VERSION: "pp39-pypy39_pp73" } - MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - PYTHON: { VERSION: "pp310-pypy310_pp73" } MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} # We also don't build pypy wheels for anything except the latest manylinux - - PYTHON: { VERSION: "pp39-pypy39_pp73" } - MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp310-pypy310_pp73" } MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"} - - PYTHON: { VERSION: "pp39-pypy39_pp73" } - MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]} - PYTHON: { VERSION: "pp310-pypy310_pp73" } MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]} name: "${{ matrix.PYTHON.VERSION }} for ${{ matrix.MANYLINUX.NAME }}" 
@@ -190,11 +181,6 @@ jobs: # This will change in the future as we change the base Python we # build against _PYTHON_HOST_PLATFORM: 'macosx-10.9-universal2' - - VERSION: 'pypy-3.9' - BIN_PATH: 'pypy3' - DEPLOYMENT_TARGET: '10.12' - _PYTHON_HOST_PLATFORM: 'macosx-10.9-x86_64' - ARCHFLAGS: '-arch x86_64' - VERSION: 'pypy-3.10' BIN_PATH: 'pypy3' DEPLOYMENT_TARGET: '10.12' @@ -290,12 +276,9 @@ jobs: PYTHON: - {VERSION: "3.11", "ABI_VERSION": "py37"} - {VERSION: "3.11", "ABI_VERSION": "py39"} - - {VERSION: "pypy-3.9"} - {VERSION: "pypy-3.10"} exclude: # We need to exclude the below configuration because there is no 32-bit pypy3 - - WINDOWS: {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'} - PYTHON: {VERSION: "pypy-3.9"} - WINDOWS: {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'} PYTHON: {VERSION: "pypy-3.10"} name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" From 3ab918f707e8ac5482be466f5291f813cf081b36 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 07:54:16 -0400 Subject: [PATCH 1021/1462] Bump syn from 2.0.76 to 2.0.77 in /src/rust (#11517) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.76 to 2.0.77. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.76...2.0.77) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 89180f731e26..cd9a9be072aa 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -334,9 +334,9 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "syn" -version = "2.0.76" +version = "2.0.77" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "578e081a14e0cefc3279b0472138c513f37b41a08d5a3cca9b6e4e8ceb6cd525" +checksum = "9f35bcdf61fd8e7be6caf75f429fdca8beb3ed76584befb503b1569faee373ed" dependencies = [ "proc-macro2", "quote", From e433172fc4f849ea509be5646c641f4a4d9e5e1d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 07:54:40 -0400 Subject: [PATCH 1022/1462] Bump actions/upload-artifact from 4.3.6 to 4.4.0 (#11518) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.6 to 4.4.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/834a144ee995460fba8ed112a2fc961b36a5ec5a...50769540e7f4bd5e21e526ee35c689e35e0d6874) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/wheel-builder.yml | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0c10b45b609a..3f69a548af4e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -475,14 +475,14 @@ jobs: run: python -m coverage html if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload HTML report. - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: _html-report path: htmlcov if-no-files-found: ignore if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload rust HTML report. - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: _html-rust-report path: rust-coverage diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 5413c9d3f96b..8204c478a712 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -40,11 +40,11 @@ jobs: run: .venv/bin/python -m build --sdist - name: Make sdist and wheel (vectors) run: cd vectors/ && ../.venv/bin/python -m build - - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: "cryptography-sdist" path: dist/cryptography* - - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: "vectors-sdist-wheel" path: vectors/dist/cryptography* 
@@ -145,7 +145,7 @@ jobs: .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - run: mkdir cryptography-wheelhouse - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: cryptography-wheelhouse/ @@ -259,7 +259,7 @@ jobs: - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - run: | echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls cryptography-wheelhouse/cryptography*.whl))" >> $GITHUB_ENV - - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}" path: cryptography-wheelhouse/ @@ -339,7 +339,7 @@ jobs: - run: mkdir cryptography-wheelhouse - run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\ - - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: cryptography-wheelhouse\ From 2fbaffc79bdd7926f0f99c45c34c30f1e0354264 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 06:59:01 -0700 Subject: [PATCH 1023/1462] Bump actions/upload-artifact from 4.3.6 to 4.4.0 in /.github/actions/upload-coverage (#11519) * Bump actions/upload-artifact in /.github/actions/upload-coverage Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.6 to 4.4.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/834a144ee995460fba8ed112a2fc961b36a5ec5a...50769540e7f4bd5e21e526ee35c689e35e0d6874) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update action.yml --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/actions/upload-coverage/action.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index d425f16f1c28..90d258910e10 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,10 +13,11 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }} path: | .coverage.* *.lcov if-no-files-found: ignore + include-hidden-files: true From e587837f6523447e5ee67efe970d470105063f33 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 2 Sep 2024 11:10:29 -0400 Subject: [PATCH 1024/1462] Use rc1 rtd sphinx theme (#11522) --- ci-constraints-requirements.txt | 2 +- pyproject.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
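Review bot: The added `include-hidden-files: true` in upload-coverage/action.yml has no comment explaining why it is needed. upload-artifact 4.4.0 stopped uploading hidden files by default, and the `.coverage.*` entries under `path` are dotfiles, so this flag is presumably what keeps the coverage data in the artifact. A comment such as `# .coverage.* are dotfiles; v4.4.0 skips hidden files unless this is set` would make that clear. `path` should also stay limited to these two globs, because with this flag a broader pattern would upload other hidden files from the workspace as well.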
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 2d0d8c0ea798..c4b698127a83 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -120,7 +120,7 @@ sphinx==7.4.7 # sphinxcontrib-qthelp # sphinxcontrib-serializinghtml # sphinxcontrib-spelling -sphinx-rtd-theme==2.0.0 +sphinx-rtd-theme==3.0.0rc1 # via cryptography (pyproject.toml) sphinxcontrib-applehelp==2.0.0 # via sphinx diff --git a/pyproject.toml b/pyproject.toml index 2f7558d3383f..459196c8ddbd 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -74,7 +74,7 @@ test = [ "certifi", ] test-randomorder = ["pytest-randomly"] -docs = ["sphinx >=5.3.0", "sphinx-rtd-theme >=1.1.1"] +docs = ["sphinx >=5.3.0", "sphinx-rtd-theme >=3.0.0rc1"] docstest = ["pyenchant >=1.6.11", "readme-renderer", "sphinxcontrib-spelling >=4.0.1"] sdist = ["build"] # `click` included because its needed to type check `release.py` From 43d1c573399292768dbd56798ea7f6a0cbaff015 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 15:20:22 +0000 Subject: [PATCH 1025/1462] Bump docutils from 0.20.1 to 0.21.2 (#10925) Bumps [docutils](https://docutils.sourceforge.io) from 0.20.1 to 0.21.2. --- updated-dependencies: - dependency-name: docutils dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c4b698127a83..3e0085c00bb8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -31,7 +31,7 @@ coverage==7.6.1; python_version >= "3.8" # pytest-cov distlib==0.3.8 # via virtualenv -docutils==0.20.1 +docutils==0.21.2 # via # readme-renderer # sphinx 
From c8924754d903a46c2a38f323d11178e4df5d4848 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 15:29:19 +0000 Subject: [PATCH 1026/1462] Bump sphinx from 7.4.7 to 8.0.2 (#11369) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.4.7 to 8.0.2. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.4.7...v8.0.2) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3e0085c00bb8..b21cc6029fcb 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -109,7 +109,7 @@ ruff==0.6.3 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx -sphinx==7.4.7 +sphinx==8.0.2 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From 2b725be98fa565aa0c4809341f1e82675b67d276 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 15:30:30 +0000 Subject: [PATCH 1027/1462] Bump readme-renderer from 43.0 to 44.0 (#11226) Bumps [readme-renderer](https://github.com/pypa/readme_renderer) from 43.0 to 44.0. - [Release notes](https://github.com/pypa/readme_renderer/releases) - [Changelog](https://github.com/pypa/readme_renderer/blob/main/CHANGES.rst) - [Commits](https://github.com/pypa/readme_renderer/compare/43.0...44.0) --- updated-dependencies: - dependency-name: readme-renderer dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b21cc6029fcb..2f5da67aafcf 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -101,7 +101,7 @@ pytest-randomly==3.15.0 # via cryptography (pyproject.toml) pytest-xdist==3.6.1; python_version >= "3.8" # via cryptography (pyproject.toml) -readme-renderer==43.0 +readme-renderer==44.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx From ba8d51fcee66f4bf86a0b4247cd0d9583c356d87 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 15:36:22 +0000 Subject: [PATCH 1028/1462] Bump alabaster from 0.7.16 to 1.0.0 (#11359) Bumps [alabaster](https://github.com/sphinx-doc/alabaster) from 0.7.16 to 1.0.0. - [Release notes](https://github.com/sphinx-doc/alabaster/releases) - [Changelog](https://github.com/sphinx-doc/alabaster/blob/master/docs/changelog.rst) - [Commits](https://github.com/sphinx-doc/alabaster/compare/0.7.16...1.0.0) --- updated-dependencies: - dependency-name: alabaster dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 2f5da67aafcf..8d7e4703ad90 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -5,7 +5,7 @@ # and then manually massaged to add version specifiers to packages whose # versions vary by Python version -alabaster==0.7.16 +alabaster==1.0.0 # via sphinx argcomplete==3.5.0; python_version >= "3.8" # via nox 
From 408b9f8a7a5289f58c48eb1d24a2caeb0172c140 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 2 Sep 2024 12:38:17 -0500 Subject: [PATCH 1029/1462] argon2id test vectors (#11523) --- docs/development/test-vectors.rst | 3 + docs/spelling_wordlist.txt | 2 + vectors/cryptography_vectors/KDF/argon2id.txt | 62 +++++++++++++++++++ 3 files changed, 67 insertions(+) create mode 100644 vectors/cryptography_vectors/KDF/argon2id.txt diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index ff34844699b3..dcbc93edf89f 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -963,6 +963,8 @@ Key derivation functions * X9.63 KDF from `NIST CAVP`_. * SP 800-108 Counter Mode KDF (HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512) from `NIST CAVP`_. +* argon2id from :rfc:`9106`, OpenSSL's `evpkdf_argon2.txt`_, and the + argon2 command line application. Key wrapping ~~~~~~~~~~~~ @@ -1108,4 +1110,5 @@ header format (substituting the correct information): .. _`dkg's additional OCB3 vectors`: https://gitlab.com/dkg/ocb-test-vectors .. _`OpenSSL's OCB vectors`: https://github.com/openssl/openssl/commit/2f19ab18a29cf9c82cdd68bc8c7e5be5061b19be .. _`badkeys`: https://github.com/vcsjones/badkeys/tree/50f1cc5f8d13bf3a2046d689f6452decb15d9c3c +.. _`evpkdf_argon2.txt`: https://github.com/openssl/openssl/blob/01f4b44e075a796d62d3b007a80c5c04d0e77bfb/test/recipes/30-test_evp_data/evpkdf_argon2.txt .. _`OpenSSL's RFC 6979 test vectors`: https://github.com/openssl/openssl/blob/01690a7ff36c4d18c48b301cdf375c954105a1d9/test/recipes/30-test_evp_data/evppkey_ecdsa_rfc6979.txt diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 2cf3167b1dbc..6a0282266821 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -1,6 +1,8 @@ AArch accessor affine +argon2 +argon2id Authenticator authenticator backend 
diff --git a/vectors/cryptography_vectors/KDF/argon2id.txt b/vectors/cryptography_vectors/KDF/argon2id.txt new file mode 100644 index 000000000000..035e2a53ceb0 --- /dev/null +++ b/vectors/cryptography_vectors/KDF/argon2id.txt @@ -0,0 +1,62 @@ +# Test vectors from RFC 9106, +# https://github.com/openssl/openssl/blob/01f4b44e075a796d62d3b007a80c5c04d0e77bfb/test/recipes/30-test_evp_data/evpkdf_argon2.txt +# and the argon2 CLI tool. Adapted for the pyca/cryptography NIST loaders + +COUNT = 0 +length = 32 +lanes = 4 +iter = 3 +memcost = 32 +secret = 0303030303030303 +pass = 0101010101010101010101010101010101010101010101010101010101010101 +salt = 02020202020202020202020202020202 +ad = 040404040404040404040404 +output = 0d640df58d78766c08c037a34a8b53c9d01ef0452d75b65eb52520e96b01e659 + +COUNT = 1 +length = 32 +lanes = 4 +iter = 3 +memcost = 32 +pass = +salt = 02020202020202020202020202020202 +output = 0a34f1abde67086c82e785eaf17c68382259a264f4e61b91cd2763cb75ac189a + +COUNT = 2 +length = 32 +lanes = 4 +iter = 3 +memcost = 32 +pass = 0101010101010101010101010101010101010101010101010101010101010101 +salt = 02020202020202020202020202020202 +output = 03aab965c12001c9d7d0d2de33192c0494b684bb148196d73c1df1acaf6d0c2e + +# echo -n "password" | argon2 pycasalt -id -t 1 -k 131072 -p 2 -l 64 +COUNT = 3 +length = 64 +lanes = 2 +iter = 1 +memcost = 131072 +salt = 7079636173616c74 +pass = 70617373776f7264 +output = e9e42714a15947f6ce1fdabbb667dfc9fd1af7c473f021cc3402506bfa7750533f33aa44e3aebcf336680f4a2bdc371758574ad48470f05a9ee2ffd70c150b4c + +# echo -n "password" | argon2 pycasalt -id -t 4 -k 50 -p 4 -l 8 +COUNT = 4 +length = 8 +lanes = 4 +iter = 4 +memcost = 50 +salt = 7079636173616c74 +pass = 70617373776f7264 +output = e469b777841e543f + +# echo -n "password" | argon2 pycasalt -id -t 1 -k 8 -p 1 -l 4 +COUNT = 5 +length = 4 +lanes = 1 +iter = 1 +memcost = 8 +salt = 7079636173616c74 +pass = 70617373776f7264 +output = 009c7809 \ No newline at end of file 
From 709e9de7a7ebd34c1eb5969269e0cd48daf43419 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 2 Sep 2024 19:55:07 -0400 Subject: [PATCH 1030/1462] Another one bites the dust -- Queen (#11525) --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 459196c8ddbd..9be55f581af3 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -8,7 +8,7 @@ requires = [ "cffi>=1.12; platform_python_implementation != 'PyPy'", # Needed because cffi imports distutils, and in Python 3.12, distutils has # been removed from the stdlib, but installing setuptools puts it back. - "setuptools!=74.0.0", + "setuptools!=74.0.0,!=74.1.0", ] build-backend = "maturin" From cab6a94c2d3f8bcc28ae34f98ddca81507acbfaf Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 00:18:24 +0000 Subject: [PATCH 1031/1462] Bump BoringSSL and/or OpenSSL in CI (#11527) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3f69a548af4e..14593a37d6ce 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Aug 31, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "73030794f7aaf4f614486b511908841852807936"}} - # Latest commit on the OpenSSL master branch, as of Aug 31, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0cd9dd703ea575699b2d3cd74f1b8224447f4352"}} + # Latest commit on the OpenSSL master branch, as of Sep 03, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "01f4b44e075a796d62d3b007a80c5c04d0e77bfb"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 850b98e9c5bdfe724937c7dc0f846e16f4433937 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 00:33:08 +0000 Subject: [PATCH 1032/1462] Bump x509-limbo and/or wycheproof in CI (#11528) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 1e60f0da67ec..f124518dc305 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Aug 27, 2024. - ref: "6b9a21829ab580c2893ff0e6fd310fa94accd6c3" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Sep 03, 2024. + ref: "c77f95adb01d2d0f1389c52530201b75b1e8c82c" # x509-limbo-ref From b816164dc95486f1cd9357fbe1cbd2c717b63423 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 07:34:17 -0400 Subject: [PATCH 1033/1462] Bump readme-renderer from 43.0 to 44.0 in /.github/requirements (#11529) Bumps [readme-renderer](https://github.com/pypa/readme_renderer) from 43.0 to 44.0. - [Release notes](https://github.com/pypa/readme_renderer/releases) - [Changelog](https://github.com/pypa/readme_renderer/blob/main/CHANGES.rst) - [Commits](https://github.com/pypa/readme_renderer/compare/43.0...44.0) --- updated-dependencies: - dependency-name: readme-renderer dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 761064c7903e..f4f43e1e4bea 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -284,9 +284,9 @@ pygments==2.18.0 \ # via # readme-renderer # rich -readme-renderer==43.0 \ - --hash=sha256:1818dd28140813509eeed8d62687f7cd4f7bad90d4db586001c5dc09d4fde311 \ - --hash=sha256:19db308d86ecd60e5affa3b2a98f017af384678c63c88e5d4556a380e674f3f9 +readme-renderer==44.0 \ + --hash=sha256:2fbca89b81a08526aadf1357a8c2ae889ec05fb03f5da67f9769c9a592166151 \ + --hash=sha256:8712034eabbfa6805cacf1402b4eeb2a73028f72d1166d6f5cb7f9c047c5d1e1 # via twine requests==2.32.3 \ --hash=sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760 \ From ffcbb5b1d53c83bcb9f24bc9e4c9472c4c5683fd Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 07:35:58 -0400 Subject: [PATCH 1034/1462] Bump peter-evans/create-pull-request from 6.1.0 to 7.0.0 (#11531) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 6.1.0 to 7.0.0. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/c5a7806660adbe173f04e3e038b0ccdcd758773c...4320041ed380b20e97d388d56a7fb4f9b8c20e79) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 64925545d1a4..c3f2758402be 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 + uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79 # v7.0.0 with: branch: "bump-openssl-boringssl" commit-message: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index eb2114e7e873..ed2b5fecd842 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml 
@@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 + uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79 # v7.0.0 with: branch: "bump-vectors" commit-message: "Bump x509-limbo and/or wycheproof in CI" From 43897cbe22d304a93d6e8736fd386516baa9781d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 3 Sep 2024 13:08:07 -0700 Subject: [PATCH 1035/1462] port 43.0.1 changelog (#11534) bonus deny another setuptool --- CHANGELOG.rst | 7 +++++++ pyproject.toml | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 224747e3b712..75b4a55f78d3 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -16,6 +16,13 @@ Changelog during X.509 verification to allow fields permitted by :rfc:`5280` but forbidden by the CA/Browser BRs. +.. _v43-0-1: + +43.0.1 - 2024-09-03 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.3.2. + .. _v43-0-0: 43.0.0 - 2024-07-20 diff --git a/pyproject.toml b/pyproject.toml index 9be55f581af3..02689e0a55f3 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -8,7 +8,7 @@ requires = [ "cffi>=1.12; platform_python_implementation != 'PyPy'", # Needed because cffi imports distutils, and in Python 3.12, distutils has # been removed from the stdlib, but installing setuptools puts it back. - "setuptools!=74.0.0,!=74.1.0", + "setuptools!=74.0.0,!=74.1.0,!=74.1.1", ] build-backend = "maturin" From 292e32f3c601e63b3b4e19b6216d9fef60ed6276 Mon Sep 17 00:00:00 2001 
From: Paul Kehrer
Date: Tue, 3 Sep 2024 13:55:07 -0700
Subject: [PATCH 1036/1462] bump openssl versions in CI (#11535) * bump openssl versions in CI * update openssl URL path here too
---
 .github/workflows/build_openssl.sh | 2 +-
 .github/workflows/ci.yml | 18 +++++++++---------
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/build_openssl.sh b/.github/workflows/build_openssl.sh
index 9b4cd2a29782..72b06e0b8f3e 100755
--- a/.github/workflows/build_openssl.sh
+++ b/.github/workflows/build_openssl.sh
@@ -20,7 +20,7 @@ if [[ "${TYPE}" == "openssl" ]]; then
 pushd openssl
 git checkout "${VERSION}"
 else
- curl -LO "https://www.openssl.org/source/openssl-${VERSION}.tar.gz"
+ curl -LO "https://github.com/openssl/openssl/releases/download/openssl-${VERSION}/openssl-${VERSION}.tar.gz"
 tar zxf "openssl-${VERSION}.tar.gz"
 pushd "openssl-${VERSION}"
 fi
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 14593a37d6ce..75aafd73c280 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
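Review bot: The release tarball fetched in the `else` branch is unpacked by `tar zxf` with no integrity check in between, and `curl -LO` without `-f` saves an HTTP error page under the tarball name when the release URL is wrong. Adding `-f` makes a bad download fail at the curl step: `curl -fLO "https://github.com/openssl/openssl/releases/download/openssl-${VERSION}/openssl-${VERSION}.tar.gz"`. Since the download host changes in this commit, it is also worth pinning a SHA-256 per `VERSION` and checking it before extraction; none is visible in the hunk, though one may exist elsewhere in the script. The enclosing `if` block starts before the hunk and the script continues after it.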
@@ -29,17 +29,17 @@ jobs: PYTHON: - {VERSION: "3.12", NOXSESSION: "flake"} - {VERSION: "3.12", NOXSESSION: "rust"} - - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.2"}} + - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.3"}} - {VERSION: "3.13-dev", NOXSESSION: "tests"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.14"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.6"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.2"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.1"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.2", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.2", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.6"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.2"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.15"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.7"}} + - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.3"}} + - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.2"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.3", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.3", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} + - {VERSION: "3.12", 
NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.7"}} + - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.3"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} From 61bfad1105d71d010a170a42e93cf59c7b132d32 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 4 Sep 2024 00:15:59 +0000 Subject: [PATCH 1037/1462] Bump BoringSSL and/or OpenSSL in CI (#11537) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 75aafd73c280..082666eda796 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Aug 31, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "73030794f7aaf4f614486b511908841852807936"}} - # Latest commit on the OpenSSL master branch, as of Sep 03, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "01f4b44e075a796d62d3b007a80c5c04d0e77bfb"}} + # Latest commit on the BoringSSL master branch, as of Sep 04, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "6763c954da6b9c7ff4e4c1a335c3833c55a0ec05"}} + # Latest commit on the OpenSSL master branch, as of Sep 04, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "bbe4571f570ec28b4709746b6d4d624ca5394cc6"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From aa3e70e086b1f36f55d58a0d84eae0b51dbe7dc6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 3 Sep 2024 20:19:02 -0400 Subject: [PATCH 1038/1462] allow sha1 in OAEP (#11536) fixes #11512 --- src/rust/src/backend/rsa.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 3c01e74219fb..066b1412af92 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs 
@@ -70,7 +70,7 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu
 }
 fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool {
- (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1())
+ md == &openssl::hash::MessageDigest::sha1()
 || md == &openssl::hash::MessageDigest::sha224()
 || md == &openssl::hash::MessageDigest::sha256()
 || md == &openssl::hash::MessageDigest::sha384()
From 8f2e524d09dca29d2c87dcfda11afb4272619d39 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 3 Sep 2024 20:26:33 -0400
Subject: [PATCH 1039/1462] Bump cryptography from 43.0.0 to 43.0.1 in /.github/requirements (#11538) Bumps [cryptography](https://github.com/pyca/cryptography) from 43.0.0 to 43.0.1. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/43.0.0...43.0.1) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/requirements/publish-requirements.txt | 56 +++++++++----------
 1 file changed, 28 insertions(+), 28 deletions(-)
diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt
index f4f43e1e4bea..4444be08cf8b 100644
--- a/.github/requirements/publish-requirements.txt
+++ b/.github/requirements/publish-requirements.txt
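Review bot: `oaep_hash_supported` now accepts SHA-1 unconditionally, including when FIPS mode is enabled, and nothing on the function says why, so a later reader may take the missing FIPS check for an oversight and restore it. A short comment above the first comparison would record the intent, for example `// SHA-1 is accepted for OAEP even in FIPS mode; OAEP does not rely on the hash's collision resistance.`; the rationale should be confirmed against the referenced issue (#11512) before it is written down. Whether the FIPS provider itself accepts SHA-1 for OAEP at runtime is not visible here, so a test under the `--enable-fips=1` CI session covering SHA-1 OAEP encryption and decryption would pin the behaviour. The function body continues past the end of the hunk.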
@@ -173,34 +173,34 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==43.0.0 \ - --hash=sha256:0663585d02f76929792470451a5ba64424acc3cd5227b03921dab0e2f27b1709 \ - --hash=sha256:08a24a7070b2b6804c1940ff0f910ff728932a9d0e80e7814234269f9d46d069 \ - --hash=sha256:232ce02943a579095a339ac4b390fbbe97f5b5d5d107f8a08260ea2768be8cc2 \ - --hash=sha256:2905ccf93a8a2a416f3ec01b1a7911c3fe4073ef35640e7ee5296754e30b762b \ - --hash=sha256:299d3da8e00b7e2b54bb02ef58d73cd5f55fb31f33ebbf33bd00d9aa6807df7e \ - --hash=sha256:2c6d112bf61c5ef44042c253e4859b3cbbb50df2f78fa8fae6747a7814484a70 \ - --hash=sha256:31e44a986ceccec3d0498e16f3d27b2ee5fdf69ce2ab89b52eaad1d2f33d8778 \ - --hash=sha256:3d9a1eca329405219b605fac09ecfc09ac09e595d6def650a437523fcd08dd22 \ - --hash=sha256:3dcdedae5c7710b9f97ac6bba7e1052b95c7083c9d0e9df96e02a1932e777895 \ - --hash=sha256:47ca71115e545954e6c1d207dd13461ab81f4eccfcb1345eac874828b5e3eaaf \ - --hash=sha256:4a997df8c1c2aae1e1e5ac49c2e4f610ad037fc5a3aadc7b64e39dea42249431 \ - --hash=sha256:51956cf8730665e2bdf8ddb8da0056f699c1a5715648c1b0144670c1ba00b48f \ - --hash=sha256:5bcb8a5620008a8034d39bce21dc3e23735dfdb6a33a06974739bfa04f853947 \ - --hash=sha256:64c3f16e2a4fc51c0d06af28441881f98c5d91009b8caaff40cf3548089e9c74 \ - --hash=sha256:6e2b11c55d260d03a8cf29ac9b5e0608d35f08077d8c087be96287f43af3ccdc \ - --hash=sha256:7b3f5fe74a5ca32d4d0f302ffe6680fcc5c28f8ef0dc0ae8f40c0f3a1b4fca66 \ - --hash=sha256:844b6d608374e7d08f4f6e6f9f7b951f9256db41421917dfb2d003dde4cd6b66 \ - --hash=sha256:9a8d6802e0825767476f62aafed40532bd435e8a5f7d23bd8b4f5fd04cc80ecf \ - --hash=sha256:aae4d918f6b180a8ab8bf6511a419473d107df4dbb4225c7b48c5c9602c38c7f \ - --hash=sha256:ac1955ce000cb29ab40def14fd1bbfa7af2017cca696ee696925615cafd0dce5 \ - --hash=sha256:b88075ada2d51aa9f18283532c9f60e72170041bba88d7f37e49cbb10275299e \ - 
--hash=sha256:cb013933d4c127349b3948aa8aaf2f12c0353ad0eccd715ca789c8a0f671646f \ - --hash=sha256:cc70b4b581f28d0a254d006f26949245e3657d40d8857066c2ae22a61222ef55 \ - --hash=sha256:e9c5266c432a1e23738d178e51c2c7a5e2ddf790f248be939448c0ba2021f9d1 \ - --hash=sha256:ea9e57f8ea880eeea38ab5abf9fbe39f923544d7884228ec67d666abd60f5a47 \ - --hash=sha256:ee0c405832ade84d4de74b9029bedb7b31200600fa524d218fc29bfa371e97f5 \ - --hash=sha256:fdcb265de28585de5b859ae13e3846a8e805268a823a12a4da2597f1f5afc9f0 +cryptography==43.0.1 \ + --hash=sha256:014f58110f53237ace6a408b5beb6c427b64e084eb451ef25a28308270086494 \ + --hash=sha256:1bbcce1a551e262dfbafb6e6252f1ae36a248e615ca44ba302df077a846a8806 \ + --hash=sha256:203e92a75716d8cfb491dc47c79e17d0d9207ccffcbcb35f598fbe463ae3444d \ + --hash=sha256:27e613d7077ac613e399270253259d9d53872aaf657471473ebfc9a52935c062 \ + --hash=sha256:2bd51274dcd59f09dd952afb696bf9c61a7a49dfc764c04dd33ef7a6b502a1e2 \ + --hash=sha256:38926c50cff6f533f8a2dae3d7f19541432610d114a70808f0926d5aaa7121e4 \ + --hash=sha256:511f4273808ab590912a93ddb4e3914dfd8a388fed883361b02dea3791f292e1 \ + --hash=sha256:58d4e9129985185a06d849aa6df265bdd5a74ca6e1b736a77959b498e0505b85 \ + --hash=sha256:5b43d1ea6b378b54a1dc99dd8a2b5be47658fe9a7ce0a58ff0b55f4b43ef2b84 \ + --hash=sha256:61ec41068b7b74268fa86e3e9e12b9f0c21fcf65434571dbb13d954bceb08042 \ + --hash=sha256:666ae11966643886c2987b3b721899d250855718d6d9ce41b521252a17985f4d \ + --hash=sha256:68aaecc4178e90719e95298515979814bda0cbada1256a4485414860bd7ab962 \ + --hash=sha256:7c05650fe8023c5ed0d46793d4b7d7e6cd9c04e68eabe5b0aeea836e37bdcec2 \ + --hash=sha256:80eda8b3e173f0f247f711eef62be51b599b5d425c429b5d4ca6a05e9e856baa \ + --hash=sha256:8385d98f6a3bf8bb2d65a73e17ed87a3ba84f6991c155691c51112075f9ffc5d \ + --hash=sha256:88cce104c36870d70c49c7c8fd22885875d950d9ee6ab54df2745f83ba0dc365 \ + --hash=sha256:9d3cdb25fa98afdd3d0892d132b8d7139e2c087da1712041f6b762e4f807cc96 \ + 
--hash=sha256:a575913fb06e05e6b4b814d7f7468c2c660e8bb16d8d5a1faf9b33ccc569dd47 \ + --hash=sha256:ac119bb76b9faa00f48128b7f5679e1d8d437365c5d26f1c2c3f0da4ce1b553d \ + --hash=sha256:c1332724be35d23a854994ff0b66530119500b6053d0bd3363265f7e5e77288d \ + --hash=sha256:d03a475165f3134f773d1388aeb19c2d25ba88b6a9733c5c590b9ff7bbfa2e0c \ + --hash=sha256:d75601ad10b059ec832e78823b348bfa1a59f6b8d545db3a24fd44362a1564cb \ + --hash=sha256:de41fd81a41e53267cb020bb3a7212861da53a7d39f863585d13ea11049cf277 \ + --hash=sha256:e710bf40870f4db63c3d7d929aa9e09e4e7ee219e703f949ec4073b4294f6172 \ + --hash=sha256:ea25acb556320250756e53f9e20a4177515f012c9eaea17eb7587a8c4d8ae034 \ + --hash=sha256:f98bf604c82c416bc829e490c700ca1553eafdf2912a91e23a79d97d9801372a \ + --hash=sha256:fba1007b3ef89946dbbb515aeeb41e30203b004f0b4b00e5e16078b518563289 # via secretstorage docutils==0.21.2 \ --hash=sha256:3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f \ From ea21ecbd11ecb4a57b0305afffe1ac4a0793da9e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 4 Sep 2024 00:33:25 +0000 Subject: [PATCH 1040/1462] Bump x509-limbo and/or wycheproof in CI (#11539) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index f124518dc305..43b3e629ffb8 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Sep 03, 2024. - ref: "c77f95adb01d2d0f1389c52530201b75b1e8c82c" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Sep 04, 2024. + ref: "21e4b22c4b1b69cc956bd6bb0db2c3e40c3f46e9" # x509-limbo-ref 
From 1ff529f2e05623f4c803539410a01c5f1b54422c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 5 Sep 2024 16:27:03 -0400 Subject: [PATCH 1041/1462] test on openssl 3.4.0-alpha1 (#11547) --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 082666eda796..f90b11cc1ff4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -40,6 +40,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.3", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.7"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.3"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.4.0-alpha1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} From 84d79e761c8946711d4a47dd7f5b4b6bfeff41d8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 5 Sep 2024 20:28:02 +0000 Subject: [PATCH 1042/1462] Bump peter-evans/create-pull-request from 7.0.0 to 7.0.1 (#11545) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 7.0.0 to 7.0.1. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/4320041ed380b20e97d388d56a7fb4f9b8c20e79...8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index c3f2758402be..7b90df1a76c5 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79 # v7.0.0 + uses: peter-evans/create-pull-request@8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20 # v7.0.1 with: branch: "bump-openssl-boringssl" commit-message: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index ed2b5fecd842..b04510d674bb 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79 # v7.0.0 + uses: peter-evans/create-pull-request@8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20 # v7.0.1 with: branch: "bump-vectors" commit-message: "Bump x509-limbo and/or wycheproof in CI" From 2267c39e72e9210a6efd6c48ece75b4823192bd0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 5 Sep 2024 20:28:27 +0000 Subject: [PATCH 1043/1462] Bump cc from 1.1.15 to 1.1.16 in /src/rust (#11542) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.15 to 1.1.16. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.15...cc-v1.1.16) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index cd9a9be072aa..7539222c90e7 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.15" +version = "1.1.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "57b6a275aa2903740dc87da01c62040406b8812552e97129a63ea8850a17c6e6" +checksum = "e9d013ecb737093c0e86b151a7b837993cf9ec6c502946cfb44bedc392421e0b" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 3cf116a1af99..2ef2c2fb1e12 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.2", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.15" +cc = "1.1.16" From a807d4583256f7c09376e158aa3c861cb1900eb5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 5 Sep 2024 20:28:46 +0000 Subject: [PATCH 1044/1462] Bump cffi from 1.17.0 to 1.17.1 in /.github/requirements (#11544) Bumps [cffi](https://github.com/python-cffi/cffi) from 1.17.0 to 1.17.1. - [Release notes](https://github.com/python-cffi/cffi/releases) - [Commits](https://github.com/python-cffi/cffi/compare/v1.17.0...v1.17.1) --- updated-dependencies: - dependency-name: cffi dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 136 +++++++++--------- .github/requirements/publish-requirements.txt | 136 +++++++++--------- 2 files changed, 136 insertions(+), 136 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index ca043b971502..2ea9373ab879 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt 
@@ -4,74 +4,74 @@ # # pip-compile --allow-unsafe --generate-hashes build-requirements.in # -cffi==1.17.0 ; platform_python_implementation != "PyPy" \ - --hash=sha256:011aff3524d578a9412c8b3cfaa50f2c0bd78e03eb7af7aa5e0df59b158efb2f \ - --hash=sha256:0a048d4f6630113e54bb4b77e315e1ba32a5a31512c31a273807d0027a7e69ab \ - --hash=sha256:0bb15e7acf8ab35ca8b24b90af52c8b391690ef5c4aec3d31f38f0d37d2cc499 \ - --hash=sha256:0d46ee4764b88b91f16661a8befc6bfb24806d885e27436fdc292ed7e6f6d058 \ - --hash=sha256:0e60821d312f99d3e1569202518dddf10ae547e799d75aef3bca3a2d9e8ee693 \ - --hash=sha256:0fdacad9e0d9fc23e519efd5ea24a70348305e8d7d85ecbb1a5fa66dc834e7fb \ - --hash=sha256:14b9cbc8f7ac98a739558eb86fabc283d4d564dafed50216e7f7ee62d0d25377 \ - --hash=sha256:17c6d6d3260c7f2d94f657e6872591fe8733872a86ed1345bda872cfc8c74885 \ - --hash=sha256:1a2ddbac59dc3716bc79f27906c010406155031a1c801410f1bafff17ea304d2 \ - --hash=sha256:2404f3de742f47cb62d023f0ba7c5a916c9c653d5b368cc966382ae4e57da401 \ - --hash=sha256:24658baf6224d8f280e827f0a50c46ad819ec8ba380a42448e24459daf809cf4 \ - --hash=sha256:24aa705a5f5bd3a8bcfa4d123f03413de5d86e497435693b638cbffb7d5d8a1b \ - --hash=sha256:2770bb0d5e3cc0e31e7318db06efcbcdb7b31bcb1a70086d3177692a02256f59 \ - --hash=sha256:331ad15c39c9fe9186ceaf87203a9ecf5ae0ba2538c9e898e3a6967e8ad3db6f \ - --hash=sha256:3aa9d43b02a0c681f0bfbc12d476d47b2b2b6a3f9287f11ee42989a268a1833c \ - --hash=sha256:41f4915e09218744d8bae14759f983e466ab69b178de38066f7579892ff2a555 \ - --hash=sha256:4304d4416ff032ed50ad6bb87416d802e67139e31c0bde4628f36a47a3164bfa \ - --hash=sha256:435a22d00ec7d7ea533db494da8581b05977f9c37338c80bc86314bec2619424 \ - --hash=sha256:45f7cd36186db767d803b1473b3c659d57a23b5fa491ad83c6d40f2af58e4dbb \ - --hash=sha256:48b389b1fd5144603d61d752afd7167dfd205973a43151ae5045b35793232aa2 \ - --hash=sha256:4e67d26532bfd8b7f7c05d5a766d6f437b362c1bf203a3a5ce3593a645e870b8 \ - --hash=sha256:516a405f174fd3b88829eabfe4bb296ac602d6a0f68e0d64d5ac9456194a5b7e \ - 
--hash=sha256:5ba5c243f4004c750836f81606a9fcb7841f8874ad8f3bf204ff5e56332b72b9 \ - --hash=sha256:5bdc0f1f610d067c70aa3737ed06e2726fd9d6f7bfee4a351f4c40b6831f4e82 \ - --hash=sha256:6107e445faf057c118d5050560695e46d272e5301feffda3c41849641222a828 \ - --hash=sha256:6327b572f5770293fc062a7ec04160e89741e8552bf1c358d1a23eba68166759 \ - --hash=sha256:669b29a9eca6146465cc574659058ed949748f0809a2582d1f1a324eb91054dc \ - --hash=sha256:6ce01337d23884b21c03869d2f68c5523d43174d4fc405490eb0091057943118 \ - --hash=sha256:6d872186c1617d143969defeadac5a904e6e374183e07977eedef9c07c8953bf \ - --hash=sha256:6f76a90c345796c01d85e6332e81cab6d70de83b829cf1d9762d0a3da59c7932 \ - --hash=sha256:70d2aa9fb00cf52034feac4b913181a6e10356019b18ef89bc7c12a283bf5f5a \ - --hash=sha256:7cbc78dc018596315d4e7841c8c3a7ae31cc4d638c9b627f87d52e8abaaf2d29 \ - --hash=sha256:856bf0924d24e7f93b8aee12a3a1095c34085600aa805693fb7f5d1962393206 \ - --hash=sha256:8a98748ed1a1df4ee1d6f927e151ed6c1a09d5ec21684de879c7ea6aa96f58f2 \ - --hash=sha256:93a7350f6706b31f457c1457d3a3259ff9071a66f312ae64dc024f049055f72c \ - --hash=sha256:964823b2fc77b55355999ade496c54dde161c621cb1f6eac61dc30ed1b63cd4c \ - --hash=sha256:a003ac9edc22d99ae1286b0875c460351f4e101f8c9d9d2576e78d7e048f64e0 \ - --hash=sha256:a0ce71725cacc9ebf839630772b07eeec220cbb5f03be1399e0457a1464f8e1a \ - --hash=sha256:a47eef975d2b8b721775a0fa286f50eab535b9d56c70a6e62842134cf7841195 \ - --hash=sha256:a8b5b9712783415695663bd463990e2f00c6750562e6ad1d28e072a611c5f2a6 \ - --hash=sha256:a9015f5b8af1bb6837a3fcb0cdf3b874fe3385ff6274e8b7925d81ccaec3c5c9 \ - --hash=sha256:aec510255ce690d240f7cb23d7114f6b351c733a74c279a84def763660a2c3bc \ - --hash=sha256:b00e7bcd71caa0282cbe3c90966f738e2db91e64092a877c3ff7f19a1628fdcb \ - --hash=sha256:b50aaac7d05c2c26dfd50c3321199f019ba76bb650e346a6ef3616306eed67b0 \ - --hash=sha256:b7b6ea9e36d32582cda3465f54c4b454f62f23cb083ebc7a94e2ca6ef011c3a7 \ - --hash=sha256:bb9333f58fc3a2296fb1d54576138d4cf5d496a2cc118422bd77835e6ae0b9cb \ - 
--hash=sha256:c1c13185b90bbd3f8b5963cd8ce7ad4ff441924c31e23c975cb150e27c2bf67a \ - --hash=sha256:c3b8bd3133cd50f6b637bb4322822c94c5ce4bf0d724ed5ae70afce62187c492 \ - --hash=sha256:c5d97162c196ce54af6700949ddf9409e9833ef1003b4741c2b39ef46f1d9720 \ - --hash=sha256:c815270206f983309915a6844fe994b2fa47e5d05c4c4cef267c3b30e34dbe42 \ - --hash=sha256:cab2eba3830bf4f6d91e2d6718e0e1c14a2f5ad1af68a89d24ace0c6b17cced7 \ - --hash=sha256:d1df34588123fcc88c872f5acb6f74ae59e9d182a2707097f9e28275ec26a12d \ - --hash=sha256:d6bdcd415ba87846fd317bee0774e412e8792832e7805938987e4ede1d13046d \ - --hash=sha256:db9a30ec064129d605d0f1aedc93e00894b9334ec74ba9c6bdd08147434b33eb \ - --hash=sha256:dbc183e7bef690c9abe5ea67b7b60fdbca81aa8da43468287dae7b5c046107d4 \ - --hash=sha256:dca802c8db0720ce1c49cce1149ff7b06e91ba15fa84b1d59144fef1a1bc7ac2 \ - --hash=sha256:dec6b307ce928e8e112a6bb9921a1cb00a0e14979bf28b98e084a4b8a742bd9b \ - --hash=sha256:df8bb0010fdd0a743b7542589223a2816bdde4d94bb5ad67884348fa2c1c67e8 \ - --hash=sha256:e4094c7b464cf0a858e75cd14b03509e84789abf7b79f8537e6a72152109c76e \ - --hash=sha256:e4760a68cab57bfaa628938e9c2971137e05ce48e762a9cb53b76c9b569f1204 \ - --hash=sha256:eb09b82377233b902d4c3fbeeb7ad731cdab579c6c6fda1f763cd779139e47c3 \ - --hash=sha256:eb862356ee9391dc5a0b3cbc00f416b48c1b9a52d252d898e5b7696a5f9fe150 \ - --hash=sha256:ef9528915df81b8f4c7612b19b8628214c65c9b7f74db2e34a646a0a2a0da2d4 \ - --hash=sha256:f3157624b7558b914cb039fd1af735e5e8049a87c817cc215109ad1c8779df76 \ - --hash=sha256:f3e0992f23bbb0be00a921eae5363329253c3b86287db27092461c887b791e5e \ - --hash=sha256:f9338cc05451f1942d0d8203ec2c346c830f8e86469903d5126c1f0a13a2bcbb \ - --hash=sha256:ffef8fd58a36fb5f1196919638f73dd3ae0db1a878982b27a9a5a176ede4ba91 +cffi==1.17.1 ; platform_python_implementation != "PyPy" \ + --hash=sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8 \ + --hash=sha256:0984a4925a435b1da406122d4d7968dd861c1385afe3b45ba82b750f229811e2 \ + 
--hash=sha256:0e2b1fac190ae3ebfe37b979cc1ce69c81f4e4fe5746bb401dca63a9062cdaf1 \ + --hash=sha256:0f048dcf80db46f0098ccac01132761580d28e28bc0f78ae0d58048063317e15 \ + --hash=sha256:1257bdabf294dceb59f5e70c64a3e2f462c30c7ad68092d01bbbfb1c16b1ba36 \ + --hash=sha256:1c39c6016c32bc48dd54561950ebd6836e1670f2ae46128f67cf49e789c52824 \ + --hash=sha256:1d599671f396c4723d016dbddb72fe8e0397082b0a77a4fab8028923bec050e8 \ + --hash=sha256:28b16024becceed8c6dfbc75629e27788d8a3f9030691a1dbf9821a128b22c36 \ + --hash=sha256:2bb1a08b8008b281856e5971307cc386a8e9c5b625ac297e853d36da6efe9c17 \ + --hash=sha256:30c5e0cb5ae493c04c8b42916e52ca38079f1b235c2f8ae5f4527b963c401caf \ + --hash=sha256:31000ec67d4221a71bd3f67df918b1f88f676f1c3b535a7eb473255fdc0b83fc \ + --hash=sha256:386c8bf53c502fff58903061338ce4f4950cbdcb23e2902d86c0f722b786bbe3 \ + --hash=sha256:3edc8d958eb099c634dace3c7e16560ae474aa3803a5df240542b305d14e14ed \ + --hash=sha256:45398b671ac6d70e67da8e4224a065cec6a93541bb7aebe1b198a61b58c7b702 \ + --hash=sha256:46bf43160c1a35f7ec506d254e5c890f3c03648a4dbac12d624e4490a7046cd1 \ + --hash=sha256:4ceb10419a9adf4460ea14cfd6bc43d08701f0835e979bf821052f1805850fe8 \ + --hash=sha256:51392eae71afec0d0c8fb1a53b204dbb3bcabcb3c9b807eedf3e1e6ccf2de903 \ + --hash=sha256:5da5719280082ac6bd9aa7becb3938dc9f9cbd57fac7d2871717b1feb0902ab6 \ + --hash=sha256:610faea79c43e44c71e1ec53a554553fa22321b65fae24889706c0a84d4ad86d \ + --hash=sha256:636062ea65bd0195bc012fea9321aca499c0504409f413dc88af450b57ffd03b \ + --hash=sha256:6883e737d7d9e4899a8a695e00ec36bd4e5e4f18fabe0aca0efe0a4b44cdb13e \ + --hash=sha256:6b8b4a92e1c65048ff98cfe1f735ef8f1ceb72e3d5f0c25fdb12087a23da22be \ + --hash=sha256:6f17be4345073b0a7b8ea599688f692ac3ef23ce28e5df79c04de519dbc4912c \ + --hash=sha256:706510fe141c86a69c8ddc029c7910003a17353970cff3b904ff0686a5927683 \ + --hash=sha256:72e72408cad3d5419375fc87d289076ee319835bdfa2caad331e377589aebba9 \ + --hash=sha256:733e99bc2df47476e3848417c5a4540522f234dfd4ef3ab7fafdf555b082ec0c \ + 
--hash=sha256:7596d6620d3fa590f677e9ee430df2958d2d6d6de2feeae5b20e82c00b76fbf8 \ + --hash=sha256:78122be759c3f8a014ce010908ae03364d00a1f81ab5c7f4a7a5120607ea56e1 \ + --hash=sha256:805b4371bf7197c329fcb3ead37e710d1bca9da5d583f5073b799d5c5bd1eee4 \ + --hash=sha256:85a950a4ac9c359340d5963966e3e0a94a676bd6245a4b55bc43949eee26a655 \ + --hash=sha256:8f2cdc858323644ab277e9bb925ad72ae0e67f69e804f4898c070998d50b1a67 \ + --hash=sha256:9755e4345d1ec879e3849e62222a18c7174d65a6a92d5b346b1863912168b595 \ + --hash=sha256:98e3969bcff97cae1b2def8ba499ea3d6f31ddfdb7635374834cf89a1a08ecf0 \ + --hash=sha256:a08d7e755f8ed21095a310a693525137cfe756ce62d066e53f502a83dc550f65 \ + --hash=sha256:a1ed2dd2972641495a3ec98445e09766f077aee98a1c896dcb4ad0d303628e41 \ + --hash=sha256:a24ed04c8ffd54b0729c07cee15a81d964e6fee0e3d4d342a27b020d22959dc6 \ + --hash=sha256:a45e3c6913c5b87b3ff120dcdc03f6131fa0065027d0ed7ee6190736a74cd401 \ + --hash=sha256:a9b15d491f3ad5d692e11f6b71f7857e7835eb677955c00cc0aefcd0669adaf6 \ + --hash=sha256:ad9413ccdeda48c5afdae7e4fa2192157e991ff761e7ab8fdd8926f40b160cc3 \ + --hash=sha256:b2ab587605f4ba0bf81dc0cb08a41bd1c0a5906bd59243d56bad7668a6fc6c16 \ + --hash=sha256:b62ce867176a75d03a665bad002af8e6d54644fad99a3c70905c543130e39d93 \ + --hash=sha256:c03e868a0b3bc35839ba98e74211ed2b05d2119be4e8a0f224fba9384f1fe02e \ + --hash=sha256:c59d6e989d07460165cc5ad3c61f9fd8f1b4796eacbd81cee78957842b834af4 \ + --hash=sha256:c7eac2ef9b63c79431bc4b25f1cd649d7f061a28808cbc6c47b534bd789ef964 \ + --hash=sha256:c9c3d058ebabb74db66e431095118094d06abf53284d9c81f27300d0e0d8bc7c \ + --hash=sha256:ca74b8dbe6e8e8263c0ffd60277de77dcee6c837a3d0881d8c1ead7268c9e576 \ + --hash=sha256:caaf0640ef5f5517f49bc275eca1406b0ffa6aa184892812030f04c2abf589a0 \ + --hash=sha256:cdf5ce3acdfd1661132f2a9c19cac174758dc2352bfe37d98aa7512c6b7178b3 \ + --hash=sha256:d016c76bdd850f3c626af19b0542c9677ba156e4ee4fccfdd7848803533ef662 \ + --hash=sha256:d01b12eeeb4427d3110de311e1774046ad344f5b1a7403101878976ecd7a10f3 \ + 
--hash=sha256:d63afe322132c194cf832bfec0dc69a99fb9bb6bbd550f161a49e9e855cc78ff \ + --hash=sha256:da95af8214998d77a98cc14e3a3bd00aa191526343078b530ceb0bd710fb48a5 \ + --hash=sha256:dd398dbc6773384a17fe0d3e7eeb8d1a21c2200473ee6806bb5e6a8e62bb73dd \ + --hash=sha256:de2ea4b5833625383e464549fec1bc395c1bdeeb5f25c4a3a82b5a8c756ec22f \ + --hash=sha256:de55b766c7aa2e2a3092c51e0483d700341182f08e67c63630d5b6f200bb28e5 \ + --hash=sha256:df8b1c11f177bc2313ec4b2d46baec87a5f3e71fc8b45dab2ee7cae86d9aba14 \ + --hash=sha256:e03eab0a8677fa80d646b5ddece1cbeaf556c313dcfac435ba11f107ba117b5d \ + --hash=sha256:e221cf152cff04059d011ee126477f0d9588303eb57e88923578ace7baad17f9 \ + --hash=sha256:e31ae45bc2e29f6b2abd0de1cc3b9d5205aa847cafaecb8af1476a609a2f6eb7 \ + --hash=sha256:edae79245293e15384b51f88b00613ba9f7198016a5948b5dddf4917d4d26382 \ + --hash=sha256:f1e22e8c4419538cb197e4dd60acc919d7696e5ef98ee4da4e01d3f8cfa4cc5a \ + --hash=sha256:f3a2b4222ce6b60e2e8b337bb9596923045681d71e5a082783484d845390938e \ + --hash=sha256:f6a16c31041f09ead72d69f583767292f750d24913dadacf5756b966aacb3f1a \ + --hash=sha256:f75c7ab1f9e4aca5414ed4d8e5c0e303a34f4421f8a0d47a4d019ceff0ab6af4 \ + --hash=sha256:f79fc4fc25f1c8698ff97788206bb3c2598949bfe0fef03d299eb1b5356ada99 \ + --hash=sha256:f7f5baafcc48261359e14bcd6d9bff6d4b28d9103847c9e136694cb0501aef87 \ + --hash=sha256:fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b # via -r build-requirements.in maturin==1.7.1 \ --hash=sha256:00f0f8f5051f4c0d0f69bdd0c6297ea87e979f70fb78a377eb4277c932804e2d \ diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 4444be08cf8b..7f2e95cd5a31 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt 
@@ -12,74 +12,74 @@ certifi==2024.8.30 \ --hash=sha256:922820b53db7a7257ffbda3f597266d435245903d80737e34f8a45ff3e3230d8 \ --hash=sha256:bec941d2aa8195e248a60b31ff9f0558284cf01a52591ceda73ea9afffd69fd9 # via requests -cffi==1.17.0 \ - --hash=sha256:011aff3524d578a9412c8b3cfaa50f2c0bd78e03eb7af7aa5e0df59b158efb2f \ - --hash=sha256:0a048d4f6630113e54bb4b77e315e1ba32a5a31512c31a273807d0027a7e69ab \ - --hash=sha256:0bb15e7acf8ab35ca8b24b90af52c8b391690ef5c4aec3d31f38f0d37d2cc499 \ - --hash=sha256:0d46ee4764b88b91f16661a8befc6bfb24806d885e27436fdc292ed7e6f6d058 \ - --hash=sha256:0e60821d312f99d3e1569202518dddf10ae547e799d75aef3bca3a2d9e8ee693 \ - --hash=sha256:0fdacad9e0d9fc23e519efd5ea24a70348305e8d7d85ecbb1a5fa66dc834e7fb \ - --hash=sha256:14b9cbc8f7ac98a739558eb86fabc283d4d564dafed50216e7f7ee62d0d25377 \ - --hash=sha256:17c6d6d3260c7f2d94f657e6872591fe8733872a86ed1345bda872cfc8c74885 \ - --hash=sha256:1a2ddbac59dc3716bc79f27906c010406155031a1c801410f1bafff17ea304d2 \ - --hash=sha256:2404f3de742f47cb62d023f0ba7c5a916c9c653d5b368cc966382ae4e57da401 \ - --hash=sha256:24658baf6224d8f280e827f0a50c46ad819ec8ba380a42448e24459daf809cf4 \ - --hash=sha256:24aa705a5f5bd3a8bcfa4d123f03413de5d86e497435693b638cbffb7d5d8a1b \ - --hash=sha256:2770bb0d5e3cc0e31e7318db06efcbcdb7b31bcb1a70086d3177692a02256f59 \ - --hash=sha256:331ad15c39c9fe9186ceaf87203a9ecf5ae0ba2538c9e898e3a6967e8ad3db6f \ - --hash=sha256:3aa9d43b02a0c681f0bfbc12d476d47b2b2b6a3f9287f11ee42989a268a1833c \ - --hash=sha256:41f4915e09218744d8bae14759f983e466ab69b178de38066f7579892ff2a555 \ - --hash=sha256:4304d4416ff032ed50ad6bb87416d802e67139e31c0bde4628f36a47a3164bfa \ - --hash=sha256:435a22d00ec7d7ea533db494da8581b05977f9c37338c80bc86314bec2619424 \ - --hash=sha256:45f7cd36186db767d803b1473b3c659d57a23b5fa491ad83c6d40f2af58e4dbb \ - --hash=sha256:48b389b1fd5144603d61d752afd7167dfd205973a43151ae5045b35793232aa2 \ - --hash=sha256:4e67d26532bfd8b7f7c05d5a766d6f437b362c1bf203a3a5ce3593a645e870b8 \ - 
--hash=sha256:516a405f174fd3b88829eabfe4bb296ac602d6a0f68e0d64d5ac9456194a5b7e \ - --hash=sha256:5ba5c243f4004c750836f81606a9fcb7841f8874ad8f3bf204ff5e56332b72b9 \ - --hash=sha256:5bdc0f1f610d067c70aa3737ed06e2726fd9d6f7bfee4a351f4c40b6831f4e82 \ - --hash=sha256:6107e445faf057c118d5050560695e46d272e5301feffda3c41849641222a828 \ - --hash=sha256:6327b572f5770293fc062a7ec04160e89741e8552bf1c358d1a23eba68166759 \ - --hash=sha256:669b29a9eca6146465cc574659058ed949748f0809a2582d1f1a324eb91054dc \ - --hash=sha256:6ce01337d23884b21c03869d2f68c5523d43174d4fc405490eb0091057943118 \ - --hash=sha256:6d872186c1617d143969defeadac5a904e6e374183e07977eedef9c07c8953bf \ - --hash=sha256:6f76a90c345796c01d85e6332e81cab6d70de83b829cf1d9762d0a3da59c7932 \ - --hash=sha256:70d2aa9fb00cf52034feac4b913181a6e10356019b18ef89bc7c12a283bf5f5a \ - --hash=sha256:7cbc78dc018596315d4e7841c8c3a7ae31cc4d638c9b627f87d52e8abaaf2d29 \ - --hash=sha256:856bf0924d24e7f93b8aee12a3a1095c34085600aa805693fb7f5d1962393206 \ - --hash=sha256:8a98748ed1a1df4ee1d6f927e151ed6c1a09d5ec21684de879c7ea6aa96f58f2 \ - --hash=sha256:93a7350f6706b31f457c1457d3a3259ff9071a66f312ae64dc024f049055f72c \ - --hash=sha256:964823b2fc77b55355999ade496c54dde161c621cb1f6eac61dc30ed1b63cd4c \ - --hash=sha256:a003ac9edc22d99ae1286b0875c460351f4e101f8c9d9d2576e78d7e048f64e0 \ - --hash=sha256:a0ce71725cacc9ebf839630772b07eeec220cbb5f03be1399e0457a1464f8e1a \ - --hash=sha256:a47eef975d2b8b721775a0fa286f50eab535b9d56c70a6e62842134cf7841195 \ - --hash=sha256:a8b5b9712783415695663bd463990e2f00c6750562e6ad1d28e072a611c5f2a6 \ - --hash=sha256:a9015f5b8af1bb6837a3fcb0cdf3b874fe3385ff6274e8b7925d81ccaec3c5c9 \ - --hash=sha256:aec510255ce690d240f7cb23d7114f6b351c733a74c279a84def763660a2c3bc \ - --hash=sha256:b00e7bcd71caa0282cbe3c90966f738e2db91e64092a877c3ff7f19a1628fdcb \ - --hash=sha256:b50aaac7d05c2c26dfd50c3321199f019ba76bb650e346a6ef3616306eed67b0 \ - --hash=sha256:b7b6ea9e36d32582cda3465f54c4b454f62f23cb083ebc7a94e2ca6ef011c3a7 \ - 
--hash=sha256:bb9333f58fc3a2296fb1d54576138d4cf5d496a2cc118422bd77835e6ae0b9cb \ - --hash=sha256:c1c13185b90bbd3f8b5963cd8ce7ad4ff441924c31e23c975cb150e27c2bf67a \ - --hash=sha256:c3b8bd3133cd50f6b637bb4322822c94c5ce4bf0d724ed5ae70afce62187c492 \ - --hash=sha256:c5d97162c196ce54af6700949ddf9409e9833ef1003b4741c2b39ef46f1d9720 \ - --hash=sha256:c815270206f983309915a6844fe994b2fa47e5d05c4c4cef267c3b30e34dbe42 \ - --hash=sha256:cab2eba3830bf4f6d91e2d6718e0e1c14a2f5ad1af68a89d24ace0c6b17cced7 \ - --hash=sha256:d1df34588123fcc88c872f5acb6f74ae59e9d182a2707097f9e28275ec26a12d \ - --hash=sha256:d6bdcd415ba87846fd317bee0774e412e8792832e7805938987e4ede1d13046d \ - --hash=sha256:db9a30ec064129d605d0f1aedc93e00894b9334ec74ba9c6bdd08147434b33eb \ - --hash=sha256:dbc183e7bef690c9abe5ea67b7b60fdbca81aa8da43468287dae7b5c046107d4 \ - --hash=sha256:dca802c8db0720ce1c49cce1149ff7b06e91ba15fa84b1d59144fef1a1bc7ac2 \ - --hash=sha256:dec6b307ce928e8e112a6bb9921a1cb00a0e14979bf28b98e084a4b8a742bd9b \ - --hash=sha256:df8bb0010fdd0a743b7542589223a2816bdde4d94bb5ad67884348fa2c1c67e8 \ - --hash=sha256:e4094c7b464cf0a858e75cd14b03509e84789abf7b79f8537e6a72152109c76e \ - --hash=sha256:e4760a68cab57bfaa628938e9c2971137e05ce48e762a9cb53b76c9b569f1204 \ - --hash=sha256:eb09b82377233b902d4c3fbeeb7ad731cdab579c6c6fda1f763cd779139e47c3 \ - --hash=sha256:eb862356ee9391dc5a0b3cbc00f416b48c1b9a52d252d898e5b7696a5f9fe150 \ - --hash=sha256:ef9528915df81b8f4c7612b19b8628214c65c9b7f74db2e34a646a0a2a0da2d4 \ - --hash=sha256:f3157624b7558b914cb039fd1af735e5e8049a87c817cc215109ad1c8779df76 \ - --hash=sha256:f3e0992f23bbb0be00a921eae5363329253c3b86287db27092461c887b791e5e \ - --hash=sha256:f9338cc05451f1942d0d8203ec2c346c830f8e86469903d5126c1f0a13a2bcbb \ - --hash=sha256:ffef8fd58a36fb5f1196919638f73dd3ae0db1a878982b27a9a5a176ede4ba91 +cffi==1.17.1 \ + --hash=sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8 \ + 
--hash=sha256:0984a4925a435b1da406122d4d7968dd861c1385afe3b45ba82b750f229811e2 \ + --hash=sha256:0e2b1fac190ae3ebfe37b979cc1ce69c81f4e4fe5746bb401dca63a9062cdaf1 \ + --hash=sha256:0f048dcf80db46f0098ccac01132761580d28e28bc0f78ae0d58048063317e15 \ + --hash=sha256:1257bdabf294dceb59f5e70c64a3e2f462c30c7ad68092d01bbbfb1c16b1ba36 \ + --hash=sha256:1c39c6016c32bc48dd54561950ebd6836e1670f2ae46128f67cf49e789c52824 \ + --hash=sha256:1d599671f396c4723d016dbddb72fe8e0397082b0a77a4fab8028923bec050e8 \ + --hash=sha256:28b16024becceed8c6dfbc75629e27788d8a3f9030691a1dbf9821a128b22c36 \ + --hash=sha256:2bb1a08b8008b281856e5971307cc386a8e9c5b625ac297e853d36da6efe9c17 \ + --hash=sha256:30c5e0cb5ae493c04c8b42916e52ca38079f1b235c2f8ae5f4527b963c401caf \ + --hash=sha256:31000ec67d4221a71bd3f67df918b1f88f676f1c3b535a7eb473255fdc0b83fc \ + --hash=sha256:386c8bf53c502fff58903061338ce4f4950cbdcb23e2902d86c0f722b786bbe3 \ + --hash=sha256:3edc8d958eb099c634dace3c7e16560ae474aa3803a5df240542b305d14e14ed \ + --hash=sha256:45398b671ac6d70e67da8e4224a065cec6a93541bb7aebe1b198a61b58c7b702 \ + --hash=sha256:46bf43160c1a35f7ec506d254e5c890f3c03648a4dbac12d624e4490a7046cd1 \ + --hash=sha256:4ceb10419a9adf4460ea14cfd6bc43d08701f0835e979bf821052f1805850fe8 \ + --hash=sha256:51392eae71afec0d0c8fb1a53b204dbb3bcabcb3c9b807eedf3e1e6ccf2de903 \ + --hash=sha256:5da5719280082ac6bd9aa7becb3938dc9f9cbd57fac7d2871717b1feb0902ab6 \ + --hash=sha256:610faea79c43e44c71e1ec53a554553fa22321b65fae24889706c0a84d4ad86d \ + --hash=sha256:636062ea65bd0195bc012fea9321aca499c0504409f413dc88af450b57ffd03b \ + --hash=sha256:6883e737d7d9e4899a8a695e00ec36bd4e5e4f18fabe0aca0efe0a4b44cdb13e \ + --hash=sha256:6b8b4a92e1c65048ff98cfe1f735ef8f1ceb72e3d5f0c25fdb12087a23da22be \ + --hash=sha256:6f17be4345073b0a7b8ea599688f692ac3ef23ce28e5df79c04de519dbc4912c \ + --hash=sha256:706510fe141c86a69c8ddc029c7910003a17353970cff3b904ff0686a5927683 \ + --hash=sha256:72e72408cad3d5419375fc87d289076ee319835bdfa2caad331e377589aebba9 \ + 
--hash=sha256:733e99bc2df47476e3848417c5a4540522f234dfd4ef3ab7fafdf555b082ec0c \ + --hash=sha256:7596d6620d3fa590f677e9ee430df2958d2d6d6de2feeae5b20e82c00b76fbf8 \ + --hash=sha256:78122be759c3f8a014ce010908ae03364d00a1f81ab5c7f4a7a5120607ea56e1 \ + --hash=sha256:805b4371bf7197c329fcb3ead37e710d1bca9da5d583f5073b799d5c5bd1eee4 \ + --hash=sha256:85a950a4ac9c359340d5963966e3e0a94a676bd6245a4b55bc43949eee26a655 \ + --hash=sha256:8f2cdc858323644ab277e9bb925ad72ae0e67f69e804f4898c070998d50b1a67 \ + --hash=sha256:9755e4345d1ec879e3849e62222a18c7174d65a6a92d5b346b1863912168b595 \ + --hash=sha256:98e3969bcff97cae1b2def8ba499ea3d6f31ddfdb7635374834cf89a1a08ecf0 \ + --hash=sha256:a08d7e755f8ed21095a310a693525137cfe756ce62d066e53f502a83dc550f65 \ + --hash=sha256:a1ed2dd2972641495a3ec98445e09766f077aee98a1c896dcb4ad0d303628e41 \ + --hash=sha256:a24ed04c8ffd54b0729c07cee15a81d964e6fee0e3d4d342a27b020d22959dc6 \ + --hash=sha256:a45e3c6913c5b87b3ff120dcdc03f6131fa0065027d0ed7ee6190736a74cd401 \ + --hash=sha256:a9b15d491f3ad5d692e11f6b71f7857e7835eb677955c00cc0aefcd0669adaf6 \ + --hash=sha256:ad9413ccdeda48c5afdae7e4fa2192157e991ff761e7ab8fdd8926f40b160cc3 \ + --hash=sha256:b2ab587605f4ba0bf81dc0cb08a41bd1c0a5906bd59243d56bad7668a6fc6c16 \ + --hash=sha256:b62ce867176a75d03a665bad002af8e6d54644fad99a3c70905c543130e39d93 \ + --hash=sha256:c03e868a0b3bc35839ba98e74211ed2b05d2119be4e8a0f224fba9384f1fe02e \ + --hash=sha256:c59d6e989d07460165cc5ad3c61f9fd8f1b4796eacbd81cee78957842b834af4 \ + --hash=sha256:c7eac2ef9b63c79431bc4b25f1cd649d7f061a28808cbc6c47b534bd789ef964 \ + --hash=sha256:c9c3d058ebabb74db66e431095118094d06abf53284d9c81f27300d0e0d8bc7c \ + --hash=sha256:ca74b8dbe6e8e8263c0ffd60277de77dcee6c837a3d0881d8c1ead7268c9e576 \ + --hash=sha256:caaf0640ef5f5517f49bc275eca1406b0ffa6aa184892812030f04c2abf589a0 \ + --hash=sha256:cdf5ce3acdfd1661132f2a9c19cac174758dc2352bfe37d98aa7512c6b7178b3 \ + --hash=sha256:d016c76bdd850f3c626af19b0542c9677ba156e4ee4fccfdd7848803533ef662 \ + 
--hash=sha256:d01b12eeeb4427d3110de311e1774046ad344f5b1a7403101878976ecd7a10f3 \ + --hash=sha256:d63afe322132c194cf832bfec0dc69a99fb9bb6bbd550f161a49e9e855cc78ff \ + --hash=sha256:da95af8214998d77a98cc14e3a3bd00aa191526343078b530ceb0bd710fb48a5 \ + --hash=sha256:dd398dbc6773384a17fe0d3e7eeb8d1a21c2200473ee6806bb5e6a8e62bb73dd \ + --hash=sha256:de2ea4b5833625383e464549fec1bc395c1bdeeb5f25c4a3a82b5a8c756ec22f \ + --hash=sha256:de55b766c7aa2e2a3092c51e0483d700341182f08e67c63630d5b6f200bb28e5 \ + --hash=sha256:df8b1c11f177bc2313ec4b2d46baec87a5f3e71fc8b45dab2ee7cae86d9aba14 \ + --hash=sha256:e03eab0a8677fa80d646b5ddece1cbeaf556c313dcfac435ba11f107ba117b5d \ + --hash=sha256:e221cf152cff04059d011ee126477f0d9588303eb57e88923578ace7baad17f9 \ + --hash=sha256:e31ae45bc2e29f6b2abd0de1cc3b9d5205aa847cafaecb8af1476a609a2f6eb7 \ + --hash=sha256:edae79245293e15384b51f88b00613ba9f7198016a5948b5dddf4917d4d26382 \ + --hash=sha256:f1e22e8c4419538cb197e4dd60acc919d7696e5ef98ee4da4e01d3f8cfa4cc5a \ + --hash=sha256:f3a2b4222ce6b60e2e8b337bb9596923045681d71e5a082783484d845390938e \ + --hash=sha256:f6a16c31041f09ead72d69f583767292f750d24913dadacf5756b966aacb3f1a \ + --hash=sha256:f75c7ab1f9e4aca5414ed4d8e5c0e303a34f4421f8a0d47a4d019ceff0ab6af4 \ + --hash=sha256:f79fc4fc25f1c8698ff97788206bb3c2598949bfe0fef03d299eb1b5356ada99 \ + --hash=sha256:f7f5baafcc48261359e14bcd6d9bff6d4b28d9103847c9e136694cb0501aef87 \ + --hash=sha256:fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b # via cryptography charset-normalizer==3.3.2 \ --hash=sha256:06435b539f889b1f6f4ac1758871aae42dc3a8c0e24ac9e60c2384973ad73027 \ From 16cda324ab53c04ef0f655806bd86f353ea0fe85 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 5 Sep 2024 20:29:03 +0000 Subject: [PATCH 1045/1462] Bump BoringSSL and/or OpenSSL in CI (#11543) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f90b11cc1ff4..b749c16bbb28 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 04, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "6763c954da6b9c7ff4e4c1a335c3833c55a0ec05"}} - # Latest commit on the OpenSSL master branch, as of Sep 04, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "bbe4571f570ec28b4709746b6d4d624ca5394cc6"}} + # Latest commit on the BoringSSL master branch, as of Sep 05, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9224e6d138f789b2db9f23b40dd016fffcdfd59e"}} + # Latest commit on the OpenSSL master branch, as of Sep 05, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c4a5d70d98cf57434cd4f7a1ae890a2e3d09c434"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 99f46d84eafb926d2cf2d0307666dc67023c7d91 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 5 Sep 2024 20:35:54 -0400 Subject: [PATCH 1046/1462] Bump BoringSSL and/or OpenSSL in CI (#11550) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b749c16bbb28..15f9fc43e34c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 05, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9224e6d138f789b2db9f23b40dd016fffcdfd59e"}} - # Latest commit on the OpenSSL master branch, as of Sep 05, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c4a5d70d98cf57434cd4f7a1ae890a2e3d09c434"}} + # Latest commit on the BoringSSL master branch, as of Sep 06, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "70a7387c129d95e0d2f42f888743dd9a2225f51b"}} + # Latest commit on the OpenSSL master branch, as of Sep 06, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8af4c02ea952ca387691c4a077c260ba045fe285"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 056a5d7997619d2b48366151b059f0256cc0156c Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 5 Sep 2024 20:36:17 -0400 Subject: [PATCH 1047/1462] Bump x509-limbo and/or wycheproof in CI (#11551) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 43b3e629ffb8..5f1307cf7afe 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Sep 04, 2024. - ref: "21e4b22c4b1b69cc956bd6bb0db2c3e40c3f46e9" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Sep 06, 2024. + ref: "ec0fc56b5ac4a1713dae4a0c62904395000fbfbf" # x509-limbo-ref From d44c37e95806ad756f018ff87f488697fa3e4287 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 6 Sep 2024 07:04:35 -0400 Subject: [PATCH 1048/1462] Bump ruff from 0.6.3 to 0.6.4 (#11552) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.6.3 to 0.6.4. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.6.3...0.6.4) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 8d7e4703ad90..04f7993764e1 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -105,7 +105,7 @@ readme-renderer==44.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.6.3 +ruff==0.6.4 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 3ee06ba4783344a80e6a0f35c3fd5438575962d5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 6 Sep 2024 07:05:08 -0400 Subject: [PATCH 1049/1462] Bump actions/attest-build-provenance from 1.4.2 to 1.4.3 (#11554) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.4.2 to 1.4.3. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/6149ea5740be74af77f260b9db67e633f6b0a9a1...1c608d11d69870c2092266b3f9a6f3abbf17002c) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 7a01112d4c2d..fd66a44ce065 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -93,7 +93,7 @@ jobs: # Do not perform attestation for things for TestPyPI. This is because # there's nothing that would prevent a malicious PyPI from serving a # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 + - uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 with: subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' 
From 516901101cd6df4b85f93275c8ce6afa195c62d2 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 7 Sep 2024 00:16:09 +0000 Subject: [PATCH 1050/1462] Bump BoringSSL and/or OpenSSL in CI (#11557) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 15f9fc43e34c..ccee4d68f56c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 06, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "70a7387c129d95e0d2f42f888743dd9a2225f51b"}} - # Latest commit on the OpenSSL master branch, as of Sep 06, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8af4c02ea952ca387691c4a077c260ba045fe285"}} + # Latest commit on the BoringSSL master branch, as of Sep 07, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "01e1ae3687e391a076fe470471f096db1f6d6bb4"}} + # Latest commit on the OpenSSL master branch, as of Sep 07, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5c82588173d33222b33693f698bc9c7614675e9f"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 1627baa85f2d87ea8ba64b8f3f7de63071f3ddfd Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Fri, 6 Sep 2024 22:39:35 -0400 Subject: [PATCH 1051/1462] Use uv for building sdists (#11549) Hash-pin dependencies refs #11548 --- .github/requirements/build-requirements.in | 3 +++ .github/requirements/build-requirements.txt | 4 ++++ .github/workflows/wheel-builder.yml | 9 ++++----- pyproject.toml | 2 +- 4 files changed, 12 insertions(+), 6 deletions(-) diff --git a/.github/requirements/build-requirements.in b/.github/requirements/build-requirements.in index 55ba1fa70184..fe9e9fb68d57 100644 --- a/.github/requirements/build-requirements.in +++ b/.github/requirements/build-requirements.in @@ -3,5 +3,8 @@ setuptools!=74.0.0 cffi>=1.12; platform_python_implementation != 'PyPy' maturin>=1,<2 +# Must be kept sync with build-system.requires at vectors/pyproject.toml +flit_core >=3.2,<4 + # WARN: changing the requirements here DOES NOT update the dependencies used for building at the github workflow, as the build process used build-requirements.txt # To update build-requirements.txt according to the dependencies here, run pip-compile --allow-unsafe --generate-hashes build-requirements.in diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 2ea9373ab879..953d2e709c6f 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt 
@@ -73,6 +73,10 @@ cffi==1.17.1 ; platform_python_implementation != "PyPy" \ --hash=sha256:f7f5baafcc48261359e14bcd6d9bff6d4b28d9103847c9e136694cb0501aef87 \ --hash=sha256:fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b # via -r build-requirements.in +flit-core==3.9.0 \ + --hash=sha256:72ad266176c4a3fcfab5f2930d76896059851240570ce9a98733b658cb786eba \ + --hash=sha256:7aada352fb0c7f5538c4fafeddf314d3a6a92ee8e2b1de70482329e42de70301 + # via -r build-requirements.in maturin==1.7.1 \ --hash=sha256:00f0f8f5051f4c0d0f69bdd0c6297ea87e979f70fb78a377eb4277c932804e2d \ --hash=sha256:07c8800603e551a45e16fe7ad1742977097ea43c18b28e491df74d4ca15c5857 \ diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 8204c478a712..7e34db123a93 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -33,13 +33,12 @@ jobs: ref: ${{ github.event.inputs.version || github.ref }} persist-credentials: false - - run: python -m venv .venv - - name: Install Python dependencies - run: .venv/bin/pip install -U pip build + - run: python -m pip install uv + - name: Make sdist (cryptography) - run: .venv/bin/python -m build --sdist + run: uv build --build-constraint=$BUILD_REQUIREMENTS_PATH --require-hashes --sdist - name: Make sdist and wheel (vectors) - run: cd vectors/ && ../.venv/bin/python -m build + run: uv build --build-constraint=$BUILD_REQUIREMENTS_PATH --require-hashes vectors/ - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: "cryptography-sdist" diff --git a/pyproject.toml b/pyproject.toml index 02689e0a55f3..44348415061a 100644 --- a/pyproject.toml +++ b/pyproject.toml 
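Review bot: `python -m pip install uv` in the sdist job installs whichever uv release is current, with no version or hash, so the tool that enforces `--require-hashes` on the build dependencies is itself an unverified download in the release workflow. Install it from a hash-pinned requirements file instead of by bare name. The same unpinned install appears in the macOS and Windows wheel jobs converted in patches 1058 and 1059 (`-m pip install uv` / `pip install uv`). Patch 1060 later in this series adds `.github/requirements/uv-requirements.txt` for this and installs with `pip install -r`. Writing that as `pip install --require-hashes -r $UV_REQUIREMENTS_PATH` would keep the check from lapsing silently if the file ever lost its `--hash` lines.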
@@ -8,7 +8,7 @@ requires = [ "cffi>=1.12; platform_python_implementation != 'PyPy'", # Needed because cffi imports distutils, and in Python 3.12, distutils has # been removed from the stdlib, but installing setuptools puts it back. - "setuptools!=74.0.0,!=74.1.0,!=74.1.1", + "setuptools!=74.0.0,!=74.1.0,!=74.1.1,!=74.1.2", ] build-backend = "maturin" From d4452997ed290d76bae724cce0a5605b5ae8c243 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 6 Sep 2024 22:43:42 -0400 Subject: [PATCH 1052/1462] Use uv to build `ci-constraints-requirements.txt` which hopefully makes it more maintainable (#11505) --- ci-constraints-requirements.txt | 232 ++++++++++++++++++++++++-------- pyproject.toml | 7 +- 2 files changed, 184 insertions(+), 55 deletions(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 04f7993764e1..39dd2d6a3cfb 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -1,76 +1,134 @@ -# This is named ambigiously, but it's a pip constraints file, named like a -# requirements file so dependabot will update the pins. -# It was originally generated with; -# pip-compile --extra=docs --extra=docstest --extra=pep8test --extra=test --extra=test-randomorder --extra=nox --extra=sdist --resolver=backtracking --strip-extras --unsafe-package=cffi --unsafe-package=pycparser --unsafe-package=setuptools pyproject.toml -# and then manually massaged to add version specifiers to packages whose -# versions vary by Python version - -alabaster==1.0.0 +# This file was autogenerated by uv via the following command: +# uv pip compile --universal -p 3.7 --extra=docs --extra=docstest --extra=pep8test --extra=test --extra=test-randomorder --extra=nox --extra=sdist --unsafe-package=cffi --unsafe-package=pycparser --unsafe-package=setuptools --unsafe-package=cryptography-vectors pyproject.toml +alabaster==0.7.13 ; python_full_version < '3.10' + # via sphinx +alabaster==1.0.0 ; python_full_version >= '3.10' # via sphinx -argcomplete==3.5.0; python_version >= "3.8" +argcomplete==3.1.2 ; python_full_version < '3.8' + # via nox +argcomplete==3.5.0 ; python_full_version >= '3.8' # via nox -babel==2.16.0 +babel==2.14.0 ; python_full_version < '3.8' # via sphinx -build==1.2.1 +babel==2.16.0 ; python_full_version >= '3.8' + # via sphinx +bleach==6.0.0 ; python_full_version < '3.8' + # via readme-renderer +build==1.1.1 ; python_full_version < '3.8' + # via cryptography (pyproject.toml) +build==1.2.1 ; python_full_version >= '3.8' # via - # check-sdist # cryptography (pyproject.toml) + # check-sdist certifi==2024.8.30 - # via requests + # via + # cryptography (pyproject.toml) + # requests charset-normalizer==3.3.2 # via requests -check-sdist==0.1.3 +check-sdist==0.1.3 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) click==8.1.7 # via cryptography (pyproject.toml) +colorama==0.4.6 ; (platform_system != 'Windows' and sys_platform == 'win32') or 
platform_system == 'Windows' or os_name == 'nt' + # via + # build + # click + # colorlog + # pytest + # sphinx colorlog==6.8.2 # via nox -coverage==7.6.1; python_version >= "3.8" - # via - # coverage - # pytest-cov +coverage==7.2.7 ; python_full_version < '3.8' + # via pytest-cov +coverage==7.6.1 ; python_full_version >= '3.8' + # via pytest-cov distlib==0.3.8 # via virtualenv -docutils==0.21.2 +docutils==0.19 ; python_full_version < '3.8' + # via + # readme-renderer + # sphinx +docutils==0.20.1 ; python_full_version >= '3.8' and python_full_version < '3.10' # via # readme-renderer # sphinx # sphinx-rtd-theme -exceptiongroup==1.2.2 +docutils==0.21.2 ; python_full_version >= '3.10' + # via + # readme-renderer + # sphinx + # sphinx-rtd-theme +exceptiongroup==1.2.2 ; python_full_version < '3.11' # via pytest -execnet==2.1.1; python_version >= "3.8" +execnet==2.0.2 ; python_full_version < '3.8' # via pytest-xdist -filelock==3.15.4; python_version >= "3.8" +execnet==2.1.1 ; python_full_version >= '3.8' + # via pytest-xdist +filelock==3.12.2 ; python_full_version < '3.8' + # via virtualenv +filelock==3.15.4 ; python_full_version >= '3.8' # via virtualenv idna==3.8 # via requests imagesize==1.4.1 # via sphinx +importlib-metadata==6.7.0 ; python_full_version < '3.8' + # via + # argcomplete + # build + # click + # nox + # pluggy + # pytest + # pytest-randomly + # sphinx + # sphinxcontrib-spelling + # virtualenv +importlib-metadata==8.4.0 ; python_full_version >= '3.8' and python_full_version < '3.10.2' + # via + # build + # pytest-randomly + # sphinx +importlib-resources==6.4.4 ; python_full_version == '3.8.*' + # via check-sdist iniconfig==2.0.0 # via pytest jinja2==3.1.4 # via sphinx markupsafe==2.1.5 # via jinja2 -mypy==1.11.2 +mypy==1.4.1 ; python_full_version < '3.8' + # via cryptography (pyproject.toml) +mypy==1.11.2 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy -nh3==0.2.18 +nh3==0.2.18 ; python_full_version >= 
'3.8' # via readme-renderer nox==2024.4.15 # via cryptography (pyproject.toml) -packaging==24.1; python_version >= "3.8" +packaging==24.0 ; python_full_version < '3.8' + # via + # build + # nox + # pytest + # sphinx +packaging==24.1 ; python_full_version >= '3.8' # via # build # nox # pytest # sphinx -pathspec==0.12.1 +pathspec==0.12.1 ; python_full_version >= '3.8' # via check-sdist -platformdirs==4.2.2; python_version >= "3.8" +platformdirs==4.0.0 ; python_full_version < '3.8' + # via virtualenv +platformdirs==4.2.2 ; python_full_version >= '3.8' # via virtualenv -pluggy==1.5.0; python_version >= "3.8" +pluggy==1.2.0 ; python_full_version < '3.8' + # via pytest +pluggy==1.5.0 ; python_full_version >= '3.8' # via pytest pretend==1.0.9 # via cryptography (pyproject.toml) @@ -80,13 +138,24 @@ pyenchant==3.2.2 # via # cryptography (pyproject.toml) # sphinxcontrib-spelling -pygments==2.18.0 +pygments==2.17.2 ; python_full_version < '3.8' + # via + # readme-renderer + # sphinx +pygments==2.18.0 ; python_full_version >= '3.8' # via # readme-renderer # sphinx pyproject-hooks==1.1.0 # via build -pytest==8.3.2; python_version >= "3.8" +pytest==7.4.4 ; python_full_version < '3.8' + # via + # cryptography (pyproject.toml) + # pytest-benchmark + # pytest-cov + # pytest-randomly + # pytest-xdist +pytest==8.3.2 ; python_full_version >= '3.8' # via # cryptography (pyproject.toml) # pytest-benchmark 
@@ -95,64 +164,119 @@ pytest==8.3.2; python_version >= "3.8" # pytest-xdist pytest-benchmark==4.0.0 # via cryptography (pyproject.toml) -pytest-cov==5.0.0; python_version >= "3.8" +pytest-cov==4.1.0 ; python_full_version < '3.8' + # via cryptography (pyproject.toml) +pytest-cov==5.0.0 ; python_full_version >= '3.8' + # via cryptography (pyproject.toml) +pytest-randomly==3.12.0 ; python_full_version < '3.8' + # via cryptography (pyproject.toml) +pytest-randomly==3.15.0 ; python_full_version >= '3.8' + # via cryptography (pyproject.toml) +pytest-xdist==3.5.0 ; python_full_version < '3.8' # via cryptography (pyproject.toml) -pytest-randomly==3.15.0 +pytest-xdist==3.6.1 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) -pytest-xdist==3.6.1; python_version >= "3.8" +pytz==2024.1 ; python_full_version < '3.9' + # via babel +readme-renderer==37.3 ; python_full_version < '3.8' # via cryptography (pyproject.toml) -readme-renderer==44.0 +readme-renderer==43.0 ; python_full_version >= '3.8' and python_full_version < '3.10' # via cryptography (pyproject.toml) -requests==2.32.3 +readme-renderer==44.0 ; python_full_version >= '3.10' + # via cryptography (pyproject.toml) +requests==2.31.0 ; python_full_version < '3.8' + # via sphinx +requests==2.32.3 ; python_full_version >= '3.8' # via sphinx ruff==0.6.4 # via cryptography (pyproject.toml) +six==1.16.0 ; python_full_version < '3.8' + # via bleach snowballstemmer==2.2.0 # via sphinx -sphinx==8.0.2 +sphinx==5.3.0 ; python_full_version < '3.8' + # via + # cryptography (pyproject.toml) + # sphinxcontrib-spelling +sphinx==7.1.2 ; python_full_version >= '3.8' and python_full_version < '3.10' # via # cryptography (pyproject.toml) # sphinx-rtd-theme - # sphinxcontrib-applehelp - # sphinxcontrib-devhelp - # sphinxcontrib-htmlhelp # sphinxcontrib-jquery - # sphinxcontrib-qthelp - # sphinxcontrib-serializinghtml # sphinxcontrib-spelling -sphinx-rtd-theme==3.0.0rc1 +sphinx==8.0.2 ; python_full_version >= '3.10' + # via + # 
cryptography (pyproject.toml) + # sphinx-rtd-theme + # sphinxcontrib-jquery + # sphinxcontrib-spelling +sphinx-rtd-theme==3.0.0rc1 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) -sphinxcontrib-applehelp==2.0.0 +sphinxcontrib-applehelp==1.0.2 ; python_full_version < '3.8' + # via sphinx +sphinxcontrib-applehelp==1.0.4 ; python_full_version >= '3.8' and python_full_version < '3.10' # via sphinx -sphinxcontrib-devhelp==2.0.0 +sphinxcontrib-applehelp==2.0.0 ; python_full_version >= '3.10' # via sphinx -sphinxcontrib-htmlhelp==2.1.0 +sphinxcontrib-devhelp==1.0.2 ; python_full_version < '3.10' # via sphinx -sphinxcontrib-jquery==4.1 +sphinxcontrib-devhelp==2.0.0 ; python_full_version >= '3.10' + # via sphinx +sphinxcontrib-htmlhelp==2.0.0 ; python_full_version < '3.8' + # via sphinx +sphinxcontrib-htmlhelp==2.0.1 ; python_full_version >= '3.8' and python_full_version < '3.10' + # via sphinx +sphinxcontrib-htmlhelp==2.1.0 ; python_full_version >= '3.10' + # via sphinx +sphinxcontrib-jquery==4.1 ; python_full_version >= '3.8' # via sphinx-rtd-theme sphinxcontrib-jsmath==1.0.1 # via sphinx -sphinxcontrib-qthelp==2.0.0 +sphinxcontrib-qthelp==1.0.3 ; python_full_version < '3.10' + # via sphinx +sphinxcontrib-qthelp==2.0.0 ; python_full_version >= '3.10' # via sphinx -sphinxcontrib-serializinghtml==2.0.0 +sphinxcontrib-serializinghtml==1.1.5 ; python_full_version < '3.10' + # via sphinx +sphinxcontrib-serializinghtml==2.0.0 ; python_full_version >= '3.10' # via sphinx sphinxcontrib-spelling==8.0.0 # via cryptography (pyproject.toml) -tomli==2.0.1 +tomli==2.0.1 ; python_full_version <= '3.11' # via # build - # check-manifest + # check-sdist # coverage # mypy - # pyproject-hooks + # nox # pytest -typing-extensions==4.12.2; python_version >= "3.8" + # sphinx +typed-ast==1.5.5 ; python_full_version < '3.8' + # via mypy +typing-extensions==4.7.1 ; python_full_version < '3.8' + # via + # importlib-metadata + # mypy + # nox + # platformdirs 
+typing-extensions==4.12.2 ; python_full_version >= '3.8' # via mypy -urllib3==2.2.2 +urllib3==2.0.7 ; python_full_version < '3.8' + # via requests +urllib3==2.2.2 ; python_full_version >= '3.8' # via requests virtualenv==20.26.3 # via nox +webencodings==0.5.1 ; python_full_version < '3.8' + # via bleach +zipp==3.15.0 ; python_full_version < '3.8' + # via importlib-metadata +zipp==3.20.1 ; python_full_version >= '3.8' and python_full_version < '3.10.2' + # via + # importlib-metadata + # importlib-resources -# The following packages are considered to be unsafe in a requirements file: +# The following packages were excluded from the output: # cffi # pycparser +# cryptography-vectors diff --git a/pyproject.toml b/pyproject.toml index 44348415061a..4f9fab38d563 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -74,7 +74,7 @@ test = [ "certifi", ] test-randomorder = ["pytest-randomly"] -docs = ["sphinx >=5.3.0", "sphinx-rtd-theme >=3.0.0rc1"] +docs = ["sphinx >=5.3.0", "sphinx-rtd-theme >=3.0.0rc1; python_version >= '3.8'"] docstest = ["pyenchant >=1.6.11", "readme-renderer", "sphinxcontrib-spelling >=4.0.1"] sdist = ["build"] # `click` included because its needed to type check `release.py` @@ -184,3 +184,8 @@ git-only = [ ".gitattributes", ".gitignore", ] + +[tool.uv] +# These cover all Python versions, but by expressing multiple environments we +# force uv's resolver to pick the latest versions of packages for each version. +environments = ["python_version >= '3.10'", "python_version >= '3.8' and python_version < '3.10'", "python_version < '3.8'"] From 36edeb57500666606f2adc3db44de347ee999d5a Mon Sep 17 00:00:00 2001 
From: Quentin Retourne <32574188+nitneuqr@users.noreply.github.com> Date: Sat, 7 Sep 2024 14:28:06 +0200 Subject: [PATCH 1053/1462] Rustify PKCS7 unpadding (#11556) * refacto: Added rust PKCS7Unpadding refacto: removed check_pkcs7_padding function refacto: removed python _PKCS7Unpadding * took comment into account --- .../hazmat/bindings/_rust/__init__.pyi | 6 +- src/cryptography/hazmat/primitives/padding.py | 27 +-------- src/rust/src/lib.rs | 2 +- src/rust/src/padding.rs | 60 ++++++++++++++++++- tests/hazmat/primitives/test_padding.py | 2 + 5 files changed, 70 insertions(+), 27 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/__init__.pyi index c0ea0a5405ca..30b67d85597e 100644 --- a/src/cryptography/hazmat/bindings/_rust/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/__init__.pyi @@ -6,7 +6,6 @@ import typing from cryptography.hazmat.primitives import padding -def check_pkcs7_padding(data: bytes) -> bool: ... def check_ansix923_padding(data: bytes) -> bool: ... class PKCS7PaddingContext(padding.PaddingContext): @@ -14,6 +13,11 @@ class PKCS7PaddingContext(padding.PaddingContext): def update(self, data: bytes) -> bytes: ... def finalize(self) -> bytes: ... +class PKCS7UnpaddingContext(padding.PaddingContext): + def __init__(self, block_size: int) -> None: ... + def update(self, data: bytes) -> bytes: ... + def finalize(self) -> bytes: ... + class ObjectIdentifier: def __init__(self, val: str) -> None: ... @property diff --git a/src/cryptography/hazmat/primitives/padding.py b/src/cryptography/hazmat/primitives/padding.py index d1ca775f33d0..b2a3f1cfffaa 100644 --- a/src/cryptography/hazmat/primitives/padding.py +++ b/src/cryptography/hazmat/primitives/padding.py @@ -11,8 +11,8 @@ from cryptography.exceptions import AlreadyFinalized from cryptography.hazmat.bindings._rust import ( PKCS7PaddingContext, + PKCS7UnpaddingContext, check_ansix923_padding, - check_pkcs7_padding, ) 
@@ -115,32 +115,11 @@ def padder(self) -> PaddingContext: return PKCS7PaddingContext(self.block_size) def unpadder(self) -> PaddingContext: - return _PKCS7UnpaddingContext(self.block_size) - - -class _PKCS7UnpaddingContext(PaddingContext): - _buffer: bytes | None - - def __init__(self, block_size: int): - self.block_size = block_size - # TODO: more copies than necessary, we should use zero-buffer (#193) - self._buffer = b"" - - def update(self, data: bytes) -> bytes: - self._buffer, result = _byte_unpadding_update( - self._buffer, data, self.block_size - ) - return result - - def finalize(self) -> bytes: - result = _byte_unpadding_check( - self._buffer, self.block_size, check_pkcs7_padding - ) - self._buffer = None - return result + return PKCS7UnpaddingContext(self.block_size) PaddingContext.register(PKCS7PaddingContext) +PaddingContext.register(PKCS7UnpaddingContext) class ANSIX923: diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index cd7b99f1570a..e15fffa6d32e 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -102,7 +102,7 @@ mod _rust { #[pymodule_export] use crate::oid::ObjectIdentifier; #[pymodule_export] - use crate::padding::{check_ansix923_padding, check_pkcs7_padding, PKCS7PaddingContext}; + use crate::padding::{check_ansix923_padding, PKCS7PaddingContext, PKCS7UnpaddingContext}; #[pymodule_export] use crate::pkcs12::pkcs12; #[pymodule_export] diff --git a/src/rust/src/padding.rs b/src/rust/src/padding.rs index 3a55039d3385..0031f148ea15 100644 --- a/src/rust/src/padding.rs +++ b/src/rust/src/padding.rs @@ -20,7 +20,6 @@ fn constant_time_lt(a: u8, b: u8) -> u8 { duplicate_msb_to_all(a ^ ((a ^ b) | (a.wrapping_sub(b) ^ b))) } -#[pyo3::pyfunction] pub(crate) fn check_pkcs7_padding(data: &[u8]) -> bool { let mut mismatch = 0; let pad_size = *data.last().unwrap(); 
@@ -111,6 +110,65 @@ impl PKCS7PaddingContext { } } +#[pyo3::pyclass] +pub(crate) struct PKCS7UnpaddingContext { + block_size: usize, + buffer: Option>, +} + +#[pyo3::pymethods] +impl PKCS7UnpaddingContext { + #[new] + pub(crate) fn new(block_size: usize) -> PKCS7UnpaddingContext { + PKCS7UnpaddingContext { + block_size: block_size / 8, + buffer: Some(Vec::new()), + } + } + + pub(crate) fn update<'a>( + &mut self, + py: pyo3::Python<'a>, + buf: CffiBuf<'a>, + ) -> CryptographyResult> { + match self.buffer.as_mut() { + Some(v) => { + v.extend_from_slice(buf.as_bytes()); + let finished_blocks = (v.len() / self.block_size).saturating_sub(1); + let result_size = finished_blocks * self.block_size; + let result = v.drain(..result_size); + Ok(pyo3::types::PyBytes::new_bound(py, result.as_slice())) + } + None => Err(exceptions::already_finalized_error()), + } + } + + pub(crate) fn finalize<'p>( + &mut self, + py: pyo3::Python<'p>, + ) -> CryptographyResult> { + match self.buffer.take() { + Some(v) => { + if v.len() != self.block_size { + return Err( + pyo3::exceptions::PyValueError::new_err("Invalid padding bytes.").into(), + ); + } + if !check_pkcs7_padding(&v) { + return Err( + pyo3::exceptions::PyValueError::new_err("Invalid padding bytes.").into(), + ); + } + + let pad_size = *v.last().unwrap(); + let result = &v[..v.len() - pad_size as usize]; + Ok(pyo3::types::PyBytes::new_bound(py, result)) + } + None => Err(exceptions::already_finalized_error()), + } + } +} + #[cfg(test)] mod tests { use super::constant_time_lt; diff --git a/tests/hazmat/primitives/test_padding.py b/tests/hazmat/primitives/test_padding.py index 0ab1125f5bfb..df1ee4ec1131 100644 --- a/tests/hazmat/primitives/test_padding.py +++ b/tests/hazmat/primitives/test_padding.py 
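Review bot: `PKCS7UnpaddingContext::new` stores `block_size / 8` unchecked, so any `block_size` below 8 leaves `self.block_size` at 0; `update` then panics on `v.len() / self.block_size`, and `finalize` on an empty buffer passes the length check and reaches `data.last().unwrap()` in `check_pkcs7_padding`. The class is exported to Python in `lib.rs` and declared in the `.pyi`, so it can be constructed without going through `PKCS7`. Whether the Python wrapper rejects such sizes is not visible in this patch. Consider having `new` return `CryptographyResult<PKCS7UnpaddingContext>` and reject the value up front, e.g. `if block_size < 8 { return Err(pyo3::exceptions::PyValueError::new_err("block_size must be at least 8.").into()); }`, after confirming which sizes `PKCS7` accepts today. A test that constructs the context with 0 and calls `update` and `finalize` would pin the behaviour.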
@@ -80,6 +80,8 @@ def test_pad(self, size, unpadded, padded): b"111111111111111122222222222222", b"111111111111111122222222222222\x02\x02", ), + (128, b"1" * 16, b"1" * 16 + b"\x10" * 16), + (128, b"1" * 17, b"1" * 17 + b"\x0f" * 15), ], ) def test_unpad(self, size, unpadded, padded): From a12336d6f905fa4f9884a280a7b35431281ef41e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 7 Sep 2024 17:04:54 +0000 Subject: [PATCH 1054/1462] Bump filelock from 3.15.4 to 3.16.0 (#11563) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.15.4 to 3.16.0. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.15.4...3.16.0) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 39dd2d6a3cfb..626c01062885 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -67,7 +67,7 @@ execnet==2.1.1 ; python_full_version >= '3.8' # via pytest-xdist filelock==3.12.2 ; python_full_version < '3.8' # via virtualenv -filelock==3.15.4 ; python_full_version >= '3.8' +filelock==3.16.0 ; python_full_version >= '3.8' # via virtualenv idna==3.8 # via requests From 9f559d4b9047a479d7aa21a62879931ef737ead9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 7 Sep 2024 17:05:08 +0000 Subject: [PATCH 1055/1462] Bump platformdirs from 4.2.2 to 4.3.1 (#11562) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 4.2.2 to 4.3.1. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/tox-dev/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/4.2.2...4.3.1) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 626c01062885..aa2704164c00 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -124,7 +124,7 @@ pathspec==0.12.1 ; python_full_version >= '3.8' # via check-sdist platformdirs==4.0.0 ; python_full_version < '3.8' # via virtualenv -platformdirs==4.2.2 ; python_full_version >= '3.8' +platformdirs==4.3.1 ; python_full_version >= '3.8' # via virtualenv pluggy==1.2.0 ; python_full_version < '3.8' # via pytest From 2dde704a9e6ead51abc54bf17e2d646d592db229 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 7 Sep 2024 17:05:36 +0000 Subject: [PATCH 1056/1462] Bump build from 1.2.1 to 1.2.2 (#11564) Bumps [build](https://github.com/pypa/build) from 1.2.1 to 1.2.2. - [Release notes](https://github.com/pypa/build/releases) - [Changelog](https://github.com/pypa/build/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/build/compare/1.2.1...1.2.2) --- updated-dependencies: - dependency-name: build dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index aa2704164c00..6e134309b211 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -16,7 +16,7 @@ bleach==6.0.0 ; python_full_version < '3.8' # via readme-renderer build==1.1.1 ; python_full_version < '3.8' # via cryptography (pyproject.toml) -build==1.2.1 ; python_full_version >= '3.8' +build==1.2.2 ; python_full_version >= '3.8' # via # cryptography (pyproject.toml) # check-sdist From 32a0e536de9f224026f5b6ad093f700ea5accfbf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 7 Sep 2024 13:13:06 -0400 Subject: [PATCH 1057/1462] Bump more-itertools from 10.4.0 to 10.5.0 in /.github/requirements (#11553) Bumps [more-itertools](https://github.com/more-itertools/more-itertools) from 10.4.0 to 10.5.0. - [Release notes](https://github.com/more-itertools/more-itertools/releases) - [Commits](https://github.com/more-itertools/more-itertools/commits) --- updated-dependencies: - dependency-name: more-itertools dependency-type: indirect update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 7f2e95cd5a31..1c9054ca2a48 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -246,9 +246,9 @@ mdurl==0.1.2 \ --hash=sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8 \ --hash=sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba # via markdown-it-py -more-itertools==10.4.0 \ - --hash=sha256:0f7d9f83a0a8dcfa8a2694a770590d98a67ea943e3d9f5298309a484758c4e27 \ - --hash=sha256:fe0e63c4ab068eac62410ab05cccca2dc71ec44ba8ef29916a0090df061cf923 +more-itertools==10.5.0 \ + --hash=sha256:037b0d3203ce90cca8ab1defbbdac29d5f993fc20131f3664dc8d6acfa872aef \ + --hash=sha256:5482bfef7849c25dc3c6dd53a6173ae4795da2a41a80faea6700d9f5846c5da6 # via # jaraco-classes # jaraco-functools From 6aacdc1a2baf2343f2d48a35e7d1f24ca7be4052 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 7 Sep 2024 16:36:53 -0400 Subject: [PATCH 1058/1462] Use uv to build macos wheels (#11561) refs #11548 --- .github/workflows/wheel-builder.yml | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 7e34db123a93..f59a86b7174b 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml 
@@ -222,46 +222,41 @@ jobs: toolchain: stable # Add the arm64 target in addition to the native arch (x86_64) target: aarch64-apple-darwin - - run: ${{ matrix.PYTHON.BIN_PATH }} -m venv venv - - name: Install Python dependencies - run: venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} - - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: cryptography-sdist + + - run: ${{ matrix.PYTHON.BIN_PATH }} -m pip install uv - run: mkdir wheelhouse - name: Build the wheel run: | if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then - PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" + PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }}" fi - # `maturin` has a binary that needs to be on the $PATH, so we - # activate the venv. - source venv/bin/activate OPENSSL_DIR="$(readlink -f ../openssl-macos-universal2/)" \ OPENSSL_STATIC=1 \ - venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ - mv dist/cryptography*.whl wheelhouse + uv build --wheel --require-hashes --build-constraint=$BUILD_REQUIREMENTS_PATH $PY_LIMITED_API cryptography*.tar.gz -o wheelhouse/ env: MACOSX_DEPLOYMENT_TARGET: ${{ matrix.PYTHON.DEPLOYMENT_TARGET }} ARCHFLAGS: ${{ matrix.PYTHON.ARCHFLAGS }} _PYTHON_HOST_PLATFORM: ${{ matrix.PYTHON._PYTHON_HOST_PLATFORM }} - - run: venv/bin/pip install -f wheelhouse/ --no-index cryptography + + - run: uv venv + - run: uv pip install --require-hashes -r $BUILD_REQUIREMENTS_PATH + - run: uv pip install cryptography --no-index -f wheelhouse/ - name: Show the wheel's minimum macOS SDK and architectures run: | - find venv/lib/*/site-packages/cryptography/hazmat/bindings -name '*.so' -exec vtool -show {} \; + find .venv/lib/*/site-packages/cryptography/hazmat/bindings -name '*.so' -exec vtool -show {} \; - run: | - venv/bin/python -c "from 
cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" + .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - - run: mkdir cryptography-wheelhouse - - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - run: | - echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls cryptography-wheelhouse/cryptography*.whl))" >> $GITHUB_ENV + echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls wheelhouse/cryptography*.whl))" >> $GITHUB_ENV - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}" - path: cryptography-wheelhouse/ + path: wheelhouse/ windows: needs: [sdist] From 10a0af45a64e32583cd75ee5adffad1bd431cdaa Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 7 Sep 2024 16:38:15 -0400 Subject: [PATCH 1059/1462] Use uv to build windows wheels (#11558) refs #11548 --- .github/workflows/wheel-builder.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index f59a86b7174b..e7b22014735d 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml 
@@ -315,25 +315,25 @@ jobs: echo "OPENSSL_DIR=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}" >> $GITHUB_ENV echo "OPENSSL_STATIC=1" >> $GITHUB_ENV shell: bash - - name: Install Python dependencies - run: python -m pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} + + - run: pip install uv - run: mkdir wheelhouse - run: | if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then - PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" + PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }}" fi - python -m pip wheel -v --no-deps cryptography*.tar.gz $PY_LIMITED_API -w dist/ - mv dist/cryptography*.whl wheelhouse/ + uv build --wheel --require-hashes --build-constraint=$BUILD_REQUIREMENTS_PATH cryptography*.tar.gz $PY_LIMITED_API -o wheelhouse/ shell: bash - - run: pip install -f wheelhouse --no-index cryptography + + - run: uv venv + - run: uv pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} + - run: uv pip install cryptography --no-index -f wheelhouse/ - name: Print the OpenSSL we built and linked against run: | - python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" + .venv/Scripts/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - - run: mkdir cryptography-wheelhouse - - run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\ - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" - path: 
cryptography-wheelhouse\ + path: wheelhouse\ From b6ff7bf0e15c5678241ca4e159bca100707d6fe7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 7 Sep 2024 17:09:16 -0400 Subject: [PATCH 1060/1462] Pin uv hashes in wheel builder (#11566) --- .github/requirements/uv-requirements.txt | 21 +++++++++++++++++++++ .github/workflows/wheel-builder.yml | 13 ++++++++----- 2 files changed, 29 insertions(+), 5 deletions(-) create mode 100644 .github/requirements/uv-requirements.txt diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt new file mode 100644 index 000000000000..1c52eda4f7e7 --- /dev/null +++ b/.github/requirements/uv-requirements.txt 
@@ -0,0 +1,21 @@ +# This file was autogenerated by uv via the following command: +# uv pip compile --universal -p 3.8 --generate-hashes - +uv==0.4.7 \ + --hash=sha256:00aa7299edefcc4069d73b988a7331d590e3fedd29f5695b1680905af1ccba04 \ + --hash=sha256:0fef80011c96dc8e284f4895b7ca92945e450fb517872115a557e72789c0e2c5 \ + --hash=sha256:106fc5449a63137da6b3c4fd25775e3eeda3b11c8cea12439d95201237a95484 \ + --hash=sha256:1357fb27047cff94422bb82cf9a82d7285ce8341a204fc1925b0b89c8d108249 \ + --hash=sha256:23283699e6035ef536b204f9094e7297093a527f958b86d4ce26613c603f564c \ + --hash=sha256:2ab5f6701046b373cdedca7334e20a8dc7726eb4c3e2f6e18297dbbda09afba9 \ + --hash=sha256:319a585f53c0b63b989526206383716e1d7c0f3483425058b94bf47402a81841 \ + --hash=sha256:54c3dde3c01d96fba484c2728e020c7c867e05a88de143ddb6df1091d1ffdfb7 \ + --hash=sha256:63b59e0cfa303a97ce5ba19fa8fc27a6339516561bc4b821cca52ed15721cbdb \ + --hash=sha256:904763380be165f5213dcbacb8d6c17d5cf138ea4bd24b4a37a1b6046b5650a1 \ + --hash=sha256:9356449439d4fa42419d17736d775cd1701b1b4a054ab445faf1477a6920a505 \ + --hash=sha256:a1850d93f78eeb6d0ace3dc0335e1bf141a4b6a26844ab75f00055de2a4817cd \ + --hash=sha256:ab7308c0604268f21b1a5bce4e1b61bcf56831f4aef59bee93c2b5815f4bc6a8 \ + --hash=sha256:bfbd6e28b0543b774db7d97d61963c384c70284e95056004c8f74252e69616c7 \ + --hash=sha256:d6c8e43bbdfa2f7910245335acb93fcb5a4e34995b7ce60de4e814071690b3c5 \ + --hash=sha256:e1f3285bebfeab6e076e651ec47f6adf7a83a4f014dd9d7e73efc034e77d42cd \ + --hash=sha256:e8bc35e30f2bb03f0e1812f1c0dce0e73d8ab01e90392d39f334da9d75e522b0 \ + --hash=sha256:ec49a00317799226d33135bf40e8da44262f44e3980a5bb9e6dae7250523c963 diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index e7b22014735d..1643b22b26a6 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml 
@@ -21,6 +21,7 @@ on: env: BUILD_REQUIREMENTS_PATH: .github/requirements/build-requirements.txt + UV_REQUIREMENTS_PATH: .github/requirements/uv-requirements.txt jobs: sdist: @@ -33,7 +34,7 @@ jobs: ref: ${{ github.event.inputs.version || github.ref }} persist-credentials: false - - run: python -m pip install uv + - run: python -m pip install -r $UV_REQUIREMENTS_PATH - name: Make sdist (cryptography) run: uv build --build-constraint=$BUILD_REQUIREMENTS_PATH --require-hashes --sdist @@ -195,6 +196,7 @@ jobs: persist-credentials: false sparse-checkout: | ${{ env.BUILD_REQUIREMENTS_PATH }} + ${{ env.UV_REQUIREMENTS_PATH }} sparse-checkout-cone-mode: false - name: Setup python run: | @@ -226,7 +228,7 @@ jobs: with: name: cryptography-sdist - - run: ${{ matrix.PYTHON.BIN_PATH }} -m pip install uv + - run: ${{ matrix.PYTHON.BIN_PATH }} -m pip install -r ${{ env.UV_REQUIREMENTS_PATH }} - run: mkdir wheelhouse - name: Build the wheel run: | @@ -249,7 +251,7 @@ jobs: run: | find .venv/lib/*/site-packages/cryptography/hazmat/bindings -name '*.so' -exec vtool -show {} \; - run: | - .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" + echo "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" | uv run - - run: | echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls wheelhouse/cryptography*.whl))" >> $GITHUB_ENV @@ -285,6 +287,7 @@ jobs: persist-credentials: false sparse-checkout: | ${{ env.BUILD_REQUIREMENTS_PATH }} + ${{ env.UV_REQUIREMENTS_PATH }} sparse-checkout-cone-mode: false - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 
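Review bot: The `python -m pip install -r $UV_REQUIREMENTS_PATH` step in the `@@ -33,7 +34,7 @@` hunk, and the matching steps at `@@ -226,7 +228,7 @@` and `@@ -316,7 +319,7 @@`, get hash verification only because pip switches to hash-checking mode when the requirements file contains `--hash` entries. If that file were ever regenerated without `--generate-hashes`, these steps would install uv without verifying hashes and nothing would fail. Passing the flag explicitly makes them fail closed and matches the `uv build ... --require-hashes` calls in the same workflow: `- run: python -m pip install --require-hashes -r $UV_REQUIREMENTS_PATH`. The jobs these steps belong to start and end outside the hunks.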
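Review bot: The OpenSSL version check in the `@@ -249,7 +251,7 @@` hunk, and again at `@@ -331,7 +334,7 @@`, no longer names an interpreter; piping the script to `uv run -` depends on uv finding the `.venv` in the working directory. Since the step exists to show which OpenSSL the freshly built wheel loaded and was linked against, a comment above it would make that dependency explicit, for example `# uv run picks up ./.venv, where the wheel from wheelhouse/ was installed`. The step that creates `.venv` is not part of either hunk, so that it always exists at this point is inferred from the surrounding context lines.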
@@ -316,7 +319,7 @@ jobs: echo "OPENSSL_STATIC=1" >> $GITHUB_ENV shell: bash - - run: pip install uv + - run: pip install -r ${{ env.UV_REQUIREMENTS_PATH }} - run: mkdir wheelhouse - run: | if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then @@ -331,7 +334,7 @@ jobs: - run: uv pip install cryptography --no-index -f wheelhouse/ - name: Print the OpenSSL we built and linked against run: | - .venv/Scripts/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" + echo "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" | uv run - - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: From 914b1d22bcb022811a141ce8174e5888b3a39ae4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 7 Sep 2024 19:44:18 -0400 Subject: [PATCH 1061/1462] Use uv to build `publish-requirements.txt` (#11567) refs #11548 --- .github/requirements/publish-requirements.in | 7 +++-- .github/requirements/publish-requirements.txt | 28 +++++++++---------- 2 files changed, 19 insertions(+), 16 deletions(-) diff --git a/.github/requirements/publish-requirements.in b/.github/requirements/publish-requirements.in index 1b92e685d4ab..adfe8ec15086 100644 --- a/.github/requirements/publish-requirements.in +++ b/.github/requirements/publish-requirements.in 
@@ -1,5 +1,8 @@ twine requests -# WARN: changing the requirements here DOES NOT update the dependencies used for publishing at the github workflow, as the process used publish-requirements.txt -# To update publish-requirements.txt according to the dependencies here, run pip-compile --allow-unsafe --generate-hashes publish-requirements.in \ No newline at end of file +# WARN: changing the requirements here DOES NOT update the dependencies used +# for publishing at the github workflow, as the process uses +# `publish-requirements.txt`. +# To update `publish-requirements.txt`, run the command indicated in the +# header of that file. diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 1c9054ca2a48..c0b65124b350 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -1,10 +1,6 @@ -# -# This file is autogenerated by pip-compile with Python 3.11 -# by the following command: -# -# pip-compile --generate-hashes publish-requirements.in -# -backports-tarfile==1.2.0 \ +# This file was autogenerated by uv via the following command: +# uv pip compile --universal -p 3.11 --generate-hashes .github/requirements/publish-requirements.in +backports-tarfile==1.2.0 ; python_full_version < '3.12' \ --hash=sha256:77e284d754527b01fb1e6fa8a1afe577858ebe4e9dad8919e34c862cb399bc34 \ --hash=sha256:d75e02c268746e1b8144c278978b6e98e85de6ad16f8e4b0844a154557eca991 # via jaraco-context 
@@ -12,7 +8,7 @@ certifi==2024.8.30 \ --hash=sha256:922820b53db7a7257ffbda3f597266d435245903d80737e34f8a45ff3e3230d8 \ --hash=sha256:bec941d2aa8195e248a60b31ff9f0558284cf01a52591ceda73ea9afffd69fd9 # via requests -cffi==1.17.1 \ +cffi==1.17.1 ; platform_python_implementation != 'PyPy' and sys_platform == 'linux' \ --hash=sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8 \ --hash=sha256:0984a4925a435b1da406122d4d7968dd861c1385afe3b45ba82b750f229811e2 \ --hash=sha256:0e2b1fac190ae3ebfe37b979cc1ce69c81f4e4fe5746bb401dca63a9062cdaf1 \ @@ -173,7 +169,7 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==43.0.1 \ +cryptography==43.0.1 ; sys_platform == 'linux' \ --hash=sha256:014f58110f53237ace6a408b5beb6c427b64e084eb451ef25a28308270086494 \ --hash=sha256:1bbcce1a551e262dfbafb6e6252f1ae36a248e615ca44ba302df077a846a8806 \ --hash=sha256:203e92a75716d8cfb491dc47c79e17d0d9207ccffcbcb35f598fbe463ae3444d \ @@ -228,7 +224,7 @@ jaraco-functools==4.0.2 \ --hash=sha256:3460c74cd0d32bf82b9576bbb3527c4364d5b27a21f5158a62aed6c4b42e23f5 \ --hash=sha256:c9d16a3ed4ccb5a889ad8e0b7a343401ee5b2a71cee6ed192d3f68bc351e94e3 # via keyring -jeepney==0.8.0 \ +jeepney==0.8.0 ; sys_platform == 'linux' \ --hash=sha256:5efe48d255973902f6badc3ce55e2aa6c5c3b3bc642059ef3a91247bcfcc5806 \ --hash=sha256:c0a454ad016ca575060802ee4d590dd912e35c122fa04e70306de3d076cce755 # via 
@@ -274,7 +270,7 @@ pkginfo==1.10.0 \ --hash=sha256:5df73835398d10db79f8eecd5cd86b1f6d29317589ea70796994d49399af6297 \ --hash=sha256:889a6da2ed7ffc58ab5b900d888ddce90bce912f2d2de1dc1c26f4cb9fe65097 # via twine -pycparser==2.22 \ +pycparser==2.22 ; platform_python_implementation != 'PyPy' and sys_platform == 'linux' \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc # via cffi @@ -284,6 +280,10 @@ pygments==2.18.0 \ # via # readme-renderer # rich +pywin32-ctypes==0.2.3 ; sys_platform == 'win32' \ + --hash=sha256:8a1513379d709975552d202d942d9837758905c8d01eb82b8bcc30918929e7b8 \ + --hash=sha256:d162dc04946d704503b2edc4d55f3dba5c1d539ead017afa00142c38b9885755 + # via keyring readme-renderer==44.0 \ --hash=sha256:2fbca89b81a08526aadf1357a8c2ae889ec05fb03f5da67f9769c9a592166151 \ --hash=sha256:8712034eabbfa6805cacf1402b4eeb2a73028f72d1166d6f5cb7f9c047c5d1e1 @@ -292,7 +292,7 @@ requests==2.32.3 \ --hash=sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760 \ --hash=sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6 # via - # -r publish-requirements.in + # -r .github/requirements/publish-requirements.in # requests-toolbelt # twine requests-toolbelt==1.0.0 \ 
@@ -307,14 +307,14 @@ rich==13.8.0 \ --hash=sha256:2e85306a063b9492dffc86278197a60cbece75bcb766022f3436f567cae11bdc \ --hash=sha256:a5ac1f1cd448ade0d59cc3356f7db7a7ccda2c8cbae9c7a90c28ff463d3e91f4 # via twine -secretstorage==3.3.3 \ +secretstorage==3.3.3 ; sys_platform == 'linux' \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ --hash=sha256:f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99 # via keyring twine==5.1.1 \ --hash=sha256:215dbe7b4b94c2c50a7315c0275d2258399280fbb7d04182c7e55e24b5f93997 \ --hash=sha256:9aa0825139c02b3434d913545c7b847a21c835e11597f5255842d457da2322db - # via -r publish-requirements.in + # via -r .github/requirements/publish-requirements.in urllib3==2.2.2 \ --hash=sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472 \ --hash=sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168 From 8f8dc0866a770606c10b56c0c71102c5ab0817aa Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 8 Sep 2024 20:17:17 -0400 Subject: [PATCH 1062/1462] Bump BoringSSL and/or OpenSSL in CI (#11569) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ccee4d68f56c..bc2c2cb5aa6e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Sep 07, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "01e1ae3687e391a076fe470471f096db1f6d6bb4"}} - # Latest commit on the OpenSSL master branch, as of Sep 07, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5c82588173d33222b33693f698bc9c7614675e9f"}} + # Latest commit on the OpenSSL master branch, as of Sep 09, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7845ff7692ac3a2bc1f8bf1eb9fa1ec1119f9b79"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From dd9771cc5d2005acbdbc25ac8d681b6f9c21fe35 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Sep 2024 06:53:15 -0400 Subject: [PATCH 1063/1462] Bump cc from 1.1.16 to 1.1.18 in /src/rust (#11571) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.16 to 1.1.18. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.16...cc-v1.1.18) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 7539222c90e7..250a146c02aa 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.16" +version = "1.1.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e9d013ecb737093c0e86b151a7b837993cf9ec6c502946cfb44bedc392421e0b" +checksum = "b62ac837cdb5cb22e10a256099b4fc502b1dfe560cb282963a974d7abd80e476" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 2ef2c2fb1e12..50c6567df22c 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.2", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.16" +cc = "1.1.18" From c47809bf8220c2a7f4fc92f82a683e075b8a434b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Sep 2024 11:07:44 +0000 Subject: [PATCH 1064/1462] Bump platformdirs from 4.3.1 to 4.3.2 (#11572) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 4.3.1 to 4.3.2. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/tox-dev/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/4.3.1...4.3.2) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6e134309b211..ac63a61abe4e 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -124,7 +124,7 @@ pathspec==0.12.1 ; python_full_version >= '3.8' # via check-sdist platformdirs==4.0.0 ; python_full_version < '3.8' # via virtualenv -platformdirs==4.3.1 ; python_full_version >= '3.8' +platformdirs==4.3.2 ; python_full_version >= '3.8' # via virtualenv pluggy==1.2.0 ; python_full_version < '3.8' # via pytest From 706c0e70847a14d2189fc20fa8af4107538bfe18 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Sep 2024 11:17:58 +0000 Subject: [PATCH 1065/1462] Bump virtualenv from 20.26.3 to 20.26.4 (#11573) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.26.3 to 20.26.4. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.26.3...20.26.4) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ac63a61abe4e..dcd1a77ad2c7 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -265,7 +265,7 @@ urllib3==2.0.7 ; python_full_version < '3.8' # via requests urllib3==2.2.2 ; python_full_version >= '3.8' # via requests -virtualenv==20.26.3 +virtualenv==20.26.4 # via nox webencodings==0.5.1 ; python_full_version < '3.8' # via bleach From 65e4e3a599051b66827866bfd0f28865b961eef3 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 10 Sep 2024 00:17:13 +0000 Subject: [PATCH 1066/1462] Bump BoringSSL and/or OpenSSL in CI (#11575) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bc2c2cb5aa6e..c5105c2eec21 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 07, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "01e1ae3687e391a076fe470471f096db1f6d6bb4"}} - # Latest commit on the OpenSSL master branch, as of Sep 09, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7845ff7692ac3a2bc1f8bf1eb9fa1ec1119f9b79"}} + # Latest commit on the BoringSSL master branch, as of Sep 10, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f10c1dc37174843c504a80e94c252e35b7b1eb61"}} + # Latest commit on the OpenSSL master branch, as of Sep 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c9e36a8221517c0083695a567c11e0c2208e1f8d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 14670d54831f8ad8c72a332568be4081b9e0b94f Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 9 Sep 2024 20:34:03 -0400 Subject: [PATCH 1067/1462] Bump x509-limbo and/or wycheproof in CI (#11576) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 5f1307cf7afe..112666d27775 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Sep 06, 2024. - ref: "ec0fc56b5ac4a1713dae4a0c62904395000fbfbf" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Sep 10, 2024. + ref: "d82632e093600790dfb59ac4d0c2678f4eb58128" # x509-limbo-ref From a9535355740d929b5e9c5b8760dc198a8f68ada1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Sep 2024 06:52:51 -0400 Subject: [PATCH 1068/1462] Bump importlib-resources from 6.4.4 to 6.4.5 (#11577) Bumps [importlib-resources](https://github.com/python/importlib_resources) from 6.4.4 to 6.4.5. - [Release notes](https://github.com/python/importlib_resources/releases) - [Changelog](https://github.com/python/importlib_resources/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_resources/compare/v6.4.4...v6.4.5) --- updated-dependencies: - dependency-name: importlib-resources dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index dcd1a77ad2c7..49cfbc5adc43 100644 
--- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -90,7 +90,7 @@ importlib-metadata==8.4.0 ; python_full_version >= '3.8' and python_full_version # build # pytest-randomly # sphinx -importlib-resources==6.4.4 ; python_full_version == '3.8.*' +importlib-resources==6.4.5 ; python_full_version == '3.8.*' # via check-sdist iniconfig==2.0.0 # via pytest From d3f794374ed9796f6e0f2a670a7ca63a920dcbdd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Sep 2024 06:56:19 -0400 Subject: [PATCH 1069/1462] Bump uv from 0.4.7 to 0.4.8 in /.github/requirements (#11578) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.7 to 0.4.8. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.7...0.4.8) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 1c52eda4f7e7..4e3ad4916a3b 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.7 \ - --hash=sha256:00aa7299edefcc4069d73b988a7331d590e3fedd29f5695b1680905af1ccba04 \ - --hash=sha256:0fef80011c96dc8e284f4895b7ca92945e450fb517872115a557e72789c0e2c5 \ - --hash=sha256:106fc5449a63137da6b3c4fd25775e3eeda3b11c8cea12439d95201237a95484 \ - --hash=sha256:1357fb27047cff94422bb82cf9a82d7285ce8341a204fc1925b0b89c8d108249 \ - --hash=sha256:23283699e6035ef536b204f9094e7297093a527f958b86d4ce26613c603f564c \ - --hash=sha256:2ab5f6701046b373cdedca7334e20a8dc7726eb4c3e2f6e18297dbbda09afba9 \ - --hash=sha256:319a585f53c0b63b989526206383716e1d7c0f3483425058b94bf47402a81841 \ - --hash=sha256:54c3dde3c01d96fba484c2728e020c7c867e05a88de143ddb6df1091d1ffdfb7 \ - --hash=sha256:63b59e0cfa303a97ce5ba19fa8fc27a6339516561bc4b821cca52ed15721cbdb \ - --hash=sha256:904763380be165f5213dcbacb8d6c17d5cf138ea4bd24b4a37a1b6046b5650a1 \ - --hash=sha256:9356449439d4fa42419d17736d775cd1701b1b4a054ab445faf1477a6920a505 \ - --hash=sha256:a1850d93f78eeb6d0ace3dc0335e1bf141a4b6a26844ab75f00055de2a4817cd \ - --hash=sha256:ab7308c0604268f21b1a5bce4e1b61bcf56831f4aef59bee93c2b5815f4bc6a8 \ - --hash=sha256:bfbd6e28b0543b774db7d97d61963c384c70284e95056004c8f74252e69616c7 \ - --hash=sha256:d6c8e43bbdfa2f7910245335acb93fcb5a4e34995b7ce60de4e814071690b3c5 \ - --hash=sha256:e1f3285bebfeab6e076e651ec47f6adf7a83a4f014dd9d7e73efc034e77d42cd \ - --hash=sha256:e8bc35e30f2bb03f0e1812f1c0dce0e73d8ab01e90392d39f334da9d75e522b0 \ - --hash=sha256:ec49a00317799226d33135bf40e8da44262f44e3980a5bb9e6dae7250523c963 +uv==0.4.8 \ + --hash=sha256:0c4e4b5ec8aa789cbf4ec2a16494215ebb448aeecf5a2c43a31a904f9fecd327 \ + --hash=sha256:1e7329b862540a3a3987e79781acc2c7b0f4eb89d3f43930e21e7b85e4716bf0 \ + --hash=sha256:23dcb8c866dab0f7565c8e88e2c2ba185ab17182706260d53e9c640a96918818 \ + --hash=sha256:3ad38a03d1007152b9e7a4d262b81c24b95184f8921514d3475a4db6d84fdc78 \ + 
--hash=sha256:3dbff364ca85e8d52cbeae3bc9050d4e3080636b009bd577f58628a4b9561a26 \ + --hash=sha256:461597ddfd2132e2dea6779758e6e22cd39aaab8d86809f01e3fe45c29152f9a \ + --hash=sha256:484965360638a3ce422d2b61df52de94600d2cfce88eb1ca2dbcf4c8e60e5b37 \ + --hash=sha256:5487a86207edef7464cf78e52adb2bbe369332f3cea6043d1f0c8ee90dda90b3 \ + --hash=sha256:5e7c0428afdd90280f3f32272f0520430e93539c54ae806021c2b7c55caae908 \ + --hash=sha256:6ac13a6fa4f7d78fd44229ffcc5023a1a6627f142e00c896d7e28b041d9ff910 \ + --hash=sha256:7b4364b27dca2e11d99d7f1822a4650d48c5ec6d7f3332f2bc344d6262575ae9 \ + --hash=sha256:8e09e8e39548c7f9fb2c6e073eea6e4c3861539634ef768aa23e1ded10d41ca7 \ + --hash=sha256:a14de914254edce926c5c9afa0ddbfb45d0043c583a928fb614f9c5225f480c3 \ + --hash=sha256:a4e9b042cd1fdce94fa3ccbc79578b239ba1f186f296505e272d44e080892c18 \ + --hash=sha256:bfa6c08501d6c3b7355854a2d56f493ba89b126eb87090fcc31f79c81754d366 \ + --hash=sha256:cdf4b6afc99b0ff0ab1416fbcb25ac704bcf161b7c8d3d92a031097f60a60321 \ + --hash=sha256:e7ec102f9f3e9bd788dc94d271c7cfc7b0a968f799ab2cd9ba9d250563a28f81 \ + --hash=sha256:faa70d7f20adf457d8c584206da7b86b1ed0e0b0e286c19ba000795db8e8a06c From bd0e2644f903757d3c8e28a5cda8925c9481cfce Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Sep 2024 12:00:40 +0000 Subject: [PATCH 1070/1462] Bump pytest from 8.3.2 to 8.3.3 (#11579) Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.3.2 to 8.3.3. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/8.3.2...8.3.3) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 49cfbc5adc43..30596a38a069 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -155,7 +155,7 @@ pytest==7.4.4 ; python_full_version < '3.8' # pytest-cov # pytest-randomly # pytest-xdist -pytest==8.3.2 ; python_full_version >= '3.8' +pytest==8.3.3 ; python_full_version >= '3.8' # via # cryptography (pyproject.toml) # pytest-benchmark From 54d109e965e669dfc17f5e7ee1ef8e82ae452017 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 11 Sep 2024 00:16:50 +0000 Subject: [PATCH 1071/1462] Bump BoringSSL and/or OpenSSL in CI (#11581) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c5105c2eec21..53cfa2c3121d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 10, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f10c1dc37174843c504a80e94c252e35b7b1eb61"}} - # Latest commit on the OpenSSL master branch, as of Sep 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c9e36a8221517c0083695a567c11e0c2208e1f8d"}} + # Latest commit on the BoringSSL master branch, as of Sep 11, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "6abe18402eb2a5e9b00158c6459646a948c53060"}} + # Latest commit on the OpenSSL master branch, as of Sep 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2478d3b7f5c4c2da9828e05308b34a4b078035f8"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 75be11bbfbd0b4db0b23d7f87d17bc8a01095529 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 11 Sep 2024 00:33:27 +0000 Subject: [PATCH 1072/1462] Bump x509-limbo and/or wycheproof in CI (#11582) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 112666d27775..fa8a07b82231 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Sep 10, 2024. - ref: "d82632e093600790dfb59ac4d0c2678f4eb58128" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Sep 11, 2024. + ref: "c9d011c6b696074a5a636c7cd40df8e4bd3cd67b" # x509-limbo-ref From 60913069bb27d788c57687840a8b1b54904e9139 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 11 Sep 2024 07:05:42 -0400 Subject: [PATCH 1073/1462] Bump uv from 0.4.8 to 0.4.9 in /.github/requirements (#11584) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.8 to 0.4.9. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.8...0.4.9) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 4e3ad4916a3b..49d6eaddb5aa 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.8 \ - --hash=sha256:0c4e4b5ec8aa789cbf4ec2a16494215ebb448aeecf5a2c43a31a904f9fecd327 \ - --hash=sha256:1e7329b862540a3a3987e79781acc2c7b0f4eb89d3f43930e21e7b85e4716bf0 \ - --hash=sha256:23dcb8c866dab0f7565c8e88e2c2ba185ab17182706260d53e9c640a96918818 \ - --hash=sha256:3ad38a03d1007152b9e7a4d262b81c24b95184f8921514d3475a4db6d84fdc78 \ - --hash=sha256:3dbff364ca85e8d52cbeae3bc9050d4e3080636b009bd577f58628a4b9561a26 \ - --hash=sha256:461597ddfd2132e2dea6779758e6e22cd39aaab8d86809f01e3fe45c29152f9a \ - --hash=sha256:484965360638a3ce422d2b61df52de94600d2cfce88eb1ca2dbcf4c8e60e5b37 \ - --hash=sha256:5487a86207edef7464cf78e52adb2bbe369332f3cea6043d1f0c8ee90dda90b3 \ - --hash=sha256:5e7c0428afdd90280f3f32272f0520430e93539c54ae806021c2b7c55caae908 \ - --hash=sha256:6ac13a6fa4f7d78fd44229ffcc5023a1a6627f142e00c896d7e28b041d9ff910 \ - --hash=sha256:7b4364b27dca2e11d99d7f1822a4650d48c5ec6d7f3332f2bc344d6262575ae9 \ - --hash=sha256:8e09e8e39548c7f9fb2c6e073eea6e4c3861539634ef768aa23e1ded10d41ca7 \ - --hash=sha256:a14de914254edce926c5c9afa0ddbfb45d0043c583a928fb614f9c5225f480c3 \ - --hash=sha256:a4e9b042cd1fdce94fa3ccbc79578b239ba1f186f296505e272d44e080892c18 \ - --hash=sha256:bfa6c08501d6c3b7355854a2d56f493ba89b126eb87090fcc31f79c81754d366 \ - --hash=sha256:cdf4b6afc99b0ff0ab1416fbcb25ac704bcf161b7c8d3d92a031097f60a60321 \ - --hash=sha256:e7ec102f9f3e9bd788dc94d271c7cfc7b0a968f799ab2cd9ba9d250563a28f81 \ - --hash=sha256:faa70d7f20adf457d8c584206da7b86b1ed0e0b0e286c19ba000795db8e8a06c +uv==0.4.9 \ + --hash=sha256:0340d2c7bf9afe0098e3301c1885de10e317232cfa346f0ac16374cee284a4cb \ + --hash=sha256:060af185481ef46ab97008cad330f3cd7a7aa1ce3d219b67d27c5a2a551ac2ea \ + --hash=sha256:1a8acc7abb2174bd3c8f5fc98345f2bb602f31b7558e37f3d23bef99ddd58dec \ + --hash=sha256:34bce9f4892130b01a7605d27bbeb71395e9b031d793123c250b79187ee307ca \ + 
--hash=sha256:45bf0cead2436b1977f71669e945db19990ca70a7765111fb951545815467bb6 \ + --hash=sha256:52101bc8652b4284b78fac52ed7878f3bae414bc4076c377735962666b309dde \ + --hash=sha256:5422680436f4cebef945bb2e562e01c02a4fa0a95f85d1b8010f2ee868a0b8c1 \ + --hash=sha256:55cf2522262ef663114bda5d80375ddc7f7af0d054df89426372a0d494380875 \ + --hash=sha256:566d4d7a475aacd21dbb4aba053cd4f4f52d65acdef2c83c59bcdff08756701e \ + --hash=sha256:5b66a52cb60a2882a882bc5f13afa6daf3172a54fe9fb998529d19418d5aed18 \ + --hash=sha256:630a6fe215829f734278e618c1633c2bb88ee03dc6a92ae9890fabd98ee810a9 \ + --hash=sha256:69529b6bf5de6ec8fbe8e022f5bcbaef778e76136fc37fae6ec7a8b18b3f9024 \ + --hash=sha256:71e87038fcc9f61b2d6f66c4a92354c6d0abe4baae21bb90241693f161ddeaa1 \ + --hash=sha256:8869637ea6231f66fe643be22f9334874db3496844b3d8bfd8efd4227ded3d44 \ + --hash=sha256:9c9b70f016f28cc05633b564d8690cfdb7ebac4d2210d9158819947841e00347 \ + --hash=sha256:b54a9022e9e1fdbf3ae15ef340a0d1d1847dd739df5023896aa8d97d88af1efe \ + --hash=sha256:bf834f7f360a192372d879eda86f6a1dd94195faf68154dcf7c90247098d2bb2 \ + --hash=sha256:f50cbdfbc8399e1211c580e47f42650a184541ee398af95ad29bf9a2e977baba From 2bf6ed86853604da050ec81a11331567186a3adb Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 00:16:12 +0000 Subject: [PATCH 1074/1462] Bump BoringSSL and/or OpenSSL in CI (#11586) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 53cfa2c3121d..782fa01d687d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 11, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "6abe18402eb2a5e9b00158c6459646a948c53060"}} - # Latest commit on the OpenSSL master branch, as of Sep 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2478d3b7f5c4c2da9828e05308b34a4b078035f8"}} + # Latest commit on the BoringSSL master branch, as of Sep 12, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e724ef02089bf2bb494203231fc5cb62acc2fad6"}} + # Latest commit on the OpenSSL master branch, as of Sep 12, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2a53df6947e195ac08bc04c9d2fec1fed977668f"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 1c32edcabc8363fe6dc401e6d2afe0788a136dc6 Mon Sep 17 00:00:00 2001 From: Quentin Retourne <32574188+nitneuqr@users.noreply.github.com> Date: Thu, 12 Sep 2024 02:43:26 +0200 Subject: [PATCH 1075/1462] Silencing mmap mypy warning on windows (#11570) * silencing the mmap mypy warning on windows even though the lib doesn't exist on this platform * better way without coverage issues * trying with pragma no cover :( * using type: ignore * another test with pragma: no cover * testing type: ignore with specific exclusions --- tests/hazmat/primitives/test_aead.py | 6 ++++-- tests/hazmat/primitives/test_ciphers.py | 4 ++-- 2 files changed, 6 insertions(+), 4 deletions(-) 
diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index 2f0d52d82682..80850b689d35 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -37,8 +37,10 @@ def _aead_supported(cls): return False -def large_mmap(): - return mmap.mmap(-1, 2**32, prot=mmap.PROT_READ) +def large_mmap(length: int = 2**32): + # Silencing mypy prot argument warning on Windows, even though this + # function is only used in non-Windows-based tests. + return mmap.mmap(-1, length, prot=mmap.PROT_READ) # type: ignore[call-arg,attr-defined,unused-ignore] @pytest.mark.skipif( diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py index 5fef25b86c0e..20dcb54d1b1d 100644 --- a/tests/hazmat/primitives/test_ciphers.py +++ b/tests/hazmat/primitives/test_ciphers.py @@ -4,7 +4,6 @@ import binascii -import mmap import os import sys @@ -20,6 +19,7 @@ ) from ...utils import load_nist_vectors, load_vectors_from_file +from .test_aead import large_mmap def test_deprecated_ciphers_import_with_warning(): @@ -255,7 +255,7 @@ def test_update_into_buffer_too_small_gcm(self, backend): sys.platform not in {"linux", "darwin"}, reason="mmap required" ) def test_update_auto_chunking(): - large_data = mmap.mmap(-1, 2**29 + 2**20, prot=mmap.PROT_READ) + large_data = large_mmap(length=2**29 + 2**20) key = b"\x00" * 16 c = ciphers.Cipher(AES(key), modes.ECB()) From 4c54d399a6997e63e28212db96af5c1678a1422a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 12 Sep 2024 17:20:45 -0400 Subject: [PATCH 1076/1462] Use uv to build manylinux wheels (#11565) refs #11548 --- .github/workflows/wheel-builder.yml | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 1643b22b26a6..f1b92b5b9eca 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml 
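Review bot: In `test_ciphers.py`, the new `from .test_aead import large_mmap` makes one test module depend on another, so renaming or moving the helper in `test_aead.py` would also break `test_update_auto_chunking`. The helper would fit better in the shared utilities module that this file already imports from (`from ...utils import ...`), with both test files importing it from there. In the `test_aead.py` hunk the helper could also declare its return type, `def large_mmap(length: int = 2**32) -> mmap.mmap:`, so the broad `# type: ignore[...]` on the call is the only place typing is relaxed.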
@@ -107,9 +107,6 @@ jobs: sparse-checkout: | ${{ env.BUILD_REQUIREMENTS_PATH }} sparse-checkout-cone-mode: false - - run: /opt/python/${{ matrix.PYTHON.VERSION }}/bin/python -m venv .venv - - name: Install Python dependencies - run: .venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: @@ -118,19 +115,15 @@ jobs: - name: Build the wheel run: | if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then - PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" + PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }}" fi - # `maturin` has a binary that needs to be on the $PATH, so we - # activate the venv. - source .venv/bin/activate OPENSSL_DIR="/opt/pyca/cryptography/openssl" \ OPENSSL_STATIC=1 \ - .venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ - mv dist/cryptography*.whl tmpwheelhouse + uv build --python=/opt/python/${{ matrix.PYTHON.VERSION }}/bin/python --wheel --require-hashes --build-constraint=$BUILD_REQUIREMENTS_PATH $PY_LIMITED_API cryptography*.tar.gz -o tmpwheelhouse/ env: RUSTUP_HOME: /root/.rustup - - run: auditwheel repair --plat ${{ matrix.MANYLINUX.NAME }} tmpwheelhouse/cryptograph*.whl -w wheelhouse/ + - run: auditwheel repair --plat ${{ matrix.MANYLINUX.NAME }} tmpwheelhouse/cryptography*.whl -w wheelhouse/ - run: unzip wheelhouse/*.whl -d execstack.check - run: | results=$(readelf -lW execstack.check/cryptography/hazmat/bindings/*.so) 
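Review bot: The `uv build` line in the "Build the wheel" step now carries the whole pinning guarantee for build dependencies, and nothing in the step says so. The removed lines installed the hash-pinned requirements into a venv explicitly, while the new line depends on `--require-hashes` and `--build-constraint` taking effect inside uv's build environment. A comment above the command would keep a later edit from dropping one of the two flags, for example `# Build deps are resolved by uv at build time; --require-hashes + --build-constraint keep them hash-pinned.` It is also worth confirming that every build requirement, including transitive ones, is listed with a hash in the constraints file, and quoting the path as `--build-constraint="$BUILD_REQUIREMENTS_PATH"` would match the quoting already used for `OPENSSL_DIR`. The job definition starts outside this hunk.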
@@ -140,15 +133,17 @@ jobs: else exit 0 fi - - run: .venv/bin/pip install cryptography --no-index -f wheelhouse/ + + - run: uv venv --python=/opt/python/${{ matrix.PYTHON.VERSION }}/bin/python + - run: uv pip install --require-hashes -r $BUILD_REQUIREMENTS_PATH + - run: uv pip install cryptography --no-index -f wheelhouse/ - run: | - .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - - run: mkdir cryptography-wheelhouse - - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ + echo "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" | uv run - + - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" - path: cryptography-wheelhouse/ + path: wheelhouse/ macos: needs: [sdist] From 089d391254aba13cac9970aa20de088eba9a5bb1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 12 Sep 2024 17:23:35 -0400 Subject: [PATCH 1077/1462] Switch to using the official PyPA action for uploading to PyPI (#11574) --- .github/requirements/publish-requirements.in | 8 - .github/requirements/publish-requirements.txt | 327 ------------------ .github/workflows/pypi-publish.yml | 70 +--- 3 files changed, 17 insertions(+), 388 deletions(-) delete mode 100644 .github/requirements/publish-requirements.in delete mode 100644 .github/requirements/publish-requirements.txt diff --git a/.github/requirements/publish-requirements.in b/.github/requirements/publish-requirements.in deleted file mode 100644 index adfe8ec15086..000000000000 
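Review bot: The `upload-artifact` step now uploads the whole `wheelhouse/` directory, where the removed lines first moved only `cryptography*.whl` into a dedicated directory, so any other file that ends up in `wheelhouse/` would now travel with the release artifact. Narrowing the path keeps the earlier filter, e.g. `path: wheelhouse/cryptography*.whl`. Presumably `auditwheel repair` writes only the repaired wheel there, so this is defence in depth rather than a known leak. The smoke test now pipes its script to `uv run -`; a one-line comment stating that it is expected to run in the `.venv` created by the `uv venv` step above would make that dependency explicit.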
--- a/.github/requirements/publish-requirements.in +++ /dev/null @@ -1,8 +0,0 @@ -twine -requests - -# WARN: changing the requirements here DOES NOT update the dependencies used -# for publishing at the github workflow, as the process uses -# `publish-requirements.txt`. -# To update `publish-requirements.txt`, run the command indicated in the -# header of that file. diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt deleted file mode 100644 index c0b65124b350..000000000000 --- a/.github/requirements/publish-requirements.txt +++ /dev/null 
@@ -1,327 +0,0 @@ -# This file was autogenerated by uv via the following command: -# uv pip compile --universal -p 3.11 --generate-hashes .github/requirements/publish-requirements.in -backports-tarfile==1.2.0 ; python_full_version < '3.12' \ - --hash=sha256:77e284d754527b01fb1e6fa8a1afe577858ebe4e9dad8919e34c862cb399bc34 \ - --hash=sha256:d75e02c268746e1b8144c278978b6e98e85de6ad16f8e4b0844a154557eca991 - # via jaraco-context -certifi==2024.8.30 \ - --hash=sha256:922820b53db7a7257ffbda3f597266d435245903d80737e34f8a45ff3e3230d8 \ - --hash=sha256:bec941d2aa8195e248a60b31ff9f0558284cf01a52591ceda73ea9afffd69fd9 - # via requests -cffi==1.17.1 ; platform_python_implementation != 'PyPy' and sys_platform == 'linux' \ - --hash=sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8 \ - --hash=sha256:0984a4925a435b1da406122d4d7968dd861c1385afe3b45ba82b750f229811e2 \ - --hash=sha256:0e2b1fac190ae3ebfe37b979cc1ce69c81f4e4fe5746bb401dca63a9062cdaf1 \ - --hash=sha256:0f048dcf80db46f0098ccac01132761580d28e28bc0f78ae0d58048063317e15 \ - --hash=sha256:1257bdabf294dceb59f5e70c64a3e2f462c30c7ad68092d01bbbfb1c16b1ba36 \ - --hash=sha256:1c39c6016c32bc48dd54561950ebd6836e1670f2ae46128f67cf49e789c52824 \ - --hash=sha256:1d599671f396c4723d016dbddb72fe8e0397082b0a77a4fab8028923bec050e8 \ - --hash=sha256:28b16024becceed8c6dfbc75629e27788d8a3f9030691a1dbf9821a128b22c36 \ - --hash=sha256:2bb1a08b8008b281856e5971307cc386a8e9c5b625ac297e853d36da6efe9c17 \ - --hash=sha256:30c5e0cb5ae493c04c8b42916e52ca38079f1b235c2f8ae5f4527b963c401caf \ - --hash=sha256:31000ec67d4221a71bd3f67df918b1f88f676f1c3b535a7eb473255fdc0b83fc \ - --hash=sha256:386c8bf53c502fff58903061338ce4f4950cbdcb23e2902d86c0f722b786bbe3 \ - --hash=sha256:3edc8d958eb099c634dace3c7e16560ae474aa3803a5df240542b305d14e14ed \ - --hash=sha256:45398b671ac6d70e67da8e4224a065cec6a93541bb7aebe1b198a61b58c7b702 \ - --hash=sha256:46bf43160c1a35f7ec506d254e5c890f3c03648a4dbac12d624e4490a7046cd1 \ - 
--hash=sha256:4ceb10419a9adf4460ea14cfd6bc43d08701f0835e979bf821052f1805850fe8 \ - --hash=sha256:51392eae71afec0d0c8fb1a53b204dbb3bcabcb3c9b807eedf3e1e6ccf2de903 \ - --hash=sha256:5da5719280082ac6bd9aa7becb3938dc9f9cbd57fac7d2871717b1feb0902ab6 \ - --hash=sha256:610faea79c43e44c71e1ec53a554553fa22321b65fae24889706c0a84d4ad86d \ - --hash=sha256:636062ea65bd0195bc012fea9321aca499c0504409f413dc88af450b57ffd03b \ - --hash=sha256:6883e737d7d9e4899a8a695e00ec36bd4e5e4f18fabe0aca0efe0a4b44cdb13e \ - --hash=sha256:6b8b4a92e1c65048ff98cfe1f735ef8f1ceb72e3d5f0c25fdb12087a23da22be \ - --hash=sha256:6f17be4345073b0a7b8ea599688f692ac3ef23ce28e5df79c04de519dbc4912c \ - --hash=sha256:706510fe141c86a69c8ddc029c7910003a17353970cff3b904ff0686a5927683 \ - --hash=sha256:72e72408cad3d5419375fc87d289076ee319835bdfa2caad331e377589aebba9 \ - --hash=sha256:733e99bc2df47476e3848417c5a4540522f234dfd4ef3ab7fafdf555b082ec0c \ - --hash=sha256:7596d6620d3fa590f677e9ee430df2958d2d6d6de2feeae5b20e82c00b76fbf8 \ - --hash=sha256:78122be759c3f8a014ce010908ae03364d00a1f81ab5c7f4a7a5120607ea56e1 \ - --hash=sha256:805b4371bf7197c329fcb3ead37e710d1bca9da5d583f5073b799d5c5bd1eee4 \ - --hash=sha256:85a950a4ac9c359340d5963966e3e0a94a676bd6245a4b55bc43949eee26a655 \ - --hash=sha256:8f2cdc858323644ab277e9bb925ad72ae0e67f69e804f4898c070998d50b1a67 \ - --hash=sha256:9755e4345d1ec879e3849e62222a18c7174d65a6a92d5b346b1863912168b595 \ - --hash=sha256:98e3969bcff97cae1b2def8ba499ea3d6f31ddfdb7635374834cf89a1a08ecf0 \ - --hash=sha256:a08d7e755f8ed21095a310a693525137cfe756ce62d066e53f502a83dc550f65 \ - --hash=sha256:a1ed2dd2972641495a3ec98445e09766f077aee98a1c896dcb4ad0d303628e41 \ - --hash=sha256:a24ed04c8ffd54b0729c07cee15a81d964e6fee0e3d4d342a27b020d22959dc6 \ - --hash=sha256:a45e3c6913c5b87b3ff120dcdc03f6131fa0065027d0ed7ee6190736a74cd401 \ - --hash=sha256:a9b15d491f3ad5d692e11f6b71f7857e7835eb677955c00cc0aefcd0669adaf6 \ - --hash=sha256:ad9413ccdeda48c5afdae7e4fa2192157e991ff761e7ab8fdd8926f40b160cc3 \ - 
--hash=sha256:b2ab587605f4ba0bf81dc0cb08a41bd1c0a5906bd59243d56bad7668a6fc6c16 \ - --hash=sha256:b62ce867176a75d03a665bad002af8e6d54644fad99a3c70905c543130e39d93 \ - --hash=sha256:c03e868a0b3bc35839ba98e74211ed2b05d2119be4e8a0f224fba9384f1fe02e \ - --hash=sha256:c59d6e989d07460165cc5ad3c61f9fd8f1b4796eacbd81cee78957842b834af4 \ - --hash=sha256:c7eac2ef9b63c79431bc4b25f1cd649d7f061a28808cbc6c47b534bd789ef964 \ - --hash=sha256:c9c3d058ebabb74db66e431095118094d06abf53284d9c81f27300d0e0d8bc7c \ - --hash=sha256:ca74b8dbe6e8e8263c0ffd60277de77dcee6c837a3d0881d8c1ead7268c9e576 \ - --hash=sha256:caaf0640ef5f5517f49bc275eca1406b0ffa6aa184892812030f04c2abf589a0 \ - --hash=sha256:cdf5ce3acdfd1661132f2a9c19cac174758dc2352bfe37d98aa7512c6b7178b3 \ - --hash=sha256:d016c76bdd850f3c626af19b0542c9677ba156e4ee4fccfdd7848803533ef662 \ - --hash=sha256:d01b12eeeb4427d3110de311e1774046ad344f5b1a7403101878976ecd7a10f3 \ - --hash=sha256:d63afe322132c194cf832bfec0dc69a99fb9bb6bbd550f161a49e9e855cc78ff \ - --hash=sha256:da95af8214998d77a98cc14e3a3bd00aa191526343078b530ceb0bd710fb48a5 \ - --hash=sha256:dd398dbc6773384a17fe0d3e7eeb8d1a21c2200473ee6806bb5e6a8e62bb73dd \ - --hash=sha256:de2ea4b5833625383e464549fec1bc395c1bdeeb5f25c4a3a82b5a8c756ec22f \ - --hash=sha256:de55b766c7aa2e2a3092c51e0483d700341182f08e67c63630d5b6f200bb28e5 \ - --hash=sha256:df8b1c11f177bc2313ec4b2d46baec87a5f3e71fc8b45dab2ee7cae86d9aba14 \ - --hash=sha256:e03eab0a8677fa80d646b5ddece1cbeaf556c313dcfac435ba11f107ba117b5d \ - --hash=sha256:e221cf152cff04059d011ee126477f0d9588303eb57e88923578ace7baad17f9 \ - --hash=sha256:e31ae45bc2e29f6b2abd0de1cc3b9d5205aa847cafaecb8af1476a609a2f6eb7 \ - --hash=sha256:edae79245293e15384b51f88b00613ba9f7198016a5948b5dddf4917d4d26382 \ - --hash=sha256:f1e22e8c4419538cb197e4dd60acc919d7696e5ef98ee4da4e01d3f8cfa4cc5a \ - --hash=sha256:f3a2b4222ce6b60e2e8b337bb9596923045681d71e5a082783484d845390938e \ - --hash=sha256:f6a16c31041f09ead72d69f583767292f750d24913dadacf5756b966aacb3f1a \ - 
--hash=sha256:f75c7ab1f9e4aca5414ed4d8e5c0e303a34f4421f8a0d47a4d019ceff0ab6af4 \ - --hash=sha256:f79fc4fc25f1c8698ff97788206bb3c2598949bfe0fef03d299eb1b5356ada99 \ - --hash=sha256:f7f5baafcc48261359e14bcd6d9bff6d4b28d9103847c9e136694cb0501aef87 \ - --hash=sha256:fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b - # via cryptography -charset-normalizer==3.3.2 \ - --hash=sha256:06435b539f889b1f6f4ac1758871aae42dc3a8c0e24ac9e60c2384973ad73027 \ - --hash=sha256:06a81e93cd441c56a9b65d8e1d043daeb97a3d0856d177d5c90ba85acb3db087 \ - --hash=sha256:0a55554a2fa0d408816b3b5cedf0045f4b8e1a6065aec45849de2d6f3f8e9786 \ - --hash=sha256:0b2b64d2bb6d3fb9112bafa732def486049e63de9618b5843bcdd081d8144cd8 \ - --hash=sha256:10955842570876604d404661fbccbc9c7e684caf432c09c715ec38fbae45ae09 \ - --hash=sha256:122c7fa62b130ed55f8f285bfd56d5f4b4a5b503609d181f9ad85e55c89f4185 \ - --hash=sha256:1ceae2f17a9c33cb48e3263960dc5fc8005351ee19db217e9b1bb15d28c02574 \ - --hash=sha256:1d3193f4a680c64b4b6a9115943538edb896edc190f0b222e73761716519268e \ - --hash=sha256:1f79682fbe303db92bc2b1136016a38a42e835d932bab5b3b1bfcfbf0640e519 \ - --hash=sha256:2127566c664442652f024c837091890cb1942c30937add288223dc895793f898 \ - --hash=sha256:22afcb9f253dac0696b5a4be4a1c0f8762f8239e21b99680099abd9b2b1b2269 \ - --hash=sha256:25baf083bf6f6b341f4121c2f3c548875ee6f5339300e08be3f2b2ba1721cdd3 \ - --hash=sha256:2e81c7b9c8979ce92ed306c249d46894776a909505d8f5a4ba55b14206e3222f \ - --hash=sha256:3287761bc4ee9e33561a7e058c72ac0938c4f57fe49a09eae428fd88aafe7bb6 \ - --hash=sha256:34d1c8da1e78d2e001f363791c98a272bb734000fcef47a491c1e3b0505657a8 \ - --hash=sha256:37e55c8e51c236f95b033f6fb391d7d7970ba5fe7ff453dad675e88cf303377a \ - --hash=sha256:3d47fa203a7bd9c5b6cee4736ee84ca03b8ef23193c0d1ca99b5089f72645c73 \ - --hash=sha256:3e4d1f6587322d2788836a99c69062fbb091331ec940e02d12d179c1d53e25fc \ - --hash=sha256:42cb296636fcc8b0644486d15c12376cb9fa75443e00fb25de0b8602e64c1714 \ - 
--hash=sha256:45485e01ff4d3630ec0d9617310448a8702f70e9c01906b0d0118bdf9d124cf2 \ - --hash=sha256:4a78b2b446bd7c934f5dcedc588903fb2f5eec172f3d29e52a9096a43722adfc \ - --hash=sha256:4ab2fe47fae9e0f9dee8c04187ce5d09f48eabe611be8259444906793ab7cbce \ - --hash=sha256:4d0d1650369165a14e14e1e47b372cfcb31d6ab44e6e33cb2d4e57265290044d \ - --hash=sha256:549a3a73da901d5bc3ce8d24e0600d1fa85524c10287f6004fbab87672bf3e1e \ - --hash=sha256:55086ee1064215781fff39a1af09518bc9255b50d6333f2e4c74ca09fac6a8f6 \ - --hash=sha256:572c3763a264ba47b3cf708a44ce965d98555f618ca42c926a9c1616d8f34269 \ - --hash=sha256:573f6eac48f4769d667c4442081b1794f52919e7edada77495aaed9236d13a96 \ - --hash=sha256:5b4c145409bef602a690e7cfad0a15a55c13320ff7a3ad7ca59c13bb8ba4d45d \ - --hash=sha256:6463effa3186ea09411d50efc7d85360b38d5f09b870c48e4600f63af490e56a \ - --hash=sha256:65f6f63034100ead094b8744b3b97965785388f308a64cf8d7c34f2f2e5be0c4 \ - --hash=sha256:663946639d296df6a2bb2aa51b60a2454ca1cb29835324c640dafb5ff2131a77 \ - --hash=sha256:6897af51655e3691ff853668779c7bad41579facacf5fd7253b0133308cf000d \ - --hash=sha256:68d1f8a9e9e37c1223b656399be5d6b448dea850bed7d0f87a8311f1ff3dabb0 \ - --hash=sha256:6ac7ffc7ad6d040517be39eb591cac5ff87416c2537df6ba3cba3bae290c0fed \ - --hash=sha256:6b3251890fff30ee142c44144871185dbe13b11bab478a88887a639655be1068 \ - --hash=sha256:6c4caeef8fa63d06bd437cd4bdcf3ffefe6738fb1b25951440d80dc7df8c03ac \ - --hash=sha256:6ef1d82a3af9d3eecdba2321dc1b3c238245d890843e040e41e470ffa64c3e25 \ - --hash=sha256:753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8 \ - --hash=sha256:7cd13a2e3ddeed6913a65e66e94b51d80a041145a026c27e6bb76c31a853c6ab \ - --hash=sha256:7ed9e526742851e8d5cc9e6cf41427dfc6068d4f5a3bb03659444b4cabf6bc26 \ - --hash=sha256:7f04c839ed0b6b98b1a7501a002144b76c18fb1c1850c8b98d458ac269e26ed2 \ - --hash=sha256:802fe99cca7457642125a8a88a084cef28ff0cf9407060f7b93dca5aa25480db \ - --hash=sha256:80402cd6ee291dcb72644d6eac93785fe2c8b9cb30893c1af5b8fdd753b9d40f \ - 
--hash=sha256:8465322196c8b4d7ab6d1e049e4c5cb460d0394da4a27d23cc242fbf0034b6b5 \ - --hash=sha256:86216b5cee4b06df986d214f664305142d9c76df9b6512be2738aa72a2048f99 \ - --hash=sha256:87d1351268731db79e0f8e745d92493ee2841c974128ef629dc518b937d9194c \ - --hash=sha256:8bdb58ff7ba23002a4c5808d608e4e6c687175724f54a5dade5fa8c67b604e4d \ - --hash=sha256:8c622a5fe39a48f78944a87d4fb8a53ee07344641b0562c540d840748571b811 \ - --hash=sha256:8d756e44e94489e49571086ef83b2bb8ce311e730092d2c34ca8f7d925cb20aa \ - --hash=sha256:8f4a014bc36d3c57402e2977dada34f9c12300af536839dc38c0beab8878f38a \ - --hash=sha256:9063e24fdb1e498ab71cb7419e24622516c4a04476b17a2dab57e8baa30d6e03 \ - --hash=sha256:90d558489962fd4918143277a773316e56c72da56ec7aa3dc3dbbe20fdfed15b \ - --hash=sha256:923c0c831b7cfcb071580d3f46c4baf50f174be571576556269530f4bbd79d04 \ - --hash=sha256:95f2a5796329323b8f0512e09dbb7a1860c46a39da62ecb2324f116fa8fdc85c \ - --hash=sha256:96b02a3dc4381e5494fad39be677abcb5e6634bf7b4fa83a6dd3112607547001 \ - --hash=sha256:9f96df6923e21816da7e0ad3fd47dd8f94b2a5ce594e00677c0013018b813458 \ - --hash=sha256:a10af20b82360ab00827f916a6058451b723b4e65030c5a18577c8b2de5b3389 \ - --hash=sha256:a50aebfa173e157099939b17f18600f72f84eed3049e743b68ad15bd69b6bf99 \ - --hash=sha256:a981a536974bbc7a512cf44ed14938cf01030a99e9b3a06dd59578882f06f985 \ - --hash=sha256:a9a8e9031d613fd2009c182b69c7b2c1ef8239a0efb1df3f7c8da66d5dd3d537 \ - --hash=sha256:ae5f4161f18c61806f411a13b0310bea87f987c7d2ecdbdaad0e94eb2e404238 \ - --hash=sha256:aed38f6e4fb3f5d6bf81bfa990a07806be9d83cf7bacef998ab1a9bd660a581f \ - --hash=sha256:b01b88d45a6fcb69667cd6d2f7a9aeb4bf53760d7fc536bf679ec94fe9f3ff3d \ - --hash=sha256:b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796 \ - --hash=sha256:b2b0a0c0517616b6869869f8c581d4eb2dd83a4d79e0ebcb7d373ef9956aeb0a \ - --hash=sha256:b4a23f61ce87adf89be746c8a8974fe1c823c891d8f86eb218bb957c924bb143 \ - --hash=sha256:bd8f7df7d12c2db9fab40bdd87a7c09b1530128315d047a086fa3ae3435cb3a8 \ - 
--hash=sha256:beb58fe5cdb101e3a055192ac291b7a21e3b7ef4f67fa1d74e331a7f2124341c \ - --hash=sha256:c002b4ffc0be611f0d9da932eb0f704fe2602a9a949d1f738e4c34c75b0863d5 \ - --hash=sha256:c083af607d2515612056a31f0a8d9e0fcb5876b7bfc0abad3ecd275bc4ebc2d5 \ - --hash=sha256:c180f51afb394e165eafe4ac2936a14bee3eb10debc9d9e4db8958fe36afe711 \ - --hash=sha256:c235ebd9baae02f1b77bcea61bce332cb4331dc3617d254df3323aa01ab47bd4 \ - --hash=sha256:cd70574b12bb8a4d2aaa0094515df2463cb429d8536cfb6c7ce983246983e5a6 \ - --hash=sha256:d0eccceffcb53201b5bfebb52600a5fb483a20b61da9dbc885f8b103cbe7598c \ - --hash=sha256:d965bba47ddeec8cd560687584e88cf699fd28f192ceb452d1d7ee807c5597b7 \ - --hash=sha256:db364eca23f876da6f9e16c9da0df51aa4f104a972735574842618b8c6d999d4 \ - --hash=sha256:ddbb2551d7e0102e7252db79ba445cdab71b26640817ab1e3e3648dad515003b \ - --hash=sha256:deb6be0ac38ece9ba87dea880e438f25ca3eddfac8b002a2ec3d9183a454e8ae \ - --hash=sha256:e06ed3eb3218bc64786f7db41917d4e686cc4856944f53d5bdf83a6884432e12 \ - --hash=sha256:e27ad930a842b4c5eb8ac0016b0a54f5aebbe679340c26101df33424142c143c \ - --hash=sha256:e537484df0d8f426ce2afb2d0f8e1c3d0b114b83f8850e5f2fbea0e797bd82ae \ - --hash=sha256:eb00ed941194665c332bf8e078baf037d6c35d7c4f3102ea2d4f16ca94a26dc8 \ - --hash=sha256:eb6904c354526e758fda7167b33005998fb68c46fbc10e013ca97f21ca5c8887 \ - --hash=sha256:eb8821e09e916165e160797a6c17edda0679379a4be5c716c260e836e122f54b \ - --hash=sha256:efcb3f6676480691518c177e3b465bcddf57cea040302f9f4e6e191af91174d4 \ - --hash=sha256:f27273b60488abe721a075bcca6d7f3964f9f6f067c8c4c605743023d7d3944f \ - --hash=sha256:f30c3cb33b24454a82faecaf01b19c18562b1e89558fb6c56de4d9118a032fd5 \ - --hash=sha256:fb69256e180cb6c8a894fee62b3afebae785babc1ee98b81cdf68bbca1987f33 \ - --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ - --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 - # via requests -cryptography==43.0.1 ; sys_platform == 'linux' \ - 
--hash=sha256:014f58110f53237ace6a408b5beb6c427b64e084eb451ef25a28308270086494 \ - --hash=sha256:1bbcce1a551e262dfbafb6e6252f1ae36a248e615ca44ba302df077a846a8806 \ - --hash=sha256:203e92a75716d8cfb491dc47c79e17d0d9207ccffcbcb35f598fbe463ae3444d \ - --hash=sha256:27e613d7077ac613e399270253259d9d53872aaf657471473ebfc9a52935c062 \ - --hash=sha256:2bd51274dcd59f09dd952afb696bf9c61a7a49dfc764c04dd33ef7a6b502a1e2 \ - --hash=sha256:38926c50cff6f533f8a2dae3d7f19541432610d114a70808f0926d5aaa7121e4 \ - --hash=sha256:511f4273808ab590912a93ddb4e3914dfd8a388fed883361b02dea3791f292e1 \ - --hash=sha256:58d4e9129985185a06d849aa6df265bdd5a74ca6e1b736a77959b498e0505b85 \ - --hash=sha256:5b43d1ea6b378b54a1dc99dd8a2b5be47658fe9a7ce0a58ff0b55f4b43ef2b84 \ - --hash=sha256:61ec41068b7b74268fa86e3e9e12b9f0c21fcf65434571dbb13d954bceb08042 \ - --hash=sha256:666ae11966643886c2987b3b721899d250855718d6d9ce41b521252a17985f4d \ - --hash=sha256:68aaecc4178e90719e95298515979814bda0cbada1256a4485414860bd7ab962 \ - --hash=sha256:7c05650fe8023c5ed0d46793d4b7d7e6cd9c04e68eabe5b0aeea836e37bdcec2 \ - --hash=sha256:80eda8b3e173f0f247f711eef62be51b599b5d425c429b5d4ca6a05e9e856baa \ - --hash=sha256:8385d98f6a3bf8bb2d65a73e17ed87a3ba84f6991c155691c51112075f9ffc5d \ - --hash=sha256:88cce104c36870d70c49c7c8fd22885875d950d9ee6ab54df2745f83ba0dc365 \ - --hash=sha256:9d3cdb25fa98afdd3d0892d132b8d7139e2c087da1712041f6b762e4f807cc96 \ - --hash=sha256:a575913fb06e05e6b4b814d7f7468c2c660e8bb16d8d5a1faf9b33ccc569dd47 \ - --hash=sha256:ac119bb76b9faa00f48128b7f5679e1d8d437365c5d26f1c2c3f0da4ce1b553d \ - --hash=sha256:c1332724be35d23a854994ff0b66530119500b6053d0bd3363265f7e5e77288d \ - --hash=sha256:d03a475165f3134f773d1388aeb19c2d25ba88b6a9733c5c590b9ff7bbfa2e0c \ - --hash=sha256:d75601ad10b059ec832e78823b348bfa1a59f6b8d545db3a24fd44362a1564cb \ - --hash=sha256:de41fd81a41e53267cb020bb3a7212861da53a7d39f863585d13ea11049cf277 \ - --hash=sha256:e710bf40870f4db63c3d7d929aa9e09e4e7ee219e703f949ec4073b4294f6172 \ - 
--hash=sha256:ea25acb556320250756e53f9e20a4177515f012c9eaea17eb7587a8c4d8ae034 \ - --hash=sha256:f98bf604c82c416bc829e490c700ca1553eafdf2912a91e23a79d97d9801372a \ - --hash=sha256:fba1007b3ef89946dbbb515aeeb41e30203b004f0b4b00e5e16078b518563289 - # via secretstorage -docutils==0.21.2 \ - --hash=sha256:3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f \ - --hash=sha256:dafca5b9e384f0e419294eb4d2ff9fa826435bf15f15b7bd45723e8ad76811b2 - # via readme-renderer -idna==3.8 \ - --hash=sha256:050b4e5baadcd44d760cedbd2b8e639f2ff89bbc7a5730fcc662954303377aac \ - --hash=sha256:d838c2c0ed6fced7693d5e8ab8e734d5f8fda53a039c0164afb0b82e771e3603 - # via requests -importlib-metadata==8.4.0 \ - --hash=sha256:66f342cc6ac9818fc6ff340576acd24d65ba0b3efabb2b4ac08b598965a4a2f1 \ - --hash=sha256:9a547d3bc3608b025f93d403fdd1aae741c24fbb8314df4b155675742ce303c5 - # via - # keyring - # twine -jaraco-classes==3.4.0 \ - --hash=sha256:47a024b51d0239c0dd8c8540c6c7f484be3b8fcf0b2d85c13825780d3b3f3acd \ - --hash=sha256:f662826b6bed8cace05e7ff873ce0f9283b5c924470fe664fff1c2f00f581790 - # via keyring -jaraco-context==6.0.1 \ - --hash=sha256:9bae4ea555cf0b14938dc0aee7c9f32ed303aa20a3b73e7dc80111628792d1b3 \ - --hash=sha256:f797fc481b490edb305122c9181830a3a5b76d84ef6d1aef2fb9b47ab956f9e4 - # via keyring -jaraco-functools==4.0.2 \ - --hash=sha256:3460c74cd0d32bf82b9576bbb3527c4364d5b27a21f5158a62aed6c4b42e23f5 \ - --hash=sha256:c9d16a3ed4ccb5a889ad8e0b7a343401ee5b2a71cee6ed192d3f68bc351e94e3 - # via keyring -jeepney==0.8.0 ; sys_platform == 'linux' \ - --hash=sha256:5efe48d255973902f6badc3ce55e2aa6c5c3b3bc642059ef3a91247bcfcc5806 \ - --hash=sha256:c0a454ad016ca575060802ee4d590dd912e35c122fa04e70306de3d076cce755 - # via - # keyring - # secretstorage -keyring==25.3.0 \ - --hash=sha256:8d85a1ea5d6db8515b59e1c5d1d1678b03cf7fc8b8dcfb1651e8c4a524eb42ef \ - --hash=sha256:8d963da00ccdf06e356acd9bf3b743208878751032d8599c6cc89eb51310ffae - # via twine -markdown-it-py==3.0.0 \ - 
--hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1 \ - --hash=sha256:e3f60a94fa066dc52ec76661e37c851cb232d92f9886b15cb560aaada2df8feb - # via rich -mdurl==0.1.2 \ - --hash=sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8 \ - --hash=sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba - # via markdown-it-py -more-itertools==10.5.0 \ - --hash=sha256:037b0d3203ce90cca8ab1defbbdac29d5f993fc20131f3664dc8d6acfa872aef \ - --hash=sha256:5482bfef7849c25dc3c6dd53a6173ae4795da2a41a80faea6700d9f5846c5da6 - # via - # jaraco-classes - # jaraco-functools -nh3==0.2.18 \ - --hash=sha256:0411beb0589eacb6734f28d5497ca2ed379eafab8ad8c84b31bb5c34072b7164 \ - --hash=sha256:14c5a72e9fe82aea5fe3072116ad4661af5cf8e8ff8fc5ad3450f123e4925e86 \ - --hash=sha256:19aaba96e0f795bd0a6c56291495ff59364f4300d4a39b29a0abc9cb3774a84b \ - --hash=sha256:34c03fa78e328c691f982b7c03d4423bdfd7da69cd707fe572f544cf74ac23ad \ - --hash=sha256:36c95d4b70530b320b365659bb5034341316e6a9b30f0b25fa9c9eff4c27a204 \ - --hash=sha256:3a157ab149e591bb638a55c8c6bcb8cdb559c8b12c13a8affaba6cedfe51713a \ - --hash=sha256:42c64511469005058cd17cc1537578eac40ae9f7200bedcfd1fc1a05f4f8c200 \ - --hash=sha256:5f36b271dae35c465ef5e9090e1fdaba4a60a56f0bb0ba03e0932a66f28b9189 \ - --hash=sha256:6955369e4d9f48f41e3f238a9e60f9410645db7e07435e62c6a9ea6135a4907f \ - --hash=sha256:7b7c2a3c9eb1a827d42539aa64091640bd275b81e097cd1d8d82ef91ffa2e811 \ - --hash=sha256:8ce0f819d2f1933953fca255db2471ad58184a60508f03e6285e5114b6254844 \ - --hash=sha256:94a166927e53972a9698af9542ace4e38b9de50c34352b962f4d9a7d4c927af4 \ - --hash=sha256:a7f1b5b2c15866f2db413a3649a8fe4fd7b428ae58be2c0f6bca5eefd53ca2be \ - --hash=sha256:c8b3a1cebcba9b3669ed1a84cc65bf005728d2f0bc1ed2a6594a992e817f3a50 \ - --hash=sha256:de3ceed6e661954871d6cd78b410213bdcb136f79aafe22aa7182e028b8c7307 \ - --hash=sha256:f0eca9ca8628dbb4e916ae2491d72957fdd35f7a5d326b7032a345f111ac07fe - # via readme-renderer -pkginfo==1.10.0 \ 
- --hash=sha256:5df73835398d10db79f8eecd5cd86b1f6d29317589ea70796994d49399af6297 \ - --hash=sha256:889a6da2ed7ffc58ab5b900d888ddce90bce912f2d2de1dc1c26f4cb9fe65097 - # via twine -pycparser==2.22 ; platform_python_implementation != 'PyPy' and sys_platform == 'linux' \ - --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ - --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc - # via cffi -pygments==2.18.0 \ - --hash=sha256:786ff802f32e91311bff3889f6e9a86e81505fe99f2735bb6d60ae0c5004f199 \ - --hash=sha256:b8e6aca0523f3ab76fee51799c488e38782ac06eafcf95e7ba832985c8e7b13a - # via - # readme-renderer - # rich -pywin32-ctypes==0.2.3 ; sys_platform == 'win32' \ - --hash=sha256:8a1513379d709975552d202d942d9837758905c8d01eb82b8bcc30918929e7b8 \ - --hash=sha256:d162dc04946d704503b2edc4d55f3dba5c1d539ead017afa00142c38b9885755 - # via keyring -readme-renderer==44.0 \ - --hash=sha256:2fbca89b81a08526aadf1357a8c2ae889ec05fb03f5da67f9769c9a592166151 \ - --hash=sha256:8712034eabbfa6805cacf1402b4eeb2a73028f72d1166d6f5cb7f9c047c5d1e1 - # via twine -requests==2.32.3 \ - --hash=sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760 \ - --hash=sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6 - # via - # -r .github/requirements/publish-requirements.in - # requests-toolbelt - # twine -requests-toolbelt==1.0.0 \ - --hash=sha256:7681a0a3d047012b5bdc0ee37d7f8f07ebe76ab08caeccfc3921ce23c88d5bc6 \ - --hash=sha256:cccfdd665f0a24fcf4726e690f65639d272bb0637b9b92dfd91a5568ccf6bd06 - # via twine -rfc3986==2.0.0 \ - --hash=sha256:50b1502b60e289cb37883f3dfd34532b8873c7de9f49bb546641ce9cbd256ebd \ - --hash=sha256:97aacf9dbd4bfd829baad6e6309fa6573aaf1be3f6fa735c8ab05e46cecb261c - # via twine -rich==13.8.0 \ - --hash=sha256:2e85306a063b9492dffc86278197a60cbece75bcb766022f3436f567cae11bdc \ - --hash=sha256:a5ac1f1cd448ade0d59cc3356f7db7a7ccda2c8cbae9c7a90c28ff463d3e91f4 - # via twine -secretstorage==3.3.3 ; 
sys_platform == 'linux' \ - --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ - --hash=sha256:f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99 - # via keyring -twine==5.1.1 \ - --hash=sha256:215dbe7b4b94c2c50a7315c0275d2258399280fbb7d04182c7e55e24b5f93997 \ - --hash=sha256:9aa0825139c02b3434d913545c7b847a21c835e11597f5255842d457da2322db - # via -r .github/requirements/publish-requirements.in -urllib3==2.2.2 \ - --hash=sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472 \ - --hash=sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168 - # via - # requests - # twine -zipp==3.20.1 \ - --hash=sha256:9960cd8967c8f85a56f920d5d507274e74f9ff813a0ab8889a5b5be2daf44064 \ - --hash=sha256:c22b14cc4763c5a5b04134207736c107db42e9d3ef2d9779d465f5f1bcba572b - # via importlib-metadata diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index fd66a44ce065..630442a75655 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml 
@@ -35,65 +35,29 @@ jobs: - run: echo "$EVENT_CONTEXT" env: EVENT_CONTEXT: ${{ toJson(github.event) }} - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 - with: - python-version: "3.11" - - name: Get publish-requirements.txt from repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - sparse-checkout: | - ${{ env.PUBLISH_REQUIREMENTS_PATH }} - sparse-checkout-cone-mode: false - persist-credentials: false - - name: Install Python dependencies - run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} - - - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 - with: - path: dist/ - run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} - run: | - echo "OIDC_AUDIENCE=pypi" >> $GITHUB_ENV - echo "PYPI_DOMAIN=pypi.org" >> $GITHUB_ENV - echo "TWINE_REPOSITORY=pypi" >> $GITHUB_ENV - echo "TWINE_USERNAME=__token__" >> $GITHUB_ENV + echo "PYPI_URL=https://pypi.org/legacy/" >> $GITHUB_ENV if: github.event_name == 'workflow_run' || (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'pypi') - run: | - echo "OIDC_AUDIENCE=testpypi" >> $GITHUB_ENV - echo "PYPI_DOMAIN=test.pypi.org" >> $GITHUB_ENV - echo "TWINE_REPOSITORY=testpypi" >> $GITHUB_ENV - echo "TWINE_USERNAME=__token__" >> $GITHUB_ENV + echo "PYPI_URL=https://test.pypi.org/legacy/" >> $GITHUB_ENV if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'testpypi' + - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 + with: + path: tmpdist/ + run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} + - run: mkdir dist/ - run: | - import os - - import requests - - response = requests.get( - os.environ["ACTIONS_ID_TOKEN_REQUEST_URL"], - params={"audience": os.environ["OIDC_AUDIENCE"]}, - headers={"Authorization": f"bearer {os.environ['ACTIONS_ID_TOKEN_REQUEST_TOKEN']}"} - ) - 
response.raise_for_status() - token = response.json()["value"] - - response = requests.post(f"https://{os.environ['PYPI_DOMAIN']}/_/oidc/mint-token", json={"token": token}) - response.raise_for_status() - pypi_token = response.json()["token"] - - with open(os.environ["GITHUB_ENV"], "a") as f: - print(f"::add-mask::{pypi_token}") - f.write(f"TWINE_PASSWORD={pypi_token}\n") - shell: python - - - run: find dist/ -type f -name 'cryptography*' -print0 | xargs -0 twine upload --skip-existing + find tmpdist/ -type f -name 'cryptography*' -exec mv {} dist/ \; - # Do not perform attestation for things for TestPyPI. This is because - # there's nothing that would prevent a malicious PyPI from serving a - # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 + - name: Publish package distributions to PyPI + uses: pypa/gh-action-pypi-publish@0ab0b79471669eb3a4d647e625009c62f9f3b241 # v1.10.1 with: - subject-path: 'dist/**/cryptography*' - if: env.TWINE_REPOSITORY == 'pypi' + repository-url: ${{ env.PYPI_URL }} + skip-existing: true + # Do not perform attestation for things for TestPyPI. This is + # because there's nothing that would prevent a malicious PyPI from + # serving a signed TestPyPI asset in place of a release intended for' + # PyPI. + attestations: ${{ env.PYPI_URL == 'https://pypi.org/legacy/' }} From 03e413bfcce320f423a5b49e79170c865c6bc0ca Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 12 Sep 2024 18:05:46 -0400 Subject: [PATCH 1078/1462] Added a README for vectors, for the benefit of twine check (#11589) --- noxfile.py | 8 ++++++++ vectors/README.rst | 5 +++++ vectors/pyproject.toml | 1 + 3 files changed, 14 insertions(+) create mode 100644 vectors/README.rst diff --git a/noxfile.py b/noxfile.py index 8bd3968527f1..691259d02868 100644 --- a/noxfile.py +++ b/noxfile.py 
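Review bot: The upload target and the attestation gate both depend on the same URL literal, written once in the `echo "PYPI_URL=..."` step and again in `attestations: ${{ env.PYPI_URL == 'https://pypi.org/legacy/' }}`, so editing one without the other silently turns attestations off for real releases. As far as I know, the publish action's documented PyPI endpoint is `https://upload.pypi.org/legacy/`, so `https://pypi.org/legacy/` should be confirmed before a release goes through this path. Gating on an explicit flag would decouple the two: set `echo "ATTEST=true" >> $GITHUB_ENV` in the PyPI branch only and use `attestations: ${{ env.ATTEST == 'true' }}`. If the dispatch input can take a value other than `pypi` or `testpypi` (its definition is outside the hunk), `PYPI_URL` stays unset and `repository-url` is passed empty, so a step that fails when `PYPI_URL` is empty would make that case visible. The comment above `attestations` also has a stray apostrophe after "intended for".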
@@ -161,6 +161,14 @@ def docs(session: nox.Session) -> None: session.run( "python3", "-m", "readme_renderer", "README.rst", "-o", "/dev/null" ) + session.run( + "python3", + "-m", + "readme_renderer", + "vectors/README.rst", + "-o", + "/dev/null", + ) @nox.session(name="docs-linkcheck") diff --git a/vectors/README.rst b/vectors/README.rst new file mode 100644 index 000000000000..e4e9191d4ec4 --- /dev/null +++ b/vectors/README.rst @@ -0,0 +1,5 @@ +pyca/cryptography vectors +========================= + +This package contains test vectors which are used in ``pyca/cryptography``'s +tests. diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index eaa231e141fd..d1b24e9c6535 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml @@ -9,6 +9,7 @@ authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] description = "Test vectors for the cryptography package." +readme = "README.rst" license = {text = "Apache-2.0 OR BSD-3-Clause"} [project.urls] From ff656303ebcfa3c70a9996bb431edb1d06d4075c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 21:02:54 -0400 Subject: [PATCH 1079/1462] Bump BoringSSL and/or OpenSSL in CI (#11590) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 782fa01d687d..7bcaa4af3e30 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
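Review bot: The added `session.run` in `docs` repeats the existing readme_renderer call with only the path changed, so the same argument vector now exists in two copies that can drift apart. A loop keeps the invocation in one place: `for readme in ("README.rst", "vectors/README.rst"):` followed by `session.run("python3", "-m", "readme_renderer", readme, "-o", "/dev/null")`. The body of `docs` starts outside this hunk, so this covers only the two calls visible here.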
@@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Sep 12, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e724ef02089bf2bb494203231fc5cb62acc2fad6"}} - # Latest commit on the OpenSSL master branch, as of Sep 12, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2a53df6947e195ac08bc04c9d2fec1fed977668f"}} + # Latest commit on the OpenSSL master branch, as of Sep 13, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9cd4051e47c8da8398f93f42f0f56750552965f4"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 6f8dcc4a329851990b5505075bd68b78f7e7ba88 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 14 Sep 2024 03:01:48 +0000 Subject: [PATCH 1080/1462] Bump BoringSSL and/or OpenSSL in CI (#11595) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7bcaa4af3e30..c09208517f6f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 12, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e724ef02089bf2bb494203231fc5cb62acc2fad6"}} - # Latest commit on the OpenSSL master branch, as of Sep 13, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9cd4051e47c8da8398f93f42f0f56750552965f4"}} + # Latest commit on the BoringSSL master branch, as of Sep 14, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "58f3bc83230d2958bb9710bc910972c4f5d382dc"}} + # Latest commit on the OpenSSL master branch, as of Sep 14, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0fdf965bf0b1f87d4a5d52c71994ffdda5235718"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 0ba5107e11994210a1a5a8a3cae8529da48f8b56 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 14 Sep 2024 03:02:16 +0000 Subject: [PATCH 1081/1462] Bump unicode-ident from 1.0.12 to 1.0.13 in /src/rust (#11594) Bumps [unicode-ident](https://github.com/dtolnay/unicode-ident) from 1.0.12 to 1.0.13. - [Release notes](https://github.com/dtolnay/unicode-ident/releases) - [Commits](https://github.com/dtolnay/unicode-ident/compare/1.0.12...1.0.13) --- updated-dependencies: - dependency-name: unicode-ident dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 250a146c02aa..930a1f0847ef 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -351,9 +351,9 @@ checksum = "61c41af27dd6d1e27b1b16b489db798443478cef1f06a660c96db617ba5de3b1" [[package]] name = "unicode-ident" -version = "1.0.12" +version = "1.0.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" +checksum = "e91b56cd4cadaeb79bbf1a5645f6b4f8dc5bde8834ad5894a8db35fda9efa1fe" [[package]] name = "unindent" From bcb141b6b2ce15f4cb56dd48b046430a88e824e9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 14 Sep 2024 03:02:40 +0000 Subject: [PATCH 1082/1462] Bump peter-evans/create-pull-request from 7.0.1 to 7.0.2 (#11592) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 7.0.1 to 7.0.2. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20...d121e62763d8cc35b5fb1710e887d6e69a52d3a4) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 7b90df1a76c5..9e150c3f662b 100644 
--- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20 # v7.0.1 + uses: peter-evans/create-pull-request@d121e62763d8cc35b5fb1710e887d6e69a52d3a4 # v7.0.2 with: branch: "bump-openssl-boringssl" commit-message: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index b04510d674bb..e54a012d10b1 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20 # v7.0.1 + uses: peter-evans/create-pull-request@d121e62763d8cc35b5fb1710e887d6e69a52d3a4 # v7.0.2 with: branch: "bump-vectors" commit-message: "Bump x509-limbo and/or wycheproof in CI" From defe0cd74ef354f72b0452f00744f09603480bf2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 14 Sep 2024 03:02:56 +0000 Subject: [PATCH 1083/1462] Bump urllib3 from 2.2.2 to 2.2.3 (#11593) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.2.2 to 2.2.3. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.2.2...2.2.3) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 30596a38a069..41c6c329afeb 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -263,7 +263,7 @@ typing-extensions==4.12.2 ; python_full_version >= '3.8' # via mypy urllib3==2.0.7 ; python_full_version < '3.8' # via requests -urllib3==2.2.2 ; python_full_version >= '3.8' +urllib3==2.2.3 ; python_full_version >= '3.8' # via requests virtualenv==20.26.4 # via nox From 5924a6bf0a5e03f70edfe039d0d11142637fb4e0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 14 Sep 2024 03:22:24 +0000 Subject: [PATCH 1084/1462] Bump once_cell from 1.19.0 to 1.20.0 in /src/rust (#11596) Bumps [once_cell](https://github.com/matklad/once_cell) from 1.19.0 to 1.20.0. - [Changelog](https://github.com/matklad/once_cell/blob/master/CHANGELOG.md) - [Commits](https://github.com/matklad/once_cell/compare/v1.19.0...v1.20.0) --- updated-dependencies: - dependency-name: once_cell dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 930a1f0847ef..15d701d0de57 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -176,9 +176,9 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.19.0" +version = "1.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" +checksum = "33ea5043e58958ee56f3e15a90aee535795cd7dfd319846288d93c5b57d85cbe" [[package]] name = "openssl" From 6c5291683028eefa0aa83e722ec51d0b27b433d6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 14 Sep 2024 03:22:50 +0000 Subject: [PATCH 1085/1462] Bump ruff from 0.6.4 to 0.6.5 (#11597) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.6.4 to 0.6.5. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.6.4...0.6.5) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 41c6c329afeb..3912dee5010d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -188,7 +188,7 @@ requests==2.31.0 ; python_full_version < '3.8' # via sphinx requests==2.32.3 ; python_full_version >= '3.8' # via sphinx -ruff==0.6.4 +ruff==0.6.5 # via cryptography (pyproject.toml) six==1.16.0 ; python_full_version < '3.8' # via bleach From f1378b62e8a5c392b89b32a630ca67a7ca32bb84 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 14 Sep 2024 03:22:57 +0000 Subject: [PATCH 1086/1462] Bump idna from 3.8 to 3.9 (#11599) Bumps [idna](https://github.com/kjd/idna) from 3.8 to 3.9. - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](https://github.com/kjd/idna/compare/v3.8...v3.9) --- updated-dependencies: - dependency-name: idna dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3912dee5010d..2aceaf17b2f2 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -69,7 +69,7 @@ filelock==3.12.2 ; python_full_version < '3.8' # via virtualenv filelock==3.16.0 ; python_full_version >= '3.8' # via virtualenv -idna==3.8 +idna==3.9 # via requests imagesize==1.4.1 # via sphinx From 419d3ade129573b48428f6fd4dee5eed03a6905a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 14 Sep 2024 03:23:03 +0000 Subject: [PATCH 1087/1462] Bump platformdirs from 4.3.2 to 4.3.3 (#11598) Bumps [platformdirs](https://github.com/tox-dev/platformdirs) from 4.3.2 to 4.3.3. - [Release notes](https://github.com/tox-dev/platformdirs/releases) - [Changelog](https://github.com/tox-dev/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/tox-dev/platformdirs/compare/4.3.2...4.3.3) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 2aceaf17b2f2..a782f92e1e7c 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -124,7 +124,7 @@ pathspec==0.12.1 ; python_full_version >= '3.8' # via check-sdist platformdirs==4.0.0 ; python_full_version < '3.8' # via virtualenv -platformdirs==4.3.2 ; python_full_version >= '3.8' +platformdirs==4.3.3 ; python_full_version >= '3.8' # via virtualenv pluggy==1.2.0 ; python_full_version < '3.8' # via pytest From 44aa486fdd4a805c25d7aac536a9e775f3b4365a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 23:31:03 -0400 Subject: [PATCH 1088/1462] Bump uv from 0.4.9 to 0.4.10 in /.github/requirements (#11600) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.9 to 0.4.10. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.9...0.4.10) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 49d6eaddb5aa..37e1b3ac322a 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.9 \ - --hash=sha256:0340d2c7bf9afe0098e3301c1885de10e317232cfa346f0ac16374cee284a4cb \ - --hash=sha256:060af185481ef46ab97008cad330f3cd7a7aa1ce3d219b67d27c5a2a551ac2ea \ - --hash=sha256:1a8acc7abb2174bd3c8f5fc98345f2bb602f31b7558e37f3d23bef99ddd58dec \ - --hash=sha256:34bce9f4892130b01a7605d27bbeb71395e9b031d793123c250b79187ee307ca \ - --hash=sha256:45bf0cead2436b1977f71669e945db19990ca70a7765111fb951545815467bb6 \ - --hash=sha256:52101bc8652b4284b78fac52ed7878f3bae414bc4076c377735962666b309dde \ - --hash=sha256:5422680436f4cebef945bb2e562e01c02a4fa0a95f85d1b8010f2ee868a0b8c1 \ - --hash=sha256:55cf2522262ef663114bda5d80375ddc7f7af0d054df89426372a0d494380875 \ - --hash=sha256:566d4d7a475aacd21dbb4aba053cd4f4f52d65acdef2c83c59bcdff08756701e \ - --hash=sha256:5b66a52cb60a2882a882bc5f13afa6daf3172a54fe9fb998529d19418d5aed18 \ - --hash=sha256:630a6fe215829f734278e618c1633c2bb88ee03dc6a92ae9890fabd98ee810a9 \ - --hash=sha256:69529b6bf5de6ec8fbe8e022f5bcbaef778e76136fc37fae6ec7a8b18b3f9024 \ - --hash=sha256:71e87038fcc9f61b2d6f66c4a92354c6d0abe4baae21bb90241693f161ddeaa1 \ - --hash=sha256:8869637ea6231f66fe643be22f9334874db3496844b3d8bfd8efd4227ded3d44 \ - --hash=sha256:9c9b70f016f28cc05633b564d8690cfdb7ebac4d2210d9158819947841e00347 \ - --hash=sha256:b54a9022e9e1fdbf3ae15ef340a0d1d1847dd739df5023896aa8d97d88af1efe \ - --hash=sha256:bf834f7f360a192372d879eda86f6a1dd94195faf68154dcf7c90247098d2bb2 \ - --hash=sha256:f50cbdfbc8399e1211c580e47f42650a184541ee398af95ad29bf9a2e977baba +uv==0.4.10 \ + --hash=sha256:0784f75093a75390d8d480cc8a444516e78f08849db9a13c21791a5f651df4a1 \ + --hash=sha256:0f8b9ba4ecfbea343a00e46d509669606e55fe233d800752c4c25650473df358 \ + --hash=sha256:1b6b6c6b8cc0c4e54ab25e3b46e49d1e583e26c194572eb42bfeebf71b39cca2 \ + --hash=sha256:1ff5130b6f3af79c4e47f63db03215aed15e78cb4f1f51682af6f9949c2bcf00 \ + 
--hash=sha256:2ff29a2f55a697e78d787a41ab41d4b26421d200728289b88b6241d3b486c436 \ + --hash=sha256:30d1f8348a2b18e21a35c97ce42528781f242d0303881fc92fbacdcb653c8bca \ + --hash=sha256:3be73788db9ceacb94a521cf67ca5cc08bac512aef71145b904ab62a3acabdae \ + --hash=sha256:444e1cdb36d7ef103e52185f918800527c255dc369c9f90eb1f198dfa3f4d5bc \ + --hash=sha256:6ba1cc3070e5c63ce0a1421fbed28bd1b3ff520671d7badda11a501504c78394 \ + --hash=sha256:8fa510dfbbde4f8ad5cd2769568c7b0c3e867b74deaf4beabcca79e74e7550cc \ + --hash=sha256:97a1187e11a9df70d55bc577721ad4a19441cda56e4d69fb2f38d88c7650d2a0 \ + --hash=sha256:99954a94dd6c4bff8a9a963c05bc3988214ea39e7511a52fda35112e1a478447 \ + --hash=sha256:a9dc1f8fca5c4a2f73054d9f56c7397e9fc6ba43baefc503d6f0128d72ea662f \ + --hash=sha256:b89dfd213359a23797155ff8175e5202ed6b84aadeb20df92132127608d46acf \ + --hash=sha256:bc87d6c581cfed0979e0f5ee93383d46006c6d4a5e4eb9f43ef13bce61b50cc2 \ + --hash=sha256:bc99e6b45303f0881a8dc199f0b7ea8261dd1779e576e8477a7721ceeeaafcc7 \ + --hash=sha256:e99e3f761875962942e0743b868bd666021d5e14c3df494e820ef8f45fb88578 \ + --hash=sha256:ff9046a8c5e836e892ac7741e672ee016e92e55c659fa8195595df65a1f3accf From 132b6b37306302c637b5ea1f972b3f8f31493e30 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 14 Sep 2024 17:17:03 -0400 Subject: [PATCH 1089/1462] Fix linking against C++ runtime library on Windows, macOS (#11603) --- src/rust/cryptography-openssl/build.rs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/rust/cryptography-openssl/build.rs b/src/rust/cryptography-openssl/build.rs index 00e1df1326d1..4f66b4970644 100644 --- a/src/rust/cryptography-openssl/build.rs +++ b/src/rust/cryptography-openssl/build.rs 
@@ -28,6 +28,11 @@ fn main() { if env::var("DEP_OPENSSL_BORINGSSL").is_ok() { println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_BORINGSSL"); - println!("cargo:rustc-link-lib=stdc++"); + if env::var_os("CARGO_CFG_UNIX").is_some() { + match env::var("CARGO_CFG_TARGET_OS").as_deref() { + Ok("macos") => println!("cargo:rustc-link-lib=c++"), + _ => println!("cargo:rustc-link-lib=stdc++"), + } + } } } From fcf2b396d88ff84aaa9f47840895f462f27127b5 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 00:17:18 +0000 Subject: [PATCH 1090/1462] Bump BoringSSL and/or OpenSSL in CI (#11604) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c09208517f6f..ff689e808dc3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Sep 14, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "58f3bc83230d2958bb9710bc910972c4f5d382dc"}} - # Latest commit on the OpenSSL master branch, as of Sep 14, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0fdf965bf0b1f87d4a5d52c71994ffdda5235718"}} + # Latest commit on the OpenSSL master branch, as of Sep 16, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d81709316fc8f5703768c2ab4957a58dcea27872"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 2a63cedda3dce1cb51db3e718b0e4dfb4d2fbb12 Mon Sep 17 00:00:00 2001 
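Review bot: The new `match` sends every Unix target other than macOS to `stdc++`, and non-Unix targets now get no C++ runtime directive at all, with no comment explaining either choice. Other Unix targets whose default C++ runtime is libc++ (other Apple targets and some BSDs, as far as I know) would presumably hit the same link failure macOS did. If they are meant to be supported with BoringSSL, the arm could read `Ok("macos" | "ios" | "freebsd" | "openbsd") => println!("cargo:rustc-link-lib=c++"),`, with the target list confirmed against what is actually built. If Windows is skipped because the MSVC toolchain pulls in its C++ runtime on its own, a comment above the `CARGO_CFG_UNIX` check, such as `// Only Unix targets need an explicit C++ runtime; windows-gnu is not handled here`, would record that. `main` begins outside this hunk.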
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 07:00:16 -0400 Subject: [PATCH 1091/1462] Bump pyo3 from 0.22.2 to 0.22.3 in /src/rust (#11605) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.22.2 to 0.22.3. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/v0.22.3/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.22.2...v0.22.3) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 20 ++++++++++---------- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-keepalive/Cargo.toml | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 15d701d0de57..d9eefa4e2538 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -250,9 +250,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.22.2" +version = "0.22.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "831e8e819a138c36e212f3af3fd9eeffed6bf1510a805af35b0edee5ffa59433" +checksum = "15ee168e30649f7f234c3d49ef5a7a6cbf5134289bc46c29ff3155fa3221c225" dependencies = [ "cfg-if", "indoc", @@ -268,9 +268,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.22.2" +version = "0.22.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e8730e591b14492a8945cdff32f089250b05f5accecf74aeddf9e8272ce1fa8" +checksum = "e61cef80755fe9e46bb8a0b8f20752ca7676dcc07a5277d8b7768c6172e529b3" dependencies = [ "once_cell", "target-lexicon", 
@@ -278,9 +278,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.22.2" +version = "0.22.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5e97e919d2df92eb88ca80a037969f44e5e70356559654962cbb3316d00300c6" +checksum = "67ce096073ec5405f5ee2b8b31f03a68e02aa10d5d4f565eca04acc41931fa1c" dependencies = [ "libc", "pyo3-build-config", @@ -288,9 +288,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.22.2" +version = "0.22.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb57983022ad41f9e683a599f2fd13c3664d7063a3ac5714cae4b7bee7d3f206" +checksum = "2440c6d12bc8f3ae39f1e775266fa5122fd0c8891ce7520fa6048e683ad3de28" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -300,9 +300,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.22.2" +version = "0.22.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ec480c0c51ddec81019531705acac51bcdbeae563557c982aa8263bb96880372" +checksum = "1be962f0e06da8f8465729ea2cb71a416d2257dff56cbe40a70d3e62a93ae5d1" dependencies = [ "heck", "proc-macro2", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index c157ce70e1c0..47f992c2a9ce 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -17,7 +17,7 @@ rust-version.workspace = true [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.22.2", features = ["abi3"] } +pyo3 = { version = "0.22.3", features = ["abi3"] } asn1 = { version = "0.17.0", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 50c6567df22c..3e8181bd3939 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml 
@@ -7,7 +7,7 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.2", features = ["abi3"] } +pyo3 = { version = "0.22.3", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml index d281a1b0867e..f3cff5d25fcf 100644 --- a/src/rust/cryptography-keepalive/Cargo.toml +++ b/src/rust/cryptography-keepalive/Cargo.toml @@ -7,4 +7,4 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.2", features = ["abi3"] } +pyo3 = { version = "0.22.3", features = ["abi3"] } From fb753c37c801f5b6dc2cbb0e418341e2cb62fcaa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 07:01:32 -0400 Subject: [PATCH 1092/1462] Bump peter-evans/create-pull-request from 7.0.2 to 7.0.3 (#11607) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 7.0.2 to 7.0.3. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/d121e62763d8cc35b5fb1710e887d6e69a52d3a4...6cd32fd93684475c31847837f87bb135d40a2b79) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 9e150c3f662b..28600f88f8f5 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml 
@@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@d121e62763d8cc35b5fb1710e887d6e69a52d3a4 # v7.0.2 + uses: peter-evans/create-pull-request@6cd32fd93684475c31847837f87bb135d40a2b79 # v7.0.3 with: branch: "bump-openssl-boringssl" commit-message: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index e54a012d10b1..0e73415a7a73 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@d121e62763d8cc35b5fb1710e887d6e69a52d3a4 # v7.0.2 + uses: peter-evans/create-pull-request@6cd32fd93684475c31847837f87bb135d40a2b79 # v7.0.3 with: branch: "bump-vectors" commit-message: "Bump x509-limbo and/or wycheproof in CI" From 4ed1e6e7b719509831c45dae70caef94ed8a181c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 11:11:57 +0000 Subject: [PATCH 1093/1462] Bump cc from 1.1.18 to 1.1.19 in /src/rust (#11606) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.18 to 1.1.19. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.18...cc-v1.1.19) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index d9eefa4e2538..b5c1059f80f8 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.18" +version = "1.1.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b62ac837cdb5cb22e10a256099b4fc502b1dfe560cb282963a974d7abd80e476" +checksum = "2d74707dde2ba56f86ae90effb3b43ddd369504387e718014de010cec7959800" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 3e8181bd3939..d112b1ab0b6d 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.3", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.18" +cc = "1.1.19" From fe9d955a5fbc1d5f0475ae782305ce29d142461a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 11:12:23 +0000 Subject: [PATCH 1094/1462] Bump idna from 3.9 to 3.10 (#11608) Bumps [idna](https://github.com/kjd/idna) from 3.9 to 3.10. - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](https://github.com/kjd/idna/compare/v3.9...v3.10) --- updated-dependencies: - dependency-name: idna dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index a782f92e1e7c..3c1e7cf5fe84 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -69,7 +69,7 @@ filelock==3.12.2 ; python_full_version < '3.8' # via virtualenv filelock==3.16.0 ; python_full_version >= '3.8' # via virtualenv -idna==3.9 +idna==3.10 # via requests imagesize==1.4.1 # via sphinx From e2ef11f3d5f3301f9056d89d70379a0240abf052 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 16 Sep 2024 15:24:33 -0700 Subject: [PATCH 1095/1462] deprecate 3.7 (#11611) * deprecate 3.7 we don't have a timeline for removing support yet, but start warning * add coverage for a 3.7 builder --- .github/workflows/ci.yml | 4 ++-- CHANGELOG.rst | 3 +++ src/cryptography/__init__.py | 13 +++++++++++++ 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ff689e808dc3..794232b08dd4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -223,11 +223,11 @@ jobs: - {OS: 'macos-13', ARCH: 'x86_64'} - {OS: 'macos-14', ARCH: 'arm64'} PYTHON: - - {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} + - {VERSION: "3.7", NOXSESSION: "tests"} - {VERSION: "3.12", NOXSESSION: "tests"} exclude: # We only test latest Python on arm64. py37 won't work since there's no universal2 binary - - PYTHON: {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} + - PYTHON: {VERSION: "3.7", NOXSESSION: "tests"} RUNNER: {OS: 'macos-14', ARCH: 'arm64'} timeout-minutes: 15 steps: diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 75b4a55f78d3..b2e677dd219c 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -8,6 +8,9 @@ Changelog .. note:: This version is not yet released and is under active development. +* Deprecated Python 3.7 support. Python 3.7 is no longer supported by the + Python core team. Support for Python 3.7 will be removed in a future + ``cryptography`` release. * Enforce the :rfc:`5280` requirement that extended key usage extensions must not be empty. * Added support for timestamp extraction to the diff --git a/src/cryptography/__init__.py b/src/cryptography/__init__.py index d374f752dfd5..f37370e90a71 100644 --- a/src/cryptography/__init__.py +++ b/src/cryptography/__init__.py @@ -4,6 +4,10 @@ from __future__ import annotations +import sys +import warnings + +from cryptography import utils from cryptography.__about__ import __author__, __copyright__, __version__ __all__ = [ @@ -11,3 +15,12 @@ "__copyright__", "__version__", ] + +if sys.version_info[:2] == (3, 7): + warnings.warn( + "Python 3.7 is no longer supported by the Python core team " + "and support for it is deprecated in cryptography. A future " + "release of cryptography will remove support for Python 3.7.", + utils.CryptographyDeprecationWarning, + stacklevel=2, + ) From f53bc74c01c9048097b53b3b68c04a0aa25f8cc3 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 00:15:13 +0000 Subject: [PATCH 1096/1462] Bump BoringSSL and/or OpenSSL in CI (#11612) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 794232b08dd4..fee9c160d1d3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
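Review bot: The new `if sys.version_info[:2] == (3, 7):` block at the end of `src/cryptography/__init__.py` runs at import time, and nothing in the hunk says what that means for callers who promote warnings to errors. On 3.7, a `-W error` run or a test suite with an `error` warning filter would presumably fail at `import cryptography` rather than at a call site. I would add a short comment above the block, e.g. `# Import-time deprecation notice; filter utils.CryptographyDeprecationWarning to silence it.`, and mention the same in the CHANGELOG entry. `stacklevel=2` at module scope also deserves a word of explanation, since the intended target is presumably the importing module rather than this file. The diffstat lists no test file, so the branch appears to be exercised only by the 3.7 CI job that this commit switches to `tests`.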
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 14, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "58f3bc83230d2958bb9710bc910972c4f5d382dc"}} - # Latest commit on the OpenSSL master branch, as of Sep 16, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d81709316fc8f5703768c2ab4957a58dcea27872"}} + # Latest commit on the BoringSSL master branch, as of Sep 17, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2958490127dbe0df3adb72bc8ffb04ebca1f4bbf"}} + # Latest commit on the OpenSSL master branch, as of Sep 17, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "27abf142f640cf175e7690529660ebeb9a3875a9"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 658869facf4fc2bf70af9ce23fae089bb5b6439e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 00:31:11 +0000 Subject: [PATCH 1097/1462] Bump x509-limbo and/or wycheproof in CI (#11613) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index fa8a07b82231..06864eb41077 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Sep 11, 2024. - ref: "c9d011c6b696074a5a636c7cd40df8e4bd3cd67b" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Sep 17, 2024. + ref: "2ea77402d8ef7fbf8765c135f658f311e917ebf7" # x509-limbo-ref From 184aa0fe4c5e7f34d823868e25e045619b71a87b Mon Sep 17 00:00:00 2001 From: Gonzalo Atienza <38573982+gonatienza@users.noreply.github.com> Date: Tue, 17 Sep 2024 15:49:44 -0400 Subject: [PATCH 1098/1462] docs-chacha20-update (#11617) --- docs/hazmat/primitives/symmetric-encryption.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index dd32c913a7dd..a648238b6f36 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -174,6 +174,7 @@ Algorithms >>> import struct, os >>> from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes + >>> key = os.urandom(32) >>> nonce = os.urandom(8) >>> counter = 0 >>> full_nonce = struct.pack(" Date: Wed, 18 Sep 2024 00:16:52 +0000 Subject: [PATCH 1099/1462] Bump BoringSSL and/or OpenSSL in CI (#11618) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fee9c160d1d3..c4f86c1fea33 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 17, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2958490127dbe0df3adb72bc8ffb04ebca1f4bbf"}} - # Latest commit on the OpenSSL master branch, as of Sep 17, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "27abf142f640cf175e7690529660ebeb9a3875a9"}} + # Latest commit on the BoringSSL master branch, as of Sep 18, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "3d6f9f7f7a4d4642241fd20452ebffa32f7295ca"}} + # Latest commit on the OpenSSL master branch, as of Sep 18, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a57c6f84920bff522bca5fede73f1a3f132d7cff"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From be6e9eff5fe05be5730b61c352c32c1f295fba95 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 18 Sep 2024 00:34:55 +0000 Subject: [PATCH 1100/1462] Bump x509-limbo and/or wycheproof in CI (#11619) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 06864eb41077..3780ee21e422 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Sep 17, 2024. - ref: "2ea77402d8ef7fbf8765c135f658f311e917ebf7" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Sep 18, 2024. + ref: "d1478c0a1f98e97ae9c69112259edf3d50c345b6" # x509-limbo-ref From 71124f610fba5ca9a1d7c330609f670d398cd7eb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Sep 2024 06:42:29 -0400 Subject: [PATCH 1101/1462] Bump uv from 0.4.10 to 0.4.11 in /.github/requirements (#11624) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.10 to 0.4.11. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.10...0.4.11) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 37e1b3ac322a..9921a90559ed 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.10 \ - --hash=sha256:0784f75093a75390d8d480cc8a444516e78f08849db9a13c21791a5f651df4a1 \ - --hash=sha256:0f8b9ba4ecfbea343a00e46d509669606e55fe233d800752c4c25650473df358 \ - --hash=sha256:1b6b6c6b8cc0c4e54ab25e3b46e49d1e583e26c194572eb42bfeebf71b39cca2 \ - --hash=sha256:1ff5130b6f3af79c4e47f63db03215aed15e78cb4f1f51682af6f9949c2bcf00 \ - --hash=sha256:2ff29a2f55a697e78d787a41ab41d4b26421d200728289b88b6241d3b486c436 \ - --hash=sha256:30d1f8348a2b18e21a35c97ce42528781f242d0303881fc92fbacdcb653c8bca \ - --hash=sha256:3be73788db9ceacb94a521cf67ca5cc08bac512aef71145b904ab62a3acabdae \ - --hash=sha256:444e1cdb36d7ef103e52185f918800527c255dc369c9f90eb1f198dfa3f4d5bc \ - --hash=sha256:6ba1cc3070e5c63ce0a1421fbed28bd1b3ff520671d7badda11a501504c78394 \ - --hash=sha256:8fa510dfbbde4f8ad5cd2769568c7b0c3e867b74deaf4beabcca79e74e7550cc \ - --hash=sha256:97a1187e11a9df70d55bc577721ad4a19441cda56e4d69fb2f38d88c7650d2a0 \ - --hash=sha256:99954a94dd6c4bff8a9a963c05bc3988214ea39e7511a52fda35112e1a478447 \ - --hash=sha256:a9dc1f8fca5c4a2f73054d9f56c7397e9fc6ba43baefc503d6f0128d72ea662f \ - --hash=sha256:b89dfd213359a23797155ff8175e5202ed6b84aadeb20df92132127608d46acf \ - --hash=sha256:bc87d6c581cfed0979e0f5ee93383d46006c6d4a5e4eb9f43ef13bce61b50cc2 \ - --hash=sha256:bc99e6b45303f0881a8dc199f0b7ea8261dd1779e576e8477a7721ceeeaafcc7 \ - --hash=sha256:e99e3f761875962942e0743b868bd666021d5e14c3df494e820ef8f45fb88578 \ - --hash=sha256:ff9046a8c5e836e892ac7741e672ee016e92e55c659fa8195595df65a1f3accf +uv==0.4.11 \ + --hash=sha256:10438b6987a2a07aa0bbaf1adcdcaf6c02b0470532e7fe85690099c8dc2d1805 \ + --hash=sha256:1b169c6d7e1cc2dfea7429b77a64b6ee6cd4669d14267cefeefc89a9b355a003 \ + --hash=sha256:1f334d0d55eb1593016b02f9b66e204716c32ad125cdcabde72154072e151cc4 \ + --hash=sha256:22711f73f9b0f88b88923096438af514d1cc3ba085dbae617ce6823fa2caecec \ + 
--hash=sha256:397368d30abb80797085074401ab6773282b2ca6a61bf624b6f1ec0b7431f79b \ + --hash=sha256:4ad6528d86f3c22701bd8bd429a37ab285bae23bd967edf261aedddc109ce8ab \ + --hash=sha256:59ef3ed1ff4d3db7bfe5582706dff78a723101311782a1ad41744459e83949d4 \ + --hash=sha256:737c848a47a3d494c168f67a2771b0dcc96ea6c3b9a28e6b34deebb12a916bd8 \ + --hash=sha256:844b89eec72680a8bb25ed28ca53fa989f9721bf9878af647cfaec77933445c1 \ + --hash=sha256:85199e9972019849b172d76b5f957fbf8f803a53c9cb61600cc783180786543a \ + --hash=sha256:96c06fa24a528483c70495ff53d18da420d468f8939041a31cfa95f99a6be6c3 \ + --hash=sha256:a37a9cad2d050f9d488efabdef6a6f2af8d3305e434062e0a5eb3354107b6817 \ + --hash=sha256:a91e6ca28a01481d5cfc064ae004a23710c2aab52f7757b03e3f8abaf1112ba8 \ + --hash=sha256:b5844a41eecbb6729f7cb3e0af45bf183a1a0af8c14dc8cf4afe99192c188e30 \ + --hash=sha256:c5f64d77720b86e3ff965a4f3613d55f16e9b29d8b01a1d8a9dfe127c130ef65 \ + --hash=sha256:d62089003a56a89a6f5842ec0bede90890fa234e1c330350b7940fa0a6d32e99 \ + --hash=sha256:e5245cce77982e35263c66f65e3f79291e927820b3da1b3fe271633046225a88 \ + --hash=sha256:f277f4522a4a3abae5744e8eb9a91d1445dba17dbf3681b66b76ebc0739538d7 From 852d0366d858e46394faf7f2da022fded2ae474c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Sep 2024 06:43:15 -0400 Subject: [PATCH 1102/1462] Bump virtualenv from 20.26.4 to 20.26.5 (#11623) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.26.4 to 20.26.5. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.26.4...20.26.5) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3c1e7cf5fe84..e1b3d77b2ca0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -265,7 +265,7 @@ urllib3==2.0.7 ; python_full_version < '3.8' # via requests urllib3==2.2.3 ; python_full_version >= '3.8' # via requests -virtualenv==20.26.4 +virtualenv==20.26.5 # via nox webencodings==0.5.1 ; python_full_version < '3.8' # via bleach From 0060613662e29ae279eb144d94b5ccc1b9713f15 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Sep 2024 06:43:45 -0400 Subject: [PATCH 1103/1462] Bump filelock from 3.16.0 to 3.16.1 (#11622) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.16.0 to 3.16.1. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.16.0...3.16.1) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e1b3d77b2ca0..8b76372b50c9 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -67,7 +67,7 @@ execnet==2.1.1 ; python_full_version >= '3.8' # via pytest-xdist filelock==3.12.2 ; python_full_version < '3.8' # via virtualenv -filelock==3.16.0 ; python_full_version >= '3.8' +filelock==3.16.1 ; python_full_version >= '3.8' # via virtualenv idna==3.10 # via requests From fd803322b4b1738e4beff76bd0976a1cb3b8cdc4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Sep 2024 06:44:15 -0400 Subject: [PATCH 1104/1462] Bump platformdirs from 4.3.3 to 4.3.6 (#11621) Bumps [platformdirs](https://github.com/tox-dev/platformdirs) from 4.3.3 to 4.3.6. - [Release notes](https://github.com/tox-dev/platformdirs/releases) - [Changelog](https://github.com/tox-dev/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/tox-dev/platformdirs/compare/4.3.3...4.3.6) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 8b76372b50c9..3d7f12c9a8e8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -124,7 +124,7 @@ pathspec==0.12.1 ; python_full_version >= '3.8' # via check-sdist platformdirs==4.0.0 ; python_full_version < '3.8' # via virtualenv -platformdirs==4.3.3 ; python_full_version >= '3.8' +platformdirs==4.3.6 ; python_full_version >= '3.8' # via virtualenv pluggy==1.2.0 ; python_full_version < '3.8' # via pytest From e5501472b47573cc20b5649a2897bd6fe318acbf Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Sep 2024 06:44:55 -0400 Subject: [PATCH 1105/1462] Bump cc from 1.1.19 to 1.1.21 in /src/rust (#11620) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.19 to 1.1.21. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.19...cc-v1.1.21) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b5c1059f80f8..c77c76281fc9 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.19" +version = "1.1.21" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d74707dde2ba56f86ae90effb3b43ddd369504387e718014de010cec7959800" +checksum = "07b1695e2c7e8fc85310cde85aeaab7e3097f593c91d209d3f9df76c928100f0" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index d112b1ab0b6d..0b9968301fe5 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.3", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.19" +cc = "1.1.21" From cc6c1fcde2f6dde461a82d9d3ddac3c2c21e6648 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Sep 2024 22:23:21 +0000 Subject: [PATCH 1106/1462] Bump peter-evans/create-pull-request from 7.0.3 to 7.0.5 (#11626) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 7.0.3 to 7.0.5. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/6cd32fd93684475c31847837f87bb135d40a2b79...5e914681df9dc83aa4e4905692ca88beb2f9e91f) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 28600f88f8f5..df4b7bb3ede9 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@6cd32fd93684475c31847837f87bb135d40a2b79 # v7.0.3 + uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5 with: branch: "bump-openssl-boringssl" commit-message: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 0e73415a7a73..7c1566d59eac 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml 
@@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@6cd32fd93684475c31847837f87bb135d40a2b79 # v7.0.3 + uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5 with: branch: "bump-vectors" commit-message: "Bump x509-limbo and/or wycheproof in CI" From 8131a75aa196e661de56cf30f3dc6b545e1518bb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Sep 2024 22:26:53 +0000 Subject: [PATCH 1107/1462] Bump uv from 0.4.11 to 0.4.12 in /.github/requirements (#11627) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.11 to 0.4.12. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.11...0.4.12) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 9921a90559ed..53e9648147bf 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.11 \ - --hash=sha256:10438b6987a2a07aa0bbaf1adcdcaf6c02b0470532e7fe85690099c8dc2d1805 \ - --hash=sha256:1b169c6d7e1cc2dfea7429b77a64b6ee6cd4669d14267cefeefc89a9b355a003 \ - --hash=sha256:1f334d0d55eb1593016b02f9b66e204716c32ad125cdcabde72154072e151cc4 \ - --hash=sha256:22711f73f9b0f88b88923096438af514d1cc3ba085dbae617ce6823fa2caecec \ - --hash=sha256:397368d30abb80797085074401ab6773282b2ca6a61bf624b6f1ec0b7431f79b \ - --hash=sha256:4ad6528d86f3c22701bd8bd429a37ab285bae23bd967edf261aedddc109ce8ab \ - --hash=sha256:59ef3ed1ff4d3db7bfe5582706dff78a723101311782a1ad41744459e83949d4 \ - --hash=sha256:737c848a47a3d494c168f67a2771b0dcc96ea6c3b9a28e6b34deebb12a916bd8 \ - --hash=sha256:844b89eec72680a8bb25ed28ca53fa989f9721bf9878af647cfaec77933445c1 \ - --hash=sha256:85199e9972019849b172d76b5f957fbf8f803a53c9cb61600cc783180786543a \ - --hash=sha256:96c06fa24a528483c70495ff53d18da420d468f8939041a31cfa95f99a6be6c3 \ - --hash=sha256:a37a9cad2d050f9d488efabdef6a6f2af8d3305e434062e0a5eb3354107b6817 \ - --hash=sha256:a91e6ca28a01481d5cfc064ae004a23710c2aab52f7757b03e3f8abaf1112ba8 \ - --hash=sha256:b5844a41eecbb6729f7cb3e0af45bf183a1a0af8c14dc8cf4afe99192c188e30 \ - --hash=sha256:c5f64d77720b86e3ff965a4f3613d55f16e9b29d8b01a1d8a9dfe127c130ef65 \ - --hash=sha256:d62089003a56a89a6f5842ec0bede90890fa234e1c330350b7940fa0a6d32e99 \ - --hash=sha256:e5245cce77982e35263c66f65e3f79291e927820b3da1b3fe271633046225a88 \ - --hash=sha256:f277f4522a4a3abae5744e8eb9a91d1445dba17dbf3681b66b76ebc0739538d7 +uv==0.4.12 \ + --hash=sha256:0840d0141f54f64474c9dbd46787971859fac9deacc701091b44f1c47d066823 \ + --hash=sha256:0d548c090bf38fb76b6493c90bbfbad30bfc4b41365019953bffbc54d32394ed \ + --hash=sha256:0f00d15108af7b17f49d70714a31927eed27e192d5e5410822c098399d61196d \ + --hash=sha256:31f7689c6f49b0489dc727b1e6f0f008f7db21388c3cf374577a445bd7d727b8 \ + 
--hash=sha256:56901b53c9bcce81305826c89378058922b405d0fbfb5c2742dda7dc5fdf891c \ + --hash=sha256:649d2974da5d867ca0230a15aa75d6e4625c2a71eddc0abaeebe7a167038f56b \ + --hash=sha256:67327c5997a9c4531c0e13be8545aa6568a15c99a97770ac65f6dcc5600e8a9c \ + --hash=sha256:6922ca516056069a6c835f0cf60053241bb3438e4ccc0356c223d4f5c0d92254 \ + --hash=sha256:86635a9dd024d08499405c9e1c1087aa24ffbfe89eb6dde010e5a60855e661bc \ + --hash=sha256:8a102ee30a41909634b28cb9d7d5a03af2953aa86ff941e24916093f4a74d44f \ + --hash=sha256:8cbfa5ed4ea167291260416d71d54ffb949b0b98bcf945190adb8c65e30492be \ + --hash=sha256:9aa768f4b94335a4145d74e73ff4721cb1a3e1fd1269f4bb95187a9f8d41f8e1 \ + --hash=sha256:a1d2ada46563178cacfeb2ff8a3b2764381a953cee87002fad0b9181f4a35e0d \ + --hash=sha256:a3c1b7b4a6e5258c0b20079beb1d22c3d306f7695eab8a3d3aea93b37db01b3a \ + --hash=sha256:c081b13c7789b518a2077ed0c49d33c9d855e110a2f670e4f354696245089edc \ + --hash=sha256:c6861b3c92da1cdc2cb18c76b0e05004413ce1cc95782a4b34b7ee002006efb8 \ + --hash=sha256:dc638ff81e817a1c049c8bd51c623238dccf9bfbfb17e20878eaece6c74338bb \ + --hash=sha256:e931a2add4dfec717184164a54608b99d37e0000b9c151bb020a0a2dcc6d5cc1 From 698931ab87bee1485bfac11b91db2a37a76c5f25 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 18 Sep 2024 20:18:22 -0400 Subject: [PATCH 1108/1462] Bump BoringSSL and/or OpenSSL in CI (#11628) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c4f86c1fea33..83b5153936af 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 18, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "3d6f9f7f7a4d4642241fd20452ebffa32f7295ca"}} - # Latest commit on the OpenSSL master branch, as of Sep 18, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a57c6f84920bff522bca5fede73f1a3f132d7cff"}} + # Latest commit on the BoringSSL master branch, as of Sep 19, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "59c222fcf123ec2026da450a0a8676436751a351"}} + # Latest commit on the OpenSSL master branch, as of Sep 19, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5ac48fd813768d7246529358bbee292e4632c4f9"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 44d56f758dd9132a93558d8354a4026ba9d73a4e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 20 Sep 2024 00:16:24 +0000 Subject: [PATCH 1109/1462] Bump BoringSSL and/or OpenSSL in CI (#11629) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 83b5153936af..a6db2c151296 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 19, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "59c222fcf123ec2026da450a0a8676436751a351"}} - # Latest commit on the OpenSSL master branch, as of Sep 19, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5ac48fd813768d7246529358bbee292e4632c4f9"}} + # Latest commit on the BoringSSL master branch, as of Sep 20, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0d9bb204ab04fd1e3eee9b3926c7449505ec6159"}} + # Latest commit on the OpenSSL master branch, as of Sep 20, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7f62adaf2b088de38ad2e534d0bfae2ff7ae01f2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From ccd876e995cf1e7fb6bab83298c7fc19c077cb46 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 20 Sep 2024 00:34:29 -0400 Subject: [PATCH 1110/1462] Added a comment for a long-future MSRV (#11630) --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a6db2c151296..f5cd12e2efc6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -50,6 +50,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7f62adaf2b088de38ad2e534d0bfae2ff7ae01f2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. + # - 1.80: LazyLock in std - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "beta"} - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "nightly"} From 52cc263eb9e7149fb5d669eedbd6ed263aa16669 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 20 Sep 2024 07:39:37 -0400 Subject: [PATCH 1111/1462] Bump uv from 0.4.12 to 0.4.13 in /.github/requirements (#11632) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.12 to 0.4.13. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.12...0.4.13) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 53e9648147bf..12186a9469be 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.12 \ - --hash=sha256:0840d0141f54f64474c9dbd46787971859fac9deacc701091b44f1c47d066823 \ - --hash=sha256:0d548c090bf38fb76b6493c90bbfbad30bfc4b41365019953bffbc54d32394ed \ - --hash=sha256:0f00d15108af7b17f49d70714a31927eed27e192d5e5410822c098399d61196d \ - --hash=sha256:31f7689c6f49b0489dc727b1e6f0f008f7db21388c3cf374577a445bd7d727b8 \ - --hash=sha256:56901b53c9bcce81305826c89378058922b405d0fbfb5c2742dda7dc5fdf891c \ - --hash=sha256:649d2974da5d867ca0230a15aa75d6e4625c2a71eddc0abaeebe7a167038f56b \ - --hash=sha256:67327c5997a9c4531c0e13be8545aa6568a15c99a97770ac65f6dcc5600e8a9c \ - --hash=sha256:6922ca516056069a6c835f0cf60053241bb3438e4ccc0356c223d4f5c0d92254 \ - --hash=sha256:86635a9dd024d08499405c9e1c1087aa24ffbfe89eb6dde010e5a60855e661bc \ - --hash=sha256:8a102ee30a41909634b28cb9d7d5a03af2953aa86ff941e24916093f4a74d44f \ - --hash=sha256:8cbfa5ed4ea167291260416d71d54ffb949b0b98bcf945190adb8c65e30492be \ - --hash=sha256:9aa768f4b94335a4145d74e73ff4721cb1a3e1fd1269f4bb95187a9f8d41f8e1 \ - --hash=sha256:a1d2ada46563178cacfeb2ff8a3b2764381a953cee87002fad0b9181f4a35e0d \ - --hash=sha256:a3c1b7b4a6e5258c0b20079beb1d22c3d306f7695eab8a3d3aea93b37db01b3a \ - --hash=sha256:c081b13c7789b518a2077ed0c49d33c9d855e110a2f670e4f354696245089edc \ - --hash=sha256:c6861b3c92da1cdc2cb18c76b0e05004413ce1cc95782a4b34b7ee002006efb8 \ - --hash=sha256:dc638ff81e817a1c049c8bd51c623238dccf9bfbfb17e20878eaece6c74338bb \ - --hash=sha256:e931a2add4dfec717184164a54608b99d37e0000b9c151bb020a0a2dcc6d5cc1 +uv==0.4.13 \ + --hash=sha256:06317f66c7a991775d2c761090e51c2ece6e1a448618643993394ef21a890192 \ + --hash=sha256:1d83f39d8cf9301dc30da6e597d51b0e9a92b28a302dd777299b586914453b02 \ + --hash=sha256:23d92c1f902344c0b1d8b6f260eb9b6599a04272f08ad9bf11421a846083f444 \ + --hash=sha256:25036e4b1492bf0ceaa4ffe3ddc39351da129078abe47479a6ffb3c5040f85cf \ + 
--hash=sha256:2aadbbba1cde9efd4fc0a864a2097cdbecdb6a7fa60e3168c0ba20cb617a317d \ + --hash=sha256:4a4e3d20696349a4abbe0297b524276d24b8503b9e5eef0e485cfeb705addc49 \ + --hash=sha256:4e7efaf65d2a67f91ff443fc42b2e8d901ad0091fe60278861ad17a2fb6f79ee \ + --hash=sha256:52b4be61f3f03a6093ff30371d8db9b26a1e3a85633576f505ebafd8c9aea7b8 \ + --hash=sha256:53c9570788ee4403486e9529722f65aa881f43f091989b7c01b798040877a967 \ + --hash=sha256:57e9963b2dd23def893e0321f979f6da84ed86cd0c9053fdb48c4592b89ec86d \ + --hash=sha256:692a361dd124d4e5d10dedede5d4d6d65f9ef32d0ef99b9354eb227a31769b5d \ + --hash=sha256:813b8b7ffc6425e1b67359c091306aeca335f751b02b301c8ac63d37ccce92c0 \ + --hash=sha256:8e170c738bb56911916ceb1c46d2062c6f77d0e87355b1adc51669fa8dfb21c0 \ + --hash=sha256:a6dfe55b7d26b396df30a22d73895e96070f4b952833ffbe4d286834be57148a \ + --hash=sha256:aa0c1668bd3bac445769c95524a429510b9fd635a1977be1155bc37948828c68 \ + --hash=sha256:ab3c811ed2e019c1cf86235cc698b301ce469df457407e3821d80abd1c090bec \ + --hash=sha256:c75d94d520bef8521bc6d232da91a014b7c5022bc89e0b415f2999aac0874997 \ + --hash=sha256:db8f85fff34177276fd8a7c595131179a00eb64eafe4f36edbbfd5ce6ab352f7 From 56d7dc33363f0709d5d55ca9c133cdaa693b7830 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 20 Sep 2024 07:39:53 -0400 Subject: [PATCH 1112/1462] Bump ruff from 0.6.5 to 0.6.6 (#11631) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.6.5 to 0.6.6. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.6.5...0.6.6) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3d7f12c9a8e8..f87a7240abda 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -188,7 +188,7 @@ requests==2.31.0 ; python_full_version < '3.8' # via sphinx requests==2.32.3 ; python_full_version >= '3.8' # via sphinx -ruff==0.6.5 +ruff==0.6.6 # via cryptography (pyproject.toml) six==1.16.0 ; python_full_version < '3.8' # via bleach From 60ead3465e8d2069510a70ef0c14e8b2a7b6d881 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 20 Sep 2024 22:23:54 +0000 Subject: [PATCH 1113/1462] Bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2 (#11633) Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.10.1 to 1.10.2. - [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases) - [Commits](https://github.com/pypa/gh-action-pypi-publish/compare/0ab0b79471669eb3a4d647e625009c62f9f3b241...897895f1e160c830e369f9779632ebc134688e1b) --- updated-dependencies: - dependency-name: pypa/gh-action-pypi-publish dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 630442a75655..10bd56c7064e 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml 
@@ -52,7 +52,7 @@ jobs: find tmpdist/ -type f -name 'cryptography*' -exec mv {} dist/ \; - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@0ab0b79471669eb3a4d647e625009c62f9f3b241 # v1.10.1 + uses: pypa/gh-action-pypi-publish@897895f1e160c830e369f9779632ebc134688e1b # v1.10.2 with: repository-url: ${{ env.PYPI_URL }} skip-existing: true From 3938fd510c1caabc4510243cc41ed94402ebe58b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 20 Sep 2024 22:25:35 +0000 Subject: [PATCH 1114/1462] Bump uv from 0.4.13 to 0.4.14 in /.github/requirements (#11634) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.13 to 0.4.14. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.13...0.4.14) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 12186a9469be..1bfa1ec4f937 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.13 \ - --hash=sha256:06317f66c7a991775d2c761090e51c2ece6e1a448618643993394ef21a890192 \ - --hash=sha256:1d83f39d8cf9301dc30da6e597d51b0e9a92b28a302dd777299b586914453b02 \ - --hash=sha256:23d92c1f902344c0b1d8b6f260eb9b6599a04272f08ad9bf11421a846083f444 \ - --hash=sha256:25036e4b1492bf0ceaa4ffe3ddc39351da129078abe47479a6ffb3c5040f85cf \ - --hash=sha256:2aadbbba1cde9efd4fc0a864a2097cdbecdb6a7fa60e3168c0ba20cb617a317d \ - --hash=sha256:4a4e3d20696349a4abbe0297b524276d24b8503b9e5eef0e485cfeb705addc49 \ - --hash=sha256:4e7efaf65d2a67f91ff443fc42b2e8d901ad0091fe60278861ad17a2fb6f79ee \ - --hash=sha256:52b4be61f3f03a6093ff30371d8db9b26a1e3a85633576f505ebafd8c9aea7b8 \ - --hash=sha256:53c9570788ee4403486e9529722f65aa881f43f091989b7c01b798040877a967 \ - --hash=sha256:57e9963b2dd23def893e0321f979f6da84ed86cd0c9053fdb48c4592b89ec86d \ - --hash=sha256:692a361dd124d4e5d10dedede5d4d6d65f9ef32d0ef99b9354eb227a31769b5d \ - --hash=sha256:813b8b7ffc6425e1b67359c091306aeca335f751b02b301c8ac63d37ccce92c0 \ - --hash=sha256:8e170c738bb56911916ceb1c46d2062c6f77d0e87355b1adc51669fa8dfb21c0 \ - --hash=sha256:a6dfe55b7d26b396df30a22d73895e96070f4b952833ffbe4d286834be57148a \ - --hash=sha256:aa0c1668bd3bac445769c95524a429510b9fd635a1977be1155bc37948828c68 \ - --hash=sha256:ab3c811ed2e019c1cf86235cc698b301ce469df457407e3821d80abd1c090bec \ - --hash=sha256:c75d94d520bef8521bc6d232da91a014b7c5022bc89e0b415f2999aac0874997 \ - --hash=sha256:db8f85fff34177276fd8a7c595131179a00eb64eafe4f36edbbfd5ce6ab352f7 +uv==0.4.14 \ + --hash=sha256:0e0a91f580e02fef0fc8d0d1aab7cbd4060e04cd0d051f55dcde513205039ef8 \ + --hash=sha256:130dfc5277bd6703c8e1e6ce1d33d232b28e0cb7f558066fe59512592b425d67 \ + --hash=sha256:1cb55f165841acc7300706b83191aad2e4a319d7d39f9088bd7ed01f7cfd27ca \ + --hash=sha256:2b56b959a6606d43bde9cb3c3e10c85daf7ce1411a46cb41bf11d135cd63d2b0 \ + 
--hash=sha256:4c5ed116d05c87e42da05e94b2eb7c0472acdd8b80dbfeb4c3b7846e6fbc02f6 \ + --hash=sha256:4deed108d697c8a2fd28ed849ccae2ff08cd06c2c2309b426d13ae695d27dfbc \ + --hash=sha256:57312d9fb4fb3bd69ed37ae99c66e7af0d582b78e9616d571b66d537ac08e850 \ + --hash=sha256:6902b1aad2751a7306589301e965f15975f8a3b63601d96624f580f3878b2793 \ + --hash=sha256:7484fcc38afd37880eaef89fc515f912fcdbd065da0ea986fc6ba84905063ab2 \ + --hash=sha256:7bf0ccb0955bb8ad5de87debfa2faf72262a88480b7b8b51679a895fbcdd517b \ + --hash=sha256:7c29199e163912812386e97107575e1aa5925fbac74d30c2b38f8ffa856a460e \ + --hash=sha256:bf623a1e328a67b419c9cbdf650d420d4beea23386ed91ffa540e84f0ac9d5d6 \ + --hash=sha256:c3ab8dc834860b194b490af43452cafd69c8298f20b9be664f9aef76ba6a7b05 \ + --hash=sha256:c531d6b5b777559a229b388bac6c4b05f9d4c39970625c683da20bc35f49ee77 \ + --hash=sha256:d429acdfdf9624348f43832113c9fcda6bfb5e080bf26e3a738e782964fb50cc \ + --hash=sha256:d6fb5ae34cbaf783f2d51ec12f351235f16bc2435707aa898d7a643d965b95b1 \ + --hash=sha256:e434d5714d2fcf86bc3039b1bf021d2b10189f09140b183fc0bd466de5e3d5c5 \ + --hash=sha256:f28a016a9d65b2e319d79125dd8e9f2313cd4d433653b01f6abe88a10c9bcfc7 From 1ff9e7b616f8e20723471b7a802e42ab47775bcc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 20 Sep 2024 22:27:38 +0000 Subject: [PATCH 1115/1462] Bump portable-atomic from 1.7.0 to 1.8.0 in /src/rust (#11635) Bumps [portable-atomic](https://github.com/taiki-e/portable-atomic) from 1.7.0 to 1.8.0. - [Release notes](https://github.com/taiki-e/portable-atomic/releases) - [Changelog](https://github.com/taiki-e/portable-atomic/blob/main/CHANGELOG.md) - [Commits](https://github.com/taiki-e/portable-atomic/compare/v1.7.0...v1.8.0) --- updated-dependencies: - dependency-name: portable-atomic dependency-type: indirect update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index c77c76281fc9..5cfaa691c4fd 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -235,9 +235,9 @@ checksum = "d231b230927b5e4ad203db57bbcbee2802f6bce620b1e4a9024a07d94e2907ec" [[package]] name = "portable-atomic" -version = "1.7.0" +version = "1.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "da544ee218f0d287a911e9c99a39a8c9bc8fcad3cb8db5959940044ecfc67265" +checksum = "d30538d42559de6b034bc76fd6dd4c38961b1ee5c6c56e3808c50128fdbc22ce" [[package]] name = "proc-macro2" From 0c9139f205c9a17798b8c7b3302fabbfa0b7323c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 21 Sep 2024 00:16:56 +0000 Subject: [PATCH 1116/1462] Bump BoringSSL and/or OpenSSL in CI (#11636) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f5cd12e2efc6..3e5822fd18fe 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 20, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0d9bb204ab04fd1e3eee9b3926c7449505ec6159"}} + # Latest commit on the BoringSSL master branch, as of Sep 21, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "718900aeb84c601523e71abbd18fd70c9e2ad884"}} # Latest commit on the OpenSSL master branch, as of Sep 20, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7f62adaf2b088de38ad2e534d0bfae2ff7ae01f2"}} # Builds with various Rust versions. Includes MSRV and next From 8847c5638208ac8d396cac7cee68afdfae1aabb4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 22 Sep 2024 11:07:45 -0400 Subject: [PATCH 1117/1462] Fix various warnings from zizmor (#11639) --- .github/workflows/auto-close-stale.yml | 8 ++++---- .github/workflows/benchmark.yml | 1 + .github/workflows/boring-open-version-bump.yml | 3 +++ .github/workflows/lock.yml | 6 +++--- .github/workflows/x509-limbo-version-bump.yml | 3 +++ 5 files changed, 14 insertions(+), 7 deletions(-) diff --git a/.github/workflows/auto-close-stale.yml b/.github/workflows/auto-close-stale.yml index de269c8aceac..d982491e0352 100644 --- a/.github/workflows/auto-close-stale.yml +++ b/.github/workflows/auto-close-stale.yml @@ -4,14 +4,14 @@ on: schedule: - cron: '0 0 * * *' -permissions: - issues: "write" - pull-requests: "write" - jobs: auto-close: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest + permissions: + issues: "write" + pull-requests: "write" + steps: - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: 
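Review bot: With the workflow-level `permissions:` block removed in the auto-close-stale.yml hunk, nothing visible sets a default for the workflow, so a job added later without its own `permissions:` would fall back to the repository's default token scopes. Keeping an empty default at the top, `permissions: {}`, next to the new job-level grant would make the least-privilege intent explicit. The same applies to the lock.yml hunk in this commit. Both files are only partly visible (the `steps:` lists continue outside the hunks), so this is judged from the shown lines only.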
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 196e9905ac21..6fa6f8c08ce2 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -34,6 +34,7 @@ jobs: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 with: + persist-credentials: false repository: "pyca/cryptography" path: "cryptography-base" ref: "${{ github.event.inputs.base_commit || github.base_ref }}" diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index df4b7bb3ede9..e51fd7ccb488 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -14,6 +14,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + # Needed so we can push back to the repo + persist-credentials: true - id: check-sha-boring run: | SHA=$(git ls-remote https://boringssl.googlesource.com/boringssl refs/heads/master | cut -f1) diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index f037c6555c4f..f58867b59e2a 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -4,13 +4,13 @@ on: schedule: - cron: '0 3 * * *' -permissions: - issues: "write" - jobs: lock: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest + permissions: + issues: "write" + steps: - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1 with: diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 7c1566d59eac..46f42b64405c 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml 
@@ -14,6 +14,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + # Needed so we can push back to the repo + persist-credentials: true - id: check-sha-x509-limbo run: | SHA=$(git ls-remote https://github.com/C2SP/x509-limbo refs/heads/main | cut -f1) From 4392d2fcd1c8727bda8de8eea6e93559851c8474 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 22 Sep 2024 11:28:37 -0400 Subject: [PATCH 1118/1462] Another comment on a theoretical future MSRV (#11637) * Another comment on a theoretical future MSRV * Update ci.yml --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3e5822fd18fe..96c8704b4e74 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -50,6 +50,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7f62adaf2b088de38ad2e534d0bfae2ff7ae01f2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. + # - 1.70: crates.io sparse protocol by default + # - 1.77: offset_of! in std (for pyo3) # - 1.80: LazyLock in std - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "beta"} From 306175e7c1440adc8e59c09a51c69ab2e6c3717b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 22 Sep 2024 11:31:44 -0400 Subject: [PATCH 1119/1462] Allow shell to expand variables, not GHA (#11640) * Allow shell to expand variables, not GHA This avoids theoretical shell injection risks (in reality there are none). * Update wheel-builder.yml * Update wheel-builder.yml --- .github/workflows/wheel-builder.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index f1b92b5b9eca..6a59485fe39c 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml 
@@ -223,7 +223,7 @@ jobs: with: name: cryptography-sdist - - run: ${{ matrix.PYTHON.BIN_PATH }} -m pip install -r ${{ env.UV_REQUIREMENTS_PATH }} + - run: ${{ matrix.PYTHON.BIN_PATH }} -m pip install -r "${UV_REQUIREMENTS_PATH}" - run: mkdir wheelhouse - name: Build the wheel run: | @@ -314,7 +314,8 @@ jobs: echo "OPENSSL_STATIC=1" >> $GITHUB_ENV shell: bash - - run: pip install -r ${{ env.UV_REQUIREMENTS_PATH }} + - run: pip install -r "${UV_REQUIREMENTS_PATH}" + shell: bash - run: mkdir wheelhouse - run: | if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then @@ -325,7 +326,8 @@ jobs: shell: bash - run: uv venv - - run: uv pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} + - run: uv pip install --require-hashes -r "${BUILD_REQUIREMENTS_PATH}" + shell: bash - run: uv pip install cryptography --no-index -f wheelhouse/ - name: Print the OpenSSL we built and linked against run: | From 933d0efe301fca6aa91050e461c8fc17f1184c29 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 22 Sep 2024 11:36:28 -0400 Subject: [PATCH 1120/1462] Use static metadata for cargo check-cfg (#11638) --- src/rust/Cargo.toml | 3 +++ src/rust/build.rs | 6 ------ src/rust/cryptography-cffi/Cargo.toml | 3 +++ src/rust/cryptography-cffi/build.rs | 2 -- src/rust/cryptography-key-parsing/Cargo.toml | 3 +++ src/rust/cryptography-key-parsing/build.rs | 3 --- src/rust/cryptography-openssl/Cargo.toml | 3 +++ src/rust/cryptography-openssl/build.rs | 5 ----- 8 files changed, 12 insertions(+), 16 deletions(-) diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 47f992c2a9ce..32bfde2e7803 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml 
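Review bot: The first hunk still lets Actions expand `${{ matrix.PYTHON.BIN_PATH }}` into the script text, and the context of the second hunk does the same with `${{ matrix.PYTHON.ABI_VERSION }}` inside the `if [ -n ... ]` test. Both values presumably come from the workflow's own matrix, so this is a consistency point rather than an injection path. Routing them through `env:` as well (for example `env: PYTHON_BIN: ${{ matrix.PYTHON.BIN_PATH }}` and `"${PYTHON_BIN}" -m pip install -r "${UV_REQUIREMENTS_PATH}"`) would leave no template expansion inside `run:` for a later matrix change to inherit. The steps shown belong to jobs that start and end outside the hunks.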
@@ -51,3 +51,6 @@ members = [ "cryptography-x509", "cryptography-x509-verification", ] + +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_IDEA", "OPENSSL_NO_CAST", "OPENSSL_NO_BF", "OPENSSL_NO_CAMELLIA", "OPENSSL_NO_SEED", "OPENSSL_NO_SM4"))'] } diff --git a/src/rust/build.rs b/src/rust/build.rs index 5abe0ce3e536..d4dca24c4566 100644 --- a/src/rust/build.rs +++ b/src/rust/build.rs @@ -6,12 +6,6 @@ use std::env; #[allow(clippy::unusual_byte_groupings)] fn main() { - println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)"); - println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)"); - println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_LIBRESSL)"); - println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_BORINGSSL)"); - println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_OSSLCONF, values(\"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_SM4\"))"); - if let Ok(version) = env::var("DEP_OPENSSL_VERSION_NUMBER") { let version = u64::from_str_radix(&version, 16).unwrap(); diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 0b9968301fe5..7839bb7169cb 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,3 +12,6 @@ openssl-sys = "0.9.103" [build-dependencies] cc = "1.1.21" + +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(python_implementation, values("CPython", "PyPy"))'] } diff --git a/src/rust/cryptography-cffi/build.rs b/src/rust/cryptography-cffi/build.rs index 858cc72c8a6f..1243a8187a97 100644 --- a/src/rust/cryptography-cffi/build.rs +++ b/src/rust/cryptography-cffi/build.rs 
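Review bot: The `check-cfg` list added under `[lints.rust]` now has to be kept in step by hand with the `cargo:rustc-cfg=` lines that build.rs emits (one is visible in the cryptography-key-parsing build.rs context later in this commit), and nothing in the manifest says so. A comment above the entry, such as `# Keep in sync with the cfg names emitted by build.rs`, would help whoever adds the next cfg. The same applies to the other three Cargo.toml hunks in this commit. Because the lint level is `warn`, a mistyped cfg name that silently compiles out a backend-specific path only fails the build if warnings are denied elsewhere, which is not visible here.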
@@ -7,8 +7,6 @@ use std::path::Path; use std::process::Command; fn main() { - println!("cargo:rustc-check-cfg=cfg(python_implementation, values(\"CPython\", \"PyPy\"))"); - let target = env::var("TARGET").unwrap(); let openssl_static = env::var("OPENSSL_STATIC") .map(|x| x == "1") diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index 1dcaaf4e3f1c..b44f68d44aeb 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -12,3 +12,6 @@ cfg-if = "1" openssl = "0.10.66" openssl-sys = "0.9.103" cryptography-x509 = { path = "../cryptography-x509" } + +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)'] } diff --git a/src/rust/cryptography-key-parsing/build.rs b/src/rust/cryptography-key-parsing/build.rs index 15f34f38b4dd..cd318b35ff35 100644 --- a/src/rust/cryptography-key-parsing/build.rs +++ b/src/rust/cryptography-key-parsing/build.rs @@ -5,9 +5,6 @@ use std::env; fn main() { - println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_LIBRESSL)"); - println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_BORINGSSL)"); - if env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER").is_ok() { println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_LIBRESSL"); } diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index f340ed87cf53..8d0bf2fd831a 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -12,3 +12,6 @@ openssl = "0.10.66" ffi = { package = "openssl-sys", version = "0.9.101" } foreign-types = "0.3" foreign-types-shared = "0.1" + +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)'] } 
diff --git a/src/rust/cryptography-openssl/build.rs b/src/rust/cryptography-openssl/build.rs index 4f66b4970644..bed5a22111f1 100644 --- a/src/rust/cryptography-openssl/build.rs +++ b/src/rust/cryptography-openssl/build.rs @@ -6,11 +6,6 @@ use std::env; #[allow(clippy::unusual_byte_groupings)] fn main() { - println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)"); - println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)"); - println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_LIBRESSL)"); - println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_BORINGSSL)"); - if let Ok(version) = env::var("DEP_OPENSSL_VERSION_NUMBER") { let version = u64::from_str_radix(&version, 16).unwrap(); From d495503cc8effde97dcbe93203744faf11b72acb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 22 Sep 2024 12:22:55 -0400 Subject: [PATCH 1121/1462] Fix zizmor warnings about interpolating output into script (#11641) --- .github/workflows/boring-open-version-bump.yml | 8 ++++++-- .github/workflows/x509-limbo-version-bump.yml | 8 ++++++-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index e51fd7ccb488..c858bf29c121 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml 
@@ -43,17 +43,21 @@ jobs: set -xe CURRENT_DATE=$(date "+%b %d, %Y") sed -E -i "s/Latest commit on the BoringSSL master branch.*/Latest commit on the BoringSSL master branch, as of ${CURRENT_DATE}./" .github/workflows/ci.yml - sed -E -i "s/TYPE: \"boringssl\", VERSION: \"[0-9a-f]{40}\"/TYPE: \"boringssl\", VERSION: \"${{ steps.check-sha-boring.outputs.COMMIT_SHA }}\"/" .github/workflows/ci.yml + sed -E -i "s/TYPE: \"boringssl\", VERSION: \"[0-9a-f]{40}\"/TYPE: \"boringssl\", VERSION: \"${COMMIT_SHA}\"/" .github/workflows/ci.yml git status if: steps.check-sha-boring.outputs.COMMIT_SHA + env: + COMMIT_SHA: ${{ steps.check-sha-boring.outputs.COMMIT_SHA }} - name: Update OpenSSL run: | set -xe CURRENT_DATE=$(date "+%b %d, %Y") sed -E -i "s/Latest commit on the OpenSSL master branch.*/Latest commit on the OpenSSL master branch, as of ${CURRENT_DATE}./" .github/workflows/ci.yml - sed -E -i "s/TYPE: \"openssl\", VERSION: \"[0-9a-f]{40}\"/TYPE: \"openssl\", VERSION: \"${{ steps.check-sha-openssl.outputs.COMMIT_SHA }}\"/" .github/workflows/ci.yml + sed -E -i "s/TYPE: \"openssl\", VERSION: \"[0-9a-f]{40}\"/TYPE: \"openssl\", VERSION: \"${COMMIT_SHA}\"/" .github/workflows/ci.yml git status if: steps.check-sha-openssl.outputs.COMMIT_SHA + env: + COMMIT_SHA: ${{ steps.check-sha-openssl.outputs.COMMIT_SHA }} - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 id: generate-token with: diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 46f42b64405c..fe4d94c86a13 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml 
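Review bot: `${COMMIT_SHA}` is now expanded by the shell rather than by Actions, but it is still spliced unvalidated into the replacement side of the `sed` expression that rewrites ci.yml, so a value containing `/`, `&` or `"` would change what gets written. The value is a step output derived from a remote ref lookup (the `check-sha-*` steps shown in an earlier commit on this page), so a shape check before the `sed` calls would close that gap: `[[ "${COMMIT_SHA}" =~ ^[0-9a-f]{40}$ ]] || exit 1`. The same line would fit the OpenSSL step in this hunk and both steps in the x509-limbo-version-bump.yml hunks. The surrounding job starts and ends outside the hunk.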
@@ -32,9 +32,11 @@ jobs: set -xe CURRENT_DATE=$(date "+%b %d, %Y") sed -E -i "s/Latest commit on the x509-limbo main branch.*/Latest commit on the x509-limbo main branch, as of ${CURRENT_DATE}./" .github/actions/fetch-vectors/action.yml - sed -E -i "s/ref: \"[0-9a-f]{40}\" # x509-limbo-ref/ref: \"${{ steps.check-sha-x509-limbo.outputs.COMMIT_SHA }}\" # x509-limbo-ref/" .github/actions/fetch-vectors/action.yml + sed -E -i "s/ref: \"[0-9a-f]{40}\" # x509-limbo-ref/ref: \"${COMMIT_SHA}\" # x509-limbo-ref/" .github/actions/fetch-vectors/action.yml git status if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA + env: + COMMIT_SHA: ${{ steps.check-sha-x509-limbo.outputs.COMMIT_SHA }} - id: check-sha-wycheproof run: | SHA=$(git ls-remote https://github.com/C2SP/wycheproof refs/heads/master | cut -f1) @@ -50,9 +52,11 @@ jobs: set -xe CURRENT_DATE=$(date "+%b %d, %Y") sed -E -i "s/Latest commit on the wycheproof master branch.*/Latest commit on the wycheproof master branch, as of ${CURRENT_DATE}./" .github/actions/fetch-vectors/action.yml - sed -E -i "s/ref: \"[0-9a-f]{40}\" # wycheproof-ref/ref: \"${{ steps.check-sha-wycheproof.outputs.COMMIT_SHA }}\" # wycheproof-ref/" .github/actions/fetch-vectors/action.yml + sed -E -i "s/ref: \"[0-9a-f]{40}\" # wycheproof-ref/ref: \"${COMMIT_SHA}\" # wycheproof-ref/" .github/actions/fetch-vectors/action.yml git status if: steps.check-sha-wycheproof.outputs.COMMIT_SHA + env: + COMMIT_SHA: ${{ steps.check-sha-wycheproof.outputs.COMMIT_SHA }} - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 id: generate-token with: From 0341483f22915d7301e33437b8f6ea8a9410658c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 22 Sep 2024 16:49:07 +0000 Subject: [PATCH 1122/1462] Bump ruff from 0.6.6 to 0.6.7 (#11642) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.6.6 to 0.6.7. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.6.6...0.6.7) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f87a7240abda..c45f0a0d1202 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -188,7 +188,7 @@ requests==2.31.0 ; python_full_version < '3.8' # via sphinx requests==2.32.3 ; python_full_version >= '3.8' # via sphinx -ruff==0.6.6 +ruff==0.6.7 # via cryptography (pyproject.toml) six==1.16.0 ; python_full_version < '3.8' # via bleach From e3629a27b7b379e89b32d39241392240a1010f58 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 22 Sep 2024 16:50:34 +0000 Subject: [PATCH 1123/1462] Bump uv from 0.4.14 to 0.4.15 in /.github/requirements (#11643) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.14 to 0.4.15. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.14...0.4.15) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 1bfa1ec4f937..dc81d7e188e1 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.14 \ - --hash=sha256:0e0a91f580e02fef0fc8d0d1aab7cbd4060e04cd0d051f55dcde513205039ef8 \ - --hash=sha256:130dfc5277bd6703c8e1e6ce1d33d232b28e0cb7f558066fe59512592b425d67 \ - --hash=sha256:1cb55f165841acc7300706b83191aad2e4a319d7d39f9088bd7ed01f7cfd27ca \ - --hash=sha256:2b56b959a6606d43bde9cb3c3e10c85daf7ce1411a46cb41bf11d135cd63d2b0 \ - --hash=sha256:4c5ed116d05c87e42da05e94b2eb7c0472acdd8b80dbfeb4c3b7846e6fbc02f6 \ - --hash=sha256:4deed108d697c8a2fd28ed849ccae2ff08cd06c2c2309b426d13ae695d27dfbc \ - --hash=sha256:57312d9fb4fb3bd69ed37ae99c66e7af0d582b78e9616d571b66d537ac08e850 \ - --hash=sha256:6902b1aad2751a7306589301e965f15975f8a3b63601d96624f580f3878b2793 \ - --hash=sha256:7484fcc38afd37880eaef89fc515f912fcdbd065da0ea986fc6ba84905063ab2 \ - --hash=sha256:7bf0ccb0955bb8ad5de87debfa2faf72262a88480b7b8b51679a895fbcdd517b \ - --hash=sha256:7c29199e163912812386e97107575e1aa5925fbac74d30c2b38f8ffa856a460e \ - --hash=sha256:bf623a1e328a67b419c9cbdf650d420d4beea23386ed91ffa540e84f0ac9d5d6 \ - --hash=sha256:c3ab8dc834860b194b490af43452cafd69c8298f20b9be664f9aef76ba6a7b05 \ - --hash=sha256:c531d6b5b777559a229b388bac6c4b05f9d4c39970625c683da20bc35f49ee77 \ - --hash=sha256:d429acdfdf9624348f43832113c9fcda6bfb5e080bf26e3a738e782964fb50cc \ - --hash=sha256:d6fb5ae34cbaf783f2d51ec12f351235f16bc2435707aa898d7a643d965b95b1 \ - --hash=sha256:e434d5714d2fcf86bc3039b1bf021d2b10189f09140b183fc0bd466de5e3d5c5 \ - --hash=sha256:f28a016a9d65b2e319d79125dd8e9f2313cd4d433653b01f6abe88a10c9bcfc7 +uv==0.4.15 \ + --hash=sha256:04858bfd551fabe1635127d9a0afe5c62e1e7d56cf309a9674840c90bfc1f21e \ + --hash=sha256:0e9b78f1a800a4cfdfbdc9ff4e5d4cce34af770f8a1f2b9416b161f294eb3703 \ + --hash=sha256:1401e73f0e8df62b4cfbf394e65a75f18b73bf8a94a6c5653a55bd6fdb8e1bc3 \ + --hash=sha256:1bb79cb06be9bb25a1bf8641bf34593f64a96b3ba66ebd8712954f647d9faa24 \ + 
--hash=sha256:21a3cedb2276d635543a10a11c61f75c6e387110e23e90cdb6c6dd2e1f3c9453 \ + --hash=sha256:27884429b7fed371fe1fcbe829659c4a259463d0ecacb7891d800e4754b5f24c \ + --hash=sha256:4e40deb2cf2cb403dbaf65209d49c45462ebbb1bff290d4c18b902b5b385cdc9 \ + --hash=sha256:6eef6881abf9b858020ffd23f4e5d77423329da2d4a1bc0af6613c2f698c369a \ + --hash=sha256:7fcf7f3812dd173d39273e99fb2abb0814be6133e7a721baa424cbcfd25b483b \ + --hash=sha256:8d45295757f66d1913e5917c06f1974745adad842403d419362491939be889a6 \ + --hash=sha256:8e36b8e07595fc6216d01e729c81a0b4ff029a93cc2ef987a73d3b650d6d559c \ + --hash=sha256:9822fa4db0d8d50abf5eebe081c01666a98120455090d0b71463d01d5d4153c1 \ + --hash=sha256:9e28141883c0aa8525ad5418e519d8791b7dd75f35020d3b1457db89346c5dc8 \ + --hash=sha256:a5920ff4d114025c51d3f925130ca3b0fad277631846b1109347c24948b29159 \ + --hash=sha256:be46b37b569e3c8ffb7d78022bcc0eadeb987109f709c1cec01b00c261ed9595 \ + --hash=sha256:cf7d554656bb8c5b7710300e04d86ab5137ebdd31fe309d66860a9d474b385f8 \ + --hash=sha256:d16ae6b97eb77f478dfe51d6eb3627048d3f47bd04282d3006e6a212e541dba0 \ + --hash=sha256:e32137ba8202b1291e879e8145113bfb543fcc992b5f043852a96d803788b83c From 9c11549e2ce9ada9b37bf4a94f69c963366c3133 Mon Sep 17 00:00:00 2001 From: Gonzalo Atienza <38573982+gonatienza@users.noreply.github.com> Date: Sun, 22 Sep 2024 21:23:47 -0400 Subject: [PATCH 1124/1462] mac-docs-updates (#11644) --- docs/hazmat/primitives/mac/cmac.rst | 1 + docs/hazmat/primitives/mac/poly1305.rst | 1 + 2 files changed, 2 insertions(+) diff --git a/docs/hazmat/primitives/mac/cmac.rst b/docs/hazmat/primitives/mac/cmac.rst index c7eabd9d953f..f5e8b59c0f4d 100644 --- a/docs/hazmat/primitives/mac/cmac.rst +++ b/docs/hazmat/primitives/mac/cmac.rst 
@@ -28,6 +28,7 @@ A subset of CMAC with the AES-128 algorithm is described in :rfc:`4493`. >>> from cryptography.hazmat.primitives import cmac >>> from cryptography.hazmat.primitives.ciphers import algorithms + >>> key = b"\x00" * 16 # A real key should come from os.urandom(16) >>> c = cmac.CMAC(algorithms.AES(key)) >>> c.update(b"message to authenticate") >>> c.finalize() diff --git a/docs/hazmat/primitives/mac/poly1305.rst b/docs/hazmat/primitives/mac/poly1305.rst index e3240f5baccf..cc7f9e2b7a58 100644 --- a/docs/hazmat/primitives/mac/poly1305.rst +++ b/docs/hazmat/primitives/mac/poly1305.rst @@ -31,6 +31,7 @@ messages allows an attacker to forge tags. Poly1305 is described in .. doctest:: >>> from cryptography.hazmat.primitives import poly1305 + >>> key = b"\x01" * 32 # A real key should come from os.urandom(32) >>> p = poly1305.Poly1305(key) >>> p.update(b"message to authenticate") >>> p.finalize() From e8194c5b681ef5e43c4433cd4f07c6f0c4efb5ca Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 07:26:41 -0400 Subject: [PATCH 1125/1462] Bump pkg-config from 0.3.30 to 0.3.31 in /src/rust (#11645) Bumps [pkg-config](https://github.com/rust-lang/pkg-config-rs) from 0.3.30 to 0.3.31. - [Changelog](https://github.com/rust-lang/pkg-config-rs/blob/master/CHANGELOG.md) - [Commits](https://github.com/rust-lang/pkg-config-rs/commits) --- updated-dependencies: - dependency-name: pkg-config dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 5cfaa691c4fd..537dfcb95a8c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -229,9 +229,9 @@ dependencies = [ [[package]] name = "pkg-config" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d231b230927b5e4ad203db57bbcbee2802f6bce620b1e4a9024a07d94e2907ec" +checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2" [[package]] name = "portable-atomic" From c159b2a84f51c29c613d87c16cc9b9bab839bc16 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 07:27:53 -0400 Subject: [PATCH 1126/1462] Bump sphinx-rtd-theme from 3.0.0rc1 to 3.0.0rc2 (#11646) Bumps [sphinx-rtd-theme](https://github.com/readthedocs/sphinx_rtd_theme) from 3.0.0rc1 to 3.0.0rc2. - [Changelog](https://github.com/readthedocs/sphinx_rtd_theme/blob/master/docs/changelog.rst) - [Commits](https://github.com/readthedocs/sphinx_rtd_theme/compare/3.0.0rc1...3.0.0rc2) --- updated-dependencies: - dependency-name: sphinx-rtd-theme dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c45f0a0d1202..820557ba6449 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -210,7 +210,7 @@ sphinx==8.0.2 ; python_full_version >= '3.10' # sphinx-rtd-theme # sphinxcontrib-jquery # sphinxcontrib-spelling -sphinx-rtd-theme==3.0.0rc1 ; python_full_version >= '3.8' +sphinx-rtd-theme==3.0.0rc2 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) sphinxcontrib-applehelp==1.0.2 ; python_full_version < '3.8' # via sphinx From 128656ff45b0dc5e5eed01f1b0bfa3b9cd4e9e51 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 24 Sep 2024 00:17:54 +0000 Subject: [PATCH 1127/1462] Bump BoringSSL and/or OpenSSL in CI (#11647) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 96c8704b4e74..4445fdaed93c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 21, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "718900aeb84c601523e71abbd18fd70c9e2ad884"}} - # Latest commit on the OpenSSL master branch, as of Sep 20, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7f62adaf2b088de38ad2e534d0bfae2ff7ae01f2"}} + # Latest commit on the BoringSSL master branch, as of Sep 24, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "62d8540fcc411558aed8457e1a92ea1f4e0d039e"}} + # Latest commit on the OpenSSL master branch, as of Sep 24, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e7abc2118f5d06d560b6de978f178e4b0537f06b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 531e2b44f069428b4e07d58aa42762e884f90844 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 24 Sep 2024 00:34:33 +0000 Subject: [PATCH 1128/1462] Bump x509-limbo and/or wycheproof in CI (#11648) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 3780ee21e422..116bd83cdffd 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Sep 18, 2024. - ref: "d1478c0a1f98e97ae9c69112259edf3d50c345b6" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Sep 24, 2024. + ref: "0afef011eda21c025631b6164b0b147d303360f7" # x509-limbo-ref From 06f3fdbfb3cdccf925712281c063af62eed67510 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 24 Sep 2024 10:21:01 -0400 Subject: [PATCH 1129/1462] fixed grammar in getting-started.rst (#11649) --- docs/development/getting-started.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/development/getting-started.rst b/docs/development/getting-started.rst index d074718f4183..c7cf265b8b22 100644 --- a/docs/development/getting-started.rst +++ b/docs/development/getting-started.rst @@ -19,7 +19,7 @@ handled by the use of ``nox``, which can be installed with ``pip``. OpenSSL on macOS ~~~~~~~~~~~~~~~~ -You must have installed `OpenSSL`_ (via `Homebrew`_ , `MacPorts`_) before +You must have installed `OpenSSL`_ (via `Homebrew`_ or `MacPorts`_) before invoking ``nox`` or else pip will fail to compile. Running tests 
@@ -61,4 +61,4 @@ The docs can be built using ``nox``: .. _`virtualenv`: https://pypi.org/project/virtualenv/ .. _`pip`: https://pypi.org/project/pip/ .. _`as documented here`: https://docs.rs/openssl/latest/openssl/#automatic -.. _`installation instructions`: https://pyenchant.github.io/pyenchant/install.html#installing-the-enchant-c-library \ No newline at end of file +.. _`installation instructions`: https://pyenchant.github.io/pyenchant/install.html#installing-the-enchant-c-library From c7591ce9195317a1ba3917c7577cadbc646aab58 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 25 Sep 2024 00:31:47 +0000 Subject: [PATCH 1130/1462] Bump BoringSSL and/or OpenSSL in CI (#11650) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4445fdaed93c..ec5e495ce7db 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 24, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "62d8540fcc411558aed8457e1a92ea1f4e0d039e"}} - # Latest commit on the OpenSSL master branch, as of Sep 24, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e7abc2118f5d06d560b6de978f178e4b0537f06b"}} + # Latest commit on the BoringSSL master branch, as of Sep 25, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5a94aff9aebcf9738c7bc464bc95fa4ac3a46ed7"}} + # Latest commit on the OpenSSL master branch, as of Sep 25, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "260ecea0d4e46d63464636405f9925ef65d0747e"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From ad95528f321181b29517cf891cd7a33617bb5d97 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 25 Sep 2024 00:35:17 +0000 Subject: [PATCH 1131/1462] Bump x509-limbo and/or wycheproof in CI (#11651) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 116bd83cdffd..95ab7b4ca30b 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Sep 24, 2024. - ref: "0afef011eda21c025631b6164b0b147d303360f7" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Sep 25, 2024. + ref: "4d87f8fcb080ca175389dab8fac34ccb3821ad01" # x509-limbo-ref From 3a6efdffd46206b1c70a3b016c142e4e874055a3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 25 Sep 2024 07:28:59 -0400 Subject: [PATCH 1132/1462] Bump libc from 0.2.158 to 0.2.159 in /src/rust (#11654) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.158 to 0.2.159. - [Release notes](https://github.com/rust-lang/libc/releases) - [Changelog](https://github.com/rust-lang/libc/blob/0.2.159/CHANGELOG.md) - [Commits](https://github.com/rust-lang/libc/compare/0.2.158...0.2.159) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 537dfcb95a8c..27b2a5c4b832 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -161,9 +161,9 @@ checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "libc" -version = "0.2.158" +version = "0.2.159" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8adc4bb1803a324070e64a98ae98f38934d91957a99cfb3a43dcbc01bc56439" +checksum = "561d97a539a36e26a9a5fad1ea11a3039a67714694aaa379433e580854bc3dc5" [[package]] name = "memoffset" From 2106516974a822c18936cf74bc894b7e050413f6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 25 Sep 2024 07:29:30 -0400 Subject: [PATCH 1133/1462] Bump maturin from 1.7.1 to 1.7.2 in /.github/requirements (#11653) Bumps [maturin](https://github.com/pyo3/maturin) from 1.7.1 to 1.7.2. - [Release notes](https://github.com/pyo3/maturin/releases) - [Changelog](https://github.com/PyO3/maturin/blob/main/Changelog.md) - [Commits](https://github.com/pyo3/maturin/compare/v1.7.1...v1.7.2) --- updated-dependencies: - dependency-name: maturin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 28 ++++++++++----------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 953d2e709c6f..40de739dc648 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt 
@@ -77,20 +77,20 @@ flit-core==3.9.0 \ --hash=sha256:72ad266176c4a3fcfab5f2930d76896059851240570ce9a98733b658cb786eba \ --hash=sha256:7aada352fb0c7f5538c4fafeddf314d3a6a92ee8e2b1de70482329e42de70301 # via -r build-requirements.in -maturin==1.7.1 \ - --hash=sha256:00f0f8f5051f4c0d0f69bdd0c6297ea87e979f70fb78a377eb4277c932804e2d \ - --hash=sha256:07c8800603e551a45e16fe7ad1742977097ea43c18b28e491df74d4ca15c5857 \ - --hash=sha256:09cca3491c756d1bce6ffff13f004e8a10e67c72a1cba9579058f58220505881 \ - --hash=sha256:0df0a6aaf7e9ab92cce2490b03d80b8f5ecbfa0689747a2ea4dfb9e63877b79c \ - --hash=sha256:147754cb3d81177ee12d9baf575d93549e76121dacd3544ad6a50ab718de2b9c \ - --hash=sha256:372a141b31ae7396728d2dedc6061fe4522c1803ae1c05700d37008e1d1a2cc9 \ - --hash=sha256:49939608095d9bcdf19d081dfd6ac1e8f915c645115090514c7b86e1e382f241 \ - --hash=sha256:6eec984d26f707b18765478f4892e58ac72e777287cd2ba721d6e2ef6da1f66e \ - --hash=sha256:7bb184cfbac4e3c55ca21d322e4801e0f75e7932287e156c280c279eae60b69e \ - --hash=sha256:973126a36cfb9861b3207df579678c1bcd7c348578a41ccfbe80d811a84f1740 \ - --hash=sha256:acf9f539f53a7ad64d406a40b27b768f67d75e6e4e93cb04b29025144a74ef45 \ - --hash=sha256:c5e7e6d130072ca76956106daa276f24a66c3407cfe6cf64c196d4299fd4175c \ - --hash=sha256:e5e8e61468d7d79790f0b54f2ed24f2fefbce3518548bc4e1a1f0c7be5bad710 +maturin==1.7.2 \ + --hash=sha256:0ae225051d9883a25a715c72621c570a21c4c15da1bd401ddbf7dbe8e2b5aab5 \ + --hash=sha256:0c5efb3865995a1404a213ffefc01786770d877dd10f8749609c388f677010f4 \ + --hash=sha256:1b7201cfb9cd3668c6ddc03c01899b74e95009dc797ad29e701f7fa508f60e1f \ + --hash=sha256:35c9951ea2faa6b04d06f09aecb0013860370bf6c53d940bbf7b055405c0abb6 \ + --hash=sha256:3e2d4b747627302e3def9e619e30e95017a5a048b138b9a6368cc2e4a2409204 \ + --hash=sha256:421ca9e2e3969560c1e2d56bff1967e37d7284cc72f7bf3e404585fac7d7f92a \ + --hash=sha256:610484d4bc053e140275e85de9ce11e35d6643a218d534d93afd36f21dd75445 \ + 
--hash=sha256:7460e000012a707b2b09a7dc3906b6aa66fb033e71a2aedfbf6c72dbd24eee86 \ + --hash=sha256:7ff9394aa5fa09f9c315c843f41d53ee7aaafb96e6ae399f877fc88680b077da \ + --hash=sha256:a1cbf618a61bee5bad082be5df46c33c22ac199320387a8932295c2cdf9abf2e \ + --hash=sha256:ca06eafa9ec870b0175123a3554105deb62212d7974777edf98087f5af7c3f6d \ + --hash=sha256:d7728233c6c3ea908dda5adf957bcebe9a4f6999c38f0e52d4b13f2efbe2c55e \ + --hash=sha256:ea73137b9d68a54123c7ff3da5751bc8e50618589fa483772d4d8019b30f907d # via -r build-requirements.in pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ From 1710d02e4b3f790918b4da433a2d6fc96f3bcfa1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 25 Sep 2024 07:29:42 -0400 Subject: [PATCH 1134/1462] Bump uv from 0.4.15 to 0.4.16 in /.github/requirements (#11652) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.15 to 0.4.16. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.15...0.4.16) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index dc81d7e188e1..c731965c977a 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.15 \ - --hash=sha256:04858bfd551fabe1635127d9a0afe5c62e1e7d56cf309a9674840c90bfc1f21e \ - --hash=sha256:0e9b78f1a800a4cfdfbdc9ff4e5d4cce34af770f8a1f2b9416b161f294eb3703 \ - --hash=sha256:1401e73f0e8df62b4cfbf394e65a75f18b73bf8a94a6c5653a55bd6fdb8e1bc3 \ - --hash=sha256:1bb79cb06be9bb25a1bf8641bf34593f64a96b3ba66ebd8712954f647d9faa24 \ - --hash=sha256:21a3cedb2276d635543a10a11c61f75c6e387110e23e90cdb6c6dd2e1f3c9453 \ - --hash=sha256:27884429b7fed371fe1fcbe829659c4a259463d0ecacb7891d800e4754b5f24c \ - --hash=sha256:4e40deb2cf2cb403dbaf65209d49c45462ebbb1bff290d4c18b902b5b385cdc9 \ - --hash=sha256:6eef6881abf9b858020ffd23f4e5d77423329da2d4a1bc0af6613c2f698c369a \ - --hash=sha256:7fcf7f3812dd173d39273e99fb2abb0814be6133e7a721baa424cbcfd25b483b \ - --hash=sha256:8d45295757f66d1913e5917c06f1974745adad842403d419362491939be889a6 \ - --hash=sha256:8e36b8e07595fc6216d01e729c81a0b4ff029a93cc2ef987a73d3b650d6d559c \ - --hash=sha256:9822fa4db0d8d50abf5eebe081c01666a98120455090d0b71463d01d5d4153c1 \ - --hash=sha256:9e28141883c0aa8525ad5418e519d8791b7dd75f35020d3b1457db89346c5dc8 \ - --hash=sha256:a5920ff4d114025c51d3f925130ca3b0fad277631846b1109347c24948b29159 \ - --hash=sha256:be46b37b569e3c8ffb7d78022bcc0eadeb987109f709c1cec01b00c261ed9595 \ - --hash=sha256:cf7d554656bb8c5b7710300e04d86ab5137ebdd31fe309d66860a9d474b385f8 \ - --hash=sha256:d16ae6b97eb77f478dfe51d6eb3627048d3f47bd04282d3006e6a212e541dba0 \ - --hash=sha256:e32137ba8202b1291e879e8145113bfb543fcc992b5f043852a96d803788b83c +uv==0.4.16 \ + --hash=sha256:050715938e78c6d69d9bdd6a9bd536c92c9f516ac0ca252726c546e8dc7af30d \ + --hash=sha256:136f4b1f8d3a6f2e7f87d009cc4b75be1e52b8b9837ee97600fdd3b2db960a53 \ + --hash=sha256:1497dbb3a1b41c6c407e0dc7c6b40ca012796b3f9370f0dcbe4edf4dc098a2ec \ + --hash=sha256:2144995a87b161d063bd4ef8294b1e948677bd90d01f8394d0e3fca037bb847f \ + 
--hash=sha256:29fdf36b2e4de02e676bb2ae3ca25bccb97d457f8bbb5c5a58fc4f223df1e235 \ + --hash=sha256:2a566febc7cbe76e42ad83352c28dd2fe64290e6809f1dfd07f3f158ea5cc68d \ + --hash=sha256:43c7339114431565679f42d3c85b4c7ba5dfdf1d9ad5f89682c1177828161602 \ + --hash=sha256:5ee1c25c8296d932fa2f0629ad6d1b9b04e9f5f0a0f1e90e64d488d13861e533 \ + --hash=sha256:68390b39b36ddbfe48033f308f4e983879b49ce345de2105e5cf3d3baa22dfea \ + --hash=sha256:8147b2998bf9eb743d872de3e469bbe71622126be54ca377bfc0028042bfdad2 \ + --hash=sha256:87505d25163f6fe0afd85c7952ab66593aa1ecc77a41f65e910760e90bd53b4f \ + --hash=sha256:97529f45c0720cafa6870ae3d9a43449c34f6c762505249dcd033ca6d7b121ec \ + --hash=sha256:9de9bfd82d5ec1b0180976b1e5db389c7f13e59a2b08037faa93fef474c63517 \ + --hash=sha256:c390d0887e0bc918d96660460a89101368af28815c40ea26795ab801651d128e \ + --hash=sha256:c54b1725836e5a84168f705a395e21353bdbb2d47e77d645cb0622a77defcf04 \ + --hash=sha256:c92a1a2bf541a3f65b5b2502ca51f8709e8ac8bb85846c87c65d343e66ede622 \ + --hash=sha256:d1712f1c0df309f7682d7e40783ab55927cc1e7108e43847b2a0b795ea855c45 \ + --hash=sha256:d501b14f491057c102e2f6be92e5a1da973453b893fd727a552908fe8a8a1061 From 8fcb066edac8fa9e6f1515bc7c9addc2e75d5993 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 26 Sep 2024 00:17:00 +0000 Subject: [PATCH 1135/1462] Bump BoringSSL and/or OpenSSL in CI (#11655) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ec5e495ce7db..59fb34458dce 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 25, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5a94aff9aebcf9738c7bc464bc95fa4ac3a46ed7"}} + # Latest commit on the BoringSSL master branch, as of Sep 26, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "dec0800988062ab0b1d5ea5f3c9575f3392bcd37"}} # Latest commit on the OpenSSL master branch, as of Sep 25, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "260ecea0d4e46d63464636405f9925ef65d0747e"}} # Builds with various Rust versions. Includes MSRV and next From d4ec087ff442ea5dc69495348d8e2875126064da Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 26 Sep 2024 07:14:11 -0400 Subject: [PATCH 1136/1462] Bump maturin from 1.7.2 to 1.7.4 in /.github/requirements (#11656) Bumps [maturin](https://github.com/pyo3/maturin) from 1.7.2 to 1.7.4. - [Release notes](https://github.com/pyo3/maturin/releases) - [Changelog](https://github.com/PyO3/maturin/blob/main/Changelog.md) - [Commits](https://github.com/pyo3/maturin/compare/v1.7.2...v1.7.4) --- updated-dependencies: - dependency-name: maturin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 28 ++++++++++----------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 40de739dc648..07c6040dd9c2 100644 
--- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt 
@@ -77,20 +77,20 @@ flit-core==3.9.0 \ --hash=sha256:72ad266176c4a3fcfab5f2930d76896059851240570ce9a98733b658cb786eba \ --hash=sha256:7aada352fb0c7f5538c4fafeddf314d3a6a92ee8e2b1de70482329e42de70301 # via -r build-requirements.in -maturin==1.7.2 \ - --hash=sha256:0ae225051d9883a25a715c72621c570a21c4c15da1bd401ddbf7dbe8e2b5aab5 \ - --hash=sha256:0c5efb3865995a1404a213ffefc01786770d877dd10f8749609c388f677010f4 \ - --hash=sha256:1b7201cfb9cd3668c6ddc03c01899b74e95009dc797ad29e701f7fa508f60e1f \ - --hash=sha256:35c9951ea2faa6b04d06f09aecb0013860370bf6c53d940bbf7b055405c0abb6 \ - --hash=sha256:3e2d4b747627302e3def9e619e30e95017a5a048b138b9a6368cc2e4a2409204 \ - --hash=sha256:421ca9e2e3969560c1e2d56bff1967e37d7284cc72f7bf3e404585fac7d7f92a \ - --hash=sha256:610484d4bc053e140275e85de9ce11e35d6643a218d534d93afd36f21dd75445 \ - --hash=sha256:7460e000012a707b2b09a7dc3906b6aa66fb033e71a2aedfbf6c72dbd24eee86 \ - --hash=sha256:7ff9394aa5fa09f9c315c843f41d53ee7aaafb96e6ae399f877fc88680b077da \ - --hash=sha256:a1cbf618a61bee5bad082be5df46c33c22ac199320387a8932295c2cdf9abf2e \ - --hash=sha256:ca06eafa9ec870b0175123a3554105deb62212d7974777edf98087f5af7c3f6d \ - --hash=sha256:d7728233c6c3ea908dda5adf957bcebe9a4f6999c38f0e52d4b13f2efbe2c55e \ - --hash=sha256:ea73137b9d68a54123c7ff3da5751bc8e50618589fa483772d4d8019b30f907d +maturin==1.7.4 \ + --hash=sha256:0182a9638399c8835afd39d2aeacf56908e37cba3f7abb15816b9df6774fab81 \ + --hash=sha256:23fae44e345a2da5cb391ae878726fb793394826e2f97febe41710bd4099460e \ + --hash=sha256:2b349d742a07527d236f0b4b6cab26f53ebecad0ceabfc09ec4c6a396e3176f9 \ + --hash=sha256:35487a424467d1fda4567cbb02d21f09febb10eda22f5fd647b130bc0767dc61 \ + --hash=sha256:41a29c5b23f3ebdfe7633637e3de256579a1b2700c04cd68c16ed46934440c5a \ + --hash=sha256:71f668f19e719048605dbca6a1f4d0dc03b987c922ad9c4bf5be03b9b278e4c3 \ + --hash=sha256:7ccb66d0c5297cf06652c5f72cb398f447d3a332eccf5d1e73b3fe14dbc9498c \ + 
--hash=sha256:8b441521c151f0dbe70ed06fb1feb29b855d787bda038ff4330ca962e5d56641 \ + --hash=sha256:c179fcb2b494f19186781b667320e43d95b3e71fcb1c98fffad9ef6bd6e276b3 \ + --hash=sha256:eb7b7753b733ae302c08f80bca7b0c3fda1eea665c2b1922c58795f35a54c833 \ + --hash=sha256:f3d38a6d0c7fd7b04bec30dd470b2173cf9bd184ab6220c1acaf49df6b48faf5 \ + --hash=sha256:f70c1c8ec9bd4749a53c0f3ae8fdbb326ce45be4f1c5551985ee25a6d7150328 \ + --hash=sha256:fd5b4b95286f2f376437340f8a4908f4761587212170263084455be8099099a7 # via -r build-requirements.in pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ From c3a8ed182eefbfc92097bca932b12d9450e81d7a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 26 Sep 2024 07:17:38 -0400 Subject: [PATCH 1137/1462] Bump actions/checkout from 4.1.7 to 4.2.0 (#11657) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.7 to 4.2.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/692973e3d937129bcbf40652eb9f2f61becf3332...d632683dd7b4114ad314bca15554477dd762a938) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 4 ++-- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/ci.yml | 12 ++++++------ .github/workflows/linkcheck.yml | 2 +- .github/workflows/wheel-builder.yml | 8 ++++---- .github/workflows/x509-limbo-version-bump.yml | 2 +- 6 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 6fa6f8c08ce2..3275d57b2996 100644 --- a/.github/workflows/benchmark.yml 
+++ b/.github/workflows/benchmark.yml @@ -26,12 +26,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 timeout-minutes: 3 with: persist-credentials: false path: "cryptography-pr" - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 timeout-minutes: 3 with: persist-credentials: false diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index c858bf29c121..33652a071e65 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: # Needed so we can push back to the repo persist-credentials: true diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 59fb34458dce..b9f5c8553fb3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -59,7 +59,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-rust-debug"} timeout-minutes: 15 steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 timeout-minutes: 3 with: persist-credentials: false @@ -183,7 +183,7 @@ jobs: sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release if: matrix.IMAGE.IMAGE == 'alpine:aarch64' - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 timeout-minutes: 3 with: persist-credentials: false 
@@ -234,7 +234,7 @@ jobs: RUNNER: {OS: 'macos-14', ARCH: 'arm64'} timeout-minutes: 15 steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 timeout-minutes: 3 with: persist-credentials: false @@ -298,7 +298,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests"} timeout-minutes: 15 steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 timeout-minutes: 3 with: persist-credentials: false @@ -372,7 +372,7 @@ jobs: name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 timeout-minutes: 3 with: persist-credentials: false @@ -416,7 +416,7 @@ jobs: if: ${{ always() }} timeout-minutes: 3 steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 timeout-minutes: 3 with: persist-credentials: false diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index 3fee6f366845..da777fb02b38 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -20,7 +20,7 @@ jobs: name: "linkcheck" timeout-minutes: 10 steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: persist-credentials: false - name: Setup python diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 6a59485fe39c..b90a3dff66ff 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml 
@@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest name: sdists steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -99,7 +99,7 @@ jobs: if: startsWith(matrix.MANYLINUX.NAME, 'musllinux') && endsWith(matrix.MANYLINUX.NAME, 'aarch64') - name: Get build-requirements.txt from repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -184,7 +184,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -275,7 +275,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index fe4d94c86a13..512e2fda8f6a 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml 
@@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: # Needed so we can push back to the repo persist-credentials: true From 35258b4b5417cd3e2c42a5275def63fe741a99b3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 26 Sep 2024 07:17:56 -0400 Subject: [PATCH 1138/1462] Bump actions/checkout in /.github/actions/fetch-vectors (#11658) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.7 to 4.2.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/692973e3d937129bcbf40652eb9f2f61becf3332...d632683dd7b4114ad314bca15554477dd762a938) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 95ab7b4ca30b..64a83248d53e 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -5,14 +5,14 @@ runs: using: "composite" steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: repository: "C2SP/wycheproof" path: "wycheproof" # Latest commit on the wycheproof master branch, as of Apr 09, 2024. ref: "cd27d6419bedd83cbd24611ec54b6d4bfdb0cdca" # wycheproof-ref - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: repository: "C2SP/x509-limbo" path: "x509-limbo" From 34dff0b43d3d8f7555a1b7475fc71f602e56d476 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 27 Sep 2024 00:17:43 +0000 Subject: [PATCH 1139/1462] Bump BoringSSL and/or OpenSSL in CI (#11659) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b9f5c8553fb3..ac149fa90416 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 26, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "dec0800988062ab0b1d5ea5f3c9575f3392bcd37"}} - # Latest commit on the OpenSSL master branch, as of Sep 25, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "260ecea0d4e46d63464636405f9925ef65d0747e"}} + # Latest commit on the BoringSSL master branch, as of Sep 27, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "40dd94116ba03678226443ba20c5887459c9bf16"}} + # Latest commit on the OpenSSL master branch, as of Sep 27, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3ef1b7426b05c18419ba0eb6495ec761c91834c1"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 0ef96151880ab40d2f27a3b40c0fd92ed6ebdaff Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 27 Sep 2024 07:23:21 -0400 Subject: [PATCH 1140/1462] Bump ruff from 0.6.7 to 0.6.8 (#11664) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.6.7 to 0.6.8. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.6.7...0.6.8) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 820557ba6449..ec3f946789cf 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -188,7 +188,7 @@ requests==2.31.0 ; python_full_version < '3.8' # via sphinx requests==2.32.3 ; python_full_version >= '3.8' # via sphinx -ruff==0.6.7 +ruff==0.6.8 # via cryptography (pyproject.toml) six==1.16.0 ; python_full_version < '3.8' # via bleach From 400732ebf02a36abbec67cedb05d907bb16cc970 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 27 Sep 2024 07:23:42 -0400 Subject: [PATCH 1141/1462] Bump sphinx-rtd-theme from 3.0.0rc2 to 3.0.0rc3 (#11663) Bumps [sphinx-rtd-theme](https://github.com/readthedocs/sphinx_rtd_theme) from 3.0.0rc2 to 3.0.0rc3. - [Changelog](https://github.com/readthedocs/sphinx_rtd_theme/blob/master/docs/changelog.rst) - [Commits](https://github.com/readthedocs/sphinx_rtd_theme/compare/3.0.0rc2...3.0.0rc3) --- updated-dependencies: - dependency-name: sphinx-rtd-theme dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ec3f946789cf..5d8488573191 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -210,7 +210,7 @@ sphinx==8.0.2 ; python_full_version >= '3.10' # sphinx-rtd-theme # sphinxcontrib-jquery # sphinxcontrib-spelling -sphinx-rtd-theme==3.0.0rc2 ; python_full_version >= '3.8' +sphinx-rtd-theme==3.0.0rc3 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) sphinxcontrib-applehelp==1.0.2 ; python_full_version < '3.8' # via sphinx From 87c6e14df26a20182527aea1c27da82f8f7d6b11 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 27 Sep 2024 07:24:38 -0400 Subject: [PATCH 1142/1462] Bump cc from 1.1.21 to 1.1.22 in /src/rust (#11662) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.21 to 1.1.22. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.21...cc-v1.1.22) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 27b2a5c4b832..57ceffb98929 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.21" +version = "1.1.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "07b1695e2c7e8fc85310cde85aeaab7e3097f593c91d209d3f9df76c928100f0" +checksum = "9540e661f81799159abee814118cc139a2004b3a3aa3ea37724a1b66530b90e0" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 7839bb7169cb..a2db8e1b68e3 100644 
--- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,7 +11,7 @@ pyo3 = { version = "0.22.3", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.21" +cc = "1.1.22" [lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(python_implementation, values("CPython", "PyPy"))'] } From a848ae00bf8bac784d79615868d03e6aa47b1695 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 27 Sep 2024 07:24:53 -0400 Subject: [PATCH 1143/1462] Bump autocfg from 1.3.0 to 1.4.0 in /src/rust (#11661) Bumps [autocfg](https://github.com/cuviper/autocfg) from 1.3.0 to 1.4.0. - [Commits](https://github.com/cuviper/autocfg/compare/1.3.0...1.4.0) --- updated-dependencies: - dependency-name: autocfg dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 57ceffb98929..340a45f06d52 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -24,9 +24,9 @@ dependencies = [ [[package]] name = "autocfg" -version = "1.3.0" +version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" +checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" [[package]] name = "base64" From a5b1ffd2c4d90b1480819145ee8a0c7cd957a63b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 28 Sep 2024 00:26:14 +0000 Subject: [PATCH 1144/1462] Bump BoringSSL and/or OpenSSL in CI (#11665) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ac149fa90416..003dee19fc3a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 27, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "40dd94116ba03678226443ba20c5887459c9bf16"}} - # Latest commit on the OpenSSL master branch, as of Sep 27, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3ef1b7426b05c18419ba0eb6495ec761c91834c1"}} + # Latest commit on the BoringSSL master branch, as of Sep 28, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "72a60506ded3407454d6ddc1d848c266020c0c82"}} + # Latest commit on the OpenSSL master branch, as of Sep 28, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ed6862328745c51c2afa2b6485cc3e275d543c4e"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From cb5ad845146af67ddeda1ce8fdf00e1755f86a82 Mon Sep 17 00:00:00 2001 From: Ivan Desiatov <76527282+deivse@users.noreply.github.com> Date: Sat, 28 Sep 2024 13:05:13 +0200 Subject: [PATCH 1145/1462] Reduce code duplication in PolicyBuilder already set checks. (#11666) --- src/rust/src/x509/verify.rs | 39 +++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index dbc9f18770af..dbe95a494267 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs 
@@ -54,6 +54,20 @@ pyo3::create_exception!( pyo3::exceptions::PyException ); +macro_rules! policy_builder_set_once_check { + ($self: ident, $property: ident, $human_readable_name: literal) => { + if $self.$property.is_some() { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err(concat!( + "The ", + $human_readable_name, + " may only be set once." + )), + )); + } + }; +} + #[pyo3::pyclass(frozen, module = "cryptography.x509.verification")] pub(crate) struct PolicyBuilder { time: Option, @@ -77,13 +91,8 @@ impl PolicyBuilder { py: pyo3::Python<'_>, new_time: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - if self.time.is_some() { - return Err(CryptographyError::from( - pyo3::exceptions::PyValueError::new_err( - "The validation time may only be set once.", - ), - )); - } + policy_builder_set_once_check!(self, time, "validation time"); + Ok(PolicyBuilder { time: Some(py_to_datetime(py, new_time)?), store: self.store.as_ref().map(|s| s.clone_ref(py)), @@ -92,11 +101,8 @@ impl PolicyBuilder { } fn store(&self, new_store: pyo3::Py) -> CryptographyResult { - if self.store.is_some() { - return Err(CryptographyError::from( - pyo3::exceptions::PyValueError::new_err("The trust store may only be set once."), - )); - } + policy_builder_set_once_check!(self, store, "trust store"); + Ok(PolicyBuilder { time: self.time.clone(), store: Some(new_store), @@ -109,13 +115,8 @@ impl PolicyBuilder { py: pyo3::Python<'_>, new_max_chain_depth: u8, ) -> CryptographyResult { - if self.max_chain_depth.is_some() { - return Err(CryptographyError::from( - pyo3::exceptions::PyValueError::new_err( - "The maximum chain depth may only be set once.", - ), - )); - } + policy_builder_set_once_check!(self, max_chain_depth, "maximum chain depth"); + Ok(PolicyBuilder { time: self.time.clone(), store: self.store.as_ref().map(|s| s.clone_ref(py)), From 35c9423400a495eda8b1b3b3a36a2a1ae5c9caab Mon Sep 17 00:00:00 2001 
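Review bot: The new `policy_builder_set_once_check!` macro in the first hunk has no comment, and it contains a `return` that leaves the calling method, which is not obvious at the three call sites in `time`, `store` and `max_chain_depth`. I would document that above the macro, e.g. `/// Returns a ValueError from the enclosing builder method if $property is already set.` The error text built by `concat!` matches the three literals the commit removes, so the messages raised to Python are unchanged. Because these guards stop a verification time, trust store or chain depth from being silently replaced, a test per setter asserting that the second call fails would keep the macro from regressing; no such test is visible in this patch. The body of `max_chain_depth` continues past the end of the last hunk.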
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 07:20:19 -0400 Subject: [PATCH 1146/1462] Bump syn from 2.0.77 to 2.0.79 in /src/rust (#11668) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.77 to 2.0.79. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.77...2.0.79) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 340a45f06d52..7abe17056221 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -334,9 +334,9 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "syn" -version = "2.0.77" +version = "2.0.79" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9f35bcdf61fd8e7be6caf75f429fdca8beb3ed76584befb503b1569faee373ed" +checksum = "89132cd0bf050864e1d38dc3bbc07a0eb8e7530af26344d3d2bbbef83499f590" dependencies = [ "proc-macro2", "quote", From 5bad2d69c964fa3db7f954959a50082cec0db611 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 07:20:34 -0400 Subject: [PATCH 1147/1462] Bump portable-atomic from 1.8.0 to 1.9.0 in /src/rust (#11669) Bumps [portable-atomic](https://github.com/taiki-e/portable-atomic) from 1.8.0 to 1.9.0. - [Release notes](https://github.com/taiki-e/portable-atomic/releases) - [Changelog](https://github.com/taiki-e/portable-atomic/blob/main/CHANGELOG.md) - [Commits](https://github.com/taiki-e/portable-atomic/compare/v1.8.0...v1.9.0) --- updated-dependencies: - dependency-name: portable-atomic dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 7abe17056221..407ef17daf44 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -235,9 +235,9 @@ checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2" [[package]] name = "portable-atomic" -version = "1.8.0" +version = "1.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d30538d42559de6b034bc76fd6dd4c38961b1ee5c6c56e3808c50128fdbc22ce" +checksum = "cc9c68a3f6da06753e9335d63e27f6b9754dd1920d941135b7ea8224f141adb2" [[package]] name = "proc-macro2" From 7b4ed42a0e99908551a0d4ece63dff358973d389 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 07:20:49 -0400 Subject: [PATCH 1148/1462] Bump once_cell from 1.20.0 to 1.20.1 in /src/rust (#11670) Bumps [once_cell](https://github.com/matklad/once_cell) from 1.20.0 to 1.20.1. - [Changelog](https://github.com/matklad/once_cell/blob/master/CHANGELOG.md) - [Commits](https://github.com/matklad/once_cell/compare/v1.20.0...v1.20.1) --- updated-dependencies: - dependency-name: once_cell dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 407ef17daf44..0d4161671ae0 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -176,9 +176,12 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.20.0" +version = "1.20.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33ea5043e58958ee56f3e15a90aee535795cd7dfd319846288d93c5b57d85cbe" +checksum = "82881c4be219ab5faaf2ad5e5e5ecdff8c66bd7402ca3160975c93b24961afd1" +dependencies = [ + "portable-atomic", +] [[package]] name = "openssl" From 7eb7abbaece7d092f371e9cd3c5372e847e74442 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 07:21:53 -0400 Subject: [PATCH 1149/1462] Bump pyproject-hooks from 1.1.0 to 1.2.0 (#11671) Bumps [pyproject-hooks](https://github.com/pypa/pyproject-hooks) from 1.1.0 to 1.2.0. - [Changelog](https://github.com/pypa/pyproject-hooks/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/pyproject-hooks/compare/v1.1.0...v1.2.0) --- updated-dependencies: - dependency-name: pyproject-hooks dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 5d8488573191..793a28b5a6ff 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -146,7 +146,7 @@ pygments==2.18.0 ; python_full_version >= '3.8' # via # readme-renderer # sphinx -pyproject-hooks==1.1.0 +pyproject-hooks==1.2.0 # via build pytest==7.4.4 ; python_full_version < '3.8' # via From 55bd63b15efac85c59eb98c5f8fb5485e2239219 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 07:23:30 -0400 Subject: [PATCH 1150/1462] Bump virtualenv from 20.26.5 to 20.26.6 (#11672) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.26.5 to 20.26.6. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.26.5...20.26.6) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 793a28b5a6ff..c547800a7582 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -265,7 +265,7 @@ urllib3==2.0.7 ; python_full_version < '3.8' # via requests urllib3==2.2.3 ; python_full_version >= '3.8' # via requests -virtualenv==20.26.5 +virtualenv==20.26.6 # via nox webencodings==0.5.1 ; python_full_version < '3.8' # via bleach 
From 2658c81f0dcf4768f9aa944f7f49b3f9827e4c44 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 11:31:36 +0000 Subject: [PATCH 1151/1462] Bump uv from 0.4.16 to 0.4.17 in /.github/requirements (#11673) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.16 to 0.4.17. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.16...0.4.17) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index c731965c977a..2a882f3b4f14 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.16 \ - --hash=sha256:050715938e78c6d69d9bdd6a9bd536c92c9f516ac0ca252726c546e8dc7af30d \ - --hash=sha256:136f4b1f8d3a6f2e7f87d009cc4b75be1e52b8b9837ee97600fdd3b2db960a53 \ - --hash=sha256:1497dbb3a1b41c6c407e0dc7c6b40ca012796b3f9370f0dcbe4edf4dc098a2ec \ - --hash=sha256:2144995a87b161d063bd4ef8294b1e948677bd90d01f8394d0e3fca037bb847f \ - --hash=sha256:29fdf36b2e4de02e676bb2ae3ca25bccb97d457f8bbb5c5a58fc4f223df1e235 \ - --hash=sha256:2a566febc7cbe76e42ad83352c28dd2fe64290e6809f1dfd07f3f158ea5cc68d \ - --hash=sha256:43c7339114431565679f42d3c85b4c7ba5dfdf1d9ad5f89682c1177828161602 \ - --hash=sha256:5ee1c25c8296d932fa2f0629ad6d1b9b04e9f5f0a0f1e90e64d488d13861e533 \ - --hash=sha256:68390b39b36ddbfe48033f308f4e983879b49ce345de2105e5cf3d3baa22dfea \ - --hash=sha256:8147b2998bf9eb743d872de3e469bbe71622126be54ca377bfc0028042bfdad2 \ - --hash=sha256:87505d25163f6fe0afd85c7952ab66593aa1ecc77a41f65e910760e90bd53b4f \ - --hash=sha256:97529f45c0720cafa6870ae3d9a43449c34f6c762505249dcd033ca6d7b121ec \ - --hash=sha256:9de9bfd82d5ec1b0180976b1e5db389c7f13e59a2b08037faa93fef474c63517 \ - --hash=sha256:c390d0887e0bc918d96660460a89101368af28815c40ea26795ab801651d128e \ - --hash=sha256:c54b1725836e5a84168f705a395e21353bdbb2d47e77d645cb0622a77defcf04 \ - --hash=sha256:c92a1a2bf541a3f65b5b2502ca51f8709e8ac8bb85846c87c65d343e66ede622 \ - --hash=sha256:d1712f1c0df309f7682d7e40783ab55927cc1e7108e43847b2a0b795ea855c45 \ - --hash=sha256:d501b14f491057c102e2f6be92e5a1da973453b893fd727a552908fe8a8a1061 +uv==0.4.17 \ + --hash=sha256:01564bd760eff885ad61f44173647a569732934d1a4a558839c8088fbf75e53f \ + --hash=sha256:0da45ca164ef9701dcc5cac3256f1f3a4e6fabe026860101c3b14208bfbde831 \ + --hash=sha256:15cfd020ad4a72f17e669d070a1a8ab50f93ce899486a80029cabf87fac3a8ae \ + --hash=sha256:1a4098128ee54f8b4ca1b083d05f818548cf7182b5b6cbb74fd71235bd105b1d \ + 
--hash=sha256:39c862a5fae944ea89dca5bf77bf636ac26398f96179bca19e4db26121707cd0 \ + --hash=sha256:44360f88b8e67e36fed00976b94d3f1144faa1c5291e8f6f5306c3ded650e9bf \ + --hash=sha256:489f68441092827fcd590a99f91269d5fb3b5f9cca1da469f7fc3d5ef3bf3e37 \ + --hash=sha256:6141f08aad242372dff4b529b9d26c814e151e95d1a8c85d645a7eb11b0cb34a \ + --hash=sha256:7b27e69454d8f65d800bc61a3d05288cacf8e56b9b716b629b2b6977e85ceabe \ + --hash=sha256:87e4c3b6415e0ce6880023960d7bb7fc08acafc97a4e03c7ce8b6a49ad0c698e \ + --hash=sha256:8844740de53f3997175961c90ff4441e0ea7cb1d11e27b662258f8728f7623b2 \ + --hash=sha256:897c5d7d50341023f28b96afd0bf2553d67f3f46c12986d5ee02e517cf7d5c5a \ + --hash=sha256:8acb510475dd8dbce71533384b95a8b2ad204f10081c92d9d012d193bd4df884 \ + --hash=sha256:b3cad9f33c38a891c3adc3cedfa8171e5d1d696d03c850ecd454e16551b1308b \ + --hash=sha256:df5dabafa07d9beae719bf4df649cb6d825620f0bb3abf985df99fd0394dbbb6 \ + --hash=sha256:dfe717c980d3206d4810b5121566a1e07114b9dd470b6f9f6ebed3706c21517d \ + --hash=sha256:e88911392d0eef4019a1db64951eefd1081a6dda72e33ee4b5b77b32f1112a33 \ + --hash=sha256:f727a356e772c3cdc7752d8d9971e614670658f5219eda2449290c5c4a5c91cf From 8c9bb25dca4839a07ba2041a2beb7cb2d429be69 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 1 Oct 2024 00:18:06 +0000 Subject: [PATCH 1152/1462] Bump BoringSSL and/or OpenSSL in CI (#11674) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 003dee19fc3a..0af2d0e0abf5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 28, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "72a60506ded3407454d6ddc1d848c266020c0c82"}} - # Latest commit on the OpenSSL master branch, as of Sep 28, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ed6862328745c51c2afa2b6485cc3e275d543c4e"}} + # Latest commit on the BoringSSL master branch, as of Oct 01, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f8bb652b01d3b34a20ddbaaa35def260783ee734"}} + # Latest commit on the OpenSSL master branch, as of Oct 01, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2f362e99a1178263c7102474f0190836166f416d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 1690080748792eb3a7461fa2a1815b5ab895cdec Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 17:46:42 -0700 Subject: [PATCH 1153/1462] Bump x509-limbo and/or wycheproof in CI (#11675) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 64a83248d53e..5092e296da9c 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Sep 25, 2024. - ref: "4d87f8fcb080ca175389dab8fac34ccb3821ad01" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Oct 01, 2024. + ref: "b9affa376b1e544f027e1a88299a3230ab5e26bc" # x509-limbo-ref From 6b39f10598c1a291eaccdaa8b7bb2eedf4acab95 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Oct 2024 07:23:27 -0400 Subject: [PATCH 1154/1462] Bump cc from 1.1.22 to 1.1.23 in /src/rust (#11677) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.22 to 1.1.23. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.22...cc-v1.1.23) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 0d4161671ae0..4c54b2268512 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.22" +version = "1.1.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9540e661f81799159abee814118cc139a2004b3a3aa3ea37724a1b66530b90e0" +checksum = "3bbb537bb4a30b90362caddba8f360c0a56bc13d3a5570028e7197204cb54a17" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index a2db8e1b68e3..370e19c38a3f 100644 
--- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,7 +11,7 @@ pyo3 = { version = "0.22.3", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.22" +cc = "1.1.23" [lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(python_implementation, values("CPython", "PyPy"))'] } From 979ee6bc10fb65b598bf14438f1f898e1b6871eb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 1 Oct 2024 09:20:53 -0400 Subject: [PATCH 1155/1462] fixed bad formatting in cfg_if (#11679) (rustmft doesn't automatically fix these because they're inside a macro) --- src/rust/src/backend/aead.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index d67bae78b9ba..46a13b9c06bc 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -489,8 +489,8 @@ impl ChaCha20Poly1305 { } else if #[cfg(any( CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_OPENSSL_320_OR_GREATER, - not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER - )))] { + not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + ))] { if cryptography_openssl::fips::is_enabled() { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( @@ -625,8 +625,8 @@ impl AesGcm { CRYPTOGRAPHY_OPENSSL_320_OR_GREATER, CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_LIBRESSL, - not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER, - )))] { + not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + ))] { Ok(AesGcm { ctx: EvpCipherAead::new(cipher, key_buf.as_bytes(), 16, false)?, }) From 474b7df73d32d240de2ca7cde44dd00a9b20eebc Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 1 Oct 2024 09:22:48 -0400 Subject: [PATCH 1156/1462] See if we can remove this check (#11678) --- tests/hazmat/primitives/test_pkcs12.py | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 99bb122c1f1e..71b16b538229 100644 
--- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -9,7 +9,6 @@ import pytest from cryptography import x509 -from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.decrepit.ciphers.algorithms import RC2 from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ( @@ -632,11 +631,6 @@ def test_key_serialization_encryption( iters, iter_der, ): - if ( - enc_alg is PBES.PBESv2SHA256AndAES256CBC - ) and not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: - pytest.skip("PBESv2 is not supported on OpenSSL < 3.0") - builder = serialization.PrivateFormat.PKCS12.encryption_builder() if enc_alg is not None: builder = builder.key_cert_algorithm(enc_alg) From 628354a43758331c935ce249a822ad7189856d3f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 00:17:34 +0000 Subject: [PATCH 1157/1462] Bump BoringSSL and/or OpenSSL in CI (#11681) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0af2d0e0abf5..dac8ca2a9e08 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 01, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f8bb652b01d3b34a20ddbaaa35def260783ee734"}} - # Latest commit on the OpenSSL master branch, as of Oct 01, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2f362e99a1178263c7102474f0190836166f416d"}} + # Latest commit on the BoringSSL master branch, as of Oct 02, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0eda639cb78a5cf0b479910d8c9a039e47ad36fe"}} + # Latest commit on the OpenSSL master branch, as of Oct 02, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "12d14de641c299ec080edc521f7080acc44e366f"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From a987585c5e4fe8de9ee4f49fb069d8fe59680956 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 10:23:08 +0000 Subject: [PATCH 1158/1462] Bump cc from 1.1.23 to 1.1.24 in /src/rust (#11684) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.23 to 1.1.24. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.23...cc-v1.1.24) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 4c54b2268512..a86df175f007 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.23" +version = "1.1.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3bbb537bb4a30b90362caddba8f360c0a56bc13d3a5570028e7197204cb54a17" +checksum = "812acba72f0a070b003d3697490d2b55b837230ae7c6c6497f05cc2ddbb8d938" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 370e19c38a3f..82c6993c936a 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,7 +11,7 @@ pyo3 = { version = "0.22.3", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.23" +cc = "1.1.24" [lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(python_implementation, values("CPython", "PyPy"))'] } From de90099b2e8e3d379587def3e0cbea9771323256 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 06:54:34 -0700 Subject: [PATCH 1159/1462] Bump uv from 0.4.17 to 0.4.18 in /.github/requirements (#11686) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.17 to 0.4.18. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.17...0.4.18) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 2a882f3b4f14..ecaf5acc9c32 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.17 \ - --hash=sha256:01564bd760eff885ad61f44173647a569732934d1a4a558839c8088fbf75e53f \ - --hash=sha256:0da45ca164ef9701dcc5cac3256f1f3a4e6fabe026860101c3b14208bfbde831 \ - --hash=sha256:15cfd020ad4a72f17e669d070a1a8ab50f93ce899486a80029cabf87fac3a8ae \ - --hash=sha256:1a4098128ee54f8b4ca1b083d05f818548cf7182b5b6cbb74fd71235bd105b1d \ - --hash=sha256:39c862a5fae944ea89dca5bf77bf636ac26398f96179bca19e4db26121707cd0 \ - --hash=sha256:44360f88b8e67e36fed00976b94d3f1144faa1c5291e8f6f5306c3ded650e9bf \ - --hash=sha256:489f68441092827fcd590a99f91269d5fb3b5f9cca1da469f7fc3d5ef3bf3e37 \ - --hash=sha256:6141f08aad242372dff4b529b9d26c814e151e95d1a8c85d645a7eb11b0cb34a \ - --hash=sha256:7b27e69454d8f65d800bc61a3d05288cacf8e56b9b716b629b2b6977e85ceabe \ - --hash=sha256:87e4c3b6415e0ce6880023960d7bb7fc08acafc97a4e03c7ce8b6a49ad0c698e \ - --hash=sha256:8844740de53f3997175961c90ff4441e0ea7cb1d11e27b662258f8728f7623b2 \ - --hash=sha256:897c5d7d50341023f28b96afd0bf2553d67f3f46c12986d5ee02e517cf7d5c5a \ - --hash=sha256:8acb510475dd8dbce71533384b95a8b2ad204f10081c92d9d012d193bd4df884 \ - --hash=sha256:b3cad9f33c38a891c3adc3cedfa8171e5d1d696d03c850ecd454e16551b1308b \ - --hash=sha256:df5dabafa07d9beae719bf4df649cb6d825620f0bb3abf985df99fd0394dbbb6 \ - --hash=sha256:dfe717c980d3206d4810b5121566a1e07114b9dd470b6f9f6ebed3706c21517d \ - --hash=sha256:e88911392d0eef4019a1db64951eefd1081a6dda72e33ee4b5b77b32f1112a33 \ - --hash=sha256:f727a356e772c3cdc7752d8d9971e614670658f5219eda2449290c5c4a5c91cf +uv==0.4.18 \ + --hash=sha256:0c4cb31594cb2ed21bd3b603a207e99dfb9610c3db44da9dbbff0f237270f582 \ + --hash=sha256:157e4a2c063b270de348862dd31abfe600d5601183fd2a6efe552840ac179626 \ + --hash=sha256:1944c0ee567ca7db60705c5d213a75b25601094b026cc17af3e704651c1e3753 \ + --hash=sha256:1b59d742b81c7acf75a3aac71d9b24e07407e044bebcf39d3fc3c87094014e20 \ + 
--hash=sha256:3e3ade81af961f48517fcd99318192c9c635ef9a38a7ca65026af0c803c71906 \ + --hash=sha256:4be600474db6733078503012f2811c4383f490f77366e66b5f686316db52c870 \ + --hash=sha256:4ec60141f92c9667548ebad8daf4c13aabdb58b22c21dcd834641e791e55f289 \ + --hash=sha256:5234d47abe339c15c318e8b1bbd136ea61c4574503eda6944a5aaea91b7f6775 \ + --hash=sha256:6566448278b6849846b6c586fc86748c66aa53ed70f5568e713122543cc86a50 \ + --hash=sha256:8250148484e1b0f89ec19467946e86ee303619985c23228b5a2f2d94d15c6d8b \ + --hash=sha256:8af0b60adcfa2e87c77a3008d3ed6e0b577c0535468dc58e06f905ccbd27124f \ + --hash=sha256:954964eff8c7e2bc63dd4beeb8d45bcaddb5149a7ef29a36abd77ec76c8b837e \ + --hash=sha256:96c3ccee0fd8cf0a9d679407e157b76db1a854638a4ba4fa14f4d116b4e39b03 \ + --hash=sha256:ade18dbbeb05c8cba4f842cc15b20e59467069183f348844750901227df5008d \ + --hash=sha256:b08564c8c7e8b3665ad1d6c8924d4654451f96c956eb5f3b8ec995c77734163d \ + --hash=sha256:df225a568da01f3d7e126d886c3694c5a4a7d8b85162a4d6e97822716ca0e7c4 \ + --hash=sha256:f043c3c4514c149a00a86c3bf44df43062416d41002114e60df33895e8511c41 \ + --hash=sha256:fcc606da545d9a5ec5c2209e7eb2a4eb76627ad75df5eb5616c0b40789fe3933 From 56e001e28d3266819b20b291fa62b4f634e0aee4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 06:54:52 -0700 Subject: [PATCH 1160/1462] Bump tomli from 2.0.1 to 2.0.2 in /.github/requirements (#11687) Bumps [tomli](https://github.com/hukkin/tomli) from 2.0.1 to 2.0.2. - [Changelog](https://github.com/hukkin/tomli/blob/master/CHANGELOG.md) - [Commits](https://github.com/hukkin/tomli/compare/2.0.1...2.0.2) --- updated-dependencies: - dependency-name: tomli dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 07c6040dd9c2..2e0119b947fc 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -96,9 +96,9 @@ pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc # via cffi -tomli==2.0.1 \ - --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \ - --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f +tomli==2.0.2 \ + --hash=sha256:2ebe24485c53d303f690b0ec092806a085f07af5a5aa1464f3931eec36caaa38 \ + --hash=sha256:d46d457a85337051c36524bc5349dd91b1877838e2979ac5ced3e710ed8a60ed # via maturin # The following packages are considered to be unsafe in a requirements file: From dbae5c0d7b9e0c81da791a79eec28c6b05f938f4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 06:55:11 -0700 Subject: [PATCH 1161/1462] Bump check-sdist from 0.1.3 to 1.0.0 (#11685) Bumps [check-sdist](https://github.com/henryiii/check-sdist) from 0.1.3 to 1.0.0. - [Release notes](https://github.com/henryiii/check-sdist/releases) - [Commits](https://github.com/henryiii/check-sdist/compare/v0.1.3...v1.0.0) --- updated-dependencies: - dependency-name: check-sdist dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c547800a7582..49f5256a96ac 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -26,7 +26,7 @@ certifi==2024.8.30 # requests charset-normalizer==3.3.2 # via requests -check-sdist==0.1.3 ; python_full_version >= '3.8' +check-sdist==1.0.0 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) click==8.1.7 # via cryptography (pyproject.toml) From be1faef1a51ecc597e80b6f0dba5986fe8086708 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 16:50:32 +0000 Subject: [PATCH 1162/1462] Bump sphinx-rtd-theme from 3.0.0rc3 to 3.0.0rc4 (#11688) Bumps [sphinx-rtd-theme](https://github.com/readthedocs/sphinx_rtd_theme) from 3.0.0rc3 to 3.0.0rc4. - [Changelog](https://github.com/readthedocs/sphinx_rtd_theme/blob/master/docs/changelog.rst) - [Commits](https://github.com/readthedocs/sphinx_rtd_theme/compare/3.0.0rc3...3.0.0rc4) --- updated-dependencies: - dependency-name: sphinx-rtd-theme dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 49f5256a96ac..38906e414874 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -210,7 +210,7 @@ sphinx==8.0.2 ; python_full_version >= '3.10' # sphinx-rtd-theme # sphinxcontrib-jquery # sphinxcontrib-spelling -sphinx-rtd-theme==3.0.0rc3 ; python_full_version >= '3.8' +sphinx-rtd-theme==3.0.0rc4 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) sphinxcontrib-applehelp==1.0.2 ; python_full_version < '3.8' # via sphinx From 6245f3eb0e7fa2878d269a1874f24d47881388c5 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Wed, 2 Oct 2024 11:59:47 -0500 Subject: [PATCH 1163/1462] Bump packages that dependabot cannot (#11689) --- ci-constraints-requirements.txt | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 38906e414874..be0a3784d2ac 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -85,7 +85,7 @@ importlib-metadata==6.7.0 ; python_full_version < '3.8' # sphinx # sphinxcontrib-spelling # virtualenv -importlib-metadata==8.4.0 ; python_full_version >= '3.8' and python_full_version < '3.10.2' +importlib-metadata==8.5.0 ; python_full_version >= '3.8' and python_full_version < '3.10.2' # via # build # pytest-randomly @@ -176,7 +176,7 @@ pytest-xdist==3.5.0 ; python_full_version < '3.8' # via cryptography (pyproject.toml) pytest-xdist==3.6.1 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) -pytz==2024.1 ; python_full_version < '3.9' +pytz==2024.2 ; python_full_version < '3.9' # via babel readme-renderer==37.3 ; python_full_version < '3.8' # via cryptography (pyproject.toml) @@ -242,7 +242,14 @@ sphinxcontrib-serializinghtml==2.0.0 ; python_full_version >= '3.10' # via sphinx sphinxcontrib-spelling==8.0.0 # via cryptography (pyproject.toml) -tomli==2.0.1 ; python_full_version <= '3.11' +tomli==2.0.1 ; python_full_version < '3.8' + # via + # build + # coverage + # mypy + # nox + # pytest +tomli==2.0.2 ; python_full_version >= '3.8' and python_full_version <= '3.11' # via # build # check-sdist @@ -271,7 +278,7 @@ webencodings==0.5.1 ; python_full_version < '3.8' # via bleach zipp==3.15.0 ; python_full_version < '3.8' # via importlib-metadata -zipp==3.20.1 ; python_full_version >= '3.8' and python_full_version < '3.10.2' +zipp==3.20.2 ; python_full_version >= '3.8' and python_full_version < '3.10.2' # via # importlib-metadata # importlib-resources 
From 56e5c23ea935705042a149341f360d0a446a92a6 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 3 Oct 2024 03:19:47 +0000 Subject: [PATCH 1164/1462] Bump BoringSSL and/or OpenSSL in CI (#11691) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dac8ca2a9e08..422bcf333bf1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 02, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0eda639cb78a5cf0b479910d8c9a039e47ad36fe"}} - # Latest commit on the OpenSSL master branch, as of Oct 02, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "12d14de641c299ec080edc521f7080acc44e366f"}} + # Latest commit on the BoringSSL master branch, as of Oct 03, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f8cadd89744dffe7a566c458b80bf2846f213ff1"}} + # Latest commit on the OpenSSL master branch, as of Oct 03, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c262cc0c0444f617387adac3ed4cad9f05f9c526"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From a1c012be806369f2e20de7d604d9acdde1209621 Mon Sep 17 00:00:00 2001 
From: Udi Shalev Date: Thu, 3 Oct 2024 16:22:51 +0300 Subject: [PATCH 1165/1462] symbols renaming to match cryptography.hazmat.primitives.ciphers.base.CipherContext interface (#11692) --- src/rust/src/backend/ciphers.rs | 68 ++++++++++++++++----------------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 142175eb2471..8c90fe32e3d8 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs 
@@ -156,41 +156,41 @@ impl CipherContext { fn update<'p>( &mut self, py: pyo3::Python<'p>, - buf: &[u8], + data: &[u8], ) -> CryptographyResult> { - let mut out_buf = vec![0; buf.len() + self.ctx.block_size()]; - let n = self.update_into(py, buf, &mut out_buf)?; - Ok(pyo3::types::PyBytes::new_bound(py, &out_buf[..n])) + let mut buf = vec![0; data.len() + self.ctx.block_size()]; + let n = self.update_into(py, data, &mut buf)?; + Ok(pyo3::types::PyBytes::new_bound(py, &buf[..n])) } pub(crate) fn update_into( &mut self, py: pyo3::Python<'_>, - buf: &[u8], - out_buf: &mut [u8], + data: &[u8], + buf: &mut [u8], ) -> CryptographyResult { - if out_buf.len() < (buf.len() + self.ctx.block_size() - 1) { + if buf.len() < (data.len() + self.ctx.block_size() - 1) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err(format!( "buffer must be at least {} bytes for this payload", - buf.len() + self.ctx.block_size() - 1 + data.len() + self.ctx.block_size() - 1 )), )); } let mut total_written = 0; - for chunk in buf.chunks(1 << 29) { + for chunk in data.chunks(1 << 29) { // SAFETY: We ensure that outbuf is sufficiently large above. unsafe { let n = if self.py_mode.bind(py).is_instance(&types::XTS.get(py)?)? { - self.ctx.cipher_update_unchecked(chunk, Some(&mut out_buf[total_written..])).map_err(|_| { + self.ctx.cipher_update_unchecked(chunk, Some(&mut buf[total_written..])).map_err(|_| { pyo3::exceptions::PyValueError::new_err( "In XTS mode you must supply at least a full block in the first update call. For AES this is 16 bytes." ) })? } else { self.ctx - .cipher_update_unchecked(chunk, Some(&mut out_buf[total_written..]))? + .cipher_update_unchecked(chunk, Some(&mut buf[total_written..]))? }; total_written += n; } 
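Review bot: The `// SAFETY: We ensure that outbuf is sufficiently large above.` comment in `update_into` still refers to `outbuf`, a name that no longer exists after this rename: the output slice is now `buf` and the input is `data`. That comment is the only stated justification for the two `cipher_update_unchecked` calls, so it should name the current identifiers and the bound being relied on, e.g. `// SAFETY: the length check above guarantees buf.len() >= data.len() + block_size - 1.` Because `buf` meant the input before this change, the stale wording is easy to misread when auditing the unsafe block. The body of `update_into` continues past the end of this hunk.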
@@ -199,8 +199,8 @@ impl CipherContext { Ok(total_written) } - fn authenticate_additional_data(&mut self, buf: &[u8]) -> CryptographyResult<()> { - self.ctx.cipher_update(buf, None)?; + fn authenticate_additional_data(&mut self, data: &[u8]) -> CryptographyResult<()> { + self.ctx.cipher_update(data, None)?; Ok(()) } @@ -268,9 +268,9 @@ impl PyCipherContext { fn update<'p>( &mut self, py: pyo3::Python<'p>, - buf: CffiBuf<'_>, + data: CffiBuf<'_>, ) -> CryptographyResult> { - get_mut_ctx(self.ctx.as_mut())?.update(py, buf.as_bytes()) + get_mut_ctx(self.ctx.as_mut())?.update(py, data.as_bytes()) } fn reset_nonce(&mut self, py: pyo3::Python<'_>, nonce: CffiBuf<'_>) -> CryptographyResult<()> { @@ -280,10 +280,10 @@ impl PyCipherContext { fn update_into( &mut self, py: pyo3::Python<'_>, - buf: CffiBuf<'_>, - mut out_buf: CffiMutBuf<'_>, + data: CffiBuf<'_>, + mut buf: CffiMutBuf<'_>, ) -> CryptographyResult { - get_mut_ctx(self.ctx.as_mut())?.update_into(py, buf.as_bytes(), out_buf.as_mut_bytes()) + get_mut_ctx(self.ctx.as_mut())?.update_into(py, data.as_bytes(), buf.as_mut_bytes()) } fn finalize<'p>( @@ -301,9 +301,9 @@ impl PyAEADEncryptionContext { fn update<'p>( &mut self, py: pyo3::Python<'p>, - buf: CffiBuf<'_>, + data: CffiBuf<'_>, ) -> CryptographyResult> { - let data = buf.as_bytes(); + let data = data.as_bytes(); self.updated = true; self.bytes_remaining = self @@ -318,10 +318,10 @@ impl PyAEADEncryptionContext { fn update_into( &mut self, py: pyo3::Python<'_>, - buf: CffiBuf<'_>, - mut out_buf: CffiMutBuf<'_>, + data: CffiBuf<'_>, + mut buf: CffiMutBuf<'_>, ) -> CryptographyResult { - let data = buf.as_bytes(); + let data = data.as_bytes(); self.updated = true; self.bytes_remaining = self 
@@ -330,10 +330,10 @@ impl PyAEADEncryptionContext { .ok_or_else(|| { pyo3::exceptions::PyValueError::new_err("Exceeded maximum encrypted byte limit") })?; - get_mut_ctx(self.ctx.as_mut())?.update_into(py, data, out_buf.as_mut_bytes()) + get_mut_ctx(self.ctx.as_mut())?.update_into(py, data, buf.as_mut_bytes()) } - fn authenticate_additional_data(&mut self, buf: CffiBuf<'_>) -> CryptographyResult<()> { + fn authenticate_additional_data(&mut self, data: CffiBuf<'_>) -> CryptographyResult<()> { let ctx = get_mut_ctx(self.ctx.as_mut())?; if self.updated { return Err(CryptographyError::from( @@ -341,7 +341,7 @@ impl PyAEADEncryptionContext { )); } - let data = buf.as_bytes(); + let data = data.as_bytes(); self.aad_bytes_remaining = self .aad_bytes_remaining .checked_sub(data.len().try_into().unwrap()) @@ -392,9 +392,9 @@ impl PyAEADDecryptionContext { fn update<'p>( &mut self, py: pyo3::Python<'p>, - buf: CffiBuf<'_>, + data: CffiBuf<'_>, ) -> CryptographyResult> { - let data = buf.as_bytes(); + let data = data.as_bytes(); self.updated = true; self.bytes_remaining = self @@ -409,10 +409,10 @@ impl PyAEADDecryptionContext { fn update_into( &mut self, py: pyo3::Python<'_>, - buf: CffiBuf<'_>, - mut out_buf: CffiMutBuf<'_>, + data: CffiBuf<'_>, + mut buf: CffiMutBuf<'_>, ) -> CryptographyResult { - let data = buf.as_bytes(); + let data = data.as_bytes(); self.updated = true; self.bytes_remaining = self 
@@ -421,10 +421,10 @@ impl PyAEADDecryptionContext { .ok_or_else(|| { pyo3::exceptions::PyValueError::new_err("Exceeded maximum encrypted byte limit") })?; - get_mut_ctx(self.ctx.as_mut())?.update_into(py, data, out_buf.as_mut_bytes()) + get_mut_ctx(self.ctx.as_mut())?.update_into(py, data, buf.as_mut_bytes()) } - fn authenticate_additional_data(&mut self, buf: CffiBuf<'_>) -> CryptographyResult<()> { + fn authenticate_additional_data(&mut self, data: CffiBuf<'_>) -> CryptographyResult<()> { let ctx = get_mut_ctx(self.ctx.as_mut())?; if self.updated { return Err(CryptographyError::from( @@ -432,7 +432,7 @@ impl PyAEADDecryptionContext { )); } - let data = buf.as_bytes(); + let data = data.as_bytes(); self.aad_bytes_remaining = self .aad_bytes_remaining .checked_sub(data.len().try_into().unwrap()) From e093bb20d6184eb98cbdfbcc6d8ef837433b716b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 4 Oct 2024 00:16:59 +0000 Subject: [PATCH 1166/1462] Bump BoringSSL and/or OpenSSL in CI (#11693) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 422bcf333bf1..50a8e367b721 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 03, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f8cadd89744dffe7a566c458b80bf2846f213ff1"}} - # Latest commit on the OpenSSL master branch, as of Oct 03, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c262cc0c0444f617387adac3ed4cad9f05f9c526"}} + # Latest commit on the BoringSSL master branch, as of Oct 04, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "76968bb3d53982560bcf08bcd0ba3e1865fe15cd"}} + # Latest commit on the OpenSSL master branch, as of Oct 04, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "93d1bb6dff0f0126ef1a5cac7b8693308763eb8a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From b1463595125b9341ac9647bc092501d3db95ebdf Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 4 Oct 2024 15:23:24 -0500 Subject: [PATCH 1167/1462] Resolve clippy warnings from nightly (#11695) --- src/rust/cryptography-x509/src/common.rs | 8 ++++---- src/rust/cryptography-x509/src/name.rs | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 0b9555314224..c79ff109bf3e 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs 
@@ -198,7 +198,7 @@ impl<'a> asn1::Asn1Readable<'a> for RawTlv<'a> { true } } -impl<'a> asn1::Asn1Writable for RawTlv<'a> { +impl asn1::Asn1Writable for RawTlv<'_> { fn write(&self, w: &mut asn1::Writer<'_>) -> asn1::WriteResult { w.write_tlv(self.tag, move |dest| dest.push_slice(self.value)) } @@ -471,7 +471,7 @@ impl<'a> asn1::SimpleAsn1Readable<'a> for UnvalidatedVisibleString<'a> { } } -impl<'a> asn1::SimpleAsn1Writable for UnvalidatedVisibleString<'a> { +impl asn1::SimpleAsn1Writable for UnvalidatedVisibleString<'_> { const TAG: asn1::Tag = asn1::VisibleString::TAG; fn write_data(&self, _: &mut asn1::WriteBuf) -> asn1::WriteResult { unimplemented!(); @@ -487,7 +487,7 @@ impl<'a> Utf8StoredBMPString<'a> { } } -impl<'a> asn1::SimpleAsn1Writable for Utf8StoredBMPString<'a> { +impl asn1::SimpleAsn1Writable for Utf8StoredBMPString<'_> { const TAG: asn1::Tag = asn1::BMPString::TAG; fn write_data(&self, writer: &mut asn1::WriteBuf) -> asn1::WriteResult { for ch in self.0.encode_utf16() { @@ -531,7 +531,7 @@ impl<'a, T: asn1::Asn1Readable<'a>> asn1::Asn1Readable<'a> for WithTlv<'a, T> { } } -impl<'a, T: asn1::Asn1Writable> asn1::Asn1Writable for WithTlv<'a, T> { +impl asn1::Asn1Writable for WithTlv<'_, T> { fn write(&self, w: &mut asn1::Writer<'_>) -> asn1::WriteResult<()> { self.value.write(w) } diff --git a/src/rust/cryptography-x509/src/name.rs b/src/rust/cryptography-x509/src/name.rs index 21b6cc8fca9a..41f097689345 100644 --- a/src/rust/cryptography-x509/src/name.rs +++ b/src/rust/cryptography-x509/src/name.rs @@ -35,7 +35,7 @@ impl<'a> asn1::SimpleAsn1Readable<'a> for UnvalidatedIA5String<'a> { } } -impl<'a> asn1::SimpleAsn1Writable for UnvalidatedIA5String<'a> { +impl asn1::SimpleAsn1Writable for UnvalidatedIA5String<'_> { const TAG: asn1::Tag = asn1::IA5String::TAG; fn write_data(&self, dest: &mut asn1::WriteBuf) -> asn1::WriteResult { dest.push_slice(self.0.as_bytes()) From 2b859ef1664660b5bf332bd8e22b9793621d8eaf Mon Sep 17 00:00:00 2001 
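Review bot: In the `@@ -471,7 +471,7 @@` hunk of common.rs, `UnvalidatedVisibleString::write_data` still consists of `unimplemented!()`, so any path that serializes this type would panic instead of returning an error through `WriteResult`; the lifetime-elision cleanup leaves that unchanged. If the type is meant to be parse-only, a comment above the macro such as `// Parse-only type: never written back out, so reaching this is a bug.` would record the invariant for later readers. Whether any writer can actually reach it cannot be determined from this hunk. The `impl` block closes outside the hunk.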
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 4 Oct 2024 20:30:13 +0000 Subject: [PATCH 1168/1462] Bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3 (#11694) Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.10.2 to 1.10.3. - [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases) - [Commits](https://github.com/pypa/gh-action-pypi-publish/compare/897895f1e160c830e369f9779632ebc134688e1b...f7600683efdcb7656dec5b29656edb7bc586e597) --- updated-dependencies: - dependency-name: pypa/gh-action-pypi-publish dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 10bd56c7064e..4c77c855b8bb 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -52,7 +52,7 @@ jobs: find tmpdist/ -type f -name 'cryptography*' -exec mv {} dist/ \; - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@897895f1e160c830e369f9779632ebc134688e1b # v1.10.2 + uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3 with: repository-url: ${{ env.PYPI_URL }} skip-existing: true From ff20270f6c4f0650a1c1a53f4394f421b129dd0f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 5 Oct 2024 00:16:27 +0000 Subject: [PATCH 1169/1462] Bump BoringSSL and/or OpenSSL in CI (#11697) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 50a8e367b721..d7d1704ab38c 100644 --- a/.github/workflows/ci.yml 
+++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Oct 04, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "76968bb3d53982560bcf08bcd0ba3e1865fe15cd"}} - # Latest commit on the OpenSSL master branch, as of Oct 04, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "93d1bb6dff0f0126ef1a5cac7b8693308763eb8a"}} + # Latest commit on the OpenSSL master branch, as of Oct 05, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "76c4f0e8ea6e885b2b0727c43778fe54ae224135"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 18d24bd1ae2c3b997fa4aad9b0df6278237e02a5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 5 Oct 2024 16:34:18 +0000 Subject: [PATCH 1170/1462] Bump actions/cache from 4.0.2 to 4.1.0 (#11699) Bumps [actions/cache](https://github.com/actions/cache) from 4.0.2 to 4.1.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/0c45773b623bea8c8e75f6c82b208c3cf94ea4f9...2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d7d1704ab38c..0ccae20f2d18 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -97,7 +97,7 @@ jobs: CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }} if: matrix.PYTHON.OPENSSL - name: Load OpenSSL cache - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 + uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0 id: ossl-cache timeout-minutes: 2 with: From 8c982c0f3b9bc96de02d55e1902f34cf4dd81e9e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 5 Oct 2024 16:34:38 +0000 Subject: [PATCH 1171/1462] Bump once_cell from 1.20.1 to 1.20.2 in /src/rust (#11698) Bumps [once_cell](https://github.com/matklad/once_cell) from 1.20.1 to 1.20.2. - [Changelog](https://github.com/matklad/once_cell/blob/master/CHANGELOG.md) - [Commits](https://github.com/matklad/once_cell/compare/v1.20.1...v1.20.2) --- updated-dependencies: - dependency-name: once_cell dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index a86df175f007..3f581f210229 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -176,12 +176,9 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.20.1" +version = "1.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "82881c4be219ab5faaf2ad5e5e5ecdff8c66bd7402ca3160975c93b24961afd1" -dependencies = [ - "portable-atomic", -] +checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775" [[package]] name = "openssl" From dfac0d36a7e6a2412d9d85de4713e3fe7fb13da6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 5 Oct 2024 16:38:03 +0000 Subject: [PATCH 1172/1462] Bump ruff from 0.6.8 to 0.6.9 (#11701) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.6.8 to 0.6.9. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.6.8...0.6.9) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index be0a3784d2ac..c088e531703c 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -188,7 +188,7 @@ requests==2.31.0 ; python_full_version < '3.8' # via sphinx requests==2.32.3 ; python_full_version >= '3.8' # via sphinx -ruff==0.6.8 +ruff==0.6.9 # via cryptography (pyproject.toml) six==1.16.0 ; python_full_version < '3.8' # via bleach From 38cde857a501df54d9e73a1728df33067696b08e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 5 Oct 2024 16:38:25 +0000 Subject: [PATCH 1173/1462] Bump cc from 1.1.24 to 1.1.25 in /src/rust (#11700) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.24 to 1.1.25. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.24...cc-v1.1.25) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 3f581f210229..94ecb3f686be 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.24" +version = "1.1.25" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "812acba72f0a070b003d3697490d2b55b837230ae7c6c6497f05cc2ddbb8d938" +checksum = "e8d9e0b4957f635b8d3da819d0db5603620467ecf1f692d22a8c2717ce27e6d8" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 82c6993c936a..fac347dd1307 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,7 +11,7 @@ pyo3 = { version = "0.22.3", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.24" +cc = "1.1.25" [lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(python_implementation, values("CPython", "PyPy"))'] } From 6fbdffed71219fba60878ad985833c6b4fbcaa51 Mon Sep 17 00:00:00 2001 From: Gonzalo Atienza <38573982+gonatienza@users.noreply.github.com> Date: Sun, 6 Oct 2024 20:57:57 -0400 Subject: [PATCH 1174/1462] otp-generage-hardening (#11703) --- src/cryptography/hazmat/primitives/twofactor/hotp.py | 10 +++++++++- src/cryptography/hazmat/primitives/twofactor/totp.py | 5 +++++ tests/hazmat/primitives/twofactor/test_hotp.py | 10 ++++++++++ tests/hazmat/primitives/twofactor/test_totp.py | 7 +++++++ 4 files changed, 31 insertions(+), 1 deletion(-) diff --git a/src/cryptography/hazmat/primitives/twofactor/hotp.py b/src/cryptography/hazmat/primitives/twofactor/hotp.py index af5ab6efe290..855a5d212ea3 100644 
--- a/src/cryptography/hazmat/primitives/twofactor/hotp.py +++ b/src/cryptography/hazmat/primitives/twofactor/hotp.py @@ -67,6 +67,9 @@ def __init__( self._algorithm = algorithm def generate(self, counter: int) -> bytes: + if not isinstance(counter, int): + raise TypeError("Counter parameter must be an integer type.") + truncated_value = self._dynamic_truncate(counter) hotp = truncated_value % (10**self._length) return "{0:0{1}}".format(hotp, self._length).encode() @@ -77,7 +80,12 @@ def verify(self, hotp: bytes, counter: int) -> None: def _dynamic_truncate(self, counter: int) -> int: ctx = hmac.HMAC(self._key, self._algorithm) - ctx.update(counter.to_bytes(length=8, byteorder="big")) + + try: + ctx.update(counter.to_bytes(length=8, byteorder="big")) + except OverflowError: + raise ValueError(f"Counter must be between 0 and {2 ** 64 - 1}.") + hmac_value = ctx.finalize() offset = hmac_value[len(hmac_value) - 1] & 0b1111 diff --git a/src/cryptography/hazmat/primitives/twofactor/totp.py b/src/cryptography/hazmat/primitives/twofactor/totp.py index 68a5077468e3..b9ed7349a14e 100644 --- a/src/cryptography/hazmat/primitives/twofactor/totp.py +++ b/src/cryptography/hazmat/primitives/twofactor/totp.py @@ -31,6 +31,11 @@ def __init__( ) def generate(self, time: int | float) -> bytes: + if not isinstance(time, (int, float)): + raise TypeError( + "Time parameter must be an integer type or float type." + ) + counter = int(time / self._time_step) return self._hotp.generate(counter) diff --git a/tests/hazmat/primitives/twofactor/test_hotp.py b/tests/hazmat/primitives/twofactor/test_hotp.py index 31e01a495256..acc6ba0dfd24 100644 --- a/tests/hazmat/primitives/twofactor/test_hotp.py +++ b/tests/hazmat/primitives/twofactor/test_hotp.py 
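Review bot: The new `isinstance(counter, int)` guard in `HOTP.generate` still lets `bool` through, because `bool` is a subclass of `int`, so `generate(True)` is treated as counter 1 instead of being rejected. If the hardening is meant to reject anything that is not a real counter, the check could read `if isinstance(counter, bool) or not isinstance(counter, int):`. The method also has no docstring; a short one stating that it raises `TypeError` for a non-integer counter and `ValueError` for one outside the 64-bit range would tell callers what to catch. `verify` presumably reaches the same checks, but its body is outside the hunk, so that should be confirmed.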
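Review bot: In `_dynamic_truncate` the `ValueError` is raised inside `except OverflowError:` without a `from` clause, so callers get an implicitly chained traceback; `raise ValueError(f"Counter must be between 0 and {2 ** 64 - 1}.") from None` states the intent. The `try` also wraps `ctx.update(...)`, although the overflow being handled comes from `counter.to_bytes(...)`. Doing the conversion alone inside the `try` and calling `ctx.update` afterwards keeps an unrelated failure from being reported as a counter-range error. Negative counters raise the same `OverflowError`, which matches the lower bound of 0 in the message. The function body continues past the end of the hunk.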
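Review bot: The type check in `TOTP.generate` accepts every `float`, including `nan` and `inf`, and those fail on the next line in `int(time / self._time_step)` with an error from `int()` that says nothing about the time argument. The `OverflowError` handler added in `HOTP._dynamic_truncate` is never reached for them because the conversion fails first. A negative time smaller in magnitude than one time step also truncates to counter 0 and yields a normal-looking code. If negative times are not meant to be supported, a range check after the type check would cover both, for example `if not math.isfinite(time) or time < 0: raise ValueError("Time parameter must be a finite, non-negative number.")`; it needs `import math`, which is outside this hunk. As in `HOTP.generate`, `bool` passes the `isinstance` check.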
@@ -107,3 +107,13 @@ def test_buffer_protocol(self, backend): key = bytearray(b"a long key with lots of entropy goes here") hotp = HOTP(key, 6, SHA1(), backend) assert hotp.generate(10) == b"559978" + + def test_invalid_counter(self, backend): + key = os.urandom(16) + hotp = HOTP(key, 6, SHA1(), backend) + + with pytest.raises(TypeError): + hotp.generate(2.5) # type: ignore[arg-type] + + with pytest.raises(ValueError): + hotp.generate(2**64) diff --git a/tests/hazmat/primitives/twofactor/test_totp.py b/tests/hazmat/primitives/twofactor/test_totp.py index f68a8339c443..00c7a7a2d1e0 100644 --- a/tests/hazmat/primitives/twofactor/test_totp.py +++ b/tests/hazmat/primitives/twofactor/test_totp.py @@ -142,3 +142,10 @@ def test_buffer_protocol(self, backend): totp = TOTP(key, 8, hashes.SHA512(), 30, backend) time = 60 assert totp.generate(time) == b"53049576" + + def test_invalid_time(self, backend): + key = b"12345678901234567890" + totp = TOTP(key, 8, hashes.SHA1(), 30, backend) + + with pytest.raises(TypeError): + totp.generate("test") # type: ignore[arg-type] From 85b4aa3f83874def235ad5a4c362f59138275d90 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 07:03:23 -0400 Subject: [PATCH 1175/1462] Bump build from 1.2.2 to 1.2.2.post1 (#11704) Bumps [build](https://github.com/pypa/build) from 1.2.2 to 1.2.2.post1. - [Release notes](https://github.com/pypa/build/releases) - [Changelog](https://github.com/pypa/build/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/build/compare/1.2.2...1.2.2.post1) --- updated-dependencies: - dependency-name: build dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
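Review bot: `test_invalid_counter` pins the upper bound (`2**64`) but not the lower one, although the error message in `hotp.py` promises a range starting at 0 and negative counters go through the same `OverflowError` branch. Adding `with pytest.raises(ValueError): hotp.generate(-1)` would lock that in, and a call with `2**64 - 1` that succeeds would pin the last accepted value. `test_invalid_time` in the `test_totp.py` hunk likewise exercises only a `str`; `float("nan")` and `float("inf")` are the inputs worth a case there, since they pass the new type check.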
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c088e531703c..69c0a37bcc71 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -16,7 +16,7 @@ bleach==6.0.0 ; python_full_version < '3.8' # via readme-renderer build==1.1.1 ; python_full_version < '3.8' # via cryptography (pyproject.toml) -build==1.2.2 ; python_full_version >= '3.8' +build==1.2.2.post1 ; python_full_version >= '3.8' # via # cryptography (pyproject.toml) # check-sdist From a1a0081e33a683394f6447f1891b43e65b453a4f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 07:03:51 -0400 Subject: [PATCH 1176/1462] Bump argcomplete from 3.5.0 to 3.5.1 (#11705) Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.5.0 to 3.5.1. - [Release notes](https://github.com/kislyuk/argcomplete/releases) - [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/argcomplete/compare/v3.5.0...v3.5.1) --- updated-dependencies: - dependency-name: argcomplete dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 69c0a37bcc71..5851b8083349 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -6,7 +6,7 @@ alabaster==1.0.0 ; python_full_version >= '3.10' # via sphinx argcomplete==3.1.2 ; python_full_version < '3.8' # via nox -argcomplete==3.5.0 ; python_full_version >= '3.8' +argcomplete==3.5.1 ; python_full_version >= '3.8' # via nox babel==2.14.0 ; python_full_version < '3.8' # via sphinx From 50c9920d80b8626b81e1cce85ea023ba6c5d7c8f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 07:04:12 -0400 Subject: [PATCH 1177/1462] Bump sphinx-rtd-theme from 3.0.0rc4 to 3.0.0 (#11706) Bumps [sphinx-rtd-theme](https://github.com/readthedocs/sphinx_rtd_theme) from 3.0.0rc4 to 3.0.0. - [Changelog](https://github.com/readthedocs/sphinx_rtd_theme/blob/master/docs/changelog.rst) - [Commits](https://github.com/readthedocs/sphinx_rtd_theme/compare/3.0.0rc4...3.0.0) --- updated-dependencies: - dependency-name: sphinx-rtd-theme dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 5851b8083349..cbc1a9713a4a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -210,7 +210,7 @@ sphinx==8.0.2 ; python_full_version >= '3.10' # sphinx-rtd-theme # sphinxcontrib-jquery # sphinxcontrib-spelling -sphinx-rtd-theme==3.0.0rc4 ; python_full_version >= '3.8' +sphinx-rtd-theme==3.0.0 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) sphinxcontrib-applehelp==1.0.2 ; python_full_version < '3.8' # via sphinx From 48e3404e495d5e47f924145819c58d4b58387941 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 07:06:06 -0400 Subject: [PATCH 1178/1462] Bump cc from 1.1.25 to 1.1.28 in /src/rust (#11707) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.25 to 1.1.28. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.25...cc-v1.1.28) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 94ecb3f686be..a4d4976ac8bf 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.25" +version = "1.1.28" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e8d9e0b4957f635b8d3da819d0db5603620467ecf1f692d22a8c2717ce27e6d8" +checksum = "2e80e3b6a3ab07840e1cae9b0666a63970dc28e8ed5ffbcdacbfc760c281bfc1" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index fac347dd1307..0414c3ad6153 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,7 +11,7 @@ pyo3 = { version = "0.22.3", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.25" +cc = "1.1.28" [lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(python_implementation, values("CPython", "PyPy"))'] } From 3d43e3398e8913bd0601a1335b61053ac790e746 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Mon, 7 Oct 2024 08:36:41 -0400 Subject: [PATCH 1179/1462] Drop pre-release from sphinx-rtd-theme dep (#11708) --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 4f9fab38d563..5202e4a9e43e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -74,7 +74,7 @@ test = [ "certifi", ] test-randomorder = ["pytest-randomly"] -docs = ["sphinx >=5.3.0", "sphinx-rtd-theme >=3.0.0rc1; python_version >= '3.8'"] +docs = ["sphinx >=5.3.0", "sphinx-rtd-theme >=3.0.0; python_version >= '3.8'"] docstest = ["pyenchant >=1.6.11", "readme-renderer", "sphinxcontrib-spelling >=4.0.1"] sdist = ["build"] # `click` included because its needed to type check `release.py` From fecf8abe05055401f7f534a5bfc656c84d7939a8 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 7 Oct 2024 10:24:07 -0400 Subject: [PATCH 1180/1462] 3.4.0-beta1 test (#11710) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0ccae20f2d18..638acb515367 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -40,7 +40,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.3", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.7"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.3"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.4.0-alpha1"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.4.0-beta1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} From 223fd2612778ff34788e39dc1541e2e67af8c4fc Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 8 Oct 2024 00:16:32 +0000 Subject: [PATCH 1181/1462] Bump BoringSSL and/or OpenSSL in CI (#11712) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 638acb515367..3410566fae87 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 04, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "76968bb3d53982560bcf08bcd0ba3e1865fe15cd"}} - # Latest commit on the OpenSSL master branch, as of Oct 05, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "76c4f0e8ea6e885b2b0727c43778fe54ae224135"}} + # Latest commit on the BoringSSL master branch, as of Oct 08, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fa0214602cc5502c2d1e12cc4692d1045a993aba"}} + # Latest commit on the OpenSSL master branch, as of Oct 08, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0a2a8d970f408af595fd699b2675ba45a26c169b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From ee0fb00b499d421cba82b9cc755217c2c0e64870 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 8 Oct 2024 00:34:54 +0000 Subject: [PATCH 1182/1462] Bump x509-limbo and/or wycheproof in CI (#11713) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 5092e296da9c..e462ce38f89a 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Oct 01, 2024. - ref: "b9affa376b1e544f027e1a88299a3230ab5e26bc" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Oct 08, 2024. + ref: "0478ea6ce08c0202c436cd0698be8a7a66cf653c" # x509-limbo-ref From 84c170d587e55e5b91e54c66c56c40e4e8433cc6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Oct 2024 07:01:41 -0400 Subject: [PATCH 1183/1462] Bump markupsafe from 2.1.5 to 3.0.0 (#11715) Bumps [markupsafe](https://github.com/pallets/markupsafe) from 2.1.5 to 3.0.0. - [Release notes](https://github.com/pallets/markupsafe/releases) - [Changelog](https://github.com/pallets/markupsafe/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/markupsafe/compare/2.1.5...3.0.0) --- updated-dependencies: - dependency-name: markupsafe dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index cbc1a9713a4a..c47c307a8b44 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -96,7 +96,7 @@ iniconfig==2.0.0 # via pytest jinja2==3.1.4 # via sphinx -markupsafe==2.1.5 +markupsafe==3.0.0 # via jinja2 mypy==1.4.1 ; python_full_version < '3.8' # via cryptography (pyproject.toml) From b4c5918875f9b6b62ae61e7038e34005d7b2826b Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Oct 2024 07:02:41 -0400 Subject: [PATCH 1184/1462] Bump actions/upload-artifact from 4.4.0 to 4.4.1 (#11717) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.4.0 to 4.4.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/50769540e7f4bd5e21e526ee35c689e35e0d6874...604373da6381bf24206979c74d06a550515601b9) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/wheel-builder.yml | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3410566fae87..d8e049434ca2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -479,14 +479,14 @@ jobs: run: python -m coverage html if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload HTML report. - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 with: name: _html-report path: htmlcov if-no-files-found: ignore if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload rust HTML report. - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 with: name: _html-rust-report path: rust-coverage diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index b90a3dff66ff..1ead0dbca3db 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml 
@@ -40,11 +40,11 @@ jobs: run: uv build --build-constraint=$BUILD_REQUIREMENTS_PATH --require-hashes --sdist - name: Make sdist and wheel (vectors) run: uv build --build-constraint=$BUILD_REQUIREMENTS_PATH --require-hashes vectors/ - - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 with: name: "cryptography-sdist" path: dist/cryptography* - - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 with: name: "vectors-sdist-wheel" path: vectors/dist/cryptography* @@ -140,7 +140,7 @@ jobs: - run: | echo "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" | uv run - - - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: wheelhouse/ @@ -250,7 +250,7 @@ jobs: - run: | echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls wheelhouse/cryptography*.whl))" >> $GITHUB_ENV - - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 with: name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}" path: wheelhouse/ 
@@ -333,7 +333,7 @@ jobs: run: | echo "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" | uv run - - - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: wheelhouse\ From 0e11755c4fee5e479bb00fe512de97da0993f777 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20Posp=C3=AD=C5=A1il?= Date: Tue, 8 Oct 2024 13:05:22 +0200 Subject: [PATCH 1185/1462] Don't include engine.h when OPENSSL_NO_ENGINE is defined (#11714) Fedora 41 and RHEL 10 are deprecating and phasing out OpenSSL ENGINE support. Downstream has moved `openssl/engine.h` into a separate RPM package and is recompiling packages with `-DOPENSSL_NO_ENGINE=1`. The compiler flag disables PyCA cryptography's ENGINE support successfully. We also like to build the downstream package without the `engine.h` header file present. This commit makes the include conditional. The `ENGINE` type is defined in `openssl/types.h`. See: https://src.fedoraproject.org/rpms/openssl/c/e67e9d9c40cd2cb9547e539c658e2b63f2736762?branch=rawhide See: https://issues.redhat.com/browse/RHEL-33747 Signed-off-by: Christian Heimes Co-authored-by: Christian Heimes --- src/_cffi_src/openssl/engine.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py index 9629a2c8f929..f47e20327003 100644 --- a/src/_cffi_src/openssl/engine.py +++ b/src/_cffi_src/openssl/engine.py @@ -5,7 +5,9 @@ from __future__ import annotations INCLUDES = """ +#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL #include +#endif """ TYPES = """ 
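Review bot: The new guard `#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL` relies on `CRYPTOGRAPHY_IS_LIBRESSL` already being defined when this `INCLUDES` string is preprocessed. An undefined identifier in `#if` silently evaluates to 0, so if the definition ever moved after this module, a LibreSSL build that defines `OPENSSL_NO_ENGINE` would lose the header with no diagnostic. The macro's definition is not in this hunk, so the ordering is worth confirming and recording next to the guard. A comment inside the string such as `/* Skip engine.h only on OpenSSL built with OPENSSL_NO_ENGINE; LibreSSL always includes it. CRYPTOGRAPHY_IS_LIBRESSL must be defined before this block. */` would make the dependency visible.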
From 0d848b42382b87e6595ce46aef50f688ccad519e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Oct 2024 07:06:47 -0400 Subject: [PATCH 1186/1462] Bump actions/checkout from 4.2.0 to 4.2.1 (#11718) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.0 to 4.2.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/d632683dd7b4114ad314bca15554477dd762a938...eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 4 ++-- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/ci.yml | 12 ++++++------ .github/workflows/linkcheck.yml | 2 +- .github/workflows/wheel-builder.yml | 8 ++++---- .github/workflows/x509-limbo-version-bump.yml | 2 +- 6 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 3275d57b2996..9d308ff37a3c 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -26,12 +26,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 timeout-minutes: 3 with: persist-credentials: false path: "cryptography-pr" - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 timeout-minutes: 3 with: persist-credentials: false 
diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 33652a071e65..6032b8d325b9 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: # Needed so we can push back to the repo persist-credentials: true diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d8e049434ca2..61180a01bca2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -59,7 +59,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-rust-debug"} timeout-minutes: 15 steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 timeout-minutes: 3 with: persist-credentials: false @@ -183,7 +183,7 @@ jobs: sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release if: matrix.IMAGE.IMAGE == 'alpine:aarch64' - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 timeout-minutes: 3 with: persist-credentials: false @@ -234,7 +234,7 @@ jobs: RUNNER: {OS: 'macos-14', ARCH: 'arm64'} timeout-minutes: 15 steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 timeout-minutes: 3 with: persist-credentials: false @@ -298,7 +298,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests"} timeout-minutes: 15 steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 timeout-minutes: 3 with: persist-credentials: false 
@@ -372,7 +372,7 @@ jobs: name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 timeout-minutes: 3 with: persist-credentials: false @@ -416,7 +416,7 @@ jobs: if: ${{ always() }} timeout-minutes: 3 steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 timeout-minutes: 3 with: persist-credentials: false diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index da777fb02b38..dc530ab64f61 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -20,7 +20,7 @@ jobs: name: "linkcheck" timeout-minutes: 10 steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: persist-credentials: false - name: Setup python diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 1ead0dbca3db..6219139a527e 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest name: sdists steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} 
@@ -99,7 +99,7 @@ jobs: if: startsWith(matrix.MANYLINUX.NAME, 'musllinux') && endsWith(matrix.MANYLINUX.NAME, 'aarch64') - name: Get build-requirements.txt from repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -184,7 +184,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -275,7 +275,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 512e2fda8f6a..7d6a9e59c886 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: # Needed so we can push back to the repo persist-credentials: true From 543e4898f9ae2d24e361a85d15ddd660df24b0b3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Oct 2024 07:09:44 -0400 Subject: [PATCH 1187/1462] Bump uv from 0.4.18 to 0.4.19 in /.github/requirements (#11716) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.18 to 0.4.19. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.18...0.4.19) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index ecaf5acc9c32..0418806205ac 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.18 \ - --hash=sha256:0c4cb31594cb2ed21bd3b603a207e99dfb9610c3db44da9dbbff0f237270f582 \ - --hash=sha256:157e4a2c063b270de348862dd31abfe600d5601183fd2a6efe552840ac179626 \ - --hash=sha256:1944c0ee567ca7db60705c5d213a75b25601094b026cc17af3e704651c1e3753 \ - --hash=sha256:1b59d742b81c7acf75a3aac71d9b24e07407e044bebcf39d3fc3c87094014e20 \ - --hash=sha256:3e3ade81af961f48517fcd99318192c9c635ef9a38a7ca65026af0c803c71906 \ - --hash=sha256:4be600474db6733078503012f2811c4383f490f77366e66b5f686316db52c870 \ - --hash=sha256:4ec60141f92c9667548ebad8daf4c13aabdb58b22c21dcd834641e791e55f289 \ - --hash=sha256:5234d47abe339c15c318e8b1bbd136ea61c4574503eda6944a5aaea91b7f6775 \ - --hash=sha256:6566448278b6849846b6c586fc86748c66aa53ed70f5568e713122543cc86a50 \ - --hash=sha256:8250148484e1b0f89ec19467946e86ee303619985c23228b5a2f2d94d15c6d8b \ - --hash=sha256:8af0b60adcfa2e87c77a3008d3ed6e0b577c0535468dc58e06f905ccbd27124f \ - --hash=sha256:954964eff8c7e2bc63dd4beeb8d45bcaddb5149a7ef29a36abd77ec76c8b837e \ - --hash=sha256:96c3ccee0fd8cf0a9d679407e157b76db1a854638a4ba4fa14f4d116b4e39b03 \ - --hash=sha256:ade18dbbeb05c8cba4f842cc15b20e59467069183f348844750901227df5008d \ - --hash=sha256:b08564c8c7e8b3665ad1d6c8924d4654451f96c956eb5f3b8ec995c77734163d \ - --hash=sha256:df225a568da01f3d7e126d886c3694c5a4a7d8b85162a4d6e97822716ca0e7c4 \ - --hash=sha256:f043c3c4514c149a00a86c3bf44df43062416d41002114e60df33895e8511c41 \ - --hash=sha256:fcc606da545d9a5ec5c2209e7eb2a4eb76627ad75df5eb5616c0b40789fe3933 +uv==0.4.19 \ + --hash=sha256:05701336c1d32f375cf491594b2ed629dab59f58771cefd65a0b1e057b2e89cc \ + --hash=sha256:0f2faf007734294020dd7ace4d1644409c2905c467da0b127ab08738d18028b2 \ + --hash=sha256:12bf974a29cef86640e450b310d8f02e8da9a491f8370768acf77ed329444354 \ + --hash=sha256:13b26e2a84a8bad312f2ada6d00c33bd2856f0b034c22719b20b83fb785d4d7b \ + 
--hash=sha256:26fdfc0e0a33e71acd6887c0d5098536c65058d52b3e59698aa12b2e797f59f7 \ + --hash=sha256:508cab0c3ecdf46d33f9fc968726652f5cadc5ef22148b1d3c0f74dddc5ab9e5 \ + --hash=sha256:552bfbd6266eaa7aefef92fc8ff39e0a60e0306053daf21eabd76338f74dad3a \ + --hash=sha256:7d33befa9715683794d734fbb3ff69512518258bc9341537a1f70ec7123d0e3c \ + --hash=sha256:7d63288b4a4ab2a3eb0bb493632eb483b08d062d586bfbef95339ade9df03473 \ + --hash=sha256:99d7cb456f0c6f15f725134ce0e577fda690131f1c4e3f5b3279be31509ed495 \ + --hash=sha256:a43ef94d9ac7adec14d84fd1b51263bce5a689bc66e308ce1be7d0df73d9196d \ + --hash=sha256:c0bfcdc084e2cdad771c0ee01c89efe7311f318c075ba1b47f6b7a0b144456b2 \ + --hash=sha256:c15bdf8bb443d4f27369522f882229e908eeccb7c17d0f0c5d33a02570657f37 \ + --hash=sha256:c198d0f9ec659b69c4b95bcddf99e51f7d3b89701ccb017ea0bcfdb180e1afd8 \ + --hash=sha256:c35c295cdbc391d507649ba2556f4149854e278bb40320be2572baa841ec4124 \ + --hash=sha256:d53399b9d35fe20bb610e207f3bac2a0da67e4bc7f39710f4947f0c69d3e72e3 \ + --hash=sha256:dba5ef7fb32129d77b4876de9ef0888849a112220c6d399823c1f266d009e630 \ + --hash=sha256:fbc20b677ada15bd4c2783699a408973164add9977603115b35f1ffe84bf8b30 From 578230134c0bcd80274ee1b1d3b10aad67718dc5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Oct 2024 11:13:31 +0000 Subject: [PATCH 1188/1462] Bump actions/checkout in /.github/actions/fetch-vectors (#11719) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.0 to 4.2.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/d632683dd7b4114ad314bca15554477dd762a938...eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index e462ce38f89a..5753b5f79bc3 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -5,14 +5,14 @@ runs: using: "composite" steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: repository: "C2SP/wycheproof" path: "wycheproof" # Latest commit on the wycheproof master branch, as of Apr 09, 2024. ref: "cd27d6419bedd83cbd24611ec54b6d4bfdb0cdca" # wycheproof-ref - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: repository: "C2SP/x509-limbo" path: "x509-limbo" From ed2bf4d6d7b60950e666e753922d6cb428389817 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Oct 2024 11:19:20 +0000 Subject: [PATCH 1189/1462] Bump actions/upload-artifact in /.github/actions/upload-coverage (#11720) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.4.0 to 4.4.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/50769540e7f4bd5e21e526ee35c689e35e0d6874...604373da6381bf24206979c74d06a550515601b9) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/upload-coverage/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index 90d258910e10..4c5e68cb380f 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,7 +13,7 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 with: name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }} path: | From e908beaffc2ef72a64e9d429b8f87bd68f4f611b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Oct 2024 11:42:00 +0000 Subject: [PATCH 1190/1462] Bump proc-macro2 from 1.0.86 to 1.0.87 in /src/rust (#11722) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.86 to 1.0.87. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.86...1.0.87) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index a4d4976ac8bf..ffa6c812dd42 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -241,9 +241,9 @@ checksum = "cc9c68a3f6da06753e9335d63e27f6b9754dd1920d941135b7ea8224f141adb2" [[package]] name = "proc-macro2" -version = "1.0.86" +version = "1.0.87" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77" +checksum = "b3e4daa0dcf6feba26f985457cdf104d4b4256fc5a09547140f3631bb076b19a" dependencies = [ "unicode-ident", ] From 594e5d525c8d9aba6ed0f02e7c0c46843db1786b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 8 Oct 2024 08:15:16 -0400 Subject: [PATCH 1191/1462] Rebuild ci-constraints-requirements.txt (#11721) The 3.0.0 worked ok because its only used from the docs extra which is 3.12 only --- ci-constraints-requirements.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c47c307a8b44..d0c5dc6f75e5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -96,7 +96,9 @@ iniconfig==2.0.0 # via pytest jinja2==3.1.4 # via sphinx -markupsafe==3.0.0 +markupsafe==2.1.5 ; python_full_version < '3.10' + # via jinja2 +markupsafe==3.0.0 ; python_full_version >= '3.10' # via jinja2 mypy==1.4.1 ; python_full_version < '3.8' # via cryptography (pyproject.toml) From 714538e1294e05a4489ecb91872ff2eb42c8eb52 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 8 Oct 2024 12:19:50 -0400 Subject: [PATCH 1192/1462] Update CI for 3.13 release (#11711) --- .github/workflows/ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 61180a01bca2..622a4994b68d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -30,7 +30,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "flake"} - {VERSION: "3.12", NOXSESSION: "rust"} - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.3"}} - - {VERSION: "3.13-dev", NOXSESSION: "tests"} + - {VERSION: "3.13", NOXSESSION: "tests"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.15"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.7"}} @@ -227,7 +227,7 @@ jobs: - {OS: 'macos-14', ARCH: 'arm64'} PYTHON: - {VERSION: "3.7", NOXSESSION: "tests"} - - {VERSION: "3.12", NOXSESSION: "tests"} + - {VERSION: "3.13", NOXSESSION: "tests"} exclude: # We only test latest Python on arm64. py37 won't work since there's no universal2 binary - PYTHON: {VERSION: "3.7", NOXSESSION: "tests"} @@ -295,7 +295,7 @@ jobs: - {ARCH: 'x64', WINDOWS: 'win64'} PYTHON: - {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} - - {VERSION: "3.12", NOXSESSION: "tests"} + - {VERSION: "3.13", NOXSESSION: "tests"} timeout-minutes: 15 steps: - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 From 9d90c4bb939502d7dc7c4a2a46faa61115d30c99 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 8 Oct 2024 14:55:28 -0400 Subject: [PATCH 1193/1462] fixes #11723 -- add a comment for another source of bad certs (#11724) --- src/rust/src/x509/certificate.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 454f63ad5119..b9e331a72ddc 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs 
@@ -467,6 +467,8 @@ fn warn_if_invalid_params( | AlgorithmParameters::DsaWithSha256(Some(..)) | AlgorithmParameters::DsaWithSha384(Some(..)) | AlgorithmParameters::DsaWithSha512(Some(..)) => { + // This can also be triggered by an Intel On Die certificate + // https://github.com/pyca/cryptography/issues/11723 let warning_cls = types::DEPRECATED_IN_41.get(py)?; pyo3::PyErr::warn_bound( py, From cb0a83fe1ede99f329991b9784eaeeb13d113def Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 9 Oct 2024 00:17:14 +0000 Subject: [PATCH 1194/1462] Bump BoringSSL and/or OpenSSL in CI (#11725) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 622a4994b68d..da7e682a1ead 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 08, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fa0214602cc5502c2d1e12cc4692d1045a993aba"}} - # Latest commit on the OpenSSL master branch, as of Oct 08, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0a2a8d970f408af595fd699b2675ba45a26c169b"}} + # Latest commit on the BoringSSL master branch, as of Oct 09, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d0a175601b9e180ce58cb1e33649057f5c484146"}} + # Latest commit on the OpenSSL master branch, as of Oct 09, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6f08353a4b816fc04ab53880855b0d79c833e777"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 1767ad0a462f47a0112221ca7e7cf1684a9b1869 Mon Sep 17 00:00:00 2001 
From: Ivan Desiatov <76527282+deivse@users.noreply.github.com> Date: Wed, 9 Oct 2024 04:27:15 +0200 Subject: [PATCH 1195/1462] X509 custom verification groundwork (#11559) * Add CustomPolicyBuilder foundation. * Add EKU getters to ClientVerifier and ServerVerifier. * Document the implemented part of custom verification. * Remove `subject` field from VerifiedClient, rename `sans` back to `subjects`. * Remove EKU-related setters, getters and documentation from this PR. * Use double backticks in reStructuredText. * Remove CustomPolicyBuilder in favor of extending PolicyBuilder. * Code style improvements. * Resolve coverage issues. --- docs/spelling_wordlist.txt | 1 + docs/x509/verification.rst | 7 ++- .../hazmat/bindings/_rust/x509.pyi | 2 +- src/rust/src/x509/verify.rs | 44 ++++++++++++------- tests/x509/verification/test_verification.py | 1 + 5 files changed, 37 insertions(+), 18 deletions(-) diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 6a0282266821..f8e6d4232ae0 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -140,6 +140,7 @@ unencrypted unicode unpadded unpadding +validator Ventura verifier Verifier diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index b0e1daee2994..70aafd48f94c 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -111,12 +111,15 @@ the root of trust: .. versionadded:: 43.0.0 + .. versionchanged:: 44.0.0 + Made ``subjects`` optional with the addition of custom extension policies. + .. attribute:: subjects - :type: list of :class:`~cryptography.x509.GeneralName` + :type: list of :class:`~cryptography.x509.GeneralName` or None The subjects presented in the verified client's Subject Alternative Name - extension. + extension or ``None`` if the extension is not present. .. attribute:: chain diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index aa85657fcfd8..983200df5e45 100644 
--- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi @@ -69,7 +69,7 @@ class PolicyBuilder: class VerifiedClient: @property - def subjects(self) -> list[x509.GeneralName]: ... + def subjects(self) -> list[x509.GeneralName] | None: ... @property def chain(self) -> list[x509.Certificate]: ... diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index dbe95a494267..face9acf674f 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -75,6 +75,16 @@ pub(crate) struct PolicyBuilder { max_chain_depth: Option, } +impl PolicyBuilder { + fn py_clone(&self, py: pyo3::Python<'_>) -> PolicyBuilder { + PolicyBuilder { + time: self.time.clone(), + store: self.store.as_ref().map(|s| s.clone_ref(py)), + max_chain_depth: self.max_chain_depth, + } + } +} + #[pyo3::pymethods] impl PolicyBuilder { #[new] @@ -95,18 +105,20 @@ impl PolicyBuilder { Ok(PolicyBuilder { time: Some(py_to_datetime(py, new_time)?), - store: self.store.as_ref().map(|s| s.clone_ref(py)), - max_chain_depth: self.max_chain_depth, + ..self.py_clone(py) }) } - fn store(&self, new_store: pyo3::Py) -> CryptographyResult { + fn store( + &self, + py: pyo3::Python<'_>, + new_store: pyo3::Py, + ) -> CryptographyResult { policy_builder_set_once_check!(self, store, "trust store"); Ok(PolicyBuilder { - time: self.time.clone(), store: Some(new_store), - max_chain_depth: self.max_chain_depth, + ..self.py_clone(py) }) } @@ -118,9 +130,8 @@ impl PolicyBuilder { policy_builder_set_once_check!(self, max_chain_depth, "maximum chain depth"); Ok(PolicyBuilder { - time: self.time.clone(), - store: self.store.as_ref().map(|s| s.clone_ref(py)), max_chain_depth: Some(new_max_chain_depth), + ..self.py_clone(py) }) } 
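Review bot: The return type of `VerifiedClient.subjects` widens to `list[x509.GeneralName] | None` in this stub, which is a breaking change for typed callers, and the commit's diffstat lists no `CHANGELOG.rst` entry for it. Code that does `name in verified_client.subjects` will stop type-checking now and would raise `TypeError` once `None` is actually returned. The test hunk in this same commit already needs `assert verified_client.subjects is not None` to narrow the type. I would add a changelog line next to the `versionchanged:: 44.0.0` note in `docs/x509/verification.rst`, telling callers that base an authorization decision on `subjects` to handle `None` explicitly.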
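Review bot: The new private `py_clone` helper in the first `verify.rs` hunk has no comment saying why `PolicyBuilder` gets a hand-written copy rather than a derived `Clone`. The body suggests the reason: `store` is duplicated with `clone_ref(py)`, which needs the `py` token, and that is presumably also why the `store` setter gains a `py` parameter in the next hunk. All three setters now rely on it through `..self.py_clone(py)`, so a one-line doc comment would help, for example `/// Copies every field; store is a Python handle, so it is duplicated with clone_ref and needs py.` The `#[pyo3::pymethods]` block these setters live in continues outside the hunks.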
@@ -141,7 +152,8 @@ impl PolicyBuilder { None => datetime_now(py)?, }; - let policy = PyCryptoPolicy(Policy::client(PyCryptoOps {}, time, self.max_chain_depth)); + // TODO: Pass extension policies here once implemented in cryptography-x509-verification. + let policy = Policy::client(PyCryptoOps {}, time, self.max_chain_depth); Ok(PyClientVerifier { policy, store }) } @@ -170,12 +182,14 @@ impl PolicyBuilder { let policy = OwnedPolicy::try_new(subject_owner, |subject_owner| { let subject = build_subject(py, subject_owner)?; - Ok::, pyo3::PyErr>(PyCryptoPolicy(Policy::server( + + // TODO: Pass extension policies here once implemented in cryptography-x509-verification. + Ok::, pyo3::PyErr>(Policy::server( PyCryptoOps {}, subject, time, self.max_chain_depth, - ))) + )) })?; Ok(PyServerVerifier { @@ -186,7 +200,7 @@ impl PolicyBuilder { } } -struct PyCryptoPolicy<'a>(Policy<'a, PyCryptoOps>); +type PyCryptoPolicy<'a> = Policy<'a, PyCryptoOps>; /// This enum exists solely to provide heterogeneously typed ownership for `OwnedPolicy`. enum SubjectOwner { @@ -215,7 +229,7 @@ self_cell::self_cell!( )] pub(crate) struct PyVerifiedClient { #[pyo3(get)] - subjects: pyo3::Py, + subjects: Option>, #[pyo3(get)] chain: pyo3::Py, } @@ -233,7 +247,7 @@ pub(crate) struct PyClientVerifier { impl PyClientVerifier { fn as_policy(&self) -> &Policy<'_, PyCryptoOps> { - &self.policy.0 + &self.policy } } @@ -305,7 +319,7 @@ impl PyClientVerifier { let py_gns = parse_general_names(py, &leaf_gns)?; Ok(PyVerifiedClient { - subjects: py_gns, + subjects: Some(py_gns), chain: py_chain.unbind(), }) } @@ -326,7 +340,7 @@ pub(crate) struct PyServerVerifier { impl PyServerVerifier { fn as_policy(&self) -> &Policy<'_, PyCryptoOps> { - &self.policy.borrow_dependent().0 + self.policy.borrow_dependent() } } diff --git a/tests/x509/verification/test_verification.py b/tests/x509/verification/test_verification.py index f5e70bab3538..1d2f9261c57d 100644 --- a/tests/x509/verification/test_verification.py 
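Review bot: `subjects` on `PyVerifiedClient` becomes optional in the `@@ -215,7 +229,7 @@` hunk, but the only construction site shown, in the `impl PyClientVerifier` hunk at `@@ -305,7 +319,7 @@`, always builds `Some(py_gns)`. The `None` case is therefore declared with no visible code path or test that produces it. A doc comment on the field would pin down the intended meaning before the extension-policy work named in the two TODO comments lands, for example `/// None when the leaf has no Subject Alternative Name extension; callers must not treat None as a verified identity.` Both the struct and the enclosing method continue outside their hunks, so a `None`-producing path elsewhere cannot be ruled out from here.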
+++ b/tests/x509/verification/test_verification.py @@ -139,6 +139,7 @@ def test_verify(self): verified_client = verifier.verify(leaf, []) assert verified_client.chain == [leaf] + assert verified_client.subjects is not None assert x509.DNSName("www.cryptography.io") in verified_client.subjects assert x509.DNSName("cryptography.io") in verified_client.subjects assert len(verified_client.subjects) == 2 From 36e6119508dcdbd0206077880a71e6bccd642382 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Oct 2024 02:40:00 +0000 Subject: [PATCH 1196/1462] Bump actions/cache from 4.1.0 to 4.1.1 (#11726) Bumps [actions/cache](https://github.com/actions/cache) from 4.1.0 to 4.1.1. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2...3624ceb22c1c5a301c8db4169662070a689d9ea8) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index da7e682a1ead..25cb5de49823 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -97,7 +97,7 @@ jobs: CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }} if: matrix.PYTHON.OPENSSL - name: Load OpenSSL cache - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0 + uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1 id: ossl-cache timeout-minutes: 2 with: From e4aa185fc2717b3ebceab5f454b4224d999df922 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Oct 2024 02:40:18 +0000 Subject: [PATCH 1197/1462] Bump actions/upload-artifact from 4.4.1 to 4.4.2 (#11727) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.4.1 to 4.4.2. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/604373da6381bf24206979c74d06a550515601b9...84480863f228bb9747b473957fcc9e309aa96097) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/wheel-builder.yml | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 25cb5de49823..07903f625f5c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -479,14 +479,14 @@ jobs: run: python -m coverage html if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload HTML report. - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 + uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 with: name: _html-report path: htmlcov if-no-files-found: ignore if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload rust HTML report. - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 + uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 with: name: _html-rust-report path: rust-coverage diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 6219139a527e..950424558e0d 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml 
@@ -40,11 +40,11 @@ jobs: run: uv build --build-constraint=$BUILD_REQUIREMENTS_PATH --require-hashes --sdist - name: Make sdist and wheel (vectors) run: uv build --build-constraint=$BUILD_REQUIREMENTS_PATH --require-hashes vectors/ - - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 + - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 with: name: "cryptography-sdist" path: dist/cryptography* - - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 + - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 with: name: "vectors-sdist-wheel" path: vectors/dist/cryptography* @@ -140,7 +140,7 @@ jobs: - run: | echo "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" | uv run - - - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 + - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: wheelhouse/ @@ -250,7 +250,7 @@ jobs: - run: | echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls wheelhouse/cryptography*.whl))" >> $GITHUB_ENV - - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 + - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 with: name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}" path: wheelhouse/ 
@@ -333,7 +333,7 @@ jobs: run: | echo "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" | uv run - - - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 + - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: wheelhouse\ From b3d9886294940aed02a622a549c34972cee598c8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Oct 2024 02:44:03 +0000 Subject: [PATCH 1198/1462] Bump markupsafe from 3.0.0 to 3.0.1 (#11729) Bumps [markupsafe](https://github.com/pallets/markupsafe) from 3.0.0 to 3.0.1. - [Release notes](https://github.com/pallets/markupsafe/releases) - [Changelog](https://github.com/pallets/markupsafe/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/markupsafe/compare/3.0.0...3.0.1) --- updated-dependencies: - dependency-name: markupsafe dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d0c5dc6f75e5..851068d2a4cf 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -98,7 +98,7 @@ jinja2==3.1.4 # via sphinx markupsafe==2.1.5 ; python_full_version < '3.10' # via jinja2 -markupsafe==3.0.0 ; python_full_version >= '3.10' +markupsafe==3.0.1 ; python_full_version >= '3.10' # via jinja2 mypy==1.4.1 ; python_full_version < '3.8' # via cryptography (pyproject.toml) 
From 6d802ca9240327b2c8fdf21768dd8e37776df8cc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Oct 2024 22:47:34 -0400 Subject: [PATCH 1199/1462] Bump uv from 0.4.19 to 0.4.20 in /.github/requirements (#11730) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.19 to 0.4.20. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.19...0.4.20) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 0418806205ac..3168a00aecea 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.19 \ - --hash=sha256:05701336c1d32f375cf491594b2ed629dab59f58771cefd65a0b1e057b2e89cc \ - --hash=sha256:0f2faf007734294020dd7ace4d1644409c2905c467da0b127ab08738d18028b2 \ - --hash=sha256:12bf974a29cef86640e450b310d8f02e8da9a491f8370768acf77ed329444354 \ - --hash=sha256:13b26e2a84a8bad312f2ada6d00c33bd2856f0b034c22719b20b83fb785d4d7b \ - --hash=sha256:26fdfc0e0a33e71acd6887c0d5098536c65058d52b3e59698aa12b2e797f59f7 \ - --hash=sha256:508cab0c3ecdf46d33f9fc968726652f5cadc5ef22148b1d3c0f74dddc5ab9e5 \ - --hash=sha256:552bfbd6266eaa7aefef92fc8ff39e0a60e0306053daf21eabd76338f74dad3a \ - --hash=sha256:7d33befa9715683794d734fbb3ff69512518258bc9341537a1f70ec7123d0e3c \ - --hash=sha256:7d63288b4a4ab2a3eb0bb493632eb483b08d062d586bfbef95339ade9df03473 \ - --hash=sha256:99d7cb456f0c6f15f725134ce0e577fda690131f1c4e3f5b3279be31509ed495 \ - --hash=sha256:a43ef94d9ac7adec14d84fd1b51263bce5a689bc66e308ce1be7d0df73d9196d \ - --hash=sha256:c0bfcdc084e2cdad771c0ee01c89efe7311f318c075ba1b47f6b7a0b144456b2 \ - --hash=sha256:c15bdf8bb443d4f27369522f882229e908eeccb7c17d0f0c5d33a02570657f37 \ - --hash=sha256:c198d0f9ec659b69c4b95bcddf99e51f7d3b89701ccb017ea0bcfdb180e1afd8 \ - --hash=sha256:c35c295cdbc391d507649ba2556f4149854e278bb40320be2572baa841ec4124 \ - --hash=sha256:d53399b9d35fe20bb610e207f3bac2a0da67e4bc7f39710f4947f0c69d3e72e3 \ - --hash=sha256:dba5ef7fb32129d77b4876de9ef0888849a112220c6d399823c1f266d009e630 \ - --hash=sha256:fbc20b677ada15bd4c2783699a408973164add9977603115b35f1ffe84bf8b30 +uv==0.4.20 \ + --hash=sha256:092d4d3cee4a9680832c16d5c1a5e816b2d07a31328580f04e4ddf437821b1f3 \ + --hash=sha256:1f20251b5a6a1cc92d844153b128b346bd0be8178beb4945df63d1a76a905176 \ + --hash=sha256:309539e9b29f3fbbedb3835297a324a9206b42005e15b0af3fa73343ab966349 \ + --hash=sha256:555f0275c3db5b1cd13f6a6825b0b0f23e116a58a46da65f55d4f07915b36b16 \ + 
--hash=sha256:588aedc47fe02f8cf0dfe0dec3fd5e1f3a707fdf674964b3d31f0523351db9d2 \ + --hash=sha256:5d62655450d173a4dbe76b70b9af81ffa501501d97224f311f126b30924b42f7 \ + --hash=sha256:653bfec188d199384451804a6c055fb1d28662adfee7697fe7108c6fb78924ba \ + --hash=sha256:74f78748e72893a674351ca9d708003629ddc1a00bc51100c901b5d47db73e43 \ + --hash=sha256:865c5fbc2ebe73b4f4b71cbcc1b1bae90a335b15f6eaa9fa6495f77a6e86455e \ + --hash=sha256:8ad94fb135bec5c061ba21b1f081f349c3de2b0f8660e168e5afc829d3069e6d \ + --hash=sha256:8ec4a7d0ab131ea749702d4885ff0f6734e1aca1dc26ebbc1c7c67969ba3c0fc \ + --hash=sha256:a65eaec88b084094f5b08c2ad73f0ae972f7d6afd0d3ee1d0eb29a76c010a39b \ + --hash=sha256:a6faba47d13c1b916bfe9a1828a792ba21558871b4b81dbb79c157077f558fb3 \ + --hash=sha256:b4c8a2027b1f19f8b8949132e728a750e4f9b4bb0ec02544d9b21df3f525ab1a \ + --hash=sha256:b8e3492d5f1613e88201b6f68a2e5fba48b0bdbe0f11179df9b222e9dd8d89d3 \ + --hash=sha256:d0566f3ce596b0192099f7a01be08e1f37061d7399e0128804794cf83cdf2806 \ + --hash=sha256:d37f02ae48540104d9c13d2dfe27bf84b246d5945b55d91568404da08e2a3bd8 \ + --hash=sha256:dbf454b6f56f9181886426c7aed7a8dfc8258f80082365fe99b2044ff92261ba From b444ca02d77f864d8d0c67bbe12e05f162c27c51 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Oct 2024 02:56:38 +0000 Subject: [PATCH 1200/1462] Bump actions/upload-artifact in /.github/actions/upload-coverage (#11728) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.4.1 to 4.4.2. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/604373da6381bf24206979c74d06a550515601b9...84480863f228bb9747b473957fcc9e309aa96097) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/upload-coverage/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index 4c5e68cb380f..d4f0a8a53f5c 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,7 +13,7 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 + - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 with: name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }} path: | From 47b289f793fcd4866f4c19450afa18e11f3141ad Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 9 Oct 2024 06:05:30 -0400 Subject: [PATCH 1201/1462] remove typo (#11731) --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 4c77c855b8bb..22ea8054ad3e 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -58,6 +58,6 @@ jobs: skip-existing: true # Do not perform attestation for things for TestPyPI. This is # because there's nothing that would prevent a malicious PyPI from - # serving a signed TestPyPI asset in place of a release intended for' + # serving a signed TestPyPI asset in place of a release intended for # PyPI. attestations: ${{ env.PYPI_URL == 'https://pypi.org/legacy/' }} From 05e517f147c7856929fce7446bbc8a5c96003d41 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Oct 2024 07:15:29 -0400 Subject: [PATCH 1202/1462] Bump charset-normalizer from 3.3.2 to 3.4.0 (#11733) Bumps [charset-normalizer](https://github.com/Ousret/charset_normalizer) from 3.3.2 to 3.4.0. - [Release notes](https://github.com/Ousret/charset_normalizer/releases) - [Changelog](https://github.com/jawah/charset_normalizer/blob/master/CHANGELOG.md) - [Commits](https://github.com/Ousret/charset_normalizer/compare/3.3.2...3.4.0) --- updated-dependencies: - dependency-name: charset-normalizer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 851068d2a4cf..cb0bb7da2248 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -24,7 +24,7 @@ certifi==2024.8.30 # via # cryptography (pyproject.toml) # requests -charset-normalizer==3.3.2 +charset-normalizer==3.4.0 # via requests check-sdist==1.0.0 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) From f6554d1321f5c69e9f5ba4d22fb27c1ce4697604 Mon Sep 17 00:00:00 2001 From: Ivan Desiatov <76527282+deivse@users.noreply.github.com> Date: Wed, 9 Oct 2024 16:00:08 +0200 Subject: [PATCH 1203/1462] Implement fmt::Format for CryptographyError. (#11734) * Implement fmt::Format for CryptographyError. * Code quality improvement + coverage fix. --- src/rust/src/backend/utils.rs | 2 +- src/rust/src/error.rs | 83 ++++++++++++++++++++++++----------- 2 files changed, 58 insertions(+), 27 deletions(-) diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 616ace7cb0d4..77b733ab2315 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs 
@@ -457,7 +457,7 @@ pub(crate) fn handle_key_load_result( )), )), (Err(e), _, _) => { - let errors = error::list_from_openssl_error(py, e); + let errors = error::list_from_openssl_error(py, &e); Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err(( "Could not deserialize key data. The data may be in an incorrect format, the provided password may be incorrect, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).", diff --git a/src/rust/src/error.rs b/src/rust/src/error.rs index 81901e1ad91e..7eb989b63c6d 100644 --- a/src/rust/src/error.rs +++ b/src/rust/src/error.rs @@ -2,6 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use std::fmt; + use pyo3::types::PyListMethods; use pyo3::ToPyObject; @@ -81,10 +83,10 @@ impl From for CryptographyError { } } -pub(crate) fn list_from_openssl_error( - py: pyo3::Python<'_>, - error_stack: openssl::error::ErrorStack, -) -> pyo3::Bound<'_, pyo3::types::PyList> { +pub(crate) fn list_from_openssl_error<'p>( + py: pyo3::Python<'p>, + error_stack: &openssl::error::ErrorStack, +) -> pyo3::Bound<'p, pyo3::types::PyList> { let errors = pyo3::types::PyList::empty_bound(py); for e in error_stack.errors() { errors 
@@ -97,35 +99,54 @@ pub(crate) fn list_from_openssl_error( errors } +impl fmt::Display for CryptographyError { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + match self { + CryptographyError::Asn1Parse(asn1_error) => { + write!(f, "error parsing asn1 value: {asn1_error:?}") + } + CryptographyError::Asn1Write(asn1::WriteError::AllocationError) => { + write!( + f, + "failed to allocate memory while performing ASN.1 serialization" + ) + } + CryptographyError::KeyParsing(asn1_error) => { + write!( + f, + "Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters). Details: {asn1_error}", + ) + } + CryptographyError::Py(py_error) => write!(f, "{}", py_error), + CryptographyError::OpenSSL(error_stack) => { + write!( + f, + "Unknown OpenSSL error. This error is commonly encountered + when another library is not cleaning up the OpenSSL error + stack. If you are using cryptography with another library + that uses OpenSSL try disabling it before reporting a bug. + Otherwise please file an issue at + https://github.com/pyca/cryptography/issues with + information on how to reproduce this. 
({error_stack})" + ) + } + } + } +} + impl From for pyo3::PyErr { fn from(e: CryptographyError) -> pyo3::PyErr { match e { - CryptographyError::Asn1Parse(asn1_error) => pyo3::exceptions::PyValueError::new_err( - format!("error parsing asn1 value: {asn1_error:?}"), - ), + CryptographyError::Asn1Parse(_) | CryptographyError::KeyParsing(_) => { + pyo3::exceptions::PyValueError::new_err(e.to_string()) + } CryptographyError::Asn1Write(asn1::WriteError::AllocationError) => { - pyo3::exceptions::PyMemoryError::new_err( - "failed to allocate memory while performing ASN.1 serialization", - ) + pyo3::exceptions::PyMemoryError::new_err(e.to_string()) } - CryptographyError::KeyParsing(asn1_error) => pyo3::exceptions::PyValueError::new_err( - format!("Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters). Details: {asn1_error}"), - ), CryptographyError::Py(py_error) => py_error, - CryptographyError::OpenSSL(error_stack) => pyo3::Python::with_gil(|py| { + CryptographyError::OpenSSL(ref error_stack) => pyo3::Python::with_gil(|py| { let errors = list_from_openssl_error(py, error_stack); - exceptions::InternalError::new_err(( - format!( - "Unknown OpenSSL error. This error is commonly encountered - when another library is not cleaning up the OpenSSL error - stack. If you are using cryptography with another library - that uses OpenSSL try disabling it before reporting a bug. - Otherwise please file an issue at - https://github.com/pyca/cryptography/issues with - information on how to reproduce this. ({errors:?})" - ), - errors.to_object(py), - )) + exceptions::InternalError::new_err((e.to_string(), errors.to_object(py))) }), } } 
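Review bot: In the `CryptographyError::OpenSSL` arm of the new `Display` impl the message ends with `({error_stack})`, where the removed `From<CryptographyError> for pyo3::PyErr` code ended it with `({errors:?})`, the debug form of the Python list built by `list_from_openssl_error`. Because the `From` impl now takes its text from `e.to_string()`, the message of `InternalError` changes shape for anyone matching on it or parsing logs, and nothing in the hunk says whether that is intended. A comment on the impl would make the coupling explicit, for example `// These strings are also the Python exception messages produced by From<CryptographyError> for PyErr.` For consistency with the other arms, the `Py` arm could use an inline argument, `write!(f, "{py_error}")`, and the signature could use the imported module as `fmt::Formatter<'_>` and `fmt::Result`.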
@@ -201,6 +222,16 @@ pub(crate) fn capture_error_stack( mod tests { use super::CryptographyError; + #[test] + fn test_cryptographyerror_display() { + pyo3::prepare_freethreaded_python(); + pyo3::Python::with_gil(|py| { + let py_error = pyo3::exceptions::PyRuntimeError::new_err("abc"); + let e: CryptographyError = py_error.clone_ref(py).into(); + assert!(e.to_string() == py_error.to_string()); + }) + } + #[test] fn test_cryptographyerror_from() { pyo3::prepare_freethreaded_python(); From 515f8af7567f66d308cca0d04120e2b9d10de963 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 9 Oct 2024 18:49:19 -0400 Subject: [PATCH 1204/1462] Raise the macOS target version for our official wheels (#11735) --- .github/workflows/ci.yml | 3 ++- .github/workflows/wheel-builder.yml | 10 +++++++--- CHANGELOG.rst | 4 ++++ 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 07903f625f5c..ec25efce7866 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -272,11 +272,12 @@ jobs: run: | OPENSSL_DIR=$(readlink -f ../openssl-macos-universal2/) \ OPENSSL_STATIC=1 \ - CFLAGS="-Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types-discards-qualifiers -Wno-error=unused-function -mmacosx-version-min=10.12" \ + CFLAGS="-Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types-discards-qualifiers -Wno-error=unused-function" \ nox -v --install-only env: NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} + MACOSX_DEPLOYMENT_TARGET: "10.13" - name: Tests run: nox --no-install -- --color=yes --wycheproof-root=wycheproof --x509-limbo-root=x509-limbo env: diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 950424558e0d..deab63a1a3a4 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml 
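Review bot: `test_cryptographyerror_display` exercises only the `Py` variant, so this hunk does not pin the four arms of the new `Display` impl that build their own text (`Asn1Parse`, `Asn1Write`, `KeyParsing`, `OpenSSL`). `mod tests` continues outside the hunk, so other coverage may exist. Those strings become the messages of the Python exceptions, so a case per variant asserting the expected prefix would catch accidental wording changes. The comparison would also report both strings on failure if written as `assert_eq!(e.to_string(), py_error.to_string());`.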
@@ -34,6 +34,10 @@ jobs: ref: ${{ github.event.inputs.version || github.ref }} persist-credentials: false + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + with: + python-version: "3.13" + timeout-minutes: 3 - run: python -m pip install -r $UV_REQUIREMENTS_PATH - name: Make sdist (cryptography) @@ -157,7 +161,7 @@ jobs: # Despite the name, this is built for the macOS 11 SDK on arm64 and 10.9+ on intel DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg' BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3' - DEPLOYMENT_TARGET: '10.12' + DEPLOYMENT_TARGET: '10.13' # This archflags is default, but let's be explicit ARCHFLAGS: '-arch x86_64 -arch arm64' # See https://github.com/pypa/cibuildwheel/blob/c8876b5c54a6c6b08de5d4b1586906b56203bd9e/cibuildwheel/macos.py#L257-L269 @@ -169,7 +173,7 @@ jobs: # Despite the name, this is built for the macOS 11 SDK on arm64 and 10.9+ on intel DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg' BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3' - DEPLOYMENT_TARGET: '10.12' + DEPLOYMENT_TARGET: '10.13' # This archflags is default, but let's be explicit ARCHFLAGS: '-arch x86_64 -arch arm64' # See https://github.com/pypa/cibuildwheel/blob/c8876b5c54a6c6b08de5d4b1586906b56203bd9e/cibuildwheel/macos.py#L257-L269 @@ -178,7 +182,7 @@ jobs: _PYTHON_HOST_PLATFORM: 'macosx-10.9-universal2' - VERSION: 'pypy-3.10' BIN_PATH: 'pypy3' - DEPLOYMENT_TARGET: '10.12' + DEPLOYMENT_TARGET: '10.13' _PYTHON_HOST_PLATFORM: 'macosx-10.9-x86_64' ARCHFLAGS: '-arch x86_64' name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" diff --git a/CHANGELOG.rst b/CHANGELOG.rst index b2e677dd219c..01d4fa488c49 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
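Review bot: The macOS matrix entry changed at `-157,7` raises `DEPLOYMENT_TARGET` to `'10.13'` but keeps `_PYTHON_HOST_PLATFORM: 'macosx-10.9-universal2'`, so the declared host platform and the build target now disagree. The hunks at `-169,7` and `-178,7` carry the same pair (`'macosx-10.9-x86_64'` for PyPy). If `_PYTHON_HOST_PLATFORM` determines the wheel's platform tag, which these hunks do not show, installers on macOS older than 10.13 would still select a wheel the changelog entry in this commit says they cannot use. It is worth confirming how both values are consumed later in the job and either aligning them or adding a comment such as `# host platform tag intentionally left at 10.9 because …`.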
@@ -8,9 +8,13 @@ Changelog .. note:: This version is not yet released and is under active development. + * Deprecated Python 3.7 support. Python 3.7 is no longer supported by the Python core team. Support for Python 3.7 will be removed in a future ``cryptography`` release. +* macOS wheels are now built against the macOS 10.13 SDK. Users on older + versions of macOS should upgrade, or they will need to build + ``cryptography`` themselves. * Enforce the :rfc:`5280` requirement that extended key usage extensions must not be empty. * Added support for timestamp extraction to the From 86c73079a897ebeef5fdb8d66403b3dd574eaf1d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 9 Oct 2024 22:11:44 -0400 Subject: [PATCH 1205/1462] install bindgen for boringssl (#11737) * install bindgen for boringssl it used to be in the 22.04 GHA image, but its no longer in the base 24.04 one * Update ci.yml --- .github/workflows/build_openssl.sh | 2 ++ .github/workflows/ci.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_openssl.sh b/.github/workflows/build_openssl.sh index 72b06e0b8f3e..14771481276d 100755 --- a/.github/workflows/build_openssl.sh +++ b/.github/workflows/build_openssl.sh @@ -77,4 +77,6 @@ elif [[ "${TYPE}" == "boringssl" ]]; then rm -rf "${OSSL_PATH}/bin" popd rm -rf boringssl/ + + sudo apt-get install -y bindgen fi diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ec25efce7866..b8290d467ddf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -105,7 +105,7 @@ jobs: # When altering the openssl build process you may need to increment # the value on the end of this cache key so that you can prevent it # from fetching the cache and skipping the build step. - key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.OPENSSL_HASH }}-12 + key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.OPENSSL_HASH }}-13 if: matrix.PYTHON.OPENSSL - name: Build custom OpenSSL/LibreSSL run: .github/workflows/build_openssl.sh From 2b48af7b129a7b28a88028b35727f69f06129fe1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 10 Oct 2024 02:20:50 +0000 Subject: [PATCH 1206/1462] Bump BoringSSL and/or OpenSSL in CI (#11736) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b8290d467ddf..2cc5c0c2d271 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 09, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d0a175601b9e180ce58cb1e33649057f5c484146"}} - # Latest commit on the OpenSSL master branch, as of Oct 09, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6f08353a4b816fc04ab53880855b0d79c833e777"}} + # Latest commit on the BoringSSL master branch, as of Oct 10, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "905c3903fd4291a22328346861ddf15599a7c33b"}} + # Latest commit on the OpenSSL master branch, as of Oct 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ee0bf38e8709bf71888fbc97ff867aa22dad2b2c"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 868340d08a0b3350783df35ea3cfe1b575ca3a98 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 10 Oct 2024 07:19:13 -0400 Subject: [PATCH 1207/1462] Bump actions/upload-artifact in /.github/actions/upload-coverage (#11739) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.4.2 to 4.4.3. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/84480863f228bb9747b473957fcc9e309aa96097...b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/upload-coverage/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index d4f0a8a53f5c..c1fa04df3208 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,7 +13,7 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }} path: | From b70a4fa98b881097313a92b1cfb54f202b7cc1f5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 10 Oct 2024 07:20:41 -0400 Subject: [PATCH 1208/1462] Bump distlib from 0.3.8 to 0.3.9 (#11741) Bumps [distlib](https://github.com/pypa/distlib) from 0.3.8 to 0.3.9. - [Release notes](https://github.com/pypa/distlib/releases) - [Changelog](https://github.com/pypa/distlib/blob/master/CHANGES.rst) - [Commits](https://github.com/pypa/distlib/compare/0.3.8...0.3.9) --- updated-dependencies: - dependency-name: distlib dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index cb0bb7da2248..c023d95bfdb2 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -43,7 +43,7 @@ coverage==7.2.7 ; python_full_version < '3.8' # via pytest-cov coverage==7.6.1 ; python_full_version >= '3.8' # via pytest-cov -distlib==0.3.8 +distlib==0.3.9 # via virtualenv docutils==0.19 ; python_full_version < '3.8' # via From dc6275554e00ee0db09936d1661a83391ca7dad8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 10 Oct 2024 07:23:08 -0400 Subject: [PATCH 1209/1462] Bump check-sdist from 1.0.0 to 1.1.0 (#11743) Bumps [check-sdist](https://github.com/henryiii/check-sdist) from 1.0.0 to 1.1.0. - [Release notes](https://github.com/henryiii/check-sdist/releases) - [Commits](https://github.com/henryiii/check-sdist/compare/v1.0.0...v1.1.0) --- updated-dependencies: - dependency-name: check-sdist dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c023d95bfdb2..a63fbd3bd7f9 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -26,7 +26,7 @@ certifi==2024.8.30 # requests charset-normalizer==3.4.0 # via requests -check-sdist==1.0.0 ; python_full_version >= '3.8' +check-sdist==1.1.0 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) click==8.1.7 # via cryptography (pyproject.toml) From cc1c0ab06dfc0de968fd717a1041c0275f407932 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 10 Oct 2024 11:32:08 +0000 Subject: [PATCH 1210/1462] Bump sphinx-rtd-theme from 3.0.0 to 3.0.1 (#11740) Bumps [sphinx-rtd-theme](https://github.com/readthedocs/sphinx_rtd_theme) from 3.0.0 to 3.0.1. - [Changelog](https://github.com/readthedocs/sphinx_rtd_theme/blob/master/docs/changelog.rst) - [Commits](https://github.com/readthedocs/sphinx_rtd_theme/compare/3.0.0...3.0.1) --- updated-dependencies: - dependency-name: sphinx-rtd-theme dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index a63fbd3bd7f9..e72b4dcc6c19 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -212,7 +212,7 @@ sphinx==8.0.2 ; python_full_version >= '3.10' # sphinx-rtd-theme # sphinxcontrib-jquery # sphinxcontrib-spelling -sphinx-rtd-theme==3.0.0 ; python_full_version >= '3.8' +sphinx-rtd-theme==3.0.1 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) sphinxcontrib-applehelp==1.0.2 ; python_full_version < '3.8' # via sphinx From 9baf4ddefb9d85f3d75894e5047a5b5056e0aed8 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 10 Oct 2024 11:37:52 +0000 Subject: [PATCH 1211/1462] Bump actions/upload-artifact from 4.4.2 to 4.4.3 (#11738) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.4.2 to 4.4.3. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/84480863f228bb9747b473957fcc9e309aa96097...b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/wheel-builder.yml | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2cc5c0c2d271..0095a8a44b2d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -480,14 +480,14 @@ jobs: run: python -m coverage html if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload HTML report. - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: _html-report path: htmlcov if-no-files-found: ignore if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload rust HTML report. - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: _html-rust-report path: rust-coverage diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index deab63a1a3a4..e09ea516d131 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml 
@@ -44,11 +44,11 @@ jobs: run: uv build --build-constraint=$BUILD_REQUIREMENTS_PATH --require-hashes --sdist - name: Make sdist and wheel (vectors) run: uv build --build-constraint=$BUILD_REQUIREMENTS_PATH --require-hashes vectors/ - - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "cryptography-sdist" path: dist/cryptography* - - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "vectors-sdist-wheel" path: vectors/dist/cryptography* @@ -144,7 +144,7 @@ jobs: - run: | echo "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" | uv run - - - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: wheelhouse/ @@ -254,7 +254,7 @@ jobs: - run: | echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls wheelhouse/cryptography*.whl))" >> $GITHUB_ENV - - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}" path: wheelhouse/ 
@@ -337,7 +337,7 @@ jobs: run: | echo "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" | uv run - - - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: wheelhouse\ From 15e2125fb6a3aac706abf21fed54a079f8a269fb Mon Sep 17 00:00:00 2001 From: Jiashuo Li <4003950+jiasli@users.noreply.github.com> Date: Thu, 10 Oct 2024 20:52:25 +0800 Subject: [PATCH 1212/1462] Update serialization.rst (#11746) --- docs/hazmat/primitives/asymmetric/serialization.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/hazmat/primitives/asymmetric/serialization.rst b/docs/hazmat/primitives/asymmetric/serialization.rst index b1d382f6ea30..158d7834fbf7 100644 --- a/docs/hazmat/primitives/asymmetric/serialization.rst +++ b/docs/hazmat/primitives/asymmetric/serialization.rst @@ -103,7 +103,7 @@ Key dumping The ``serialization`` module contains functions for loading keys from ``bytes``. To dump a ``key`` object to ``bytes``, you must call the appropriate -method on the key object. Documentation for these methods in found in the +method on the key object. Documentation for these methods is found in the :mod:`~cryptography.hazmat.primitives.asymmetric.rsa`, :mod:`~cryptography.hazmat.primitives.asymmetric.dsa`, and :mod:`~cryptography.hazmat.primitives.asymmetric.ec` module documentation. From 5f51f4eba486eae3a454fc37abf3e2347b569c39 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 11 Oct 2024 00:22:53 +0000 Subject: [PATCH 1213/1462] Bump BoringSSL and/or OpenSSL in CI (#11747) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0095a8a44b2d..3c7445c8b652 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 10, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "905c3903fd4291a22328346861ddf15599a7c33b"}} - # Latest commit on the OpenSSL master branch, as of Oct 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ee0bf38e8709bf71888fbc97ff867aa22dad2b2c"}} + # Latest commit on the BoringSSL master branch, as of Oct 11, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e543bbd442af4c42f26cdc0fe8ce09b01e039c0e"}} + # Latest commit on the OpenSSL master branch, as of Oct 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "99548cd16e9dfd850a3958e417b9e02950f208f4"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 88af2acbfedb67c43c7c7040aecff72a5aa5197c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 11 Oct 2024 07:37:59 -0400 Subject: [PATCH 1214/1462] Bump sphinx from 8.0.2 to 8.1.0 (#11748) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 8.0.2 to 8.1.0. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v8.0.2...v8.1.0) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e72b4dcc6c19..872202d0c726 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -206,7 +206,7 @@ sphinx==7.1.2 ; python_full_version >= '3.8' and python_full_version < '3.10' # sphinx-rtd-theme # sphinxcontrib-jquery # sphinxcontrib-spelling -sphinx==8.0.2 ; python_full_version >= '3.10' +sphinx==8.1.0 ; python_full_version >= '3.10' # via # cryptography (pyproject.toml) # sphinx-rtd-theme From c7546768e952d77cb0bedad21841251af01db894 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 11 Oct 2024 09:44:03 -0400 Subject: [PATCH 1215/1462] Always install bindgen for BoringSSL (#11750) Not just when we're building. --- .github/workflows/build_openssl.sh | 2 -- .github/workflows/ci.yml | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build_openssl.sh b/.github/workflows/build_openssl.sh index 14771481276d..72b06e0b8f3e 100755 --- a/.github/workflows/build_openssl.sh +++ b/.github/workflows/build_openssl.sh 
@@ -77,6 +77,4 @@ elif [[ "${TYPE}" == "boringssl" ]]; then rm -rf "${OSSL_PATH}/bin" popd rm -rf boringssl/ - - sudo apt-get install -y bindgen fi diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3c7445c8b652..98293981e18b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -119,6 +119,8 @@ jobs: echo "CFLAGS=${CFLAGS} -Werror=implicit-function-declaration" >> $GITHUB_ENV echo "RUSTFLAGS=-Clink-arg=-Wl,-rpath=${OSSL_PATH}/lib -Clink-arg=-Wl,-rpath=${OSSL_PATH}/lib64" >> $GITHUB_ENV if: matrix.PYTHON.OPENSSL + - run: sudo apt-get install -y bindgen + if: matrix.PYTHON.OPENSSL.TYPE == 'boringssl' - name: Cache rust and pip uses: ./.github/actions/cache timeout-minutes: 2 From a70ab52875951f94462b34a50981e71703388f5d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 11 Oct 2024 13:53:53 +0000 Subject: [PATCH 1216/1462] Bump cc from 1.1.28 to 1.1.29 in /src/rust (#11749) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.28 to 1.1.29. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.28...cc-v1.1.29) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index ffa6c812dd42..f72b4d0e6dec 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
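Review bot: The new `- run: sudo apt-get install -y bindgen` step in ci.yml installs from whatever package index the runner image shipped with, and no `apt-get update` is visible in this hunk, so a stale index could make every boringssl job fail at this step. If no earlier step in the job refreshes the index (the job's start is outside the hunk), `- run: sudo apt-get update && sudo apt-get install -y bindgen` would be more robust. The step also has no `name:`, unlike the `Cache rust and pip` step right after it; something like `name: Install bindgen (BoringSSL only)` would make the job log easier to read. Since bindgen generates the bindings the BoringSSL build compiles against, a short comment noting that the distro-packaged, unpinned version is intentional would help.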
@@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.28" +version = "1.1.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2e80e3b6a3ab07840e1cae9b0666a63970dc28e8ed5ffbcdacbfc760c281bfc1" +checksum = "58e804ac3194a48bb129643eb1d62fcc20d18c6b8c181704489353d13120bcd1" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 0414c3ad6153..ef0d0b30a9b2 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,7 +11,7 @@ pyo3 = { version = "0.22.3", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.28" +cc = "1.1.29" [lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(python_implementation, values("CPython", "PyPy"))'] } From 420231372cff1d73d8bc680b5f8f7495ba140760 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 11 Oct 2024 17:20:12 -0700 Subject: [PATCH 1217/1462] Bump BoringSSL and/or OpenSSL in CI (#11751) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 98293981e18b..95fa20feea64 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 11, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e543bbd442af4c42f26cdc0fe8ce09b01e039c0e"}} - # Latest commit on the OpenSSL master branch, as of Oct 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "99548cd16e9dfd850a3958e417b9e02950f208f4"}} + # Latest commit on the BoringSSL master branch, as of Oct 12, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c8fafe8f1a3d9712adc573458766ddfde87e743e"}} + # Latest commit on the OpenSSL master branch, as of Oct 12, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b2474b287fbc7a24f0aa15e6808c6e3ef8287f23"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 6bd5d49899e06c16b225245f66b0f133a0197963 Mon Sep 17 00:00:00 2001 
From: Han Yu <51946152+hwooley@users.noreply.github.com> Date: Fri, 11 Oct 2024 18:43:23 -0700 Subject: [PATCH 1218/1462] Inconsistent IDP extension constraint check (#11467) * Per RFC5280 Section 5.2.5, the Issuing Distribution Point extension in a CRL can have only one of onlyContainsUserCerts, onlyContainsCACerts, onlyContainsAttributeCerts set to TRUE. However, extensions.py (lines 1991 : 2003), indirectCRL is also included, which leads to invalid CRL even if the RFC requirement is met. The proposed fix is to drop indirectCRL from the check so it conforms to the RFC. * Made the comment shorter per line to meet the format requirement. Removed a invalid test case for IDP --- src/cryptography/x509/extensions.py | 6 ++++-- tests/x509/test_x509_ext.py | 1 - 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index 5e7486a594ed..48127e35f071 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py @@ -1988,10 +1988,12 @@ def __init__( "must all be boolean." ) + # Per RFC5280 Section 5.2.5, the Issuing Distribution Point extension + # in a CRL can have only one of onlyContainsUserCerts, + # onlyContainsCACerts, onlyContainsAttributeCerts set to TRUE. crl_constraints = [ only_contains_user_certs, only_contains_ca_certs, - indirect_crl, only_contains_attribute_certs, ] @@ -1999,7 +2001,7 @@ def __init__( raise ValueError( "Only one of the following can be set to True: " "only_contains_user_certs, only_contains_ca_certs, " - "indirect_crl, only_contains_attribute_certs" + "only_contains_attribute_certs" ) if not any( diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index d11225fb3077..911006406372 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py 
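Review bot: The comment added above `crl_constraints` in extensions.py cites RFC 5280 for the three `only_contains_*` flags but does not say that `indirect_crl` is now deliberately left out of the mutual-exclusion check, which is the behaviour change a later reader needs to understand. I would add a line such as `# indirect_crl is independent of these flags and may be combined with any one of them.` The accompanying test change only deletes the old `ValueError` case. A positive case that builds the extension with `indirect_crl=True` alongside one `only_contains_*` flag would pin the newly accepted combination so it cannot silently regress. `__init__` starts and ends outside both extensions.py hunks, so the exact counting logic behind the `ValueError` is not visible here.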
@@ -5380,7 +5380,6 @@ def test_vectors(self, filename, expected, backend): (TypeError, False, False, "notabool", False, None, None, None), (TypeError, False, False, False, "notabool", None, None, None), (ValueError, True, True, False, False, None, None, None), - (ValueError, False, False, True, True, None, None, None), (ValueError, False, False, False, False, None, None, None), ], ) From 9913cc39668ae36cbfa9aa06ddfc15bb481e4b78 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 13 Oct 2024 00:21:33 +0000 Subject: [PATCH 1219/1462] Bump BoringSSL and/or OpenSSL in CI (#11752) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 95fa20feea64..f989b084e1f0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Oct 12, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c8fafe8f1a3d9712adc573458766ddfde87e743e"}} - # Latest commit on the OpenSSL master branch, as of Oct 12, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b2474b287fbc7a24f0aa15e6808c6e3ef8287f23"}} + # Latest commit on the OpenSSL master branch, as of Oct 13, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2c536c8b1554da273103235adabf946fb7f5a041"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 3d238b9f33b1fa8f67937400cd40dc7b0cce2746 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Oct 2024 00:07:06 +0000 Subject: [PATCH 1220/1462] Bump Swatinem/rust-cache from 2.7.3 to 2.7.5 in /.github/actions/cache (#11754) Bumps [Swatinem/rust-cache](https://github.com/swatinem/rust-cache) from 2.7.3 to 2.7.5. - [Release notes](https://github.com/swatinem/rust-cache/releases) - [Changelog](https://github.com/Swatinem/rust-cache/blob/master/CHANGELOG.md) - [Commits](https://github.com/swatinem/rust-cache/compare/23bce251a8cd2ffc3c1075eaa2367cf899916d84...82a92a6e8fbeee089604da2575dc567ae9ddeaab) --- updated-dependencies: - dependency-name: Swatinem/rust-cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/cache/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 702d82483b6f..327041e85808 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -15,7 +15,7 @@ runs: id: normalized-key run: echo "key=$(echo "${{ inputs.key }}" | tr -d ',')" >> $GITHUB_OUTPUT shell: bash - - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 + - uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5 with: key: ${{ steps.normalized-key.outputs.key }}-2 workspaces: "./src/rust/ -> target" From e8a24df5a254d27cb8c6dd111df4ded2e5bc2b18 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Oct 2024 00:07:19 +0000 Subject: [PATCH 1221/1462] Bump sphinx from 8.1.0 to 8.1.3 (#11755) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 8.1.0 to 8.1.3. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v8.1.0...v8.1.3) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 872202d0c726..c9f92c614bbd 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -206,7 +206,7 @@ sphinx==7.1.2 ; python_full_version >= '3.8' and python_full_version < '3.10' # sphinx-rtd-theme # sphinxcontrib-jquery # sphinxcontrib-spelling -sphinx==8.1.0 ; python_full_version >= '3.10' +sphinx==8.1.3 ; python_full_version >= '3.10' # via # cryptography (pyproject.toml) # sphinx-rtd-theme From ed2058490e6ef4b06abdd4c1b6e8d59d4885f5fa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Oct 2024 00:13:42 +0000 Subject: [PATCH 1222/1462] Bump cc from 1.1.29 to 1.1.30 in /src/rust (#11757) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.29 to 1.1.30. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.29...cc-v1.1.30) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index f72b4d0e6dec..dc7c11deb64b 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.29" +version = "1.1.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "58e804ac3194a48bb129643eb1d62fcc20d18c6b8c181704489353d13120bcd1" +checksum = "b16803a61b81d9eabb7eae2588776c4c1e584b738ede45fdbb4c972cec1e9945" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index ef0d0b30a9b2..f81dc0f7e910 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,7 +11,7 @@ pyo3 = { version = "0.22.3", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] -cc = "1.1.29" +cc = "1.1.30" [lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(python_implementation, values("CPython", "PyPy"))'] } From 54c211c02c634f2a8764a94c43052d6764529f4b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Oct 2024 00:17:49 +0000 Subject: [PATCH 1223/1462] Bump pyo3 from 0.22.3 to 0.22.4 in /src/rust (#11756) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.22.3 to 0.22.4. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/main/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.22.3...v0.22.4) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 20 ++++++++++---------- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-keepalive/Cargo.toml | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index dc7c11deb64b..af8f08221bf9 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -250,9 +250,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.22.3" +version = "0.22.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "15ee168e30649f7f234c3d49ef5a7a6cbf5134289bc46c29ff3155fa3221c225" +checksum = "00e89ce2565d6044ca31a3eb79a334c3a79a841120a98f64eea9f579564cb691" dependencies = [ "cfg-if", "indoc", @@ -268,9 +268,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.22.3" +version = "0.22.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e61cef80755fe9e46bb8a0b8f20752ca7676dcc07a5277d8b7768c6172e529b3" +checksum = "d8afbaf3abd7325e08f35ffb8deb5892046fcb2608b703db6a583a5ba4cea01e" dependencies = [ "once_cell", "target-lexicon", @@ -278,9 +278,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.22.3" +version = "0.22.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "67ce096073ec5405f5ee2b8b31f03a68e02aa10d5d4f565eca04acc41931fa1c" +checksum = "ec15a5ba277339d04763f4c23d85987a5b08cbb494860be141e6a10a8eb88022" dependencies = [ "libc", "pyo3-build-config", @@ -288,9 +288,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.22.3" +version = "0.22.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2440c6d12bc8f3ae39f1e775266fa5122fd0c8891ce7520fa6048e683ad3de28" +checksum = "15e0f01b5364bcfbb686a52fc4181d412b708a68ed20c330db9fc8d2c2bf5a43" dependencies = [ "proc-macro2", "pyo3-macros-backend", 
@@ -300,9 +300,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.22.3" +version = "0.22.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1be962f0e06da8f8465729ea2cb71a416d2257dff56cbe40a70d3e62a93ae5d1" +checksum = "a09b550200e1e5ed9176976d0060cbc2ea82dc8515da07885e7b8153a85caacb" dependencies = [ "heck", "proc-macro2", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 32bfde2e7803..d03d756f6eba 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -17,7 +17,7 @@ rust-version.workspace = true [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.22.3", features = ["abi3"] } +pyo3 = { version = "0.22.4", features = ["abi3"] } asn1 = { version = "0.17.0", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index f81dc0f7e910..d59762dac9fb 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -7,7 +7,7 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.3", features = ["abi3"] } +pyo3 = { version = "0.22.4", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml index f3cff5d25fcf..8a8b943e65e1 100644 --- a/src/rust/cryptography-keepalive/Cargo.toml +++ b/src/rust/cryptography-keepalive/Cargo.toml @@ -7,4 +7,4 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.3", features = ["abi3"] } +pyo3 = { version = "0.22.4", features = ["abi3"] } From d98fdcc8b0ce5e2380736c2aad541c44a27748af Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Sun, 13 Oct 2024 20:26:27 -0400 Subject: [PATCH 1224/1462] Rebuild ci-constraints-requirements.txt (#11745) Needed to generate python-version-specific pins for coverage and nox --- ci-constraints-requirements.txt | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c9f92c614bbd..079d6200aff5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -41,7 +41,9 @@ colorlog==6.8.2 # via nox coverage==7.2.7 ; python_full_version < '3.8' # via pytest-cov -coverage==7.6.1 ; python_full_version >= '3.8' +coverage==7.6.1 ; python_full_version >= '3.8' and python_full_version < '3.10' + # via pytest-cov +coverage==7.6.3 ; python_full_version >= '3.10' # via pytest-cov distlib==0.3.9 # via virtualenv @@ -108,7 +110,9 @@ mypy-extensions==1.0.0 # via mypy nh3==0.2.18 ; python_full_version >= '3.8' # via readme-renderer -nox==2024.4.15 +nox==2024.4.15 ; python_full_version < '3.8' + # via cryptography (pyproject.toml) +nox==2024.10.9 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) packaging==24.0 ; python_full_version < '3.8' # via From 2f3daa894e621216bd9ab0057a0d56945dcb969e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 13 Oct 2024 21:31:51 -0400 Subject: [PATCH 1225/1462] Special case ci-constraints-requirements.txt for Python 3.9 as well (#11759) --- ci-constraints-requirements.txt | 48 +++++++++++++++++++-------------- pyproject.toml | 7 ++++- 2 files changed, 34 insertions(+), 21 deletions(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 079d6200aff5..72305728f1e9 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -1,6 +1,8 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.7 --extra=docs --extra=docstest --extra=pep8test --extra=test --extra=test-randomorder --extra=nox --extra=sdist --unsafe-package=cffi --unsafe-package=pycparser --unsafe-package=setuptools --unsafe-package=cryptography-vectors pyproject.toml -alabaster==0.7.13 ; python_full_version < '3.10' +alabaster==0.7.13 ; python_full_version < '3.9' + # via sphinx +alabaster==0.7.16 ; python_full_version == '3.9.*' # via sphinx alabaster==1.0.0 ; python_full_version >= '3.10' # via sphinx @@ -41,9 +43,9 @@ colorlog==6.8.2 # via nox coverage==7.2.7 ; python_full_version < '3.8' # via pytest-cov -coverage==7.6.1 ; python_full_version >= '3.8' and python_full_version < '3.10' +coverage==7.6.1 ; python_full_version == '3.8.*' # via pytest-cov -coverage==7.6.3 ; python_full_version >= '3.10' +coverage==7.6.3 ; python_full_version >= '3.9' # via pytest-cov distlib==0.3.9 # via virtualenv @@ -51,12 +53,12 @@ docutils==0.19 ; python_full_version < '3.8' # via # readme-renderer # sphinx -docutils==0.20.1 ; python_full_version >= '3.8' and python_full_version < '3.10' +docutils==0.20.1 ; python_full_version == '3.8.*' # via # readme-renderer # sphinx # sphinx-rtd-theme -docutils==0.21.2 ; python_full_version >= '3.10' +docutils==0.21.2 ; python_full_version >= '3.9' # via # readme-renderer # sphinx @@ -98,9 +100,9 @@ iniconfig==2.0.0 # via pytest jinja2==3.1.4 # via sphinx -markupsafe==2.1.5 ; python_full_version < '3.10' +markupsafe==2.1.5 ; python_full_version < '3.9' # via jinja2 -markupsafe==3.0.1 ; python_full_version >= '3.10' +markupsafe==3.0.1 ; python_full_version >= '3.9' # via jinja2 mypy==1.4.1 ; python_full_version < '3.8' # via cryptography (pyproject.toml) 
@@ -186,9 +188,9 @@ pytz==2024.2 ; python_full_version < '3.9' # via babel readme-renderer==37.3 ; python_full_version < '3.8' # via cryptography (pyproject.toml) -readme-renderer==43.0 ; python_full_version >= '3.8' and python_full_version < '3.10' +readme-renderer==43.0 ; python_full_version == '3.8.*' # via cryptography (pyproject.toml) -readme-renderer==44.0 ; python_full_version >= '3.10' +readme-renderer==44.0 ; python_full_version >= '3.9' # via cryptography (pyproject.toml) requests==2.31.0 ; python_full_version < '3.8' # via sphinx @@ -204,7 +206,13 @@ sphinx==5.3.0 ; python_full_version < '3.8' # via # cryptography (pyproject.toml) # sphinxcontrib-spelling -sphinx==7.1.2 ; python_full_version >= '3.8' and python_full_version < '3.10' +sphinx==7.1.2 ; python_full_version == '3.8.*' + # via + # cryptography (pyproject.toml) + # sphinx-rtd-theme + # sphinxcontrib-jquery + # sphinxcontrib-spelling +sphinx==7.4.7 ; python_full_version == '3.9.*' # via # cryptography (pyproject.toml) # sphinx-rtd-theme 
@@ -220,31 +228,31 @@ sphinx-rtd-theme==3.0.1 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) sphinxcontrib-applehelp==1.0.2 ; python_full_version < '3.8' # via sphinx -sphinxcontrib-applehelp==1.0.4 ; python_full_version >= '3.8' and python_full_version < '3.10' +sphinxcontrib-applehelp==1.0.4 ; python_full_version == '3.8.*' # via sphinx -sphinxcontrib-applehelp==2.0.0 ; python_full_version >= '3.10' +sphinxcontrib-applehelp==2.0.0 ; python_full_version >= '3.9' # via sphinx -sphinxcontrib-devhelp==1.0.2 ; python_full_version < '3.10' +sphinxcontrib-devhelp==1.0.2 ; python_full_version < '3.9' # via sphinx -sphinxcontrib-devhelp==2.0.0 ; python_full_version >= '3.10' +sphinxcontrib-devhelp==2.0.0 ; python_full_version >= '3.9' # via sphinx sphinxcontrib-htmlhelp==2.0.0 ; python_full_version < '3.8' # via sphinx -sphinxcontrib-htmlhelp==2.0.1 ; python_full_version >= '3.8' and python_full_version < '3.10' +sphinxcontrib-htmlhelp==2.0.1 ; python_full_version == '3.8.*' # via sphinx -sphinxcontrib-htmlhelp==2.1.0 ; python_full_version >= '3.10' +sphinxcontrib-htmlhelp==2.1.0 ; python_full_version >= '3.9' # via sphinx sphinxcontrib-jquery==4.1 ; python_full_version >= '3.8' # via sphinx-rtd-theme sphinxcontrib-jsmath==1.0.1 # via sphinx -sphinxcontrib-qthelp==1.0.3 ; python_full_version < '3.10' +sphinxcontrib-qthelp==1.0.3 ; python_full_version < '3.9' # via sphinx -sphinxcontrib-qthelp==2.0.0 ; python_full_version >= '3.10' +sphinxcontrib-qthelp==2.0.0 ; python_full_version >= '3.9' # via sphinx -sphinxcontrib-serializinghtml==1.1.5 ; python_full_version < '3.10' +sphinxcontrib-serializinghtml==1.1.5 ; python_full_version < '3.9' # via sphinx -sphinxcontrib-serializinghtml==2.0.0 ; python_full_version >= '3.10' +sphinxcontrib-serializinghtml==2.0.0 ; python_full_version >= '3.9' # via sphinx sphinxcontrib-spelling==8.0.0 # via cryptography (pyproject.toml) diff --git a/pyproject.toml b/pyproject.toml index 5202e4a9e43e..e58219cc9f79 100644 
--- a/pyproject.toml +++ b/pyproject.toml @@ -188,4 +188,9 @@ git-only = [ [tool.uv] # These cover all Python versions, but by expressing multiple environments we # force uv's resolver to pick the latest versions of packages for each version. -environments = ["python_version >= '3.10'", "python_version >= '3.8' and python_version < '3.10'", "python_version < '3.8'"] +environments = [ + "python_version >= '3.10'", + "python_version >= '3.9' and python_version < '3.10'", + "python_version >= '3.8' and python_version < '3.9'", + "python_version < '3.8'", +] From 2feb9dae5c48760684012c6eb4ee4a993840e0b9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Oct 2024 12:30:39 +0000 Subject: [PATCH 1226/1462] Bump mypy from 1.11.2 to 1.12.0 (#11767) Bumps [mypy](https://github.com/python/mypy) from 1.11.2 to 1.12.0. - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.11.2...v1.12.0) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 72305728f1e9..ffb8a8b8ecf0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -106,7 +106,7 @@ markupsafe==3.0.1 ; python_full_version >= '3.9' # via jinja2 mypy==1.4.1 ; python_full_version < '3.8' # via cryptography (pyproject.toml) -mypy==1.11.2 ; python_full_version >= '3.8' +mypy==1.12.0 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy From f00e7ff5896b471031ea88b7bb8b0aec2e051317 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 00:17:09 +0000 Subject: [PATCH 1227/1462] Bump BoringSSL and/or OpenSSL in CI (#11768) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f989b084e1f0..bac36494c7ec 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 12, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c8fafe8f1a3d9712adc573458766ddfde87e743e"}} - # Latest commit on the OpenSSL master branch, as of Oct 13, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2c536c8b1554da273103235adabf946fb7f5a041"}} + # Latest commit on the BoringSSL master branch, as of Oct 15, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "cd95210465496ac2337b313cf49f607762abe286"}} + # Latest commit on the OpenSSL master branch, as of Oct 15, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f1607c8a2c04bcb95ddb2e6fc4e0aaec9729929b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 8a917c477dbc783bfea9b57af4a05756da13e958 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 07:04:10 -0400 Subject: [PATCH 1228/1462] Bump uv from 0.4.20 to 0.4.21 in /.github/requirements (#11769) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.20 to 0.4.21. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.20...0.4.21) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 3168a00aecea..583a4a3e9e04 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.20 \ - --hash=sha256:092d4d3cee4a9680832c16d5c1a5e816b2d07a31328580f04e4ddf437821b1f3 \ - --hash=sha256:1f20251b5a6a1cc92d844153b128b346bd0be8178beb4945df63d1a76a905176 \ - --hash=sha256:309539e9b29f3fbbedb3835297a324a9206b42005e15b0af3fa73343ab966349 \ - --hash=sha256:555f0275c3db5b1cd13f6a6825b0b0f23e116a58a46da65f55d4f07915b36b16 \ - --hash=sha256:588aedc47fe02f8cf0dfe0dec3fd5e1f3a707fdf674964b3d31f0523351db9d2 \ - --hash=sha256:5d62655450d173a4dbe76b70b9af81ffa501501d97224f311f126b30924b42f7 \ - --hash=sha256:653bfec188d199384451804a6c055fb1d28662adfee7697fe7108c6fb78924ba \ - --hash=sha256:74f78748e72893a674351ca9d708003629ddc1a00bc51100c901b5d47db73e43 \ - --hash=sha256:865c5fbc2ebe73b4f4b71cbcc1b1bae90a335b15f6eaa9fa6495f77a6e86455e \ - --hash=sha256:8ad94fb135bec5c061ba21b1f081f349c3de2b0f8660e168e5afc829d3069e6d \ - --hash=sha256:8ec4a7d0ab131ea749702d4885ff0f6734e1aca1dc26ebbc1c7c67969ba3c0fc \ - --hash=sha256:a65eaec88b084094f5b08c2ad73f0ae972f7d6afd0d3ee1d0eb29a76c010a39b \ - --hash=sha256:a6faba47d13c1b916bfe9a1828a792ba21558871b4b81dbb79c157077f558fb3 \ - --hash=sha256:b4c8a2027b1f19f8b8949132e728a750e4f9b4bb0ec02544d9b21df3f525ab1a \ - --hash=sha256:b8e3492d5f1613e88201b6f68a2e5fba48b0bdbe0f11179df9b222e9dd8d89d3 \ - --hash=sha256:d0566f3ce596b0192099f7a01be08e1f37061d7399e0128804794cf83cdf2806 \ - --hash=sha256:d37f02ae48540104d9c13d2dfe27bf84b246d5945b55d91568404da08e2a3bd8 \ - --hash=sha256:dbf454b6f56f9181886426c7aed7a8dfc8258f80082365fe99b2044ff92261ba +uv==0.4.21 \ + --hash=sha256:0fccf9e232e95917ecbba10767c43dc308e243ea4d17531112a2f4ad63c0d3f1 \ + --hash=sha256:14224075d2edd3d2984391dfcb3138e4840cc998a81c1046cdc746ae1d38cc62 \ + --hash=sha256:19607da8ee024e4ff060804efb8251e3b821cbd7f830b58612600ffe739fd33d \ + --hash=sha256:23d635ef5fe716fb1a1c4b411619f05caa5f9ee669651fcf7a5c00c8a3a1f749 \ + 
--hash=sha256:343c4ffe77ea93563861b46ed024a90efc162c06749836d9d7a8506db40d4565 \ + --hash=sha256:3d3e35a10f7813d7e540aad24cd3a3e20745a42b671a217e7761686791a562f3 \ + --hash=sha256:45df47a4f43db730bea72bd3150c206d00d1a4d854137ed63dc04bb73032f280 \ + --hash=sha256:58a770b278b0555a966275dbe1461dd6632f938a0aefea89037155dee676c78d \ + --hash=sha256:7d1e239b683fb541cad1ddfa16ef4f8f0681ad666c73f12da17e70edc86aab4b \ + --hash=sha256:9c08b01f8571d2c64d45d569990aa7bffad5eb259cf64bc329d40d8c787fb9ba \ + --hash=sha256:9dcddbb3b6e1662c6db41d63db539742450e2ce17d6c746329c016e3651bfb4a \ + --hash=sha256:a1a9a126ce48f0f0893891adb5a9749220425169092f3e4da1216168736ac16d \ + --hash=sha256:aaff052175df7e43ac2f25849a26a6856dcce498653c69a2f4245cdf47db46f7 \ + --hash=sha256:ba3e3b40cc1d5a980d36589775d6a7e4defa1b33e7e06423af0e395b8e4d9505 \ + --hash=sha256:be55a34aa56192f2fd80a3954ad33e3d4587762f8fffe13a0bdf25da1f34ea5d \ + --hash=sha256:e2d7e9c65e799876a45c9134945d548c3de51e13ee650b58bc936190744a66e1 \ + --hash=sha256:e8efba624edb9ab36e0b3550252dc34b2eb1492c73ca8bfb5faa8148307efa1d \ + --hash=sha256:f787d74abb24532f69cd3029c16edea7544931fd36cc1acda5b3af1cbffa5fb4 From 3fa9aac5183342c7e49d3ab8c3f25c2eb644287c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 16 Oct 2024 00:17:08 +0000 Subject: [PATCH 1229/1462] Bump BoringSSL and/or OpenSSL in CI (#11770) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bac36494c7ec..2f6c9115eddb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -44,8 +44,8 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}}
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
- # Latest commit on the BoringSSL master branch, as of Oct 15, 2024.
- - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "cd95210465496ac2337b313cf49f607762abe286"}}
+ # Latest commit on the BoringSSL master branch, as of Oct 16, 2024.
+ - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2587c4974dbe9872451151c8e975f58567a1ce0d"}}
 # Latest commit on the OpenSSL master branch, as of Oct 15, 2024.
 - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f1607c8a2c04bcb95ddb2e6fc4e0aaec9729929b"}}
 # Builds with various Rust versions. Includes MSRV and next
From 12506ca4d969f2786defc2b88059f6d181527564 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 16 Oct 2024 00:40:06 +0000
Subject: [PATCH 1230/1462] Bump pyo3 from 0.22.4 to 0.22.5 in /src/rust (#11771)
Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.22.4 to 0.22.5.
- [Release notes](https://github.com/pyo3/pyo3/releases)
- [Changelog](https://github.com/PyO3/pyo3/blob/main/CHANGELOG.md)
- [Commits](https://github.com/pyo3/pyo3/compare/v0.22.4...v0.22.5)
---
updated-dependencies:
- dependency-name: pyo3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 src/rust/Cargo.lock | 20 ++++++++++----------
 src/rust/Cargo.toml | 2 +-
 src/rust/cryptography-cffi/Cargo.toml | 2 +-
 src/rust/cryptography-keepalive/Cargo.toml | 2 +-
 4 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock
index af8f08221bf9..0a9493e2ff8d 100644
--- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -250,9 +250,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.22.4" +version = "0.22.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "00e89ce2565d6044ca31a3eb79a334c3a79a841120a98f64eea9f579564cb691" +checksum = "3d922163ba1f79c04bc49073ba7b32fd5a8d3b76a87c955921234b8e77333c51" dependencies = [ "cfg-if", "indoc", @@ -268,9 +268,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.22.4" +version = "0.22.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8afbaf3abd7325e08f35ffb8deb5892046fcb2608b703db6a583a5ba4cea01e" +checksum = "bc38c5feeb496c8321091edf3d63e9a6829eab4b863b4a6a65f26f3e9cc6b179" dependencies = [ "once_cell", "target-lexicon", @@ -278,9 +278,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.22.4" +version = "0.22.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ec15a5ba277339d04763f4c23d85987a5b08cbb494860be141e6a10a8eb88022" +checksum = "94845622d88ae274d2729fcefc850e63d7a3ddff5e3ce11bd88486db9f1d357d" dependencies = [ "libc", "pyo3-build-config", @@ -288,9 +288,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.22.4" +version = "0.22.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "15e0f01b5364bcfbb686a52fc4181d412b708a68ed20c330db9fc8d2c2bf5a43" +checksum = "e655aad15e09b94ffdb3ce3d217acf652e26bbc37697ef012f5e5e348c716e5e" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -300,9 +300,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.22.4" +version = "0.22.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a09b550200e1e5ed9176976d0060cbc2ea82dc8515da07885e7b8153a85caacb" +checksum = "ae1e3f09eecd94618f60a455a23def79f79eba4dc561a97324bf9ac8c6df30ce" dependencies = [ "heck", "proc-macro2", 
diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index d03d756f6eba..e28fc7274abd 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -17,7 +17,7 @@ rust-version.workspace = true [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.22.4", features = ["abi3"] } +pyo3 = { version = "0.22.5", features = ["abi3"] } asn1 = { version = "0.17.0", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index d59762dac9fb..162fa73f2fc2 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -7,7 +7,7 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.4", features = ["abi3"] } +pyo3 = { version = "0.22.5", features = ["abi3"] } openssl-sys = "0.9.103" [build-dependencies] diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml index 8a8b943e65e1..e207b3f4ada4 100644 --- a/src/rust/cryptography-keepalive/Cargo.toml +++ b/src/rust/cryptography-keepalive/Cargo.toml @@ -7,4 +7,4 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.4", features = ["abi3"] } +pyo3 = { version = "0.22.5", features = ["abi3"] } From f27bf22d7f541f1bf63beb935efec2f3d8108dfe Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 16 Oct 2024 00:45:05 +0000 Subject: [PATCH 1231/1462] Bump check-sdist from 1.1.0 to 1.2.0 (#11773) Bumps [check-sdist](https://github.com/henryiii/check-sdist) from 1.1.0 to 1.2.0. - [Release notes](https://github.com/henryiii/check-sdist/releases) - [Commits](https://github.com/henryiii/check-sdist/compare/v1.1.0...v1.2.0) --- updated-dependencies: - dependency-name: check-sdist dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ffb8a8b8ecf0..6b7c99e4ed48 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -28,7 +28,7 @@ certifi==2024.8.30 # requests charset-normalizer==3.4.0 # via requests -check-sdist==1.1.0 ; python_full_version >= '3.8' +check-sdist==1.2.0 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) click==8.1.7 # via cryptography (pyproject.toml) From 034d2cf63a6fd986b15eb1a2791d513f690fe12a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 20:50:40 -0400 Subject: [PATCH 1232/1462] Bump uv from 0.4.21 to 0.4.22 in /.github/requirements (#11774) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.21 to 0.4.22. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.21...0.4.22) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 583a4a3e9e04..593b11f2871f 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.21 \ - --hash=sha256:0fccf9e232e95917ecbba10767c43dc308e243ea4d17531112a2f4ad63c0d3f1 \ - --hash=sha256:14224075d2edd3d2984391dfcb3138e4840cc998a81c1046cdc746ae1d38cc62 \ - --hash=sha256:19607da8ee024e4ff060804efb8251e3b821cbd7f830b58612600ffe739fd33d \ - --hash=sha256:23d635ef5fe716fb1a1c4b411619f05caa5f9ee669651fcf7a5c00c8a3a1f749 \ - --hash=sha256:343c4ffe77ea93563861b46ed024a90efc162c06749836d9d7a8506db40d4565 \ - --hash=sha256:3d3e35a10f7813d7e540aad24cd3a3e20745a42b671a217e7761686791a562f3 \ - --hash=sha256:45df47a4f43db730bea72bd3150c206d00d1a4d854137ed63dc04bb73032f280 \ - --hash=sha256:58a770b278b0555a966275dbe1461dd6632f938a0aefea89037155dee676c78d \ - --hash=sha256:7d1e239b683fb541cad1ddfa16ef4f8f0681ad666c73f12da17e70edc86aab4b \ - --hash=sha256:9c08b01f8571d2c64d45d569990aa7bffad5eb259cf64bc329d40d8c787fb9ba \ - --hash=sha256:9dcddbb3b6e1662c6db41d63db539742450e2ce17d6c746329c016e3651bfb4a \ - --hash=sha256:a1a9a126ce48f0f0893891adb5a9749220425169092f3e4da1216168736ac16d \ - --hash=sha256:aaff052175df7e43ac2f25849a26a6856dcce498653c69a2f4245cdf47db46f7 \ - --hash=sha256:ba3e3b40cc1d5a980d36589775d6a7e4defa1b33e7e06423af0e395b8e4d9505 \ - --hash=sha256:be55a34aa56192f2fd80a3954ad33e3d4587762f8fffe13a0bdf25da1f34ea5d \ - --hash=sha256:e2d7e9c65e799876a45c9134945d548c3de51e13ee650b58bc936190744a66e1 \ - --hash=sha256:e8efba624edb9ab36e0b3550252dc34b2eb1492c73ca8bfb5faa8148307efa1d \ - --hash=sha256:f787d74abb24532f69cd3029c16edea7544931fd36cc1acda5b3af1cbffa5fb4 +uv==0.4.22 \ + --hash=sha256:062a57ac3aab9a7d41e1b6a66948d563bf47478c719894661ea2c5ed6485a146 \ + --hash=sha256:0904c141f9fd7088d7837fb7ac5e43191236ed9cf8edf824ed838bdc77da7406 \ + --hash=sha256:0ff4ff91a25ed633f4d2556777e1b317262c01f71e8f72dfbc540e97e7eb5392 \ + --hash=sha256:455538b910db65f20a70cf806c5e65cc1d80ea7f40a116ba1c3d4bd1dab933d9 \ + 
--hash=sha256:48232daa35ebd3e963eea236cf33915a8b0c8a3673d5da35d764f8b1fec0b1b2 \ + --hash=sha256:52605e291f7ab1daca682b7a92b926c2f70e1fc86caaa37cbd56b64587730ea2 \ + --hash=sha256:527d785dafa5bf8fa4aba42188787a4b25c11d005a5f4bd8afda6e8c2c231e1b \ + --hash=sha256:63156e306f860d9fa2bb1d7c9af30053b88276004b2790cd9bbf20cc83ce988b \ + --hash=sha256:7041bf9d2d5d391cebca7778207eb88a96537ff2e93df2ff9f41d6c4057252c3 \ + --hash=sha256:71f3faaa94f60d362a6984fdf7675d6d2d244139de91a7d46e2367caf950951e \ + --hash=sha256:765dac79e5c8e2924efbd4663d4e03f5d7689f1baa98223b298fe4292610a25a \ + --hash=sha256:7be7adf47158c456031b2b78742a432260b5c22e9a86784fa57e7a208b0c3206 \ + --hash=sha256:956c4f0a9eddb8e18003bc39d114c78f6d6b4ba2683a262af043770abee44f2e \ + --hash=sha256:9cf96ddcb6ea2743e4c44fa22b08a4f2fd09cc9c5e228e8ab04b0cd08371c868 \ + --hash=sha256:af70ea49389397d0f6ff43827f73e0e71db0fc45cdf50c7dcff8318d726c8224 \ + --hash=sha256:c96eb12d1bdb1a826cba3c38273604629ac51e723d705aed17ae282650d030f0 \ + --hash=sha256:d9a242b3360c3a62e248053b3a6f618dc59cb5c56f4e30748433a19a002e4bf5 \ + --hash=sha256:e18c42cc99bc2a3f91d43aeb2df61a6d259114fca50dd3818879e9ee12064f7f From 3ade044d48ce3c3c6688329a8d2556fb6060ff35 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 16 Oct 2024 00:54:28 +0000 Subject: [PATCH 1233/1462] Bump openssl-sys from 0.9.103 to 0.9.104 in /src/rust (#11772) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.103 to 0.9.104. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.103...openssl-sys-v0.9.104) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 0a9493e2ff8d..e9fa75d72d12 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -208,9 +208,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.103" +version = "0.9.104" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f9e8deee91df40a943c71b917e5874b951d32a802526c85721ce3b776c929d6" +checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index e28fc7274abd..0f396f67afcf 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -27,7 +27,7 @@ cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.66" -openssl-sys = "0.9.103" +openssl-sys = "0.9.104" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 162fa73f2fc2..552a1a80eb18 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -8,7 +8,7 @@ rust-version.workspace = true [dependencies] pyo3 = { version = "0.22.5", features = ["abi3"] } -openssl-sys = "0.9.103" +openssl-sys = "0.9.104" [build-dependencies] cc = "1.1.30" diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index b44f68d44aeb..d6bcfaec6308 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml 
@@ -10,7 +10,7 @@ rust-version.workspace = true asn1 = { version = "0.17.0", default-features = false } cfg-if = "1" openssl = "0.10.66" -openssl-sys = "0.9.103" +openssl-sys = "0.9.104" cryptography-x509 = { path = "../cryptography-x509" } [lints.rust] From 8d6f5138405d51b072713987480039de78d7b07a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 16 Oct 2024 01:09:39 +0000 Subject: [PATCH 1234/1462] Bump openssl from 0.10.66 to 0.10.67 in /src/rust (#11775) Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.66 to 0.10.67. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.66...openssl-v0.10.67) --- updated-dependencies: - dependency-name: openssl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index e9fa75d72d12..35128f5385e0 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -182,9 +182,9 @@ checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775" [[package]] name = "openssl" -version = "0.10.66" +version = "0.10.67" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9529f4786b70a3e8c61e11179af17ab6188ad8d0ded78c5529441ed39d4bd9c1" +checksum = "7b8cefcf97f41316955f9294cd61f639bdcfa9f2f230faac6cb896aa8ab64704" dependencies = [ "bitflags", "cfg-if", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 0f396f67afcf..1a02ecc8d1ae 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml 
@@ -26,7 +26,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } -openssl = "0.10.66" +openssl = "0.10.67" openssl-sys = "0.9.104" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index d6bcfaec6308..cca5d8d5899a 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -9,7 +9,7 @@ rust-version.workspace = true [dependencies] asn1 = { version = "0.17.0", default-features = false } cfg-if = "1" -openssl = "0.10.66" +openssl = "0.10.67" openssl-sys = "0.9.104" cryptography-x509 = { path = "../cryptography-x509" } diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 8d0bf2fd831a..98a71b704da4 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,7 +8,7 @@ rust-version.workspace = true [dependencies] cfg-if = "1" -openssl = "0.10.66" +openssl = "0.10.67" ffi = { package = "openssl-sys", version = "0.9.101" } foreign-types = "0.3" foreign-types-shared = "0.1" From 260a61e796879ecd78dff37410d33bab49cb339d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 15 Oct 2024 21:33:45 -0400 Subject: [PATCH 1235/1462] added tests for libressl 4.0.0 (#11776) --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2f6c9115eddb..ae8342e29ebd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -43,6 +43,7 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.4.0-beta1"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}}
+ - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}}
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
 # Latest commit on the BoringSSL master branch, as of Oct 16, 2024.
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2587c4974dbe9872451151c8e975f58567a1ce0d"}}
From 9642e5f94b28b6c5c28b3338a5584dbf2b7b0866 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Wed, 16 Oct 2024 19:58:05 -0400
Subject: [PATCH 1236/1462] bust openssl cache due to github actions rolling back image changes (#11781)
* bust openssl cache due to github actions rolling back image changes
* Update action.yml
---
 .github/actions/cache/action.yml | 2 +-
 .github/workflows/ci.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml
index 327041e85808..2dbeca46e270 100644
--- a/.github/actions/cache/action.yml
+++ b/.github/actions/cache/action.yml
@@ -17,5 +17,5 @@ runs:
 shell: bash
 - uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5
 with:
- key: ${{ steps.normalized-key.outputs.key }}-2
+ key: ${{ steps.normalized-key.outputs.key }}-3
 workspaces: "./src/rust/ -> target"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ae8342e29ebd..a950b8954dd7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
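Review bot: The `-3` suffix on the `key:` line in action.yml is a hand-bumped cache-bust counter, and nothing in the hunk says so or says when to bump it; the ci.yml hunk of this commit (`-13` to `-14`) has a comment, but it only mentions changes to the openssl build process. The commit message gives a further reason, a runner image rollback, so I would add `# Bump the trailing number to drop caches built on a different runner image.` above `key:` here and append the same sentence to the ci.yml comment. Judging by that ci.yml comment, a cache hit skips the OpenSSL/LibreSSL build step, so a stale key lets the test suite run against a library built in a different environment; folding a runner-image identifier into both keys would remove the manual step, though that needs changes outside these hunks.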
@@ -106,7 +106,7 @@ jobs:
 # When altering the openssl build process you may need to increment
 # the value on the end of this cache key so that you can prevent it
 # from fetching the cache and skipping the build step.
- key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.OPENSSL_HASH }}-13
+ key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.OPENSSL_HASH }}-14
 if: matrix.PYTHON.OPENSSL
 - name: Build custom OpenSSL/LibreSSL
 run: .github/workflows/build_openssl.sh
From 67283d65b9ba265fc40e16d6369b083fc3925e7f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 17 Oct 2024 00:07:32 +0000
Subject: [PATCH 1237/1462] Bump openssl from 0.10.67 to 0.10.68 in /src/rust (#11779)
Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.67 to 0.10.68.
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.67...openssl-v0.10.68)
---
updated-dependencies:
- dependency-name: openssl
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 src/rust/Cargo.lock | 4 ++--
 src/rust/Cargo.toml | 2 +-
 src/rust/cryptography-key-parsing/Cargo.toml | 2 +-
 src/rust/cryptography-openssl/Cargo.toml | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock
index 35128f5385e0..eb41f8d32a1e 100644
@@ -182,9 +182,9 @@ checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775" [[package]] name = "openssl" -version = "0.10.67" +version = "0.10.68" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b8cefcf97f41316955f9294cd61f639bdcfa9f2f230faac6cb896aa8ab64704" +checksum = "6174bc48f102d208783c2c84bf931bb75927a617866870de8a4ea85597f871f5" dependencies = [ "bitflags", "cfg-if", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 1a02ecc8d1ae..87f7fb351d54 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -26,7 +26,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } -openssl = "0.10.67" +openssl = "0.10.68" openssl-sys = "0.9.104" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index cca5d8d5899a..7e7624d8ac5b 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -9,7 +9,7 @@ rust-version.workspace = true [dependencies] asn1 = { version = "0.17.0", default-features = false } cfg-if = "1" -openssl = "0.10.67" +openssl = "0.10.68" openssl-sys = "0.9.104" cryptography-x509 = { path = "../cryptography-x509" } diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 98a71b704da4..3d4c17ebaafd 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,7 +8,7 @@ rust-version.workspace = true [dependencies] cfg-if = "1" -openssl = "0.10.67" +openssl = "0.10.68" ffi = { package = "openssl-sys", version = "0.9.101" } foreign-types = "0.3" foreign-types-shared = "0.1" From 18fdacc77ae1b4a8a9919796504f79ba2dbe1f7e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 17 Oct 2024 00:08:16 +0000 Subject: [PATCH 1238/1462] Bump proc-macro2 from 1.0.87 to 1.0.88 in /src/rust (#11780) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.87 to 1.0.88. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.87...1.0.88) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index eb41f8d32a1e..4fe70c6055fa 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -241,9 +241,9 @@ checksum = "cc9c68a3f6da06753e9335d63e27f6b9754dd1920d941135b7ea8224f141adb2" [[package]] name = "proc-macro2" -version = "1.0.87" +version = "1.0.88" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b3e4daa0dcf6feba26f985457cdf104d4b4256fc5a09547140f3631bb076b19a" +checksum = "7c3a7fc5db1e57d5a779a352c8cdb57b29aa4c40cc69c3a68a7fedc815fbf2f9" dependencies = [ "unicode-ident", ] From ce2f3721d27427ed7363467ee83c48f595a861b0 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 17 Oct 2024 00:18:23 +0000 Subject: [PATCH 1239/1462] Bump BoringSSL and/or OpenSSL in CI (#11782) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a950b8954dd7..2aedf0cd7c47 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,10 +45,10 @@ jobs:
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}}
 - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}}
 - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
- # Latest commit on the BoringSSL master branch, as of Oct 16, 2024.
- - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2587c4974dbe9872451151c8e975f58567a1ce0d"}}
- # Latest commit on the OpenSSL master branch, as of Oct 15, 2024.
- - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f1607c8a2c04bcb95ddb2e6fc4e0aaec9729929b"}}
+ # Latest commit on the BoringSSL master branch, as of Oct 17, 2024.
+ - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ee3f9468584b6607f944b885ad50db35a70daf8d"}}
+ # Latest commit on the OpenSSL master branch, as of Oct 17, 2024.
+ - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6bb62ab82682b9e19d594eb8fd52a5a560ba65f3"}}
 # Builds with various Rust versions. Includes MSRV and next
 # potential future MSRV.
 # - 1.70: crates.io sparse protocol by default
From 34cfc948933ad016b7091515541eec41766c85d6 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 17 Oct 2024 07:32:57 -0400
Subject: [PATCH 1240/1462] Bump libc from 0.2.159 to 0.2.160 in /src/rust (#11783)
Bumps [libc](https://github.com/rust-lang/libc) from 0.2.159 to 0.2.160.
- [Release notes](https://github.com/rust-lang/libc/releases)
- [Changelog](https://github.com/rust-lang/libc/blob/0.2.160/CHANGELOG.md)
- [Commits](https://github.com/rust-lang/libc/compare/0.2.159...0.2.160)
---
updated-dependencies:
- dependency-name: libc
dependency-type: indirect
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 4fe70c6055fa..233482e7dd2e 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -161,9 +161,9 @@ checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "libc" -version = "0.2.159" +version = "0.2.160" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "561d97a539a36e26a9a5fad1ea11a3039a67714694aaa379433e580854bc3dc5" +checksum = "f0b21006cd1874ae9e650973c565615676dc4a274c965bb0a73796dac838ce4f" [[package]] name = "memoffset" From 2da0dc4f412f7c8dd71f85ac07a5e04cc269a4f3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 17 Oct 2024 20:34:02 +0000 Subject: [PATCH 1241/1462] Bump libc from 0.2.160 to 0.2.161 in /src/rust (#11786) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.160 to 0.2.161. - [Release notes](https://github.com/rust-lang/libc/releases) - [Changelog](https://github.com/rust-lang/libc/blob/0.2.161/CHANGELOG.md) - [Commits](https://github.com/rust-lang/libc/compare/0.2.160...0.2.161) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 233482e7dd2e..3383b9603a9b 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
@@ -161,9 +161,9 @@ checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "libc" -version = "0.2.160" +version = "0.2.161" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f0b21006cd1874ae9e650973c565615676dc4a274c965bb0a73796dac838ce4f" +checksum = "8e9489c2807c139ffd9c1794f4af0ebe86a828db53ecdc7fea2111d0fed085d1" [[package]] name = "memoffset" From b4618ef30610d2ab7873f44c8c6af83d8be34425 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 17 Oct 2024 20:34:34 +0000 Subject: [PATCH 1242/1462] Bump ruff from 0.6.9 to 0.7.0 (#11787) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.6.9 to 0.7.0. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.6.9...0.7.0) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6b7c99e4ed48..10109ed64f8d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -196,7 +196,7 @@ requests==2.31.0 ; python_full_version < '3.8' # via sphinx requests==2.32.3 ; python_full_version >= '3.8' # via sphinx -ruff==0.6.9 +ruff==0.7.0 # via cryptography (pyproject.toml) six==1.16.0 ; python_full_version < '3.8' # via bleach From 9b6bce2da4aa3d6ca6a4bc6affd18c564b08da3d Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 17 Oct 2024 20:38:27 +0000 Subject: [PATCH 1243/1462] Bump uv from 0.4.22 to 0.4.23 in /.github/requirements (#11788) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.22 to 0.4.23. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.22...0.4.23) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 593b11f2871f..2266da16a47e 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.22 \ - --hash=sha256:062a57ac3aab9a7d41e1b6a66948d563bf47478c719894661ea2c5ed6485a146 \ - --hash=sha256:0904c141f9fd7088d7837fb7ac5e43191236ed9cf8edf824ed838bdc77da7406 \ - --hash=sha256:0ff4ff91a25ed633f4d2556777e1b317262c01f71e8f72dfbc540e97e7eb5392 \ - --hash=sha256:455538b910db65f20a70cf806c5e65cc1d80ea7f40a116ba1c3d4bd1dab933d9 \ - --hash=sha256:48232daa35ebd3e963eea236cf33915a8b0c8a3673d5da35d764f8b1fec0b1b2 \ - --hash=sha256:52605e291f7ab1daca682b7a92b926c2f70e1fc86caaa37cbd56b64587730ea2 \ - --hash=sha256:527d785dafa5bf8fa4aba42188787a4b25c11d005a5f4bd8afda6e8c2c231e1b \ - --hash=sha256:63156e306f860d9fa2bb1d7c9af30053b88276004b2790cd9bbf20cc83ce988b \ - --hash=sha256:7041bf9d2d5d391cebca7778207eb88a96537ff2e93df2ff9f41d6c4057252c3 \ - --hash=sha256:71f3faaa94f60d362a6984fdf7675d6d2d244139de91a7d46e2367caf950951e \ - --hash=sha256:765dac79e5c8e2924efbd4663d4e03f5d7689f1baa98223b298fe4292610a25a \ - --hash=sha256:7be7adf47158c456031b2b78742a432260b5c22e9a86784fa57e7a208b0c3206 \ - --hash=sha256:956c4f0a9eddb8e18003bc39d114c78f6d6b4ba2683a262af043770abee44f2e \ - --hash=sha256:9cf96ddcb6ea2743e4c44fa22b08a4f2fd09cc9c5e228e8ab04b0cd08371c868 \ - --hash=sha256:af70ea49389397d0f6ff43827f73e0e71db0fc45cdf50c7dcff8318d726c8224 \ - --hash=sha256:c96eb12d1bdb1a826cba3c38273604629ac51e723d705aed17ae282650d030f0 \ - --hash=sha256:d9a242b3360c3a62e248053b3a6f618dc59cb5c56f4e30748433a19a002e4bf5 \ - --hash=sha256:e18c42cc99bc2a3f91d43aeb2df61a6d259114fca50dd3818879e9ee12064f7f +uv==0.4.23 \ + --hash=sha256:14a38cb947acffe6bb6c9e4922c2ac3b2d7ec4353e28f59d8fd1f10bc695cf73 \ + --hash=sha256:1663219972c92cdd2a24ab0437284c4fcaac483814e3399e1cafa231c47b0c46 \ + --hash=sha256:1fc6c3b475eaf8057a9592c23d495293f8837b13a9f564f46fccfca4ff7fc0a8 \ + --hash=sha256:23269724349a1831881319e5f2854a5b8260f444ecb2528ac44ffe039a091ac4 \ + 
--hash=sha256:2f19527992f7d557fd3faec281b43005f1e8c9ebdf07f90bef229d510e002ca0 \ + --hash=sha256:59f1c41baa13646ac64b780b801afd0a451173d38eca03cfd6f98802bfc296b1 \ + --hash=sha256:677b53b1fdbb7211dbe92f7adf8e543fa56061e5edea0ceb724c36ce1df5f35c \ + --hash=sha256:7065dabbb58c44525516bc807bcc279867bd81ae548afa58375bada23db1afd7 \ + --hash=sha256:8a416cb239e6be6c246da6803bf957a32a81fed21fda2fb32d012e5caa1e0b4f \ + --hash=sha256:8b09215f5d388610bc35352dd5938f19a0d7a70a0ab98b9db00d5cd26c751d57 \ + --hash=sha256:8f1a74620f9a7180e3a263bcbf6efb30630819cbd100d266c1760007fcd151c3 \ + --hash=sha256:a403d1231102302a484aab871b1adf42df5623712ce3705a7cb23c41f79611c8 \ + --hash=sha256:a57d00795900550e358d10aff4f56347ee228bcbe4b9f870fb3b7e74c82f634d \ + --hash=sha256:a9f35ee982170590bb45921af18043b6ac379d9019f46c435bcb8293111c9e80 \ + --hash=sha256:ae11724cd14841627a504801949db0f3dfd5060bf9c5861aa1a4eba5d69b2b3f \ + --hash=sha256:c62292ed01170e72157e74e2f24cc535445fc6fbad54b09699344c66393fe41d \ + --hash=sha256:cbb9754f18d0796337a1756e628f0faa74c215ffb139a35bf490ab07fa626ca8 \ + --hash=sha256:f09efd74a3510b797a01ca8e56a007da7d7210b2620d53d67f425324ef079dfb From 4a90339302fa9fd68890e147144223892729b3f4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 17 Oct 2024 17:52:32 -0700 Subject: [PATCH 1244/1462] Bump BoringSSL and/or OpenSSL in CI (#11789) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2aedf0cd7c47..c4a232f5f9ad 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -47,8 +47,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Oct 17, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ee3f9468584b6607f944b885ad50db35a70daf8d"}} - # Latest commit on the OpenSSL master branch, as of Oct 17, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6bb62ab82682b9e19d594eb8fd52a5a560ba65f3"}} + # Latest commit on the OpenSSL master branch, as of Oct 18, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f4c467452694e1211395d17c2c027d99c35ee1e1"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From f3032fd21b0bd68820b4cc65483bc0fb1e3b7940 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 17 Oct 2024 22:32:58 -0400 Subject: [PATCH 1245/1462] test on 3.14-dev (#11790) --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c4a232f5f9ad..dc8674b28c0a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,6 +31,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust"} - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.3"}} - {VERSION: "3.13", NOXSESSION: "tests"} + - {VERSION: "3.14-dev", NOXSESSION: "tests"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.15"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.7"}} From 5a7fed5c56024c822c5fde933a4dfb6c02a7f129 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 17 Oct 2024 22:37:41 -0400 Subject: [PATCH 1246/1462] remove libressl 3.8.4 from ci (#11791) it's no longer used by any supported version of openbsd --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dc8674b28c0a..dc82a7f23d2a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,7 +42,6 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.7"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.4.0-beta1"}} - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} From b7721e25317b00509b9ead59da22eac153712346 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 17 Oct 2024 23:12:19 -0400 Subject: [PATCH 1247/1462] Added changelog for libressl removal (#11792) --- CHANGELOG.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 01d4fa488c49..06992881e35e 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -9,6 +9,7 @@ Changelog .. note:: This version is not yet released and is under active development. +* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.9. * Deprecated Python 3.7 support. Python 3.7 is no longer supported by the Python core team. Support for Python 3.7 will be removed in a future ``cryptography`` release. From 8b3de53ed80e1d426d512ede2d9fd756e6fb46ec Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Thu, 17 Oct 2024 23:13:03 -0400 Subject: [PATCH 1248/1462] When failing to parse SANs or IANs, include which it was that failed (#11785) --- docs/development/test-vectors.rst | 2 ++ src/rust/src/x509/certificate.rs | 8 ++++++-- tests/x509/test_x509_ext.py | 16 ++++++++++++++++ .../x509/custom/malformed-ian.pem | 11 +++++++++++ .../x509/custom/malformed-san.pem | 11 +++++++++++ 5 files changed, 46 insertions(+), 2 deletions(-) create mode 100644 vectors/cryptography_vectors/x509/custom/malformed-ian.pem create mode 100644 vectors/cryptography_vectors/x509/custom/malformed-san.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index dcbc93edf89f..3714b17d4581 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -544,6 +544,8 @@ Custom X.509 Vectors This is an invalid certificate per CA/B 7.1.2.7.6. * ``empty-eku.pem`` - A leaf certificate containing an empty EKU extension. This is an invalid certificate per :rfc:`5280` 4.2.1.12. +* ``malformed-san.pem`` - A certificate with a malformed SAN. +* ``malformed-ian.pem`` - A certificate with a malformed IAN. Custom X.509 Request Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index b9e331a72ddc..739b28694dba 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs 
@@ -737,14 +737,18 @@ pub fn parse_cert_ext<'p>( ) -> CryptographyResult>> { match ext.extn_id { oid::SUBJECT_ALTERNATIVE_NAME_OID => { - let gn_seq = ext.value::>()?; + let gn_seq = ext.value::>().map_err(|e| { + e.add_location(asn1::ParseLocation::Field("subject_alternative_name")) + })?; let sans = x509::parse_general_names(py, &gn_seq)?; Ok(Some( types::SUBJECT_ALTERNATIVE_NAME.get(py)?.call1((sans,))?, )) } oid::ISSUER_ALTERNATIVE_NAME_OID => { - let gn_seq = ext.value::>()?; + let gn_seq = ext.value::>().map_err(|e| { + e.add_location(asn1::ParseLocation::Field("issuer_alternative_name")) + })?; let ians = x509::parse_general_names(py, &gn_seq)?; Ok(Some( types::ISSUER_ALTERNATIVE_NAME.get(py)?.call1((ians,))?, diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index 911006406372..4f75c2987b2e 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py @@ -2324,6 +2324,14 @@ def test_uri(self, backend): x509.UniformResourceIdentifier("http://path.to.root/root.crt"), ] + def test_malformed(self): + cert = _load_cert( + os.path.join("x509", "custom", "malformed-ian.pem"), + x509.load_pem_x509_certificate, + ) + with pytest.raises(ValueError, match="issuer_alternative_name"): + cert.extensions + class TestCRLNumber: def test_eq(self): @@ -2709,6 +2717,14 @@ def test_certbuilder(self, rsa_key_2048: rsa.RSAPrivateKey, backend): ] assert result == sans + def test_malformed(self): + cert = _load_cert( + os.path.join("x509", "custom", "malformed-san.pem"), + x509.load_pem_x509_certificate, + ) + with pytest.raises(ValueError, match="subject_alternative_name"): + cert.extensions + class TestExtendedKeyUsageExtension: def test_eku(self, backend): diff --git a/vectors/cryptography_vectors/x509/custom/malformed-ian.pem b/vectors/cryptography_vectors/x509/custom/malformed-ian.pem new file mode 100644 index 000000000000..a7c7d609339d --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/malformed-ian.pem 
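Review bot: In both new `map_err` closures of `parse_cert_ext`, the field location is attached only to the `ext.value` parse, so an error returned by `x509::parse_general_names` on the following line would, as far as this hunk shows, still surface without naming the extension. If that call can fail on its own, a comment such as `// Only the outer GeneralNames parse is tagged with the extension name.` would make the limit explicit for whoever reads the error text. The two closures differ only in the field string and could share one small helper that takes the field name. `parse_cert_ext` begins and continues outside the hunk.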
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBlDCB/qADAgECAgo/X5syqzQbiVZiMA0GCSqGSIb3DQEBBQUAMAAwHhcNMTIw +OTI3MTEyNDQzWhcNMTcwOTI3MTEyNDQzWjAAMIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQDEyUkICYplDtDRdLjZV0nF5oK5tBjoXWPxnfx6Msg5Ywvxjh4jq8Jf +FRwn9oLYpFmnhPYaVNWO7fykCrYz8O6mMtYInUbodvIPniZXjoTlYOPUmLj/XcU0 +iGhUmdo8yquPoe7TC9DDeSfaAwoLMDZjJoQjlBuRk+qTmfySJCNZrQIDAQABoxYw +FDASBgNVHRIECzAJoAcGA1UEAwwAMA0GCSqGSIb3DQEBBQUAA4GBAD5jUyH8eLrZ +tJtEJIVH/cvjtATXWwUnPX5NUGrgIBFwKx1f4csOFe6MIhA7j0VwSJ/iOd4xszLA +r8/2ijoBc+cPbThPSHLdOvOrGJsdrywOUYzGHRh/zoMEnT/FN9p7YbYnQIwFGqx1 +HUFnXljOXCezE5ytzEcpQ/43EvT4u74O +-----END CERTIFICATE----- diff --git a/vectors/cryptography_vectors/x509/custom/malformed-san.pem b/vectors/cryptography_vectors/x509/custom/malformed-san.pem new file mode 100644 index 000000000000..00aa6feeaedc --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/malformed-san.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBlDCB/qADAgECAgo/X5syqzQbiVZiMA0GCSqGSIb3DQEBBQUAMAAwHhcNMTIw +OTI3MTEyNDQzWhcNMTcwOTI3MTEyNDQzWjAAMIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQDEyUkICYplDtDRdLjZV0nF5oK5tBjoXWPxnfx6Msg5Ywvxjh4jq8Jf +FRwn9oLYpFmnhPYaVNWO7fykCrYz8O6mMtYInUbodvIPniZXjoTlYOPUmLj/XcU0 +iGhUmdo8yquPoe7TC9DDeSfaAwoLMDZjJoQjlBuRk+qTmfySJCNZrQIDAQABoxYw +FDASBgNVHREECzAJoAcGA1UEAwwAMA0GCSqGSIb3DQEBBQUAA4GBAD5jUyH8eLrZ +tJtEJIVH/cvjtATXWwUnPX5NUGrgIBFwKx1f4csOFe6MIhA7j0VwSJ/iOd4xszLA +r8/2ijoBc+cPbThPSHLdOvOrGJsdrywOUYzGHRh/zoMEnT/FN9p7YbYnQIwFGqx1 +HUFnXljOXCezE5ytzEcpQ/43EvT4u74O +-----END CERTIFICATE----- From 893fed37d736d5a6b628978b8f44f0ff37470391 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 18 Oct 2024 07:36:09 -0400 Subject: [PATCH 1249/1462] Bump uv from 0.4.23 to 0.4.24 in /.github/requirements (#11794) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.23 to 0.4.24. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.23...0.4.24) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 2266da16a47e..df206ab8985e 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.23 \ - --hash=sha256:14a38cb947acffe6bb6c9e4922c2ac3b2d7ec4353e28f59d8fd1f10bc695cf73 \ - --hash=sha256:1663219972c92cdd2a24ab0437284c4fcaac483814e3399e1cafa231c47b0c46 \ - --hash=sha256:1fc6c3b475eaf8057a9592c23d495293f8837b13a9f564f46fccfca4ff7fc0a8 \ - --hash=sha256:23269724349a1831881319e5f2854a5b8260f444ecb2528ac44ffe039a091ac4 \ - --hash=sha256:2f19527992f7d557fd3faec281b43005f1e8c9ebdf07f90bef229d510e002ca0 \ - --hash=sha256:59f1c41baa13646ac64b780b801afd0a451173d38eca03cfd6f98802bfc296b1 \ - --hash=sha256:677b53b1fdbb7211dbe92f7adf8e543fa56061e5edea0ceb724c36ce1df5f35c \ - --hash=sha256:7065dabbb58c44525516bc807bcc279867bd81ae548afa58375bada23db1afd7 \ - --hash=sha256:8a416cb239e6be6c246da6803bf957a32a81fed21fda2fb32d012e5caa1e0b4f \ - --hash=sha256:8b09215f5d388610bc35352dd5938f19a0d7a70a0ab98b9db00d5cd26c751d57 \ - --hash=sha256:8f1a74620f9a7180e3a263bcbf6efb30630819cbd100d266c1760007fcd151c3 \ - --hash=sha256:a403d1231102302a484aab871b1adf42df5623712ce3705a7cb23c41f79611c8 \ - --hash=sha256:a57d00795900550e358d10aff4f56347ee228bcbe4b9f870fb3b7e74c82f634d \ - --hash=sha256:a9f35ee982170590bb45921af18043b6ac379d9019f46c435bcb8293111c9e80 \ - --hash=sha256:ae11724cd14841627a504801949db0f3dfd5060bf9c5861aa1a4eba5d69b2b3f \ - --hash=sha256:c62292ed01170e72157e74e2f24cc535445fc6fbad54b09699344c66393fe41d \ - --hash=sha256:cbb9754f18d0796337a1756e628f0faa74c215ffb139a35bf490ab07fa626ca8 \ - --hash=sha256:f09efd74a3510b797a01ca8e56a007da7d7210b2620d53d67f425324ef079dfb +uv==0.4.24 \ + --hash=sha256:29c514752873c1be259afd82b975e528ec6783564a306fd24deee0cccb2dc566 \ + --hash=sha256:2a3ea6780e3451c81ce1635656abcd8a47e43f1b0f02542c433b4b6dd459df8e \ + --hash=sha256:4d8e5f66a8756d4908121cb59189e6f9992fdbd0f9c26a5a30a069b94f8acab3 \ + --hash=sha256:5e3ce0350e74b3dba6854789dd253faeab2fdf8e84f2671b68573070bb40ff17 \ + 
--hash=sha256:70a76cb5b8a459d6f6931becf2b5689599382c2512341d566ce335b8304c44e8 \ + --hash=sha256:7d076875e9fa4d8cda44d3e51c9b47efc578db830535c62f25884772bfa265bc \ + --hash=sha256:7ef6914a7294ac7df5bd15b21652cbe61d1c12a0f29a94d178dce6192f858092 \ + --hash=sha256:a03bc4b2ca2236eece97fffb8b5605b7a2248cd8a4b9a9c67955ad08756a1ceb \ + --hash=sha256:a97c347af12deb687c09fed82dc829efd6e5fbc4d76a38e98b2eaa2b065e4cfe \ + --hash=sha256:b459913d8ba6edba2c4b299e87fccfbd7fca4b2e2abe5fd4fa0da56147e19fc8 \ + --hash=sha256:b8d467d4c4746127b2121d6f67686957a2b5431935d26767aa02fa4516694293 \ + --hash=sha256:bbc24b232c5e874741d863c5bec2257533db86f91381f1a101872028a0502ec9 \ + --hash=sha256:beaff8fdaad3bcd781a8d28b60843b8d1cd2a04229847dc314c1bb7e0bb39ca2 \ + --hash=sha256:c03a411f1b86ce7de25d6271d90358ba2d33e87b4922dc5378c4c07674909363 \ + --hash=sha256:c40f75df1f2c45a7f67fcc69d80231760f6a017b7c8e889a16e21348651a34d7 \ + --hash=sha256:d274f7ddc013697fb52962632bc7e77889a6ec87d2cd12316d218686cfece3d4 \ + --hash=sha256:ec0570f5e2e4dbfd83a89e9a55d5f033050d749f684bd0e7d4c327fd49f89b12 \ + --hash=sha256:f71a00f10cfa15b4f4f0184a67da19f35c48683bba9bb49cebe9c206f1b2bc1f From 1db74fb2879bcf4c79d89ee06416f9ace2f76a65 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 18 Oct 2024 10:05:17 -0400 Subject: [PATCH 1250/1462] Bump virtualenv (#11795) --- ci-constraints-requirements.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 10109ed64f8d..01807e4876fe 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -286,7 +286,9 @@ urllib3==2.0.7 ; python_full_version < '3.8' # via requests urllib3==2.2.3 ; python_full_version >= '3.8' # via requests -virtualenv==20.26.6 +virtualenv==20.26.6 ; python_full_version < '3.8' + # via nox +virtualenv==20.27.0 ; python_full_version >= '3.8' # via nox webencodings==0.5.1 ; python_full_version < '3.8' # via bleach 
From 5050fe5a0cf7f5c023e5068724f443eafb7cbca9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 18 Oct 2024 11:56:03 -0400 Subject: [PATCH 1251/1462] fix pypi-publish upload URL (#11798) now matches https://github.com/pypa/gh-action-pypi-publish/blob/unstable/v1/action.yml#L23 --- .github/workflows/pypi-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 22ea8054ad3e..b143881eb5ba 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -37,7 +37,7 @@ jobs: EVENT_CONTEXT: ${{ toJson(github.event) }} - run: | - echo "PYPI_URL=https://pypi.org/legacy/" >> $GITHUB_ENV + echo "PYPI_URL=https://upload.pypi.org/legacy/" >> $GITHUB_ENV if: github.event_name == 'workflow_run' || (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'pypi') - run: | echo "PYPI_URL=https://test.pypi.org/legacy/" >> $GITHUB_ENV @@ -60,4 +60,4 @@ jobs: # because there's nothing that would prevent a malicious PyPI from # serving a signed TestPyPI asset in place of a release intended for # PyPI. - attestations: ${{ env.PYPI_URL == 'https://pypi.org/legacy/' }} + attestations: ${{ env.PYPI_URL == 'https://upload.pypi.org/legacy/' }} From 57973e75549d26c8a943ebe6307f5001faadfbcf Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 18 Oct 2024 12:06:17 -0400 Subject: [PATCH 1252/1462] forward port changelog from 43.0.{2,3} (#11799) --- CHANGELOG.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 06992881e35e..7021e8423b7f 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
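Review bot: The upload URL is still written as a literal in two places, the `echo "PYPI_URL=..."` step and the `attestations:` expression in the second hunk, and that expression quietly evaluates to false if the two strings ever differ, which would publish to PyPI without attestations. Deriving the flag from the step that selects the index removes the string comparison: add `echo "PYPI_ATTESTATIONS=true" >> $GITHUB_ENV` to the PyPI step and use `attestations: ${{ env.PYPI_ATTESTATIONS == 'true' }}`. If the comparison is kept, the existing comment above `attestations:` should say that the literal must track the URL set earlier in the job.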
@@ -24,6 +24,20 @@ Changelog during X.509 verification to allow fields permitted by :rfc:`5280` but forbidden by the CA/Browser BRs. +.. _v43-0-3: + +43.0.3 - 2024-10-18 +~~~~~~~~~~~~~~~~~~~ + +* Fixed release metadata for ``cryptography-vectors`` + +.. _v43-0-2: + +43.0.2 - 2024-10-18 +~~~~~~~~~~~~~~~~~~~ + +* Fixed compilation when using LibreSSL 4.0.0. + .. _v43-0-1: 43.0.1 - 2024-09-03 From c7e16e5e800b67f7f321448f17ed0bffdb4c79c4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 19 Oct 2024 11:04:46 -0400 Subject: [PATCH 1253/1462] Use uv whenever available in nox (#11802) --- noxfile.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/noxfile.py b/noxfile.py index 691259d02868..127ca18071ce 100644 --- a/noxfile.py +++ b/noxfile.py @@ -20,6 +20,7 @@ import tomli as tomllib # type: ignore[import-not-found,no-redef] nox.options.reuse_existing_virtualenvs = True +nox.options.default_venv_backend = "uv|virtualenv" def install( @@ -76,7 +77,10 @@ def tests(session: nox.Session) -> None: else: install(session, f".[{extras}]") - session.run("pip", "list") + if session.venv_backend == "uv": + session.run("uv", "pip", "list") + else: + session.run("pip", "list") if session.name != "tests-nocoverage": cov_args = [ @@ -267,7 +271,7 @@ def rust(session: nox.Session) -> None: process_rust_coverage(session, rust_tests, prof_location) -@nox.session(venv_backend="uv|venv") +@nox.session def local(session): pyproject_data = load_pyproject_toml() install(session, "-e", "./vectors", verbose=False) From ccfea4a25d053ef2fc57e2420964276639e4f40c Mon Sep 17 00:00:00 2001 
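Review bot: The new `nox.options.default_venv_backend = "uv|virtualenv"` line in noxfile.py has no comment saying that the backend now depends on whether uv is installed, which also decides which branch of the new `pip list` check in `tests` runs. I would add `# Prefer uv when it is installed; otherwise fall back to virtualenv.` above it. In the `tests` hunk, `session.run("uv", "pip", "list")` calls a program that may live outside the session's environment; if nox reports it as an external command, passing `external=True` would make the intent explicit. Dropping `venv_backend="uv|venv"` from `local` also changes its fallback from venv to virtualenv, which looks intended but is not stated. `tests` and `local` both continue outside their hunks.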
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 19 Oct 2024 11:13:48 -0400 Subject: [PATCH 1254/1462] Bump cc from 1.1.30 to 1.1.31 in /src/rust (#11803) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.30 to 1.1.31. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.30...cc-v1.1.31) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 3383b9603a9b..4680219fb4b9 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.30" +version = "1.1.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b16803a61b81d9eabb7eae2588776c4c1e584b738ede45fdbb4c972cec1e9945" +checksum = "c2e7962b54006dcfcc61cb72735f4d89bb97061dd6a7ed882ec6b8ee53714c6f" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 552a1a80eb18..451ff963bb58 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,7 +11,7 @@ pyo3 = { version = "0.22.5", features = ["abi3"] } openssl-sys = "0.9.104" [build-dependencies] -cc = "1.1.30" +cc = "1.1.31" [lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(python_implementation, values("CPython", "PyPy"))'] } From befa0365edca75113a4b43a9df7bc5fe183f1020 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 19 Oct 2024 15:15:39 +0000 Subject: [PATCH 1255/1462] Bump markupsafe from 3.0.1 to 3.0.2 (#11804) Bumps [markupsafe](https://github.com/pallets/markupsafe) from 3.0.1 to 3.0.2. - [Release notes](https://github.com/pallets/markupsafe/releases) - [Changelog](https://github.com/pallets/markupsafe/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/markupsafe/compare/3.0.1...3.0.2) --- updated-dependencies: - dependency-name: markupsafe dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 01807e4876fe..d4841a487c11 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -102,7 +102,7 @@ jinja2==3.1.4 # via sphinx markupsafe==2.1.5 ; python_full_version < '3.9' # via jinja2 -markupsafe==3.0.1 ; python_full_version >= '3.9' +markupsafe==3.0.2 ; python_full_version >= '3.9' # via jinja2 mypy==1.4.1 ; python_full_version < '3.8' # via cryptography (pyproject.toml) From 14d80822c9f8a38aa9945c0afdf4d92a548bd8e6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 06:51:13 -0400 Subject: [PATCH 1256/1462] Bump mypy from 1.12.0 to 1.12.1 (#11806) Bumps [mypy](https://github.com/python/mypy) from 1.12.0 to 1.12.1. - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.12.0...v1.12.1) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d4841a487c11..d4774c79ab0c 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -106,7 +106,7 @@ markupsafe==3.0.2 ; python_full_version >= '3.9' # via jinja2 mypy==1.4.1 ; python_full_version < '3.8' # via cryptography (pyproject.toml) -mypy==1.12.0 ; python_full_version >= '3.8' +mypy==1.12.1 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy From 324d9bb29a925d7e27094f4dfd62891ed56ffffd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 06:52:37 -0400 Subject: [PATCH 1257/1462] Bump coverage from 7.6.1 to 7.6.4 (#11807) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.6.1 to 7.6.4. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.6.1...7.6.4) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d4774c79ab0c..76ac497bd09f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -45,7 +45,7 @@ coverage==7.2.7 ; python_full_version < '3.8' # via pytest-cov coverage==7.6.1 ; python_full_version == '3.8.*' # via pytest-cov -coverage==7.6.3 ; python_full_version >= '3.9' +coverage==7.6.4 ; python_full_version >= '3.9' # via pytest-cov distlib==0.3.9 # via virtualenv From 2fad0bad61a85a6b3574e313e0cb99836d201391 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 06:53:20 -0400 Subject: [PATCH 1258/1462] Bump syn from 2.0.79 to 2.0.82 in /src/rust (#11809) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.79 to 2.0.82. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.79...2.0.82) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 4680219fb4b9..454f70a6418a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -334,9 +334,9 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "syn" -version = "2.0.79" +version = "2.0.82" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "89132cd0bf050864e1d38dc3bbc07a0eb8e7530af26344d3d2bbbef83499f590" +checksum = "83540f837a8afc019423a8edb95b52a8effe46957ee402287f4292fae35be021" dependencies = [ "proc-macro2", "quote", From a4003a2626de4429679d7f4c16ad52f6802e6737 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 10:57:42 +0000 Subject: [PATCH 1259/1462] Bump uv from 0.4.24 to 0.4.25 in /.github/requirements (#11808) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.24 to 0.4.25. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.24...0.4.25) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index df206ab8985e..95216e700f9a 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.24 \ - --hash=sha256:29c514752873c1be259afd82b975e528ec6783564a306fd24deee0cccb2dc566 \ - --hash=sha256:2a3ea6780e3451c81ce1635656abcd8a47e43f1b0f02542c433b4b6dd459df8e \ - --hash=sha256:4d8e5f66a8756d4908121cb59189e6f9992fdbd0f9c26a5a30a069b94f8acab3 \ - --hash=sha256:5e3ce0350e74b3dba6854789dd253faeab2fdf8e84f2671b68573070bb40ff17 \ - --hash=sha256:70a76cb5b8a459d6f6931becf2b5689599382c2512341d566ce335b8304c44e8 \ - --hash=sha256:7d076875e9fa4d8cda44d3e51c9b47efc578db830535c62f25884772bfa265bc \ - --hash=sha256:7ef6914a7294ac7df5bd15b21652cbe61d1c12a0f29a94d178dce6192f858092 \ - --hash=sha256:a03bc4b2ca2236eece97fffb8b5605b7a2248cd8a4b9a9c67955ad08756a1ceb \ - --hash=sha256:a97c347af12deb687c09fed82dc829efd6e5fbc4d76a38e98b2eaa2b065e4cfe \ - --hash=sha256:b459913d8ba6edba2c4b299e87fccfbd7fca4b2e2abe5fd4fa0da56147e19fc8 \ - --hash=sha256:b8d467d4c4746127b2121d6f67686957a2b5431935d26767aa02fa4516694293 \ - --hash=sha256:bbc24b232c5e874741d863c5bec2257533db86f91381f1a101872028a0502ec9 \ - --hash=sha256:beaff8fdaad3bcd781a8d28b60843b8d1cd2a04229847dc314c1bb7e0bb39ca2 \ - --hash=sha256:c03a411f1b86ce7de25d6271d90358ba2d33e87b4922dc5378c4c07674909363 \ - --hash=sha256:c40f75df1f2c45a7f67fcc69d80231760f6a017b7c8e889a16e21348651a34d7 \ - --hash=sha256:d274f7ddc013697fb52962632bc7e77889a6ec87d2cd12316d218686cfece3d4 \ - --hash=sha256:ec0570f5e2e4dbfd83a89e9a55d5f033050d749f684bd0e7d4c327fd49f89b12 \ - --hash=sha256:f71a00f10cfa15b4f4f0184a67da19f35c48683bba9bb49cebe9c206f1b2bc1f +uv==0.4.25 \ + --hash=sha256:18100f0f36419a154306ed6211e3490bf18384cdf3f1a0950848bf64b62fa251 \ + --hash=sha256:2d29a78f011ecc2f31c13605acb6574c2894c06d258b0f8d0dbb899986800450 \ + --hash=sha256:2fc35b5273f1e018aecd66b70e0fd7d2eb6698853dde3e2fc644e7ebf9f825b1 \ + --hash=sha256:3d7680795ea78cdbabbcce73d039b2651cf1fa635ddc1aa3082660f6d6255c50 \ + 
--hash=sha256:4c55040e67470f2b73e95e432aba06f103a0b348ea0b9c6689b1029c8d9e89fd \ + --hash=sha256:50c7d0d9e7f392f81b13bf3b7e37768d1486f2fc9d533a54982aa0ed11e4db23 \ + --hash=sha256:578ae385fad6bd6f3868828e33d54994c716b315b1bc49106ec1f54c640837e4 \ + --hash=sha256:6e981b1465e30102e41946adede9cb08051a5d70c6daf09f91a7ea84f0b75c08 \ + --hash=sha256:7d266e02fefef930609328c31c075084295c3cb472bab3f69549fad4fd9d82b3 \ + --hash=sha256:94fb2b454afa6bdfeeea4b4581c878944ca9cf3a13712e6762f245f5fbaaf952 \ + --hash=sha256:a7022a71ff63a3838796f40e954b76bf7820fc27e96fe002c537e75ff8e34f1d \ + --hash=sha256:a7c3a18c20ddb527d296d1222bddf42b78031c50b5b4609d426569b5fb61f5b0 \ + --hash=sha256:aae9dcafd20d5ba978c8a4939ab942e8e2e155c109e9945207fbbd81d2892c9e \ + --hash=sha256:bdbfd0c476b9e80a3f89af96aed6dd7d2782646311317a9c72614ccce99bb2ad \ + --hash=sha256:be2a4fc4fcade9ea5e67e51738c95644360d6e59b6394b74fc579fb617f902f7 \ + --hash=sha256:d39077cdfe3246885fcdf32e7066ae731a166101d063629f9cea08738f79e6a3 \ + --hash=sha256:e02afb0f6d4b58718347f7d7cfa5a801e985ce42181ba971ed85ef149f6658ca \ + --hash=sha256:ec181be2bda10651a3558156409ac481549983e0276d0e3645e3b1464e7f8715 From 8f3aac1d86f97fb8f84c292453220c35d2463d84 Mon Sep 17 00:00:00 2001 From: mdulaney Date: Mon, 21 Oct 2024 10:02:51 -0400 Subject: [PATCH 1260/1462] Expose session serialization primitives (#11811) --- src/_cffi_src/openssl/ssl.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index c78d681dca8d..099ec4db13a6 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -297,6 +297,9 @@ SSL_SESSION *SSL_get_session(const SSL *); +SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **, const unsigned char **, long); +int i2d_SSL_SESSION(SSL_SESSION *, unsigned char **); + uint64_t SSL_set_options(SSL *, uint64_t); uint64_t SSL_get_options(SSL *); From 5e828628a2495b868a8bebbe357f2e257f57acbd Mon Sep 17 00:00:00 2001 
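Review bot: The two declarations added to ssl.py, `d2i_SSL_SESSION` and `i2d_SSL_SESSION`, come with no comment, yet the encoded form they produce and consume carries the session's secret key material. A C comment in the declaration block such as `/* Encoded sessions contain session secrets; treat the bytes as sensitive and decode only data from a trusted store. */` would tell users of the binding what they are handling. The hunk shows no `Cryptography_HAS_*` guard, so it presumably relies on every supported OpenSSL, LibreSSL and BoringSSL build exporting both symbols; that is worth confirming against the CI matrix. The surrounding declaration string starts and ends outside the hunk.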
From: Alex Gaynor Date: Mon, 21 Oct 2024 17:49:13 -0400 Subject: [PATCH 1261/1462] Install uv in CI when available (#11805) --- .github/workflows/ci.yml | 8 ++++---- ci-constraints-requirements.txt | 2 ++ noxfile.py | 2 +- pyproject.toml | 2 +- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dc82a7f23d2a..a6cbde6b3802 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -131,7 +131,7 @@ jobs: # pypy3-3.8 and pypy3-3.9 -- both of them show up as 7.3.11. key: ${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-${{ matrix.PYTHON.NOXSESSION }}-${{ env.OPENSSL_HASH }} - - run: python -m pip install -c ci-constraints-requirements.txt 'nox' 'tomli; python_version < "3.11"' + - run: python -m pip install -c ci-constraints-requirements.txt 'nox' 'nox[uv]; python_version >= "3.8"' 'tomli; python_version < "3.11"' - name: Create nox environment run: | nox -v --install-only @@ -205,7 +205,7 @@ jobs: - run: | echo "OPENSSL_FORCE_FIPS_MODE=1" >> $GITHUB_ENV if: matrix.IMAGE.FIPS - - run: /venv/bin/python -m pip install -c ci-constraints-requirements.txt 'nox' 'tomli; python_version < "3.11"' + - run: /venv/bin/python -m pip install -c ci-constraints-requirements.txt 'nox' 'nox[uv]; python_version >= "3.8"' 'tomli; python_version < "3.11"' - run: '/venv/bin/nox -v --install-only' env: CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} @@ -256,7 +256,7 @@ jobs: timeout-minutes: 3 - run: rustup component add llvm-tools-preview - - run: python -m pip install -c ci-constraints-requirements.txt 'nox' 'tomli; python_version < "3.11"' + - run: python -m pip install -c ci-constraints-requirements.txt 'nox' 'nox[uv]; python_version >= "3.8"' 'tomli; python_version < "3.11"' - name: Clone test vectors timeout-minutes: 2 
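Review bot: The four `pip install` lines changed in ci.yml (three in these hunks, one at `@@ -321,7 +321,7 @@`) now pull uv in through `nox[uv]`, and the constraint this commit adds for it is `uv==0.4.24` with no hashes, while `.github/requirements/uv-requirements.txt` was bumped to uv 0.4.25 with `--hash` entries two commits earlier. CI can therefore end up with two different uv builds, only one of them hash-checked. Whether both files are installed in the same job is not visible here; if they are, I would keep a single pin, or add a comment above the install step such as `# uv comes from ci-constraints-requirements.txt, not uv-requirements.txt`.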
@@ -321,7 +321,7 @@ jobs: timeout-minutes: 2 with: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'" + - run: python -m pip install -c ci-constraints-requirements.txt "nox" "nox[uv]; python_version >= '3.8'" "tomli; python_version < '3.11'" - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 with: diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 76ac497bd09f..b328283889f3 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -286,6 +286,8 @@ urllib3==2.0.7 ; python_full_version < '3.8' # via requests urllib3==2.2.3 ; python_full_version >= '3.8' # via requests +uv==0.4.24 ; python_full_version >= '3.8' + # via nox virtualenv==20.26.6 ; python_full_version < '3.8' # via nox virtualenv==20.27.0 ; python_full_version >= '3.8' diff --git a/noxfile.py b/noxfile.py index 127ca18071ce..912e79b6b6bb 100644 --- a/noxfile.py +++ b/noxfile.py @@ -107,7 +107,7 @@ def tests(session: nox.Session) -> None: if session.name != "tests-nocoverage": [rust_so] = glob.glob( - f"{session.virtualenv.location}/**/cryptography/hazmat/bindings/_rust.*", + f"{session.virtualenv.location}/lib/**/cryptography/hazmat/bindings/_rust.*", recursive=True, ) process_rust_coverage(session, [rust_so], prof_location) diff --git a/pyproject.toml b/pyproject.toml index e58219cc9f79..28eb931e507f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -63,7 +63,7 @@ changelog = "https://cryptography.io/en/latest/changelog/" ssh = ["bcrypt >=3.1.5"] # All the following are used for our own testing. -nox = ["nox"] +nox = ["nox", "nox[uv] >=2024.03.02; python_version >= '3.8'"] test = [ "cryptography_vectors", "pytest >=6.2.0", From 24b88d81fc6a54c0ebf075a85de9eb8098ad1c09 Mon Sep 17 00:00:00 2001 
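Review bot: The glob in `tests` is narrowed to `{session.virtualenv.location}/lib/**/...` with no comment saying why, and the result is still unpacked with `[rust_so] = ...`. An environment whose layout yields zero or several matches therefore fails with a bare unpacking `ValueError` that does not name the pattern. A one-line comment such as `# search lib/ only so the extension module is matched exactly once` would record the intent; that reason is inferred from the single-element unpacking, so please confirm it. It is also worth confirming that the Windows jobs, where the virtualenv directory is conventionally `Lib`, still match. `tests` starts and ends outside the hunk.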
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 22 Oct 2024 00:17:42 +0000 Subject: [PATCH 1262/1462] Bump BoringSSL and/or OpenSSL in CI (#11812) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a6cbde6b3802..01ac7439e3bf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 17, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ee3f9468584b6607f944b885ad50db35a70daf8d"}} - # Latest commit on the OpenSSL master branch, as of Oct 18, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f4c467452694e1211395d17c2c027d99c35ee1e1"}} + # Latest commit on the BoringSSL master branch, as of Oct 22, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fb5b271624ec0344d4ec800b4f89dc84cada741a"}} + # Latest commit on the OpenSSL master branch, as of Oct 22, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1f0cb850473048eef5dc597d8cd42dd7c3cf5a5f"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 98ca2778dd91587ca96af3818d712249f0524724 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 17:52:14 -0700 Subject: [PATCH 1263/1462] Bump x509-limbo and/or wycheproof in CI (#11813) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 5753b5f79bc3..0289ac4487bc 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Oct 08, 2024. - ref: "0478ea6ce08c0202c436cd0698be8a7a66cf653c" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Oct 22, 2024. + ref: "f98aa03f45d108ae4e1bc5a61ec4bd0b8d137559" # x509-limbo-ref From fb49788eb9e2f3c1f476761d306ee0aac6d2d577 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 22 Oct 2024 07:39:52 -0400 Subject: [PATCH 1264/1462] Bump uv from 0.4.24 to 0.4.25 (#11815) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.24 to 0.4.25. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.24...0.4.25) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b328283889f3..e57c7a2b1882 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -286,7 +286,7 @@ urllib3==2.0.7 ; python_full_version < '3.8' # via requests urllib3==2.2.3 ; python_full_version >= '3.8' # via requests -uv==0.4.24 ; python_full_version >= '3.8' +uv==0.4.25 ; python_full_version >= '3.8' # via nox virtualenv==20.26.6 ; python_full_version < '3.8' # via nox From acdece71ec03a3ac5bfe8fa14e54398f6e1690ea Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 22 Oct 2024 11:08:06 -0400 Subject: [PATCH 1265/1462] Test against OpenSSL 3.4.0 (#11817) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 01ac7439e3bf..59fd3a3f583c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -41,7 +41,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.3", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.7"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.3"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.4.0-beta1"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.4.0"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} From 2378e53f26102dffee85a89524ca83b37eb801c8 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 23 Oct 2024 00:23:10 +0000 Subject: [PATCH 1266/1462] Bump BoringSSL and/or OpenSSL in CI (#11819) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 59fd3a3f583c..f8ddee824760 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 22, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fb5b271624ec0344d4ec800b4f89dc84cada741a"}} - # Latest commit on the OpenSSL master branch, as of Oct 22, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1f0cb850473048eef5dc597d8cd42dd7c3cf5a5f"}} + # Latest commit on the BoringSSL master branch, as of Oct 23, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ce572d6e9bde836016b200169abf81e71b2a55bf"}} + # Latest commit on the OpenSSL master branch, as of Oct 23, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "36254fda37fe169e136079404a3c32aeea35cbd4"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 0dae3ca936f64ef15b3758adf9b6e1257da041db Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 23 Oct 2024 06:58:27 -0400 Subject: [PATCH 1267/1462] Bump mypy from 1.12.1 to 1.13.0 (#11823) Bumps [mypy](https://github.com/python/mypy) from 1.12.1 to 1.13.0. - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.12.1...v1.13.0) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e57c7a2b1882..09fbe069ea3f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -106,7 +106,7 @@ markupsafe==3.0.2 ; python_full_version >= '3.9' # via jinja2 mypy==1.4.1 ; python_full_version < '3.8' # via cryptography (pyproject.toml) -mypy==1.12.1 ; python_full_version >= '3.8' +mypy==1.13.0 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy From f31c38ce8860151ab7404e733f2c77df54bbae33 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 23 Oct 2024 06:58:42 -0400 Subject: [PATCH 1268/1462] Bump actions/cache from 4.1.1 to 4.1.2 (#11822) Bumps [actions/cache](https://github.com/actions/cache) from 4.1.1 to 4.1.2. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/3624ceb22c1c5a301c8db4169662070a689d9ea8...6849a6489940f00c2f30c0fb92c6274307ccb58a) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f8ddee824760..b4f70b41e9b3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -98,7 +98,7 @@ jobs: CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }} if: matrix.PYTHON.OPENSSL - name: Load OpenSSL cache - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1 + uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 id: ossl-cache timeout-minutes: 2 with: From 20c612e5f376a3db59cb5aee63af96b3418e54cf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 23 Oct 2024 06:59:01 -0400 Subject: [PATCH 1269/1462] Bump proc-macro2 from 1.0.88 to 1.0.89 in /src/rust (#11821) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.88 to 1.0.89. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.88...1.0.89) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 454f70a6418a..c07829dfd964 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -241,9 +241,9 @@ checksum = "cc9c68a3f6da06753e9335d63e27f6b9754dd1920d941135b7ea8224f141adb2" [[package]] name = "proc-macro2" -version = "1.0.88" +version = "1.0.89" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7c3a7fc5db1e57d5a779a352c8cdb57b29aa4c40cc69c3a68a7fedc815fbf2f9" +checksum = "f139b0662de085916d1fb67d2b4169d1addddda1919e696f3252b740b629986e" dependencies = [ "unicode-ident", ] From 2dd3d0a90bebe9874f7dc3ab14d4abe934e8c129 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 24 Oct 2024 00:17:45 +0000 Subject: [PATCH 1270/1462] Bump BoringSSL and/or OpenSSL in CI (#11824) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b4f70b41e9b3..d76b8e19ce0d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 23, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ce572d6e9bde836016b200169abf81e71b2a55bf"}} - # Latest commit on the OpenSSL master branch, as of Oct 23, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "36254fda37fe169e136079404a3c32aeea35cbd4"}} + # Latest commit on the BoringSSL master branch, as of Oct 24, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "69be68ca92936dd8ddb9e7bf1a491bb89f2f1a8f"}} + # Latest commit on the OpenSSL master branch, as of Oct 24, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3d3bb26a13dcc67f99e66de6a44ae9ced117f64b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 7fa390cfe221cf42cfd494986fabdae0bd5c470c Mon Sep 17 00:00:00 2001 
From: Robby Cornelissen Date: Thu, 24 Oct 2024 13:36:14 +0900 Subject: [PATCH 1271/1462] Support 128-bit OID arcs (#11820) * Support 128-bit OID arcs * Update Cargo.lock to reflect updated rust-asn1 dependency --- src/rust/Cargo.lock | 8 ++++---- src/rust/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-x509-verification/Cargo.toml | 2 +- src/rust/cryptography-x509/Cargo.toml | 2 +- tests/x509/test_x509.py | 3 ++- 6 files changed, 10 insertions(+), 9 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index c07829dfd964..b83116c96745 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -4,18 +4,18 @@ version = 3 [[package]] name = "asn1" -version = "0.17.0" +version = "0.18.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "147a10032de7d9e6f21c3f1cb1c9c0f94cf30ef67f38310588fe6cfa53e0d3f0" +checksum = "3522623dbb7db59b34439c022ab0445a0257a62ad20d499da3a3507394708559" dependencies = [ "asn1_derive", ] [[package]] name = "asn1_derive" -version = "0.17.0" +version = "0.18.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3df30ecdcaf8338675a1413460a1b11df89789e1fcc6a10dc52f6e38b6982aa2" +checksum = "da79157fc864ed738b596d622929466c68ed48371f17a5f05e329880420a160d" dependencies = [ "proc-macro2", "quote", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 87f7fb351d54..f990fb84f513 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -18,7 +18,7 @@ rust-version.workspace = true once_cell = "1" cfg-if = "1" pyo3 = { version = "0.22.5", features = ["abi3"] } -asn1 = { version = "0.17.0", default-features = false } +asn1 = { version = "0.18.0", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } cryptography-key-parsing = { path = "cryptography-key-parsing" } 
diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index 7e7624d8ac5b..466ac72ce398 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -7,7 +7,7 @@ publish.workspace = true rust-version.workspace = true [dependencies] -asn1 = { version = "0.17.0", default-features = false } +asn1 = { version = "0.18.0", default-features = false } cfg-if = "1" openssl = "0.10.68" openssl-sys = "0.9.104" diff --git a/src/rust/cryptography-x509-verification/Cargo.toml b/src/rust/cryptography-x509-verification/Cargo.toml index 4e1f713f2d7a..c5380a2e125d 100644 --- a/src/rust/cryptography-x509-verification/Cargo.toml +++ b/src/rust/cryptography-x509-verification/Cargo.toml @@ -7,7 +7,7 @@ publish.workspace = true rust-version.workspace = true [dependencies] -asn1 = { version = "0.17.0", default-features = false } +asn1 = { version = "0.18.0", default-features = false } cryptography-x509 = { path = "../cryptography-x509" } cryptography-key-parsing = { path = "../cryptography-key-parsing" } once_cell = "1" diff --git a/src/rust/cryptography-x509/Cargo.toml b/src/rust/cryptography-x509/Cargo.toml index e6dc7b741b97..8ed2c5677ed8 100644 --- a/src/rust/cryptography-x509/Cargo.toml +++ b/src/rust/cryptography-x509/Cargo.toml @@ -8,4 +8,4 @@ publish = false rust-version = "1.65.0" [dependencies] -asn1 = { version = "0.17.0", default-features = false } +asn1 = { version = "0.18.0", default-features = false } diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index b96c4dbfdc7a..de6c9110822d 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py 
@@ -6056,10 +6056,11 @@ def test_valid(self): x509.ObjectIdentifier("1.39.999") x509.ObjectIdentifier("2.5.29.3") x509.ObjectIdentifier("2.999.37.5.22.8") + x509.ObjectIdentifier(f"2.25.{2**128 - 1}") def test_oid_arc_too_large(self): with pytest.raises(ValueError): - x509.ObjectIdentifier(f"2.25.{2**128 - 1}") + x509.ObjectIdentifier(f"2.25.{2**128}") class TestName: From 11046960dbe6744146be45bdc4965b7747414830 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 24 Oct 2024 07:05:56 -0400 Subject: [PATCH 1272/1462] Bump syn from 2.0.82 to 2.0.85 in /src/rust (#11829) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.82 to 2.0.85. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.82...2.0.85) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b83116c96745..af5888adcd94 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -334,9 +334,9 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "syn" -version = "2.0.82" +version = "2.0.85" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "83540f837a8afc019423a8edb95b52a8effe46957ee402287f4292fae35be021" +checksum = "5023162dfcd14ef8f32034d8bcd4cc5ddc61ef7a247c024a33e24e1f24d21b56" dependencies = [ "proc-macro2", "quote", From fb33e0066127cf9cdf8276d11d6fdda26a227356 Mon Sep 17 00:00:00 2001 
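Review bot: The new positive case in `test_valid` only checks that `x509.ObjectIdentifier(f"2.25.{2**128 - 1}")` constructs, so an arc that was silently truncated or wrapped at the new boundary would still pass. Asserting the round trip pins the value: `assert x509.ObjectIdentifier(f"2.25.{2**128 - 1}").dotted_string == f"2.25.{2**128 - 1}"`. Since the limit moves with the `asn1` 0.18.0 bump, a DER encode/decode of a name or extension carrying this OID would also cover the parser path rather than only the constructor. How much of the constructor already goes through Rust is not visible in this hunk.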
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 24 Oct 2024 07:06:13 -0400 Subject: [PATCH 1273/1462] Bump uv from 0.4.25 to 0.4.26 in /.github/requirements (#11828) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.25 to 0.4.26. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.25...0.4.26) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 95216e700f9a..1e27f20b8654 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.25 \ - --hash=sha256:18100f0f36419a154306ed6211e3490bf18384cdf3f1a0950848bf64b62fa251 \ - --hash=sha256:2d29a78f011ecc2f31c13605acb6574c2894c06d258b0f8d0dbb899986800450 \ - --hash=sha256:2fc35b5273f1e018aecd66b70e0fd7d2eb6698853dde3e2fc644e7ebf9f825b1 \ - --hash=sha256:3d7680795ea78cdbabbcce73d039b2651cf1fa635ddc1aa3082660f6d6255c50 \ - --hash=sha256:4c55040e67470f2b73e95e432aba06f103a0b348ea0b9c6689b1029c8d9e89fd \ - --hash=sha256:50c7d0d9e7f392f81b13bf3b7e37768d1486f2fc9d533a54982aa0ed11e4db23 \ - --hash=sha256:578ae385fad6bd6f3868828e33d54994c716b315b1bc49106ec1f54c640837e4 \ - --hash=sha256:6e981b1465e30102e41946adede9cb08051a5d70c6daf09f91a7ea84f0b75c08 \ - --hash=sha256:7d266e02fefef930609328c31c075084295c3cb472bab3f69549fad4fd9d82b3 \ - --hash=sha256:94fb2b454afa6bdfeeea4b4581c878944ca9cf3a13712e6762f245f5fbaaf952 \ - --hash=sha256:a7022a71ff63a3838796f40e954b76bf7820fc27e96fe002c537e75ff8e34f1d \ - --hash=sha256:a7c3a18c20ddb527d296d1222bddf42b78031c50b5b4609d426569b5fb61f5b0 \ - --hash=sha256:aae9dcafd20d5ba978c8a4939ab942e8e2e155c109e9945207fbbd81d2892c9e \ - --hash=sha256:bdbfd0c476b9e80a3f89af96aed6dd7d2782646311317a9c72614ccce99bb2ad \ - --hash=sha256:be2a4fc4fcade9ea5e67e51738c95644360d6e59b6394b74fc579fb617f902f7 \ - --hash=sha256:d39077cdfe3246885fcdf32e7066ae731a166101d063629f9cea08738f79e6a3 \ - --hash=sha256:e02afb0f6d4b58718347f7d7cfa5a801e985ce42181ba971ed85ef149f6658ca \ - --hash=sha256:ec181be2bda10651a3558156409ac481549983e0276d0e3645e3b1464e7f8715 +uv==0.4.26 \ + --hash=sha256:1214caacc6b9f9c72749634c7a82a5d93123a44b70a1fa6a9d13993c126ca33e \ + --hash=sha256:23cee82020b9e973a5feba81c2cf359a5a09020216d98534926f45ee7b74521d \ + --hash=sha256:2ddb60d508b668b8da055651b30ff56c1efb79d57b064c218a7622b5c74b2af8 \ + --hash=sha256:391a6f5e31b212cb72a8f460493bbdf4088e66049666ad064ac8530230031289 \ + 
--hash=sha256:41f9876c22ad5b4518bffe9e50ec7169e242b64f139cdcaf42a76f70a9bd5c78 \ + --hash=sha256:468f806e841229c0bd6e1cffaaffc064720704623890cee15b42b877cef748c5 \ + --hash=sha256:6091075420eda571b0377d351c393b096514cb036a3199e033e003edaa0ff880 \ + --hash=sha256:6f66f11e088d231b7e305f089dc949b0e6b1d65e0a877b50ba5c3ae26e151144 \ + --hash=sha256:70a108399d6c9e3d1f4a0f105d6d016f97f292dbb6c724e1ed2e6dc9f6872c79 \ + --hash=sha256:9560c2eb234ea92276bbc647854d4a9e75556981c1193c3cc59f6613f7d177f2 \ + --hash=sha256:9a63a6fe6f249a9fff72328204c3e6b457aae5914590e6881b9b39dcc72d24df \ + --hash=sha256:a41bdd09b9a3ddc8f459c73e924485e1caae43e43305cedb65f5feac05cf184a \ + --hash=sha256:acaa25b304db6f1e8064d3280532ecb80a58346e37f4199659269847848c4da0 \ + --hash=sha256:c4c69532cb4d0c1e160883142b8bf0133a5a67e9aed5148e13743ae55c2dfc03 \ + --hash=sha256:d1ca5183afab454f28573a286811019b3552625af2cd1cd3996049d3bbfdb1ca \ + --hash=sha256:e086ebe200e9718e9622af405d45caad9d84b60824306fcb220335fe6fc90966 \ + --hash=sha256:e826b544020ef407387ed734a89850cac011ee4b5daf94b4f616b71eff2c8a94 \ + --hash=sha256:e9f45d8765a037a13ddedebb9e36fdcf06b7957654cfa8055d84f19eba12957e From c2e1565e03ea4776ae9786cef4300f6f43553fbb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 24 Oct 2024 07:06:26 -0400 Subject: [PATCH 1274/1462] Bump uv from 0.4.25 to 0.4.26 (#11827) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.25 to 0.4.26. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.25...0.4.26) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 09fbe069ea3f..128447a97980 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -286,7 +286,7 @@ urllib3==2.0.7 ; python_full_version < '3.8' # via requests urllib3==2.2.3 ; python_full_version >= '3.8' # via requests -uv==0.4.25 ; python_full_version >= '3.8' +uv==0.4.26 ; python_full_version >= '3.8' # via nox virtualenv==20.26.6 ; python_full_version < '3.8' # via nox From 6182bce0e3f20440be079ef1eb45d33a45510bd3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 24 Oct 2024 07:06:53 -0400 Subject: [PATCH 1275/1462] Bump actions/checkout in /.github/actions/fetch-vectors (#11826) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.1 to 4.2.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871...11bd71901bbe5b1630ceea73d27597364c9af683) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 0289ac4487bc..a535b6fa1bf6 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -5,14 +5,14 @@ runs: using: "composite" steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: "C2SP/wycheproof" path: "wycheproof" # Latest commit on the wycheproof master branch, as of Apr 09, 2024. ref: "cd27d6419bedd83cbd24611ec54b6d4bfdb0cdca" # wycheproof-ref - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: "C2SP/x509-limbo" path: "x509-limbo" From f6d90746744103c5101f424eec9b9b1007b8e376 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 24 Oct 2024 07:24:58 -0400 Subject: [PATCH 1276/1462] Bump actions/checkout from 4.2.1 to 4.2.2 (#11825) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.1 to 4.2.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871...11bd71901bbe5b1630ceea73d27597364c9af683) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 4 ++-- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/ci.yml | 12 ++++++------ .github/workflows/linkcheck.yml | 2 +- .github/workflows/wheel-builder.yml | 8 ++++---- .github/workflows/x509-limbo-version-bump.yml | 2 +- 6 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 9d308ff37a3c..98fdd9e01ca4 100644 --- a/.github/workflows/benchmark.yml 
+++ b/.github/workflows/benchmark.yml @@ -26,12 +26,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 timeout-minutes: 3 with: persist-credentials: false path: "cryptography-pr" - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 timeout-minutes: 3 with: persist-credentials: false diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 6032b8d325b9..2a5fac7d494d 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # Needed so we can push back to the repo persist-credentials: true diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d76b8e19ce0d..38548cc9cb15 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -60,7 +60,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-rust-debug"} timeout-minutes: 15 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 timeout-minutes: 3 with: persist-credentials: false @@ -186,7 +186,7 @@ jobs: sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release if: matrix.IMAGE.IMAGE == 'alpine:aarch64' - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 timeout-minutes: 3 with: persist-credentials: false 
@@ -237,7 +237,7 @@ jobs: RUNNER: {OS: 'macos-14', ARCH: 'arm64'} timeout-minutes: 15 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 timeout-minutes: 3 with: persist-credentials: false @@ -302,7 +302,7 @@ jobs: - {VERSION: "3.13", NOXSESSION: "tests"} timeout-minutes: 15 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 timeout-minutes: 3 with: persist-credentials: false @@ -376,7 +376,7 @@ jobs: name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 timeout-minutes: 3 with: persist-credentials: false @@ -420,7 +420,7 @@ jobs: if: ${{ always() }} timeout-minutes: 3 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 timeout-minutes: 3 with: persist-credentials: false diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index dc530ab64f61..4099355a21ca 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -20,7 +20,7 @@ jobs: name: "linkcheck" timeout-minutes: 10 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Setup python diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index e09ea516d131..4f0f1ac0c22d 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml 
@@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest name: sdists steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -103,7 +103,7 @@ jobs: if: startsWith(matrix.MANYLINUX.NAME, 'musllinux') && endsWith(matrix.MANYLINUX.NAME, 'aarch64') - name: Get build-requirements.txt from repository - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -188,7 +188,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -279,7 +279,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 7d6a9e59c886..94c7ec8926f7 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml 
@@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # Needed so we can push back to the repo persist-credentials: true From 4acdfbd3e8f01ecf631d26c4fcd18b7a9f70d3b9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 24 Oct 2024 19:18:20 -0400 Subject: [PATCH 1277/1462] Move the scrypt scaffholding code to Rust (#11818) --- .../hazmat/backends/openssl/backend.py | 2 +- .../hazmat/bindings/_rust/openssl/kdf.pyi | 24 ++- .../hazmat/primitives/kdf/scrypt.py | 67 +------- src/rust/src/backend/kdf.rs | 161 +++++++++++++++--- src/rust/src/exceptions.rs | 1 + 5 files changed, 157 insertions(+), 98 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index d31b039add0e..9a3dc2108701 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -120,7 +120,7 @@ def scrypt_supported(self) -> bool: if self._fips_enabled: return False else: - return hasattr(rust_openssl.kdf, "derive_scrypt") + return hasattr(rust_openssl.kdf.Scrypt, "derive") def hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool: # FIPS mode still allows SHA1 for HMAC diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/kdf.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/kdf.pyi index 034a8fed2e78..01f7d606e8cc 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/kdf.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/kdf.pyi @@ -2,6 +2,8 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. +import typing + from cryptography.hazmat.primitives.hashes import HashAlgorithm def derive_pbkdf2_hmac( 
@@ -11,12 +13,16 @@ def derive_pbkdf2_hmac( iterations: int, length: int, ) -> bytes: ... -def derive_scrypt( - key_material: bytes, - salt: bytes, - n: int, - r: int, - p: int, - max_mem: int, - length: int, -) -> bytes: ... + +class Scrypt: + def __init__( + self, + salt: bytes, + length: int, + n: int, + r: int, + p: int, + backend: typing.Any = None, + ) -> None: ... + def derive(self, key_material: bytes) -> bytes: ... + def verify(self, key_material: bytes, expected_key: bytes) -> None: ... diff --git a/src/cryptography/hazmat/primitives/kdf/scrypt.py b/src/cryptography/hazmat/primitives/kdf/scrypt.py index 05a4f675b6ab..43a7704d48e3 100644 --- a/src/cryptography/hazmat/primitives/kdf/scrypt.py +++ b/src/cryptography/hazmat/primitives/kdf/scrypt.py 
@@ -5,76 +5,13 @@ from __future__ import annotations import sys -import typing -from cryptography import utils -from cryptography.exceptions import ( - AlreadyFinalized, - InvalidKey, - UnsupportedAlgorithm, -) from cryptography.hazmat.bindings._rust import openssl as rust_openssl -from cryptography.hazmat.primitives import constant_time from cryptography.hazmat.primitives.kdf import KeyDerivationFunction # This is used by the scrypt tests to skip tests that require more memory # than the MEM_LIMIT _MEM_LIMIT = sys.maxsize // 2 - -class Scrypt(KeyDerivationFunction): - def __init__( - self, - salt: bytes, - length: int, - n: int, - r: int, - p: int, - backend: typing.Any = None, - ): - from cryptography.hazmat.backends.openssl.backend import ( - backend as ossl, - ) - - if not ossl.scrypt_supported(): - raise UnsupportedAlgorithm( - "This version of OpenSSL does not support scrypt" - ) - self._length = length - utils._check_bytes("salt", salt) - if n < 2 or (n & (n - 1)) != 0: - raise ValueError("n must be greater than 1 and be a power of 2.") - - if r < 1: - raise ValueError("r must be greater than or equal to 1.") - - if p < 1: - raise ValueError("p must be greater than or equal to 1.") - - self._used = False - self._salt = salt - self._n = n - self._r = r - self._p = p - - def derive(self, key_material: bytes) -> bytes: - if self._used: - raise AlreadyFinalized("Scrypt instances can only be used once.") - self._used = True - - utils._check_byteslike("key_material", key_material) - - return rust_openssl.kdf.derive_scrypt( - key_material, - self._salt, - self._n, - self._r, - self._p, - _MEM_LIMIT, - self._length, - ) - - def verify(self, key_material: bytes, expected_key: bytes) -> None: - derived_key = self.derive(key_material) - if not constant_time.bytes_eq(derived_key, expected_key): - raise InvalidKey("Keys do not match.") +Scrypt = rust_openssl.kdf.Scrypt +KeyDerivationFunction.register(Scrypt) 
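Review bot: `_MEM_LIMIT` is kept as `sys.maxsize // 2` with a comment saying the tests use it, but after this change nothing in this module passes it to the derivation. The Rust `derive` in `kdf.rs` hard-codes `usize::MAX / 2` instead, which on a typical 64-bit build equals `sys.maxsize`, not half of it. The constant therefore no longer describes the cap that is actually enforced. Either make the two values agree or extend the comment, e.g. `# Not passed to the Rust Scrypt, which applies its own cap (usize::MAX / 2); kept for the tests only`.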
diff --git a/src/rust/src/backend/kdf.rs b/src/rust/src/backend/kdf.rs index 8c6a151a17d0..2292c08af5e2 100644 --- a/src/rust/src/backend/kdf.rs +++ b/src/rust/src/backend/kdf.rs @@ -2,9 +2,13 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +#[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] +use pyo3::types::PyBytesMethods; + use crate::backend::hashes; use crate::buf::CffiBuf; -use crate::error::CryptographyResult; +use crate::error::{CryptographyError, CryptographyResult}; +use crate::exceptions; #[pyo3::pyfunction] pub(crate) fn derive_pbkdf2_hmac<'p>( 
@@ -23,36 +27,147 @@ pub(crate) fn derive_pbkdf2_hmac<'p>( })?) } -#[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] -#[pyo3::pyfunction] -#[allow(clippy::too_many_arguments)] -fn derive_scrypt<'p>( - py: pyo3::Python<'p>, - key_material: CffiBuf<'_>, - salt: &[u8], +#[pyo3::pyclass(module = "cryptography.hazmat.primitives.kdf.scrypt")] +struct Scrypt { + #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] + salt: pyo3::Py, + #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] + length: usize, + #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] n: u64, + #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] r: u64, + #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] p: u64, - max_mem: u64, - length: usize, -) -> CryptographyResult> { - Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { - openssl::pkcs5::scrypt(key_material.as_bytes(), salt, n, r, p, max_mem, b).map_err(|_| { - // memory required formula explained here: - // https://blog.filippo.io/the-scrypt-parameters/ - let min_memory = 128 * n * r / (1024 * 1024); - pyo3::exceptions::PyMemoryError::new_err(format!( - "Not enough memory to derive key. These parameters require {min_memory}MB of memory." - )) - }) - })?) + + #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] + used: bool, +} + +#[pyo3::pymethods] +impl Scrypt { + #[new] + #[pyo3(signature = (salt, length, n, r, p, backend=None))] + fn new( + salt: pyo3::Py, + length: usize, + n: u64, + r: u64, + p: u64, + backend: Option>, + ) -> CryptographyResult { + _ = backend; + + cfg_if::cfg_if! 
{ + if #[cfg(CRYPTOGRAPHY_IS_LIBRESSL)] { + _ = salt; + _ = length; + _ = n; + _ = r; + _ = p; + + Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err( + "This version of OpenSSL does not support scrypt" + ), + )) + } else { + if cryptography_openssl::fips::is_enabled() { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err( + "This version of OpenSSL does not support scrypt" + ), + )); + } + + if n < 2 || (n & (n - 1)) != 0 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "n must be greater than 1 and be a power of 2." + ), + )); + } + if r < 1 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "r must be greater than or equal to 1." + ), + )); + } + if p < 1 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "p must be greater than or equal to 1." + ), + )); + } + + Ok(Scrypt{ + salt, + length, + n, + r, + p, + used: false, + }) + } + } + } + + #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] + fn derive<'p>( + &mut self, + py: pyo3::Python<'p>, + key_material: CffiBuf<'_>, + ) -> CryptographyResult> { + if self.used { + return Err(exceptions::already_finalized_error()); + } + self.used = true; + + Ok(pyo3::types::PyBytes::new_bound_with( + py, + self.length, + |b| { + openssl::pkcs5::scrypt(key_material.as_bytes(), self.salt.as_bytes(py), self.n, self.r, self.p, (usize::MAX / 2).try_into().unwrap(), b).map_err(|_| { + // memory required formula explained here: + // https://blog.filippo.io/the-scrypt-parameters/ + let min_memory = 128 * self.n * self.r / (1024 * 1024); + pyo3::exceptions::PyMemoryError::new_err(format!( + "Not enough memory to derive key. These parameters require {min_memory}MB of memory." + )) + }) + }, + )?) 
+ } + + #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] + fn verify( + &mut self, + py: pyo3::Python<'_>, + key_material: CffiBuf<'_>, + expected_key: CffiBuf<'_>, + ) -> CryptographyResult<()> { + let actual = self.derive(py, key_material)?; + let actual_bytes = actual.as_bytes(); + let expected_bytes = expected_key.as_bytes(); + + if actual_bytes.len() != expected_bytes.len() + || !openssl::memcmp::eq(actual_bytes, expected_bytes) + { + return Err(CryptographyError::from(exceptions::InvalidKey::new_err( + "Keys do not match.", + ))); + } + + Ok(()) + } } #[pyo3::pymodule] pub(crate) mod kdf { #[pymodule_export] use super::derive_pbkdf2_hmac; - #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] #[pymodule_export] - use super::derive_scrypt; + use super::Scrypt; } diff --git a/src/rust/src/exceptions.rs b/src/rust/src/exceptions.rs index 5e0a44f8cc78..cfcedd2eb474 100644 --- a/src/rust/src/exceptions.rs +++ b/src/rust/src/exceptions.rs @@ -30,6 +30,7 @@ pub(crate) enum Reasons { pyo3::import_exception_bound!(cryptography.exceptions, AlreadyUpdated); pyo3::import_exception_bound!(cryptography.exceptions, AlreadyFinalized); pyo3::import_exception_bound!(cryptography.exceptions, InternalError); +pyo3::import_exception_bound!(cryptography.exceptions, InvalidKey); pyo3::import_exception_bound!(cryptography.exceptions, InvalidSignature); pyo3::import_exception_bound!(cryptography.exceptions, InvalidTag); pyo3::import_exception_bound!(cryptography.exceptions, NotYetFinalized); From 8624bcdc4824e8526fcf0fe100a0db9afd55d343 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 25 Oct 2024 00:19:57 +0000 Subject: [PATCH 1278/1462] Bump BoringSSL and/or OpenSSL in CI (#11832) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 38548cc9cb15..0f4a0c8466ca 100644 --- a/.github/workflows/ci.yml 
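Review bot: The MemoryError path in `Scrypt::derive` computes `128 * self.n * self.r / (1024 * 1024)` on `u64` values that `new` checks only for power-of-two and non-zero, so large caller-supplied `n`/`r` can overflow the multiplication while the error message is being built. With overflow checks on (the release profile elsewhere on this page sets `overflow-checks = true`) that would presumably surface as a panic rather than the intended `MemoryError`; without them the reported figure wraps. A saturating form keeps the error path total: `let min_memory = 128u64.saturating_mul(self.n).saturating_mul(self.r) / (1024 * 1024);`. In the same call, `(usize::MAX / 2).try_into().unwrap()` would read better as a named constant with a comment on why the conversion cannot fail.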
+++ b/.github/workflows/ci.yml @@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 24, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "69be68ca92936dd8ddb9e7bf1a491bb89f2f1a8f"}} - # Latest commit on the OpenSSL master branch, as of Oct 24, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3d3bb26a13dcc67f99e66de6a44ae9ced117f64b"}} + # Latest commit on the BoringSSL master branch, as of Oct 25, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7628194c2305548364d971406406e06e1153dd31"}} + # Latest commit on the OpenSSL master branch, as of Oct 25, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a08a145d4a7e663dd1e973f06a56e983a5e916f7"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 533ce4009b376802f22e742c020b024b0a1ebfe6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 25 Oct 2024 07:06:42 -0400 Subject: [PATCH 1279/1462] Bump ruff from 0.7.0 to 0.7.1 (#11835) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.7.0 to 0.7.1. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.7.0...0.7.1) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 128447a97980..3f4513268ac9 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -196,7 +196,7 @@ requests==2.31.0 ; python_full_version < '3.8' # via sphinx requests==2.32.3 ; python_full_version >= '3.8' # via sphinx -ruff==0.7.0 +ruff==0.7.1 # via cryptography (pyproject.toml) six==1.16.0 ; python_full_version < '3.8' # via bleach From ea68d9fb641b1f82a16e34d31ed542362572c8e5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 25 Oct 2024 07:07:44 -0400 Subject: [PATCH 1280/1462] Bump actions/setup-python from 5.2.0 to 5.3.0 (#11834) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.2.0 to 5.3.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/f677139bbe7f9c59b41e40162b753c062f5d49a3...0b93645e9fea7318ecaed2b359559ac225c90a2b) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 2 +- .github/workflows/ci.yml | 10 +++++----- .github/workflows/linkcheck.yml | 2 +- .github/workflows/wheel-builder.yml | 6 +++--- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 98fdd9e01ca4..2a3f2357b7ef 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml 
@@ -44,7 +44,7 @@ jobs: - name: Setup python id: setup-python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: "3.11" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0f4a0c8466ca..70f46b360a5a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -66,7 +66,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: ${{ matrix.PYTHON.VERSION }} cache: pip @@ -248,7 +248,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.PYTHON.VERSION }} - name: Setup python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: ${{ matrix.PYTHON.VERSION }} cache: pip @@ -308,7 +308,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} @@ -384,7 +384,7 @@ jobs: uses: ./.github/actions/cache timeout-minutes: 2 - name: Setup python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: ${{ matrix.PYTHON }} cache: pip @@ -430,7 +430,7 @@ jobs: jobs: ${{ toJSON(needs) }} - name: Setup python if: ${{ always() }} - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: '3.12' cache: pip 
diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index 4099355a21ca..1faf3bcbc2db 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -25,7 +25,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: 3.11 - name: Cache rust and pip diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 4f0f1ac0c22d..6b1a53fe56bf 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -34,7 +34,7 @@ jobs: ref: ${{ github.event.inputs.version || github.ref }} persist-credentials: false - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: "3.13" timeout-minutes: 3 @@ -205,7 +205,7 @@ jobs: PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }} if: contains(matrix.PYTHON.VERSION, 'pypy') == false - name: Setup pypy - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') @@ -294,7 +294,7 @@ jobs: name: cryptography-sdist - name: Setup python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} From 81e9f0158bf3fec5672c6f2f819b8ec23f228c95 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 26 Oct 2024 00:17:55 +0000 Subject: [PATCH 1281/1462] Bump BoringSSL and/or OpenSSL in CI (#11837) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 70f46b360a5a..d57ad1b9df59 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 25, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7628194c2305548364d971406406e06e1153dd31"}} - # Latest commit on the OpenSSL master branch, as of Oct 25, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a08a145d4a7e663dd1e973f06a56e983a5e916f7"}} + # Latest commit on the BoringSSL master branch, as of Oct 26, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "971951f15d76cfef611c59b7694236fd14b279e6"}} + # Latest commit on the OpenSSL master branch, as of Oct 26, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "06aa41a5f529fc2081793c8bfb36c7e2727665d5"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 377e52543efb94bc18f2bdc43ecdda29a52dc030 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 26 Oct 2024 14:24:41 +0000 Subject: [PATCH 1282/1462] Bump uv from 0.4.26 to 0.4.27 (#11838) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.26 to 0.4.27. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.26...0.4.27) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3f4513268ac9..7df4082895f6 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -286,7 +286,7 @@ urllib3==2.0.7 ; python_full_version < '3.8' # via requests urllib3==2.2.3 ; python_full_version >= '3.8' # via requests -uv==0.4.26 ; python_full_version >= '3.8' +uv==0.4.27 ; python_full_version >= '3.8' # via nox virtualenv==20.26.6 ; python_full_version < '3.8' # via nox From 04af44670516a0e25fc69cc2bf251b49118f786e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 26 Oct 2024 14:36:05 +0000 Subject: [PATCH 1283/1462] Bump uv from 0.4.26 to 0.4.27 in /.github/requirements (#11840) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.26 to 0.4.27. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.26...0.4.27) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 1e27f20b8654..3090c1d20cf7 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.26 \ - --hash=sha256:1214caacc6b9f9c72749634c7a82a5d93123a44b70a1fa6a9d13993c126ca33e \ - --hash=sha256:23cee82020b9e973a5feba81c2cf359a5a09020216d98534926f45ee7b74521d \ - --hash=sha256:2ddb60d508b668b8da055651b30ff56c1efb79d57b064c218a7622b5c74b2af8 \ - --hash=sha256:391a6f5e31b212cb72a8f460493bbdf4088e66049666ad064ac8530230031289 \ - --hash=sha256:41f9876c22ad5b4518bffe9e50ec7169e242b64f139cdcaf42a76f70a9bd5c78 \ - --hash=sha256:468f806e841229c0bd6e1cffaaffc064720704623890cee15b42b877cef748c5 \ - --hash=sha256:6091075420eda571b0377d351c393b096514cb036a3199e033e003edaa0ff880 \ - --hash=sha256:6f66f11e088d231b7e305f089dc949b0e6b1d65e0a877b50ba5c3ae26e151144 \ - --hash=sha256:70a108399d6c9e3d1f4a0f105d6d016f97f292dbb6c724e1ed2e6dc9f6872c79 \ - --hash=sha256:9560c2eb234ea92276bbc647854d4a9e75556981c1193c3cc59f6613f7d177f2 \ - --hash=sha256:9a63a6fe6f249a9fff72328204c3e6b457aae5914590e6881b9b39dcc72d24df \ - --hash=sha256:a41bdd09b9a3ddc8f459c73e924485e1caae43e43305cedb65f5feac05cf184a \ - --hash=sha256:acaa25b304db6f1e8064d3280532ecb80a58346e37f4199659269847848c4da0 \ - --hash=sha256:c4c69532cb4d0c1e160883142b8bf0133a5a67e9aed5148e13743ae55c2dfc03 \ - --hash=sha256:d1ca5183afab454f28573a286811019b3552625af2cd1cd3996049d3bbfdb1ca \ - --hash=sha256:e086ebe200e9718e9622af405d45caad9d84b60824306fcb220335fe6fc90966 \ - --hash=sha256:e826b544020ef407387ed734a89850cac011ee4b5daf94b4f616b71eff2c8a94 \ - --hash=sha256:e9f45d8765a037a13ddedebb9e36fdcf06b7957654cfa8055d84f19eba12957e +uv==0.4.27 \ + --hash=sha256:07d693092ad1f2536fec59e1ad5170fab10a214e9d2e39f9cf385cccbf426aa7 \ + --hash=sha256:0a7d8041f80bf59fac1d3a630ad5ed9d91008c85edc03e318e3016122235c568 \ + --hash=sha256:0bae39264d575d16d5bb3b40699396afb2b27f987d7d7cfe8f336c24d26eda87 \ + --hash=sha256:2035efeb39d8d86355d9002e129a76a032a54b47b1332c6952225f48aa9b583c \ + 
--hash=sha256:3dd79e9392af6f41c470f9a95a2f3f8e73cde585eecb2df721f0716cd6134893 \ + --hash=sha256:4d249ca5e5444de4dd4984627bef6f077ffdb45c3ad6b27413ddfb1146daf79b \ + --hash=sha256:6c5782274a8d3075f4bf82e90c90b0a960abc11424ab353dc559e9329b479681 \ + --hash=sha256:6d335e40658a6c23554683410e710e5f54374fec20642e459771f50c8736d600 \ + --hash=sha256:ae4f45a0640de23c880bd5bdb27b1d3a059b45c9f73c2f7d53e392664efeca10 \ + --hash=sha256:b05165b0b24573c509286b87825c619658162079e2d3b20fea01d0dd9f444238 \ + --hash=sha256:b7a858209dfaab2527c547836cf823aef5cc1e051c5b15df4ba445a71b252df8 \ + --hash=sha256:b92728ba102ac7284f560c144507961be5aca5263d7a0d70a6896bba7660271c \ + --hash=sha256:b9e9b8b4062388df4c7a5d1e6c692dc8929242f883e1509010efb2b766ac4edd \ + --hash=sha256:bb5ced184be4e7611d983462a9f31a24a2e66de60f688ded6a8c36dc701a58ef \ + --hash=sha256:c0a5a40f23b61b2c693f6fa6f08b920c7d8b9058ce7ca20f18856844d2f11b2c \ + --hash=sha256:c13eea45257362ecfa2a2b31de9b62fbd0542e211a573562d98ab7c8fc50d8fc \ + --hash=sha256:d1731252da1a71a9f38e5864eb037401340a17eab519ad32e9a9f8fd54b7ada9 \ + --hash=sha256:f552967f4b392f880a1a50d3f57b9372a9666da274ea7826ee14e024ba035f4e From 5510fe6dbe5a2a685ac7613c0b714aa8e1c0ec72 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 26 Oct 2024 10:44:32 -0400 Subject: [PATCH 1284/1462] Bump version for new pytest-randomly (#11841) --- ci-constraints-requirements.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 7df4082895f6..2b4d28c26cb9 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -178,7 +178,9 @@ pytest-cov==5.0.0 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) pytest-randomly==3.12.0 ; python_full_version < '3.8' # via cryptography (pyproject.toml) -pytest-randomly==3.15.0 ; python_full_version >= '3.8' +pytest-randomly==3.15.0 ; python_full_version == '3.8.*' + # via cryptography (pyproject.toml) +pytest-randomly==3.16.0 ; python_full_version >= '3.9' # via cryptography (pyproject.toml) pytest-xdist==3.5.0 ; python_full_version < '3.8' # via cryptography (pyproject.toml) From 45cf761839b4726c2d58b5a9b34fb8dc3453cb51 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 26 Oct 2024 21:39:17 -0400 Subject: [PATCH 1285/1462] Bump BoringSSL and/or OpenSSL in CI (#11842) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d57ad1b9df59..3407a8251ec2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 26, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "971951f15d76cfef611c59b7694236fd14b279e6"}} - # Latest commit on the OpenSSL master branch, as of Oct 26, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "06aa41a5f529fc2081793c8bfb36c7e2727665d5"}} + # Latest commit on the BoringSSL master branch, as of Oct 27, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b8c97f5b4bc5d4758612a0430e5c2792d0f9ca7f"}} + # Latest commit on the OpenSSL master branch, as of Oct 27, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "80026e5d9e934907f5847d69ca0d8189765af6f3"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 7a296270aac7147ad4f19752d97f2e31edcc7fce Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 27 Oct 2024 17:17:40 -0400 Subject: [PATCH 1286/1462] Move Cargo.toml workspace configuration to the root of the repo. (#11836) This allows cargo commands like check/fmt to work from the root of the repo --- src/rust/Cargo.lock => Cargo.lock | 0 Cargo.toml | 22 +++++++++ noxfile.py | 75 +++++++++++++++---------------- pyproject.toml | 4 +- src/rust/Cargo.toml | 21 --------- 5 files changed, 60 insertions(+), 62 deletions(-) rename src/rust/Cargo.lock => Cargo.lock (100%) create mode 100644 Cargo.toml diff --git a/src/rust/Cargo.lock b/Cargo.lock similarity index 100% rename from src/rust/Cargo.lock rename to Cargo.lock 
diff --git a/Cargo.toml b/Cargo.toml new file mode 100644 index 000000000000..05bc91caa1fd --- /dev/null +++ b/Cargo.toml @@ -0,0 +1,22 @@ +[workspace] +resolver = "2" +members = [ + "src/rust/", + "src/rust/cryptography-cffi", + "src/rust/cryptography-keepalive", + "src/rust/cryptography-key-parsing", + "src/rust/cryptography-openssl", + "src/rust/cryptography-x509", + "src/rust/cryptography-x509-verification", +] + +[workspace.package] +version = "0.1.0" +authors = ["The cryptography developers "] +edition = "2021" +publish = false +# This specifies the MSRV +rust-version = "1.65.0" + +[profile.release] +overflow-checks = true diff --git a/noxfile.py b/noxfile.py index 912e79b6b6bb..93ac329a0001 100644 --- a/noxfile.py +++ b/noxfile.py @@ -231,34 +231,33 @@ def rust(session: nox.Session) -> None: pyproject_data = load_pyproject_toml() install(session, *pyproject_data["build-system"]["requires"]) - with session.chdir("src/rust/"): - session.run("cargo", "fmt", "--all", "--", "--check", external=True) - if session.name != "rust-noclippy": - session.run( - "cargo", - "clippy", - "--all", - "--", - "-D", - "warnings", - external=True, - ) - - build_output = session.run( + session.run("cargo", "fmt", "--all", "--", "--check", external=True) + if session.name != "rust-noclippy": + session.run( "cargo", - "test", - "--no-default-features", + "clippy", "--all", - "--no-run", - "-q", - "--message-format=json", + "--", + "-D", + "warnings", external=True, - silent=True, - ) - session.run( - "cargo", "test", "--no-default-features", "--all", external=True ) + build_output = session.run( + "cargo", + "test", + "--no-default-features", + "--all", + "--no-run", + "-q", + "--message-format=json", + external=True, + silent=True, + ) + session.run( + "cargo", "test", "--no-default-features", "--all", external=True + ) + # It's None on install-only invocations if build_output is not None: assert isinstance(build_output, str) 
@@ -288,18 +287,17 @@ def local(session): session.run("ruff", "format", ".") session.run("ruff", "check", ".") - with session.chdir("src/rust/"): - session.run("cargo", "fmt", "--all", external=True) - session.run("cargo", "check", "--all", "--tests", external=True) - session.run( - "cargo", - "clippy", - "--all", - "--", - "-D", - "warnings", - external=True, - ) + session.run("cargo", "fmt", "--all", external=True) + session.run("cargo", "check", "--all", "--tests", external=True) + session.run( + "cargo", + "clippy", + "--all", + "--", + "-D", + "warnings", + external=True, + ) session.run( "mypy", @@ -331,10 +329,9 @@ def local(session): *tests, ) - with session.chdir("src/rust/"): - session.run( - "cargo", "test", "--no-default-features", "--all", external=True - ) + session.run( + "cargo", "test", "--no-default-features", "--all", external=True + ) LCOV_SOURCEFILE_RE = re.compile( diff --git a/pyproject.toml b/pyproject.toml index 28eb931e507f..2e17f895f57c 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -101,8 +101,8 @@ include = [ "src/_cffi_src/**/*.c", "src/_cffi_src/**/*.h", - "src/rust/**/Cargo.toml", - "src/rust/**/Cargo.lock", + "**/Cargo.toml", + "**/Cargo.lock", "src/rust/**/*.rs", "tests/**/*.py", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index f990fb84f513..92064793e1cd 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -1,11 +1,3 @@ -[workspace.package] -version = "0.1.0" -authors = ["The cryptography developers "] -edition = "2021" -publish = false -# This specifies the MSRV -rust-version = "1.65.0" - [package] name = "cryptography-rust" version.workspace = true 
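Review bot: The new `"**/Cargo.toml"` and `"**/Cargo.lock"` patterns in the `include` list match a manifest or lockfile anywhere in the checkout, not only the new root files and those under `src/rust/`. If this list decides what goes into the source distribution (the table header is outside the hunk), a stray `Cargo.toml` from a vendored tree or local scratch directory would be packaged and published too. A narrower form keeps the old `src/rust/**/Cargo.toml` and `src/rust/**/Cargo.lock` entries and adds the root files by name, `"Cargo.toml"` and `"Cargo.lock"`.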
@@ -39,18 +31,5 @@ default = ["extension-module"] name = "cryptography_rust" crate-type = ["cdylib"] -[profile.release] -overflow-checks = true - -[workspace] -members = [ - "cryptography-cffi", - "cryptography-keepalive", - "cryptography-key-parsing", - "cryptography-openssl", - "cryptography-x509", - "cryptography-x509-verification", -] - [lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_IDEA", "OPENSSL_NO_CAST", "OPENSSL_NO_BF", "OPENSSL_NO_CAMELLIA", "OPENSSL_NO_SEED", "OPENSSL_NO_SM4"))'] } From dc4a1c1fd3b124a0cf39b9d991c711dcf41c665e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 28 Oct 2024 20:28:29 +0000 Subject: [PATCH 1287/1462] Bump x509-limbo and/or wycheproof in CI (#11846) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index a535b6fa1bf6..283fbdff897b 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Oct 22, 2024. - ref: "f98aa03f45d108ae4e1bc5a61ec4bd0b8d137559" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Oct 28, 2024. + ref: "bb42ec9de1c78f1e8d903e73417002f45ed2f1fb" # x509-limbo-ref From 7c6aaf6710d6f6e8d219c35e9dc798c12545323e Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 28 Oct 2024 17:39:46 -0700 Subject: [PATCH 1288/1462] Bump BoringSSL and/or OpenSSL in CI (#11847) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3407a8251ec2..66d986df19f4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 27, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b8c97f5b4bc5d4758612a0430e5c2792d0f9ca7f"}} - # Latest commit on the OpenSSL master branch, as of Oct 27, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "80026e5d9e934907f5847d69ca0d8189765af6f3"}} + # Latest commit on the BoringSSL master branch, as of Oct 29, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "197a654639aa39a86782b06abebdeccbfa197e2b"}} + # Latest commit on the OpenSSL master branch, as of Oct 29, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a3660729e68dc11c01edb4a349ff2610b6b59ee0"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 6bac91710136d4700601e4e16cf6c3510321ad67 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 29 Oct 2024 11:06:40 +0000 Subject: [PATCH 1289/1462] Bump virtualenv from 20.27.0 to 20.27.1 (#11849) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.27.0 to 20.27.1. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.27.0...20.27.1) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 2b4d28c26cb9..ab985b202436 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -292,7 +292,7 @@ uv==0.4.27 ; python_full_version >= '3.8' # via nox virtualenv==20.26.6 ; python_full_version < '3.8' # via nox -virtualenv==20.27.0 ; python_full_version >= '3.8' +virtualenv==20.27.1 ; python_full_version >= '3.8' # via nox webencodings==0.5.1 ; python_full_version < '3.8' # via bleach From 8742bc924f433b02abe2d222f5f14e40a963a27e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 29 Oct 2024 11:20:38 +0000 Subject: [PATCH 1290/1462] Bump uv from 0.4.27 to 0.4.28 (#11850) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.27 to 0.4.28. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.27...0.4.28) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ab985b202436..7651e071584c 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -288,7 +288,7 @@ urllib3==2.0.7 ; python_full_version < '3.8' # via requests urllib3==2.2.3 ; python_full_version >= '3.8' # via requests -uv==0.4.27 ; python_full_version >= '3.8' +uv==0.4.28 ; python_full_version >= '3.8' # via nox virtualenv==20.26.6 ; python_full_version < '3.8' # via nox From 5e36b56005cd05215dd140aa2da00d718e1254d8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 29 Oct 2024 07:33:42 -0400 Subject: [PATCH 1291/1462] Bump uv from 0.4.27 to 0.4.28 in /.github/requirements (#11853) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.27 to 0.4.28. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.27...0.4.28) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 3090c1d20cf7..1e9fe59ab071 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.27 \ - --hash=sha256:07d693092ad1f2536fec59e1ad5170fab10a214e9d2e39f9cf385cccbf426aa7 \ - --hash=sha256:0a7d8041f80bf59fac1d3a630ad5ed9d91008c85edc03e318e3016122235c568 \ - --hash=sha256:0bae39264d575d16d5bb3b40699396afb2b27f987d7d7cfe8f336c24d26eda87 \ - --hash=sha256:2035efeb39d8d86355d9002e129a76a032a54b47b1332c6952225f48aa9b583c \ - --hash=sha256:3dd79e9392af6f41c470f9a95a2f3f8e73cde585eecb2df721f0716cd6134893 \ - --hash=sha256:4d249ca5e5444de4dd4984627bef6f077ffdb45c3ad6b27413ddfb1146daf79b \ - --hash=sha256:6c5782274a8d3075f4bf82e90c90b0a960abc11424ab353dc559e9329b479681 \ - --hash=sha256:6d335e40658a6c23554683410e710e5f54374fec20642e459771f50c8736d600 \ - --hash=sha256:ae4f45a0640de23c880bd5bdb27b1d3a059b45c9f73c2f7d53e392664efeca10 \ - --hash=sha256:b05165b0b24573c509286b87825c619658162079e2d3b20fea01d0dd9f444238 \ - --hash=sha256:b7a858209dfaab2527c547836cf823aef5cc1e051c5b15df4ba445a71b252df8 \ - --hash=sha256:b92728ba102ac7284f560c144507961be5aca5263d7a0d70a6896bba7660271c \ - --hash=sha256:b9e9b8b4062388df4c7a5d1e6c692dc8929242f883e1509010efb2b766ac4edd \ - --hash=sha256:bb5ced184be4e7611d983462a9f31a24a2e66de60f688ded6a8c36dc701a58ef \ - --hash=sha256:c0a5a40f23b61b2c693f6fa6f08b920c7d8b9058ce7ca20f18856844d2f11b2c \ - --hash=sha256:c13eea45257362ecfa2a2b31de9b62fbd0542e211a573562d98ab7c8fc50d8fc \ - --hash=sha256:d1731252da1a71a9f38e5864eb037401340a17eab519ad32e9a9f8fd54b7ada9 \ - --hash=sha256:f552967f4b392f880a1a50d3f57b9372a9666da274ea7826ee14e024ba035f4e +uv==0.4.28 \ + --hash=sha256:09a50416622b5df476be774739d1682db9079b7bc7493346c2085cf11b91706b \ + --hash=sha256:22f6d4f95ceb4735a4c8f0555dda6761a57c8ee7fc1b6b7d7004d6a25a8aec38 \ + --hash=sha256:274b5af065a1a3a37456e9f1a8c1c4e9b07825be1c4135d299e022fb0547de38 \ + --hash=sha256:2c8c3a719d68181127fcf90c0e5d2a4b76bb405bf464e04c8bf5c6d356109cec \ + 
--hash=sha256:2e82236e655c5af1905d7ca15c3c96c28a878f2d77a2e4f714d5254baad85b2e \ + --hash=sha256:4ec1bf494dcf30984b5e6e8208d78a8a4e483855c45c3ea2b1d9e7201d8af00f \ + --hash=sha256:524f38d996b51c27d1342af0d4e69c1524fbcfe57c8e036498811a5079fab070 \ + --hash=sha256:6ea1fac8b9b8d785f66e2ab46296e6939a43ab85da538d3eea12a27dfefd84a6 \ + --hash=sha256:7932026532a8294969777fa500dbd3c3a80aada14ac131d9696d596d31068550 \ + --hash=sha256:8a32af23fc619e1e70923a498c097ec6eb120e764315ba164fa7ab8a65af9ba3 \ + --hash=sha256:a3c59d5a11e0ddf550e20ea10b5d26ed06acab1192d3b70fe3993444cfe8fd41 \ + --hash=sha256:bc33e318b676aeba2ea8bcd1e8f38623272b891200cefc54f9c420f4f4091434 \ + --hash=sha256:be1ce25068d24b42273182729dc1917654438797346a5d470606949ec344fb22 \ + --hash=sha256:d12b58c945e4805f06b954475642049d97f69796b9a4c5742a6e0a281de0db9c \ + --hash=sha256:d9b8543712257678a5ab7e6865486bc71903c231d151ad1aff663b1c25596744 \ + --hash=sha256:dea9d143e52cc295c9da9840530629196b0dc24c71b31a880f2f979fe3f1d62e \ + --hash=sha256:e44e46aecf42e7d075d3428864c42598b3397fd4cdf5fbf198b38673870ac932 \ + --hash=sha256:e680313c3b25eee9f9f521fab20746292cf6ef4e162e4f973e0758867702384f From db814fb68a53c824c1920e8bae08198c5f0ac36f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 29 Oct 2024 09:47:59 -0400 Subject: [PATCH 1292/1462] Bump pytest-benchmark version (#11854) New version is 3.9+ --- ci-constraints-requirements.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 7651e071584c..cc9aa3c140a2 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -170,7 +170,9 @@ pytest==8.3.3 ; python_full_version >= '3.8' # pytest-cov # pytest-randomly # pytest-xdist -pytest-benchmark==4.0.0 +pytest-benchmark==4.0.0 ; python_full_version < '3.9' + # via cryptography (pyproject.toml) +pytest-benchmark==5.0.0 ; python_full_version >= '3.9' # via cryptography (pyproject.toml) pytest-cov==4.1.0 ; python_full_version < '3.8' # via cryptography (pyproject.toml) From a0bd4f629ce2a930bc06d3b58ae6945917d5a4e7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 29 Oct 2024 09:48:19 -0400 Subject: [PATCH 1293/1462] Attempt to fix dependabot for our new Cargo.tom location (#11848) --- .github/dependabot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1634f6e54726..0411a7d15804 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -11,7 +11,7 @@ updates: open-pull-requests-limit: 1024 - package-ecosystem: cargo - directory: "/src/rust/" + directory: "/" schedule: interval: daily time: "06:00" From 008e105ab45c28901c81702c53bdb748da9e96e0 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 29 Oct 2024 23:49:59 -0400 Subject: [PATCH 1294/1462] Bump BoringSSL and/or OpenSSL in CI (#11857) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 66d986df19f4..ef258ec474a4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 29, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "197a654639aa39a86782b06abebdeccbfa197e2b"}} + # Latest commit on the BoringSSL master branch, as of Oct 30, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "756a322105ed458d3021431ca043eae0e4b83699"}} # Latest commit on the OpenSSL master branch, as of Oct 29, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a3660729e68dc11c01edb4a349ff2610b6b59ee0"}} # Builds with various Rust versions. Includes MSRV and next From 46f4a5a5100bb1a0bb6d8c8bbaeadfbfd9b9f0c9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 30 Oct 2024 08:14:59 -0400 Subject: [PATCH 1295/1462] Bump pytest-benchmark from 5.0.0 to 5.0.1 (#11860) Bumps [pytest-benchmark](https://github.com/ionelmc/pytest-benchmark) from 5.0.0 to 5.0.1. - [Changelog](https://github.com/ionelmc/pytest-benchmark/blob/master/CHANGELOG.rst) - [Commits](https://github.com/ionelmc/pytest-benchmark/compare/v5.0.0...v5.0.1) --- updated-dependencies: - dependency-name: pytest-benchmark dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index cc9aa3c140a2..db02cf7b55c5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -172,7 +172,7 @@ pytest==8.3.3 ; python_full_version >= '3.8' # pytest-xdist pytest-benchmark==4.0.0 ; python_full_version < '3.9' # via cryptography (pyproject.toml) -pytest-benchmark==5.0.0 ; python_full_version >= '3.9' +pytest-benchmark==5.0.1 ; python_full_version >= '3.9' # via cryptography (pyproject.toml) pytest-cov==4.1.0 ; python_full_version < '3.8' # via cryptography (pyproject.toml) From 75a54bb1ac32c3456db75402fdf04504eda9da2a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 30 Oct 2024 08:15:18 -0400 Subject: [PATCH 1296/1462] Bump colorlog from 6.8.2 to 6.9.0 (#11861) Bumps [colorlog](https://github.com/borntyping/python-colorlog) from 6.8.2 to 6.9.0. - [Release notes](https://github.com/borntyping/python-colorlog/releases) - [Commits](https://github.com/borntyping/python-colorlog/compare/v6.8.2...v6.9.0) --- updated-dependencies: - dependency-name: colorlog dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index db02cf7b55c5..e30d7c56eb84 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -39,7 +39,7 @@ colorama==0.4.6 ; (platform_system != 'Windows' and sys_platform == 'win32') or # colorlog # pytest # sphinx -colorlog==6.8.2 +colorlog==6.9.0 # via nox coverage==7.2.7 ; python_full_version < '3.8' # via pytest-cov From dff835d0848a5f712b61fd34c75a9b6993e01fa0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 30 Oct 2024 12:23:05 +0000 Subject: [PATCH 1297/1462] Bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0 (#11858) Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.10.3 to 1.11.0. - [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases) - [Commits](https://github.com/pypa/gh-action-pypi-publish/compare/f7600683efdcb7656dec5b29656edb7bc586e597...fb13cb306901256ace3dab689990e13a5550ffaa) --- updated-dependencies: - dependency-name: pypa/gh-action-pypi-publish dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index b143881eb5ba..9697eec28683 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -52,7 +52,7 @@ jobs: find tmpdist/ -type f -name 'cryptography*' -exec mv {} dist/ \; - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3 + uses: pypa/gh-action-pypi-publish@fb13cb306901256ace3dab689990e13a5550ffaa # v1.11.0 with: repository-url: ${{ env.PYPI_URL }} skip-existing: true From 7c985746c59292bf55163ac6655db7c7fd674ece Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 30 Oct 2024 12:32:24 +0000 Subject: [PATCH 1298/1462] Bump pytest-benchmark from 5.0.1 to 5.1.0 (#11863) Bumps [pytest-benchmark](https://github.com/ionelmc/pytest-benchmark) from 5.0.1 to 5.1.0. - [Changelog](https://github.com/ionelmc/pytest-benchmark/blob/master/CHANGELOG.rst) - [Commits](https://github.com/ionelmc/pytest-benchmark/compare/v5.0.1...v5.1.0) --- updated-dependencies: - dependency-name: pytest-benchmark dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e30d7c56eb84..299e3b127ab6 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -172,7 +172,7 @@ pytest==8.3.3 ; python_full_version >= '3.8' # pytest-xdist pytest-benchmark==4.0.0 ; python_full_version < '3.9' # via cryptography (pyproject.toml) -pytest-benchmark==5.0.1 ; python_full_version >= '3.9' +pytest-benchmark==5.1.0 ; python_full_version >= '3.9' # via cryptography (pyproject.toml) pytest-cov==4.1.0 ; python_full_version < '3.8' # via cryptography (pyproject.toml) From 436542ec35b3ffd2917dd9a0b2fcd26e72c18819 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 30 Oct 2024 08:50:48 -0400 Subject: [PATCH 1299/1462] Bump pytest-cov version (#11864) New version is 3.9+ --- ci-constraints-requirements.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 299e3b127ab6..bae66ea1f112 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -176,7 +176,9 @@ pytest-benchmark==5.1.0 ; python_full_version >= '3.9' # via cryptography (pyproject.toml) pytest-cov==4.1.0 ; python_full_version < '3.8' # via cryptography (pyproject.toml) -pytest-cov==5.0.0 ; python_full_version >= '3.8' +pytest-cov==5.0.0 ; python_full_version == '3.8.*' + # via cryptography (pyproject.toml) +pytest-cov==6.0.0 ; python_full_version >= '3.9' # via cryptography (pyproject.toml) pytest-randomly==3.12.0 ; python_full_version < '3.8' # via cryptography (pyproject.toml) From 73f5758543be894808989ead0cea5181a89e5521 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 30 Oct 2024 17:12:53 -0400 Subject: [PATCH 1300/1462] Pass VerificationCertificate slightly deeper in the callstack (#11865) refs #11160 --- src/rust/cryptography-x509-verification/src/lib.rs | 2 +- .../cryptography-x509-verification/src/policy/mod.rs | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 5ae8ef90fe12..39b3da98a1b6 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -340,7 +340,7 @@ impl<'a, 'chain: 'a, B: CryptoOps> ChainBuilder<'a, 'chain, B> { let issuer_extensions = issuing_cert_candidate.certificate().extensions()?; match self.policy.valid_issuer( issuing_cert_candidate, - working_cert.certificate(), + working_cert, current_depth, &issuer_extensions, ) { diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 5616a83a8ceb..cb526ac04357 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs 
@@ -504,7 +504,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { pub(crate) fn valid_issuer( &self, issuer: &VerificationCertificate<'_, B>, - child: &Certificate<'_>, + child: &VerificationCertificate<'_, B>, current_depth: u8, issuer_extensions: &Extensions<'_>, ) -> Result<(), ValidationError> { @@ -520,7 +520,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { { return Err(ValidationError::Other(format!( "Forbidden public key algorithm: {:?}", - &child.tbs_cert.spki.algorithm + &issuer.certificate().tbs_cert.spki.algorithm ))); } @@ -532,11 +532,11 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // position). if !self .permitted_signature_algorithms - .contains(&child.signature_alg) + .contains(&child.certificate().signature_alg) { return Err(ValidationError::Other(format!( "Forbidden signature algorithm: {:?}", - &child.signature_alg + &child.certificate().signature_alg ))); } @@ -559,7 +559,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { let pk = issuer .public_key(&self.ops) .map_err(|_| ValidationError::Other("issuer has malformed public key".to_string()))?; - if self.ops.verify_signed_by(child, pk).is_err() { + if self.ops.verify_signed_by(child.certificate(), pk).is_err() { return Err(ValidationError::Other( "signature does not match".to_string(), )); From e2fce25dceb15a612ecc75e41436fb4060249fc2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 30 Oct 2024 17:13:57 -0400 Subject: [PATCH 1301/1462] Use a type alias for ValidationResult (#11866) refs #11160 --- .../cryptography-x509-verification/src/lib.rs | 16 +++---- .../src/policy/extension.rs | 42 +++++++++---------- .../src/policy/mod.rs | 12 +++--- 3 files changed, 36 insertions(+), 34 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 39b3da98a1b6..f13c3541c3c2 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs 
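Review bot: In the `@@ -520,7 +520,7 @@` hunk of `policy/mod.rs` the "Forbidden public key algorithm" message stops reporting the child's SPKI algorithm and reports `issuer.certificate().tbs_cert.spki.algorithm` instead. That changes the error text, while the commit is described only as passing `VerificationCertificate` deeper. The condition guarding this error is outside the hunk, so it cannot be confirmed from here that the message now names the certificate actually being checked. If it does, this is a fix and deserves a line in the commit message and a test asserting the reported algorithm. The body of `valid_issuer` starts and ends outside these hunks.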
@@ -44,6 +44,8 @@ pub enum ValidationError { Other(String), } +pub type ValidationResult = Result; + impl From for ValidationError { fn from(value: asn1::ParseError) -> Self { Self::Malformed(value) @@ -89,7 +91,7 @@ impl Budget { } } - fn name_constraint_check(&mut self) -> Result<(), ValidationError> { + fn name_constraint_check(&mut self) -> ValidationResult<()> { self.name_constraint_checks = self.name_constraint_checks .checked_sub(1) @@ -110,7 +112,7 @@ impl<'a, 'chain> NameChain<'a, 'chain> { child: Option<&'a NameChain<'a, 'chain>>, extensions: &Extensions<'chain>, self_issued_intermediate: bool, - ) -> Result { + ) -> ValidationResult { let sans = match ( self_issued_intermediate, extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID), @@ -129,7 +131,7 @@ impl<'a, 'chain> NameChain<'a, 'chain> { constraint: &GeneralName<'chain>, san: &GeneralName<'chain>, budget: &mut Budget, - ) -> Result { + ) -> ValidationResult { budget.name_constraint_check()?; match (constraint, san) { @@ -195,7 +197,7 @@ impl<'a, 'chain> NameChain<'a, 'chain> { &self, constraints: &NameConstraints<'chain>, budget: &mut Budget, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { if let Some(child) = self.child { child.evaluate_constraints(constraints, budget)?; } @@ -244,7 +246,7 @@ pub fn verify<'a, 'chain: 'a, B: CryptoOps>( intermediates: &'a [&'a VerificationCertificate<'chain, B>], policy: &'a Policy<'_, B>, store: &'a Store<'chain, B>, -) -> Result, ValidationError> { +) -> ValidationResult> { let builder = ChainBuilder::new(intermediates, policy, store); let mut budget = Budget::new(); 
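Review bot: The new public alias `ValidationResult` in the first hunk of `lib.rs` has no doc comment, although it becomes the return type of `verify` and of every policy callback touched by this change. A short rustdoc line above it would be enough, for example `/// Result of a path-validation step; the error is always a ValidationError.`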
@@ -310,7 +312,7 @@ impl<'a, 'chain: 'a, B: CryptoOps> ChainBuilder<'a, 'chain, B> { working_cert_extensions: &Extensions<'chain>, name_chain: NameChain<'_, 'chain>, budget: &mut Budget, - ) -> Result, ValidationError> { + ) -> ValidationResult> { if let Some(nc) = working_cert_extensions.get_extension(&NAME_CONSTRAINTS_OID) { name_chain.evaluate_constraints(&nc.value()?, budget)?; } @@ -413,7 +415,7 @@ impl<'a, 'chain: 'a, B: CryptoOps> ChainBuilder<'a, 'chain, B> { &self, leaf: &'a VerificationCertificate<'chain, B>, budget: &mut Budget, - ) -> Result, ValidationError> { + ) -> ValidationResult> { // Before anything else, check whether the given leaf cert // is well-formed according to our policy (and its underlying // certificate profile). diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs index a01eb490122b..ae9a2a23fbe0 100644 --- a/src/rust/cryptography-x509-verification/src/policy/extension.rs +++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs @@ -12,7 +12,7 @@ use cryptography_x509::{ extensions::{Extension, Extensions}, }; -use crate::{ops::CryptoOps, policy::Policy, ValidationError}; +use crate::{ops::CryptoOps, policy::Policy, ValidationError, ValidationResult}; pub(crate) struct ExtensionPolicy { pub(crate) authority_information_access: ExtensionValidator, @@ -31,7 +31,7 @@ impl ExtensionPolicy { policy: &Policy<'_, B>, cert: &Certificate<'_>, extensions: &Extensions<'_>, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { let mut authority_information_access_seen = false; let mut authority_key_identifier_seen = false; let mut subject_key_identifier_seen = false; 
@@ -145,10 +145,10 @@ impl Criticality { } type PresentExtensionValidatorCallback = - fn(&Policy<'_, B>, &Certificate<'_>, &Extension<'_>) -> Result<(), ValidationError>; + fn(&Policy<'_, B>, &Certificate<'_>, &Extension<'_>) -> ValidationResult<()>; type MaybeExtensionValidatorCallback = - fn(&Policy<'_, B>, &Certificate<'_>, Option<&Extension<'_>>) -> Result<(), ValidationError>; + fn(&Policy<'_, B>, &Certificate<'_>, Option<&Extension<'_>>) -> ValidationResult<()>; /// Represents different validation states for an extension. pub(crate) enum ExtensionValidator { @@ -200,7 +200,7 @@ impl ExtensionValidator { policy: &Policy<'_, B>, cert: &Certificate<'_>, extension: Option<&Extension<'_>>, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { match (self, extension) { // Extension MUST NOT be present and isn't; OK. (ExtensionValidator::NotPresent, None) => Ok(()), @@ -265,14 +265,14 @@ pub(crate) mod ee { use crate::{ ops::CryptoOps, - policy::{Policy, ValidationError}, + policy::{Policy, ValidationError, ValidationResult}, }; pub(crate) fn basic_constraints( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { if let Some(extn) = extn { let basic_constraints: BasicConstraints = extn.value()?; @@ -290,7 +290,7 @@ pub(crate) mod ee { policy: &Policy<'_, B>, cert: &Certificate<'_>, extn: &Extension<'_>, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { match (cert.subject().is_empty(), extn.critical) { // If the subject is empty, the SAN MUST be critical. (true, false) => { @@ -327,7 +327,7 @@ pub(crate) mod ee { policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { if let Some(extn) = extn { let mut ekus: ExtendedKeyUsage<'_> = extn.value()?; 
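Review bot: The `ee` module import in the `@@ -265,14 +265,14 @@` hunk of `extension.rs` takes `ValidationError` and `ValidationResult` through `policy::{...}`, while the top of the same file imports them from the crate root. The `ca`, `common` and test modules in the later hunks follow the `policy::` form as well. Importing from the crate root in each submodule, `use crate::{ops::CryptoOps, policy::Policy, ValidationError, ValidationResult};`, keeps the paths uniform and avoids relying on the non-`pub` `use` in `policy/mod.rs`.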
@@ -351,7 +351,7 @@ pub(crate) mod ee { _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { if let Some(extn) = extn { let key_usage: KeyUsage<'_> = extn.value()?; @@ -378,14 +378,14 @@ pub(crate) mod ca { use crate::{ ops::CryptoOps, - policy::{Policy, ValidationError}, + policy::{Policy, ValidationError, ValidationResult}, }; pub(crate) fn authority_key_identifier( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { // CABF: AKI is required on all CA certificates *except* root CA certificates, // where is it merely recommended. This is slightly different from RFC 5280, // which requires AKI on all CA certificates *except* self-signed root CA certificates. @@ -428,7 +428,7 @@ pub(crate) mod ca { _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: &Extension<'_>, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { let key_usage: KeyUsage<'_> = extn.value()?; if !key_usage.key_cert_sign() { @@ -444,7 +444,7 @@ pub(crate) mod ca { _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: &Extension<'_>, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { let basic_constraints: BasicConstraints = extn.value()?; if !basic_constraints.ca { @@ -464,7 +464,7 @@ pub(crate) mod ca { _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { if let Some(extn) = extn { let name_constraints: NameConstraints<'_> = extn.value()?; @@ -496,7 +496,7 @@ pub(crate) mod ca { policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { if let Some(extn) = extn { let mut ekus: ExtendedKeyUsage<'_> = extn.value()?; 
@@ -521,14 +521,14 @@ pub(crate) mod common { use crate::{ ops::CryptoOps, - policy::{Policy, ValidationError}, + policy::{Policy, ValidationResult}, }; pub(crate) fn authority_information_access( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { if let Some(extn) = extn { // We don't currently do anything useful with these, but we // do check that they're well-formed. @@ -550,7 +550,7 @@ mod tests { use crate::certificate::tests::PublicKeyErrorOps; use crate::ops::tests::{cert, v1_cert_pem}; use crate::ops::CryptoOps; - use crate::policy::{Policy, Subject, ValidationError}; + use crate::policy::{Policy, Subject, ValidationResult}; use crate::types::DNSName; #[test] @@ -590,7 +590,7 @@ mod tests { _policy: &Policy<'_, B>, _cert: &Certificate<'_>, _ext: &Extension<'_>, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { Ok(()) } @@ -630,7 +630,7 @@ mod tests { _policy: &Policy<'_, B>, _cert: &Certificate<'_>, _ext: Option<&Extension<'_>>, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { Ok(()) } diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index cb526ac04357..5a0c0646b2cd 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -27,7 +27,7 @@ use once_cell::sync::Lazy; use crate::ops::CryptoOps; use crate::policy::extension::{ca, common, ee, Criticality, ExtensionPolicy, ExtensionValidator}; use crate::types::{DNSName, DNSPattern, IPAddress}; -use crate::{ValidationError, VerificationCertificate}; +use crate::{ValidationError, ValidationResult, VerificationCertificate}; // RSA key constraints, as defined in CA/B 6.1.5. static WEBPKI_MINIMUM_RSA_MODULUS: usize = 2048; 
@@ -373,7 +373,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ) } - fn permits_basic(&self, cert: &Certificate<'_>) -> Result<(), ValidationError> { + fn permits_basic(&self, cert: &Certificate<'_>) -> ValidationResult<()> { // CA/B 7.1.1: // Certificates MUST be of type X.509 v3. if cert.tbs_cert.version != 2 { @@ -441,7 +441,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { cert: &Certificate<'_>, current_depth: u8, extensions: &Extensions<'_>, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { self.permits_basic(cert)?; // 5280 4.1.2.6: Subject @@ -480,7 +480,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { &self, cert: &Certificate<'_>, extensions: &Extensions<'_>, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { self.permits_basic(cert)?; self.ee_extension_policy.permits(self, cert, extensions)?; @@ -507,7 +507,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { child: &VerificationCertificate<'_, B>, current_depth: u8, issuer_extensions: &Extensions<'_>, - ) -> Result<(), ValidationError> { + ) -> ValidationResult<()> { // The issuer needs to be a valid CA at the current depth. self.permits_ca(issuer.certificate(), current_depth, issuer_extensions)?; @@ -569,7 +569,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } } -fn permits_validity_date(validity_date: &Time) -> Result<(), ValidationError> { +fn permits_validity_date(validity_date: &Time) -> ValidationResult<()> { const GENERALIZED_DATE_INVALIDITY_RANGE: Range = 1950..2050; // NOTE: The inverse check on `asn1::UtcTime` is already done for us From c44b2b28161ed7a2be1d82cbf9d7d2a6dabe11a0 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 30 Oct 2024 20:27:27 -0400 Subject: [PATCH 1302/1462] Bump BoringSSL and/or OpenSSL in CI (#11868) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ef258ec474a4..bc37280e98fb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 30, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "756a322105ed458d3021431ca043eae0e4b83699"}} - # Latest commit on the OpenSSL master branch, as of Oct 29, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a3660729e68dc11c01edb4a349ff2610b6b59ee0"}} + # Latest commit on the BoringSSL master branch, as of Oct 31, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fa2b8e9998947c38d55f96954b44a8a3133149aa"}} + # Latest commit on the OpenSSL master branch, as of Oct 31, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8ff6edb9da6199b130bfb50bc27b2e58cc815932"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 3271ac88832c54f5a52b8b7aab811e6bc6bf1461 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 31 Oct 2024 10:33:30 +0000 Subject: [PATCH 1303/1462] Bump uv from 0.4.28 to 0.4.29 in /.github/requirements (#11870) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.28 to 0.4.29. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.28...0.4.29) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 1e9fe59ab071..f485bd223d6c 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.28 \ - --hash=sha256:09a50416622b5df476be774739d1682db9079b7bc7493346c2085cf11b91706b \ - --hash=sha256:22f6d4f95ceb4735a4c8f0555dda6761a57c8ee7fc1b6b7d7004d6a25a8aec38 \ - --hash=sha256:274b5af065a1a3a37456e9f1a8c1c4e9b07825be1c4135d299e022fb0547de38 \ - --hash=sha256:2c8c3a719d68181127fcf90c0e5d2a4b76bb405bf464e04c8bf5c6d356109cec \ - --hash=sha256:2e82236e655c5af1905d7ca15c3c96c28a878f2d77a2e4f714d5254baad85b2e \ - --hash=sha256:4ec1bf494dcf30984b5e6e8208d78a8a4e483855c45c3ea2b1d9e7201d8af00f \ - --hash=sha256:524f38d996b51c27d1342af0d4e69c1524fbcfe57c8e036498811a5079fab070 \ - --hash=sha256:6ea1fac8b9b8d785f66e2ab46296e6939a43ab85da538d3eea12a27dfefd84a6 \ - --hash=sha256:7932026532a8294969777fa500dbd3c3a80aada14ac131d9696d596d31068550 \ - --hash=sha256:8a32af23fc619e1e70923a498c097ec6eb120e764315ba164fa7ab8a65af9ba3 \ - --hash=sha256:a3c59d5a11e0ddf550e20ea10b5d26ed06acab1192d3b70fe3993444cfe8fd41 \ - --hash=sha256:bc33e318b676aeba2ea8bcd1e8f38623272b891200cefc54f9c420f4f4091434 \ - --hash=sha256:be1ce25068d24b42273182729dc1917654438797346a5d470606949ec344fb22 \ - --hash=sha256:d12b58c945e4805f06b954475642049d97f69796b9a4c5742a6e0a281de0db9c \ - --hash=sha256:d9b8543712257678a5ab7e6865486bc71903c231d151ad1aff663b1c25596744 \ - --hash=sha256:dea9d143e52cc295c9da9840530629196b0dc24c71b31a880f2f979fe3f1d62e \ - --hash=sha256:e44e46aecf42e7d075d3428864c42598b3397fd4cdf5fbf198b38673870ac932 \ - --hash=sha256:e680313c3b25eee9f9f521fab20746292cf6ef4e162e4f973e0758867702384f +uv==0.4.29 \ + --hash=sha256:0be21afa0e582ddc5badff6ef40c3c6784efc5feae4ad568307b668d40dc49bd \ + --hash=sha256:246da468ac0d51e7fb257cd038db2f8d6376ae269a44d01f56776e32108aa9da \ + --hash=sha256:24cccff9c248864ba0ab3429bae56314146c9494ce66a881d70ea8cf2805945f \ + --hash=sha256:287dc3fd3f78093a5a82136f01cbd9f224e0905b38d3dcffdc96c08fbbe48ee9 \ + 
--hash=sha256:3473b05142ba436ac30d036b7ab5e9bcfa97f63df5d1382f92e0a3e4aaa391bc \ + --hash=sha256:668d3e6095c6f0cac6a831ef4030f7ad79442d1c84b9569f01f50b60c2d51a77 \ + --hash=sha256:67dcfd253020e25ed1c49e5bd06406205c37264f99e14002de53a357cd1cdadf \ + --hash=sha256:68d4967b5f0af8bd46085e0f3ded229026700668a97734a21c3d11a5fc350c47 \ + --hash=sha256:6b03859068aaa08ca9907a51d403d54b0a9d8054091646845a9192f213f099d4 \ + --hash=sha256:7060dfbad0bc26e9cecbb4f8482445c958071511f23728948478f81acfb29048 \ + --hash=sha256:75927da78f74bb935314d236dc61ecdc192e878e06eb79585b6d9d5ee9829f98 \ + --hash=sha256:8c71663c7df4f512c697de39a4926dc191897f5fede73644bb2329f532c1ebfa \ + --hash=sha256:950bbfe1954e9c3a5d6c4777bb778b4c23d0dea9ad9f77622c45d4fbba433355 \ + --hash=sha256:9c559b6fdc042add463e86afa1c210716f7020bfc2e96b00df5af7afcb587ce7 \ + --hash=sha256:b5775db128b98251c3ea7874367fc20dce9f9aac3dbfa635e3ef4a1c56842d9c \ + --hash=sha256:cfb797a87b55d96cc0593e9f29ab5d58454be74598ea0158e1b2f4f2dc97cede \ + --hash=sha256:df35d9cbe4cfbb7bce287f56e3bb7a7cef0b7b5173ed889d936d4c470f2b1b83 \ + --hash=sha256:f6224a322267570e0470c61008fd1c8e2f50bf073b339f4c3010da86aef3c44c From a096e77b667de1a3a4e04599b5dbca1f2f027315 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 31 Oct 2024 10:57:40 +0000 Subject: [PATCH 1304/1462] Bump uv from 0.4.28 to 0.4.29 (#11869) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.28 to 0.4.29. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.28...0.4.29) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index bae66ea1f112..33daed01b065 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -292,7 +292,7 @@ urllib3==2.0.7 ; python_full_version < '3.8' # via requests urllib3==2.2.3 ; python_full_version >= '3.8' # via requests -uv==0.4.28 ; python_full_version >= '3.8' +uv==0.4.29 ; python_full_version >= '3.8' # via nox virtualenv==20.26.6 ; python_full_version < '3.8' # via nox From 813fc5124bda2f7cf32499b16eae6cc4b584e80a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 31 Oct 2024 21:26:35 -0400 Subject: [PATCH 1305/1462] Bump BoringSSL and/or OpenSSL in CI (#11872) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bc37280e98fb..ede0cc76aeb3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 31, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fa2b8e9998947c38d55f96954b44a8a3133149aa"}} - # Latest commit on the OpenSSL master branch, as of Oct 31, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8ff6edb9da6199b130bfb50bc27b2e58cc815932"}} + # Latest commit on the BoringSSL master branch, as of Nov 01, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "59f4cc4e90ec856504483a3125eccfe6c0a2b011"}} + # Latest commit on the OpenSSL master branch, as of Nov 01, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "59f5f6c73cd2e1e2bd8ef405fdb6fadf0711f639"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From e25ded435e110e6d5f18354d8c3eb8c9652d7c89 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Nov 2024 10:40:17 +0000 Subject: [PATCH 1306/1462] Bump flit-core from 3.9.0 to 3.10.0 in /.github/requirements (#11873) Bumps [flit-core](https://github.com/pypa/flit) from 3.9.0 to 3.10.0. - [Changelog](https://github.com/pypa/flit/blob/main/doc/history.rst) - [Commits](https://github.com/pypa/flit/compare/3.9.0...3.10.0) --- updated-dependencies: - dependency-name: flit-core dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 2e0119b947fc..1e6cc158f81e 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -73,9 +73,9 @@ cffi==1.17.1 ; platform_python_implementation != "PyPy" \ --hash=sha256:f7f5baafcc48261359e14bcd6d9bff6d4b28d9103847c9e136694cb0501aef87 \ --hash=sha256:fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b # via -r build-requirements.in -flit-core==3.9.0 \ - --hash=sha256:72ad266176c4a3fcfab5f2930d76896059851240570ce9a98733b658cb786eba \ - --hash=sha256:7aada352fb0c7f5538c4fafeddf314d3a6a92ee8e2b1de70482329e42de70301 +flit-core==3.10.0 \ + --hash=sha256:6d904233178b3c924f665947ac7d286f2ac799fb69087e39e56ceb4084724a97 \ + --hash=sha256:ca888c3ae0a5a4dae39f2db64f181b8b45143a6650c4b9ce6d171e45a6fa290a # via -r build-requirements.in maturin==1.7.4 \ --hash=sha256:0182a9638399c8835afd39d2aeacf56908e37cba3f7abb15816b9df6774fab81 \ From 3d36ff352e9a7ab0799366697c63e235f5dfc24d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Nov 2024 11:21:14 +0000 Subject: [PATCH 1307/1462] Bump syn from 2.0.85 to 2.0.86 (#11874) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.85 to 2.0.86. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.85...2.0.86) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/Cargo.lock b/Cargo.lock index af5888adcd94..f15b4719e744 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -334,9 +334,9 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "syn" -version = "2.0.85" +version = "2.0.86" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5023162dfcd14ef8f32034d8bcd4cc5ddc61ef7a247c024a33e24e1f24d21b56" +checksum = "e89275301d38033efb81a6e60e3497e734dfcc62571f2854bf4b16690398824c" dependencies = [ "proc-macro2", "quote", From 0c656381ee2146ff363fca979fff95748b8a9cf7 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 2 Nov 2024 00:17:02 +0000 Subject: [PATCH 1308/1462] Bump BoringSSL and/or OpenSSL in CI (#11877) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ede0cc76aeb3..4271a14e870d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 01, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "59f4cc4e90ec856504483a3125eccfe6c0a2b011"}} - # Latest commit on the OpenSSL master branch, as of Nov 01, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "59f5f6c73cd2e1e2bd8ef405fdb6fadf0711f639"}} + # Latest commit on the BoringSSL master branch, as of Nov 02, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "96472802acf39548d26958ee6809b26ca25baa7d"}} + # Latest commit on the OpenSSL master branch, as of Nov 02, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1d160dbf39fbdba89389ddff54e45bacf278b04a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 39738d77411e844857cbbbe638bb7bab845baefa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hanno=20B=C3=B6ck?= <990588+hannob@users.noreply.github.com> Date: Sun, 3 Nov 2024 14:27:34 +0100 Subject: [PATCH 1309/1462] Fix error message, Ed448 keys are 57 bytes (#11880) --- src/rust/src/backend/ed448.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index d27f6b361df3..113819b8e53f 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs 
@@ -45,7 +45,7 @@ fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { let pkey = openssl::pkey::PKey::private_key_from_raw_bytes(data.as_bytes(), openssl::pkey::Id::ED448) .map_err(|_| { - pyo3::exceptions::PyValueError::new_err("An Ed448 private key is 56 bytes long") + pyo3::exceptions::PyValueError::new_err("An Ed448 private key is 57 bytes long") })?; Ok(Ed448PrivateKey { pkey }) } From 62f115506274b6efcf6738c1f3d3a4facf58a48c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 3 Nov 2024 09:33:28 -0500 Subject: [PATCH 1310/1462] fixes #11878 -- check for keys too large when deriving an EC key from a private value (#11879) --- src/rust/src/backend/ec.rs | 4 +++- tests/hazmat/primitives/test_ec.py | 10 ++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 5a8efe7dac2e..793ae48cf59c 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -186,7 +186,9 @@ fn derive_private_key( point.mul_generator(&curve, &private_value, &bn_ctx)?; let ec = openssl::ec::EcKey::from_private_components(&curve, &private_value, &point) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid EC key"))?; - check_key_infinity(&ec)?; + ec.check_key().map_err(|_| { + pyo3::exceptions::PyValueError::new_err("Invalid EC key (key out of range, infinity, etc.)") + })?; let pkey = openssl::pkey::PKey::from_ec_key(ec)?; Ok(ECPrivateKey { diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index d33fd104cd53..2a30c6661f55 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py 
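Review bot: In `derive_private_key`, the new `ec.check_key()` runs only after `point.mul_generator(&curve, &private_value, &bn_ctx)` and `EcKey::from_private_components` have already consumed the unvalidated scalar, so an out-of-range private value is still used in a scalar multiplication before it is rejected. Consider reading the group order first (`curve.order(&mut order, &mut bn_ctx)?;`) and returning the `ValueError` when `private_value >= order`, which also lets the message say the value is out of range rather than the combined "key out of range, infinity, etc." text. `check_key()` presumably re-validates the whole key pair, so it adds work to every derivation; worth confirming that cost is acceptable. The function starts and ends outside this hunk, so whether `check_key_infinity` still has other callers cannot be seen from here.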
@@ -144,6 +144,16 @@ def test_derive_point_at_infinity(backend): ec.derive_private_key(q, ec.SECP256R1()) +def test_derive_point_invalid_key(backend): + curve = ec.SECP256R1() + _skip_curve_unsupported(backend, curve) + with pytest.raises(ValueError): + ec.derive_private_key( + 0xE2563328DFABF68188606B91324281C1D58A4456431B09D510B35FECC9F307CA1822846FA2671371A9A81BAC0E35749D, + curve, + ) + + def test_ec_numbers(): numbers = ec.EllipticCurvePrivateNumbers( 1, ec.EllipticCurvePublicNumbers(2, 3, DummyCurve()) From 86458256e486380e1b83d894d61f465f4b32a14e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 3 Nov 2024 09:48:10 -0500 Subject: [PATCH 1311/1462] Simplify ownership of VerificationCertificates (#11871) This removes a lifetime, at the cost of acquiring the GIL to do some increfs. --- .../src/certificate.rs | 14 ++++++ .../cryptography-x509-verification/src/lib.rs | 36 ++++++++-------- .../cryptography-x509-verification/src/ops.rs | 28 ++++++++++-- .../src/trust_store.rs | 6 ++- src/rust/src/x509/verify.rs | 43 +++++++------------ 5 files changed, 76 insertions(+), 51 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/certificate.rs b/src/rust/cryptography-x509-verification/src/certificate.rs index 2260fd6d9604..ec1dd33a8085 100644 --- a/src/rust/cryptography-x509-verification/src/certificate.rs +++ b/src/rust/cryptography-x509-verification/src/certificate.rs @@ -68,6 +68,20 @@ Xw4nMqk= ) -> Result<(), Self::Err> { Ok(()) } + + fn clone_public_key(key: &Self::Key) -> Self::Key { + key.clone() + } + + fn clone_extra(extra: &Self::CertificateExtra) -> Self::CertificateExtra { + extra.clone() + } + } + + #[test] + fn test_clone() { + assert_eq!(PublicKeyErrorOps::clone_public_key(&()), ()); + assert_eq!(PublicKeyErrorOps::clone_extra(&()), ()); } #[test] diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index f13c3541c3c2..7b874df5595e 100644 
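Review bot: `test_derive_point_invalid_key` only exercises a private value far wider than the SECP256R1 order, and `pytest.raises(ValueError)` accepts any `ValueError`, so the test would still pass if an unrelated check raised it. Adding cases at the group order and just above it would pin the boundary that the new `check_key()` call is meant to enforce, and `pytest.raises(ValueError, match="Invalid EC key")` would tie the test to the Rust-side error rather than to any earlier argument validation.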
--- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -239,14 +239,14 @@ impl<'a, 'chain> NameChain<'a, 'chain> { } } -pub type Chain<'a, 'c, B> = Vec<&'a VerificationCertificate<'c, B>>; - -pub fn verify<'a, 'chain: 'a, B: CryptoOps>( - leaf: &'a VerificationCertificate<'chain, B>, - intermediates: &'a [&'a VerificationCertificate<'chain, B>], - policy: &'a Policy<'_, B>, - store: &'a Store<'chain, B>, -) -> ValidationResult> { +pub type Chain<'c, B> = Vec>; + +pub fn verify<'chain, B: CryptoOps>( + leaf: &VerificationCertificate<'chain, B>, + intermediates: &[VerificationCertificate<'chain, B>], + policy: &Policy<'_, B>, + store: &Store<'chain, B>, +) -> ValidationResult> { let builder = ChainBuilder::new(intermediates, policy, store); let mut budget = Budget::new(); @@ -254,7 +254,7 @@ pub fn verify<'a, 'chain: 'a, B: CryptoOps>( } struct ChainBuilder<'a, 'chain, B: CryptoOps> { - intermediates: &'a [&'a VerificationCertificate<'chain, B>], + intermediates: &'a [VerificationCertificate<'chain, B>], policy: &'a Policy<'a, B>, store: &'a Store<'chain, B>, } @@ -278,9 +278,9 @@ impl ApplyNameConstraintStatus { } } -impl<'a, 'chain: 'a, B: CryptoOps> ChainBuilder<'a, 'chain, B> { +impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn new( - intermediates: &'a [&'a VerificationCertificate<'chain, B>], + intermediates: &'a [VerificationCertificate<'chain, B>], policy: &'a Policy<'a, B>, store: &'a Store<'chain, B>, ) -> Self { 
@@ -300,19 +300,19 @@ impl<'a, 'chain: 'a, B: CryptoOps> ChainBuilder<'a, 'chain, B> { self.store .get_by_subject(&cert.certificate().tbs_cert.issuer) .iter() - .chain(self.intermediates.iter().copied().filter(|&candidate| { + .chain(self.intermediates.iter().filter(|&candidate| { candidate.certificate().subject() == cert.certificate().issuer() })) } fn build_chain_inner( &self, - working_cert: &'a VerificationCertificate<'chain, B>, + working_cert: &VerificationCertificate<'chain, B>, current_depth: u8, working_cert_extensions: &Extensions<'chain>, name_chain: NameChain<'_, 'chain>, budget: &mut Budget, - ) -> ValidationResult> { + ) -> ValidationResult> { if let Some(nc) = working_cert_extensions.get_extension(&NAME_CONSTRAINTS_OID) { name_chain.evaluate_constraints(&nc.value()?, budget)?; } @@ -320,7 +320,7 @@ impl<'a, 'chain: 'a, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // Look in the store's root set to see if the working cert is listed. // If it is, we've reached the end. if self.store.contains(working_cert) { - return Ok(vec![working_cert]); + return Ok(vec![working_cert.clone()]); } // Check that our current depth does not exceed our policy-configured @@ -383,7 +383,7 @@ impl<'a, 'chain: 'a, B: CryptoOps> ChainBuilder<'a, 'chain, B> { budget, ) { Ok(mut chain) => { - chain.push(working_cert); + chain.push(working_cert.clone()); return Ok(chain); } // Immediately return on fatal error. @@ -413,9 +413,9 @@ impl<'a, 'chain: 'a, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn build_chain( &self, - leaf: &'a VerificationCertificate<'chain, B>, + leaf: &VerificationCertificate<'chain, B>, budget: &mut Budget, - ) -> ValidationResult> { + ) -> ValidationResult> { // Before anything else, check whether the given leaf cert // is well-formed according to our policy (and its underlying // certificate profile). diff --git a/src/rust/cryptography-x509-verification/src/ops.rs b/src/rust/cryptography-x509-verification/src/ops.rs index 1b2f593ccc0b..adbb7681d649 100644 
--- a/src/rust/cryptography-x509-verification/src/ops.rs +++ b/src/rust/cryptography-x509-verification/src/ops.rs @@ -5,13 +5,13 @@ use cryptography_x509::certificate::Certificate; pub struct VerificationCertificate<'a, B: CryptoOps> { - cert: Certificate<'a>, + cert: &'a Certificate<'a>, public_key: once_cell::sync::OnceCell, extra: B::CertificateExtra, } impl<'a, B: CryptoOps> VerificationCertificate<'a, B> { - pub fn new(cert: Certificate<'a>, extra: B::CertificateExtra) -> Self { + pub fn new(cert: &'a Certificate<'a>, extra: B::CertificateExtra) -> Self { VerificationCertificate { cert, extra, @@ -20,7 +20,7 @@ impl<'a, B: CryptoOps> VerificationCertificate<'a, B> { } pub fn certificate(&self) -> &Certificate<'a> { - &self.cert + self.cert } pub fn public_key(&self, ops: &B) -> Result<&B::Key, B::Err> { @@ -40,6 +40,22 @@ impl PartialEq for VerificationCertificate<'_, B> { } impl Eq for VerificationCertificate<'_, B> {} +impl Clone for VerificationCertificate<'_, B> { + fn clone(&self) -> Self { + Self { + cert: self.cert, + extra: B::clone_extra(&self.extra), + public_key: { + let cell = once_cell::sync::OnceCell::new(); + if let Some(k) = self.public_key.get() { + cell.set(B::clone_public_key(k)).ok().unwrap(); + } + cell + }, + } + } +} + pub trait CryptoOps { /// A public key type for this cryptographic backend. type Key; @@ -58,6 +74,12 @@ pub trait CryptoOps { /// Verifies the signature on `Certificate` using the given /// `Key`. fn verify_signed_by(&self, cert: &Certificate<'_>, key: &Self::Key) -> Result<(), Self::Err>; + + // Makes a `clone` of `Key` + fn clone_public_key(extra: &Self::Key) -> Self::Key; + + // Makes a `clone` of `CertificateExtra` + fn clone_extra(extra: &Self::CertificateExtra) -> Self::CertificateExtra; } #[cfg(test)] diff --git a/src/rust/cryptography-x509-verification/src/trust_store.rs b/src/rust/cryptography-x509-verification/src/trust_store.rs index 1d76bd584a5a..c3b525930d9f 100644 
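Review bot: In the new `Clone` impl for `VerificationCertificate`, `cell.set(B::clone_public_key(k)).ok().unwrap();` unwraps on a path that cannot fail, but nothing in the code says why. A one-line comment such as `// A freshly created cell is empty, so set() cannot fail.` would make the invariant explicit for the next reader. If the pinned `once_cell` version provides it, `OnceCell::with_value(B::clone_public_key(k))` expresses the same thing without an unwrap.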
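Review bot: The two methods added to `CryptoOps` are documented with `//` while the neighbouring trait items use `///`, so their descriptions will not show up in rustdoc, and `clone_public_key` names its key parameter `extra`, which looks like a copy-paste from `clone_extra`. Suggest `fn clone_public_key(key: &Self::Key) -> Self::Key;` and switching both comments to `///`. Because every backend now has to implement these, the doc comments are also the place to state that the clone must refer to the same underlying key and extra data as the original.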
--- a/src/rust/cryptography-x509-verification/src/trust_store.rs +++ b/src/rust/cryptography-x509-verification/src/trust_store.rs @@ -51,8 +51,10 @@ mod tests { #[test] fn test_store() { let cert_pem = v1_cert_pem(); - let cert1 = VerificationCertificate::new(cert(&cert_pem), ()); - let cert2 = VerificationCertificate::new(cert(&cert_pem), ()); + let c1 = cert(&cert_pem); + let c2 = cert(&cert_pem); + let cert1 = VerificationCertificate::new(&c1, ()); + let cert2 = VerificationCertificate::new(&c2, ()); let store = Store::<'_, PublicKeyErrorOps>::new([cert1]); assert!(store.contains(&cert2)); diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index face9acf674f..2483544710df 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -46,6 +46,14 @@ impl CryptoOps for PyCryptoOps { ) }) } + + fn clone_public_key(key: &Self::Key) -> Self::Key { + pyo3::Python::with_gil(|py| key.clone_ref(py)) + } + + fn clone_extra(extra: &Self::CertificateExtra) -> Self::CertificateExtra { + pyo3::Python::with_gil(|py| extra.clone_ref(py)) + } } pyo3::create_exception!( @@ -277,23 +285,14 @@ impl PyClientVerifier { let intermediates = intermediates .iter() - .map(|i| { - VerificationCertificate::new( - i.get().raw.borrow_dependent().clone(), - i.clone_ref(py), - ) - }) + .map(|i| VerificationCertificate::new(i.get().raw.borrow_dependent(), i.clone_ref(py))) .collect::>(); - let intermediate_refs = intermediates.iter().collect::>(); - let v = VerificationCertificate::new( - leaf.get().raw.borrow_dependent().clone(), - leaf.clone_ref(py), - ); + let v = VerificationCertificate::new(leaf.get().raw.borrow_dependent(), leaf.clone_ref(py)); let chain = cryptography_x509_verification::verify( &v, - &intermediate_refs, + &intermediates, policy, store.raw.borrow_dependent(), ) 
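Review bot: `clone_public_key` and `clone_extra` in `PyCryptoOps` call `pyo3::Python::with_gil` on every clone, and the chain builder now clones a `VerificationCertificate` for each element of the returned chain, but the code carries no comment explaining why the GIL is taken here. A short comment such as `// The trait has no py token; this only bumps a Python refcount.` above each call would record the trade-off the commit message describes. The verifier methods visible in this patch take `py`, so the GIL is presumably already held and the call is cheap; if verification is ever moved under a released GIL, these calls would block to reacquire it, which is worth stating in the same comment. The `impl CryptoOps for PyCryptoOps` block starts outside this hunk.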
@@ -370,23 +369,14 @@ impl PyServerVerifier { let intermediates = intermediates .iter() - .map(|i| { - VerificationCertificate::new( - i.get().raw.borrow_dependent().clone(), - i.clone_ref(py), - ) - }) + .map(|i| VerificationCertificate::new(i.get().raw.borrow_dependent(), i.clone_ref(py))) .collect::>(); - let intermediate_refs = intermediates.iter().collect::>(); - let v = VerificationCertificate::new( - leaf.get().raw.borrow_dependent().clone(), - leaf.clone_ref(py), - ); + let v = VerificationCertificate::new(leaf.get().raw.borrow_dependent(), leaf.clone_ref(py)); let chain = cryptography_x509_verification::verify( &v, - &intermediate_refs, + &intermediates, policy, store.raw.borrow_dependent(), ) @@ -479,10 +469,7 @@ impl PyStore { Ok(Self { raw: RawPyStore::new(certs, |v| { Store::new(v.iter().map(|t| { - VerificationCertificate::new( - t.get().raw.borrow_dependent().clone(), - t.clone_ref(py), - ) + VerificationCertificate::new(t.get().raw.borrow_dependent(), t.clone_ref(py)) })) }), }) From 09dfc983a4717511124572636c5f0eac285f3273 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sun, 3 Nov 2024 15:49:47 +0100 Subject: [PATCH 1312/1462] feat(admissions): add naming authority type for the admissions extension (#11876) * feat(admissions): add naming authority python type for the admissions extension Signed-off-by: oleg.hoefling * feat(admissions): user short names for naming authority fields Signed-off-by: oleg.hoefling * feat(admissions): add naming authority rust type for the admissions extension Signed-off-by: oleg.hoefling * chore: use assert_eq macro for value comparison in naming authority test Signed-off-by: oleg.hoefling * chore: drop useless test for naming authority rust type Signed-off-by: oleg.hoefling * fix: correct the naming authority text type Signed-off-by: oleg.hoefling --------- 
Signed-off-by: oleg.hoefling --- src/cryptography/x509/__init__.py | 2 + src/cryptography/x509/extensions.py | 58 ++++++++++ src/rust/cryptography-x509/src/extensions.rs | 6 ++ tests/x509/test_x509_ext.py | 106 +++++++++++++++++++ 4 files changed, 172 insertions(+) diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py index 26c6444c511f..be229bcc5bf7 100644 --- a/src/cryptography/x509/__init__.py +++ b/src/cryptography/x509/__init__.py @@ -55,6 +55,7 @@ KeyUsage, MSCertificateTemplate, NameConstraints, + NamingAuthority, NoticeReference, OCSPAcceptableResponses, OCSPNoCheck, @@ -216,6 +217,7 @@ "NameAttribute", "NameConstraints", "NameOID", + "NamingAuthority", "NoticeReference", "OCSPAcceptableResponses", "OCSPNoCheck", diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index 48127e35f071..cc2901eb434c 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py 
@@ -2164,6 +2164,64 @@ def public_bytes(self) -> bytes: return rust_x509.encode_extension_value(self) +class NamingAuthority: + def __init__( + self, + id: ObjectIdentifier | None, + url: str | None, + text: str | None, + ) -> None: + if id is not None and not isinstance(id, ObjectIdentifier): + raise TypeError("id must be an ObjectIdentifier") + + if url is not None and not isinstance(url, str): + raise TypeError("url must be a str") + + if text is not None and not isinstance(text, str): + raise TypeError("text must be a str") + + self._id = id + self._url = url + self._text = text + + @property + def id(self) -> ObjectIdentifier | None: + return self._id + + @property + def url(self) -> str | None: + return self._url + + @property + def text(self) -> str | None: + return self._text + + def __repr__(self) -> str: + return ( + f"" + ) + + def __eq__(self, other: object) -> bool: + if not isinstance(other, NamingAuthority): + return NotImplemented + + return ( + self.id == other.id + and self.url == other.url + and self.text == other.text + ) + + def __hash__(self) -> int: + return hash( + ( + self.id, + self.url, + self.text, + ) + ) + + class UnrecognizedExtension(ExtensionType): def __init__(self, oid: ObjectIdentifier, value: bytes) -> None: if not isinstance(oid, ObjectIdentifier): diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index 1fddb3ecf83a..cbf9a4611f1b 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -285,6 +285,12 @@ impl KeyUsage<'_> { } } +pub struct NamingAuthority<'a> { + pub id: Option, + pub url: Option>, + pub text: Option>, +} + #[cfg(test)] mod tests { use super::{BasicConstraints, Extension, Extensions, KeyUsage}; diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index 4f75c2987b2e..5b94c08fcc00 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py 
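Review bot: `NamingAuthority.__init__` checks only that `url` and `text` are `str`, so a value the encoder cannot represent is accepted at construction and would fail (or be mis-encoded) only later when the extension is serialized. If the Rust side encodes `url` as an ASCII-only string type, which the stripped generics in the `extensions.rs` hunk do not let me confirm, an early check such as `url.encode("ascii")` with a `ValueError` on failure would surface the problem where the caller can act on it. Separately, the parameter name `id` shadows the builtin inside `__init__`; that is harmless here but worth a brief comment or a local alias if the body grows.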
@@ -6331,6 +6331,112 @@ def test_public_bytes(self): ) +class TestNamingAuthority: + def test_invalid_init(self): + with pytest.raises(TypeError): + x509.NamingAuthority( + 42, # type:ignore[arg-type] + None, + None, + ) + with pytest.raises(TypeError): + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), + 42, # type:ignore[arg-type] + None, + ) + with pytest.raises(TypeError): + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), + "https://example.com", + 42, # type:ignore[arg-type] + ) + + def test_eq(self): + authority1 = x509.NamingAuthority(None, None, None) + authority2 = x509.NamingAuthority(None, None, None) + assert authority1 == authority2 + + authority1 = x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ) + authority2 = x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ) + assert authority1 == authority2 + + def test_ne(self): + authority1 = x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ) + authority2 = x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), None, None + ) + authority3 = x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", None + ) + authority4 = x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), None, "spam" + ) + authority5 = x509.NamingAuthority(None, "https://example.com", "spam") + authority6 = x509.NamingAuthority(None, None, "spam") + authority7 = x509.NamingAuthority(None, "https://example.com", None) + authority8 = x509.NamingAuthority(None, None, None) + assert authority1 != authority2 + assert authority1 != authority3 + assert authority1 != authority4 + assert authority1 != authority5 + assert authority1 != authority6 + assert authority1 != authority7 + assert authority1 != authority8 + assert authority1 != object() + + def test_repr(self): + authority = x509.NamingAuthority(None, None, None) + assert repr(authority) == ( + "" + ) + + authority = x509.NamingAuthority( 
+ x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ) + assert repr(authority) == ( + ", " + "url=https://example.com, text=spam)>" + ) + + def test_hash(self): + authority1 = x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ) + authority2 = x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ) + authority3 = x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), None, None + ) + authority4 = x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", None + ) + authority5 = x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), None, "spam" + ) + authority6 = x509.NamingAuthority(None, "https://example.com", "spam") + authority7 = x509.NamingAuthority(None, None, "spam") + authority8 = x509.NamingAuthority(None, "https://example.com", None) + authority9 = x509.NamingAuthority(None, None, None) + + assert hash(authority1) == hash(authority2) + assert hash(authority1) != hash(authority3) + assert hash(authority1) != hash(authority4) + assert hash(authority1) != hash(authority5) + assert hash(authority1) != hash(authority6) + assert hash(authority1) != hash(authority7) + assert hash(authority1) != hash(authority8) + assert hash(authority1) != hash(authority9) + + def test_all_extension_oid_members_have_names_defined(): for oid in dir(ExtensionOID): if oid.startswith("__"): From 9e46c930349f38c83b7d531939f8301cd22232de Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Sun, 3 Nov 2024 09:57:50 -0500 Subject: [PATCH 1313/1462] start refactoring `ValidationError` in prep for tracking which cert had the error (#11844) The end goal is that `ValidationError` will include a cert field, which optionally contains a `VerificationCertificate` where relevant refs #11160 --- .../cryptography-x509-verification/src/lib.rs | 132 ++++++++++-------- .../src/policy/extension.rs | 78 ++++++----- .../src/policy/mod.rs | 61 ++++---- 3 files changed, 154 insertions(+), 117 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 7b874df5595e..1e6219b09e6a 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -33,7 +33,7 @@ use crate::types::{DNSConstraint, IPAddress, IPConstraint}; use crate::ApplyNameConstraintStatus::{Applied, Skipped}; #[derive(Debug)] -pub enum ValidationError { +pub enum ValidationErrorKind { CandidatesExhausted(Box), Malformed(asn1::ParseError), ExtensionError { 
@@ -43,36 +43,46 @@ pub enum ValidationError { FatalError(&'static str), Other(String), } +#[derive(Debug)] +pub struct ValidationError { + kind: ValidationErrorKind, +} + +impl ValidationError { + pub(crate) fn new(kind: ValidationErrorKind) -> ValidationError { + ValidationError { kind } + } +} pub type ValidationResult = Result; impl From for ValidationError { fn from(value: asn1::ParseError) -> Self { - Self::Malformed(value) + Self::new(ValidationErrorKind::Malformed(value)) } } impl From for ValidationError { fn from(value: DuplicateExtensionsError) -> Self { - Self::ExtensionError { + Self::new(ValidationErrorKind::ExtensionError { oid: value.0, reason: "duplicate extension", - } + }) } } impl Display for ValidationError { fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { - match self { - ValidationError::CandidatesExhausted(inner) => { + match &self.kind { + ValidationErrorKind::CandidatesExhausted(inner) => { write!(f, "candidates exhausted: {inner}") } - ValidationError::Malformed(err) => err.fmt(f), - ValidationError::ExtensionError { oid, reason } => { + ValidationErrorKind::Malformed(err) => err.fmt(f), + ValidationErrorKind::ExtensionError { oid, reason } => { write!(f, "invalid extension: {oid}: {reason}") } - ValidationError::FatalError(err) => write!(f, "fatal error: {err}"), - ValidationError::Other(err) => write!(f, "{err}"), + ValidationErrorKind::FatalError(err) => write!(f, "fatal error: {err}"), + ValidationErrorKind::Other(err) => write!(f, "{err}"), } } } @@ -93,11 +103,11 @@ impl Budget { fn name_constraint_check(&mut self) -> ValidationResult<()> { self.name_constraint_checks = - self.name_constraint_checks - .checked_sub(1) - .ok_or(ValidationError::FatalError( + self.name_constraint_checks.checked_sub(1).ok_or_else(|| { + ValidationError::new(ValidationErrorKind::FatalError( "Exceeded maximum name constraint check limit", - ))?; + )) + })?; Ok(()) } } 
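Review bot: The new `ValidationError` struct keeps `kind` private and its only constructor is `pub(crate)`, and the hunk adds no accessor, so code outside this crate can tell error kinds apart only through the `Display` text. Whether any caller in another crate needs to branch on the kind is not visible here; if one does, a read-only accessor such as `pub fn kind(&self) -> &ValidationErrorKind { &self.kind }` would avoid matching on message strings. The struct and `new` also have no doc comments; `/// A validation failure, wrapping the specific ValidationErrorKind.` would do for the struct.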
@@ -138,14 +148,14 @@ impl<'a, 'chain> NameChain<'a, 'chain> { (GeneralName::DNSName(pattern), GeneralName::DNSName(name)) => { match (DNSConstraint::new(pattern.0), DNSName::new(name.0)) { (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))), - (_, None) => Err(ValidationError::Other(format!( + (_, None) => Err(ValidationError::new(ValidationErrorKind::Other(format!( "unsatisfiable DNS name constraint: malformed SAN {}", name.0 - ))), - (None, _) => Err(ValidationError::Other(format!( + )))), + (None, _) => Err(ValidationError::new(ValidationErrorKind::Other(format!( "malformed DNS name constraint: {}", pattern.0 - ))), + )))), } } (GeneralName::IPAddress(pattern), GeneralName::IPAddress(name)) => { @@ -154,27 +164,27 @@ impl<'a, 'chain> NameChain<'a, 'chain> { IPAddress::from_bytes(name), ) { (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))), - (_, None) => Err(ValidationError::Other(format!( + (_, None) => Err(ValidationError::new(ValidationErrorKind::Other(format!( "unsatisfiable IP name constraint: malformed SAN {:?}", name, - ))), - (None, _) => Err(ValidationError::Other(format!( + )))), + (None, _) => Err(ValidationError::new(ValidationErrorKind::Other(format!( "malformed IP name constraints: {:?}", pattern - ))), + )))), } } (GeneralName::RFC822Name(pattern), GeneralName::RFC822Name(name)) => { match (RFC822Constraint::new(pattern.0), RFC822Name::new(name.0)) { (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))), - (_, None) => Err(ValidationError::Other(format!( + (_, None) => Err(ValidationError::new(ValidationErrorKind::Other(format!( "unsatisfiable RFC822 name constraint: malformed SAN {:?}", name.0, - ))), - (None, _) => Err(ValidationError::Other(format!( + )))), + (None, _) => Err(ValidationError::new(ValidationErrorKind::Other(format!( "malformed RFC822 name constraints: {:?}", pattern.0 - ))), + )))), } } // All other matching pairs of (constraint, name) are currently unsupported. 
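Review bot: In the DNS arm the two `Other` messages interpolate `name.0` and `pattern.0` with `{}`, while the IP and RFC822 arms in the next hunk use `{:?}`; both values come from the certificate being validated, so the DNS messages carry them into error text unescaped. Assuming `.0` is a string slice here, switching to `{:?}` (`"unsatisfiable DNS name constraint: malformed SAN {:?}"`, `"malformed DNS name constraint: {:?}"`) would escape control characters and make the three arms consistent. This changes the message text, so any test comparing the exact string needs updating. The enclosing function starts and ends outside the hunk.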
@@ -186,9 +196,11 @@ impl<'a, 'chain> NameChain<'a, 'chain> { GeneralName::UniformResourceIdentifier(_), GeneralName::UniformResourceIdentifier(_), ) - | (GeneralName::RegisteredID(_), GeneralName::RegisteredID(_)) => Err( - ValidationError::Other("unsupported name constraint".to_string()), - ), + | (GeneralName::RegisteredID(_), GeneralName::RegisteredID(_)) => { + Err(ValidationError::new(ValidationErrorKind::Other( + "unsupported name constraint".to_string(), + ))) + } _ => Ok(Skipped), } } @@ -218,18 +230,18 @@ impl<'a, 'chain> NameChain<'a, 'chain> { } if !permit { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "no permitted name constraints matched SAN".into(), - )); + ))); } if let Some(excluded_subtrees) = &constraints.excluded_subtrees { for e in excluded_subtrees.unwrap_read().clone() { let status = self.evaluate_single_constraint(&e.base, &san, budget)?; if status.is_match() { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "excluded name constraint matched SAN".into(), - )); + ))); } } } @@ -327,9 +339,9 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // max depth. We do this after the root set check, since the depth // only measures the intermediate chain's length, not the root or leaf. if current_depth > self.policy.max_chain_depth { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "chain construction exceeds max depth".into(), - )); + ))); } // Otherwise, we collect a list of potential issuers for this cert, 
@@ -365,9 +377,9 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // See https://gist.github.com/woodruffw/776153088e0df3fc2f0675c5e835f7b8 // for an example of this change. current_depth.checked_add(1).ok_or_else(|| { - ValidationError::Other( + ValidationError::new(ValidationErrorKind::Other( "current depth calculation overflowed".to_string(), - ) + )) })?, &issuer_extensions, NameChain::new( @@ -387,7 +399,11 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { return Ok(chain); } // Immediately return on fatal error. - Err(e @ ValidationError::FatalError(..)) => return Err(e), + Err( + e @ ValidationError { + kind: ValidationErrorKind::FatalError(..), + }, + ) => return Err(e), Err(e) => last_err = Some(e), }; } @@ -397,18 +413,22 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // We only reach this if we fail to hit our base case above, or if // a chain building step fails to find a next valid certificate. - Err(ValidationError::CandidatesExhausted(last_err.map_or_else( - || { - Box::new(ValidationError::Other( - "all candidates exhausted with no interior errors".to_string(), - )) - }, - |e| match e { - // Avoid spamming the user with nested `CandidatesExhausted` errors. - ValidationError::CandidatesExhausted(e) => e, - _ => Box::new(e), - }, - ))) + Err(ValidationError::new( + ValidationErrorKind::CandidatesExhausted(last_err.map_or_else( + || { + Box::new(ValidationError::new(ValidationErrorKind::Other( + "all candidates exhausted with no interior errors".to_string(), + ))) + }, + |e| match e { + // Avoid spamming the user with nested `CandidatesExhausted` errors. + ValidationError { + kind: ValidationErrorKind::CandidatesExhausted(e), + } => e, + _ => Box::new(e), + }, + )), + )) } fn build_chain( 
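Review bot: The fatal-error arm now matches `ValidationError { kind: ValidationErrorKind::FatalError(..) }` with no trailing `..`, and the `CandidatesExhausted` arm in the following hunk does the same, so both patterns name every field of the struct. The commit message says a `cert` field is planned; writing the patterns with `..` now, or as `Err(e) if matches!(e.kind, ValidationErrorKind::FatalError(..)) => return Err(e),`, keeps this short-circuit untouched when that field lands. This arm is what stops chain building once the name-constraint budget is exhausted, so a comment saying so above it would help the next editor. The enclosing function starts and ends outside the hunk.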
@@ -444,23 +464,25 @@ mod tests { use asn1::ParseError; use cryptography_x509::oid::SUBJECT_ALTERNATIVE_NAME_OID; - use crate::ValidationError; + use crate::{ValidationError, ValidationErrorKind}; #[test] fn test_validationerror_display() { - let err = ValidationError::Malformed(ParseError::new(asn1::ParseErrorKind::InvalidLength)); + let err = ValidationError::new(ValidationErrorKind::Malformed(ParseError::new( + asn1::ParseErrorKind::InvalidLength, + ))); assert_eq!(err.to_string(), "ASN.1 parsing error: invalid length"); - let err = ValidationError::ExtensionError { + let err = ValidationError::new(ValidationErrorKind::ExtensionError { oid: SUBJECT_ALTERNATIVE_NAME_OID, reason: "duplicate extension", - }; + }); assert_eq!( err.to_string(), "invalid extension: 2.5.29.17: duplicate extension" ); - let err = ValidationError::FatalError("oops"); + let err = ValidationError::new(ValidationErrorKind::FatalError("oops")); assert_eq!(err.to_string(), "fatal error: oops"); } } diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs index ae9a2a23fbe0..c17d66caecf4 100644 --- a/src/rust/cryptography-x509-verification/src/policy/extension.rs +++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs @@ -12,7 +12,9 @@ use cryptography_x509::{ extensions::{Extension, Extensions}, }; -use crate::{ops::CryptoOps, policy::Policy, ValidationError, ValidationResult}; +use crate::{ + ops::CryptoOps, policy::Policy, ValidationError, ValidationErrorKind, ValidationResult, +}; pub(crate) struct ExtensionPolicy { pub(crate) authority_information_access: ExtensionValidator, 
@@ -81,10 +83,10 @@ impl ExtensionPolicy { self.extended_key_usage.permits(policy, cert, Some(&ext))?; } _ if ext.critical => { - return Err(ValidationError::ExtensionError { + return Err(ValidationError::new(ValidationErrorKind::ExtensionError { oid: ext.extn_id, reason: "certificate contains unaccounted-for critical extensions", - }); + })); } _ => {} } @@ -205,13 +207,15 @@ impl ExtensionValidator { // Extension MUST NOT be present and isn't; OK. (ExtensionValidator::NotPresent, None) => Ok(()), // Extension MUST NOT be present but is; NOT OK. - (ExtensionValidator::NotPresent, Some(extn)) => Err(ValidationError::ExtensionError { - oid: extn.extn_id.clone(), - reason: "Certificate contains prohibited extension", - }), + (ExtensionValidator::NotPresent, Some(extn)) => { + Err(ValidationError::new(ValidationErrorKind::ExtensionError { + oid: extn.extn_id.clone(), + reason: "Certificate contains prohibited extension", + })) + } // Extension MUST be present but is not; NOT OK. - (ExtensionValidator::Present { .. }, None) => Err(ValidationError::Other( - "Certificate is missing required extension".to_string(), + (ExtensionValidator::Present { .. }, None) => Err(ValidationError::new( + ValidationErrorKind::Other("Certificate is missing required extension".to_string()), )), // Extension MUST be present and is; check it. ( @@ -222,10 +226,10 @@ impl ExtensionValidator { Some(extn), ) => { if !criticality.permits(extn.critical) { - return Err(ValidationError::ExtensionError { + return Err(ValidationError::new(ValidationErrorKind::ExtensionError { oid: extn.extn_id.clone(), reason: "Certificate extension has incorrect criticality", - }); + })); } // If a custom validator is supplied, apply it. 
@@ -242,10 +246,10 @@ impl ExtensionValidator { match extn { // If the extension is present, apply our criticality check. Some(extn) if !criticality.permits(extn.critical) => { - Err(ValidationError::ExtensionError { + Err(ValidationError::new(ValidationErrorKind::ExtensionError { oid: extn.extn_id.clone(), reason: "Certificate extension has incorrect criticality", - }) + })) } // If a custom validator is supplied, apply it. _ => validator.map_or(Ok(()), |v| v(policy, cert, extn)), @@ -265,7 +269,7 @@ pub(crate) mod ee { use crate::{ ops::CryptoOps, - policy::{Policy, ValidationError, ValidationResult}, + policy::{Policy, ValidationError, ValidationErrorKind, ValidationResult}, }; pub(crate) fn basic_constraints( @@ -277,9 +281,9 @@ pub(crate) mod ee { let basic_constraints: BasicConstraints = extn.value()?; if basic_constraints.ca { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "basicConstraints.cA must not be asserted in an EE certificate".to_string(), - )); + ))); } } @@ -294,15 +298,15 @@ pub(crate) mod ee { match (cert.subject().is_empty(), extn.critical) { // If the subject is empty, the SAN MUST be critical. (true, false) => { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "EE subjectAltName MUST be critical when subject is empty".to_string(), - )); + ))); } // If the subject is non-empty, the SAN MUST NOT be critical. (false, true) => { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "EE subjectAltName MUST NOT be critical when subject is nonempty".to_string(), - )) + ))) } _ => (), }; 
@@ -314,9 +318,9 @@ pub(crate) mod ee { if let Some(sub) = policy.subject.as_ref() { let san: SubjectAlternativeName<'_> = extn.value()?; if !sub.matches(&san) { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "leaf certificate has no matching subjectAltName".into(), - )); + ))); } } @@ -340,7 +344,9 @@ pub(crate) mod ee { if ekus.any(|eku| eku == policy.extended_key_usage) { Ok(()) } else { - Err(ValidationError::Other("required EKU not found".to_string())) + Err(ValidationError::new(ValidationErrorKind::Other( + "required EKU not found".to_string(), + ))) } } else { Ok(()) @@ -356,9 +362,9 @@ pub(crate) mod ee { let key_usage: KeyUsage<'_> = extn.value()?; if key_usage.key_cert_sign() { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "EE keyUsage must not assert keyCertSign".to_string(), - )); + ))); } } @@ -378,7 +384,7 @@ pub(crate) mod ca { use crate::{ ops::CryptoOps, - policy::{Policy, ValidationError, ValidationResult}, + policy::{Policy, ValidationError, ValidationErrorKind, ValidationResult}, }; pub(crate) fn authority_key_identifier( @@ -407,9 +413,9 @@ pub(crate) mod ca { // keyIdentifier MUST be present. // TODO: Check that keyIdentifier matches subjectKeyIdentifier. if aki.key_identifier.is_none() { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "authorityKeyIdentifier must contain keyIdentifier".to_string(), - )); + ))); } // NOTE: CABF 7.1.2.1.3 says that Root CAs MUST NOT @@ -432,9 +438,9 @@ pub(crate) mod ca { let key_usage: KeyUsage<'_> = extn.value()?; if !key_usage.key_cert_sign() { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "keyUsage.keyCertSign must be asserted in a CA certificate".to_string(), - )); + ))); } Ok(()) 
@@ -448,9 +454,9 @@ pub(crate) mod ca { let basic_constraints: BasicConstraints = extn.value()?; if !basic_constraints.ca { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "basicConstraints.cA must be asserted in a CA certificate".to_string(), - )); + ))); } // NOTE: basicConstraints.pathLength is checked as part of @@ -478,10 +484,10 @@ pub(crate) mod ca { .map_or(true, |est| est.unwrap_read().is_empty()); if permitted_subtrees_empty && excluded_subtrees_empty { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "nameConstraints must have non-empty permittedSubtrees or excludedSubtrees" .to_string(), - )); + ))); } // NOTE: Both RFC 5280 and CABF require each `GeneralSubtree` @@ -505,7 +511,9 @@ pub(crate) mod ca { if ekus.any(|eku| eku == policy.extended_key_usage || eku == EKU_ANY_KEY_USAGE_OID) { Ok(()) } else { - Err(ValidationError::Other("required EKU not found".to_string())) + Err(ValidationError::new(ValidationErrorKind::Other( + "required EKU not found".to_string(), + ))) } } else { Ok(()) diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 5a0c0646b2cd..daeb396e4163 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -27,7 +27,7 @@ use once_cell::sync::Lazy; use crate::ops::CryptoOps; use crate::policy::extension::{ca, common, ee, Criticality, ExtensionPolicy, ExtensionValidator}; use crate::types::{DNSName, DNSPattern, IPAddress}; -use crate::{ValidationError, ValidationResult, VerificationCertificate}; +use crate::{ValidationError, ValidationErrorKind, ValidationResult, VerificationCertificate}; // RSA key constraints, as defined in CA/B 6.1.5. static WEBPKI_MINIMUM_RSA_MODULUS: usize = 2048; 
@@ -377,18 +377,18 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // CA/B 7.1.1: // Certificates MUST be of type X.509 v3. if cert.tbs_cert.version != 2 { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "certificate must be an X509v3 certificate".to_string(), - )); + ))); } // 5280 4.1.1.2 / 4.1.2.3: signatureAlgorithm / TBS Certificate Signature // The top-level signatureAlgorithm and TBSCert signature algorithm // MUST match. if cert.signature_alg != cert.tbs_cert.signature_alg { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "mismatch between signatureAlgorithm and SPKI algorithm".to_string(), - )); + ))); } // 5280 4.1.2.2: Serial Number @@ -402,21 +402,21 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // 21 octets, since some CAs generate 20 bytes of randomness and // then forget to check whether that number would be negative, resulting // in a 21-byte encoding. - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "certificate must have a serial between 1 and 20 octets".to_string(), - )); + ))); } else if serial.is_negative() { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "certificate serial number cannot be negative".to_string(), - )); + ))); } // 5280 4.1.2.4: Issuer // The issuer MUST be a non-empty distinguished name. if cert.issuer().is_empty() { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "certificate must have a non-empty Issuer".to_string(), - )); + ))); } // 5280 4.1.2.5: Validity 
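Review bot: The check under "5280 4.1.1.2 / 4.1.2.3" compares `cert.signature_alg` with `cert.tbs_cert.signature_alg`, but the error text says "mismatch between signatureAlgorithm and SPKI algorithm", which names a different field. Someone triaging a rejected certificate from that message would look at the subject public key rather than the inner signature field. I would change the string to `"mismatch between signatureAlgorithm and TBSCertificate signature algorithm"` and update any test that matches the old text. The enclosing function starts and ends outside the hunk.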
@@ -427,9 +427,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { permits_validity_date(&cert.tbs_cert.validity.not_before)?; permits_validity_date(&cert.tbs_cert.validity.not_after)?; if &self.validation_time < not_before || &self.validation_time > not_after { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "cert is not valid at validation time".to_string(), - )); + ))); } Ok(()) @@ -464,9 +464,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { .path_length .map_or(false, |len| u64::from(current_depth) > len) { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "path length constraint violated".to_string(), - ))?; + ))); } } @@ -518,10 +518,10 @@ impl<'a, B: CryptoOps> Policy<'a, B> { .permitted_public_key_algorithms .contains(&issuer.certificate().tbs_cert.spki.algorithm) { - return Err(ValidationError::Other(format!( + return Err(ValidationError::new(ValidationErrorKind::Other(format!( "Forbidden public key algorithm: {:?}", &issuer.certificate().tbs_cert.spki.algorithm - ))); + )))); } // CA/B 7.1.3.2 Signature AlgorithmIdentifier @@ -534,12 +534,20 @@ impl<'a, B: CryptoOps> Policy<'a, B> { .permitted_signature_algorithms .contains(&child.certificate().signature_alg) { - return Err(ValidationError::Other(format!( + return Err(ValidationError::new(ValidationErrorKind::Other(format!( "Forbidden signature algorithm: {:?}", &child.certificate().signature_alg - ))); + )))); } + // We do this before checking the RSA key size so that if parsing the + // key fails, we get a nice error message. + let pk = issuer.public_key(&self.ops).map_err(|_| { + ValidationError::new(ValidationErrorKind::Other( + "issuer has malformed public key".to_string(), + )) + })?; + // CA/B 6.1.5: Key sizes // NOTE: We don't currently enforce that RSA moduli are divisible by 8, // since other implementations don't bother. 
@@ -552,17 +560,16 @@ impl<'a, B: CryptoOps> Policy<'a, B> { asn1::parse_single(issuer_spki.subject_public_key.as_bytes())?; if rsa_key.n.as_bytes().len() * 8 < self.minimum_rsa_modulus { - return Err(ValidationError::Other("RSA key is too weak".into())); + return Err(ValidationError::new(ValidationErrorKind::Other( + "RSA key is too weak".into(), + ))); } } - let pk = issuer - .public_key(&self.ops) - .map_err(|_| ValidationError::Other("issuer has malformed public key".to_string()))?; if self.ops.verify_signed_by(child.certificate(), pk).is_err() { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "signature does not match".to_string(), - )); + ))); } Ok(()) @@ -576,9 +583,9 @@ fn permits_validity_date(validity_date: &Time) -> ValidationResult<()> { // by the variant's constructor. if let Time::GeneralizedTime(_) = validity_date { if GENERALIZED_DATE_INVALIDITY_RANGE.contains(&validity_date.as_datetime().year()) { - return Err(ValidationError::Other( + return Err(ValidationError::new(ValidationErrorKind::Other( "validity dates between 1950 and 2049 must be UtcTime".to_string(), - )); + ))); } } From f65ab4d7f5ba0ada7b632bd7b7462bb79876690d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sun, 3 Nov 2024 21:16:23 +0100 Subject: [PATCH 1314/1462] feat(admissions): add profession info type for the admissions extension (#11881) * feat(admissions): add profession info python type for the admissions extension Signed-off-by: oleg.hoefling * feat(admissions): add profession info rust type for the admissions extension Signed-off-by: oleg.hoefling * feat(admissions): add test for profession info hash implementation Signed-off-by: oleg.hoefling * fix(admissions): minor fixes Signed-off-by: oleg.hoefling * remove the asn1 traits from the profession info rust type Signed-off-by: oleg.hoefling * remove the explicit mark from the naming authority field 
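Review bot: The RSA size check `rsa_key.n.as_bytes().len() * 8 < self.minimum_rsa_modulus` works on whole bytes, so it rounds the modulus size up; if `as_bytes()` returns the DER content octets, a leading sign octet is counted as well. A modulus a few bits short of the minimum can therefore pass. The NOTE about moduli divisible by 8 at the end of the previous hunk should at least say this, e.g. `// NOTE: size is measured in whole encoded bytes, so this is an upper bound on the bit length.`; a stricter check would drop a leading zero byte before counting. The type of `rsa_key` is declared outside the hunk, so the sign-octet part needs confirming.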
Signed-off-by: oleg.hoefling * chore: add commented out annotation for the naming authority field Signed-off-by: Oleg Hoefling * fix: use correct type for add_profeccion_info field Signed-off-by: Oleg Hoefling * refactor: explicitly convert profession items and oids to tuples for hash calculation Signed-off-by: Oleg Hoefling * refactor: add asn1 trait derives to naming authority and profession info types, commented out Signed-off-by: Oleg Hoefling --------- Signed-off-by: oleg.hoefling Signed-off-by: Oleg Hoefling --- src/cryptography/x509/__init__.py | 2 + src/cryptography/x509/extensions.py | 98 ++++++++ src/rust/cryptography-x509/src/extensions.rs | 21 ++ tests/x509/test_x509_ext.py | 231 +++++++++++++++++++ 4 files changed, 352 insertions(+) diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py index be229bcc5bf7..225f5aa67520 100644 --- a/src/cryptography/x509/__init__.py +++ b/src/cryptography/x509/__init__.py @@ -64,6 +64,7 @@ PolicyInformation, PrecertificateSignedCertificateTimestamps, PrecertPoison, + ProfessionInfo, ReasonFlags, SignedCertificateTimestamps, SubjectAlternativeName, @@ -228,6 +229,7 @@ "PolicyInformation", "PrecertPoison", "PrecertificateSignedCertificateTimestamps", + "ProfessionInfo", "PublicKeyAlgorithmOID", "RFC822Name", "ReasonFlags", diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index cc2901eb434c..7b9be63045fb 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py 
@@ -2222,6 +2222,104 @@ def __hash__(self) -> int: ) +class ProfessionInfo: + def __init__( + self, + naming_authority: NamingAuthority | None, + profession_items: typing.Iterable[str], + profession_oids: typing.Iterable[ObjectIdentifier], + registration_number: str | None, + add_profession_info: bytes | None, + ) -> None: + if naming_authority is not None and not isinstance( + naming_authority, NamingAuthority + ): + raise TypeError("naming_authority must be a NamingAuthority") + + profession_items = list(profession_items) + if not all(isinstance(item, str) for item in profession_items): + raise TypeError( + "Every item in the profession_items list must be a str" + ) + + profession_oids = list(profession_oids) + if not all( + isinstance(oid, ObjectIdentifier) for oid in profession_oids + ): + raise TypeError( + "Every item in the profession_oids list must be an " + "ObjectIdentifier" + ) + + if registration_number is not None and not isinstance( + registration_number, str + ): + raise TypeError("registration_number must be a str") + + if add_profession_info is not None and not isinstance( + add_profession_info, bytes + ): + raise TypeError("add_profession_info must be bytes") + + self._naming_authority = naming_authority + self._profession_items = profession_items + self._profession_oids = profession_oids + self._registration_number = registration_number + self._add_profession_info = add_profession_info + + @property + def naming_authority(self) -> NamingAuthority | None: + return self._naming_authority + + @property + def profession_items(self) -> list[str]: + return self._profession_items + + @property + def profession_oids(self) -> list[ObjectIdentifier]: + return self._profession_oids + + @property + def registration_number(self) -> str | None: + return self._registration_number + + @property + def add_profession_info(self) -> bytes | None: + return self._add_profession_info + + def __repr__(self) -> str: + return ( + f"" + ) + + def __eq__(self, other: 
object) -> bool: + if not isinstance(other, ProfessionInfo): + return NotImplemented + + return ( + self.naming_authority == other.naming_authority + and self.profession_items == other.profession_items + and self.profession_oids == other.profession_oids + and self.registration_number == other.registration_number + and self.add_profession_info == other.add_profession_info + ) + + def __hash__(self) -> int: + return hash( + ( + self.naming_authority, + *tuple(self.profession_items), + *tuple(self.profession_oids), + self.registration_number, + self.add_profession_info, + ) + ) + + class UnrecognizedExtension(ExtensionType): def __init__(self, oid: ObjectIdentifier, value: bytes) -> None: if not isinstance(oid, ObjectIdentifier): diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index cbf9a4611f1b..e5c82ee52872 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -285,12 +285,33 @@ impl KeyUsage<'_> { } } +// #[derive(asn1::Asn1Read, asn1::Asn1Write)] pub struct NamingAuthority<'a> { pub id: Option, pub url: Option>, pub text: Option>, } +type SequenceOfDisplayTexts<'a> = common::Asn1ReadableOrWritable< + asn1::SequenceOf<'a, DisplayText<'a>>, + asn1::SequenceOfWriter<'a, DisplayText<'a>, Vec>>, +>; + +type SequenceOfObjectIdentifiers<'a> = common::Asn1ReadableOrWritable< + asn1::SequenceOf<'a, asn1::ObjectIdentifier>, + asn1::SequenceOfWriter<'a, asn1::ObjectIdentifier, Vec>, +>; + +// #[derive(asn1::Asn1Read, asn1::Asn1Write)] +pub struct ProfessionInfo<'a> { + // #[explicit(0)] + pub naming_authority: Option>, + pub profession_items: SequenceOfDisplayTexts<'a>, + pub profession_oids: Option>, + pub registration_number: Option>, + pub add_profession_info: Option<&'a [u8]>, +} + #[cfg(test)] mod tests { use super::{BasicConstraints, Extension, Extensions, KeyUsage}; 
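Review bot: `ProfessionInfo` defines `__hash__` over `profession_items` and `profession_oids` but stores them as lists, and the two properties return those same list objects, so a caller can mutate them and change the hash of an instance that is already in a set or dict. Returning copies (`return list(self._profession_items)`, `return list(self._profession_oids)`) keeps the `list[...]` return type and closes that. Separately, `list(profession_items)` accepts a bare `str` and splits it into one-character items that all pass the `isinstance(item, str)` check; an explicit `if isinstance(profession_items, str): raise TypeError(...)` before the conversion would reject it. The class also has no docstring.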
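Review bot: The hunk leaves `// #[derive(asn1::Asn1Read, asn1::Asn1Write)]` on both structs and `// #[explicit(0)]` on `naming_authority` as commented-out attributes with no explanation. Whether `naming_authority` is explicitly tagged decides the encoding once the derive is switched on, so it should not rest on a stray comment; I would replace these with one `// TODO:` line stating what blocks the derive and that the tag on `naming_authority` must be settled against the extension's ASN.1 definition first. `ProfessionInfo` and the two new type aliases also lack `///` doc comments.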
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index 5b94c08fcc00..50cbbd5ee17f 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py 
@@ -6437,6 +6437,237 @@ def test_hash(self): assert hash(authority1) != hash(authority9) +class TestProfessionInfo: + def test_invalid_init(self): + with pytest.raises(TypeError): + x509.ProfessionInfo( + None, + None, # type:ignore[arg-type] + None, # type:ignore[arg-type] + None, + None, + ) + with pytest.raises(TypeError): + x509.ProfessionInfo( + "spam", # type:ignore[arg-type] + [], + [], + None, + None, + ) + with pytest.raises(TypeError): + x509.ProfessionInfo( + None, + [42], # type:ignore[list-item] + [], + None, + None, + ) + with pytest.raises(TypeError): + x509.ProfessionInfo( + None, + [], + "spam", # type:ignore[arg-type] + None, + None, + ) + with pytest.raises(TypeError): + x509.ProfessionInfo( + None, + [], + [], + 42, # type:ignore[arg-type] + None, + ) + with pytest.raises(TypeError): + x509.ProfessionInfo( + None, + [], + [], + None, + 42, # type:ignore[arg-type] + ) + + def test_eq(self): + info1 = x509.ProfessionInfo(None, [], [], None, None) + info2 = x509.ProfessionInfo(None, [], [], None, None) + assert info1 == info2 + + info1 = x509.ProfessionInfo( + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + ["spam"], + [x509.ObjectIdentifier("1.2.3.4")], + "eggs", + b"\x01\x02\x03", + ) + info2 = x509.ProfessionInfo( + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + ["spam"], + [x509.ObjectIdentifier("1.2.3.4")], + "eggs", + b"\x01\x02\x03", + ) + assert info1 == info2 + + def test_ne(self): + info1 = x509.ProfessionInfo( + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + ["spam"], + [x509.ObjectIdentifier("1.2.3.4")], + "eggs", + b"\x01\x02\x03", + ) + info2 = x509.ProfessionInfo( + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + ["spam"], + [x509.ObjectIdentifier("1.2.3.4")], + "eggs", + None, + ) + info3 = x509.ProfessionInfo( + x509.NamingAuthority( + 
x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + ["spam"], + [x509.ObjectIdentifier("1.2.3.4")], + None, + None, + ) + info4 = x509.ProfessionInfo( + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + ["spam"], + [], + None, + None, + ) + info5 = x509.ProfessionInfo( + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + [], + [], + None, + None, + ) + info6 = x509.ProfessionInfo(None, ["spam"], [], None, None) + info7 = x509.ProfessionInfo( + None, [], [x509.ObjectIdentifier("1.2.3")], None, None + ) + info8 = x509.ProfessionInfo(None, [], [], "spam", None) + info9 = x509.ProfessionInfo(None, [], [], None, b"\x01\x02\x03") + info10 = x509.ProfessionInfo(None, [], [], None, None) + + assert info1 != info2 + assert info1 != info2 + assert info1 != info3 + assert info1 != info4 + assert info1 != info5 + assert info1 != info6 + assert info1 != info7 + assert info1 != info8 + assert info1 != info9 + assert info1 != info10 + assert info1 != object() + + def test_repr(self): + info = x509.ProfessionInfo(None, [], [], None, None) + assert repr(info) == ( + "" + ) + + info = x509.ProfessionInfo( + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + ["spam"], + [x509.ObjectIdentifier("1.2.3.4")], + "eggs", + b"\x01\x02\x03", + ) + assert repr(info) == ( + ", " + "url=https://example.com, text=spam)>, " + "profession_items=['spam'], " + "profession_oids=" + "[], " + "registration_number=eggs, " + "add_profession_info=b'\\x01\\x02\\x03')>" + ) + + def test_hash(self): + info1 = x509.ProfessionInfo( + x509.NamingAuthority(None, None, None), + ["spam"], + [x509.ObjectIdentifier("1.2.3.4")], + "eggs", + b"\x01\x02\x03", + ) + info2 = x509.ProfessionInfo( + x509.NamingAuthority(None, None, None), + ["spam"], + [x509.ObjectIdentifier("1.2.3.4")], + "eggs", + b"\x01\x02\x03", + ) + info3 = x509.ProfessionInfo( + x509.NamingAuthority( + 
x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + ["spam"], + [x509.ObjectIdentifier("1.2.3.4")], + "eggs", + b"\x01\x02\x03", + ) + info4 = x509.ProfessionInfo( + x509.NamingAuthority(None, None, None), + [], + [x509.ObjectIdentifier("1.2.3.4")], + "eggs", + b"\x01\x02\x03", + ) + info5 = x509.ProfessionInfo( + x509.NamingAuthority(None, None, None), + [], + [], + "eggs", + b"\x01\x02\x03", + ) + info6 = x509.ProfessionInfo( + x509.NamingAuthority(None, None, None), + [], + [], + None, + b"\x01\x02\x03", + ) + info7 = x509.ProfessionInfo( + x509.NamingAuthority(None, None, None), [], [], None, None + ) + + assert hash(info1) == hash(info2) + assert hash(info1) != hash(info3) + assert hash(info1) != hash(info4) + assert hash(info1) != hash(info5) + assert hash(info1) != hash(info6) + assert hash(info1) != hash(info7) + + def test_all_extension_oid_members_have_names_defined(): for oid in dir(ExtensionOID): if oid.startswith("__"): From 4d869130828174e1de06f8831768aaf5dade186d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sun, 3 Nov 2024 23:12:39 +0100 Subject: [PATCH 1315/1462] feat(admissions): add admission type for the admissions extension (#11883) * feat(admissions): add admission type for the admissions extension Signed-off-by: oleg.hoefling * refactor: explicitly convert profession infos to tuples for hash calculation Signed-off-by: Oleg Hoefling * refactor: add asn1 trait derives to admission type, commented out Signed-off-by: Oleg Hoefling --------- Signed-off-by: oleg.hoefling Signed-off-by: Oleg Hoefling --- src/cryptography/x509/__init__.py | 2 + src/cryptography/x509/extensions.py | 69 ++++ src/rust/cryptography-x509/src/extensions.rs | 14 + tests/x509/test_x509_ext.py | 327 +++++++++++++++++++ 4 files changed, 412 insertions(+) diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py index 225f5aa67520..82531a428482 100644 --- a/src/cryptography/x509/__init__.py 
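Review bot: `test_ne` in `TestProfessionInfo` asserts `info1 != info2` twice in a row; the second line adds nothing and was probably meant to be removed or to compare a different pair. Dropping it leaves one assertion each for `info2` through `info10` plus the `object()` case.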
+++ b/src/cryptography/x509/__init__.py @@ -30,6 +30,7 @@ ) from cryptography.x509.extensions import ( AccessDescription, + Admission, AuthorityInformationAccess, AuthorityKeyIdentifier, BasicConstraints, @@ -176,6 +177,7 @@ "OID_CA_ISSUERS", "OID_OCSP", "AccessDescription", + "Admission", "Attribute", "AttributeNotFound", "Attributes", diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index 7b9be63045fb..f862a1363781 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py 
@@ -2320,6 +2320,75 @@ def __hash__(self) -> int: ) +class Admission: + def __init__( + self, + admission_authority: GeneralName | None, + naming_authority: NamingAuthority | None, + profession_infos: typing.Iterable[ProfessionInfo], + ) -> None: + if admission_authority is not None and not isinstance( + admission_authority, GeneralName + ): + raise TypeError("admission_authority must be a GeneralName") + + if naming_authority is not None and not isinstance( + naming_authority, NamingAuthority + ): + raise TypeError("naming_authority must be a NamingAuthority") + + profession_infos = list(profession_infos) + if not all( + isinstance(info, ProfessionInfo) for info in profession_infos + ): + raise TypeError( + "Every item in the profession_infos list must be a " + "ProfessionInfo" + ) + + self._admission_authority = admission_authority + self._naming_authority = naming_authority + self._profession_infos = profession_infos + + @property + def admission_authority(self) -> GeneralName | None: + return self._admission_authority + + @property + def naming_authority(self) -> NamingAuthority | None: + return self._naming_authority + + @property + def profession_infos(self) -> list[ProfessionInfo]: + return self._profession_infos + + def __repr__(self) -> str: + return ( + f"" + ) + + def __eq__(self, other: object) -> bool: + if not isinstance(other, Admission): + return NotImplemented + + return ( + self.admission_authority == other.admission_authority + and self.naming_authority == other.naming_authority + and self.profession_infos == other.profession_infos + ) + + def __hash__(self) -> int: + return hash( + ( + self.admission_authority, + self.naming_authority, + *tuple(self.profession_infos), + ) + ) + + class UnrecognizedExtension(ExtensionType): def __init__(self, oid: ObjectIdentifier, value: bytes) -> None: if not isinstance(oid, ObjectIdentifier): 
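Review bot: The `profession_infos` property hands out the internal list (`return self._profession_infos`), while `__eq__` and `__hash__` are computed from that same list. A caller that appends to the returned list therefore changes the hash of an `Admission` already stored in a set or used as a dict key. Returning a copy, `return list(self._profession_infos)`, keeps the declared `list[ProfessionInfo]` return type and leaves the object unchanged after construction. The class also has no docstring; one line saying that it models a single admission entry of the admissions extension, and that `profession_infos` accepts any iterable, would help.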
diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index e5c82ee52872..d1ebf95ae03f 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -312,6 +312,20 @@ pub struct ProfessionInfo<'a> { pub add_profession_info: Option<&'a [u8]>, } +// #[derive(asn1::Asn1Read, asn1::Asn1Write)] +pub struct Admission<'a> { + // #[explicit(0)] + pub admission_authority: Option>, + // #[explicit(1)] + pub naming_authority: Option>, + /* + pub profession_infos: common::Asn1ReadableOrWritable< + asn1::SequenceOf<'a, ProfessionInfo<'a>>, + asn1::SequenceOfWriter<'a, ProfessionInfo<'a>, Vec>>, + >, + */ +} + #[cfg(test)] mod tests { use super::{BasicConstraints, Extension, Extensions, KeyUsage}; diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index 50cbbd5ee17f..fc73bdfa1afa 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py 
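Review bot: `Admission` is declared `pub` while its `profession_infos` field sits inside a `/* … */` block, so the struct as compiled holds only the two optional authority fields and does not describe the whole sequence. If the field is held back on purpose, say so next to it, e.g. `// TODO: restore profession_infos before enabling the derive`, or keep the struct private until it is complete. Otherwise someone enabling the derive later could end up with a parser that does not match the Python `Admission` type added in this commit. The `Admissions` struct added by the following commit's hunk in this file comments out `contents_of_admissions` in the same way.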
@@ -6668,6 +6668,333 @@ def test_hash(self): assert hash(info1) != hash(info7) +class TestAdmission: + def test_invalid_init(self): + with pytest.raises(TypeError): + x509.Admission( + 42, # type:ignore[arg-type] + None, + [], + ) + with pytest.raises(TypeError): + x509.Admission( + None, + 42, # type:ignore[arg-type] + [], + ) + with pytest.raises(TypeError): + x509.Admission( + None, + None, + 42, # type:ignore[arg-type] + ) + with pytest.raises(TypeError): + x509.Admission( + None, + None, + [42], # type:ignore[list-item] + ) + + def test_eq(self): + admission1 = x509.Admission(None, None, []) + admission2 = x509.Admission(None, None, []) + assert admission1 == admission2 + + admission1 = x509.Admission( + x509.OtherName( + type_id=x509.oid.NameOID.COUNTRY_NAME, + value=b"\x04\x04\x13\x02DE", + ), + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + [ + x509.ProfessionInfo( + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3.4"), + "https://example.org", + "eggs", + ), + ["bacon"], + [x509.ObjectIdentifier("1.2.3.4.5")], + "sausage", + b"\x01\x02\x03", + ) + ], + ) + admission2 = x509.Admission( + x509.OtherName( + type_id=x509.oid.NameOID.COUNTRY_NAME, + value=b"\x04\x04\x13\x02DE", + ), + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + [ + x509.ProfessionInfo( + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3.4"), + "https://example.org", + "eggs", + ), + ["bacon"], + [x509.ObjectIdentifier("1.2.3.4.5")], + "sausage", + b"\x01\x02\x03", + ) + ], + ) + assert admission1 == admission2 + + def test_ne(self): + admission1 = x509.Admission( + x509.OtherName( + type_id=x509.oid.NameOID.COUNTRY_NAME, + value=b"\x04\x04\x13\x02DE", + ), + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + [ + x509.ProfessionInfo( + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3.4"), + "https://example.org", + "eggs", + ), + ["bacon"], + 
[x509.ObjectIdentifier("1.2.3.4.5")], + "sausage", + b"\x01\x02\x03", + ) + ], + ) + admission2 = x509.Admission( + x509.OtherName( + type_id=x509.oid.NameOID.COUNTRY_NAME, + value=b"\x04\x04\x13\x02DE", + ), + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + [], + ) + admission3 = x509.Admission( + x509.OtherName( + type_id=x509.oid.NameOID.COUNTRY_NAME, + value=b"\x04\x04\x13\x02DE", + ), + None, + [ + x509.ProfessionInfo( + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3.4"), + "https://example.org", + "eggs", + ), + ["bacon"], + [x509.ObjectIdentifier("1.2.3.4.5")], + "sausage", + b"\x01\x02\x03", + ) + ], + ) + admission4 = x509.Admission( + None, + None, + [ + x509.ProfessionInfo( + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3.4"), + "https://example.org", + "eggs", + ), + ["bacon"], + [x509.ObjectIdentifier("1.2.3.4.5")], + "sausage", + b"\x01\x02\x03", + ) + ], + ) + admission5 = x509.Admission( + x509.OtherName( + type_id=x509.oid.NameOID.COUNTRY_NAME, + value=b"\x04\x04\x13\x02DE", + ), + None, + [], + ) + admission6 = x509.Admission( + None, + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + [], + ) + admission7 = x509.Admission(None, None, []) + + assert admission1 != admission2 + assert admission1 != admission3 + assert admission1 != admission4 + assert admission1 != admission5 + assert admission1 != admission6 + assert admission1 != admission7 + assert admission1 != object() + + def test_repr(self): + admission = x509.Admission(None, None, []) + assert repr(admission) == ( + "" + ) + + admission = x509.Admission( + x509.OtherName( + type_id=x509.oid.NameOID.COUNTRY_NAME, + value=b"\x04\x04\x13\x02DE", + ), + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + [ + x509.ProfessionInfo( + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3.4"), + "https://example.org", + "eggs", + ), + ["bacon"], + 
[x509.ObjectIdentifier("1.2.3.4.5")], + "sausage", + b"\x01\x02\x03", + ) + ], + ) + assert repr(admission) == ( + ", " + "value=b'\\x04\\x04\\x13\\x02DE')>, " + "naming_authority=, " + "url=https://example.com, text=spam)>, " + "profession_infos=[, " + "url=https://example.org, text=eggs)>, " + "profession_items=['bacon'], " + "profession_oids=[], " + "registration_number=sausage, " + "add_profession_info=b'\\x01\\x02\\x03')>])>" + ) + + def test_hash(self): + admission1 = x509.Admission( + x509.OtherName( + type_id=x509.oid.NameOID.COUNTRY_NAME, + value=b"\x04\x04\x13\x02DE", + ), + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + [ + x509.ProfessionInfo( + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3.4"), + "https://example.org", + "eggs", + ), + ["bacon"], + [x509.ObjectIdentifier("1.2.3.4.5")], + "sausage", + b"\x01\x02\x03", + ) + ], + ) + admission2 = x509.Admission( + x509.OtherName( + type_id=x509.oid.NameOID.COUNTRY_NAME, + value=b"\x04\x04\x13\x02DE", + ), + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + [ + x509.ProfessionInfo( + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3.4"), + "https://example.org", + "eggs", + ), + ["bacon"], + [x509.ObjectIdentifier("1.2.3.4.5")], + "sausage", + b"\x01\x02\x03", + ) + ], + ) + admission3 = x509.Admission( + x509.UniformResourceIdentifier(value="https://www.example.de"), + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + [ + x509.ProfessionInfo( + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3.4"), + "https://example.org", + "eggs", + ), + ["bacon"], + [x509.ObjectIdentifier("1.2.3.4.5")], + "sausage", + b"\x01\x02\x03", + ) + ], + ) + admission4 = x509.Admission( + x509.OtherName( + type_id=x509.oid.NameOID.COUNTRY_NAME, + value=b"\x04\x04\x13\x02DE", + ), + x509.NamingAuthority(None, None, None), + [ + x509.ProfessionInfo( + x509.NamingAuthority( + 
x509.ObjectIdentifier("1.2.3.4"), + "https://example.org", + "eggs", + ), + ["bacon"], + [x509.ObjectIdentifier("1.2.3.4.5")], + "sausage", + b"\x01\x02\x03", + ) + ], + ) + admission5 = x509.Admission( + x509.OtherName( + type_id=x509.oid.NameOID.COUNTRY_NAME, + value=b"\x04\x04\x13\x02DE", + ), + x509.NamingAuthority( + x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" + ), + [], + ) + admission6 = x509.Admission(None, None, []) + + assert hash(admission1) == hash(admission2) + assert hash(admission1) != hash(admission3) + assert hash(admission1) != hash(admission4) + assert hash(admission1) != hash(admission5) + assert hash(admission1) != hash(admission6) + + def test_all_extension_oid_members_have_names_defined(): for oid in dir(ExtensionOID): if oid.startswith("__"): From 78b3750a3bc06c15a22540908655da3772be1980 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 4 Nov 2024 00:18:17 +0000 Subject: [PATCH 1316/1462] Bump BoringSSL and/or OpenSSL in CI (#11884) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4271a14e870d..59b7491d939c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 02, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "96472802acf39548d26958ee6809b26ca25baa7d"}} + # Latest commit on the BoringSSL master branch, as of Nov 04, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ddc0647304a8ed854b2d84117f095a5f73571d37"}} # Latest commit on the OpenSSL master branch, as of Nov 02, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1d160dbf39fbdba89389ddff54e45bacf278b04a"}} # Builds with various Rust versions. Includes MSRV and next From cf93084b0efadd36f0f0056c66dd7387ffcf1bd7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Mon, 4 Nov 2024 12:42:08 +0100 Subject: [PATCH 1317/1462] feat(admissions): add admissions extension type (#11886) * feat(admissions): add admissions extension type Signed-off-by: Oleg Hoefling * fix: use tuple for admissions unpacking in hash code calculation Signed-off-by: Oleg Hoefling --------- Signed-off-by: Oleg Hoefling --- src/cryptography/hazmat/_oid.py | 2 + src/cryptography/x509/__init__.py | 2 + src/cryptography/x509/extensions.py | 48 +++++++++ src/rust/cryptography-x509/src/extensions.rs | 11 ++ tests/x509/test_x509_ext.py | 100 +++++++++++++++++++ 5 files changed, 163 insertions(+) diff --git a/src/cryptography/hazmat/_oid.py b/src/cryptography/hazmat/_oid.py index fd5e37d9e2ff..8bd240d099a9 100644 --- a/src/cryptography/hazmat/_oid.py +++ b/src/cryptography/hazmat/_oid.py 
@@ -39,6 +39,7 @@ class ExtensionOID: PRECERT_POISON = ObjectIdentifier("1.3.6.1.4.1.11129.2.4.3") SIGNED_CERTIFICATE_TIMESTAMPS = ObjectIdentifier("1.3.6.1.4.1.11129.2.4.5") MS_CERTIFICATE_TEMPLATE = ObjectIdentifier("1.3.6.1.4.1.311.21.7") + ADMISSIONS = ObjectIdentifier("1.3.36.8.3.3") class OCSPExtensionOID: @@ -284,6 +285,7 @@ class AttributeOID: ), ExtensionOID.PRECERT_POISON: "ctPoison", ExtensionOID.MS_CERTIFICATE_TEMPLATE: "msCertificateTemplate", + ExtensionOID.ADMISSIONS: "Admissions", CRLEntryExtensionOID.CRL_REASON: "cRLReason", CRLEntryExtensionOID.INVALIDITY_DATE: "invalidityDate", CRLEntryExtensionOID.CERTIFICATE_ISSUER: "certificateIssuer", diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py index 82531a428482..8a89d67f151e 100644 --- a/src/cryptography/x509/__init__.py +++ b/src/cryptography/x509/__init__.py @@ -31,6 +31,7 @@ from cryptography.x509.extensions import ( AccessDescription, Admission, + Admissions, AuthorityInformationAccess, AuthorityKeyIdentifier, BasicConstraints, @@ -178,6 +179,7 @@ "OID_OCSP", "AccessDescription", "Admission", + "Admissions", "Attribute", "AttributeNotFound", "Attributes", diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index f862a1363781..202101208dad 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py 
@@ -2389,6 +2389,54 @@ def __hash__(self) -> int: ) +class Admissions(ExtensionType): + oid = ExtensionOID.ADMISSIONS + + def __init__( + self, + authority: GeneralName | None, + admissions: typing.Iterable[Admission], + ) -> None: + if authority is not None and not isinstance(authority, GeneralName): + raise TypeError("authority must be a GeneralName") + + admissions = list(admissions) + if not all( + isinstance(admission, Admission) for admission in admissions + ): + raise TypeError( + "Every item in the contents_of_admissions list must be an " + "Admission" + ) + + self._authority = authority + self._admissions = admissions + + __len__, __iter__, __getitem__ = _make_sequence_methods("_admissions") + + @property + def authority(self) -> GeneralName | None: + return self._authority + + def __repr__(self) -> str: + return ( + f"" + ) + + def __eq__(self, other: object) -> bool: + if not isinstance(other, Admissions): + return NotImplemented + + return ( + self.authority == other.authority + and self._admissions == other._admissions + ) + + def __hash__(self) -> int: + return hash((self.authority, *tuple(self._admissions))) + + class UnrecognizedExtension(ExtensionType): def __init__(self, oid: ObjectIdentifier, value: bytes) -> None: if not isinstance(oid, ObjectIdentifier): diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index d1ebf95ae03f..5b224db50c3a 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -326,6 +326,17 @@ pub struct Admission<'a> { */ } +// #[derive(asn1::Asn1Read, asn1::Asn1Write)] +pub struct Admissions<'a> { + pub admission_authority: Option>, + /* + pub contents_of_admissions: common::Asn1ReadableOrWritable< + asn1::SequenceOf<'a, Admission<'a>>, + asn1::SequenceOfWriter<'a, Admission<'a>, Vec>>, + >, + */ +} + #[cfg(test)] mod tests { use super::{BasicConstraints, Extension, Extensions, KeyUsage}; 
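Review bot: The `TypeError` raised for a bad list item in `Admissions.__init__` says `contents_of_admissions`, but the constructor parameter is `admissions`, so the message points the caller at a name that does not exist in the Python API. I would change the text to `"Every item in the admissions list must be an Admission"`. The neighbouring check already uses the parameter name (`"authority must be a GeneralName"`), so this also makes the two messages consistent.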
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index fc73bdfa1afa..fa47c277a4d5 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py 
@@ -6995,6 +6995,106 @@ def test_hash(self): assert hash(admission1) != hash(admission6) +class TestAdmissions: + def test_invalid_init(self): + with pytest.raises(TypeError): + x509.Admissions( + 42, # type:ignore[arg-type] + [], + ) + with pytest.raises(TypeError): + x509.Admissions( + None, + 42, # type:ignore[arg-type] + ) + with pytest.raises(TypeError): + x509.Admissions( + None, + [42], # type:ignore[list-item] + ) + with pytest.raises(TypeError): + x509.Admissions( + None, + [None], # type:ignore[list-item] + ) + + def test_eq(self): + admissions1 = x509.Admissions(None, []) + admissions2 = x509.Admissions(None, []) + assert admissions1 == admissions2 + + admissions1 = x509.Admissions( + x509.UniformResourceIdentifier(value="https://www.example.de"), + [x509.Admission(None, None, [])], + ) + admissions2 = x509.Admissions( + x509.UniformResourceIdentifier(value="https://www.example.de"), + [x509.Admission(None, None, [])], + ) + assert admissions1 == admissions2 + + def test_ne(self): + admissions1 = x509.Admissions( + x509.UniformResourceIdentifier(value="https://www.example.de"), + [x509.Admission(None, None, [])], + ) + admissions2 = x509.Admissions( + x509.UniformResourceIdentifier(value="https://www.example.de"), [] + ) + admissions3 = x509.Admissions( + None, + [x509.Admission(None, None, [])], + ) + admissions4 = x509.Admissions(None, []) + + assert admissions1 != admissions2 + assert admissions1 != admissions3 + assert admissions1 != admissions4 + assert admissions1 != object() + + def test_repr(self): + admissions = x509.Admissions(None, []) + assert repr(admissions) == ( + "" + ) + + admissions = x509.Admissions( + x509.UniformResourceIdentifier(value="https://www.example.de"), + [x509.Admission(None, None, [])], + ) + assert repr(admissions) == ( + ", " + "admissions=[])>" + ) + + def test_hash(self): + admissions1 = x509.Admissions( + x509.UniformResourceIdentifier(value="https://www.example.de"), + [x509.Admission(None, None, [])], + ) + 
admissions2 = x509.Admissions( + x509.UniformResourceIdentifier(value="https://www.example.de"), + [x509.Admission(None, None, [])], + ) + admissions3 = x509.Admissions( + x509.UniformResourceIdentifier(value="https://www.example.de"), [] + ) + admissions4 = x509.Admissions( + None, + [x509.Admission(None, None, [])], + ) + admissions5 = x509.Admissions(None, []) + assert hash(admissions1) == hash(admissions2) + assert hash(admissions1) != hash(admissions3) + assert hash(admissions1) != hash(admissions4) + assert hash(admissions1) != hash(admissions5) + + def test_all_extension_oid_members_have_names_defined(): for oid in dir(ExtensionOID): if oid.startswith("__"): From 634ae789dc6361a0a38bf2202000c5f76f060117 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Nov 2024 12:06:08 +0000 Subject: [PATCH 1318/1462] Bump ruff from 0.7.1 to 0.7.2 (#11887) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.7.1 to 0.7.2. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.7.1...0.7.2) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 33daed01b065..27af7672ee52 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -202,7 +202,7 @@ requests==2.31.0 ; python_full_version < '3.8' # via sphinx requests==2.32.3 ; python_full_version >= '3.8' # via sphinx -ruff==0.7.1 +ruff==0.7.2 # via cryptography (pyproject.toml) six==1.16.0 ; python_full_version < '3.8' # via bleach 
From 733e6aea655559b1ee37d01ec49bf67c01eb9ce8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Nov 2024 12:09:09 +0000 Subject: [PATCH 1319/1462] Bump cc from 1.1.31 to 1.1.34 (#11889) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.31 to 1.1.34. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.31...cc-v1.1.34) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index f15b4719e744..625a4b672bd4 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.31" +version = "1.1.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c2e7962b54006dcfcc61cb72735f4d89bb97061dd6a7ed882ec6b8ee53714c6f" +checksum = "67b9470d453346108f93a59222a9a1a5724db32d0a4727b7ab7ace4b4d822dc9" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 451ff963bb58..87d328ced9a0 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,7 +11,7 @@ pyo3 = { version = "0.22.5", features = ["abi3"] } openssl-sys = "0.9.104" [build-dependencies] -cc = "1.1.31" +cc = "1.1.34" [lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(python_implementation, values("CPython", "PyPy"))'] } From a69e700b2efa0be8e1b5e20866dd7869e620bb29 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Nov 2024 12:10:51 +0000 Subject: [PATCH 1320/1462] Bump syn from 2.0.86 to 2.0.87 (#11890) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.86 to 2.0.87. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.86...2.0.87) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 625a4b672bd4..82c984fd6a88 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -334,9 +334,9 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "syn" -version = "2.0.86" +version = "2.0.87" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e89275301d38033efb81a6e60e3497e734dfcc62571f2854bf4b16690398824c" +checksum = "25aa4ce346d03a6dcd68dd8b4010bcb74e54e62c90c573f394c46eae99aba32d" dependencies = [ "proc-macro2", "quote", From 57b304996e9ecbafb79b2161f1f7f65c901392ef Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Nov 2024 07:15:07 -0500 Subject: [PATCH 1321/1462] Bump flit-core from 3.10.0 to 3.10.1 in /.github/requirements (#11888) Bumps [flit-core](https://github.com/pypa/flit) from 3.10.0 to 3.10.1. - [Changelog](https://github.com/pypa/flit/blob/main/doc/history.rst) - [Commits](https://github.com/pypa/flit/compare/3.10.0...3.10.1) --- updated-dependencies: - dependency-name: flit-core dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 1e6cc158f81e..b5ec43d88b3b 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -73,9 +73,9 @@ cffi==1.17.1 ; platform_python_implementation != "PyPy" \ --hash=sha256:f7f5baafcc48261359e14bcd6d9bff6d4b28d9103847c9e136694cb0501aef87 \ --hash=sha256:fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b # via -r build-requirements.in -flit-core==3.10.0 \ - --hash=sha256:6d904233178b3c924f665947ac7d286f2ac799fb69087e39e56ceb4084724a97 \ - --hash=sha256:ca888c3ae0a5a4dae39f2db64f181b8b45143a6650c4b9ce6d171e45a6fa290a +flit-core==3.10.1 \ + --hash=sha256:66e5b87874a0d6e39691f0e22f09306736b633548670ad3c09ec9db03c5662f7 \ + --hash=sha256:cb31a76e8b31ad3351bb89e531f64ef2b05d1e65bd939183250bf81ddf4922a8 # via -r build-requirements.in maturin==1.7.4 \ --hash=sha256:0182a9638399c8835afd39d2aeacf56908e37cba3f7abb15816b9df6774fab81 \ From 10b278c700d77225fe5b4de9a62d38984667b0be Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 4 Nov 2024 14:48:35 -0500 Subject: [PATCH 1322/1462] Make the Hmac paramter optional (#11891) In PBKDF2 structs generally there is no Algorithm Parameter associated with the PRF, but without marking the parameter optional the parser expect a an actual parameter with a null value. Signed-off-by: Simo Sorce --- src/rust/cryptography-x509/src/common.rs | 6 +++--- src/rust/src/pkcs12.rs | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index c79ff109bf3e..4ca825eb2c95 100644 --- a/src/rust/cryptography-x509/src/common.rs 
+++ b/src/rust/cryptography-x509/src/common.rs @@ -132,9 +132,9 @@ pub enum AlgorithmParameters<'a> { Pbkdf2(PBKDF2Params<'a>), #[defined_by(oid::HMAC_WITH_SHA1_OID)] - HmacWithSha1(asn1::Null), + HmacWithSha1(Option), #[defined_by(oid::HMAC_WITH_SHA256_OID)] - HmacWithSha256(asn1::Null), + HmacWithSha256(Option), // Used only in PKCS#7 AlgorithmIdentifiers // https://datatracker.ietf.org/doc/html/rfc3565#section-4.1 @@ -430,7 +430,7 @@ pub struct PBES2Params<'a> { const HMAC_SHA1_ALG: AlgorithmIdentifier<'static> = AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), - params: AlgorithmParameters::HmacWithSha1(()), + params: AlgorithmParameters::HmacWithSha1(Some(())), }; #[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash, Clone, Debug)] diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index c8d334ecfa29..d58e339849eb 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -148,7 +148,7 @@ impl EncryptionAlgorithm { oid: asn1::DefinedByMarker::marker(), params: cryptography_x509::common::AlgorithmParameters::HmacWithSha256( - (), + Some(()), ), }), }, From b9d63a5d9abba9168c03d62de21c426ac449a859 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 5 Nov 2024 00:24:43 +0000 Subject: [PATCH 1323/1462] Bump BoringSSL and/or OpenSSL in CI (#11893) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 59b7491d939c..16f13026e30e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
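Review bot: Nothing in this commit exercises the case it is meant to fix: the diffstat lists only `common.rs` and `pkcs12.rs`, so no test parses a PBKDF2 structure whose PRF has no parameters. A round-trip test with one input that omits the parameters and one that carries an explicit NULL would pin both accepted forms. I would also add a comment on the `HmacWithSha1` and `HmacWithSha256` variants, e.g. `// Parameters may be absent or NULL on read; the writers in this crate emit NULL`, since `HMAC_SHA1_ALG` here and the `pkcs12.rs` hunk both construct `Some(())`. If identifiers of this type are compared with `==` anywhere (the derives on the parameters enum are outside this hunk), an identifier parsed without parameters will not compare equal to `HMAC_SHA1_ALG`, which is worth a note or a normalising helper.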
@@ -47,8 +47,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Nov 04, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ddc0647304a8ed854b2d84117f095a5f73571d37"}} - # Latest commit on the OpenSSL master branch, as of Nov 02, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1d160dbf39fbdba89389ddff54e45bacf278b04a"}} + # Latest commit on the OpenSSL master branch, as of Nov 05, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b9881e8eb1962607a3a920347c4cad6e2566727c"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From b6bf3295661eaf4106d5c4b7c0b2ce7472ac947c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 5 Nov 2024 00:36:27 +0000 Subject: [PATCH 1324/1462] Bump x509-limbo and/or wycheproof in CI (#11894) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 283fbdff897b..83ad8566f371 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Oct 28, 2024. - ref: "bb42ec9de1c78f1e8d903e73417002f45ed2f1fb" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Nov 05, 2024. + ref: "13f9e1cc9c216eb746de1a3898ad37e014fc7291" # x509-limbo-ref From 1fba29e2d73767ca251c26087b788011e34abdb1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Nov 2024 07:13:39 -0500 Subject: [PATCH 1325/1462] Bump uv from 0.4.29 to 0.4.30 (#11896) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.29 to 0.4.30. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.29...0.4.30) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 27af7672ee52..fc5fe8217f35 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -292,7 +292,7 @@ urllib3==2.0.7 ; python_full_version < '3.8' # via requests urllib3==2.2.3 ; python_full_version >= '3.8' # via requests -uv==0.4.29 ; python_full_version >= '3.8' +uv==0.4.30 ; python_full_version >= '3.8' # via nox virtualenv==20.26.6 ; python_full_version < '3.8' # via nox From a63ca251a7aa8a5aac6153e0b69083cb05e1a6d0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Nov 2024 07:13:52 -0500 Subject: [PATCH 1326/1462] Bump uv from 0.4.29 to 0.4.30 in /.github/requirements (#11897) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.29 to 0.4.30. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.29...0.4.30) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index f485bd223d6c..df9a66594a30 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.29 \ - --hash=sha256:0be21afa0e582ddc5badff6ef40c3c6784efc5feae4ad568307b668d40dc49bd \ - --hash=sha256:246da468ac0d51e7fb257cd038db2f8d6376ae269a44d01f56776e32108aa9da \ - --hash=sha256:24cccff9c248864ba0ab3429bae56314146c9494ce66a881d70ea8cf2805945f \ - --hash=sha256:287dc3fd3f78093a5a82136f01cbd9f224e0905b38d3dcffdc96c08fbbe48ee9 \ - --hash=sha256:3473b05142ba436ac30d036b7ab5e9bcfa97f63df5d1382f92e0a3e4aaa391bc \ - --hash=sha256:668d3e6095c6f0cac6a831ef4030f7ad79442d1c84b9569f01f50b60c2d51a77 \ - --hash=sha256:67dcfd253020e25ed1c49e5bd06406205c37264f99e14002de53a357cd1cdadf \ - --hash=sha256:68d4967b5f0af8bd46085e0f3ded229026700668a97734a21c3d11a5fc350c47 \ - --hash=sha256:6b03859068aaa08ca9907a51d403d54b0a9d8054091646845a9192f213f099d4 \ - --hash=sha256:7060dfbad0bc26e9cecbb4f8482445c958071511f23728948478f81acfb29048 \ - --hash=sha256:75927da78f74bb935314d236dc61ecdc192e878e06eb79585b6d9d5ee9829f98 \ - --hash=sha256:8c71663c7df4f512c697de39a4926dc191897f5fede73644bb2329f532c1ebfa \ - --hash=sha256:950bbfe1954e9c3a5d6c4777bb778b4c23d0dea9ad9f77622c45d4fbba433355 \ - --hash=sha256:9c559b6fdc042add463e86afa1c210716f7020bfc2e96b00df5af7afcb587ce7 \ - --hash=sha256:b5775db128b98251c3ea7874367fc20dce9f9aac3dbfa635e3ef4a1c56842d9c \ - --hash=sha256:cfb797a87b55d96cc0593e9f29ab5d58454be74598ea0158e1b2f4f2dc97cede \ - --hash=sha256:df35d9cbe4cfbb7bce287f56e3bb7a7cef0b7b5173ed889d936d4c470f2b1b83 \ - --hash=sha256:f6224a322267570e0470c61008fd1c8e2f50bf073b339f4c3010da86aef3c44c +uv==0.4.30 \ + --hash=sha256:0c89f2eff63a08d04e81629611f43b1ffa668af6de0382b95a71599af7d4b77c \ + --hash=sha256:1a83df281c5d900b4758b1a3969b3cff57231f9027db8508b71dce1f2da78684 \ + --hash=sha256:232575f30ed971ea32d4a525b7146c4b088a07ed6e70a31da63792d563fcac44 \ + --hash=sha256:353617bfcf72e1eabade426d83fb86a69d11273d1612aabc3f4566d41c596c97 \ + 
--hash=sha256:444468ad0e94b35cbf6acfc8a28589cfe1247136d43895e60a18955ff89a07ad \ + --hash=sha256:44c5aeb5b374f9fd1083959934daa9020db3610f0405198c5e3d8ec1f23d961d \ + --hash=sha256:4aecd9fb39cf018e129627090a1d35af2b0184bb87078d573c9998f5e4072416 \ + --hash=sha256:4d41d09cabba1988728c2d9b9ad25f79233c2aa3d6ecd724c36f4678c4c89711 \ + --hash=sha256:4ddad09385221fa5c609169e4a0dd5bee27cf56c1dc450d4cdc113122c54bb09 \ + --hash=sha256:63196143f45018364c450ba94279a5bcff8562c14ba63deb41a92ed30baa6e22 \ + --hash=sha256:6395820540f368f622e818735862abd633dfe7e729c450fca56b65bab4b46661 \ + --hash=sha256:7f09bd6a853767863e2fb905f0eb1a0ed7afa9ea118852e5c02d2b451944e1cf \ + --hash=sha256:9e17a799c6279800996828e10288ca8ccc40cc883d8998802b938aa671dfa9ce \ + --hash=sha256:9ed0183e747065b9b1bcfb699ff10df671ebe6259709ce83e709f86cea564aee \ + --hash=sha256:d9de718380e2f167243ca5e1dccea781e06404158442491255fec5955d57fed9 \ + --hash=sha256:dedcae3619f0eb181459b597fefefd99cb21fe5a5a48a530be6f5ad934399bfb \ + --hash=sha256:ea55ca0fe5bdd04e46deaf395b3daf4fa92392f774e83610d066a2b272af5d3f \ + --hash=sha256:f63d6646acdf2f38a5afca9fb9eeac62efa663a57f3c134f735a5f575b4e748f From 26b293c3d74773146f0aed33d021a78677333f6b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 5 Nov 2024 09:27:17 -0500 Subject: [PATCH 1327/1462] Added a certificate field to verification error. (#11882) refs #11160 --- .../cryptography-x509-verification/src/lib.rs | 63 ++++++++-------- .../cryptography-x509-verification/src/ops.rs | 17 +++++ .../src/policy/extension.rs | 74 ++++++++++--------- .../src/policy/mod.rs | 41 +++++----- src/rust/src/x509/verify.rs | 2 +- 5 files changed, 114 insertions(+), 83 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 1e6219b09e6a..ab73cd209113 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs 
@@ -32,9 +32,8 @@ use crate::types::DNSName; use crate::types::{DNSConstraint, IPAddress, IPConstraint}; use crate::ApplyNameConstraintStatus::{Applied, Skipped}; -#[derive(Debug)] -pub enum ValidationErrorKind { - CandidatesExhausted(Box), +pub enum ValidationErrorKind<'chain, B: CryptoOps> { + CandidatesExhausted(Box>), Malformed(asn1::ParseError), ExtensionError { oid: ObjectIdentifier, @@ -43,26 +42,28 @@ pub enum ValidationErrorKind { FatalError(&'static str), Other(String), } -#[derive(Debug)] -pub struct ValidationError { - kind: ValidationErrorKind, + +pub struct ValidationError<'chain, B: CryptoOps> { + kind: ValidationErrorKind<'chain, B>, + #[allow(dead_code)] + cert: Option>, } -impl ValidationError { - pub(crate) fn new(kind: ValidationErrorKind) -> ValidationError { - ValidationError { kind } +impl<'chain, B: CryptoOps> ValidationError<'chain, B> { + pub(crate) fn new(kind: ValidationErrorKind<'chain, B>) -> Self { + ValidationError { kind, cert: None } } } -pub type ValidationResult = Result; +pub type ValidationResult<'chain, T, B> = Result>; -impl From for ValidationError { +impl From for ValidationError<'_, B> { fn from(value: asn1::ParseError) -> Self { Self::new(ValidationErrorKind::Malformed(value)) } } -impl From for ValidationError { +impl From for ValidationError<'_, B> { fn from(value: DuplicateExtensionsError) -> Self { Self::new(ValidationErrorKind::ExtensionError { oid: value.0, @@ -71,7 +72,7 @@ impl From for ValidationError { } } -impl Display for ValidationError { +impl Display for ValidationError<'_, B> { fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { match &self.kind { ValidationErrorKind::CandidatesExhausted(inner) => { 
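Review bot: Removing `#[derive(Debug)]` from `ValidationErrorKind` and `ValidationError` leaves both public error types without a `Debug` impl, so a `ValidationResult` can no longer be passed to `unwrap()` or `expect()`, and the `{e:?}` formatting in `src/rust/src/x509/verify.rs` had to become `{e}` in the same commit. The derive was presumably dropped because it would add a `B: Debug` bound. A hand-written impl avoids that bound by reusing the existing `Display` impl together with the `Debug` impl this commit adds for `VerificationCertificate`.

```rust
impl<B: CryptoOps> std::fmt::Debug for ValidationError<'_, B> {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("ValidationError")
            // Display already renders `kind` and needs no `B: Debug` bound.
            .field("kind", &format_args!("{}", self))
            .field("cert", &self.cert)
            .finish()
    }
}
```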
@@ -101,7 +102,7 @@ impl Budget { } } - fn name_constraint_check(&mut self) -> ValidationResult<()> { + fn name_constraint_check<'chain, B: CryptoOps>(&mut self) -> ValidationResult<'chain, (), B> { self.name_constraint_checks = self.name_constraint_checks.checked_sub(1).ok_or_else(|| { ValidationError::new(ValidationErrorKind::FatalError( @@ -118,11 +119,11 @@ struct NameChain<'a, 'chain> { } impl<'a, 'chain> NameChain<'a, 'chain> { - fn new( + fn new( child: Option<&'a NameChain<'a, 'chain>>, extensions: &Extensions<'chain>, self_issued_intermediate: bool, - ) -> ValidationResult { + ) -> ValidationResult<'chain, Self, B> { let sans = match ( self_issued_intermediate, extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID), @@ -136,12 +137,12 @@ impl<'a, 'chain> NameChain<'a, 'chain> { Ok(Self { child, sans }) } - fn evaluate_single_constraint( + fn evaluate_single_constraint( &self, constraint: &GeneralName<'chain>, san: &GeneralName<'chain>, budget: &mut Budget, - ) -> ValidationResult { + ) -> ValidationResult<'chain, ApplyNameConstraintStatus, B> { budget.name_constraint_check()?; match (constraint, san) { @@ -205,11 +206,11 @@ impl<'a, 'chain> NameChain<'a, 'chain> { } } - fn evaluate_constraints( + fn evaluate_constraints( &self, constraints: &NameConstraints<'chain>, budget: &mut Budget, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { if let Some(child) = self.child { child.evaluate_constraints(constraints, budget)?; } @@ -258,7 +259,7 @@ pub fn verify<'chain, B: CryptoOps>( intermediates: &[VerificationCertificate<'chain, B>], policy: &Policy<'_, B>, store: &Store<'chain, B>, -) -> ValidationResult> { +) -> ValidationResult<'chain, Chain<'chain, B>, B> { let builder = ChainBuilder::new(intermediates, policy, store); let mut budget = Budget::new(); 
@@ -324,7 +325,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { working_cert_extensions: &Extensions<'chain>, name_chain: NameChain<'_, 'chain>, budget: &mut Budget, - ) -> ValidationResult> { + ) -> ValidationResult<'chain, Chain<'chain, B>, B> { if let Some(nc) = working_cert_extensions.get_extension(&NAME_CONSTRAINTS_OID) { name_chain.evaluate_constraints(&nc.value()?, budget)?; } @@ -346,7 +347,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // Otherwise, we collect a list of potential issuers for this cert, // and continue with the first that verifies. - let mut last_err: Option = None; + let mut last_err: Option> = None; for issuing_cert_candidate in self.potential_issuers(working_cert) { // A candidate issuer is said to verify if it both // signs for the working certificate and conforms to the @@ -402,6 +403,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { Err( e @ ValidationError { kind: ValidationErrorKind::FatalError(..), + cert: _, }, ) => return Err(e), Err(e) => last_err = Some(e), @@ -424,6 +426,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // Avoid spamming the user with nested `CandidatesExhausted` errors. ValidationError { kind: ValidationErrorKind::CandidatesExhausted(e), + cert: _, } => e, _ => Box::new(e), }, @@ -435,7 +438,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { &self, leaf: &VerificationCertificate<'chain, B>, budget: &mut Budget, - ) -> ValidationResult> { + ) -> ValidationResult<'chain, Chain<'chain, B>, B> { // Before anything else, check whether the given leaf cert // is well-formed according to our policy (and its underlying // certificate profile). 
@@ -464,16 +467,17 @@ mod tests { use asn1::ParseError; use cryptography_x509::oid::SUBJECT_ALTERNATIVE_NAME_OID; + use crate::certificate::tests::PublicKeyErrorOps; use crate::{ValidationError, ValidationErrorKind}; #[test] fn test_validationerror_display() { - let err = ValidationError::new(ValidationErrorKind::Malformed(ParseError::new( - asn1::ParseErrorKind::InvalidLength, - ))); + let err = ValidationError::::new(ValidationErrorKind::Malformed( + ParseError::new(asn1::ParseErrorKind::InvalidLength), + )); assert_eq!(err.to_string(), "ASN.1 parsing error: invalid length"); - let err = ValidationError::new(ValidationErrorKind::ExtensionError { + let err = ValidationError::::new(ValidationErrorKind::ExtensionError { oid: SUBJECT_ALTERNATIVE_NAME_OID, reason: "duplicate extension", }); @@ -482,7 +486,8 @@ mod tests { "invalid extension: 2.5.29.17: duplicate extension" ); - let err = ValidationError::new(ValidationErrorKind::FatalError("oops")); + let err = + ValidationError::::new(ValidationErrorKind::FatalError("oops")); assert_eq!(err.to_string(), "fatal error: oops"); } } diff --git a/src/rust/cryptography-x509-verification/src/ops.rs b/src/rust/cryptography-x509-verification/src/ops.rs index adbb7681d649..05cca823fdc3 100644 --- a/src/rust/cryptography-x509-verification/src/ops.rs +++ b/src/rust/cryptography-x509-verification/src/ops.rs @@ -33,6 +33,12 @@ impl<'a, B: CryptoOps> VerificationCertificate<'a, B> { } } +impl std::fmt::Debug for VerificationCertificate<'_, B> { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + f.debug_struct("VerificationCertificate").finish() + } +} + impl PartialEq for VerificationCertificate<'_, B> { fn eq(&self, other: &Self) -> bool { self.cert == other.cert 
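Review bot: The new `Debug` impl for `VerificationCertificate` in `ops.rs` prints only the type name, so debug output gives no sign that fields were left out. Ending the builder with `f.debug_struct("VerificationCertificate").finish_non_exhaustive()` would render `VerificationCertificate { .. }` and make the omission explicit; the string asserted in `test_verification_certificate_debug` would need the same update. A comment such as `// Hand-written so that no Debug bound is needed on the backend type; no fields are printed.` would record why the impl is not derived, if that is the reason.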
@@ -84,6 +90,8 @@ pub trait CryptoOps { #[cfg(test)] pub(crate) mod tests { + use super::VerificationCertificate; + use crate::certificate::tests::PublicKeyErrorOps; use cryptography_x509::certificate::Certificate; pub(crate) fn v1_cert_pem() -> pem::Pem { @@ -106,4 +114,13 @@ zl9HYIMxATFyqSiD9jsx pub(crate) fn cert(cert_pem: &pem::Pem) -> Certificate<'_> { asn1::parse_single(cert_pem.contents()).unwrap() } + + #[test] + fn test_verification_certificate_debug() { + let p = v1_cert_pem(); + let c = cert(&p); + let vc = VerificationCertificate::::new(&c, ()); + + assert_eq!(format!("{:?}", vc), "VerificationCertificate"); + } } diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs index c17d66caecf4..a6b93fde8050 100644 --- a/src/rust/cryptography-x509-verification/src/policy/extension.rs +++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs @@ -28,12 +28,12 @@ pub(crate) struct ExtensionPolicy { } impl ExtensionPolicy { - pub(crate) fn permits( + pub(crate) fn permits<'chain>( &self, policy: &Policy<'_, B>, - cert: &Certificate<'_>, + cert: &Certificate<'chain>, extensions: &Extensions<'_>, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { let mut authority_information_access_seen = false; let mut authority_key_identifier_seen = false; let mut subject_key_identifier_seen = false; 
@@ -146,11 +146,17 @@ impl Criticality { } } -type PresentExtensionValidatorCallback = - fn(&Policy<'_, B>, &Certificate<'_>, &Extension<'_>) -> ValidationResult<()>; +type PresentExtensionValidatorCallback = for<'chain> fn( + &Policy<'_, B>, + &Certificate<'chain>, + &Extension<'_>, +) -> ValidationResult<'chain, (), B>; -type MaybeExtensionValidatorCallback = - fn(&Policy<'_, B>, &Certificate<'_>, Option<&Extension<'_>>) -> ValidationResult<()>; +type MaybeExtensionValidatorCallback = for<'chain> fn( + &Policy<'_, B>, + &Certificate<'chain>, + Option<&Extension<'_>>, +) -> ValidationResult<'chain, (), B>; /// Represents different validation states for an extension. pub(crate) enum ExtensionValidator { @@ -197,12 +203,12 @@ impl ExtensionValidator { } } - pub(crate) fn permits( + pub(crate) fn permits<'chain>( &self, policy: &Policy<'_, B>, - cert: &Certificate<'_>, + cert: &Certificate<'chain>, extension: Option<&Extension<'_>>, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { match (self, extension) { // Extension MUST NOT be present and isn't; OK. (ExtensionValidator::NotPresent, None) => Ok(()), @@ -272,11 +278,11 @@ pub(crate) mod ee { policy::{Policy, ValidationError, ValidationErrorKind, ValidationResult}, }; - pub(crate) fn basic_constraints( + pub(crate) fn basic_constraints<'chain, B: CryptoOps>( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { if let Some(extn) = extn { let basic_constraints: BasicConstraints = extn.value()?; 
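Review bot: `ee::basic_constraints` declares `'chain` as a free lifetime on the result while still taking `_cert: &Certificate<'_>`, whereas the `PresentExtensionValidatorCallback` and `MaybeExtensionValidatorCallback` aliases and `ExtensionValidator::permits` in the same file tie the result to `cert: &Certificate<'chain>`. The same shape repeats in the other `ee`, `ca` and `common` validators, in the two test validators, and in `Policy::permits_basic` in `policy/mod.rs`. It is harmless while these functions never attach a certificate to the error, but the signatures will need another pass before one can be attached, and they read inconsistently next to the aliases. Writing the parameter as `_cert: &Certificate<'chain>` in each of them would keep one convention throughout.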
@@ -290,11 +296,11 @@ pub(crate) mod ee { Ok(()) } - pub(crate) fn subject_alternative_name( + pub(crate) fn subject_alternative_name<'chain, B: CryptoOps>( policy: &Policy<'_, B>, cert: &Certificate<'_>, extn: &Extension<'_>, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { match (cert.subject().is_empty(), extn.critical) { // If the subject is empty, the SAN MUST be critical. (true, false) => { @@ -327,11 +333,11 @@ pub(crate) mod ee { Ok(()) } - pub(crate) fn extended_key_usage( + pub(crate) fn extended_key_usage<'chain, B: CryptoOps>( policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { if let Some(extn) = extn { let mut ekus: ExtendedKeyUsage<'_> = extn.value()?; @@ -353,11 +359,11 @@ pub(crate) mod ee { } } - pub(crate) fn key_usage( + pub(crate) fn key_usage<'chain, B: CryptoOps>( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { if let Some(extn) = extn { let key_usage: KeyUsage<'_> = extn.value()?; @@ -387,11 +393,11 @@ pub(crate) mod ca { policy::{Policy, ValidationError, ValidationErrorKind, ValidationResult}, }; - pub(crate) fn authority_key_identifier( + pub(crate) fn authority_key_identifier<'chain, B: CryptoOps>( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { // CABF: AKI is required on all CA certificates *except* root CA certificates, // where is it merely recommended. This is slightly different from RFC 5280, // which requires AKI on all CA certificates *except* self-signed root CA certificates. 
@@ -430,11 +436,11 @@ pub(crate) mod ca { Ok(()) } - pub(crate) fn key_usage( + pub(crate) fn key_usage<'chain, B: CryptoOps>( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: &Extension<'_>, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { let key_usage: KeyUsage<'_> = extn.value()?; if !key_usage.key_cert_sign() { @@ -446,11 +452,11 @@ pub(crate) mod ca { Ok(()) } - pub(crate) fn basic_constraints( + pub(crate) fn basic_constraints<'chain, B: CryptoOps>( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: &Extension<'_>, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { let basic_constraints: BasicConstraints = extn.value()?; if !basic_constraints.ca { @@ -466,11 +472,11 @@ pub(crate) mod ca { Ok(()) } - pub(crate) fn name_constraints( + pub(crate) fn name_constraints<'chain, B: CryptoOps>( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { if let Some(extn) = extn { let name_constraints: NameConstraints<'_> = extn.value()?; @@ -498,11 +504,11 @@ pub(crate) mod ca { Ok(()) } - pub(crate) fn extended_key_usage( + pub(crate) fn extended_key_usage<'chain, B: CryptoOps>( policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { if let Some(extn) = extn { let mut ekus: ExtendedKeyUsage<'_> = extn.value()?; @@ -532,11 +538,11 @@ pub(crate) mod common { policy::{Policy, ValidationResult}, }; - pub(crate) fn authority_information_access( + pub(crate) fn authority_information_access<'chain, B: CryptoOps>( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { if let Some(extn) = extn { // We don't currently do anything useful with these, but we // do check that they're well-formed. 
@@ -594,11 +600,11 @@ mod tests { asn1::write_single(&ext).unwrap() } - fn present_extension_validator( + fn present_extension_validator<'chain, B: CryptoOps>( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, _ext: &Extension<'_>, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { Ok(()) } @@ -634,11 +640,11 @@ mod tests { assert!(extension_validator.permits(&policy, &cert, None).is_err()); } - fn maybe_extension_validator( + fn maybe_extension_validator<'chain, B: CryptoOps>( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, _ext: Option<&Extension<'_>>, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { Ok(()) } diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index daeb396e4163..e13e1afcbf1a 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -373,7 +373,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ) } - fn permits_basic(&self, cert: &Certificate<'_>) -> ValidationResult<()> { + fn permits_basic<'chain>(&self, cert: &Certificate<'_>) -> ValidationResult<'chain, (), B> { // CA/B 7.1.1: // Certificates MUST be of type X.509 v3. if cert.tbs_cert.version != 2 { @@ -436,12 +436,12 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } /// Checks whether the given CA certificate is compatible with this policy. - pub(crate) fn permits_ca( + pub(crate) fn permits_ca<'chain>( &self, - cert: &Certificate<'_>, + cert: &Certificate<'chain>, current_depth: u8, extensions: &Extensions<'_>, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { self.permits_basic(cert)?; // 5280 4.1.2.6: Subject 
@@ -476,11 +476,11 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } /// Checks whether the given EE certificate is compatible with this policy. - pub(crate) fn permits_ee( + pub(crate) fn permits_ee<'chain>( &self, - cert: &Certificate<'_>, + cert: &Certificate<'chain>, extensions: &Extensions<'_>, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { self.permits_basic(cert)?; self.ee_extension_policy.permits(self, cert, extensions)?; @@ -501,13 +501,13 @@ impl<'a, B: CryptoOps> Policy<'a, B> { /// may or may not be a higher number than the original depth, depending /// on the kind of validation performed (e.g., whether the issuer was /// self-issued). - pub(crate) fn valid_issuer( + pub(crate) fn valid_issuer<'chain>( &self, - issuer: &VerificationCertificate<'_, B>, - child: &VerificationCertificate<'_, B>, + issuer: &VerificationCertificate<'chain, B>, + child: &VerificationCertificate<'chain, B>, current_depth: u8, issuer_extensions: &Extensions<'_>, - ) -> ValidationResult<()> { + ) -> ValidationResult<'chain, (), B> { // The issuer needs to be a valid CA at the current depth. self.permits_ca(issuer.certificate(), current_depth, issuer_extensions)?; @@ -576,7 +576,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } } -fn permits_validity_date(validity_date: &Time) -> ValidationResult<()> { +fn permits_validity_date<'chain, B: CryptoOps>( + validity_date: &Time, +) -> ValidationResult<'chain, (), B> { const GENERALIZED_DATE_INVALIDITY_RANGE: Range = 1950..2050; // NOTE: The inverse check on `asn1::UtcTime` is already done for us @@ -608,6 +610,7 @@ mod tests { RSASSA_PKCS1V15_SHA384, RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, RSASSA_PSS_SHA512, WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS, }; + use crate::certificate::tests::PublicKeyErrorOps; use crate::{ policy::{ Subject, SPKI_RSA, SPKI_SECP256R1, SPKI_SECP384R1, SPKI_SECP521R1, 
@@ -777,8 +780,8 @@ mod tests { let utc_validity = Time::UtcTime(asn1::UtcTime::new(utc_dt).unwrap()); let generalized_validity = Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); - assert!(permits_validity_date(&utc_validity).is_ok()); - assert!(permits_validity_date(&generalized_validity).is_err()); + assert!(permits_validity_date::(&utc_validity).is_ok()); + assert!(permits_validity_date::(&generalized_validity).is_err()); } { // 2049 date. @@ -787,8 +790,8 @@ mod tests { let utc_validity = Time::UtcTime(asn1::UtcTime::new(utc_dt).unwrap()); let generalized_validity = Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); - assert!(permits_validity_date(&utc_validity).is_ok()); - assert!(permits_validity_date(&generalized_validity).is_err()); + assert!(permits_validity_date::(&utc_validity).is_ok()); + assert!(permits_validity_date::(&generalized_validity).is_err()); } { // 2050 date. @@ -797,7 +800,7 @@ mod tests { assert!(asn1::UtcTime::new(utc_dt).is_err()); let generalized_validity = Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); - assert!(permits_validity_date(&generalized_validity).is_ok()); + assert!(permits_validity_date::(&generalized_validity).is_ok()); } { // 2051 date. @@ -807,7 +810,7 @@ mod tests { assert!(asn1::UtcTime::new(utc_dt).is_err()); let generalized_validity = Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); - assert!(permits_validity_date(&generalized_validity).is_ok()); + assert!(permits_validity_date::(&generalized_validity).is_ok()); } { // Post-2050 date. @@ -817,7 +820,7 @@ mod tests { assert!(asn1::UtcTime::new(utc_dt).is_err()); let generalized_validity = Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); - assert!(permits_validity_date(&generalized_validity).is_ok()); + assert!(permits_validity_date::(&generalized_validity).is_ok()); } } } 
diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 2483544710df..0d67c5077ae5 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -380,7 +380,7 @@ impl PyServerVerifier { policy, store.raw.borrow_dependent(), ) - .map_err(|e| VerificationError::new_err(format!("validation failed: {e:?}")))?; + .map_err(|e| VerificationError::new_err(format!("validation failed: {e}")))?; let result = pyo3::types::PyList::empty_bound(py); for c in chain { From 5b425ec41640356bcf820dfaf1ac3de5e6a4d35a Mon Sep 17 00:00:00 2001 From: Quentin Retourne <32574188+nitneuqr@users.noreply.github.com> Date: Tue, 5 Nov 2024 23:29:26 +0100 Subject: [PATCH 1328/1462] added new vectors for PKCS7 tests (#11843) * added new vectors for PKCS7 tests * some corrections in the documentation * removed RSA CA, not using it anymore --- docs/development/test-vectors.rst | 3 +++ .../pkcs7/enveloped-aes-256-cbc.pem | 16 ++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 vectors/cryptography_vectors/pkcs7/enveloped-aes-256-cbc.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 3714b17d4581..540b984c617b 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -860,6 +860,9 @@ Custom PKCS7 Test Vectors * ``pkcs7/amazon-roots.der`` - A DER encoded PCKS7 file containing Amazon Root CA 2 and 3 generated by OpenSSL. * ``pkcs7/enveloped.pem`` - A PEM encoded PKCS7 file with enveloped data. +* ``pkcs7/enveloped-aes-256-cbc.pem`` - A PEM encoded PKCS7 file with + enveloped data, encrypted using AES-256-CBC under the public key of + ``x509/custom/ca/rsa_ca.pem``. Custom OpenSSH Test Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/vectors/cryptography_vectors/pkcs7/enveloped-aes-256-cbc.pem b/vectors/cryptography_vectors/pkcs7/enveloped-aes-256-cbc.pem new file mode 100644 index 000000000000..bddac0b4ea30 --- /dev/null 
+++ b/vectors/cryptography_vectors/pkcs7/enveloped-aes-256-cbc.pem @@ -0,0 +1,16 @@ +-----BEGIN PKCS7----- +MIICmwYJKoZIhvcNAQcDoIICjDCCAogCAQAxggJDMIICPwIBADAnMBoxGDAWBgNV +BAMMD2NyeXB0b2dyYXBoeSBDQQIJAOcS06ClbtbJMA0GCSqGSIb3DQEBAQUABIIC +ACTeTHyg8zwnBdhLFogSBMInoAqc8HHZ+3vRN57MJ9UA4MIkqgrUEMg2sYwNkpuS +pT3B0tw3CbrJwL4SemPul1FuYMluTRdhJuI9wskR9BvE6d+BlmnFSjNGdt1y9RM+ +7ZqViXGA2t2HVRQ42Q43tkDUL7gMzveYZ1LxG1d+GNbfKLHVqJLokIe+IQYtyRay +3Tck7l/cC2VpI9lwmF+DugpZbagmb3pSij/ZSzzub3PwNp4YaL2YSa1Vkswdm3LD +jhOMSKyw7jIn2e9gQ3VI8vzh/38OFFFoKq7sAGvNGSLDbCHm6AKvOylksnTCUBF2 +6mbNWaaNpRjCQU+8N5/1UblJAs/voG+hGuWbGjS6z4v6mYvIr5731rQjxYbIpZRT +B6+lu9sCbwHuYQKe8MBlsn0+Y/o7l25m+xOfeRK1UGViUNV+2G2SQKY2CnfBoPis +lZSwKv1mfYifT1bsVyTsDWi0yr3BdbhVRI4pLziNrMFJ5tJhN2Y8HB2FGLlmzJtM +YRyljlMtj3YrYnhX82dKIwlrLfoWYP90tiiGh3DlqUTVCj4Y/IBmFGF6VpKWYZ0F +1VGwR8dDt0a0IonoBo3T4OtqUStlMkWgwGyNlauZnXt4jHoP5ECZ23TLpAtLCgUE +BuTiSXYFHaz+ToomhzTqrqznhLf9PRV+TM96/66xYdSYMDwGCSqGSIb3DQEHATAd +BglghkgBZQMEASoEEFSk9vw7RRWfjkB3sVedCgqAEPYXgbXvcA4rj2DCHA80Etg= +-----END PKCS7----- From e300ce5b79742461bae4eb129ae9b851a9dee216 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 6 Nov 2024 00:17:49 +0000 Subject: [PATCH 1329/1462] Bump BoringSSL and/or OpenSSL in CI (#11901) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 16f13026e30e..58db6b0accb9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -47,8 +47,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Nov 04, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ddc0647304a8ed854b2d84117f095a5f73571d37"}} - # Latest commit on the OpenSSL master branch, as of Nov 05, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b9881e8eb1962607a3a920347c4cad6e2566727c"}} + # Latest commit on the OpenSSL master branch, as of Nov 06, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e899361b982651dfa2316e06e56637bc21624ce2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 05a3dc6ee8d626574594c6507972b105e7db6f3c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 5 Nov 2024 19:56:05 -0500 Subject: [PATCH 1330/1462] Bump x509-limbo and/or wycheproof in CI (#11902) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 83ad8566f371..5769e646553d 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Nov 05, 2024. - ref: "13f9e1cc9c216eb746de1a3898ad37e014fc7291" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Nov 06, 2024. + ref: "753dc760a8413a034cf22e7ff1d527772d472528" # x509-limbo-ref From 7a7f916e0375cc01b7c5e798107a23179bd2ce57 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Wed, 6 Nov 2024 04:50:30 -0500 Subject: [PATCH 1331/1462] fixes #11160 -- include the cert in the error message for verification error (#11898) --- .../cryptography-x509-verification/src/lib.rs | 13 +++++++++++-- .../src/policy/mod.rs | 3 ++- src/rust/src/x509/verify.rs | 17 +++++++++++++++-- tests/x509/verification/test_verification.py | 18 ++++++++++++++++++ 4 files changed, 46 insertions(+), 5 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index ab73cd209113..730a9ac4fbd4 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -45,7 +45,6 @@ pub enum ValidationErrorKind<'chain, B: CryptoOps> { pub struct ValidationError<'chain, B: CryptoOps> { kind: ValidationErrorKind<'chain, B>, - #[allow(dead_code)] cert: Option>, } @@ -53,6 +52,15 @@ impl<'chain, B: CryptoOps> ValidationError<'chain, B> { pub(crate) fn new(kind: ValidationErrorKind<'chain, B>) -> Self { ValidationError { kind, cert: None } } + + pub(crate) fn set_cert(mut self, cert: VerificationCertificate<'chain, B>) -> Self { + self.cert = Some(cert); + self + } + + pub fn certificate(&self) -> Option<&VerificationCertificate<'chain, B>> { + self.cert.as_ref() + } } pub type ValidationResult<'chain, T, B> = Result>; @@ -447,7 +455,8 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { let leaf_extensions = leaf.certificate().extensions()?; self.policy - .permits_ee(leaf.certificate(), &leaf_extensions)?; + .permits_ee(leaf.certificate(), &leaf_extensions) + .map_err(|e| e.set_cert(leaf.clone()))?; let mut chain = self.build_chain_inner( leaf, diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index e13e1afcbf1a..f124d17d3a69 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs 
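Review bot: The new public accessor `certificate()` on `ValidationError` (second lib.rs hunk) has no doc comment, and its `None` case is easy to misread. `ValidationError::new` still sets `cert: None`, and in this commit only the `permits_ee` and `permits_ca` call sites attach a certificate, so callers cannot assume one is present. I would add `/// Returns the certificate that was being processed when this error was raised, or None if no certificate was attached.` above `certificate()`, and a one-line comment on `set_cert`. The `impl` block continues outside the hunk.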
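Review bot: `leaf.certificate().extensions()?`, the context line just above the changed call in the third lib.rs hunk, still propagates its error with no certificate attached. A leaf whose extensions fail to parse therefore presumably produces an error whose `certificate()` is `None`, while a policy failure on the same leaf names it. If leaf-level failures are meant to always identify the leaf, that line needs the same treatment, for example `.map_err(|e| ValidationError::from(e).set_cert(leaf.clone()))?`, assuming the conversion that `?` already relies on there. The enclosing function starts and ends outside the hunk.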
+++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -509,7 +509,8 @@ impl<'a, B: CryptoOps> Policy<'a, B> { issuer_extensions: &Extensions<'_>, ) -> ValidationResult<'chain, (), B> { // The issuer needs to be a valid CA at the current depth. - self.permits_ca(issuer.certificate(), current_depth, issuer_extensions)?; + self.permits_ca(issuer.certificate(), current_depth, issuer_extensions) + .map_err(|e| e.set_cert(issuer.clone()))?; // CA/B 7.1.3.1 SubjectPublicKeyInfo // NOTE: We check the issuer's SPKI here, since the issuer is diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 0d67c5077ae5..20121f0a4764 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -296,7 +296,7 @@ impl PyClientVerifier { policy, store.raw.borrow_dependent(), ) - .map_err(|e| VerificationError::new_err(format!("validation failed: {e}")))?; + .or_else(|e| handle_validation_error(py, e))?; let py_chain = pyo3::types::PyList::empty_bound(py); for c in &chain { @@ -380,7 +380,7 @@ impl PyServerVerifier { policy, store.raw.borrow_dependent(), ) - .map_err(|e| VerificationError::new_err(format!("validation failed: {e}")))?; + .or_else(|e| handle_validation_error(py, e))?; let result = pyo3::types::PyList::empty_bound(py); for c in chain { @@ -437,6 +437,19 @@ fn build_subject<'a>( } } +fn handle_validation_error( + py: pyo3::Python<'_>, + e: cryptography_x509_verification::ValidationError<'_, PyCryptoOps>, +) -> CryptographyResult { + let mut msg = format!("validation failed: {e}"); + if let Some(cert) = e.certificate() { + let cert_repr = cert.extra().bind(py).repr()?; + msg = format!("{msg} (encountered processing {cert_repr})"); + } + + Err(CryptographyError::from(VerificationError::new_err(msg))) +} + type PyCryptoOpsStore<'a> = Store<'a, PyCryptoOps>; self_cell::self_cell!( diff --git a/tests/x509/verification/test_verification.py b/tests/x509/verification/test_verification.py index 1d2f9261c57d..879f41c3eb77 100644 
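Review bot: In `handle_validation_error`, `cert.extra().bind(py).repr()?` lets a failure while formatting the certificate replace the `VerificationError`, so a caller that catches only `VerificationError` would see a different exception type for what is still a failed validation. Falling back to the plain message keeps the exception type stable: `if let Ok(cert_repr) = cert.extra().bind(py).repr() { msg = format!("{msg} (encountered processing {cert_repr})"); }`. The message now also carries text derived from a certificate that failed validation, which presumably includes fields chosen by an untrusted peer. A comment such as `// cert_repr comes from an unvalidated certificate; treat the message as untrusted text when logging or displaying it` would make that explicit for maintainers.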
--- a/tests/x509/verification/test_verification.py +++ b/tests/x509/verification/test_verification.py @@ -204,3 +204,21 @@ def test_verify_tz_aware(self, validation_time, valid): match="cert is not valid at validation time", ): verifier.verify(leaf, []) + + def test_error_message(self): + # expires 2018-11-16 01:15:03 UTC + leaf = _load_cert( + os.path.join("x509", "cryptography.io.pem"), + x509.load_pem_x509_certificate, + ) + + store = Store([leaf]) + + builder = PolicyBuilder().store(store) + verifier = builder.build_server_verifier(DNSName("cryptography.io")) + + with pytest.raises( + x509.verification.VerificationError, + match=r"", + ): + verifier.verify(leaf, []) From c804519c708b227dca2222f76dbc42d5b2b053d9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Nov 2024 11:32:17 +0000 Subject: [PATCH 1332/1462] Bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0 (#11905) Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.11.0 to 1.12.0. - [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases) - [Commits](https://github.com/pypa/gh-action-pypi-publish/compare/fb13cb306901256ace3dab689990e13a5550ffaa...61da13deb5f5124fb1536194f82ed3d9bbc7e8f3) --- updated-dependencies: - dependency-name: pypa/gh-action-pypi-publish dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 9697eec28683..49360ea4018e 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml 
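Review bot: `test_error_message` as shown passes `match=r""` to `pytest.raises`, and an empty pattern matches any message, so the test would pass even without the `(encountered processing ...)` suffix. If the pattern was not simply lost when this page was rendered, it should pin that suffix, for example `match=r"encountered processing"`. The test also reaches only the leaf path (`permits_ee`) through the server verifier. The issuer path (`permits_ca`) and `PyClientVerifier`, both changed in the same commit, are not exercised by it.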
@@ -52,7 +52,7 @@ jobs: find tmpdist/ -type f -name 'cryptography*' -exec mv {} dist/ \; - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@fb13cb306901256ace3dab689990e13a5550ffaa # v1.11.0 + uses: pypa/gh-action-pypi-publish@61da13deb5f5124fb1536194f82ed3d9bbc7e8f3 # v1.12.0 with: repository-url: ${{ env.PYPI_URL }} skip-existing: true From acaffdfcdd83a7f619e9ceb7d17513c4afd3164e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Nov 2024 11:35:33 +0000 Subject: [PATCH 1333/1462] Bump pyo3 from 0.22.5 to 0.22.6 (#11906) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.22.5 to 0.22.6. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/v0.22.6/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.22.5...v0.22.6) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 20 ++++++++++---------- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-keepalive/Cargo.toml | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 82c984fd6a88..58a3e69c25c1 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -250,9 +250,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.22.5" +version = "0.22.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d922163ba1f79c04bc49073ba7b32fd5a8d3b76a87c955921234b8e77333c51" +checksum = "f402062616ab18202ae8319da13fa4279883a2b8a9d9f83f20dbade813ce1884" dependencies = [ "cfg-if", "indoc", 
@@ -268,9 +268,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.22.5" +version = "0.22.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc38c5feeb496c8321091edf3d63e9a6829eab4b863b4a6a65f26f3e9cc6b179" +checksum = "b14b5775b5ff446dd1056212d778012cbe8a0fbffd368029fd9e25b514479c38" dependencies = [ "once_cell", "target-lexicon", @@ -278,9 +278,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.22.5" +version = "0.22.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "94845622d88ae274d2729fcefc850e63d7a3ddff5e3ce11bd88486db9f1d357d" +checksum = "9ab5bcf04a2cdcbb50c7d6105de943f543f9ed92af55818fd17b660390fc8636" dependencies = [ "libc", "pyo3-build-config", @@ -288,9 +288,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.22.5" +version = "0.22.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e655aad15e09b94ffdb3ce3d217acf652e26bbc37697ef012f5e5e348c716e5e" +checksum = "0fd24d897903a9e6d80b968368a34e1525aeb719d568dba8b3d4bfa5dc67d453" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -300,9 +300,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.22.5" +version = "0.22.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ae1e3f09eecd94618f60a455a23def79f79eba4dc561a97324bf9ac8c6df30ce" +checksum = "36c011a03ba1e50152b4b394b479826cad97e7a21eb52df179cd91ac411cbfbe" dependencies = [ "heck", "proc-macro2", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 92064793e1cd..96846d3427ce 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml 
@@ -9,7 +9,7 @@ rust-version.workspace = true [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.22.5", features = ["abi3"] } +pyo3 = { version = "0.22.6", features = ["abi3"] } asn1 = { version = "0.18.0", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 87d328ced9a0..b4c12aa059ce 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -7,7 +7,7 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.5", features = ["abi3"] } +pyo3 = { version = "0.22.6", features = ["abi3"] } openssl-sys = "0.9.104" [build-dependencies] diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml index e207b3f4ada4..8e27bd18b055 100644 --- a/src/rust/cryptography-keepalive/Cargo.toml +++ b/src/rust/cryptography-keepalive/Cargo.toml @@ -7,4 +7,4 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.5", features = ["abi3"] } +pyo3 = { version = "0.22.6", features = ["abi3"] } From 916fd46c25424df4621efe4d0c263c3596ee5eff Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Nov 2024 11:44:25 +0000 Subject: [PATCH 1334/1462] Bump cc from 1.1.34 to 1.1.36 (#11907) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.34 to 1.1.36. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.34...cc-v1.1.36) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 58a3e69c25c1..0da910e9cd1b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.34" +version = "1.1.36" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "67b9470d453346108f93a59222a9a1a5724db32d0a4727b7ab7ace4b4d822dc9" +checksum = "baee610e9452a8f6f0a1b6194ec09ff9e2d85dea54432acdae41aa0761c95d70" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index b4c12aa059ce..0f093188273b 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,7 +11,7 @@ pyo3 = { version = "0.22.6", features = ["abi3"] } openssl-sys = "0.9.104" [build-dependencies] -cc = "1.1.34" +cc = "1.1.36" [lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(python_implementation, values("CPython", "PyPy"))'] } From 81d98f4457958d1c365673d1b4759b0f0640597c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Thu, 7 Nov 2024 00:38:20 +0100 Subject: [PATCH 1335/1462] fix(admissions): allow profession_oids field being none (#11908) * fix: allow profession_oids to be none Signed-off-by: oleg.hoefling * chore: provide explicit type hints for profession oids in hash calculation Signed-off-by: oleg.hoefling * chore: remove unused ignore in profession info init test Signed-off-by: oleg.hoefling * fix(profession info): simplify profession oids handling in hash calculation Signed-off-by: oleg.hoefling --------- 
Signed-off-by: oleg.hoefling --- src/cryptography/x509/extensions.py | 27 ++++++++++++++++----------- tests/x509/test_x509_ext.py | 24 +++++++++++++++++++++++- 2 files changed, 39 insertions(+), 12 deletions(-) diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index 202101208dad..1709862c9869 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py @@ -2227,7 +2227,7 @@ def __init__( self, naming_authority: NamingAuthority | None, profession_items: typing.Iterable[str], - profession_oids: typing.Iterable[ObjectIdentifier], + profession_oids: typing.Iterable[ObjectIdentifier] | None, registration_number: str | None, add_profession_info: bytes | None, ) -> None: @@ -2242,14 +2242,15 @@ def __init__( "Every item in the profession_items list must be a str" ) - profession_oids = list(profession_oids) - if not all( - isinstance(oid, ObjectIdentifier) for oid in profession_oids - ): - raise TypeError( - "Every item in the profession_oids list must be an " - "ObjectIdentifier" - ) + if profession_oids is not None: + profession_oids = list(profession_oids) + if not all( + isinstance(oid, ObjectIdentifier) for oid in profession_oids + ): + raise TypeError( + "Every item in the profession_oids list must be an " + "ObjectIdentifier" + ) if registration_number is not None and not isinstance( registration_number, str @@ -2276,7 +2277,7 @@ def profession_items(self) -> list[str]: return self._profession_items @property - def profession_oids(self) -> list[ObjectIdentifier]: + def profession_oids(self) -> list[ObjectIdentifier] | None: return self._profession_oids @property 
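Review bot: The `profession_oids` property now returns `list[ObjectIdentifier] | None`, so existing callers that iterate it need a `None` check. Nothing in this commit's diffstat documents that, since only `extensions.py` and the test file are touched. A short docstring on the property, e.g. `"""The profession OIDs, or None when the optional field is absent."""`, plus a matching reference-docs entry, would make the difference between `None` and an empty list explicit. The class body continues outside the hunk.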
@@ -2309,11 +2310,15 @@ def __eq__(self, other: object) -> bool: ) def __hash__(self) -> int: + if self.profession_oids is None: + profession_oids = None + else: + profession_oids = tuple(self.profession_oids) return hash( ( self.naming_authority, *tuple(self.profession_items), - *tuple(self.profession_oids), + profession_oids, self.registration_number, self.add_profession_info, ) diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index fa47c277a4d5..b29a45664484 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py @@ -6443,7 +6443,7 @@ def test_invalid_init(self): x509.ProfessionInfo( None, None, # type:ignore[arg-type] - None, # type:ignore[arg-type] + None, None, None, ) @@ -6493,6 +6493,10 @@ def test_eq(self): info2 = x509.ProfessionInfo(None, [], [], None, None) assert info1 == info2 + info1 = x509.ProfessionInfo(None, [], None, None, None) + info2 = x509.ProfessionInfo(None, [], None, None, None) + assert info1 == info2 + info1 = x509.ProfessionInfo( x509.NamingAuthority( x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" @@ -6566,6 +6570,7 @@ def test_ne(self): info8 = x509.ProfessionInfo(None, [], [], "spam", None) info9 = x509.ProfessionInfo(None, [], [], None, b"\x01\x02\x03") info10 = x509.ProfessionInfo(None, [], [], None, None) + info11 = x509.ProfessionInfo(None, [], None, None, None) assert info1 != info2 assert info1 != info2 @@ -6577,6 +6582,7 @@ def test_ne(self): assert info1 != info8 assert info1 != info9 assert info1 != info10 + assert info1 != info11 assert info1 != object() def test_repr(self): @@ -6590,6 +6596,16 @@ def test_repr(self): "add_profession_info=None)>" ) + info = x509.ProfessionInfo(None, [], None, None, None) + assert repr(info) == ( + "" + ) + info = x509.ProfessionInfo( x509.NamingAuthority( x509.ObjectIdentifier("1.2.3"), "https://example.com", "spam" 
@@ -6659,6 +6675,10 @@ def test_hash(self): info7 = x509.ProfessionInfo( x509.NamingAuthority(None, None, None), [], [], None, None ) + info8 = x509.ProfessionInfo( + x509.NamingAuthority(None, None, None), [], None, None, None + ) + info9 = x509.ProfessionInfo(None, [], None, None, None) assert hash(info1) == hash(info2) assert hash(info1) != hash(info3) @@ -6666,6 +6686,8 @@ def test_hash(self): assert hash(info1) != hash(info5) assert hash(info1) != hash(info6) assert hash(info1) != hash(info7) + assert hash(info1) != hash(info8) + assert hash(info1) != hash(info9) class TestAdmission: From 530d667ea1e08eca663059af94b302a40a122ae2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Thu, 7 Nov 2024 01:01:40 +0100 Subject: [PATCH 1336/1462] refactor: do not unpack tuples in hash calculation for admissions extension types (#11909) Signed-off-by: oleg.hoefling --- src/cryptography/x509/extensions.py | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index 1709862c9869..0136ab74c2ea 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py @@ -892,9 +892,7 @@ def __eq__(self, other: object) -> bool: def __hash__(self) -> int: if self.policy_qualifiers is not None: - pq: tuple[str | UserNotice, ...] | None = tuple( - self.policy_qualifiers - ) + pq = tuple(self.policy_qualifiers) else: pq = None @@ -2310,14 +2308,14 @@ def __eq__(self, other: object) -> bool: ) def __hash__(self) -> int: - if self.profession_oids is None: - profession_oids = None - else: + if self.profession_oids is not None: profession_oids = tuple(self.profession_oids) + else: + profession_oids = None return hash( ( self.naming_authority, - *tuple(self.profession_items), + tuple(self.profession_items), profession_oids, self.registration_number, self.add_profession_info, 
@@ -2389,7 +2387,7 @@ def __hash__(self) -> int: ( self.admission_authority, self.naming_authority, - *tuple(self.profession_infos), + tuple(self.profession_infos), ) ) @@ -2439,7 +2437,7 @@ def __eq__(self, other: object) -> bool: ) def __hash__(self) -> int: - return hash((self.authority, *tuple(self._admissions))) + return hash((self.authority, tuple(self._admissions))) class UnrecognizedExtension(ExtensionType): From 53d8f59e2e79d736afd72ec10f1d8fdc34730cf7 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 7 Nov 2024 00:25:13 +0000 Subject: [PATCH 1337/1462] Bump BoringSSL and/or OpenSSL in CI (#11910) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 58db6b0accb9..698678d8c5b8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 04, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ddc0647304a8ed854b2d84117f095a5f73571d37"}} + # Latest commit on the BoringSSL master branch, as of Nov 07, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5b03c8fd1c54397eded6bf84ef52ac610d79bddd"}} # Latest commit on the OpenSSL master branch, as of Nov 06, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e899361b982651dfa2316e06e56637bc21624ce2"}} # Builds with various Rust versions. Includes MSRV and next From 53035da3ddedd4b242eb818d7e6f39ca12378d15 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Thu, 7 Nov 2024 05:41:29 +0100 Subject: [PATCH 1338/1462] feat(admissions): implement encoding of admissions extension (#11892) * feat: implement encoding of admissions extension Signed-off-by: oleg.hoefling * chore: add encoding tests Signed-off-by: oleg.hoefling * refactor: split encoding of inner objects into separate functions Signed-off-by: oleg.hoefling * fix: simplify code comment to pass the line length checks Signed-off-by: oleg.hoefling * chore: add test to check encoding of none values Signed-off-by: oleg.hoefling * chore: extend none values test to also check encoding of naming authority with none values Signed-off-by: oleg.hoefling * fix: use none checks when converting python data Signed-off-by: oleg.hoefling * fix: raise a valueerror if the url can not be encoded to an ia5string Signed-off-by: oleg.hoefling * chore: revert to truthness check for py_oids for now, will be amended in a separate pr Signed-off-by: oleg.hoefling * fix: raise a valueerror if the registration_number can not be encoded to a printablestring Signed-off-by: oleg.hoefling * fix: encode none for profession_oids if profession_oids is none Signed-off-by: oleg.hoefling --------- Signed-off-by: oleg.hoefling --- src/cryptography/x509/extensions.py | 3 + src/rust/cryptography-x509/src/extensions.rs | 18 +- src/rust/cryptography-x509/src/oid.rs | 1 + src/rust/src/x509/extensions.rs | 172 +++++++++++++++++++ tests/x509/test_x509_ext.py | 155 +++++++++++++++++ 5 files changed, 338 insertions(+), 11 deletions(-) diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index 0136ab74c2ea..fc3e7730eca0 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py 
@@ -2439,6 +2439,9 @@ def __eq__(self, other: object) -> bool: def __hash__(self) -> int: return hash((self.authority, tuple(self._admissions))) + def public_bytes(self) -> bytes: + return rust_x509.encode_extension_value(self) + class UnrecognizedExtension(ExtensionType): def __init__(self, oid: ObjectIdentifier, value: bytes) -> None: diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index 5b224db50c3a..fbea5637b7f7 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -285,7 +285,7 @@ impl KeyUsage<'_> { } } -// #[derive(asn1::Asn1Read, asn1::Asn1Write)] +#[derive(asn1::Asn1Read, asn1::Asn1Write)] pub struct NamingAuthority<'a> { pub id: Option, pub url: Option>, @@ -302,9 +302,9 @@ type SequenceOfObjectIdentifiers<'a> = common::Asn1ReadableOrWritable< asn1::SequenceOfWriter<'a, asn1::ObjectIdentifier, Vec>, >; -// #[derive(asn1::Asn1Read, asn1::Asn1Write)] +#[derive(asn1::Asn1Read, asn1::Asn1Write)] pub struct ProfessionInfo<'a> { - // #[explicit(0)] + #[explicit(0)] pub naming_authority: Option>, pub profession_items: SequenceOfDisplayTexts<'a>, pub profession_oids: Option>, 
@@ -312,29 +312,25 @@ pub struct ProfessionInfo<'a> { pub add_profession_info: Option<&'a [u8]>, } -// #[derive(asn1::Asn1Read, asn1::Asn1Write)] +#[derive(asn1::Asn1Read, asn1::Asn1Write)] pub struct Admission<'a> { - // #[explicit(0)] + #[explicit(0)] pub admission_authority: Option>, - // #[explicit(1)] + #[explicit(1)] pub naming_authority: Option>, - /* pub profession_infos: common::Asn1ReadableOrWritable< asn1::SequenceOf<'a, ProfessionInfo<'a>>, asn1::SequenceOfWriter<'a, ProfessionInfo<'a>, Vec>>, >, - */ } -// #[derive(asn1::Asn1Read, asn1::Asn1Write)] +#[derive(asn1::Asn1Read, asn1::Asn1Write)] pub struct Admissions<'a> { pub admission_authority: Option>, - /* pub contents_of_admissions: common::Asn1ReadableOrWritable< asn1::SequenceOf<'a, Admission<'a>>, asn1::SequenceOfWriter<'a, Admission<'a>, Vec>>, >, - */ } #[cfg(test)] diff --git a/src/rust/cryptography-x509/src/oid.rs b/src/rust/cryptography-x509/src/oid.rs index fbc440eea122..ee148a7896ee 100644 --- a/src/rust/cryptography-x509/src/oid.rs +++ b/src/rust/cryptography-x509/src/oid.rs @@ -44,6 +44,7 @@ pub const FRESHEST_CRL_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, 46); pub const INHIBIT_ANY_POLICY_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, 54); pub const ACCEPTABLE_RESPONSES_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 5, 5, 7, 48, 1, 4); +pub const ADMISSIONS_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 36, 8, 3, 3); // Public key identifiers pub const EC_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 10045, 2, 1); diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 9bd942542393..2342c40a1f03 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs 
@@ -416,6 +416,149 @@ fn encode_scts(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult Ok(asn1::write_single(&result.as_slice())?) } +fn encode_naming_authority<'a>( + py: pyo3::Python<'_>, + ka_str: &'a cryptography_keepalive::KeepAlive, + py_naming_authority: &pyo3::Bound<'a, pyo3::PyAny>, +) -> CryptographyResult> { + let py_oid = py_naming_authority.getattr(pyo3::intern!(py, "id"))?; + let id = if !py_oid.is_none() { + Some(py_oid_to_oid(py_oid)?) + } else { + None + }; + let py_url = py_naming_authority.getattr(pyo3::intern!(py, "url"))?; + let url = if !py_url.is_none() { + let py_url_str = ka_str.add(py_url.extract::()?); + match asn1::IA5String::new(py_url_str) { + Some(s) => Some(s), + None => { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("url value must be a valid IA5String"), + )) + } + } + } else { + None + }; + let py_text = py_naming_authority.getattr(pyo3::intern!(py, "text"))?; + let text = if !py_text.is_none() { + let py_text_str = ka_str.add(py_text.extract::()?); + Some(extensions::DisplayText::Utf8String(asn1::Utf8String::new( + py_text_str, + ))) + } else { + None + }; + Ok(extensions::NamingAuthority { id, url, text }) +} + +fn encode_profession_info<'a>( + py: pyo3::Python<'_>, + ka_bytes: &'a cryptography_keepalive::KeepAlive, + ka_str: &'a cryptography_keepalive::KeepAlive, + py_info: &pyo3::Bound<'a, pyo3::PyAny>, +) -> CryptographyResult> { + let py_naming_authority = py_info.getattr(pyo3::intern!(py, "naming_authority"))?; + let naming_authority = if !py_naming_authority.is_none() { + Some(encode_naming_authority(py, ka_str, &py_naming_authority)?) + } else { + None + }; + let mut profession_items = vec![]; + let py_items = py_info.getattr(pyo3::intern!(py, "profession_items"))?; + for py_item in py_items.iter()? 
{ + let py_item = py_item?; + let py_item_str = ka_str.add(py_item.extract::()?); + let item = extensions::DisplayText::Utf8String(asn1::Utf8String::new(py_item_str)); + profession_items.push(item); + } + let profession_items = + common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(profession_items)); + let py_oids = py_info.getattr(pyo3::intern!(py, "profession_oids"))?; + let profession_oids = if !py_oids.is_none() { + let mut profession_oids = vec![]; + for py_oid in py_oids.iter()? { + let py_oid = py_oid?; + let oid = py_oid_to_oid(py_oid)?; + profession_oids.push(oid); + } + Some(common::Asn1ReadableOrWritable::new_write( + asn1::SequenceOfWriter::new(profession_oids), + )) + } else { + None + }; + let py_registration_number = py_info.getattr(pyo3::intern!(py, "registration_number"))?; + let registration_number = if !py_registration_number.is_none() { + let py_registration_number_str = + ka_str.add(py_registration_number.extract::()?); + match asn1::PrintableString::new(py_registration_number_str) { + Some(s) => Some(s), + None => { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "registration_number value must be a valid PrintableString", + ), + )) + } + } + } else { + None + }; + let py_add_profession_info = py_info.getattr(pyo3::intern!(py, "add_profession_info"))?; + let add_profession_info = if !py_add_profession_info.is_none() { + Some(ka_bytes.add(py_add_profession_info.extract::()?)) + } else { + None + }; + Ok(extensions::ProfessionInfo { + naming_authority, + profession_items, + profession_oids, + registration_number, + add_profession_info, + }) +} + +fn encode_admission<'a>( + py: pyo3::Python<'_>, + ka_bytes: &'a cryptography_keepalive::KeepAlive, + ka_str: &'a cryptography_keepalive::KeepAlive, + py_admission: &pyo3::Bound<'a, pyo3::PyAny>, +) -> CryptographyResult> { + let py_admission_authority = py_admission.getattr(pyo3::intern!(py, "admission_authority"))?; + let admission_authority = if 
!py_admission_authority.is_none() { + Some(x509::common::encode_general_name( + py, + ka_bytes, + ka_str, + &py_admission_authority, + )?) + } else { + None + }; + let py_naming_authority = py_admission.getattr(pyo3::intern!(py, "naming_authority"))?; + let naming_authority = if !py_naming_authority.is_none() { + Some(encode_naming_authority(py, ka_str, &py_naming_authority)?) + } else { + None + }; + + let py_profession_infos = py_admission.getattr(pyo3::intern!(py, "profession_infos"))?; + let mut profession_infos = vec![]; + for py_info in py_profession_infos.iter()? { + profession_infos.push(encode_profession_info(py, ka_bytes, ka_str, &py_info?)?); + } + let profession_infos = + common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(profession_infos)); + Ok(extensions::Admission { + admission_authority, + naming_authority, + profession_infos, + }) +} + pub(crate) fn encode_extension( py: pyo3::Python<'_>, oid: &asn1::ObjectIdentifier, @@ -563,6 +706,35 @@ pub(crate) fn encode_extension( }; Ok(Some(asn1::write_single(&mstpl)?)) } + &oid::ADMISSIONS_OID => { + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let ka_str = cryptography_keepalive::KeepAlive::new(); + let py_admission_authority = ext.getattr(pyo3::intern!(py, "authority"))?; + let admission_authority = if !py_admission_authority.is_none() { + Some(x509::common::encode_general_name( + py, + &ka_bytes, + &ka_str, + &py_admission_authority, + )?) + } else { + None + }; + let mut admissions = vec![]; + for py_admission in ext.iter()? { + let admission = encode_admission(py, &ka_bytes, &ka_str, &py_admission?)?; + admissions.push(admission); + } + + let contents_of_admissions = + common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(admissions)); + + let admission = extensions::Admissions { + admission_authority, + contents_of_admissions, + }; + Ok(Some(asn1::write_single(&admission)?)) + } _ => Ok(None), } } 
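Review bot: The `match … { Some(s) => Some(s), None => return Err(…) }` blocks in `encode_naming_authority` (url) and `encode_profession_info` (registration_number) are a hand-written `ok_or_else` and bury the validation failure inside the nesting. The url case reads more directly as `Some(asn1::IA5String::new(py_url_str).ok_or_else(|| pyo3::exceptions::PyValueError::new_err("url value must be a valid IA5String"))?)`, and the `PrintableString` case can take the same shape with its own message. The three new helpers also have no doc comments. A line on each noting that the `KeepAlive` arguments appear to own the extracted strings and bytes that the returned struct borrows would explain the `'a` lifetimes.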
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index b29a45664484..f1a32b83c09a 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py 
@@ -7116,6 +7116,161 @@ def test_hash(self): assert hash(admissions1) != hash(admissions4) assert hash(admissions1) != hash(admissions5) + def test_public_bytes(self): + ext = x509.Admissions(None, []) + assert ext.public_bytes() == b"0\x020\x00" + + ext = x509.Admissions( + x509.UniformResourceIdentifier(value="https://www.example.com/"), + [], + ) + assert ( + ext.public_bytes() == b"0\x1c\x86\x18https://www.example.com/0\x00" + ) + + # test for encoding none values + ext = x509.Admissions( + None, + [ + x509.Admission( + None, + x509.NamingAuthority(None, None, None), + [x509.ProfessionInfo(None, [], [], None, None)], + ), + x509.Admission( + None, + None, + [ + x509.ProfessionInfo( + x509.NamingAuthority(None, None, None), + [], + [], + None, + None, + ) + ], + ), + ], + ) + assert ext.public_bytes() == ( + b"0\x1e0\x1c0\x0c\xa1\x020\x000\x060\x040\x000\x000\x0c0\n0\x08\xa0\x020\x000\x000\x00" + ) + + # example values taken from https://gemspec.gematik.de/downloads/gemSpec/gemSpec_OID/gemSpec_OID_V3.17.0.pdf + ext = x509.Admissions( + authority=x509.DirectoryName( + value=x509.Name( + [ + x509.NameAttribute( + x509.oid.NameOID.COUNTRY_NAME, "DE" + ), + x509.NameAttribute( + x509.NameOID.ORGANIZATIONAL_UNIT_NAME, + "Elektronisches Gesundheitsberuferegister", + ), + ] + ) + ), + admissions=[ + x509.Admission( + admission_authority=x509.DNSName("gematik.de"), + naming_authority=x509.NamingAuthority( + x509.ObjectIdentifier("1.2.276.0.76.3.1.91"), + "https://gematik.de/", + ( + "Gesellschaft für Telematikanwendungen " + "der Gesundheitskarte mbH" + ), + ), + profession_infos=[ + x509.ProfessionInfo( + naming_authority=x509.NamingAuthority( + x509.ObjectIdentifier("1.2.276.0.76.3.1.1"), + "https://www.kbv.de/", + "KBV Kassenärztliche Bundesvereinigung", + ), + registration_number="123456789", + profession_items=[ + "Ärztin/Arzt", + ( + "Orthopädieschuhmacher/-in " + "und Orthopädietechniker/-in" + ), + ], + profession_oids=[ + 
x509.ObjectIdentifier("1.2.276.0.76.4.30"), + x509.ObjectIdentifier("1.2.276.0.76.4.305"), + ], + # DER-encoded: + # `OtherName( + # type_id=ObjectIdentifier('1.2.276.0.76.4.60'), + # value=b'\x0c\x1dProbe-Client Broker-Betreiber' + # )` + add_profession_info=( + b"\xa0*\x06\x07*\x82\x14\x00L\x04<\xa0\x1f" + b"\x0c\x1dProbe-Client Broker-Betreiber" + ), + ) + ], + ), + ], + ) + assert ext.public_bytes() == ( + b"0\x82\x01\xa6\xa4B0@1\x0b0\t\x06\x03U\x04\x06\x13\x02DE110/\x06" + b"\x03U\x04\x0b\x0c(Elektronisches Gesundheitsberuferegister0\x82" + b"\x01^0\x82\x01Z\xa0\x0c\x82\ngematik.de\xa1b0`\x06\x08*\x82\x14" + b"\x00L\x03\x01[\x16\x13https://gematik.de/\x0c?Gesellschaft f\xc3" + b"\xbcr Telematikanwendungen der Gesundheitskarte mbH0\x81\xe50" + b"\x81\xe2\xa0I0G\x06\x08*\x82\x14\x00L\x03\x01\x01\x16\x13https://www." + b"kbv.de/\x0c&KBV Kassen\xc3\xa4rztliche Bundesvereinigung0G\x0c" + b"\x0c\xc3\x84rztin/Arzt\x0c7Orthop\xc3\xa4dieschuhmacher/-in und " + b"Orthop\xc3\xa4dietechniker/-in0\x13\x06\x07*\x82\x14\x00L\x04\x1e" + b"\x06\x08*\x82\x14\x00L\x04\x821\x13\t123456789\x04,\xa0*\x06" + b"\x07*\x82\x14\x00L\x04<\xa0\x1f\x0c\x1dProbe-Client Broker-" + b"Betreiber" + ) + + # test for non-ascii url value in naming authority + ext = x509.Admissions( + None, + [ + x509.Admission( + None, + x509.NamingAuthority(None, "😄", None), + [], + ), + ], + ) + with pytest.raises(ValueError): + ext.public_bytes() + + # test for non-ascii registration number value in profession info + ext = x509.Admissions( + None, + [ + x509.Admission( + None, + None, + [x509.ProfessionInfo(None, [], [], "\x00", None)], + ), + ], + ) + with pytest.raises(ValueError): + ext.public_bytes() + + # test that none passed for `profession_oids` is encoded as none + ext = x509.Admissions( + None, + [ + x509.Admission( + None, + None, + [x509.ProfessionInfo(None, [], None, None, None)], + ), + ], + ) + assert ext.public_bytes() == b"0\n0\x080\x060\x040\x020\x00" + def 
test_all_extension_oid_members_have_names_defined(): for oid in dir(ExtensionOID): From b2dccc7169e4949e5861cec9698c9ca9108806e3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Nov 2024 07:29:04 -0500 Subject: [PATCH 1339/1462] Bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.2 (#11911) Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.12.0 to 1.12.2. - [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases) - [Commits](https://github.com/pypa/gh-action-pypi-publish/compare/61da13deb5f5124fb1536194f82ed3d9bbc7e8f3...15c56dba361d8335944d31a2ecd17d700fc7bcbc) --- updated-dependencies: - dependency-name: pypa/gh-action-pypi-publish dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 49360ea4018e..cc2470ceb0ba 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -52,7 +52,7 @@ jobs: find tmpdist/ -type f -name 'cryptography*' -exec mv {} dist/ \; - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@61da13deb5f5124fb1536194f82ed3d9bbc7e8f3 # v1.12.0 + uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2 with: repository-url: ${{ env.PYPI_URL }} skip-existing: true From 5041eff04e80268d06db2de98fbccdd3c396f7af Mon Sep 17 00:00:00 2001 
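Review bot: The comment `# test for non-ascii registration number value in profession info` in `test_public_bytes` does not match its input, because `"\x00"` is an ASCII control character. The `ValueError` is presumably raised because NUL is outside the PrintableString alphabet; the expected bytes earlier in the same test encode `registration_number` with tag `\x13`. Rewording it to `# registration number containing a character PrintableString cannot represent` would document the constraint the test actually pins. The method also bundles several independent cases, so moving the two `pytest.raises` cases into their own tests would make a failure easier to attribute.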
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 8 Nov 2024 00:30:54 +0000 Subject: [PATCH 1340/1462] Bump BoringSSL and/or OpenSSL in CI (#11914) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 698678d8c5b8..66aa5cbaec7f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 07, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5b03c8fd1c54397eded6bf84ef52ac610d79bddd"}} - # Latest commit on the OpenSSL master branch, as of Nov 06, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e899361b982651dfa2316e06e56637bc21624ce2"}} + # Latest commit on the BoringSSL master branch, as of Nov 08, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "52a2c003d9622a78d6b791c10ea456eabaf6f52a"}} + # Latest commit on the OpenSSL master branch, as of Nov 08, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e54526413d5ef7c665e25f552f2f01d4352bd33d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 31d9e01b36ace1a3221ada86b28e16e896fd795a Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Fri, 8 Nov 2024 03:36:33 -0500 Subject: [PATCH 1341/1462] fixes #11912 -- when checking ccm decrypt max length, exclude tag (#11913) --- src/rust/src/backend/aead.rs | 5 ++++- tests/hazmat/primitives/test_aead.py | 10 ++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 46a13b9c06bc..72b986e4bc58 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -703,6 +703,7 @@ impl AesGcm { )] struct AesCcm { ctx: LazyEvpCipherAead, + tag_length: usize, } #[pyo3::pymethods] @@ -748,6 +749,7 @@ impl AesCcm { Ok(AesCcm { ctx: LazyEvpCipherAead::new(cipher, key, tag_length, false, true), + tag_length }) } } @@ -824,7 +826,8 @@ impl AesCcm { let max_length = 1usize.checked_shl(8 * l_val as u32); // If `max_length` overflowed, then it's not possible for data to be // longer than it. - if max_length.map(|v| v < data_bytes.len()).unwrap_or(false) { + let pt_length = data_bytes.len().saturating_sub(self.tag_length); + if max_length.map(|v| v < pt_length).unwrap_or(false) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Data too long for nonce"), )); diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index 80850b689d35..b94ee52ad2d7 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -363,6 +363,16 @@ def test_buffer_protocol(self, backend): computed_pt2 = aesccm2.decrypt(bytearray(nonce), ct2, ad) assert computed_pt2 == pt + def test_max_data_length(self): + plaintext = b"A" * 65535 + aad = b"authenticated but unencrypted data" + aesccm = AESCCM(AESCCM.generate_key(128)) + nonce = os.urandom(13) + + ciphertext = aesccm.encrypt(nonce, plaintext, aad) + decrypted_data = aesccm.decrypt(nonce, ciphertext, aad) + assert decrypted_data == plaintext + def _load_gcm_vectors(): vectors = _load_all_params( 
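Review bot: In the `@@ -824,7 +826,8 @@` hunk the comparison stays `v < pt_length`, which as I read it still accepts a plaintext of exactly `2^(8*L)` bytes, while an `L`-octet CCM length field can represent at most `2^(8*L) - 1` (SP 800-38C requires the payload length to be below `2^(8q)`). If the underlying cipher is relied on to refuse that size, the caller gets a different error than `"Data too long for nonce"`; `if max_length.map(|v| v <= pt_length).unwrap_or(false) {` would make the guard exact. The encrypt path presumably carries the same comparison outside this hunk and should change with it. Separately, the `tag_length` initializer added in the `@@ -748,6 +749,7 @@` hunk lacks the trailing comma rustfmt expects (`tag_length,`).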
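Review bot: `test_max_data_length` pins only the accepting side of the decrypt length check, namely that a 65535-byte plaintext with a 13-byte nonce round-trips. Nothing visible in this hunk asserts that an over-long ciphertext is still refused once the tag length is subtracted, so a change that loosens the check would pass this test. A rejecting case next to it would close that gap, for example `with pytest.raises(ValueError): aesccm.decrypt(nonce, b"\x00" * (65537 + 16), aad)` with 16 being the default tag length. This is unnecessary if a test outside the hunk already covers the decrypt rejection.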
From 96d354f2b37d5a1d4d719903483d4bc01bacd455 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Nov 2024 07:05:56 -0500 Subject: [PATCH 1342/1462] Bump uv from 0.4.30 to 0.5.0 (#11915) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.30 to 0.5.0. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.30...0.5.0) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index fc5fe8217f35..cba5457f84c1 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -292,7 +292,7 @@ urllib3==2.0.7 ; python_full_version < '3.8' # via requests urllib3==2.2.3 ; python_full_version >= '3.8' # via requests -uv==0.4.30 ; python_full_version >= '3.8' +uv==0.5.0 ; python_full_version >= '3.8' # via nox virtualenv==20.26.6 ; python_full_version < '3.8' # via nox From 47d7b720061513e4b3ebf088635d47d6675f460e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Nov 2024 07:07:23 -0500 Subject: [PATCH 1343/1462] Bump packaging from 24.1 to 24.2 (#11916) Bumps [packaging](https://github.com/pypa/packaging) from 24.1 to 24.2. - [Release notes](https://github.com/pypa/packaging/releases) - [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/packaging/compare/24.1...24.2) --- updated-dependencies: - dependency-name: packaging dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index cba5457f84c1..c0a251bc0682 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -122,7 +122,7 @@ packaging==24.0 ; python_full_version < '3.8' # nox # pytest # sphinx -packaging==24.1 ; python_full_version >= '3.8' +packaging==24.2 ; python_full_version >= '3.8' # via # build # nox From 13fbb1ca9865de39f30bdea6283de60c68cffcaa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Nov 2024 07:07:47 -0500 Subject: [PATCH 1344/1462] Bump ruff from 0.7.2 to 0.7.3 (#11917) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.7.2 to 0.7.3. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.7.2...0.7.3) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c0a251bc0682..c5ad38631905 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -202,7 +202,7 @@ requests==2.31.0 ; python_full_version < '3.8' # via sphinx requests==2.32.3 ; python_full_version >= '3.8' # via sphinx -ruff==0.7.2 +ruff==0.7.3 # via cryptography (pyproject.toml) six==1.16.0 ; python_full_version < '3.8' # via bleach From b48d5245ac998233362dd4daa0346affca1e6303 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Nov 2024 07:08:15 -0500 Subject: [PATCH 1345/1462] Bump libc from 0.2.161 to 0.2.162 (#11919) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.161 to 0.2.162. - [Release notes](https://github.com/rust-lang/libc/releases) - [Changelog](https://github.com/rust-lang/libc/blob/0.2.162/CHANGELOG.md) - [Commits](https://github.com/rust-lang/libc/compare/0.2.161...0.2.162) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 0da910e9cd1b..ef0c1683c9b8 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -161,9 +161,9 @@ checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "libc" -version = "0.2.161" +version = "0.2.162" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e9489c2807c139ffd9c1794f4af0ebe86a828db53ecdc7fea2111d0fed085d1" +checksum = "18d287de67fe55fd7e1581fe933d965a5a9477b38e949cfa9f8574ef01506398" [[package]] name = "memoffset" From da3837bfa4c53787db519feb2c21914c373a970f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Nov 2024 07:16:58 -0500 Subject: [PATCH 1346/1462] Bump uv from 0.4.30 to 0.5.0 in /.github/requirements (#11918) Bumps [uv](https://github.com/astral-sh/uv) from 0.4.30 to 0.5.0. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.4.30...0.5.0) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt
index df9a66594a30..3cdaf2b180d9 100644
--- a/.github/requirements/uv-requirements.txt
+++ b/.github/requirements/uv-requirements.txt
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.4.30 \ - --hash=sha256:0c89f2eff63a08d04e81629611f43b1ffa668af6de0382b95a71599af7d4b77c \ - --hash=sha256:1a83df281c5d900b4758b1a3969b3cff57231f9027db8508b71dce1f2da78684 \ - --hash=sha256:232575f30ed971ea32d4a525b7146c4b088a07ed6e70a31da63792d563fcac44 \ - --hash=sha256:353617bfcf72e1eabade426d83fb86a69d11273d1612aabc3f4566d41c596c97 \ - --hash=sha256:444468ad0e94b35cbf6acfc8a28589cfe1247136d43895e60a18955ff89a07ad \ - --hash=sha256:44c5aeb5b374f9fd1083959934daa9020db3610f0405198c5e3d8ec1f23d961d \ - --hash=sha256:4aecd9fb39cf018e129627090a1d35af2b0184bb87078d573c9998f5e4072416 \ - --hash=sha256:4d41d09cabba1988728c2d9b9ad25f79233c2aa3d6ecd724c36f4678c4c89711 \ - --hash=sha256:4ddad09385221fa5c609169e4a0dd5bee27cf56c1dc450d4cdc113122c54bb09 \ - --hash=sha256:63196143f45018364c450ba94279a5bcff8562c14ba63deb41a92ed30baa6e22 \ - --hash=sha256:6395820540f368f622e818735862abd633dfe7e729c450fca56b65bab4b46661 \ - --hash=sha256:7f09bd6a853767863e2fb905f0eb1a0ed7afa9ea118852e5c02d2b451944e1cf \ - --hash=sha256:9e17a799c6279800996828e10288ca8ccc40cc883d8998802b938aa671dfa9ce \ - --hash=sha256:9ed0183e747065b9b1bcfb699ff10df671ebe6259709ce83e709f86cea564aee \ - --hash=sha256:d9de718380e2f167243ca5e1dccea781e06404158442491255fec5955d57fed9 \ - --hash=sha256:dedcae3619f0eb181459b597fefefd99cb21fe5a5a48a530be6f5ad934399bfb \ - --hash=sha256:ea55ca0fe5bdd04e46deaf395b3daf4fa92392f774e83610d066a2b272af5d3f \ - --hash=sha256:f63d6646acdf2f38a5afca9fb9eeac62efa663a57f3c134f735a5f575b4e748f +uv==0.5.0 \ + --hash=sha256:2c59e971c02a953d1dc1a937ef84de527d8fbe9ae13faa71ee8c0d5f697127cc \ + --hash=sha256:313c9fc30c6679fbf5bf4acc043ad171bee7853bb16f366af064e835d1fb1a74 \ + --hash=sha256:4f0bcd3e97010e79a7a75e840d1177a859bf07764da1079e9fbce66e7ebd9428 \ + --hash=sha256:63cc3a9f346b74012f7ac1daea1aee22568da1023993d8f4a7b8bc30bcb4edf2 \ + 
--hash=sha256:6fb131612a96b719b80e15e3261b2dee67028b137a4bb86730f8fb02808f2d79 \ + --hash=sha256:886c85e53b99cb66c544feab20d5a64467556ec59c92445a7aa2fc637e4f5820 \ + --hash=sha256:8a603ed4c91fba250cc62aaf3b54b68cf70b7fefda07b6c2f230a6d8a8005616 \ + --hash=sha256:a3bc6911be7d86f3750bce1580e664877a3a88c126eb68afbb132cd0896fd109 \ + --hash=sha256:b256e450f103e98e6d8ebd92af44db16d5d699766c73f9da979cddcc9665577c \ + --hash=sha256:b52fd615c4dba8366677528122f4ead7d0651dc6cbc8cd6d17be72e2deb0390c \ + --hash=sha256:b846b92230d64e50425cbf183e119f9c27ebd2eae77c197b3625c701a5c13b08 \ + --hash=sha256:b9e22f38bd4cd66ea252fe9060ae567da92eec2dc9154fedab1f059c37288ee0 \ + --hash=sha256:d1b7fa52da65196c29569032c1c1144574e75b0caaaca77ea4c22f4a09dedc60 \ + --hash=sha256:d796198163478a8db4e2f27fa6a21fb7c96c3b62c4af28bfaf8a654b7a86ce0a \ + --hash=sha256:de8c70d26bc4231ada30d14eaf105740ad735b2b41fde9b81978df5f0ed25152 \ + --hash=sha256:e6c071304fae1e530c7d24464f80f5efdc3e03b04c620703e1d351d27afc970b \ + --hash=sha256:f5ad860fb028179ce4467fec6dd2b2a1a369cbd67e2a058f1b50116055fda5b8 \ + --hash=sha256:feb4db59fd402461f64d9493525b2dd7bda5f8b1bb1502f1f1dbb8cd9dff7c62 From 2a60a17b7cda0ea3464bbb593fc4d05cb940c865 Mon Sep 17 00:00:00 2001 From: Quentin Retourne <32574188+nitneuqr@users.noreply.github.com> Date: Fri, 8 Nov 2024 16:11:01 +0100 Subject: [PATCH 1347/1462] passing PKCS7 Content Info to readable (#11922) --- src/rust/cryptography-x509/src/pkcs7.rs | 51 +++++++++++++++++-------- src/rust/src/pkcs7.rs | 24 ++++++++---- 2 files changed, 52 insertions(+), 23 deletions(-) diff --git a/src/rust/cryptography-x509/src/pkcs7.rs b/src/rust/cryptography-x509/src/pkcs7.rs index aff6ee2ad818..77bb07797c84 100644 --- a/src/rust/cryptography-x509/src/pkcs7.rs +++ b/src/rust/cryptography-x509/src/pkcs7.rs 
@@ -9,7 +9,7 @@ pub const PKCS7_SIGNED_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, pub const PKCS7_ENVELOPED_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 3); pub const PKCS7_ENCRYPTED_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 6); -#[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write, asn1::Asn1Read)] pub struct ContentInfo<'a> { pub _content_type: asn1::DefinedByMarker, @@ -17,7 +17,7 @@ pub struct ContentInfo<'a> { pub content: Content<'a>, } -#[derive(asn1::Asn1DefinedByWrite)] +#[derive(asn1::Asn1DefinedByWrite, asn1::Asn1DefinedByRead)] pub enum Content<'a> { #[defined_by(PKCS7_ENVELOPED_DATA_OID)] EnvelopedData(asn1::Explicit>, 0>), 
@@ -29,22 +29,38 @@ pub enum Content<'a> { EncryptedData(asn1::Explicit, 0>), } -#[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write, asn1::Asn1Read)] pub struct SignedData<'a> { pub version: u8, - pub digest_algorithms: asn1::SetOfWriter<'a, common::AlgorithmIdentifier<'a>>, + pub digest_algorithms: common::Asn1ReadableOrWritable< + asn1::SetOf<'a, common::AlgorithmIdentifier<'a>>, + asn1::SetOfWriter<'a, common::AlgorithmIdentifier<'a>>, + >, pub content_info: ContentInfo<'a>, #[implicit(0)] - pub certificates: Option>>, + pub certificates: Option< + common::Asn1ReadableOrWritable< + asn1::SetOf<'a, certificate::Certificate<'a>>, + asn1::SetOfWriter<'a, &'a certificate::Certificate<'a>>, + >, + >, // We don't ever supply any of these, so for now, don't fill out the fields. #[implicit(1)] - pub crls: Option>>, - - pub signer_infos: asn1::SetOfWriter<'a, SignerInfo<'a>>, + pub crls: Option< + common::Asn1ReadableOrWritable< + asn1::SetOf<'a, asn1::Sequence<'a>>, + asn1::SetOfWriter<'a, asn1::Sequence<'a>>, + >, + >, + + pub signer_infos: common::Asn1ReadableOrWritable< + asn1::SetOf<'a, SignerInfo<'a>>, + asn1::SetOfWriter<'a, SignerInfo<'a>>, + >, } -#[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write, asn1::Asn1Read)] pub struct SignerInfo<'a> { pub version: u8, pub issuer_and_serial_number: IssuerAndSerialNumber<'a>, @@ -59,14 +75,17 @@ pub struct SignerInfo<'a> { pub unauthenticated_attributes: Option>, } -#[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write, asn1::Asn1Read)] pub struct EnvelopedData<'a> { pub version: u8, - pub recipient_infos: asn1::SetOfWriter<'a, RecipientInfo<'a>>, + pub recipient_infos: common::Asn1ReadableOrWritable< + asn1::SetOf<'a, RecipientInfo<'a>>, + asn1::SetOfWriter<'a, RecipientInfo<'a>>, + >, pub encrypted_content_info: EncryptedContentInfo<'a>, } -#[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write, asn1::Asn1Read)] pub struct RecipientInfo<'a> { pub version: u8, pub issuer_and_serial_number: IssuerAndSerialNumber<'a>, 
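Review bot: The comment kept above `crls`, `// We don't ever supply any of these, so for now, don't fill out the fields.`, describes only the writer, but with `asn1::Asn1Read` now derived on `SignedData` the field is also filled from parsed input, which may include CRLs. The comment should say what the read side does with them, for example `// Never emitted when writing; when reading, CRLs are kept as opaque sequences and are not interpreted.` The same hunk gives `certificates` an owned `Certificate` element on the read side and `&'a Certificate` on the write side. A one-line comment on that asymmetry would help the next reader.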
@@ -74,19 +93,19 @@ pub struct RecipientInfo<'a> { pub encrypted_key: &'a [u8], } -#[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write, asn1::Asn1Read)] pub struct IssuerAndSerialNumber<'a> { pub issuer: name::Name<'a>, pub serial_number: asn1::BigInt<'a>, } -#[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write, asn1::Asn1Read)] pub struct EncryptedData<'a> { pub version: u8, pub encrypted_content_info: EncryptedContentInfo<'a>, } -#[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write, asn1::Asn1Read)] pub struct EncryptedContentInfo<'a> { pub content_type: asn1::ObjectIdentifier, pub content_encryption_algorithm: common::AlgorithmIdentifier<'a>, @@ -94,7 +113,7 @@ pub struct EncryptedContentInfo<'a> { pub encrypted_content: Option<&'a [u8]>, } -#[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write, asn1::Asn1Read)] pub struct DigestInfo<'a> { pub algorithm: common::AlgorithmIdentifier<'a>, pub digest: &'a [u8], diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 40fbd9b97a11..f8beaf4c2453 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -59,14 +59,16 @@ fn serialize_certificates<'p>( let signed_data = pkcs7::SignedData { version: 1, - digest_algorithms: asn1::SetOfWriter::new(&[]), + digest_algorithms: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(&[])), content_info: pkcs7::ContentInfo { _content_type: asn1::DefinedByMarker::marker(), content: pkcs7::Content::Data(None), }, - certificates: Some(asn1::SetOfWriter::new(&raw_certs)), + certificates: Some(common::Asn1ReadableOrWritable::new_write( + asn1::SetOfWriter::new(&raw_certs), + )), crls: None, - signer_infos: asn1::SetOfWriter::new(&[]), + signer_infos: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(&[])), }; let content_info = pkcs7::ContentInfo { 
@@ -133,7 +135,9 @@ fn encrypt_and_serialize<'p>( let enveloped_data = pkcs7::EnvelopedData { version: 0, - recipient_infos: asn1::SetOfWriter::new(&recipient_infos), + recipient_infos: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new( + &recipient_infos, + )), encrypted_content_info: pkcs7::EncryptedContentInfo { content_type: PKCS7_DATA_OID, @@ -317,7 +321,9 @@ fn sign_and_serialize<'p>( let signed_data = pkcs7::SignedData { version: 1, - digest_algorithms: asn1::SetOfWriter::new(&digest_algs), + digest_algorithms: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new( + &digest_algs, + )), content_info: pkcs7::ContentInfo { _content_type: asn1::DefinedByMarker::marker(), content: pkcs7::Content::Data(content.map(asn1::Explicit::new)), @@ -325,10 +331,14 @@ fn sign_and_serialize<'p>( certificates: if options.contains(types::PKCS7_NO_CERTS.get(py)?)? { None } else { - Some(asn1::SetOfWriter::new(&certs)) + Some(common::Asn1ReadableOrWritable::new_write( + asn1::SetOfWriter::new(&certs), + )) }, crls: None, - signer_infos: asn1::SetOfWriter::new(&signer_infos), + signer_infos: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new( + &signer_infos, + )), }; let content_info = pkcs7::ContentInfo { From 28b9b26a7252b4f29fe4ef8ea2c012bbb0049ba2 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 9 Nov 2024 00:17:38 +0000 Subject: [PATCH 1348/1462] Bump BoringSSL and/or OpenSSL in CI (#11923) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 66aa5cbaec7f..6095e3ecd2b0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 08, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "52a2c003d9622a78d6b791c10ea456eabaf6f52a"}} - # Latest commit on the OpenSSL master branch, as of Nov 08, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e54526413d5ef7c665e25f552f2f01d4352bd33d"}} + # Latest commit on the BoringSSL master branch, as of Nov 09, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "571c76e919c0c48219ced35bef83e1fc83b00eed"}} + # Latest commit on the OpenSSL master branch, as of Nov 09, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b10cfd93fd58cc1e9c876be159253b5389dc11a5"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 502a41a3e5e1693f9cf310ad20e423830049931f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 10 Nov 2024 00:18:31 +0000 Subject: [PATCH 1349/1462] Bump BoringSSL and/or OpenSSL in CI (#11926) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6095e3ecd2b0..3fb5a7bf6afc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -47,8 +47,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Nov 09, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "571c76e919c0c48219ced35bef83e1fc83b00eed"}} - # Latest commit on the OpenSSL master branch, as of Nov 09, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b10cfd93fd58cc1e9c876be159253b5389dc11a5"}} + # Latest commit on the OpenSSL master branch, as of Nov 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "012353bdf21b98def920ac317b94c4a9ed501b79"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 7ddddf1d6d5ddd6f4742da127e040f0fbb9a3748 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 10 Nov 2024 08:34:04 -0500 Subject: [PATCH 1350/1462] Move asn1 to be a workspace dep (#11925) This makes it easier to change, you only need to touch one thing --- Cargo.toml | 3 +++ src/rust/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-x509-verification/Cargo.toml | 2 +- src/rust/cryptography-x509/Cargo.toml | 2 +- 5 files changed, 7 insertions(+), 4 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 05bc91caa1fd..48bc40cff5c5 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -18,5 +18,8 @@ publish = false # This specifies the MSRV rust-version = "1.65.0" +[workspace.dependencies] +asn1 = { version = "0.18.0", default-features = false } + [profile.release] overflow-checks = true diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 96846d3427ce..cc31ddf29791 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml 
@@ -10,7 +10,7 @@ rust-version.workspace = true once_cell = "1" cfg-if = "1" pyo3 = { version = "0.22.6", features = ["abi3"] } -asn1 = { version = "0.18.0", default-features = false } +asn1.workspace = true cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } cryptography-key-parsing = { path = "cryptography-key-parsing" } diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index 466ac72ce398..9b96b736c405 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -7,7 +7,7 @@ publish.workspace = true rust-version.workspace = true [dependencies] -asn1 = { version = "0.18.0", default-features = false } +asn1.workspace = true cfg-if = "1" openssl = "0.10.68" openssl-sys = "0.9.104" diff --git a/src/rust/cryptography-x509-verification/Cargo.toml b/src/rust/cryptography-x509-verification/Cargo.toml index c5380a2e125d..2cc2ff48829c 100644 --- a/src/rust/cryptography-x509-verification/Cargo.toml +++ b/src/rust/cryptography-x509-verification/Cargo.toml @@ -7,7 +7,7 @@ publish.workspace = true rust-version.workspace = true [dependencies] -asn1 = { version = "0.18.0", default-features = false } +asn1.workspace = true cryptography-x509 = { path = "../cryptography-x509" } cryptography-key-parsing = { path = "../cryptography-key-parsing" } once_cell = "1" diff --git a/src/rust/cryptography-x509/Cargo.toml b/src/rust/cryptography-x509/Cargo.toml index 8ed2c5677ed8..03f2c260890e 100644 --- a/src/rust/cryptography-x509/Cargo.toml +++ b/src/rust/cryptography-x509/Cargo.toml @@ -8,4 +8,4 @@ publish = false rust-version = "1.65.0" [dependencies] -asn1 = { version = "0.18.0", default-features = false } +asn1.workspace = true From 78e89e4975824753077b6cc2c38567375657c008 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Hanno=20B=C3=B6ck?= <990588+hannob@users.noreply.github.com> Date: Sun, 10 Nov 2024 15:34:58 +0100 Subject: [PATCH 1351/1462] Speedup rsa_recover_prime_factors() by using random value (#11899) * Speedup rsa_recover_prime_factors() by using random value * Comply with ruff codingstyle * Reject invalid combinations of n, d, e early to avoid excessive runtime * Add second failure test case for rsa_recover_prime_factors to hit early error path * Remove leftover debug code * Reduce _MAX_RECOVERY_ATTEMPTS and remove obsolete comment Previously, the code would increase a in steps of 2, therefore, _MAX_RECOVERY_ATTEMPTS was twice the number of tries. With the new code, this is no longer the case. --- .../hazmat/primitives/asymmetric/rsa.py | 17 ++++++++++------- tests/hazmat/primitives/test_rsa.py | 2 ++ 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/src/cryptography/hazmat/primitives/asymmetric/rsa.py b/src/cryptography/hazmat/primitives/asymmetric/rsa.py index 7a387b5ea55d..905068e3b8cc 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/rsa.py +++ b/src/cryptography/hazmat/primitives/asymmetric/rsa.py @@ -5,6 +5,7 @@ from __future__ import annotations import abc +import random import typing from math import gcd @@ -212,9 +213,8 @@ def rsa_recover_private_exponent(e: int, p: int, q: int) -> int: # Controls the number of iterations rsa_recover_prime_factors will perform -# to obtain the prime factors. Each iteration increments by 2 so the actual -# maximum attempts is half this number. -_MAX_RECOVERY_ATTEMPTS = 1000 +# to obtain the prime factors. +_MAX_RECOVERY_ATTEMPTS = 500 def rsa_recover_prime_factors(n: int, e: int, d: int) -> tuple[int, int]: 
@@ -222,6 +222,9 @@ def rsa_recover_prime_factors(n: int, e: int, d: int) -> tuple[int, int]: Compute factors p and q from the private exponent d. We assume that n has no more than two factors. This function is adapted from code in PyCrypto. """ + # reject invalid values early + if 17 != pow(17, e * d, n): + raise ValueError("n, d, e don't match") # See 8.2.2(i) in Handbook of Applied Cryptography. ktot = d * e - 1 # The quantity d*e-1 is a multiple of phi(n), even, @@ -235,8 +238,10 @@ def rsa_recover_prime_factors(n: int, e: int, d: int) -> tuple[int, int]: # See "Digitalized Signatures and Public Key Functions as Intractable # as Factorization", M. Rabin, 1979 spotted = False - a = 2 - while not spotted and a < _MAX_RECOVERY_ATTEMPTS: + tries = 0 + while not spotted and tries < _MAX_RECOVERY_ATTEMPTS: + a = random.randint(2, n - 1) + tries += 1 k = t # Cycle through all values a^{t*2^i}=a^k while k < ktot: @@ -249,8 +254,6 @@ def rsa_recover_prime_factors(n: int, e: int, d: int) -> tuple[int, int]: spotted = True break k *= 2 - # This value was not any good... let's try another! - a += 2 if not spotted: raise ValueError("Unable to compute factors p and q from exponent d.") # Found ! diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 2f4783cd92fd..92cf9da1ba92 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -2398,6 +2398,8 @@ def test_recover_prime_factors(self, subtests): def test_invalid_recover_prime_factors(self): with pytest.raises(ValueError): rsa.rsa_recover_prime_factors(34, 3, 7) + with pytest.raises(ValueError): + rsa.rsa_recover_prime_factors(629, 17, 20) class TestRSAPrivateKeySerialization: From fef127093be9fd87641da80951998bc3aa94fdb9 Mon Sep 17 00:00:00 2001 
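Review bot: The new early check in `rsa_recover_prime_factors` still accepts `e * d == 1` (for example `e = d = 1`), because `pow(17, 1, n)` equals 17 for any `n > 17`, and that leaves `ktot = d * e - 1` at zero. The code that derives `t` from `ktot` sits between the hunks and is not visible here; if it halves `ktot` until the result is odd, a zero value would never terminate, which is the excessive runtime this commit sets out to prevent. A guard ahead of the `pow` check would close that: `if d <= 1 or e <= 1: raise ValueError("d, e can't be <= 1")`. Separately, comparing against the literal `17` rejects every modulus `n <= 17` even when the triple is consistent; `pow(17, e * d, n) != 17 % n` states the intended identity.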
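Review bot: The `random.randint(2, n - 1)` call in the retry loop has no comment explaining why the non-cryptographic `random` module is acceptable in a function that handles a private exponent. As far as the visible loop shows, `a` is only a trial base for the factoring search and its value does not need to be unpredictable, but auditors and linters will flag the import in this package unless that is stated. I would add above the call: `# a is only a trial base for the search; it need not be unpredictable, so random (not secrets) is sufficient`. The loop body continues outside the hunk.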
From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Mon, 11 Nov 2024 02:06:01 +0100 Subject: [PATCH 1352/1462] feat(admissions): implement parsing of admissions extension (#11903) * feat: implement parsing of admissions extension Signed-off-by: oleg.hoefling * chore: add tests for admissions extension parsing Signed-off-by: oleg.hoefling * chore: use cryptography result return type Signed-off-by: oleg.hoefling * chore: apply fixes done by cargo fmt and clippy Signed-off-by: oleg.hoefling * add gematik company name and the gmbh abbreviations to known words Signed-off-by: oleg.hoefling * fix: regenerate the synthetic certificate with additional admission covering the case of naming authority with no data Signed-off-by: oleg.hoefling * fix: parse none for profession_oids if profession_oids is none Signed-off-by: oleg.hoefling * chore: apply formatting to changes in rust codebase Signed-off-by: oleg.hoefling * refactor: switch return type of parse_profession_infos from PyObject to Bound Signed-off-by: Oleg Hoefling * refactor: switch return type of parse_naming_authority from PyObject to Bound Signed-off-by: Oleg Hoefling * refactor: switch return type of parse_admissions from PyObject to Bound Signed-off-by: Oleg Hoefling * chore: remove gematik certs from repo Signed-off-by: Oleg Hoefling * chore: remove gematik certs from this pr Signed-off-by: Oleg Hoefling * chore: extend parser tests with an additional synthetic certificate to complete rust coverage Signed-off-by: Oleg Hoefling * chore: add description for the additional certificate without authority Signed-off-by: Oleg Hoefling * use into_bound(py) as shortcut, refrain from using to_object() in all added functions Signed-off-by: Oleg Hoefling * add better description for the admissions synthetic cert Signed-off-by: Oleg Hoefling * adjust description to avoid using misspelled words Signed-off-by: Oleg Hoefling --------- Signed-off-by: oleg.hoefling 
Signed-off-by: Oleg Hoefling --- docs/development/test-vectors.rst | 10 ++ src/rust/src/types.rs | 6 + src/rust/src/x509/certificate.rs | 118 +++++++++++++++- tests/x509/test_x509.py | 132 ++++++++++++++++++ ...sions_extension_authority_not_provided.pem | 21 +++ ...s_extension_optional_data_not_provided.pem | 34 +++++ 6 files changed, 316 insertions(+), 5 deletions(-) create mode 100644 vectors/cryptography_vectors/x509/custom/admissions_extension_authority_not_provided.pem create mode 100644 vectors/cryptography_vectors/x509/custom/admissions_extension_optional_data_not_provided.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 540b984c617b..d27266b017de 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -546,6 +546,16 @@ Custom X.509 Vectors This is an invalid certificate per :rfc:`5280` 4.2.1.12. * ``malformed-san.pem`` - A certificate with a malformed SAN. * ``malformed-ian.pem`` - A certificate with a malformed IAN. +* ``admissions_extension_optional_data_not_provided.pem`` - + A certificate containing the ``Admissions`` extension with multiple admissions, + signed by ``x509/custom/ca/rsa_ca.pem`` CA. The admissions in this certificate + are prepared using synthetic data to verify the possible corner cases are handled + by the parser correctly (an admission missing naming authority or admission + authority, a profession info missing naming authority or profession OIDs + or the registration number etc). +* ``admissions_extension_authority_not_provided.pem`` - A certificate containing + the ``Admissions`` extension with no admissions and no admission authority, + signed by ``x509/custom/ca/rsa_ca.pem`` CA. Custom X.509 Request Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 5a32fa57d135..af7e4e1624ed 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs 
@@ -263,6 +263,12 @@ pub static CERTIFICATE_VERSION_V1: LazyPyImport = LazyPyImport::new("cryptography.x509", &["Version", "v1"]); pub static CERTIFICATE_VERSION_V3: LazyPyImport = LazyPyImport::new("cryptography.x509", &["Version", "v3"]); +pub static ADMISSION: LazyPyImport = LazyPyImport::new("cryptography.x509", &["Admission"]); +pub static NAMING_AUTHORITY: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["NamingAuthority"]); +pub static PROFESSION_INFO: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["ProfessionInfo"]); +pub static ADMISSIONS: LazyPyImport = LazyPyImport::new("cryptography.x509", &["Admissions"]); pub static CRL_REASON_FLAGS: LazyPyImport = LazyPyImport::new("cryptography.x509.extensions", &["_CRLREASONFLAGS"]); diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 739b28694dba..8aa2e9343405 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs 
@@ -8,11 +8,11 @@ use std::hash::{Hash, Hasher}; use cryptography_x509::certificate::Certificate as RawCertificate; use cryptography_x509::common::{AlgorithmParameters, Asn1ReadableOrWritable}; use cryptography_x509::extensions::{ - AuthorityKeyIdentifier, BasicConstraints, DisplayText, DistributionPoint, - DistributionPointName, DuplicateExtensionsError, ExtendedKeyUsage, IssuerAlternativeName, - KeyUsage, MSCertificateTemplate, NameConstraints, PolicyConstraints, PolicyInformation, - PolicyQualifierInfo, Qualifier, RawExtensions, SequenceOfAccessDescriptions, - SequenceOfSubtrees, UserNotice, + Admission, Admissions, AuthorityKeyIdentifier, BasicConstraints, DisplayText, + DistributionPoint, DistributionPointName, DuplicateExtensionsError, ExtendedKeyUsage, + IssuerAlternativeName, KeyUsage, MSCertificateTemplate, NameConstraints, NamingAuthority, + PolicyConstraints, PolicyInformation, PolicyQualifierInfo, ProfessionInfo, Qualifier, + RawExtensions, SequenceOfAccessDescriptions, SequenceOfSubtrees, UserNotice, }; use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; 
@@ -731,6 +731,100 @@ pub(crate) fn parse_access_descriptions( Ok(ads.to_object(py)) } +fn parse_naming_authority<'p>( + py: pyo3::Python<'p>, + authority: NamingAuthority<'p>, +) -> CryptographyResult> { + let py_id = match &authority.id { + Some(data) => oid_to_py_oid(py, data)?, + None => py.None().into_bound(py), + }; + let py_url = match authority.url { + Some(data) => pyo3::types::PyString::new_bound(py, data.as_str()).into_any(), + None => py.None().into_bound(py), + }; + let py_text = match authority.text { + Some(data) => parse_display_text(py, data)?, + None => py.None(), + }; + + Ok(types::NAMING_AUTHORITY + .get(py)? + .call1((py_id, py_url, py_text))?) +} + +fn parse_profession_infos<'a>( + py: pyo3::Python<'a>, + profession_infos: &asn1::SequenceOf<'a, ProfessionInfo<'a>>, +) -> CryptographyResult> { + let py_infos = pyo3::types::PyList::empty_bound(py); + for info in profession_infos.clone() { + let py_naming_authority = match info.naming_authority { + Some(data) => parse_naming_authority(py, data)?, + None => py.None().into_bound(py), + }; + let py_profession_items = pyo3::types::PyList::empty_bound(py); + for item in info.profession_items.unwrap_read().clone() { + let py_item = parse_display_text(py, item)?; + py_profession_items.append(py_item)?; + } + let py_profession_oids = match info.profession_oids { + Some(oids) => { + let py_oids = pyo3::types::PyList::empty_bound(py); + for oid in oids.unwrap_read().clone() { + let py_oid = oid_to_py_oid(py, &oid)?; + py_oids.append(py_oid)?; + } + py_oids.into_any() + } + None => py.None().into_bound(py), + }; + let py_registration_number = match info.registration_number { + Some(data) => pyo3::types::PyString::new_bound(py, data.as_str()).into_any(), + None => py.None().into_bound(py), + }; + let py_add_profession_info = match info.add_profession_info { + Some(data) => pyo3::types::PyBytes::new_bound(py, data).into_any(), + None => py.None().into_bound(py), + }; + let py_info = 
types::PROFESSION_INFO.get(py)?.call1(( + py_naming_authority, + py_profession_items, + py_profession_oids, + py_registration_number, + py_add_profession_info, + ))?; + py_infos.append(py_info)?; + } + Ok(py_infos.into_any()) +} + +fn parse_admissions<'a>( + py: pyo3::Python<'a>, + admissions: &asn1::SequenceOf<'a, Admission<'a>>, +) -> CryptographyResult> { + let py_admissions = pyo3::types::PyList::empty_bound(py); + for admission in admissions.clone() { + let py_admission_authority = match admission.admission_authority { + Some(authority) => x509::parse_general_name(py, authority)?, + None => py.None(), + }; + let py_naming_authority = match admission.naming_authority { + Some(data) => parse_naming_authority(py, data)?, + None => py.None().into_bound(py), + }; + let py_infos = parse_profession_infos(py, admission.profession_infos.unwrap_read())?; + + let py_entry = types::ADMISSION.get(py)?.call1(( + py_admission_authority, + py_naming_authority, + py_infos, + ))?; + py_admissions.append(py_entry)?; + } + Ok(py_admissions.into_any()) +} + pub fn parse_cert_ext<'p>( py: pyo3::Python<'p>, ext: &Extension<'_>, @@ -869,6 +963,20 @@ pub fn parse_cert_ext<'p>( ms_cert_tpl.minor_version, ))?)) } + oid::ADMISSIONS_OID => { + let admissions = ext.value::>()?; + let admission_authority = match admissions.admission_authority { + Some(authority) => x509::parse_general_name(py, authority)?, + None => py.None(), + }; + let py_admissions = + parse_admissions(py, admissions.contents_of_admissions.unwrap_read())?; + Ok(Some( + types::ADMISSIONS + .get(py)? + .call1((admission_authority, py_admissions))?, + )) + } _ => Ok(None), } } diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index de6c9110822d..684ef2f4a343 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py 
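Review bot: The three new helpers `parse_naming_authority`, `parse_profession_infos` and `parse_admissions` have no doc comments, so the contract they give Python callers for certificate-supplied data is only discoverable by reading the bodies. Two facts are worth stating: every absent optional field is mapped to `None`, and `add_profession_info` is passed through as the undecoded bytes of the field (`PyBytes::new_bound(py, data)`), so consumers must treat it as uninterpreted input. A `///` summary on each function would cover this, for example on `parse_profession_infos`: `/// Converts each ProfessionInfo into its Python object; absent optional fields become None and add_profession_info is returned as raw bytes.` The same hunk mixes `py.None()` and `py.None().into_bound(py)` in otherwise parallel `match` arms; a one-line comment on why the two forms differ (the display-text and general-name helpers appear to return unbound objects) would save the next reader the lookup.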
@@ -1861,6 +1861,138 @@ def test_verify_directly_issued_by_unsupported_key_type(self, backend): with pytest.raises(TypeError): cert.verify_directly_issued_by(leaf) + def test_admissions_extension(self, backend): + cert = _load_cert( + os.path.join( + "x509", + "custom", + "admissions_extension_optional_data_not_provided.pem", + ), + x509.load_pem_x509_certificate, + ) + ext = cert.extensions.get_extension_for_class(x509.Admissions) + assert ext.value == x509.Admissions( + authority=x509.DirectoryName( + value=x509.Name( + [ + x509.NameAttribute( + oid=x509.NameOID.COUNTRY_NAME, value="DE" + ), + x509.NameAttribute( + oid=x509.NameOID.ORGANIZATION_NAME, + value="Elektronisches Gesundheitsberuferegister", + ), + ] + ) + ), + admissions=[ + x509.Admission( + admission_authority=x509.RegisteredID( + value=x509.NameOID.ORGANIZATION_NAME + ), + naming_authority=x509.NamingAuthority( + id=x509.ObjectIdentifier("1.2.276.0.76.4.223"), + url="", + text="Betriebsstätte GKV-Spitzenverband", + ), + profession_infos=[ + x509.ProfessionInfo( + naming_authority=x509.NamingAuthority( + id=x509.ObjectIdentifier("1.2.276.0.76.4.225"), + url="https://example.com", + text=( + "Betriebsstätte Deutscher " + "Apothekerverband" + ), + ), + profession_items=["Ã\x84rztin/Arzt", ""], + profession_oids=[ + x509.ObjectIdentifier("1.2.276.0.76.4.30"), + x509.ObjectIdentifier("1.2.276.0.76.4.31"), + ], + registration_number="9-999/99999999", + add_profession_info=( + b'\x16"additional profession info example' + ), + ) + ], + ), + x509.Admission( + admission_authority=x509.OtherName( + type_id=x509.NameOID.COUNTRY_NAME, + value=b"\x04\x04\x13\x02DE", + ), + naming_authority=None, + profession_infos=[ + x509.ProfessionInfo( + naming_authority=x509.NamingAuthority( + id=x509.ObjectIdentifier("1.2.276.0.76.4.227"), + url=None, + text=( + "Betriebsstätte der Deutsche Krankenhaus " + "TrustCenter und Informationsverarbeitung " + "GmbH" + ), + ), + profession_items=["Krankenhaus"], + profession_oids=[ + 
x509.ObjectIdentifier("1.2.276.0.76.4.53"), + x509.ObjectIdentifier("1.2.276.0.76.4.246"), + ], + registration_number="9.9.9-99999999", + add_profession_info=None, + ), + x509.ProfessionInfo( + naming_authority=None, + profession_items=[ + "Krankenhaus", + "Betriebsstätte Geburtshilfe", + ], + profession_oids=[ + x509.ObjectIdentifier("1.2.276.0.76.4.53") + ], + registration_number="", + add_profession_info=None, + ), + ], + ), + x509.Admission( + admission_authority=None, + naming_authority=None, + profession_infos=[ + x509.ProfessionInfo( + naming_authority=None, + profession_items=[], + profession_oids=None, + registration_number=None, + add_profession_info=None, + ) + ], + ), + x509.Admission( + admission_authority=None, + naming_authority=x509.NamingAuthority(None, None, None), + profession_infos=[], + ), + x509.Admission( + admission_authority=None, + naming_authority=None, + profession_infos=[], + ), + ], + ) + + cert = _load_cert( + os.path.join( + "x509", + "custom", + "admissions_extension_authority_not_provided.pem", + ), + x509.load_pem_x509_certificate, + ) + ext = cert.extensions.get_extension_for_class(x509.Admissions) + assert ext.value == x509.Admissions(authority=None, admissions=[]) + class TestRSACertificateRequest: @pytest.mark.parametrize( diff --git a/vectors/cryptography_vectors/x509/custom/admissions_extension_authority_not_provided.pem b/vectors/cryptography_vectors/x509/custom/admissions_extension_authority_not_provided.pem new file mode 100644 index 000000000000..147f26196b8c --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/admissions_extension_authority_not_provided.pem 
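Review bot: `test_admissions_extension` only loads the two well-formed synthetic vectors, so the failure path of the new parser is never exercised for an extension that comes from an untrusted certificate. I would add a case that loads a certificate whose Admissions value is malformed (for example a truncated inner SEQUENCE) and asserts that reading `cert.extensions` raises an error rather than returning a partially populated `x509.Admissions`. That needs one more vector under `x509/custom/`, described in `test-vectors.rst` like the two added here.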
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDiTCCAy+gAwIBAgIUDuURI/KxJjJlnU/YDGmX0V0DyNQwCgYIKoZIzj0EAwIw +JzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeSBDQTAeFw0yNDEx +MDkxMzI4MjVaFw0yNDEyMDkxMzI4MjVaMCkxCzAJBgNVBAYTAlVTMRowGAYDVQQD +DBFjcnlwdG9ncmFwaHkgdGVzdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBANBIheRc1HT4MzV5GvUbDk9CFU6DTomRApNqRmizriRqm6OY4Ht3d71BXog6 +/IBkqAnZ4/XJQ40G4sVDb52k11oPvfJ/F5pc+6UqPBL+QGzYGkJoubAqXFpI6ow0 +qayFNQLv0T9o4yh0QQOoGvgCmv91qmitLrZNXu4U9S76G+DiGST+QyMkMxj+VsGR +sRRBufV1urcnvFWjU6Q2+cr2cp0mMAG96NTyIskYiJ8vL03Wz4DX4klO4X47fPmD +nU/OMn4SbvMZ896j1L0J04S+uVThTkxQWcFcqXhX5qM8kzcjJUmybFlbf150j3Wi +ucW48K/j7fJ0x9q3iUo4Gva0coScglJWcgo/BBCwFDw8NVba7npxSRMiaS3qTv0d +EFcRnvByc+7hyGxxlWdTE9tHisUI1eZVk9P9ziqNOZKscY8ZX1+/C4M9X69Y7A8I +74F5dO27IRycEgOrSo2z1NhfSwbqJr9a2TBtRsFinn8rjKBIzNn0E5p9jO1Wjxtk +cjHfXXpLN8FFMvoYI9l/K+ZWDm9sboaF8jrgozSc004AFemAH79mmCGVRKXn1vDA +o4DLC6p3NiBFYQcYbW9V+beGD6srsF6xJtuY/UwtPROLWSzuCCrZ/4BlmpNsR0eh +IFFvzEKjX6rR2yp3YKlguDbMBMKMpfSGxAFwcZ7OiaxR20UHAgMBAAGjbDBqMA0G +BSskCAMDBAQwAjAAMB0GA1UdDgQWBBTWrADzmGKoPZIVNf6QvnOYMOtMhDA6BgNV +HSMEMzAxoSukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5 +IENBggIDCTAKBggqhkjOPQQDAgNIADBFAiAnRuoEuL/8c/B3Cb89FOSMlV/sX1QW +MXM8X69xVWxyjAIhAIuZ8HI2TUtuTOGascFW46AjkPfwCggknB7kkq86QOn3 +-----END CERTIFICATE----- diff --git a/vectors/cryptography_vectors/x509/custom/admissions_extension_optional_data_not_provided.pem b/vectors/cryptography_vectors/x509/custom/admissions_extension_optional_data_not_provided.pem new file mode 100644 index 000000000000..5899cf19769a --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/admissions_extension_optional_data_not_provided.pem 
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF1zCCBXygAwIBAgIUckdGKz+upx7gGI/r6y1UvvQQFKowCgYIKoZIzj0EAwIw +JzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeSBDQTAeFw0yNDEx +MDkxMzI0NTlaFw0yNDEyMDkxMzI0NTlaMCkxCzAJBgNVBAYTAlVTMRowGAYDVQQD +DBFjcnlwdG9ncmFwaHkgdGVzdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBANBIheRc1HT4MzV5GvUbDk9CFU6DTomRApNqRmizriRqm6OY4Ht3d71BXog6 +/IBkqAnZ4/XJQ40G4sVDb52k11oPvfJ/F5pc+6UqPBL+QGzYGkJoubAqXFpI6ow0 +qayFNQLv0T9o4yh0QQOoGvgCmv91qmitLrZNXu4U9S76G+DiGST+QyMkMxj+VsGR +sRRBufV1urcnvFWjU6Q2+cr2cp0mMAG96NTyIskYiJ8vL03Wz4DX4klO4X47fPmD +nU/OMn4SbvMZ896j1L0J04S+uVThTkxQWcFcqXhX5qM8kzcjJUmybFlbf150j3Wi +ucW48K/j7fJ0x9q3iUo4Gva0coScglJWcgo/BBCwFDw8NVba7npxSRMiaS3qTv0d +EFcRnvByc+7hyGxxlWdTE9tHisUI1eZVk9P9ziqNOZKscY8ZX1+/C4M9X69Y7A8I +74F5dO27IRycEgOrSo2z1NhfSwbqJr9a2TBtRsFinn8rjKBIzNn0E5p9jO1Wjxtk +cjHfXXpLN8FFMvoYI9l/K+ZWDm9sboaF8jrgozSc004AFemAH79mmCGVRKXn1vDA +o4DLC6p3NiBFYQcYbW9V+beGD6srsF6xJtuY/UwtPROLWSzuCCrZ/4BlmpNsR0eh +IFFvzEKjX6rR2yp3YKlguDbMBMKMpfSGxAFwcZ7OiaxR20UHAgMBAAGjggK3MIIC +szCCAlQGBSskCAMDBIICSTCCAkWkQjBAMQswCQYDVQQGEwJERTExMC8GA1UECgwo +RWxla3Ryb25pc2NoZXMgR2VzdW5kaGVpdHNiZXJ1ZmVyZWdpc3RlcjCCAf0wgfKg +BYgDVQQKoTQwMgYIKoIUAEwEgV8WAAwkQmV0cmllYnNzdMODwqR0dGUgR0tWLVNw +aXR6ZW52ZXJiYW5kMIGyMIGvoE8wTQYIKoIUAEwEgWEWE2h0dHBzOi8vZXhhbXBs +ZS5jb20MLEJldHJpZWJzc3TDg8KkdHRlIERldXRzY2hlciBBcG90aGVrZXJ2ZXJi +YW5kMBIMDsODwoRyenRpbi9Bcnp0DAAwEgYHKoIUAEwEHgYHKoIUAEwEHxMOOS05 +OTkvOTk5OTk5OTkEJBYiYWRkaXRpb25hbCBwcm9mZXNzaW9uIGluZm8gZXhhbXBs +ZTCB8aAPoA0GA1UEBqAGBAQTAkRFMIHdMIGcoGYwZAYIKoIUAEwEgWMMWEJldHJp +ZWJzc3TDg8KkdHRlIGRlciBEZXV0c2NoZSBLcmFua2VuaGF1cyBUcnVzdENlbnRl +ciB1bmQgSW5mb3JtYXRpb25zdmVyYXJiZWl0dW5nIEdtYkgwDQwLS3Jhbmtlbmhh +dXMwEwYHKoIUAEwENQYIKoIUAEwEgXYTDjkuOS45LTk5OTk5OTk5MDwwLQwLS3Jh +bmtlbmhhdXMMHkJldHJpZWJzc3TDg8KkdHRlIEdlYnVydHNoaWxmZTAJBgcqghQA +TAQ1EwAwBjAEMAIwADAGoQIwADAAMAIwADAdBgNVHQ4EFgQU1qwA85hiqD2SFTX+ +kL5zmDDrTIQwOgYDVR0jBDMwMaErpCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMM 
+D2NyeXB0b2dyYXBoeSBDQYICAwkwCgYIKoZIzj0EAwIDSQAwRgIhAMz8iUp3Tj0W +3mMOPIyNyQ6ZwydHCX199oH5j0opH+4GAiEAyOF2Mw4H6xDOfsEa2NvnpO4mt8Pa +y7msciyCxhMgUZY= +-----END CERTIFICATE----- From e72182eebb23e4968f68ec11533bd50da62779c3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Nov 2024 11:42:00 +0000 Subject: [PATCH 1353/1462] Bump cc from 1.1.36 to 1.1.37 (#11929) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.36 to 1.1.37. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.36...cc-v1.1.37) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index ef0c1683c9b8..dd3efc431b63 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.36" +version = "1.1.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "baee610e9452a8f6f0a1b6194ec09ff9e2d85dea54432acdae41aa0761c95d70" +checksum = "40545c26d092346d8a8dab71ee48e7685a7a9cba76e634790c215b41a4a7b4cf" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 0f093188273b..7deee5897926 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml 
@@ -11,7 +11,7 @@ pyo3 = { version = "0.22.6", features = ["abi3"] } openssl-sys = "0.9.104" [build-dependencies] -cc = "1.1.36" +cc = "1.1.37" [lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(python_implementation, values("CPython", "PyPy"))'] } From a6d5977c06636eecc7a5a1cb340f8a87423664ee Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Nov 2024 11:42:19 +0000 Subject: [PATCH 1354/1462] Bump uv from 0.5.0 to 0.5.1 (#11930) Bumps [uv](https://github.com/astral-sh/uv) from 0.5.0 to 0.5.1. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.5.0...0.5.1) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c5ad38631905..f480548a4d97 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -292,7 +292,7 @@ urllib3==2.0.7 ; python_full_version < '3.8' # via requests urllib3==2.2.3 ; python_full_version >= '3.8' # via requests -uv==0.5.0 ; python_full_version >= '3.8' +uv==0.5.1 ; python_full_version >= '3.8' # via nox virtualenv==20.26.6 ; python_full_version < '3.8' # via nox From 854da3dd85edc5a8b6548885e140b18a249bcde7 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Nov 2024 12:01:43 +0000 Subject: [PATCH 1355/1462] Bump uv from 0.5.0 to 0.5.1 in /.github/requirements (#11931) Bumps [uv](https://github.com/astral-sh/uv) from 0.5.0 to 0.5.1. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.5.0...0.5.1) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 3cdaf2b180d9..0e4eccac27b7 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.5.0 \ - --hash=sha256:2c59e971c02a953d1dc1a937ef84de527d8fbe9ae13faa71ee8c0d5f697127cc \ - --hash=sha256:313c9fc30c6679fbf5bf4acc043ad171bee7853bb16f366af064e835d1fb1a74 \ - --hash=sha256:4f0bcd3e97010e79a7a75e840d1177a859bf07764da1079e9fbce66e7ebd9428 \ - --hash=sha256:63cc3a9f346b74012f7ac1daea1aee22568da1023993d8f4a7b8bc30bcb4edf2 \ - --hash=sha256:6fb131612a96b719b80e15e3261b2dee67028b137a4bb86730f8fb02808f2d79 \ - --hash=sha256:886c85e53b99cb66c544feab20d5a64467556ec59c92445a7aa2fc637e4f5820 \ - --hash=sha256:8a603ed4c91fba250cc62aaf3b54b68cf70b7fefda07b6c2f230a6d8a8005616 \ - --hash=sha256:a3bc6911be7d86f3750bce1580e664877a3a88c126eb68afbb132cd0896fd109 \ - --hash=sha256:b256e450f103e98e6d8ebd92af44db16d5d699766c73f9da979cddcc9665577c \ - --hash=sha256:b52fd615c4dba8366677528122f4ead7d0651dc6cbc8cd6d17be72e2deb0390c \ - --hash=sha256:b846b92230d64e50425cbf183e119f9c27ebd2eae77c197b3625c701a5c13b08 \ - --hash=sha256:b9e22f38bd4cd66ea252fe9060ae567da92eec2dc9154fedab1f059c37288ee0 \ - --hash=sha256:d1b7fa52da65196c29569032c1c1144574e75b0caaaca77ea4c22f4a09dedc60 \ - --hash=sha256:d796198163478a8db4e2f27fa6a21fb7c96c3b62c4af28bfaf8a654b7a86ce0a \ - --hash=sha256:de8c70d26bc4231ada30d14eaf105740ad735b2b41fde9b81978df5f0ed25152 \ - --hash=sha256:e6c071304fae1e530c7d24464f80f5efdc3e03b04c620703e1d351d27afc970b \ - --hash=sha256:f5ad860fb028179ce4467fec6dd2b2a1a369cbd67e2a058f1b50116055fda5b8 \ - --hash=sha256:feb4db59fd402461f64d9493525b2dd7bda5f8b1bb1502f1f1dbb8cd9dff7c62 +uv==0.5.1 \ + --hash=sha256:01c40f756e9536c05fdf3485c1dfe3da610c3169195bbe20fab03a4c4b7a0d98 \ + --hash=sha256:3db7513c804fb89dcde671ba917cc486cfb574408d6257e19b19ae6b55f5982f \ + --hash=sha256:3ffb230be0f6552576da67a2737a32a6a640e4b3f42144088222a669802d7f10 \ + --hash=sha256:4601d40b0c02aff9fb791efa5b6f4c7dbad0970e13ac679aa8fb07365f331354 \ + 
--hash=sha256:4d1ec4a1bc19b523a84fc1bf2a92e9c4d982c831d3da450af71fc3057999d456 \ + --hash=sha256:6a76765c3cc49268f3c6773bd89a0dacf8a91b040fc3faea6c527ef6f2308eba \ + --hash=sha256:6ec61220d883751777cbabf0b076607cfbdeb812bc52c28722e897271461e589 \ + --hash=sha256:72b54a3308e13a81aa2df19baea40611fc344c7556f75d2113f9b9b5a894355e \ + --hash=sha256:73853b98bce9e118cda2d64360ddd7e0f79e237aca8cd2f28b6d5679400b239e \ + --hash=sha256:821b6a9d591d3e951fbe81c53d32499d11500100d66b1c119e183f3d4a6cd07c \ + --hash=sha256:8dce5b6d6dea41db71fe8d9895167cc5abf3e7b28c016174b1b9a9aecb74d483 \ + --hash=sha256:922685dcaa1c9b6663649b379f9bdbe5b87af230f512e69398efc51bd9d8b8eb \ + --hash=sha256:93f0a02ea9149f4e7e359ef92da6f221da2ecf458cda2af729a1f6fa8c3ed1d2 \ + --hash=sha256:aaa63053ff6dc4456e2ac2a9b6a8eda0cfaa1e0f861633d9e7315c7df9a0a525 \ + --hash=sha256:ac3fce68002e79f3c070f3e7d914e992f205f05af00bfffbe6c44d37aa39c86a \ + --hash=sha256:ad2dd8a994a8334a5d4b354589be4b8c4b3b2ebb7bb2f2976c8e21d2799f45a9 \ + --hash=sha256:c4d209164448c8529e21aca4ef1e3da94303b1bf726924786feffd87ed93ab4a \ + --hash=sha256:f66859e67d10ffff8b17c67c7ede207d67487cef20c3d17bc427b690f9dff795 From 7a22df000009805900eb4f87bd608f001c352ad3 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 11 Nov 2024 09:20:09 -0500 Subject: [PATCH 1356/1462] Update zipp for new release that raises MSPV (#11932) --- ci-constraints-requirements.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f480548a4d97..6a85f7fe65df 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -302,10 +302,12 @@ webencodings==0.5.1 ; python_full_version < '3.8' # via bleach zipp==3.15.0 ; python_full_version < '3.8' # via importlib-metadata -zipp==3.20.2 ; python_full_version >= '3.8' and python_full_version < '3.10.2' +zipp==3.20.2 ; python_full_version == '3.8.*' # via # importlib-metadata # importlib-resources +zipp==3.21.0 ; python_full_version >= '3.9' and python_full_version < '3.10.2' + # via importlib-metadata # The following packages were excluded from the output: # cffi From d251c8aec4150b691455c47c7ee34c262a22359c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 11 Nov 2024 09:31:49 -0500 Subject: [PATCH 1357/1462] Specify minimum versions for more deps (#11924) Right now our deps are basically wrong, and impossible to use with lowest version resolution. Let's start trying to specify minimums so our deps are properly accurate. --- pyproject.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 2e17f895f57c..0d561612b14c 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -66,7 +66,7 @@ ssh = ["bcrypt >=3.1.5"] nox = ["nox", "nox[uv] >=2024.03.02; python_version >= '3.8'"] test = [ "cryptography_vectors", - "pytest >=6.2.0", + "pytest >=7.2.0", "pytest-benchmark", "pytest-cov", "pytest-xdist", @@ -76,7 +76,7 @@ test = [ test-randomorder = ["pytest-randomly"] docs = ["sphinx >=5.3.0", "sphinx-rtd-theme >=3.0.0; python_version >= '3.8'"] docstest = ["pyenchant >=1.6.11", "readme-renderer", "sphinxcontrib-spelling >=4.0.1"] -sdist = ["build"] +sdist = ["build >=1.0.0"] # `click` included because its needed to type check `release.py` pep8test = ["ruff", "mypy", "check-sdist; python_version >= '3.8'", "click"] From da437d16a95d52feecab366df9813a53717ba4c3 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Mon, 11 Nov 2024 09:37:32 -0500 Subject: [PATCH 1358/1462] fixes #11920 raise a clean Python error on DSA signing failure due to nilpotent (#11921) --- docs/development/test-vectors.rst | 4 +++ docs/spelling_wordlist.txt | 1 + .../bindings/_rust/openssl/__init__.pyi | 1 + src/rust/Cargo.toml | 2 +- src/rust/build.rs | 3 +++ src/rust/src/backend/dsa.rs | 10 ++++++-- src/rust/src/lib.rs | 4 +++ tests/hazmat/primitives/test_dsa.py | 25 +++++++++++++++++++ .../asymmetric/DSA/custom/nilpotent.pem | 5 ++++ 9 files changed, 52 insertions(+), 3 deletions(-) create mode 100644 vectors/cryptography_vectors/asymmetric/DSA/custom/nilpotent.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index d27266b017de..3b4adc939528 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -183,6 +183,10 @@ Custom asymmetric vectors encrypted at the PEM level with AES-128-CBC and password "a123456". * ``asymmetric/DER_Serialization/testrsa.der`` - The above as a DER-encoded RSAPrivateKey structure. +* ``asymmetric/DSA/custom/nilpotent.pem`` -- A key where the field is actually + a ring and the generator of the multiplicative subgroup is actually + nilpotent with low degree. Taken from BoringSSL (see + ``TEST(DSATest, NilpotentGenerator)``). Key exchange diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index f8e6d4232ae0..1d70dd88d581 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -89,6 +89,7 @@ namespace namespaces macOS naïve +nilpotent Nonces nonces online diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index 1e66d3331030..320cef10250e 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi 
@@ -48,6 +48,7 @@ __all__ = [ CRYPTOGRAPHY_IS_LIBRESSL: bool CRYPTOGRAPHY_IS_BORINGSSL: bool CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: bool +CRYPTOGRAPHY_OPENSSL_309_OR_GREATER: bool CRYPTOGRAPHY_OPENSSL_320_OR_GREATER: bool class Providers: ... diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index cc31ddf29791..e6f1af8ae696 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -32,4 +32,4 @@ name = "cryptography_rust" crate-type = ["cdylib"] [lints.rust] -unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_IDEA", "OPENSSL_NO_CAST", "OPENSSL_NO_BF", "OPENSSL_NO_CAMELLIA", "OPENSSL_NO_SEED", "OPENSSL_NO_SM4"))'] } +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_309_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_IDEA", "OPENSSL_NO_CAST", "OPENSSL_NO_BF", "OPENSSL_NO_CAMELLIA", "OPENSSL_NO_SEED", "OPENSSL_NO_SM4"))'] } diff --git a/src/rust/build.rs b/src/rust/build.rs index d4dca24c4566..2d94d8da7ba3 100644 --- a/src/rust/build.rs +++ b/src/rust/build.rs @@ -12,6 +12,9 @@ fn main() { if version >= 0x3_00_00_00_0 { println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_300_OR_GREATER"); } + if version >= 0x3_00_09_00_0 { + println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_309_OR_GREATER"); + } if version >= 0x3_02_00_00_0 { println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_320_OR_GREATER"); } diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index f46cb2860d33..c904824bb894 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs 
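Review bot: The threshold `0x3_00_09_00_0` added in `build.rs` does not look like the encoding of OpenSSL 3.0.9. Assuming `version` holds OpenSSL's `OPENSSL_VERSION_NUMBER` (where it is read is outside the hunk), 3.x releases keep the patch level in bits 4-11, which makes 3.0.9 `0x3_00_00_09_0`; the value in the hunk is larger than every 3.0.x number, so `CRYPTOGRAPHY_OPENSSL_309_OR_GREATER` would first become true at 3.1.0. The nilpotent-key test added in this commit is gated on that flag and would then be skipped on 3.0.9 and later 3.0.x builds, leaving the new signing error path untested there. Suggested line: `if version >= 0x3_00_00_09_0 {`.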
@@ -5,8 +5,9 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; -use crate::exceptions; +use crate::{error, exceptions}; use pyo3::types::PyAnyMethods; +use pyo3::ToPyObject; #[pyo3::pyclass( frozen, @@ -76,7 +77,12 @@ impl DsaPrivateKey { let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; signer.sign_init()?; let mut sig = vec![]; - signer.sign_to_vec(data.as_bytes(), &mut sig)?; + signer.sign_to_vec(data.as_bytes(), &mut sig).map_err(|e| { + pyo3::exceptions::PyValueError::new_err(( + "DSA signing failed. This generally indicates an invalid key.", + error::list_from_openssl_error(py, &e).to_object(py), + )) + })?; Ok(pyo3::types::PyBytes::new_bound(py, &sig)) } diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index e15fffa6d32e..66db6e11a259 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -199,6 +199,10 @@ mod _rust { "CRYPTOGRAPHY_OPENSSL_300_OR_GREATER", cfg!(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), )?; + openssl_mod.add( + "CRYPTOGRAPHY_OPENSSL_309_OR_GREATER", + cfg!(CRYPTOGRAPHY_OPENSSL_309_OR_GREATER), + )?; openssl_mod.add( "CRYPTOGRAPHY_OPENSSL_320_OR_GREATER", cfg!(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER), diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index 35b7f56f69e0..fa75b8d9a000 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py @@ -12,6 +12,7 @@ from cryptography import utils from cryptography.exceptions import InvalidSignature +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import dsa from cryptography.hazmat.primitives.asymmetric.utils import ( 
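Review bot: The `map_err` on `sign_to_vec` turns every signing failure into a `ValueError` saying it "generally indicates an invalid key", but nothing here records which failure prompted it or why `sign_init()?` one line up still propagates the raw OpenSSL error. A short comment would help the next reader, for example `// A malformed key (e.g. a nilpotent generator) can load successfully and only fail here; surface it as ValueError instead of an internal OpenSSL error.` Failures unrelated to the key, such as an allocation error inside OpenSSL, would carry the same message, so the comment should say the mapping is a deliberate simplification. The enclosing `sign` method starts outside the hunk.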
@@ -550,6 +551,30 @@ def test_prehashed_digest_mismatch(self, backend): with pytest.raises(ValueError): private_key.sign(digest, prehashed_alg) + @pytest.mark.supported( + only_if=lambda _: ( + rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL + or rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL + or rust_openssl.CRYPTOGRAPHY_OPENSSL_309_OR_GREATER + ), + skip_message="Requires OpenSSL 3.0.9+, LibreSSL, or BoringSSL", + ) + def test_nilpotent(self): + try: + key = load_vectors_from_file( + os.path.join("asymmetric", "DSA", "custom", "nilpotent.pem"), + lambda pemfile: serialization.load_pem_private_key( + pemfile.read().encode(), password=None + ), + ) + except ValueError: + # LibreSSL simply rejects this key on load. + return + assert isinstance(key, dsa.DSAPrivateKey) + + with pytest.raises(ValueError): + key.sign(b"anything", hashes.SHA256()) + class TestDSANumbers: def test_dsa_parameter_numbers(self): diff --git a/vectors/cryptography_vectors/asymmetric/DSA/custom/nilpotent.pem b/vectors/cryptography_vectors/asymmetric/DSA/custom/nilpotent.pem new file mode 100644 index 000000000000..6588c20173cc --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/DSA/custom/nilpotent.pem @@ -0,0 +1,5 @@ +-----BEGIN DSA PRIVATE KEY----- +MGECAQACFQHH+MnFXh4NNlZiV/zUVb5a5ib3kwIVAOP8ZOKvDwabKzEr/moq3y1z +E3vJAhUAl/2Ylx9fWbzHdh1URsc/c6IM/TECAQECFCsjU4AZRcuks45g1NMOUeCB +Epvg +-----END DSA PRIVATE KEY----- From 8c32661ac6455c761c2e930cbb89cc64111de3f4 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 11 Nov 2024 14:38:09 +0000 Subject: [PATCH 1359/1462] add __all__ for scrypt (#11933) --- src/cryptography/hazmat/primitives/kdf/scrypt.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/cryptography/hazmat/primitives/kdf/scrypt.py b/src/cryptography/hazmat/primitives/kdf/scrypt.py index 43a7704d48e3..f791ceea371b 100644 --- a/src/cryptography/hazmat/primitives/kdf/scrypt.py +++ b/src/cryptography/hazmat/primitives/kdf/scrypt.py 
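Review bot: The `except ValueError: return` in `test_nilpotent` lets the test pass on every backend whenever the key fails to load, although the comment says only LibreSSL rejects it at load time. If OpenSSL or BoringSSL started rejecting the key on load, or the vector file were corrupted, the signing path this commit fixes would stop being exercised without any test failing. Restricting the early return keeps the coverage honest: put `if not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL: raise` before the `return`.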
@@ -15,3 +15,5 @@ Scrypt = rust_openssl.kdf.Scrypt KeyDerivationFunction.register(Scrypt) + +__all__ = ["Scrypt"] From a7aa8cec96cf452de6d7cc1dc3f0beada4eefadb Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 11 Nov 2024 14:42:26 +0000 Subject: [PATCH 1360/1462] argon2id support (#11524) * argon2id support * make it all rust now * set a threadpool number * address comments * set threadpool to max(available, current) * review comments * a few more improvements * Update docs/hazmat/primitives/key-derivation-functions.rst Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- CHANGELOG.rst | 2 + .../primitives/key-derivation-functions.rst | 101 +++++++++++ docs/spelling_wordlist.txt | 3 + .../hazmat/backends/openssl/backend.py | 6 + .../hazmat/bindings/_rust/openssl/kdf.pyi | 15 ++ .../hazmat/primitives/kdf/argon2.py | 13 ++ src/rust/src/backend/kdf.rs | 168 ++++++++++++++++++ src/rust/src/lib.rs | 14 ++ tests/hazmat/primitives/test_argon2.py | 160 +++++++++++++++++ 9 files changed, 482 insertions(+) create mode 100644 src/cryptography/hazmat/primitives/kdf/argon2.py create mode 100644 tests/hazmat/primitives/test_argon2.py diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 7021e8423b7f..994eb6360ad5 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -23,6 +23,8 @@ Changelog * Relax the Authority Key Identifier requirements on root CA certificates during X.509 verification to allow fields permitted by :rfc:`5280` but forbidden by the CA/Browser BRs. +* Added support for :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id` + when using OpenSSL 3.2.0+. .. _v43-0-3: diff --git a/docs/hazmat/primitives/key-derivation-functions.rst b/docs/hazmat/primitives/key-derivation-functions.rst index 2715e3e56c5d..113b1bf7f87d 100644 --- a/docs/hazmat/primitives/key-derivation-functions.rst +++ b/docs/hazmat/primitives/key-derivation-functions.rst 
@@ -30,6 +30,106 @@ Different KDFs are suitable for different tasks such as: Variable cost algorithms ~~~~~~~~~~~~~~~~~~~~~~~~ +Argon2id +-------- + +.. currentmodule:: cryptography.hazmat.primitives.kdf.argon2 + +.. class:: Argon2id(*, salt, length, iterations, lanes, memory_cost, ad=None, secret=None) + + .. versionadded:: 44.0.0 + + Argon2id is a KDF designed for password storage. It is designed to be + resistant to hardware attacks and is described in :rfc:`9106`. + + This class conforms to the + :class:`~cryptography.hazmat.primitives.kdf.KeyDerivationFunction` + interface. + + .. doctest:: + + >>> import os + >>> from cryptography.hazmat.primitives.kdf.argon2 import Argon2id + >>> salt = os.urandom(16) + >>> # derive + >>> kdf = Argon2id( + ... salt=salt, + ... length=32, + ... iterations=1, + ... lanes=4, + ... memory_cost=64 * 1024, + ... ad=None, + ... secret=None, + ... ) + >>> key = kdf.derive(b"my great password") + >>> # verify + >>> kdf = Argon2id( + ... salt=salt, + ... length=32, + ... iterations=1, + ... lanes=4, + ... memory_cost=64 * 1024, + ... ad=None, + ... secret=None, + ... ) + >>> kdf.verify(b"my great password", key) + + **All arguments to the constructor are keyword-only.** + + :param bytes salt: A salt should be unique (and randomly generated) per + password and is recommended to be 16 bytes or longer + :param int length: The desired length of the derived key in bytes. + :param int iterations: Also known as passes, this is used to tune + the running time independently of the memory size. + :param int lanes: The number of lanes (parallel threads) to use. Also + known as parallelism. + :param int memory_cost: The amount of memory to use in kibibytes. + 1 kibibyte (KiB) is 1024 bytes. This must be at minimum ``8 * lanes``. + :param bytes ad: Optional associated data. + :param bytes secret: Optional secret data; used for keyed hashing. + + :rfc:`9106` has recommendations for `parameter choice`_. 
+ + :raises cryptography.exceptions.UnsupportedAlgorithm: If Argon2id is not + supported by the OpenSSL version ``cryptography`` is using. + + .. method:: derive(key_material) + + :param key_material: The input key material. + :type key_material: :term:`bytes-like` + :return bytes: the derived key. + :raises TypeError: This exception is raised if ``key_material`` is not + ``bytes``. + :raises cryptography.exceptions.AlreadyFinalized: This is raised when + :meth:`derive` or + :meth:`verify` is + called more than + once. + + This generates and returns a new key from the supplied password. + + .. method:: verify(key_material, expected_key) + + :param bytes key_material: The input key material. This is the same as + ``key_material`` in :meth:`derive`. + :param bytes expected_key: The expected result of deriving a new key, + this is the same as the return value of + :meth:`derive`. + :raises cryptography.exceptions.InvalidKey: This is raised when the + derived key does not match + the expected key. + :raises cryptography.exceptions.AlreadyFinalized: This is raised when + :meth:`derive` or + :meth:`verify` is + called more than + once. + + This checks whether deriving a new key from the supplied + ``key_material`` generates the same key as the ``expected_key``, and + raises an exception if they do not match. This can be used for + checking whether the password a user provides matches the stored derived + key. + PBKDF2 ------ @@ -1039,3 +1139,4 @@ Interface .. _`recommends`: https://datatracker.ietf.org/doc/html/rfc7914#section-2 .. _`The scrypt paper`: https://www.tarsnap.com/scrypt/scrypt.pdf .. _`understanding HKDF`: https://soatok.blog/2021/11/17/understanding-hkdf/ +.. _`parameter choice`: https://datatracker.ietf.org/doc/html/rfc9106#section-4 diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 1d70dd88d581..8cbe187e3e3f 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt 
@@ -77,6 +77,9 @@ iOS iterable Kerberos Keychain +KiB +kibibyte +kibibytes Koblitz Lange logins diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 9a3dc2108701..78996848f391 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -122,6 +122,12 @@ def scrypt_supported(self) -> bool: else: return hasattr(rust_openssl.kdf.Scrypt, "derive") + def argon2_supported(self) -> bool: + if self._fips_enabled: + return False + else: + return hasattr(rust_openssl.kdf.Argon2id, "derive") + def hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool: # FIPS mode still allows SHA1 for HMAC if self._fips_enabled and isinstance(algorithm, hashes.SHA1): diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/kdf.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/kdf.pyi index 01f7d606e8cc..4b90bb4f7744 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/kdf.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/kdf.pyi @@ -26,3 +26,18 @@ class Scrypt: ) -> None: ... def derive(self, key_material: bytes) -> bytes: ... def verify(self, key_material: bytes, expected_key: bytes) -> None: ... + +class Argon2id: + def __init__( + self, + *, + salt: bytes, + length: int, + iterations: int, + lanes: int, + memory_cost: int, + ad: bytes | None = None, + secret: bytes | None = None, + ) -> None: ... + def derive(self, key_material: bytes) -> bytes: ... + def verify(self, key_material: bytes, expected_key: bytes) -> None: ... diff --git a/src/cryptography/hazmat/primitives/kdf/argon2.py b/src/cryptography/hazmat/primitives/kdf/argon2.py new file mode 100644 index 000000000000..405fc8dff268 --- /dev/null +++ b/src/cryptography/hazmat/primitives/kdf/argon2.py 
@@ -0,0 +1,13 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from __future__ import annotations + +from cryptography.hazmat.bindings._rust import openssl as rust_openssl +from cryptography.hazmat.primitives.kdf import KeyDerivationFunction + +Argon2id = rust_openssl.kdf.Argon2id +KeyDerivationFunction.register(Argon2id) + +__all__ = ["Argon2id"] diff --git a/src/rust/src/backend/kdf.rs b/src/rust/src/backend/kdf.rs index 2292c08af5e2..0b4bfd54ed1f 100644 --- a/src/rust/src/backend/kdf.rs +++ b/src/rust/src/backend/kdf.rs 
@@ -164,10 +164,178 @@ impl Scrypt { } } +#[pyo3::pyclass(module = "cryptography.hazmat.primitives.kdf.argon2")] +struct Argon2id { + #[cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)] + salt: pyo3::Py, + #[cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)] + length: usize, + #[cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)] + iterations: u32, + #[cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)] + lanes: u32, + #[cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)] + memory_cost: u32, + #[cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)] + ad: Option>, + #[cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)] + secret: Option>, + #[cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)] + used: bool, +} + +#[pyo3::pymethods] +impl Argon2id { + #[new] + #[pyo3(signature = (salt, length, iterations, lanes, memory_cost, ad=None, secret=None))] + #[allow(clippy::too_many_arguments)] + fn new( + py: pyo3::Python<'_>, + salt: pyo3::Py, + length: usize, + iterations: u32, + lanes: u32, + memory_cost: u32, + ad: Option>, + secret: Option>, + ) -> CryptographyResult { + cfg_if::cfg_if! { + if #[cfg(not(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER))] { + _ = py; + _ = salt; + _ = length; + _ = iterations; + _ = lanes; + _ = memory_cost; + _ = ad; + _ = secret; + + Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err( + "This version of OpenSSL does not support argon2id" + ), + )) + } else { + if cryptography_openssl::fips::is_enabled() { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err( + "This version of OpenSSL does not support argon2id" + ), + )); + } + + if salt.as_bytes(py).len() < 8 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "salt must be at least 8 bytes" + ), + )); + } + if length < 4 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "length must be greater than or equal to 4." 
+ ), + )); + } + if iterations < 1 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "iterations must be greater than or equal to 1." + ), + )); + } + if lanes < 1 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "lanes must be greater than or equal to 1." + ), + )); + } + + if memory_cost / 8 < lanes { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "memory_cost must be an integer >= 8 * lanes." + ), + )); + } + + + Ok(Argon2id{ + salt, + length, + iterations, + lanes, + memory_cost, + ad, + secret, + used: false, + }) + } + } + } + + #[cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)] + fn derive<'p>( + &mut self, + py: pyo3::Python<'p>, + key_material: CffiBuf<'_>, + ) -> CryptographyResult> { + if self.used { + return Err(exceptions::already_finalized_error()); + } + self.used = true; + Ok(pyo3::types::PyBytes::new_bound_with( + py, + self.length, + |b| { + openssl::kdf::argon2id( + None, + key_material.as_bytes(), + self.salt.as_bytes(py), + self.ad.as_ref().map(|ad| ad.as_bytes(py)), + self.secret.as_ref().map(|secret| secret.as_bytes(py)), + self.iterations, + self.lanes, + self.memory_cost, + b, + ) + .map_err(CryptographyError::from)?; + Ok(()) + }, + )?) 
+ } + + #[cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)] + fn verify( + &mut self, + py: pyo3::Python<'_>, + key_material: CffiBuf<'_>, + expected_key: CffiBuf<'_>, + ) -> CryptographyResult<()> { + let actual = self.derive(py, key_material)?; + let actual_bytes = actual.as_bytes(); + let expected_bytes = expected_key.as_bytes(); + + if actual_bytes.len() != expected_bytes.len() + || !openssl::memcmp::eq(actual_bytes, expected_bytes) + { + return Err(CryptographyError::from(exceptions::InvalidKey::new_err( + "Keys do not match.", + ))); + } + + Ok(()) + } +} + #[pyo3::pymodule] pub(crate) mod kdf { #[pymodule_export] use super::derive_pbkdf2_hmac; #[pymodule_export] + use super::Argon2id; + #[pymodule_export] use super::Scrypt; } diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 66db6e11a259..b2642c5ce999 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -225,6 +225,20 @@ mod _rust { openssl_mod.add("_legacy_provider_loaded", false)?; } } + cfg_if::cfg_if! { + if #[cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)] { + use std::ptr; + use std::cmp::max; + + let available = std::thread::available_parallelism().map_or(0, |v| v.get() as u64); + // SAFETY: This sets a libctx provider limit, but we always use the same libctx by passing NULL. + unsafe { + let current = openssl_sys::OSSL_get_max_threads(ptr::null_mut()); + // Set the thread limit to the max of available parallelism or current limit. + openssl_sys::OSSL_set_max_threads(ptr::null_mut(), max(available, current)); + } + } + } Ok(()) } diff --git a/tests/hazmat/primitives/test_argon2.py b/tests/hazmat/primitives/test_argon2.py new file mode 100644 index 000000000000..7ea79d8b9359 --- /dev/null +++ b/tests/hazmat/primitives/test_argon2.py 
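Review bot: `Argon2id::new` validates only lower bounds (salt of at least 8 bytes, `length >= 4`, `iterations >= 1`, `lanes >= 1`, `memory_cost >= 8 * lanes`), so `length`, `iterations` and `memory_cost` reach `derive` with no ceiling from this code. OpenSSL may apply limits of its own, but `derive` allocates the `length`-byte output before calling it, and a service that reads cost parameters from stored or remote data would want to cap them before constructing the object. I would state that in a doc comment on `new`, e.g. `/// Only minimum values are checked here; callers that take parameters from untrusted input must cap length, iterations and memory_cost themselves.` Separately, the FIPS branch reuses the message "This version of OpenSSL does not support argon2id", which misstates why construction was refused; a message naming FIPS mode would be easier to diagnose.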
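Review bot: The result of `openssl_sys::OSSL_set_max_threads` is discarded, so if the call fails (OpenSSL documents a 0 return, for instance when thread-pool support is not built in) module initialisation carries on and nothing records it. Either check the return value or extend the comment to say the failure is deliberately ignored, e.g. `// Best effort: on failure the existing thread limit stays in place.` The call also changes the limit on the default library context at import time, and that context is shared by anything else in the process using the same libcrypto. A sentence in the SAFETY comment noting this would make the side effect visible. The enclosing init function starts outside the hunk.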
@@ -0,0 +1,160 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + + +import binascii +import os + +import pytest + +from cryptography.exceptions import AlreadyFinalized, InvalidKey +from cryptography.hazmat.primitives.kdf.argon2 import Argon2id +from tests.utils import ( + load_nist_vectors, + load_vectors_from_file, + raises_unsupported_algorithm, +) + +vectors = load_vectors_from_file( + os.path.join("KDF", "argon2id.txt"), load_nist_vectors +) + + +@pytest.mark.supported( + only_if=lambda backend: not backend.argon2_supported(), + skip_message="Supports argon2 so can't test unsupported path", +) +def test_unsupported_backend(backend): + with raises_unsupported_algorithm(None): + Argon2id( + salt=b"salt" * 2, length=32, iterations=1, lanes=1, memory_cost=32 + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.argon2_supported(), + skip_message="Argon2id not supported by this version of OpenSSL", +) +class TestArgon2id: + @pytest.mark.parametrize("params", vectors) + def test_derive(self, params, backend): + salt = binascii.unhexlify(params["salt"]) + ad = binascii.unhexlify(params["ad"]) if "ad" in params else None + secret = ( + binascii.unhexlify(params["secret"]) + if "secret" in params + else None + ) + length = int(params["length"]) + iterations = int(params["iter"]) + lanes = int(params["lanes"]) + memory_cost = int(params["memcost"]) + password = binascii.unhexlify(params["pass"]) + derived_key = params["output"].lower() + + argon2id = Argon2id( + salt=salt, + length=length, + iterations=iterations, + lanes=lanes, + memory_cost=memory_cost, + ad=ad, + secret=secret, + ) + assert binascii.hexlify(argon2id.derive(password)) == derived_key + + def test_invalid_types(self, backend): + with pytest.raises(TypeError): + Argon2id( + salt="notbytes", # type: ignore[arg-type] + length=32, + iterations=1, + lanes=1, + 
memory_cost=32, + ad=None, + secret=None, + ) + + with pytest.raises(TypeError): + Argon2id( + salt=b"b" * 8, + length=32, + iterations=1, + lanes=1, + memory_cost=32, + ad="string", # type: ignore[arg-type] + secret=None, + ) + + with pytest.raises(TypeError): + Argon2id( + salt=b"b" * 8, + length=32, + iterations=1, + lanes=1, + memory_cost=32, + ad=None, + secret="string", # type: ignore[arg-type] + ) + + @pytest.mark.parametrize( + "params", + [ + (b"b" * 7, 3, 1, 1, 32), # salt < 8 + (b"b" * 8, 3, 1, 1, 32), # length < 4 + (b"b" * 8, 32, 0, 1, 32), # iterations < 1 + (b"b" * 8, 32, 1, 0, 32), # lanes < 1 + (b"b" * 8, 32, 1, 1, 7), # memory_cost < 8 * lanes + (b"b" * 8, 32, 1, 32, 200), # memory_cost < 8 * lanes + ], + ) + def test_invalid_values(self, params, backend): + (salt, length, iterations, lanes, memory_cost) = params + with pytest.raises(ValueError): + Argon2id( + salt=salt, + length=length, + iterations=iterations, + lanes=lanes, + memory_cost=memory_cost, + ) + + def test_already_finalized(self, backend): + argon2id = Argon2id( + salt=b"salt" * 2, length=32, iterations=1, lanes=1, memory_cost=32 + ) + argon2id.derive(b"password") + with pytest.raises(AlreadyFinalized): + argon2id.derive(b"password") + + def test_already_finalized_verify(self, backend): + argon2id = Argon2id( + salt=b"salt" * 2, length=32, iterations=1, lanes=1, memory_cost=32 + ) + digest = argon2id.derive(b"password") + with pytest.raises(AlreadyFinalized): + argon2id.verify(b"password", digest) + + @pytest.mark.parametrize("digest", [b"invalidkey", b"0" * 32]) + def test_invalid_verify(self, digest, backend): + argon2id = Argon2id( + salt=b"salt" * 2, length=32, iterations=1, lanes=1, memory_cost=32 + ) + with pytest.raises(InvalidKey): + argon2id.verify(b"password", digest) + + def test_verify(self, backend): + argon2id = Argon2id( + salt=b"salt" * 2, + length=32, + iterations=1, + lanes=1, + memory_cost=32, + ad=None, + secret=None, + ) + digest = argon2id.derive(b"password") + 
Argon2id( + salt=b"salt" * 2, length=32, iterations=1, lanes=1, memory_cost=32 + ).verify(b"password", digest) From 577f92a850300d7200e5662b2721363bbb7571ed Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Nov 2024 16:56:13 -0500 Subject: [PATCH 1361/1462] Bump tomli from 2.0.2 to 2.1.0 in /.github/requirements (#11937) Bumps [tomli](https://github.com/hukkin/tomli) from 2.0.2 to 2.1.0. - [Changelog](https://github.com/hukkin/tomli/blob/master/CHANGELOG.md) - [Commits](https://github.com/hukkin/tomli/compare/2.0.2...2.1.0) --- updated-dependencies: - dependency-name: tomli dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index b5ec43d88b3b..4845dd9d3a8a 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -96,9 +96,9 @@ pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc # via cffi -tomli==2.0.2 \ - --hash=sha256:2ebe24485c53d303f690b0ec092806a085f07af5a5aa1464f3931eec36caaa38 \ - --hash=sha256:d46d457a85337051c36524bc5349dd91b1877838e2979ac5ced3e710ed8a60ed +tomli==2.1.0 \ + --hash=sha256:3f646cae2aec94e17d04973e4249548320197cfabdf130015d023de4b74d8ab8 \ + --hash=sha256:a5c57c3d1c56f5ccdf89f6523458f60ef716e210fc47c4cfb188c5ba473e0391 # via maturin # The following packages are considered to be unsafe in a requirements file: From 7f7d191e2debbf9f061381bafef98b26bfe379c2 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 11 Nov 2024 19:20:50 -0500 Subject: [PATCH 1362/1462] Bump BoringSSL and/or OpenSSL in CI (#11938) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3fb5a7bf6afc..8165abb6ec58 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 09, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "571c76e919c0c48219ced35bef83e1fc83b00eed"}} + # Latest commit on the BoringSSL master branch, as of Nov 12, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d2529067e4a9ec21872b18156646080b3c1fda46"}} # Latest commit on the OpenSSL master branch, as of Nov 10, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "012353bdf21b98def920ac317b94c4a9ed501b79"}} # Builds with various Rust versions. Includes MSRV and next From 6a5cb96832088e8a0f76994f76473470c0811aae Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 12 Nov 2024 00:34:57 +0000 Subject: [PATCH 1363/1462] Bump x509-limbo and/or wycheproof in CI (#11939) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 5769e646553d..a9f7672da042 100644 --- a/.github/actions/fetch-vectors/action.yml 
+++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Nov 06, 2024. - ref: "753dc760a8413a034cf22e7ff1d527772d472528" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Nov 12, 2024. + ref: "61b7116dbc4da30cceee56c7905a9a322f31b9e4" # x509-limbo-ref From 7c5c7f2fb7e92c28e8e8e03b60b4c5a2a605273e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Nov 2024 07:03:42 -0500 Subject: [PATCH 1364/1462] Bump cc from 1.1.37 to 1.2.0 (#11940) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.37 to 1.2.0. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.37...cc-v1.2.0) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index dd3efc431b63..f35d9a55b240 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.37" +version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "40545c26d092346d8a8dab71ee48e7685a7a9cba76e634790c215b41a4a7b4cf" +checksum = "1aeb932158bd710538c73702db6945cb68a8fb08c519e6e12706b94263b36db8" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 7deee5897926..35a681369d31 100644 --- a/src/rust/cryptography-cffi/Cargo.toml 
+++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,7 +11,7 @@ pyo3 = { version = "0.22.6", features = ["abi3"] } openssl-sys = "0.9.104" [build-dependencies] -cc = "1.1.37" +cc = "1.2.0" [lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(python_implementation, values("CPython", "PyPy"))'] } From 1bafc2607f6c814033f1e6be363dbfdb069fd6cf Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 12 Nov 2024 16:42:53 -0800 Subject: [PATCH 1365/1462] Update aws-encryption-sdk.sh (#11942) --- .github/downstream.d/aws-encryption-sdk.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/downstream.d/aws-encryption-sdk.sh b/.github/downstream.d/aws-encryption-sdk.sh index 4992282cbaad..27cb8aa1edb3 100755 --- a/.github/downstream.d/aws-encryption-sdk.sh +++ b/.github/downstream.d/aws-encryption-sdk.sh @@ -10,7 +10,7 @@ case "${1}" in ;; run) cd aws-encryption-sdk-python - pytest -m local test/ + pytest -m local test/ --ignore test/mpl/ ;; *) exit 1 From f7b4469dfdbd307f88f3cb1f457ec8cc7fc861d7 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 13 Nov 2024 00:51:15 +0000 Subject: [PATCH 1366/1462] Bump x509-limbo and/or wycheproof in CI (#11943) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index a9f7672da042..4688a928f8c4 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Nov 12, 2024. - ref: "61b7116dbc4da30cceee56c7905a9a322f31b9e4" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Nov 13, 2024. + ref: "b2521cdc61d11e290e398e7bb549992662e391b8" # x509-limbo-ref 
From 87aceb2ff879fd08f6ef22485d9ac5c14144df35 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 13 Nov 2024 00:52:11 +0000 Subject: [PATCH 1367/1462] Bump BoringSSL and/or OpenSSL in CI (#11941) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8165abb6ec58..379d5b454f42 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 12, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d2529067e4a9ec21872b18156646080b3c1fda46"}} - # Latest commit on the OpenSSL master branch, as of Nov 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "012353bdf21b98def920ac317b94c4a9ed501b79"}} + # Latest commit on the BoringSSL master branch, as of Nov 13, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "eca12891ed873dc183624f28e4e5442e7bc2f4a2"}} + # Latest commit on the OpenSSL master branch, as of Nov 13, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ba6f115ccfbb63fbeb2bc8df3c07918a7a59a186"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 18e44150b02a6ccf8a3dbaf9b6860df74427fa39 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Nov 2024 12:05:01 +0000 Subject: [PATCH 1368/1462] Bump sphinx-rtd-theme from 3.0.1 to 3.0.2 (#11945) Bumps [sphinx-rtd-theme](https://github.com/readthedocs/sphinx_rtd_theme) from 3.0.1 to 3.0.2. - [Changelog](https://github.com/readthedocs/sphinx_rtd_theme/blob/master/docs/changelog.rst) - [Commits](https://github.com/readthedocs/sphinx_rtd_theme/compare/3.0.1...3.0.2) --- updated-dependencies: - dependency-name: sphinx-rtd-theme dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6a85f7fe65df..20f54708ad0e 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -230,7 +230,7 @@ sphinx==8.1.3 ; python_full_version >= '3.10' # sphinx-rtd-theme # sphinxcontrib-jquery # sphinxcontrib-spelling -sphinx-rtd-theme==3.0.1 ; python_full_version >= '3.8' +sphinx-rtd-theme==3.0.2 ; python_full_version >= '3.8' # via cryptography (pyproject.toml) sphinxcontrib-applehelp==1.0.2 ; python_full_version < '3.8' # via sphinx From 78c621342c4d3d3aea242e6b11fade954c82ee9f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 13 Nov 2024 16:30:09 -0800 Subject: [PATCH 1369/1462] Bump BoringSSL and/or OpenSSL in CI (#11948) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 379d5b454f42..6baf7b982744 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 13, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "eca12891ed873dc183624f28e4e5442e7bc2f4a2"}} - # Latest commit on the OpenSSL master branch, as of Nov 13, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ba6f115ccfbb63fbeb2bc8df3c07918a7a59a186"}} + # Latest commit on the BoringSSL master branch, as of Nov 14, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "61725eafad52eab7063cca7ae3ca763d2b147583"}} + # Latest commit on the OpenSSL master branch, as of Nov 14, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "eaf4da97c9b9c09a407b9f1a47ad7dd99c05884c"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 4ead63a0102147614f5787a9fcebd26e21c1b9a5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 14 Nov 2024 08:13:53 -0500 Subject: [PATCH 1370/1462] Bump cc from 1.2.0 to 1.2.1 (#11949) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.2.0 to 1.2.1. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.2.0...cc-v1.2.1) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index f35d9a55b240..2300c890fd69 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.2.0" +version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1aeb932158bd710538c73702db6945cb68a8fb08c519e6e12706b94263b36db8" +checksum = "fd9de9f2205d5ef3fd67e685b0df337994ddd4495e2a28d185500d0e1edfea47" dependencies = [ "shlex", ] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 35a681369d31..cfa6600ffee0 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,7 +11,7 @@ pyo3 = { version = "0.22.6", features = ["abi3"] } openssl-sys = "0.9.104" [build-dependencies] -cc = "1.2.0" +cc = "1.2.1" [lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(python_implementation, values("CPython", "PyPy"))'] } From 2eab3f3ebaed0effb648e201db1463f0384d4b94 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 14 Nov 2024 15:29:06 -0500 Subject: [PATCH 1371/1462] Use workspace dep for pyo3 (#11951) --- Cargo.toml | 1 + src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-keepalive/Cargo.toml | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 48bc40cff5c5..818c97fb5a2d 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -20,6 +20,7 @@ rust-version = "1.65.0" [workspace.dependencies] asn1 = { version = "0.18.0", default-features = false } +pyo3 = { version = "0.22.6", features = ["abi3"] } [profile.release] overflow-checks = true 
diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index e6f1af8ae696..9eb165a96f14 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -9,7 +9,7 @@ rust-version.workspace = true [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.22.6", features = ["abi3"] } +pyo3.workspace = true asn1.workspace = true cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index cfa6600ffee0..9408de8b4415 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -7,7 +7,7 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.6", features = ["abi3"] } +pyo3.workspace = true openssl-sys = "0.9.104" [build-dependencies] diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml index 8e27bd18b055..baf8d9342119 100644 --- a/src/rust/cryptography-keepalive/Cargo.toml +++ b/src/rust/cryptography-keepalive/Cargo.toml @@ -7,4 +7,4 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.6", features = ["abi3"] } +pyo3.workspace = true From 8209d63ae70a3ba003a7092cfd235778a5a92728 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 14 Nov 2024 17:16:43 -0500 Subject: [PATCH 1372/1462] fixes #11944 -- don't panic on attributes with no values (#11947) --- docs/development/test-vectors.rst | 2 ++ src/rust/cryptography-x509/src/csr.rs | 2 +- tests/x509/test_x509.py | 8 ++++++++ .../x509/requests/zero-element-attribute.pem | 16 ++++++++++++++++ 4 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 vectors/cryptography_vectors/x509/requests/zero-element-attribute.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 3b4adc939528..3b0b085cbb8f 100644 --- a/docs/development/test-vectors.rst 
+++ b/docs/development/test-vectors.rst @@ -612,6 +612,8 @@ Custom X.509 Request Vectors invalid. * ``long-form-attribute.pem`` - A certificate signing request containing an attribute whose value's tag is encoded in the long form. +* ``zero-element-attribute.pem`` - A certificate signing request containing an + attribute whose value has zero elements. Custom X.509 Certificate Revocation List Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/src/rust/cryptography-x509/src/csr.rs b/src/rust/cryptography-x509/src/csr.rs index 790134bacce0..95745db9380e 100644 --- a/src/rust/cryptography-x509/src/csr.rs +++ b/src/rust/cryptography-x509/src/csr.rs @@ -44,7 +44,7 @@ impl CertificationRequestInfo<'_> { pub fn check_attribute_length<'a>( values: asn1::SetOf<'a, asn1::Tlv<'a>>, ) -> Result<(), asn1::ParseError> { - if values.count() > 1 { + if values.count() != 1 { // TODO: We should raise a more specific error here // Only single-valued attributes are supported Err(asn1::ParseError::new(asn1::ParseErrorKind::InvalidValue)) diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 684ef2f4a343..39f4997ad61c 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -6825,6 +6825,14 @@ def test_no_attributes(self, backend): ) assert len(request.attributes) == 0 + def test_zero_element_attribute(self): + request = _load_cert( + os.path.join("x509", "requests", "zero-element-attribute.pem"), + x509.load_pem_x509_csr, + ) + with pytest.raises(ValueError, match="Only single-valued"): + request.attributes + def test_load_pem_x509_certificates(): with pytest.raises(ValueError): diff --git a/vectors/cryptography_vectors/x509/requests/zero-element-attribute.pem b/vectors/cryptography_vectors/x509/requests/zero-element-attribute.pem new file mode 100644 index 000000000000..df380fab6e38 --- /dev/null +++ b/vectors/cryptography_vectors/x509/requests/zero-element-attribute.pem 
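Review bot: The comment kept under the new `values.count() != 1` test in `check_attribute_length` (src/rust/cryptography-x509/src/csr.rs) still reads `// Only single-valued attributes are supported`, which no longer describes the empty-SET case this commit starts rejecting. I would reword it to `// Exactly one value is required: an empty SET and a multi-valued SET are both rejected` and put the same sentence in a `///` line on the function. Judging by the commit title, code that reads the first value of an attribute relies on this check to avoid panicking on an untrusted CSR; that consumer is not visible in this hunk. Both rejected cases return the same `ParseErrorKind::InvalidValue`, so the existing TODO about a more specific error now covers two distinct conditions. The function body ends outside the hunk.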
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICgDCCAWgCAQAwLDEQMA4GCSqGSIb3DQEJARYBLzEYMBYGA1UEAwwPbWl0ZWwu +YmxvbmF5LmNoMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA765FwcoI +JtKM566SSLXtz85h1ejx3G+efgG2OSiFIcZzPHQnuUPJ5ONL16VedcWi+8OB2Rbx +KWLf8DH3YK9CAxYeMX/eAay4MCbl9AROiDVhyhHL1DU3pUH4MkVKdwPhZiW1b7gM +W0DcY6iAuhLsftz5J/uyjGztfNRciErBZeNCh34fZcls4Iddkh0A6mz7KT4PmfNt +Ywo6+5sG4G0TZPlmXM803soWqfWCX/8FnzXd9ch1oApLE9zfxOlvWM7YBwyGCzZd +92PfX6D6sbMNmQxoZzT4LXeM4wZ11Jv9PHaGIDV/ub/1/7W0hYWnTHvvJRm9Tiyv +5JCH9/VpGhjIGQIDAQABoA8wDQYJKoZIhvcNAQkOMQAwDQYJKoZIhvcNAQELBQAD +ggEBAA9i4mqUrcakDp4YmjwQXaYQhSzxQZjk8xveHLRcyx4Cg8FAE5iUW8s1S+1f +pODlPrsdmZzRq3o+ZEkZNTM63kaXjDQEzlihlQ2yAScKAV22934pLyrMLn3mo5lO +oYgfSCHgYQE3YpNe8a2UFgWU5dhDbucCqbUO/AnBNTcBHpGHyvijbOBJn1cheLjZ +I7jbylyJBjyRgDiG3QNsgc/Iw58ys3DNCTsG0ghAwOh1g1u0LnZJKll1IWuK/HHI +D8d1ZsJic8ok8BkC/qGsrgQmoJpOP1Fu087svKcUbFT9T8UXzPigL1wEaxRPwkI8 +ECT4bDqrtBADIblEpqq4rNp4QoA= +-----END CERTIFICATE REQUEST----- From d6ea63bb7183ec5e6d520eeb01844ffbe0d30510 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 15 Nov 2024 00:20:19 +0000 Subject: [PATCH 1373/1462] Bump BoringSSL and/or OpenSSL in CI (#11952) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6baf7b982744..465224bfaf85 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 14, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "61725eafad52eab7063cca7ae3ca763d2b147583"}} + # Latest commit on the BoringSSL master branch, as of Nov 15, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c691779ed0e98b36eff7ad945a738c402f127122"}} # Latest commit on the OpenSSL master branch, as of Nov 14, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "eaf4da97c9b9c09a407b9f1a47ad7dd99c05884c"}} # Builds with various Rust versions. Includes MSRV and next From 4adb1f52552ca4ccae0755320de82d91c7393c42 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Nov 2024 11:59:12 +0000 Subject: [PATCH 1374/1462] Bump coverage from 7.6.1 to 7.6.5 (#11956) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.6.1 to 7.6.5. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.6.1...7.6.5) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 20f54708ad0e..19ff7d7cf134 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -45,7 +45,7 @@ coverage==7.2.7 ; python_full_version < '3.8' # via pytest-cov coverage==7.6.1 ; python_full_version == '3.8.*' # via pytest-cov -coverage==7.6.4 ; python_full_version >= '3.9' +coverage==7.6.5 ; python_full_version >= '3.9' # via pytest-cov distlib==0.3.9 # via virtualenv From 9c154996513b03f85c35de9532598ce6a16b2e14 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Nov 2024 11:59:26 +0000 Subject: [PATCH 1375/1462] Bump ruff from 0.7.3 to 0.7.4 (#11957) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.7.3 to 0.7.4. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.7.3...0.7.4) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 19ff7d7cf134..b2724a96cb12 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -202,7 +202,7 @@ requests==2.31.0 ; python_full_version < '3.8' # via sphinx requests==2.32.3 ; python_full_version >= '3.8' # via sphinx -ruff==0.7.3 +ruff==0.7.4 # via cryptography (pyproject.toml) six==1.16.0 ; python_full_version < '3.8' # via bleach From bf6859f7a6710f25ba6346d274b13f7cf7eabe59 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Nov 2024 12:03:17 +0000 Subject: [PATCH 1376/1462] Bump uv from 0.5.1 to 0.5.2 (#11958) Bumps [uv](https://github.com/astral-sh/uv) from 0.5.1 to 0.5.2. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.5.1...0.5.2) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b2724a96cb12..53d48e1f9f8e 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -292,7 +292,7 @@ urllib3==2.0.7 ; python_full_version < '3.8' # via requests urllib3==2.2.3 ; python_full_version >= '3.8' # via requests -uv==0.5.1 ; python_full_version >= '3.8' +uv==0.5.2 ; python_full_version >= '3.8' # via nox virtualenv==20.26.6 ; python_full_version < '3.8' # via nox From 74e4b1247f17a2f22f349bc9de203fe12e581761 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Nov 2024 12:14:59 +0000 Subject: [PATCH 1377/1462] Bump uv from 0.5.1 to 0.5.2 in /.github/requirements (#11959) Bumps [uv](https://github.com/astral-sh/uv) from 0.5.1 to 0.5.2. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.5.1...0.5.2) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 0e4eccac27b7..87ee2798cc15 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.5.1 \ - --hash=sha256:01c40f756e9536c05fdf3485c1dfe3da610c3169195bbe20fab03a4c4b7a0d98 \ - --hash=sha256:3db7513c804fb89dcde671ba917cc486cfb574408d6257e19b19ae6b55f5982f \ - --hash=sha256:3ffb230be0f6552576da67a2737a32a6a640e4b3f42144088222a669802d7f10 \ - --hash=sha256:4601d40b0c02aff9fb791efa5b6f4c7dbad0970e13ac679aa8fb07365f331354 \ - --hash=sha256:4d1ec4a1bc19b523a84fc1bf2a92e9c4d982c831d3da450af71fc3057999d456 \ - --hash=sha256:6a76765c3cc49268f3c6773bd89a0dacf8a91b040fc3faea6c527ef6f2308eba \ - --hash=sha256:6ec61220d883751777cbabf0b076607cfbdeb812bc52c28722e897271461e589 \ - --hash=sha256:72b54a3308e13a81aa2df19baea40611fc344c7556f75d2113f9b9b5a894355e \ - --hash=sha256:73853b98bce9e118cda2d64360ddd7e0f79e237aca8cd2f28b6d5679400b239e \ - --hash=sha256:821b6a9d591d3e951fbe81c53d32499d11500100d66b1c119e183f3d4a6cd07c \ - --hash=sha256:8dce5b6d6dea41db71fe8d9895167cc5abf3e7b28c016174b1b9a9aecb74d483 \ - --hash=sha256:922685dcaa1c9b6663649b379f9bdbe5b87af230f512e69398efc51bd9d8b8eb \ - --hash=sha256:93f0a02ea9149f4e7e359ef92da6f221da2ecf458cda2af729a1f6fa8c3ed1d2 \ - --hash=sha256:aaa63053ff6dc4456e2ac2a9b6a8eda0cfaa1e0f861633d9e7315c7df9a0a525 \ - --hash=sha256:ac3fce68002e79f3c070f3e7d914e992f205f05af00bfffbe6c44d37aa39c86a \ - --hash=sha256:ad2dd8a994a8334a5d4b354589be4b8c4b3b2ebb7bb2f2976c8e21d2799f45a9 \ - --hash=sha256:c4d209164448c8529e21aca4ef1e3da94303b1bf726924786feffd87ed93ab4a \ - --hash=sha256:f66859e67d10ffff8b17c67c7ede207d67487cef20c3d17bc427b690f9dff795 +uv==0.5.2 \ + --hash=sha256:15c7ffa08ae21abd221dbdf9ba25c8969235f587cec6df8035552434e5ca1cc5 \ + --hash=sha256:2597e91be45b3f4458d0d16a5a1cda7e93af7d6dbfddf251aae5377f9187fa88 \ + --hash=sha256:27d666da8fbb0f87d9df67abf9feea0da4ee1336730f2c4be29a11f3feaa0a29 \ + --hash=sha256:374e9498e155fcaa8728a6770b84f03781106d705332f4ec059e1cc93c8f4d8a \ + 
--hash=sha256:5052758d374dd769efd0c70b4789ffb08439567eb114ad8fe728536bb5cc5299 \ + --hash=sha256:675ca34829ceca3e9de395cf05e8f881334a24488f97dd923c463830270d52a7 \ + --hash=sha256:67776d34cba359c63919c5ad50331171261d2ec7a83fd07f032eb8cc22e22b8e \ + --hash=sha256:71467545d51883d1af7094c8f6da69b55e7d49b742c2dc707d644676dcb66515 \ + --hash=sha256:772b32d157ec8f27c0099ecac94cf5cd298bce72f1a1f512205591de4e9f0c5c \ + --hash=sha256:7bde66f13571e437fd45f32f5742ab53d5e011b4edb1c74cb74cb8b1cbb828b5 \ + --hash=sha256:89e60ad9601f35f187326de84f35e7517c6eb1438359da42ec85cfd9c1895957 \ + --hash=sha256:a4d4fdad03e6dc3e8216192b8a12bcf2c71c8b12046e755575c7f262cbb61924 \ + --hash=sha256:a8a9897dd7657258c53f41aecdbe787da99f4fc0775f19826ab65cc0a7136cbf \ + --hash=sha256:c9795b990fb0b2a18d3a8cef8822e13c6a6f438bc16d34ccf01d931c76cfd5da \ + --hash=sha256:cfba5b0070652da4174083b78852f3ab3d262ba1c8b63a4d5ae497263b02b834 \ + --hash=sha256:d0834c6b37750c045bbea80600d3ae3e95becc4db148f5c0d0bc3ec6a7924e8f \ + --hash=sha256:d1fe4e025dbb9ec5c9250bfc1231847b8487706538f94d10c769f0a54db3e0af \ + --hash=sha256:dfcd8275ff8cb59d5f26f826a44270b2fe8f38aa7188d7355c48d3e9b759d0c0 From 1701d9c904c31a532803e3df05df8569b0bde016 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Nov 2024 18:11:11 +0000 Subject: [PATCH 1378/1462] Bump coverage from 7.6.1 to 7.6.7 (#11961) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.6.1 to 7.6.7. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.6.1...7.6.7) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 53d48e1f9f8e..07d7173a4fb0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -45,7 +45,7 @@ coverage==7.2.7 ; python_full_version < '3.8' # via pytest-cov coverage==7.6.1 ; python_full_version == '3.8.*' # via pytest-cov -coverage==7.6.5 ; python_full_version >= '3.9' +coverage==7.6.7 ; python_full_version >= '3.9' # via pytest-cov distlib==0.3.9 # via virtualenv From 466eea779031a3d18e5533f42c0399100cdbb6c9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 15 Nov 2024 13:19:34 -0500 Subject: [PATCH 1379/1462] Bump tomli. For some reason dependabot isn't (#11962) --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 07d7173a4fb0..ac8fd5fd5cbf 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -269,7 +269,7 @@ tomli==2.0.1 ; python_full_version < '3.8' # mypy # nox # pytest -tomli==2.0.2 ; python_full_version >= '3.8' and python_full_version <= '3.11' +tomli==2.1.0 ; python_full_version >= '3.8' and python_full_version <= '3.11' # via # build # check-sdist From f137596eaa6b62110f7fb08ec5b26b7e7cf617e2 Mon Sep 17 00:00:00 2001 
From: Nathan Goldbaum Date: Fri, 15 Nov 2024 15:18:26 -0700 Subject: [PATCH 1380/1462] Update to pyo3-0.23 (#11954) * WIP: Update to pyo3-0.23 * update Cargo.toml * fix lifetime error * avoid unnecessary allocations constructing warning messages * point at 0.23 on crates.io * add _str_ref_to_cstr_ref helper for constructing warnings * use null-terminated strings * fix inline null typos * add cstr_from_literal macro for constructing warnings --- Cargo.lock | 20 ++-- Cargo.toml | 2 +- src/rust/src/asn1.rs | 24 ++--- src/rust/src/backend/aead.rs | 8 +- src/rust/src/backend/ciphers.rs | 26 ++++-- src/rust/src/backend/cmac.rs | 2 +- src/rust/src/backend/dh.rs | 32 +++---- src/rust/src/backend/dsa.rs | 37 ++++---- src/rust/src/backend/ec.rs | 42 ++++----- src/rust/src/backend/ed25519.rs | 6 +- src/rust/src/backend/ed448.rs | 6 +- src/rust/src/backend/hashes.rs | 7 +- src/rust/src/backend/hmac.rs | 2 +- src/rust/src/backend/kdf.rs | 46 ++++------ src/rust/src/backend/keys.rs | 113 +++++++++++++++-------- src/rust/src/backend/poly1305.rs | 4 +- src/rust/src/backend/rsa.rs | 75 +++++++-------- src/rust/src/backend/utils.rs | 37 ++++---- src/rust/src/backend/x25519.rs | 22 ++--- src/rust/src/backend/x448.rs | 22 ++--- src/rust/src/buf.rs | 2 +- src/rust/src/error.rs | 7 +- src/rust/src/oid.rs | 2 +- src/rust/src/padding.rs | 6 +- src/rust/src/pkcs12.rs | 40 ++++---- src/rust/src/pkcs7.rs | 8 +- src/rust/src/test_support.rs | 2 +- src/rust/src/types.rs | 2 +- src/rust/src/x509/certificate.rs | 152 ++++++++++++++----------------- src/rust/src/x509/common.rs | 72 ++++++++------- src/rust/src/x509/crl.rs | 48 ++++------ src/rust/src/x509/csr.rs | 28 +++--- src/rust/src/x509/extensions.rs | 43 +++++---- src/rust/src/x509/ocsp_req.rs | 8 +- src/rust/src/x509/ocsp_resp.rs | 74 +++++---------- src/rust/src/x509/sct.rs | 7 +- src/rust/src/x509/sign.rs | 2 +- src/rust/src/x509/verify.rs | 4 +- 38 files changed, 507 insertions(+), 533 deletions(-) 
diff --git a/Cargo.lock b/Cargo.lock index 2300c890fd69..65901342315f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -250,9 +250,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.22.6" +version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f402062616ab18202ae8319da13fa4279883a2b8a9d9f83f20dbade813ce1884" +checksum = "d51da03e17ef97ae4185cd606a4b316e04bb6f047d66913d6b57d4e6acfb41ec" dependencies = [ "cfg-if", "indoc", @@ -268,9 +268,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.22.6" +version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b14b5775b5ff446dd1056212d778012cbe8a0fbffd368029fd9e25b514479c38" +checksum = "455f646b3d007fb6d85cffccff9c7dfb752f24ec9fb0a04cb49537e7e9bdc2dd" dependencies = [ "once_cell", "target-lexicon", @@ -278,9 +278,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.22.6" +version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9ab5bcf04a2cdcbb50c7d6105de943f543f9ed92af55818fd17b660390fc8636" +checksum = "432fc20d4dd419f8d1dd402a659bb42e75430706b50d367cc978978778638084" dependencies = [ "libc", "pyo3-build-config", @@ -288,9 +288,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.22.6" +version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0fd24d897903a9e6d80b968368a34e1525aeb719d568dba8b3d4bfa5dc67d453" +checksum = "ae1cd532e9356f90d1be1317d8bf51873e4a9468b9305b950c20e8aef786cc16" dependencies = [ "proc-macro2", "pyo3-macros-backend", 
@@ -300,9 +300,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.22.6" +version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "36c011a03ba1e50152b4b394b479826cad97e7a21eb52df179cd91ac411cbfbe" +checksum = "975b289b3d3901442a6def73eedf8251dc1aed2cdc0a80d1c4f3998d868a97aa" dependencies = [ "heck", "proc-macro2", diff --git a/Cargo.toml b/Cargo.toml index 818c97fb5a2d..62fd139904a2 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -20,7 +20,7 @@ rust-version = "1.65.0" [workspace.dependencies] asn1 = { version = "0.18.0", default-features = false } -pyo3 = { version = "0.22.6", features = ["abi3"] } +pyo3 = { version = "0.23.0", features = ["abi3"] } [profile.release] overflow-checks = true diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 366fc69eacd6..6dd7a48ca565 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -6,7 +6,7 @@ use cryptography_x509::common::{DssSignature, SubjectPublicKeyInfo}; use pyo3::pybacked::PyBackedBytes; use pyo3::types::IntoPyDict; use pyo3::types::PyAnyMethods; -use pyo3::ToPyObject; +use pyo3::IntoPyObject; use crate::error::{CryptographyError, CryptographyResult}; use crate::types; @@ -38,7 +38,7 @@ fn parse_spki_for_data<'p>( return Err(pyo3::exceptions::PyValueError::new_err("Invalid public key encoding").into()); } - Ok(pyo3::types::PyBytes::new_bound( + Ok(pyo3::types::PyBytes::new( py, spki.subject_public_key.as_bytes(), )) @@ -48,8 +48,8 @@ pub(crate) fn big_byte_slice_to_py_int<'p>( py: pyo3::Python<'p>, v: &'_ [u8], ) -> pyo3::PyResult> { - let int_type = py.get_type_bound::(); - let kwargs = [("signed", true)].into_py_dict_bound(py); + let int_type = py.get_type::(); + let kwargs = [("signed", true)].into_py_dict(py)?; int_type.call_method(pyo3::intern!(py, "from_bytes"), (v, "big"), Some(&kwargs)) } 
@@ -64,12 +64,14 @@ fn decode_dss_signature( big_byte_slice_to_py_int(py, sig.r.as_bytes())?, big_byte_slice_to_py_int(py, sig.s.as_bytes())?, ) - .to_object(py)) + .into_pyobject(py)? + .into_any() + .unbind()) } pub(crate) fn py_uint_to_big_endian_bytes<'p>( py: pyo3::Python<'p>, - v: pyo3::Bound<'p, pyo3::types::PyLong>, + v: pyo3::Bound<'p, pyo3::types::PyInt>, ) -> pyo3::PyResult { if v.lt(0)? { return Err(pyo3::exceptions::PyValueError::new_err( @@ -96,9 +98,9 @@ pub(crate) fn encode_der_data<'p>( encoding: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { if encoding.is(&types::ENCODING_DER.get(py)?) { - Ok(pyo3::types::PyBytes::new_bound(py, &data)) + Ok(pyo3::types::PyBytes::new(py, &data)) } else if encoding.is(&types::ENCODING_PEM.get(py)?) { - Ok(pyo3::types::PyBytes::new_bound( + Ok(pyo3::types::PyBytes::new( py, &pem::encode_config( &pem::Pem::new(pem_tag, data), @@ -117,8 +119,8 @@ pub(crate) fn encode_der_data<'p>( #[pyo3::pyfunction] fn encode_dss_signature<'p>( py: pyo3::Python<'p>, - r: pyo3::Bound<'_, pyo3::types::PyLong>, - s: pyo3::Bound<'_, pyo3::types::PyLong>, + r: pyo3::Bound<'_, pyo3::types::PyInt>, + s: pyo3::Bound<'_, pyo3::types::PyInt>, ) -> CryptographyResult> { let r_bytes = py_uint_to_big_endian_bytes(py, r)?; let s_bytes = py_uint_to_big_endian_bytes(py, s)?; @@ -127,7 +129,7 @@ fn encode_dss_signature<'p>( s: asn1::BigUint::new(&s_bytes).unwrap(), }; let result = asn1::write_single(&sig)?; - Ok(pyo3::types::PyBytes::new_bound(py, &result)) + Ok(pyo3::types::PyBytes::new(py, &result)) } #[pyo3::pymodule] diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 72b986e4bc58..fc56b64d6553 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -172,7 +172,7 @@ impl EvpCipherAead { Self::process_aad(&mut ctx, aad)?; - Ok(pyo3::types::PyBytes::new_bound_with( + Ok(pyo3::types::PyBytes::new_with( py, plaintext.len() + tag_len, |b| { 
@@ -254,7 +254,7 @@ impl EvpCipherAead { Self::process_aad(&mut ctx, aad)?; - Ok(pyo3::types::PyBytes::new_bound_with( + Ok(pyo3::types::PyBytes::new_with( py, ciphertext_data.len(), |b| { @@ -399,7 +399,7 @@ impl EvpAead { assert!(aad.is_none()); b"" }; - Ok(pyo3::types::PyBytes::new_bound_with( + Ok(pyo3::types::PyBytes::new_with( py, plaintext.len() + self.tag_len, |b| { @@ -430,7 +430,7 @@ impl EvpAead { b"" }; - Ok(pyo3::types::PyBytes::new_bound_with( + Ok(pyo3::types::PyBytes::new_with( py, ciphertext.len() - self.tag_len, |b| { diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 8c90fe32e3d8..f102a8e57dfe 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs @@ -8,7 +8,7 @@ use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; use crate::types; use pyo3::types::PyAnyMethods; -use pyo3::IntoPy; +use pyo3::IntoPyObject; pub(crate) struct CipherContext { ctx: openssl::cipher_ctx::CipherCtx, @@ -160,7 +160,7 @@ impl CipherContext { ) -> CryptographyResult> { let mut buf = vec![0; data.len() + self.ctx.block_size()]; let n = self.update_into(py, data, &mut buf)?; - Ok(pyo3::types::PyBytes::new_bound(py, &buf[..n])) + Ok(pyo3::types::PyBytes::new(py, &buf[..n])) } pub(crate) fn update_into( @@ -224,7 +224,7 @@ impl CipherContext { ), )) })?; - Ok(pyo3::types::PyBytes::new_bound(py, &out_buf[..n])) + Ok(pyo3::types::PyBytes::new(py, &out_buf[..n])) } } @@ -359,7 +359,7 @@ impl PyAEADEncryptionContext { let result = ctx.finalize(py)?; // XXX: do not hard code 16 - let tag = pyo3::types::PyBytes::new_bound_with(py, 16, |t| { + let tag = pyo3::types::PyBytes::new_with(py, 16, |t| { ctx.ctx.tag(t).map_err(CryptographyError::from)?; Ok(()) })?; 
@@ -539,9 +539,14 @@ fn create_encryption_ctx( .getattr(pyo3::intern!(py, "_MAX_AAD_BYTES"))? .extract()?, } - .into_py(py)) + .into_pyobject(py)? + .into_any() + .unbind()) } else { - Ok(PyCipherContext { ctx: Some(ctx) }.into_py(py)) + Ok(PyCipherContext { ctx: Some(ctx) } + .into_pyobject(py)? + .into_any() + .unbind()) } } @@ -571,9 +576,14 @@ fn create_decryption_ctx( .getattr(pyo3::intern!(py, "_MAX_AAD_BYTES"))? .extract()?, } - .into_py(py)) + .into_pyobject(py)? + .into_any() + .unbind()) } else { - Ok(PyCipherContext { ctx: Some(ctx) }.into_py(py)) + Ok(PyCipherContext { ctx: Some(ctx) } + .into_pyobject(py)? + .into_any() + .unbind()) } } diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index fe11f7495a33..7519c1b88603 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs @@ -77,7 +77,7 @@ impl Cmac { ) -> CryptographyResult> { let data = self.get_mut_ctx()?.finish()?; self.ctx = None; - Ok(pyo3::types::PyBytes::new_bound(py, &data)) + Ok(pyo3::types::PyBytes::new(py, &data)) } fn verify(&mut self, py: pyo3::Python<'_>, signature: &[u8]) -> CryptographyResult<()> { diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index e6cdbb67c7c1..a19ab6342e90 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -149,7 +149,7 @@ impl DHPrivateKey { .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; let len = deriver.len()?; - Ok(pyo3::types::PyBytes::new_bound_with(py, len, |b| { + Ok(pyo3::types::PyBytes::new_with(py, len, |b| { let n = deriver.derive(b).unwrap(); let pad = b.len() - n; @@ -363,7 +363,7 @@ impl DHParameters { #[pyo3::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] struct DHPrivateNumbers { #[pyo3(get)] - x: pyo3::Py, + x: pyo3::Py, #[pyo3(get)] public_numbers: pyo3::Py, } 
@@ -371,7 +371,7 @@ struct DHPrivateNumbers { #[pyo3::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] struct DHPublicNumbers { #[pyo3(get)] - y: pyo3::Py, + y: pyo3::Py, #[pyo3(get)] parameter_numbers: pyo3::Py, } @@ -379,18 +379,18 @@ struct DHPublicNumbers { #[pyo3::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] struct DHParameterNumbers { #[pyo3(get)] - p: pyo3::Py, + p: pyo3::Py, #[pyo3(get)] - g: pyo3::Py, + g: pyo3::Py, #[pyo3(get)] - q: Option>, + q: Option>, } #[pyo3::pymethods] impl DHPrivateNumbers { #[new] fn new( - x: pyo3::Py, + x: pyo3::Py, public_numbers: pyo3::Py, ) -> DHPrivateNumbers { DHPrivateNumbers { x, public_numbers } @@ -428,7 +428,7 @@ impl DHPrivateNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.x.bind(py).eq(other.x.bind(py))? + Ok((**self.x.bind(py)).eq(other.x.bind(py))? && self .public_numbers .bind(py) @@ -440,7 +440,7 @@ impl DHPrivateNumbers { impl DHPublicNumbers { #[new] fn new( - y: pyo3::Py, + y: pyo3::Py, parameter_numbers: pyo3::Py, ) -> DHPublicNumbers { DHPublicNumbers { @@ -472,7 +472,7 @@ impl DHPublicNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.y.bind(py).eq(other.y.bind(py))? + Ok((**self.y.bind(py)).eq(other.y.bind(py))? && self .parameter_numbers .bind(py) @@ -486,9 +486,9 @@ impl DHParameterNumbers { #[pyo3(signature = (p, g, q=None))] fn new( py: pyo3::Python<'_>, - p: pyo3::Py, - g: pyo3::Py, - q: Option>, + p: pyo3::Py, + g: pyo3::Py, + q: Option>, ) -> CryptographyResult { if g.bind(py).lt(2)? { return Err(CryptographyError::from( 
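Review bot: The new `(**self.x.bind(py)).eq(other.x.bind(py))?` in the `impl DHPrivateNumbers` hunk of src/rust/src/backend/dh.rs has a double dereference with no explanation, and a later cleanup could easily remove it as noise. Presumably it forces `.eq()` to resolve to the Python-level rich comparison on the untyped object (the one that returns a `PyResult`) instead of a Rust-side comparison on the typed integer handle; that should be confirmed against the pyo3 0.23 API and then written down once, for example `// Deref to the untyped object so .eq() is the Python rich comparison, which can fail`. The same pattern recurs without comment in the `DHPublicNumbers` and `DHParameterNumbers` hunks of this file and in the `check_dsa_private_numbers`, `DsaPrivateNumbers`, `DsaPublicNumbers` and `DsaParameterNumbers` hunks of dsa.rs. The enclosing method starts and ends outside the hunk.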
@@ -528,12 +528,12 @@ impl DHParameterNumbers { other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { let q_equal = match (self.q.as_ref(), other.q.as_ref()) { - (Some(self_q), Some(other_q)) => self_q.bind(py).eq(other_q.bind(py))?, + (Some(self_q), Some(other_q)) => (**self_q.bind(py)).eq(other_q.bind(py))?, (None, None) => true, _ => false, }; - Ok(self.p.bind(py).eq(other.p.bind(py))? - && self.g.bind(py).eq(other.g.bind(py))? + Ok((**self.p.bind(py)).eq(other.p.bind(py))? + && (**self.g.bind(py)).eq(other.g.bind(py))? && q_equal) } } diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index c904824bb894..86ddac9c88d0 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -7,7 +7,6 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{error, exceptions}; use pyo3::types::PyAnyMethods; -use pyo3::ToPyObject; #[pyo3::pyclass( frozen, @@ -80,10 +79,10 @@ impl DsaPrivateKey { signer.sign_to_vec(data.as_bytes(), &mut sig).map_err(|e| { pyo3::exceptions::PyValueError::new_err(( "DSA signing failed. This generally indicates an invalid key.", - error::list_from_openssl_error(py, &e).to_object(py), + error::list_from_openssl_error(py, &e).unbind(), )) })?; - Ok(pyo3::types::PyBytes::new_bound(py, &sig)) + Ok(pyo3::types::PyBytes::new(py, &sig)) } #[getter] @@ -300,7 +299,7 @@ fn check_dsa_private_numbers( )); } - if numbers.public_numbers.get().y.bind(py).ne(params + if (**numbers.public_numbers.get().y.bind(py)).ne(params .g .bind(py) .pow(numbers.x.bind(py), Some(params.p.bind(py)))?)? @@ -320,7 +319,7 @@ fn check_dsa_private_numbers( )] struct DsaPrivateNumbers { #[pyo3(get)] - x: pyo3::Py, + x: pyo3::Py, #[pyo3(get)] public_numbers: pyo3::Py, } @@ -332,7 +331,7 @@ struct DsaPrivateNumbers { )] struct DsaPublicNumbers { #[pyo3(get)] - y: pyo3::Py, + y: pyo3::Py, #[pyo3(get)] parameter_numbers: pyo3::Py, } 
@@ -344,18 +343,18 @@ struct DsaPublicNumbers { )] struct DsaParameterNumbers { #[pyo3(get)] - p: pyo3::Py, + p: pyo3::Py, #[pyo3(get)] - q: pyo3::Py, + q: pyo3::Py, #[pyo3(get)] - g: pyo3::Py, + g: pyo3::Py, } #[pyo3::pymethods] impl DsaPrivateNumbers { #[new] fn new( - x: pyo3::Py, + x: pyo3::Py, public_numbers: pyo3::Py, ) -> DsaPrivateNumbers { DsaPrivateNumbers { x, public_numbers } @@ -391,7 +390,7 @@ impl DsaPrivateNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.x.bind(py).eq(other.x.bind(py))? + Ok((**self.x.bind(py)).eq(other.x.bind(py))? && self .public_numbers .bind(py) @@ -403,7 +402,7 @@ impl DsaPrivateNumbers { impl DsaPublicNumbers { #[new] fn new( - y: pyo3::Py, + y: pyo3::Py, parameter_numbers: pyo3::Py, ) -> DsaPublicNumbers { DsaPublicNumbers { @@ -440,7 +439,7 @@ impl DsaPublicNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.y.bind(py).eq(other.y.bind(py))? + Ok((**self.y.bind(py)).eq(other.y.bind(py))? && self .parameter_numbers .bind(py) @@ -460,9 +459,9 @@ impl DsaPublicNumbers { impl DsaParameterNumbers { #[new] fn new( - p: pyo3::Py, - q: pyo3::Py, - g: pyo3::Py, + p: pyo3::Py, + q: pyo3::Py, + g: pyo3::Py, ) -> DsaParameterNumbers { DsaParameterNumbers { p, q, g } } @@ -491,9 +490,9 @@ impl DsaParameterNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.p.bind(py).eq(other.p.bind(py))? - && self.q.bind(py).eq(other.q.bind(py))? - && self.g.bind(py).eq(other.g.bind(py))?) + Ok((**self.p.bind(py)).eq(other.p.bind(py))? + && (**self.q.bind(py)).eq(other.q.bind(py))? + && (**self.g.bind(py)).eq(other.g.bind(py))?) } fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 793ae48cf59c..37bfc9123dbd 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs 
@@ -10,6 +10,7 @@ use pyo3::types::{PyAnyMethods, PyDictMethods}; use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; +use crate::x509::common::cstr_from_literal; use crate::{exceptions, types}; #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ec")] @@ -34,8 +35,8 @@ fn curve_from_py_curve( if !py_curve.is_instance(&types::ELLIPTIC_CURVE.get(py)?)? { if allow_curve_class { let warning_cls = types::DEPRECATED_IN_42.get(py)?; - let warning_msg = "Curve argument must be an instance of an EllipticCurve class. Did you pass a class by mistake? This will be an exception in a future version of cryptography."; - pyo3::PyErr::warn_bound(py, &warning_cls, warning_msg, 1)?; + let message = cstr_from_literal!("Curve argument must be an instance of an EllipticCurve class. Did you pass a class by mistake? This will be an exception in a future version of cryptography"); + pyo3::PyErr::warn(py, &warning_cls, message, 1)?; } else { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err("curve must be an EllipticCurve instance"), @@ -175,7 +176,7 @@ fn generate_private_key( #[pyo3::pyfunction] fn derive_private_key( py: pyo3::Python<'_>, - py_private_value: &pyo3::Bound<'_, pyo3::types::PyLong>, + py_private_value: &pyo3::Bound<'_, pyo3::types::PyInt>, py_curve: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { let curve = curve_from_py_curve(py, py_curve.clone(), false)?; @@ -257,7 +258,7 @@ impl ECPrivateKey { .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; let len = deriver.len()?; - Ok(pyo3::types::PyBytes::new_bound_with(py, len, |b| { + Ok(pyo3::types::PyBytes::new_with(py, len, |b| { let n = deriver.derive(b).map_err(|_| { pyo3::exceptions::PyValueError::new_err("Error computing shared key.") })?; 
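Review bot: The deprecation text passed to `pyo3::PyErr::warn` in `curve_from_py_curve` (`@@ -35,8`) lost its trailing period when it was wrapped in `cstr_from_literal!`: the old string ended `...future version of cryptography.` and the new one ends `...future version of cryptography`. If that was not intended, restore the period so that anything matching on the warning text keeps working. Separately, the macro is imported from `crate::x509::common` into a backend module; a general-purpose helper like this would read better from a neutral utility module. The function body continues outside the hunk.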
@@ -314,7 +315,7 @@ impl ECPrivateKey { // will be a byte or two shorter than the maximum possible length). let mut sig = vec![]; signer.sign_to_vec(data.as_bytes(), &mut sig)?; - Ok(pyo3::types::PyBytes::new_bound(py, &sig)) + Ok(pyo3::types::PyBytes::new(py, &sig)) } fn public_key(&self, py: pyo3::Python<'_>) -> CryptographyResult { @@ -464,7 +465,7 @@ impl ECPublicKey { #[pyo3::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.ec")] struct EllipticCurvePrivateNumbers { #[pyo3(get)] - private_value: pyo3::Py, + private_value: pyo3::Py, #[pyo3(get)] public_numbers: pyo3::Py, } @@ -472,9 +473,9 @@ struct EllipticCurvePrivateNumbers { #[pyo3::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.ec")] struct EllipticCurvePublicNumbers { #[pyo3(get)] - x: pyo3::Py, + x: pyo3::Py, #[pyo3(get)] - y: pyo3::Py, + y: pyo3::Py, #[pyo3(get)] curve: pyo3::Py, } @@ -512,7 +513,7 @@ fn public_key_from_numbers( impl EllipticCurvePrivateNumbers { #[new] fn new( - private_value: pyo3::Py, + private_value: pyo3::Py, public_numbers: pyo3::Py, ) -> EllipticCurvePrivateNumbers { EllipticCurvePrivateNumbers { @@ -563,14 +564,13 @@ impl EllipticCurvePrivateNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self - .private_value - .bind(py) - .eq(other.private_value.bind(py))? - && self - .public_numbers - .bind(py) - .eq(other.public_numbers.bind(py))?) + Ok( + (**self.private_value.bind(py)).eq(other.private_value.bind(py))? + && self + .public_numbers + .bind(py) + .eq(other.public_numbers.bind(py))?, + ) } fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { @@ -586,8 +586,8 @@ impl EllipticCurvePublicNumbers { #[new] fn new( py: pyo3::Python<'_>, - x: pyo3::Py, - y: pyo3::Py, + x: pyo3::Py, + y: pyo3::Py, curve: pyo3::Py, ) -> CryptographyResult { if !curve 
@@ -628,8 +628,8 @@ impl EllipticCurvePublicNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.x.bind(py).eq(other.x.bind(py))? - && self.y.bind(py).eq(other.y.bind(py))? + Ok((**self.x.bind(py)).eq(other.x.bind(py))? + && (**self.y.bind(py)).eq(other.y.bind(py))? && self .curve .bind(py) diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index 3460640a1a53..721bac816882 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -70,7 +70,7 @@ impl Ed25519PrivateKey { ) -> CryptographyResult> { let mut signer = openssl::sign::Signer::new_without_digest(&self.pkey)?; let len = signer.len()?; - Ok(pyo3::types::PyBytes::new_bound_with(py, len, |b| { + Ok(pyo3::types::PyBytes::new_with(py, len, |b| { let n = signer .sign_oneshot(b, data.as_bytes()) .map_err(CryptographyError::from)?; @@ -94,7 +94,7 @@ impl Ed25519PrivateKey { py: pyo3::Python<'p>, ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_private_key()?; - Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) } fn private_bytes<'p>( @@ -138,7 +138,7 @@ impl Ed25519PublicKey { py: pyo3::Python<'p>, ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_public_key()?; - Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) } fn public_bytes<'p>( diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index 113819b8e53f..ba743d02c1ef 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -68,7 +68,7 @@ impl Ed448PrivateKey { ) -> CryptographyResult> { let mut signer = openssl::sign::Signer::new_without_digest(&self.pkey)?; let len = signer.len()?; - Ok(pyo3::types::PyBytes::new_bound_with(py, len, |b| { + Ok(pyo3::types::PyBytes::new_with(py, len, |b| { let n = signer .sign_oneshot(b, data.as_bytes()) .map_err(CryptographyError::from)?; 
@@ -92,7 +92,7 @@ impl Ed448PrivateKey { py: pyo3::Python<'p>, ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_private_key()?; - Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) } fn private_bytes<'p>( @@ -135,7 +135,7 @@ impl Ed448PublicKey { py: pyo3::Python<'p>, ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_public_key()?; - Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) } fn public_bytes<'p>( diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index 155ad6ec755c..09c75f336ec2 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs @@ -3,7 +3,6 @@ // for complete details. use pyo3::types::PyAnyMethods; -use pyo3::IntoPy; use std::borrow::Cow; use crate::buf::CffiBuf; @@ -93,7 +92,7 @@ impl Hash { let ctx = openssl::hash::Hasher::new(md)?; Ok(Hash { - algorithm: algorithm.clone().into_py(py), + algorithm: algorithm.clone().unbind(), ctx: Some(ctx), }) } @@ -115,7 +114,7 @@ impl Hash { let digest_size = algorithm .getattr(pyo3::intern!(py, "digest_size"))? .extract::()?; - let result = pyo3::types::PyBytes::new_bound_with(py, digest_size, |b| { + let result = pyo3::types::PyBytes::new_with(py, digest_size, |b| { ctx.finish_xof(b).unwrap(); Ok(()) })?; @@ -126,7 +125,7 @@ impl Hash { let data = self.get_mut_ctx()?.finish()?; self.ctx = None; - Ok(pyo3::types::PyBytes::new_bound(py, &data)) + Ok(pyo3::types::PyBytes::new(py, &data)) } fn copy(&self, py: pyo3::Python<'_>) -> CryptographyResult { diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs index cce3593fa782..4e2d06943377 100644 --- a/src/rust/src/backend/hmac.rs +++ b/src/rust/src/backend/hmac.rs 
@@ -83,7 +83,7 @@ impl Hmac { ) -> CryptographyResult> { let data = self.get_mut_ctx()?.finish()?; self.ctx = None; - Ok(pyo3::types::PyBytes::new_bound(py, &data)) + Ok(pyo3::types::PyBytes::new(py, &data)) } fn verify(&mut self, py: pyo3::Python<'_>, signature: &[u8]) -> CryptographyResult<()> { diff --git a/src/rust/src/backend/kdf.rs b/src/rust/src/backend/kdf.rs index 0b4bfd54ed1f..2144caf1ea9a 100644 --- a/src/rust/src/backend/kdf.rs +++ b/src/rust/src/backend/kdf.rs @@ -21,7 +21,7 @@ pub(crate) fn derive_pbkdf2_hmac<'p>( ) -> CryptographyResult> { let md = hashes::message_digest_from_algorithm(py, algorithm)?; - Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { + Ok(pyo3::types::PyBytes::new_with(py, length, |b| { openssl::pkcs5::pbkdf2_hmac(key_material.as_bytes(), salt, iterations, md, b).unwrap(); Ok(()) })?) @@ -125,11 +125,8 @@ impl Scrypt { } self.used = true; - Ok(pyo3::types::PyBytes::new_bound_with( - py, - self.length, - |b| { - openssl::pkcs5::scrypt(key_material.as_bytes(), self.salt.as_bytes(py), self.n, self.r, self.p, (usize::MAX / 2).try_into().unwrap(), b).map_err(|_| { + Ok(pyo3::types::PyBytes::new_with(py, self.length, |b| { + openssl::pkcs5::scrypt(key_material.as_bytes(), self.salt.as_bytes(py), self.n, self.r, self.p, (usize::MAX / 2).try_into().unwrap(), b).map_err(|_| { // memory required formula explained here: // https://blog.filippo.io/the-scrypt-parameters/ let min_memory = 128 * self.n * self.r / (1024 * 1024); @@ -137,8 +134,7 @@ impl Scrypt { "Not enough memory to derive key. These parameters require {min_memory}MB of memory." )) }) - }, - )?) + })?) } #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] 
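Review bot: In the `Scrypt` derive hunk (`@@ -125,11`), the error path computes `128 * self.n * self.r / (1024 * 1024)` with unchecked multiplication, and that path runs precisely when the cost parameters are large. The field types are not visible in the hunk, but if they are fixed-width integers the product can overflow, which panics in a build with overflow checks and otherwise reports a wrong figure. Assuming `n` and `r` are `u64`, `let min_memory = 128u64.saturating_mul(self.n).saturating_mul(self.r) / (1024 * 1024);` keeps the message sane. The `map_err(|_| ...)` around `openssl::pkcs5::scrypt` also reports every failure as a memory shortage, so a one-line comment saying that this is intentional would help.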
@@ -286,25 +282,21 @@ impl Argon2id { return Err(exceptions::already_finalized_error()); } self.used = true; - Ok(pyo3::types::PyBytes::new_bound_with( - py, - self.length, - |b| { - openssl::kdf::argon2id( - None, - key_material.as_bytes(), - self.salt.as_bytes(py), - self.ad.as_ref().map(|ad| ad.as_bytes(py)), - self.secret.as_ref().map(|secret| secret.as_bytes(py)), - self.iterations, - self.lanes, - self.memory_cost, - b, - ) - .map_err(CryptographyError::from)?; - Ok(()) - }, - )?) + Ok(pyo3::types::PyBytes::new_with(py, self.length, |b| { + openssl::kdf::argon2id( + None, + key_material.as_bytes(), + self.salt.as_bytes(py), + self.ad.as_ref().map(|ad| ad.as_bytes(py)), + self.secret.as_ref().map(|secret| secret.as_bytes(py)), + self.iterations, + self.lanes, + self.memory_cost, + b, + ) + .map_err(CryptographyError::from)?; + Ok(()) + })?) } #[cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)] diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index c16ff8628c2c..36c84aeebb8b 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::IntoPy; +use pyo3::IntoPyObject; use crate::backend::utils; use crate::buf::CffiBuf; @@ -70,7 +70,9 @@ pub(crate) fn private_key_from_pkey( pkey, unsafe_skip_rsa_key_validation, )? - .into_py(py)), + .into_pyobject(py)? + .unbind() + .into_any()), openssl::pkey::Id::RSA_PSS => { // At the moment the way we handle RSA PSS keys is to strip the // PSS constraints from them and treat them as normal RSA keys 
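Review bot: In `private_key_from_pkey` (`@@ -70,7`), the RSA arm ends with `.into_pyobject(py)?.unbind().into_any()`, while every other arm in this file, including those in `public_key_from_pkey`, ends with `.into_pyobject(py)?.into_any().unbind()`. Both orders give the same result, but a single spelling makes the match easier to scan, so I would write `.into_any().unbind()` here as well. Since the same three-call tail is now repeated on every arm of both functions, a small private helper that takes the pyclass value and returns the unbound object would remove the repetition. The match continues in the following hunks.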
@@ -81,34 +83,50 @@ pub(crate) fn private_key_from_pkey( let pkey = openssl::pkey::PKey::from_rsa(rsa)?; Ok( crate::backend::rsa::private_key_from_pkey(&pkey, unsafe_skip_rsa_key_validation)? - .into_py(py), + .into_pyobject(py)? + .into_any() + .unbind(), ) } - openssl::pkey::Id::EC => { - Ok(crate::backend::ec::private_key_from_pkey(py, pkey)?.into_py(py)) - } - openssl::pkey::Id::X25519 => { - Ok(crate::backend::x25519::private_key_from_pkey(pkey).into_py(py)) - } + openssl::pkey::Id::EC => Ok(crate::backend::ec::private_key_from_pkey(py, pkey)? + .into_pyobject(py)? + .into_any() + .unbind()), + openssl::pkey::Id::X25519 => Ok(crate::backend::x25519::private_key_from_pkey(pkey) + .into_pyobject(py)? + .into_any() + .unbind()), #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - openssl::pkey::Id::X448 => { - Ok(crate::backend::x448::private_key_from_pkey(pkey).into_py(py)) - } + openssl::pkey::Id::X448 => Ok(crate::backend::x448::private_key_from_pkey(pkey) + .into_pyobject(py)? + .into_any() + .unbind()), - openssl::pkey::Id::ED25519 => { - Ok(crate::backend::ed25519::private_key_from_pkey(pkey).into_py(py)) - } + openssl::pkey::Id::ED25519 => Ok(crate::backend::ed25519::private_key_from_pkey(pkey) + .into_pyobject(py)? + .into_any() + .unbind()), #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - openssl::pkey::Id::ED448 => { - Ok(crate::backend::ed448::private_key_from_pkey(pkey).into_py(py)) - } - openssl::pkey::Id::DSA => Ok(crate::backend::dsa::private_key_from_pkey(pkey).into_py(py)), - openssl::pkey::Id::DH => Ok(crate::backend::dh::private_key_from_pkey(pkey).into_py(py)), + openssl::pkey::Id::ED448 => Ok(crate::backend::ed448::private_key_from_pkey(pkey) + .into_pyobject(py)? + .into_any() + .unbind()), + openssl::pkey::Id::DSA => Ok(crate::backend::dsa::private_key_from_pkey(pkey) + .into_pyobject(py)? 
+ .into_any() + .unbind()), + openssl::pkey::Id::DH => Ok(crate::backend::dh::private_key_from_pkey(pkey) + .into_pyobject(py)? + .into_any() + .unbind()), #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - openssl::pkey::Id::DHX => Ok(crate::backend::dh::private_key_from_pkey(pkey).into_py(py)), + openssl::pkey::Id::DHX => Ok(crate::backend::dh::private_key_from_pkey(pkey) + .into_pyobject(py)? + .into_any() + .unbind()), _ => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err("Unsupported key type."), )), 
@@ -190,29 +208,48 @@ fn public_key_from_pkey( // `id` is a separate argument so we can test this while passing something // unsupported. match id { - openssl::pkey::Id::RSA => Ok(crate::backend::rsa::public_key_from_pkey(pkey).into_py(py)), - openssl::pkey::Id::EC => { - Ok(crate::backend::ec::public_key_from_pkey(py, pkey)?.into_py(py)) - } - openssl::pkey::Id::X25519 => { - Ok(crate::backend::x25519::public_key_from_pkey(pkey).into_py(py)) - } + openssl::pkey::Id::RSA => Ok(crate::backend::rsa::public_key_from_pkey(pkey) + .into_pyobject(py)? + .into_any() + .unbind()), + openssl::pkey::Id::EC => Ok(crate::backend::ec::public_key_from_pkey(py, pkey)? + .into_pyobject(py)? + .into_any() + .unbind()), + openssl::pkey::Id::X25519 => Ok(crate::backend::x25519::public_key_from_pkey(pkey) + .into_pyobject(py)? + .into_any() + .unbind()), #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - openssl::pkey::Id::X448 => Ok(crate::backend::x448::public_key_from_pkey(pkey).into_py(py)), + openssl::pkey::Id::X448 => Ok(crate::backend::x448::public_key_from_pkey(pkey) + .into_pyobject(py)? + .into_any() + .unbind()), - openssl::pkey::Id::ED25519 => { - Ok(crate::backend::ed25519::public_key_from_pkey(pkey).into_py(py)) - } + openssl::pkey::Id::ED25519 => Ok(crate::backend::ed25519::public_key_from_pkey(pkey) + .into_pyobject(py)? + .into_any() + .unbind()), #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - openssl::pkey::Id::ED448 => { - Ok(crate::backend::ed448::public_key_from_pkey(pkey).into_py(py)) - } + openssl::pkey::Id::ED448 => Ok(crate::backend::ed448::public_key_from_pkey(pkey) + .into_pyobject(py)? + .into_any() + .unbind()), - openssl::pkey::Id::DSA => Ok(crate::backend::dsa::public_key_from_pkey(pkey).into_py(py)), - openssl::pkey::Id::DH => Ok(crate::backend::dh::public_key_from_pkey(pkey).into_py(py)), + openssl::pkey::Id::DSA => Ok(crate::backend::dsa::public_key_from_pkey(pkey) + .into_pyobject(py)? 
+ .into_any() + .unbind()), + openssl::pkey::Id::DH => Ok(crate::backend::dh::public_key_from_pkey(pkey) + .into_pyobject(py)? + .into_any() + .unbind()), #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - openssl::pkey::Id::DHX => Ok(crate::backend::dh::public_key_from_pkey(pkey).into_py(py)), + openssl::pkey::Id::DHX => Ok(crate::backend::dh::public_key_from_pkey(pkey) + .into_pyobject(py)? + .into_any() + .unbind()), _ => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err("Unsupported key type."), diff --git a/src/rust/src/backend/poly1305.rs b/src/rust/src/backend/poly1305.rs index d955a9a90338..9b1d8165f8dc 100644 --- a/src/rust/src/backend/poly1305.rs +++ b/src/rust/src/backend/poly1305.rs @@ -32,7 +32,7 @@ impl Poly1305Boring { &mut self, py: pyo3::Python<'p>, ) -> CryptographyResult> { - let result = pyo3::types::PyBytes::new_bound_with(py, 16usize, |b| { + let result = pyo3::types::PyBytes::new_with(py, 16usize, |b| { self.context.finalize(b.as_mut()); Ok(()) })?; @@ -78,7 +78,7 @@ impl Poly1305Open { &mut self, py: pyo3::Python<'p>, ) -> CryptographyResult> { - let result = pyo3::types::PyBytes::new_bound_with(py, self.signer.len()?, |b| { + let result = pyo3::types::PyBytes::new_with(py, self.signer.len()?, |b| { let n = self.signer.sign(b).unwrap(); assert_eq!(n, b.len()); Ok(()) diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 066b1412af92..79b385ffb73f 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs 
@@ -297,7 +297,7 @@ impl RsaPrivateKey { setup_signature_ctx(py, &mut ctx, padding, &algorithm, self.pkey.size(), true)?; let length = ctx.sign(data.as_bytes(), None)?; - Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { + Ok(pyo3::types::PyBytes::new_with(py, length, |b| { let length = ctx.sign(data.as_bytes(), Some(b)).map_err(|_| { pyo3::exceptions::PyValueError::new_err( "Digest or salt length too long for key size. Use a larger key or shorter salt length if you are specifying a PSS salt", @@ -345,7 +345,7 @@ impl RsaPrivateKey { let result = ctx.decrypt(ciphertext, Some(&mut plaintext)); let py_result = - pyo3::types::PyBytes::new_bound(py, &plaintext[..*result.as_ref().unwrap_or(&length)]); + pyo3::types::PyBytes::new(py, &plaintext[..*result.as_ref().unwrap_or(&length)]); if result.is_err() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Decryption failed"), @@ -458,7 +458,7 @@ impl RsaPublicKey { setup_encryption_ctx(py, &mut ctx, padding)?; let length = ctx.encrypt(plaintext, None)?; - Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { + Ok(pyo3::types::PyBytes::new_with(py, length, |b| { let length = ctx .encrypt(plaintext, Some(b)) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Encryption failed"))?; @@ -492,7 +492,7 @@ impl RsaPublicKey { .verify_recover(signature, Some(&mut buf)) .map_err(|_| exceptions::InvalidSignature::new_err(()))?; - Ok(pyo3::types::PyBytes::new_bound(py, &buf[..length])) + Ok(pyo3::types::PyBytes::new(py, &buf[..length])) } #[getter] @@ -537,17 +537,17 @@ impl RsaPublicKey { )] struct RsaPrivateNumbers { #[pyo3(get)] - p: pyo3::Py, + p: pyo3::Py, #[pyo3(get)] - q: pyo3::Py, + q: pyo3::Py, #[pyo3(get)] - d: pyo3::Py, + d: pyo3::Py, #[pyo3(get)] - dmp1: pyo3::Py, + dmp1: pyo3::Py, #[pyo3(get)] - dmq1: pyo3::Py, + dmq1: pyo3::Py, #[pyo3(get)] - iqmp: pyo3::Py, + iqmp: pyo3::Py, #[pyo3(get)] public_numbers: pyo3::Py, } 
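Review bot: The decrypt hunk in `RsaPrivateKey` (`@@ -345,7`) builds `py_result` from `plaintext[..*result.as_ref().unwrap_or(&length)]` before `result.is_err()` is checked, and nothing in the visible lines says why. The ordering looks deliberate, presumably so that the failure path performs the same allocation and copy as the success path and padding failures are harder to tell apart by timing; that is inferred, not shown. Unless a comment already sits above the hunk, I would add one on the `let py_result` line, for example `// Build the bytes object before checking the result so both paths do the same work; do not reorder.`. The enclosing function starts and ends outside the hunk.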
@@ -559,21 +559,21 @@ struct RsaPrivateNumbers { )] struct RsaPublicNumbers { #[pyo3(get)] - e: pyo3::Py, + e: pyo3::Py, #[pyo3(get)] - n: pyo3::Py, + n: pyo3::Py, } #[allow(clippy::too_many_arguments)] fn check_private_key_components( - p: &pyo3::Bound<'_, pyo3::types::PyLong>, - q: &pyo3::Bound<'_, pyo3::types::PyLong>, - private_exponent: &pyo3::Bound<'_, pyo3::types::PyLong>, - dmp1: &pyo3::Bound<'_, pyo3::types::PyLong>, - dmq1: &pyo3::Bound<'_, pyo3::types::PyLong>, - iqmp: &pyo3::Bound<'_, pyo3::types::PyLong>, - public_exponent: &pyo3::Bound<'_, pyo3::types::PyLong>, - modulus: &pyo3::Bound<'_, pyo3::types::PyLong>, + p: &pyo3::Bound<'_, pyo3::types::PyInt>, + q: &pyo3::Bound<'_, pyo3::types::PyInt>, + private_exponent: &pyo3::Bound<'_, pyo3::types::PyInt>, + dmp1: &pyo3::Bound<'_, pyo3::types::PyInt>, + dmq1: &pyo3::Bound<'_, pyo3::types::PyInt>, + iqmp: &pyo3::Bound<'_, pyo3::types::PyInt>, + public_exponent: &pyo3::Bound<'_, pyo3::types::PyInt>, + modulus: &pyo3::Bound<'_, pyo3::types::PyInt>, ) -> CryptographyResult<()> { if modulus.lt(3)? { return Err(CryptographyError::from( @@ -654,12 +654,12 @@ fn check_private_key_components( impl RsaPrivateNumbers { #[new] fn new( - p: pyo3::Py, - q: pyo3::Py, - d: pyo3::Py, - dmp1: pyo3::Py, - dmq1: pyo3::Py, - iqmp: pyo3::Py, + p: pyo3::Py, + q: pyo3::Py, + d: pyo3::Py, + dmp1: pyo3::Py, + dmq1: pyo3::Py, + iqmp: pyo3::Py, public_numbers: pyo3::Py, ) -> RsaPrivateNumbers { Self { 
@@ -716,12 +716,12 @@ impl RsaPrivateNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.p.bind(py).eq(other.p.bind(py))? - && self.q.bind(py).eq(other.q.bind(py))? - && self.d.bind(py).eq(other.d.bind(py))? - && self.dmp1.bind(py).eq(other.dmp1.bind(py))? - && self.dmq1.bind(py).eq(other.dmq1.bind(py))? - && self.iqmp.bind(py).eq(other.iqmp.bind(py))? + Ok((**self.p.bind(py)).eq(other.p.bind(py))? + && (**self.q.bind(py)).eq(other.q.bind(py))? + && (**self.d.bind(py)).eq(other.d.bind(py))? + && (**self.dmp1.bind(py)).eq(other.dmp1.bind(py))? + && (**self.dmq1.bind(py)).eq(other.dmq1.bind(py))? + && (**self.iqmp.bind(py)).eq(other.iqmp.bind(py))? && self .public_numbers .bind(py) @@ -742,8 +742,8 @@ impl RsaPrivateNumbers { } fn check_public_key_components( - e: &pyo3::Bound<'_, pyo3::types::PyLong>, - n: &pyo3::Bound<'_, pyo3::types::PyLong>, + e: &pyo3::Bound<'_, pyo3::types::PyInt>, + n: &pyo3::Bound<'_, pyo3::types::PyInt>, ) -> CryptographyResult<()> { if n.lt(3)? { return Err(CryptographyError::from( @@ -769,7 +769,7 @@ fn check_public_key_components( #[pyo3::pymethods] impl RsaPublicNumbers { #[new] - fn new(e: pyo3::Py, n: pyo3::Py) -> RsaPublicNumbers { + fn new(e: pyo3::Py, n: pyo3::Py) -> RsaPublicNumbers { RsaPublicNumbers { e, n } } @@ -797,7 +797,10 @@ impl RsaPublicNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.e.bind(py).eq(other.e.bind(py))? && self.n.bind(py).eq(other.n.bind(py))?) + Ok( + (**self.e.bind(py)).eq(other.e.bind(py))? + && (**self.n.bind(py)).eq(other.n.bind(py))?, + ) } fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 77b733ab2315..832fdf3542f5 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs 
@@ -6,7 +6,6 @@ use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; use crate::{error, types}; use pyo3::types::{PyAnyMethods, PyBytesMethods}; -use pyo3::ToPyObject; pub(crate) fn py_int_to_bn( py: pyo3::Python<'_>, @@ -30,7 +29,7 @@ pub(crate) fn bn_to_py_int<'p>( ) -> CryptographyResult> { assert!(!b.is_negative()); - let int_type = py.get_type_bound::(); + let int_type = py.get_type::(); Ok(int_type.call_method1( pyo3::intern!(py, "from_bytes"), (b.to_vec(), pyo3::intern!(py, "big")), @@ -87,7 +86,7 @@ pub(crate) fn pkey_private_bytes<'p>( ))); } let raw_bytes = pkey.raw_private_key()?; - return Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)); + return Ok(pyo3::types::PyBytes::new(py, &raw_bytes)); } let py_password; @@ -127,7 +126,7 @@ pub(crate) fn pkey_private_bytes<'p>( password, )? }; - return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); } else if encoding.is(&types::ENCODING_DER.get(py)?) { let der_bytes = if password.is_empty() { pkey.private_key_to_pkcs8()? @@ -137,7 +136,7 @@ pub(crate) fn pkey_private_bytes<'p>( password, )? }; - return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); } return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Unsupported encoding for PKCS8"), @@ -162,7 +161,7 @@ pub(crate) fn pkey_private_bytes<'p>( password, )? }; - return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); } else if encoding.is(&types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( 
@@ -173,7 +172,7 @@ pub(crate) fn pkey_private_bytes<'p>( } let der_bytes = rsa.private_key_to_der()?; - return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); } } else if let Ok(dsa) = pkey.dsa() { if encoding.is(&types::ENCODING_PEM.get(py)?) { @@ -185,7 +184,7 @@ pub(crate) fn pkey_private_bytes<'p>( password, )? }; - return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); } else if encoding.is(&types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( @@ -196,7 +195,7 @@ pub(crate) fn pkey_private_bytes<'p>( } let der_bytes = dsa.private_key_to_der()?; - return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); } } else if let Ok(ec) = pkey.ec_key() { if encoding.is(&types::ENCODING_PEM.get(py)?) { @@ -208,7 +207,7 @@ pub(crate) fn pkey_private_bytes<'p>( password, )? }; - return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); } else if encoding.is(&types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( @@ -219,7 +218,7 @@ pub(crate) fn pkey_private_bytes<'p>( } let der_bytes = ec.private_key_to_der()?; - return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); } } } 
@@ -283,17 +282,17 @@ pub(crate) fn pkey_public_bytes<'p>( )); } let raw_bytes = pkey.raw_public_key()?; - return Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)); + return Ok(pyo3::types::PyBytes::new(py, &raw_bytes)); } // SubjectPublicKeyInfo + PEM/DER if format.is(&types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?) { if encoding.is(&types::ENCODING_PEM.get(py)?) { let pem_bytes = pkey.public_key_to_pem()?; - return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); } else if encoding.is(&types::ENCODING_DER.get(py)?) { let der_bytes = pkey.public_key_to_der()?; - return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); } return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -319,7 +318,7 @@ pub(crate) fn pkey_public_bytes<'p>( let data = ec .public_key() .to_bytes(ec.group(), point_form, &mut bn_ctx)?; - return Ok(pyo3::types::PyBytes::new_bound(py, &data)); + return Ok(pyo3::types::PyBytes::new(py, &data)); } } @@ -327,10 +326,10 @@ pub(crate) fn pkey_public_bytes<'p>( if format.is(&types::PUBLIC_FORMAT_PKCS1.get(py)?) { if encoding.is(&types::ENCODING_PEM.get(py)?) { let pem_bytes = rsa.public_key_to_pem_pkcs1()?; - return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); } else if encoding.is(&types::ENCODING_DER.get(py)?) { let der_bytes = rsa.public_key_to_der_pkcs1()?; - return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); } return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( 
@@ -393,7 +392,7 @@ pub(crate) fn calculate_digest_and_algorithm<'p>( (algorithm.clone(), BytesOrPyBytes::PyBytes(h.finalize(py)?)) }; - if data.as_bytes().len() != algorithm.getattr("digest_size")?.extract()? { + if data.as_bytes().len() != (algorithm.getattr("digest_size")?.extract::()?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "The provided data must be the same length as the hash algorithm's digest size.", @@ -461,7 +460,7 @@ pub(crate) fn handle_key_load_result( Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err(( "Could not deserialize key data. The data may be in an incorrect format, the provided password may be incorrect, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).", - errors.to_object(py), + errors.unbind(), )) )) } diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 84f355f49787..4cc6124aefc5 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -70,17 +70,13 @@ impl X25519PrivateKey { let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; deriver.set_peer(&peer_public_key.pkey)?; - Ok(pyo3::types::PyBytes::new_bound_with( - py, - deriver.len()?, - |b| { - let n = deriver.derive(b).map_err(|_| { - pyo3::exceptions::PyValueError::new_err("Error computing shared key.") - })?; - assert_eq!(n, b.len()); - Ok(()) - }, - )?) + Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { + let n = deriver.derive(b).map_err(|_| { + pyo3::exceptions::PyValueError::new_err("Error computing shared key.") + })?; + assert_eq!(n, b.len()); + Ok(()) + })?) } fn public_key(&self) -> CryptographyResult { @@ -98,7 +94,7 @@ impl X25519PrivateKey { py: pyo3::Python<'p>, ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_private_key()?; - Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) } fn private_bytes<'p>( 
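Review bot: In `calculate_digest_and_algorithm` (`@@ -393,7`), the attribute lookup is still `algorithm.getattr("digest_size")`, while the hashes.rs hunk on this page reads the same attribute with `pyo3::intern!(py, "digest_size")`. `py` is in scope here (it is passed to `h.finalize(py)` two lines up), so `algorithm.getattr(pyo3::intern!(py, "digest_size"))?` would match the rest of the crate and avoid building a new Python string on each call. The parentheses added around the right-hand side of `!=` are not needed once the `extract` call has an explicit type.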
@@ -128,7 +124,7 @@ impl X25519PublicKey { py: pyo3::Python<'p>, ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_public_key()?; - Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) } fn public_bytes<'p>( diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 0e9aa1c99194..953302dd63d1 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -69,17 +69,13 @@ impl X448PrivateKey { let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; deriver.set_peer(&peer_public_key.pkey)?; - Ok(pyo3::types::PyBytes::new_bound_with( - py, - deriver.len()?, - |b| { - let n = deriver.derive(b).map_err(|_| { - pyo3::exceptions::PyValueError::new_err("Error computing shared key.") - })?; - assert_eq!(n, b.len()); - Ok(()) - }, - )?) + Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { + let n = deriver.derive(b).map_err(|_| { + pyo3::exceptions::PyValueError::new_err("Error computing shared key.") + })?; + assert_eq!(n, b.len()); + Ok(()) + })?) } fn public_key(&self) -> CryptographyResult { @@ -97,7 +93,7 @@ impl X448PrivateKey { py: pyo3::Python<'p>, ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_private_key()?; - Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) } fn private_bytes<'p>( @@ -127,7 +123,7 @@ impl X448PublicKey { py: pyo3::Python<'p>, ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_public_key()?; - Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) } fn public_bytes<'p>( diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index 303e5ff86fe7..e55bf12a45be 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs 
@@ -19,7 +19,7 @@ fn _extract_buffer_length<'p>( ) -> pyo3::PyResult<(pyo3::Bound<'p, pyo3::PyAny>, usize)> { let py = pyobj.py(); let bufobj = if mutable { - let kwargs = [(pyo3::intern!(py, "require_writable"), true)].into_py_dict_bound(py); + let kwargs = [(pyo3::intern!(py, "require_writable"), true)].into_py_dict(py)?; types::FFI_FROM_BUFFER .get(py)? .call((pyobj,), Some(&kwargs))? diff --git a/src/rust/src/error.rs b/src/rust/src/error.rs index 7eb989b63c6d..f0c10391ff2f 100644 --- a/src/rust/src/error.rs +++ b/src/rust/src/error.rs @@ -5,7 +5,6 @@ use std::fmt; use pyo3::types::PyListMethods; -use pyo3::ToPyObject; use crate::exceptions; @@ -87,7 +86,7 @@ pub(crate) fn list_from_openssl_error<'p>( py: pyo3::Python<'p>, error_stack: &openssl::error::ErrorStack, ) -> pyo3::Bound<'p, pyo3::types::PyList> { - let errors = pyo3::types::PyList::empty_bound(py); + let errors = pyo3::types::PyList::empty(py); for e in error_stack.errors() { errors .append( @@ -146,7 +145,7 @@ impl From for pyo3::PyErr { CryptographyError::Py(py_error) => py_error, CryptographyError::OpenSSL(ref error_stack) => pyo3::Python::with_gil(|py| { let errors = list_from_openssl_error(py, error_stack); - exceptions::InternalError::new_err((e.to_string(), errors.to_object(py))) + exceptions::InternalError::new_err((e.to_string(), errors.unbind())) }), } } @@ -211,7 +210,7 @@ impl OpenSSLError { pub(crate) fn capture_error_stack( py: pyo3::Python<'_>, ) -> pyo3::PyResult> { - let errs = pyo3::types::PyList::empty_bound(py); + let errs = pyo3::types::PyList::empty(py); for e in openssl::error::ErrorStack::get().errors() { errs.append(pyo3::Bound::new(py, OpenSSLError { e: e.clone() })?)?; } diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index fb64837b6bff..c034c3dcb601 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs 
@@ -29,7 +29,7 @@ impl ObjectIdentifier { #[getter] fn _name<'p>( - slf: pyo3::PyRef<'_, Self>, + slf: pyo3::PyRef<'p, Self>, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { types::OID_NAMES diff --git a/src/rust/src/padding.rs b/src/rust/src/padding.rs index 0031f148ea15..eb16cfaaad41 100644 --- a/src/rust/src/padding.rs +++ b/src/rust/src/padding.rs @@ -103,7 +103,7 @@ impl PKCS7PaddingContext { Some(v) => { let pad_size = self.block_size - (v % self.block_size); let pad = vec![pad_size as u8; pad_size]; - Ok(pyo3::types::PyBytes::new_bound(py, &pad)) + Ok(pyo3::types::PyBytes::new(py, &pad)) } None => Err(exceptions::already_finalized_error()), } @@ -137,7 +137,7 @@ impl PKCS7UnpaddingContext { let finished_blocks = (v.len() / self.block_size).saturating_sub(1); let result_size = finished_blocks * self.block_size; let result = v.drain(..result_size); - Ok(pyo3::types::PyBytes::new_bound(py, result.as_slice())) + Ok(pyo3::types::PyBytes::new(py, result.as_slice())) } None => Err(exceptions::already_finalized_error()), } @@ -162,7 +162,7 @@ impl PKCS7UnpaddingContext { let pad_size = *v.last().unwrap(); let result = &v[..v.len() - pad_size as usize]; - Ok(pyo3::types::PyBytes::new_bound(py, result)) + Ok(pyo3::types::PyBytes::new(py, result)) } None => Err(exceptions::already_finalized_error()), } diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index d58e339849eb..743a3cb3101b 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -10,7 +10,7 @@ use crate::x509::certificate::Certificate; use crate::{types, x509}; use cryptography_x509::common::Utf8StoredBMPString; use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods}; -use pyo3::IntoPy; +use pyo3::IntoPyObject; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; 
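Review bot: In the `PKCS7UnpaddingContext` hunk at -162, `*v.last().unwrap()` and `&v[..v.len() - pad_size as usize]` both panic unless the buffer is non-empty and `pad_size` is at most `v.len()`, and nothing inside the hunk establishes that. The function starts above the hunk, so the padding check presumably sits there. If it does, a comment on the slice line such as `// padding validated above: 1 <= pad_size <= v.len()` would keep the invariant next to the code that depends on it. The padding byte comes from the data being unpadded, so a panic here would reach Python as a `PanicException` rather than the usual `ValueError`.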
@@ -205,10 +205,10 @@ impl EncryptionAlgorithm { let triple_des = types::TRIPLE_DES .get(py)? - .call1((pyo3::types::PyBytes::new_bound(py, &key),))?; + .call1((pyo3::types::PyBytes::new(py, &key),))?; let cbc = types::CBC .get(py)? - .call1((pyo3::types::PyBytes::new_bound(py, &iv),))?; + .call1((pyo3::types::PyBytes::new(py, &iv),))?; symmetric_encrypt(py, triple_des, cbc, data) } @@ -415,7 +415,7 @@ fn decode_encryption_algorithm<'a>( if encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get(py)?)? { Ok(( - pyo3::types::PyBytes::new_bound(py, b"").extract()?, + pyo3::types::PyBytes::new(py, b"").extract()?, default_hmac_alg, default_hmac_kdf_iter, default_cipher_kdf_iter, @@ -540,7 +540,7 @@ fn serialize_key_and_certificates<'p>( } if let Some(cas) = cas { - for cert in cas.iter()? { + for cert in cas.try_iter()? { ca_certs.push(cert?.extract::()?); } @@ -715,10 +715,7 @@ fn serialize_key_and_certificates<'p>( iterations: mac_kdf_iter, }), }; - Ok(pyo3::types::PyBytes::new_bound( - py, - &asn1::write_single(&p12)?, - )) + Ok(pyo3::types::PyBytes::new(py, &asn1::write_single(&p12)?)) } fn decode_p12( @@ -767,14 +764,14 @@ fn load_key_and_certificates<'p>( py.None() }; let cert = if let Some(ossl_cert) = p12.cert { - let cert_der = pyo3::types::PyBytes::new_bound(py, &ossl_cert.to_der()?).unbind(); + let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).unbind(); Some(x509::certificate::load_der_x509_certificate( py, cert_der, None, )?) } else { None }; - let additional_certs = pyo3::types::PyList::empty_bound(py); + let additional_certs = pyo3::types::PyList::empty(py); if let Some(ossl_certs) = p12.ca { cfg_if::cfg_if! { if #[cfg(any( 
@@ -787,9 +784,9 @@ fn load_key_and_certificates<'p>( }; for ossl_cert in it { - let cert_der = pyo3::types::PyBytes::new_bound(py, &ossl_cert.to_der()?).unbind(); + let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).unbind(); let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; - additional_certs.append(cert.into_py(py))?; + additional_certs.append(cert)?; } } @@ -814,17 +811,20 @@ fn load_pkcs12<'p>( py.None() }; let cert = if let Some(ossl_cert) = p12.cert { - let cert_der = pyo3::types::PyBytes::new_bound(py, &ossl_cert.to_der()?).unbind(); + let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).unbind(); let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; let alias = ossl_cert .alias() - .map(|a| pyo3::types::PyBytes::new_bound(py, a).unbind()); + .map(|a| pyo3::types::PyBytes::new(py, a).unbind()); - PKCS12Certificate::new(pyo3::Py::new(py, cert)?, alias).into_py(py) + PKCS12Certificate::new(pyo3::Py::new(py, cert)?, alias) + .into_pyobject(py)? + .into_any() + .unbind() } else { py.None() }; - let additional_certs = pyo3::types::PyList::empty_bound(py); + let additional_certs = pyo3::types::PyList::empty(py); if let Some(ossl_certs) = p12.ca { cfg_if::cfg_if! { if #[cfg(any( @@ -837,13 +837,13 @@ fn load_pkcs12<'p>( }; for ossl_cert in it { - let cert_der = pyo3::types::PyBytes::new_bound(py, &ossl_cert.to_der()?).unbind(); + let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).unbind(); let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; let alias = ossl_cert .alias() - .map(|a| pyo3::types::PyBytes::new_bound(py, a).unbind()); + .map(|a| pyo3::types::PyBytes::new(py, a).unbind()); - let p12_cert = PKCS12Certificate::new(pyo3::Py::new(py, cert)?, alias).into_py(py); + let p12_cert = PKCS12Certificate::new(pyo3::Py::new(py, cert)?, alias); additional_certs.append(p12_cert)?; } } 
diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index f8beaf4c2453..ec328e2b0920 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -14,8 +14,6 @@ use once_cell::sync::Lazy; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use openssl::pkcs7::Pkcs7; use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods}; -#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] -use pyo3::IntoPy; use crate::asn1::encode_der_data; use crate::buf::CffiBuf; @@ -441,11 +439,11 @@ fn load_pkcs7_certificates( ), )), Some(certificates) => { - let result = pyo3::types::PyList::empty_bound(py); + let result = pyo3::types::PyList::empty(py); for c in certificates { - let cert_der = pyo3::types::PyBytes::new_bound(py, c.to_der()?.as_slice()).unbind(); + let cert_der = pyo3::types::PyBytes::new(py, c.to_der()?.as_slice()).unbind(); let cert = load_der_x509_certificate(py, cert_der, None)?; - result.append(cert.into_py(py))?; + result.append(cert)?; } Ok(result) } diff --git a/src/rust/src/test_support.rs b/src/rust/src/test_support.rs index 9b37b6c51056..524e904873df 100644 --- a/src/rust/src/test_support.rs +++ b/src/rust/src/test_support.rs @@ -144,7 +144,7 @@ fn pkcs7_decrypt<'p>( let result = p7.decrypt(&pkey_ossl, &cert_ossl, flags)?; - Ok(pyo3::types::PyBytes::new_bound(py, &result)) + Ok(pyo3::types::PyBytes::new(py, &result)) } #[pyo3::pymodule] diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index af7e4e1624ed..3c36145cf32e 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -21,7 +21,7 @@ impl LazyPyImport { pub fn get<'p>(&'p self, py: pyo3::Python<'p>) -> pyo3::PyResult> { let p = self.value.get_or_try_init(py, || { - let mut obj = py.import_bound(self.module)?.into_any(); + let mut obj = py.import(self.module)?.into_any(); for name in self.names { obj = obj.getattr(*name)?; } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 8aa2e9343405..1eb8eec4ab9d 100644 --- a/src/rust/src/x509/certificate.rs 
+++ b/src/rust/src/x509/certificate.rs @@ -18,13 +18,13 @@ use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; use cryptography_x509_verification::ops::CryptoOps; use pyo3::types::{PyAnyMethods, PyListMethods}; -use pyo3::{IntoPy, ToPyObject}; use crate::asn1::{ big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, }; use crate::backend::{hashes, keys}; use crate::error::{CryptographyError, CryptographyResult}; +use crate::x509::common::cstr_from_literal; use crate::x509::verify::PyCryptoOps; use crate::x509::{extensions, sct, sign}; use crate::{exceptions, types, x509}; @@ -143,7 +143,7 @@ impl Certificate { py: pyo3::Python<'p>, ) -> CryptographyResult> { let result = asn1::write_single(&self.raw.borrow_dependent().tbs_cert)?; - Ok(pyo3::types::PyBytes::new_bound(py, &result)) + Ok(pyo3::types::PyBytes::new(py, &result)) } #[getter] @@ -177,13 +177,13 @@ impl Certificate { tbs_precert.raw_extensions = Some(filtered_extensions); let result = asn1::write_single(&tbs_precert)?; - Ok(pyo3::types::PyBytes::new_bound(py, &result)) + Ok(pyo3::types::PyBytes::new(py, &result)) } Err(DuplicateExtensionsError(oid)) => { let oid_obj = oid_to_py_oid(py, &oid)?; Err(exceptions::DuplicateExtension::new_err(( format!("Duplicate {} extension found", &oid), - oid_obj.into_py(py), + oid_obj.unbind(), )) .into()) } @@ -192,7 +192,7 @@ impl Certificate { #[getter] fn signature<'p>(&self, py: pyo3::Python<'p>) -> pyo3::Bound<'p, pyo3::types::PyBytes> { - pyo3::types::PyBytes::new_bound(py, self.raw.borrow_dependent().signature.as_bytes()) + pyo3::types::PyBytes::new(py, self.raw.borrow_dependent().signature.as_bytes()) } #[getter] 
@@ -201,12 +201,8 @@ impl Certificate { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { let warning_cls = types::DEPRECATED_IN_42.get(py)?; - pyo3::PyErr::warn_bound( - py, - &warning_cls, - "Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_before_utc.", - 1, - )?; + let message = cstr_from_literal!("Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_before_utc."); + pyo3::PyErr::warn(py, &warning_cls, message, 1)?; let dt = &self .raw .borrow_dependent() @@ -238,12 +234,8 @@ impl Certificate { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { let warning_cls = types::DEPRECATED_IN_42.get(py)?; - pyo3::PyErr::warn_bound( - py, - &warning_cls, - "Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.", - 1, - )?; + let message = cstr_from_literal!("Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc."); + pyo3::PyErr::warn(py, &warning_cls, message, 1)?; let dt = &self .raw .borrow_dependent() @@ -382,7 +374,7 @@ pub(crate) fn load_pem_x509_certificate( )?; load_der_x509_certificate( py, - pyo3::types::PyBytes::new_bound(py, parsed.contents()).unbind(), + pyo3::types::PyBytes::new(py, parsed.contents()).unbind(), None, ) } @@ -398,7 +390,7 @@ pub(crate) fn load_pem_x509_certificates( .map(|p| { load_der_x509_certificate( py, - pyo3::types::PyBytes::new_bound(py, p.contents()).unbind(), + pyo3::types::PyBytes::new(py, p.contents()).unbind(), None, ) }) 
@@ -444,12 +436,8 @@ pub(crate) fn load_der_x509_certificate( fn warn_if_negative_serial(py: pyo3::Python<'_>, bytes: &'_ [u8]) -> pyo3::PyResult<()> { if bytes[0] & 0x80 != 0 { let warning_cls = types::DEPRECATED_IN_36.get(py)?; - pyo3::PyErr::warn_bound( - py, - &warning_cls, - "Parsed a negative serial number, which is disallowed by RFC 5280. Loading this certificate will cause an exception in the next release of cryptography.", - 1, - )?; + let message = cstr_from_literal!("Parsed a negative serial number, which is disallowed by RFC 5280. Loading this certificate will cause an exception in the next release of cryptography."); + pyo3::PyErr::warn(py, &warning_cls, message, 1)?; } Ok(()) } 
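Review bot: `bytes[0]` in `warn_if_negative_serial` panics on an empty slice, and the function itself does not rule that out. The callers are outside the hunk and likely pass the contents of a parsed ASN.1 INTEGER, which should never be empty, but the signature accepts any `&[u8]`. Writing the test as `if matches!(bytes.first(), Some(b) if b & 0x80 != 0) {` gives the same result for non-empty input and removes the panic path. If the indexing is kept, a one-line comment naming the caller-side guarantee would do.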
@@ -470,12 +458,8 @@ fn warn_if_invalid_params( // This can also be triggered by an Intel On Die certificate // https://github.com/pyca/cryptography/issues/11723 let warning_cls = types::DEPRECATED_IN_41.get(py)?; - pyo3::PyErr::warn_bound( - py, - &warning_cls, - "The parsed certificate contains a NULL parameter value in its signature algorithm parameters. This is invalid and will be rejected in a future version of cryptography. If this certificate was created via Java, please upgrade to JDK21+ or the latest JDK11/17 once a fix is issued. If this certificate was created in some other fashion please report the issue to the cryptography issue tracker. See https://github.com/pyca/cryptography/issues/8996 and https://github.com/pyca/cryptography/issues/9253 for more details.", - 2, - )?; + let message = cstr_from_literal!("The parsed certificate contains a NULL parameter value in its signature algorithm parameters. This is invalid and will be rejected in a future version of cryptography. If this certificate was created via Java, please upgrade to JDK21+ or the latest JDK11/17 once a fix is issued. If this certificate was created in some other fashion please report the issue to the cryptography issue tracker. See https://github.com/pyca/cryptography/issues/8996 and https://github.com/pyca/cryptography/issues/9253 for more details."); + pyo3::PyErr::warn(py, &warning_cls, message, 2)?; } _ => {} } 
@@ -487,33 +471,31 @@ fn parse_display_text( text: DisplayText<'_>, ) -> pyo3::PyResult { match text { - DisplayText::IA5String(o) => { - Ok(pyo3::types::PyString::new_bound(py, o.as_str()).to_object(py)) - } - DisplayText::Utf8String(o) => { - Ok(pyo3::types::PyString::new_bound(py, o.as_str()).to_object(py)) - } + DisplayText::IA5String(o) => Ok(pyo3::types::PyString::new(py, o.as_str()) + .into_any() + .unbind()), + DisplayText::Utf8String(o) => Ok(pyo3::types::PyString::new(py, o.as_str()) + .into_any() + .unbind()), DisplayText::VisibleString(o) => { if asn1::VisibleString::new(o.as_str()).is_none() { let warning_cls = types::DEPRECATED_IN_41.get(py)?; - pyo3::PyErr::warn_bound( - py, - &warning_cls, - "Invalid ASN.1 (UTF-8 characters in a VisibleString) in the explicit text and/or notice reference of the certificate policies extension. In a future version of cryptography, an exception will be raised.", - 1, - )?; + let message = cstr_from_literal!("Invalid ASN.1 (UTF-8 characters in a VisibleString) in the explicit text and/or notice reference of the certificate policies extension. In a future version of cryptography, an exception will be raised."); + pyo3::PyErr::warn(py, &warning_cls, message, 1)?; } - Ok(pyo3::types::PyString::new_bound(py, o.as_str()).to_object(py)) + Ok(pyo3::types::PyString::new(py, o.as_str()) + .into_any() + .unbind()) } DisplayText::BmpString(o) => { - let py_bytes = pyo3::types::PyBytes::new_bound(py, o.as_utf16_be_bytes()); + let py_bytes = pyo3::types::PyBytes::new(py, o.as_utf16_be_bytes()); // TODO: do the string conversion in rust perhaps Ok(py_bytes .call_method1( pyo3::intern!(py, "decode"), (pyo3::intern!(py, "utf_16_be"),), )? - .to_object(py)) + .unbind()) } } } 
@@ -529,30 +511,32 @@ fn parse_user_notice( let nr = match un.notice_ref { Some(data) => { let org = parse_display_text(py, data.organization)?; - let numbers = pyo3::types::PyList::empty_bound(py); + let numbers = pyo3::types::PyList::empty(py); for num in data.notice_numbers.unwrap_read().clone() { numbers.append(big_byte_slice_to_py_int(py, num.as_bytes())?)?; } types::NOTICE_REFERENCE .get(py)? .call1((org, numbers))? - .to_object(py) + .unbind() } None => py.None(), }; - Ok(types::USER_NOTICE.get(py)?.call1((nr, et))?.to_object(py)) + Ok(types::USER_NOTICE.get(py)?.call1((nr, et))?.unbind()) } fn parse_policy_qualifiers<'a>( py: pyo3::Python<'_>, policy_qualifiers: &asn1::SequenceOf<'a, PolicyQualifierInfo<'a>>, ) -> Result { - let py_pq = pyo3::types::PyList::empty_bound(py); + let py_pq = pyo3::types::PyList::empty(py); for pqi in policy_qualifiers.clone() { let qualifier = match pqi.qualifier { Qualifier::CpsUri(data) => { if pqi.policy_qualifier_id == oid::CP_CPS_URI_OID { - pyo3::types::PyString::new_bound(py, data.as_str()).to_object(py) + pyo3::types::PyString::new(py, data.as_str()) + .into_any() + .unbind() } else { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -574,7 +558,7 @@ fn parse_policy_qualifiers<'a>( }; py_pq.append(qualifier)?; } - Ok(py_pq.to_object(py)) + Ok(py_pq.into_any().unbind()) } fn parse_cp( @@ -582,7 +566,7 @@ fn parse_cp( ext: &Extension<'_>, ) -> Result { let cp = ext.value::>>()?; - let certificate_policies = pyo3::types::PyList::empty_bound(py); + let certificate_policies = pyo3::types::PyList::empty(py); for policyinfo in cp { let pi_oid = oid_to_py_oid(py, &policyinfo.policy_identifier)?; let py_pqis = match policyinfo.policy_qualifiers { 
@@ -596,18 +580,18 @@ fn parse_cp( .call1((pi_oid, py_pqis))?; certificate_policies.append(pi)?; } - Ok(certificate_policies.to_object(py)) + Ok(certificate_policies.into_any().unbind()) } fn parse_general_subtrees( py: pyo3::Python<'_>, subtrees: SequenceOfSubtrees<'_>, ) -> Result { - let gns = pyo3::types::PyList::empty_bound(py); + let gns = pyo3::types::PyList::empty(py); for gs in subtrees.unwrap_read().clone() { gns.append(x509::parse_general_name(py, gs.base)?)?; } - Ok(gns.to_object(py)) + Ok(gns.into_any().unbind()) } pub(crate) fn parse_distribution_point_name( @@ -642,7 +626,7 @@ fn parse_distribution_point( Ok(types::DISTRIBUTION_POINT .get(py)? .call1((full_name, relative_name, reasons, crl_issuer))? - .to_object(py)) + .unbind()) } pub(crate) fn parse_distribution_points( @@ -650,12 +634,12 @@ pub(crate) fn parse_distribution_points( ext: &Extension<'_>, ) -> Result { let dps = ext.value::>>()?; - let py_dps = pyo3::types::PyList::empty_bound(py); + let py_dps = pyo3::types::PyList::empty(py); for dp in dps { let py_dp = parse_distribution_point(py, dp)?; py_dps.append(py_dp)?; } - Ok(py_dps.to_object(py)) + Ok(py_dps.into_any().unbind()) } pub(crate) fn parse_distribution_point_reasons( @@ -672,7 +656,7 @@ pub(crate) fn parse_distribution_point_reasons( vec.push(reason_bit_mapping.get_item(i)?); } } - pyo3::types::PyFrozenSet::new_bound(py, &vec)?.to_object(py) + pyo3::types::PyFrozenSet::new(py, &vec)?.into_any().unbind() } None => py.None(), }) @@ -685,7 +669,7 @@ pub(crate) fn encode_distribution_point_reasons( let reason_flag_mapping = types::CRL_REASON_FLAGS.get(py)?; let mut bits = vec![0, 0]; - for py_reason in py_reasons.iter()? { + for py_reason in py_reasons.try_iter()? { let bit = reason_flag_mapping .get_item(py_reason?)? .extract::()?; 
@@ -704,7 +688,7 @@ pub(crate) fn parse_authority_key_identifier<'p>( ) -> Result, CryptographyError> { let aki = ext.value::>()?; let serial = match aki.authority_cert_serial_number { - Some(biguint) => big_byte_slice_to_py_int(py, biguint.as_bytes())?.to_object(py), + Some(biguint) => big_byte_slice_to_py_int(py, biguint.as_bytes())?.unbind(), None => py.None(), }; let issuer = match aki.authority_cert_issuer { @@ -720,27 +704,27 @@ pub(crate) fn parse_access_descriptions( py: pyo3::Python<'_>, ext: &Extension<'_>, ) -> Result { - let ads = pyo3::types::PyList::empty_bound(py); + let ads = pyo3::types::PyList::empty(py); let parsed = ext.value::>()?; for access in parsed.unwrap_read().clone() { - let py_oid = oid_to_py_oid(py, &access.access_method)?.to_object(py); + let py_oid = oid_to_py_oid(py, &access.access_method)?.unbind(); let gn = x509::parse_general_name(py, access.access_location)?; let ad = types::ACCESS_DESCRIPTION.get(py)?.call1((py_oid, gn))?; ads.append(ad)?; } - Ok(ads.to_object(py)) + Ok(ads.into_any().unbind()) } fn parse_naming_authority<'p>( py: pyo3::Python<'p>, - authority: NamingAuthority<'p>, + authority: NamingAuthority<'_>, ) -> CryptographyResult> { let py_id = match &authority.id { Some(data) => oid_to_py_oid(py, data)?, None => py.None().into_bound(py), }; let py_url = match authority.url { - Some(data) => pyo3::types::PyString::new_bound(py, data.as_str()).into_any(), + Some(data) => pyo3::types::PyString::new(py, data.as_str()).into_any(), None => py.None().into_bound(py), }; let py_text = match authority.text { 
@@ -753,24 +737,24 @@ fn parse_naming_authority<'p>( .call1((py_id, py_url, py_text))?) } -fn parse_profession_infos<'a>( - py: pyo3::Python<'a>, +fn parse_profession_infos<'p, 'a>( + py: pyo3::Python<'p>, profession_infos: &asn1::SequenceOf<'a, ProfessionInfo<'a>>, -) -> CryptographyResult> { - let py_infos = pyo3::types::PyList::empty_bound(py); +) -> CryptographyResult> { + let py_infos = pyo3::types::PyList::empty(py); for info in profession_infos.clone() { let py_naming_authority = match info.naming_authority { Some(data) => parse_naming_authority(py, data)?, None => py.None().into_bound(py), }; - let py_profession_items = pyo3::types::PyList::empty_bound(py); + let py_profession_items = pyo3::types::PyList::empty(py); for item in info.profession_items.unwrap_read().clone() { let py_item = parse_display_text(py, item)?; py_profession_items.append(py_item)?; } let py_profession_oids = match info.profession_oids { Some(oids) => { - let py_oids = pyo3::types::PyList::empty_bound(py); + let py_oids = pyo3::types::PyList::empty(py); for oid in oids.unwrap_read().clone() { let py_oid = oid_to_py_oid(py, &oid)?; py_oids.append(py_oid)?; @@ -780,11 +764,11 @@ fn parse_profession_infos<'a>( None => py.None().into_bound(py), }; let py_registration_number = match info.registration_number { - Some(data) => pyo3::types::PyString::new_bound(py, data.as_str()).into_any(), + Some(data) => pyo3::types::PyString::new(py, data.as_str()).into_any(), None => py.None().into_bound(py), }; let py_add_profession_info = match info.add_profession_info { - Some(data) => pyo3::types::PyBytes::new_bound(py, data).into_any(), + Some(data) => pyo3::types::PyBytes::new(py, data).into_any(), None => py.None().into_bound(py), }; let py_info = types::PROFESSION_INFO.get(py)?.call1(( 
@@ -799,11 +783,11 @@ fn parse_profession_infos<'a>( Ok(py_infos.into_any()) } -fn parse_admissions<'a>( - py: pyo3::Python<'a>, +fn parse_admissions<'p, 'a>( + py: pyo3::Python<'p>, admissions: &asn1::SequenceOf<'a, Admission<'a>>, -) -> CryptographyResult> { - let py_admissions = pyo3::types::PyList::empty_bound(py); +) -> CryptographyResult> { + let py_admissions = pyo3::types::PyList::empty(py); for admission in admissions.clone() { let py_admission_authority = match admission.admission_authority { Some(authority) => x509::parse_general_name(py, authority)?, @@ -851,7 +835,7 @@ pub fn parse_cert_ext<'p>( oid::TLS_FEATURE_OID => { let tls_feature_type_to_enum = types::TLS_FEATURE_TYPE_TO_ENUM.get(py)?; - let features = pyo3::types::PyList::empty_bound(py); + let features = pyo3::types::PyList::empty(py); for feature in ext.value::>()? { let py_feature = tls_feature_type_to_enum.get_item(feature)?; features.append(py_feature)?; @@ -867,7 +851,7 @@ pub fn parse_cert_ext<'p>( )) } oid::EXTENDED_KEY_USAGE_OID => { - let ekus = pyo3::types::PyList::empty_bound(py); + let ekus = pyo3::types::PyList::empty(py); for oid in ext.value::>()? { let oid_obj = oid_to_py_oid(py, &oid)?; ekus.append(oid_obj)?; @@ -1075,11 +1059,7 @@ pub(crate) fn create_x509_certificate( signature_alg: sigalg, signature: asn1::BitString::new(&signature, 0).unwrap(), })?; - load_der_x509_certificate( - py, - pyo3::types::PyBytes::new_bound(py, &data).unbind(), - None, - ) + load_der_x509_certificate(py, pyo3::types::PyBytes::new(py, &data).unbind(), None) } pub(crate) fn set_bit(vals: &mut [u8], n: usize, set: bool) { diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index cdb53a7b6553..e5da45381c16 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs 
@@ -9,7 +9,6 @@ use cryptography_x509::extensions::{ use cryptography_x509::name::{GeneralName, Name, NameReadable, OtherName, UnvalidatedIA5String}; use pyo3::types::IntoPyDict; use pyo3::types::{PyAnyMethods, PyListMethods}; -use pyo3::{IntoPy, ToPyObject}; use crate::asn1::{oid_to_py_oid, py_oid_to_oid}; use crate::error::{CryptographyError, CryptographyResult}; @@ -38,11 +37,11 @@ pub(crate) fn encode_name<'p>( ) -> pyo3::PyResult> { let mut rdns = vec![]; - for py_rdn in py_name.getattr(pyo3::intern!(py, "rdns"))?.iter()? { + for py_rdn in py_name.getattr(pyo3::intern!(py, "rdns"))?.try_iter()? { let py_rdn = py_rdn?; let mut attrs = vec![]; - for py_attr in py_rdn.iter()? { + for py_attr in py_rdn.try_iter()? { attrs.push(encode_name_entry(py, ka, &py_attr?)?); } rdns.push(asn1::SetOfWriter::new(attrs)); @@ -96,7 +95,7 @@ pub(crate) fn encode_name_bytes<'p>( let ka = cryptography_keepalive::KeepAlive::new(); let name = encode_name(py, &ka, py_name)?; let result = asn1::write_single(&name)?; - Ok(pyo3::types::PyBytes::new_bound(py, &result)) + Ok(pyo3::types::PyBytes::new(py, &result)) } pub(crate) fn encode_general_names<'a>( @@ -106,7 +105,7 @@ pub(crate) fn encode_general_names<'a>( py_gns: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result>, CryptographyError> { let mut gns = vec![]; - for el in py_gns.iter()? { + for el in py_gns.try_iter()? { let gn = encode_general_name(py, ka_bytes, ka_str, &el?)?; gns.push(gn); } @@ -168,7 +167,7 @@ pub(crate) fn encode_access_descriptions<'a>( let mut ads = vec![]; let ka_bytes = cryptography_keepalive::KeepAlive::new(); let ka_str = cryptography_keepalive::KeepAlive::new(); - for py_ad in py_ads.iter()? { + for py_ad in py_ads.try_iter()? { let py_ad = py_ad?; let py_oid = py_ad.getattr(pyo3::intern!(py, "access_method"))?; let access_method = py_oid_to_oid(py_oid)?; 
@@ -186,7 +185,7 @@ pub(crate) fn parse_name<'p>( py: pyo3::Python<'p>, name: &NameReadable<'_>, ) -> Result, CryptographyError> { - let py_rdns = pyo3::types::PyList::empty_bound(py); + let py_rdns = pyo3::types::PyList::empty(py); for rdn in name.clone() { let py_rdn = parse_rdn(py, &rdn)?; py_rdns.append(py_rdn)?; 
@@ -207,35 +206,35 @@ fn parse_name_attribute( let py_tag = types::ASN1_TYPE_TO_ENUM.get(py)?.get_item(tag_val)?; let py_data = match attribute.value.tag().as_u8() { // BitString tag value - Some(3) => pyo3::types::PyBytes::new_bound(py, attribute.value.data()).into_any(), + Some(3) => pyo3::types::PyBytes::new(py, attribute.value.data()).into_any(), // BMPString tag value Some(30) => { - let py_bytes = pyo3::types::PyBytes::new_bound(py, attribute.value.data()); + let py_bytes = pyo3::types::PyBytes::new(py, attribute.value.data()); py_bytes.call_method1(pyo3::intern!(py, "decode"), ("utf_16_be",))? } // UniversalString Some(28) => { - let py_bytes = pyo3::types::PyBytes::new_bound(py, attribute.value.data()); + let py_bytes = pyo3::types::PyBytes::new(py, attribute.value.data()); py_bytes.call_method1(pyo3::intern!(py, "decode"), ("utf_32_be",))? } _ => { let parsed = std::str::from_utf8(attribute.value.data()) .map_err(|_| asn1::ParseError::new(asn1::ParseErrorKind::InvalidValue))?; - pyo3::types::PyString::new_bound(py, parsed).into_any() + pyo3::types::PyString::new(py, parsed).into_any() } }; - let kwargs = [(pyo3::intern!(py, "_validate"), false)].into_py_dict_bound(py); + let kwargs = [(pyo3::intern!(py, "_validate"), false)].into_py_dict(py)?; Ok(types::NAME_ATTRIBUTE .get(py)? .call((oid, py_data, py_tag), Some(&kwargs))? - .to_object(py)) + .unbind()) } pub(crate) fn parse_rdn<'a>( py: pyo3::Python<'_>, rdn: &asn1::SetOf<'a, AttributeTypeValue<'a>>, ) -> Result { - let py_attrs = pyo3::types::PyList::empty_bound(py); + let py_attrs = pyo3::types::PyList::empty(py); for attribute in rdn.clone() { let na = parse_name_attribute(py, attribute)?; py_attrs.append(na)?; @@ -243,7 +242,7 @@ pub(crate) fn parse_rdn<'a>( Ok(types::RELATIVE_DISTINGUISHED_NAME .get(py)? .call1((py_attrs,))? - .to_object(py)) + .unbind()) } pub(crate) fn parse_general_name( 
@@ -256,31 +255,28 @@ pub(crate) fn parse_general_name( types::OTHER_NAME .get(py)? .call1((oid, data.value.full_data()))? - .to_object(py) + .unbind() } GeneralName::RFC822Name(data) => types::RFC822_NAME .get(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? - .to_object(py), + .unbind(), GeneralName::DNSName(data) => types::DNS_NAME .get(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? - .to_object(py), + .unbind(), GeneralName::DirectoryName(data) => { let py_name = parse_name(py, data.unwrap_read())?; - types::DIRECTORY_NAME - .get(py)? - .call1((py_name,))? - .to_object(py) + types::DIRECTORY_NAME.get(py)?.call1((py_name,))?.unbind() } GeneralName::UniformResourceIdentifier(data) => types::UNIFORM_RESOURCE_IDENTIFIER .get(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? - .to_object(py), + .unbind(), GeneralName::IPAddress(data) => { if data.len() == 4 || data.len() == 16 { let addr = types::IPADDRESS_IPADDRESS.get(py)?.call1((data,))?; - types::IP_ADDRESS.get(py)?.call1((addr,))?.to_object(py) + types::IP_ADDRESS.get(py)?.call1((addr,))?.unbind() } else { // if it's not an IPv4 or IPv6 we assume it's an IPNetwork and // verify length in this function. @@ -289,7 +285,7 @@ pub(crate) fn parse_general_name( } GeneralName::RegisteredID(data) => { let oid = oid_to_py_oid(py, &data)?; - types::REGISTERED_ID.get(py)?.call1((oid,))?.to_object(py) + types::REGISTERED_ID.get(py)?.call1((oid,))?.unbind() } _ => { return Err(CryptographyError::from( @@ -306,12 +302,12 @@ pub(crate) fn parse_general_names<'a>( py: pyo3::Python<'_>, gn_seq: &asn1::SequenceOf<'a, GeneralName<'a>>, ) -> Result { - let gns = pyo3::types::PyList::empty_bound(py); + let gns = pyo3::types::PyList::empty(py); for gn in gn_seq.clone() { let py_gn = parse_general_name(py, gn)?; gns.append(py_gn)?; } - Ok(gns.to_object(py)) + Ok(gns.into_any().unbind()) } fn create_ip_network( 
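Review bot: The `RFC822Name`, `DNSName` and `UniformResourceIdentifier` arms of `parse_general_name` build their Python objects through `_init_without_validation` with the string taken from the certificate, and the hunk gives no reason for skipping validation. A comment above the first arm, for example `// Names are kept exactly as encoded in the certificate and are not validated here; callers must not assume well-formed values`, would tell readers these values are untrusted input. The function starts and ends outside the hunk, so an existing comment further up may already cover this.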
@@ -333,7 +329,7 @@ fn create_ip_network( }; let base = types::IPADDRESS_IPADDRESS .get(py)? - .call1((pyo3::types::PyBytes::new_bound(py, &data[..data.len() / 2]),))?; + .call1((pyo3::types::PyBytes::new(py, &data[..data.len() / 2]),))?; let net = format!( "{}/{}", base.getattr(pyo3::intern!(py, "exploded"))? @@ -341,7 +337,7 @@ fn create_ip_network( prefix? ); let addr = types::IPADDRESS_IPNETWORK.get(py)?.call1((net,))?; - Ok(types::IP_ADDRESS.get(py)?.call1((addr,))?.to_object(py)) + Ok(types::IP_ADDRESS.get(py)?.call1((addr,))?.unbind()) } fn ipv4_netmask(num: u32) -> Result { @@ -379,12 +375,12 @@ pub(crate) fn parse_and_cache_extensions< let oid_obj = oid_to_py_oid(py, &oid)?; return Err(exceptions::DuplicateExtension::new_err(( format!("Duplicate {} extension found", &oid), - oid_obj.into_py(py), + oid_obj.unbind(), ))); } }; - let exts = pyo3::types::PyList::empty_bound(py); + let exts = pyo3::types::PyList::empty(py); for raw_ext in extensions.iter() { let oid_obj = oid_to_py_oid(py, &raw_ext.extn_id)?; @@ -400,7 +396,7 @@ pub(crate) fn parse_and_cache_extensions< .call1((oid_obj, raw_ext.critical, extn_value))?; exts.append(ext_obj)?; } - Ok(types::EXTENSIONS.get(py)?.call1((exts,))?.to_object(py)) + Ok(types::EXTENSIONS.get(py)?.call1((exts,))?.unbind()) }) .map(|p| p.clone_ref(py)) } @@ -420,7 +416,7 @@ pub(crate) fn encode_extensions< encode_ext: F, ) -> pyo3::PyResult>> { let mut exts = vec![]; - for py_ext in py_exts.iter()? { + for py_ext in py_exts.try_iter()? { let py_ext = py_ext?; let py_oid = py_ext.getattr(pyo3::intern!(py, "oid"))?; let oid = py_oid_to_oid(py_oid)?; @@ -466,7 +462,7 @@ pub(crate) fn encode_extension_value<'p>( if let Some(data) = x509::extensions::encode_extension(py, &oid, &py_ext)? { // TODO: extra copy - let py_data = pyo3::types::PyBytes::new_bound(py, &data); + let py_data = pyo3::types::PyBytes::new(py, &data); return Ok(py_data); } 
@@ -540,3 +536,11 @@ pub(crate) fn datetime_now(py: pyo3::Python<'_>) -> pyo3::PyResult { + std::ffi::CStr::from_bytes_with_nul(concat!($str, "\0").as_bytes()).unwrap() + }; +} + +pub(crate) use cstr_from_literal; diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 58c22408557b..8c8d9ceca6d2 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -14,13 +14,13 @@ use cryptography_x509::{ name, oid, }; use pyo3::types::{PyAnyMethods, PyListMethods, PySliceMethods}; -use pyo3::ToPyObject; use crate::asn1::{ big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, }; use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; +use crate::x509::common::cstr_from_literal; use crate::x509::{certificate, extensions, sign}; use crate::{exceptions, types, x509}; @@ -70,7 +70,7 @@ pub(crate) fn load_pem_x509_crl( )?; load_der_x509_crl( py, - pyo3::types::PyBytes::new_bound(py, block.contents()).unbind(), + pyo3::types::PyBytes::new(py, block.contents()).unbind(), None, ) } @@ -156,12 +156,12 @@ impl CertificateRevocationList { let indices = idx .downcast::()? .indices(self.len().try_into().unwrap())?; - let result = pyo3::types::PyList::empty_bound(py); + let result = pyo3::types::PyList::empty(py); for i in (indices.start..indices.stop).step_by(indices.step.try_into().unwrap()) { let revoked_cert = pyo3::Bound::new(py, self.revoked_cert(py, i as usize))?; result.append(revoked_cert)?; } - Ok(result.to_object(py)) + Ok(result.into_any().unbind()) } else { let mut idx = idx.extract::()?; if idx < 0 { @@ -170,7 +170,9 @@ impl CertificateRevocationList { if idx >= (self.len() as isize) || idx < 0 { return Err(pyo3::exceptions::PyIndexError::new_err(())); } - Ok(pyo3::Bound::new(py, self.revoked_cert(py, idx as usize))?.to_object(py)) + Ok(pyo3::Bound::new(py, self.revoked_cert(py, idx as usize))? + .into_any() + .unbind()) } } 
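Review bot: `cstr_from_literal!` in the first hunk on this line has no comment stating its precondition, and its `.unwrap()` runs wherever the macro is expanded, so a literal with an interior NUL byte would only surface as a runtime panic on that code path. I would add above the macro `// $str must be a string literal without interior NUL bytes; the unwrap below panics otherwise.` The hunk text looks truncated around the `macro_rules!` header on this page, so the exact placement needs checking against the file.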
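Review bot: In the `CertificateRevocationList` hunk at `-156,12`, `step_by(indices.step.try_into().unwrap())` stays on the new side, and a slice with a negative step (for example `crl[::-1]`) appears to make that conversion fail and panic rather than raise an ordinary Python exception. A checked conversion keeps the binding panic-free: `let step = usize::try_from(indices.step).map_err(|_| pyo3::exceptions::PyValueError::new_err("negative slice steps are not supported"))?;`, with the loop then using `.step_by(step)`. The method starts outside the hunk, so its return type is assumed to accept a `PyErr` through `?`.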
@@ -231,7 +233,7 @@ impl CertificateRevocationList { py: pyo3::Python<'p>, ) -> CryptographyResult> { let b = asn1::write_single(&self.owned.borrow_dependent().tbs_cert_list)?; - Ok(pyo3::types::PyBytes::new_bound(py, &b)) + Ok(pyo3::types::PyBytes::new(py, &b)) } fn public_bytes<'p>( @@ -262,12 +264,8 @@ impl CertificateRevocationList { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { let warning_cls = types::DEPRECATED_IN_42.get(py)?; - pyo3::PyErr::warn_bound( - py, - &warning_cls, - "Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.", - 1, - )?; + let message = cstr_from_literal!("Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc."); + pyo3::PyErr::warn(py, &warning_cls, message, 1)?; match &self.owned.borrow_dependent().tbs_cert_list.next_update { Some(t) => x509::datetime_to_py(py, t.as_datetime()), None => Ok(py.None().into_bound(py)), @@ -291,12 +289,8 @@ impl CertificateRevocationList { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { let warning_cls = types::DEPRECATED_IN_42.get(py)?; - pyo3::PyErr::warn_bound( - py, - &warning_cls, - "Properties that return a naïve datetime object have been deprecated. Please switch to last_update_utc.", - 1, - )?; + let message = cstr_from_literal!("Properties that return a naïve datetime object have been deprecated. Please switch to last_update_utc."); + pyo3::PyErr::warn(py, &warning_cls, message, 1)?; x509::datetime_to_py( py, self.owned @@ -393,7 +387,7 @@ impl CertificateRevocationList { fn get_revoked_certificate_by_serial_number( &self, py: pyo3::Python<'_>, - serial: pyo3::Bound<'_, pyo3::types::PyLong>, + serial: pyo3::Bound<'_, pyo3::types::PyInt>, ) -> pyo3::PyResult> { let serial_bytes = py_uint_to_big_endian_bytes(py, serial)?; let owned = OwnedRevokedCertificate::try_new(Arc::clone(&self.owned), |v| { 
@@ -559,12 +553,8 @@ impl RevokedCertificate { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { let warning_cls = types::DEPRECATED_IN_42.get(py)?; - pyo3::PyErr::warn_bound( - py, - &warning_cls, - "Properties that return a naïve datetime object have been deprecated. Please switch to revocation_date_utc.", - 1, - )?; + let message = cstr_from_literal!("Properties that return a naïve datetime object have been deprecated. Please switch to revocation_date_utc."); + pyo3::PyErr::warn(py, &warning_cls, message, 1)?; x509::datetime_to_py( py, self.owned.borrow_dependent().revocation_date.as_datetime(), @@ -661,7 +651,7 @@ pub(crate) fn create_x509_crl( let ka_bytes = cryptography_keepalive::KeepAlive::new(); for py_revoked_cert in builder .getattr(pyo3::intern!(py, "_revoked_certificates"))? - .iter()? + .try_iter()? { let py_revoked_cert = py_revoked_cert?; let serial_number = py_revoked_cert @@ -723,9 +713,5 @@ pub(crate) fn create_x509_crl( signature_algorithm: sigalg, signature_value: asn1::BitString::new(&signature, 0).unwrap(), })?; - load_der_x509_crl( - py, - pyo3::types::PyBytes::new_bound(py, &data).unbind(), - None, - ) + load_der_x509_crl(py, pyo3::types::PyBytes::new(py, &data).unbind(), None) } diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 9d4f81958c51..9ca3080672d2 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -9,12 +9,11 @@ use asn1::SimpleAsn1Readable; use cryptography_x509::csr::{check_attribute_length, Attribute, CertificationRequestInfo, Csr}; use cryptography_x509::{common, oid}; use pyo3::types::{PyAnyMethods, PyListMethods}; -use pyo3::IntoPy; use crate::asn1::{encode_der_data, oid_to_py_oid, py_oid_to_oid}; use crate::backend::keys; use crate::error::{CryptographyError, CryptographyResult}; -use crate::x509::{certificate, sign}; +use crate::x509::{certificate, common::cstr_from_literal, sign}; use crate::{exceptions, types, x509}; self_cell::self_cell!( 
@@ -80,12 +79,12 @@ impl CertificateSigningRequest { py: pyo3::Python<'p>, ) -> CryptographyResult> { let result = asn1::write_single(&self.raw.borrow_dependent().csr_info)?; - Ok(pyo3::types::PyBytes::new_bound(py, &result)) + Ok(pyo3::types::PyBytes::new(py, &result)) } #[getter] fn signature<'p>(&self, py: pyo3::Python<'p>) -> pyo3::Bound<'p, pyo3::types::PyBytes> { - pyo3::types::PyBytes::new_bound(py, self.raw.borrow_dependent().signature.as_bytes()) + pyo3::types::PyBytes::new(py, self.raw.borrow_dependent().signature.as_bytes()) } #[getter] @@ -131,8 +130,8 @@ impl CertificateSigningRequest { oid: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult> { let warning_cls = types::DEPRECATED_IN_36.get(py)?; - let warning_msg = "CertificateSigningRequest.get_attribute_for_oid has been deprecated. Please switch to request.attributes.get_attribute_for_oid."; - pyo3::PyErr::warn_bound(py, &warning_cls, warning_msg, 1)?; + let warning_msg = cstr_from_literal!("CertificateSigningRequest.get_attribute_for_oid has been deprecated. Please switch to request.attributes.get_attribute_for_oid."); + pyo3::PyErr::warn(py, &warning_cls, warning_msg, 1)?; let rust_oid = py_oid_to_oid(oid.clone())?; for attribute in self @@ -155,7 +154,7 @@ impl CertificateSigningRequest { || val.tag() == asn1::PrintableString::TAG || val.tag() == asn1::IA5String::TAG { - return Ok(pyo3::types::PyBytes::new_bound(py, val.data()).into_any()); + return Ok(pyo3::types::PyBytes::new(py, val.data()).into_any()); } return Err(pyo3::exceptions::PyValueError::new_err(format!( "OID {} has a disallowed ASN.1 type: {:?}", 
@@ -166,13 +165,13 @@ impl CertificateSigningRequest { } Err(exceptions::AttributeNotFound::new_err(( format!("No {oid} attribute was found"), - oid.into_py(py), + oid.unbind(), ))) } #[getter] fn attributes<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { - let pyattrs = pyo3::types::PyList::empty_bound(py); + let pyattrs = pyo3::types::PyList::empty(py); for attribute in self .raw .borrow_dependent() @@ -188,7 +187,7 @@ impl CertificateSigningRequest { })?; let oid = oid_to_py_oid(py, &attribute.type_id)?; let val = attribute.values.unwrap_read().clone().next().unwrap(); - let serialized = pyo3::types::PyBytes::new_bound(py, val.data()); + let serialized = pyo3::types::PyBytes::new(py, val.data()); let tag = val.tag().as_u8().ok_or_else(|| { CryptographyError::from(pyo3::exceptions::PyValueError::new_err( "Long-form tags are not supported in CSR attribute values", @@ -253,7 +252,7 @@ pub(crate) fn load_pem_x509_csr( )?; load_der_x509_csr( py, - pyo3::types::PyBytes::new_bound(py, parsed.contents()).unbind(), + pyo3::types::PyBytes::new(py, parsed.contents()).unbind(), None, ) } @@ -329,7 +328,10 @@ pub(crate) fn create_x509_csr( } let mut attr_values = vec![]; - for py_attr in builder.getattr(pyo3::intern!(py, "_attributes"))?.iter()? { + for py_attr in builder + .getattr(pyo3::intern!(py, "_attributes"))? + .try_iter()? + { let (py_oid, value, tag): ( pyo3::Bound<'_, pyo3::PyAny>, pyo3::pybacked::PyBackedBytes, @@ -387,7 +389,7 @@ pub(crate) fn create_x509_csr( })?; load_der_x509_csr( py, - pyo3::types::PyBytes::new_bound(py, &data).clone().unbind(), + pyo3::types::PyBytes::new(py, &data).clone().unbind(), None, ) } diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 2342c40a1f03..7659a4bd5fdd 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs 
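Review bot: In the last `csr.rs` hunk (`create_x509_csr`), `pyo3::types::PyBytes::new(py, &data).clone().unbind()` keeps a `.clone()` that only adds a reference-count round trip on a temporary. The equivalent calls this patch touches in `crl.rs` and `ocsp_req.rs` are written as `pyo3::types::PyBytes::new(py, &data).unbind()`, and this call can be written the same way for consistency.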
@@ -21,7 +21,7 @@ fn encode_general_subtrees<'a>( Ok(None) } else { let mut subtree_seq = vec![]; - for name in subtrees.iter()? { + for name in subtrees.try_iter()? { let gn = x509::common::encode_general_name(py, ka_bytes, ka_str, &name?)?; subtree_seq.push(extensions::GeneralSubtree { base: gn, @@ -43,7 +43,7 @@ pub(crate) fn encode_authority_key_identifier<'a>( struct PyAuthorityKeyIdentifier<'a> { key_identifier: Option, authority_cert_issuer: Option>, - authority_cert_serial_number: Option>, + authority_cert_serial_number: Option>, } let aki = py_aki.extract::>()?; @@ -88,7 +88,7 @@ pub(crate) fn encode_distribution_points<'p>( let ka_bytes = cryptography_keepalive::KeepAlive::new(); let ka_str = cryptography_keepalive::KeepAlive::new(); let mut dps = vec![]; - for py_dp in py_dps.iter()? { + for py_dp in py_dps.try_iter()? { let py_dp = py_dp?.extract::>()?; let crl_issuer = if let Some(py_crl_issuer) = py_dp.crl_issuer { @@ -106,7 +106,7 @@ pub(crate) fn encode_distribution_points<'p>( )) } else if let Some(py_relative_name) = py_dp.relative_name { let mut name_entries = vec![]; - for py_name_entry in py_relative_name.iter()? { + for py_name_entry in py_relative_name.try_iter()? { let ne = x509::common::encode_name_entry(py, &ka_bytes, &py_name_entry?)?; name_entries.push(ne); } 
@@ -228,13 +228,13 @@ fn encode_certificate_policies( let mut policy_informations = vec![]; let ka_bytes = cryptography_keepalive::KeepAlive::new(); let ka_str = cryptography_keepalive::KeepAlive::new(); - for py_policy_info in ext.iter()? { + for py_policy_info in ext.try_iter()? { let py_policy_info = py_policy_info?; let py_policy_qualifiers = py_policy_info.getattr(pyo3::intern!(py, "policy_qualifiers"))?; let qualifiers = if py_policy_qualifiers.is_truthy()? { let mut qualifiers = vec![]; - for py_qualifier in py_policy_qualifiers.iter()? { + for py_qualifier in py_policy_qualifiers.try_iter()? { let py_qualifier = py_qualifier?; let qualifier = if py_qualifier.is_instance_of::() { let py_qualifier_str = ka_str.add(py_qualifier.extract::()?); @@ -257,7 +257,7 @@ fn encode_certificate_policies( let mut notice_numbers = vec![]; for py_num in py_notice .getattr(pyo3::intern!(py, "notice_numbers"))? - .iter()? + .try_iter()? { let bytes = ka_bytes .add(py_uint_to_big_endian_bytes(ext.py(), py_num?.extract()?)?); @@ -346,7 +346,10 @@ fn encode_issuing_distribution_point( .is_truthy()? { let mut name_entries = vec![]; - for py_name_entry in ext.getattr(pyo3::intern!(py, "relative_name"))?.iter()? { + for py_name_entry in ext + .getattr(pyo3::intern!(py, "relative_name"))? + .try_iter()? + { let name_entry = x509::common::encode_name_entry(ext.py(), &ka_bytes, &py_name_entry?)?; name_entries.push(name_entry); } @@ -376,7 +379,7 @@ fn encode_issuing_distribution_point( fn encode_oid_sequence(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult> { let mut oids = vec![]; - for el in ext.iter()? { + for el in ext.try_iter()? { let oid = py_oid_to_oid(el?)?; oids.push(oid); } @@ -392,7 +395,7 @@ fn encode_tls_features( // an asn1::Sequence can't return an error, and we need to handle errors // from Python. let mut els = vec![]; - for el in ext.iter()? { + for el in ext.try_iter()? { els.push(el?.getattr(pyo3::intern!(py, "value"))?.extract::()?); } 
@@ -401,14 +404,14 @@ fn encode_tls_features( fn encode_scts(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult> { let mut length = 0; - for sct in ext.iter()? { + for sct in ext.try_iter()? { let sct = sct?.downcast::()?.clone(); length += sct.get().sct_data.len() + 2; } let mut result = vec![]; result.extend_from_slice(&(length as u16).to_be_bytes()); - for sct in ext.iter()? { + for sct in ext.try_iter()? { let sct = sct?.downcast::()?.clone(); result.extend_from_slice(&(sct.get().sct_data.len() as u16).to_be_bytes()); result.extend_from_slice(&sct.get().sct_data); @@ -454,7 +457,7 @@ fn encode_naming_authority<'a>( } fn encode_profession_info<'a>( - py: pyo3::Python<'_>, + py: pyo3::Python<'a>, ka_bytes: &'a cryptography_keepalive::KeepAlive, ka_str: &'a cryptography_keepalive::KeepAlive, py_info: &pyo3::Bound<'a, pyo3::PyAny>, @@ -467,7 +470,7 @@ fn encode_profession_info<'a>( }; let mut profession_items = vec![]; let py_items = py_info.getattr(pyo3::intern!(py, "profession_items"))?; - for py_item in py_items.iter()? { + for py_item in py_items.try_iter()? { let py_item = py_item?; let py_item_str = ka_str.add(py_item.extract::()?); let item = extensions::DisplayText::Utf8String(asn1::Utf8String::new(py_item_str)); @@ -478,7 +481,7 @@ fn encode_profession_info<'a>( let py_oids = py_info.getattr(pyo3::intern!(py, "profession_oids"))?; let profession_oids = if !py_oids.is_none() { let mut profession_oids = vec![]; - for py_oid in py_oids.iter()? { + for py_oid in py_oids.try_iter()? { let py_oid = py_oid?; let oid = py_oid_to_oid(py_oid)?; profession_oids.push(oid); @@ -522,7 +525,7 @@ fn encode_profession_info<'a>( } fn encode_admission<'a>( - py: pyo3::Python<'_>, + py: pyo3::Python<'a>, ka_bytes: &'a cryptography_keepalive::KeepAlive, ka_str: &'a cryptography_keepalive::KeepAlive, py_admission: &pyo3::Bound<'a, pyo3::PyAny>, 
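Review bot: `encode_scts` in the first hunk still narrows with `length as u16` and `sct.get().sct_data.len() as u16`, so an SCT list whose total or per-entry size exceeds 65535 bytes is encoded with a silently wrapped length prefix instead of being rejected. A checked conversion keeps the length fields consistent with the data that follows: `let length = u16::try_from(length).map_err(|_| pyo3::exceptions::PyValueError::new_err("SCT list is too large to encode"))?;`, with the same treatment for the per-SCT length. This assumes `CryptographyError` converts from `PyErr` under `?`, which matches the `CryptographyError::from(pyo3::exceptions::PyValueError::new_err(..))` usage elsewhere in this patch.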
@@ -547,7 +550,7 @@ fn encode_admission<'a>( let py_profession_infos = py_admission.getattr(pyo3::intern!(py, "profession_infos"))?; let mut profession_infos = vec![]; - for py_info in py_profession_infos.iter()? { + for py_info in py_profession_infos.try_iter()? { profession_infos.push(encode_profession_info(py, ka_bytes, ka_str, &py_info?)?); } let profession_infos = @@ -627,7 +630,7 @@ pub(crate) fn encode_extension( &oid::INHIBIT_ANY_POLICY_OID => { let intval = ext .getattr(pyo3::intern!(py, "skip_certs"))? - .downcast::()? + .downcast::()? .clone(); let bytes = py_uint_to_big_endian_bytes(ext.py(), intval)?; Ok(Some(asn1::write_single( @@ -680,7 +683,7 @@ pub(crate) fn encode_extension( &oid::CRL_NUMBER_OID | &oid::DELTA_CRL_INDICATOR_OID => { let intval = ext .getattr(pyo3::intern!(py, "crl_number"))? - .downcast::()? + .downcast::()? .clone(); let bytes = py_uint_to_big_endian_bytes(ext.py(), intval)?; Ok(Some(asn1::write_single( @@ -721,7 +724,7 @@ pub(crate) fn encode_extension( None }; let mut admissions = vec![]; - for py_admission in ext.iter()? { + for py_admission in ext.try_iter()? { let admission = encode_admission(py, &ka_bytes, &ka_str, &py_admission?)?; admissions.push(admission); } diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 7770fb9d6f40..2b3ae3df3656 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -132,7 +132,7 @@ impl OCSPRequest { } oid::ACCEPTABLE_RESPONSES_OID => { let oids = ext.value::>()?; - let py_oids = pyo3::types::PyList::empty_bound(py); + let py_oids = pyo3::types::PyList::empty(py); for oid in oids { py_oids.append(oid_to_py_oid(py, &oid)?)?; } @@ -161,7 +161,7 @@ impl OCSPRequest { .into()); } let result = asn1::write_single(self.raw.borrow_dependent())?; - Ok(pyo3::types::PyBytes::new_bound(py, &result)) + Ok(pyo3::types::PyBytes::new(py, &result)) } } 
@@ -188,7 +188,7 @@ pub(crate) fn create_ocsp_request( (py_cert, py_issuer, py_hash) = builder_request.extract()?; ocsp::certid_new(py, &ka_bytes, &py_cert, &py_issuer, &py_hash)? } else { - let py_serial: pyo3::Bound<'_, pyo3::types::PyLong>; + let py_serial: pyo3::Bound<'_, pyo3::types::PyInt>; (issuer_name_hash, issuer_key_hash, py_serial, py_hash) = builder .getattr(pyo3::intern!(py, "_request_hash"))? .extract()?; @@ -226,5 +226,5 @@ pub(crate) fn create_ocsp_request( optional_signature: None, }; let data = asn1::write_single(&ocsp_req)?; - load_der_ocsp_request(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()) + load_der_ocsp_request(py, pyo3::types::PyBytes::new(py, &data).unbind()) } diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 955bf35a4c31..26c8050f731c 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -14,6 +14,7 @@ use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods}; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; use crate::error::{CryptographyError, CryptographyResult}; +use crate::x509::common::cstr_from_literal; use crate::x509::{certificate, crl, extensions, ocsp, py_to_datetime, sct}; use crate::{exceptions, types, x509}; @@ -168,7 +169,7 @@ impl OCSPResponse { let resp = self.requires_successful_response()?; match resp.tbs_response_data.responder_id { ocsp_resp::ResponderId::ByKey(key_hash) => { - Ok(pyo3::types::PyBytes::new_bound(py, key_hash).into_any()) + Ok(pyo3::types::PyBytes::new(py, key_hash).into_any()) } ocsp_resp::ResponderId::ByName(_) => Ok(py.None().into_bound(py)), } 
@@ -180,12 +181,8 @@ impl OCSPResponse { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { let warning_cls = types::DEPRECATED_IN_43.get(py)?; - pyo3::PyErr::warn_bound( - py, - &warning_cls, - "Properties that return a naïve datetime object have been deprecated. Please switch to produced_at_utc.", - 1, - )?; + let message = cstr_from_literal!("Properties that return a naïve datetime object have been deprecated. Please switch to produced_at_utc."); + pyo3::PyErr::warn(py, &warning_cls, message, 1)?; let resp = self.requires_successful_response()?; x509::datetime_to_py(py, resp.tbs_response_data.produced_at.as_datetime()) } @@ -238,10 +235,7 @@ impl OCSPResponse { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; - Ok(pyo3::types::PyBytes::new_bound( - py, - resp.signature.as_bytes(), - )) + Ok(pyo3::types::PyBytes::new(py, resp.signature.as_bytes())) } #[getter] @@ -251,7 +245,7 @@ impl OCSPResponse { ) -> CryptographyResult> { let resp = self.requires_successful_response()?; let result = asn1::write_single(&resp.tbs_response_data)?; - Ok(pyo3::types::PyBytes::new_bound(py, &result)) + Ok(pyo3::types::PyBytes::new(py, &result)) } #[getter] @@ -260,7 +254,7 @@ impl OCSPResponse { py: pyo3::Python<'p>, ) -> CryptographyResult> { let resp = self.requires_successful_response()?; - let py_certs = pyo3::types::PyList::empty_bound(py); + let py_certs = pyo3::types::PyList::empty(py); let certs = match &resp.certs { Some(certs) => certs.unwrap_read(), None => return Ok(py_certs), 
@@ -342,12 +336,8 @@ impl OCSPResponse { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { let warning_cls = types::DEPRECATED_IN_43.get(py)?; - pyo3::PyErr::warn_bound( - py, - &warning_cls, - "Properties that return a naïve datetime object have been deprecated. Please switch to revocation_time_utc.", - 1, - )?; + let message = cstr_from_literal!("Properties that return a naïve datetime object have been deprecated. Please switch to revocation_time_utc."); + pyo3::PyErr::warn(py, &warning_cls, message, 1)?; let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_revocation_time(&single_resp, py) @@ -379,12 +369,8 @@ impl OCSPResponse { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { let warning_cls = types::DEPRECATED_IN_43.get(py)?; - pyo3::PyErr::warn_bound( - py, - &warning_cls, - "Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.", - 1, - )?; + let message = cstr_from_literal!("Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc."); + pyo3::PyErr::warn(py, &warning_cls, message, 1)?; let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_this_update(&single_resp, py) @@ -406,12 +392,8 @@ impl OCSPResponse { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { let warning_cls = types::DEPRECATED_IN_43.get(py)?; - pyo3::PyErr::warn_bound( - py, - &warning_cls, - "Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.", - 1, - )?; + let message = cstr_from_literal!("Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc."); + pyo3::PyErr::warn(py, &warning_cls, message, 1)?; let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_next_update(&single_resp, py) 
@@ -507,7 +489,7 @@ impl OCSPResponse { .into()); } let result = asn1::write_single(self.raw.borrow_dependent())?; - Ok(pyo3::types::PyBytes::new_bound(py, &result)) + Ok(pyo3::types::PyBytes::new(py, &result)) } } @@ -708,7 +690,7 @@ pub(crate) fn create_ocsp_response( response_bytes: None, }; let data = asn1::write_single(&resp)?; - return load_der_ocsp_response(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()); + return load_der_ocsp_response(py, pyo3::types::PyBytes::new(py, &data).unbind()); } let py_single_resp = builder.getattr(pyo3::intern!(py, "_response"))?; @@ -873,7 +855,7 @@ pub(crate) fn create_ocsp_response( response_bytes, }; let data = asn1::write_single(&resp)?; - load_der_ocsp_response(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()) + load_der_ocsp_response(py, pyo3::types::PyBytes::new(py, &data).unbind()) } type RawOCSPResponseIterator<'a> = asn1::SequenceOf<'a, SingleResponse<'a>>; @@ -975,12 +957,8 @@ impl OCSPSingleResponse { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { let warning_cls = types::DEPRECATED_IN_43.get(py)?; - pyo3::PyErr::warn_bound( - py, - &warning_cls, - "Properties that return a naïve datetime object have been deprecated. Please switch to revocation_time_utc.", - 1, - )?; + let message = cstr_from_literal!("Properties that return a naïve datetime object have been deprecated. Please switch to revocation_time_utc."); + pyo3::PyErr::warn(py, &warning_cls, message, 1)?; let single_resp = self.single_response(); singleresp_py_revocation_time(single_resp, py) } 
@@ -1009,12 +987,8 @@ impl OCSPSingleResponse { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { let warning_cls = types::DEPRECATED_IN_43.get(py)?; - pyo3::PyErr::warn_bound( - py, - &warning_cls, - "Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.", - 1, - )?; + let message = cstr_from_literal!("Properties that return a naïve datetime object have been deprecated. Please switch to revocation_time_utc."); + pyo3::PyErr::warn(py, &warning_cls, message, 1)?; let single_resp = self.single_response(); singleresp_py_this_update(single_resp, py) } @@ -1034,12 +1008,8 @@ impl OCSPSingleResponse { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { let warning_cls = types::DEPRECATED_IN_43.get(py)?; - pyo3::PyErr::warn_bound( - py, - &warning_cls, - "Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.", - 1, - )?; + let message = cstr_from_literal!("Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc."); + pyo3::PyErr::warn(py, &warning_cls, message, 1)?; let single_resp = self.single_response(); singleresp_py_next_update(single_resp, py) } diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index 78985af4dfc0..88ab8c911df5 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -6,7 +6,6 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; use pyo3::types::{PyAnyMethods, PyDictMethods, PyListMethods}; -use pyo3::ToPyObject; use crate::error::CryptographyError; use crate::types; @@ -167,7 +166,7 @@ impl Sct { fn timestamp<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; - let kwargs = pyo3::types::PyDict::new_bound(py); + let kwargs = pyo3::types::PyDict::new(py); kwargs.set_item("microsecond", self.timestamp % 1000 * 1000)?; kwargs.set_item("tzinfo", None::>)?; 
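Review bot: The deprecation text added to the `OCSPSingleResponse` getter in the first hunk on this line now tells users to switch to `revocation_time_utc`, while the removed text named `this_update_utc` and the body still calls `singleresp_py_this_update`. This looks like a copy-paste slip from the `revocation_time` getter just above it; the line should read `let message = cstr_from_literal!("Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.");`. The corresponding `OCSPResponse` getter earlier in this file carries the correct name, so only this message needs changing.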
@@ -226,7 +225,7 @@ pub(crate) fn parse_scts( ) -> Result { let mut reader = TLSReader::new(data).read_length_prefixed()?; - let py_scts = pyo3::types::PyList::empty_bound(py); + let py_scts = pyo3::types::PyList::empty(py); while !reader.is_empty() { let mut sct_data = reader.read_length_prefixed()?; let raw_sct_data = sct_data.data.to_vec(); @@ -256,7 +255,7 @@ pub(crate) fn parse_scts( }; py_scts.append(pyo3::Bound::new(py, sct)?)?; } - Ok(py_scts.to_object(py)) + Ok(py_scts.into_any().unbind()) } #[cfg(test)] diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 4e96b8a8e02d..d826dda8fbae 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -119,7 +119,7 @@ fn compute_pss_salt_length<'p>( hash_algorithm .getattr(pyo3::intern!(py, "digest_size"))? .extract::() - } else if py_saltlen.is_instance_of::() { + } else if py_saltlen.is_instance_of::() { py_saltlen.extract::() } else { Err(pyo3::exceptions::PyTypeError::new_err( diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 20121f0a4764..1722ab960bac 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -298,7 +298,7 @@ impl PyClientVerifier { ) .or_else(|e| handle_validation_error(py, e))?; - let py_chain = pyo3::types::PyList::empty_bound(py); + let py_chain = pyo3::types::PyList::empty(py); for c in &chain { py_chain.append(c.extra())?; } @@ -382,7 +382,7 @@ impl PyServerVerifier { ) .or_else(|e| handle_validation_error(py, e))?; - let result = pyo3::types::PyList::empty_bound(py); + let result = pyo3::types::PyList::empty(py); for c in chain { result.append(c.extra())?; } From 0793e74710686bb879398c1e1e41aa449d58df35 Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 16 Nov 2024 00:21:18 +0000 Subject: [PATCH 1381/1462] Bump BoringSSL and/or OpenSSL in CI (#11963) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 465224bfaf85..1a90348818da 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 15, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c691779ed0e98b36eff7ad945a738c402f127122"}} - # Latest commit on the OpenSSL master branch, as of Nov 14, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "eaf4da97c9b9c09a407b9f1a47ad7dd99c05884c"}} + # Latest commit on the BoringSSL master branch, as of Nov 16, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "83fc0d94d7040544480d42db01554f2421cfc081"}} + # Latest commit on the OpenSSL master branch, as of Nov 16, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5c5b8d2d7c59fc48981861629bb0b75a03497440"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From cb23110342c527888b30b622f2b87079491ebe2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sat, 16 Nov 2024 22:48:58 +0100 Subject: [PATCH 1382/1462] chore: fix clippy warning emitted in rust-nightly job (#11965) 
Signed-off-by: oleg.hoefling --- src/rust/cryptography-x509-verification/src/policy/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index f124d17d3a69..2703e868dbde 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -183,7 +183,7 @@ impl Subject<'_> { DNSPattern::new(pattern.0).map_or(false, |p| p.matches(name)) } (GeneralName::IPAddress(addr), Self::IP(name)) => { - IPAddress::from_bytes(addr).map_or(false, |addr| addr == *name) + IPAddress::from_bytes(addr) == Some(*name) } _ => false, } From b7def9815e331d033b9ac6691372ab4d4046f6a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sat, 16 Nov 2024 23:07:33 +0100 Subject: [PATCH 1383/1462] refactor: replace returning pyobject with bound<'p, pyany> in asn1 module (#11966) Signed-off-by: oleg.hoefling --- src/rust/src/asn1.rs | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 6dd7a48ca565..26ee176bb935 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -54,10 +54,10 @@ pub(crate) fn big_byte_slice_to_py_int<'p>( } #[pyo3::pyfunction] -fn decode_dss_signature( - py: pyo3::Python<'_>, +fn decode_dss_signature<'p>( + py: pyo3::Python<'p>, data: &[u8], -) -> Result { +) -> CryptographyResult> { let sig = asn1::parse_single::>(data)?; Ok(( @@ -65,8 +65,7 @@ fn decode_dss_signature( big_byte_slice_to_py_int(py, sig.s.as_bytes())?, ) .into_pyobject(py)? - .into_any() - .unbind()) + .into_any()) } pub(crate) fn py_uint_to_big_endian_bytes<'p>( From 16659b4a605d095e96bad6a3303a2b7664240fe1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sat, 16 Nov 2024 23:35:59 +0100 Subject: [PATCH 1384/1462] refactor: replace returning pyobject with bound<'p, pyany> in x509::sct module (#11967) Signed-off-by: oleg.hoefling --- src/rust/src/x509/sct.rs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index 88ab8c911df5..65fd001d31d1 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -7,7 +7,7 @@ use std::hash::{Hash, Hasher}; use pyo3::types::{PyAnyMethods, PyDictMethods, PyListMethods}; -use crate::error::CryptographyError; +use crate::error::{CryptographyError, CryptographyResult}; use crate::types; struct TLSReader<'a> { @@ -218,11 +218,11 @@ impl Sct { } } -pub(crate) fn parse_scts( - py: pyo3::Python<'_>, +pub(crate) fn parse_scts<'p>( + py: pyo3::Python<'p>, data: &[u8], entry_type: LogEntryType, -) -> Result { +) -> CryptographyResult> { let mut reader = TLSReader::new(data).read_length_prefixed()?; let py_scts = pyo3::types::PyList::empty(py); @@ -255,7 +255,7 @@ pub(crate) fn parse_scts( }; py_scts.append(pyo3::Bound::new(py, sct)?)?; } - Ok(py_scts.into_any().unbind()) + Ok(py_scts.into_any()) } #[cfg(test)] From 7cbcf128db9e29a5dc90b30658098f4553716379 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sat, 16 Nov 2024 23:45:17 +0100 Subject: [PATCH 1385/1462] refactor: replace returning pyobject with bound<'p, pyany> in x509::certificate::parse_access_descriptions (#11968) Signed-off-by: oleg.hoefling --- src/rust/src/x509/certificate.rs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 1eb8eec4ab9d..0533ea455fcf 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs 
@@ -700,19 +700,19 @@ pub(crate) fn parse_authority_key_identifier<'p>( .call1((aki.key_identifier, issuer, serial))?) } -pub(crate) fn parse_access_descriptions( - py: pyo3::Python<'_>, +pub(crate) fn parse_access_descriptions<'p>( + py: pyo3::Python<'p>, ext: &Extension<'_>, -) -> Result { +) -> CryptographyResult> { let ads = pyo3::types::PyList::empty(py); let parsed = ext.value::>()?; for access in parsed.unwrap_read().clone() { - let py_oid = oid_to_py_oid(py, &access.access_method)?.unbind(); + let py_oid = oid_to_py_oid(py, &access.access_method)?; let gn = x509::parse_general_name(py, access.access_location)?; let ad = types::ACCESS_DESCRIPTION.get(py)?.call1((py_oid, gn))?; ads.append(ad)?; } - Ok(ads.into_any().unbind()) + Ok(ads.into_any()) } fn parse_naming_authority<'p>( From 120583a07363366b6b4f8d1e0e9fbbcda63b340d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sat, 16 Nov 2024 23:50:12 +0100 Subject: [PATCH 1386/1462] docs(admissions): add documentation for the admissions extension (#11964) * docs: add intersphinx refs for the admission types Signed-off-by: oleg.hoefling * chore: add types and description for the admissions fields and classes Signed-off-by: oleg.hoefling --------- Signed-off-by: oleg.hoefling --- docs/x509/reference.rst | 121 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 121 insertions(+) diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index c3de5e6dcb58..d53c5814ce18 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst 
@@ -2995,6 +2995,28 @@ X.509 Extensions Returns :attr:`~cryptography.x509.oid.ExtensionOID.CERTIFICATE_POLICIES`. +.. class:: Admissions(authority, admissions) + :canonical: cryptography.x509.extensions.Admissions + + .. versionadded:: 44.0.0 + + The admissions extension contains information on registration and professional admission, + as specified by `Common PKI v2`_. + It is an iterable, containing one or more :class:`~cryptography.x509.Admission` instances. + + .. attribute:: oid + + :type: :class:`ObjectIdentifier` + + Returns :attr:`~cryptography.x509.oid.ExtensionOID.ADMISSIONS`. + + .. attribute:: authority + + :type: :class:`GeneralName` or None + + An optional identifier of the institution who granted the admissions. This serves as the default value + for the admission authority in a single :class:`~cryptography.x509.Admission` if it is not specified there. + Certificate Policies Classes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -3065,6 +3087,98 @@ These classes may be present within a :class:`CertificatePolicies` instance. A list of integers. +Admissions Classes +~~~~~~~~~~~~~~~~~~ + +These classes may be present within an :class:`Admissions` instance. + +.. class:: Admission(admission_authority, naming_authority, profession_infos) + :canonical: cryptography.x509.extensions.Admission + + .. versionadded:: 44.0.0 + + Contains professional information and optionally the authorization information. + + .. attribute:: admission_authority + + :type: :class:`GeneralName` or None + + An optional identifier of the institution who granted the admission. + + .. attribute:: naming_authority + + :type: :class:`NamingAuthority` or None + + An optional identifier of the institution who is administering the information of the professions in this admission. + This serves as the default value for the naming authority in a single :class:`~cryptography.x509.ProfessionInfo` + if it is not specified there. + + .. attribute:: profession_infos + + :type: list + + An information on the professions that are part of this admission. This is a list of :class:`ProfessionInfo` objects. + +.. class:: ProfessionInfo(naming_authority, profession_items, profession_oids, registration_number, add_profession_info) + :canonical: cryptography.x509.extensions.ProfessionInfo + + .. versionadded:: 44.0.0 + + Contains the information for a single profession in the admission. + + .. attribute:: naming_authority + + :type: :class:`NamingAuthority` or None + + An optional identifier of the institution who is administering the information of this profession. + + .. attribute:: profession_items + + :type: list + + One or more text strings identifying the profession. + + .. attribute:: profession_oids + + :type: list or None + + An optional list of :class:`ObjectIdentifier` elements. Each element in the list corresponds to the resp. + text string in the :attr:`profession_items` list. + + .. 
attribute:: registration_number + + :type: str or None + + An optional registration number for the profession. + + .. attribute:: add_profession_info + + :type: bytes or None + + Optional additional application-specific information in DER-encoded form. + +.. class:: NamingAuthority(id, url, text) + :canonical: cryptography.x509.extensions.NamingAuthority + + .. versionadded:: 44.0.0 + + Identifies an institution who is responsible for the administration of title registers in an admission. The naming + authority can be identified by an object identifier in the field :attr:`id`, by the text in the field :attr:`text`, + by a URL address in the field :attr:`url`, or by a combination of them. + + .. attribute:: id + + :type: :class:`ObjectIdentifier` or None + + .. attribute:: url + + :type: str or None + + .. attribute:: text + + :type: str or None + + .. _crl_entry_extensions: CRL Entry Extensions @@ -3831,6 +3945,12 @@ instances. The following common OIDs are available as constants. Corresponds to the dotted string ``"1.3.6.1.4.1.311.21.7"``. + .. attribute:: ADMISSIONS + + .. versionadded:: 44.0.0 + + Corresponds to the dotted string ``"1.3.36.8.3.3"``. + .. class:: CRLEntryExtensionOID :canonical: cryptography.hazmat._oid.CRLEntryExtensionOID @@ -4019,3 +4139,4 @@ Exceptions .. _`RFC 5280 section 4.2.1.1`: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1 .. _`RFC 5280 section 4.2.1.6`: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 .. _`CABForum Guidelines`: https://cabforum.org/baseline-requirements-documents/ +.. _`Common PKI v2`: https://www.elektronische-vertrauensdienste.de/EVD/SharedDocuments/Downloads/QES/Common_PKI_v2.0_02.pdf From 464130112908a3b4f4dd1910150ac1794df70b70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sat, 16 Nov 2024 23:50:30 +0100 Subject: [PATCH 1387/1462] refactor: replace returning pyobject with bound<'p, pyany> in x509::certificate::parse_distribution_point_reasons (#11969) 
Signed-off-by: oleg.hoefling --- src/rust/src/x509/certificate.rs | 10 +++++----- src/rust/src/x509/crl.rs | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 0533ea455fcf..f5597f669d98 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -642,10 +642,10 @@ pub(crate) fn parse_distribution_points( Ok(py_dps.into_any().unbind()) } -pub(crate) fn parse_distribution_point_reasons( - py: pyo3::Python<'_>, +pub(crate) fn parse_distribution_point_reasons<'p>( + py: pyo3::Python<'p>, reasons: Option<&asn1::BitString<'_>>, -) -> Result { +) -> CryptographyResult> { let reason_bit_mapping = types::REASON_BIT_MAPPING.get(py)?; Ok(match reasons { @@ -656,9 +656,9 @@ pub(crate) fn parse_distribution_point_reasons( vec.push(reason_bit_mapping.get_item(i)?); } } - pyo3::types::PyFrozenSet::new(py, &vec)?.into_any().unbind() + pyo3::types::PyFrozenSet::new(py, &vec)?.into_any() } - None => py.None(), + None => py.None().into_bound(py), }) } diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 8c8d9ceca6d2..e2d307e8ee8b 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -363,7 +363,7 @@ impl CertificateRevocationList { Some(reasons.unwrap_read()), )? } else { - py.None() + py.None().into_bound(py) }; Ok(Some(types::ISSUING_DISTRIBUTION_POINT.get(py)?.call1(( full_name, From 04e25086bbbbbdaa38281436c09b1a1216c8a0f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sat, 16 Nov 2024 23:59:04 +0100 Subject: [PATCH 1388/1462] refactor: replace returning pyobject with bound<'p, pyany> in x509::certificate::parse_distribution_points (#11970) Signed-off-by: oleg.hoefling --- src/rust/src/x509/certificate.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index f5597f669d98..4e130259e187 100644 
--- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -629,17 +629,17 @@ fn parse_distribution_point( .unbind()) } -pub(crate) fn parse_distribution_points( - py: pyo3::Python<'_>, +pub(crate) fn parse_distribution_points<'p>( + py: pyo3::Python<'p>, ext: &Extension<'_>, -) -> Result { +) -> CryptographyResult> { let dps = ext.value::>>()?; let py_dps = pyo3::types::PyList::empty(py); for dp in dps { let py_dp = parse_distribution_point(py, dp)?; py_dps.append(py_dp)?; } - Ok(py_dps.into_any().unbind()) + Ok(py_dps.into_any()) } pub(crate) fn parse_distribution_point_reasons<'p>( From 8c5b99d01e196e5c94d36694c9400138830e8d36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sun, 17 Nov 2024 00:03:34 +0100 Subject: [PATCH 1389/1462] chore(admissions): add changelog entry for the admissions extension addition (#11971) Signed-off-by: oleg.hoefling --- CHANGELOG.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 994eb6360ad5..eea6e0914985 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -25,6 +25,7 @@ Changelog forbidden by the CA/Browser BRs. * Added support for :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id` when using OpenSSL 3.2.0+. +* Added support for the :class:`~cryptography.x509.Admissions` certificate extension. .. _v43-0-3: From 51ef76c14ece03dfa53eada47e849bece5585573 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sun, 17 Nov 2024 00:30:04 +0100 Subject: [PATCH 1390/1462] refactor: replace returning pyobject with bound<'p, pyany> in x509::certificate::parse_distribution_point (#11972) Signed-off-by: oleg.hoefling --- src/rust/src/x509/certificate.rs | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 4e130259e187..9a7103e0b564 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs 
@@ -609,10 +609,10 @@ pub(crate) fn parse_distribution_point_name( }) } -fn parse_distribution_point( - py: pyo3::Python<'_>, +fn parse_distribution_point<'p>( + py: pyo3::Python<'p>, dp: DistributionPoint<'_>, -) -> Result { +) -> CryptographyResult> { let (full_name, relative_name) = match dp.distribution_point { Some(data) => parse_distribution_point_name(py, data)?, None => (py.None(), py.None()), @@ -625,8 +625,7 @@ fn parse_distribution_point( }; Ok(types::DISTRIBUTION_POINT .get(py)? - .call1((full_name, relative_name, reasons, crl_issuer))? - .unbind()) + .call1((full_name, relative_name, reasons, crl_issuer))?) } pub(crate) fn parse_distribution_points<'p>( From 78095d7fcf026f2d87c017220b4d061ddc99d8d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sun, 17 Nov 2024 00:31:21 +0100 Subject: [PATCH 1391/1462] refactor: replace returning pyobject with bound<'p, pyany> in x509::certificate::parse_general_subtrees (#11974) Signed-off-by: oleg.hoefling --- src/rust/src/x509/certificate.rs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 9a7103e0b564..60fab92f4a0a 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -583,15 +583,15 @@ fn parse_cp( Ok(certificate_policies.into_any().unbind()) } -fn parse_general_subtrees( - py: pyo3::Python<'_>, +fn parse_general_subtrees<'p>( + py: pyo3::Python<'p>, subtrees: SequenceOfSubtrees<'_>, -) -> Result { +) -> CryptographyResult> { let gns = pyo3::types::PyList::empty(py); for gs in subtrees.unwrap_read().clone() { gns.append(x509::parse_general_name(py, gs.base)?)?; } - Ok(gns.into_any().unbind()) + Ok(gns.into_any()) } pub(crate) fn parse_distribution_point_name( 
@@ -925,11 +925,11 @@ pub fn parse_cert_ext<'p>( let nc = ext.value::>()?; let permitted_subtrees = match nc.permitted_subtrees { Some(data) => parse_general_subtrees(py, data)?, - None => py.None(), + None => py.None().into_bound(py), }; let excluded_subtrees = match nc.excluded_subtrees { Some(data) => parse_general_subtrees(py, data)?, - None => py.None(), + None => py.None().into_bound(py), }; Ok(Some( types::NAME_CONSTRAINTS From b27517f9906ffba0e81b0d6771dc581b6a20ff72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sun, 17 Nov 2024 00:31:38 +0100 Subject: [PATCH 1392/1462] refactor: replace returning pyobject with bound<'p, pyany> in x509::common::parse_name_attribute (#11975) Signed-off-by: oleg.hoefling --- src/rust/src/x509/common.rs | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index e5da45381c16..a00d13113f48 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -193,10 +193,10 @@ pub(crate) fn parse_name<'p>( Ok(types::NAME.get(py)?.call1((py_rdns,))?) } -fn parse_name_attribute( - py: pyo3::Python<'_>, +fn parse_name_attribute<'p>( + py: pyo3::Python<'p>, attribute: AttributeTypeValue<'_>, -) -> Result { +) -> CryptographyResult> { let oid = oid_to_py_oid(py, &attribute.type_id)?; let tag_val = attribute.value.tag().as_u8().ok_or_else(|| { CryptographyError::from(pyo3::exceptions::PyValueError::new_err( @@ -226,8 +226,7 @@ fn parse_name_attribute( let kwargs = [(pyo3::intern!(py, "_validate"), false)].into_py_dict(py)?; Ok(types::NAME_ATTRIBUTE .get(py)? - .call((oid, py_data, py_tag), Some(&kwargs))? - .unbind()) + .call((oid, py_data, py_tag), Some(&kwargs))?) } pub(crate) fn parse_rdn<'a>( From 9bd3e5915367dac1f48298ba3a3fd9f88781560c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sun, 17 Nov 2024 00:35:50 +0100 Subject: [PATCH 1393/1462] refactor: replace returning pyobject with bound<'p, pyany> in x509::certificate::parse_cp (#11973) Signed-off-by: oleg.hoefling --- src/rust/src/x509/certificate.rs | 35 ++++++++++++++------------------ 1 file changed, 15 insertions(+), 20 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 60fab92f4a0a..d203f5f3bac8 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -500,10 +500,10 @@ fn parse_display_text( } } -fn parse_user_notice( - py: pyo3::Python<'_>, +fn parse_user_notice<'p>( + py: pyo3::Python<'p>, un: UserNotice<'_>, -) -> Result { +) -> CryptographyResult> { let et = match un.explicit_text { Some(data) => parse_display_text(py, data)?, None => py.None(), @@ -515,28 +515,23 @@ fn parse_user_notice( for num in data.notice_numbers.unwrap_read().clone() { numbers.append(big_byte_slice_to_py_int(py, num.as_bytes())?)?; } - types::NOTICE_REFERENCE - .get(py)? - .call1((org, numbers))? - .unbind() + types::NOTICE_REFERENCE.get(py)?.call1((org, numbers))? } - None => py.None(), + None => py.None().into_bound(py), }; - Ok(types::USER_NOTICE.get(py)?.call1((nr, et))?.unbind()) + Ok(types::USER_NOTICE.get(py)?.call1((nr, et))?) } fn parse_policy_qualifiers<'a>( - py: pyo3::Python<'_>, + py: pyo3::Python<'a>, policy_qualifiers: &asn1::SequenceOf<'a, PolicyQualifierInfo<'a>>, -) -> Result { +) -> CryptographyResult> { let py_pq = pyo3::types::PyList::empty(py); for pqi in policy_qualifiers.clone() { let qualifier = match pqi.qualifier { Qualifier::CpsUri(data) => { if pqi.policy_qualifier_id == oid::CP_CPS_URI_OID { - pyo3::types::PyString::new(py, data.as_str()) - .into_any() - .unbind() + pyo3::types::PyString::new(py, data.as_str()).into_any() } else { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( 
@@ -558,13 +553,13 @@ fn parse_policy_qualifiers<'a>( }; py_pq.append(qualifier)?; } - Ok(py_pq.into_any().unbind()) + Ok(py_pq.into_any()) } -fn parse_cp( - py: pyo3::Python<'_>, +fn parse_cp<'p>( + py: pyo3::Python<'p>, ext: &Extension<'_>, -) -> Result { +) -> CryptographyResult> { let cp = ext.value::>>()?; let certificate_policies = pyo3::types::PyList::empty(py); for policyinfo in cp { @@ -573,14 +568,14 @@ fn parse_cp( Some(policy_qualifiers) => { parse_policy_qualifiers(py, policy_qualifiers.unwrap_read())? } - None => py.None(), + None => py.None().into_bound(py), }; let pi = types::POLICY_INFORMATION .get(py)? .call1((pi_oid, py_pqis))?; certificate_policies.append(pi)?; } - Ok(certificate_policies.into_any().unbind()) + Ok(certificate_policies.into_any()) } fn parse_general_subtrees<'p>( From c9cb69e7db3c5856470853a29ec09b53f4c2d330 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sun, 17 Nov 2024 00:46:11 +0100 Subject: [PATCH 1394/1462] refactor: replace returning pyobject with bound<'p, pyany> in x509::common::parse_general_name (#11976) Signed-off-by: oleg.hoefling --- src/rust/src/x509/certificate.rs | 4 ++-- src/rust/src/x509/common.rs | 30 +++++++++++++----------------- 2 files changed, 15 insertions(+), 19 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index d203f5f3bac8..35d8f4f76209 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -785,7 +785,7 @@ fn parse_admissions<'p, 'a>( for admission in admissions.clone() { let py_admission_authority = match admission.admission_authority { Some(authority) => x509::parse_general_name(py, authority)?, - None => py.None(), + None => py.None().into_bound(py), }; let py_naming_authority = match admission.naming_authority { Some(data) => parse_naming_authority(py, data)?, 
@@ -945,7 +945,7 @@ pub fn parse_cert_ext<'p>( let admissions = ext.value::>()?; let admission_authority = match admissions.admission_authority { Some(authority) => x509::parse_general_name(py, authority)?, - None => py.None(), + None => py.None().into_bound(py), }; let py_admissions = parse_admissions(py, admissions.contents_of_admissions.unwrap_read())?; diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index a00d13113f48..58fa0b2d309d 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs 
@@ -244,38 +244,34 @@ pub(crate) fn parse_rdn<'a>( .unbind()) } -pub(crate) fn parse_general_name( - py: pyo3::Python<'_>, +pub(crate) fn parse_general_name<'p>( + py: pyo3::Python<'p>, gn: GeneralName<'_>, -) -> Result { +) -> CryptographyResult> { let py_gn = match gn { GeneralName::OtherName(data) => { let oid = oid_to_py_oid(py, &data.type_id)?; types::OTHER_NAME .get(py)? .call1((oid, data.value.full_data()))? - .unbind() } GeneralName::RFC822Name(data) => types::RFC822_NAME .get(py)? - .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? - .unbind(), + .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))?, GeneralName::DNSName(data) => types::DNS_NAME .get(py)? - .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? - .unbind(), + .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))?, GeneralName::DirectoryName(data) => { let py_name = parse_name(py, data.unwrap_read())?; - types::DIRECTORY_NAME.get(py)?.call1((py_name,))?.unbind() + types::DIRECTORY_NAME.get(py)?.call1((py_name,))? } GeneralName::UniformResourceIdentifier(data) => types::UNIFORM_RESOURCE_IDENTIFIER .get(py)? - .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? - .unbind(), + .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))?, GeneralName::IPAddress(data) => { if data.len() == 4 || data.len() == 16 { let addr = types::IPADDRESS_IPADDRESS.get(py)?.call1((data,))?; - types::IP_ADDRESS.get(py)?.call1((addr,))?.unbind() + types::IP_ADDRESS.get(py)?.call1((addr,))? } else { // if it's not an IPv4 or IPv6 we assume it's an IPNetwork and // verify length in this function. @@ -284,7 +280,7 @@ pub(crate) fn parse_general_name( } GeneralName::RegisteredID(data) => { let oid = oid_to_py_oid(py, &data)?; - types::REGISTERED_ID.get(py)?.call1((oid,))?.unbind() + types::REGISTERED_ID.get(py)?.call1((oid,))? } _ => { return Err(CryptographyError::from( 
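Review bot: The `RFC822Name`, `DNSName` and `UniformResourceIdentifier` arms of `parse_general_name` build their Python objects through `_init_without_validation`, and nothing on the function says so. These strings come from the parsed `GeneralName`, so a doc comment should state that they are handed on as-is, for example `/// Name strings are taken from the encoded value without validation; treat them as untrusted input.` The `IPAddress` arm deserves a line as well: only lengths 4 and 16 are handled here, and every other length goes to `create_ip_network`, which the existing comment says verifies the length.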
@@ -309,10 +305,10 @@ pub(crate) fn parse_general_names<'a>( Ok(gns.into_any().unbind()) } -fn create_ip_network( - py: pyo3::Python<'_>, +fn create_ip_network<'p>( + py: pyo3::Python<'p>, data: &[u8], -) -> Result { +) -> CryptographyResult> { let prefix = match data.len() { 8 => { let num = u32::from_be_bytes(data[4..].try_into().unwrap()); @@ -336,7 +332,7 @@ fn create_ip_network( prefix? ); let addr = types::IPADDRESS_IPNETWORK.get(py)?.call1((net,))?; - Ok(types::IP_ADDRESS.get(py)?.call1((addr,))?.unbind()) + Ok(types::IP_ADDRESS.get(py)?.call1((addr,))?) } fn ipv4_netmask(num: u32) -> Result { From 79a49f2f400e17066ebea0e83cb6d5f6af29a13d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 16 Nov 2024 23:46:41 +0000 Subject: [PATCH 1395/1462] chore(deps): bump libc from 0.2.162 to 0.2.164 (#11977) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.162 to 0.2.164. - [Release notes](https://github.com/rust-lang/libc/releases) - [Changelog](https://github.com/rust-lang/libc/blob/0.2.164/CHANGELOG.md) - [Commits](https://github.com/rust-lang/libc/compare/0.2.162...0.2.164) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 65901342315f..6b171f642dba 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -161,9 +161,9 @@ checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "libc" -version = "0.2.162" +version = "0.2.164" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "18d287de67fe55fd7e1581fe933d965a5a9477b38e949cfa9f8574ef01506398" +checksum = "433bfe06b8c75da9b2e3fbea6e5329ff87748f0b144ef75306e674c3f6f7c13f" [[package]] name = "memoffset" 
From 1c05763d202c99177471be7161bf6d20953f3d40 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 16 Nov 2024 23:50:02 +0000 Subject: [PATCH 1396/1462] chore(deps): bump pyo3 from 0.23.0 to 0.23.1 (#11979) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.23.0 to 0.23.1. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/v0.23.1/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.23.0...v0.23.1) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 20 ++++++++++---------- Cargo.toml | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 6b171f642dba..21416bb37d15 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -250,9 +250,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.23.0" +version = "0.23.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d51da03e17ef97ae4185cd606a4b316e04bb6f047d66913d6b57d4e6acfb41ec" +checksum = "7ebb0c0cc0de9678e53be9ccf8a2ab53045e6e3a8be03393ceccc5e7396ccb40" dependencies = [ "cfg-if", "indoc", @@ -268,9 +268,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.23.0" +version = "0.23.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "455f646b3d007fb6d85cffccff9c7dfb752f24ec9fb0a04cb49537e7e9bdc2dd" +checksum = "80e3ce69c4ec34476534b490e412b871ba03a82e35604c3dfb95fcb6bfb60c09" dependencies = [ "once_cell", "target-lexicon", 
@@ -278,9 +278,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.23.0" +version = "0.23.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "432fc20d4dd419f8d1dd402a659bb42e75430706b50d367cc978978778638084" +checksum = "3b09f311c76b36dfd6dd6f7fa6f9f18e7e46a1c937110d283e80b12ba2468a75" dependencies = [ "libc", "pyo3-build-config", @@ -288,9 +288,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.23.0" +version = "0.23.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ae1cd532e9356f90d1be1317d8bf51873e4a9468b9305b950c20e8aef786cc16" +checksum = "fd4f74086536d1e1deaff99ec0387481fb3325c82e4e48be0e75ab3d3fcb487a" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -300,9 +300,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.23.0" +version = "0.23.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "975b289b3d3901442a6def73eedf8251dc1aed2cdc0a80d1c4f3998d868a97aa" +checksum = "9e77dfeb76b32bbf069144a5ea0a36176ab59c8db9ce28732d0f06f096bbfbc8" dependencies = [ "heck", "proc-macro2", diff --git a/Cargo.toml b/Cargo.toml index 62fd139904a2..d912435a8253 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -20,7 +20,7 @@ rust-version = "1.65.0" [workspace.dependencies] asn1 = { version = "0.18.0", default-features = false } -pyo3 = { version = "0.23.0", features = ["abi3"] } +pyo3 = { version = "0.23.1", features = ["abi3"] } [profile.release] overflow-checks = true From e0ebc427a78787abdd9a3073a433e7225addd285 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sun, 17 Nov 2024 01:03:16 +0100 Subject: [PATCH 1397/1462] refactor: replace returning pyobject with bound<'p, pyany> in x509::common::parse_general_names (#11980) 
Signed-off-by: oleg.hoefling --- src/rust/src/x509/certificate.rs | 29 +++++++++++++++-------------- src/rust/src/x509/common.rs | 17 ++++++++--------- src/rust/src/x509/crl.rs | 4 ++-- src/rust/src/x509/verify.rs | 2 +- 4 files changed, 26 insertions(+), 26 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 35d8f4f76209..d57c2b7f0731 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -589,34 +589,35 @@ fn parse_general_subtrees<'p>( Ok(gns.into_any()) } -pub(crate) fn parse_distribution_point_name( - py: pyo3::Python<'_>, - dp: DistributionPointName<'_>, -) -> Result<(pyo3::PyObject, pyo3::PyObject), CryptographyError> { +pub(crate) fn parse_distribution_point_name<'p>( + py: pyo3::Python<'p>, + dp: DistributionPointName<'p>, +) -> CryptographyResult<(pyo3::Bound<'p, pyo3::PyAny>, pyo3::Bound<'p, pyo3::PyAny>)> { Ok(match dp { DistributionPointName::FullName(data) => ( x509::parse_general_names(py, data.unwrap_read())?, - py.None(), + py.None().into_bound(py), + ), + DistributionPointName::NameRelativeToCRLIssuer(data) => ( + py.None().into_bound(py), + x509::parse_rdn(py, data.unwrap_read())?, ), - DistributionPointName::NameRelativeToCRLIssuer(data) => { - (py.None(), x509::parse_rdn(py, data.unwrap_read())?) - } }) } fn parse_distribution_point<'p>( py: pyo3::Python<'p>, - dp: DistributionPoint<'_>, + dp: DistributionPoint<'p>, ) -> CryptographyResult> { let (full_name, relative_name) = match dp.distribution_point { Some(data) => parse_distribution_point_name(py, data)?, - None => (py.None(), py.None()), + None => (py.None().into_bound(py), py.None().into_bound(py)), }; let reasons = parse_distribution_point_reasons(py, dp.reasons.as_ref().map(|v| v.unwrap_read()))?; let crl_issuer = match dp.crl_issuer { Some(aci) => x509::parse_general_names(py, aci.unwrap_read())?, - None => py.None(), + None => py.None().into_bound(py), }; Ok(types::DISTRIBUTION_POINT .get(py)? 
@@ -678,7 +679,7 @@ pub(crate) fn encode_distribution_point_reasons( pub(crate) fn parse_authority_key_identifier<'p>( py: pyo3::Python<'p>, - ext: &Extension<'_>, + ext: &Extension<'p>, ) -> Result, CryptographyError> { let aki = ext.value::>()?; let serial = match aki.authority_cert_serial_number { @@ -687,7 +688,7 @@ pub(crate) fn parse_authority_key_identifier<'p>( }; let issuer = match aki.authority_cert_issuer { Some(aci) => x509::parse_general_names(py, aci.unwrap_read())?, - None => py.None(), + None => py.None().into_bound(py), }; Ok(types::AUTHORITY_KEY_IDENTIFIER .get(py)? @@ -805,7 +806,7 @@ fn parse_admissions<'p, 'a>( pub fn parse_cert_ext<'p>( py: pyo3::Python<'p>, - ext: &Extension<'_>, + ext: &Extension<'p>, ) -> CryptographyResult>> { match ext.extn_id { oid::SUBJECT_ALTERNATIVE_NAME_OID => { diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 58fa0b2d309d..3ebdd44003da 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -230,9 +230,9 @@ fn parse_name_attribute<'p>( } pub(crate) fn parse_rdn<'a>( - py: pyo3::Python<'_>, + py: pyo3::Python<'a>, rdn: &asn1::SetOf<'a, AttributeTypeValue<'a>>, -) -> Result { +) -> CryptographyResult> { let py_attrs = pyo3::types::PyList::empty(py); for attribute in rdn.clone() { let na = parse_name_attribute(py, attribute)?; @@ -240,8 +240,7 @@ pub(crate) fn parse_rdn<'a>( } Ok(types::RELATIVE_DISTINGUISHED_NAME .get(py)? - .call1((py_attrs,))? - .unbind()) + .call1((py_attrs,))?) } pub(crate) fn parse_general_name<'p>( @@ -294,15 +293,15 @@ pub(crate) fn parse_general_name<'p>( } pub(crate) fn parse_general_names<'a>( - py: pyo3::Python<'_>, + py: pyo3::Python<'a>, gn_seq: &asn1::SequenceOf<'a, GeneralName<'a>>, -) -> Result { +) -> CryptographyResult> { let gns = pyo3::types::PyList::empty(py); for gn in gn_seq.clone() { let py_gn = parse_general_name(py, gn)?; gns.append(py_gn)?; } - Ok(gns.into_any().unbind()) + Ok(gns.into_any()) } fn create_ip_network<'p>( 
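Review bot: `parse_general_names`, and `parse_rdn` in the hunk before it, now take `py: pyo3::Python<'a>` with the same `'a` that the ASN.1 data borrows, which ties the GIL lifetime to the lifetime of the parsed buffer. That coupling appears to be what turns `&Extension<'_>` into `&Extension<'p>` in `parse_cert_ext`, `parse_authority_key_identifier`, `parse_crl_entry_ext` and `parse_and_cache_extensions`, and `DistributionPoint<'_>` into `DistributionPoint<'p>`. `parse_general_name` in this file keeps the two lifetimes apart, and `parse_admissions` in certificate.rs already uses `<'p, 'a>`. Following that, `pub(crate) fn parse_general_names<'p, 'a>(py: pyo3::Python<'p>, gn_seq: &asn1::SequenceOf<'a, GeneralName<'a>>)` with the result bound to `'p` should let the callers keep their elided lifetimes, assuming the returned object borrows only from `py`.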
@@ -355,11 +354,11 @@ fn ipv6_netmask(num: u128) -> Result { pub(crate) fn parse_and_cache_extensions< 'p, - F: Fn(&Extension<'_>) -> Result>, CryptographyError>, + F: Fn(&Extension<'p>) -> Result>, CryptographyError>, >( py: pyo3::Python<'p>, cached_extensions: &pyo3::sync::GILOnceCell, - raw_extensions: &Option>, + raw_extensions: &Option>, parse_ext: F, ) -> pyo3::PyResult { cached_extensions diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index e2d307e8ee8b..d33428aa5ef5 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -355,7 +355,7 @@ impl CertificateRevocationList { let idp = ext.value::>()?; let (full_name, relative_name) = match idp.distribution_point { Some(data) => certificate::parse_distribution_point_name(py, data)?, - None => (py.None(), py.None()), + None => (py.None().into_bound(py), py.None().into_bound(py)), }; let py_reasons = if let Some(reasons) = idp.only_some_reasons { certificate::parse_distribution_point_reasons( @@ -611,7 +611,7 @@ pub(crate) fn parse_crl_reason_flags<'p>( pub fn parse_crl_entry_ext<'p>( py: pyo3::Python<'p>, - ext: &Extension<'_>, + ext: &Extension<'p>, ) -> CryptographyResult>> { match ext.extn_id { oid::CRL_REASON_OID => { diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 1722ab960bac..d9c7ddcb84d4 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -318,7 +318,7 @@ impl PyClientVerifier { let py_gns = parse_general_names(py, &leaf_gns)?; Ok(PyVerifiedClient { - subjects: Some(py_gns), + subjects: Some(py_gns.into()), chain: py_chain.unbind(), }) } From 974a5bd86511b90852e9b81cb8b4bbcc5bb51958 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sun, 17 Nov 2024 01:26:24 +0100 Subject: [PATCH 1398/1462] refactor: replace returning pyobject with bound<'p, pyany> in backend::ciphers (#11981) 
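Review bot: In the verify.rs hunk, `subjects: Some(py_gns.into())` turns the bound list back into an owned reference through a generic `Into`, while the next line uses `py_chain.unbind()` for the same step. Writing `subjects: Some(py_gns.unbind()),` keeps the two fields consistent and makes the detach from the `py` token explicit. This assumes the field holds a `Py<PyAny>`, which is not visible here. The enclosing method starts outside the hunk.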
Signed-off-by: oleg.hoefling --- src/rust/src/backend/ciphers.rs | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index f102a8e57dfe..a469d7824eda 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs @@ -520,11 +520,11 @@ impl PyAEADDecryptionContext { } #[pyo3::pyfunction] -fn create_encryption_ctx( - py: pyo3::Python<'_>, +fn create_encryption_ctx<'p>( + py: pyo3::Python<'p>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, mode: pyo3::Bound<'_, pyo3::PyAny>, -) -> CryptographyResult { +) -> CryptographyResult> { let ctx = CipherContext::new(py, algorithm, mode.clone(), openssl::symm::Mode::Encrypt)?; if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? { @@ -540,22 +540,20 @@ fn create_encryption_ctx( .extract()?, } .into_pyobject(py)? - .into_any() - .unbind()) + .into_any()) } else { Ok(PyCipherContext { ctx: Some(ctx) } .into_pyobject(py)? - .into_any() - .unbind()) + .into_any()) } } #[pyo3::pyfunction] -fn create_decryption_ctx( - py: pyo3::Python<'_>, +fn create_decryption_ctx<'p>( + py: pyo3::Python<'p>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, mode: pyo3::Bound<'_, pyo3::PyAny>, -) -> CryptographyResult { +) -> CryptographyResult> { let mut ctx = CipherContext::new(py, algorithm, mode.clone(), openssl::symm::Mode::Decrypt)?; if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? { @@ -577,13 +575,11 @@ fn create_decryption_ctx( .extract()?, } .into_pyobject(py)? - .into_any() - .unbind()) + .into_any()) } else { Ok(PyCipherContext { ctx: Some(ctx) } .into_pyobject(py)? - .into_any() - .unbind()) + .into_any()) } } From 74f262155d19f2e2cbea6d0750b9569dff90bfca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sun, 17 Nov 2024 14:33:49 +0100 Subject: [PATCH 1399/1462] chore: replace plaing hyperlinks to rfc sections with rfc roles with section argument (#11985) 
Signed-off-by: oleg.hoefling --- docs/x509/reference.rst | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index d53c5814ce18..a9f655085bb6 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -2228,7 +2228,7 @@ X.509 Extensions public key corresponding to the private key used to sign a certificate. This extension is typically used to assist in determining the appropriate certificate chain. For more information about generation and use of this - extension see `RFC 5280 section 4.2.1.1`_. + extension see :rfc:`5280#section-4.2.1.1`. .. attribute:: oid @@ -4133,10 +4133,8 @@ Exceptions :type: int The integer value of the unsupported type. The complete list of - types can be found in `RFC 5280 section 4.2.1.6`_. + types can be found in :rfc:`5280#section-4.2.1.6`. -.. _`RFC 5280 section 4.2.1.1`: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1 -.. _`RFC 5280 section 4.2.1.6`: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 .. _`CABForum Guidelines`: https://cabforum.org/baseline-requirements-documents/ .. _`Common PKI v2`: https://www.elektronische-vertrauensdienste.de/EVD/SharedDocuments/Downloads/QES/Common_PKI_v2.0_02.pdf From 45409f7a327c9a7c9ee82da19c6401d673ef638c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sun, 17 Nov 2024 14:35:43 +0100 Subject: [PATCH 1400/1462] refactor: replace returning pyobject with bound<'p, pyany> in backend::keys (#11983) Signed-off-by: oleg.hoefling --- src/rust/src/backend/keys.rs | 46 ++++++++++++++---------------------- src/rust/src/pkcs12.rs | 6 ++--- 2 files changed, 21 insertions(+), 31 deletions(-) diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index 36c84aeebb8b..b819e875b2a7 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs 
@@ -11,13 +11,13 @@ use crate::exceptions; #[pyo3::pyfunction] #[pyo3(signature = (data, password, backend=None, *, unsafe_skip_rsa_key_validation=false))] -fn load_der_private_key( - py: pyo3::Python<'_>, +fn load_der_private_key<'p>( + py: pyo3::Python<'p>, data: CffiBuf<'_>, password: Option>, backend: Option>, unsafe_skip_rsa_key_validation: bool, -) -> CryptographyResult { +) -> CryptographyResult> { let _ = backend; if let Ok(pkey) = openssl::pkey::PKey::private_key_from_der(data.as_bytes()) { if password.is_some() { @@ -42,13 +42,13 @@ fn load_der_private_key( #[pyo3::pyfunction] #[pyo3(signature = (data, password, backend=None, *, unsafe_skip_rsa_key_validation=false))] -fn load_pem_private_key( - py: pyo3::Python<'_>, +fn load_pem_private_key<'p>( + py: pyo3::Python<'p>, data: CffiBuf<'_>, password: Option>, backend: Option>, unsafe_skip_rsa_key_validation: bool, -) -> CryptographyResult { +) -> CryptographyResult> { let _ = backend; let password = password.as_ref().map(CffiBuf::as_bytes); let mut status = utils::PasswordCallbackStatus::Unused; @@ -60,18 +60,17 @@ fn load_pem_private_key( private_key_from_pkey(py, &pkey, unsafe_skip_rsa_key_validation) } -pub(crate) fn private_key_from_pkey( - py: pyo3::Python<'_>, +pub(crate) fn private_key_from_pkey<'p>( + py: pyo3::Python<'p>, pkey: &openssl::pkey::PKeyRef, unsafe_skip_rsa_key_validation: bool, -) -> CryptographyResult { +) -> CryptographyResult> { match pkey.id() { openssl::pkey::Id::RSA => Ok(crate::backend::rsa::private_key_from_pkey( pkey, unsafe_skip_rsa_key_validation, )? .into_pyobject(py)? - .unbind() .into_any()), openssl::pkey::Id::RSA_PSS => { // At the moment the way we handle RSA PSS keys is to strip the 
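Review bot: `private_key_from_pkey` in the third hunk still has no doc comment, although its signature is what this change rewrites and both loaders and the PKCS#12 code call it. Two things a caller cannot see from the signature are that the `RSA_PSS` arm strips something from PSS keys and returns them through the plain RSA path (the context comment is cut by the hunk boundary), and that `unsafe_skip_rsa_key_validation` is forwarded to the RSA backend. I would add `/// Wraps an OpenSSL private key in the matching Python key type; RSA-PSS keys are returned through the plain RSA path.` and a second line saying the flag presumably disables the RSA key consistency checks and should be `true` only for keys from a trusted source. The function body continues past this hunk.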
@@ -84,49 +83,40 @@ pub(crate) fn private_key_from_pkey( Ok( crate::backend::rsa::private_key_from_pkey(&pkey, unsafe_skip_rsa_key_validation)? .into_pyobject(py)? - .into_any() - .unbind(), + .into_any(), ) } openssl::pkey::Id::EC => Ok(crate::backend::ec::private_key_from_pkey(py, pkey)? .into_pyobject(py)? - .into_any() - .unbind()), + .into_any()), openssl::pkey::Id::X25519 => Ok(crate::backend::x25519::private_key_from_pkey(pkey) .into_pyobject(py)? - .into_any() - .unbind()), + .into_any()), #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] openssl::pkey::Id::X448 => Ok(crate::backend::x448::private_key_from_pkey(pkey) .into_pyobject(py)? - .into_any() - .unbind()), + .into_any()), openssl::pkey::Id::ED25519 => Ok(crate::backend::ed25519::private_key_from_pkey(pkey) .into_pyobject(py)? - .into_any() - .unbind()), + .into_any()), #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] openssl::pkey::Id::ED448 => Ok(crate::backend::ed448::private_key_from_pkey(pkey) .into_pyobject(py)? - .into_any() - .unbind()), + .into_any()), openssl::pkey::Id::DSA => Ok(crate::backend::dsa::private_key_from_pkey(pkey) .into_pyobject(py)? - .into_any() - .unbind()), + .into_any()), openssl::pkey::Id::DH => Ok(crate::backend::dh::private_key_from_pkey(pkey) .into_pyobject(py)? - .into_any() - .unbind()), + .into_any()), #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] openssl::pkey::Id::DHX => Ok(crate::backend::dh::private_key_from_pkey(pkey) .into_pyobject(py)? - .into_any() - .unbind()), + .into_any()), _ => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err("Unsupported key type."), )), diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 743a3cb3101b..899b0cc45cee 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs 
@@ -750,7 +750,7 @@ fn load_key_and_certificates<'p>( password: Option>, backend: Option>, ) -> CryptographyResult<( - pyo3::PyObject, + pyo3::Bound<'p, pyo3::PyAny>, Option, pyo3::Bound<'p, pyo3::types::PyList>, )> { @@ -761,7 +761,7 @@ fn load_key_and_certificates<'p>( let private_key = if let Some(pkey) = p12.pkey { keys::private_key_from_pkey(py, &pkey, false)? } else { - py.None() + py.None().into_bound(py) }; let cert = if let Some(ossl_cert) = p12.cert { let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).unbind(); @@ -808,7 +808,7 @@ fn load_pkcs12<'p>( let private_key = if let Some(pkey) = p12.pkey { keys::private_key_from_pkey(py, &pkey, false)? } else { - py.None() + py.None().into_bound(py) }; let cert = if let Some(ossl_cert) = p12.cert { let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).unbind(); From ab306cf17ae77478affdccecaf7b49ae4c0bfede Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sun, 17 Nov 2024 14:36:22 +0100 Subject: [PATCH 1401/1462] refactor: replace returning pyobject with bound<'p, pyany> in x509::certificate::parse_display_text (#11982) Signed-off-by: oleg.hoefling --- src/rust/src/x509/certificate.rs | 32 ++++++++++++-------------------- 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index d57c2b7f0731..e14c890ea889 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs 
@@ -466,36 +466,28 @@ fn warn_if_invalid_params( Ok(()) } -fn parse_display_text( - py: pyo3::Python<'_>, +fn parse_display_text<'p>( + py: pyo3::Python<'p>, text: DisplayText<'_>, -) -> pyo3::PyResult { +) -> pyo3::PyResult> { match text { - DisplayText::IA5String(o) => Ok(pyo3::types::PyString::new(py, o.as_str()) - .into_any() - .unbind()), - DisplayText::Utf8String(o) => Ok(pyo3::types::PyString::new(py, o.as_str()) - .into_any() - .unbind()), + DisplayText::IA5String(o) => Ok(pyo3::types::PyString::new(py, o.as_str()).into_any()), + DisplayText::Utf8String(o) => Ok(pyo3::types::PyString::new(py, o.as_str()).into_any()), DisplayText::VisibleString(o) => { if asn1::VisibleString::new(o.as_str()).is_none() { let warning_cls = types::DEPRECATED_IN_41.get(py)?; let message = cstr_from_literal!("Invalid ASN.1 (UTF-8 characters in a VisibleString) in the explicit text and/or notice reference of the certificate policies extension. In a future version of cryptography, an exception will be raised."); pyo3::PyErr::warn(py, &warning_cls, message, 1)?; } - Ok(pyo3::types::PyString::new(py, o.as_str()) - .into_any() - .unbind()) + Ok(pyo3::types::PyString::new(py, o.as_str()).into_any()) } DisplayText::BmpString(o) => { let py_bytes = pyo3::types::PyBytes::new(py, o.as_utf16_be_bytes()); // TODO: do the string conversion in rust perhaps - Ok(py_bytes - .call_method1( - pyo3::intern!(py, "decode"), - (pyo3::intern!(py, "utf_16_be"),), - )? - .unbind()) + Ok(py_bytes.call_method1( + pyo3::intern!(py, "decode"), + (pyo3::intern!(py, "utf_16_be"),), + )?) } } } @@ -506,7 +498,7 @@ fn parse_user_notice<'p>( ) -> CryptographyResult> { let et = match un.explicit_text { Some(data) => parse_display_text(py, data)?, - None => py.None(), + None => py.None().into_bound(py), }; let nr = match un.notice_ref { Some(data) => { 
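Review bot: In the `DisplayText::BmpString` arm of `parse_display_text` the new code wraps a `?` in `Ok(...)`, which looks redundant now that `.unbind()` is gone, since `call_method1` should already return the function's own result type. The arm can end with the call itself: `py_bytes.call_method1(pyo3::intern!(py, "decode"), (pyo3::intern!(py, "utf_16_be"),))`. The other arms still need their `Ok(...)` because `PyString::new(...).into_any()` is not a `Result`.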
@@ -724,7 +716,7 @@ fn parse_naming_authority<'p>( }; let py_text = match authority.text { Some(data) => parse_display_text(py, data)?, - None => py.None(), + None => py.None().into_bound(py), }; Ok(types::NAMING_AUTHORITY From cdcfaab917254d8d612c98e049215dc7516b460e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 17 Nov 2024 09:34:00 -0500 Subject: [PATCH 1402/1462] Added minimal bounds for a bunch of dependencies (#11953) --- pyproject.toml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 0d561612b14c..0ba039a129be 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -63,22 +63,22 @@ changelog = "https://cryptography.io/en/latest/changelog/" ssh = ["bcrypt >=3.1.5"] # All the following are used for our own testing. -nox = ["nox", "nox[uv] >=2024.03.02; python_version >= '3.8'"] +nox = ["nox >=2024.04.15", "nox[uv] >=2024.03.02; python_version >= '3.8'"] test = [ "cryptography_vectors", - "pytest >=7.2.0", - "pytest-benchmark", - "pytest-cov", - "pytest-xdist", - "pretend", - "certifi", + "pytest >=7.4.0", + "pytest-benchmark >=4.0", + "pytest-cov >=2.10.1", + "pytest-xdist >=3.5.0", + "pretend >=0.7", + "certifi >=2024", ] test-randomorder = ["pytest-randomly"] docs = ["sphinx >=5.3.0", "sphinx-rtd-theme >=3.0.0; python_version >= '3.8'"] -docstest = ["pyenchant >=1.6.11", "readme-renderer", "sphinxcontrib-spelling >=4.0.1"] +docstest = ["pyenchant >=3", "readme-renderer >=30.0", "sphinxcontrib-spelling >=7.3.1"] sdist = ["build >=1.0.0"] # `click` included because its needed to type check `release.py` -pep8test = ["ruff", "mypy", "check-sdist; python_version >= '3.8'", "click"] +pep8test = ["ruff >=0.3.6", "mypy >=1.4", "check-sdist; python_version >= '3.8'", "click >=8.0.1"] [tool.maturin] python-source = "src" From aa322e5c32c5cb1f7c47594faf557df4ca556d99 Mon Sep 17 00:00:00 2001 
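Review bot: In the pyproject.toml hunk `test-randomorder = ["pytest-randomly"]` and the `check-sdist` entry of `pep8test` stay without a lower bound while their neighbours gain one, so the extras are no longer consistent. If the aim is that a resolver cannot select a release older than what CI exercises, give them a floor too, for example `test-randomorder = ["pytest-randomly >=<MIN_TESTED_VERSION>"]`. These are floors only; a reproducible test install still depends on a constraints or hash-pinned file, which this hunk does not show.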
From: Alex Gaynor Date: Sun, 17 Nov 2024 09:37:08 -0500 Subject: [PATCH 1403/1462] remove unused default on CryptographyResult (#11986) --- src/rust/src/error.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/src/error.rs b/src/rust/src/error.rs index f0c10391ff2f..165b2b782483 100644 --- a/src/rust/src/error.rs +++ b/src/rust/src/error.rs @@ -166,7 +166,7 @@ impl CryptographyError { // The primary purpose of this alias is for brevity to keep function signatures // to a single-line as a work around for coverage issues. See // https://github.com/pyca/cryptography/pull/6173 -pub(crate) type CryptographyResult = Result; +pub(crate) type CryptographyResult = Result; #[pyo3::pyfunction] pub(crate) fn raise_openssl_error() -> crate::error::CryptographyResult<()> { From 0eedb6867ab8cb7d9b0828882af887e3047045d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sun, 17 Nov 2024 16:32:12 +0100 Subject: [PATCH 1404/1462] refactor: replace returning pyobject with bound<'p, pyany> in backend::keys module, public_key functions (#11984) * refactor: replace returning pyobject with bound<'p, pyany> in public_key methods Signed-off-by: oleg.hoefling * fix: remove obsolete clone call Signed-off-by: oleg.hoefling --------- Signed-off-by: oleg.hoefling --- src/rust/src/backend/keys.rs | 51 +++++++++++++------------------- src/rust/src/pkcs12.rs | 1 - src/rust/src/x509/certificate.rs | 5 +++- src/rust/src/x509/csr.rs | 7 +++-- src/rust/src/x509/verify.rs | 2 +- 5 files changed, 31 insertions(+), 35 deletions(-) diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index b819e875b2a7..4a323adedc4c 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs 
@@ -125,19 +125,19 @@ pub(crate) fn private_key_from_pkey<'p>( #[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] -fn load_der_public_key( - py: pyo3::Python<'_>, +fn load_der_public_key<'p>( + py: pyo3::Python<'p>, data: CffiBuf<'_>, backend: Option>, -) -> CryptographyResult { +) -> CryptographyResult> { let _ = backend; load_der_public_key_bytes(py, data.as_bytes()) } -pub(crate) fn load_der_public_key_bytes( - py: pyo3::Python<'_>, +pub(crate) fn load_der_public_key_bytes<'p>( + py: pyo3::Python<'p>, data: &[u8], -) -> CryptographyResult { +) -> CryptographyResult> { match cryptography_key_parsing::spki::parse_public_key(data) { Ok(pkey) => public_key_from_pkey(py, &pkey, pkey.id()), // It's not a (RSA/DSA/ECDSA) subjectPublicKeyInfo, but we still need @@ -154,11 +154,11 @@ pub(crate) fn load_der_public_key_bytes( #[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] -fn load_pem_public_key( - py: pyo3::Python<'_>, +fn load_pem_public_key<'p>( + py: pyo3::Python<'p>, data: CffiBuf<'_>, backend: Option>, -) -> CryptographyResult { +) -> CryptographyResult> { let _ = backend; let p = pem::parse(data.as_bytes())?; let pkey = match p.tag() { 
@@ -190,56 +190,47 @@ fn load_pem_public_key( public_key_from_pkey(py, &pkey, pkey.id()) } -fn public_key_from_pkey( - py: pyo3::Python<'_>, +fn public_key_from_pkey<'p>( + py: pyo3::Python<'p>, pkey: &openssl::pkey::PKeyRef, id: openssl::pkey::Id, -) -> CryptographyResult { +) -> CryptographyResult> { // `id` is a separate argument so we can test this while passing something // unsupported. match id { openssl::pkey::Id::RSA => Ok(crate::backend::rsa::public_key_from_pkey(pkey) .into_pyobject(py)? - .into_any() - .unbind()), + .into_any()), openssl::pkey::Id::EC => Ok(crate::backend::ec::public_key_from_pkey(py, pkey)? .into_pyobject(py)? - .into_any() - .unbind()), + .into_any()), openssl::pkey::Id::X25519 => Ok(crate::backend::x25519::public_key_from_pkey(pkey) .into_pyobject(py)? - .into_any() - .unbind()), + .into_any()), #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] openssl::pkey::Id::X448 => Ok(crate::backend::x448::public_key_from_pkey(pkey) .into_pyobject(py)? - .into_any() - .unbind()), + .into_any()), openssl::pkey::Id::ED25519 => Ok(crate::backend::ed25519::public_key_from_pkey(pkey) .into_pyobject(py)? - .into_any() - .unbind()), + .into_any()), #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] openssl::pkey::Id::ED448 => Ok(crate::backend::ed448::public_key_from_pkey(pkey) .into_pyobject(py)? - .into_any() - .unbind()), + .into_any()), openssl::pkey::Id::DSA => Ok(crate::backend::dsa::public_key_from_pkey(pkey) .into_pyobject(py)? - .into_any() - .unbind()), + .into_any()), openssl::pkey::Id::DH => Ok(crate::backend::dh::public_key_from_pkey(pkey) .into_pyobject(py)? - .into_any() - .unbind()), + .into_any()), #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] openssl::pkey::Id::DHX => Ok(crate::backend::dh::public_key_from_pkey(pkey) .into_pyobject(py)? 
- .into_any() - .unbind()), + .into_any()), _ => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err("Unsupported key type."), diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 899b0cc45cee..3de031a22b38 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -520,7 +520,6 @@ fn serialize_key_and_certificates<'p>( if let Some(ref key) = key { if !cert .public_key(py)? - .into_bound(py) .eq(key.call_method0(pyo3::intern!(py, "public_key"))?)? { return Err(CryptographyError::from( diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index e14c890ea889..989d6365f47c 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -66,7 +66,10 @@ impl Certificate { slf } - pub(crate) fn public_key(&self, py: pyo3::Python<'_>) -> CryptographyResult { + pub(crate) fn public_key<'p>( + &self, + py: pyo3::Python<'p>, + ) -> CryptographyResult> { keys::load_der_public_key_bytes( py, self.raw.borrow_dependent().tbs_cert.spki.tlv().full_data(), diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 9ca3080672d2..ae669d941bf5 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -47,7 +47,10 @@ impl CertificateSigningRequest { self.raw.borrow_owner().as_bytes(py) == other.raw.borrow_owner().as_bytes(py) } - fn public_key(&self, py: pyo3::Python<'_>) -> CryptographyResult { + fn public_key<'p>( + &self, + py: pyo3::Python<'p>, + ) -> CryptographyResult> { keys::load_der_public_key_bytes( py, self.raw.borrow_dependent().csr_info.spki.tlv().full_data(), @@ -225,7 +228,7 @@ impl CertificateSigningRequest { let public_key = slf.public_key(py)?; Ok(sign::verify_signature_with_signature_algorithm( py, - public_key.bind(py).clone(), + public_key, &slf.raw.borrow_dependent().signature_alg, slf.raw.borrow_dependent().signature.as_bytes(), &asn1::write_single(&slf.raw.borrow_dependent().csr_info)?, 
diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index d9c7ddcb84d4..39bfb7952a86 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -31,7 +31,7 @@ impl CryptoOps for PyCryptoOps { fn public_key(&self, cert: &Certificate<'_>) -> Result { pyo3::Python::with_gil(|py| -> Result { - keys::load_der_public_key_bytes(py, cert.tbs_cert.spki.tlv().full_data()) + Ok(keys::load_der_public_key_bytes(py, cert.tbs_cert.spki.tlv().full_data())?.unbind()) }) } From cabe787cca4f31a64cd201eac2e5a117edf3f79f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oleg=20H=C3=B6fling?= Date: Sun, 17 Nov 2024 16:33:58 +0100 Subject: [PATCH 1405/1462] refactor: replace returning pyobject with bound<'p, pyany> in crl::CertificateRevocationList::__getitem__ (#11987) Signed-off-by: oleg.hoefling --- src/rust/src/x509/crl.rs | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index d33428aa5ef5..fe307d5c118e 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -138,11 +138,11 @@ impl CertificateRevocationList { } } - fn __getitem__( + fn __getitem__<'p>( &self, - py: pyo3::Python<'_>, + py: pyo3::Python<'p>, idx: pyo3::Bound<'_, pyo3::PyAny>, - ) -> pyo3::PyResult { + ) -> pyo3::PyResult> { self.revoked_certs.get_or_init(py, || { let mut revoked_certs = vec![]; let mut it = self.__iter__(); @@ -161,7 +161,7 @@ impl CertificateRevocationList { let revoked_cert = pyo3::Bound::new(py, self.revoked_cert(py, i as usize))?; result.append(revoked_cert)?; } - Ok(result.into_any().unbind()) + Ok(result.into_any()) } else { let mut idx = idx.extract::()?; if idx < 0 { 
@@ -170,9 +170,7 @@ impl CertificateRevocationList { if idx >= (self.len() as isize) || idx < 0 { return Err(pyo3::exceptions::PyIndexError::new_err(())); } - Ok(pyo3::Bound::new(py, self.revoked_cert(py, idx as usize))? - .into_any() - .unbind()) + Ok(pyo3::Bound::new(py, self.revoked_cert(py, idx as usize))?.into_any()) } } From 7a246af5fe0c75cb2708ea8d9dcfa11c41225a85 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 17 Nov 2024 07:35:54 -0800 Subject: [PATCH 1406/1462] update to asn1 0.19 and use X509GeneralizedTime (#11988) --- Cargo.lock | 15 +++++++++++---- Cargo.toml | 2 +- .../src/policy/mod.rs | 10 +++++----- src/rust/cryptography-x509/src/common.rs | 2 +- src/rust/cryptography-x509/src/ocsp_resp.rs | 8 ++++---- src/rust/src/x509/certificate.rs | 6 +++--- src/rust/src/x509/extensions.rs | 4 +++- src/rust/src/x509/ocsp_resp.rs | 9 +++++---- 8 files changed, 33 insertions(+), 23 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 21416bb37d15..e1956740645d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4,18 +4,19 @@ version = 3 [[package]] name = "asn1" -version = "0.18.0" +version = "0.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3522623dbb7db59b34439c022ab0445a0257a62ad20d499da3a3507394708559" +checksum = "18d97d0d2e60ad0595a73b82264dcd46c2f96769b0f555ae71c14122f0679f65" dependencies = [ "asn1_derive", + "itoa", ] [[package]] name = "asn1_derive" -version = "0.18.0" +version = "0.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "da79157fc864ed738b596d622929466c68ed48371f17a5f05e329880420a160d" +checksum = "00cec5ab4e9217b82bdd194bf6a4c74890a7e6d530159546bd83684f42211b8a" dependencies = [ "proc-macro2", "quote", 
@@ -159,6 +160,12 @@ version = "2.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" +[[package]] +name = "itoa" +version = "1.0.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b" + [[package]] name = "libc" version = "0.2.164" diff --git a/Cargo.toml b/Cargo.toml index d912435a8253..92f599d49dd3 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -19,7 +19,7 @@ publish = false rust-version = "1.65.0" [workspace.dependencies] -asn1 = { version = "0.18.0", default-features = false } +asn1 = { version = "0.19.0", default-features = false } pyo3 = { version = "0.23.1", features = ["abi3"] } [profile.release] diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 2703e868dbde..8c2216b71fe4 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -780,7 +780,7 @@ mod tests { let generalized_dt = utc_dt.clone(); let utc_validity = Time::UtcTime(asn1::UtcTime::new(utc_dt).unwrap()); let generalized_validity = - Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); + Time::GeneralizedTime(asn1::X509GeneralizedTime::new(generalized_dt).unwrap()); assert!(permits_validity_date::(&utc_validity).is_ok()); assert!(permits_validity_date::(&generalized_validity).is_err()); } 
@@ -790,7 +790,7 @@ mod tests { let generalized_dt = utc_dt.clone(); let utc_validity = Time::UtcTime(asn1::UtcTime::new(utc_dt).unwrap()); let generalized_validity = - Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); + Time::GeneralizedTime(asn1::X509GeneralizedTime::new(generalized_dt).unwrap()); assert!(permits_validity_date::(&utc_validity).is_ok()); assert!(permits_validity_date::(&generalized_validity).is_err()); } @@ -800,7 +800,7 @@ mod tests { let generalized_dt = utc_dt.clone(); assert!(asn1::UtcTime::new(utc_dt).is_err()); let generalized_validity = - Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); + Time::GeneralizedTime(asn1::X509GeneralizedTime::new(generalized_dt).unwrap()); assert!(permits_validity_date::(&generalized_validity).is_ok()); } { @@ -810,7 +810,7 @@ mod tests { // The `asn1::UtcTime` constructor prevents this. assert!(asn1::UtcTime::new(utc_dt).is_err()); let generalized_validity = - Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); + Time::GeneralizedTime(asn1::X509GeneralizedTime::new(generalized_dt).unwrap()); assert!(permits_validity_date::(&generalized_validity).is_ok()); } { @@ -820,7 +820,7 @@ mod tests { // The `asn1::UtcTime` constructor prevents this. assert!(asn1::UtcTime::new(utc_dt).is_err()); let generalized_validity = - Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); + Time::GeneralizedTime(asn1::X509GeneralizedTime::new(generalized_dt).unwrap()); assert!(permits_validity_date::(&generalized_validity).is_ok()); } } diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 4ca825eb2c95..d4a91cb2d5b5 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs 
@@ -207,7 +207,7 @@ impl asn1::Asn1Writable for RawTlv<'_> { #[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash, Clone)] pub enum Time { UtcTime(asn1::UtcTime), - GeneralizedTime(asn1::GeneralizedTime), + GeneralizedTime(asn1::X509GeneralizedTime), } impl Time { diff --git a/src/rust/cryptography-x509/src/ocsp_resp.rs b/src/rust/cryptography-x509/src/ocsp_resp.rs index f40707ed2f75..5b0338b5028e 100644 --- a/src/rust/cryptography-x509/src/ocsp_resp.rs +++ b/src/rust/cryptography-x509/src/ocsp_resp.rs @@ -39,7 +39,7 @@ pub struct ResponseData<'a> { #[default(0)] pub version: u8, pub responder_id: ResponderId<'a>, - pub produced_at: asn1::GeneralizedTime, + pub produced_at: asn1::X509GeneralizedTime, pub responses: common::Asn1ReadableOrWritable< asn1::SequenceOf<'a, SingleResponse<'a>>, asn1::SequenceOfWriter<'a, SingleResponse<'a>, Vec>>, @@ -60,9 +60,9 @@ pub enum ResponderId<'a> { pub struct SingleResponse<'a> { pub cert_id: ocsp_req::CertID<'a>, pub cert_status: CertStatus, - pub this_update: asn1::GeneralizedTime, + pub this_update: asn1::X509GeneralizedTime, #[explicit(0)] - pub next_update: Option, + pub next_update: Option, #[explicit(1)] pub raw_single_extensions: Option>, } @@ -79,7 +79,7 @@ pub enum CertStatus { #[derive(asn1::Asn1Read, asn1::Asn1Write)] pub struct RevokedInfo { - pub revocation_time: asn1::GeneralizedTime, + pub revocation_time: asn1::X509GeneralizedTime, #[explicit(0)] pub revocation_reason: Option, } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 989d6365f47c..775140682284 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs 
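Review bot: The switch of `Time::GeneralizedTime` to `asn1::X509GeneralizedTime` in common.rs carries no comment saying why the plain `asn1::GeneralizedTime` must not be used, and the same goes for `produced_at`, `this_update`, `next_update` and `revocation_time` in the ocsp_resp.rs hunks. RFC 5280 forbids fractional seconds in GeneralizedTime values, and as far as I know asn1 0.19 keeps that restriction only in the X509-prefixed type, so a later edit back to `asn1::GeneralizedTime` would still compile and quietly widen what the parser accepts. I would add above the variant `// X.509 profile: no fractional seconds (RFC 5280 4.1.2.5.2); do not replace with asn1::GeneralizedTime.`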
@@ -965,9 +965,9 @@ pub(crate) fn time_from_py( pub(crate) fn time_from_datetime(dt: asn1::DateTime) -> CryptographyResult { if dt.year() >= 2050 { - Ok(common::Time::GeneralizedTime(asn1::GeneralizedTime::new( - dt, - )?)) + Ok(common::Time::GeneralizedTime( + asn1::X509GeneralizedTime::new(dt)?, + )) } else { Ok(common::Time::UtcTime(asn1::UtcTime::new(dt).unwrap())) } diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 7659a4bd5fdd..7ac539f23007 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -678,7 +678,9 @@ pub(crate) fn encode_extension( &oid::INVALIDITY_DATE_OID => { let py_dt = ext.getattr(pyo3::intern!(py, "invalidity_date_utc"))?; let dt = x509::py_to_datetime(py, py_dt)?; - Ok(Some(asn1::write_single(&asn1::GeneralizedTime::new(dt)?)?)) + Ok(Some(asn1::write_single(&asn1::X509GeneralizedTime::new( + dt, + )?)?)) } &oid::CRL_NUMBER_OID | &oid::DELTA_CRL_INDICATOR_OID => { let intval = ext diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 26c8050f731c..25b1dc20d6d0 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -728,7 +728,8 @@ pub(crate) fn create_ocsp_response( }; // REVOKED let py_revocation_time = py_single_resp.getattr(pyo3::intern!(py, "_revocation_time"))?; - let revocation_time = asn1::GeneralizedTime::new(py_to_datetime(py, py_revocation_time)?)?; + let revocation_time = + asn1::X509GeneralizedTime::new(py_to_datetime(py, py_revocation_time)?)?; ocsp_resp::CertStatus::Revoked(ocsp_resp::RevokedInfo { revocation_time, revocation_reason, @@ -739,7 +740,7 @@ pub(crate) fn create_ocsp_response( .is_none() { let py_next_update = py_single_resp.getattr(pyo3::intern!(py, "_next_update"))?; - Some(asn1::GeneralizedTime::new(py_to_datetime( + Some(asn1::X509GeneralizedTime::new(py_to_datetime( py, py_next_update, )?)?) 
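Review bot: `time_from_datetime` keeps `asn1::UtcTime::new(dt).unwrap()` in the branch for years below 2050, while the branch edited in this hunk propagates the constructor error with `?`. The tests in policy/mod.rs of this same commit assert that `asn1::UtcTime::new` returns an error for dates it cannot represent, so such a date would panic here unless every caller rejects it first, which the hunk does not show. Use `Ok(common::Time::UtcTime(asn1::UtcTime::new(dt)?))`, or keep the unwrap as an `expect(...)` that states the caller invariant.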
@@ -747,7 +748,7 @@ pub(crate) fn create_ocsp_response( None }; let py_this_update = py_single_resp.getattr(pyo3::intern!(py, "_this_update"))?; - let this_update = asn1::GeneralizedTime::new(py_to_datetime(py, py_this_update)?)?; + let this_update = asn1::X509GeneralizedTime::new(py_to_datetime(py, py_this_update)?)?; let ka_vec = cryptography_keepalive::KeepAlive::new(); let ka_bytes = cryptography_keepalive::KeepAlive::new(); @@ -789,7 +790,7 @@ pub(crate) fn create_ocsp_response( let tbs_response_data = ocsp_resp::ResponseData { version: 0, - produced_at: asn1::GeneralizedTime::new(x509::common::datetime_now(py)?)?, + produced_at: asn1::X509GeneralizedTime::new(x509::common::datetime_now(py)?)?, responder_id, responses: common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new( responses, From 451003b8334c4becc4a39da8b54e3c45f280cf2d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 17 Nov 2024 08:23:14 -0800 Subject: [PATCH 1407/1462] remove Certificate abc (#11989) --- .../hazmat/bindings/_rust/x509.pyi | 54 +++++- src/cryptography/x509/base.py | 161 +----------------- 2 files changed, 52 insertions(+), 163 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index 983200df5e45..c116974de125 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi 
@@ -6,9 +6,13 @@ import datetime import typing from cryptography import x509 -from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives import hashes, serialization +from cryptography.hazmat.primitives.asymmetric.ec import ECDSA from cryptography.hazmat.primitives.asymmetric.padding import PSS, PKCS1v15 -from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes +from cryptography.hazmat.primitives.asymmetric.types import ( + CertificatePublicKeyTypes, + PrivateKeyTypes, +) def load_pem_x509_certificate( data: bytes, backend: typing.Any = None 
@@ -53,7 +57,51 @@ def create_x509_crl( ) -> x509.CertificateRevocationList: ... class Sct: ... -class Certificate: ... + +class Certificate: + def fingerprint(self, algorithm: hashes.HashAlgorithm) -> bytes: ... + @property + def serial_number(self) -> int: ... + @property + def version(self) -> x509.Version: ... + def public_key(self) -> CertificatePublicKeyTypes: ... + @property + def public_key_algorithm_oid(self) -> x509.ObjectIdentifier: ... + @property + def not_valid_before(self) -> datetime.datetime: ... + @property + def not_valid_before_utc(self) -> datetime.datetime: ... + @property + def not_valid_after(self) -> datetime.datetime: ... + @property + def not_valid_after_utc(self) -> datetime.datetime: ... + @property + def issuer(self) -> x509.Name: ... + @property + def subject(self) -> x509.Name: ... + @property + def signature_hash_algorithm( + self, + ) -> hashes.HashAlgorithm | None: ... + @property + def signature_algorithm_oid(self) -> x509.ObjectIdentifier: ... + @property + def signature_algorithm_parameters( + self, + ) -> None | PSS | PKCS1v15 | ECDSA: ... + @property + def extensions(self) -> x509.Extensions: ... + @property + def signature(self) -> bytes: ... + @property + def tbs_certificate_bytes(self) -> bytes: ... + @property + def tbs_precertificate_bytes(self) -> bytes: ... + def __eq__(self, other: object) -> bool: ... + def __hash__(self) -> int: ... + def public_bytes(self, encoding: serialization.Encoding) -> bytes: ... + def verify_directly_issued_by(self, issuer: Certificate) -> None: ... + class RevokedCertificate: ... class CertificateRevocationList: ... class CertificateSigningRequest: ... diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index 6ed41e6694c6..af69194ccc5e 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py 
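Review bot: The new `Certificate` stub lists every member without a docstring, and the base.py hunk of this commit deletes the abstract class that held them, so the contract text disappears from the Python sources. The one that matters most is `verify_directly_issued_by`: the removed docstring said it checks only that the issuer name matches and that the signature verifies, and that no other validation is performed, which is what stops a caller from treating it as path validation. Keep that text as a docstring on `verify_directly_issued_by` in the stub, and likewise the note on `tbs_precertificate_bytes` about the SCT list extension being stripped. The `OCSPRequest` stub added to ocsp.pyi in the following commit has the same gap.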
@@ -160,166 +160,7 @@ def __init__(self, msg: str, parsed_version: int) -> None: self.parsed_version = parsed_version -class Certificate(metaclass=abc.ABCMeta): - @abc.abstractmethod - def fingerprint(self, algorithm: hashes.HashAlgorithm) -> bytes: - """ - Returns bytes using digest passed. - """ - - @property - @abc.abstractmethod - def serial_number(self) -> int: - """ - Returns certificate serial number - """ - - @property - @abc.abstractmethod - def version(self) -> Version: - """ - Returns the certificate version - """ - - @abc.abstractmethod - def public_key(self) -> CertificatePublicKeyTypes: - """ - Returns the public key - """ - - @property - @abc.abstractmethod - def public_key_algorithm_oid(self) -> ObjectIdentifier: - """ - Returns the ObjectIdentifier of the public key. - """ - - @property - @abc.abstractmethod - def not_valid_before(self) -> datetime.datetime: - """ - Not before time (represented as UTC datetime) - """ - - @property - @abc.abstractmethod - def not_valid_before_utc(self) -> datetime.datetime: - """ - Not before time (represented as a non-naive UTC datetime) - """ - - @property - @abc.abstractmethod - def not_valid_after(self) -> datetime.datetime: - """ - Not after time (represented as UTC datetime) - """ - - @property - @abc.abstractmethod - def not_valid_after_utc(self) -> datetime.datetime: - """ - Not after time (represented as a non-naive UTC datetime) - """ - - @property - @abc.abstractmethod - def issuer(self) -> Name: - """ - Returns the issuer name object. - """ - - @property - @abc.abstractmethod - def subject(self) -> Name: - """ - Returns the subject name object. - """ - - @property - @abc.abstractmethod - def signature_hash_algorithm( - self, - ) -> hashes.HashAlgorithm | None: - """ - Returns a HashAlgorithm corresponding to the type of the digest signed - in the certificate. 
- """ - - @property - @abc.abstractmethod - def signature_algorithm_oid(self) -> ObjectIdentifier: - """ - Returns the ObjectIdentifier of the signature algorithm. - """ - - @property - @abc.abstractmethod - def signature_algorithm_parameters( - self, - ) -> None | padding.PSS | padding.PKCS1v15 | ec.ECDSA: - """ - Returns the signature algorithm parameters. - """ - - @property - @abc.abstractmethod - def extensions(self) -> Extensions: - """ - Returns an Extensions object. - """ - - @property - @abc.abstractmethod - def signature(self) -> bytes: - """ - Returns the signature bytes. - """ - - @property - @abc.abstractmethod - def tbs_certificate_bytes(self) -> bytes: - """ - Returns the tbsCertificate payload bytes as defined in RFC 5280. - """ - - @property - @abc.abstractmethod - def tbs_precertificate_bytes(self) -> bytes: - """ - Returns the tbsCertificate payload bytes with the SCT list extension - stripped. - """ - - @abc.abstractmethod - def __eq__(self, other: object) -> bool: - """ - Checks equality. - """ - - @abc.abstractmethod - def __hash__(self) -> int: - """ - Computes a hash. - """ - - @abc.abstractmethod - def public_bytes(self, encoding: serialization.Encoding) -> bytes: - """ - Serializes the certificate to PEM or DER format. - """ - - @abc.abstractmethod - def verify_directly_issued_by(self, issuer: Certificate) -> None: - """ - This method verifies that certificate issuer name matches the - issuer subject name and that the certificate is signed by the - issuer's private key. No other validation is performed. - """ - - -# Runtime isinstance checks need this since the rust class is not a subclass. -Certificate.register(rust_x509.Certificate) +Certificate = rust_x509.Certificate class RevokedCertificate(metaclass=abc.ABCMeta): From e8a0d1ddb75e6bf1e7ef0a61479d1250b592fc39 Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Sun, 17 Nov 2024 08:29:33 -0800 Subject: [PATCH 1408/1462] remove OCSPRequest abc (#11990) --- .../hazmat/bindings/_rust/ocsp.pyi | 17 ++++++- src/cryptography/x509/ocsp.py | 45 +------------------ 2 files changed, 16 insertions(+), 46 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/ocsp.pyi b/src/cryptography/hazmat/bindings/_rust/ocsp.pyi index 5e02145d86a5..6ff6ec770a14 100644 --- a/src/cryptography/hazmat/bindings/_rust/ocsp.pyi +++ b/src/cryptography/hazmat/bindings/_rust/ocsp.pyi @@ -2,11 +2,24 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. -from cryptography.hazmat.primitives import hashes +from cryptography import x509 +from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes from cryptography.x509 import ocsp -class OCSPRequest: ... +class OCSPRequest: + @property + def issuer_key_hash(self) -> bytes: ... + @property + def issuer_name_hash(self) -> bytes: ... + @property + def hash_algorithm(self) -> hashes.HashAlgorithm: ... + @property + def serial_number(self) -> int: ... + def public_bytes(self, encoding: serialization.Encoding) -> bytes: ... + @property + def extensions(self) -> x509.Extensions: ... + class OCSPResponse: ... class OCSPSingleResponse: ... diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py index dbb475db2ab2..f55009634c2b 100644 --- a/src/cryptography/x509/ocsp.py +++ b/src/cryptography/x509/ocsp.py 
@@ -127,49 +127,6 @@ def __init__( self._revocation_reason = revocation_reason -class OCSPRequest(metaclass=abc.ABCMeta): - @property - @abc.abstractmethod - def issuer_key_hash(self) -> bytes: - """ - The hash of the issuer public key - """ - - @property - @abc.abstractmethod - def issuer_name_hash(self) -> bytes: - """ - The hash of the issuer name - """ - - @property - @abc.abstractmethod - def hash_algorithm(self) -> hashes.HashAlgorithm: - """ - The hash algorithm used in the issuer name and key hashes - """ - - @property - @abc.abstractmethod - def serial_number(self) -> int: - """ - The serial number of the cert whose status is being checked - """ - - @abc.abstractmethod - def public_bytes(self, encoding: serialization.Encoding) -> bytes: - """ - Serializes the request to DER - """ - - @property - @abc.abstractmethod - def extensions(self) -> x509.Extensions: - """ - The list of request extensions. Not single request extensions. - """ - - class OCSPSingleResponse(metaclass=abc.ABCMeta): @property @abc.abstractmethod @@ -460,7 +417,7 @@ def public_bytes(self, encoding: serialization.Encoding) -> bytes: """ -OCSPRequest.register(ocsp.OCSPRequest) +OCSPRequest = ocsp.OCSPRequest OCSPResponse.register(ocsp.OCSPResponse) OCSPSingleResponse.register(ocsp.OCSPSingleResponse) From d680859b8b5f45c1a3f7948edbb4caf1a3f1196d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 17 Nov 2024 08:46:59 -0800 Subject: [PATCH 1409/1462] remove OCSPResponse abc (#11992) * remove OCSPResponse abc * flake fix --- .../hazmat/bindings/_rust/ocsp.pyi | 59 ++++- src/cryptography/x509/ocsp.py | 201 +----------------- 2 files changed, 60 insertions(+), 200 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/ocsp.pyi b/src/cryptography/hazmat/bindings/_rust/ocsp.pyi index 6ff6ec770a14..bd80ba3fe7a3 100644 --- a/src/cryptography/hazmat/bindings/_rust/ocsp.pyi +++ b/src/cryptography/hazmat/bindings/_rust/ocsp.pyi 
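Review bot: Rebinding the public name with `OCSPRequest = ocsp.OCSPRequest` in the second hunk changes what downstream code can do with it. It is no longer an `abc.ABCMeta` class, so `OCSPRequest.register(...)` is gone, and subclassing now depends on whether the Rust class allows it, which this diff does not show. `isinstance` checks against the name now accept only objects of the Rust type. The commit's file list contains only ocsp.pyi and ocsp.py, so no CHANGELOG entry records this; I would add one and put a comment above the alias such as `# Alias of the Rust type; no longer an ABC, virtual subclasses cannot be registered.` The same rebinding appears later on this page for `OCSPResponse`, `CertificateRevocationList`, `OCSPSingleResponse`, `CertificateSigningRequest` and `SignedCertificateTimestamp`.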
@@ -2,6 +2,9 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. +import datetime +import typing + from cryptography import x509 from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes 
@@ -20,7 +23,61 @@ class OCSPRequest: @property def extensions(self) -> x509.Extensions: ... -class OCSPResponse: ... +class OCSPResponse: + @property + def responses(self) -> typing.Iterator[OCSPSingleResponse]: ... + @property + def response_status(self) -> ocsp.OCSPResponseStatus: ... + @property + def signature_algorithm_oid(self) -> x509.ObjectIdentifier: ... + @property + def signature_hash_algorithm( + self, + ) -> hashes.HashAlgorithm | None: ... + @property + def signature(self) -> bytes: ... + @property + def tbs_response_bytes(self) -> bytes: ... + @property + def certificates(self) -> list[x509.Certificate]: ... + @property + def responder_key_hash(self) -> bytes | None: ... + @property + def responder_name(self) -> x509.Name | None: ... + @property + def produced_at(self) -> datetime.datetime: ... + @property + def produced_at_utc(self) -> datetime.datetime: ... + @property + def certificate_status(self) -> ocsp.OCSPCertStatus: ... + @property + def revocation_time(self) -> datetime.datetime | None: ... + @property + def revocation_time_utc(self) -> datetime.datetime | None: ... + @property + def revocation_reason(self) -> x509.ReasonFlags | None: ... + @property + def this_update(self) -> datetime.datetime: ... + @property + def this_update_utc(self) -> datetime.datetime: ... + @property + def next_update(self) -> datetime.datetime | None: ... + @property + def next_update_utc(self) -> datetime.datetime | None: ... + @property + def issuer_key_hash(self) -> bytes: ... + @property + def issuer_name_hash(self) -> bytes: ... + @property + def hash_algorithm(self) -> hashes.HashAlgorithm: ... + @property + def serial_number(self) -> int: ... + @property + def extensions(self) -> x509.Extensions: ... + @property + def single_extensions(self) -> x509.Extensions: ... + def public_bytes(self, encoding: serialization.Encoding) -> bytes: ... + class OCSPSingleResponse: ... def load_der_ocsp_request(data: bytes) -> ocsp.OCSPRequest: ... 
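Review bot: `produced_at`, `revocation_time`, `this_update` and `next_update` are annotated exactly like their `_utc` counterparts, so the stub no longer tells a caller which of each pair carries a timezone. The docstrings deleted from ocsp.py in this commit described only the `_utc` properties as non-naive UTC datetimes, so presumably the plain ones are naive. Mixing a naive value with an aware `datetime` in a freshness check on `this_update`/`next_update` raises `TypeError`, and comparing two naive values from different zones silently gives the wrong answer. I would add a comment above each pair, e.g. `# Naive datetime; prefer this_update_utc for comparisons.`, after confirming the naive behaviour against the Rust implementation. The `OCSPSingleResponse` stub added by a later patch on this page repeats the `revocation_time`, `this_update` and `next_update` pairs.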
diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py index f55009634c2b..27091e68c229 100644 --- a/src/cryptography/x509/ocsp.py +++ b/src/cryptography/x509/ocsp.py @@ -10,7 +10,7 @@ from cryptography import utils, x509 from cryptography.hazmat.bindings._rust import ocsp -from cryptography.hazmat.primitives import hashes, serialization +from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric.types import ( CertificateIssuerPrivateKeyTypes, ) 
@@ -220,205 +220,8 @@ def serial_number(self) -> int: """ -class OCSPResponse(metaclass=abc.ABCMeta): - @property - @abc.abstractmethod - def responses(self) -> typing.Iterator[OCSPSingleResponse]: - """ - An iterator over the individual SINGLERESP structures in the - response - """ - - @property - @abc.abstractmethod - def response_status(self) -> OCSPResponseStatus: - """ - The status of the response. This is a value from the OCSPResponseStatus - enumeration - """ - - @property - @abc.abstractmethod - def signature_algorithm_oid(self) -> x509.ObjectIdentifier: - """ - The ObjectIdentifier of the signature algorithm - """ - - @property - @abc.abstractmethod - def signature_hash_algorithm( - self, - ) -> hashes.HashAlgorithm | None: - """ - Returns a HashAlgorithm corresponding to the type of the digest signed - """ - - @property - @abc.abstractmethod - def signature(self) -> bytes: - """ - The signature bytes - """ - - @property - @abc.abstractmethod - def tbs_response_bytes(self) -> bytes: - """ - The tbsResponseData bytes - """ - - @property - @abc.abstractmethod - def certificates(self) -> list[x509.Certificate]: - """ - A list of certificates used to help build a chain to verify the OCSP - response. This situation occurs when the OCSP responder uses a delegate - certificate. - """ - - @property - @abc.abstractmethod - def responder_key_hash(self) -> bytes | None: - """ - The responder's key hash or None - """ - - @property - @abc.abstractmethod - def responder_name(self) -> x509.Name | None: - """ - The responder's Name or None - """ - - @property - @abc.abstractmethod - def produced_at(self) -> datetime.datetime: - """ - The time the response was produced - """ - - @property - @abc.abstractmethod - def produced_at_utc(self) -> datetime.datetime: - """ - The time the response was produced. Represented as a non-naive UTC - datetime. 
- """ - - @property - @abc.abstractmethod - def certificate_status(self) -> OCSPCertStatus: - """ - The status of the certificate (an element from the OCSPCertStatus enum) - """ - - @property - @abc.abstractmethod - def revocation_time(self) -> datetime.datetime | None: - """ - The date of when the certificate was revoked or None if not - revoked. - """ - - @property - @abc.abstractmethod - def revocation_time_utc(self) -> datetime.datetime | None: - """ - The date of when the certificate was revoked or None if not - revoked. Represented as a non-naive UTC datetime. - """ - - @property - @abc.abstractmethod - def revocation_reason(self) -> x509.ReasonFlags | None: - """ - The reason the certificate was revoked or None if not specified or - not revoked. - """ - - @property - @abc.abstractmethod - def this_update(self) -> datetime.datetime: - """ - The most recent time at which the status being indicated is known by - the responder to have been correct - """ - - @property - @abc.abstractmethod - def this_update_utc(self) -> datetime.datetime: - """ - The most recent time at which the status being indicated is known by - the responder to have been correct. Represented as a non-naive UTC - datetime. - """ - - @property - @abc.abstractmethod - def next_update(self) -> datetime.datetime | None: - """ - The time when newer information will be available - """ - - @property - @abc.abstractmethod - def next_update_utc(self) -> datetime.datetime | None: - """ - The time when newer information will be available. Represented as a - non-naive UTC datetime. 
- """ - - @property - @abc.abstractmethod - def issuer_key_hash(self) -> bytes: - """ - The hash of the issuer public key - """ - - @property - @abc.abstractmethod - def issuer_name_hash(self) -> bytes: - """ - The hash of the issuer name - """ - - @property - @abc.abstractmethod - def hash_algorithm(self) -> hashes.HashAlgorithm: - """ - The hash algorithm used in the issuer name and key hashes - """ - - @property - @abc.abstractmethod - def serial_number(self) -> int: - """ - The serial number of the cert whose status is being checked - """ - - @property - @abc.abstractmethod - def extensions(self) -> x509.Extensions: - """ - The list of response extensions. Not single response extensions. - """ - - @property - @abc.abstractmethod - def single_extensions(self) -> x509.Extensions: - """ - The list of single response extensions. Not response extensions. - """ - - @abc.abstractmethod - def public_bytes(self, encoding: serialization.Encoding) -> bytes: - """ - Serializes the response to DER - """ - - OCSPRequest = ocsp.OCSPRequest -OCSPResponse.register(ocsp.OCSPResponse) +OCSPResponse = ocsp.OCSPResponse OCSPSingleResponse.register(ocsp.OCSPSingleResponse) From 6311b9dcd5d48785c356309c3cef6a25d2e4e05b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 17 Nov 2024 08:54:13 -0800 Subject: [PATCH 1410/1462] remove crl abc (#11991) * remove crl abc * flake fix * oops --- .../hazmat/bindings/_rust/x509.pyi | 46 +++++- src/cryptography/x509/base.py | 150 +----------------- 2 files changed, 46 insertions(+), 150 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index c116974de125..b343260b1631 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi 
@@ -10,6 +10,7 @@ from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric.ec import ECDSA from cryptography.hazmat.primitives.asymmetric.padding import PSS, PKCS1v15 from cryptography.hazmat.primitives.asymmetric.types import ( + CertificateIssuerPublicKeyTypes, CertificatePublicKeyTypes, PrivateKeyTypes, ) 
@@ -103,7 +104,50 @@ class Certificate: def verify_directly_issued_by(self, issuer: Certificate) -> None: ... class RevokedCertificate: ... -class CertificateRevocationList: ... + +class CertificateRevocationList: + def public_bytes(self, encoding: serialization.Encoding) -> bytes: ... + def fingerprint(self, algorithm: hashes.HashAlgorithm) -> bytes: ... + def get_revoked_certificate_by_serial_number( + self, serial_number: int + ) -> RevokedCertificate | None: ... + @property + def signature_hash_algorithm( + self, + ) -> hashes.HashAlgorithm | None: ... + @property + def signature_algorithm_oid(self) -> x509.ObjectIdentifier: ... + @property + def signature_algorithm_parameters( + self, + ) -> None | PSS | PKCS1v15 | ECDSA: ... + @property + def issuer(self) -> x509.Name: ... + @property + def next_update(self) -> datetime.datetime | None: ... + @property + def next_update_utc(self) -> datetime.datetime | None: ... + @property + def last_update(self) -> datetime.datetime: ... + @property + def last_update_utc(self) -> datetime.datetime: ... + @property + def extensions(self) -> x509.Extensions: ... + @property + def signature(self) -> bytes: ... + @property + def tbs_certlist_bytes(self) -> bytes: ... + def __eq__(self, other: object) -> bool: ... + def __len__(self) -> int: ... + @typing.overload + def __getitem__(self, idx: int) -> x509.RevokedCertificate: ... + @typing.overload + def __getitem__(self, idx: slice) -> list[x509.RevokedCertificate]: ... + def __iter__(self) -> typing.Iterator[x509.RevokedCertificate]: ... + def is_signature_valid( + self, public_key: CertificateIssuerPublicKeyTypes + ) -> bool: ... + class CertificateSigningRequest: ... class PolicyBuilder: diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index af69194ccc5e..d3ed3c848661 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py 
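Review bot: The return annotations in the new `CertificateRevocationList` stub name two different classes for the same objects: `get_revoked_certificate_by_serial_number` returns the stub-local `RevokedCertificate`, while `__getitem__` and `__iter__` return `x509.RevokedCertificate`. As far as this page shows, `x509.RevokedCertificate` is still the ABC defined in base.py, and a type checker has no reason to treat the stub-local class as related to it. The ABC removed from base.py in this commit used the base.py class for all three. Using one spelling throughout, `) -> x509.RevokedCertificate | None: ...`, avoids spurious errors when the lookup result is passed to code annotated with the public type.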
@@ -25,7 +25,6 @@ ) from cryptography.hazmat.primitives.asymmetric.types import ( CertificateIssuerPrivateKeyTypes, - CertificateIssuerPublicKeyTypes, CertificatePublicKeyTypes, ) from cryptography.x509.extensions import ( 
@@ -232,154 +231,7 @@ def extensions(self) -> Extensions: return self._extensions -class CertificateRevocationList(metaclass=abc.ABCMeta): - @abc.abstractmethod - def public_bytes(self, encoding: serialization.Encoding) -> bytes: - """ - Serializes the CRL to PEM or DER format. - """ - - @abc.abstractmethod - def fingerprint(self, algorithm: hashes.HashAlgorithm) -> bytes: - """ - Returns bytes using digest passed. - """ - - @abc.abstractmethod - def get_revoked_certificate_by_serial_number( - self, serial_number: int - ) -> RevokedCertificate | None: - """ - Returns an instance of RevokedCertificate or None if the serial_number - is not in the CRL. - """ - - @property - @abc.abstractmethod - def signature_hash_algorithm( - self, - ) -> hashes.HashAlgorithm | None: - """ - Returns a HashAlgorithm corresponding to the type of the digest signed - in the certificate. - """ - - @property - @abc.abstractmethod - def signature_algorithm_oid(self) -> ObjectIdentifier: - """ - Returns the ObjectIdentifier of the signature algorithm. - """ - - @property - @abc.abstractmethod - def signature_algorithm_parameters( - self, - ) -> None | padding.PSS | padding.PKCS1v15 | ec.ECDSA: - """ - Returns the signature algorithm parameters. - """ - - @property - @abc.abstractmethod - def issuer(self) -> Name: - """ - Returns the X509Name with the issuer of this CRL. - """ - - @property - @abc.abstractmethod - def next_update(self) -> datetime.datetime | None: - """ - Returns the date of next update for this CRL. - """ - - @property - @abc.abstractmethod - def next_update_utc(self) -> datetime.datetime | None: - """ - Returns the date of next update for this CRL as a non-naive UTC - datetime. - """ - - @property - @abc.abstractmethod - def last_update(self) -> datetime.datetime: - """ - Returns the date of last update for this CRL. 
- """ - - @property - @abc.abstractmethod - def last_update_utc(self) -> datetime.datetime: - """ - Returns the date of last update for this CRL as a non-naive UTC - datetime. - """ - - @property - @abc.abstractmethod - def extensions(self) -> Extensions: - """ - Returns an Extensions object containing a list of CRL extensions. - """ - - @property - @abc.abstractmethod - def signature(self) -> bytes: - """ - Returns the signature bytes. - """ - - @property - @abc.abstractmethod - def tbs_certlist_bytes(self) -> bytes: - """ - Returns the tbsCertList payload bytes as defined in RFC 5280. - """ - - @abc.abstractmethod - def __eq__(self, other: object) -> bool: - """ - Checks equality. - """ - - @abc.abstractmethod - def __len__(self) -> int: - """ - Number of revoked certificates in the CRL. - """ - - @typing.overload - def __getitem__(self, idx: int) -> RevokedCertificate: ... - - @typing.overload - def __getitem__(self, idx: slice) -> list[RevokedCertificate]: ... - - @abc.abstractmethod - def __getitem__( - self, idx: int | slice - ) -> RevokedCertificate | list[RevokedCertificate]: - """ - Returns a revoked certificate (or slice of revoked certificates). - """ - - @abc.abstractmethod - def __iter__(self) -> typing.Iterator[RevokedCertificate]: - """ - Iterator over the revoked certificates - """ - - @abc.abstractmethod - def is_signature_valid( - self, public_key: CertificateIssuerPublicKeyTypes - ) -> bool: - """ - Verifies signature of revocation list against given public key. - """ - - -CertificateRevocationList.register(rust_x509.CertificateRevocationList) +CertificateRevocationList = rust_x509.CertificateRevocationList class CertificateSigningRequest(metaclass=abc.ABCMeta): From 1cae81e6da2bcc681bbdb136caf4643117e0c139 Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Sun, 17 Nov 2024 08:58:59 -0800 Subject: [PATCH 1411/1462] remove OCSPSingleResponse abc (#11993) --- .../hazmat/bindings/_rust/ocsp.pyi | 26 ++++- src/cryptography/x509/ocsp.py | 96 +------------------ 2 files changed, 26 insertions(+), 96 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/ocsp.pyi b/src/cryptography/hazmat/bindings/_rust/ocsp.pyi index bd80ba3fe7a3..e4321bec2ad2 100644 --- a/src/cryptography/hazmat/bindings/_rust/ocsp.pyi +++ b/src/cryptography/hazmat/bindings/_rust/ocsp.pyi @@ -78,7 +78,31 @@ class OCSPResponse: def single_extensions(self) -> x509.Extensions: ... def public_bytes(self, encoding: serialization.Encoding) -> bytes: ... -class OCSPSingleResponse: ... +class OCSPSingleResponse: + @property + def certificate_status(self) -> ocsp.OCSPCertStatus: ... + @property + def revocation_time(self) -> datetime.datetime | None: ... + @property + def revocation_time_utc(self) -> datetime.datetime | None: ... + @property + def revocation_reason(self) -> x509.ReasonFlags | None: ... + @property + def this_update(self) -> datetime.datetime: ... + @property + def this_update_utc(self) -> datetime.datetime: ... + @property + def next_update(self) -> datetime.datetime | None: ... + @property + def next_update_utc(self) -> datetime.datetime | None: ... + @property + def issuer_key_hash(self) -> bytes: ... + @property + def issuer_name_hash(self) -> bytes: ... + @property + def hash_algorithm(self) -> hashes.HashAlgorithm: ... + @property + def serial_number(self) -> int: ... def load_der_ocsp_request(data: bytes) -> ocsp.OCSPRequest: ... def load_der_ocsp_response(data: bytes) -> ocsp.OCSPResponse: ... diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py index 27091e68c229..5a011c412ad3 100644 --- a/src/cryptography/x509/ocsp.py +++ b/src/cryptography/x509/ocsp.py @@ -4,7 +4,6 @@ from __future__ import annotations -import abc import datetime import typing 
@@ -127,102 +126,9 @@ def __init__( self._revocation_reason = revocation_reason -class OCSPSingleResponse(metaclass=abc.ABCMeta): - @property - @abc.abstractmethod - def certificate_status(self) -> OCSPCertStatus: - """ - The status of the certificate (an element from the OCSPCertStatus enum) - """ - - @property - @abc.abstractmethod - def revocation_time(self) -> datetime.datetime | None: - """ - The date of when the certificate was revoked or None if not - revoked. - """ - - @property - @abc.abstractmethod - def revocation_time_utc(self) -> datetime.datetime | None: - """ - The date of when the certificate was revoked or None if not - revoked. Represented as a non-naive UTC datetime. - """ - - @property - @abc.abstractmethod - def revocation_reason(self) -> x509.ReasonFlags | None: - """ - The reason the certificate was revoked or None if not specified or - not revoked. - """ - - @property - @abc.abstractmethod - def this_update(self) -> datetime.datetime: - """ - The most recent time at which the status being indicated is known by - the responder to have been correct - """ - - @property - @abc.abstractmethod - def this_update_utc(self) -> datetime.datetime: - """ - The most recent time at which the status being indicated is known by - the responder to have been correct. Represented as a non-naive UTC - datetime. - """ - - @property - @abc.abstractmethod - def next_update(self) -> datetime.datetime | None: - """ - The time when newer information will be available - """ - - @property - @abc.abstractmethod - def next_update_utc(self) -> datetime.datetime | None: - """ - The time when newer information will be available. Represented as a - non-naive UTC datetime. 
- """ - - @property - @abc.abstractmethod - def issuer_key_hash(self) -> bytes: - """ - The hash of the issuer public key - """ - - @property - @abc.abstractmethod - def issuer_name_hash(self) -> bytes: - """ - The hash of the issuer name - """ - - @property - @abc.abstractmethod - def hash_algorithm(self) -> hashes.HashAlgorithm: - """ - The hash algorithm used in the issuer name and key hashes - """ - - @property - @abc.abstractmethod - def serial_number(self) -> int: - """ - The serial number of the cert whose status is being checked - """ - - OCSPRequest = ocsp.OCSPRequest OCSPResponse = ocsp.OCSPResponse -OCSPSingleResponse.register(ocsp.OCSPSingleResponse) +OCSPSingleResponse = ocsp.OCSPSingleResponse class OCSPRequestBuilder: From 3fdf1f8b985c8bc240edcf5ec46d7862a2f105c3 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 17 Nov 2024 09:03:33 -0800 Subject: [PATCH 1412/1462] remove csr abc (#11994) --- .../hazmat/bindings/_rust/x509.pyi | 29 ++++- src/cryptography/x509/base.py | 108 +----------------- 2 files changed, 30 insertions(+), 107 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index b343260b1631..398b5c2329dc 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi 
@@ -148,7 +148,34 @@ class CertificateRevocationList: self, public_key: CertificateIssuerPublicKeyTypes ) -> bool: ... -class CertificateSigningRequest: ... +class CertificateSigningRequest: + def __eq__(self, other: object) -> bool: ... + def __hash__(self) -> int: ... + def public_key(self) -> CertificatePublicKeyTypes: ... + @property + def subject(self) -> x509.Name: ... + @property + def signature_hash_algorithm( + self, + ) -> hashes.HashAlgorithm | None: ... + @property + def signature_algorithm_oid(self) -> x509.ObjectIdentifier: ... + @property + def signature_algorithm_parameters( + self, + ) -> None | PSS | PKCS1v15 | ECDSA: ... + @property + def extensions(self) -> x509.Extensions: ... + @property + def attributes(self) -> x509.Attributes: ... + def public_bytes(self, encoding: serialization.Encoding) -> bytes: ... + @property + def signature(self) -> bytes: ... + @property + def tbs_certrequest_bytes(self) -> bytes: ... + @property + def is_signature_valid(self) -> bool: ... + def get_attribute_for_oid(self, oid: x509.ObjectIdentifier) -> bytes: ... class PolicyBuilder: def time(self, new_time: datetime.datetime) -> PolicyBuilder: ... diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index d3ed3c848661..25b317af626f 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -12,7 +12,7 @@ from cryptography import utils from cryptography.hazmat.bindings._rust import x509 as rust_x509 -from cryptography.hazmat.primitives import hashes, serialization +from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric import ( dsa, ec, 
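Review bot: `is_signature_valid` is declared as a property on `CertificateSigningRequest` here, while the `CertificateRevocationList` stub added to the same file earlier on this page declares the same name as a method taking `public_key`. With the docstrings removed from base.py, nothing tells a caller that `if crl.is_signature_valid:` without the call is always true, because a bound method is truthy. Both forms are annotated `-> bool`, which suggests a bad signature yields `False` rather than an exception, so the result has to be checked; that should be confirmed against the Rust code. I would add a comment above each declaration, e.g. `# Property: True if the request's own signature verifies; check the result.` here and `# Method: call with the issuer public key; returns bool, check the result.` on the CRL one.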
@@ -232,111 +232,7 @@ def extensions(self) -> Extensions: CertificateRevocationList = rust_x509.CertificateRevocationList - - -class CertificateSigningRequest(metaclass=abc.ABCMeta): - @abc.abstractmethod - def __eq__(self, other: object) -> bool: - """ - Checks equality. - """ - - @abc.abstractmethod - def __hash__(self) -> int: - """ - Computes a hash. - """ - - @abc.abstractmethod - def public_key(self) -> CertificatePublicKeyTypes: - """ - Returns the public key - """ - - @property - @abc.abstractmethod - def subject(self) -> Name: - """ - Returns the subject name object. - """ - - @property - @abc.abstractmethod - def signature_hash_algorithm( - self, - ) -> hashes.HashAlgorithm | None: - """ - Returns a HashAlgorithm corresponding to the type of the digest signed - in the certificate. - """ - - @property - @abc.abstractmethod - def signature_algorithm_oid(self) -> ObjectIdentifier: - """ - Returns the ObjectIdentifier of the signature algorithm. - """ - - @property - @abc.abstractmethod - def signature_algorithm_parameters( - self, - ) -> None | padding.PSS | padding.PKCS1v15 | ec.ECDSA: - """ - Returns the signature algorithm parameters. - """ - - @property - @abc.abstractmethod - def extensions(self) -> Extensions: - """ - Returns the extensions in the signing request. - """ - - @property - @abc.abstractmethod - def attributes(self) -> Attributes: - """ - Returns an Attributes object. - """ - - @abc.abstractmethod - def public_bytes(self, encoding: serialization.Encoding) -> bytes: - """ - Encodes the request to PEM or DER format. - """ - - @property - @abc.abstractmethod - def signature(self) -> bytes: - """ - Returns the signature bytes. - """ - - @property - @abc.abstractmethod - def tbs_certrequest_bytes(self) -> bytes: - """ - Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC - 2986. - """ - - @property - @abc.abstractmethod - def is_signature_valid(self) -> bool: - """ - Verifies signature of signing request. 
- """ - - @abc.abstractmethod - def get_attribute_for_oid(self, oid: ObjectIdentifier) -> bytes: - """ - Get the attribute value for a given OID. - """ - - -# Runtime isinstance checks need this since the rust class is not a subclass. -CertificateSigningRequest.register(rust_x509.CertificateSigningRequest) +CertificateSigningRequest = rust_x509.CertificateSigningRequest load_pem_x509_certificate = rust_x509.load_pem_x509_certificate From 4c72f368234e60a06e4a0beaf87be55940dd49c1 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 17 Nov 2024 09:24:19 -0800 Subject: [PATCH 1413/1462] remove sct abc (#11995) * remove sct abc * don't alias --- .../hazmat/bindings/_rust/x509.pyi | 21 +++++- .../x509/certificate_transparency.py | 64 +------------------ 2 files changed, 21 insertions(+), 64 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index 398b5c2329dc..b494fb61de3d 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi @@ -14,6 +14,7 @@ from cryptography.hazmat.primitives.asymmetric.types import ( CertificatePublicKeyTypes, PrivateKeyTypes, ) +from cryptography.x509 import certificate_transparency def load_pem_x509_certificate( data: bytes, backend: typing.Any = None 
@@ -57,7 +58,25 @@ def create_x509_crl( rsa_padding: PKCS1v15 | PSS | None, ) -> x509.CertificateRevocationList: ... -class Sct: ... +class Sct: + @property + def version(self) -> certificate_transparency.Version: ... + @property + def log_id(self) -> bytes: ... + @property + def timestamp(self) -> datetime.datetime: ... + @property + def entry_type(self) -> certificate_transparency.LogEntryType: ... + @property + def signature_hash_algorithm(self) -> hashes.HashAlgorithm: ... + @property + def signature_algorithm( + self, + ) -> certificate_transparency.SignatureAlgorithm: ... + @property + def signature(self) -> bytes: ... + @property + def extension_bytes(self) -> bytes: ... class Certificate: def fingerprint(self, algorithm: hashes.HashAlgorithm) -> bytes: ... diff --git a/src/cryptography/x509/certificate_transparency.py b/src/cryptography/x509/certificate_transparency.py index 73647ee716fc..fb66cc604952 100644 --- a/src/cryptography/x509/certificate_transparency.py +++ b/src/cryptography/x509/certificate_transparency.py @@ -4,12 +4,8 @@ from __future__ import annotations -import abc -import datetime - from cryptography import utils from cryptography.hazmat.bindings._rust import x509 as rust_x509 -from cryptography.hazmat.primitives.hashes import HashAlgorithm class LogEntryType(utils.Enum): 
@@ -36,62 +32,4 @@ class SignatureAlgorithm(utils.Enum): ECDSA = 3 -class SignedCertificateTimestamp(metaclass=abc.ABCMeta): - @property - @abc.abstractmethod - def version(self) -> Version: - """ - Returns the SCT version. - """ - - @property - @abc.abstractmethod - def log_id(self) -> bytes: - """ - Returns an identifier indicating which log this SCT is for. - """ - - @property - @abc.abstractmethod - def timestamp(self) -> datetime.datetime: - """ - Returns the timestamp for this SCT. - """ - - @property - @abc.abstractmethod - def entry_type(self) -> LogEntryType: - """ - Returns whether this is an SCT for a certificate or pre-certificate. - """ - - @property - @abc.abstractmethod - def signature_hash_algorithm(self) -> HashAlgorithm: - """ - Returns the hash algorithm used for the SCT's signature. - """ - - @property - @abc.abstractmethod - def signature_algorithm(self) -> SignatureAlgorithm: - """ - Returns the signing algorithm used for the SCT's signature. - """ - - @property - @abc.abstractmethod - def signature(self) -> bytes: - """ - Returns the signature for this SCT. - """ - - @property - @abc.abstractmethod - def extension_bytes(self) -> bytes: - """ - Returns the raw bytes of any extensions for this SCT. - """ - - -SignedCertificateTimestamp.register(rust_x509.Sct) +SignedCertificateTimestamp = rust_x509.Sct From 44e08782847a3063ee19f3e7882029c9c53d2091 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 19 Nov 2024 00:18:56 +0000 Subject: [PATCH 1414/1462] Bump BoringSSL and/or OpenSSL in CI (#11996) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1a90348818da..c3df6eb8a4a7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 16, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "83fc0d94d7040544480d42db01554f2421cfc081"}} + # Latest commit on the BoringSSL master branch, as of Nov 19, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "bb01fbf752b9197d2a2ffc890d1b2b9390e9e319"}} # Latest commit on the OpenSSL master branch, as of Nov 16, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5c5b8d2d7c59fc48981861629bb0b75a03497440"}} # Builds with various Rust versions. Includes MSRV and next From be03c0cad27b2bc7c8ee5f2832fff4cc8056a75a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 19 Nov 2024 00:38:46 +0000 Subject: [PATCH 1415/1462] Bump x509-limbo and/or wycheproof in CI (#11997) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 4688a928f8c4..742227752c85 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Nov 13, 2024. - ref: "b2521cdc61d11e290e398e7bb549992662e391b8" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Nov 19, 2024. + ref: "018b4cf10ac7c94669d3d50d4d759003497d6bea" # x509-limbo-ref From 57401ba1943fbc9e65e85c215d4b2d87d1c33115 Mon Sep 17 00:00:00 2001 
From: Quentin Retourne <32574188+nitneuqr@users.noreply.github.com> Date: Tue, 19 Nov 2024 12:44:21 +0100 Subject: [PATCH 1416/1462] added vector with different key encryption algo (#11998) adapted documentation accordingly --- docs/development/test-vectors.rst | 5 ++++- .../pkcs7/enveloped-rsa-oaep.pem | 16 ++++++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 vectors/cryptography_vectors/pkcs7/enveloped-rsa-oaep.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 3b0b085cbb8f..6bc031464ef9 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -877,7 +877,10 @@ Custom PKCS7 Test Vectors CA 2 and 3 generated by OpenSSL. * ``pkcs7/enveloped.pem`` - A PEM encoded PKCS7 file with enveloped data. * ``pkcs7/enveloped-aes-256-cbc.pem`` - A PEM encoded PKCS7 file with - enveloped data, encrypted using AES-256-CBC under the public key of + enveloped data, with content encrypted using AES-256-CBC, under the public key of + ``x509/custom/ca/rsa_ca.pem``. +* ``pkcs7/enveloped-rsa-oaep.pem``- A PEM encoded PKCS7 file with + enveloped data, with key encrypted using RSA-OAEP, under the public key of ``x509/custom/ca/rsa_ca.pem``. Custom OpenSSH Test Vectors diff --git a/vectors/cryptography_vectors/pkcs7/enveloped-rsa-oaep.pem b/vectors/cryptography_vectors/pkcs7/enveloped-rsa-oaep.pem new file mode 100644 index 000000000000..6acec6915e7d --- /dev/null +++ b/vectors/cryptography_vectors/pkcs7/enveloped-rsa-oaep.pem 
@@ -0,0 +1,16 @@ +-----BEGIN PKCS7----- +MIICmwYJKoZIhvcNAQcDoIICjDCCAogCAQAxggJDMIICPwIBADAnMBoxGDAWBgNV +BAMMD2NyeXB0b2dyYXBoeSBDQQIJAOcS06ClbtbJMA0GCSqGSIb3DQEBBzAABIIC +AKQssr4/Kd+CcT6waZG2xeaM8z8AcL1ISOqcul01uZNG/7LmGffjkpSWZmv4fZsY +ZkmZI5eKYk1DcOmMAx8lbKt3uAqOLQi2UuZBk/iY0k20GXk9G6hA7fhOy6yL4ntR +h4I+iX5DeVvGu4HTMV0gAGHBf3mCrpZkZrXdX8iL4N4xMpwNim5FO9js+9/I4c2u +AOWGKrOO8oR5cc8ty7rC/PZ3qQ0B26SdXr4kiQPdLZAE10WR0A7WZdTwzIBGRX8S +r9SCi5cKokE30ft/J7ckojpu6hmfFOdPY6+14p+1+7WoqNmDkcROiFB7kDnkkBp/ +hDnMHIlmP0/tzsAr0FWnIgP9ht2dJrCL0aA/pITh3IVgIxdB5cIqTfUbRSm/ahpI +XnR8cZjV864vx9ioqVqCxR6FOtV0faFwie3gIy4M4gD5VFWX+cWX3KQRHN6tYLAR +5yu9jt1ArB9kO+q8fUZ99MC6DesnLraYldWUI/nmv3ioUxOPYFEMyFR00y2fjDBf +zyB5w/uHcqP2Im1hXqjixcIKLoijNe2KSdYhNngE3vwl/hxlhCgjncsZulL8Nlyv +VFeaphRJcHrKwoEUO4PCkoMi6TbrrS/wYwjgIW6ftBvgXGr751NJdDSDbfT3bkdm +ixQrG7Osq9sV83s9cAkuXsrxLj5Vou0KjaWWrwNxBVWXMDwGCSqGSIb3DQEHATAd +BglghkgBZQMEAQIEECvpZHTTj4XIKBhqcfKQrGaAEJuq6z8EFxz5sbr6W0opVEA= +-----END PKCS7----- From a6237ca11e1883d0207547de905bac29d7c19444 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 20 Nov 2024 00:18:11 +0000 Subject: [PATCH 1417/1462] Bump BoringSSL and/or OpenSSL in CI (#11999) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c3df6eb8a4a7..62f243a6e003 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 19, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "bb01fbf752b9197d2a2ffc890d1b2b9390e9e319"}} - # Latest commit on the OpenSSL master branch, as of Nov 16, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5c5b8d2d7c59fc48981861629bb0b75a03497440"}} + # Latest commit on the BoringSSL master branch, as of Nov 20, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "264f4f7a958af6c4ccb04662e302a99dfa7c5b85"}} + # Latest commit on the OpenSSL master branch, as of Nov 20, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dcb5d6bf887797ce65a88fa08e66167fa4155657"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From fc78bf0e9714062752c51c24570ffae16bdfc7ad Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 20 Nov 2024 00:37:16 +0000 Subject: [PATCH 1418/1462] Bump x509-limbo and/or wycheproof in CI (#12000) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 742227752c85..ff12ad56b059 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Nov 19, 2024. - ref: "018b4cf10ac7c94669d3d50d4d759003497d6bea" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Nov 20, 2024. + ref: "169fb4337b2811ddf4df3672e2614cb54aea5ab6" # x509-limbo-ref From 54af082d60cbe47796bed8c978a60b34575ad414 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Nov 2024 07:04:38 -0500 Subject: [PATCH 1419/1462] chore(deps): bump itoa from 1.0.11 to 1.0.12 (#12004) Bumps [itoa](https://github.com/dtolnay/itoa) from 1.0.11 to 1.0.12. - [Release notes](https://github.com/dtolnay/itoa/releases) - [Commits](https://github.com/dtolnay/itoa/compare/1.0.11...1.0.12) --- updated-dependencies: - dependency-name: itoa dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index e1956740645d..b181c877d295 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -162,9 +162,9 @@ checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "itoa" -version = "1.0.11" +version = "1.0.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b" +checksum = "7a73e9fe3c49d7afb2ace819fa181a287ce54a0983eda4e0eb05c22f82ffe534" [[package]] name = "libc" From 106b735692066371f5fe7c21cf9abc000e5d65fe Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Nov 2024 07:05:08 -0500 Subject: [PATCH 1420/1462] chore(deps): bump unicode-ident from 1.0.13 to 1.0.14 (#12003) Bumps [unicode-ident](https://github.com/dtolnay/unicode-ident) from 1.0.13 to 1.0.14. - [Release notes](https://github.com/dtolnay/unicode-ident/releases) - [Commits](https://github.com/dtolnay/unicode-ident/compare/1.0.13...1.0.14) --- updated-dependencies: - dependency-name: unicode-ident dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index b181c877d295..beb9a8434354 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -358,9 +358,9 @@ checksum = "61c41af27dd6d1e27b1b16b489db798443478cef1f06a660c96db617ba5de3b1" [[package]] name = "unicode-ident" -version = "1.0.13" +version = "1.0.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e91b56cd4cadaeb79bbf1a5645f6b4f8dc5bde8834ad5894a8db35fda9efa1fe" +checksum = "adb9e6ca4f869e1180728b7950e35922a7fc6397f7b641499e8f3ef06e50dc83" [[package]] name = "unindent" From 926d084bc77732cd91db2d5785fe606f7d68e8eb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Nov 2024 07:05:23 -0500 Subject: [PATCH 1421/1462] chore(deps): bump uv from 0.5.2 to 0.5.3 in /.github/requirements (#12002) Bumps [uv](https://github.com/astral-sh/uv) from 0.5.2 to 0.5.3. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.5.2...0.5.3) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 87ee2798cc15..7767b4c3c1c0 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.5.2 \ - --hash=sha256:15c7ffa08ae21abd221dbdf9ba25c8969235f587cec6df8035552434e5ca1cc5 \ - --hash=sha256:2597e91be45b3f4458d0d16a5a1cda7e93af7d6dbfddf251aae5377f9187fa88 \ - --hash=sha256:27d666da8fbb0f87d9df67abf9feea0da4ee1336730f2c4be29a11f3feaa0a29 \ - --hash=sha256:374e9498e155fcaa8728a6770b84f03781106d705332f4ec059e1cc93c8f4d8a \ - --hash=sha256:5052758d374dd769efd0c70b4789ffb08439567eb114ad8fe728536bb5cc5299 \ - --hash=sha256:675ca34829ceca3e9de395cf05e8f881334a24488f97dd923c463830270d52a7 \ - --hash=sha256:67776d34cba359c63919c5ad50331171261d2ec7a83fd07f032eb8cc22e22b8e \ - --hash=sha256:71467545d51883d1af7094c8f6da69b55e7d49b742c2dc707d644676dcb66515 \ - --hash=sha256:772b32d157ec8f27c0099ecac94cf5cd298bce72f1a1f512205591de4e9f0c5c \ - --hash=sha256:7bde66f13571e437fd45f32f5742ab53d5e011b4edb1c74cb74cb8b1cbb828b5 \ - --hash=sha256:89e60ad9601f35f187326de84f35e7517c6eb1438359da42ec85cfd9c1895957 \ - --hash=sha256:a4d4fdad03e6dc3e8216192b8a12bcf2c71c8b12046e755575c7f262cbb61924 \ - --hash=sha256:a8a9897dd7657258c53f41aecdbe787da99f4fc0775f19826ab65cc0a7136cbf \ - --hash=sha256:c9795b990fb0b2a18d3a8cef8822e13c6a6f438bc16d34ccf01d931c76cfd5da \ - --hash=sha256:cfba5b0070652da4174083b78852f3ab3d262ba1c8b63a4d5ae497263b02b834 \ - --hash=sha256:d0834c6b37750c045bbea80600d3ae3e95becc4db148f5c0d0bc3ec6a7924e8f \ - --hash=sha256:d1fe4e025dbb9ec5c9250bfc1231847b8487706538f94d10c769f0a54db3e0af \ - --hash=sha256:dfcd8275ff8cb59d5f26f826a44270b2fe8f38aa7188d7355c48d3e9b759d0c0 +uv==0.5.3 \ + --hash=sha256:0cb6583bba8904732879eefba09b19183d456073cb2c86a98d48bfe2e4a02dd9 \ + --hash=sha256:1be17854ee881b454f5eb6a6b501f0431c7c00870ff9375dc08af7c655dd36a3 \ + --hash=sha256:2e900108b7744dba514ba19931edad3bfdfb7d6f76a654bc2eff544da6f20207 \ + --hash=sha256:319ea98006bdeecbc26d7bb59ce8821828eed266bceef86fd2c46c64d9adafd9 \ + 
--hash=sha256:37eaeb2535a362b55be3e6eb6cfca8df7cb94786c99a150c77e0a7b218f54159 \ + --hash=sha256:415c26372814404105b810ae29e3a8eccd2d4b17f9fdeaf570f24b7ee4e22417 \ + --hash=sha256:4b37792524ce9864bbc0090110727a219473c971e3b4673b14c1817e0bbb3465 \ + --hash=sha256:53da2848e6b5f33ed1a834aee73020a728fe7363334f0cd53c00d1800dd5f2ed \ + --hash=sha256:5caa1cd194925e5c215459c26081ab304c47292d52902faf7a34d94c6e153c03 \ + --hash=sha256:80f079ca405ee4ecc814f4591b92e869887c70d6a6a3120e9216462c98924f65 \ + --hash=sha256:837c9e303c23697508a6ab125d451bcea8bd2d0dbdf13d12e6860b481c46bbfd \ + --hash=sha256:867f9651225a55aec882c40b2a7a905cd4d3521c74a0675c11a7bdaf753b0400 \ + --hash=sha256:991c04f9351705ee322caa7e776d37ef215f74458f68c292811a25eb3ed18e07 \ + --hash=sha256:bfee241db07e4663c8f37d70e63a7ce411e7de567f3c87f929174d01d23e752c \ + --hash=sha256:d8b3cd685faa9eb8aa74dac56b5aae8184fef1c127f113539703d1cc8e27d1b8 \ + --hash=sha256:df2ef8f276324ef9445a26384c86f799493f26974733e6a727c4e05a8b35860f \ + --hash=sha256:fb261c706d7e9899b0f739237cd05386721a93c1f4376085d4a8e86339e8cb22 \ + --hash=sha256:fcab6875bf937d6e203dd424c0140af461175b4aa71faddc87d6e5ce61adcc5a From c58e8b8b0a1fb8a9ed5335c346e1d11d034fd219 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Nov 2024 07:24:59 -0500 Subject: [PATCH 1422/1462] chore(deps): bump uv from 0.5.2 to 0.5.3 (#12001) Bumps [uv](https://github.com/astral-sh/uv) from 0.5.2 to 0.5.3. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.5.2...0.5.3) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ac8fd5fd5cbf..8713a6d3f414 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -292,7 +292,7 @@ urllib3==2.0.7 ; python_full_version < '3.8' # via requests urllib3==2.2.3 ; python_full_version >= '3.8' # via requests -uv==0.5.2 ; python_full_version >= '3.8' +uv==0.5.3 ; python_full_version >= '3.8' # via nox virtualenv==20.26.6 ; python_full_version < '3.8' # via nox From 3c353944ccda04638f334008ce9e73cd51cc6bdf Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 21 Nov 2024 00:19:50 +0000 Subject: [PATCH 1423/1462] Bump BoringSSL and/or OpenSSL in CI (#12007) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 62f243a6e003..809a176595dd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 20, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "264f4f7a958af6c4ccb04662e302a99dfa7c5b85"}} - # Latest commit on the OpenSSL master branch, as of Nov 20, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dcb5d6bf887797ce65a88fa08e66167fa4155657"}} + # Latest commit on the BoringSSL master branch, as of Nov 21, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5cce3fbd23e14b8e12c8b842ab9af00448582142"}} + # Latest commit on the OpenSSL master branch, as of Nov 21, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "47a80fd2034cd4314d3b4958539dcd3106087109"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From e0b937a0f6718f47e8cedb557aa0e9a567f7e8e5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Nov 2024 04:07:07 +0000 Subject: [PATCH 1424/1462] chore(deps): bump proc-macro2 from 1.0.89 to 1.0.90 (#12008) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.89 to 1.0.90. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.89...1.0.90) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/Cargo.lock b/Cargo.lock index beb9a8434354..c625d2576b52 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -248,9 +248,9 @@ checksum = "cc9c68a3f6da06753e9335d63e27f6b9754dd1920d941135b7ea8224f141adb2" [[package]] name = "proc-macro2" -version = "1.0.89" +version = "1.0.90" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f139b0662de085916d1fb67d2b4169d1addddda1919e696f3252b740b629986e" +checksum = "d4e1ced3fe749df87a909c23e9607ab9a09c8f0bedb7e03b8146f4c08c298673" dependencies = [ "unicode-ident", ] From 525350cd62f887e1e738d05ba62618ceb2626ca0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Nov 2024 04:07:26 +0000 Subject: [PATCH 1425/1462] chore(deps): bump itoa from 1.0.12 to 1.0.13 (#12009) Bumps [itoa](https://github.com/dtolnay/itoa) from 1.0.12 to 1.0.13. - [Release notes](https://github.com/dtolnay/itoa/releases) - [Commits](https://github.com/dtolnay/itoa/compare/1.0.12...1.0.13) --- updated-dependencies: - dependency-name: itoa dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c625d2576b52..de40993cda47 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -162,9 +162,9 @@ checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "itoa" -version = "1.0.12" +version = "1.0.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a73e9fe3c49d7afb2ace819fa181a287ce54a0983eda4e0eb05c22f82ffe534" +checksum = "540654e97a3f4470a492cd30ff187bc95d89557a903a2bbf112e2fae98104ef2" [[package]] name = "libc" From ca52b619ce43b357db2eb946d020ef456ad1dc2e Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Wed, 20 Nov 2024 23:12:09 -0500 Subject: [PATCH 1426/1462] Bump asn1 to 0.20 (#12010) --- Cargo.lock | 8 ++++---- Cargo.toml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index de40993cda47..4158d82eeeed 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4,9 +4,9 @@ version = 3 [[package]] name = "asn1" -version = "0.19.0" +version = "0.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "18d97d0d2e60ad0595a73b82264dcd46c2f96769b0f555ae71c14122f0679f65" +checksum = "2d8b84b4ea1de2bf1dcd2a759737ddb328fb6695b2a95eb7e44fed67e3406f32" dependencies = [ "asn1_derive", "itoa", @@ -14,9 +14,9 @@ dependencies = [ [[package]] name = "asn1_derive" -version = "0.19.0" +version = "0.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "00cec5ab4e9217b82bdd194bf6a4c74890a7e6d530159546bd83684f42211b8a" +checksum = "a200809d0138620b3dba989f1d08d0620e76248bc1e62a2ec1b2df5eb1ee08ad" dependencies = [ "proc-macro2", "quote", diff --git a/Cargo.toml b/Cargo.toml index 92f599d49dd3..86f3e4042b26 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -19,7 +19,7 @@ publish = false rust-version = "1.65.0" [workspace.dependencies] -asn1 = { version = "0.19.0", default-features = false } +asn1 = { version = "0.20.0", default-features = false } pyo3 = { version = "0.23.1", features = ["abi3"] } [profile.release] From 5c25564f2ecb332b20b837d5d737d3da95000dab Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Nov 2024 07:37:19 -0500 Subject: [PATCH 1427/1462] chore(deps): bump uv from 0.5.3 to 0.5.4 (#12012) Bumps [uv](https://github.com/astral-sh/uv) from 0.5.3 to 0.5.4. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.5.3...0.5.4) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 8713a6d3f414..6cff11b02c96 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -292,7 +292,7 @@ urllib3==2.0.7 ; python_full_version < '3.8' # via requests urllib3==2.2.3 ; python_full_version >= '3.8' # via requests -uv==0.5.3 ; python_full_version >= '3.8' +uv==0.5.4 ; python_full_version >= '3.8' # via nox virtualenv==20.26.6 ; python_full_version < '3.8' # via nox From 6258d8a6c442fb33afd34d04d40dc4f5f0d7aab5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Nov 2024 07:37:37 -0500 Subject: [PATCH 1428/1462] chore(deps): bump uv from 0.5.3 to 0.5.4 in /.github/requirements (#12013) Bumps [uv](https://github.com/astral-sh/uv) from 0.5.3 to 0.5.4. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/uv/compare/0.5.3...0.5.4) --- updated-dependencies: - dependency-name: uv dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/uv-requirements.txt | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/requirements/uv-requirements.txt b/.github/requirements/uv-requirements.txt index 7767b4c3c1c0..6a799fcaa391 100644 --- a/.github/requirements/uv-requirements.txt +++ b/.github/requirements/uv-requirements.txt 
@@ -1,21 +1,21 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal -p 3.8 --generate-hashes - -uv==0.5.3 \ - --hash=sha256:0cb6583bba8904732879eefba09b19183d456073cb2c86a98d48bfe2e4a02dd9 \ - --hash=sha256:1be17854ee881b454f5eb6a6b501f0431c7c00870ff9375dc08af7c655dd36a3 \ - --hash=sha256:2e900108b7744dba514ba19931edad3bfdfb7d6f76a654bc2eff544da6f20207 \ - --hash=sha256:319ea98006bdeecbc26d7bb59ce8821828eed266bceef86fd2c46c64d9adafd9 \ - --hash=sha256:37eaeb2535a362b55be3e6eb6cfca8df7cb94786c99a150c77e0a7b218f54159 \ - --hash=sha256:415c26372814404105b810ae29e3a8eccd2d4b17f9fdeaf570f24b7ee4e22417 \ - --hash=sha256:4b37792524ce9864bbc0090110727a219473c971e3b4673b14c1817e0bbb3465 \ - --hash=sha256:53da2848e6b5f33ed1a834aee73020a728fe7363334f0cd53c00d1800dd5f2ed \ - --hash=sha256:5caa1cd194925e5c215459c26081ab304c47292d52902faf7a34d94c6e153c03 \ - --hash=sha256:80f079ca405ee4ecc814f4591b92e869887c70d6a6a3120e9216462c98924f65 \ - --hash=sha256:837c9e303c23697508a6ab125d451bcea8bd2d0dbdf13d12e6860b481c46bbfd \ - --hash=sha256:867f9651225a55aec882c40b2a7a905cd4d3521c74a0675c11a7bdaf753b0400 \ - --hash=sha256:991c04f9351705ee322caa7e776d37ef215f74458f68c292811a25eb3ed18e07 \ - --hash=sha256:bfee241db07e4663c8f37d70e63a7ce411e7de567f3c87f929174d01d23e752c \ - --hash=sha256:d8b3cd685faa9eb8aa74dac56b5aae8184fef1c127f113539703d1cc8e27d1b8 \ - --hash=sha256:df2ef8f276324ef9445a26384c86f799493f26974733e6a727c4e05a8b35860f \ - --hash=sha256:fb261c706d7e9899b0f739237cd05386721a93c1f4376085d4a8e86339e8cb22 \ - --hash=sha256:fcab6875bf937d6e203dd424c0140af461175b4aa71faddc87d6e5ce61adcc5a +uv==0.5.4 \ + --hash=sha256:05b45c7eefb178dcdab0d49cd642fb7487377d00727102a8d6d306cc034c0d83 \ + --hash=sha256:2118bb99cbc9787cb5e5cc4a507201e25a3fe88a9f389e8ffb84f242d96038c2 \ + --hash=sha256:30ce031e36c54d4ba791d743d992d0a4fd8d70480db781d30a2f6f5125f39194 \ + --hash=sha256:4432215deb8d5c1ccab17ee51cb80f5de1a20865ee02df47532f87442a3d6a58 \ + 
--hash=sha256:493aedc3c758bbaede83ecc8d5f7e6a9279ebec151c7f756aa9ea898c73f8ddb \ + --hash=sha256:69079e900bd26b0f65069ac6fa684c74662ed87121c076f2b1cbcf042539034c \ + --hash=sha256:8d7a4a3df943a7c16cd032ccbaab8ed21ff64f4cb090b3a0a15a8b7502ccd876 \ + --hash=sha256:928ed95fefe4e1338d0a7ad2f6b635de59e2ec92adaed4a267f7501a3b252263 \ + --hash=sha256:a79a0885df364b897da44aae308e6ed9cca3a189d455cf1c205bd6f7b03daafa \ + --hash=sha256:ca72e6a4c3c6b8b5605867e16a7f767f5c99b7f526de6bbb903c60eb44fd1e01 \ + --hash=sha256:cd7a5a3a36f975a7678f27849a2d49bafe7272143d938e9b6f3bf28392a3ba00 \ + --hash=sha256:dd2df2ba823e6684230ab4c581f2320be38d7f46de11ce21d2dbba631470d7b6 \ + --hash=sha256:df3cb58b7da91f4fc647d09c3e96006cd6c7bd424a81ce2308a58593c6887c39 \ + --hash=sha256:ed5659cde099f39995f4cb793fd939d2260b4a26e4e29412c91e7537f53d8d25 \ + --hash=sha256:f07e5e0df40a09154007da41b76932671333f9fecb0735c698b19da25aa08927 \ + --hash=sha256:f40c6c6c3a1b398b56d3a8b28f7b455ac1ce4cbb1469f8d35d3bbc804d83daa4 \ + --hash=sha256:f511faf719b797ef0f14688f1abe20b3fd126209cf58512354d1813249745119 \ + --hash=sha256:f806af0ee451a81099c449c4cff0e813056fdf7dd264f3d3a8fd321b17ff9efc From aa77402cc2192a5e10408a20c24297f946e5cabe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Nov 2024 07:38:20 -0500 Subject: [PATCH 1429/1462] chore(deps): bump syn from 2.0.87 to 2.0.88 (#12015) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.87 to 2.0.88. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.87...2.0.88) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/Cargo.lock b/Cargo.lock index 4158d82eeeed..66c2e6008886 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -341,9 +341,9 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "syn" -version = "2.0.87" +version = "2.0.88" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "25aa4ce346d03a6dcd68dd8b4010bcb74e54e62c90c573f394c46eae99aba32d" +checksum = "f8e9a4e1639f47f655bf8e5198232f05615d5fb7e864ef5c4f5abdaf8ad3b8f4" dependencies = [ "proc-macro2", "quote", From a5ce486ec58898eb93e67205a98a605ab24516ba Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Nov 2024 07:38:57 -0500 Subject: [PATCH 1430/1462] chore(deps): bump proc-macro2 from 1.0.90 to 1.0.91 (#12016) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.90 to 1.0.91. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.90...1.0.91) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 66c2e6008886..d51508c2e9ad 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -248,9 +248,9 @@ checksum = "cc9c68a3f6da06753e9335d63e27f6b9754dd1920d941135b7ea8224f141adb2" [[package]] name = "proc-macro2" -version = "1.0.90" +version = "1.0.91" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d4e1ced3fe749df87a909c23e9607ab9a09c8f0bedb7e03b8146f4c08c298673" +checksum = "307e3004becf10f5a6e0d59d20f3cd28231b0e0827a96cd3e0ce6d14bc1e4bb3" dependencies = [ "unicode-ident", ] From a93d1947d771704f0c6be4c566881fd3ffc534dc Mon Sep 17 00:00:00 2001 
From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 22 Nov 2024 00:19:39 +0000 Subject: [PATCH 1431/1462] Bump BoringSSL and/or OpenSSL in CI (#12017) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 809a176595dd..2b0da0252595 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -47,8 +47,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Nov 21, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5cce3fbd23e14b8e12c8b842ab9af00448582142"}} - # Latest commit on the OpenSSL master branch, as of Nov 21, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "47a80fd2034cd4314d3b4958539dcd3106087109"}} + # Latest commit on the OpenSSL master branch, as of Nov 22, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2de7e1d69851a363cadd9d6bdd95302b89a4383b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 750f34e95b1566adc9713a9a21f844d4ba292b82 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 21 Nov 2024 21:47:05 -0500 Subject: [PATCH 1432/1462] Introduce new GAT based Asn1 Read/Write (#12011) This replaces the runtime based Asn1ReadableOrWritable. Adopts it for IssuingDistributionPoint, DistributionPoint --- src/rust/cryptography-x509/src/common.rs | 14 ++++++++++++++ src/rust/cryptography-x509/src/crl.rs | 8 ++++---- src/rust/cryptography-x509/src/extensions.rs | 5 +++-- src/rust/src/x509/certificate.rs | 8 ++++---- src/rust/src/x509/crl.rs | 9 +++------ src/rust/src/x509/extensions.rs | 13 ++++++++----- 6 files changed, 36 insertions(+), 21 deletions(-) 
diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs
index d4a91cb2d5b5..8e303e7db4fc 100644
--- a/src/rust/cryptography-x509/src/common.rs
+++ b/src/rust/cryptography-x509/src/common.rs
@@ -263,6 +263,20 @@ impl asn1::SimpleAsn1W
 }
 }
+pub trait Asn1Operation {
+ type OwnedBitString<'a>;
+}
+
+pub struct Asn1Read;
+pub struct Asn1Write;
+
+impl Asn1Operation for Asn1Read {
+ type OwnedBitString<'a> = asn1::BitString<'a>;
+}
+impl Asn1Operation for Asn1Write {
+ type OwnedBitString<'a> = asn1::OwnedBitString;
+}
+
 #[derive(asn1::Asn1Read, asn1::Asn1Write)]
 pub struct DssSignature<'a> {
 pub r: asn1::BigUint<'a>,
diff --git a/src/rust/cryptography-x509/src/crl.rs b/src/rust/cryptography-x509/src/crl.rs
index acd4adb64eb0..d17d991ebd41 100644
--- a/src/rust/cryptography-x509/src/crl.rs
+++ b/src/rust/cryptography-x509/src/crl.rs
@@ -2,10 +2,10 @@
 // 2.0, and the BSD License. See the LICENSE file in the root of this repository
 // for complete details.
+use crate::common::Asn1Operation;
 use crate::{common, extensions, name};
-pub type ReasonFlags<'a> =
- Option, asn1::OwnedBitString>>;
+pub type ReasonFlags<'a, Op> = Option<::OwnedBitString<'a>>;
 #[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash)]
 pub struct CertificateRevocationList<'a> {
@@ -41,7 +41,7 @@ pub struct RevokedCertificate<'a> {
 }
 #[derive(asn1::Asn1Read, asn1::Asn1Write)]
-pub struct IssuingDistributionPoint<'a> {
+pub struct IssuingDistributionPoint<'a, Op: Asn1Operation> {
 #[explicit(0)]
 pub distribution_point: Option>,
@@ -54,7 +54,7 @@ pub struct IssuingDistributionPoint<'a> {
 pub only_contains_ca_certs: bool,
 #[implicit(3)]
- pub only_some_reasons: ReasonFlags<'a>,
+ pub only_some_reasons: ReasonFlags<'a, Op>,
 #[implicit(4)]
 #[default(false)]
diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs
index fbea5637b7f7..752be1dcc252 100644
--- a/src/rust/cryptography-x509/src/extensions.rs
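Review bot: The new public trait `Asn1Operation` and its marker types `Asn1Read` and `Asn1Write`, added in the `common.rs` hunk, carry no doc comments, although every structure that takes the `Op` parameter now depends on them. I would add `/// Selects, at compile time, the field types a structure uses when it is parsed (Asn1Read) or serialized (Asn1Write).` above the trait, and a one-line `///` on each marker naming the bit-string type it selects (`asn1::BitString<'a>` for reading, `asn1::OwnedBitString` for writing). Stating that the read/write choice is now made in the type system rather than by a runtime `unwrap_read()` tells the next contributor how to extend the pattern to further fields.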
+++ b/src/rust/cryptography-x509/src/extensions.rs
@@ -5,6 +5,7 @@
 use std::collections::HashSet;
 use crate::common;
+use crate::common::Asn1Operation;
 use crate::crl;
 use crate::name;
@@ -183,12 +184,12 @@ pub struct MSCertificateTemplate {
 }
 #[derive(asn1::Asn1Read, asn1::Asn1Write)]
-pub struct DistributionPoint<'a> {
+pub struct DistributionPoint<'a, Op: Asn1Operation> {
 #[explicit(0)]
 pub distribution_point: Option>,
 #[implicit(1)]
- pub reasons: crl::ReasonFlags<'a>,
+ pub reasons: crl::ReasonFlags<'a, Op>,
 #[implicit(2)]
 pub crl_issuer: Option>,
diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs
index 775140682284..bed3de5b68d7 100644
--- a/src/rust/src/x509/certificate.rs
+++ b/src/rust/src/x509/certificate.rs
@@ -6,6 +6,7 @@ use std::collections::hash_map::DefaultHasher;
 use std::hash::{Hash, Hasher};
 use cryptography_x509::certificate::Certificate as RawCertificate;
+use cryptography_x509::common::Asn1Read;
 use cryptography_x509::common::{AlgorithmParameters, Asn1ReadableOrWritable};
 use cryptography_x509::extensions::{
 Admission, Admissions, AuthorityKeyIdentifier, BasicConstraints, DisplayText,
@@ -602,14 +603,13 @@ pub(crate) fn parse_distribution_point_name<'p>(
 fn parse_distribution_point<'p>(
 py: pyo3::Python<'p>,
- dp: DistributionPoint<'p>,
+ dp: DistributionPoint<'p, Asn1Read>,
 ) -> CryptographyResult> {
 let (full_name, relative_name) = match dp.distribution_point {
 Some(data) => parse_distribution_point_name(py, data)?,
 None => (py.None().into_bound(py), py.None().into_bound(py)),
 };
- let reasons =
- parse_distribution_point_reasons(py, dp.reasons.as_ref().map(|v| v.unwrap_read()))?;
+ let reasons = parse_distribution_point_reasons(py, dp.reasons.as_ref())?;
 let crl_issuer = match dp.crl_issuer {
 Some(aci) => x509::parse_general_names(py, aci.unwrap_read())?,
 None => py.None().into_bound(py),
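Review bot: In `parse_distribution_point`, `dp.crl_issuer` is still read through `aci.unwrap_read()` while `dp.reasons` now takes its representation from the `Asn1Read` type parameter, so one struct mixes the compile-time and the runtime read/write discrimination. The runtime form is a check the compiler cannot verify; presumably `unwrap_read()` aborts on a value built for writing, though its definition is not part of this diff. Until `crl_issuer` is migrated as well, a marker such as `// TODO: move crl_issuer to Asn1Operation so this unwrap_read() goes away` above the `match dp.crl_issuer` line would record that the remaining call is transitional. The function body continues past the end of the hunk.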
@@ -623,7 +623,7 @@ pub(crate) fn parse_distribution_points<'p>( py: pyo3::Python<'p>, ext: &Extension<'_>, ) -> CryptographyResult> { - let dps = ext.value::>>()?; + let dps = ext.value::>>()?; let py_dps = pyo3::types::PyList::empty(py); for dp in dps { let py_dp = parse_distribution_point(py, dp)?; diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index fe307d5c118e..4d4ca9540f4d 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -6,7 +6,7 @@ use std::sync::Arc; use cryptography_x509::extensions::{Extension, IssuerAlternativeName}; use cryptography_x509::{ - common, + common::{self, Asn1Read}, crl::{ self, CertificateRevocationList as RawCertificateRevocationList, RevokedCertificate as RawRevokedCertificate, @@ -350,16 +350,13 @@ impl CertificateRevocationList { Ok(Some(certificate::parse_authority_key_identifier(py, ext)?)) } oid::ISSUING_DISTRIBUTION_POINT_OID => { - let idp = ext.value::>()?; + let idp = ext.value::>()?; let (full_name, relative_name) = match idp.distribution_point { Some(data) => certificate::parse_distribution_point_name(py, data)?, None => (py.None().into_bound(py), py.None().into_bound(py)), }; let py_reasons = if let Some(reasons) = idp.only_some_reasons { - certificate::parse_distribution_point_reasons( - py, - Some(reasons.unwrap_read()), - )? + certificate::parse_distribution_point_reasons(py, Some(&reasons))? } else { py.None().into_bound(py) }; diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 7ac539f23007..1636bf431c3b 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs 
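Review bot: In the `ISSUING_DISTRIBUTION_POINT_OID` arm of src/rust/src/x509/crl.rs, the `if let Some(reasons) = idp.only_some_reasons { … } else { py.None()… }` wrapper now only re-wraps the option as `Some(&reasons)`. The `parse_distribution_point` hunk in certificate.rs from this same commit passes `dp.reasons.as_ref()` straight to the same helper, which suggests the helper already maps `None` to Python `None`. If that holds, the arm can be `let py_reasons = certificate::parse_distribution_point_reasons(py, idp.only_some_reasons.as_ref())?;`, which keeps the two call sites consistent. The enclosing method starts and ends outside the hunk, so confirm the helper's `None` behaviour before collapsing it.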
@@ -2,7 +2,10 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use cryptography_x509::{common, crl, extensions, oid}; +use cryptography_x509::{ + common::{self, Asn1Write}, + crl, extensions, oid, +}; use crate::asn1::{py_oid_to_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; @@ -118,11 +121,11 @@ pub(crate) fn encode_distribution_points<'p>( }; let reasons = if let Some(py_reasons) = py_dp.reasons { let reasons = certificate::encode_distribution_point_reasons(py, &py_reasons)?; - Some(common::Asn1ReadableOrWritable::new_write(reasons)) + Some(reasons) } else { None }; - dps.push(extensions::DistributionPoint { + dps.push(extensions::DistributionPoint:: { crl_issuer, distribution_point, reasons, @@ -331,7 +334,7 @@ fn encode_issuing_distribution_point( { let py_reasons = ext.getattr(pyo3::intern!(py, "only_some_reasons"))?; let reasons = certificate::encode_distribution_point_reasons(ext.py(), &py_reasons)?; - Some(common::Asn1ReadableOrWritable::new_write(reasons)) + Some(reasons) } else { None }; @@ -360,7 +363,7 @@ fn encode_issuing_distribution_point( None }; - let idp = crl::IssuingDistributionPoint { + let idp = crl::IssuingDistributionPoint:: { distribution_point, indirect_crl: ext.getattr(pyo3::intern!(py, "indirect_crl"))?.extract()?, only_contains_attribute_certs: ext From f6282863f9393a7e81b553b632085cf150050125 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 21 Nov 2024 22:26:48 -0500 Subject: [PATCH 1433/1462] Apply the Asn1Operation API to several extensions (#12019) --- .../src/policy/extension.rs | 3 +- src/rust/cryptography-x509/src/common.rs | 11 ++++++ src/rust/cryptography-x509/src/extensions.rs | 35 ++++++++----------- src/rust/src/x509/certificate.rs | 16 ++++----- src/rust/src/x509/extensions.rs | 10 ++---- 5 files changed, 37 insertions(+), 38 deletions(-) 
diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs index a6b93fde8050..80221a4c0ff8 100644 --- a/src/rust/cryptography-x509-verification/src/policy/extension.rs +++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs @@ -530,6 +530,7 @@ pub(crate) mod ca { pub(crate) mod common { use cryptography_x509::{ certificate::Certificate, + common::Asn1Read, extensions::{Extension, SequenceOfAccessDescriptions}, }; @@ -546,7 +547,7 @@ pub(crate) mod common { if let Some(extn) = extn { // We don't currently do anything useful with these, but we // do check that they're well-formed. - let _: SequenceOfAccessDescriptions<'_> = extn.value()?; + let _: SequenceOfAccessDescriptions<'_, Asn1Read> = extn.value()?; } Ok(()) diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 8e303e7db4fc..4bc3af631ac6 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -264,6 +264,9 @@ impl asn1::SimpleAsn1W } pub trait Asn1Operation { + type SequenceOfVec<'a, T> + where + T: 'a; type OwnedBitString<'a>; } @@ -271,9 +274,17 @@ pub struct Asn1Read; pub struct Asn1Write; impl Asn1Operation for Asn1Read { + type SequenceOfVec<'a, T> + = asn1::SequenceOf<'a, T> + where + T: 'a; type OwnedBitString<'a> = asn1::BitString<'a>; } impl Asn1Operation for Asn1Write { + type SequenceOfVec<'a, T> + = asn1::SequenceOfWriter<'a, T, Vec> + where + T: 'a; type OwnedBitString<'a> = asn1::OwnedBitString; } diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index 752be1dcc252..2f739882dd6a 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs 
@@ -94,48 +94,41 @@ pub struct AccessDescription<'a> { pub access_location: name::GeneralName<'a>, } -pub type SequenceOfAccessDescriptions<'a> = common::Asn1ReadableOrWritable< - asn1::SequenceOf<'a, AccessDescription<'a>>, - asn1::SequenceOfWriter<'a, AccessDescription<'a>, Vec>>, ->; +pub type SequenceOfAccessDescriptions<'a, Op> = + ::SequenceOfVec<'a, AccessDescription<'a>>; // Needed due to clippy type complexity warning. -type SequenceOfPolicyQualifiers<'a> = common::Asn1ReadableOrWritable< - asn1::SequenceOf<'a, PolicyQualifierInfo<'a>>, - asn1::SequenceOfWriter<'a, PolicyQualifierInfo<'a>, Vec>>, ->; +type SequenceOfPolicyQualifiers<'a, Op> = + ::SequenceOfVec<'a, PolicyQualifierInfo<'a, Op>>; #[derive(asn1::Asn1Read, asn1::Asn1Write)] -pub struct PolicyInformation<'a> { +pub struct PolicyInformation<'a, Op: Asn1Operation + 'a> { pub policy_identifier: asn1::ObjectIdentifier, - pub policy_qualifiers: Option>, + pub policy_qualifiers: Option>, } #[derive(asn1::Asn1Read, asn1::Asn1Write)] -pub struct PolicyQualifierInfo<'a> { +pub struct PolicyQualifierInfo<'a, Op: Asn1Operation> { pub policy_qualifier_id: asn1::ObjectIdentifier, - pub qualifier: Qualifier<'a>, + pub qualifier: Qualifier<'a, Op>, } #[derive(asn1::Asn1Read, asn1::Asn1Write)] -pub enum Qualifier<'a> { +pub enum Qualifier<'a, Op: Asn1Operation> { CpsUri(asn1::IA5String<'a>), - UserNotice(UserNotice<'a>), + UserNotice(UserNotice<'a, Op>), } #[derive(asn1::Asn1Read, asn1::Asn1Write)] -pub struct UserNotice<'a> { - pub notice_ref: Option>, +pub struct UserNotice<'a, Op: Asn1Operation> { + pub notice_ref: Option>, pub explicit_text: Option>, } #[derive(asn1::Asn1Read, asn1::Asn1Write)] -pub struct NoticeReference<'a> { +pub struct NoticeReference<'a, Op: Asn1Operation> { pub organization: DisplayText<'a>, - pub notice_numbers: common::Asn1ReadableOrWritable< - asn1::SequenceOf<'a, asn1::BigUint<'a>>, - asn1::SequenceOfWriter<'a, asn1::BigUint<'a>, Vec>>, - >, + pub notice_numbers: 
Op::SequenceOfVec<'a, asn1::BigUint<'a>>, } // DisplayText also allows BMPString, which we currently do not support. diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index bed3de5b68d7..2fbf280eaf7b 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -498,7 +498,7 @@ fn parse_display_text<'p>( fn parse_user_notice<'p>( py: pyo3::Python<'p>, - un: UserNotice<'_>, + un: UserNotice<'_, Asn1Read>, ) -> CryptographyResult> { let et = match un.explicit_text { Some(data) => parse_display_text(py, data)?, @@ -508,7 +508,7 @@ fn parse_user_notice<'p>( Some(data) => { let org = parse_display_text(py, data.organization)?; let numbers = pyo3::types::PyList::empty(py); - for num in data.notice_numbers.unwrap_read().clone() { + for num in data.notice_numbers.clone() { numbers.append(big_byte_slice_to_py_int(py, num.as_bytes())?)?; } types::NOTICE_REFERENCE.get(py)?.call1((org, numbers))? @@ -520,7 +520,7 @@ fn parse_user_notice<'p>( fn parse_policy_qualifiers<'a>( py: pyo3::Python<'a>, - policy_qualifiers: &asn1::SequenceOf<'a, PolicyQualifierInfo<'a>>, + policy_qualifiers: &asn1::SequenceOf<'a, PolicyQualifierInfo<'a, Asn1Read>>, ) -> CryptographyResult> { let py_pq = pyo3::types::PyList::empty(py); for pqi in policy_qualifiers.clone() { @@ -556,14 +556,12 @@ fn parse_cp<'p>( py: pyo3::Python<'p>, ext: &Extension<'_>, ) -> CryptographyResult> { - let cp = ext.value::>>()?; + let cp = ext.value::>>()?; let certificate_policies = pyo3::types::PyList::empty(py); for policyinfo in cp { let pi_oid = oid_to_py_oid(py, &policyinfo.policy_identifier)?; let py_pqis = match policyinfo.policy_qualifiers { - Some(policy_qualifiers) => { - parse_policy_qualifiers(py, policy_qualifiers.unwrap_read())? - } + Some(policy_qualifiers) => parse_policy_qualifiers(py, &policy_qualifiers)?, None => py.None().into_bound(py), }; let pi = types::POLICY_INFORMATION 
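Review bot: The context comment `// Needed due to clippy type complexity warning.` above `SequenceOfPolicyQualifiers` in the cryptography-x509 extensions.rs hunk looks stale, because the alias is now a single associated-type projection rather than a nested `Asn1ReadableOrWritable`. The later hunk that rewrites `SequenceOfSubtrees` the same way deletes the identical comment, so I would delete it here too or replace it with `// Shorthand for the policy-qualifier list in either Asn1Operation mode.`. Separately, `PolicyInformation` is the only struct in this hunk bounded as `Op: Asn1Operation + 'a`. If the derive needs the extra `'a`, a short comment saying so would help; if not, the bound should match its siblings.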
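Review bot: `for num in data.notice_numbers.clone()` in the `parse_user_notice` hunk of src/rust/src/x509/certificate.rs keeps a `.clone()` that was only needed while `unwrap_read()` returned a reference. `data` appears to be bound by value here (its `organization` field is passed by value on the line above), so `for num in data.notice_numbers {` should suffice. That would match `for access in parsed {` in the `parse_access_descriptions` hunk of the same commit. The `match` that binds `data` starts outside the hunk, so confirm the binding mode before changing it.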
@@ -695,8 +693,8 @@ pub(crate) fn parse_access_descriptions<'p>( ext: &Extension<'_>, ) -> CryptographyResult> { let ads = pyo3::types::PyList::empty(py); - let parsed = ext.value::>()?; - for access in parsed.unwrap_read().clone() { + let parsed = ext.value::>()?; + for access in parsed { let py_oid = oid_to_py_oid(py, &access.access_method)?; let gn = x509::parse_general_name(py, access.access_location)?; let ad = types::ACCESS_DESCRIPTION.get(py)?.call1((py_oid, gn))?; diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 1636bf431c3b..6883f655fb11 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -275,9 +275,7 @@ fn encode_certificate_policies( organization: extensions::DisplayText::Utf8String( asn1::Utf8String::new(py_notice_str), ), - notice_numbers: common::Asn1ReadableOrWritable::new_write( - asn1::SequenceOfWriter::new(notice_numbers), - ), + notice_numbers: asn1::SequenceOfWriter::new(notice_numbers), }) } else { None @@ -304,14 +302,12 @@ fn encode_certificate_policies( }; qualifiers.push(qualifier); } - Some(common::Asn1ReadableOrWritable::new_write( - asn1::SequenceOfWriter::new(qualifiers), - )) + Some(asn1::SequenceOfWriter::new(qualifiers)) } else { None }; let py_policy_id = py_policy_info.getattr(pyo3::intern!(py, "policy_identifier"))?; - policy_informations.push(extensions::PolicyInformation { + policy_informations.push(extensions::PolicyInformation:: { policy_identifier: py_oid_to_oid(py_policy_id)?, policy_qualifiers: qualifiers, }); From 3c83d15e9b1d691fd5e84761fd6c2596a34b15f6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 22 Nov 2024 07:07:47 -0500 Subject: [PATCH 1434/1462] chore(deps): bump syn from 2.0.88 to 2.0.89 (#12021) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.88 to 2.0.89. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.88...2.0.89) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d51508c2e9ad..a41b2bb4d2b2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -341,9 +341,9 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "syn" -version = "2.0.88" +version = "2.0.89" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8e9a4e1639f47f655bf8e5198232f05615d5fb7e864ef5c4f5abdaf8ad3b8f4" +checksum = "44d46482f1c1c87acd84dea20c1bf5ebff4c757009ed6bf19cfd36fb10e92c4e" dependencies = [ "proc-macro2", "quote", From c469b44603551163c4dfea34b3812b359b22c53e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 22 Nov 2024 07:08:11 -0500 Subject: [PATCH 1435/1462] chore(deps): bump proc-macro2 from 1.0.91 to 1.0.92 (#12022) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.91 to 1.0.92. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.91...1.0.92) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index a41b2bb4d2b2..345fe67c0afa 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -248,9 +248,9 @@ checksum = "cc9c68a3f6da06753e9335d63e27f6b9754dd1920d941135b7ea8224f141adb2" [[package]] name = "proc-macro2" -version = "1.0.91" +version = "1.0.92" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "307e3004becf10f5a6e0d59d20f3cd28231b0e0827a96cd3e0ce6d14bc1e4bb3" +checksum = "37d3544b3f2748c54e147655edb5025752e2303145b5aefb3c3ea2c78b973bb0" dependencies = [ "unicode-ident", ] From c266456cd2ab05e82368897010be7c4ff438b0ca Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 22 Nov 2024 07:08:33 -0500 Subject: [PATCH 1436/1462] chore(deps): bump ruff from 0.7.4 to 0.8.0 (#12023) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.7.4 to 0.8.0. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.7.4...0.8.0) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6cff11b02c96..612b3750238a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt 
@@ -202,7 +202,7 @@ requests==2.31.0 ; python_full_version < '3.8' # via sphinx requests==2.32.3 ; python_full_version >= '3.8' # via sphinx -ruff==0.7.4 +ruff==0.8.0 # via cryptography (pyproject.toml) six==1.16.0 ; python_full_version < '3.8' # via bleach From 644dcafecf47dfd598302b35dbd53c6af3189fca Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 23 Nov 2024 00:20:10 +0000 Subject: [PATCH 1437/1462] Bump BoringSSL and/or OpenSSL in CI (#12025) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2b0da0252595..17d55f035924 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -47,8 +47,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Nov 21, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5cce3fbd23e14b8e12c8b842ab9af00448582142"}} - # Latest commit on the OpenSSL master branch, as of Nov 22, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2de7e1d69851a363cadd9d6bdd95302b89a4383b"}} + # Latest commit on the OpenSSL master branch, as of Nov 23, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ea5817854cf67b89c874101f209f06ae016fd333"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 34521602186646cb05f82166dddf8276cc532db0 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 24 Nov 2024 00:19:16 +0000 Subject: [PATCH 1438/1462] Bump BoringSSL and/or OpenSSL in CI (#12027) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 17d55f035924..9da5176b7eaa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 21, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5cce3fbd23e14b8e12c8b842ab9af00448582142"}} + # Latest commit on the BoringSSL master branch, as of Nov 24, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "a351cc0c570a436f182c51efda65bd6e72f62ab8"}} # Latest commit on the OpenSSL master branch, as of Nov 23, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ea5817854cf67b89c874101f209f06ae016fd333"}} # Builds with various Rust versions. Includes MSRV and next From d3403c0de05fb30ded2590eeee4dd48bff311e27 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 24 Nov 2024 09:55:29 -0500 Subject: [PATCH 1439/1462] Avoid storing references to Certificates (#12028) Its asymmetric with the read path, which owns the value, and thus woudl need to change for our GAT API. --- src/rust/cryptography-x509/src/pkcs7.rs | 2 +- src/rust/src/pkcs7.rs | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/cryptography-x509/src/pkcs7.rs b/src/rust/cryptography-x509/src/pkcs7.rs index 77bb07797c84..7a55d48b473b 100644 --- a/src/rust/cryptography-x509/src/pkcs7.rs +++ b/src/rust/cryptography-x509/src/pkcs7.rs 
@@ -41,7 +41,7 @@ pub struct SignedData<'a> { pub certificates: Option< common::Asn1ReadableOrWritable< asn1::SetOf<'a, certificate::Certificate<'a>>, - asn1::SetOfWriter<'a, &'a certificate::Certificate<'a>>, + asn1::SetOfWriter<'a, certificate::Certificate<'a>>, >, >, diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index ec328e2b0920..d1c1c6f15003 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -52,7 +52,7 @@ fn serialize_certificates<'p>( let raw_certs = py_certs .iter() - .map(|c| c.raw.borrow_dependent()) + .map(|c| c.raw.borrow_dependent().clone()) .collect::>(); let signed_data = pkcs7::SignedData { @@ -211,7 +211,7 @@ fn sign_and_serialize<'p>( let mut digest_algs = vec![]; let mut certs = py_certs .iter() - .map(|p| p.raw.borrow_dependent()) + .map(|p| p.raw.borrow_dependent().clone()) .collect::>(); let ka_vec = cryptography_keepalive::KeepAlive::new(); @@ -288,7 +288,7 @@ fn sign_and_serialize<'p>( if !digest_algs.contains(&digest_alg) { digest_algs.push(digest_alg.clone()); } - certs.push(cert.raw.borrow_dependent()); + certs.push(cert.raw.borrow_dependent().clone()); signer_infos.push(pkcs7::SignerInfo { version: 1, From 050b6560e94d457955b59ecf871176b4961314f2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 24 Nov 2024 09:56:05 -0500 Subject: [PATCH 1440/1462] Remove various pointless borrows (#12026) --- .../cryptography-x509-verification/src/policy/extension.rs | 2 +- src/rust/cryptography-x509-verification/src/policy/mod.rs | 6 +++--- src/rust/src/pkcs7.rs | 6 +++--- src/rust/src/x509/certificate.rs | 2 +- src/rust/src/x509/crl.rs | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs index 80221a4c0ff8..fa034ac10d00 100644 --- a/src/rust/cryptography-x509-verification/src/policy/extension.rs +++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs 
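Review bot: The three `.clone()` calls added in src/rust/src/pkcs7.rs have no comment, and the reason for copying each parsed certificate is only in the commit message. The sites are the `map` in `serialize_certificates`, the `map` in `sign_and_serialize`, and the `certs.push(...)` next to `signer_infos.push`. A one-line comment at the first site, for example `// SignedData stores certificates by value on the write path, like the read path, so clone the parsed view.`, would stop a later cleanup from turning these back into references. Whether the clone copies only borrowed slices or allocates is not visible in these hunks. If it allocates, note that `sign_and_serialize` clones once per entry in `py_certs` and apparently once more per signer.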
@@ -592,7 +592,7 @@ mod tests { critical: bool, ext: &T, ) -> Vec { - let ext_value = asn1::write_single(&ext).unwrap(); + let ext_value = asn1::write_single(ext).unwrap(); let ext = Extension { extn_id: oid, critical, diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 8c2216b71fe4..935113fcdf3c 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -680,7 +680,7 @@ mod tests { assert!(WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS.contains(&RSASSA_PSS_SHA256.deref())); let exp_encoding = b"0A\x06\t*\x86H\x86\xf7\r\x01\x01\n04\xa0\x0f0\r\x06\t`\x86H\x01e\x03\x04\x02\x01\x05\x00\xa1\x1c0\x1a\x06\t*\x86H\x86\xf7\r\x01\x01\x080\r\x06\t`\x86H\x01e\x03\x04\x02\x01\x05\x00\xa2\x03\x02\x01 "; assert_eq!( - asn1::write_single(&RSASSA_PSS_SHA256.deref()).unwrap(), + asn1::write_single(RSASSA_PSS_SHA256.deref()).unwrap(), exp_encoding ); } @@ -689,7 +689,7 @@ mod tests { assert!(WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS.contains(&RSASSA_PSS_SHA384.deref())); let exp_encoding = b"0A\x06\t*\x86H\x86\xf7\r\x01\x01\n04\xa0\x0f0\r\x06\t`\x86H\x01e\x03\x04\x02\x02\x05\x00\xa1\x1c0\x1a\x06\t*\x86H\x86\xf7\r\x01\x01\x080\r\x06\t`\x86H\x01e\x03\x04\x02\x02\x05\x00\xa2\x03\x02\x010"; assert_eq!( - asn1::write_single(&RSASSA_PSS_SHA384.deref()).unwrap(), + asn1::write_single(RSASSA_PSS_SHA384.deref()).unwrap(), exp_encoding ); } @@ -698,7 +698,7 @@ mod tests { assert!(WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS.contains(&RSASSA_PSS_SHA512.deref())); let exp_encoding = b"0A\x06\t*\x86H\x86\xf7\r\x01\x01\n04\xa0\x0f0\r\x06\t`\x86H\x01e\x03\x04\x02\x03\x05\x00\xa1\x1c0\x1a\x06\t*\x86H\x86\xf7\r\x01\x01\x080\r\x06\t`\x86H\x01e\x03\x04\x02\x03\x05\x00\xa2\x03\x02\x01@"; assert_eq!( - asn1::write_single(&RSASSA_PSS_SHA512.deref()).unwrap(), + asn1::write_single(RSASSA_PSS_SHA512.deref()).unwrap(), exp_encoding ); } 
diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index d1c1c6f15003..f6d8a5cfcd6a 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -190,9 +190,9 @@ fn sign_and_serialize<'p>( // Subset of values OpenSSL provides: // https://github.com/openssl/openssl/blob/667a8501f0b6e5705fd611d5bb3ca24848b07154/crypto/pkcs7/pk7_smime.c#L150 // removing all the ones that are bad cryptography - &asn1::SequenceOfWriter::new([oid::AES_256_CBC_OID]), - &asn1::SequenceOfWriter::new([oid::AES_192_CBC_OID]), - &asn1::SequenceOfWriter::new([oid::AES_128_CBC_OID]), + asn1::SequenceOfWriter::new([oid::AES_256_CBC_OID]), + asn1::SequenceOfWriter::new([oid::AES_192_CBC_OID]), + asn1::SequenceOfWriter::new([oid::AES_128_CBC_OID]), ]))?; #[allow(clippy::type_complexity)] diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 2fbf280eaf7b..5c18c2246db9 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -93,7 +93,7 @@ impl Certificate { py: pyo3::Python<'p>, algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - let serialized = asn1::write_single(&self.raw.borrow_dependent())?; + let serialized = asn1::write_single(self.raw.borrow_dependent())?; let mut h = hashes::Hash::new(py, algorithm, None)?; h.update_bytes(&serialized)?; diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 4d4ca9540f4d..027c178efe42 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -93,7 +93,7 @@ pub(crate) struct CertificateRevocationList { impl CertificateRevocationList { fn public_bytes_der(&self) -> CryptographyResult> { - Ok(asn1::write_single(&self.owned.borrow_dependent())?) + Ok(asn1::write_single(self.owned.borrow_dependent())?) } fn revoked_cert(&self, py: pyo3::Python<'_>, idx: usize) -> RevokedCertificate { 
@@ -239,7 +239,7 @@ impl CertificateRevocationList { py: pyo3::Python<'p>, encoding: pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - let result = asn1::write_single(&self.owned.borrow_dependent())?; + let result = asn1::write_single(self.owned.borrow_dependent())?; encode_der_data(py, "X509 CRL".to_string(), result, &encoding) } From 7124ffb4cffbf345c409985ccf19c85882d9ccf7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 24 Nov 2024 10:56:32 -0500 Subject: [PATCH 1441/1462] Build manylinux 2.34 images (#12029) --- .github/workflows/wheel-builder.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 6b1a53fe56bf..813a9c10e835 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -71,10 +71,12 @@ jobs: MANYLINUX: - { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest" } - { NAME: "manylinux_2_28_x86_64", CONTAINER: "cryptography-manylinux_2_28:x86_64", RUNNER: "ubuntu-latest"} + - { NAME: "manylinux_2_34_x86_64", CONTAINER: "cryptography-manylinux_2_34:x86_64", RUNNER: "ubuntu-latest"} - { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64] } - { NAME: "manylinux_2_28_aarch64", CONTAINER: "cryptography-manylinux_2_28:aarch64", RUNNER: [self-hosted, Linux, ARM64]} + - { NAME: "manylinux_2_34_aarch64", CONTAINER: "cryptography-manylinux_2_34:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} exclude: # There are no readily available musllinux PyPy distributions From f01ee1dd48d0ce1fa6772a00831c0d56409aae47 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Sun, 24 Nov 2024 15:11:03 -0500 Subject: [PATCH 1442/1462] Convert several additional extensions to use Asn1Operation (#12020) --- .../cryptography-x509-verification/src/lib.rs | 7 ++-- .../src/policy/extension.rs | 9 ++--- src/rust/cryptography-x509/src/common.rs | 11 ++++++ src/rust/cryptography-x509/src/crl.rs | 2 +- src/rust/cryptography-x509/src/extensions.rs | 35 ++++++------------- src/rust/cryptography-x509/src/name.rs | 8 ++--- src/rust/src/x509/certificate.rs | 23 ++++++------ src/rust/src/x509/extensions.rs | 28 +++++++-------- 8 files changed, 58 insertions(+), 65 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 730a9ac4fbd4..75ec6ce005da 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -18,6 +18,7 @@ use std::vec; use asn1::ObjectIdentifier; use cryptography_x509::extensions::{DuplicateExtensionsError, Extensions}; use cryptography_x509::{ + common::Asn1Read, extensions::{NameConstraints, SubjectAlternativeName}, name::GeneralName, oid::{NAME_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID}, @@ -216,7 +217,7 @@ impl<'a, 'chain> NameChain<'a, 'chain> { fn evaluate_constraints( &self, - constraints: &NameConstraints<'chain>, + constraints: &NameConstraints<'chain, Asn1Read>, budget: &mut Budget, ) -> ValidationResult<'chain, (), B> { if let Some(child) = self.child { @@ -227,7 +228,7 @@ impl<'a, 'chain> NameChain<'a, 'chain> { // If there are no applicable constraints, the SAN is considered valid so the default is true. let mut permit = true; if let Some(permitted_subtrees) = &constraints.permitted_subtrees { - for p in permitted_subtrees.unwrap_read().clone() { + for p in permitted_subtrees.clone() { let status = self.evaluate_single_constraint(&p.base, &san, budget)?; if status.is_applied() { permit = status.is_match(); 
@@ -245,7 +246,7 @@ impl<'a, 'chain> NameChain<'a, 'chain> { } if let Some(excluded_subtrees) = &constraints.excluded_subtrees { - for e in excluded_subtrees.unwrap_read().clone() { + for e in excluded_subtrees.clone() { let status = self.evaluate_single_constraint(&e.base, &san, budget)?; if status.is_match() { return Err(ValidationError::new(ValidationErrorKind::Other( diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs index fa034ac10d00..c5c751a7a96e 100644 --- a/src/rust/cryptography-x509-verification/src/policy/extension.rs +++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs @@ -381,6 +381,7 @@ pub(crate) mod ee { pub(crate) mod ca { use cryptography_x509::{ certificate::Certificate, + common::Asn1Read, extensions::{ AuthorityKeyIdentifier, BasicConstraints, ExtendedKeyUsage, Extension, KeyUsage, NameConstraints, @@ -413,7 +414,7 @@ pub(crate) mod ca { // some chains that are not strictly CABF compliant (e.g. ones where intermediate // CAs are missing AKIs), but this is a relatively minor discrepancy. if let Some(extn) = extn { - let aki: AuthorityKeyIdentifier<'_> = extn.value()?; + let aki: AuthorityKeyIdentifier<'_, Asn1Read> = extn.value()?; // 7.1.2.11.1 Authority Key Identifier: // keyIdentifier MUST be present. 
@@ -478,16 +479,16 @@ pub(crate) mod ca { extn: Option<&Extension<'_>>, ) -> ValidationResult<'chain, (), B> { if let Some(extn) = extn { - let name_constraints: NameConstraints<'_> = extn.value()?; + let name_constraints: NameConstraints<'_, Asn1Read> = extn.value()?; let permitted_subtrees_empty = name_constraints .permitted_subtrees .as_ref() - .map_or(true, |pst| pst.unwrap_read().is_empty()); + .map_or(true, |pst| pst.is_empty()); let excluded_subtrees_empty = name_constraints .excluded_subtrees .as_ref() - .map_or(true, |est| est.unwrap_read().is_empty()); + .map_or(true, |est| est.is_empty()); if permitted_subtrees_empty && excluded_subtrees_empty { return Err(ValidationError::new(ValidationErrorKind::Other( diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 4bc3af631ac6..77ccd011a85e 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -265,6 +265,9 @@ impl asn1::SimpleAsn1W pub trait Asn1Operation { type SequenceOfVec<'a, T> + where + T: 'a; + type SetOfVec<'a, T> where T: 'a; type OwnedBitString<'a>; @@ -278,6 +281,10 @@ impl Asn1Operation for Asn1Read { = asn1::SequenceOf<'a, T> where T: 'a; + type SetOfVec<'a, T> + = asn1::SetOf<'a, T> + where + T: 'a; type OwnedBitString<'a> = asn1::BitString<'a>; } impl Asn1Operation for Asn1Write { @@ -285,6 +292,10 @@ impl Asn1Operation for Asn1Write { = asn1::SequenceOfWriter<'a, T, Vec> where T: 'a; + type SetOfVec<'a, T> + = asn1::SetOfWriter<'a, T, Vec> + where + T: 'a; type OwnedBitString<'a> = asn1::OwnedBitString; } diff --git a/src/rust/cryptography-x509/src/crl.rs b/src/rust/cryptography-x509/src/crl.rs index d17d991ebd41..ced8fb8e26b2 100644 --- a/src/rust/cryptography-x509/src/crl.rs +++ b/src/rust/cryptography-x509/src/crl.rs 
@@ -43,7 +43,7 @@ pub struct RevokedCertificate<'a> { #[derive(asn1::Asn1Read, asn1::Asn1Write)] pub struct IssuingDistributionPoint<'a, Op: Asn1Operation> { #[explicit(0)] - pub distribution_point: Option>, + pub distribution_point: Option>, #[implicit(1)] #[default(false)] diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index 2f739882dd6a..2e8299d9b5c5 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -142,19 +142,15 @@ pub enum DisplayText<'a> { BmpString(asn1::BMPString<'a>), } -// Needed due to clippy type complexity warning. -pub type SequenceOfSubtrees<'a> = common::Asn1ReadableOrWritable< - asn1::SequenceOf<'a, GeneralSubtree<'a>>, - asn1::SequenceOfWriter<'a, GeneralSubtree<'a>, Vec>>, ->; +pub type SequenceOfSubtrees<'a, Op> = ::SequenceOfVec<'a, GeneralSubtree<'a>>; #[derive(asn1::Asn1Read, asn1::Asn1Write)] -pub struct NameConstraints<'a> { +pub struct NameConstraints<'a, Op: Asn1Operation> { #[implicit(0)] - pub permitted_subtrees: Option>, + pub permitted_subtrees: Option>, #[implicit(1)] - pub excluded_subtrees: Option>, + pub excluded_subtrees: Option>, } #[derive(asn1::Asn1Read, asn1::Asn1Write)] 
@@ -179,39 +175,30 @@ pub struct MSCertificateTemplate { #[derive(asn1::Asn1Read, asn1::Asn1Write)] pub struct DistributionPoint<'a, Op: Asn1Operation> { #[explicit(0)] - pub distribution_point: Option>, + pub distribution_point: Option>, #[implicit(1)] pub reasons: crl::ReasonFlags<'a, Op>, #[implicit(2)] - pub crl_issuer: Option>, + pub crl_issuer: Option>, } #[derive(asn1::Asn1Read, asn1::Asn1Write)] -pub enum DistributionPointName<'a> { +pub enum DistributionPointName<'a, Op: Asn1Operation> { #[implicit(0)] - FullName(name::SequenceOfGeneralName<'a>), + FullName(name::SequenceOfGeneralName<'a, Op>), #[implicit(1)] - NameRelativeToCRLIssuer( - common::Asn1ReadableOrWritable< - asn1::SetOf<'a, common::AttributeTypeValue<'a>>, - asn1::SetOfWriter< - 'a, - common::AttributeTypeValue<'a>, - Vec>, - >, - >, - ), + NameRelativeToCRLIssuer(Op::SetOfVec<'a, common::AttributeTypeValue<'a>>), } #[derive(asn1::Asn1Read, asn1::Asn1Write)] -pub struct AuthorityKeyIdentifier<'a> { +pub struct AuthorityKeyIdentifier<'a, Op: Asn1Operation> { #[implicit(0)] pub key_identifier: Option<&'a [u8]>, #[implicit(1)] - pub authority_cert_issuer: Option>, + pub authority_cert_issuer: Option>, #[implicit(2)] pub authority_cert_serial_number: Option>, } diff --git a/src/rust/cryptography-x509/src/name.rs b/src/rust/cryptography-x509/src/name.rs index 41f097689345..078bca19446e 100644 --- a/src/rust/cryptography-x509/src/name.rs +++ b/src/rust/cryptography-x509/src/name.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::common; +use crate::common::{self, Asn1Operation}; pub type NameReadable<'a> = asn1::SequenceOf<'a, asn1::SetOf<'a, common::AttributeTypeValue<'a>>>; 
@@ -82,7 +82,5 @@ pub enum GeneralName<'a> { RegisteredID(asn1::ObjectIdentifier), } -pub(crate) type SequenceOfGeneralName<'a> = common::Asn1ReadableOrWritable< - asn1::SequenceOf<'a, GeneralName<'a>>, - asn1::SequenceOfWriter<'a, GeneralName<'a>, Vec>>, ->; +pub(crate) type SequenceOfGeneralName<'a, Op> = + ::SequenceOfVec<'a, GeneralName<'a>>; diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 5c18c2246db9..bfa3a946f789 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -574,10 +574,10 @@ fn parse_cp<'p>( fn parse_general_subtrees<'p>( py: pyo3::Python<'p>, - subtrees: SequenceOfSubtrees<'_>, + subtrees: SequenceOfSubtrees<'_, Asn1Read>, ) -> CryptographyResult> { let gns = pyo3::types::PyList::empty(py); - for gs in subtrees.unwrap_read().clone() { + for gs in subtrees { gns.append(x509::parse_general_name(py, gs.base)?)?; } Ok(gns.into_any()) @@ -585,17 +585,16 @@ fn parse_general_subtrees<'p>( pub(crate) fn parse_distribution_point_name<'p>( py: pyo3::Python<'p>, - dp: DistributionPointName<'p>, + dp: DistributionPointName<'p, Asn1Read>, ) -> CryptographyResult<(pyo3::Bound<'p, pyo3::PyAny>, pyo3::Bound<'p, pyo3::PyAny>)> { Ok(match dp { DistributionPointName::FullName(data) => ( - x509::parse_general_names(py, data.unwrap_read())?, + x509::parse_general_names(py, &data)?, py.None().into_bound(py), ), - DistributionPointName::NameRelativeToCRLIssuer(data) => ( - py.None().into_bound(py), - x509::parse_rdn(py, data.unwrap_read())?, - ), + DistributionPointName::NameRelativeToCRLIssuer(data) => { + (py.None().into_bound(py), x509::parse_rdn(py, &data)?) + } }) } 
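Review bot: Only `gs.base` is read in the loop of `parse_general_subtrees`, so the `minimum` and `maximum` fields of each `GeneralSubtree` are dropped without being inspected. RFC 5280 section 4.2.1.10 requires minimum to be zero and maximum to be absent, so a certificate carrying other values would be shown to Python callers as a plain base name. Whether such input is rejected elsewhere cannot be seen from this hunk. At the least a comment above the loop should record the decision, e.g. `// minimum/maximum are ignored here; RFC 5280 4.2.1.10 requires 0 / absent`. The function's closing brace lies outside the hunk.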
@@ -609,7 +608,7 @@ fn parse_distribution_point<'p>( }; let reasons = parse_distribution_point_reasons(py, dp.reasons.as_ref())?; let crl_issuer = match dp.crl_issuer { - Some(aci) => x509::parse_general_names(py, aci.unwrap_read())?, + Some(aci) => x509::parse_general_names(py, &aci)?, None => py.None().into_bound(py), }; Ok(types::DISTRIBUTION_POINT @@ -674,13 +673,13 @@ pub(crate) fn parse_authority_key_identifier<'p>( py: pyo3::Python<'p>, ext: &Extension<'p>, ) -> Result, CryptographyError> { - let aki = ext.value::>()?; + let aki = ext.value::>()?; let serial = match aki.authority_cert_serial_number { Some(biguint) => big_byte_slice_to_py_int(py, biguint.as_bytes())?.unbind(), None => py.None(), }; let issuer = match aki.authority_cert_issuer { - Some(aci) => x509::parse_general_names(py, aci.unwrap_read())?, + Some(aci) => x509::parse_general_names(py, &aci)?, None => py.None().into_bound(py), }; Ok(types::AUTHORITY_KEY_IDENTIFIER @@ -911,7 +910,7 @@ pub fn parse_cert_ext<'p>( Ok(Some(types::FRESHEST_CRL.get(py)?.call1((dp,))?)) } oid::NAME_CONSTRAINTS_OID => { - let nc = ext.value::>()?; + let nc = ext.value::>()?; let permitted_subtrees = match nc.permitted_subtrees { Some(data) => parse_general_subtrees(py, data)?, None => py.None().into_bound(py), diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 6883f655fb11..c676dc0cd3f3 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -19,7 +19,7 @@ fn encode_general_subtrees<'a>( ka_bytes: &'a cryptography_keepalive::KeepAlive, ka_str: &'a cryptography_keepalive::KeepAlive, subtrees: &pyo3::Bound<'a, pyo3::PyAny>, -) -> Result>, CryptographyError> { +) -> Result>, CryptographyError> { if subtrees.is_none() { Ok(None) } else { 
@@ -32,9 +32,7 @@ fn encode_general_subtrees<'a>( maximum: None, }); } - Ok(Some(common::Asn1ReadableOrWritable::new_write( - asn1::SequenceOfWriter::new(subtree_seq), - ))) + Ok(Some(asn1::SequenceOfWriter::new(subtree_seq))) } } @@ -55,9 +53,7 @@ pub(crate) fn encode_authority_key_identifier<'a>( let authority_cert_issuer = if let Some(authority_cert_issuer) = aki.authority_cert_issuer { let gns = x509::common::encode_general_names(py, &ka_bytes, &ka_str, &authority_cert_issuer)?; - Some(common::Asn1ReadableOrWritable::new_write( - asn1::SequenceOfWriter::new(gns), - )) + Some(asn1::SequenceOfWriter::new(gns)) } else { None }; @@ -69,7 +65,9 @@ pub(crate) fn encode_authority_key_identifier<'a>( } else { None }; - Ok(asn1::write_single(&extensions::AuthorityKeyIdentifier { + Ok(asn1::write_single(&extensions::AuthorityKeyIdentifier::< + Asn1Write, + > { authority_cert_issuer, authority_cert_serial_number, key_identifier: aki.key_identifier.as_deref(), @@ -96,16 +94,14 @@ pub(crate) fn encode_distribution_points<'p>( let crl_issuer = if let Some(py_crl_issuer) = py_dp.crl_issuer { let gns = x509::common::encode_general_names(py, &ka_bytes, &ka_str, &py_crl_issuer)?; - Some(common::Asn1ReadableOrWritable::new_write( - asn1::SequenceOfWriter::new(gns), - )) + Some(asn1::SequenceOfWriter::new(gns)) } else { None }; let distribution_point = if let Some(py_full_name) = py_dp.full_name { let gns = x509::common::encode_general_names(py, &ka_bytes, &ka_str, &py_full_name)?; Some(extensions::DistributionPointName::FullName( - common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), + asn1::SequenceOfWriter::new(gns), )) } else if let Some(py_relative_name) = py_dp.relative_name { let mut name_entries = vec![]; 
@@ -114,7 +110,7 @@ pub(crate) fn encode_distribution_points<'p>( name_entries.push(ne); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( - common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(name_entries)), + asn1::SetOfWriter::new(name_entries), )) } else { None @@ -338,7 +334,7 @@ fn encode_issuing_distribution_point( let py_full_name = ext.getattr(pyo3::intern!(py, "full_name"))?; let gns = x509::common::encode_general_names(ext.py(), &ka_bytes, &ka_str, &py_full_name)?; Some(extensions::DistributionPointName::FullName( - common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), + asn1::SequenceOfWriter::new(gns), )) } else if ext .getattr(pyo3::intern!(py, "relative_name"))? @@ -353,7 +349,7 @@ fn encode_issuing_distribution_point( name_entries.push(name_entry); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( - common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(name_entries)), + asn1::SetOfWriter::new(name_entries), )) } else { None @@ -610,7 +606,7 @@ pub(crate) fn encode_extension( let permitted = ext.getattr(pyo3::intern!(py, "permitted_subtrees"))?; let excluded = ext.getattr(pyo3::intern!(py, "excluded_subtrees"))?; - let nc = extensions::NameConstraints { + let nc = extensions::NameConstraints:: { permitted_subtrees: encode_general_subtrees( ext.py(), &ka_bytes, From 0c7607294cf4b3384598c3a523a404ddef9b6099 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 24 Nov 2024 16:10:15 -0500 Subject: [PATCH 1443/1462] Convert the remaining extensions to use Asn1Operation (#12030) --- src/rust/cryptography-x509/src/extensions.rs | 31 +++++++------------- src/rust/src/x509/certificate.rs | 15 +++++----- src/rust/src/x509/extensions.rs | 24 +++++---------- 3 files changed, 25 insertions(+), 45 deletions(-) diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index 2e8299d9b5c5..2ffa8781d1a0 100644 
--- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -273,45 +273,34 @@ pub struct NamingAuthority<'a> { pub text: Option>, } -type SequenceOfDisplayTexts<'a> = common::Asn1ReadableOrWritable< - asn1::SequenceOf<'a, DisplayText<'a>>, - asn1::SequenceOfWriter<'a, DisplayText<'a>, Vec>>, ->; +type SequenceOfDisplayTexts<'a, Op> = ::SequenceOfVec<'a, DisplayText<'a>>; -type SequenceOfObjectIdentifiers<'a> = common::Asn1ReadableOrWritable< - asn1::SequenceOf<'a, asn1::ObjectIdentifier>, - asn1::SequenceOfWriter<'a, asn1::ObjectIdentifier, Vec>, ->; +type SequenceOfObjectIdentifiers<'a, Op> = + ::SequenceOfVec<'a, asn1::ObjectIdentifier>; #[derive(asn1::Asn1Read, asn1::Asn1Write)] -pub struct ProfessionInfo<'a> { +pub struct ProfessionInfo<'a, Op: Asn1Operation> { #[explicit(0)] pub naming_authority: Option>, - pub profession_items: SequenceOfDisplayTexts<'a>, - pub profession_oids: Option>, + pub profession_items: SequenceOfDisplayTexts<'a, Op>, + pub profession_oids: Option>, pub registration_number: Option>, pub add_profession_info: Option<&'a [u8]>, } #[derive(asn1::Asn1Read, asn1::Asn1Write)] -pub struct Admission<'a> { +pub struct Admission<'a, Op: Asn1Operation + 'a> { #[explicit(0)] pub admission_authority: Option>, #[explicit(1)] pub naming_authority: Option>, - pub profession_infos: common::Asn1ReadableOrWritable< - asn1::SequenceOf<'a, ProfessionInfo<'a>>, - asn1::SequenceOfWriter<'a, ProfessionInfo<'a>, Vec>>, - >, + pub profession_infos: Op::SequenceOfVec<'a, ProfessionInfo<'a, Op>>, } #[derive(asn1::Asn1Read, asn1::Asn1Write)] -pub struct Admissions<'a> { +pub struct Admissions<'a, Op: Asn1Operation> { pub admission_authority: Option>, - pub contents_of_admissions: common::Asn1ReadableOrWritable< - asn1::SequenceOf<'a, Admission<'a>>, - asn1::SequenceOfWriter<'a, Admission<'a>, Vec>>, - >, + pub contents_of_admissions: Op::SequenceOfVec<'a, Admission<'a, Op>>, } #[cfg(test)] 
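Review bot: `Admission` is declared with `Op: Asn1Operation + 'a` while `ProfessionInfo` and `Admissions` in the same hunk use plain `Op: Asn1Operation`, and the reason for the extra bound is not recorded. Presumably it is needed because `profession_infos` is `Op::SequenceOfVec<'a, ProfessionInfo<'a, Op>>` and the associated type carries a `T: 'a` clause. A comment such as `// Op: 'a is required so that ProfessionInfo<'a, Op> satisfies SequenceOfVec's T: 'a clause` would stop a later cleanup from removing it.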
diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index bfa3a946f789..adef55f6abf3 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -726,7 +726,7 @@ fn parse_naming_authority<'p>( fn parse_profession_infos<'p, 'a>( py: pyo3::Python<'p>, - profession_infos: &asn1::SequenceOf<'a, ProfessionInfo<'a>>, + profession_infos: &asn1::SequenceOf<'a, ProfessionInfo<'a, Asn1Read>>, ) -> CryptographyResult> { let py_infos = pyo3::types::PyList::empty(py); for info in profession_infos.clone() { @@ -735,14 +735,14 @@ fn parse_profession_infos<'p, 'a>( None => py.None().into_bound(py), }; let py_profession_items = pyo3::types::PyList::empty(py); - for item in info.profession_items.unwrap_read().clone() { + for item in info.profession_items { let py_item = parse_display_text(py, item)?; py_profession_items.append(py_item)?; } let py_profession_oids = match info.profession_oids { Some(oids) => { let py_oids = pyo3::types::PyList::empty(py); - for oid in oids.unwrap_read().clone() { + for oid in oids { let py_oid = oid_to_py_oid(py, &oid)?; py_oids.append(py_oid)?; } @@ -772,7 +772,7 @@ fn parse_profession_infos<'p, 'a>( fn parse_admissions<'p, 'a>( py: pyo3::Python<'p>, - admissions: &asn1::SequenceOf<'a, Admission<'a>>, + admissions: &asn1::SequenceOf<'a, Admission<'a, Asn1Read>>, ) -> CryptographyResult> { let py_admissions = pyo3::types::PyList::empty(py); for admission in admissions.clone() { @@ -784,7 +784,7 @@ fn parse_admissions<'p, 'a>( Some(data) => parse_naming_authority(py, data)?, None => py.None().into_bound(py), }; - let py_infos = parse_profession_infos(py, admission.profession_infos.unwrap_read())?; + let py_infos = parse_profession_infos(py, &admission.profession_infos)?; let py_entry = types::ADMISSION.get(py)?.call1(( py_admission_authority, 
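Review bot: `parse_profession_infos` still takes `&asn1::SequenceOf<…>` and iterates over `profession_infos.clone()`, whereas `parse_general_subtrees` in the same file was converted by the preceding patch to take its sequence by value and loop over it directly. With `unwrap_read()` gone, the caller appears to own the field, so the parameter could become `profession_infos: asn1::SequenceOf<'a, ProfessionInfo<'a, Asn1Read>>`, the loop `for info in profession_infos {`, and the call `parse_profession_infos(py, admission.profession_infos)?`. The same applies to `parse_admissions` in the `-772` hunk and its call in the `ADMISSIONS_OID` arm. This assumes neither value is used after the call, which the hunks do not show in full; both function bodies continue outside them.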
@@ -935,13 +935,12 @@ pub fn parse_cert_ext<'p>( ))?)) } oid::ADMISSIONS_OID => { - let admissions = ext.value::>()?; + let admissions = ext.value::>()?; let admission_authority = match admissions.admission_authority { Some(authority) => x509::parse_general_name(py, authority)?, None => py.None().into_bound(py), }; - let py_admissions = - parse_admissions(py, admissions.contents_of_admissions.unwrap_read())?; + let py_admissions = parse_admissions(py, &admissions.contents_of_admissions)?; Ok(Some( types::ADMISSIONS .get(py)? diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index c676dc0cd3f3..3b67dfa2ecd2 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -2,10 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use cryptography_x509::{ - common::{self, Asn1Write}, - crl, extensions, oid, -}; +use cryptography_x509::{common::Asn1Write, crl, extensions, oid}; use crate::asn1::{py_oid_to_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; @@ -456,7 +453,7 @@ fn encode_profession_info<'a>( ka_bytes: &'a cryptography_keepalive::KeepAlive, ka_str: &'a cryptography_keepalive::KeepAlive, py_info: &pyo3::Bound<'a, pyo3::PyAny>, -) -> CryptographyResult> { +) -> CryptographyResult> { let py_naming_authority = py_info.getattr(pyo3::intern!(py, "naming_authority"))?; let naming_authority = if !py_naming_authority.is_none() { Some(encode_naming_authority(py, ka_str, &py_naming_authority)?) 
@@ -471,8 +468,7 @@ fn encode_profession_info<'a>( let item = extensions::DisplayText::Utf8String(asn1::Utf8String::new(py_item_str)); profession_items.push(item); } - let profession_items = - common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(profession_items)); + let profession_items = asn1::SequenceOfWriter::new(profession_items); let py_oids = py_info.getattr(pyo3::intern!(py, "profession_oids"))?; let profession_oids = if !py_oids.is_none() { let mut profession_oids = vec![]; @@ -481,9 +477,7 @@ fn encode_profession_info<'a>( let oid = py_oid_to_oid(py_oid)?; profession_oids.push(oid); } - Some(common::Asn1ReadableOrWritable::new_write( - asn1::SequenceOfWriter::new(profession_oids), - )) + Some(asn1::SequenceOfWriter::new(profession_oids)) } else { None }; @@ -524,7 +518,7 @@ fn encode_admission<'a>( ka_bytes: &'a cryptography_keepalive::KeepAlive, ka_str: &'a cryptography_keepalive::KeepAlive, py_admission: &pyo3::Bound<'a, pyo3::PyAny>, -) -> CryptographyResult> { +) -> CryptographyResult> { let py_admission_authority = py_admission.getattr(pyo3::intern!(py, "admission_authority"))?; let admission_authority = if !py_admission_authority.is_none() { Some(x509::common::encode_general_name( @@ -548,8 +542,7 @@ fn encode_admission<'a>( for py_info in py_profession_infos.try_iter()? { profession_infos.push(encode_profession_info(py, ka_bytes, ka_str, &py_info?)?); } - let profession_infos = - common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(profession_infos)); + let profession_infos = asn1::SequenceOfWriter::new(profession_infos); Ok(extensions::Admission { admission_authority, naming_authority, 
@@ -726,10 +719,9 @@ pub(crate) fn encode_extension( admissions.push(admission); } - let contents_of_admissions = - common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(admissions)); + let contents_of_admissions = asn1::SequenceOfWriter::new(admissions); - let admission = extensions::Admissions { + let admission = extensions::Admissions:: { admission_authority, contents_of_admissions, }; From 3c7c54ffc8c8ffa9f55c149d6076a6a83138e111 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Nov 2024 12:21:20 +0000 Subject: [PATCH 1444/1462] chore(deps): bump coverage from 7.6.1 to 7.6.8 (#12032) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.6.1 to 7.6.8. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.6.1...7.6.8) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 612b3750238a..63f6428cd0e6 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -45,7 +45,7 @@ coverage==7.2.7 ; python_full_version < '3.8' # via pytest-cov coverage==7.6.1 ; python_full_version == '3.8.*' # via pytest-cov -coverage==7.6.7 ; python_full_version >= '3.9' +coverage==7.6.8 ; python_full_version >= '3.9' # via pytest-cov distlib==0.3.9 # via virtualenv From 7971c6b3e0143e761037b58bd53775bd2446d58e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Nov 2024 12:21:48 +0000 Subject: [PATCH 1445/1462] chore(deps): bump portable-atomic from 1.9.0 to 1.10.0 (#12031) Bumps [portable-atomic](https://github.com/taiki-e/portable-atomic) from 1.9.0 to 1.10.0. - [Release notes](https://github.com/taiki-e/portable-atomic/releases) - [Changelog](https://github.com/taiki-e/portable-atomic/blob/main/CHANGELOG.md) - [Commits](https://github.com/taiki-e/portable-atomic/compare/v1.9.0...v1.10.0) --- updated-dependencies: - dependency-name: portable-atomic dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 345fe67c0afa..dea0e186fc99 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -242,9 +242,9 @@ checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2" [[package]] name = "portable-atomic" -version = "1.9.0" +version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cc9c68a3f6da06753e9335d63e27f6b9754dd1920d941135b7ea8224f141adb2" +checksum = "280dc24453071f1b63954171985a0b0d30058d287960968b9b2aca264c8d4ee6" [[package]] name = "proc-macro2" From a7f95c1d2094e5c0a95531245cfbbc310318dade Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 26 Nov 2024 00:30:29 +0000 Subject: [PATCH 1446/1462] Bump BoringSSL and/or OpenSSL in CI (#12034) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9da5176b7eaa..53889641ed88 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,10 +45,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 24, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "a351cc0c570a436f182c51efda65bd6e72f62ab8"}} - # Latest commit on the OpenSSL master branch, as of Nov 23, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ea5817854cf67b89c874101f209f06ae016fd333"}} + # Latest commit on the BoringSSL master branch, as of Nov 26, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "705a80f6955bf1fa63572dbc4e0729e698c1d9db"}} + # Latest commit on the OpenSSL master branch, as of Nov 26, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b9886a6f3483e0525596d3b3956416282038da82"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. # - 1.70: crates.io sparse protocol by default From 84aa9d6eefa9fcc4ea930dba3ead944bb9f6e867 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 26 Nov 2024 00:39:08 +0000 Subject: [PATCH 1447/1462] Bump x509-limbo and/or wycheproof in CI (#12035) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index ff12ad56b059..bff2a1781a89 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml 
@@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Nov 20, 2024. - ref: "169fb4337b2811ddf4df3672e2614cb54aea5ab6" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Nov 26, 2024. + ref: "a994fa8e3b661757b0b64ca23a07588c2a3d047b" # x509-limbo-ref From 8f522feb12999085680ae224ede0b8756ea079a0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Nov 2024 04:44:57 +0000 Subject: [PATCH 1448/1462] chore(deps): bump pyo3 from 0.23.1 to 0.23.2 (#12038) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.23.1 to 0.23.2. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/main/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.23.1...v0.23.2) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 20 ++++++++++---------- Cargo.toml | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index dea0e186fc99..78e40fd43554 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -257,9 +257,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.23.1" +version = "0.23.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7ebb0c0cc0de9678e53be9ccf8a2ab53045e6e3a8be03393ceccc5e7396ccb40" +checksum = "f54b3d09cbdd1f8c20650b28e7b09e338881482f4aa908a5f61a00c98fba2690" dependencies = [ "cfg-if", "indoc", 
@@ -275,9 +275,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.23.1" +version = "0.23.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "80e3ce69c4ec34476534b490e412b871ba03a82e35604c3dfb95fcb6bfb60c09" +checksum = "3015cf985888fe66cfb63ce0e321c603706cd541b7aec7ddd35c281390af45d8" dependencies = [ "once_cell", "target-lexicon", @@ -285,9 +285,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.23.1" +version = "0.23.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3b09f311c76b36dfd6dd6f7fa6f9f18e7e46a1c937110d283e80b12ba2468a75" +checksum = "6fca7cd8fd809b5ac4eefb89c1f98f7a7651d3739dfb341ca6980090f554c270" dependencies = [ "libc", "pyo3-build-config", @@ -295,9 +295,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.23.1" +version = "0.23.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd4f74086536d1e1deaff99ec0387481fb3325c82e4e48be0e75ab3d3fcb487a" +checksum = "34e657fa5379a79151b6ff5328d9216a84f55dc93b17b08e7c3609a969b73aa0" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -307,9 +307,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.23.1" +version = "0.23.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9e77dfeb76b32bbf069144a5ea0a36176ab59c8db9ce28732d0f06f096bbfbc8" +checksum = "295548d5ffd95fd1981d2d3cf4458831b21d60af046b729b6fd143b0ba7aee2f" dependencies = [ "heck", "proc-macro2", diff --git a/Cargo.toml b/Cargo.toml index 86f3e4042b26..26ecfa4ed6c4 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -20,7 +20,7 @@ rust-version = "1.65.0" [workspace.dependencies] asn1 = { version = "0.20.0", default-features = false } -pyo3 = { version = "0.23.1", features = ["abi3"] } +pyo3 = { version = "0.23.2", features = ["abi3"] } [profile.release] overflow-checks = true From abecfaadb2e3df3bcd28ef596edfa226e88133c9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Nov 2024 04:45:11 +0000 Subject: [PATCH 1449/1462] chore(deps): bump itoa from 1.0.13 to 1.0.14 (#12039) Bumps [itoa](https://github.com/dtolnay/itoa) from 1.0.13 to 1.0.14. - [Release notes](https://github.com/dtolnay/itoa/releases) - [Commits](https://github.com/dtolnay/itoa/compare/1.0.13...1.0.14) --- updated-dependencies: - dependency-name: itoa dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 78e40fd43554..0aeb82911487 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -162,9 +162,9 @@ checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "itoa" -version = "1.0.13" +version = "1.0.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "540654e97a3f4470a492cd30ff187bc95d89557a903a2bbf112e2fae98104ef2" +checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674" [[package]] name = "libc" From 85d92f6ecc03dcec8984f12104a0807b2797d9d9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Nov 2024 04:51:49 +0000 Subject: [PATCH 1450/1462] chore(deps): bump virtualenv from 20.27.1 to 20.28.0 (#12040) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.27.1 to 20.28.0. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.27.1...20.28.0) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 63f6428cd0e6..3331ce04c01c 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -296,7 +296,7 @@ uv==0.5.4 ; python_full_version >= '3.8' # via nox virtualenv==20.26.6 ; python_full_version < '3.8' # via nox -virtualenv==20.27.1 ; python_full_version >= '3.8' +virtualenv==20.28.0 ; python_full_version >= '3.8' # via nox webencodings==0.5.1 ; python_full_version < '3.8' # via bleach From b8e5bfd4d7b35ba8d18b8052266e2cdae4963970 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Nov 2024 04:56:22 +0000 Subject: [PATCH 1451/1462] chore(deps): bump libc from 0.2.164 to 0.2.165 (#12042) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.164 to 0.2.165. - [Release notes](https://github.com/rust-lang/libc/releases) - [Changelog](https://github.com/rust-lang/libc/blob/0.2.165/CHANGELOG.md) - [Commits](https://github.com/rust-lang/libc/compare/0.2.164...0.2.165) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 0aeb82911487..505ac2a51071 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -168,9 +168,9 @@ checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674" [[package]] name = "libc" -version = "0.2.164" +version = "0.2.165" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "433bfe06b8c75da9b2e3fbea6e5329ff87748f0b144ef75306e674c3f6f7c13f" +checksum = "fcb4d3d38eab6c5239a362fa8bae48c03baf980a6e7079f063942d563ef3533e" [[package]] name = "memoffset" From d6cac753c2fcf8e0ca52ee7038a7d729ad5d763a Mon Sep 17 00:00:00 2001 
From: Quentin Retourne <32574188+nitneuqr@users.noreply.github.com> Date: Tue, 26 Nov 2024 14:39:53 +0100 Subject: [PATCH 1452/1462] Add support for decrypting S/MIME messages (#11555) * first python API proposition first round-trip tests feat: made asn1 structures readable refacto: adapted existing functions accordingly feat/pkcs12: added symmetric_decrypt feat: deserialize 3 possible encodings feat: handling AES-128 feat: raise error when no recipient is found feat/pkcs7: added decanonicalize function feat/asn1: added decode_der_data feat/pkcs7: added smime_enveloped_decode tests are the round-trip (encrypt & decrypt) more tests for 100% python coverage test support pkcs7_encrypt with openssl added algorithm to pkcs7_encrypt signature refacto: decrypt function is clearer flow is more natural refacto: added all rust error tests refacto: added another CA chain for checking fix: const handling Refactor PKCS7Decryptor to pkcs7_decrypt refacto: removed SMIME_ENVELOPED_DECODE from rust code refacto: removed decode_der_data adapted tests accordingly removed the PEM tag check added tests for smime_decnonicalize one more test case Update src/rust/src/pkcs7.rs Co-authored-by: Alex Gaynor took comments into account pem to der is now outside of decrypt fix: removed test_support pkcs7_encrypt added vector for aes_256_cbc encrypted pkcs7 feat: not using test_support decrypt anymore added new vectors for PKCS7 tests feat: using pkcs7 vectors removed previous ones fix: changed wrong function feat: added certificate issuer check test: generating the RSA chain removed the vectors accordingly moved symmetric_decrypt to pkcs7.rs * Update src/cryptography/hazmat/primitives/serialization/pkcs7.py Co-authored-by: Alex Gaynor * fix: removed use of deprecated new_bound for PyBytes * corrected some error types * updated tests accordingly * fix: handling other key encryption algorithms added vectors & tests accordingly * first attempts raising error when no header to remove * one more test 
to handle text data without header * fix: went back to the previous implementation * refacto: removed the return part * feat: Binary option does not seem useful for decryption removed decanonicalization function adapted tests accordingly * moved logic into rust only left some checks (for now?) * removed pyfunction for the inner decrypt one * added checks in rust now :) changed name for clarity * removed unused function * some checks not needed anymore * removed a parameter * took comments into account * removed unused import removed excess get_type * added first unwrap corrections cleaned tests, added some others added more vectors * no more unwrap for parameter checks * removing headers is Python now added tests accordingly will compare with OpenSSL * final corrections? * first version of documentation some minor refactoring * corrected doctests * better indentation * doctest: added RSA private key * oops --------- Co-authored-by: Alex Gaynor --- CHANGELOG.rst | 4 + docs/development/test-vectors.rst | 3 + .../primitives/asymmetric/serialization.rst | 247 ++++++++++++- .../hazmat/bindings/_rust/pkcs7.pyi | 19 + .../hazmat/bindings/_rust/test_support.pyi | 7 - .../hazmat/primitives/serialization/pkcs7.py | 33 ++ src/rust/src/pkcs7.rs | 266 +++++++++++++- src/rust/src/test_support.rs | 47 --- src/rust/src/types.rs | 15 + tests/hazmat/primitives/test_pkcs7.py | 325 +++++++++++++++++- .../pkcs7/enveloped-no-content.der | Bin 0 -> 653 bytes 11 files changed, 886 insertions(+), 80 deletions(-) create mode 100644 vectors/cryptography_vectors/pkcs7/enveloped-no-content.der diff --git a/CHANGELOG.rst b/CHANGELOG.rst index eea6e0914985..809bfbe32d6a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -26,6 +26,10 @@ Changelog * Added support for :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id` when using OpenSSL 3.2.0+. * Added support for the :class:`~cryptography.x509.Admissions` certificate extension. +* Added basic support for PKCS7 decryption (including S/MIME 3.2) via + :class:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der`, + :class:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem`, and + :class:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime`. .. _v43-0-3: diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 6bc031464ef9..b5097cbb1b77 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -882,6 +882,9 @@ Custom PKCS7 Test Vectors * ``pkcs7/enveloped-rsa-oaep.pem``- A PEM encoded PKCS7 file with enveloped data, with key encrypted using RSA-OAEP, under the public key of ``x509/custom/ca/rsa_ca.pem``. +* ``pkcs7/enveloped-no-content.der``- A DER encoded PKCS7 file with + enveloped data, without encrypted content, with key encrypted under the + public key of ``x509/custom/ca/rsa_ca.pem``. Custom OpenSSH Test Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/hazmat/primitives/asymmetric/serialization.rst b/docs/hazmat/primitives/asymmetric/serialization.rst index 158d7834fbf7..6d1130cbc729 100644 --- a/docs/hazmat/primitives/asymmetric/serialization.rst +++ b/docs/hazmat/primitives/asymmetric/serialization.rst @@ -1001,11 +1001,6 @@ PKCS7 is a format described in :rfc:`2315`, among other specifications. It can contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``, ``p7m``, or ``p7s`` file suffix but other suffixes are also seen in the wild. -.. note:: - - ``cryptography`` only supports parsing certificates from PKCS7 files at - this time. - .. data:: PKCS7HashTypes .. versionadded:: 40.0.0 
@@ -1126,6 +1121,60 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``, -----END CERTIFICATE----- """.strip() + ca_key_rsa = b""" + -----BEGIN PRIVATE KEY----- + MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDQSIXkXNR0+DM1 + eRr1Gw5PQhVOg06JkQKTakZos64kapujmOB7d3e9QV6IOvyAZKgJ2eP1yUONBuLF + Q2+dpNdaD73yfxeaXPulKjwS/kBs2BpCaLmwKlxaSOqMNKmshTUC79E/aOModEED + qBr4Apr/daporS62TV7uFPUu+hvg4hkk/kMjJDMY/lbBkbEUQbn1dbq3J7xVo1Ok + NvnK9nKdJjABvejU8iLJGIifLy9N1s+A1+JJTuF+O3z5g51PzjJ+Em7zGfPeo9S9 + CdOEvrlU4U5MUFnBXKl4V+ajPJM3IyVJsmxZW39edI91ornFuPCv4+3ydMfat4lK + OBr2tHKEnIJSVnIKPwQQsBQ8PDVW2u56cUkTImkt6k79HRBXEZ7wcnPu4chscZVn + UxPbR4rFCNXmVZPT/c4qjTmSrHGPGV9fvwuDPV+vWOwPCO+BeXTtuyEcnBIDq0qN + s9TYX0sG6ia/WtkwbUbBYp5/K4ygSMzZ9BOafYztVo8bZHIx3116SzfBRTL6GCPZ + fyvmVg5vbG6GhfI64KM0nNNOABXpgB+/ZpghlUSl59bwwKOAywuqdzYgRWEHGG1v + Vfm3hg+rK7BesSbbmP1MLT0Ti1ks7ggq2f+AZZqTbEdHoSBRb8xCo1+q0dsqd2Cp + YLg2zATCjKX0hsQBcHGezomsUdtFBwIDAQABAoICAQDH6YQRvwPwzTWhkn7MWU6v + xjbbJ+7e3T9CrNOttSBlNanzKU31U6KrFS4dxbgLqBEde3Rwud/LYZuRSPu9rLVC + bS+crF3EPJEQY2xLspu1nOn/abMoolAIHEp7jiR5QVWzXulRWmQFtSed0eEowJ9y + qMaKOAdI1RRToev/TfIqM/l8Z0ubVChzSdONcUAsuDU7ouc22r3K2Lv0Nwwkwc0a + hse3NEdg9JNsvs6LM2fM52w9N3ircjm+xmxatPft3HTcSucREIzg2hDb7K2HkOQj + 0ykq2Eh97ml+56eocADBAEvO46FZVxf2WhxEBY8Xdz4VJMmDWJFmnZj5ksZWmrX6 + U5BfFY7DZvE2EpoZ5ph1Fm6dcXrJFkaZEyJLlzFKehXMipVenjCanIPpEEUvIz+p + m0QVoNJRj/GcNyIEZ0BCXedBOUWU4XE1pG4r6oZqwUvcjsVrqXP5kbJMVybiS6Kd + 6T8ve+4qsn3ZvGRVKjInqf2WI0Wvum2sTF+4OAkYvFel9dKNjpYnnj4tLFc/EKWz + 9+pE/Zz5fMOyMD9qXM6bdVkPjWjy1vXmNW4qFCZljrb395hTvsAPMsO6bbAM+lu6 + YcdOAf8k7awTb79kPMrPcbCygyKSGN9C9T3a/Nhrbr3TPi9SD9hC5Q8bL9uSHcR2 + hgRQcApxsfDRrGwy2lheEQKCAQEA/Hrynao+k6sYtlDc/ueCjb323EzsuhOxPqUZ + fKtGeFkJzKuaKTtymasvVpAAqJBEhTALrptGWlJQ0Y/EVaPpZ9pmk791EWNXdXsX + wwufbHxm6K9aOeogev8cd+B/9wUAQPQVotyRzCcOfbVe7t81cBNktqam5Zb9Y4Zr + qu63gBB1UttdmIF5qitl3JcFztlBjiza2UrqgVdKE+d9vLR84IBRy3dyQIOi6C1c + y37GNgObjx8ZcUVV54/KgvoVvDkvN6TEbUdC9eQz7FW7DA7MMVqyDvWZrSjBzVhK 
+ 2bTrd+Pi6S4n/ETvA6XRufHC8af4bdE2hzuq5VZO1kkgH37djwKCAQEA0y/YU0b4 + vCYpZ1MNhBFI6J9346DHD55Zu5dWFRqNkC0PiO6xEMUaUMbG4gxkiQPNT5WvddQs + EbRQTnd4FFdqB7XWoH+wERN7zjbT+BZVrHVC4gxEEy33s5oXGn7/ATxaowo7I4oq + 15MwgZu3hBNxVUtuePZ6D9/ePNGOGOUtdMRrusmVX7gZEXxwvlLJXyVepl2V4JV1 + otI8EZCcoRhSfeYNEs4VhN0WmfMSV7ge0eFfVb6Lb+6PCcasYED8S0tBN2vjzvol + zCMv8skPATm7SopqBDoBPcXCHwN/gUFXHf/lrvE6bbeX1ZMxnRYKdQLLNYyQK9cr + nCUJXuNM21tVCQKCAQBapCkFwWDF0t8EVPOB78tG57QAUv2JsBgpzUvhHfwmqJCE + Efc+ZkE2Oea8xOX3nhN7XUxUWxpewr6Q/XQW6smYpye8UzfMDkYPvylAtKN/Zwnq + 70kNEainf37Q6qAGJp14tCgwV89f44WoS7zRNQESQ2QczqeMNTCy0kdFDn6CU2ZL + YMWxQopTNVFUaEOFhympySCoceTOmm/VxX22iXVrg6XZzgAOeTO69s4hoFm4eoMW + Vqvjpmi4wT6K1w2GjWEOMPDz6ml3rX2WkxCbu5RDA7R4+mM5bzBkcBYvImyGliGY + ZSGlx3mnbZhlkQ3Tg+IESt+wnRM1Uk7rT0VhCUKxAoIBABWYuPibM2iaRnWoiqNM + 2TXgyPPgRzsTqH2ElmsGEiACW6pXLohWf8Bu83u+ZLGWT/Kpjg3wqqkM1YGQuhjq + b49mSxKSvECiy3BlLvwZ3J0MSNCxDG0hsEkPovk0r4NC1soBi9awlH0DMlyuve+l + xVtBoYSBQC5LaICztWJaXXGpfJLXdo0ZWIbvQOBVuv4d5jYBMAiNgEAsW7Q4I6xd + vmHdmsyngo/ZxCvuLZwG2jAAai1slPnXXY1UYeBeBO72PS8bu2o5LpBXsNmVMhGg + A8U1rm3MOMBGbvmY8/sV4YDR4H0pch4yPja7HMHBtUQOCxXoz/2LvYv0RacMe5mb + F3ECggEAWxQZnT8pObxKrISZpHSKi54VxuLYbemS63Tdr4HE/KuiFAvbM6AeZOki + jbiMnqrCTOhJRS/i9HV78zSxRZZyVm961tnsjqMyaamX/S4yD7v3Vzu1mfsdVCa2 + Sl+JUUxsEgs/G3Fu6I/0TsCSn/HgNLM8b3f8TDkbpnOqKX165ddojXqSCfxjuYau + Szih/+jF1dz2/zBye1ARkLRdY/SzlzGl0cVn8bfkE0YEde7wvQ624Biy7r9i1o40 + 7cy/8EQBR2FcXpOAZ7UgOqgGLNhXnd4FPsX4ldKOf5De8FErQOFirJ8pCUxFGr0U + fDWXtBuybAb5u+ZaVwHgqaaPCkKkVQ== + -----END PRIVATE KEY----- + """.strip() .. class:: PKCS7SignatureBuilder 
@@ -1261,28 +1310,204 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``, this operation only :attr:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options.Text` and :attr:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options.Binary` - are supported. + are supported, and cannot be used at the same time. :returns bytes: The enveloped PKCS7 message. +.. function:: pkcs7_decrypt_der(data, certificate, private_key, options) + + .. versionadded:: 44.0.0 + + .. doctest:: + + >>> from cryptography import x509 + >>> from cryptography.hazmat.primitives import serialization + >>> from cryptography.hazmat.primitives.serialization import pkcs7 + >>> cert = x509.load_pem_x509_certificate(ca_cert_rsa) + >>> key = serialization.load_pem_private_key(ca_key_rsa, None) + >>> options = [pkcs7.PKCS7Options.Text] + >>> enveloped = pkcs7.PKCS7EnvelopeBuilder().set_data( + ... b"data to encrypt" + ... ).add_recipient( + ... cert + ... ).encrypt( + ... serialization.Encoding.DER, options + ... ) + >>> pkcs7.pkcs7_decrypt_der(enveloped, cert, key, options) + b'data to encrypt' + + Deserialize and decrypt a DER-encoded PKCS7 message. PKCS7 (or S/MIME) has multiple versions, + but this supports a subset of :rfc:`5751`, also known as S/MIME Version 3.2. + + :param data: The data, encoded in DER format. + :type data: bytes + + :param certificate: A :class:`~cryptography.x509.Certificate` for an intended + recipient of the encrypted message. Only certificates with public RSA keys + are currently supported. + + :param private_key: The :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey` + associated with the certificate provided. Only private RSA keys are supported. + + :param options: A list of + :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options`. For + this operation only + :attr:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options.Text` is supported. 
+ + :returns bytes: The decrypted message. + + :raises ValueError: If the recipient certificate does not match any of the encrypted keys in the + PKCS7 data. + + :raises cryptography.exceptions.UnsupportedAlgorithm: If any of the PKCS7 keys are encrypted + with another algorithm than RSA with PKCS1 v1.5 padding. + + :raises cryptography.exceptions.UnsupportedAlgorithm: If the content is encrypted with + another algorithm than AES-128-CBC. + + :raises ValueError: If the PKCS7 data does not contain encrypted content. + + :raises ValueError: If the PKCS7 data is not of the enveloped data type. + +.. function:: pkcs7_decrypt_pem(data, certificate, private_key, options) + + .. versionadded:: 44.0.0 + + .. doctest:: + + >>> from cryptography import x509 + >>> from cryptography.hazmat.primitives import serialization + >>> from cryptography.hazmat.primitives.serialization import pkcs7 + >>> cert = x509.load_pem_x509_certificate(ca_cert_rsa) + >>> key = serialization.load_pem_private_key(ca_key_rsa, None) + >>> options = [pkcs7.PKCS7Options.Text] + >>> enveloped = pkcs7.PKCS7EnvelopeBuilder().set_data( + ... b"data to encrypt" + ... ).add_recipient( + ... cert + ... ).encrypt( + ... serialization.Encoding.PEM, options + ... ) + >>> pkcs7.pkcs7_decrypt_pem(enveloped, cert, key, options) + b'data to encrypt' + + Deserialize and decrypt a PEM-encoded PKCS7E message. PKCS7 (or S/MIME) has multiple versions, + but this supports a subset of :rfc:`5751`, also known as S/MIME Version 3.2. + + :param data: The data, encoded in PEM format. + :type data: bytes + + :param certificate: A :class:`~cryptography.x509.Certificate` for an intended + recipient of the encrypted message. Only certificates with public RSA keys + are currently supported. + + :param private_key: The :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey` + associated with the certificate provided. Only private RSA keys are supported. 
+ + :param options: A list of + :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options`. For + this operation only + :attr:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options.Text` is supported. + + :returns bytes: The decrypted message. + + :raises ValueError: If the PEM data does not have the PKCS7 tag. + + :raises ValueError: If the recipient certificate does not match any of the encrypted keys in the + PKCS7 data. + + :raises cryptography.exceptions.UnsupportedAlgorithm: If any of the PKCS7 keys are encrypted + with another algorithm than RSA with PKCS1 v1.5 padding. + + :raises cryptography.exceptions.UnsupportedAlgorithm: If the content is encrypted with + another algorithm than AES-128-CBC. + + :raises ValueError: If the PKCS7 data does not contain encrypted content. + + :raises ValueError: If the PKCS7 data is not of the enveloped data type. + +.. function:: pkcs7_decrypt_smime(data, certificate, private_key, options) + + .. versionadded:: 44.0.0 + + .. doctest:: + + >>> from cryptography import x509 + >>> from cryptography.hazmat.primitives import serialization + >>> from cryptography.hazmat.primitives.serialization import pkcs7 + >>> cert = x509.load_pem_x509_certificate(ca_cert_rsa) + >>> key = serialization.load_pem_private_key(ca_key_rsa, None) + >>> options = [pkcs7.PKCS7Options.Text] + >>> enveloped = pkcs7.PKCS7EnvelopeBuilder().set_data( + ... b"data to encrypt" + ... ).add_recipient( + ... cert + ... ).encrypt( + ... serialization.Encoding.SMIME, options + ... ) + >>> pkcs7.pkcs7_decrypt_smime(enveloped, cert, key, options) + b'data to encrypt' + + Deserialize and decrypt a S/MIME-encoded PKCS7 message. PKCS7 (or S/MIME) has multiple versions, + but this supports a subset of :rfc:`5751`, also known as S/MIME Version 3.2. + + :param data: The data. It should be in S/MIME format, meaning MIME with content type + ``application/pkcs7-mime`` or ``application/x-pkcs7-mime``. 
+ :type data: bytes + + :param certificate: A :class:`~cryptography.x509.Certificate` for an intended + recipient of the encrypted message. Only certificates with public RSA keys + are currently supported. + + :param private_key: The :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey` + associated with the certificate provided. Only private RSA keys are supported. + + :param options: A list of + :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options`. For + this operation only + :attr:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options.Text` is supported. + + :returns bytes: The decrypted message. + + :raises ValueError: If the S/MIME data is not one of the correct content types. + + :raises ValueError: If the recipient certificate does not match any of the encrypted keys in the + PKCS7 data. + + :raises cryptography.exceptions.UnsupportedAlgorithm: If any of the PKCS7 keys are encrypted + with another algorithm than RSA with PKCS1 v1.5 padding. + + :raises cryptography.exceptions.UnsupportedAlgorithm: If the content is encrypted with + another algorithm than AES-128-CBC. + + :raises ValueError: If the PKCS7 data does not contain encrypted content. + + :raises ValueError: If the PKCS7 data is not of the enveloped data type. + .. class:: PKCS7Options .. versionadded:: 3.2 - An enumeration of options for PKCS7 signature and envelope creation. + An enumeration of options for PKCS7 signature, envelope creation, and decryption. .. attribute:: Text - The text option adds ``text/plain`` headers to an S/MIME message when - serializing to + For signing, the text option adds ``text/plain`` headers to an S/MIME message when + serializing to :attr:`~cryptography.hazmat.primitives.serialization.Encoding.SMIME`. This option is disallowed with ``DER`` serialization. + For envelope creation, it adds ``text/plain`` headers to the encrypted content, regardless + of the specified encoding. 
+ For envelope decryption, it parses the decrypted content headers (if any), checks if the + content type is 'text/plain', then removes all headers (keeping only the payload) of this + decrypted content. If there is no header, or the content type is not "text/plain", it + raises an error. .. attribute:: Binary - Signing normally converts line endings (LF to CRLF). When - passing this option the data will not be converted. + Signature and envelope creation normally converts line endings (LF to CRLF). When + passing this option, the data will not be converted. .. attribute:: DetachedSignature diff --git a/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi b/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi index a72120a762ec..f9aa81ea0caf 100644 --- a/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi +++ b/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi @@ -6,6 +6,7 @@ import typing from cryptography import x509 from cryptography.hazmat.primitives import serialization +from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives.serialization import pkcs7 def serialize_certificates( @@ -22,6 +23,24 @@ def sign_and_serialize( encoding: serialization.Encoding, options: typing.Iterable[pkcs7.PKCS7Options], ) -> bytes: ... +def decrypt_der( + data: bytes, + certificate: x509.Certificate, + private_key: rsa.RSAPrivateKey, + options: typing.Iterable[pkcs7.PKCS7Options], +) -> bytes: ... +def decrypt_pem( + data: bytes, + certificate: x509.Certificate, + private_key: rsa.RSAPrivateKey, + options: typing.Iterable[pkcs7.PKCS7Options], +) -> bytes: ... +def decrypt_smime( + data: bytes, + certificate: x509.Certificate, + private_key: rsa.RSAPrivateKey, + options: typing.Iterable[pkcs7.PKCS7Options], +) -> bytes: ... def load_pem_pkcs7_certificates( data: bytes, ) -> list[x509.Certificate]: ... 
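Review bot: The three new stubs declare `options: typing.Iterable[pkcs7.PKCS7Options]`, but the Rust functions this commit adds in `src/rust/src/pkcs7.rs` take `options: &pyo3::Bound<'p, pyo3::types::PyList>`. A tuple or set that type-checks against the stub would therefore presumably be rejected with a `TypeError` at call time. I would narrow the stubs for `decrypt_der`, `decrypt_pem` and `decrypt_smime` to `options: list[pkcs7.PKCS7Options]`, or accept any iterable on the Rust side. The `data: bytes` annotation drifts in a similar way: `decrypt_smime` takes a `CffiBuf` while the other two take `&[u8]`, so the accepted buffer types may differ per function.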
diff --git a/src/cryptography/hazmat/bindings/_rust/test_support.pyi b/src/cryptography/hazmat/bindings/_rust/test_support.pyi index a53ee25dd752..ef9f779f2ee9 100644 --- a/src/cryptography/hazmat/bindings/_rust/test_support.pyi +++ b/src/cryptography/hazmat/bindings/_rust/test_support.pyi @@ -13,13 +13,6 @@ class TestCertificate: subject_value_tags: list[int] def test_parse_certificate(data: bytes) -> TestCertificate: ... -def pkcs7_decrypt( - encoding: serialization.Encoding, - msg: bytes, - pkey: serialization.pkcs7.PKCS7PrivateKeyTypes, - cert_recipient: x509.Certificate, - options: list[pkcs7.PKCS7Options], -) -> bytes: ... def pkcs7_verify( encoding: serialization.Encoding, sig: bytes, diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py index 97ea9db8e171..882e345f2e7f 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs7.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs7.py @@ -263,6 +263,11 @@ def encrypt( return rust_pkcs7.encrypt_and_serialize(self, encoding, options) +pkcs7_decrypt_der = rust_pkcs7.decrypt_der +pkcs7_decrypt_pem = rust_pkcs7.decrypt_pem +pkcs7_decrypt_smime = rust_pkcs7.decrypt_smime + + def _smime_signed_encode( data: bytes, signature: bytes, micalg: str, text_mode: bool ) -> bytes: 
@@ -328,6 +333,34 @@ def _smime_enveloped_encode(data: bytes) -> bytes: return m.as_bytes(policy=m.policy.clone(linesep="\n", max_line_length=0)) +def _smime_enveloped_decode(data: bytes) -> bytes: + m = email.message_from_bytes(data) + if m.get_content_type() not in { + "application/x-pkcs7-mime", + "application/pkcs7-mime", + }: + raise ValueError("Not an S/MIME enveloped message") + return bytes(m.get_payload(decode=True)) + + +def _smime_remove_text_headers(data: bytes) -> bytes: + m = email.message_from_bytes(data) + # Using get() instead of get_content_type() since it has None as default, + # where the latter has "text/plain". Both methods are case-insensitive. + content_type = m.get("content-type") + if content_type is None: + raise ValueError( + "Decrypted MIME data has no 'Content-Type' header. " + "Please remove the 'Text' option to parse it manually." + ) + if "text/plain" not in content_type: + raise ValueError( + f"Decrypted MIME data content type is '{content_type}', not " + "'text/plain'. Remove the 'Text' option to parse it manually." + ) + return bytes(m.get_payload(decode=True)) + + class OpenSSLMimePart(email.message.MIMEPart): # A MIMEPart subclass that replicates OpenSSL's behavior of not including # a newline if there are no headers. diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index f6d8a5cfcd6a..90cd063f8b6a 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -16,8 +16,10 @@ use openssl::pkcs7::Pkcs7; use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods}; use crate::asn1::encode_der_data; +use crate::backend::ciphers; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; +use crate::padding::PKCS7UnpaddingContext; use crate::pkcs12::symmetric_encrypt; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use crate::x509::certificate::load_der_x509_certificate; 
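Review bot: In `_smime_remove_text_headers`, the check `"text/plain" not in content_type` is a case-sensitive substring test on the raw header value. It rejects `Text/Plain` but accepts any value that merely contains the string, for instance inside a parameter; the comment's "case-insensitive" only describes the header-name lookup. Comparing the media type itself is stricter: `if content_type.split(";", 1)[0].strip().lower() != "text/plain":`. Both new helpers also end in `bytes(m.get_payload(decode=True))`, and `get_payload(decode=True)` returns `None` for a multipart message, so a multipart value that passes the substring test would surface as a `TypeError` instead of the `ValueError` raised just above it.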
@@ -164,6 +166,265 @@ fn encrypt_and_serialize<'p>( } } +#[pyo3::pyfunction] +fn decrypt_smime<'p>( + py: pyo3::Python<'p>, + data: CffiBuf<'p>, + certificate: pyo3::Bound<'p, x509::certificate::Certificate>, + private_key: pyo3::Bound<'p, pyo3::types::PyAny>, + options: &pyo3::Bound<'p, pyo3::types::PyList>, +) -> CryptographyResult> { + let decoded_smime_data = types::SMIME_ENVELOPED_DECODE + .get(py)? + .call1((data.as_bytes(),))?; + let data = decoded_smime_data.extract()?; + + decrypt_der(py, data, certificate, private_key, options) +} +#[pyo3::pyfunction] +fn decrypt_pem<'p>( + py: pyo3::Python<'p>, + data: &[u8], + certificate: pyo3::Bound<'p, x509::certificate::Certificate>, + private_key: pyo3::Bound<'p, pyo3::types::PyAny>, + options: &pyo3::Bound<'p, pyo3::types::PyList>, +) -> CryptographyResult> { + let pem_str = std::str::from_utf8(data) + .map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid PEM data"))?; + let pem = pem::parse(pem_str) + .map_err(|_| pyo3::exceptions::PyValueError::new_err("Failed to parse PEM data"))?; + + // Raise error if the PEM tag is not PKCS7 + if pem.tag() != "PKCS7" { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "The provided PEM data does not have the PKCS7 tag.", + ), + )); + } + + decrypt_der(py, &pem.into_contents(), certificate, private_key, options) +} + +#[pyo3::pyfunction] +fn decrypt_der<'p>( + py: pyo3::Python<'p>, + data: &[u8], + certificate: pyo3::Bound<'p, x509::certificate::Certificate>, + private_key: pyo3::Bound<'p, pyo3::types::PyAny>, + options: &pyo3::Bound<'p, pyo3::types::PyList>, +) -> CryptographyResult> { + // Check the decrypt parameters + check_decrypt_parameters(py, &certificate, &private_key, options)?; + + // Decrypt the data + let content_info = asn1::parse_single::>(data)?; + let plain_content = match content_info.content { + pkcs7::Content::EnvelopedData(data) => { + // Extract enveloped data + let enveloped_data = data.into_inner(); + + // Get 
recipients, and the one matching with the given certificate (if any) + let mut recipient_infos = enveloped_data.recipient_infos.unwrap_read().clone(); + let recipient_certificate = certificate.get().raw.borrow_dependent(); + let recipient_serial_number = recipient_certificate.tbs_cert.serial; + let recipient_issuer = recipient_certificate.tbs_cert.issuer.clone(); + let found_recipient_info = recipient_infos.find(|info| { + info.issuer_and_serial_number.serial_number == recipient_serial_number + && info.issuer_and_serial_number.issuer == recipient_issuer + }); + + // Raise error when no recipient is found + let recipient_info = match found_recipient_info { + Some(info) => info, + None => { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "No recipient found that matches the given certificate.", + ), + )); + } + }; + + // Raise error when the key encryption algorithm is not RSA + let key = match recipient_info.key_encryption_algorithm.oid() { + &oid::RSA_OID => { + let padding = types::PKCS1V15.get(py)?.call0()?; + private_key + .call_method1( + pyo3::intern!(py, "decrypt"), + (recipient_info.encrypted_key, &padding), + )? + .extract::()? + } + _ => { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "Only RSA with PKCS #1 v1.5 padding is currently supported for key decryption.", + exceptions::Reasons::UNSUPPORTED_SERIALIZATION, + )), + )); + } + }; + + // Get algorithm + // TODO: implement all the possible algorithms + let algorithm_identifier = enveloped_data + .encrypted_content_info + .content_encryption_algorithm; + let (algorithm, mode) = match algorithm_identifier.params { + AlgorithmParameters::Aes128Cbc(iv) => ( + types::AES128.get(py)?.call1((key,))?, + types::CBC + .get(py)? 
+ .call1((pyo3::types::PyBytes::new(py, &iv),))?, + ), + _ => { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "Only AES-128-CBC is currently supported for content decryption.", + exceptions::Reasons::UNSUPPORTED_SERIALIZATION, + )), + )); + } + }; + + // Decrypt the content using the key and proper algorithm + let encrypted_content = match enveloped_data.encrypted_content_info.encrypted_content { + Some(content) => content, + None => { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "The EnvelopedData structure does not contain encrypted content.", + ), + )); + } + }; + let decrypted_content = symmetric_decrypt(py, algorithm, mode, encrypted_content)?; + pyo3::types::PyBytes::new(py, decrypted_content.as_slice()) + } + _ => { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "The PKCS7 data is not an EnvelopedData structure.", + ), + )); + } + }; + + // If text_mode, remove the headers after checking the content type + let plain_data = if options.contains(types::PKCS7_TEXT.get(py)?)? { + let stripped_data = types::SMIME_REMOVE_TEXT_HEADERS + .get(py)? + .call1((plain_content.as_bytes(),))?; + pyo3::types::PyBytes::new(py, stripped_data.extract()?) 
+ } else { + pyo3::types::PyBytes::new(py, plain_content.as_bytes()) + }; + + Ok(plain_data) +} + +fn check_decrypt_parameters<'p>( + py: pyo3::Python<'p>, + certificate: &pyo3::Bound<'p, x509::certificate::Certificate>, + private_key: &pyo3::Bound<'p, pyo3::PyAny>, + options: &pyo3::Bound<'p, pyo3::types::PyList>, +) -> Result<(), CryptographyError> { + // Check if RSA encryption with PKCS1 v1.5 padding is supported (dependent of FIPS mode) + if cryptography_openssl::fips::is_enabled() { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "RSA with PKCS1 v1.5 padding is not supported by this version of OpenSSL.", + exceptions::Reasons::UNSUPPORTED_PADDING, + )), + )); + } + + // Check if all options are from the PKCS7Options enum + let pkcs7_options = types::PKCS7_OPTIONS.get(py)?; + for opt in options.iter() { + if !opt.is_instance(&pkcs7_options)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "options must be from the PKCS7Options enum", + ), + )); + } + } + + // Check if any option is not PKCS7Options::Text + let text_option = types::PKCS7_TEXT.get(py)?; + for opt in options.iter() { + if !opt.eq(text_option.clone())? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Only the following options are supported for decryption: Text", + ), + )); + } + } + + // Check if certificate's public key is an RSA public key + let public_key_type = types::RSA_PUBLIC_KEY.get(py)?; + if !certificate + .call_method0(pyo3::intern!(py, "public_key"))? + .is_instance(&public_key_type)? + { + return Err(CryptographyError::from( + pyo3::exceptions::PyTypeError::new_err( + "Only certificate with RSA public keys are supported at this time.", + ), + )); + } + + // Check if private_key is an instance of RSA private key + let private_key_type = types::RSA_PRIVATE_KEY.get(py)?; + if !private_key.is_instance(&private_key_type)? 
{ + return Err(CryptographyError::from( + pyo3::exceptions::PyTypeError::new_err( + "Only RSA private keys are supported at this time.", + ), + )); + } + + Ok(()) +} + +pub(crate) fn symmetric_decrypt( + py: pyo3::Python<'_>, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, + mode: pyo3::Bound<'_, pyo3::PyAny>, + data: &[u8], +) -> CryptographyResult> { + let block_size = algorithm + .getattr(pyo3::intern!(py, "block_size"))? + .extract()?; + + let mut cipher = + ciphers::CipherContext::new(py, algorithm, mode, openssl::symm::Mode::Decrypt)?; + + // Decrypt the data + let mut decrypted_data = vec![0; data.len() + (block_size / 8)]; + let count = cipher.update_into(py, data, &mut decrypted_data)?; + let final_block = cipher.finalize(py)?; + assert!(final_block.as_bytes().is_empty()); + decrypted_data.truncate(count); + + // Unpad the data + let mut unpadder = PKCS7UnpaddingContext::new(block_size); + let unpadded_first_blocks = unpadder.update(py, CffiBuf::from_bytes(py, &decrypted_data))?; + let unpadded_last_block = unpadder.finalize(py)?; + + let unpadded_data = [ + unpadded_first_blocks.as_bytes(), + unpadded_last_block.as_bytes(), + ] + .concat(); + + Ok(unpadded_data) +} + #[pyo3::pyfunction] fn sign_and_serialize<'p>( py: pyo3::Python<'p>, @@ -507,8 +768,9 @@ fn load_der_pkcs7_certificates<'p>( pub(crate) mod pkcs7_mod { #[pymodule_export] use super::{ - encrypt_and_serialize, load_der_pkcs7_certificates, load_pem_pkcs7_certificates, - serialize_certificates, sign_and_serialize, + decrypt_der, decrypt_pem, decrypt_smime, encrypt_and_serialize, + load_der_pkcs7_certificates, load_pem_pkcs7_certificates, serialize_certificates, + sign_and_serialize, }; } diff --git a/src/rust/src/test_support.rs b/src/rust/src/test_support.rs index 524e904873df..8f4599723680 100644 --- a/src/rust/src/test_support.rs +++ b/src/rust/src/test_support.rs 
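Review bot: In `decrypt_der`, each failure after the recipient match propagates its own error unchanged through `?`: the RSA PKCS #1 v1.5 unwrap in `private_key.decrypt`, the construction of `types::AES128` from the unwrapped key, and the unpadding done by `PKCS7UnpaddingContext` in `symmetric_decrypt`. The content is AES-CBC with no integrity check, so a service that decrypts messages from untrusted senders and reports the failure back lets them tell these cases apart, which is the condition padding-oracle attacks on the key wrap and on the content depend on. I would collapse the three into one generic error, e.g. `.map_err(|_| CryptographyError::from(pyo3::exceptions::PyValueError::new_err("Decryption failed.")))`, and state in the `pkcs7_decrypt_*` documentation that the plaintext is unauthenticated. Separately, `check_decrypt_parameters` reports FIPS mode as "not supported by this version of OpenSSL", which points the user at the wrong cause.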
@@ -103,55 +103,8 @@ fn pkcs7_verify( Ok(()) } -#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] -#[pyo3::pyfunction] -#[pyo3(signature = (encoding, msg, pkey, cert_recipient, options))] -fn pkcs7_decrypt<'p>( - py: pyo3::Python<'p>, - encoding: pyo3::Bound<'p, pyo3::PyAny>, - msg: CffiBuf<'p>, - pkey: pyo3::Bound<'p, pyo3::PyAny>, - cert_recipient: pyo3::Bound<'p, PyCertificate>, - options: pyo3::Bound<'p, pyo3::types::PyList>, -) -> CryptographyResult> { - let p7 = if encoding.is(&types::ENCODING_DER.get(py)?) { - openssl::pkcs7::Pkcs7::from_der(msg.as_bytes())? - } else if encoding.is(&types::ENCODING_PEM.get(py)?) { - openssl::pkcs7::Pkcs7::from_pem(msg.as_bytes())? - } else { - openssl::pkcs7::Pkcs7::from_smime(msg.as_bytes())?.0 - }; - - let mut flags = openssl::pkcs7::Pkcs7Flags::empty(); - if options.contains(types::PKCS7_TEXT.get(py)?)? { - flags |= openssl::pkcs7::Pkcs7Flags::TEXT; - } - - let cert_der = asn1::write_single(cert_recipient.get().raw.borrow_dependent())?; - let cert_ossl = openssl::x509::X509::from_der(&cert_der)?; - - let der = types::ENCODING_DER.get(py)?; - let pkcs8 = types::PRIVATE_FORMAT_PKCS8.get(py)?; - let no_encryption = types::NO_ENCRYPTION.get(py)?.call0()?; - let pkey_bytes = pkey - .call_method1( - pyo3::intern!(py, "private_bytes"), - (der, pkcs8, no_encryption), - )? - .extract::()?; - - let pkey_ossl = openssl::pkey::PKey::private_key_from_der(&pkey_bytes)?; - - let result = p7.decrypt(&pkey_ossl, &cert_ossl, flags)?; - - Ok(pyo3::types::PyBytes::new(py, &result)) -} - #[pyo3::pymodule] pub(crate) mod test_support { - #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - #[pymodule_export] - use super::pkcs7_decrypt; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] #[pymodule_export] use super::pkcs7_verify; diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 3c36145cf32e..37ca3f424249 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs 
@@ -320,6 +320,11 @@ pub static ASN1_TYPE_BMP_STRING: LazyPyImport = pub static ASN1_TYPE_UNIVERSAL_STRING: LazyPyImport = LazyPyImport::new("cryptography.x509.name", &["_ASN1Type", "UniversalString"]); +pub static PKCS7_OPTIONS: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs7", + &["PKCS7Options"], +); + pub static PKCS7_BINARY: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization.pkcs7", &["PKCS7Options", "Binary"], @@ -350,6 +355,16 @@ pub static SMIME_ENVELOPED_ENCODE: LazyPyImport = LazyPyImport::new( &["_smime_enveloped_encode"], ); +pub static SMIME_ENVELOPED_DECODE: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs7", + &["_smime_enveloped_decode"], +); + +pub static SMIME_REMOVE_TEXT_HEADERS: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs7", + &["_smime_remove_text_headers"], +); + pub static SMIME_SIGNED_ENCODE: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization.pkcs7", &["_smime_signed_encode"], diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 63641d61d412..64f14b9dc8a0 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py 
@@ -6,18 +6,28 @@ import email.parser import os import typing +from email.message import EmailMessage import pytest -from cryptography import x509 +from cryptography import exceptions, x509 from cryptography.exceptions import _Reasons from cryptography.hazmat.bindings._rust import test_support from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa from cryptography.hazmat.primitives.serialization import pkcs7 +from tests.x509.test_x509 import _generate_ca_and_leaf +from ...hazmat.primitives.fixtures_rsa import ( + RSA_KEY_2048_ALT, +) +from ...hazmat.primitives.test_rsa import rsa_key_2048 from ...utils import load_vectors_from_file, raises_unsupported_algorithm +# Make ruff happy since we're importing fixtures that pytest patches in as +# func args +__all__ = ["rsa_key_2048"] + @pytest.mark.supported( only_if=lambda backend: backend.pkcs7_supported(), @@ -966,13 +976,13 @@ def test_smime_encrypt_smime_encoding(self, backend, options): b"\x20\x43\x41" ) in payload - decrypted_bytes = test_support.pkcs7_decrypt( - serialization.Encoding.SMIME, + decrypted_bytes = pkcs7.pkcs7_decrypt_smime( enveloped, - private_key, cert, - options, + private_key, + [o for o in options if o != pkcs7.PKCS7Options.Binary], ) + # New lines are canonicalized to '\r\n' when not using Binary expected_data = ( data @@ -1008,12 +1018,11 @@ def test_smime_encrypt_der_encoding(self, backend, options): b"\x20\x43\x41" ) in enveloped - decrypted_bytes = test_support.pkcs7_decrypt( - serialization.Encoding.DER, + decrypted_bytes = pkcs7.pkcs7_decrypt_der( enveloped, - private_key, cert, - options, + private_key, + [o for o in options if o != pkcs7.PKCS7Options.Binary], ) # New lines are canonicalized to '\r\n' when not using Binary expected_data = ( 
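Review bot: `test_smime_encrypt_smime_encoding` and `test_smime_encrypt_der_encoding` (and `test_smime_encrypt_pem_encoding` in the next hunk) now decrypt with the library's own `pkcs7.pkcs7_decrypt_*` instead of the OpenSSL-backed `test_support.pkcs7_decrypt`, which this commit deletes. The encrypt tests thereby lose their independent implementation, so an error made symmetrically in `encrypt_and_serialize` and `decrypt_der` would still pass. Unless the tests added in `TestPKCS7Decrypt` cover OpenSSL-produced vectors for each encoding, I would keep one interoperability check, or add a comment such as `# interop with OpenSSL is covered by the vector tests in TestPKCS7Decrypt` saying where that coverage lives. The filter `[o for o in options if o != pkcs7.PKCS7Options.Binary]` is repeated in all three tests and could be one small helper; the test bodies start outside these hunks.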
@@ -1037,13 +1046,13 @@ def test_smime_encrypt_pem_encoding(self, backend, options): pkcs7.PKCS7EnvelopeBuilder().set_data(data).add_recipient(cert) ) enveloped = builder.encrypt(serialization.Encoding.PEM, options) - decrypted_bytes = test_support.pkcs7_decrypt( - serialization.Encoding.PEM, + decrypted_bytes = pkcs7.pkcs7_decrypt_pem( enveloped, - private_key, cert, - options, + private_key, + [o for o in options if o != pkcs7.PKCS7Options.Binary], ) + # New lines are canonicalized to '\r\n' when not using Binary expected_data = ( data 
@@ -1070,6 +1079,284 @@ def test_smime_encrypt_multiple_recipients(self, backend): assert enveloped.count(common_name_bytes) == 2 +@pytest.mark.supported( + only_if=lambda backend: backend.pkcs7_supported() + and backend.rsa_encryption_supported(padding.PKCS1v15()), + skip_message="Requires OpenSSL with PKCS7 support and PKCS1 v1.5 padding " + "support", +) +class TestPKCS7Decrypt: + @pytest.fixture(name="data") + def fixture_data(self, backend) -> bytes: + return b"Hello world!\n" + + @pytest.fixture(name="certificate") + def fixture_certificate(self, backend) -> x509.Certificate: + certificate, _ = _load_rsa_cert_key() + return certificate + + @pytest.fixture(name="private_key") + def fixture_private_key(self, backend) -> rsa.RSAPrivateKey: + _, private_key = _load_rsa_cert_key() + return private_key + + def test_unsupported_certificate_encryption(self, backend, private_key): + cert_non_rsa, _ = _load_cert_key() + with pytest.raises(TypeError): + pkcs7.pkcs7_decrypt_der(b"", cert_non_rsa, private_key, []) + + def test_not_a_cert(self, backend, private_key): + with pytest.raises(TypeError): + pkcs7.pkcs7_decrypt_der(b"", b"wrong_type", private_key, []) # type: ignore[arg-type] + + def test_not_a_pkey(self, backend, certificate): + with pytest.raises(TypeError): + pkcs7.pkcs7_decrypt_der(b"", certificate, b"wrong_type", []) # type: ignore[arg-type] + + @pytest.mark.parametrize( + "invalid_options", + [ + [b"invalid"], + [pkcs7.PKCS7Options.NoAttributes], + [pkcs7.PKCS7Options.Binary], + ], + ) + def test_pkcs7_decrypt_invalid_options( + self, backend, invalid_options, data, certificate, private_key + ): + with pytest.raises(ValueError): + pkcs7.pkcs7_decrypt_der( + data, certificate, private_key, invalid_options + ) + + @pytest.mark.parametrize("options", [[], [pkcs7.PKCS7Options.Text]]) + def test_pkcs7_decrypt_der( + self, backend, data, certificate, private_key, options + ): + # Encryption + builder = ( + pkcs7.PKCS7EnvelopeBuilder() + .set_data(data) + 
.add_recipient(certificate) + ) + enveloped = builder.encrypt(serialization.Encoding.DER, options) + + # Test decryption: new lines are canonicalized to '\r\n' when + # encryption has no Binary option + decrypted = pkcs7.pkcs7_decrypt_der( + enveloped, certificate, private_key, options + ) + assert decrypted == data.replace(b"\n", b"\r\n") + + @pytest.mark.parametrize( + "header", + [ + "content-type: text/plain", + "CONTENT-TYPE: text/plain", + "MIME-Version: 1.0\r\nContent-Type: text/plain; charset='UTF-8'" + "\r\nContent-Transfer-Encoding: 7bit\r\nFrom: sender@example.com" + "\r\nTo: recipient@example.com\r\nSubject: Test Email", + ], + ) + def test_pkcs7_decrypt_der_text_handmade_header( + self, backend, certificate, private_key, header + ): + # Encryption of data with a custom header + base_data = "Hello world!\r\n" + data = f"{header}\r\n\r\n{base_data}".encode() + builder = ( + pkcs7.PKCS7EnvelopeBuilder() + .set_data(data) + .add_recipient(certificate) + ) + enveloped = builder.encrypt( + serialization.Encoding.DER, [pkcs7.PKCS7Options.Binary] + ) + + # Test decryption with text option + decrypted = pkcs7.pkcs7_decrypt_der( + enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] + ) + assert decrypted == base_data.encode() + + @pytest.mark.parametrize("options", [[], [pkcs7.PKCS7Options.Text]]) + def test_pkcs7_decrypt_pem( + self, backend, data, certificate, private_key, options + ): + # Encryption + builder = ( + pkcs7.PKCS7EnvelopeBuilder() + .set_data(data) + .add_recipient(certificate) + ) + enveloped = builder.encrypt(serialization.Encoding.PEM, options) + + # Test decryption: new lines are canonicalized to '\r\n' when + # encryption has no Binary option + decrypted = pkcs7.pkcs7_decrypt_pem( + enveloped, certificate, private_key, options + ) + assert decrypted == data.replace(b"\n", b"\r\n") + + def test_pkcs7_decrypt_pem_with_wrong_tag( + self, backend, data, certificate, private_key + ): + with pytest.raises(ValueError): + 
pkcs7.pkcs7_decrypt_pem( + certificate.public_bytes(serialization.Encoding.PEM), + certificate, + private_key, + [], + ) + + @pytest.mark.parametrize("options", [[], [pkcs7.PKCS7Options.Text]]) + def test_pkcs7_decrypt_smime( + self, backend, data, certificate, private_key, options + ): + # Encryption + builder = ( + pkcs7.PKCS7EnvelopeBuilder() + .set_data(data) + .add_recipient(certificate) + ) + enveloped = builder.encrypt(serialization.Encoding.SMIME, options) + + # Test decryption + decrypted = pkcs7.pkcs7_decrypt_smime( + enveloped, certificate, private_key, options + ) + assert decrypted == data.replace(b"\n", b"\r\n") + + def test_pkcs7_decrypt_no_encrypted_content( + self, backend, data, certificate, private_key + ): + enveloped = load_vectors_from_file( + os.path.join("pkcs7", "enveloped-no-content.der"), + loader=lambda pemfile: pemfile.read(), + mode="rb", + ) + + # Test decryption with text option + with pytest.raises(ValueError): + pkcs7.pkcs7_decrypt_der(enveloped, certificate, private_key, []) + + def test_pkcs7_decrypt_text_no_header( + self, backend, data, certificate, private_key + ): + # Encryption of data without a header (no "Text" option) + builder = ( + pkcs7.PKCS7EnvelopeBuilder() + .set_data(data) + .add_recipient(certificate) + ) + enveloped = builder.encrypt(serialization.Encoding.DER, []) + + # Test decryption with text option + with pytest.raises(ValueError): + pkcs7.pkcs7_decrypt_der( + enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] + ) + + def test_pkcs7_decrypt_text_html_content_type( + self, backend, certificate, private_key + ): + # Encryption of data with a text/html content type header + data = b"Content-Type: text/html\r\n\r\nHello world!
" + builder = ( + pkcs7.PKCS7EnvelopeBuilder() + .set_data(data) + .add_recipient(certificate) + ) + enveloped = builder.encrypt( + serialization.Encoding.DER, [pkcs7.PKCS7Options.Binary] + ) + + # Test decryption with text option + with pytest.raises(ValueError): + pkcs7.pkcs7_decrypt_der( + enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] + ) + + def test_smime_decrypt_no_recipient_match( + self, backend, data, certificate, rsa_key_2048: rsa.RSAPrivateKey + ): + # Encrypt some data with one RSA chain + builder = ( + pkcs7.PKCS7EnvelopeBuilder() + .set_data(data) + .add_recipient(certificate) + ) + enveloped = builder.encrypt(serialization.Encoding.DER, []) + + # Prepare another RSA chain + another_private_key = RSA_KEY_2048_ALT.private_key( + unsafe_skip_rsa_key_validation=True + ) + _, another_cert = _generate_ca_and_leaf( + rsa_key_2048, another_private_key + ) + + # Test decryption with another RSA chain + with pytest.raises(ValueError): + pkcs7.pkcs7_decrypt_der( + enveloped, another_cert, another_private_key, [] + ) + + def test_smime_decrypt_unsupported_key_encryption_algorithm( + self, backend, data, certificate, private_key + ): + enveloped = load_vectors_from_file( + os.path.join("pkcs7", "enveloped-rsa-oaep.pem"), + loader=lambda pemfile: pemfile.read(), + mode="rb", + ) + + with pytest.raises(exceptions.UnsupportedAlgorithm): + pkcs7.pkcs7_decrypt_pem(enveloped, certificate, private_key, []) + + def test_smime_decrypt_unsupported_content_encryption_algorithm( + self, backend, data, certificate, private_key + ): + enveloped = load_vectors_from_file( + os.path.join("pkcs7", "enveloped-aes-256-cbc.pem"), + loader=lambda pemfile: pemfile.read(), + mode="rb", + ) + + with pytest.raises(exceptions.UnsupportedAlgorithm): + pkcs7.pkcs7_decrypt_pem(enveloped, certificate, private_key, []) + + def test_smime_decrypt_not_enveloped( + self, backend, data, certificate, private_key + ): + # Create a signed email + cert, key = _load_cert_key() + options 
= [pkcs7.PKCS7Options.DetachedSignature] + builder = ( + pkcs7.PKCS7SignatureBuilder() + .set_data(data) + .add_signer(cert, key, hashes.SHA256()) + ) + signed = builder.sign(serialization.Encoding.DER, options) + + # Test decryption failure with signed email + with pytest.raises(ValueError): + pkcs7.pkcs7_decrypt_der(signed, certificate, private_key, []) + + def test_smime_decrypt_smime_not_encrypted( + self, backend, certificate, private_key + ): + # Create a plain email + email_message = EmailMessage() + email_message.set_content("Hello world!") + + # Test decryption failure with plain email + with pytest.raises(ValueError): + pkcs7.pkcs7_decrypt_smime( + email_message.as_bytes(), certificate, private_key, [] + ) + + @pytest.mark.supported( only_if=lambda backend: backend.pkcs7_supported(), skip_message="Requires OpenSSL with PKCS7 support", @@ -1168,3 +1455,15 @@ class TestPKCS7EnvelopeBuilderUnsupported: def test_envelope_builder_unsupported(self, backend): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_PADDING): pkcs7.PKCS7EnvelopeBuilder() + + +@pytest.mark.supported( + only_if=lambda backend: backend.pkcs7_supported() + and not backend.rsa_encryption_supported(padding.PKCS1v15()), + skip_message="Requires OpenSSL with no PKCS1 v1.5 padding support", +) +class TestPKCS7DecryptUnsupported: + def test_pkcs7_decrypt_unsupported(self, backend): + cert, key = _load_rsa_cert_key() + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_PADDING): + pkcs7.pkcs7_decrypt_der(b"", cert, key, []) 
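Review bot: `test_pkcs7_decrypt_invalid_options` cannot tell option rejection apart from a parse failure, because it passes the `data` fixture (`b"Hello world!\n"`) instead of an enveloped message. Malformed input is also expected to raise `ValueError` (see `test_smime_decrypt_not_enveloped`), so the test would presumably still pass if the options check were removed. Building a real envelope first, `enveloped = pkcs7.PKCS7EnvelopeBuilder().set_data(data).add_recipient(certificate).encrypt(serialization.Encoding.DER, [])`, and decrypting that with `invalid_options` pins the intended behaviour. A related gap is that `test_smime_decrypt_no_recipient_match` swaps certificate and key together, so no case covers a certificate that matches the recipient paired with a private key that does not. With RSA PKCS#1 v1.5 key transport it is worth pinning which exception that path raises.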
diff --git a/vectors/cryptography_vectors/pkcs7/enveloped-no-content.der b/vectors/cryptography_vectors/pkcs7/enveloped-no-content.der new file mode 100644 index 0000000000000000000000000000000000000000..3bdf58523f6c5c49020890bb9e442a2159fde417 GIT binary patch literal 653 zcmV;80&@K@f&z&K2`Yw2hW8Bt2Lqsj0(vll0(Jrc05O6BLok8@KLP;&Fefk?F&How z1_Mw;p&nWkhL&-usL_{!ErUg(tp!r6H&hY7g?K8jS*Czw)0kW2 zlZbE=PK#!A$I_Vs<;aanJf?U;)=$ zo-o}@P9|lU2M?Rt$j`0Sdar7BKh8pLVWRC+N|43cS1%3N*X0>DgA`+jjy;titpq-#3Brr|VAB$50|e6F#ETjP0lywD^xGTp(yTAh_))YLt5 zIR?~yPG^h?H&7YetA?AlTEYYaXQ`9fWlyJpceQSS_u;J@z7itPE$DyqKRQvue=5E_ zsh4^EYz4G%#C}*>czZximZoUn-iWm)BpawWd3@^RTxWEUb$s4kv4!TZFe(NKDuzgg n_YDCD0Wci~31Egu0c8UO0RjXNjS`x7K%Whh4LMvc(vhq)RN5sZ literal 0 HcmV?d00001 From c6104cc3669585941dc1d2b9c6507621c53d242f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 26 Nov 2024 11:23:15 -0500 Subject: [PATCH 1453/1462] Prohibit Python 3.9.0, 3.9.1 -- they have a bug that causes errors (#12045) --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 0ba039a129be..9a3d25dbee38 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -46,7 +46,7 @@ classifiers = [ "Programming Language :: Python :: Implementation :: PyPy", "Topic :: Security :: Cryptography", ] -requires-python = ">=3.7" +requires-python = ">=3.7,!=3.9.0,!=3.9.1" dependencies = [ # Must be kept in sync with `build-system.requires` "cffi>=1.12; platform_python_implementation != 'PyPy'", From e201c870b89fd2606d67230a97e50c3badb07907 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 26 Nov 2024 11:23:37 -0500 Subject: [PATCH 1454/1462] fixed metadata in changelog (#12044) --- CHANGELOG.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 809bfbe32d6a..13654c3960f5 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -27,9 +27,9 @@ Changelog when using OpenSSL 3.2.0+. * Added support for the :class:`~cryptography.x509.Admissions` certificate extension. * Added basic support for PKCS7 decryption (including S/MIME 3.2) via - :class:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der`, - :class:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem`, and - :class:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime`. + :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der`, + :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem`, and + :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime`. .. _v43-0-3: From f2259d7aa0d134c839ebe298baa8b63de9ead804 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 26 Nov 2024 16:25:55 -0800 Subject: [PATCH 1455/1462] Bump BoringSSL and/or OpenSSL in CI (#12046) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 53889641ed88..36bfa53c512a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 26, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "705a80f6955bf1fa63572dbc4e0729e698c1d9db"}} + # Latest commit on the BoringSSL master branch, as of Nov 27, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fcef13a49852397a0d39c00be8d7bc2ba1ab6fb9"}} # Latest commit on the OpenSSL master branch, as of Nov 26, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b9886a6f3483e0525596d3b3956416282038da82"}} # Builds with various Rust versions. Includes MSRV and next From 133c0e02edf2f172318eb27d8f50525ed64c9ec3 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 27 Nov 2024 00:37:34 +0000 Subject: [PATCH 1456/1462] Bump x509-limbo and/or wycheproof in CI (#12047) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index bff2a1781a89..b567db8a316a 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Nov 26, 2024. - ref: "a994fa8e3b661757b0b64ca23a07588c2a3d047b" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Nov 27, 2024. + ref: "793e65108940143e97abff5250aecd02f1d5316d" # x509-limbo-ref From d23968adddd79aa8508d7c1f985da09383b3808f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Nov 2024 08:46:07 -0500 Subject: [PATCH 1457/1462] chore(deps): bump libc from 0.2.165 to 0.2.166 (#12049) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.165 to 0.2.166. - [Release notes](https://github.com/rust-lang/libc/releases) - [Changelog](https://github.com/rust-lang/libc/blob/0.2.166/CHANGELOG.md) - [Commits](https://github.com/rust-lang/libc/compare/0.2.165...0.2.166) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 505ac2a51071..32aebbdfad24 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -168,9 +168,9 @@ checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674" [[package]] name = "libc" -version = "0.2.165" +version = "0.2.166" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fcb4d3d38eab6c5239a362fa8bae48c03baf980a6e7079f063942d563ef3533e" +checksum = "c2ccc108bbc0b1331bd061864e7cd823c0cab660bbe6970e66e2c0614decde36" [[package]] name = "memoffset" From 2c5ad4d8dcec1b8f833198bc2f3b4634c4fd9d78 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Nov 2024 08:46:40 -0500 Subject: [PATCH 1458/1462] chore(deps): bump maturin from 1.7.4 to 1.7.5 in /.github/requirements (#12050) Bumps [maturin](https://github.com/pyo3/maturin) from 1.7.4 to 1.7.5. - [Release notes](https://github.com/pyo3/maturin/releases) - [Changelog](https://github.com/PyO3/maturin/blob/main/Changelog.md) - [Commits](https://github.com/pyo3/maturin/compare/v1.7.4...v1.7.5) --- updated-dependencies: - dependency-name: maturin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 28 ++++++++++----------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 4845dd9d3a8a..875330958ca0 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt 
@@ -77,20 +77,20 @@ flit-core==3.10.1 \ --hash=sha256:66e5b87874a0d6e39691f0e22f09306736b633548670ad3c09ec9db03c5662f7 \ --hash=sha256:cb31a76e8b31ad3351bb89e531f64ef2b05d1e65bd939183250bf81ddf4922a8 # via -r build-requirements.in -maturin==1.7.4 \ - --hash=sha256:0182a9638399c8835afd39d2aeacf56908e37cba3f7abb15816b9df6774fab81 \ - --hash=sha256:23fae44e345a2da5cb391ae878726fb793394826e2f97febe41710bd4099460e \ - --hash=sha256:2b349d742a07527d236f0b4b6cab26f53ebecad0ceabfc09ec4c6a396e3176f9 \ - --hash=sha256:35487a424467d1fda4567cbb02d21f09febb10eda22f5fd647b130bc0767dc61 \ - --hash=sha256:41a29c5b23f3ebdfe7633637e3de256579a1b2700c04cd68c16ed46934440c5a \ - --hash=sha256:71f668f19e719048605dbca6a1f4d0dc03b987c922ad9c4bf5be03b9b278e4c3 \ - --hash=sha256:7ccb66d0c5297cf06652c5f72cb398f447d3a332eccf5d1e73b3fe14dbc9498c \ - --hash=sha256:8b441521c151f0dbe70ed06fb1feb29b855d787bda038ff4330ca962e5d56641 \ - --hash=sha256:c179fcb2b494f19186781b667320e43d95b3e71fcb1c98fffad9ef6bd6e276b3 \ - --hash=sha256:eb7b7753b733ae302c08f80bca7b0c3fda1eea665c2b1922c58795f35a54c833 \ - --hash=sha256:f3d38a6d0c7fd7b04bec30dd470b2173cf9bd184ab6220c1acaf49df6b48faf5 \ - --hash=sha256:f70c1c8ec9bd4749a53c0f3ae8fdbb326ce45be4f1c5551985ee25a6d7150328 \ - --hash=sha256:fd5b4b95286f2f376437340f8a4908f4761587212170263084455be8099099a7 +maturin==1.7.5 \ + --hash=sha256:0d2d04ab5f47c1bc2b075a5d8255d9a72921e8dceebf9f9e9884f09d67f7cdd6 \ + --hash=sha256:5563d61cfa2fcd7d1552022df6566300f229fa3aed62020c93a750fa3dca9a99 \ + --hash=sha256:71cbcfd4a74aac3eafe99a1cd73d83af8049f572986ff4e0e5e4d8fec9c66a93 \ + --hash=sha256:742cd76a50104fdd832b010a205199e9b02333879f750c0cfca6c93e9472623f \ + --hash=sha256:76a78284a96c24cd2d0ac3eac865315b4b0be7a443463fd5b3ebea3c6f147703 \ + --hash=sha256:9044e5e2eb68bbf8ad86c4ffeab365b78b54bf342ba346dc93775531d3a4e647 \ + --hash=sha256:c1002ca9a23c45123af752d353f6b221151a6eab2b5b65d57a79298b7d8ca6d4 \ + 
--hash=sha256:c38e585555be525ebc2602ea7189c7ef3e1c3001c94893e5bc71f934468ff124 \ + --hash=sha256:c441fe54945fe8077f17cb116834980391169cf712b63631d8380c8c3de781a1 \ + --hash=sha256:e31c4d25b56346c7872417d58cca81e52387a37469cdb79f7225bae9ad75daf9 \ + --hash=sha256:e773ade7a1383c24eaf6b665340a91278c80ab544c18687aa69e9661b289cf48 \ + --hash=sha256:f05ccbdfe96ad58d70dba9c3eed090726db8ccbaf07ec03852113ca2fec6d84b \ + --hash=sha256:f6c80fa7d67f58fd2cecbcdf309e2c3c5cd6f965216191de73af6cf947ef2ab8 # via -r build-requirements.in pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ From 439eb0594a9ffb7c9adedb2490998d83914d141e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 27 Nov 2024 12:27:28 -0500 Subject: [PATCH 1459/1462] Bump version for 44.0.0 (#12051) --- CHANGELOG.rst | 8 +++----- pyproject.toml | 4 ++-- src/cryptography/__about__.py | 2 +- vectors/cryptography_vectors/__about__.py | 2 +- vectors/pyproject.toml | 2 +- 5 files changed, 8 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 13654c3960f5..2cc482613bd8 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -3,16 +3,14 @@ Changelog .. _v44-0-0: -44.0.0 - `main`_ -~~~~~~~~~~~~~~~~ - -.. note:: This version is not yet released and is under active development. - +44.0.0 - 2024-11-27 +~~~~~~~~~~~~~~~~~~~ * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.9. * Deprecated Python 3.7 support. Python 3.7 is no longer supported by the Python core team. Support for Python 3.7 will be removed in a future ``cryptography`` release. +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.0. * macOS wheels are now built against the macOS 10.13 SDK. Users on older versions of macOS should upgrade, or they will need to build ``cryptography`` themselves. diff --git a/pyproject.toml b/pyproject.toml index 9a3d25dbee38..949d68423064 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -14,7 +14,7 @@ build-backend = "maturin" [project] name = "cryptography" -version = "44.0.0.dev1" +version = "44.0.0" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] @@ -65,7 +65,7 @@ ssh = ["bcrypt >=3.1.5"] # All the following are used for our own testing. nox = ["nox >=2024.04.15", "nox[uv] >=2024.03.02; python_version >= '3.8'"] test = [ - "cryptography_vectors", + "cryptography_vectors==44.0.0", "pytest >=7.4.0", "pytest-benchmark >=4.0", "pytest-cov >=2.10.1", diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index 1cd38fc44d53..99fc2d1593c4 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -10,7 +10,7 @@ "__version__", ] -__version__ = "44.0.0.dev1" +__version__ = "44.0.0" __author__ = "The Python Cryptographic Authority and individual contributors" diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py index 64b3ee956012..98114348efa6 100644 --- a/vectors/cryptography_vectors/__about__.py +++ b/vectors/cryptography_vectors/__about__.py @@ -6,4 +6,4 @@ "__version__", ] -__version__ = "44.0.0.dev1" +__version__ = "44.0.0" diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index d1b24e9c6535..7760ca6448da 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi" [project] name = "cryptography_vectors" -version = "44.0.0.dev1" +version = "44.0.0" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] From f299a48153650f2dd87716343f2daa7cd39a1f59 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 27 Nov 2024 09:50:10 -0800 Subject: [PATCH 1460/1462] remove deprecated call (#12052) --- src/rust/cryptography-cffi/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/rust/cryptography-cffi/src/lib.rs b/src/rust/cryptography-cffi/src/lib.rs index b927fae370ac..b834f2642473 100644 --- a/src/rust/cryptography-cffi/src/lib.rs +++ b/src/rust/cryptography-cffi/src/lib.rs @@ -20,7 +20,7 @@ pub fn create_module( let openssl_mod = unsafe { let res = Cryptography_make_openssl_module(); assert_eq!(res, 0); - pyo3::types::PyModule::import_bound(py, "_openssl")?.clone() + pyo3::types::PyModule::import(py, "_openssl")?.clone() }; #[cfg(not(python_implementation = "PyPy"))] // SAFETY: `PyInit__openssl` returns an owned reference. From ccc61dabe38b86956bf218565cd4e82b918345a1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 11 Feb 2025 00:09:49 -0500 Subject: [PATCH 1461/1462] [backport] test and build on armv7l (#12420) (#12431) * [backport] test and build on armv7l (#12420) * add explicit config to rtd (#12184) also update some versions we declare, why not * poetry 2.0 no longer has export, install it for certbot-josepy (#12241) * poetry 2.0 no longer has export, install it for certbot-josepy * Update .github/downstream.d/certbot-josepy.sh Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor * chore(deps): bump pyo3 from 0.23.3 to 0.23.4 (#12278) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.23.3 to 0.23.4. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/v0.23.4/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.23.3...v0.23.4) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * backport uv version bump --------- 
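Review bot: The `unsafe` block in `create_module` still wraps the `assert_eq!` and the `PyModule::import(py, "_openssl")` call, neither of which needs it, and it carries no `// SAFETY:` comment, unlike the `PyInit__openssl` branch below it. Narrowing it to `let res = unsafe { Cryptography_make_openssl_module() };` with a `// SAFETY:` line stating why the call is sound keeps the audited surface to the single FFI call. The trailing `.clone()` also looks redundant now, assuming `import` returns an owned `Bound<PyModule>`; worth confirming and dropping. `create_module` starts and ends outside the hunk.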
Signed-off-by: dependabot[bot] Co-authored-by: Paul Kehrer Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/downstream.d/certbot-josepy.sh | 1 + .github/workflows/ci.yml | 6 ++++-- .github/workflows/wheel-builder.yml | 18 ++++++++++++------ .readthedocs.yml | 7 ++++--- CHANGELOG.rst | 9 ++++++++- Cargo.lock | 20 ++++++++++---------- Cargo.toml | 2 +- ci-constraints-requirements.txt | 2 +- docs/installation.rst | 1 + 9 files changed, 42 insertions(+), 24 deletions(-) diff --git a/.github/downstream.d/certbot-josepy.sh b/.github/downstream.d/certbot-josepy.sh index c27568ffe4f1..f172dd0088a3 100755 --- a/.github/downstream.d/certbot-josepy.sh +++ b/.github/downstream.d/certbot-josepy.sh @@ -6,6 +6,7 @@ case "${1}" in cd josepy git rev-parse HEAD curl -sSL https://install.python-poetry.org | python3 - + "${HOME}/.local/bin/poetry" self add poetry-plugin-export "${HOME}/.local/bin/poetry" export -f constraints.txt --dev --without-hashes -o constraints.txt pip install -e . pytest -c constraints.txt ;; diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 36bfa53c512a..6bb21f168fa7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -171,8 +171,10 @@ jobs: - {IMAGE: "centos-stream9", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "centos-stream9-fips", NOXSESSION: "tests", RUNNER: "ubuntu-latest", FIPS: true} - - {IMAGE: "ubuntu-rolling:aarch64", NOXSESSION: "tests", RUNNER: [self-hosted, Linux, ARM64]} - - {IMAGE: "alpine:aarch64", NOXSESSION: "tests", RUNNER: [self-hosted, Linux, ARM64]} + - {IMAGE: "ubuntu-rolling:aarch64", NOXSESSION: "tests", RUNNER: "ubuntu-24.04-arm"} + - {IMAGE: "alpine:aarch64", NOXSESSION: "tests", RUNNER: "ubuntu-24.04-arm"} + + - {IMAGE: "ubuntu-rolling:armv7l", NOXSESSION: "tests", RUNNER: "ubuntu-24.04-arm"} timeout-minutes: 15 env: RUSTUP_HOME: /root/.rustup 
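Review bot: The added `"${HOME}/.local/bin/poetry" self add poetry-plugin-export` installs whichever plugin release is current when the job runs, so the downstream check executes code that can change between runs without a change in this repository. The `curl -sSL https://install.python-poetry.org | python3 -` line above it (unchanged context) has the same property. Pinning the plugin, e.g. `"${HOME}/.local/bin/poetry" self add "poetry-plugin-export==<PINNED_VERSION>"`, keeps the job reproducible and makes upgrades an explicit, reviewable change. The `case` arm continues outside the hunk.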
diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml
index 813a9c10e835..706a034cc627 100644
--- a/.github/workflows/wheel-builder.yml
+++ b/.github/workflows/wheel-builder.yml
@@ -74,22 +74,28 @@ jobs: - { NAME: "manylinux_2_34_x86_64", CONTAINER: "cryptography-manylinux_2_34:x86_64", RUNNER: "ubuntu-latest"} - { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - - { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64] } - - { NAME: "manylinux_2_28_aarch64", CONTAINER: "cryptography-manylinux_2_28:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - { NAME: "manylinux_2_34_aarch64", CONTAINER: "cryptography-manylinux_2_34:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} + - { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: "ubuntu-24.04-arm" } + - { NAME: "manylinux_2_28_aarch64", CONTAINER: "cryptography-manylinux_2_28:aarch64", RUNNER: "ubuntu-24.04-arm" } + - { NAME: "manylinux_2_34_aarch64", CONTAINER: "cryptography-manylinux_2_34:aarch64", RUNNER: "ubuntu-24.04-arm" } + - { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: "ubuntu-24.04-arm" } + + - { NAME: "manylinux_2_31_armv7l", CONTAINER: "cryptography-manylinux_2_31:armv7l", RUNNER: "ubuntu-24.04-arm" } exclude: # There are no readily available musllinux PyPy distributions - PYTHON: { VERSION: "pp310-pypy310_pp73" } MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} + MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: "ubuntu-24.04-arm"} # We also don't build pypy wheels for anything except the latest manylinux - PYTHON: { VERSION: "pp310-pypy310_pp73" } MANYLINUX: { NAME: 
"manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]} + MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: "ubuntu-24.04-arm" } + + # No PyPy on armv7l either + - PYTHON: { VERSION: "pp310-pypy310_pp73" } + MANYLINUX: { NAME: "manylinux_2_31_armv7l", CONTAINER: "cryptography-manylinux_2_31:armv7l", RUNNER: "ubuntu-24.04-arm" } name: "${{ matrix.PYTHON.VERSION }} for ${{ matrix.MANYLINUX.NAME }}" steps: - name: Ridiculous-er workaround for static node20 diff --git a/.readthedocs.yml b/.readthedocs.yml index 7ef04db29181..f97891f9c3c9 100644 --- a/.readthedocs.yml +++ b/.readthedocs.yml @@ -6,15 +6,16 @@ sphinx: # The config file overrides the UI settings: # https://github.com/pyca/cryptography/issues/5863#issuecomment-817828152 builder: dirhtml + configuration: docs/conf.py formats: - pdf build: - os: "ubuntu-22.04" + os: "ubuntu-24.04" tools: - python: "3.11" - rust: "1.70" + python: "3.13" + rust: "latest" python: install: diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 2cc482613bd8..984df9176195 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,13 @@ Changelog ========= +.. _v44-0-1: + +44.0.1 - 2025-02-11 +~~~~~~~~~~~~~~~~~~~ + +* We now build ``armv7l`` ``manylinux`` wheels and publish them to PyPI. + .. _v44-0-0: 44.0.0 - 2024-11-27 
@@ -25,7 +32,7 @@ Changelog when using OpenSSL 3.2.0+. * Added support for the :class:`~cryptography.x509.Admissions` certificate extension. * Added basic support for PKCS7 decryption (including S/MIME 3.2) via - :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der`, + :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der`, :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem`, and :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime`. diff --git a/Cargo.lock b/Cargo.lock index 32aebbdfad24..b9a109617b13 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -257,9 +257,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.23.2" +version = "0.23.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f54b3d09cbdd1f8c20650b28e7b09e338881482f4aa908a5f61a00c98fba2690" +checksum = "57fe09249128b3173d092de9523eaa75136bf7ba85e0d69eca241c7939c933cc" dependencies = [ "cfg-if", "indoc", @@ -275,9 +275,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.23.2" +version = "0.23.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3015cf985888fe66cfb63ce0e321c603706cd541b7aec7ddd35c281390af45d8" +checksum = "1cd3927b5a78757a0d71aa9dff669f903b1eb64b54142a9bd9f757f8fde65fd7" dependencies = [ "once_cell", "target-lexicon", @@ -285,9 +285,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.23.2" +version = "0.23.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6fca7cd8fd809b5ac4eefb89c1f98f7a7651d3739dfb341ca6980090f554c270" +checksum = "dab6bb2102bd8f991e7749f130a70d05dd557613e39ed2deeee8e9ca0c4d548d" dependencies = [ "libc", "pyo3-build-config", 
@@ -295,9 +295,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.23.2" +version = "0.23.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34e657fa5379a79151b6ff5328d9216a84f55dc93b17b08e7c3609a969b73aa0" +checksum = "91871864b353fd5ffcb3f91f2f703a22a9797c91b9ab497b1acac7b07ae509c7" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -307,9 +307,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.23.2" +version = "0.23.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "295548d5ffd95fd1981d2d3cf4458831b21d60af046b729b6fd143b0ba7aee2f" +checksum = "43abc3b80bc20f3facd86cd3c60beed58c3e2aa26213f3cda368de39c60a27e4" dependencies = [ "heck", "proc-macro2", diff --git a/Cargo.toml b/Cargo.toml index 26ecfa4ed6c4..8bae3163d938 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -20,7 +20,7 @@ rust-version = "1.65.0" [workspace.dependencies] asn1 = { version = "0.20.0", default-features = false } -pyo3 = { version = "0.23.2", features = ["abi3"] } +pyo3 = { version = "0.23.4", features = ["abi3"] } [profile.release] overflow-checks = true diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3331ce04c01c..d67c26b2e87b 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -292,7 +292,7 @@ urllib3==2.0.7 ; python_full_version < '3.8' # via requests urllib3==2.2.3 ; python_full_version >= '3.8' # via requests -uv==0.5.4 ; python_full_version >= '3.8' +uv==0.5.29 ; python_full_version >= '3.8' # via nox virtualenv==20.26.6 ; python_full_version < '3.8' # via nox diff --git a/docs/installation.rst b/docs/installation.rst index 8e5af7dd54c3..5835d8dbd64c 100644 --- a/docs/installation.rst +++ b/docs/installation.rst 
@@ -22,6 +22,7 @@ operating systems. * x86-64 macOS 13 Ventura and ARM64 macOS 14 Sonoma * x86-64 Ubuntu 20.04, 22.04, 24.04, rolling * ARM64 Ubuntu rolling +* ARMv7l Ubuntu rolling * x86-64 Debian Bullseye (11.x), Bookworm (12.x), Trixie (13.x), and Sid (unstable) * x86-64 and ARM64 Alpine (latest) From adaaaed77db676bbaa9d171175db81dce056e2a7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 11 Feb 2025 10:36:49 -0500 Subject: [PATCH 1462/1462] Bump for 44.0.1 release (#12441) * Bump for 44.0.1 release * chore(deps): bump actions/cache from 4.1.2 to 4.2.0 (#12112) Bumps [actions/cache](https://github.com/actions/cache) from 4.1.2 to 4.2.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/6849a6489940f00c2f30c0fb92c6274307ccb58a...1bd1e32a3bdc45362d1e726936510720a7c30a57) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * changelog --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- CHANGELOG.rst | 2 ++ pyproject.toml | 4 ++-- src/cryptography/__about__.py | 2 +- vectors/cryptography_vectors/__about__.py | 2 +- vectors/pyproject.toml | 2 +- 6 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6bb21f168fa7..f7bda38773f9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -98,7 +98,7 @@ jobs: CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }} if: matrix.PYTHON.OPENSSL - name: Load OpenSSL cache - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 id: ossl-cache timeout-minutes: 2 with: diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 984df9176195..a1ffe6e8a7f7 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -6,7 +6,9 @@ Changelog 44.0.1 - 2025-02-11 ~~~~~~~~~~~~~~~~~~~ +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.1. * We now build ``armv7l`` ``manylinux`` wheels and publish them to PyPI. +* We now build ``manylinux_2_34`` wheels and publish them to PyPI. .. _v44-0-0: diff --git a/pyproject.toml b/pyproject.toml index 949d68423064..759ceba86b8c 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -14,7 +14,7 @@ build-backend = "maturin" [project] name = "cryptography" -version = "44.0.0" +version = "44.0.1" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] @@ -65,7 +65,7 @@ ssh = ["bcrypt >=3.1.5"] # All the following are used for our own testing. nox = ["nox >=2024.04.15", "nox[uv] >=2024.03.02; python_version >= '3.8'"] test = [ - "cryptography_vectors==44.0.0", + "cryptography_vectors==44.0.1", "pytest >=7.4.0", "pytest-benchmark >=4.0", "pytest-cov >=2.10.1", diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index 99fc2d1593c4..d1ca20a6073b 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -10,7 +10,7 @@ "__version__", ] -__version__ = "44.0.0" +__version__ = "44.0.1" __author__ = "The Python Cryptographic Authority and individual contributors" diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py index 98114348efa6..44a2c76a2caf 100644 --- a/vectors/cryptography_vectors/__about__.py 
+++ b/vectors/cryptography_vectors/__about__.py @@ -6,4 +6,4 @@ "__version__", ] -__version__ = "44.0.0" +__version__ = "44.0.1" diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index 7760ca6448da..4d9c48e8713c 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi" [project] name = "cryptography_vectors" -version = "44.0.0" +version = "44.0.1" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ]