Commit 214ab8fa authored by Tristan Seligmann's avatar Tristan Seligmann

Import python-cryptography_2.1.3.orig.tar.gz

parent 84a8cc88
This diff is collapsed.
Metadata-Version: 1.1
Name: cryptography
Version: 2.0.3
Version: 2.1.3
Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Home-page: https://github.com/pyca/cryptography
Author: The cryptography developers
Author-email: cryptography-dev@python.org
License: BSD or Apache License, Version 2.0
Description-Content-Type: UNKNOWN
Description: pyca/cryptography
=================
......
......@@ -59,3 +59,7 @@ def setup(app):
latex=(latex_visit_hazmat_node, depart_hazmat_node),
)
app.add_directive("hazmat", HazmatDirective)
return {
"parallel_read_safe": True,
}
......@@ -36,6 +36,7 @@ Asymmetric ciphers
* `asymmetric/public/PKCS1/dsa.pub.pem`_ is a PKCS1 DSA public key from the
Ruby test suite.
* X25519 test vectors from :rfc:`7748`.
* RSA OAEP with custom label from the `BoringSSL evp tests`_.
Custom asymmetric vectors
......@@ -163,6 +164,16 @@ X.509
* ``bigoid.pem`` - A certificate with a rather long OID in the
Certificate Policies extension. We need to make sure we can parse
long OIDs.
* ``wosign-bc-invalid.pem`` - A certificate issued by WoSign that contains
a basic constraints extension with CA set to false and a path length of zero
in violation of :rfc:`5280`.
* ``tls-feature-ocsp-staple.pem`` - A certificate issued by Let's Encrypt that
contains a TLS Feature extension with the ``status_request`` feature
(commonly known as OCSP Must-Staple).
* ``unique-identifier.pem`` - A certificate containing
a distinguished name with an ``x500UniqueIdentifier``.
* ``utf8-dnsname.pem`` - A certificate containing non-ASCII characters in the
DNS name entries of the SAN extension.
Custom X.509 Vectors
~~~~~~~~~~~~~~~~~~~~
......@@ -315,6 +326,8 @@ Custom X.509 Vectors
is an unknown OID (``1.3.6.1.4.1.8432.1.1.2``).
* ``policy_constraints_explicit.pem`` - A self-signed certificate containing
a ``policyConstraints`` extension with a ``requireExplicitPolicy`` value.
* ``freshestcrl.pem`` - A self-signed certificate containing a ``freshestCRL``
extension.
Custom X.509 Request Vectors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
......@@ -369,6 +382,18 @@ Custom X.509 Certificate Revocation List Vectors
* ``crl_ian_aia_aki.pem`` - Contains a CRL with ``IssuerAlternativeName``,
``AuthorityInformationAccess``, ``AuthorityKeyIdentifier`` and ``CRLNumber``
extensions.
* ``valid_signature.pem`` - Contains a CRL with the public key which was used
to generate it.
* ``invalid_signature.pem`` - Contains a CRL with the last signature byte
incremented by 1 to produce an invalid signature, and the public key which
was used to generate it.
* ``crl_delta_crl_indicator.pem`` - Contains a CRL with the
``DeltaCRLIndicator`` extension.
Custom X.509 OCSP Test Vectors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ``x509/ocsp/req-sha1.der`` - An OCSP request containing a single request and
using SHA1 as the hash algorithm.
Hashes
~~~~~~
......@@ -423,6 +448,7 @@ Symmetric ciphers
* CAST5 (ECB) from :rfc:`2144`.
* CAST5 (CBC, CFB, OFB) generated by this project.
See: :doc:`/development/custom-vectors/cast5`
* ChaCha20 from :rfc:`7539`.
* ChaCha20Poly1305 from :rfc:`7539`, `OpenSSL's evpciph.txt`_, and the
`BoringSSL ChaCha20Poly1305 tests`_.
* IDEA (ECB) from the `NESSIE IDEA vectors`_ created by `NESSIE`_.
......@@ -477,13 +503,14 @@ header format (substituting the correct information):
.. _`NIST`: https://www.nist.gov/
.. _`IETF`: https://www.ietf.org/
.. _`NIST CAVP`: http://csrc.nist.gov/groups/STM/cavp/
.. _`NIST CAVP`: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program
.. _`Bruce Schneier's vectors`: https://www.schneier.com/code/vectors.txt
.. _`Camellia page`: https://info.isl.ntt.co.jp/crypt/eng/camellia/
.. _`CRYPTREC`: https://www.cryptrec.go.jp
.. _`OpenSSL's test vectors`: https://github.com/openssl/openssl/blob/97cf1f6c2854a3a955fd7dd3a1f113deba00c9ef/crypto/evp/evptests.txt#L232
.. _`OpenSSL's evpciph.txt`: https://github.com/openssl/openssl/blob/5a7bc0be97dee9ac715897fe8180a08e211bc6ea/test/evpciph.txt#L2362
.. _`BoringSSL ChaCha20Poly1305 tests`: https://boringssl.googlesource.com/boringssl/+/2e2a226ac9201ac411a84b5e79ac3a7333d8e1c9/crypto/cipher_extra/test/chacha20_poly1305_tests.txt
.. _`BoringSSL evp tests`: https://boringssl.googlesource.com/boringssl/+/ce3773f9fe25c3b54390bc51d72572f251c7d7e6/crypto/evp/evp_tests.txt
.. _`RIPEMD website`: https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
.. _`Whirlpool website`: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
.. _`draft RFC`: https://tools.ietf.org/html/draft-josefsson-scrypt-kdf-01
......@@ -500,8 +527,8 @@ header format (substituting the correct information):
.. _`NESSIE IDEA vectors`: https://www.cosic.esat.kuleuven.be/nessie/testvectors/bc/idea/Idea-128-64.verified.test-vectors
.. _`NESSIE`: https://en.wikipedia.org/wiki/NESSIE
.. _`Ed25519 website`: https://ed25519.cr.yp.to/software.html
.. _`NIST SP-800-38B`: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
.. _`NIST PKI Testing`: http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html
.. _`NIST SP-800-38B`: https://csrc.nist.gov/publications/detail/sp/800-38b/archive/2005-05-01
.. _`NIST PKI Testing`: https://csrc.nist.gov/Projects/PKI-Testing
.. _`testx509.pem`: https://github.com/openssl/openssl/blob/master/test/testx509.pem
.. _`DigiCert Global Root G3`: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt
.. _`root data`: https://hg.mozilla.org/projects/nss/file/25b2922cc564/security/nss/lib/ckfw/builtins/certdata.txt#l2053
......
[parsers]
smart_quotes: no
......@@ -79,7 +79,7 @@ Post-release tasks
------------------
* Update the version number to the next major (e.g. ``0.5.dev1``) in
``cryptography/__about__.py`` and
``src/cryptography/__about__.py`` and
``vectors/cryptography_vectors/__about__.py``.
* Close the `milestone`_ for the previous release on GitHub.
* Add new :doc:`/changelog` entry with next version and note that it is under
......
......@@ -75,6 +75,15 @@ Installing ``cryptography`` fails with ``ImportError: No module named setuptools
Your ``cffi`` package is out of date. ``pip install -U cffi`` to update it.
error: ``-Werror=sign-conversion``: No option ``-Wsign-conversion`` during installation
---------------------------------------------------------------------------------------
The compiler you are using is too old and not supported by ``cryptography``.
Please upgrade to a more recent version. If you are running OpenBSD 6.1 or
earlier the default compiler is extremely old. Use ``pkg_add`` to install a
newer ``gcc`` and then install ``cryptography`` using
``CC=/path/to/newer/gcc pip install cryptography``.
Installing cryptography with OpenSSL 0.9.8 or 1.0.0 fails
---------------------------------------------------------
......
......@@ -79,5 +79,25 @@ Glossary
but does not allow access to the key itself. Typically an opaque key is
loaded from a `hardware security module`_ (HSM).
A-label
The ASCII compatible encoded (ACE) representation of an
internationalized (unicode) domain name. A-labels begin with the
prefix ``xn--``. To create an A-label from a unicode domain string use
a library like `idna`_.
bits
A bit is binary value -- a value that has only two possible states.
Typically binary values are represented visually as 0 or 1, but
remember that their actual value is not a printable character. A byte
on modern computers is 8 bits and represents 256 possible values. In
cryptographic applications when you see something say it requires a 128
bit key, you can calculate the number of bytes by dividing by 8. 128
divided by 8 is 16, so a 128 bit key is a 16 byte key.
U-label
The presentational unicode form of an internationalized domain
name. U-labels use unicode characters outside the ASCII range and
are encoded as A-labels when stored in certificates.
.. _`hardware security module`: https://en.wikipedia.org/wiki/Hardware_security_module
.. _`idna`: https://pypi.org/project/idna/
......@@ -266,7 +266,7 @@ A specific ``backend`` may provide one or more of these interfaces.
.. method:: load_rsa_public_numbers(numbers)
:param numbers: An instance of
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers`.
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicNumbers`.
:returns: An instance of
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`.
......
......@@ -122,7 +122,7 @@ also support providing integrity for associated data which is not encrypted.
passed directly to the ``decrypt`` method.
:param bytes nonce: NIST `recommends a 96-bit IV length`_ for best
performance but it can be up to 2\ :sup:`64` - 1 bits.
performance but it can be up to 2\ :sup:`64` - 1 :term:`bits`.
**NEVER REUSE A NONCE** with a key.
:param bytes data: The data to encrypt.
:param bytes associated_data: Additional data that should be
......@@ -136,7 +136,7 @@ also support providing integrity for associated data which is not encrypted.
``associated_data`` in decrypt or the integrity check will fail.
:param bytes nonce: NIST `recommends a 96-bit IV length`_ for best
performance but it can be up to 2\ :sup:`64` - 1 bits.
performance but it can be up to 2\ :sup:`64` - 1 :term:`bits`.
**NEVER REUSE A NONCE** with a key.
:param bytes data: The data to decrypt (with tag appended).
:param bytes associated_data: Additional data to authenticate. Can be
......@@ -231,4 +231,4 @@ also support providing integrity for associated data which is not encrypted.
when the ciphertext has been changed, but will also occur when the
key, nonce, or associated data are wrong.
.. _`recommends a 96-bit IV length`: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
.. _`recommends a 96-bit IV length`: https://csrc.nist.gov/publications/detail/sp/800-38d/final
......@@ -17,8 +17,8 @@ Generation
Generate a DSA private key from the given key size. This function will
generate a new set of parameters and key in one step.
:param int key_size: The length of the modulus in bits. It should be
either 1024, 2048 or 3072. For keys generated in 2015 this should
:param int key_size: The length of the modulus in :term:`bits`. It should
be either 1024, 2048 or 3072. For keys generated in 2015 this should
be `at least 2048`_ (See page 41). Note that some applications
(such as SSH) have not yet gained support for larger key sizes
specified in FIPS 186-3 and are still restricted to only the
......@@ -443,5 +443,5 @@ Key interfaces
.. _`DSA`: https://en.wikipedia.org/wiki/Digital_Signature_Algorithm
.. _`public-key`: https://en.wikipedia.org/wiki/Public-key_cryptography
.. _`FIPS 186-4`: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
.. _`FIPS 186-4`: https://csrc.nist.gov/publications/detail/fips/186/4/final
.. _`at least 2048`: http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf
......@@ -268,7 +268,7 @@ is faster than diffie-hellman`_.
.. note::
Curves with a size of `less than 224 bits`_ should not be used. You should
strongly consider using curves of at least 224 bits.
strongly consider using curves of at least 224 :term:`bits`.
Generally the NIST prime field ("P") curves are significantly faster than the
other types suggested by NIST at both signing and verifying with ECDSA.
......@@ -415,8 +415,8 @@ Key Interfaces
:type: int
Size (in bits) of a secret scalar for the curve (as generated by
:func:`generate_private_key`).
Size (in :term:`bits`) of a secret scalar for the curve (as generated
by :func:`generate_private_key`).
.. class:: EllipticCurveSignatureAlgorithm
......@@ -490,8 +490,8 @@ Key Interfaces
:type: int
Size (in bits) of a secret scalar for the curve (as generated by
:func:`generate_private_key`).
Size (in :term:`bits`) of a secret scalar for the curve (as generated
by :func:`generate_private_key`).
.. class:: EllipticCurvePrivateKeyWithSerialization
......@@ -593,8 +593,8 @@ Key Interfaces
:type: int
Size (in bits) of a secret scalar for the curve (as generated by
:func:`generate_private_key`).
Size (in :term:`bits`) of a secret scalar for the curve (as generated
by :func:`generate_private_key`).
.. class:: EllipticCurvePublicKeyWithSerialization
......@@ -669,10 +669,10 @@ in PEM format.
... )
.. _`FIPS 186-3`: http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
.. _`FIPS 186-4`: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
.. _`800-56A`: http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf
.. _`800-56Ar2`: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf
.. _`FIPS 186-3`: https://csrc.nist.gov/csrc/media/publications/fips/186/3/archive/2009-06-25/documents/fips_186-3.pdf
.. _`FIPS 186-4`: https://csrc.nist.gov/publications/detail/fips/186/4/final
.. _`800-56A`: https://csrc.nist.gov/publications/detail/sp/800-56a/revised/archive/2007-03-14
.. _`800-56Ar2`: https://csrc.nist.gov/publications/detail/sp/800-56a/rev-2/final
.. _`some concern`: https://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters
.. _`less than 224 bits`: http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf
.. _`elliptic curve diffie-hellman is faster than diffie-hellman`: http://digitalcommons.unl.edu/cgi/viewcontent.cgi?article=1100&context=cseconfwork
......
......@@ -19,9 +19,9 @@ mathematical properties`_.
.. versionadded:: 0.5
Generates a new RSA private key using the provided ``backend``.
``key_size`` describes how many bits long the key should be, larger keys
provide more security, currently ``1024`` and below are considered
breakable, and ``2048`` or ``4096`` are reasonable default key sizes for
``key_size`` describes how many :term:`bits` long the key should be. Larger
keys provide more security; currently ``1024`` and below are considered
breakable while ``2048`` or ``4096`` are reasonable default key sizes for
new keys. The ``public_exponent`` indicates what one mathematical property
of the key generation will be. Unless you have a specific reason to do
otherwise, you should always `use 65537`_.
......@@ -40,7 +40,7 @@ mathematical properties`_.
Usually one of the small Fermat primes 3, 5, 17, 257, 65537. If in
doubt you should `use 65537`_.
:param int key_size: The length of the modulus in bits. For keys
:param int key_size: The length of the modulus in :term:`bits`. For keys
generated in 2015 it is strongly recommended to be
`at least 2048`_ (See page 41). It must not be less than 512.
Some backends may have additional limitations.
......@@ -702,7 +702,7 @@ Key interfaces
:param algorithm: An instance of
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` or
:class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed`
if the ``data`` you want to sign has already been hashed.
if the ``data`` you want to verify has already been hashed.
:raises cryptography.exceptions.InvalidSignature: If the signature does
not validate.
......
......@@ -897,9 +897,9 @@ Interface
.. [#nist] See `NIST SP 800-132`_.
.. _`NIST SP 800-132`: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf
.. _`NIST SP 800-108`: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-108.pdf
.. _`NIST SP 800-56Ar2`: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf
.. _`NIST SP 800-132`: https://csrc.nist.gov/publications/detail/sp/800-132/final
.. _`NIST SP 800-108`: https://csrc.nist.gov/publications/detail/sp/800-108/final
.. _`NIST SP 800-56Ar2`: https://csrc.nist.gov/publications/detail/sp/800-56a/rev-2/final
.. _`ANSI X9.63:2001`: https://webstore.ansi.org
.. _`SEC 1 v2.0`: http://www.secg.org/sec1-v2.pdf
.. _`Password Storage Cheat Sheet`: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
......
......@@ -36,8 +36,8 @@ multiple of the block size.
>>> data + unpadder.finalize()
'11111111111111112222222222'
:param block_size: The size of the block in bits that the data is being
padded to.
:param block_size: The size of the block in :term:`bits` that the data is
being padded to.
:raises ValueError: Raised if block size is not a multiple of 8 or is not
between 0 and 2040 inclusive.
......@@ -79,8 +79,8 @@ multiple of the block size.
>>> data + unpadder.finalize()
'11111111111111112222222222'
:param block_size: The size of the block in bits that the data is being
padded to.
:param block_size: The size of the block in :term:`bits` that the data is
being padded to.
:raises ValueError: Raised if block size is not a multiple of 8 or is not
between 0 and 2040 inclusive.
......
......@@ -24,8 +24,9 @@ codes (HMAC).
HOTP objects take a ``key``, ``length`` and ``algorithm`` parameter. The
``key`` should be :doc:`randomly generated bytes </random-numbers>` and is
recommended to be 160 bits in length. The ``length`` parameter controls the
length of the generated one time password and must be >= 6 and <= 8.
recommended to be 160 :term:`bits` in length. The ``length`` parameter
controls the length of the generated one time password and must be >= 6
and <= 8.
This is an implementation of :rfc:`4226`.
......@@ -41,8 +42,8 @@ codes (HMAC).
>>> hotp.verify(hotp_value, 0)
:param bytes key: Per-user secret key. This value must be kept secret
and be at least 128 bits. It is recommended that the
key be 160 bits.
and be at least 128 :term:`bits`. It is recommended that
the key be 160 bits.
:param int length: Length of generated one time password as ``int``.
:param cryptography.hazmat.primitives.hashes.HashAlgorithm algorithm: A
:class:`~cryptography.hazmat.primitives.hashes`
......@@ -51,17 +52,17 @@ codes (HMAC).
:class:`~cryptography.hazmat.backends.interfaces.HMACBackend`
instance.
:param enforce_key_length: A boolean flag defaulting to True that toggles
whether a minimum key length of 128 bits is enforced. This exists to
work around the fact that as documented in `Issue #2915`_, the
Google Authenticator PAM module by default generates 80 bit keys. If
this flag is set to False, the application develop should implement
whether a minimum key length of 128 :term:`bits` is enforced. This
exists to work around the fact that as documented in `Issue #2915`_,
the Google Authenticator PAM module by default generates 80 bit keys.
If this flag is set to False, the application develop should implement
additional checks of the key length before passing it into
:class:`~cryptography.hazmat.primitives.twofactor.hotp.HOTP`.
.. versionadded:: 1.5
:raises ValueError: This is raised if the provided ``key`` is shorter than
128 bits or if the ``length`` parameter is not 6, 7 or 8.
128 :term:`bits` or if the ``length`` parameter is not 6, 7 or 8.
:raises TypeError: This is raised if the provided ``algorithm`` is not
:class:`~cryptography.hazmat.primitives.hashes.SHA1()`,
:class:`~cryptography.hazmat.primitives.hashes.SHA256()` or
......@@ -163,7 +164,7 @@ similar to the following code.
>>> totp.verify(totp_value, time_value)
:param bytes key: Per-user secret key. This value must be kept secret
and be at least 128 bits. It is recommended that the
and be at least 128 :term:`bits`. It is recommended that the
key be 160 bits.
:param int length: Length of generated one time password as ``int``.
:param cryptography.hazmat.primitives.hashes.HashAlgorithm algorithm: A
......@@ -174,7 +175,7 @@ similar to the following code.
:class:`~cryptography.hazmat.backends.interfaces.HMACBackend`
instance.
:param enforce_key_length: A boolean flag defaulting to True that toggles
whether a minimum key length of 128 bits is enforced. This exists to
whether a minimum key length of 128 :term:`bits` is enforced. This exists to
work around the fact that as documented in `Issue #2915`_, the
Google Authenticator PAM module by default generates 80 bit keys. If
this flag is set to False, the application develop should implement
......@@ -183,7 +184,7 @@ similar to the following code.
.. versionadded:: 1.5
:raises ValueError: This is raised if the provided ``key`` is shorter than
128 bits or if the ``length`` parameter is not 6, 7 or 8.
128 :term:`bits` or if the ``length`` parameter is not 6, 7 or 8.
:raises TypeError: This is raised if the provided ``algorithm`` is not
:class:`~cryptography.hazmat.primitives.hashes.SHA1()`,
:class:`~cryptography.hazmat.primitives.hashes.SHA256()` or
......
......@@ -15,15 +15,15 @@ PyPy 5.3+ on these operating systems.
* x86-64 CentOS 7.x
* x86-64 FreeBSD 11
* macOS 10.12 Sierra, 10.11 El Capitan, 10.10 Yosemite, 10.9 Mavericks
* macOS 10.12 Sierra, 10.11 El Capitan
* x86-64 Ubuntu 14.04, 16.04, and rolling
* x86-64 Debian Wheezy (7.x), Jessie (8.x), Stretch (9.x), and Sid (unstable)
* x86-64 Alpine (latest)
* 32-bit and 64-bit Python on 64-bit Windows Server 2012
.. warning::
Python 2.6 is no longer supported by the Python core team. A future version
of cryptography will drop support for this version.
Python 2.6 is no longer supported by the Python core team. The next release
of ``cryptography`` will drop support for Python 2.6.
We test compiling with ``clang`` as well as ``gcc`` and use the following
OpenSSL releases:
......
......@@ -5,6 +5,14 @@ We take the security of ``cryptography`` seriously. The following are a set of
policies we have adopted to ensure that security issues are addressed in a
timely fashion.
Infrastructure
--------------
In addition to ``cryptography``'s code, we're also concerned with the security
of the infrastructure we run (primarily ``cryptography.io`` and
``ci.cryptography.io``). If you discover a security vulnerability in our
infrastructure, we ask you to report it using the same procedure.
What is a security issue?
-------------------------
......@@ -63,10 +71,10 @@ as well as the most recent release.
New releases for OpenSSL updates
--------------------------------
As of version 0.5, ``cryptography`` statically links OpenSSL on Windows, and as
of version 1.0.1 on macOS, to ease installation. Due to this, ``cryptography``
will release a new version whenever OpenSSL has a security or bug fix release to
avoid shipping insecure software.
As of versions 0.5, 1.0.1, and 2.0.0, ``cryptography`` statically links OpenSSL
on Windows, macOS, and Linux respectively, to ease installation. Due to this,
``cryptography`` will release a new version whenever OpenSSL has a security or
bug fix release to avoid shipping insecure software.
Like all our other releases, this will be announced on the mailing list and we
strongly recommend that you upgrade as soon as possible.
......
accessor
affine
Authenticator
backend
......@@ -10,6 +11,7 @@ Botan
Capitan
Changelog
ciphertext
codebook
committer
committers
conda
......@@ -22,6 +24,7 @@ decrypt
Decrypts
decrypted
decrypting
deprecations
DER
deserialize
deserialized
......@@ -43,6 +46,7 @@ Google
hazmat
Homebrew
hostname
idna
indistinguishability
initialisms
interoperable
......@@ -71,6 +75,7 @@ plaintext
pre
preprocessor
preprocessors
presentational
pseudorandom
pyOpenSSL
relicensed
......@@ -95,4 +100,6 @@ verifier
Verifier
Verisign
wildcard
WoSign
Xcode
XEX
......@@ -563,6 +563,18 @@ X.509 CRL (Certificate Revocation List) Object
over the network and used as part of a certificate verification
process.
.. method:: is_signature_valid(public_key)
.. versionadded:: 2.1
.. warning::
Checking the validity of the signature on the CRL is insufficient
to know if the CRL should be trusted. More details are available
in :rfc:`5280`.
Returns True if the CRL signature is correct for given public key,
False otherwise.
X.509 Certificate Builder
~~~~~~~~~~~~~~~~~~~~~~~~~
......@@ -1230,8 +1242,24 @@ General Name Classes
.. versionadded:: 0.9
.. versionchanged:: 2.1
.. warning::
Starting with version 2.1 :term:`U-label` input is deprecated. If
passing an internationalized domain name (IDN) you should first IDNA
encode the value and then pass the result as a string. Accessing
``value`` will return the :term:`A-label` encoded form even if you pass
a U-label. This breaks backwards compatibility, but only for
internationalized domain names.
This corresponds to an email address. For example, ``user@example.com``.
:param value: The email address. If the address contains an
internationalized domain name then it must be encoded to an
:term:`A-label` string before being passed.
.. attribute:: value
:type: :term:`text`
......@@ -1240,8 +1268,25 @@ General Name Classes
.. versionadded:: 0.9
.. versionchanged:: 2.1
.. warning::
Starting with version 2.1 :term:`U-label` input is deprecated. If
passing an internationalized domain name (IDN) you should first IDNA
encode the value and then pass the result as a string. Accessing
``value`` will return the :term:`A-label` encoded form even if you pass
a U-label. This breaks backwards compatibility, but only for
internationalized domain names.
This corresponds to a domain name. For example, ``cryptography.io``.
:param value: The domain name. If it is an internationalized domain
name then it must be encoded to an :term:`A-label` string before being
passed.
:type: :term:`text`
.. attribute:: value
:type: :term:`text`
......@@ -1260,13 +1305,23 @@ General Name Classes
.. versionadded:: 0.9
This corresponds to a uniform resource identifier. For example,
``https://cryptography.io``. The URI is parsed and IDNA decoded (see
:rfc:`5895`).
.. versionchanged:: 2.1
.. warning::
Starting with version 2.1 :term:`U-label` input is deprecated. If
passing an internationalized domain name (IDN) you should first IDNA
encode the value and then pass the result as a string. Accessing
``value`` will return the :term:`A-label` encoded form even if you pass
a U-label. This breaks backwards compatibility, but only for
internationalized domain names.
.. note::
This corresponds to a uniform resource identifier. For example,
``https://cryptography.io``.
URIs that do not contain ``://`` in them will not be decoded.
:param value: The URI. If it contains an internationalized domain
name then it must be encoded to an :term:`A-label` string before
being passed.
.. attribute:: value
......@@ -1557,6 +1612,45 @@ X.509 Extensions
Returns :attr:`~cryptography.x509.oid.ExtensionOID.OCSP_NO_CHECK`.
.. class:: TLSFeature(features)
.. versionadded:: 2.1
The TLS Feature extension is defined in :rfc:`7633` and is used in
certificates for OCSP Must-Staple. The object is iterable to get every
element.
:param list features: A list of features to enable from the
:class:`~cryptography.x509.TLSFeatureType` enum. At this time only
``status_request`` or ``status_request_v2`` are allowed.
.. attribute:: oid
:type: :class:`ObjectIdentifier`
Returns :attr:`~cryptography.x509.oid.ExtensionOID.TLS_FEATURE`.
.. class:: TLSFeatureType
.. versionadded:: 2.1
An enumeration of TLS Feature types.
.. attribute:: status_request
This feature type is defined in :rfc:`6066` and, when embedded in
an X.509 certificate, signals to the client that it should require
a stapled OCSP response in the TLS handshake. Commonly known as OCSP
Must-Staple in certificates.
.. attribute:: status_request_v2
This feature type is defined in :rfc:`6961`. This value is not
commonly used and if you want to enable OCSP Must-Staple you should
use ``status_request``.
.. class:: NameConstraints(permitted_subtrees, excluded_subtrees)
.. versionadded:: 1.0
......@@ -1840,6 +1934,30 @@ X.509 Extensions
:attr:`~cryptography.x509.oid.ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS`.
.. class:: DeltaCRLIndicator(crl_number)
.. versionadded:: 2.1
The delta CRL indicator is a CRL extension that identifies a CRL as being
a delta CRL. Delta CRLs contain updates to revocation information
previously distributed, rather than all the information that would appear
in a complete CRL.
:param int crl_number: The CRL number of the complete CRL that the
delta CRL is updating.
.. attribute:: oid
:type: :class:`ObjectIdentifier`
Returns
:attr:`~cryptography.x509.oid.ExtensionOID.DELTA_CRL_INDICATOR`.
.. attribute:: crl_number
:type: int
.. class:: AuthorityInformationAccess(descriptions)
.. versionadded:: 0.9
......@@ -1889,6 +2007,24 @@ X.509 Extensions
Where to access the information defined by the access method.
.. class:: FreshestCRL(distribution_points)
.. versionadded:: 2.1
The freshest CRL extension (also known as Delta CRL Distribution Point)
identifies how delta CRL information is obtained. It is an iterable,
containing one or more :class:`DistributionPoint` instances.
:param list distribution_points: A list of :class:`DistributionPoint`
instances.
.. attribute:: oid
:type: :class:`ObjectIdentifier`
Returns
:attr:`~cryptography.x509.oid.ExtensionOID.FRESHEST_CRL`.
.. class:: CRLDistributionPoints(distribution_points)
.. versionadded:: 0.9
......@@ -2231,8 +2367,7 @@ These extensions are only valid within a :class:`RevokedCertificate` object.
valid inside :class:`~cryptography.x509.RevokedCertificate` objects. It
identifies a reason for the certificate revocation.
:param reason: A value from the
:class:`~cryptography.x509.oid.CRLEntryExtensionOID` enum.
:param reason: An element from :class:`~cryptography.x509.ReasonFlags`.
.. attribute:: oid
......@@ -2624,12 +2759,26 @@ instances. The following common OIDs are available as constants.
identifier for the :class:`~cryptography.x509.OCSPNoCheck` extension
type.
.. attribute:: TLS_FEATURE
Corresponds to the dotted string ``"1.3.6.1.5.5.7.1.24"``. The
identifier for the :class:`~cryptography.x509.TLSFeature` extension
type.
.. attribute:: CRL_NUMBER
Corresponds to the dotted string ``"2.5.29.20"``. The identifier for
the ``CRLNumber`` extension type. This extension only has meaning
for certificate revocation lists.
.. attribute:: DELTA_CRL_INDICATOR
.. versionadded:: 2.1
Corresponds to the dotted string ``"2.5.29.27"``. The identifier for
the ``DeltaCRLIndicator`` extension type. This extension only has
meaning for certificate revocation lists.
.. attribute:: PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS
.. versionadded:: 1.9
......@@ -2641,6 +2790,11 @@ instances. The following common OIDs are available as constants.
Corresponds to the dotted string ``"2.5.29.36"``. The identifier for the
:class:`~cryptography.x509.PolicyConstraints` extension type.
.. attribute:: FRESHEST_CRL
Corresponds to the dotted string ``"2.5.29.46"``. The identifier for the
:class:`~cryptography.x509.FreshestCRL` extension type.