Commit 66e2b735 authored by Tristan Seligmann

Import python-cryptography_2.3.orig.tar.gz

parent 1ab96a37
......@@ -40,3 +40,4 @@ PGP key fingerprints are enclosed in parentheses.
* Chris Wolfe <chriswwolfe@gmail.com>
* Jeremy Lainé <jeremy.laine@m4x.org>
* Denis Gladkikh <denis@gladkikh.email>
* John Pacific <me@johnpacific.com> (2CF6 0381 B5EF 29B7 D48C 2020 7BB9 71A0 E891 44D9)
Changelog
=========
.. _v2-3:
2.3 - 2018-07-18
~~~~~~~~~~~~~~~~
* **SECURITY ISSUE:**
:meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag`
allowed tag truncation by default which can allow tag forgery in some cases.
The method now enforces the ``min_tag_length`` provided to the
:class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` constructor.
* Added support for Python 3.7.
* Added :meth:`~cryptography.fernet.Fernet.extract_timestamp` to get the
authenticated timestamp of a :doc:`Fernet </fernet>` token.
* Support for Python 2.7.x without ``hmac.compare_digest`` has been deprecated.
We will require Python 2.7.7 or higher (or 2.7.6 on Ubuntu) in the next
``cryptography`` release.
* Fixed multiple issues preventing ``cryptography`` from compiling against
LibreSSL 2.7.x.
* Added
:class:`~cryptography.x509.CertificateRevocationList.get_revoked_certificate_by_serial_number`
for quick serial number searches in CRLs.
* The :class:`~cryptography.x509.RelativeDistinguishedName` class now
preserves the order of attributes. Duplicate attributes now raise an error
instead of silently discarding duplicates.
* :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap` and
:func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding`
now raise :class:`~cryptography.hazmat.primitives.keywrap.InvalidUnwrap` if
the wrapped key is an invalid length, instead of ``ValueError``.
.. _v2-2-2:
2.2.2 - 2018-03-27
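Review bot: The SECURITY ISSUE entry under 2.3 says finalize_with_tag "now enforces the ``min_tag_length``" but does not tell upgraders what changes for them: per the finalize_with_tag docs in this same commit, a tag shorter than min_tag_length raises ValueError, so callers that relied on truncated tags must now pass a smaller min_tag_length to the GCM constructor. Suggest adding one sentence to that effect and stating which earlier releases accepted truncated tags by default. Separately, the get_revoked_certificate_by_serial_number entry uses the :class: role for what the X.509 docs in this commit declare with ".. method::"; :meth: would link correctly.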
......@@ -21,6 +50,7 @@ Changelog
that caused it to raise ``InvalidUnwrap`` when key length modulo 8 was
zero.
.. _v2-2:
2.2 - 2018-03-19
......
Metadata-Version: 2.1
Name: cryptography
Version: 2.2.2
Version: 2.3
Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Home-page: https://github.com/pyca/cryptography
Author: The cryptography developers
......@@ -10,7 +10,7 @@ Description: pyca/cryptography
=================
.. image:: https://img.shields.io/pypi/v/cryptography.svg
:target: https://pypi.python.org/pypi/cryptography/
:target: https://pypi.org/project/cryptography/
:alt: Latest Version
.. image:: https://readthedocs.org/projects/cryptography/badge/?version=latest
......@@ -79,6 +79,7 @@ Description: pyca/cryptography
.. _`security reporting`: https://cryptography.io/en/latest/security/
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: License :: OSI Approved :: BSD License
......@@ -95,11 +96,12 @@ Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Programming Language :: Python :: Implementation :: PyPy
Classifier: Topic :: Security :: Cryptography
Requires-Python: >=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*
Provides-Extra: docs
Provides-Extra: docstest
Provides-Extra: pep8test
Provides-Extra: test
Provides-Extra: docs
Provides-Extra: pep8test
......@@ -2,7 +2,7 @@ pyca/cryptography
=================
.. image:: https://img.shields.io/pypi/v/cryptography.svg
:target: https://pypi.python.org/pypi/cryptography/
:target: https://pypi.org/project/cryptography/
:alt: Latest Version
.. image:: https://readthedocs.org/projects/cryptography/badge/?version=latest
......
......@@ -29,4 +29,4 @@ the following python script was run to generate the vector files.
Download link: :download:`verify_secp256k1.py
</development/custom-vectors/secp256k1/verify_secp256k1.py>`
.. _`pure Python ecdsa`: https://pypi.python.org/pypi/ecdsa
.. _`pure Python ecdsa`: https://pypi.org/project/ecdsa/
......@@ -61,7 +61,7 @@ automatically, so all you have to do is:
.. code-block:: console
$ py.test
$ pytest
...
62746 passed in 220.43 seconds
......@@ -106,10 +106,10 @@ The HTML documentation index can now be found at
.. _`Homebrew`: https://brew.sh
.. _`MacPorts`: https://www.macports.org
.. _`OpenSSL`: https://www.openssl.org
.. _`pytest`: https://pypi.python.org/pypi/pytest
.. _`tox`: https://pypi.python.org/pypi/tox
.. _`virtualenv`: https://pypi.python.org/pypi/virtualenv
.. _`pip`: https://pypi.python.org/pypi/pip
.. _`sphinx`: https://pypi.python.org/pypi/Sphinx
.. _`reStructured Text`: http://sphinx-doc.org/rest.html
.. _`pytest`: https://pypi.org/project/pytest/
.. _`tox`: https://pypi.org/project/tox/
.. _`virtualenv`: https://pypi.org/project/virtualenv/
.. _`pip`: https://pypi.org/project/pip/
.. _`sphinx`: https://pypi.org/project/Sphinx/
.. _`reStructured Text`: http://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html
.. _`this Github issue`: https://github.com/rfk/pyenchant/issues/42
......@@ -155,7 +155,7 @@ So, specifically:
.. _`Write comments as complete sentences.`: https://nedbatchelder.com/blog/201401/comments_should_be_sentences.html
.. _`syntax`: http://sphinx-doc.org/domains.html#info-field-lists
.. _`syntax`: http://www.sphinx-doc.org/en/master/usage/restructuredtext/domains.html#info-field-lists
.. _`Studies have shown`: https://smartbear.com/SmartBear/media/pdfs/11_Best_Practices_for_Peer_Code_Review.pdf
.. _`our mailing list`: https://mail.python.org/mailman/listinfo/cryptography-dev
.. _`doc8`: https://github.com/openstack/doc8
......@@ -176,6 +176,8 @@ X.509
a distinguished name with an ``x500UniqueIdentifier``.
* ``utf8-dnsname.pem`` - A certificate containing non-ASCII characters in the
DNS name entries of the SAN extension.
* ``badasn1time.pem`` - A certificate containing an incorrectly specified
UTCTime in its validity->not_after.
Custom X.509 Vectors
~~~~~~~~~~~~~~~~~~~~
......@@ -403,7 +405,9 @@ Hashes
* MD5 from :rfc:`1321`.
* RIPEMD160 from the `RIPEMD website`_.
* SHA1 from `NIST CAVP`_.
* SHA2 (224, 256, 384, 512) from `NIST CAVP`_.
* SHA2 (224, 256, 384, 512, 512/224, 512/256) from `NIST CAVP`_.
* SHA3 (224, 256, 384, 512) from `NIST CAVP`_.
* SHAKE (128, 256) from `NIST CAVP`_.
* Blake2s and Blake2b from OpenSSL `test/evptests.txt`_.
HMAC
......
......@@ -3,32 +3,19 @@ Doing a release
Doing a release of ``cryptography`` requires a few steps.
Verifying and upgrading OpenSSL version
---------------------------------------
Verifying OpenSSL version
-------------------------
The release process creates wheels bundling OpenSSL for Windows, macOS, and
Linux. Check that the Windows and macOS Jenkins builders have the latest
version of OpenSSL installed and verify that the latest version is present in
the ``pyca/cryptography-manylinux1`` docker containers. If anything is out
of date:
of date follow the instructions for upgrading OpenSSL.
Upgrading Windows
~~~~~~~~~~~~~~~~~
Upgrading OpenSSL
-----------------
Run the ``openssl-release-1.1`` Jenkins job, then copy the resulting artifacts
to the Windows builders and unzip them in the root of the file system.
Upgrading macOS
~~~~~~~~~~~~~~~
Run the ``update-brew-openssl`` Jenkins job.
Upgrading ``manylinux1`` docker containers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Send a pull request to the ``pyca/infra`` project updating the version and
file hash in ``cryptography-manylinux1/install_openssl.sh``. Once this is
merged the updated image will be available to the wheel builder.
Use the `upgrading OpenSSL issue template`_.
Bumping the version number
--------------------------
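Review bot: In the rewritten "Verifying OpenSSL version" paragraph, "of date follow the instructions for upgrading OpenSSL." needs a comma after "out of date", and the new "Upgrading OpenSSL" section is only a link to an issue template. The text it replaces spelled out the per-platform steps, including updating the version and file hash in ``cryptography-manylinux1/install_openssl.sh``. The file hash step in particular is worth keeping visible in the release doc itself, so it stays on record if the template is edited or moved.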
......@@ -91,6 +78,7 @@ Post-release tasks
* Send an email to the `mailing list`_ and `python-announce`_ announcing the
release.
.. _`upgrading OpenSSL issue template`: https://github.com/pyca/cryptography/issues/new?template=openssl-release.md
.. _`milestone`: https://github.com/pyca/cryptography/milestones
.. _`mailing list`: https://mail.python.org/mailman/listinfo/cryptography-dev
.. _`python-announce`: https://mail.python.org/mailman/listinfo/python-announce-list
......@@ -19,9 +19,9 @@ has support for implementing key rotation via :class:`MultiFernet`.
>>> f = Fernet(key)
>>> token = f.encrypt(b"my deep dark secret")
>>> token
'...'
b'...'
>>> f.decrypt(token)
'my deep dark secret'
b'my deep dark secret'
:param bytes key: A URL-safe base64-encoded 32-byte key. This **must** be
kept secret. Anyone with this key is able to create and
......@@ -80,6 +80,22 @@ has support for implementing key rotation via :class:`MultiFernet`.
:raises TypeError: This exception is raised if ``token`` is not
``bytes``.
.. method:: extract_timestamp(token)
.. versionadded:: 2.3
Returns the timestamp for the token. The caller can then decide if
the token is about to expire and, for example, issue a new token.
:param bytes token: The Fernet token. This is the result of calling
:meth:`encrypt`.
:returns int: The UNIX timestamp of the token.
:raises cryptography.fernet.InvalidToken: If the ``token``'s signature
is invalid this exception
is raised.
:raises TypeError: This exception is raised if ``token`` is not
``bytes``.
.. class:: MultiFernet(fernets)
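Review bot: The new extract_timestamp entry says the caller "can then decide if the token is about to expire" but never states whether the method itself applies any expiry check, and the :raises: clause only covers an invalid signature. Suggest stating explicitly that the timestamp is returned after the signature is verified (the changelog calls it the "authenticated timestamp") and whether any expiry is enforced, so callers do not read a successful return as proof the token is still fresh.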
......@@ -97,9 +113,9 @@ has support for implementing key rotation via :class:`MultiFernet`.
>>> f = MultiFernet([key1, key2])
>>> token = f.encrypt(b"Secret message!")
>>> token
'...'
b'...'
>>> f.decrypt(token)
'Secret message!'
b'Secret message!'
MultiFernet performs all encryption options using the *first* key in the
``list`` provided. MultiFernet attempts to decrypt tokens with each key in
......@@ -136,14 +152,14 @@ has support for implementing key rotation via :class:`MultiFernet`.
>>> f = MultiFernet([key1, key2])
>>> token = f.encrypt(b"Secret message!")
>>> token
'...'
b'...'
>>> f.decrypt(token)
'Secret message!'
b'Secret message!'
>>> key3 = Fernet(Fernet.generate_key())
>>> f2 = MultiFernet([key3, key1, key2])
>>> rotated = f2.rotate(token)
>>> f2.decrypt(rotated)
'Secret message!'
b'Secret message!'
:param bytes msg: The token to re-encrypt.
:returns bytes: A secure message that cannot be read or altered without
......@@ -189,9 +205,9 @@ password through a key derivation function such as
>>> f = Fernet(key)
>>> token = f.encrypt(b"Secret message!")
>>> token
'...'
b'...'
>>> f.decrypt(token)
'Secret message!'
b'Secret message!'
In this scheme, the salt has to be stored in a retrievable location in order
to derive the same key from the password in the future.
......
......@@ -34,7 +34,7 @@ also support providing integrity for associated data which is not encrypted.
>>> nonce = os.urandom(12)
>>> ct = chacha.encrypt(nonce, data, aad)
>>> chacha.decrypt(nonce, ct, aad)
'a secret message'
b'a secret message'
.. classmethod:: generate_key()
......@@ -60,6 +60,8 @@ also support providing integrity for associated data which is not encrypted.
authenticated with the key, but does not need to be encrypted. Can
be ``None``.
:returns bytes: The ciphertext bytes with the 16 byte tag appended.
:raises OverflowError: If ``data`` or ``associated_data`` is larger
than 2\ :sup:`32` bytes.
.. method:: decrypt(nonce, data, associated_data)
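Review bot: The added ":raises OverflowError:" lines sit under encrypt only (they end just before ".. method:: decrypt"), and the same two lines are repeated for the AESGCM and AESCCM entries further down. If decrypt rejects oversized ``data`` or ``associated_data`` the same way, its entry needs the matching :raises: line; if it does not, the docs should say so, since callers will otherwise assume the limit is symmetric.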
......@@ -99,7 +101,7 @@ also support providing integrity for associated data which is not encrypted.
>>> nonce = os.urandom(12)
>>> ct = aesgcm.encrypt(nonce, data, aad)
>>> aesgcm.decrypt(nonce, ct, aad)
'a secret message'
b'a secret message'
.. classmethod:: generate_key(bit_length)
......@@ -128,6 +130,8 @@ also support providing integrity for associated data which is not encrypted.
:param bytes associated_data: Additional data that should be
authenticated with the key, but is not encrypted. Can be ``None``.
:returns bytes: The ciphertext bytes with the 16 byte tag appended.
:raises OverflowError: If ``data`` or ``associated_data`` is larger
than 2\ :sup:`32` bytes.
.. method:: decrypt(nonce, data, associated_data)
......@@ -181,7 +185,7 @@ also support providing integrity for associated data which is not encrypted.
>>> nonce = os.urandom(13)
>>> ct = aesccm.encrypt(nonce, data, aad)
>>> aesccm.decrypt(nonce, ct, aad)
'a secret message'
b'a secret message'
.. classmethod:: generate_key(bit_length)
......@@ -212,6 +216,8 @@ also support providing integrity for associated data which is not encrypted.
:param bytes associated_data: Additional data that should be
authenticated with the key, but is not encrypted. Can be ``None``.
:returns bytes: The ciphertext bytes with the tag appended.
:raises OverflowError: If ``data`` or ``associated_data`` is larger
than 2\ :sup:`32` bytes.
.. method:: decrypt(nonce, data, associated_data)
......
......@@ -152,6 +152,13 @@ Elliptic Curve Signature Algorithms
.. class:: EllipticCurvePublicNumbers(x, y, curve)
.. warning::
The point represented by this object is not validated in any way until
:meth:`EllipticCurvePublicNumbers.public_key` is called and may not
represent a valid point on the curve. You should not attempt to perform
any computations using the values from this class until you have either
validated it yourself or called ``public_key()`` successfully.
.. versionadded:: 0.5
The collection of integers that make up an EC public key.
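Review bot: The warning on EllipticCurvePublicNumbers tells readers to validate the point "yourself" or call public_key() "successfully", but gives no hint what an unsuccessful call looks like. The next hunk documents that public_key() raises ValueError "if the point is invalid for the curve"; referencing that exception in the warning would make it actionable for code that builds public numbers from untrusted input.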
......@@ -182,6 +189,7 @@ Elliptic Curve Signature Algorithms
:param backend: An instance of
:class:`~cryptography.hazmat.backends.interfaces.EllipticCurveBackend`.
:raises ValueError: Raised if the point is invalid for the curve.
:returns: A new instance of :class:`EllipticCurvePublicKey`.
.. method:: encode_point()
......@@ -669,7 +677,7 @@ This sample demonstrates how to generate a private key and serialize it.
... encryption_algorithm=serialization.BestAvailableEncryption(b'testpassword')
... )
>>> serialized_private.splitlines()[0]
'-----BEGIN ENCRYPTED PRIVATE KEY-----'
b'-----BEGIN ENCRYPTED PRIVATE KEY-----'
You can also serialize the key without a password, by relying on
:class:`~cryptography.hazmat.primitives.serialization.NoEncryption`.
......@@ -685,7 +693,7 @@ The public key is serialized as follows:
... format=serialization.PublicFormat.SubjectPublicKeyInfo
... )
>>> serialized_public.splitlines()[0]
'-----BEGIN PUBLIC KEY-----'
b'-----BEGIN PUBLIC KEY-----'
This is the part that you would normally share with the rest of the world.
......
......@@ -100,7 +100,7 @@ to serialize the key.
... encryption_algorithm=serialization.BestAvailableEncryption(b'mypassword')
... )
>>> pem.splitlines()[0]
'-----BEGIN ENCRYPTED PRIVATE KEY-----'
b'-----BEGIN ENCRYPTED PRIVATE KEY-----'
It is also possible to serialize without encryption using
:class:`~cryptography.hazmat.primitives.serialization.NoEncryption`.
......@@ -113,7 +113,7 @@ It is also possible to serialize without encryption using
... encryption_algorithm=serialization.NoEncryption()
... )
>>> pem.splitlines()[0]
'-----BEGIN RSA PRIVATE KEY-----'
b'-----BEGIN RSA PRIVATE KEY-----'
For public keys you can use
:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey.public_bytes`
......@@ -128,7 +128,7 @@ to serialize the key.
... format=serialization.PublicFormat.SubjectPublicKeyInfo
... )
>>> pem.splitlines()[0]
'-----BEGIN PUBLIC KEY-----'
b'-----BEGIN PUBLIC KEY-----'
Signing
~~~~~~~
......
......@@ -418,12 +418,24 @@ Serialization Formats
Frequently known as PKCS#1 format. Still a widely used format, but
generally considered legacy.
A PEM encoded RSA key will look like::
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
.. attribute:: PKCS8
A more modern format for serializing keys which allows for better
encryption. Choose this unless you have explicit legacy compatibility
requirements.
A PEM encoded key will look like::
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
.. class:: PublicFormat
.. versionadded:: 0.8
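Review bot: The PKCS8 example shows only the unencrypted header, "-----BEGIN PRIVATE KEY-----". The doctests updated elsewhere in this commit show keys serialized with BestAvailableEncryption starting with "-----BEGIN ENCRYPTED PRIVATE KEY-----", which is the encrypted PKCS8 label, so a reader matching on the header from this section would not recognise an encrypted key. Suggest showing both headers. Likewise the TraditionalOpenSSL example is introduced as "A PEM encoded RSA key"; say whether other key types produce a different label.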
......@@ -443,11 +455,23 @@ Serialization Formats
identifier and the public key as a bit string. Choose this unless
you have specific needs.
A PEM encoded key will look like::
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
.. attribute:: PKCS1
Just the public key elements (without the algorithm identifier). This
format is RSA only, but is used by some older systems.
A PEM encoded key will look like::
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
.. attribute:: OpenSSH
.. versionadded:: 1.4
......
......@@ -26,7 +26,7 @@ Message digests (Hashing)
>>> digest.update(b"abc")
>>> digest.update(b"123")
>>> digest.finalize()
'l\xa1=R\xcap\xc8\x83\xe0\xf0\xbb\x10\x1eBZ\x89\xe8bM\xe5\x1d\xb2\xd29%\x93\xafj\x84\x11\x80\x90'
b'l\xa1=R\xcap\xc8\x83\xe0\xf0\xbb\x10\x1eBZ\x89\xe8bM\xe5\x1d\xb2\xd29%\x93\xafj\x84\x11\x80\x90'
If the backend doesn't support the requested ``algorithm`` an
:class:`~cryptography.exceptions.UnsupportedAlgorithm` exception will be
......@@ -183,12 +183,6 @@ Interfaces
The size of the resulting digest in bytes.
.. attribute:: block_size
:type: int
The internal block size of the hash algorithm in bytes.
.. class:: HashContext
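Review bot: The removal of the block_size attribute from the interface documented under "Interfaces" has no matching entry in the 2.3 changelog in this commit. If the attribute was removed from, or made optional on, the interface, add a changelog line so implementers of custom hash algorithms notice; if only the docs moved, note where block_size is documented now.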
......
......@@ -282,7 +282,6 @@ Different KDFs are suitable for different tasks such as:
:raises cryptography.exceptions.UnsupportedAlgorithm: This is raised if the
provided ``backend`` does not implement
:class:`~cryptography.hazmat.backends.interfaces.HMACBackend`
:raises TypeError: This is raised if the provided ``info`` is a unicode object
:raises TypeError: This exception is raised if ``info`` is not ``bytes``.
.. method:: derive(key_material)
......@@ -290,8 +289,6 @@ Different KDFs are suitable for different tasks such as:
:param bytes key_material: The input key material.
:return bytes: The derived key.
:raises TypeError: This is raised if the provided ``key_material`` is
a unicode object
:raises TypeError: This exception is raised if ``key_material`` is not
``bytes``.
......@@ -314,7 +311,7 @@ Different KDFs are suitable for different tasks such as:
called more than
once.
:raises TypeError: This is raised if the provided ``key_material`` is
a unicode object
a ``unicode`` object
This checks whether deriving a new key from the supplied
``key_material`` generates the same key as the ``expected_key``, and
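Review bot: The ":raises TypeError:" text for this method still describes the failure as ``key_material`` being "a ``unicode`` object", with only the literal markup added. The two hunks just above reword the same condition to "is not ``bytes``"; use that wording here too so the three entries agree and the description matches the type that is actually required.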
......
......@@ -32,7 +32,7 @@ A subset of CMAC with the AES-128 algorithm is described in :rfc:`4493`.
>>> c = cmac.CMAC(algorithms.AES(key), backend=default_backend())
>>> c.update(b"message to authenticate")
>>> c.finalize()
'CT\x1d\xc8\x0e\x15\xbe4e\xdb\xb6\x84\xca\xd9Xk'
b'CT\x1d\xc8\x0e\x15\xbe4e\xdb\xb6\x84\xca\xd9Xk'
If the backend doesn't support the requested ``algorithm`` an
:class:`~cryptography.exceptions.UnsupportedAlgorithm` exception will be
......
......@@ -32,7 +32,7 @@ of a message.
>>> h = hmac.HMAC(key, hashes.SHA256(), backend=default_backend())
>>> h.update(b"message to hash")
>>> h.finalize()
'#F\xdaI\x8b"e\xc4\xf1\xbb\x9a\x8fc\xff\xf5\xdex.\xbc\xcd/+\x8a\x86\x1d\x84\'\xc3\xa6\x1d\xd8J'
b'#F\xdaI\x8b"e\xc4\xf1\xbb\x9a\x8fc\xff\xf5\xdex.\xbc\xcd/+\x8a\x86\x1d\x84\'\xc3\xa6\x1d\xd8J'
If the backend doesn't support the requested ``algorithm`` an
:class:`~cryptography.exceptions.UnsupportedAlgorithm` exception will be
......
......@@ -25,16 +25,16 @@ multiple of the block size.
>>> padder = padding.PKCS7(128).padder()
>>> padded_data = padder.update(b"11111111111111112222222222")
>>> padded_data
'1111111111111111'
b'1111111111111111'
>>> padded_data += padder.finalize()
>>> padded_data
'11111111111111112222222222\x06\x06\x06\x06\x06\x06'
b'11111111111111112222222222\x06\x06\x06\x06\x06\x06'
>>> unpadder = padding.PKCS7(128).unpadder()
>>> data = unpadder.update(padded_data)
>>> data
'1111111111111111'
b'1111111111111111'
>>> data + unpadder.finalize()
'11111111111111112222222222'
b'11111111111111112222222222'
:param block_size: The size of the block in :term:`bits` that the data is
being padded to.
......@@ -68,16 +68,16 @@ multiple of the block size.
>>> padder = padding.ANSIX923(128).padder()
>>> padded_data = padder.update(b"11111111111111112222222222")
>>> padded_data
'1111111111111111'
b'1111111111111111'
>>> padded_data += padder.finalize()
>>> padded_data
'11111111111111112222222222\x00\x00\x00\x00\x00\x06'
b'11111111111111112222222222\x00\x00\x00\x00\x00\x06'
>>> unpadder = padding.ANSIX923(128).unpadder()
>>> data = unpadder.update(padded_data)
>>> data
'1111111111111111'
b'1111111111111111'
>>> data + unpadder.finalize()
'11111111111111112222222222'
b'11111111111111112222222222'
:param block_size: The size of the block in :term:`bits` that the data is
being padded to.
......
......@@ -42,7 +42,7 @@ it fits your needs before implementing anything using this module.**
>>> ct = encryptor.update(b"a secret message") + encryptor.finalize()
>>> decryptor = cipher.decryptor()
>>> decryptor.update(ct) + decryptor.finalize()
'a secret message'
b'a secret message'
:param algorithms: A
:class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`
......@@ -151,7 +151,7 @@ Algorithms
>>> ct = encryptor.update(b"a secret message")
>>> decryptor = cipher.decryptor()
>>> decryptor.update(ct)
'a secret message'
b'a secret message'
.. class:: TripleDES(key)
......@@ -229,7 +229,7 @@ Weak ciphers
>>> ct = encryptor.update(b"a secret message")
>>> decryptor = cipher.decryptor()
>>> decryptor.update(ct)
'a secret message'
b'a secret message'
.. class:: IDEA(key)
......@@ -278,7 +278,7 @@ Modes
.. doctest::
>>> from cryptography.hazmat.primitives.ciphers.modes import CBC
>>> iv = "a" * 16
>>> iv = b"a" * 16
>>> mode = CBC(iv)
......@@ -379,10 +379,10 @@ Modes
Cryptography will generate a 128-bit tag when finalizing encryption.
You can shorten a tag by truncating it to the desired length but this
is **not recommended** as it lowers the security margins of the
authentication (`NIST SP-800-38D`_ recommends 96-:term:`bits` or
greater). Applications wishing to allow truncation must pass the
``min_tag_length`` parameter.
is **not recommended** as it makes it easier to forge messages, and
also potentially leaks the key (`NIST SP-800-38D`_ recommends
96-:term:`bits` or greater). Applications wishing to allow truncation
can pass the ``min_tag_length`` parameter.
.. versionchanged:: 0.5
......@@ -395,11 +395,12 @@ Modes
:meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag`.
Otherwise, the tag is mandatory.
:param bytes min_tag_length: The minimum length ``tag`` must be. By default
:param int min_tag_length: The minimum length ``tag`` must be. By default
this is ``16``, meaning tag truncation is not allowed. Allowing tag
truncation is strongly discouraged for most applications.
:raises ValueError: This is raised if ``len(tag) < min_tag_length``.
:raises ValueError: This is raised if ``len(tag) < min_tag_length`` or the
``initialization_vector`` is too short.
:raises NotImplementedError: This is raised if the version of the OpenSSL
backend used is 1.0.1 or earlier.
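Review bot: The extended ":raises ValueError:" clause now covers an ``initialization_vector`` that is "too short", but nothing in the visible text gives the minimum length, so a caller cannot tell what is rejected. State the minimum next to the initialization_vector parameter or in this clause. On ":param int min_tag_length:", it would help to say the value is in bytes, since the default is given as ``16`` while the paragraph above talks about a 128-bit tag and a 96-bit recommendation.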
......@@ -471,7 +472,7 @@ Modes
.. testoutput::
a secret message!
b'a secret message!'
.. class:: XTS(tweak)
......@@ -594,7 +595,7 @@ Interfaces
>>> len_decrypted = decryptor.update_into(ct, buf)
>>> # get the plaintext from the buffer reading only the bytes written (len_decrypted)
>>> bytes(buf[:len_decrypted]) + decryptor.finalize()
'a secret message'
b'a secret message'
.. method:: finalize()
......@@ -670,6 +671,7 @@ Interfaces
:raises ValueError: This is raised when the data provided isn't
a multiple of the algorithm's block size, if ``min_tag_length`` is
less than 4, or if ``len(tag) < min_tag_length``.
``min_tag_length`` is an argument to the ``GCM`` constructor.
:raises NotImplementedError: This is raised if the version of the
OpenSSL backend used is 1.0.1 or earlier.
......
......@@ -10,7 +10,7 @@ You can install ``cryptography`` with ``pip``:
Supported platforms
-------------------
Currently we test ``cryptography`` on Python 2.7, 3.4, 3.5, 3.6, and
Currently we test ``cryptography`` on Python 2.7, 3.4+, and
PyPy 5.3+ on these operating systems.
* x86-64 CentOS 7.x
......@@ -205,7 +205,7 @@ dependencies.
./config no-shared no-ssl2 no-ssl3 -fPIC --prefix=${CWD}/openssl
make && make install
cd ..
CFLAGS="-I${CWD}/openssl/include" LDFLAGS="-L${CWD}/openssl/lib" pip wheel --no-use-wheel cryptography
CFLAGS="-I${CWD}/openssl/include" LDFLAGS="-L${CWD}/openssl/lib" pip wheel --no-binary :all: cryptography
Building cryptography on macOS
------------------------------
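Review bot: Replacing --no-use-wheel with "--no-binary :all:" in the pip wheel line forces every dependency of cryptography to be built from source, not just cryptography itself. If the intent of this static-build recipe is only to compile cryptography against the locally built OpenSSL, "--no-binary cryptography" is the narrower form and avoids pulling source builds of unrelated packages into the procedure.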
......
......@@ -96,6 +96,7 @@ timestamp
tunable
Ubuntu
unencrypted
unicode
unpadded
unpadding
verifier
......
......@@ -271,7 +271,7 @@ X.509 Certificate Object
>>> from cryptography.hazmat.primitives import hashes
>>> cert.fingerprint(hashes.SHA256())
'\x86\xd2\x187Gc\xfc\xe7}[+E9\x8d\xb4\x8f\x10\xe5S\xda\x18u\xbe}a\x03\x08[\xac\xa04?'
b'\x86\xd2\x187Gc\xfc\xe7}[+E9\x8d\xb4\x8f\x10\xe5S\xda\x18u\xbe}a\x03\x08[\xac\xa04?'
.. attribute:: serial_number
......@@ -389,8 +389,8 @@ X.509 Certificate Object
>>> for ext in cert.extensions:
... print(ext)
<Extension(oid=<ObjectIdentifier(oid=2.5.29.35, name=authorityKeyIdentifier)>, critical=False, value=<AuthorityKeyIdentifier(key_identifier='\xe4}_\xd1\\\x95\x86\x08,\x05\xae\xbeu\xb6e\xa7\xd9]\xa8f', authority_cert_issuer=None, authority_cert_serial_number=None)>)>
<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectKeyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(digest='X\x01\x84$\x1b\xbc+R\x94J=\xa5\x10r\x14Q\xf5\xaf:\xc9')>)>
<Extension(oid=<ObjectIdentifier(oid=2.5.29.35, name=authorityKeyIdentifier)>, critical=False, value=<AuthorityKeyIdentifier(key_identifier=b'\xe4}_\xd1\\\x95\x86\x08,\x05\xae\xbeu\xb6e\xa7\xd9]\xa8f', authority_cert_issuer=None, authority_cert_serial_number=None)>)>
<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectKeyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(digest=b'X\x01\x84$\x1b\xbc+R\x94J=\xa5\x10r\x14Q\xf5\xaf:\xc9')>)>
<Extension(oid=<ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>, critical=True, value=<KeyUsage(digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=None, decipher_only=None)>)>
<Extension(oid=<ObjectIdentifier(oid=2.5.29.32, name=certificatePolicies)>, critical=False, value=<CertificatePolicies([<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=2.16.840.1.101.3.2.1.48.1, name=Unknown OID)>, policy_qualifiers=None)>])>)>
<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=True, path_length=None)>)>
......@@ -461,7 +461,16 @@ X.509 CRL (Certificate Revocation List) Object
>>> from cryptography.hazmat.primitives import hashes
>>> crl.fingerprint(hashes.SHA256())
'e\xcf.\xc4:\x83?1\xdc\xf3\xfc\x95\xd7\xb3\x87\xb3\x8e\xf8\xb93!\x87\x07\x9d\x1b\xb4!\xb9\xe4W\xf4\x1f'
b'e\xcf.\xc4:\x83?1\xdc\xf3\xfc\x95\xd7\xb3\x87\xb3\x8e\xf8\xb93!\x87\x07\x9d\x1b\xb4!\xb9\xe4W\xf4\x1f'
.. method:: get_revoked_certificate_by_serial_number(serial_number)
.. versionadded:: 2.3
:param serial_number: The serial as a Python integer.
:returns: :class:`~cryptography.x509.RevokedCertificate` if the
``serial_number`` is present in the CRL or ``None`` if it
is not.
.. attribute:: signature_hash_algorithm
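Review bot: The new get_revoked_certificate_by_serial_number entry has a parameter and a return description but no sentence saying what the method does, and ":param serial_number:" carries no type even though the text says it is a Python integer. Suggest a one-line description and ":param int serial_number:", plus a short doctest like the fingerprint entry directly above, showing the ``None`` result for a serial that is not in the CRL.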
......@@ -501,7 +510,7 @@ X.509 CRL (Certificate Revocation List) Object
.. doctest::
>>> crl.issuer
<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value=u'US')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'cryptography.io')>])>
<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value='US')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='cryptography.io')>])>
.. attribute:: next_update
......@@ -1117,7 +1126,7 @@ X.509 CSR (Certificate Signing Request) Builder Object
Technically, a Name is a list of *sets* of attributes, called *Relative
Distinguished Names* or *RDNs*, although multi-valued RDNs are rarely
encountered. The iteration order of values within a multi-valued RDN is
undefined. If you need to handle multi-valued RDNs, the ``rdns`` property
preserved. If you need to handle multi-valued RDNs, the ``rdns`` property
gives access to an ordered list of :class:`RelativeDistinguishedName`
objects.
......@@ -1132,9 +1141,9 @@ X.509 CSR (Certificate Signing Request) Builder Object
3
>>> for attribute in cert.subject:
... print(attribute)
<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value=u'US')>
<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, value=u'Test Certificates 2011')>
<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Good CA')>
<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value='US')>
<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, value='Test Certificates 2011')>
<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='Good CA')>