profile
viewpoint
If you are wondering where the data of this site comes from, please visit https://api.github.com/users/reaperhulk/events. GitMemory does not store any data, but only uses NGINX to cache data for a period of time. The idea behind GitMemory is simply to give users a better reading experience.

certbot/certbot 28314

Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.

fishinabarrel/linux-kernel-module-rust 1204

Framework for writing Linux kernel modules in safe Rust

alex/rust-asn1 72

A Rust ASN.1 (DER) serializer.

alex/just-use 60

Just Use /dev/urandom -- now with more safety at early boot

algorand/pairing-plus 16

This is a fork of pairing library with additional efficiency functionality improvement.

algorand/pixel 11

Algorand's implementation of pixel consensus signature

reaperhulk/AvianSafari 10

A (discontinued) Twitter client for Safari. Pure HTML/CSS/JS with OAuth.

lvh/hhgtls 4

Hitchhiker's guide to TLS, a tutorial

reaperhulk/battersbox 3

An iOS MLB score tracking app from the mists of history

algorand/pixel_param 2

A rust implementation for parameter generations of Pixel signature scheme

delete branch pyca/cryptography

delete branch : alex-patch-2

delete time in 19 hours

push eventpyca/cryptography

Alex Gaynor

commit sha ac645332d66a96dd86ebd024c56be0ac4162ccb2

simplify code (#6291)

view details

push time in 19 hours

PR merged pyca/cryptography

simplify code
+1 -1

0 comment

1 changed file

alex

pr closed time in 19 hours

PullRequestReviewEvent

delete branch reaperhulk/cryptography

delete branch : rust-why

delete time in 19 hours

issue commentpyca/cryptography

[Feature request] Upload arm32(armv7l) wheels

Looking at this more deeply the manylinux project doesn't even publish armv7l manylinux/musllinux containers (https://quay.io/organization/pypa) so even if we wanted to we wouldn't be able to create a build env.

For now armv7l is simply not a platform we're going to directly support. Every architecture we test carries significant costs for us and we will, for now, limit ourselves to x86_64 and aarch64. Projects like piwheels.org (https://www.piwheels.org/project/cryptography/) have been producing their own packages for armv7l, although since they're not manylinux-based they aren't portable to other distributions.

MrNaif2018

comment created time in 19 hours

issue closedpyca/cryptography

[Feature request] Upload arm32(armv7l) wheels

Recently cryptography has gained manymusl support, that's great! :tada: We build our docker images for amd64,arm64(aarch64) and arm32(armv7l). Currently cryptography covers all the architectures in both manylinux and manymusl formats except for armv7l. Could it be possible to also upload armv7l in addition to aarch64 wheels to pypi? I see zuul is used for aarch64 wheels, could it possibly be used for armv7l wheels too? Or is there some common convention to not build armv7l wheels, as I often see aarch64 wheels and not armv7l?

closed time in 19 hours

MrNaif2018

push eventreaperhulk/cryptography

Paul Kehrer

commit sha 2d6c2f25df8800a02732f660aec0b87dd87b4e76

de facto isn't misspelled

view details

push time in 20 hours

PR opened pyca/cryptography

add faq entry about why rust

fixes #5810

+12 -0

0 comment

1 changed file

pr created time in 20 hours

create barnchreaperhulk/cryptography

branch : rust-why

created branch time in 20 hours

issue openedpyca/cryptography

Remove unneeded bindings

Once we finish OCSPResponse and CSR we should comb through the bindings to remove functions that are no longer needed.

created time in 21 hours

create barnchreaperhulk/cryptography

branch : exception-text

created branch time in 21 hours

push eventpyca/cryptography

Alex Gaynor

commit sha 9f6ac959a099702b89368d3b704044a2a8f231d8

Migrate CRL implementation to Rust (#6276) (Lots of commits that got squashed)

view details

push time in 21 hours

PR merged pyca/cryptography

Migrate CRL implementation to Rust
+642 -422

1 comment

11 changed files

alex

pr closed time in 21 hours

PullRequestReviewEvent

Pull request review commentpyca/cryptography

Migrate CRL implementation to Rust

 fn load_der_x509_certificate(py: pyo3::Python<'_>, data: &[u8]) -> PyAsn1Result<     }) } +#[pyo3::prelude::pyfunction]+fn load_der_x509_crl(+    _py: pyo3::Python<'_>,+    data: &[u8],+) -> Result<CertificateRevocationList, PyAsn1Error> {+    let raw = OwnedRawCertificateRevocationList::try_new(+        data.to_vec(),+        |data| asn1::parse_single(data),+        |_| Ok(pyo3::once_cell::GILOnceCell::new()),+    )?;++    Ok(CertificateRevocationList {+        raw: Arc::new(raw),+        cached_extensions: None,+    })+}++#[pyo3::prelude::pyfunction]+fn load_pem_x509_crl(+    py: pyo3::Python<'_>,+    data: &[u8],+) -> Result<CertificateRevocationList, PyAsn1Error> {+    let block = pem::parse(data)?;+    if block.tag != "X509 CRL" {+        return Err(PyAsn1Error::from(pyo3::exceptions::PyValueError::new_err(+            "Valid PEM but no BEGIN X509 CRL/END X509 delimiters. Are you sure this is a CRL?",+        )));+    }+    // TODO: Produces an extra copy+    load_der_x509_crl(py, &block.contents)+}++#[ouroboros::self_referencing]+struct OwnedRawCertificateRevocationList {+    data: Vec<u8>,+    #[borrows(data)]+    #[covariant]+    value: RawCertificateRevocationList<'this>,+    #[borrows(data)]+    #[not_covariant]+    revoked_certs: pyo3::once_cell::GILOnceCell<Vec<RawRevokedCertificate<'this>>>,+}++#[pyo3::prelude::pyclass]+struct CertificateRevocationList {+    raw: Arc<OwnedRawCertificateRevocationList>,++    cached_extensions: Option<pyo3::PyObject>,+}++impl CertificateRevocationList {+    fn public_bytes_der(&self) -> Vec<u8> {+        asn1::write_single(self.raw.borrow_value())+    }++    fn revoked_cert(&self, py: pyo3::Python<'_>, idx: usize) -> pyo3::PyResult<RevokedCertificate> {+        let raw = try_map_arc_data_crl(&self.raw, |_crl, revoked_certs| {+            let revoked_certs = revoked_certs.get(py).unwrap();+            Ok::<_, pyo3::PyErr>(revoked_certs.get(idx).cloned().unwrap())+        })?;+        Ok(RevokedCertificate {+            raw,+            cached_extensions: None,+        })+    }++    fn len(&self) -> usize {+        self.raw+            .borrow_value()+            .tbs_cert_list+            .revoked_certificates+            .as_ref()+            .map_or(0, |v| v.len())+    }+}++#[pyo3::prelude::pyproto]+impl pyo3::class::basic::PyObjectProtocol for CertificateRevocationList {+    fn __richcmp__(+        &self,+        other: pyo3::pycell::PyRef<CertificateRevocationList>,+        op: pyo3::class::basic::CompareOp,+    ) -> pyo3::PyResult<bool> {+        match op {+            pyo3::class::basic::CompareOp::Eq => {+                Ok(self.raw.borrow_value() == other.raw.borrow_value())+            }+            pyo3::class::basic::CompareOp::Ne => {+                Ok(self.raw.borrow_value() != other.raw.borrow_value())+            }+            _ => Err(pyo3::exceptions::PyTypeError::new_err(+                "CRLs cannot be ordered",+            )),+        }+    }+}++#[pyo3::prelude::pyproto]+impl pyo3::PyMappingProtocol for CertificateRevocationList {+    fn __len__(&self) -> usize {+        self.len()+    }++    fn __getitem__(&self, idx: &pyo3::PyAny) -> pyo3::PyResult<pyo3::PyObject> {+        let gil = pyo3::Python::acquire_gil();+        let py = gil.python();++        self.raw.with(|val| {+            val.revoked_certs.get_or_init(py, || {+                match &val.value.tbs_cert_list.revoked_certificates {+                    Some(c) => c.clone().collect(),+                    None => vec![],+                }+            });+        });++        if idx.is_instance::<pyo3::types::PySlice>()? {+            let indices = idx+                .downcast::<pyo3::types::PySlice>()?+                .indices(self.len().try_into().unwrap())?;+            let result = pyo3::types::PyList::empty(py);+            for i in (indices.start..indices.stop).step_by(indices.step.try_into().unwrap()) {+                let revoked_cert =+                    pyo3::pycell::PyCell::new(py, self.revoked_cert(py, i as usize)?)?;+                result.append(revoked_cert)?;+            }+            Ok(result.to_object(py))+        } else {+            let mut idx = idx.extract::<isize>()?;+            if idx < 0 {+                idx += self.len() as isize;+            }+            if idx >= (self.len() as isize) || idx < 0 {+                return Err(pyo3::exceptions::PyIndexError::new_err(()));+            }+            Ok(pyo3::pycell::PyCell::new(py, self.revoked_cert(py, idx as usize)?)?.to_object(py))+        }+    }+}++#[pyo3::prelude::pymethods]+impl CertificateRevocationList {+    fn fingerprint<'p>(+        &self,+        py: pyo3::Python<'p>,+        algorithm: pyo3::PyObject,+    ) -> pyo3::PyResult<&'p pyo3::PyAny> {+        let hashes_mod = py.import("cryptography.hazmat.primitives.hashes")?;+        let h = hashes_mod.getattr("Hash")?.call1((algorithm,))?;+        h.call_method1("update", (self.public_bytes_der().as_slice(),))?;+        h.call_method0("finalize")+    }++    #[getter]+    fn signature_algorithm_oid<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> {+        let x509_module = py.import("cryptography.x509")?;+        x509_module.call_method1(+            "ObjectIdentifier",+            (self.raw.borrow_value().signature_algorithm.oid.to_string(),),+        )+    }++    #[getter]+    fn signature_hash_algorithm<'p>(+        &self,+        py: pyo3::Python<'p>,+    ) -> pyo3::PyResult<&'p pyo3::PyAny> {+        let oid = self.signature_algorithm_oid(py)?;+        let oid_module = py.import("cryptography.hazmat._oid")?;+        let exceptions_module = py.import("cryptography.exceptions")?;+        match oid_module.getattr("_SIG_OIDS_TO_HASH")?.get_item(oid) {+            Ok(v) => Ok(v),+            Err(_) => Err(pyo3::PyErr::from_instance(exceptions_module.call_method1(+                "UnsupportedAlgorithm",+                (format!(+                    "Signature algorithm OID:{} not recognized",+                    self.raw.borrow_value().signature_algorithm.oid+                ),),+            )?)),+        }+    }++    #[getter]+    fn signature(&self) -> &[u8] {+        self.raw.borrow_value().signature_value.as_bytes()+    }++    #[getter]+    fn tbs_certlist_bytes<'p>(&self, py: pyo3::Python<'p>) -> &'p pyo3::types::PyBytes {+        let b = asn1::write_single(&self.raw.borrow_value().tbs_cert_list);+        pyo3::types::PyBytes::new(py, &b)+    }++    fn public_bytes<'p>(+        &self,+        py: pyo3::Python<'p>,+        encoding: &pyo3::PyAny,+    ) -> pyo3::PyResult<&'p pyo3::types::PyBytes> {+        let encoding_class = py+            .import("cryptography.hazmat.primitives.serialization")?+            .getattr("Encoding")?;++        let result = asn1::write_single(self.raw.borrow_value());+        if encoding == encoding_class.getattr("DER")? {+            Ok(pyo3::types::PyBytes::new(py, &result))+        } else if encoding == encoding_class.getattr("PEM")? {+            let pem = pem::encode_config(+                &pem::Pem {+                    tag: "X509 CRL".to_string(),+                    contents: result,+                },+                pem::EncodeConfig {+                    line_ending: pem::LineEnding::LF,+                },+            )+            .into_bytes();+            Ok(pyo3::types::PyBytes::new(py, &pem))+        } else {+            Err(pyo3::exceptions::PyTypeError::new_err(+                "encoding must be an item from the Encoding enum",

(This should be a followup PR)

alex

comment created time in 21 hours

Pull request review commentpyca/cryptography

Migrate CRL implementation to Rust

 fn load_der_x509_certificate(py: pyo3::Python<'_>, data: &[u8]) -> PyAsn1Result<     }) } +#[pyo3::prelude::pyfunction]+fn load_der_x509_crl(+    _py: pyo3::Python<'_>,+    data: &[u8],+) -> Result<CertificateRevocationList, PyAsn1Error> {+    let raw = OwnedRawCertificateRevocationList::try_new(+        data.to_vec(),+        |data| asn1::parse_single(data),+        |_| Ok(pyo3::once_cell::GILOnceCell::new()),+    )?;++    Ok(CertificateRevocationList {+        raw: Arc::new(raw),+        cached_extensions: None,+    })+}++#[pyo3::prelude::pyfunction]+fn load_pem_x509_crl(+    py: pyo3::Python<'_>,+    data: &[u8],+) -> Result<CertificateRevocationList, PyAsn1Error> {+    let block = pem::parse(data)?;+    if block.tag != "X509 CRL" {+        return Err(PyAsn1Error::from(pyo3::exceptions::PyValueError::new_err(+            "Valid PEM but no BEGIN X509 CRL/END X509 delimiters. Are you sure this is a CRL?",+        )));+    }+    // TODO: Produces an extra copy+    load_der_x509_crl(py, &block.contents)+}++#[ouroboros::self_referencing]+struct OwnedRawCertificateRevocationList {+    data: Vec<u8>,+    #[borrows(data)]+    #[covariant]+    value: RawCertificateRevocationList<'this>,+    #[borrows(data)]+    #[not_covariant]+    revoked_certs: pyo3::once_cell::GILOnceCell<Vec<RawRevokedCertificate<'this>>>,+}++#[pyo3::prelude::pyclass]+struct CertificateRevocationList {+    raw: Arc<OwnedRawCertificateRevocationList>,++    cached_extensions: Option<pyo3::PyObject>,+}++impl CertificateRevocationList {+    fn public_bytes_der(&self) -> Vec<u8> {+        asn1::write_single(self.raw.borrow_value())+    }++    fn revoked_cert(&self, py: pyo3::Python<'_>, idx: usize) -> pyo3::PyResult<RevokedCertificate> {+        let raw = try_map_arc_data_crl(&self.raw, |_crl, revoked_certs| {+            let revoked_certs = revoked_certs.get(py).unwrap();+            Ok::<_, pyo3::PyErr>(revoked_certs.get(idx).cloned().unwrap())+        })?;+        Ok(RevokedCertificate {+            raw,+            cached_extensions: None,+        })+    }++    fn len(&self) -> usize {+        self.raw+            .borrow_value()+            .tbs_cert_list+            .revoked_certificates+            .as_ref()+            .map_or(0, |v| v.len())+    }+}++#[pyo3::prelude::pyproto]+impl pyo3::class::basic::PyObjectProtocol for CertificateRevocationList {+    fn __richcmp__(+        &self,+        other: pyo3::pycell::PyRef<CertificateRevocationList>,+        op: pyo3::class::basic::CompareOp,+    ) -> pyo3::PyResult<bool> {+        match op {+            pyo3::class::basic::CompareOp::Eq => {+                Ok(self.raw.borrow_value() == other.raw.borrow_value())+            }+            pyo3::class::basic::CompareOp::Ne => {+                Ok(self.raw.borrow_value() != other.raw.borrow_value())+            }+            _ => Err(pyo3::exceptions::PyTypeError::new_err(+                "CRLs cannot be ordered",+            )),+        }+    }+}++#[pyo3::prelude::pyproto]+impl pyo3::PyMappingProtocol for CertificateRevocationList {+    fn __len__(&self) -> usize {+        self.len()+    }++    fn __getitem__(&self, idx: &pyo3::PyAny) -> pyo3::PyResult<pyo3::PyObject> {+        let gil = pyo3::Python::acquire_gil();+        let py = gil.python();++        self.raw.with(|val| {+            val.revoked_certs.get_or_init(py, || {+                match &val.value.tbs_cert_list.revoked_certificates {+                    Some(c) => c.clone().collect(),+                    None => vec![],+                }+            });+        });++        if idx.is_instance::<pyo3::types::PySlice>()? {+            let indices = idx+                .downcast::<pyo3::types::PySlice>()?+                .indices(self.len().try_into().unwrap())?;+            let result = pyo3::types::PyList::empty(py);+            for i in (indices.start..indices.stop).step_by(indices.step.try_into().unwrap()) {+                let revoked_cert =+                    pyo3::pycell::PyCell::new(py, self.revoked_cert(py, i as usize)?)?;+                result.append(revoked_cert)?;+            }+            Ok(result.to_object(py))+        } else {+            let mut idx = idx.extract::<isize>()?;+            if idx < 0 {+                idx += self.len() as isize;+            }+            if idx >= (self.len() as isize) || idx < 0 {+                return Err(pyo3::exceptions::PyIndexError::new_err(()));+            }+            Ok(pyo3::pycell::PyCell::new(py, self.revoked_cert(py, idx as usize)?)?.to_object(py))+        }+    }+}++#[pyo3::prelude::pymethods]+impl CertificateRevocationList {+    fn fingerprint<'p>(+        &self,+        py: pyo3::Python<'p>,+        algorithm: pyo3::PyObject,+    ) -> pyo3::PyResult<&'p pyo3::PyAny> {+        let hashes_mod = py.import("cryptography.hazmat.primitives.hashes")?;+        let h = hashes_mod.getattr("Hash")?.call1((algorithm,))?;+        h.call_method1("update", (self.public_bytes_der().as_slice(),))?;+        h.call_method0("finalize")+    }++    #[getter]+    fn signature_algorithm_oid<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> {+        let x509_module = py.import("cryptography.x509")?;+        x509_module.call_method1(+            "ObjectIdentifier",+            (self.raw.borrow_value().signature_algorithm.oid.to_string(),),+        )+    }++    #[getter]+    fn signature_hash_algorithm<'p>(+        &self,+        py: pyo3::Python<'p>,+    ) -> pyo3::PyResult<&'p pyo3::PyAny> {+        let oid = self.signature_algorithm_oid(py)?;+        let oid_module = py.import("cryptography.hazmat._oid")?;+        let exceptions_module = py.import("cryptography.exceptions")?;+        match oid_module.getattr("_SIG_OIDS_TO_HASH")?.get_item(oid) {+            Ok(v) => Ok(v),+            Err(_) => Err(pyo3::PyErr::from_instance(exceptions_module.call_method1(+                "UnsupportedAlgorithm",+                (format!(+                    "Signature algorithm OID:{} not recognized",+                    self.raw.borrow_value().signature_algorithm.oid+                ),),+            )?)),+        }+    }++    #[getter]+    fn signature(&self) -> &[u8] {+        self.raw.borrow_value().signature_value.as_bytes()+    }++    #[getter]+    fn tbs_certlist_bytes<'p>(&self, py: pyo3::Python<'p>) -> &'p pyo3::types::PyBytes {+        let b = asn1::write_single(&self.raw.borrow_value().tbs_cert_list);+        pyo3::types::PyBytes::new(py, &b)+    }++    fn public_bytes<'p>(+        &self,+        py: pyo3::Python<'p>,+        encoding: &pyo3::PyAny,+    ) -> pyo3::PyResult<&'p pyo3::types::PyBytes> {+        let encoding_class = py+            .import("cryptography.hazmat.primitives.serialization")?+            .getattr("Encoding")?;++        let result = asn1::write_single(self.raw.borrow_value());+        if encoding == encoding_class.getattr("DER")? {+            Ok(pyo3::types::PyBytes::new(py, &result))+        } else if encoding == encoding_class.getattr("PEM")? {+            let pem = pem::encode_config(+                &pem::Pem {+                    tag: "X509 CRL".to_string(),+                    contents: result,+                },+                pem::EncodeConfig {+                    line_ending: pem::LineEnding::LF,+                },+            )+            .into_bytes();+            Ok(pyo3::types::PyBytes::new(py, &pem))+        } else {+            Err(pyo3::exceptions::PyTypeError::new_err(+                "encoding must be an item from the Encoding enum",

The encoding enum has tons of stuff, we should probably just say it must be DER or PEM from encoding.

alex

comment created time in 21 hours

PullRequestReviewEvent

issue openedpyca/cryptography

_create_asn1_time should be named _create_asn1_time_gc

For these types of functions we try to denote whether they gc or not in the name. We should fix this.

created time in 21 hours

issue commentpyca/cryptography

[Feature request] Upload arm32(armv7l) wheels

Getting armv7l in hosted CI isn't really possible at this time and armv7l systems tend to be very low performance compared to their aarch64 brethren. We won't ship wheels for platforms we don't directly test, so that's the primary obstacle here.

MrNaif2018

comment created time in a day

issue closedpyca/cryptography

cryptography.x509.NameAttribute missing attribute types

According to the official documents of cryptography library The name attribute has a property as rfc4514_string() based on RFC4514. But in real development and working with different certificate types as mentioned in page 6 of RFC4514, we need to support the OID of attributes according to the RFC4519. Now, it does not support, all a developer needs. I'm ready to add this feature to the library. If you're Ok, please let me know.

closed time in a day

KeyvanArj

issue commentpyca/cryptography

cryptography.x509.NameAttribute missing attribute types

Closing due to lack of activity; if this is still of interest feel free to submit a PR.

KeyvanArj

comment created time in a day

PR closed pyca/cryptography

[WIP] make OCSP conditional

We probably want to have the builders and loaders properly fail saying OCSP support isn't present before we merge this.

+183 -35

4 comments

5 changed files

reaperhulk

pr closed time in a day

pull request commentpyca/cryptography

[WIP] make OCSP conditional

(This becomes possible when we finish oxidizing so just closing this)

reaperhulk

comment created time in a day

issue closedpyca/cryptography

Need support for Private Enterprise Numbers in Extensions and Attributes

My employer has been allocated a Private Enterprise Number from which we're allocating OIDs as subtrees to use in X.509 Extensions in our CSR's.

However, when trying to add some trivial custom extensions to our CSR's with the CertificateSigningRequestBuilder, we see the following:

Traceback (most recent call last):
  File "./tests/device_enrollment.py", line 249, in <module>
    main(sys.argv)
  File "./tests/device_enrollment.py", line 205, in main
    csr = utility.generateCSR(
  File "./utility/utility.py", line 362, in generateCSR
    csr = builder.sign(sk, hashes.SHA256())
  File "/Library/Python/3.8/site-packages/cryptography/x509/base.py", line 494, in sign
    return backend.create_x509_csr(self, private_key, algorithm)
  File "/Library/Python/3.8/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 961, in create_x509_csr
    self._create_x509_extensions(
  File "/Library/Python/3.8/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1141, in _create_x509_extensions
    x509_extension = self._create_x509_extension(handlers, extension)
  File "/Library/Python/3.8/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1178, in _create_x509_extension
    raise NotImplementedError(
NotImplementedError: Extension not supported: <ObjectIdentifier(oid=1.3.6.1.4.1.54807.1.1, name=Unknown OID)>
Error: offset out of range

Similarly, when trying to add custom attributes, we found that everything defaulted to _ASN1Type.UTF8String and there wasn't a way to specify other encodings like _ASN1Type.IA5String (there's no reason not to export this class, BTW).

I'd like to see support for dynamically adding custom OIDs (either as extensions or attributes).

This is on MacOS running 11.5.2. It's the Python 3.8 that comes with MacOS. And cryptography.io 3.4.7 that comes with MacOS.

closed time in a day

pprindeville

delete branch reaperhulk/cryptography

delete branch : 35-time

delete time in a day

delete branch reaperhulk/cryptography

delete branch : blinding

delete time in a day

delete branch reaperhulk/cryptography

delete branch : bindings-shrink

delete time in a day

delete branch reaperhulk/cryptography

delete branch : vector-invalid-time-crl

delete time in a day