delta/python-packages/pyopenssl.git/tests/test_crypto.py, branch dependabot/github_actions/actions/setup-python-2.3.1

Remove some more py27-isms (#1062)

2021-11-23T20:56:09+00:00

Fill in notBefore/notAfter in X509 _PKeyInteractionTestsMixin tests (#1039)

2021-09-07T18:24:13+00:00

While the tests currently pass without it, this is because OpenSSL's
encoder doesn't notice that it is emitting garbage. See
https://github.com/openssl/openssl/issues/16538

Fill in a placeholder validity period so the tests both better mirror
real X.509 signing code and do not rely on this bug.

Don't try to serialize invalid objects in tests (#1037)

2021-08-23T03:19:40+00:00

A default-constructed X509_REQ or NETSCAPE_SPKI contains empty values
for all its fields, notably the OIDs in public keys. This initial state
is incomplete and not yet a valid object. The ASN.1 structures make the
public key mandatory.  When serializing, OpenSSL would previously
silently omit the field, which doesn't actually produce a valid
structure.

As of https://github.com/openssl/openssl/pull/16027, OpenSSL will notice
this and return an error rather than serialize garbage. Sadly, that had
to be reverted on 1.1.1, but it is present in the 3.0 branch. With that
change, some of pyOpenSSL's tests fail.

The bug here is in pyOpenSSL: pyOpenSSL tests are trying to serialize
incomplete objects. Instead, fill in the public key.  While not
syntactically necessary (the empty string is a BIT STRING), also fill in
the signature for NetscapeSPKI, to better align with real code.

Tested by running pyOpenSSL tests against a copy of OpenSSL 1.1.1's dev
branch, prior to the changes getting reverted.

fix a memleak (#967)

2020-11-27T21:22:30+00:00

* fix a memleak

* black

crypto._PassphraseHelper: pass non-callable passphrase using callback (#947)

2020-10-13T04:14:19+00:00

* crypto._PassphraseHelper: pass non-callable passphrase using callback
Fixes #945

Before this commit, we would pass a bytes passphrase as a null terminated string.
This causes issue when a randomly generated key's first byte is null because
OpenSSL rightly determines the key length is 0.
This commit modifies the passphrase helper to pass the passphrase via the
 callback

* Update changelog to document bug fix

Allow using additional untrusted certificates for chain building in X509StoreContext (#948)

2020-10-12T13:42:23+00:00

The additional certificates provided in the new `chain` parameter will be
untrusted but may be used to build the chain.

This makes it easier to validate a certificate against a store which
contains only root ca certificates, and the intermediates come from e.g.
the same untrusted source as the certificate to be verified.

Co-authored-by: Sandor Oroszi

Allow using an OpenSSL hashed directory for verification in X509Store (#943)

2020-09-11T15:17:31+00:00

Add X509Store.load_locations() to set a CA bundle file and/or an OpenSSL-
style hashed CA/CRL lookup directory, similar to the already existing
SSL.Context.load_verify_locations().

Co-authored-by: Sandor Oroszi

Allow accessing a connection's verfied certificate chain (#894)

2020-08-05T23:48:51+00:00

* Allow accessing a connection's verfied certificate chain

Add X509StoreContext.get_verified_chain using X509_STORE_CTX_get1_chain.
Add Connection.get_verified_chain using SSL_get0_verified_chain if
available (ie OpenSSL 1.1+) and X509StoreContext.get_verified_chain
otherwise.
Fixes #740.

* TLSv1_METHOD -> SSLv23_METHOD

* Use X509_up_ref instead of X509_dup

* Add _openssl_assert where appropriate

* SSL_get_peer_cert_chain should not be null

* Reformat with black

* Fix  != 

* Add Changelog entry

* Remove _add_chain

update cert fixtures and simplify tests (#927)

2020-08-03T22:50:31+00:00

* simplify

* generate new certs and keys with 3072-bit RSA

* black

* add a test to avoid losing coverage

make our CI less frustrating (#926)

2020-08-03T20:54:20+00:00

* make our CI less frustrating

* sigh, even less sensitive

* can we stop doing this on macos now?