From lists at sonnenglanz.net Sun Jan 8 11:19:09 2017 From: lists at sonnenglanz.net (Pim van der Eijk (Lists)) Date: Sun, 8 Jan 2017 17:19:09 +0100 Subject: [Cryptography-dev] EC key values Message-ID: <640fe21f-99dd-fcf8-c8dd-7a9f1edaf1e5@sonnenglanz.net> Hi, I am using cryptography to implement the KeyInfo part of W3C XML Signature and am looking to add support for EC keys. The following is part of an example structure I would like to be able to process: vWccUP6Jp3pcaMCGIcAh3YOev4gaa2ukOANC7Ufg Cf8KDO7AtTOsGJK7/TA8IC3vZoCy9I5oPjRhyTBulBnj7Y I have two questions. First, according to W3C XML Signature (see https://www.w3.org/TR/xmldsig-core1/#sec-ECKeyValue) the content of |PublicKey|in ECKeyValue element is: /"///a Base64 encoding of a binary representation of the x and y coordinates of the point. ///Its value is computed as follows:/ 1. /Convert the elliptic curve point (x,y) to an octet string by first converting the field elements x and y to octet strings as specified in Section 6.2 of //https://www.rfc-editor.org/rfc/rfc6090.txt//, and then prepend the concatenated result of the conversion with 0x04. Support for Elliptic-Curve-Point-to-Octet-String conversion without point compression is/////required///./ 2. /Base64 encode the octet string resulting from the conversion in Step 1."/ RFC 6090 section 6.2 states: 6.2. Integer-to-Octet-String Conversion The integer x shall be converted to an octet string S of length k as follows. The string S shall satisfy k y = SUM 2^(8(k-i)) Si . i = 1 where S1, ..., Sk are the octets of S from first to last. In other words, the first octet of S has the most significance in the integer, and the last octet of S has the least significance. I am looking to implement this using cryptography. There is an encode_point() function in hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers which is documented to transform "an elliptic curve point to a byte string as described inSEC 1 v2.0 section 2.3.3.". Is this the same encoding as under the quoted section of XML Signature, item (1) ? Second question, the class asymmetric.ec.EllipticCurve has a "name" that is the symbolic name used for the ASN.1 OID For example, OID 1.3.132.0.34 has the name "secp384r1". W3C XML Signature apparently expects the OID encoded as a URN (https://www.ietf.org/rfc/rfc3061.txt), i.e. something like "urn:oid:1.3.132.0.34". Is there a way in Python to get the OID value for a named curve, rather than its symbolic name? Kind Regards, Pim Kind Regards, Pim -------------- next part -------------- An HTML attachment was scrubbed... URL: From tmacey at podcastinit.com Tue Jan 10 23:09:10 2017 From: tmacey at podcastinit.com (Tobias Macey) Date: Tue, 10 Jan 2017 23:09:10 -0500 Subject: [Cryptography-dev] Podcast.__init__ Interview About Cryptography Message-ID: <638a1af4-d8a0-944c-318a-916f6c717be9@podcastinit.com> Hello, I am the host of Podcast.__init__, the podcast about Python and its community. I think that given the increasing need for effective encryption in our day to day lives and our development projects, an episode about your work on the cryptography library would be interesting and exceedingly relevant. If any or all of the maintainers would be interested in joining me to discuss the goals of the projects, its history, and dive into its implementation then please let me know what time zone(s) you are in so that I can send out a scheduling invitation. -- Regards, Tobias Macey Host of Podcast.__init__ http://podcastinit.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From paul.l.kehrer at gmail.com Fri Jan 13 00:23:07 2017 From: paul.l.kehrer at gmail.com (Paul Kehrer) Date: Fri, 13 Jan 2017 00:23:07 -0500 Subject: [Cryptography-dev] EC key values In-Reply-To: <640fe21f-99dd-fcf8-c8dd-7a9f1edaf1e5@sonnenglanz.net> References: <640fe21f-99dd-fcf8-c8dd-7a9f1edaf1e5@sonnenglanz.net> Message-ID: Hi Pim, Answers inline. On January 9, 2017 at 12:19:29 AM, Pim van der Eijk (Lists) ( lists at sonnenglanz.net) wrote: Hi, I am using cryptography to implement the KeyInfo part of W3C XML Signature and am looking to add support for EC keys. The following is part of an example structure I would like to be able to process: > vWccUP6Jp3pcaMCGIcAh3YOev4gaa2ukOANC7Ufg Cf8KDO7AtTOsGJK7/TA8IC3vZoCy9I5oPjRhyTBulBnj7Y I have two questions. First, according to W3C XML Signature (see https://www.w3.org/TR/xmldsig-core1/#sec-ECKeyValue) the content of PublicKey in ECKeyValue element is: *"**a Base64 encoding of a binary representation of the x and y coordinates of the point.* *Its value is computed as follows:* 1. *Convert the elliptic curve point (x,y) to an octet string by first converting the field elements x and y to octet strings as specified in Section 6.2 of* *https://www.rfc-editor.org/rfc/rfc6090.txt **, and then prepend the concatenated result of the conversion with 0x04. Support for Elliptic-Curve-Point-to-Octet-String conversion without point compression is* *required**.* 2. *Base64 encode the octet string resulting from the conversion in Step 1."* RFC 6090 section 6.2 states: 6.2. Integer-to-Octet-String Conversion The integer x shall be converted to an octet string S of length k as follows. The string S shall satisfy k y = SUM 2^(8(k-i)) Si . i = 1 where S1, ..., Sk are the octets of S from first to last. In other words, the first octet of S has the most significance in the integer, and the last octet of S has the least significance. I am looking to implement this using cryptography. There is an encode_point() function in hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers which is documented to transform "an elliptic curve point to a byte string as described in SEC 1 v2.0 section 2.3.3.". Is this the same encoding as under the quoted section of XML Signature, item (1) ? Yes, encode_point() returns the standard uncompressed form. Second question, the class asymmetric.ec.EllipticCurve has a "name" that is the symbolic name used for the ASN.1 OID For example, OID 1.3.132.0.34 has the name "secp384r1". W3C XML Signature apparently expects the OID encoded as a URN ( https://www.ietf.org/rfc/rfc3061.txt), i.e. something like "urn:oid:1.3.132.0.34". Is there a way in Python to get the OID value for a named curve, rather than its symbolic name? We don't currently encode OIDs as part of the EC classes, but you can file an issue and we can discuss adding them. For now you'll have to maintain your own mapping. Kind Regards, Pim -Paul (reaperhulk) -------------- next part -------------- An HTML attachment was scrubbed... URL: From jcea at jcea.es Sun Jan 15 22:27:56 2017 From: jcea at jcea.es (Jesus Cea) Date: Mon, 16 Jan 2017 04:27:56 +0100 Subject: [Cryptography-dev] Support for ED25519? Message-ID: <81f562f7-818b-3063-0127-56a9377bf8c8@jcea.es> Any plan to support ED25519 Elliptic Curve signatures? . -- Jes?s Cea Avi?n _/_/ _/_/_/ _/_/_/ jcea at jcea.es - http://www.jcea.es/ _/_/ _/_/ _/_/ _/_/ _/_/ Twitter: @jcea _/_/ _/_/ _/_/_/_/_/ jabber / xmpp:jcea at jabber.org _/_/ _/_/ _/_/ _/_/ _/_/ "Things are not so easy" _/_/ _/_/ _/_/ _/_/ _/_/ _/_/ "My name is Dump, Core Dump" _/_/_/ _/_/_/ _/_/ _/_/ "El amor es poner tu felicidad en la felicidad de otro" - Leibniz -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From paul.l.kehrer at gmail.com Mon Jan 16 20:55:33 2017 From: paul.l.kehrer at gmail.com (Paul Kehrer) Date: Mon, 16 Jan 2017 17:55:33 -0800 Subject: [Cryptography-dev] Support for ED25519? In-Reply-To: <81f562f7-818b-3063-0127-56a9377bf8c8@jcea.es> References: <81f562f7-818b-3063-0127-56a9377bf8c8@jcea.es> Message-ID: We plan to add support for ed25519 as soon as there is an OpenSSL release that supports it. That may be 1.1.1, but it hasn't landed yet. -Paul Kehrer (reaperhulk) On January 16, 2017 at 11:33:27 AM, Jesus Cea (jcea at jcea.es) wrote: Any plan to support ED25519 Elliptic Curve signatures? . -- Jes?s Cea Avi?n _/_/ _/_/_/ _/_/_/ jcea at jcea.es - http://www.jcea.es/ _/_/ _/_/ _/_/ _/_/ _/_/ Twitter: @jcea _/_/ _/_/ _/_/_/_/_/ jabber / xmpp:jcea at jabber.org _/_/ _/_/ _/_/ _/_/ _/_/ "Things are not so easy" _/_/ _/_/ _/_/ _/_/ _/_/ _/_/ "My name is Dump, Core Dump" _/_/_/ _/_/_/ _/_/ _/_/ "El amor es poner tu felicidad en la felicidad de otro" - Leibniz _______________________________________________ Cryptography-dev mailing list Cryptography-dev at python.org https://mail.python.org/mailman/listinfo/cryptography-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: From alex.gaynor at gmail.com Mon Jan 16 21:00:24 2017 From: alex.gaynor at gmail.com (Alex Gaynor) Date: Mon, 16 Jan 2017 21:00:24 -0500 Subject: [Cryptography-dev] Support for ED25519? In-Reply-To: References: <81f562f7-818b-3063-0127-56a9377bf8c8@jcea.es> Message-ID: If you'd like ed25519 from a supported library today, pyncal has it. On Mon, Jan 16, 2017 at 8:55 PM, Paul Kehrer wrote: > We plan to add support for ed25519 as soon as there is an OpenSSL release > that supports it. That may be 1.1.1, but it hasn't landed yet. > > -Paul Kehrer (reaperhulk) > > On January 16, 2017 at 11:33:27 AM, Jesus Cea (jcea at jcea.es) wrote: > > Any plan to support ED25519 Elliptic Curve signatures? > . > > -- > Jes?s Cea Avi?n _/_/ _/_/_/ _/_/_/ > jcea at jcea.es - http://www.jcea.es/ _/_/ _/_/ _/_/ _/_/ _/_/ > Twitter: @jcea _/_/ _/_/ _/_/_/_/_/ > jabber / xmpp:jcea at jabber.org _/_/ _/_/ _/_/ _/_/ _/_/ > "Things are not so easy" _/_/ _/_/ _/_/ _/_/ _/_/ _/_/ > "My name is Dump, Core Dump" _/_/_/ _/_/_/ _/_/ _/_/ > "El amor es poner tu felicidad en la felicidad de otro" - Leibniz > > _______________________________________________ > Cryptography-dev mailing list > Cryptography-dev at python.org > https://mail.python.org/mailman/listinfo/cryptography-dev > > > _______________________________________________ > Cryptography-dev mailing list > Cryptography-dev at python.org > https://mail.python.org/mailman/listinfo/cryptography-dev > > -- "I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) "The people's good is the highest law." -- Cicero GPG Key fingerprint: D1B3 ADC0 E023 8CA6 -------------- next part -------------- An HTML attachment was scrubbed... URL: From ronf at timeheart.net Mon Jan 16 22:29:44 2017 From: ronf at timeheart.net (Ron Frederick) Date: Mon, 16 Jan 2017 19:29:44 -0800 Subject: [Cryptography-dev] Support for ED25519? In-Reply-To: References: <81f562f7-818b-3063-0127-56a9377bf8c8@jcea.es> Message-ID: <5D5454DC-208E-40A2-9CB3-216B4B1EE2F4@timeheart.net> I?m getting ed25519 from libsodium through Python?s libnacl plus a few declarations of my own. One nice thing about libnacl is that it has no corresponding C bindings in it. It?s pure Python + ctypes wrapped around the standard libsodium.so/dll. On Jan 16, 2017, at 6:00 PM, Alex Gaynor wrote: > If you'd like ed25519 from a supported library today, pyncal has it. > > On Mon, Jan 16, 2017 at 8:55 PM, Paul Kehrer > wrote: > We plan to add support for ed25519 as soon as there is an OpenSSL release that supports it. That may be 1.1.1, but it hasn't landed yet. > > -Paul Kehrer (reaperhulk) > > On January 16, 2017 at 11:33:27 AM, Jesus Cea (jcea at jcea.es ) wrote: > >> Any plan to support ED25519 Elliptic Curve signatures? >> >. >> >> -- >> Jes?s Cea Avi?n _/_/ _/_/_/ _/_/_/ >> jcea at jcea.es - http://www.jcea.es/ _/_/ _/_/ _/_/ _/_/ _/_/ >> Twitter: @jcea _/_/ _/_/ _/_/_/_/_/ >> jabber / xmpp:jcea at jabber.org _/_/ _/_/ _/_/ _/_/ _/_/ >> "Things are not so easy" _/_/ _/_/ _/_/ _/_/ _/_/ _/_/ >> "My name is Dump, Core Dump" _/_/_/ _/_/_/ _/_/ _/_/ >> "El amor es poner tu felicidad en la felicidad de otro" - Leibniz -- Ron Frederick ronf at timeheart.net -------------- next part -------------- An HTML attachment was scrubbed... URL: From jcea at jcea.es Mon Jan 16 22:49:16 2017 From: jcea at jcea.es (Jesus Cea) Date: Tue, 17 Jan 2017 04:49:16 +0100 Subject: [Cryptography-dev] Support for ED25519? In-Reply-To: <5D5454DC-208E-40A2-9CB3-216B4B1EE2F4@timeheart.net> References: <81f562f7-818b-3063-0127-56a9377bf8c8@jcea.es> <5D5454DC-208E-40A2-9CB3-216B4B1EE2F4@timeheart.net> Message-ID: <40d8d9ba-bdf6-e403-7a36-fe357b292029@jcea.es> On 17/01/17 04:29, Ron Frederick wrote: > I?m getting ed25519 from libsodium through Python?s libnacl plus a few > declarations of my own. One nice thing about libnacl is that it has no > corresponding C bindings in it. It?s pure Python + ctypes wrapped around > the standard libsodium.so/dll. I don't need side-channel protection or to be lighting fastso far, so I am just using for now. But I rather use Cryptography module if I can. Seems like I can't since even if OpenSSL grows ED25519, I still need to be able to use this code in ancient Debian installations. It will take five years or more to get mainstream :-(. Understandable, but inconvenient. Thanks for the suggestions. They are useful. -- Jes?s Cea Avi?n _/_/ _/_/_/ _/_/_/ jcea at jcea.es - http://www.jcea.es/ _/_/ _/_/ _/_/ _/_/ _/_/ Twitter: @jcea _/_/ _/_/ _/_/_/_/_/ jabber / xmpp:jcea at jabber.org _/_/ _/_/ _/_/ _/_/ _/_/ "Things are not so easy" _/_/ _/_/ _/_/ _/_/ _/_/ _/_/ "My name is Dump, Core Dump" _/_/_/ _/_/_/ _/_/ _/_/ "El amor es poner tu felicidad en la felicidad de otro" - Leibniz -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From readthedocs at readthedocs.org Wed Jan 18 00:44:43 2017 From: readthedocs at readthedocs.org (Read the Docs) Date: Wed, 18 Jan 2017 05:44:43 -0000 Subject: [Cryptography-dev] Failed: Cryptography (latest) Message-ID: <20170118054443.14957.78707@web04.servers.readthedocs.org> Build Failed for Cryptography (latest) You can find out more about this failure here: https://readthedocs.org/projects/cryptography/builds/4911126/ If you have questions, a good place to start is the FAQ: https://docs.readthedocs.org/en/latest/faq.html Keep documenting, Read the Docs -- http://readthedocs.org -------------- next part -------------- An HTML attachment was scrubbed... URL: From readthedocs at readthedocs.org Sat Jan 21 09:21:08 2017 From: readthedocs at readthedocs.org (Read the Docs) Date: Sat, 21 Jan 2017 14:21:08 -0000 Subject: [Cryptography-dev] Failed: Cryptography (latest) Message-ID: <20170121142108.11826.6019@web01.servers.readthedocs.org> Build Failed for Cryptography (latest) You can find out more about this failure here: https://readthedocs.org/projects/cryptography/builds/4925783/ If you have questions, a good place to start is the FAQ: https://docs.readthedocs.org/en/latest/faq.html Keep documenting, Read the Docs -- http://readthedocs.org -------------- next part -------------- An HTML attachment was scrubbed... URL: From andynewlands at gmail.com Tue Jan 24 09:57:47 2017 From: andynewlands at gmail.com (Andy Newlands) Date: Tue, 24 Jan 2017 14:57:47 +0000 Subject: [Cryptography-dev] CA database & configuration? Message-ID: Hi, I have established my own CA, using EasyRSA. This works fine with EasyRSA bash scripts and when invoking openssl from the command line. I'm now trying to use python with pyopenssl to generate keys/certificates and to update the CA database (I.E. "index.txt", under the EasyRSA PKI), but cannot see how to do this. Is it possible to use pyopenssl in this manner? If so, how can I get it to use the openssl configuration and extensions defined in the "openssl-1.0.cnf" file, created by EasyRSA? How can I get pyopenssl to update the database file (again created and maintained by EasyRSA), in the PKI file, "index.txt" FYI: I am a novice when it comes to SSL etc, so any advise would be gratefully received. Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: From paul.l.kehrer at gmail.com Fri Jan 27 10:27:39 2017 From: paul.l.kehrer at gmail.com (Paul Kehrer) Date: Fri, 27 Jan 2017 07:27:39 -0800 Subject: [Cryptography-dev] PyCA cryptography 1.7.2 released Message-ID: PyCA cryptography 1.7.2 has been released to PyPI. cryptography is a package which provides cryptographic recipes and primitives to Python developers. Our goal is for it to be your "cryptographic standard library". We support Python 2.6-2.7, Python 3.3+, and PyPy. This release updates the version of OpenSSL shipping in the Windows and macOS wheels to 1.0.2k. There are no other changes. -Paul Kehrer (reaperhulk) -------------- next part -------------- An HTML attachment was scrubbed... URL: