From ryanlives at gmail.com Thu Oct 3 20:44:29 2019
From: ryanlives at gmail.com (Ryan Hsu)
Date: Thu, 3 Oct 2019 17:44:29 -0700
Subject: [Cryptography-dev] cryptography built with custom OpenSSL missing FIPS functionality
Message-ID:

Hi All,

Running into an interesting problem here. I have built cryptography in a CentOS container using a custom OpenSSL (1.0.2t) with the FIPS object module (2.0.16). This all works well and fine, but FIPS functionality seems to be missing. For example, when running:

    print backend._lib.FIPS_mode_set(1)
    print ''.join([backend._lib.OPENSSL_VERSION_TEXT[i] for i in range(30)])

I expect to get "1" and "OpenSSL 1.0.2t-fips 10 Sep 2019". Instead, I am getting "0" and "OpenSSL 1.0.2t 10 Sep 2019" (without the -fips designation).

Since the output of "openssl version" using the OpenSSL binary that I built shows "OpenSSL 1.0.2t-fips 10 Sep 2019", I assume that my OpenSSL build is fine and therefore something went wrong in my cryptography build. As a quick way to reproduce this, I have attached a Dockerfile that can reproduce what I'm seeing.

Does anyone know if what I'm seeing is expected, or perhaps I'm doing something wrong in my cryptography build? Since I'm not much of an expert in C and building from source, I'm hoping this is just a small mistake on my part. Appreciate any help here!
Thank you,
Ryan

FROM centos

# Install build dependencies
RUN yum groupinstall -y "Development Tools" && \
    yum install -y python-devel libffi-devel

# Install Python dependencies
RUN curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py && \
    python get-pip.py && \
    pip install virtualenv setuptools wheel pip

# Build FIPS object module
RUN curl -O https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz && \
    tar xvf openssl-fips-2.0.16.tar.gz && \
    cd openssl-fips-2.0.16 && \
    ./config && \
    make && \
    make install

# Build OpenSSL
RUN curl -O https://www.openssl.org/source/openssl-1.0.2t.tar.gz && \
    tar xvf openssl-1.0.2t.tar.gz && \
    cd /openssl-1.0.2t && \
    ./config fips no-shared -fPIC --prefix=/openssl-1.0.2t/openssl && \
    make depend && \
    make && \
    make install

# Build cryptography
RUN CFLAGS="-I/openssl-1.0.2t/openssl/include" LDFLAGS="-L/openssl-1.0.2t/openssl/lib" pip wheel --no-cache --no-binary :all: cryptography && \
    pip install cryptography*.whl

# Test if FIPS is enabled
RUN python -c "\
from cryptography.hazmat.backends.openssl.backend import backend;\
print backend._lib.FIPS_mode_set(1);\
print ''.join([backend._lib.OPENSSL_VERSION_TEXT[i] for i in range(30)])"

From gksalil at gmail.com Thu Oct 3 22:48:43 2019
From: gksalil at gmail.com (salil GK)
Date: Fri, 4 Oct 2019 08:18:43 +0530
Subject: [Cryptography-dev] Help to get a patch for ocsp and crl support for cryptography
Message-ID:

Hello

I am not that much of an expert developer in cryptography. We are using the cryptography module for certificate management. I was looking at our code base and found that there was a patch we applied to the cryptography module to get OCSP and CRL support. We have been using cryptography version 2.1.4. But now we need to move to 2.7 and the older patch is not working. Could you please help me find the patch for this that works in cryptography 2.7.
Thanks
GKS

From paul.l.kehrer at gmail.com Thu Oct 3 23:00:54 2019
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Fri, 4 Oct 2019 11:00:54 +0800
Subject: [Cryptography-dev] Help to get a patch for ocsp and crl support for cryptography
In-Reply-To:
References:
Message-ID:

We have OCSP and CRL support natively without any patches in cryptography; could you elaborate on what you think is missing?

-Paul

> On Oct 4, 2019, at 10:49 AM, salil GK wrote:
>
> Hello
>
> I am not that much of an expert developer in cryptography. We are using the cryptography module for certificate management. I was looking at our code base and found that there was a patch we applied to the cryptography module to get OCSP and CRL support. We have been using cryptography version 2.1.4. But now we need to move to 2.7 and the older patch is not working. Could you please help me find the patch for this that works in cryptography 2.7.
>
> Thanks
> GKS
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev

From gksalil at gmail.com Thu Oct 3 23:45:03 2019
From: gksalil at gmail.com (salil GK)
Date: Fri, 4 Oct 2019 09:15:03 +0530
Subject: [Cryptography-dev] Help to get a patch for ocsp and crl support for cryptography
In-Reply-To:
References:
Message-ID:

Oh - thanks for the confirmation. I didn't know that the support for OCSP and CRL is natively available. I will do some tests and get back to you in case any issue is found.

Could you please tell me if OCSP and CRL support was available in the 2.1.4 version of cryptography.

Thanks
GKS

On Fri, 4 Oct 2019 at 08:31, Paul Kehrer wrote:
>
> We have OCSP and CRL support natively without any patches in cryptography; could you elaborate on what you think is missing?
>
> -Paul
>
> > On Oct 4, 2019, at 10:49 AM, salil GK wrote:
> >
> > Hello
> >
> > I am not that much of an expert developer in cryptography.
> > We are using the cryptography module for certificate management. I was looking at our code base and found that there was a patch we applied to the cryptography module to get OCSP and CRL support. We have been using cryptography version 2.1.4. But now we need to move to 2.7 and the older patch is not working. Could you please help me find the patch for this that works in cryptography 2.7.
> >
> > Thanks
> > GKS

From paul.l.kehrer at gmail.com Thu Oct 3 23:47:41 2019
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Fri, 4 Oct 2019 11:47:41 +0800
Subject: [Cryptography-dev] Help to get a patch for ocsp and crl support for cryptography
In-Reply-To:
References:
Message-ID: <21B546E9-107A-4035-9B45-3E1F24911DD5@gmail.com>

You can find this information in our change log (https://cryptography.io/en/latest/changelog/).

We added OCSP in 2.4, but CRL support was present prior to 2.1.4.

> On Oct 4, 2019, at 11:45 AM, salil GK wrote:
>
> Oh - thanks for the confirmation. I didn't know that the support for OCSP and CRL is natively available. I will do some tests and get back to you in case any issue is found.
>
> Could you please tell me if OCSP and CRL support was available in the 2.1.4 version of cryptography.
>
> Thanks
> GKS
>
>> On Fri, 4 Oct 2019 at 08:31, Paul Kehrer wrote:
>>
>> We have OCSP and CRL support natively without any patches in cryptography; could you elaborate on what you think is missing?
>>
>> -Paul
>>
>>> On Oct 4, 2019, at 10:49 AM, salil GK wrote:
>>>
>>> Hello
>>>
>>> I am not that much of an expert developer in cryptography.
>>> We are using the cryptography module for certificate management. I was looking at our code base and found that there was a patch we applied to the cryptography module to get OCSP and CRL support. We have been using cryptography version 2.1.4. But now we need to move to 2.7 and the older patch is not working. Could you please help me find the patch for this that works in cryptography 2.7.
>>>
>>> Thanks
>>> GKS

From gksalil at gmail.com Fri Oct 4 01:00:01 2019
From: gksalil at gmail.com (salil GK)
Date: Fri, 4 Oct 2019 10:30:01 +0530
Subject: [Cryptography-dev] Help to get a patch for ocsp and crl support for cryptography
In-Reply-To: <21B546E9-107A-4035-9B45-3E1F24911DD5@gmail.com>
References: <21B546E9-107A-4035-9B45-3E1F24911DD5@gmail.com>
Message-ID:

Thanks a lot for the timely response. It is of great help. I will test things out and get back to you in case any assistance is needed.

Best regards
GKS

On Fri, 4 Oct 2019 at 09:17, Paul Kehrer wrote:
>
> You can find this information in our change log (https://cryptography.io/en/latest/changelog/).
>
> We added OCSP in 2.4, but CRL support was present prior to 2.1.4.
>
> > On Oct 4, 2019, at 11:45 AM, salil GK wrote:
> >
> > Oh - thanks for the confirmation. I didn't know that the support for OCSP and CRL is natively available. I will do some tests and get back to you in case any issue is found.
> >
> > Could you please tell me if OCSP and CRL support was available in the 2.1.4 version of cryptography.
> >
> > Thanks
> > GKS
> >
> > > On Fri, 4 Oct 2019 at 08:31, Paul Kehrer wrote:
> > >
> > > We have OCSP and CRL support natively without any patches in cryptography; could you elaborate on what you think is missing?
> > >
> > > -Paul
> > >
> > > > On Oct 4, 2019, at 10:49 AM, salil GK wrote:
> > > >
> > > > Hello
> > > >
> > > > I am not that much of an expert developer in cryptography. We are using the cryptography module for certificate management. I was looking at our code base and found that there was a patch we applied to the cryptography module to get OCSP and CRL support. We have been using cryptography version 2.1.4. But now we need to move to 2.7 and the older patch is not working. Could you please help me find the patch for this that works in cryptography 2.7.
> > > >
> > > > Thanks
> > > > GKS

From paul.l.kehrer at gmail.com Thu Oct 17 09:38:39 2019
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Thu, 17 Oct 2019 06:38:39 -0700
Subject: [Cryptography-dev] PyCA cryptography 2.8 released
Message-ID:

PyCA cryptography 2.8 has been released to PyPI.
cryptography includes both high-level recipes and low-level interfaces to common cryptographic algorithms such as symmetric ciphers, asymmetric algorithms, message digests, X509, key derivation functions, and much more. We support Python 2.7, Python 3.4+, and PyPy.

Changelog (https://cryptography.io/en/latest/changelog/#v2-8):

* Updated Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.1d.
* Added support for Python 3.8.
* Added class methods Poly1305.generate_tag and Poly1305.verify_tag for Poly1305 sign and verify operations.
* Deprecated support for OpenSSL 1.0.1. Support will be removed in cryptography 2.9.
* We now ship manylinux2010 wheels in addition to our manylinux1 wheels.
* Added support for ed25519 and ed448 keys in the CertificateBuilder, CertificateSigningRequestBuilder, CertificateRevocationListBuilder and OCSPResponseBuilder.
* cryptography no longer depends on asn1crypto.
* FreshestCRL is now allowed as a CertificateRevocationList extension.

-Paul Kehrer (reaperhulk)

From alex.gaynor at gmail.com Fri Oct 18 20:27:49 2019
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Fri, 18 Oct 2019 20:27:49 -0400
Subject: [Cryptography-dev] macOS older than 10.12
Message-ID:

Hi everyone,

We're considering dropping support for macOS versions older than 10.12, due to maintenance burden and incredibly low usage (per PyPI metrics).

Before we do that, we just wanted to check in to see if there was any reason this would cause a problem for anyone?

Alex

--
All that is necessary for evil to succeed is for good people to do nothing.

From shige.takeda at snowflake.com Sun Oct 20 18:31:53 2019
From: shige.takeda at snowflake.com (Shige Takeda)
Date: Sun, 20 Oct 2019 15:31:53 -0700
Subject: [Cryptography-dev] macOS older than 10.12
In-Reply-To:
References:
Message-ID:

+1.
I have no problem with dropping macOS older than 10.12.

On Fri, Oct 18, 2019 at 5:28 PM Alex Gaynor wrote:
> Hi everyone,
>
> We're considering dropping support for macOS versions older than 10.12, due to maintenance burden and incredibly low usage (per PyPI metrics).
>
> Before we do that, we just wanted to check in to see if there was any reason this would cause a problem for anyone?
>
> Alex
>
> --
> All that is necessary for evil to succeed is for good people to do nothing.

From ajeesing at adobe.com Fri Oct 25 05:41:05 2019
From: ajeesing at adobe.com (Ajeet Singh)
Date: Fri, 25 Oct 2019 09:41:05 +0000
Subject: [Cryptography-dev] Verify signature via cryptography.
Message-ID:

Hi All,

I am trying to verify a signature via the cryptography lib. Basically, I am trying to simulate the OpenSSL command below via the Python lib.

    openssl smime -verify -in $PKCS7 -inform PEM -content $DOCUMENT -certfile pubkey

Can you please help me with how I can do this in Python.

Thanks and Regards,
Ajeet
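Returning to Ryan's FIPS question at the top of this archive page: the snippet he ran reads OPENSSL_VERSION_TEXT, which cryptography's cffi bindings resolve from the OpenSSL headers at compile time, so on its own it cannot say whether the libcrypto actually loaded is the FIPS-capable one. The check below is an added example, not code from the thread or from the cryptography project; it assumes the bindings expose OPENSSL_VERSION_TEXT, OPENSSL_VERSION_NUMBER, OpenSSL_version_num() and (on FIPS-capable builds only) FIPS_mode_set(), and includes a constructed stand-in so it runs without cryptography installed.

```python
# Added example, not code from the thread or the cryptography project:
# separate compile-time OpenSSL facts from run-time ones in the bindings.

def fips_report(lib, ffi):
    """Describe header/library agreement and FIPS state for one binding.
    lib and ffi are shaped like cryptography's backend._lib and backend._ffi.
    Assumed exposed: OPENSSL_VERSION_TEXT and OPENSSL_VERSION_NUMBER (constants
    from the opensslv.h used at build time), OpenSSL_version_num() (call into
    the libcrypto actually loaded) and, on FIPS-capable builds, FIPS_mode_set().
    """
    # Compile-time: baked in from the headers cryptography was built against.
    header_text = ffi.string(lib.OPENSSL_VERSION_TEXT).decode("ascii")
    header_number = lib.OPENSSL_VERSION_NUMBER
    # Run-time: answered by whichever libcrypto the extension actually loaded.
    runtime_number = lib.OpenSSL_version_num()
    fips_mode_set = getattr(lib, "FIPS_mode_set", None)
    # FIPS_mode_set(1) returns 1 on success, 0 when no FIPS module is present.
    enabled = bool(fips_mode_set(1)) if fips_mode_set is not None else False
    return {
        "header_text": header_text,
        "header_says_fips": "-fips" in header_text,
        "headers_match_library": header_number == runtime_number,
        "fips_symbols_present": fips_mode_set is not None,
        "fips_mode_enabled": enabled,
    }


class ConstructedBindings(object):
    """Offline stand-in for backend._lib/_ffi (constructed, not real state)."""

    def __init__(self, text, header_number, runtime_number, fips_result):
        self.OPENSSL_VERSION_TEXT = text
        self.OPENSSL_VERSION_NUMBER = header_number
        self._runtime_number, self._fips_result = runtime_number, fips_result

    def OpenSSL_version_num(self):
        return self._runtime_number

    def FIPS_mode_set(self, onoff):
        return self._fips_result

    @staticmethod
    def string(cdata):  # plays the role of ffi.string() on a char * cdata
        return cdata


if __name__ == "__main__":
    # Constructed to mirror the thread: plain 1.0.2t text, FIPS_mode_set -> 0.
    seen = ConstructedBindings(b"OpenSSL 1.0.2t 10 Sep 2019", 0x1000214F, 0x1000214F, 0)
    for key, value in sorted(fips_report(seen, seen).items()):
        print("%-24s %s" % (key, value))
```

Against a real install, call fips_report(backend._lib, backend._ffi); a header_number that differs from the run-time number means the extension was compiled against one OpenSSL and is loading another.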