From pepone.onrez at gmail.com Thu Sep 16 11:51:09 2021
From: pepone.onrez at gmail.com (pepone.onrez)
Date: Thu, 16 Sep 2021 17:51:09 +0200
Subject: [Cryptography-dev] Compute issuerKeyHash
Message-ID:

Hi,

Is there a way to compute the issuer key hash from the certificate issuer?

I tried with:

public_key = issuer_cert.public_key().public_bytes(
    Encoding.PEM,
    PublicFormat.SubjectPublicKeyInfo)
print(hashlib.sha1(public_key).digest())

This doesn't seem to be it, I was previously using oscrypto

issuerSha1 = cert.asn1.public_key.sha1

is there a way to get this info with pyca/cryptography?

Cheers,
Jose

From alex.gaynor at gmail.com Thu Sep 16 11:57:02 2021
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Thu, 16 Sep 2021 11:57:02 -0400
Subject: [Cryptography-dev] Compute issuerKeyHash
In-Reply-To:
References:
Message-ID:

You want Encoding.DER, not PEM.

Alex

On Thu, Sep 16, 2021 at 11:51 AM pepone.onrez wrote:
>
> Hi,
>
> Is there a way to compute the issuer key hash from the certificate issuer?
>
> I tried with:
>
> public_key = issuer_cert.public_key().public_bytes(
>     Encoding.PEM,
>     PublicFormat.SubjectPublicKeyInfo)
> print(hashlib.sha1(public_key).digest())
>
> This doesn't seem to be it, I was previously using oscrypto
>
> issuerSha1 = cert.asn1.public_key.sha1
>
> is there a way to get this info with pyca/cryptography?
>
> Cheers,
> Jose
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev

--
All that is necessary for evil to succeed is for good people to do nothing.
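
What issuerKeyHash covers, as an added example that is not part of the original messages: RFC 6960 defines it as the hash of the issuer's public key value, excluding the BIT STRING tag, length and unused-bits byte, which is not the same as a hash over the PEM text or over the whole DER SubjectPublicKeyInfo. The key bytes, `SPKI_DER` and the helper names below are constructed for illustration; only the standard library is used.

```python
import base64
import hashlib

# Constructed sample: an Ed25519 SubjectPublicKeyInfo (RFC 8410 layout) with
# made-up key bytes 0x00..0x1f. Not taken from any real certificate.
RAW_KEY = bytes(range(32))
SPKI_DER = bytes.fromhex("302a300506032b6570032100") + RAW_KEY


def read_tlv(buf, pos=0):
    """Return (tag, value, end_offset) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem):
    """Strip the PEM armor lines and base64-decode the body."""
    body = [l for l in pem.splitlines() if l and not l.startswith(b"-----")]
    return base64.b64decode(b"".join(body))


def issuer_key_hash(spki_der, algorithm="sha1"):
    """Hash only the subjectPublicKey bits, as RFC 6960 specifies."""
    tag, spki, _ = read_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _, after_alg = read_tlv(spki)            # skip AlgorithmIdentifier
    tag, bits, _ = read_tlv(spki, after_alg)    # subjectPublicKey
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("expected BIT STRING with 0 unused bits")
    return hashlib.new(algorithm, bits[1:]).digest()


# The same constructed key wrapped in PEM armor, to compare the three inputs.
SPKI_PEM = (b"-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(SPKI_DER)
            + b"-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    print("key bits (issuerKeyHash):", issuer_key_hash(SPKI_DER).hex())
    print("whole DER SPKI          :", hashlib.sha1(SPKI_DER).hexdigest())
    print("PEM text                :", hashlib.sha1(SPKI_PEM).hexdigest())
```

In pyca/cryptography, `x509.SubjectKeyIdentifier.from_public_key(issuer_cert.public_key()).digest` computes the SHA-1 over the same key bits (RFC 5280 section 4.2.1.2, method 1).
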
From pepone.onrez at gmail.com Thu Sep 16 12:14:12 2021
From: pepone.onrez at gmail.com (pepone.onrez)
Date: Thu, 16 Sep 2021 18:14:12 +0200
Subject: [Cryptography-dev] Compute issuerKeyHash
In-Reply-To:
References:
Message-ID:

Thanks Alex,

I found that I can also do

issuerSha1 = issuer_cert.extensions.get_extension_for_class(SubjectKeyIdentifier).value.digest

Cheers,
Jose

On Thu, 16 Sept 2021 at 17:57, Alex Gaynor wrote:

> You want Encoding.DER, not PEM.
>
> Alex
>
> On Thu, Sep 16, 2021 at 11:51 AM pepone.onrez wrote:
> >
> > Hi,
> >
> > Is there a way to compute the issuer key hash from the certificate issuer?
> >
> > I tried with:
> >
> > public_key = issuer_cert.public_key().public_bytes(
> >     Encoding.PEM,
> >     PublicFormat.SubjectPublicKeyInfo)
> > print(hashlib.sha1(public_key).digest())
> >
> > This doesn't seem to be it, I was previously using oscrypto
> >
> > issuerSha1 = cert.asn1.public_key.sha1
> >
> > is there a way to get this info with pyca/cryptography?
> >
> > Cheers,
> > Jose
> > _______________________________________________
> > Cryptography-dev mailing list
> > Cryptography-dev at python.org
> > https://mail.python.org/mailman/listinfo/cryptography-dev
>
> --
> All that is necessary for evil to succeed is for good people to do nothing.
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev

From paul.l.kehrer at gmail.com Wed Sep 29 21:31:13 2021
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Thu, 30 Sep 2021 09:31:13 +0800
Subject: [Cryptography-dev] PyCA cryptography 35.0.0 released
Message-ID:

PyCA cryptography 35.0.0 has been released to PyPI.
cryptography includes both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, asymmetric algorithms, message digests, X509, key derivation functions, and much more. We support Python 3.6+, and PyPy3.

Changelog (https://cryptography.io/en/latest/changelog/#v35-0-0):

* Changed the version scheme. This will result in us incrementing the major version more frequently, but does not change our existing backwards compatibility policy.
* BACKWARDS INCOMPATIBLE: The X.509 certificate parser no longer allows negative serial numbers. RFC 5280 has always prohibited these.
* BACKWARDS INCOMPATIBLE: Invalid ASN.1 found during X.509 parsing will raise an error on initial parse rather than when the invalid field is accessed.
* Rust is now required for building cryptography, the CRYPTOGRAPHY_DONT_BUILD_RUST environment variable is no longer respected.
* Parsers for X.509 no longer use OpenSSL and have been rewritten in Rust. This should be backwards compatible (modulo the items listed above) and improve both security and performance.
* Added support for OpenSSL 3.0.0 as a compilation target.
* Added support for SM3 and SM4, when using OpenSSL 1.1.1. These algorithms are provided for compatibility in regions where they may be required, and are not generally recommended.
* We now ship manylinux_2_24 and musllinux_1_1 wheels, in addition to our manylinux2010 and manylinux2014 wheels. Users on distributions like Alpine Linux should ensure they upgrade to the latest pip to correctly receive wheels.
* Added rfc4514_attribute_name attribute to x509.NameAttribute.
* Added KBKDFCMAC.

-Paul Kehrer (reaperhulk)