From paul.l.kehrer at gmail.com Tue Sep 6 20:05:55 2022
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Wed, 7 Sep 2022 08:05:55 +0800
Subject: [Cryptography-dev] PyCA cryptography 38.0.0 released
Message-ID:

PyCA cryptography 38.0.0 has been released to PyPI. cryptography includes
both high level recipes and low level interfaces to common cryptographic
algorithms such as symmetric ciphers, asymmetric algorithms, message digests,
X509, key derivation functions, and much more. We support Python 3.6+, and
PyPy3.

Changelog (https://cryptography.io/en/latest/changelog/#v38-0-0):

* Final deprecation of OpenSSL 1.1.0. The next release of cryptography will
  drop support.
* We no longer ship manylinux2010 wheels. Users should upgrade to the latest
  pip to ensure this doesn't cause issues downloading wheels on their
  platform. We now ship manylinux_2_28 wheels for users on new enough
  platforms.
* Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0.
  Users with the latest pip will typically get a wheel and not need Rust
  installed, but check Installation for documentation on installing a newer
  rustc if required.
* decrypt() and related methods now accept both str and bytes tokens.
* Parsing CertificateSigningRequest restores the behavior of enforcing that
  the Extension critical field must be correctly encoded DER. See the issue
  for complete details.
* Added two new OpenSSL functions to the bindings to support an upcoming
  pyOpenSSL release.
* When parsing CertificateRevocationList and CertificateSigningRequest
  values, it is now enforced that the version value in the input must be
  valid according to the rules of RFC 2986 and RFC 5280.
* Using MD5 or SHA1 in CertificateBuilder and other X.509 builders is
  deprecated and support will be removed in the next version.
* Added additional APIs to SignedCertificateTimestamp, including
  signature_hash_algorithm, signature_algorithm, signature, and
  extension_bytes.
* Added tbs_precertificate_bytes, allowing users to access the to-be-signed
  pre-certificate data needed for signed certificate timestamp verification.
* KBKDFHMAC and KBKDFCMAC now support MiddleFixed counter location.
* Fixed RFC 4514 name parsing to reverse the order of the RDNs according to
  section 2.1 of the RFC, affecting method from_rfc4514_string().
* It is now possible to customize some aspects of encryption when serializing
  private keys, using encryption_builder().
* Removed several legacy symbols from our OpenSSL bindings. Users of pyOpenSSL
  versions older than 22.0 will need to upgrade.
* Added AES128 and AES256 classes. These classes do not replace AES (which
  allows all AES key lengths), but are intended for applications where
  developers want to be explicit about key length.

-Paul Kehrer (reaperhulk)


From paul.l.kehrer at gmail.com Wed Sep 7 08:36:16 2022
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Wed, 7 Sep 2022 20:36:16 +0800
Subject: [Cryptography-dev] PyCA cryptography 38.0.1 released
Message-ID:

PyCA cryptography 38.0.1 has been released to PyPI. cryptography includes
both high level recipes and low level interfaces to common cryptographic
algorithms such as symmetric ciphers, asymmetric algorithms, message digests,
X509, key derivation functions, and much more. We support Python 3.6+, and
PyPy3.

Changelog (https://cryptography.io/en/latest/changelog/#v38-0-1):

* Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes
  (typically seen in large CRLs).
-Paul Kehrer (reaperhulk)


From pkutekar99 at gmail.com Wed Sep 14 23:41:49 2022
From: pkutekar99 at gmail.com (Prathamesh Utekar)
Date: Thu, 15 Sep 2022 09:11:49 +0530
Subject: [Cryptography-dev] help regarding cryptography package
Message-ID:

Hey, I am Prathamesh from India. We are using the cryptography package for
our project on AWS and we are getting the error

"Unable to import module 'lambda_function': cannot import name 'x509' from
'cryptography.hazmat.bindings._rust"

Can you guide us about this error? We are using python3.9 with this
cryptography package:
"cryptography-38.0.1-pp39-pypy39_pp73-manylinux_2_24_x86_64"

Regards,
Prathamesh


From paul.l.kehrer at gmail.com Thu Sep 15 12:40:59 2022
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Thu, 15 Sep 2022 11:40:59 -0500
Subject: [Cryptography-dev] help regarding cryptography package
In-Reply-To:
References:
Message-ID:

You appear to be using the pypy wheel, which is not appropriate for Lambda.
The AWS Lambda documentation is the best path for understanding how to run
Python packages with native modules, but you should assume you'll be using
the cp36-abi3 x86_64 wheel.
-Paul

On Thu, Sep 15, 2022 at 5:53 AM Prathamesh Utekar wrote:
>
> Hey, I am Prathamesh from India. We are using the cryptography package for
> our project on AWS and we are getting the error
> "Unable to import module 'lambda_function': cannot import name 'x509' from
> 'cryptography.hazmat.bindings._rust"
>
> Can you guide us about this error?
> We are using python3.9 with this cryptography package:
> "cryptography-38.0.1-pp39-pypy39_pp73-manylinux_2_24_x86_64"
>
> Regards,
> Prathamesh
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev


From heraldo.dev at gmail.com Thu Sep 29 19:22:14 2022
From: heraldo.dev at gmail.com (Heraldo Lucena)
Date: Thu, 29 Sep 2022 20:22:14 -0300
Subject: [Cryptography-dev] Integrating pyOpenSSL to asyncio
Message-ID:

I am integrating pyOpenSSL to asyncio by reimplementing the SSLContext
interface from the Python standard SSL module and all OpenSSL semantics it
depends on. I chose this path to avoid overriding asyncio's standard event
loops.

To receive SSL traffic I am copying the incoming ssl.MemoryBIO passed by
asyncio to SSLContext.wrap_bio() by using Connection.write_bio().
To send SSL traffic I am copying pyOpenSSL's outgoing BIO with
Connection.read_bio() and writing it to asyncio's outgoing ssl.MemoryBIO.
I always copy the whole content right before Connection.recv() and right
after Connection.send().

The only issue I have now is that application data is lost (in my case HTTP
data) when the server sends a TLS close_notify alert right after the
application data. When testing with the aiohttp HTTP library the connection
is taken as closed before the HTTP response is read. When inspecting the
error cause, aiohttp got SSL.ZeroReturnError from pyOpenSSL, which signals
that a TLS shutdown was performed on the connection. On Wireshark I also
confirmed the server sent close_notify right after the HTTP response body.
This issue doesn't happen when the server doesn't send close_notify (the HTTP
server doesn't close the connection after sending the response).

I also implemented SSLContext.wrap_socket() to test with blocking sockets;
this issue doesn't happen there. I tested with urllib and the requests
library, and in both tests the HTTP response is fully read.


From heraldo.dev at gmail.com Thu Sep 29 20:57:07 2022
From: heraldo.dev at gmail.com (Heraldo Lucena)
Date: Thu, 29 Sep 2022 21:57:07 -0300
Subject: [Cryptography-dev] Integrating pyOpenSSL to asyncio
In-Reply-To:
References:
Message-ID:

Ok, I found the issue. The standard SSL module won't propagate up
SSL_ERROR_ZERO_RETURN when the TLS connection is shutting down and the
application tries to read data; instead an empty byte string is returned to
signal EOF.

On Thu, 29 Sep 2022 at 20:22, Heraldo Lucena wrote:
> I am integrating pyOpenSSL to asyncio by reimplementing the SSLContext
> interface from the Python standard SSL module and all OpenSSL semantics it
> depends on. I chose this path to avoid overriding asyncio's standard event
> loops.
>
> To receive SSL traffic I am copying the incoming ssl.MemoryBIO passed by
> asyncio to SSLContext.wrap_bio() by using Connection.write_bio().
> To send SSL traffic I am copying pyOpenSSL's outgoing BIO with
> Connection.read_bio() and writing it to asyncio's outgoing ssl.MemoryBIO.
> I always copy the whole content right before Connection.recv() and right
> after Connection.send().
>
> The only issue I have now is that application data is lost (in my case
> HTTP data) when the server sends a TLS close_notify alert right after the
> application data. When testing with the aiohttp HTTP library the connection
> is taken as closed before the HTTP response is read. When inspecting the
> error cause, aiohttp got SSL.ZeroReturnError from pyOpenSSL, which signals
> that a TLS shutdown was performed on the connection.
> On Wireshark I also confirmed the server sent close_notify right after the
> HTTP response body.
>
> This issue doesn't happen when the server doesn't send close_notify (the
> HTTP server doesn't close the connection after sending the response).
>
> I also implemented SSLContext.wrap_socket() to test with blocking sockets;
> this issue doesn't happen there. I tested with urllib and the requests
> library, and in both tests the HTTP response is fully read.
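The failure discussed in this thread, as an added example that is not code from the original posts or from pyOpenSSL: two pyOpenSSL connections handshake over memory BIOs (records shuttled with bio_read()/bio_write(), the way the shim above copies to and from asyncio's ssl.MemoryBIO), the server sends an HTTP response immediately followed by close_notify, and recv_or_eof() maps SSL.ZeroReturnError to an empty byte string the way the stdlib ssl module does, so the response is read in full. It assumes pyOpenSSL and cryptography are installed; the self-signed certificate and the HTTP payload are constructed for the test.

```python
import datetime
from OpenSSL import SSL, crypto
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

def pump(a, b):
    # Shuttle pending TLS records both ways, as the asyncio shim does with MemoryBIOs.
    for src, dst in ((a, b), (b, a)):
        while True:
            try:
                dst.bio_write(src.bio_read(65536))
            except SSL.WantReadError:
                break

def recv_or_eof(conn, bufsize=4096):
    # Like the stdlib ssl module: close_notify (SSL_ERROR_ZERO_RETURN) becomes b"" (EOF),
    # so the caller still consumes the application data that arrived before the alert.
    try:
        return conn.recv(bufsize)
    except SSL.ZeroReturnError:
        return b""

def run_close_notify_scenario(payload):
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # constructed test credential
    name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, "localhost")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    sctx = SSL.Context(SSL.TLS_METHOD)
    sctx.use_privatekey(crypto.PKey.from_cryptography_key(key))
    sctx.use_certificate(crypto.X509.from_cryptography(cert))
    server = SSL.Connection(sctx, None)  # socket=None gives a memory-BIO connection
    client = SSL.Connection(SSL.Context(SSL.TLS_METHOD), None)  # VERIFY_NONE: test only
    server.set_accept_state()
    client.set_connect_state()
    pending = [client, server]
    while pending:  # drive the handshake until both sides report completion
        for conn in list(pending):
            try:
                conn.do_handshake()
                pending.remove(conn)
            except SSL.WantReadError:
                pass
            pump(client, server)
    server.send(payload)
    server.shutdown()  # close_notify is queued right behind the response
    pump(client, server)
    return b"".join(iter(lambda: recv_or_eof(client), b""))  # read until EOF, like aiohttp
```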