From readthedocs at readthedocs.org Fri Sep 8 19:03:54 2017
From: readthedocs at readthedocs.org (Read the Docs)
Date: Fri, 08 Sep 2017 23:03:54 -0000
Subject: [Cryptography-dev] Failed: Cryptography (latest)
Message-ID: <20170908230354.1376.12785@web01.servers.readthedocs.org>

Build Failed for Cryptography (latest)

You can find out more about this failure here:
https://readthedocs.org/projects/cryptography/builds/5951653/

If you have questions, a good place to start is the FAQ:
https://docs.readthedocs.org/en/latest/faq.html

Keep documenting,
Read the Docs
--
http://readthedocs.org

From paul.l.kehrer at gmail.com Wed Sep 13 23:08:10 2017
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Wed, 13 Sep 2017 20:08:10 -0700
Subject: [Cryptography-dev] pyOpenSSL 17.3.0 released
Message-ID:

pyOpenSSL 17.3.0 has been released.

Changelog:

Backward-incompatible changes:

Dropped support for Python 3.3. #677
Removed the deprecated OpenSSL.rand module. This is being done ahead of our normal deprecation schedule due to its lack of use and the fact that it was becoming a maintenance burden. os.urandom() should be used instead. #675

Deprecations:

Deprecated OpenSSL.tsafe. #673

Changes:

Fixed a memory leak in OpenSSL.crypto.CRL. #690
Fixed a memory leak when verifying certificates with OpenSSL.crypto.X509StoreContext. #691

From readthedocs at readthedocs.org Fri Sep 15 02:37:45 2017
From: readthedocs at readthedocs.org (Read the Docs)
Date: Fri, 15 Sep 2017 06:37:45 -0000
Subject: [Cryptography-dev] Failed: Cryptography (b522324c)
Message-ID: <20170915063745.31397.24318@web02.servers.readthedocs.org>

Build Failed for Cryptography (latest)

You can find out more about this failure here:
https://readthedocs.org/projects/cryptography/builds/5980357/

If you have questions, a good place to start is the FAQ:
https://docs.readthedocs.org/en/latest/faq.html

Keep documenting,
Read the Docs
--
http://readthedocs.org

From me at johnpacific.com Fri Sep 15 15:11:51 2017
From: me at johnpacific.com (John Pacific)
Date: Fri, 15 Sep 2017 13:11:51 -0600
Subject: [Cryptography-dev] Raw ECDSA keypairs?
In-Reply-To:
References:
Message-ID:

Hey there!

Is there a good way to generate an ECDSA keypair and get the raw bytes of those keys?

From alex.gaynor at gmail.com Fri Sep 15 17:39:02 2017
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Fri, 15 Sep 2017 17:39:02 -0400
Subject: [Cryptography-dev] Raw ECDSA keypairs?
In-Reply-To:
References:
Message-ID:

I'm not sure what you mean by "raw bytes", keys can be generated and serialized as documented here:
https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#serialization

Alex

On Fri, Sep 15, 2017 at 3:11 PM, John Pacific wrote:

> Hey there!
>
> Is there a good way to generate an ECDSA keypair and get the raw bytes of
> those keys?
>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
>
>

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law."
-- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6

From me at johnpacific.com Fri Sep 15 18:09:17 2017
From: me at johnpacific.com (John Pacific)
Date: Fri, 15 Sep 2017 16:09:17 -0600
Subject: [Cryptography-dev] Raw ECDSA keypairs?
In-Reply-To:
References:
Message-ID:

Sorry, asking questions for remote people.
I think he meant the actual numbers of the key pair.

I found a class that does it in the API. I'm assuming, that I could probably convert it to the bytes representation of it by doing something along the lines of (presuming a 256bit curve a la secp256k1):
`PrivKeyNumber.to_bytes(32, byteorder='big')`.

Does that make sense?

On Sep 15, 2017 15:40, "Alex Gaynor" wrote:

> I'm not sure what you mean by "raw bytes", keys can be generated and
> serialized as documented here: https://cryptography.io/
> en/latest/hazmat/primitives/asymmetric/ec/#serialization
> Alex
>
>
> On Fri, Sep 15, 2017 at 3:11 PM, John Pacific wrote:
>
>> Hey there!
>>
>> Is there a good way to generate an ECDSA keypair and get the raw bytes of
>> those keys?
>>
>> _______________________________________________
>> Cryptography-dev mailing list
>> Cryptography-dev at python.org
>> https://mail.python.org/mailman/listinfo/cryptography-dev
>>
>>
>
>
> --
> "I disapprove of what you say, but I will defend to the death your right
> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> GPG Key fingerprint: D1B3 ADC0 E023 8CA6
>
>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
>
>

From alex.gaynor at gmail.com Fri Sep 15 18:15:02 2017
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Fri, 15 Sep 2017 18:15:02 -0400
Subject: [Cryptography-dev] Raw ECDSA keypairs?
In-Reply-To:
References:
Message-ID:

private_key.private_numbers() gives you an object with a `private_value` attribute which is an integer.

Alex

On Fri, Sep 15, 2017 at 6:09 PM, John Pacific wrote:

> Sorry, asking questions for remote people.
> I think he meant the actual numbers of the key pair.
>
> I found a class that does it in the API. I'm assuming, that I could
> probably convert it to the bytes representation of it by doing something
> along the lines of (presuming a 256bit curve a la secp256k1):
> `PrivKeyNumber.to_bytes(32, byteorder='big')`.
>
> Does that make sense?
>
> On Sep 15, 2017 15:40, "Alex Gaynor" wrote:
>
>> I'm not sure what you mean by "raw bytes", keys can be generated and
>> serialized as documented here: https://cryptography.io/
>> en/latest/hazmat/primitives/asymmetric/ec/#serialization
>> Alex
>>
>>
>> On Fri, Sep 15, 2017 at 3:11 PM, John Pacific wrote:
>>
>>> Hey there!
>>>
>>> Is there a good way to generate an ECDSA keypair and get the raw bytes
>>> of those keys?
>>>
>>> _______________________________________________
>>> Cryptography-dev mailing list
>>> Cryptography-dev at python.org
>>> https://mail.python.org/mailman/listinfo/cryptography-dev
>>>
>>>
>>
>>
>> --
>> "I disapprove of what you say, but I will defend to the death your right
>> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
>> "The people's good is the highest law."
-- Cicero
>> GPG Key fingerprint: D1B3 ADC0 E023 8CA6
>>
>>
>> _______________________________________________
>> Cryptography-dev mailing list
>> Cryptography-dev at python.org
>> https://mail.python.org/mailman/listinfo/cryptography-dev
>>
>>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
>
>

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6

From me at johnpacific.com Fri Sep 15 18:18:08 2017
From: me at johnpacific.com (John Pacific)
Date: Fri, 15 Sep 2017 16:18:08 -0600
Subject: [Cryptography-dev] Raw ECDSA keypairs?
In-Reply-To:
References:
Message-ID:

Awesome. Thanks, Alex.

On Sep 15, 2017 16:15, "Alex Gaynor" wrote:

> private_key.private_numbers() gives you an object with a `private_value`
> attribute which is an integer.
>
> Alex
>
> On Fri, Sep 15, 2017 at 6:09 PM, John Pacific wrote:
>
>> Sorry, asking questions for remote people.
>> I think he meant the actual numbers of the key pair.
>>
>> I found a class that does it in the API. I'm assuming, that I could
>> probably convert it to the bytes representation of it by doing something
>> along the lines of (presuming a 256bit curve a la secp256k1):
>> `PrivKeyNumber.to_bytes(32, byteorder='big')`.
>>
>> Does that make sense?
>>
>> On Sep 15, 2017 15:40, "Alex Gaynor" wrote:
>>
>>> I'm not sure what you mean by "raw bytes", keys can be generated and
>>> serialized as documented here: https://cryptography.io/
>>> en/latest/hazmat/primitives/asymmetric/ec/#serialization
>>> Alex
>>>
>>>
>>> On Fri, Sep 15, 2017 at 3:11 PM, John Pacific
>>> wrote:
>>>
>>>> Hey there!
>>>>
>>>> Is there a good way to generate an ECDSA keypair and get the raw bytes
>>>> of those keys?
>>>>
>>>> _______________________________________________
>>>> Cryptography-dev mailing list
>>>> Cryptography-dev at python.org
>>>> https://mail.python.org/mailman/listinfo/cryptography-dev
>>>>
>>>>
>>>
>>>
>>> --
>>> "I disapprove of what you say, but I will defend to the death your right
>>> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
>>> "The people's good is the highest law." -- Cicero
>>> GPG Key fingerprint: D1B3 ADC0 E023 8CA6
>>>
>>>
>>> _______________________________________________
>>> Cryptography-dev mailing list
>>> Cryptography-dev at python.org
>>> https://mail.python.org/mailman/listinfo/cryptography-dev
>>>
>>>
>> _______________________________________________
>> Cryptography-dev mailing list
>> Cryptography-dev at python.org
>> https://mail.python.org/mailman/listinfo/cryptography-dev
>>
>>
>
>
> --
> "I disapprove of what you say, but I will defend to the death your right
> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> GPG Key fingerprint: D1B3 ADC0 E023 8CA6
>
>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
>
>

From fellipetheophilo at gmail.com Tue Sep 19 08:01:04 2017
From: fellipetheophilo at gmail.com (Fellipe Theophilo)
Date: Tue, 19 Sep 2017 09:01:04 -0300
Subject: [Cryptography-dev] not_valid_before and not_valid_after as GeneralizedTime
Message-ID:

Hi everyone,

I need to generate an attribute certificate according to Government's specification law about students identification card that must have not_valid_before and not_valid_after set in GeneralizedTime instead of UTCTime(datetime.datetime object). Is it possible to do it?

Actually, I tried this:

*from pyasn1.type.useful import GeneralizedTime*

*.not_valid_before(GeneralizedTime('20170101000100Z').asDateTime).not_valid_after(GeneralizedTime('20180331235900Z').asDateTime)*

But the time still appears in UTCTime.

Please help

-----
Fellipe

From paul.l.kehrer at gmail.com Tue Sep 19 08:25:48 2017
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Tue, 19 Sep 2017 20:25:48 +0800
Subject: [Cryptography-dev] not_valid_before and not_valid_after as GeneralizedTime
In-Reply-To:
References:
Message-ID:

Right now cryptography attempts to use the logic of RFC 5280 to automatically encode the type of the time. It appears that is insufficient for your needs. I've filed this as https://github.com/pyca/cryptography/issues/3927

-Paul Kehrer (reaperhulk)

On September 19, 2017 at 8:15:11 PM, Fellipe Theophilo (fellipetheophilo at gmail.com) wrote:

Hi everyone,

I need to generate an attribute certificate according to Government's specification law about students identification card that must have not_valid_before and not_valid_after set in GeneralizedTime instead of UTCTime(datetime.datetime object). Is it possible to do it?

Actually, I tried this:

from pyasn1.type.useful import GeneralizedTime

.not_valid_before(GeneralizedTime('20170101000100Z').asDateTime).not_valid_after(GeneralizedTime('20180331235900Z').asDateTime)

But the time still appears in UTCTime.

Please help

-----
Fellipe
_______________________________________________
Cryptography-dev mailing list
Cryptography-dev at python.org
https://mail.python.org/mailman/listinfo/cryptography-dev

From scott.sturdivant at gmail.com Mon Sep 25 11:54:44 2017
From: scott.sturdivant at gmail.com (Scott Sturdivant)
Date: Mon, 25 Sep 2017 15:54:44 +0000
Subject: [Cryptography-dev] FIPS cffi bindings
Message-ID:

Hi,

Would the cryptography dev team be accepting of a patch that added binding support for the OpenSSL FIPS_mode, FIPS_mode_set, and FIPS_selftest functions? Reading Alex's thoughts on the matter (https://bugs.python.org/issue27592#msg271008), my guess is "probably not."

Assuming that a patch would not be accepted, is there a way to somehow build these bindings without requiring a fork of the project? Would there be a way for my library to specify some build arguments to cryptography? The src/_cffi_src/openssl/crypto.py CUSTOMIZATIONS variable seems like a good place for this to go, but I cannot see how to modify it during the build process.

Thanks for the guidance,

Scott

From Anilkumar.Abbaiahred at Staples.com Mon Sep 25 11:24:52 2017
From: Anilkumar.Abbaiahred at Staples.com (Kumar, Anil)
Date: Mon, 25 Sep 2017 15:24:52 +0000
Subject: [Cryptography-dev] Cryptography error when running a script.
Message-ID:

Hi

I am getting an error when running a script in production.

Here are the details.

# Session Timeout Enabled on linux
/usr/lib64/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
No handlers could be found for logger "paramiko.transport"
coherent_path_default_score
coherent_path_default_score failed with exception

Blue Uranium is our dev box which is working fine. Blue Neon is our Production Box where we are getting the above error.

Can you please let me know if this issue is related to a version change?

Thanks
Anil

Blue Uranium

# This file is dual licensed under the terms of the Apache License, Version
# 2.0, and the BSD License. See the LICENSE file in the root of this repository
# for complete details.

from __future__ import absolute_import, division, print_function

__all__ = [
    "__title__", "__summary__", "__uri__", "__version__", "__author__",
    "__email__", "__license__", "__copyright__",
]

__title__ = "cryptography"
__summary__ = ("cryptography is a package which provides cryptographic recipes"
               " and primitives to Python developers.")
__uri__ = "https://github.com/pyca/cryptography"

__version__ = "2.0.3"

__author__ = "The cryptography developers"
__email__ = "cryptography-dev at python.org"

__license__ = "BSD or Apache License, Version 2.0"
__copyright__ = "Copyright 2013-2017 {0}".format(__author__)

Blue Neon

# This file is dual licensed under the terms of the Apache License, Version
# 2.0, and the BSD License. See the LICENSE file in the root of this repository
# for complete details.

from __future__ import absolute_import, division, print_function

__all__ = [
    "__title__", "__summary__", "__uri__", "__version__", "__author__",
    "__email__", "__license__", "__copyright__",
]

__title__ = "cryptography"
__summary__ = ("cryptography is a package which provides cryptographic recipes"
               " and primitives to Python developers.")
__uri__ = "https://github.com/pyca/cryptography"

__version__ = "1.4"

__author__ = "The cryptography developers"
__email__ = "cryptography-dev at python.org"

__license__ = "BSD or Apache License, Version 2.0"
__copyright__ = "Copyright 2013-2016 {0}".format(__author__)

From paul.l.kehrer at gmail.com Mon Sep 25 20:11:22 2017
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Tue, 26 Sep 2017 08:11:22 +0800
Subject: [Cryptography-dev] Cryptography error when running a script.
In-Reply-To:
References:
Message-ID:

The error you're referencing is a user warning and not an error from cryptography at all. It only exists to notify users of Python 2.6 that support will be dropped at some point in the future and that they should stop using such an old Python.

The actual error appears to be related to the "coherent_path_default_score failed with exception" line after that. That isn't in cryptography so you'll need to look deeper to figure out where your issue is.

-Paul Kehrer (reaperhulk)

> On Sep 25, 2017, at 11:24 PM, Kumar, Anil wrote:
>
> Hi
>
> I am getting an error when running a script in production.
>
>
> Here are the details.
>
> # Session Timeout Enabled on linux
> /usr/lib64/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
>   DeprecationWarning
> No handlers could be found for logger "paramiko.transport"
> coherent_path_default_score
> coherent_path_default_score failed with exception
>
> Blue Uranium is our dev box which is working fine. Blue Neon is our Production Box where we are getting the above error.
>
> Can you please let me know if this issue is related to a version change?
>
> Thanks
> Anil
>
> Blue Uranium
>
> # This file is dual licensed under the terms of the Apache License, Version
> # 2.0, and the BSD License. See the LICENSE file in the root of this repository
> # for complete details.
>
> from __future__ import absolute_import, division, print_function
>
> __all__ = [
>     "__title__", "__summary__", "__uri__", "__version__", "__author__",
>     "__email__", "__license__", "__copyright__",
> ]
>
> __title__ = "cryptography"
> __summary__ = ("cryptography is a package which provides cryptographic recipes"
>                " and primitives to Python developers.")
> __uri__ = "https://github.com/pyca/cryptography"
>
> __version__ = "2.0.3"
>
> __author__ = "The cryptography developers"
> __email__ = "cryptography-dev at python.org"
>
> __license__ = "BSD or Apache License, Version 2.0"
> __copyright__ = "Copyright 2013-2017 {0}".format(__author__)
>
>
> Blue Neon
>
> # This file is dual licensed under the terms of the Apache License, Version
> # 2.0, and the BSD License. See the LICENSE file in the root of this repository
> # for complete details.
>
> from __future__ import absolute_import, division, print_function
>
> __all__ = [
>     "__title__", "__summary__", "__uri__", "__version__", "__author__",
>     "__email__", "__license__", "__copyright__",
> ]
>
> __title__ = "cryptography"
> __summary__ = ("cryptography is a package which provides cryptographic recipes"
>                " and primitives to Python developers.")
> __uri__ = "https://github.com/pyca/cryptography"
>
> __version__ = "1.4"
>
> __author__ = "The cryptography developers"
> __email__ = "cryptography-dev at python.org"
>
> __license__ = "BSD or Apache License, Version 2.0"
> __copyright__ = "Copyright 2013-2016 {0}".format(__author__)
>
>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev

From alex.gaynor at gmail.com Mon Sep 25 21:54:43 2017
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Mon, 25 Sep 2017 21:54:43 -0400
Subject: [Cryptography-dev] FIPS cffi bindings
In-Reply-To:
References:
Message-ID:

As you noted, I have a disdain for FIPS-140. Familiarity breeds contempt.

That said, I'm ok with landing just the bindings.

Alex

On Mon, Sep 25, 2017 at 11:54 AM, Scott Sturdivant <
scott.sturdivant at gmail.com> wrote:

> Hi,
>
> Would the cryptography dev team be accepting of a patch that added binding
> support for the OpenSSL FIPS_mode, FIPS_mode_set, and FIPS_selftest
> functions? Reading Alex's thoughts on the matter (
> https://bugs.python.org/issue27592#msg271008), my guess is "probably not."
>
> Assuming that a patch would not be accepted, is there a way to somehow
> build these bindings without requiring a fork of the project? Would there
> be a way for my library to specify some build arguments to cryptography?
> The src/_cffi_src/openssl/crypto.py CUSTOMIZATIONS variable seems like a
> good place for this to go, but I cannot see how to modify it during the
> build process.
>
> Thanks for the guidance,
>
> Scott
>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
>
>

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6

From julian at meyer-privat.com Fri Sep 29 12:54:46 2017
From: julian at meyer-privat.com (Julian Meyer)
Date: Fri, 29 Sep 2017 18:54:46 +0200
Subject: [Cryptography-dev] Signing a Certificate with AuthorityKeyIdentifier Extension
Message-ID:

Hi,

I would like to sign a certificate with my internal intermediate (CA) certificate and add the AuthorityKeyIdentifier Extension with authority_cert_issuer and authority_cert_serial_number. Only key_identifier works, but with authority_cert_issuer and authority_cert_serial_number I get this error:

authority_cert_issuer must be a list of GeneralName objects

I try to use the subject of the public certificate of my intermediate certificate. The Code looks like this:

builder = builder.add_extension(
    x509.AuthorityKeyIdentifier(
        x509.AuthorityKeyIdentifier.from_issuer_public_key(caCert.cert.public_key()),
        caCert.cert.subject,
        caCert.cert.serial,
    ),
    critical=False,
)

In caCert.cert I have loaded the public certificate of my Intermediate CA. In caCert.key is my private key, which I use to sign it.

How can I generate authority_cert_issuer and authority_cert_serial_number from the CAs public certificate?

I'm just a hobby programmer and not a pro, so it would be very nice, if someone can help me with this issue.

Kind regards
Julian

From paul.l.kehrer at gmail.com Fri Sep 29 20:54:31 2017
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Fri, 29 Sep 2017 17:54:31 -0700
Subject: [Cryptography-dev] Signing a Certificate with AuthorityKeyIdentifier Extension
In-Reply-To:
References:
Message-ID:

You don't need to populate all those fields in an AKI extension (just the key_identifier is sufficient). The authority_cert_issuer is a list of GeneralName objects. This is typically derived from the Name, but a Name is actually a list of RelativeDistinguishedName objects, each of which can contain 1 to n GeneralName objects.
In the common case each RDN contains just one GeneralName so you can just extract them to make the list of GeneralName objects.

However, you probably just don't want to set values for the last two fields.

-Paul (reaperhulk)

On September 30, 2017 at 4:48:35 AM, Julian Meyer (julian at meyer-privat.com) wrote:

Hi,

I would like to sign a certificate with my internal intermediate (CA) certificate and add the AuthorityKeyIdentifier Extension with authority_cert_issuer and authority_cert_serial_number. Only key_identifier works, but with authority_cert_issuer and authority_cert_serial_number I get this error:

authority_cert_issuer must be a list of GeneralName objects

I try to use the subject of the public certificate of my intermediate certificate. The Code looks like this:

builder = builder.add_extension(
    x509.AuthorityKeyIdentifier(
        x509.AuthorityKeyIdentifier.from_issuer_public_key(caCert.cert.public_key()),
        caCert.cert.subject,
        caCert.cert.serial,
    ),
    critical=False,
)

In caCert.cert I have loaded the public certificate of my Intermediate CA. In caCert.key is my private key, which I use to sign it.

How can I generate authority_cert_issuer and authority_cert_serial_number from the CAs public certificate?

I'm just a hobby programmer and not a pro, so it would be very nice, if someone can help me with this issue.

Kind regards
Julian
_______________________________________________
Cryptography-dev mailing list
Cryptography-dev at python.org
https://mail.python.org/mailman/listinfo/cryptography-dev
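
An added example, not code from this thread or from the cryptography project, of filling all three AuthorityKeyIdentifier fields asked about above: key_identifier is the CA's SubjectKeyIdentifier digest as bytes, authority_cert_issuer is a one-element list holding a DirectoryName, and the serial is the CA certificate's own. The names "Example Root", "Example Intermediate" and "leaf.example" and the helper functions are constructed for illustration; the sketch assumes a cryptography release where the backend argument is optional, and it uses the CA certificate's issuer name (not its subject), since issuer plus serial number is the pair that identifies the CA's certificate under RFC 5280.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_name(common_name):
    """Constructed one-attribute distinguished name."""
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def issue(subject, public_key, issuer_name, signing_key, is_ca, extra=()):
    """Build and sign one certificate; `extra` holds additional extensions."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(
            x509.BasicConstraints(ca=is_ca, path_length=None), critical=True
        )
        .add_extension(
            x509.SubjectKeyIdentifier.from_public_key(public_key), critical=False
        )
    )
    for ext in extra:
        builder = builder.add_extension(ext, critical=False)
    return builder.sign(signing_key, hashes.SHA256())


def full_aki(ca_cert):
    """AKI with all three fields, derived from the signing CA's certificate."""
    ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
    return x509.AuthorityKeyIdentifier(
        # Raw key id bytes, not an AuthorityKeyIdentifier object.
        key_identifier=ski.value.digest,
        # A list of GeneralName objects: the CA certificate's issuer Name
        # wrapped in a single DirectoryName.
        authority_cert_issuer=[x509.DirectoryName(ca_cert.issuer)],
        authority_cert_serial_number=ca_cert.serial_number,
    )


def build_chain():
    """Root -> intermediate -> leaf; only the leaf carries the full AKI."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    inter_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    root_name = make_name("Example Root")
    root = issue(root_name, root_key.public_key(), root_name, root_key, True)
    inter = issue(make_name("Example Intermediate"), inter_key.public_key(),
                  root.subject, root_key, True)
    leaf = issue(make_name("leaf.example"), leaf_key.public_key(),
                 inter.subject, inter_key, False, extra=[full_aki(inter)])
    return root, inter, leaf


if __name__ == "__main__":
    _, inter_cert, leaf_cert = build_chain()
    print(leaf_cert.extensions.get_extension_for_class(
        x509.AuthorityKeyIdentifier).value)
```

For a self-signed root the issuer and subject names are identical, so the distinction only shows up when the signing CA is an intermediate, as in the question.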