From paul.l.kehrer at gmail.com Tue Sep 22 14:43:10 2020
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Tue, 22 Sep 2020 13:43:10 -0500
Subject: [Cryptography-dev] PyCA cryptography 3.1.1 released
Message-ID:

PyCA cryptography 3.1.1 has been released to PyPI. cryptography includes
both high level recipes and low level interfaces to common cryptographic
algorithms such as symmetric ciphers, asymmetric algorithms, message
digests, X509, key derivation functions, and much more. We support Python
2.7, Python 3.5+, and PyPy.

Changelog (https://cryptography.io/en/latest/changelog/#v3-1-1):
* Updated Windows, macOS, and manylinux wheels to be compiled with
  OpenSSL 1.1.1h.

-Paul Kehrer (reaperhulk)

From bencedav at gmail.com Thu Sep 24 07:58:31 2020
From: bencedav at gmail.com (Dávid Bence)
Date: Thu, 24 Sep 2020 13:58:31 +0200
Subject: [Cryptography-dev] support for PSS signatures in X509 certificates
Message-ID:

Hi all,

I am trying to sign X509 certificates, however not with the default
signature algorithm RSA_WITH_SHA256 with the oid "1.2.840.113549.1.1.11"
but with the RSASSA_PSS one with oid "1.2.840.113549.1.1.10" for which
as far as I know there is not really a possibility currently. I saw the
related issue: https://github.com/pyca/cryptography/issues/2850 is still
open. I am doing this for backwards compatibility reasons but I have not
really found a way yet to circumvent the problem. Is it possible to use the
low level OpenSSL API functions directly? I succeeded in calling some
functions with "default_backend()._lib.xxx" but I have not found everything
I need.

Can somebody suggest a solution?

Many thanks,
Bence

From paul.l.kehrer at gmail.com Fri Sep 25 23:41:20 2020
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Fri, 25 Sep 2020 22:41:20 -0500
Subject: [Cryptography-dev] support for PSS signatures in X509 certificates
In-Reply-To:
References:
Message-ID:

I don't believe we have the right functions bound to do PSS signing
(X509_sign_ctx is missing and there may be more). We also don't have the
ability to properly parse PSS X509 because OpenSSL didn't add the ability
to look at X509 PSS params until a recent 1.1.1 version.

If you're interested in adding support we'd be happy to take a patch (or
probably several separate ones), but this is likely to be a complex piece
of work requiring conditional bindings, numerous tests, and quite a few new
vectors.

-Paul

On Thu, Sep 24, 2020 at 6:58 AM Dávid Bence wrote:

> Hi all,
>
> I am trying to sign X509 certificates, however not with the default
> signature algorithm RSA_WITH_SHA256 with the oid "1.2.840.113549.1.1.11"
> but with the RSASSA_PSS one with oid "1.2.840.113549.1.1.10" for which
> as far as I know there is not really a possibility currently. I saw the
> related issue: https://github.com/pyca/cryptography/issues/2850 is still
> open. I am doing this for backwards compatibility reasons but I have not
> really found a way yet to circumvent the problem. Is it possible to use the
> low level OpenSSL API functions directly? I succeeded in calling some
> functions with "default_backend()._lib.xxx" but I have not found everything
> I need.
>
> Can somebody suggest a solution?
>
> Many thanks,
> Bence
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev

From momchil at bojinov.info Tue Sep 29 16:02:43 2020
From: momchil at bojinov.info (momchil at bojinov.info)
Date: Tue, 29 Sep 2020 23:02:43 +0300
Subject: [Cryptography-dev] private_key.decrypt painfully slow
Message-ID: <007101d6969b$7e7f7d70$7b7e7850$@bojinov.info>

Hello,

New guy.

Not much of a Python dev but I managed to put together some code to
encrypt/decrypt files using RSA
But like the entire file, not just some intermediate password

public_key.encrypt of 11 Mb (~47 000 * 190 byte pieces) file took about 8
seconds
private_key.decrypt of the same file took 143 seconds

profiler said 142 of those came from _openssl.EVP_PKEY_decrypt

I'm running x64 Python version 3.8.5
And I just installed the cryptography module today through pip

Am I being stupid trying to do this and not go with asymmetric encryption
for the intermediate and go symmetric from there?

Regards,
Momchil

From paul.l.kehrer at gmail.com Tue Sep 29 17:13:50 2020
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Tue, 29 Sep 2020 16:13:50 -0500
Subject: [Cryptography-dev] private_key.decrypt painfully slow
In-Reply-To: <007101d6969b$7e7f7d70$7b7e7850$@bojinov.info>
References: <007101d6969b$7e7f7d70$7b7e7850$@bojinov.info>
Message-ID:

Yes, you want a hybrid encryption scheme here. Generate a symmetric key,
use that to encrypt the payload, and encrypt the key itself under the
public key. Composing this in a safe manner is tricky though, so you may
want to consider PyNaCl for this.

On Tue, Sep 29, 2020 at 4:03 PM wrote:

> Hello,
>
> New guy.
>
> Not much of a Python dev but I managed to put together some code to
> encrypt/decrypt files using RSA
>
> But like the entire file, not just some intermediate password
>
> public_key.encrypt of 11 Mb (~47 000 * 190 byte pieces) file took about 8
> seconds
>
> private_key.decrypt of the same file took 143 seconds
>
> profiler said 142 of those came from _openssl.EVP_PKEY_decrypt
>
> I'm running x64 Python version 3.8.5
>
> And I just installed the cryptography module today through pip
>
> Am I being stupid trying to do this and not go with asymmetric encryption
> for the intermediate and go symmetric from there?
>
> Regards,
>
> Momchil
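
The hybrid scheme described in the reply above, as an added example that is not part of the thread or of the cryptography project's own code: one RSA-OAEP operation wraps a fresh AES-256 key, and AES-GCM encrypts the file contents. The function names, the blob layout and the `aad` label are assumptions made for this example.

```python
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# OAEP with SHA-256 for wrapping the per-file key.
OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)
NONCE_LEN = 12  # standard AES-GCM nonce size


def hybrid_encrypt(public_key, plaintext, aad=b"file-v1"):
    """Encrypt plaintext of any size with a single RSA operation."""
    data_key = AESGCM.generate_key(bit_length=256)  # fresh key per message
    nonce = os.urandom(NONCE_LEN)  # key is single-use, so a random nonce is safe
    wrapped = public_key.encrypt(data_key, OAEP)
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, aad)
    # Blob layout (constructed for this example):
    #   2-byte big-endian wrapped-key length | wrapped key | nonce | ciphertext+tag
    return len(wrapped).to_bytes(2, "big") + wrapped + nonce + ciphertext


def hybrid_decrypt(private_key, blob, aad=b"file-v1"):
    """Unwrap the data key, then authenticate and decrypt the payload."""
    klen = int.from_bytes(blob[:2], "big")
    wrapped = blob[2:2 + klen]
    nonce = blob[2 + klen:2 + klen + NONCE_LEN]
    ciphertext = blob[2 + klen + NONCE_LEN:]
    data_key = private_key.decrypt(wrapped, OAEP)
    # Raises cryptography.exceptions.InvalidTag if the nonce, ciphertext,
    # tag or aad does not match what was encrypted.
    return AESGCM(data_key).decrypt(nonce, ciphertext, aad)
```

Decryption costs one RSA private-key operation regardless of payload size. AESGCM works on the whole payload in memory, so very large files need a chunked construction on top of this.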