From paul.l.kehrer at gmail.com Thu Mar 2 16:28:58 2023
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Fri, 3 Mar 2023 05:28:58 +0800
Subject: [Cryptography-dev] PyCA cryptography 39.0.2 released

PyCA cryptography 39.0.2 has been released to PyPI. cryptography includes
both high level recipes and low level interfaces to common cryptographic
algorithms such as symmetric ciphers, asymmetric algorithms, message
digests, X509, key derivation functions, and much more. We support Python
3.6+, and PyPy3.

Changelog (https://cryptography.io/en/latest/changelog/#v39-0-2)

* Fixed a bug where the content type header was not properly encoded for
  PKCS7 signatures when using the ``Text`` option and ``SMIME`` encoding.

-Paul Kehrer (reaperhulk)


From mkaranam at salesforce.com Tue Mar 7 05:42:32 2023
From: mkaranam at salesforce.com (Mani Sankar Karanam)
Date: Tue, 7 Mar 2023 16:12:32 +0530
Subject: [Cryptography-dev] Request to remediate vulnerabilities

Hello Team !!!
Thank you for providing the open source python package *cryptography*. It
is greatly helpful to us.
We are currently using *cryptography* of version *3.4.7*. It has the below
Common Vulnerabilities and Exposures (CVEs) associated with it.
CVE-2023-23931

Can you please remediate them in the upcoming versions?

Regards,
Mani Sankar


From alex.gaynor at gmail.com Tue Mar 7 06:02:57 2023
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Tue, 7 Mar 2023 06:02:57 -0500
Subject: [Cryptography-dev] Request to remediate vulnerabilities

This issue is resolved in cryptography version 39.0.1 and newer. You simply
need to upgrade.

Alex

On Tue, Mar 7, 2023 at 6:02 AM Mani Sankar Karanam via Cryptography-dev wrote:
>
> Hello Team !!!
> Thank you for providing the open source python package cryptography. It
> is greatly helpful to us.
> We are currently using cryptography of version 3.4.7. It has the below
> Common Vulnerabilities and Exposures (CVEs) associated with it.
> CVE-2023-23931
>
> Can you please remediate them in the upcoming versions?
>
> Regards,
> Mani Sankar
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev

--
All that is necessary for evil to succeed is for good people to do nothing.


From paul.l.kehrer at gmail.com Tue Mar 7 06:04:36 2023
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Tue, 7 Mar 2023 19:04:36 +0800
Subject: [Cryptography-dev] Request to remediate vulnerabilities

3.4.7 was released 2021-03-25. Since that time we've had 18 releases. Why
would you ask for a patch without looking to see if we have newer versions?

We also document our support policy (main branch and latest release) under
our security page: https://cryptography.io/en/latest/security/#supported-versions

-Paul

On Tue, Mar 7, 2023 at 7:02 PM Mani Sankar Karanam via Cryptography-dev wrote:
>
> Hello Team !!!
> Thank you for providing the open source python package cryptography. It
> is greatly helpful to us.
> We are currently using cryptography of version 3.4.7. It has the below
> Common Vulnerabilities and Exposures (CVEs) associated with it.
> CVE-2023-23931
>
> Can you please remediate them in the upcoming versions?
>
> Regards,
> Mani Sankar
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev


From mikael_stalhammar at hotmail.com Wed Mar 22 05:57:26 2023
From: mikael_stalhammar at hotmail.com (Mikael Stålhammar)
Date: Wed, 22 Mar 2023 09:57:26 +0000
Subject: [Cryptography-dev] Download and save certificate chain as single file

Hi. In a web browser it is possible to export a certificate chain as a
single (pem/crt) file on disk. I wonder if the same is possible using
Python and pyOpenSSL?
I've played around with the connection.get_peer_cert_chain() method, which
returns a list of X509 objects. Not sure how to process those properly and
have them saved as a cert chain in a single valid cert file, that later can
be passed in as a "verify" param when calling "requests.post(url, verify=...)".
Does anyone know and can share a code snippet?
Thanks!

/Mikael


From paul.l.kehrer at gmail.com Wed Mar 22 07:11:28 2023
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Wed, 22 Mar 2023 19:11:28 +0800
Subject: [Cryptography-dev] Download and save certificate chain as single file

You can loop over the certs you get and serialize them to a single file.
Either via converting it to a cryptography object (there's a method on the
X509 object for that) and calling public_bytes() (see
https://cryptography.io/en/latest/x509/reference/#cryptography.x509.Certificate.public_bytes)
or the serialize functions in pyOpenSSL itself (see
https://www.pyopenssl.org/en/latest/api/crypto.html#serialization-and-deserialization).

-Paul (reaperhulk)

On Wed, Mar 22, 2023 at 7:07 PM Mikael Stålhammar wrote:
>
> Hi. In a web browser it is possible to export a certificate chain as a
> single (pem/crt) file on disk. I wonder if the same is possible using
> Python and pyOpenSSL?
> I've played around with the connection.get_peer_cert_chain() method, which
> returns a list of X509 objects. Not sure how to process those properly and
> have them saved as a cert chain in a single valid cert file, that later can
> be passed in as a "verify" param when calling "requests.post(url, verify=...)".
> Does anyone know and can share a code snippet?
> Thanks!
>
> /Mikael
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev


From paul.l.kehrer at gmail.com Fri Mar 24 00:41:27 2023
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Fri, 24 Mar 2023 12:41:27 +0800
Subject: [Cryptography-dev] PyCA cryptography 40.0.0 released

PyCA cryptography 40.0.0 has been released to PyPI. cryptography includes
both high level recipes and low level interfaces to common cryptographic
algorithms such as symmetric ciphers, asymmetric algorithms, message
digests, X509, key derivation functions, and much more. We support Python
3.6+, and PyPy3 7.3.10+.

Changelog (https://cryptography.io/en/latest/changelog/#v40-0-0):

* BACKWARDS INCOMPATIBLE: As announced in the 39.0.0 changelog, the way
  cryptography links OpenSSL has changed. This only impacts users who build
  cryptography from source (i.e., not from a wheel), and specify their own
  version of OpenSSL. For those users, the CFLAGS, LDFLAGS, INCLUDE, LIB,
  and CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS environment variables are no longer
  valid. Instead, users need to configure their builds as documented here.
* Support for Python 3.6 is deprecated and will be removed in the next
  release.
* Deprecated the current minimum supported Rust version (MSRV) of 1.48.0.
  In the next release we will raise MSRV to 1.56.0. Users with the latest
  pip will typically get a wheel and not need Rust installed, but check
  Installation for documentation on installing a newer rustc if required.
* Deprecated support for OpenSSL less than 1.1.1d. The next release of
  cryptography will drop support for older versions.
* Deprecated support for DSA keys in load_ssh_public_key() and
  load_ssh_private_key().
* Deprecated support for OpenSSH serialization in DSAPublicKey and
  DSAPrivateKey.
* The minimum supported version of PyPy3 is now 7.3.10.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.0.
* Added support for parsing SSH certificates in addition to public keys
  with load_ssh_public_identity(). load_ssh_public_key() continues to
  support only public keys.
* Added support for generating SSH certificates with SSHCertificateBuilder.
* Added verify_directly_issued_by() to Certificate.
* Added a check to NameConstraints to ensure that DNSName constraints do
  not contain any * wildcards.
* Removed many unused CFFI OpenSSL bindings. This will not impact you
  unless you are using cryptography to directly invoke OpenSSL's C API.
  Note that these have never been considered a stable, supported, public
  API by cryptography; this note is included as a courtesy.
* The X.509 builder classes now raise UnsupportedAlgorithm instead of
  ValueError if an unsupported hash algorithm is passed.
* Added public union type aliases for type hinting:
  - Asymmetric types: PublicKeyTypes, PrivateKeyTypes,
    CertificatePublicKeyTypes, CertificateIssuerPublicKeyTypes,
    CertificateIssuerPrivateKeyTypes
  - SSH keys: SSHPublicKeyTypes, SSHPrivateKeyTypes, SSHCertPublicKeyTypes,
    SSHCertPrivateKeyTypes
  - PKCS12: PKCS12PrivateKeyTypes
  - PKCS7: PKCS7HashTypes, PKCS7PrivateKeyTypes
  - Two-factor: HOTPHashTypes
* Deprecated previously undocumented but not private type aliases in the
  cryptography.hazmat.primitives.asymmetric.types module in favor of the
  new ones above.

-Paul Kehrer (reaperhulk)


From paul.l.kehrer at gmail.com Sat Mar 25 06:53:16 2023
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Sat, 25 Mar 2023 19:53:16 +0900
Subject: [Cryptography-dev] PyCA cryptography 40.0.1 released

PyCA cryptography 40.0.1 has been released to PyPI. cryptography includes
both high level recipes and low level interfaces to common cryptographic
algorithms such as symmetric ciphers, asymmetric algorithms, message
digests, X509, key derivation functions, and much more. We support Python
3.6+, and PyPy3 7.3.10+.

Changelog (https://cryptography.io/en/latest/changelog/#v40-0-1):

* Fixed a bug where certain operations would fail if an object happened to
  be in the top-half of the memory-space. This only impacted 32-bit systems.

-Paul Kehrer (reaperhulk)