Merge remote-tracking branch 'upstream/main' into tob-x509-cv-skeleton

Signed-off-by: William Woodruff <[email protected]>
pyca · Oct 26, 2023 · 9ff4070 · 9ff4070
2 parents 0f21360 + 16a969e
commit 9ff4070
Show file tree

Hide file tree

Showing 26 changed files with 264 additions and 101 deletions.
diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt
@@ -166,30 +166,30 @@ charset-normalizer==3.3.1 \
     --hash=sha256:f6a02a3c7950cafaadcd46a226ad9e12fc9744652cc69f9e5534f98b47f3bbcf \
     --hash=sha256:fe81b35c33772e56f4b6cf62cf4aedc1762ef7162a31e6ac7fe5e40d0149eb67
     # via requests
-cryptography==41.0.4 \
-    --hash=sha256:004b6ccc95943f6a9ad3142cfabcc769d7ee38a3f60fb0dddbfb431f818c3a67 \
-    --hash=sha256:047c4603aeb4bbd8db2756e38f5b8bd7e94318c047cfe4efeb5d715e08b49311 \
-    --hash=sha256:0d9409894f495d465fe6fda92cb70e8323e9648af912d5b9141d616df40a87b8 \
-    --hash=sha256:23a25c09dfd0d9f28da2352503b23e086f8e78096b9fd585d1d14eca01613e13 \
-    --hash=sha256:2ed09183922d66c4ec5fdaa59b4d14e105c084dd0febd27452de8f6f74704143 \
-    --hash=sha256:35c00f637cd0b9d5b6c6bd11b6c3359194a8eba9c46d4e875a3660e3b400005f \
-    --hash=sha256:37480760ae08065437e6573d14be973112c9e6dcaf5f11d00147ee74f37a3829 \
-    --hash=sha256:3b224890962a2d7b57cf5eeb16ccaafba6083f7b811829f00476309bce2fe0fd \
-    --hash=sha256:5a0f09cefded00e648a127048119f77bc2b2ec61e736660b5789e638f43cc397 \
-    --hash=sha256:5b72205a360f3b6176485a333256b9bcd48700fc755fef51c8e7e67c4b63e3ac \
-    --hash=sha256:7e53db173370dea832190870e975a1e09c86a879b613948f09eb49324218c14d \
-    --hash=sha256:7febc3094125fc126a7f6fb1f420d0da639f3f32cb15c8ff0dc3997c4549f51a \
-    --hash=sha256:80907d3faa55dc5434a16579952ac6da800935cd98d14dbd62f6f042c7f5e839 \
-    --hash=sha256:86defa8d248c3fa029da68ce61fe735432b047e32179883bdb1e79ed9bb8195e \
-    --hash=sha256:8ac4f9ead4bbd0bc8ab2d318f97d85147167a488be0e08814a37eb2f439d5cf6 \
-    --hash=sha256:93530900d14c37a46ce3d6c9e6fd35dbe5f5601bf6b3a5c325c7bffc030344d9 \
-    --hash=sha256:9eeb77214afae972a00dee47382d2591abe77bdae166bda672fb1e24702a3860 \
-    --hash=sha256:b5f4dfe950ff0479f1f00eda09c18798d4f49b98f4e2006d644b3301682ebdca \
-    --hash=sha256:c3391bd8e6de35f6f1140e50aaeb3e2b3d6a9012536ca23ab0d9c35ec18c8a91 \
-    --hash=sha256:c880eba5175f4307129784eca96f4e70b88e57aa3f680aeba3bab0e980b0f37d \
-    --hash=sha256:cecfefa17042941f94ab54f769c8ce0fe14beff2694e9ac684176a2535bf9714 \
-    --hash=sha256:e40211b4923ba5a6dc9769eab704bdb3fbb58d56c5b336d30996c24fcf12aadb \
-    --hash=sha256:efc8ad4e6fc4f1752ebfb58aefece8b4e3c4cae940b0994d43649bdfce8d0d4f
+cryptography==41.0.5 \
+    --hash=sha256:0c327cac00f082013c7c9fb6c46b7cc9fa3c288ca702c74773968173bda421bf \
+    --hash=sha256:0d2a6a598847c46e3e321a7aef8af1436f11c27f1254933746304ff014664d84 \
+    --hash=sha256:227ec057cd32a41c6651701abc0328135e472ed450f47c2766f23267b792a88e \
+    --hash=sha256:22892cc830d8b2c89ea60148227631bb96a7da0c1b722f2aac8824b1b7c0b6b8 \
+    --hash=sha256:392cb88b597247177172e02da6b7a63deeff1937fa6fec3bbf902ebd75d97ec7 \
+    --hash=sha256:3be3ca726e1572517d2bef99a818378bbcf7d7799d5372a46c79c29eb8d166c1 \
+    --hash=sha256:573eb7128cbca75f9157dcde974781209463ce56b5804983e11a1c462f0f4e88 \
+    --hash=sha256:580afc7b7216deeb87a098ef0674d6ee34ab55993140838b14c9b83312b37b86 \
+    --hash=sha256:5a70187954ba7292c7876734183e810b728b4f3965fbe571421cb2434d279179 \
+    --hash=sha256:73801ac9736741f220e20435f84ecec75ed70eda90f781a148f1bad546963d81 \
+    --hash=sha256:7d208c21e47940369accfc9e85f0de7693d9a5d843c2509b3846b2db170dfd20 \
+    --hash=sha256:8254962e6ba1f4d2090c44daf50a547cd5f0bf446dc658a8e5f8156cae0d8548 \
+    --hash=sha256:88417bff20162f635f24f849ab182b092697922088b477a7abd6664ddd82291d \
+    --hash=sha256:a48e74dad1fb349f3dc1d449ed88e0017d792997a7ad2ec9587ed17405667e6d \
+    --hash=sha256:b948e09fe5fb18517d99994184854ebd50b57248736fd4c720ad540560174ec5 \
+    --hash=sha256:c707f7afd813478e2019ae32a7c49cd932dd60ab2d2a93e796f68236b7e1fbf1 \
+    --hash=sha256:d38e6031e113b7421db1de0c1b1f7739564a88f1684c6b89234fbf6c11b75147 \
+    --hash=sha256:d3977f0e276f6f5bf245c403156673db103283266601405376f075c849a0b936 \
+    --hash=sha256:da6a0ff8f1016ccc7477e6339e1d50ce5f59b88905585f77193ebd5068f1e797 \
+    --hash=sha256:e270c04f4d9b5671ebcc792b3ba5d4488bf7c42c3c241a3748e2599776f29696 \
+    --hash=sha256:e886098619d3815e0ad5790c973afeee2c0e6e04b4da90b88e6bd06e2a0b1b72 \
+    --hash=sha256:ec3b055ff8f1dce8e6ef28f626e0972981475173d7973d63f271b29c8a2897da \
+    --hash=sha256:fba1e91467c65fe64a82c689dc6cf58151158993b13eb7a7f3f4b7f395636723
     # via
     #   pyopenssl
     #   secretstorage

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -42,10 +42,10 @@ jobs:
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}}
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}}
           - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
-          # Latest commit on the BoringSSL master branch, as of Oct 21, 2023.
-          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "bfa8369795b7533a222a72b7a1bc928941cd66bf"}}
-          # Latest commit on the OpenSSL master branch, as of Oct 24, 2023.
-          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fac61ea4618c83826b51aebf03cbc2bc3ac7b8c8"}}
+          # Latest commit on the BoringSSL master branch, as of Oct 26, 2023.
+          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "c38dc29860a72540eb2c4fdb8a8bfb27ef94ddf3"}}
+          # Latest commit on the OpenSSL master branch, as of Oct 26, 2023.
+          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6a0ae393dd554eb718e5148696e8f437d4faae5b"}}
           # Builds with various Rust versions. Includes MSRV and next
           # potential future MSRV:
           # 1.64 - maturin

diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt
@@ -9,10 +9,8 @@ alabaster==0.7.13
     # via sphinx
 argcomplete==3.1.2
     # via nox
-babel==2.13.0
+babel==2.13.1
     # via sphinx
-black==23.10.1
-    # via cryptography (pyproject.toml)
 bleach==6.1.0
     # via readme-renderer
 build==1.0.3
@@ -26,7 +24,7 @@ charset-normalizer==3.3.1
 check-sdist==0.1.3
     # via cryptography (pyproject.toml)
 click==8.1.7
-    # via black
+    # via cryptography (pyproject.toml)
 colorlog==6.7.0
     # via nox
 coverage==7.3.2; python_version >= "3.8"
@@ -72,26 +70,22 @@ mypy==1.6.1
     # via cryptography (pyproject.toml)
 mypy-extensions==1.0.0
     # via
-    #   black
     #   mypy
 nox==2023.4.22
     # via cryptography (pyproject.toml)
 packaging==23.2
     # via
-    #   black
     #   build
     #   nox
     #   pytest
     #   sphinx
 pathspec==0.11.2
     # via
-    #   black
     #   check-sdist
 pkginfo==1.9.6
     # via twine
 platformdirs==3.11.0
     # via
-    #   black
     #   virtualenv
 pluggy==1.3.0; python_version >= "3.8"
     # via pytest
@@ -110,7 +104,7 @@ pygments==2.16.1
     #   sphinx
 pyproject-hooks==1.0.0
     # via build
-pytest==7.4.2
+pytest==7.4.3
     # via
     #   cryptography (pyproject.toml)
     #   pytest-benchmark
@@ -138,7 +132,7 @@ rfc3986==2.0.0
     # via twine
 rich==13.6.0
     # via twine
-ruff==0.1.1
+ruff==0.1.2
     # via cryptography (pyproject.toml)
 six==1.16.0
     # via bleach
@@ -170,7 +164,6 @@ sphinxcontrib-spelling==8.0.0
     # via cryptography (pyproject.toml)
 tomli==2.0.1
     # via
-    #   black
     #   build
     #   check-manifest
     #   coverage

diff --git a/docs/development/submitting-patches.rst b/docs/development/submitting-patches.rst
@@ -19,10 +19,10 @@ Code
 ----
 
 When in doubt, refer to :pep:`8` for Python code. You can check if your code
-meets our automated requirements by formatting it with ``black`` and running
-``ruff`` against it. If you've installed the development requirements this
-will automatically use our configuration. You can also run the ``nox`` job with
-``nox -e flake``.
+meets our automated requirements by formatting it with ``ruff format`` and
+running ``ruff`` against it. If you've installed the development requirements
+this will automatically use our configuration. You can also run the ``nox``
+job with ``nox -e flake``.
 
 `Write comments as complete sentences.`_
 
@@ -61,12 +61,12 @@ whether the signature was valid.
 .. code-block:: python
 
     # This is bad.
-    def verify(sig):
+    def verify(sig: bytes) -> bool:
         # ...
         return is_valid
 
     # Good!
-    def verify(sig):
+    def verify(sig: bytes) -> None:
         # ...
         if not is_valid:
             raise InvalidSignature

diff --git a/docs/installation.rst b/docs/installation.rst
@@ -19,7 +19,7 @@ operating systems.
 * x86-64 RHEL 8.x
 * x86-64 CentOS 9 Stream
 * x86-64 Fedora (latest)
-* x86-64 and ARM64 macOS 13 Ventura
+* x86-64 macOS 13 Ventura and ARM64 macOS 14 Sonoma
 * x86-64 Ubuntu 20.04, 22.04, rolling
 * ARM64 Ubuntu 22.04
 * x86-64 Debian Buster (10.x), Bullseye (11.x), Bookworm (12.x),

diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
@@ -117,6 +117,7 @@ Serializers
 setuptools
 SHA
 Solaris
+Sonoma
 Sur
 syscall
 Tanja

diff --git a/noxfile.py b/noxfile.py
@@ -155,7 +155,7 @@ def flake(session: nox.Session) -> None:
     install(session, ".[pep8test,test,ssh,nox]")
 
     session.run("ruff", ".")
-    session.run("black", "--check", ".")
+    session.run("ruff", "format", "--check", ".")
     session.run("check-sdist")
     session.run(
         "mypy",

diff --git a/pyproject.toml b/pyproject.toml
@@ -80,7 +80,8 @@ test-randomorder = ["pytest-randomly"]
 docs = ["sphinx >=5.3.0", "sphinx-rtd-theme >=1.1.1"]
 docstest =  ["pyenchant >=1.6.11", "twine >=1.12.0", "sphinxcontrib-spelling >=4.0.1"]
 sdist = ["build"]
-pep8test = ["black", "ruff", "mypy", "check-sdist"]
+# `click` included because its needed to type check `release.py`
+pep8test = ["ruff", "mypy", "check-sdist", "click"]
 
 [[tool.setuptools-rust.ext-modules]]
 target = "cryptography.hazmat.bindings._rust"
@@ -89,10 +90,6 @@ py-limited-api = true
 rust-version = ">=1.63.0"
 
 
-[tool.black]
-line-length = 79
-target-version = ["py37"]
-
 [tool.pytest.ini_options]
 addopts = "-r s --capture=no --strict-markers --benchmark-disable"
 console_output_style = "progress-even-when-capture-no"

diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -149,8 +149,9 @@ def update_into(self, data: bytes, buf: bytes) -> int:
         total_data_len = len(data)
         if len(buf) < (total_data_len + self._block_size_bytes - 1):
             raise ValueError(
-                "buffer must be at least {} bytes for this "
-                "payload".format(len(data) + self._block_size_bytes - 1)
+                "buffer must be at least {} bytes for this payload".format(
+                    len(data) + self._block_size_bytes - 1
+                )
             )
 
         data_processed = 0

diff --git a/src/rust/cryptography-x509-validation/src/certificate.rs b/src/rust/cryptography-x509-validation/src/certificate.rs
@@ -8,13 +8,102 @@ use cryptography_x509::certificate::Certificate;
 
 use crate::ops::CryptoOps;
 
+// TODO: Remove these attributes once we start using these helpers.
+#[allow(dead_code)]
 pub(crate) fn cert_is_self_issued(cert: &Certificate<'_>) -> bool {
     cert.issuer() == cert.subject()
 }
 
+#[allow(dead_code)]
 pub(crate) fn cert_is_self_signed<B: CryptoOps>(cert: &Certificate<'_>, ops: &B) -> bool {
     match ops.public_key(cert) {
         Ok(pk) => cert_is_self_issued(cert) && ops.verify_signed_by(cert, pk).is_ok(),
         Err(_) => false,
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use crate::certificate::Certificate;
+    use crate::ops::tests::{cert, v1_cert_pem, NullOps};
+    use crate::ops::CryptoOps;
+
+    use super::{cert_is_self_issued, cert_is_self_signed};
+
+    #[test]
+    fn test_certificate_v1() {
+        let cert_pem = v1_cert_pem();
+        let cert = cert(&cert_pem);
+        let ops = NullOps {};
+
+        assert!(!cert_is_self_issued(&cert));
+        assert!(!cert_is_self_signed(&cert, &ops));
+    }
+
+    fn ca_pem() -> pem::Pem {
+        // From vectors/cryptography_vectors/x509/custom/ca/ca.pem
+        pem::parse(
+            "-----BEGIN CERTIFICATE-----
+MIIBUTCB96ADAgECAgIDCTAKBggqhkjOPQQDAjAnMQswCQYDVQQGEwJVUzEYMBYG
+A1UEAwwPY3J5cHRvZ3JhcGh5IENBMB4XDTE3MDEwMTEyMDEwMFoXDTM4MTIzMTA4
+MzAwMFowJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeSBDQTBZ
+MBMGByqGSM49AgEGCCqGSM49AwEHA0IABBj/z7v5Obj13cPuwECLBnUGq0/N2CxS
+JE4f4BBGZ7VfFblivTvPDG++Gve0oQ+0uctuhrNQ+WxRv8GC177F+QWjEzARMA8G
+A1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANES742XWm64tkGnz8Dn
+pG6u2lHkZFQr3oaVvPcemvlbAiEA0WGGzmYx5C9UvfXIK7NEziT4pQtyESE0uRVK
+Xw4nMqk=
+-----END CERTIFICATE-----",
+        )
+        .unwrap()
+    }
+
+    #[test]
+    fn test_certificate_ca() {
+        let cert_pem = ca_pem();
+        let cert = cert(&cert_pem);
+        let ops = NullOps {};
+
+        assert!(cert_is_self_issued(&cert));
+        assert!(cert_is_self_signed(&cert, &ops));
+    }
+
+    struct PublicKeyErrorOps {}
+    impl CryptoOps for PublicKeyErrorOps {
+        type Key = ();
+        type Err = ();
+
+        fn public_key(&self, _cert: &Certificate<'_>) -> Result<Self::Key, Self::Err> {
+            // Simulate failing to retrieve a public key.
+            Err(())
+        }
+
+        fn verify_signed_by(
+            &self,
+            _cert: &Certificate<'_>,
+            _key: Self::Key,
+        ) -> Result<(), Self::Err> {
+            Ok(())
+        }
+    }
+
+    #[test]
+    fn test_certificate_public_key_error() {
+        let cert_pem = ca_pem();
+        let cert = cert(&cert_pem);
+        let ops = PublicKeyErrorOps {};
+
+        assert!(cert_is_self_issued(&cert));
+        assert!(!cert_is_self_signed(&cert, &ops));
+    }
+
+    #[test]
+    fn test_certificate_public_key_error_ops() {
+        // Just to get coverage on the `PublicKeyErrorOps` helper.
+        let cert_pem = ca_pem();
+        let cert = cert(&cert_pem);
+        let ops = PublicKeyErrorOps {};
+
+        assert!(ops.public_key(&cert).is_err());
+        assert!(ops.verify_signed_by(&cert, ()).is_ok());
+    }
+}
diff --git a/tests/hazmat/primitives/test_block.py b/tests/hazmat/primitives/test_block.py
@@ -44,7 +44,9 @@ def test_instantiate_with_non_algorithm(self, backend):
         algorithm = object()
         with pytest.raises(TypeError):
             Cipher(
-                algorithm, mode=None, backend=backend  # type: ignore[arg-type]
+                algorithm,  # type: ignore[arg-type]
+                mode=None,
+                backend=backend,
             )
 
 

diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
@@ -346,7 +346,9 @@ def test_update_into_auto_chunking(self, backend, monkeypatch):
         encryptor = c.encryptor()
         # Lower max chunk size so we can test chunking
         monkeypatch.setattr(
-            encryptor._ctx, "_MAX_CHUNK_SIZE", 40  # type: ignore[attr-defined]
+            encryptor._ctx,  # type: ignore[attr-defined]
+            "_MAX_CHUNK_SIZE",
+            40,
         )
         buf = bytearray(527)
         pt = b"abcdefghijklmnopqrstuvwxyz012345" * 16  # 512 bytes
@@ -355,7 +357,9 @@ def test_update_into_auto_chunking(self, backend, monkeypatch):
         decryptor = c.decryptor()
         # Change max chunk size to verify alternate boundaries don't matter
         monkeypatch.setattr(
-            decryptor._ctx, "_MAX_CHUNK_SIZE", 73  # type: ignore[attr-defined]
+            decryptor._ctx,  # type: ignore[attr-defined]
+            "_MAX_CHUNK_SIZE",
+            73,
         )
         decbuf = bytearray(527)
         decprocessed = decryptor.update_into(buf[:processed], decbuf)

diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py
@@ -572,7 +572,8 @@ def test_dsa_public_numbers(self):
     def test_dsa_public_numbers_invalid_types(self):
         with pytest.raises(TypeError):
             dsa.DSAPublicNumbers(
-                y=4, parameter_numbers=None  # type: ignore[arg-type]
+                y=4,
+                parameter_numbers=None,  # type: ignore[arg-type]
             )
 
         with pytest.raises(TypeError):
@@ -606,7 +607,8 @@ def test_dsa_private_numbers_invalid_types(self):
 
         with pytest.raises(TypeError):
             dsa.DSAPrivateNumbers(
-                x=None, public_numbers=public_numbers  # type: ignore[arg-type]
+                x=None,  # type: ignore[arg-type]
+                public_numbers=public_numbers,
             )
 
     def test_repr(self):

diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py
@@ -1098,7 +1098,8 @@ def test_from_encoded_point_empty_byte_string(self):
     def test_from_encoded_point_not_a_curve(self):
         with pytest.raises(TypeError):
             ec.EllipticCurvePublicKey.from_encoded_point(
-                "notacurve", b"\x04data"  # type: ignore[arg-type]
+                "notacurve",  # type: ignore[arg-type]
+                b"\x04data",
             )
 
     def test_from_encoded_point_unsupported_encoding(self):
-Original file line number
+Diff line change
@@ Expand Up / @@ -117,6 +117,7 @@ Serializers @@
     setuptools
     SHA
     Solaris
+    Sonoma
     Sur
     syscall
     Tanja
@@ Expand Down @@