Drop 1.0.0 (#3312)
* delete the 1.0.0 support
* drop the version check
* drop the AES-CTR stuff
* Update the example
* openssl truncates for us now
* delete unused test
* unused imports
* Remove a bunch of conditional bindings for NPN
* no more 1.0.0 builders
* libressl fix
* update the docs
* remove dead branches
* oops
* this is a word, damnit
* spelling
* try removing this
* this test is not needed
* unused import
diff --git a/.travis.yml b/.travis.yml
index d4c39b6..0cd7461 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -26,10 +26,6 @@
- python: pypy
env: TOXENV=pypy PYPY_VERSION=5.4.1
- python: 2.7
- env: TOXENV=py27 OPENSSL=1.0.0t
- - python: 3.5
- env: TOXENV=py35 OPENSSL=1.0.0t
- - python: 2.7
env: TOXENV=py27 OPENSSL=1.1.0c
- python: 3.5
env: TOXENV=py35 OPENSSL=1.1.0c
diff --git a/docs/development/c-bindings.rst b/docs/development/c-bindings.rst
index cbd8fab..d76154d 100644
--- a/docs/development/c-bindings.rst
+++ b/docs/development/c-bindings.rst
@@ -183,9 +183,9 @@
Sometimes, a set of loosely related features are added in the same
version, and it's impractical to create ``#ifdef`` statements for each
one. In that case, it may make sense to either check for a particular
-version. For example, to check for OpenSSL 1.0.0 or newer::
+version. For example, to check for OpenSSL 1.1.0 or newer::
- #if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
Sometimes, the version of a library on a particular platform will have
features that you thought it wouldn't, based on its version.
diff --git a/docs/faq.rst b/docs/faq.rst
index 76117a9..bbcf302 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -40,27 +40,14 @@
appear to be at fault, it's possible that this is a bug in ``cryptography``.
Please file an `issue`_ with instructions on how to reproduce it.
-Importing cryptography causes a ``RuntimeError`` about OpenSSL 1.0.0
---------------------------------------------------------------------
+Installing cryptography with OpenSSL 0.9.8 or 1.0.0 fails
+---------------------------------------------------------
-The OpenSSL project has dropped support for the 1.0.0 release series. Since it
-is no longer receiving security patches from upstream, ``cryptography`` is also
-dropping support for it. To fix this issue you should upgrade to a newer
-version of OpenSSL (1.0.1 or later). This may require you to upgrade to a newer
-operating system.
-
-For the 1.7 release, you can set the ``CRYPTOGRAPHY_ALLOW_OPENSSL_100``
-environment variable. Please note that this is *temporary* and will be removed
-in ``cryptography`` 1.8.
-
-Installing cryptography with OpenSSL 0.9.8 fails
-------------------------------------------------
-
-The OpenSSL project has dropped support for the 0.9.8 release series. Since it
-is no longer receiving security patches from upstream, ``cryptography`` is also
-dropping support for it. To fix this issue you should upgrade to a newer
-version of OpenSSL (1.0.1 or later). This may require you to upgrade to a newer
-operating system.
+The OpenSSL project has dropped support for the 0.9.8 and 1.0.0 release series.
+Since they are no longer receiving security patches from upstream,
+``cryptography`` is also dropping support for them. To fix this issue you
+should upgrade to a newer version of OpenSSL (1.0.1 or later). This may require
+you to upgrade to a newer operating system.
.. _`NaCl`: https://nacl.cr.yp.to/
.. _`PyNaCl`: https://pynacl.readthedocs.io
diff --git a/docs/hazmat/backends/openssl.rst b/docs/hazmat/backends/openssl.rst
index f97ec57..e293c06 100644
--- a/docs/hazmat/backends/openssl.rst
+++ b/docs/hazmat/backends/openssl.rst
@@ -3,7 +3,7 @@
OpenSSL backend
===============
-The `OpenSSL`_ C library. Cryptography supports OpenSSL version ``1.0.0`` and
+The `OpenSSL`_ C library. Cryptography supports OpenSSL version 1.0.1 and
greater.
.. data:: cryptography.hazmat.backends.openssl.backend
diff --git a/docs/hazmat/bindings/openssl.rst b/docs/hazmat/bindings/openssl.rst
index 482cfaf..ac65aa9 100644
--- a/docs/hazmat/bindings/openssl.rst
+++ b/docs/hazmat/bindings/openssl.rst
@@ -6,7 +6,7 @@
.. currentmodule:: cryptography.hazmat.bindings.openssl.binding
These are `CFFI`_ bindings to the `OpenSSL`_ C library. Cryptography supports
-OpenSSL version ``1.0.0`` and greater.
+OpenSSL version 1.0.1 and greater.
.. class:: cryptography.hazmat.bindings.openssl.binding.Binding()
diff --git a/docs/installation.rst b/docs/installation.rst
index 9ad9a3c..31116ff 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -28,7 +28,6 @@
We test compiling with ``clang`` as well as ``gcc`` and use the following
OpenSSL releases:
-* ``OpenSSL 1.0.0-fips`` (``RHEL/CentOS 6.4``)
* ``OpenSSL 1.0.1``
* ``OpenSSL 1.0.1e-fips`` (``RHEL/CentOS 7``)
* ``OpenSSL 1.0.1j-freebsd``
@@ -36,10 +35,6 @@
* ``OpenSSL 1.0.2-latest``
* ``OpenSSL 1.1.0``
-.. warning::
- Cryptography 1.7 has dropped support for OpenSSL 1.0.0, see the
- :doc:`FAQ </faq>` for more details
-
Building cryptography on Windows
--------------------------------
diff --git a/src/_cffi_src/openssl/aes.py b/src/_cffi_src/openssl/aes.py
index c54b636..d035fa8 100644
--- a/src/_cffi_src/openssl/aes.py
+++ b/src/_cffi_src/openssl/aes.py
@@ -10,7 +10,6 @@
TYPES = """
static const int Cryptography_HAS_AES_WRAP;
-static const int Cryptography_HAS_AES_CTR128_ENCRYPT;
struct aes_key_st {
...;
@@ -29,22 +28,8 @@
"""
MACROS = """
-/* The ctr128_encrypt function is only useful in 1.0.0. We can use EVP for
- this in 1.0.1+. */
-void AES_ctr128_encrypt(const unsigned char *, unsigned char *,
- size_t, const AES_KEY *, unsigned char[],
- unsigned char[], unsigned int *);
"""
CUSTOMIZATIONS = """
static const long Cryptography_HAS_AES_WRAP = 1;
-#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && !defined(LIBRESSL_VERSION_NUMBER)
-static const int Cryptography_HAS_AES_CTR128_ENCRYPT = 0;
-void (*AES_ctr128_encrypt)(const unsigned char *, unsigned char *,
- size_t, const AES_KEY *,
- unsigned char[], unsigned char[],
- unsigned int *) = NULL;
-#else
-static const int Cryptography_HAS_AES_CTR128_ENCRYPT = 1;
-#endif
"""
diff --git a/src/_cffi_src/openssl/cmac.py b/src/_cffi_src/openssl/cmac.py
index 67abc85..0998745 100644
--- a/src/_cffi_src/openssl/cmac.py
+++ b/src/_cffi_src/openssl/cmac.py
@@ -5,7 +5,7 @@
from __future__ import absolute_import, division, print_function
INCLUDES = """
-#if !defined(OPENSSL_NO_CMAC) && CRYPTOGRAPHY_OPENSSL_101_OR_GREATER
+#if !defined(OPENSSL_NO_CMAC)
#include <openssl/cmac.h>
#endif
"""
@@ -28,7 +28,7 @@
"""
CUSTOMIZATIONS = """
-#if !defined(OPENSSL_NO_CMAC) && CRYPTOGRAPHY_OPENSSL_101_OR_GREATER
+#if !defined(OPENSSL_NO_CMAC)
static const long Cryptography_HAS_CMAC = 1;
#else
static const long Cryptography_HAS_CMAC = 0;
diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
index 373f830..1ce9d0f 100644
--- a/src/_cffi_src/openssl/cryptography.py
+++ b/src/_cffi_src/openssl/cryptography.py
@@ -17,8 +17,6 @@
#include <windows.h>
#endif
-#define CRYPTOGRAPHY_OPENSSL_101_OR_GREATER \
- (OPENSSL_VERSION_NUMBER >= 0x10001000)
#define CRYPTOGRAPHY_OPENSSL_102_OR_GREATER \
(OPENSSL_VERSION_NUMBER >= 0x10002000)
#define CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER \
@@ -26,8 +24,6 @@
#define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
(OPENSSL_VERSION_NUMBER >= 0x10100000)
-#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_101 \
- (OPENSSL_VERSION_NUMBER < 0x10001000)
#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 \
(OPENSSL_VERSION_NUMBER < 0x10002000)
#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102BETA3 \
@@ -51,12 +47,8 @@
"""
TYPES = """
-static const int CRYPTOGRAPHY_OPENSSL_101_OR_GREATER;
-
static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;
-static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_101;
-
static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I;
static const int CRYPTOGRAPHY_IS_LIBRESSL;
diff --git a/src/_cffi_src/openssl/ec.py b/src/_cffi_src/openssl/ec.py
index 0853a72..d174505 100644
--- a/src/_cffi_src/openssl/ec.py
+++ b/src/_cffi_src/openssl/ec.py
@@ -14,7 +14,6 @@
TYPES = """
static const int Cryptography_HAS_EC;
-static const int Cryptography_HAS_EC_1_0_1;
static const int Cryptography_HAS_EC2M;
static const int Cryptography_HAS_EC_1_0_2;
@@ -327,13 +326,6 @@
int (*EC_METHOD_get_field_type)(const EC_METHOD *) = NULL;
-#else
-static const long Cryptography_HAS_EC = 1;
-#endif
-
-#if defined(OPENSSL_NO_EC) || CRYPTOGRAPHY_OPENSSL_LESS_THAN_101
-static const long Cryptography_HAS_EC_1_0_1 = 0;
-
int (*EC_KEY_get_flags)(const EC_KEY *) = NULL;
void (*EC_KEY_set_flags)(EC_KEY *, int) = NULL;
void (*EC_KEY_clear_flags)(EC_KEY *, int) = NULL;
@@ -341,10 +333,9 @@
int (*EC_KEY_set_public_key_affine_coordinates)(
EC_KEY *, BIGNUM *, BIGNUM *) = NULL;
#else
-static const long Cryptography_HAS_EC_1_0_1 = 1;
+static const long Cryptography_HAS_EC = 1;
#endif
-
#if defined(OPENSSL_NO_EC) || defined(OPENSSL_NO_EC2M)
static const long Cryptography_HAS_EC2M = 0;
diff --git a/src/_cffi_src/openssl/rsa.py b/src/_cffi_src/openssl/rsa.py
index e920cf2..e907490 100644
--- a/src/_cffi_src/openssl/rsa.py
+++ b/src/_cffi_src/openssl/rsa.py
@@ -20,7 +20,6 @@
static const int RSA_F4;
static const int Cryptography_HAS_PSS_PADDING;
-static const int Cryptography_HAS_MGF1_MD;
static const int Cryptography_HAS_RSA_OAEP_MD;
"""
@@ -73,12 +72,6 @@
CUSTOMIZATIONS = """
static const long Cryptography_HAS_PSS_PADDING = 1;
-#if CRYPTOGRAPHY_OPENSSL_101_OR_GREATER
-static const long Cryptography_HAS_MGF1_MD = 1;
-#else
-static const long Cryptography_HAS_MGF1_MD = 0;
-int (*EVP_PKEY_CTX_set_rsa_mgf1_md)(EVP_PKEY_CTX *, EVP_MD *) = NULL;
-#endif
#if defined(EVP_PKEY_CTX_set_rsa_oaep_md)
static const long Cryptography_HAS_RSA_OAEP_MD = 1;
#else
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index 28c14ca..12af346 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -25,7 +25,6 @@
static const long Cryptography_HAS_GET_SERVER_TMP_KEY;
static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE;
static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS;
-static const long Cryptography_HAS_NPN_NEGOTIATED;
/* Internally invented symbol to tell us if SNI is supported */
static const long Cryptography_HAS_TLSEXT_HOSTNAME;
@@ -44,7 +43,6 @@
static const long Cryptography_HAS_SSL_SET_SSL_CTX;
static const long Cryptography_HAS_SSL_OP_NO_TICKET;
static const long Cryptography_HAS_NETBSD_D1_METH;
-static const long Cryptography_HAS_NEXTPROTONEG;
static const long Cryptography_HAS_ALPN;
static const long Cryptography_HAS_SET_CERT_CB;
@@ -363,9 +361,6 @@
long SSL_session_reused(SSL *);
-/* NPN APIs were introduced in OpenSSL 1.0.1. To continue to support earlier
- * versions some special handling of these is necessary.
- */
void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *,
int (*)(SSL *,
const unsigned char **,
@@ -414,7 +409,7 @@
/* Added in 1.0.2 */
const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *);
-/* Added in 1.0.1 */
+
int SSL_SESSION_set1_id_context(SSL_SESSION *, const unsigned char *,
unsigned int);
/* Added in 1.1.0 for the great opaquing of structs */
@@ -438,28 +433,6 @@
"""
CUSTOMIZATIONS = """
-/* Added in 1.0.1 but we need it in all versions now due to the great
- opaquing. */
-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_101
-/* from ssl.h */
-#define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312
-#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273
-/* from ssl/ssl_sess.c */
-int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
- unsigned int sid_ctx_len)
-{
- if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
- SSLerr(SSL_F_SSL_SESSION_SET1_ID_CONTEXT,
- SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
- return 0;
- }
- s->sid_ctx_length = sid_ctx_len;
- memcpy(s->sid_ctx, sid_ctx, sid_ctx_len);
-
- return 1;
-}
-#endif
-
/* Added in 1.0.2 but we need it in all versions now due to the great
opaquing. */
#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 || defined(LIBRESSL_VERSION_NUMBER)
@@ -605,37 +578,6 @@
static const long Cryptography_HAS_NETBSD_D1_METH = 1;
#endif
-/* Because OPENSSL defines macros that claim lack of support for things, rather
- * than macros that claim support for things, we need to do a version check in
- * addition to a definition check. NPN was added in 1.0.1: for any version
- * before that, there is no compatibility.
- */
-#if defined(OPENSSL_NO_NEXTPROTONEG) || CRYPTOGRAPHY_OPENSSL_LESS_THAN_101
-static const long Cryptography_HAS_NEXTPROTONEG = 0;
-void (*SSL_CTX_set_next_protos_advertised_cb)(SSL_CTX *,
- int (*)(SSL *,
- const unsigned char **,
- unsigned int *,
- void *),
- void *) = NULL;
-void (*SSL_CTX_set_next_proto_select_cb)(SSL_CTX *,
- int (*)(SSL *,
- unsigned char **,
- unsigned char *,
- const unsigned char *,
- unsigned int,
- void *),
- void *) = NULL;
-int (*SSL_select_next_proto)(unsigned char **, unsigned char *,
- const unsigned char *, unsigned int,
- const unsigned char *, unsigned int) = NULL;
-void (*SSL_get0_next_proto_negotiated)(const SSL *,
- const unsigned char **,
- unsigned *) = NULL;
-#else
-static const long Cryptography_HAS_NEXTPROTONEG = 1;
-#endif
-
/* ALPN was added in OpenSSL 1.0.2. */
#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !defined(LIBRESSL_VERSION_NUMBER)
int (*SSL_CTX_set_alpn_protos)(SSL_CTX *,
@@ -707,13 +649,4 @@
static const long TLS_ST_BEFORE = 0;
static const long TLS_ST_OK = 0;
#endif
-
-/* This define is available in 1.0.1+ so we can remove this when we drop
- support for 1.0.0 */
-#ifdef OPENSSL_NPN_NEGOTIATED
-static const long Cryptography_HAS_NPN_NEGOTIATED = 1;
-#else
-static const long OPENSSL_NPN_NEGOTIATED = -1;
-static const long Cryptography_HAS_NPN_NEGOTIATED = 0;
-#endif
"""
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 71063c1..d2a9e6c 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -21,9 +21,7 @@
EllipticCurveBackend, HMACBackend, HashBackend, PBKDF2HMACBackend,
PEMSerializationBackend, RSABackend, ScryptBackend, X509Backend
)
-from cryptography.hazmat.backends.openssl.ciphers import (
- _AESCTRCipherContext, _CipherContext
-)
+from cryptography.hazmat.backends.openssl.ciphers import _CipherContext
from cryptography.hazmat.backends.openssl.cmac import _CMACContext
from cryptography.hazmat.backends.openssl.dh import (
_DHParameters, _DHPrivateKey, _DHPublicKey
@@ -233,12 +231,7 @@
return _HashContext(self, algorithm)
def cipher_supported(self, cipher, mode):
- if self._evp_cipher_supported(cipher, mode):
- return True
- elif isinstance(mode, CTR) and isinstance(cipher, AES):
- return True
- else:
- return False
+ return self._evp_cipher_supported(cipher, mode)
def _evp_cipher_supported(self, cipher, mode):
try:
@@ -307,22 +300,10 @@
)
def create_symmetric_encryption_ctx(self, cipher, mode):
- if (isinstance(mode, CTR) and isinstance(cipher, AES) and
- not self._evp_cipher_supported(cipher, mode)):
- # This is needed to provide support for AES CTR mode in OpenSSL
- # 1.0.0. It can be removed when we drop 1.0.0 support (RHEL 6.4).
- return _AESCTRCipherContext(self, cipher, mode)
- else:
- return _CipherContext(self, cipher, mode, _CipherContext._ENCRYPT)
+ return _CipherContext(self, cipher, mode, _CipherContext._ENCRYPT)
def create_symmetric_decryption_ctx(self, cipher, mode):
- if (isinstance(mode, CTR) and isinstance(cipher, AES) and
- not self._evp_cipher_supported(cipher, mode)):
- # This is needed to provide support for AES CTR mode in OpenSSL
- # 1.0.0. It can be removed when we drop 1.0.0 support (RHEL 6.4).
- return _AESCTRCipherContext(self, cipher, mode)
- else:
- return _CipherContext(self, cipher, mode, _CipherContext._DECRYPT)
+ return _CipherContext(self, cipher, mode, _CipherContext._DECRYPT)
def pbkdf2_hmac_supported(self, algorithm):
return self.hmac_supported(algorithm)
@@ -606,10 +587,7 @@
return isinstance(algorithm, hashes.SHA1)
def _pss_mgf1_hash_supported(self, algorithm):
- if self._lib.Cryptography_HAS_MGF1_MD:
- return self.hash_supported(algorithm)
- else:
- return isinstance(algorithm, hashes.SHA1)
+ return self.hash_supported(algorithm)
def rsa_padding_supported(self, padding):
if isinstance(padding, PKCS1v15):
@@ -737,18 +715,6 @@
if not isinstance(algorithm, hashes.HashAlgorithm):
raise TypeError('Algorithm must be a registered hash algorithm.')
- if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
- if isinstance(private_key, _DSAPrivateKey):
- raise NotImplementedError(
- "Certificate signing requests aren't implemented for DSA"
- " keys on OpenSSL versions less than 1.0.1."
- )
- if isinstance(private_key, _EllipticCurvePrivateKey):
- raise NotImplementedError(
- "Certificate signing requests aren't implemented for EC"
- " keys on OpenSSL versions less than 1.0.1."
- )
-
# Resolve the signature algorithm.
evp_md = self._lib.EVP_get_digestbyname(
algorithm.name.encode('ascii')
@@ -815,18 +781,6 @@
if not isinstance(algorithm, hashes.HashAlgorithm):
raise TypeError('Algorithm must be a registered hash algorithm.')
- if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
- if isinstance(private_key, _DSAPrivateKey):
- raise NotImplementedError(
- "Certificate signatures aren't implemented for DSA"
- " keys on OpenSSL versions less than 1.0.1."
- )
- if isinstance(private_key, _EllipticCurvePrivateKey):
- raise NotImplementedError(
- "Certificate signatures aren't implemented for EC"
- " keys on OpenSSL versions less than 1.0.1."
- )
-
# Resolve the signature algorithm.
evp_md = self._lib.EVP_get_digestbyname(
algorithm.name.encode('ascii')
@@ -920,18 +874,6 @@
if not isinstance(algorithm, hashes.HashAlgorithm):
raise TypeError('Algorithm must be a registered hash algorithm.')
- if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
- if isinstance(private_key, _DSAPrivateKey):
- raise NotImplementedError(
- "CRL signatures aren't implemented for DSA"
- " keys on OpenSSL versions less than 1.0.1."
- )
- if isinstance(private_key, _EllipticCurvePrivateKey):
- raise NotImplementedError(
- "CRL signatures aren't implemented for EC"
- " keys on OpenSSL versions less than 1.0.1."
- )
-
evp_md = self._lib.EVP_get_digestbyname(
algorithm.name.encode('ascii')
)
diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
index bd5dfb3..898b349 100644
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -167,38 +167,3 @@
self._backend.openssl_assert(res != 0)
tag = utils.read_only_property("_tag")
-
-
-@utils.register_interface(ciphers.CipherContext)
-class _AESCTRCipherContext(object):
- """
- This is needed to provide support for AES CTR mode in OpenSSL 1.0.0. It can
- be removed when we drop 1.0.0 support (RHEL 6.4 is the only thing that
- ships it).
- """
- def __init__(self, backend, cipher, mode):
- self._backend = backend
-
- self._key = self._backend._ffi.new("AES_KEY *")
- res = self._backend._lib.AES_set_encrypt_key(
- cipher.key, len(cipher.key) * 8, self._key
- )
- self._backend.openssl_assert(res == 0)
- self._ecount = self._backend._ffi.new("unsigned char[]", 16)
- self._nonce = self._backend._ffi.new("unsigned char[16]", mode.nonce)
- self._num = self._backend._ffi.new("unsigned int *", 0)
-
- def update(self, data):
- buf = self._backend._ffi.new("unsigned char[]", len(data))
- self._backend._lib.AES_ctr128_encrypt(
- data, buf, len(data), self._key, self._nonce,
- self._ecount, self._num
- )
- return self._backend._ffi.buffer(buf)[:]
-
- def finalize(self):
- self._key = None
- self._ecount = None
- self._nonce = None
- self._num = None
- return b""
diff --git a/src/cryptography/hazmat/backends/openssl/dsa.py b/src/cryptography/hazmat/backends/openssl/dsa.py
index e82c043..e2ed3df 100644
--- a/src/cryptography/hazmat/backends/openssl/dsa.py
+++ b/src/cryptography/hazmat/backends/openssl/dsa.py
@@ -7,7 +7,7 @@
from cryptography import utils
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends.openssl.utils import (
- _calculate_digest_and_algorithm, _truncate_digest
+ _calculate_digest_and_algorithm
)
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import (
@@ -15,24 +15,6 @@
)
-def _truncate_digest_for_dsa(dsa_cdata, digest, backend):
- """
- This function truncates digests that are longer than a given DS
- key's length so they can be signed. OpenSSL does this for us in
- 1.0.0c+, leaving us with three releases (1.0.0, 1.0.0a, and 1.0.0b) where
- this is a problem.
- """
-
- q = backend._ffi.new("BIGNUM **")
- backend._lib.DSA_get0_pqg(
- dsa_cdata, backend._ffi.NULL, q, backend._ffi.NULL
- )
- backend.openssl_assert(q[0] != backend._ffi.NULL)
-
- order_bits = backend._lib.BN_num_bits(q[0])
- return _truncate_digest(digest, order_bits)
-
-
def _dsa_sig_sign(backend, private_key, data):
sig_buf_len = backend._lib.DSA_size(private_key._dsa_cdata)
sig_buf = backend._ffi.new("unsigned char[]", sig_buf_len)
@@ -77,9 +59,6 @@
def verify(self):
data_to_verify = self._hash_ctx.finalize()
- data_to_verify = _truncate_digest_for_dsa(
- self._public_key._dsa_cdata, data_to_verify, self._backend
- )
_dsa_sig_verify(
self._backend, self._public_key, self._signature, data_to_verify
)
@@ -98,9 +77,6 @@
def finalize(self):
data_to_sign = self._hash_ctx.finalize()
- data_to_sign = _truncate_digest_for_dsa(
- self._private_key._dsa_cdata, data_to_sign, self._backend
- )
return _dsa_sig_sign(self._backend, self._private_key, data_to_sign)
@@ -212,7 +188,6 @@
data, algorithm = _calculate_digest_and_algorithm(
self._backend, data, algorithm
)
- data = _truncate_digest_for_dsa(self._dsa_cdata, data, self._backend)
return _dsa_sig_sign(self._backend, self, data)
@@ -286,5 +261,4 @@
data, algorithm = _calculate_digest_and_algorithm(
self._backend, data, algorithm
)
- data = _truncate_digest_for_dsa(self._dsa_cdata, data, self._backend)
return _dsa_sig_verify(self._backend, self, signature, data)
diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py
index 5969f2a..f2b5249 100644
--- a/src/cryptography/hazmat/backends/openssl/ec.py
+++ b/src/cryptography/hazmat/backends/openssl/ec.py
@@ -9,7 +9,7 @@
InvalidSignature, UnsupportedAlgorithm, _Reasons
)
from cryptography.hazmat.backends.openssl.utils import (
- _calculate_digest_and_algorithm, _truncate_digest
+ _calculate_digest_and_algorithm
)
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import (
@@ -17,31 +17,6 @@
)
-def _truncate_digest_for_ecdsa(ec_key_cdata, digest, backend):
- """
- This function truncates digests that are longer than a given elliptic
- curve key's length so they can be signed. Since elliptic curve keys are
- much shorter than RSA keys many digests (e.g. SHA-512) may require
- truncation.
- """
-
- _lib = backend._lib
- _ffi = backend._ffi
-
- group = _lib.EC_KEY_get0_group(ec_key_cdata)
-
- with backend._tmp_bn_ctx() as bn_ctx:
- order = _lib.BN_CTX_get(bn_ctx)
- backend.openssl_assert(order != _ffi.NULL)
-
- res = _lib.EC_GROUP_get_order(group, order, bn_ctx)
- backend.openssl_assert(res == 1)
-
- order_bits = _lib.BN_num_bits(order)
-
- return _truncate_digest(digest, order_bits)
-
-
def _check_signature_algorithm(signature_algorithm):
if not isinstance(signature_algorithm, ec.ECDSA):
raise UnsupportedAlgorithm(
@@ -127,9 +102,6 @@
def finalize(self):
digest = self._digest.finalize()
- digest = _truncate_digest_for_ecdsa(
- self._private_key._ec_key, digest, self._backend
- )
return _ecdsa_sig_sign(self._backend, self._private_key, digest)
@@ -146,9 +118,6 @@
def verify(self):
digest = self._digest.finalize()
- digest = _truncate_digest_for_ecdsa(
- self._public_key._ec_key, digest, self._backend
- )
return _ecdsa_sig_verify(
self._backend, self._public_key, self._signature, digest
)
@@ -247,9 +216,6 @@
data, algorithm = _calculate_digest_and_algorithm(
self._backend, data, signature_algorithm._algorithm
)
- data = _truncate_digest_for_ecdsa(
- self._ec_key, data, self._backend
- )
return _ecdsa_sig_sign(self._backend, self, data)
@@ -317,7 +283,4 @@
data, algorithm = _calculate_digest_and_algorithm(
self._backend, data, signature_algorithm._algorithm
)
- data = _truncate_digest_for_ecdsa(
- self._ec_key, data, self._backend
- )
return _ecdsa_sig_verify(self._backend, self, signature, data)
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
index 8996d88..0a37572 100644
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
@@ -164,13 +164,6 @@
raise ValueError("Digest too large for key size. Use a larger "
"key or different digest.")
- if not backend._pss_mgf1_hash_supported(padding._mgf._algorithm):
- raise UnsupportedAlgorithm(
- "When OpenSSL is older than 1.0.1 then only SHA1 is "
- "supported with MGF1.",
- _Reasons.UNSUPPORTED_HASH
- )
-
padding_enum = backend._lib.RSA_PKCS1_PSS_PADDING
else:
raise UnsupportedAlgorithm(
@@ -212,17 +205,15 @@
)
backend.openssl_assert(res > 0)
- if backend._lib.Cryptography_HAS_MGF1_MD:
- # MGF1 MD is configurable in OpenSSL 1.0.1+
- mgf1_md = backend._lib.EVP_get_digestbyname(
- padding._mgf._algorithm.name.encode("ascii"))
- backend.openssl_assert(
- mgf1_md != backend._ffi.NULL
- )
- res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md(
- pkey_ctx, mgf1_md
- )
- backend.openssl_assert(res > 0)
+ mgf1_md = backend._lib.EVP_get_digestbyname(
+ padding._mgf._algorithm.name.encode("ascii"))
+ backend.openssl_assert(
+ mgf1_md != backend._ffi.NULL
+ )
+ res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md(
+ pkey_ctx, mgf1_md
+ )
+ backend.openssl_assert(res > 0)
buflen = backend._ffi.new("size_t *")
res = backend._lib.EVP_PKEY_sign(
@@ -284,17 +275,15 @@
)
)
backend.openssl_assert(res > 0)
- if backend._lib.Cryptography_HAS_MGF1_MD:
- # MGF1 MD is configurable in OpenSSL 1.0.1+
- mgf1_md = backend._lib.EVP_get_digestbyname(
- padding._mgf._algorithm.name.encode("ascii"))
- backend.openssl_assert(
- mgf1_md != backend._ffi.NULL
- )
- res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md(
- pkey_ctx, mgf1_md
- )
- backend.openssl_assert(res > 0)
+ mgf1_md = backend._lib.EVP_get_digestbyname(
+ padding._mgf._algorithm.name.encode("ascii"))
+ backend.openssl_assert(
+ mgf1_md != backend._ffi.NULL
+ )
+ res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md(
+ pkey_ctx, mgf1_md
+ )
+ backend.openssl_assert(res > 0)
res = backend._lib.EVP_PKEY_verify(
pkey_ctx,
diff --git a/src/cryptography/hazmat/backends/openssl/utils.py b/src/cryptography/hazmat/backends/openssl/utils.py
index c88e318..e8b4a30 100644
--- a/src/cryptography/hazmat/backends/openssl/utils.py
+++ b/src/cryptography/hazmat/backends/openssl/utils.py
@@ -4,31 +4,10 @@
from __future__ import absolute_import, division, print_function
-import six
-
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.utils import Prehashed
-def _truncate_digest(digest, order_bits):
- digest_len = len(digest)
-
- if 8 * digest_len > order_bits:
- digest_len = (order_bits + 7) // 8
- digest = digest[:digest_len]
-
- if 8 * digest_len > order_bits:
- rshift = 8 - (order_bits & 0x7)
- assert 0 < rshift < 8
-
- mask = 0xFF >> rshift << rshift
-
- # Set the bottom rshift bits to 0
- digest = digest[:-1] + six.int2byte(six.indexbytes(digest, -1) & mask)
-
- return digest
-
-
def _calculate_digest_and_algorithm(backend, data, algorithm):
if not isinstance(algorithm, Prehashed):
hash_ctx = hashes.Hash(algorithm, backend)
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py
index d1cebd8..46c32d1 100644
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -133,9 +133,6 @@
"POINT_CONVERSION_COMPRESSED",
"POINT_CONVERSION_UNCOMPRESSED",
"POINT_CONVERSION_HYBRID",
- ],
-
- "Cryptography_HAS_EC_1_0_1": [
"EC_KEY_get_flags",
"EC_KEY_set_flags",
"EC_KEY_clear_flags",
@@ -195,9 +192,6 @@
"RAND_egd_bytes",
"RAND_query_egd_bytes",
],
- "Cryptography_HAS_MGF1_MD": [
- "EVP_PKEY_CTX_set_rsa_mgf1_md",
- ],
"Cryptography_HAS_RSA_OAEP_MD": [
"EVP_PKEY_CTX_set_rsa_oaep_md",
],
@@ -241,13 +235,6 @@
"DTLSv1_method",
],
- "Cryptography_HAS_NEXTPROTONEG": [
- "SSL_CTX_set_next_protos_advertised_cb",
- "SSL_CTX_set_next_proto_select_cb",
- "SSL_select_next_proto",
- "SSL_get0_next_proto_negotiated",
- ],
-
"Cryptography_HAS_ALPN": [
"SSL_CTX_set_alpn_protos",
"SSL_set_alpn_protos",
@@ -296,9 +283,6 @@
"SSL_CTX_set_cert_cb",
"SSL_set_cert_cb",
],
- "Cryptography_HAS_AES_CTR128_ENCRYPT": [
- "AES_ctr128_encrypt",
- ],
"Cryptography_HAS_SSL_ST": [
"SSL_ST_BEFORE",
"SSL_ST_OK",
@@ -319,7 +303,4 @@
"Cryptography_HAS_SCRYPT": [
"EVP_PBE_scrypt",
],
- "Cryptography_HAS_NPN_NEGOTIATED": [
- "OPENSSL_NPN_NEGOTIATED",
- ],
}
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index 39750ab..b661754 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -5,10 +5,8 @@
from __future__ import absolute_import, division, print_function
import collections
-import os
import threading
import types
-import warnings
from cryptography.exceptions import InternalError
from cryptography.hazmat.bindings._openssl import ffi, lib
@@ -148,28 +146,9 @@
_openssl_assert(cls.lib, res == 1)
-def _verify_openssl_version(version):
- if version < 0x10001000:
- if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_100"):
- warnings.warn(
- "OpenSSL version 1.0.0 is no longer supported by the OpenSSL "
- "project, please upgrade. The next version of cryptography "
- "will completely remove support for it.",
- DeprecationWarning
- )
- else:
- raise RuntimeError(
- "You are linking against OpenSSL 1.0.0, which is no longer "
- "support by the OpenSSL project. You need to upgrade to a "
- "newer version of OpenSSL."
- )
-
-
# OpenSSL is not thread safe until the locks are initialized. We call this
# method in module scope so that it executes with the import lock. On
# Pythons < 3.4 this import lock is a global lock, which can prevent a race
# condition registering the OpenSSL locks. On Python 3.4+ the import lock
# is per module so this approach will not work.
Binding.init_static_locks()
-
-_verify_openssl_version(Binding.lib.SSLeay())
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 47c4606..6d6f345 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -4,7 +4,6 @@
from __future__ import absolute_import, division, print_function
-import datetime
import itertools
import os
import subprocess
@@ -26,11 +25,9 @@
from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding
from cryptography.hazmat.primitives.ciphers import Cipher
from cryptography.hazmat.primitives.ciphers.algorithms import AES
-from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR
+from cryptography.hazmat.primitives.ciphers.modes import CBC
-from ..primitives.fixtures_dsa import DSA_KEY_2048
from ..primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
-from ..primitives.test_ec import _skip_curve_unsupported
from ...doubles import (
DummyAsymmetricPadding, DummyCipherAlgorithm, DummyHashAlgorithm, DummyMode
)
@@ -77,11 +74,6 @@
def test_supports_cipher(self):
assert backend.cipher_supported(None, None) is False
- def test_aes_ctr_always_available(self):
- # AES CTR should always be available, even in 1.0.0.
- assert backend.cipher_supported(AES(b"\x00" * 16),
- CTR(b"\x00" * 16)) is True
-
def test_register_duplicate_cipher_adapter(self):
with pytest.raises(ValueError):
backend.register_cipher_adapter(AES, CBC, None)
@@ -325,35 +317,6 @@
backend.generate_rsa_private_key(public_exponent=65537,
key_size=256)
- @pytest.mark.skipif(
- backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
- reason="Requires an older OpenSSL. Must be < 1.0.1"
- )
- def test_non_sha1_pss_mgf1_hash_algorithm_on_old_openssl(self):
- private_key = RSA_KEY_512.private_key(backend)
- with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH):
- private_key.signer(
- padding.PSS(
- mgf=padding.MGF1(
- algorithm=hashes.SHA256(),
- ),
- salt_length=padding.PSS.MAX_LENGTH
- ),
- hashes.SHA1()
- )
- public_key = private_key.public_key()
- with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH):
- public_key.verifier(
- b"sig",
- padding.PSS(
- mgf=padding.MGF1(
- algorithm=hashes.SHA256(),
- ),
- salt_length=padding.PSS.MAX_LENGTH
- ),
- hashes.SHA1()
- )
-
def test_rsa_padding_unsupported_pss_mgf1_hash(self):
assert backend.rsa_padding_supported(
padding.PSS(mgf=padding.MGF1(DummyHashAlgorithm()), salt_length=0)
@@ -500,39 +463,12 @@
)
-@pytest.mark.skipif(
- backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101,
- reason="Requires an OpenSSL version >= 1.0.1"
-)
class TestOpenSSLCMAC(object):
def test_unsupported_cipher(self):
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER):
backend.create_cmac_ctx(DummyCipherAlgorithm())
-class TestOpenSSLCreateX509CSR(object):
- @pytest.mark.skipif(
- backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
- reason="Requires an older OpenSSL. Must be < 1.0.1"
- )
- def test_unsupported_dsa_keys(self):
- private_key = DSA_KEY_2048.private_key(backend)
-
- with pytest.raises(NotImplementedError):
- backend.create_x509_csr(object(), private_key, hashes.SHA1())
-
- @pytest.mark.skipif(
- backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
- reason="Requires an older OpenSSL. Must be < 1.0.1"
- )
- def test_unsupported_ec_keys(self):
- _skip_curve_unsupported(backend, ec.SECP256R1())
- private_key = ec.generate_private_key(ec.SECP256R1(), backend)
-
- with pytest.raises(NotImplementedError):
- backend.create_x509_csr(object(), private_key, hashes.SHA1())
-
-
class TestOpenSSLSignX509Certificate(object):
def test_requires_certificate_builder(self):
private_key = RSA_KEY_2048.private_key(backend)
@@ -542,55 +478,6 @@
object(), private_key, DummyHashAlgorithm()
)
- @pytest.mark.skipif(
- backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
- reason="Requires an older OpenSSL. Must be < 1.0.1"
- )
- def test_sign_with_dsa_private_key_is_unsupported(self):
- private_key = DSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder()
- builder = builder.subject_name(
- x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')])
- ).serial_number(
- 1
- ).public_key(
- private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2032, 1, 1, 12, 1)
- )
-
- with pytest.raises(NotImplementedError):
- builder.sign(private_key, hashes.SHA512(), backend)
-
- @pytest.mark.skipif(
- backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
- reason="Requires an older OpenSSL. Must be < 1.0.1"
- )
- def test_sign_with_ec_private_key_is_unsupported(self):
- _skip_curve_unsupported(backend, ec.SECP256R1())
- private_key = ec.generate_private_key(ec.SECP256R1(), backend)
- builder = x509.CertificateBuilder()
- builder = builder.subject_name(
- x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')])
- ).serial_number(
- 1
- ).public_key(
- private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2032, 1, 1, 12, 1)
- )
-
- with pytest.raises(NotImplementedError):
- builder.sign(private_key, hashes.SHA512(), backend)
-
class TestOpenSSLSignX509CertificateRevocationList(object):
def test_invalid_builder(self):
@@ -599,43 +486,6 @@
with pytest.raises(TypeError):
backend.create_x509_crl(object(), private_key, hashes.SHA256())
- @pytest.mark.skipif(
- backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
- reason="Requires an older OpenSSL. Must be < 1.0.1"
- )
- def test_sign_with_dsa_private_key_is_unsupported(self):
- private_key = DSA_KEY_2048.private_key(backend)
- builder = x509.CertificateRevocationListBuilder()
- builder = builder.issuer_name(
- x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')])
- ).last_update(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).next_update(
- datetime.datetime(2032, 1, 1, 12, 1)
- )
-
- with pytest.raises(NotImplementedError):
- builder.sign(private_key, hashes.SHA1(), backend)
-
- @pytest.mark.skipif(
- backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
- reason="Requires an older OpenSSL. Must be < 1.0.1"
- )
- def test_sign_with_ec_private_key_is_unsupported(self):
- _skip_curve_unsupported(backend, ec.SECP256R1())
- private_key = ec.generate_private_key(ec.SECP256R1(), backend)
- builder = x509.CertificateRevocationListBuilder()
- builder = builder.issuer_name(
- x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')])
- ).last_update(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).next_update(
- datetime.datetime(2032, 1, 1, 12, 1)
- )
-
- with pytest.raises(NotImplementedError):
- builder.sign(private_key, hashes.SHA512(), backend)
-
class TestOpenSSLCreateRevokedCertificate(object):
def test_invalid_builder(self):
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index 3e01717..85b5172 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -8,7 +8,7 @@
from cryptography.exceptions import InternalError
from cryptography.hazmat.bindings.openssl.binding import (
- Binding, _OpenSSLErrorWithText, _openssl_assert, _verify_openssl_version
+ Binding, _OpenSSLErrorWithText, _openssl_assert
)
@@ -79,11 +79,14 @@
def test_conditional_removal(self):
b = Binding()
- if b.lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER:
- assert b.lib.CMAC_Init
+ if (
+ b.lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and
+ not b.lib.CRYPTOGRAPHY_IS_LIBRESSL
+ ):
+ assert b.lib.TLS_ST_OK
else:
with pytest.raises(AttributeError):
- b.lib.CMAC_Init
+ b.lib.TLS_ST_OK
def test_openssl_assert_error_on_stack(self):
b = Binding()
@@ -107,9 +110,3 @@
b'ex:data not multiple of block length'
)
)]
-
- def test_verify_openssl_version(self, monkeypatch):
- monkeypatch.delenv("CRYPTOGRAPHY_ALLOW_OPENSSL_100", raising=False)
- with pytest.raises(RuntimeError):
- # OpenSSL 1.0.0
- _verify_openssl_version(0x100000F)
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 966cba6..1ecf6b6 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -2082,9 +2082,6 @@
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_build_cert_with_dsa_private_key(self, backend):
- if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
- pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
-
issuer_private_key = DSA_KEY_2048.private_key(backend)
subject_private_key = DSA_KEY_2048.private_key(backend)
@@ -2130,9 +2127,6 @@
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_build_cert_with_ec_private_key(self, backend):
- if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
- pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
-
_skip_curve_unsupported(backend, ec.SECP256R1())
issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
@@ -2734,9 +2728,6 @@
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
def test_build_ca_request_with_ec(self, backend):
- if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
- pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
-
_skip_curve_unsupported(backend, ec.SECP256R1())
private_key = ec.generate_private_key(ec.SECP256R1(), backend)
@@ -2764,9 +2755,6 @@
@pytest.mark.requires_backend_interface(interface=DSABackend)
def test_build_ca_request_with_dsa(self, backend):
- if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
- pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
-
private_key = DSA_KEY_2048.private_key(backend)
request = x509.CertificateSigningRequestBuilder().subject_name(
diff --git a/tests/test_x509_crlbuilder.py b/tests/test_x509_crlbuilder.py
index 0d29a3e..f0306ef 100644
--- a/tests/test_x509_crlbuilder.py
+++ b/tests/test_x509_crlbuilder.py
@@ -347,8 +347,6 @@
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_sign_dsa_key(self, backend):
- if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
- pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
private_key = DSA_KEY_2048.private_key(backend)
invalidity_date = x509.InvalidityDate(
datetime.datetime(2002, 1, 1, 0, 0)
@@ -393,8 +391,6 @@
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_sign_ec_key_unsupported(self, backend):
- if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
- pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
_skip_curve_unsupported(backend, ec.SECP256R1())
private_key = ec.generate_private_key(ec.SECP256R1(), backend)
invalidity_date = x509.InvalidityDate(