Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update cryptography to 3.4.7 #305

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

pyup-bot
Copy link
Collaborator

This PR updates cryptography from 1.8.1 to 3.4.7.

Changelog

3.4.7

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1k.

.. _v3-4-6:

3.4.6

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1j.

.. _v3-4-5:

3.4.5

~~~~~~~~~~~~~~~~~~

* Various improvements to type hints.
* Lower the minimum supported Rust version (MSRV) to >=1.41.0. This change
improves compatibility with system-provided Rust on several Linux
distributions.
* ``cryptography`` will be switching to a new versioning scheme with its next
feature release. More information is available in our
:doc:`/api-stability` documentation.

.. _v3-4-4:

3.4.4

~~~~~~~~~~~~~~~~~~

* Added a ``py.typed`` file so that ``mypy`` will know to use our type
annotations.
* Fixed an import cycle that could be triggered by certain import sequences.

.. _v3-4-3:

3.4.3

~~~~~~~~~~~~~~~~~~

* Specify our supported Rust version (>=1.45.0) in our ``setup.py`` so users
on older versions will get a clear error message.

.. _v3-4-2:

3.4.2

~~~~~~~~~~~~~~~~~~

* Improvements to make the rust transition a bit easier. This includes some
better error messages and small dependency fixes. If you experience
installation problems **Be sure to update pip** first, then check the
:doc:`FAQ </faq>`.

.. _v3-4-1:

3.4.1

~~~~~~~~~~~~~~~~~~

* Fixed a circular import issue.
* Added additional debug output to assist users seeing installation errors
due to outdated ``pip`` or missing ``rustc``.

.. _v3-4:

3.4

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Support for Python 2 has been removed.
* We now ship ``manylinux2014`` wheels and no longer ship ``manylinux1``
wheels. Users should upgrade to the latest ``pip`` to ensure this doesn't
cause issues downloading wheels on their platform.
* ``cryptography`` now incorporates Rust code. Users building ``cryptography``
themselves will need to have the Rust toolchain installed. Users who use an
officially produced wheel will not need to make any changes. The minimum
supported Rust version is 1.45.0.
* ``cryptography`` now has :pep:`484` type hints on nearly all of of its public
APIs. Users can begin using them to type check their code with ``mypy``.

.. _v3-3-2:

3.3.2

~~~~~~~~~~~~~~~~~~

* **SECURITY ISSUE:** Fixed a bug where certain sequences of ``update()`` calls
when symmetrically encrypting very large payloads (>2GB) could result in an
integer overflow, leading to buffer overflows. *CVE-2020-36242* **Update:**
This fix is a workaround for *CVE-2021-23840* in OpenSSL, fixed in OpenSSL
1.1.1j.

.. _v3-3-1:

3.3.1

~~~~~~~~~~~~~~~~~~

* Re-added a legacy symbol causing problems for older ``pyOpenSSL`` users.

.. _v3-3:

3.3

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Support for Python 3.5 has been removed due to
low usage and maintenance burden.
* **BACKWARDS INCOMPATIBLE:** The
:class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` and
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM` now require
64-bit to 1024-bit (8 byte to 128 byte) initialization vectors. This change
is to conform with an upcoming OpenSSL release that will no longer support
sizes outside this window.
* **BACKWARDS INCOMPATIBLE:** When deserializing asymmetric keys we now
raise ``ValueError`` rather than ``UnsupportedAlgorithm`` when an
unsupported cipher is used. This change is to conform with an upcoming
OpenSSL release that will no longer distinguish between error types.
* **BACKWARDS INCOMPATIBLE:** We no longer allow loading of finite field
Diffie-Hellman parameters of less than 512 bits in length. This change is to
conform with an upcoming OpenSSL release that no longer supports smaller
sizes. These keys were already wildly insecure and should not have been used
in any application outside of testing.
* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1i.
* Python 2 support is deprecated in ``cryptography``. This is the last release
that will support Python 2.
* Added the
:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey.recover_data_from_signature`
function to
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`
for recovering the signed data from an RSA signature.

.. _v3-2-1:

3.2.1

~~~~~~~~~~~~~~~~~~

* Disable blinding on RSA public keys to address an error with some versions
of OpenSSL.

.. _v3-2:

3.2

~~~~~~~~~~~~~~~~

* **SECURITY ISSUE:** Attempted to make RSA PKCS1v1.5 decryption more constant
time, to protect against Bleichenbacher vulnerabilities. Due to limitations
imposed by our API, we cannot completely mitigate this vulnerability and a
future release will contain a new API which is designed to be resilient to
these for contexts where it is required. Credit to **Hubert Kario** for
reporting the issue. *CVE-2020-25659*
* Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL
will need to upgrade.
* Added basic support for PKCS7 signing (including SMIME) via
:class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder`.

.. _v3-1-1:

3.1.1

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1h.

.. _v3-1:

3.1

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Removed support for ``idna`` based
:term:`U-label` parsing in various X.509 classes. This support was originally
deprecated in version 2.1 and moved to an extra in 2.5.
* Deprecated OpenSSL 1.0.2 support. OpenSSL 1.0.2 is no longer supported by
the OpenSSL project. The next version of ``cryptography`` will drop support
for it.
* Deprecated support for Python 3.5. This version sees very little use and will
be removed in the next release.
* ``backend`` arguments to functions are no longer required and the
default backend will automatically be selected if no ``backend`` is provided.
* Added initial support for parsing certificates from PKCS7 files with
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
and
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`
.
* Calling ``update`` or ``update_into`` on
:class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with ``data``
longer than 2\ :sup:`31` bytes no longer raises an ``OverflowError``. This
also resolves the same issue in :doc:`/fernet`.

.. _v3-0:

3.0

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Removed support for passing an
:class:`~cryptography.x509.Extension` instance to
:meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`,
as per our deprecation policy.
* **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has
been removed (2.9.1+ is still supported).
* **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.9, macOS users must
upgrade to 10.10 or newer.
* **BACKWARDS INCOMPATIBLE:** RSA
:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key`
no longer accepts ``public_exponent`` values except 65537 and 3 (the latter
for legacy purposes).
* **BACKWARDS INCOMPATIBLE:** X.509 certificate parsing now enforces that the
``version`` field contains a valid value, rather than deferring this check
until :attr:`~cryptography.x509.Certificate.version` is accessed.
* Deprecated support for Python 2. At the time there is no time table for
actually dropping support, however we strongly encourage all users to upgrade
their Python, as Python 2 no longer receives support from the Python core
team.

If you have trouble suppressing this warning in tests view the :ref:`FAQ
entry addressing this issue <faq-howto-handle-deprecation-warning>`.

* Added support for ``OpenSSH`` serialization format for
``ec``, ``ed25519``, ``rsa`` and ``dsa`` private keys:
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`
for loading and
:attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.OpenSSH`
for writing.
* Added support for ``OpenSSH`` certificates to
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`.
* Added :meth:`~cryptography.fernet.Fernet.encrypt_at_time` and
:meth:`~cryptography.fernet.Fernet.decrypt_at_time` to
:class:`~cryptography.fernet.Fernet`.
* Added support for the :class:`~cryptography.x509.SubjectInformationAccess`
X.509 extension.
* Added support for parsing
:class:`~cryptography.x509.SignedCertificateTimestamps` in OCSP responses.
* Added support for parsing attributes in certificate signing requests via
:meth:`~cryptography.x509.CertificateSigningRequest.get_attribute_for_oid`.
* Added support for encoding attributes in certificate signing requests via
:meth:`~cryptography.x509.CertificateSigningRequestBuilder.add_attribute`.
* On OpenSSL 1.1.1d and higher ``cryptography`` now uses OpenSSL's
built-in CSPRNG instead of its own OS random engine because these versions of
OpenSSL properly reseed on fork.
* Added initial support for creating PKCS12 files with
:func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`.

.. _v2-9-2:

2.9.2

~~~~~~~~~~~~~~~~~~

* Updated the macOS wheel to fix an issue where it would not run on macOS
versions older than 10.15.

.. _v2-9-1:

2.9.1

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1g.

.. _v2-9:

2.9

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Support for Python 3.4 has been removed due to
low usage and maintenance burden.
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.0.1 has been removed.
Users on older version of OpenSSL will need to upgrade.
* **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.6.x has been removed.
* Removed support for calling
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey.public_bytes`
with no arguments, as per our deprecation policy. You must now pass
``encoding`` and ``format``.
* **BACKWARDS INCOMPATIBLE:** Reversed the order in which
:meth:`~cryptography.x509.Name.rfc4514_string` returns the RDNs
as required by :rfc:`4514`.
* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1f.
* Added support for parsing
:attr:`~cryptography.x509.ocsp.OCSPResponse.single_extensions` in an OCSP
response.
* :class:`~cryptography.x509.NameAttribute` values can now be empty strings.

.. _v2-8:

2.8

~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1d.
* Added support for Python 3.8.
* Added class methods
:meth:`Poly1305.generate_tag
<cryptography.hazmat.primitives.poly1305.Poly1305.generate_tag>`
and
:meth:`Poly1305.verify_tag
<cryptography.hazmat.primitives.poly1305.Poly1305.verify_tag>`
for Poly1305 sign and verify operations.
* Deprecated support for OpenSSL 1.0.1. Support will be removed in
``cryptography`` 2.9.
* We now ship ``manylinux2010`` wheels in addition to our ``manylinux1``
wheels.
* Added support for ``ed25519`` and ``ed448`` keys in the
:class:`~cryptography.x509.CertificateBuilder`,
:class:`~cryptography.x509.CertificateSigningRequestBuilder`,
:class:`~cryptography.x509.CertificateRevocationListBuilder` and
:class:`~cryptography.x509.ocsp.OCSPResponseBuilder`.
* ``cryptography`` no longer depends on ``asn1crypto``.
* :class:`~cryptography.x509.FreshestCRL` is now allowed as a
:class:`~cryptography.x509.CertificateRevocationList` extension.

.. _v2-7:

2.7

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** We no longer distribute 32-bit ``manylinux1``
wheels. Continuing to produce them was a maintenance burden.
* **BACKWARDS INCOMPATIBLE:** Removed the
``cryptography.hazmat.primitives.mac.MACContext`` interface. The ``CMAC`` and
``HMAC`` APIs have not changed, but they are no longer registered as
``MACContext`` instances.
* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
OpenSSL 1.1.1c.
* Removed support for running our tests with ``setup.py test``. Users
interested in running our tests can continue to follow the directions in our
:doc:`development documentation</development/getting-started>`.
* Add support for :class:`~cryptography.hazmat.primitives.poly1305.Poly1305`
when using OpenSSL 1.1.1 or newer.
* Support serialization with ``Encoding.OpenSSH`` and ``PublicFormat.OpenSSH``
in
:meth:`Ed25519PublicKey.public_bytes
<cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey.public_bytes>`
.
* Correctly allow passing a ``SubjectKeyIdentifier`` to
:meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`
and deprecate passing an ``Extension`` object. The documentation always
required ``SubjectKeyIdentifier`` but the implementation previously
required an ``Extension``.

.. _v2-6-1:

2.6.1

~~~~~~~~~~~~~~~~~~

* Resolved an error in our build infrastructure that broke our Python3 wheels
for macOS and Linux.

.. _v2-6:

2.6

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Removed
``cryptography.hazmat.primitives.asymmetric.utils.encode_rfc6979_signature``
and
``cryptography.hazmat.primitives.asymmetric.utils.decode_rfc6979_signature``,
which had been deprecated for nearly 4 years. Use
:func:`~cryptography.hazmat.primitives.asymmetric.utils.encode_dss_signature`
and
:func:`~cryptography.hazmat.primitives.asymmetric.utils.decode_dss_signature`
instead.
* **BACKWARDS INCOMPATIBLE**: Removed ``cryptography.x509.Certificate.serial``,
which had been deprecated for nearly 3 years. Use
:attr:`~cryptography.x509.Certificate.serial_number` instead.
* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
OpenSSL 1.1.1b.
* Added support for :doc:`/hazmat/primitives/asymmetric/ed448` when using
OpenSSL 1.1.1b or newer.
* Added support for :doc:`/hazmat/primitives/asymmetric/ed25519` when using
OpenSSL 1.1.1b or newer.
* :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` can
now load ``ed25519`` public keys.
* Add support for easily mapping an object identifier to its elliptic curve
class via
:func:`~cryptography.hazmat.primitives.asymmetric.ec.get_curve_for_oid`.
* Add support for OpenSSL when compiled with the ``no-engine``
(``OPENSSL_NO_ENGINE``) flag.

.. _v2-5:

2.5

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** :term:`U-label` strings were deprecated in
version 2.1, but this version removes the default ``idna`` dependency as
well. If you still need this deprecated path please install cryptography
with the ``idna`` extra: ``pip install cryptography[idna]``.
* **BACKWARDS INCOMPATIBLE:** The minimum supported PyPy version is now 5.4.
* Numerous classes and functions have been updated to allow :term:`bytes-like`
types for keying material and passwords, including symmetric algorithms, AEAD
ciphers, KDFs, loading asymmetric keys, and one time password classes.
* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
OpenSSL 1.1.1a.
* Added support for :class:`~cryptography.hazmat.primitives.hashes.SHA512_224`
and :class:`~cryptography.hazmat.primitives.hashes.SHA512_256` when using
OpenSSL 1.1.1.
* Added support for :class:`~cryptography.hazmat.primitives.hashes.SHA3_224`,
:class:`~cryptography.hazmat.primitives.hashes.SHA3_256`,
:class:`~cryptography.hazmat.primitives.hashes.SHA3_384`, and
:class:`~cryptography.hazmat.primitives.hashes.SHA3_512` when using OpenSSL
1.1.1.
* Added support for :doc:`/hazmat/primitives/asymmetric/x448` when using
OpenSSL 1.1.1.
* Added support for :class:`~cryptography.hazmat.primitives.hashes.SHAKE128`
and :class:`~cryptography.hazmat.primitives.hashes.SHAKE256` when using
OpenSSL 1.1.1.
* Added initial support for parsing PKCS12 files with
:func:`~cryptography.hazmat.primitives.serialization.pkcs12.load_key_and_certificates`.
* Added support for :class:`~cryptography.x509.IssuingDistributionPoint`.
* Added ``rfc4514_string()`` method to
:meth:`x509.Name <cryptography.x509.Name.rfc4514_string>`,
:meth:`x509.RelativeDistinguishedName
<cryptography.x509.RelativeDistinguishedName.rfc4514_string>`, and
:meth:`x509.NameAttribute <cryptography.x509.NameAttribute.rfc4514_string>`
to format the name or component an :rfc:`4514` Distinguished Name string.
* Added
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point`,
which immediately checks if the point is on the curve and supports compressed
points. Deprecated the previous method
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`.
* Added :attr:`~cryptography.x509.ocsp.OCSPResponse.signature_hash_algorithm`
to ``OCSPResponse``.
* Updated :doc:`/hazmat/primitives/asymmetric/x25519` support to allow
additional serialization methods. Calling
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey.public_bytes`
with no arguments has been deprecated.
* Added support for encoding compressed and uncompressed points via
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes`. Deprecated the previous method
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point`.


.. _v2-4-2:

2.4.2

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
OpenSSL 1.1.0j.

.. _v2-4-1:

2.4.1

~~~~~~~~~~~~~~~~~~

* Fixed a build breakage in our ``manylinux1`` wheels.

.. _v2-4:

2.4

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.4.x.
* Deprecated OpenSSL 1.0.1 support. OpenSSL 1.0.1 is no longer supported by
the OpenSSL project. At this time there is no time table for dropping
support, however we strongly encourage all users to upgrade or install
``cryptography`` from a wheel.
* Added initial :doc:`OCSP </x509/ocsp>` support.
* Added support for :class:`~cryptography.x509.PrecertPoison`.

.. _v2-3-1:

2.3.1

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
OpenSSL 1.1.0i.

.. _v2-3:

2.3

~~~~~~~~~~~~~~~~

* **SECURITY ISSUE:**
:meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag`
allowed tag truncation by default which can allow tag forgery in some cases.
The method now enforces the ``min_tag_length`` provided to the
:class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` constructor.
*CVE-2018-10903*
* Added support for Python 3.7.
* Added :meth:`~cryptography.fernet.Fernet.extract_timestamp` to get the
authenticated timestamp of a :doc:`Fernet </fernet>` token.
* Support for Python 2.7.x without ``hmac.compare_digest`` has been deprecated.
We will require Python 2.7.7 or higher (or 2.7.6 on Ubuntu) in the next
``cryptography`` release.
* Fixed multiple issues preventing ``cryptography`` from compiling against
LibreSSL 2.7.x.
* Added
:class:`~cryptography.x509.CertificateRevocationList.get_revoked_certificate_by_serial_number`
for quick serial number searches in CRLs.
* The :class:`~cryptography.x509.RelativeDistinguishedName` class now
preserves the order of attributes. Duplicate attributes now raise an error
instead of silently discarding duplicates.
* :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap` and
:func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding`
now raise :class:`~cryptography.hazmat.primitives.keywrap.InvalidUnwrap` if
the wrapped key is an invalid length, instead of ``ValueError``.

.. _v2-2-2:

2.2.2

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
OpenSSL 1.1.0h.

.. _v2-2-1:

2.2.1

~~~~~~~~~~~~~~~~~~

* Reverted a change to ``GeneralNames`` which prohibited having zero elements,
due to breakages.
* Fixed a bug in
:func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding`
that caused it to raise ``InvalidUnwrap`` when key length modulo 8 was
zero.


.. _v2-2:

2.2

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Support for Python 2.6 has been dropped.
* Resolved a bug in ``HKDF`` that incorrectly constrained output size.
* Added :class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP256R1`,
:class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP384R1`, and
:class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP512R1` to
support inter-operating with systems like German smart meters.
* Added token rotation support to :doc:`Fernet </fernet>` with
:meth:`~cryptography.fernet.MultiFernet.rotate`.
* Fixed a memory leak in
:func:`~cryptography.hazmat.primitives.asymmetric.ec.derive_private_key`.
* Added support for AES key wrapping with padding via
:func:`~cryptography.hazmat.primitives.keywrap.aes_key_wrap_with_padding`
and
:func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding`
.
* Allow loading DSA keys with 224 bit ``q``.

.. _v2-1-4:

2.1.4

~~~~~~~~~~~~~~~~~~

* Added ``X509_up_ref`` for an upcoming ``pyOpenSSL`` release.

.. _v2-1-3:

2.1.3

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
OpenSSL 1.1.0g.

.. _v2-1-2:

2.1.2

~~~~~~~~~~~~~~~~~~

* Corrected a bug with the ``manylinux1`` wheels where OpenSSL's stack was
marked executable.

.. _v2-1-1:

2.1.1

~~~~~~~~~~~~~~~~~~

* Fixed support for install with the system ``pip`` on Ubuntu 16.04.

.. _v2-1:

2.1

~~~~~~~~~~~~~~~~

* **FINAL DEPRECATION** Python 2.6 support is deprecated, and will be removed
in the next release of ``cryptography``.
* **BACKWARDS INCOMPATIBLE:** ``Whirlpool``, ``RIPEMD160``, and
``UnsupportedExtension`` have been removed in accordance with our
:doc:`/api-stability` policy.
* **BACKWARDS INCOMPATIBLE:**
:attr:`DNSName.value <cryptography.x509.DNSName.value>`,
:attr:`RFC822Name.value <cryptography.x509.RFC822Name.value>`, and
:attr:`UniformResourceIdentifier.value
<cryptography.x509.UniformResourceIdentifier.value>`
will now return an :term:`A-label` string when parsing a certificate
containing an internationalized domain name (IDN) or if the caller passed
a :term:`U-label` to the constructor. See below for additional deprecations
related to this change.
* Installing ``cryptography`` now requires ``pip`` 6 or newer.
* Deprecated passing :term:`U-label` strings to the
:class:`~cryptography.x509.DNSName`,
:class:`~cryptography.x509.UniformResourceIdentifier`, and
:class:`~cryptography.x509.RFC822Name` constructors. Instead, users should
pass values as :term:`A-label` strings with ``idna`` encoding if necessary.
This change will not affect anyone who is not processing internationalized
domains.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20`. In
most cases users should choose
:class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`
rather than using this unauthenticated form.
* Added :meth:`~cryptography.x509.CertificateRevocationList.is_signature_valid`
to :class:`~cryptography.x509.CertificateRevocationList`.
* Support :class:`~cryptography.hazmat.primitives.hashes.BLAKE2b` and
:class:`~cryptography.hazmat.primitives.hashes.BLAKE2s` with
:class:`~cryptography.hazmat.primitives.hmac.HMAC`.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.modes.XTS` mode for
AES.
* Added support for using labels with
:class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP` when using
OpenSSL 1.0.2 or greater.
* Improved compatibility with NSS when issuing certificates from an issuer
that has a subject with non-``UTF8String`` string types.
* Add support for the :class:`~cryptography.x509.DeltaCRLIndicator` extension.
* Add support for the :class:`~cryptography.x509.TLSFeature`
extension. This is commonly used for enabling ``OCSP Must-Staple`` in
certificates.
* Add support for the :class:`~cryptography.x509.FreshestCRL` extension.

.. _v2-0-3:

2.0.3

~~~~~~~~~~~~~~~~~~

* Fixed an issue with weak linking symbols when compiling on macOS
versions older than 10.12.


.. _v2-0-2:

2.0.2

~~~~~~~~~~~~~~~~~~

* Marked all symbols as hidden in the ``manylinux1`` wheel to avoid a
bug with symbol resolution in certain scenarios.


.. _v2-0-1:

2.0.1

~~~~~~~~~~~~~~~~~~

* Fixed a compilation bug affecting OpenBSD.
* Altered the ``manylinux1`` wheels to statically link OpenSSL instead of
dynamically linking and bundling the shared object. This should resolve
crashes seen when using ``uwsgi`` or other binaries that link against
OpenSSL independently.
* Fixed the stack level for the ``signer`` and ``verifier`` warnings.


.. _v2-0:

2.0

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Support for Python 3.3 has been dropped.
* We now ship ``manylinux1`` wheels linked against OpenSSL 1.1.0f. These wheels
will be automatically used with most Linux distributions if you are running
the latest pip.
* Deprecated the use of ``signer`` on
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`,
and
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
in favor of ``sign``.
* Deprecated the use of ``verifier`` on
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`,
and
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
in favor of ``verify``.
* Added support for parsing
:class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp`
objects from X.509 certificate extensions.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESCCM`.
* Added
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM`, a "one shot"
API for AES GCM encryption.
* Added support for :doc:`/hazmat/primitives/asymmetric/x25519`.
* Added support for serializing and deserializing Diffie-Hellman parameters
with
:func:`~cryptography.hazmat.primitives.serialization.load_pem_parameters`,
:func:`~cryptography.hazmat.primitives.serialization.load_der_parameters`,
and
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters.parameter_bytes`
.
* The ``extensions`` attribute on :class:`~cryptography.x509.Certificate`,
:class:`~cryptography.x509.CertificateSigningRequest`,
:class:`~cryptography.x509.CertificateRevocationList`, and
:class:`~cryptography.x509.RevokedCertificate` now caches the computed
``Extensions`` object. There should be no performance change, just a
performance improvement for programs accessing the ``extensions`` attribute
multiple times.


.. _v1-9:

1.9

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Elliptic Curve signature verification no longer
returns ``True`` on success. This brings it in line with the interface's
documentation, and our intent. The correct way to use
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.verify`
has always been to check whether or not
:class:`~cryptography.exceptions.InvalidSignature` was raised.
* **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.7 and 10.8.
* **BACKWARDS INCOMPATIBLE:** The minimum supported PyPy version is now 5.3.
* Python 3.3 support has been deprecated, and will be removed in the next
``cryptography`` release.
* Add support for providing ``tag`` during
:class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` finalization via
:meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag`.
* Fixed an issue preventing ``cryptography`` from compiling against
LibreSSL 2.5.x.
* Added
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.key_size`
and
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.key_size`
as convenience methods for determining the bit size of a secret scalar for
the curve.
* Accessing an unrecognized extension marked critical on an X.509 object will
no longer raise an ``UnsupportedExtension`` exception, instead an
:class:`~cryptography.x509.UnrecognizedExtension` object will be returned.
This behavior was based on a poor reading of the RFC, unknown critical
extensions only need to be rejected on certificate verification.
* The CommonCrypto backend has been removed.
* MultiBackend has been removed.
* ``Whirlpool`` and ``RIPEMD160`` have been deprecated.


.. _v1-8-2:

1.8.2

~~~~~~~~~~~~~~~~~~

* Fixed a compilation bug affecting OpenSSL 1.1.0f.
* Updated Windows and macOS wheels to be compiled against OpenSSL 1.1.0f.


.. _v1-8-1:
Links

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant