• Files Changed
• Browse Source

• Files Changed
• Browse Source

- update to 38.0.1:
  * Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically
    seen in large CRLs).
  * Final deprecation of OpenSSL 1.1.0. The next release of ``cryptography``
    will drop support.
  * We no longer ship ``manylinux2010`` wheels. Users should upgrade to the
    latest ``pip`` to ensure this doesn't cause issues downloading wheels on
    their platform. We now ship ``manylinux_2_28`` wheels for users on new
    enough platforms.
  * Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0.
    Users with the latest ``pip`` will typically get a wheel and not need Rust
    installed, but check :doc:`/installation` for documentation on installing a
    newer ``rustc`` if required.
  * :meth:`~cryptography.fernet.Fernet.decrypt` and related methods now accept
    both ``str`` and ``bytes`` tokens.
  * Parsing ``CertificateSigningRequest`` restores the behavior of enforcing
    that the ``Extension`` ``critical`` field must be correctly encoded DER. See
    `the issue <https://github.com/pyca/cryptography/issues/6368>`_ for complete
    details.
  * Added two new OpenSSL functions to the bindings to support an upcoming
    ``pyOpenSSL`` release.
  * When parsing :class:`~cryptography.x509.CertificateRevocationList` and
    :class:`~cryptography.x509.CertificateSigningRequest` values, it is now
    enforced that the ``version`` value in the input must be valid according to
    the rules of :rfc:`2986` and :rfc:`5280`.
  * Using MD5 or SHA1 in :class:`~cryptography.x509.CertificateBuilder` and
    other X.509 builders is deprecated and support will be removed in the next
    version.
  * Added additional APIs to
    :class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp`, including

• Files Changed
• Browse Source

- update to 37.0.4:
  * updated wheels to b ecompiled against openssl 3.0.5

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- update to 37.0.2:
  * Fixed an issue where parsing an encrypted private key with the public
    loader functions would hang waiting for console input on OpenSSL 3.0.x rather
    than raising an error.
  * Restored some legacy symbols for older ``pyOpenSSL`` users. These will be
    removed again in the future, so ``pyOpenSSL`` users should still upgrade
    to the latest version of that package when they upgrade ``cryptography``.
  * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2.
  * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x and 3.0.x.
    The new minimum LibreSSL version is 3.1+.
  * **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier`` methods
    from the public key and private key classes. These methods were originally
    deprecated in version 2.0, but had an extended deprecation timeline due
    to usage. Any remaining users should transition to ``sign`` and ``verify``.
  * Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by
    the OpenSSL project. The next release of ``cryptography`` will be the last
    to support compiling with OpenSSL 1.1.0.
  * Deprecated Python 3.6 support. Python 3.6 is no longer supported by the
    Python core team. Support for Python 3.6 will be removed in a future
    ``cryptography`` release.
  * Deprecated the current minimum supported Rust version (MSRV) of 1.41.0.
    In the next release we will raise MSRV to 1.48.0. Users with the latest
    ``pip`` will typically get a wheel and not need Rust installed, but check
    :doc:`/installation` for documentation on installing a newer ``rustc`` if
    required.
  * Deprecated
    :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`,
    :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`,
    :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and
    :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish` because

• Files Changed
• Browse Source

  - drops CVE-2020-36242-buffer-overflow.patch on older dists
- drops 5507-mitigate-Bleichenbacher-attacks.patch on older dists

• Files Changed
• Browse Source

- update to 3.3.2 (bsc#1182066, CVE-2020-36242, bsc#1198331):

• Files Changed
• Browse Source

- update to 3.3.2 (bsc#1182066, CVE-2020-36242):
- update to 3.2 (bsc#1178168, CVE-2020-25659):

• Files Changed
• Browse Source

- update to 36.0.2:
  * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n.

• Files Changed
• Browse Source

- split tests in a multibuild variant to optimize rebuild time a bit

• Files Changed
• Browse Source

- update to 36.0.1:
  * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m.

• Files Changed
• Browse Source

- update to 36.0.0:
  * FINAL DEPRECATION Support for verifier and signer on our asymmetric key
    classes was deprecated in version 2.1. These functions had an extended
    deprecation due to usage, however the next version of cryptography will
    drop support. Users should migrate to sign and verify.
  * The entire X.509 layer is now written in Rust. This allows alternate
    asymmetric key implementations that can support cloud key management
    services or hardware security modules provided they implement the necessary
    interface (for example: EllipticCurvePrivateKey).
  * Deprecated the backend argument for all functions.
  * Added support for AESOCB3.
  * Added support for iterating over arbitrary request attributes.
  * Deprecated the get_attribute_for_oid method on CertificateSigningRequest in
    favor of get_attribute_for_oid() on the new Attributes object.
  * Fixed handling of PEM files to allow loading when certificate and key are
    in the same file.
  * Fixed parsing of CertificatePolicies extensions containing legacy BMPString values in their explicitText.
  * Allow parsing of negative serial numbers in certificates. Negative serial
    numbers are prohibited by RFC 5280 so a deprecation warning will be raised
    whenever they are encountered. A future version of cryptography will drop
    support for parsing them.
  * Added support for parsing PKCS12 files with friendly names for all
    certificates with load_pkcs12(), which will return an object of type
    PKCS12KeyAndCertificates.
  * rfc4514_string() and related methods now have an optional
    attr_name_overrides parameter to supply custom OID to name mappings, which
    can be used to match vendor-specific extensions.
  * BACKWARDS INCOMPATIBLE: Reverted the nonstandard formatting of email
    address fields as E in rfc4514_string() methods from version 35.0.
  * The previous behavior can be restored with:

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- Remove unnecessary %ifpython3 construct

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- update to 3.3.1:
  * Re-added a legacy symbol causing problems for older ``pyOpenSSL`` use

• Files Changed
• Browse Source

- update to 3.3.0
  - BACKWARDS INCOMPATIBLE: Support for Python 3.5 has been removed
    due to low usage and maintenance burden.
  - BACKWARDS INCOMPATIBLE: The GCM and AESGCM now require 64-bit
    to 1024-bit (8 byte to 128 byte) initialization vectors. This
    change is to conform with an upcoming OpenSSL release that will
    no longer support sizes outside this window.
  - BACKWARDS INCOMPATIBLE: When deserializing asymmetric keys we
    now raise ValueError rather than UnsupportedAlgorithm when an
    unsupported cipher is used. This change is to conform with an
    upcoming OpenSSL release that will no longer distinguish
    between error types.
  - BACKWARDS INCOMPATIBLE: We no longer allow loading of finite
    field Diffie-Hellman parameters of less than 512 bits in
    length. This change is to conform with an upcoming OpenSSL
    release that no longer supports smaller sizes. These keys were
    already wildly insecure and should not have been used in any
    application outside of testing.
  - Updated Windows, macOS, and manylinux wheels to be compiled
    with OpenSSL 1.1.1i.
  - Python 2 support is deprecated in cryptography. This is the
    last release that will support Python 2.
  - Added the recover_data_from_signature() function to
    RSAPublicKey for recovering the signed data from an RSA
    signature. 
- Remove unnecessary dependency virtualenv.

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- update to 3.0
- refreshed disable-uneven-sizes-tests.patch and  skip_openssl_memleak_test.patch
 * Removed support for passing an Extension instance
    to from_issuer_subject_key_identifier(), as per our deprecation policy.
 * Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has been removed
 * Dropped support for macOS 10.9, macOS users must upgrade to 10.10 or newer.
 * RSA generate_private_key() no longer accepts public_exponent values except
    65537 and 3 (the latter for legacy purposes).
 * X.509 certificate parsing now enforces that the version field contains
    a valid value, rather than deferring this check until version is accessed.
 * Deprecated support for Python 2
 * Added support for OpenSSH serialization format for ec, ed25519, rsa and dsa
    private keys: load_ssh_private_key() for loading and OpenSSH for writing.
 * Added support for OpenSSH certificates to load_ssh_public_key().
 * Added encrypt_at_time() and decrypt_at_time() to Fernet.
 * Added support for the SubjectInformationAccess X.509 extension.
 * Added support for parsing SignedCertificateTimestamps in OCSP responses.
 * Added support for parsing attributes in certificate signing requests via get_attribute_for_oid().
 * Added support for encoding attributes in certificate signing requests via add_attribute().
 * On OpenSSL 1.1.1d and higher cryptography now uses OpenSSL’s built-in CSPRNG
    instead of its own OS random engine because these versions of OpenSSL properly reseed on fork.
 * Added initial support for creating PKCS12 files with serialize_key_and_certificates().

• Files Changed
• Browse Source