
[Python-announce] PyCA cryptography 36.0.0 released

Paul Kehrer

unread,
Nov 21, 2021, 5:20:01 PM11/21/21
to
PyCA cryptography 36.0.0 has been released to PyPI. cryptography
includes both high level recipes and low level interfaces to common
cryptographic algorithms such as symmetric ciphers, asymmetric
algorithms, message digests, X509, key derivation functions, and much
more. We support Python 3.6+, and PyPy3.

(As a reminder, cryptography changed its versioning scheme with 35.0.
For more information see
https://cryptography.io/en/latest/api-stability/#versioning)

Changelog (https://cryptography.io/en/latest/changelog/#v36-0-0):
* FINAL DEPRECATION: Support for verifier and signer on our asymmetric
key classes was deprecated in version 2.1. These functions had an
extended deprecation due to usage, however the next version of
cryptography will drop support. Users should migrate to sign and
verify.
* The entire X.509 layer is now written in Rust. This allows alternate
asymmetric key implementations that can support cloud key management
services or hardware security modules provided they implement the
necessary interface (for example: EllipticCurvePrivateKey).
* Deprecated the backend argument for all functions.
* Added support for AESOCB3.
* Added support for iterating over arbitrary request attributes.
* Deprecated the get_attribute_for_oid method on
CertificateSigningRequest in favor of get_attribute_for_oid() on the
new Attributes object.
* Fixed handling of PEM files to allow loading when certificate and
key are in the same file.
* Fixed parsing of CertificatePolicies extensions containing legacy
BMPString values in their explicitText.
* Allow parsing of negative serial numbers in certificates. Negative
serial numbers are prohibited by RFC 5280 so a deprecation warning
will be raised whenever they are encountered. A future version of
cryptography will drop support for parsing them.
* Added support for parsing PKCS12 files with friendly names for all
certificates with load_pkcs12(), which will return an object of type
PKCS12KeyAndCertificates.
* rfc4514_string() and related methods now have an optional
attr_name_overrides parameter to supply custom OID to name mappings,
which can be used to match vendor-specific extensions.
* BACKWARDS INCOMPATIBLE: Reverted the nonstandard formatting of email
address fields as E in rfc4514_string() methods from version 35.0. The
previous behavior can be restored with:
name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})
* Allow X25519PublicKey and X448PublicKey to be used as public keys
when parsing certificates or creating them with CertificateBuilder.
These key types must be signed with a different signing algorithm as
X25519 and X448 do not support signing.
* Extension values can now be serialized to a DER byte string by
calling public_bytes().
* Added experimental support for compiling against BoringSSL. As
BoringSSL does not commit to a stable API, cryptography tests against
the latest commit only. Please note that several features are not
available when building against BoringSSL.
* Parsing CertificateSigningRequest from DER and PEM now, for a
limited time period, allows the Extension critical field to be
incorrectly encoded. See the issue for complete details. This will be
reverted in a future cryptography release.
* When OCSPNonce are parsed and generated their value is now correctly
wrapped in an ASN.1 OCTET STRING. This conforms to RFC 6960 but
conflicts with the original behavior specified in RFC 2560. For a
temporary period for backwards compatibility, we will also parse
values that are encoded as specified in RFC 2560 but this behavior
will be removed in a future release.

-Paul Kehrer (reaperhulk)
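
The migration named in the FINAL DEPRECATION item, as an added example that is not part of the announcement or the project's own code: chunked input that used to be fed through signer().update() is hashed with hashes.Hash and handed to the one-shot sign()/verify() calls via utils.Prehashed. The ECDSA P-256 key, SHA-256, the sample chunks and the helper names are assumptions chosen for illustration.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, utils

HASH = hashes.SHA256()  # assumption: SHA-256 for this illustration


def digest_chunks(chunks):
    """Hash data incrementally; this takes the place of signer().update(chunk)."""
    h = hashes.Hash(HASH)  # no backend argument (deprecated in 36.0.0)
    for chunk in chunks:
        h.update(chunk)
    return h.finalize()


def sign_chunks(private_key, chunks):
    """Sign the precomputed digest with the one-shot sign() API."""
    return private_key.sign(digest_chunks(chunks), ec.ECDSA(utils.Prehashed(HASH)))


def verify_chunks(public_key, signature, chunks):
    """Return True only if the signature matches; verify() raises otherwise."""
    try:
        public_key.verify(signature, digest_chunks(chunks), ec.ECDSA(utils.Prehashed(HASH)))
    except InvalidSignature:
        return False
    return True


def demo():
    key = ec.generate_private_key(ec.SECP256R1())  # throwaway key, constructed
    chunks = [b"header|", b"body|", b"trailer"]    # constructed sample input
    pub = key.public_key()
    sig = sign_chunks(key, chunks)
    ok = verify_chunks(pub, sig, chunks)
    tampered = verify_chunks(pub, sig, [b"header|", b"BODY|", b"trailer"])
    # A signature made over the prehashed digest also verifies through the
    # whole-message form of verify(), so the two call styles interoperate.
    try:
        pub.verify(sig, b"".join(chunks), ec.ECDSA(HASH))
        one_shot = True
    except InvalidSignature:
        one_shot = False
    return ok, tampered, one_shot


if __name__ == "__main__":
    print(demo())
```

verify() signals failure by raising InvalidSignature rather than returning a value, so callers migrating from verifier() should keep the exception handling and never treat a missing return value as success.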