- Changelog
- =========
- .. _v41-0-6:
- 41.0.6 - 2023-11-27
- ~~~~~~~~~~~~~~~~~~~
- * Fixed a null-pointer-dereference and segfault that could occur when loading
- certificates from a PKCS#7 bundle. Credit to **pkuzco** for reporting the
- issue. **CVE-2023-49083**
- .. _v41-0-5:
- 41.0.5 - 2023-10-24
- ~~~~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4.
- * Added a function to support an upcoming ``pyOpenSSL`` release.
- .. _v41-0-4:
- 41.0.4 - 2023-09-19
- ~~~~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3.
- .. _v41-0-3:
- 41.0.3 - 2023-08-01
- ~~~~~~~~~~~~~~~~~~~
- * Fixed performance regression loading DH public keys.
- * Fixed a memory leak when using
- :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`.
- * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.2.
- .. _v41-0-2:
- 41.0.2 - 2023-07-10
- ~~~~~~~~~~~~~~~~~~~
- * Fixed bugs in creating and parsing SSH certificates where critical options
- with values were handled incorrectly. Certificates are now created correctly
- and parsing accepts correct values as well as the previously generated
- invalid forms with a warning. In the next release, support for parsing these
- invalid forms will be removed.
- .. _v41-0-1:
- 41.0.1 - 2023-06-01
- ~~~~~~~~~~~~~~~~~~~
- * Temporarily allow invalid ECDSA signature algorithm parameters in X.509
- certificates, which are generated by older versions of Java.
- * Allow null bytes in pass phrases when serializing private keys.
- .. _v41-0-0:
- 41.0.0 - 2023-05-30
- ~~~~~~~~~~~~~~~~~~~
- * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL less than 1.1.1d has been
- removed. Users on older version of OpenSSL will need to upgrade.
- * **BACKWARDS INCOMPATIBLE:** Support for Python 3.6 has been removed.
- * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.6.
- * Updated the minimum supported Rust version (MSRV) to 1.56.0, from 1.48.0.
- * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.1.
- * Added support for the :class:`~cryptography.x509.OCSPAcceptableResponses`
- OCSP extension.
- * Added support for the :class:`~cryptography.x509.MSCertificateTemplate`
- proprietary Microsoft certificate extension.
- * Implemented support for equality checks on all asymmetric public key types.
- * Added support for ``aes256-gcm@openssh.com`` encrypted keys in
- :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`.
- * Added support for obtaining X.509 certificate signature algorithm parameters
- (including PSS) via
- :meth:`~cryptography.x509.Certificate.signature_algorithm_parameters`.
- * Support signing :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`
- X.509 certificates via the new keyword-only argument ``rsa_padding`` on
- :meth:`~cryptography.x509.CertificateBuilder.sign`.
- * Added support for
- :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`
- on BoringSSL.
- .. _v40-0-2:
- 40.0.2 - 2023-04-14
- ~~~~~~~~~~~~~~~~~~~
- * Fixed compilation when using LibreSSL 3.7.2.
- * Added some functions to support an upcoming ``pyOpenSSL`` release.
- .. _v40-0-1:
- 40.0.1 - 2023-03-24
- ~~~~~~~~~~~~~~~~~~~
- * Fixed a bug where certain operations would fail if an object happened to be
- in the top-half of the memory-space. This only impacted 32-bit systems.
- .. _v40-0-0:
- 40.0.0 - 2023-03-24
- ~~~~~~~~~~~~~~~~~~~
- * **BACKWARDS INCOMPATIBLE:** As announced in the 39.0.0 changelog, the way
- ``cryptography`` links OpenSSL has changed. This only impacts users who
- build ``cryptography`` from source (i.e., not from a ``wheel``), and
- specify their own version of OpenSSL. For those users, the ``CFLAGS``,
- ``LDFLAGS``, ``INCLUDE``, ``LIB``, and ``CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS``
- environment variables are no longer valid. Instead, users need to configure
- their builds `as documented here`_.
- * Support for Python 3.6 is deprecated and will be removed in the next
- release.
- * Deprecated the current minimum supported Rust version (MSRV) of 1.48.0.
- In the next release we will raise MSRV to 1.56.0. Users with the latest
- ``pip`` will typically get a wheel and not need Rust installed, but check
- :doc:`/installation` for documentation on installing a newer ``rustc`` if
- required.
- * Deprecated support for OpenSSL less than 1.1.1d. The next release of
- ``cryptography`` will drop support for older versions.
- * Deprecated support for DSA keys in
- :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`
- and
- :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`.
- * Deprecated support for OpenSSH serialization in
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`
- and
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`.
- * The minimum supported version of PyPy3 is now 7.3.10.
- * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.0.
- * Added support for parsing SSH certificates in addition to public keys with
- :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_identity`.
- :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`
- continues to support only public keys.
- * Added support for generating SSH certificates with
- :class:`~cryptography.hazmat.primitives.serialization.SSHCertificateBuilder`.
- * Added :meth:`~cryptography.x509.Certificate.verify_directly_issued_by` to
- :class:`~cryptography.x509.Certificate`.
- * Added a check to :class:`~cryptography.x509.NameConstraints` to ensure that
- :class:`~cryptography.x509.DNSName` constraints do not contain any ``*``
- wildcards.
- * Removed many unused CFFI OpenSSL bindings. This will not impact you unless
- you are using ``cryptography`` to directly invoke OpenSSL's C API. Note that
- these have never been considered a stable, supported, public API by
- ``cryptography``, this note is included as a courtesy.
- * The X.509 builder classes now raise ``UnsupportedAlgorithm`` instead of
- ``ValueError`` if an unsupported hash algorithm is passed.
- * Added public union type aliases for type hinting:
- * Asymmetric types:
- :const:`~cryptography.hazmat.primitives.asymmetric.types.PublicKeyTypes`,
- :const:`~cryptography.hazmat.primitives.asymmetric.types.PrivateKeyTypes`,
- :const:`~cryptography.hazmat.primitives.asymmetric.types.CertificatePublicKeyTypes`,
- :const:`~cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPublicKeyTypes`,
- :const:`~cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPrivateKeyTypes`.
- * SSH keys:
- :const:`~cryptography.hazmat.primitives.serialization.SSHPublicKeyTypes`,
- :const:`~cryptography.hazmat.primitives.serialization.SSHPrivateKeyTypes`,
- :const:`~cryptography.hazmat.primitives.serialization.SSHCertPublicKeyTypes`,
- :const:`~cryptography.hazmat.primitives.serialization.SSHCertPrivateKeyTypes`.
- * PKCS12:
- :const:`~cryptography.hazmat.primitives.serialization.pkcs12.PKCS12PrivateKeyTypes`
- * PKCS7:
- :const:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7HashTypes`,
- :const:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7PrivateKeyTypes`.
- * Two-factor:
- :const:`~cryptography.hazmat.primitives.twofactor.hotp.HOTPHashTypes`
- * Deprecated previously undocumented but not private type aliases in the
- ``cryptography.hazmat.primitives.asymmetric.types`` module in favor of new
- ones above.
- .. _v39-0-2:
- 39.0.2 - 2023-03-02
- ~~~~~~~~~~~~~~~~~~~
- * Fixed a bug where the content type header was not properly encoded for
- PKCS7 signatures when using the ``Text`` option and ``SMIME`` encoding.
- .. _v39-0-1:
- 39.0.1 - 2023-02-07
- ~~~~~~~~~~~~~~~~~~~
- * **SECURITY ISSUE** - Fixed a bug where ``Cipher.update_into`` accepted Python
- buffer protocol objects, but allowed immutable buffers. **CVE-2023-23931**
- * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8.
- .. _v39-0-0:
- 39.0.0 - 2023-01-01
- ~~~~~~~~~~~~~~~~~~~
- * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.0 has been removed.
- Users on older version of OpenSSL will need to upgrade.
- * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.5. The new
- minimum LibreSSL version is 3.5.0. Going forward our policy is to support
- versions of LibreSSL that are available in versions of OpenBSD that are
- still receiving security support.
- * **BACKWARDS INCOMPATIBLE:** Removed the ``encode_point`` and
- ``from_encoded_point`` methods on
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`,
- which had been deprecated for several years.
- :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes`
- and
- :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point`
- should be used instead.
- * **BACKWARDS INCOMPATIBLE:** Support for using MD5 or SHA1 in
- :class:`~cryptography.x509.CertificateBuilder`, other X.509 builders, and
- PKCS7 has been removed.
- * **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.10 and 10.11, macOS
- users must upgrade to 10.12 or newer.
- * **ANNOUNCEMENT:** The next version of ``cryptography`` (40.0) will change
- the way we link OpenSSL. This will only impact users who build
- ``cryptography`` from source (i.e., not from a ``wheel``), and specify their
- own version of OpenSSL. For those users, the ``CFLAGS``, ``LDFLAGS``,
- ``INCLUDE``, ``LIB``, and ``CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS`` environment
- variables will no longer be respected. Instead, users will need to
- configure their builds `as documented here`_.
- * Added support for
- :ref:`disabling the legacy provider in OpenSSL 3.0.x<legacy-provider>`.
- * Added support for disabling RSA key validation checks when loading RSA
- keys via
- :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,
- :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,
- and
- :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers.private_key`.
- This speeds up key loading but is :term:`unsafe` if you are loading potentially
- attacker supplied keys.
- * Significantly improved performance for
- :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`
- when repeatedly calling ``encrypt`` or ``decrypt`` with the same key.
- * Added support for creating OCSP requests with precomputed hashes using
- :meth:`~cryptography.x509.ocsp.OCSPRequestBuilder.add_certificate_by_hash`.
- * Added support for loading multiple PEM-encoded X.509 certificates from
- a single input via :func:`~cryptography.x509.load_pem_x509_certificates`.
- .. _v38-0-4:
- 38.0.4 - 2022-11-27
- ~~~~~~~~~~~~~~~~~~~
- * Fixed compilation when using LibreSSL 3.6.0.
- * Fixed error when using ``py2app`` to build an application with a
- ``cryptography`` dependency.
- .. _v38-0-3:
- 38.0.3 - 2022-11-01
- ~~~~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.7,
- which resolves *CVE-2022-3602* and *CVE-2022-3786*.
- .. _v38-0-2:
- 38.0.2 - 2022-10-11 (YANKED)
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- .. attention::
- This release was subsequently yanked from PyPI due to a regression in OpenSSL.
- * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.6.
- .. _v38-0-1:
- 38.0.1 - 2022-09-07
- ~~~~~~~~~~~~~~~~~~~
- * Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically
- seen in large CRLs).
- .. _v38-0-0:
- 38.0.0 - 2022-09-06
- ~~~~~~~~~~~~~~~~~~~
- * Final deprecation of OpenSSL 1.1.0. The next release of ``cryptography``
- will drop support.
- * We no longer ship ``manylinux2010`` wheels. Users should upgrade to the
- latest ``pip`` to ensure this doesn't cause issues downloading wheels on
- their platform. We now ship ``manylinux_2_28`` wheels for users on new
- enough platforms.
- * Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0.
- Users with the latest ``pip`` will typically get a wheel and not need Rust
- installed, but check :doc:`/installation` for documentation on installing a
- newer ``rustc`` if required.
- * :meth:`~cryptography.fernet.Fernet.decrypt` and related methods now accept
- both ``str`` and ``bytes`` tokens.
- * Parsing ``CertificateSigningRequest`` restores the behavior of enforcing
- that the ``Extension`` ``critical`` field must be correctly encoded DER. See
- `the issue <https://github.com/pyca/cryptography/issues/6368>`_ for complete
- details.
- * Added two new OpenSSL functions to the bindings to support an upcoming
- ``pyOpenSSL`` release.
- * When parsing :class:`~cryptography.x509.CertificateRevocationList` and
- :class:`~cryptography.x509.CertificateSigningRequest` values, it is now
- enforced that the ``version`` value in the input must be valid according to
- the rules of :rfc:`2986` and :rfc:`5280`.
- * Using MD5 or SHA1 in :class:`~cryptography.x509.CertificateBuilder` and
- other X.509 builders is deprecated and support will be removed in the next
- version.
- * Added additional APIs to
- :class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp`, including
- :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_hash_algorithm`,
- :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_algorithm`,
- :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature`, and
- :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.extension_bytes`.
- * Added :attr:`~cryptography.x509.Certificate.tbs_precertificate_bytes`, allowing
- users to access the to-be-signed pre-certificate data needed for signed
- certificate timestamp verification.
- * :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC` and
- :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC` now support
- :attr:`~cryptography.hazmat.primitives.kdf.kbkdf.CounterLocation.MiddleFixed`
- counter location.
- * Fixed :rfc:`4514` name parsing to reverse the order of the RDNs according
- to the section 2.1 of the RFC, affecting method
- :meth:`~cryptography.x509.Name.from_rfc4514_string`.
- * It is now possible to customize some aspects of encryption when serializing
- private keys, using
- :meth:`~cryptography.hazmat.primitives.serialization.PrivateFormat.encryption_builder`.
- * Removed several legacy symbols from our OpenSSL bindings. Users of pyOpenSSL
- versions older than 22.0 will need to upgrade.
- * Added
- :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES128` and
- :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES256` classes.
- These classes do not replace
- :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` (which
- allows all AES key lengths), but are intended for applications where
- developers want to be explicit about key length.
- .. _v37-0-4:
- 37.0.4 - 2022-07-05
- ~~~~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.5.
- .. _v37-0-3:
- 37.0.3 - 2022-06-21 (YANKED)
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- .. attention::
- This release was subsequently yanked from PyPI due to a regression in OpenSSL.
- * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.4.
- .. _v37-0-2:
- 37.0.2 - 2022-05-03
- ~~~~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.3.
- * Added a constant needed for an upcoming pyOpenSSL release.
- .. _v37-0-1:
- 37.0.1 - 2022-04-27
- ~~~~~~~~~~~~~~~~~~~
- * Fixed an issue where parsing an encrypted private key with the public
- loader functions would hang waiting for console input on OpenSSL 3.0.x rather
- than raising an error.
- * Restored some legacy symbols for older ``pyOpenSSL`` users. These will be
- removed again in the future, so ``pyOpenSSL`` users should still upgrade
- to the latest version of that package when they upgrade ``cryptography``.
- .. _v37-0-0:
- 37.0.0 - 2022-04-26
- ~~~~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2.
- * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x and 3.0.x.
- The new minimum LibreSSL version is 3.1+.
- * **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier`` methods
- from the public key and private key classes. These methods were originally
- deprecated in version 2.0, but had an extended deprecation timeline due
- to usage. Any remaining users should transition to ``sign`` and ``verify``.
- * Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by
- the OpenSSL project. The next release of ``cryptography`` will be the last
- to support compiling with OpenSSL 1.1.0.
- * Deprecated Python 3.6 support. Python 3.6 is no longer supported by the
- Python core team. Support for Python 3.6 will be removed in a future
- ``cryptography`` release.
- * Deprecated the current minimum supported Rust version (MSRV) of 1.41.0.
- In the next release we will raise MSRV to 1.48.0. Users with the latest
- ``pip`` will typically get a wheel and not need Rust installed, but check
- :doc:`/installation` for documentation on installing a newer ``rustc`` if
- required.
- * Deprecated
- :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`,
- :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`,
- :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and
- :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish` because
- they are legacy algorithms with extremely low usage. These will be removed
- in a future version of ``cryptography``.
- * Added limited support for distinguished names containing a bit string.
- * We now ship ``universal2`` wheels on macOS, which contain both ``arm64``
- and ``x86_64`` architectures. Users on macOS should upgrade to the latest
- ``pip`` to ensure they can use this wheel, although we will continue to
- ship ``x86_64`` specific wheels for now to ease the transition.
- * This will be the final release for which we ship ``manylinux2010`` wheels.
- Going forward the minimum supported ``manylinux`` ABI for our wheels will
- be ``manylinux2014``. The vast majority of users will continue to receive
- ``manylinux`` wheels provided they have an up to date ``pip``. For PyPy
- wheels this release already requires ``manylinux2014`` for compatibility
- with binaries distributed by upstream.
- * Added support for multiple
- :class:`~cryptography.x509.ocsp.OCSPSingleResponse` in a
- :class:`~cryptography.x509.ocsp.OCSPResponse`.
- * Restored support for signing certificates and other structures in
- :doc:`/x509/index` with SHA3 hash algorithms.
- * :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` is
- disabled in FIPS mode.
- * Added support for serialization of PKCS#12 CA friendly names/aliases in
- :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`
- * Added support for 12-15 byte (96 to 120 bit) nonces to
- :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`. This class
- previously supported only 12 byte (96 bit).
- * Added support for
- :class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV` when using
- OpenSSL 3.0.0+.
- * Added support for serializing PKCS7 structures from a list of
- certificates with
- :class:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates`.
- * Added support for parsing :rfc:`4514` strings with
- :meth:`~cryptography.x509.Name.from_rfc4514_string`.
- * Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.AUTO` to
- :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This can
- be used to verify a signature where the salt length is not already known.
- * Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.DIGEST_LENGTH`
- to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This
- constant will set the salt length to the same length as the ``PSS`` hash
- algorithm.
- * Added support for loading RSA-PSS key types with
- :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`
- and
- :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`.
- This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a
- normal RSA private key, discarding the PSS constraint information.
- .. _v36-0-2:
- 36.0.2 - 2022-03-15
- ~~~~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n.
- .. _v36-0-1:
- 36.0.1 - 2021-12-14
- ~~~~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m.
- .. _v36-0-0:
- 36.0.0 - 2021-11-21
- ~~~~~~~~~~~~~~~~~~~
- * **FINAL DEPRECATION** Support for ``verifier`` and ``signer`` on our
- asymmetric key classes was deprecated in version 2.0. These functions had an
- extended deprecation due to usage, however the next version of
- ``cryptography`` will drop support. Users should migrate to ``sign`` and
- ``verify``.
- * The entire :doc:`/x509/index` layer is now written in Rust. This allows
- alternate asymmetric key implementations that can support cloud key
- management services or hardware security modules provided they implement
- the necessary interface (for example:
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`).
- * :ref:`Deprecated the backend argument<faq-missing-backend>` for all
- functions.
- * Added support for
- :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`.
- * Added support for iterating over arbitrary request
- :attr:`~cryptography.x509.CertificateSigningRequest.attributes`.
- * Deprecated the ``get_attribute_for_oid`` method on
- :class:`~cryptography.x509.CertificateSigningRequest` in favor of
- :meth:`~cryptography.x509.Attributes.get_attribute_for_oid` on the new
- :class:`~cryptography.x509.Attributes` object.
- * Fixed handling of PEM files to allow loading when certificate and key are
- in the same file.
- * Fixed parsing of :class:`~cryptography.x509.CertificatePolicies` extensions
- containing legacy ``BMPString`` values in their ``explicitText``.
- * Allow parsing of negative serial numbers in certificates. Negative serial
- numbers are prohibited by :rfc:`5280` so a deprecation warning will be
- raised whenever they are encountered. A future version of ``cryptography``
- will drop support for parsing them.
- * Added support for parsing PKCS12 files with friendly names for all
- certificates with
- :func:`~cryptography.hazmat.primitives.serialization.pkcs12.load_pkcs12`,
- which will return an object of type
- :class:`~cryptography.hazmat.primitives.serialization.pkcs12.PKCS12KeyAndCertificates`.
- * :meth:`~cryptography.x509.Name.rfc4514_string` and related methods now have
- an optional ``attr_name_overrides`` parameter to supply custom OID to name
- mappings, which can be used to match vendor-specific extensions.
- * **BACKWARDS INCOMPATIBLE:** Reverted the nonstandard formatting of
- email address fields as ``E`` in
- :meth:`~cryptography.x509.Name.rfc4514_string` methods from version 35.0.
- The previous behavior can be restored with:
- ``name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})``
- * Allow
- :class:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey`
- and
- :class:`~cryptography.hazmat.primitives.asymmetric.x448.X448PublicKey` to
- be used as public keys when parsing certificates or creating them with
- :class:`~cryptography.x509.CertificateBuilder`. These key types must be
- signed with a different signing algorithm as ``X25519`` and ``X448`` do
- not support signing.
- * Extension values can now be serialized to a DER byte string by calling
- :func:`~cryptography.x509.ExtensionType.public_bytes`.
- * Added experimental support for compiling against BoringSSL. As BoringSSL
- does not commit to a stable API, ``cryptography`` tests against the
- latest commit only. Please note that several features are not available
- when building against BoringSSL.
- * Parsing ``CertificateSigningRequest`` from DER and PEM now, for a limited
- time period, allows the ``Extension`` ``critical`` field to be incorrectly
- encoded. See `the issue <https://github.com/pyca/cryptography/issues/6368>`_
- for complete details. This will be reverted in a future ``cryptography``
- release.
- * When :class:`~cryptography.x509.OCSPNonce` are parsed and generated their
- value is now correctly wrapped in an ASN.1 ``OCTET STRING``. This conforms
- to :rfc:`6960` but conflicts with the original behavior specified in
- :rfc:`2560`. For a temporary period for backwards compatibility, we will
- also parse values that are encoded as specified in :rfc:`2560` but this
- behavior will be removed in a future release.
- .. _v35-0-0:
- 35.0.0 - 2021-09-29
- ~~~~~~~~~~~~~~~~~~~
- * Changed the :ref:`version scheme <api-stability:versioning>`. This will
- result in us incrementing the major version more frequently, but does not
- change our existing backwards compatibility policy.
- * **BACKWARDS INCOMPATIBLE:** The :doc:`/x509/index` PEM parsers now require
- that the PEM string passed have PEM delimiters of the correct type. For
- example, parsing a private key PEM concatenated with a certificate PEM will
- no longer be accepted by the PEM certificate parser.
- * **BACKWARDS INCOMPATIBLE:** The X.509 certificate parser no longer allows
- negative serial numbers. :rfc:`5280` has always prohibited these.
- * **BACKWARDS INCOMPATIBLE:** Additional forms of invalid ASN.1 found during
- :doc:`/x509/index` parsing will raise an error on initial parse rather than
- when the malformed field is accessed.
- * Rust is now required for building ``cryptography``, the
- ``CRYPTOGRAPHY_DONT_BUILD_RUST`` environment variable is no longer
- respected.
- * Parsers for :doc:`/x509/index` no longer use OpenSSL and have been
- rewritten in Rust. This should be backwards compatible (modulo the items
- listed above) and improve both security and performance.
- * Added support for OpenSSL 3.0.0 as a compilation target.
- * Added support for
- :class:`~cryptography.hazmat.primitives.hashes.SM3` and
- :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SM4`,
- when using OpenSSL 1.1.1. These algorithms are provided for compatibility
- in regions where they may be required, and are not generally recommended.
- * We now ship ``manylinux_2_24`` and ``musllinux_1_1`` wheels, in addition to
- our ``manylinux2010`` and ``manylinux2014`` wheels. Users on distributions
- like Alpine Linux should ensure they upgrade to the latest ``pip`` to
- correctly receive wheels.
- * Added ``rfc4514_attribute_name`` attribute to :attr:`x509.NameAttribute
- <cryptography.x509.NameAttribute.rfc4514_attribute_name>`.
- * Added :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC`.
- .. _v3-4-8:
- 3.4.8 - 2021-08-24
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
- OpenSSL 1.1.1l.
- .. _v3-4-7:
- 3.4.7 - 2021-03-25
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
- OpenSSL 1.1.1k.
- .. _v3-4-6:
- 3.4.6 - 2021-02-16
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
- OpenSSL 1.1.1j.
- .. _v3-4-5:
- 3.4.5 - 2021-02-13
- ~~~~~~~~~~~~~~~~~~
- * Various improvements to type hints.
- * Lower the minimum supported Rust version (MSRV) to >=1.41.0. This change
- improves compatibility with system-provided Rust on several Linux
- distributions.
- * ``cryptography`` will be switching to a new versioning scheme with its next
- feature release. More information is available in our
- :doc:`/api-stability` documentation.
- .. _v3-4-4:
- 3.4.4 - 2021-02-09
- ~~~~~~~~~~~~~~~~~~
- * Added a ``py.typed`` file so that ``mypy`` will know to use our type
- annotations.
- * Fixed an import cycle that could be triggered by certain import sequences.
- .. _v3-4-3:
- 3.4.3 - 2021-02-08
- ~~~~~~~~~~~~~~~~~~
- * Specify our supported Rust version (>=1.45.0) in our ``setup.py`` so users
- on older versions will get a clear error message.
- .. _v3-4-2:
- 3.4.2 - 2021-02-08
- ~~~~~~~~~~~~~~~~~~
- * Improvements to make the rust transition a bit easier. This includes some
- better error messages and small dependency fixes. If you experience
- installation problems **Be sure to update pip** first, then check the
- :doc:`FAQ </faq>`.
- .. _v3-4-1:
- 3.4.1 - 2021-02-07
- ~~~~~~~~~~~~~~~~~~
- * Fixed a circular import issue.
- * Added additional debug output to assist users seeing installation errors
- due to outdated ``pip`` or missing ``rustc``.
- .. _v3-4:
- 3.4 - 2021-02-07
- ~~~~~~~~~~~~~~~~
- * **BACKWARDS INCOMPATIBLE:** Support for Python 2 has been removed.
- * We now ship ``manylinux2014`` wheels and no longer ship ``manylinux1``
- wheels. Users should upgrade to the latest ``pip`` to ensure this doesn't
- cause issues downloading wheels on their platform.
- * ``cryptography`` now incorporates Rust code. Users building ``cryptography``
- themselves will need to have the Rust toolchain installed. Users who use an
- officially produced wheel will not need to make any changes. The minimum
- supported Rust version is 1.45.0.
- * ``cryptography`` now has :pep:`484` type hints on nearly all of of its public
- APIs. Users can begin using them to type check their code with ``mypy``.
- .. _v3-3-2:
- 3.3.2 - 2021-02-07
- ~~~~~~~~~~~~~~~~~~
- * **SECURITY ISSUE:** Fixed a bug where certain sequences of ``update()`` calls
- when symmetrically encrypting very large payloads (>2GB) could result in an
- integer overflow, leading to buffer overflows. *CVE-2020-36242* **Update:**
- This fix is a workaround for *CVE-2021-23840* in OpenSSL, fixed in OpenSSL
- 1.1.1j.
- .. _v3-3-1:
- 3.3.1 - 2020-12-09
- ~~~~~~~~~~~~~~~~~~
- * Re-added a legacy symbol causing problems for older ``pyOpenSSL`` users.
- .. _v3-3:
- 3.3 - 2020-12-08
- ~~~~~~~~~~~~~~~~
- * **BACKWARDS INCOMPATIBLE:** Support for Python 3.5 has been removed due to
- low usage and maintenance burden.
- * **BACKWARDS INCOMPATIBLE:** The
- :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` and
- :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM` now require
- 64-bit to 1024-bit (8 byte to 128 byte) initialization vectors. This change
- is to conform with an upcoming OpenSSL release that will no longer support
- sizes outside this window.
- * **BACKWARDS INCOMPATIBLE:** When deserializing asymmetric keys we now
- raise ``ValueError`` rather than ``UnsupportedAlgorithm`` when an
- unsupported cipher is used. This change is to conform with an upcoming
- OpenSSL release that will no longer distinguish between error types.
- * **BACKWARDS INCOMPATIBLE:** We no longer allow loading of finite field
- Diffie-Hellman parameters of less than 512 bits in length. This change is to
- conform with an upcoming OpenSSL release that no longer supports smaller
- sizes. These keys were already wildly insecure and should not have been used
- in any application outside of testing.
- * Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
- OpenSSL 1.1.1i.
- * Python 2 support is deprecated in ``cryptography``. This is the last release
- that will support Python 2.
- * Added the
- :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey.recover_data_from_signature`
- function to
- :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`
- for recovering the signed data from an RSA signature.
- .. _v3-2-1:
- 3.2.1 - 2020-10-27
- ~~~~~~~~~~~~~~~~~~
- * Disable blinding on RSA public keys to address an error with some versions
- of OpenSSL.
- .. _v3-2:
- 3.2 - 2020-10-25
- ~~~~~~~~~~~~~~~~
- * **SECURITY ISSUE:** Attempted to make RSA PKCS#1v1.5 decryption more constant
- time, to protect against Bleichenbacher vulnerabilities. Due to limitations
- imposed by our API, we cannot completely mitigate this vulnerability and a
- future release will contain a new API which is designed to be resilient to
- these for contexts where it is required. Credit to **Hubert Kario** for
- reporting the issue. *CVE-2020-25659*
- * Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL
- will need to upgrade.
- * Added basic support for PKCS7 signing (including SMIME) via
- :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder`.
- .. _v3-1-1:
- 3.1.1 - 2020-09-22
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
- OpenSSL 1.1.1h.
- .. _v3-1:
- 3.1 - 2020-08-26
- ~~~~~~~~~~~~~~~~
- * **BACKWARDS INCOMPATIBLE:** Removed support for ``idna`` based
- :term:`U-label` parsing in various X.509 classes. This support was originally
- deprecated in version 2.1 and moved to an extra in 2.5.
- * Deprecated OpenSSL 1.0.2 support. OpenSSL 1.0.2 is no longer supported by
- the OpenSSL project. The next version of ``cryptography`` will drop support
- for it.
- * Deprecated support for Python 3.5. This version sees very little use and will
- be removed in the next release.
- * ``backend`` arguments to functions are no longer required and the
- default backend will automatically be selected if no ``backend`` is provided.
- * Added initial support for parsing certificates from PKCS7 files with
- :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
- and
- :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`
- .
- * Calling ``update`` or ``update_into`` on
- :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with ``data``
- longer than 2\ :sup:`31` bytes no longer raises an ``OverflowError``. This
- also resolves the same issue in :doc:`/fernet`.
- .. _v3-0:
- 3.0 - 2020-07-20
- ~~~~~~~~~~~~~~~~
- * **BACKWARDS INCOMPATIBLE:** Removed support for passing an
- :class:`~cryptography.x509.Extension` instance to
- :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`,
- as per our deprecation policy.
- * **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has
- been removed (2.9.1+ is still supported).
- * **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.9, macOS users must
- upgrade to 10.10 or newer.
- * **BACKWARDS INCOMPATIBLE:** RSA
- :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key`
- no longer accepts ``public_exponent`` values except 65537 and 3 (the latter
- for legacy purposes).
- * **BACKWARDS INCOMPATIBLE:** X.509 certificate parsing now enforces that the
- ``version`` field contains a valid value, rather than deferring this check
- until :attr:`~cryptography.x509.Certificate.version` is accessed.
- * Deprecated support for Python 2. At the time there is no time table for
- actually dropping support, however we strongly encourage all users to upgrade
- their Python, as Python 2 no longer receives support from the Python core
- team.
- If you have trouble suppressing this warning in tests view the :ref:`FAQ
- entry addressing this issue <faq-howto-handle-deprecation-warning>`.
- * Added support for ``OpenSSH`` serialization format for
- ``ec``, ``ed25519``, ``rsa`` and ``dsa`` private keys:
- :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`
- for loading and
- :attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.OpenSSH`
- for writing.
- * Added support for ``OpenSSH`` certificates to
- :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`.
- * Added :meth:`~cryptography.fernet.Fernet.encrypt_at_time` and
- :meth:`~cryptography.fernet.Fernet.decrypt_at_time` to
- :class:`~cryptography.fernet.Fernet`.
- * Added support for the :class:`~cryptography.x509.SubjectInformationAccess`
- X.509 extension.
- * Added support for parsing
- :class:`~cryptography.x509.SignedCertificateTimestamps` in OCSP responses.
- * Added support for parsing attributes in certificate signing requests via
- ``CertificateSigningRequest.get_attribute_for_oid``.
- * Added support for encoding attributes in certificate signing requests via
- :meth:`~cryptography.x509.CertificateSigningRequestBuilder.add_attribute`.
- * On OpenSSL 1.1.1d and higher ``cryptography`` now uses OpenSSL's
- built-in CSPRNG instead of its own OS random engine because these versions of
- OpenSSL properly reseed on fork.
- * Added initial support for creating PKCS12 files with
- :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`.
- .. _v2-9-2:
- 2.9.2 - 2020-04-22
- ~~~~~~~~~~~~~~~~~~
- * Updated the macOS wheel to fix an issue where it would not run on macOS
- versions older than 10.15.
- .. _v2-9-1:
- 2.9.1 - 2020-04-21
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
- OpenSSL 1.1.1g.
- .. _v2-9:
- 2.9 - 2020-04-02
- ~~~~~~~~~~~~~~~~
- * **BACKWARDS INCOMPATIBLE:** Support for Python 3.4 has been removed due to
- low usage and maintenance burden.
- * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.0.1 has been removed.
- Users on older version of OpenSSL will need to upgrade.
- * **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.6.x has been removed.
- * Removed support for calling
- :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey.public_bytes`
- with no arguments, as per our deprecation policy. You must now pass
- ``encoding`` and ``format``.
- * **BACKWARDS INCOMPATIBLE:** Reversed the order in which
- :meth:`~cryptography.x509.Name.rfc4514_string` returns the RDNs
- as required by :rfc:`4514`.
- * Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
- OpenSSL 1.1.1f.
- * Added support for parsing
- :attr:`~cryptography.x509.ocsp.OCSPResponse.single_extensions` in an OCSP
- response.
- * :class:`~cryptography.x509.NameAttribute` values can now be empty strings.
- .. _v2-8:
- 2.8 - 2019-10-16
- ~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
- OpenSSL 1.1.1d.
- * Added support for Python 3.8.
- * Added class methods
- :meth:`Poly1305.generate_tag
- <cryptography.hazmat.primitives.poly1305.Poly1305.generate_tag>`
- and
- :meth:`Poly1305.verify_tag
- <cryptography.hazmat.primitives.poly1305.Poly1305.verify_tag>`
- for Poly1305 sign and verify operations.
- * Deprecated support for OpenSSL 1.0.1. Support will be removed in
- ``cryptography`` 2.9.
- * We now ship ``manylinux2010`` wheels in addition to our ``manylinux1``
- wheels.
- * Added support for ``ed25519`` and ``ed448`` keys in the
- :class:`~cryptography.x509.CertificateBuilder`,
- :class:`~cryptography.x509.CertificateSigningRequestBuilder`,
- :class:`~cryptography.x509.CertificateRevocationListBuilder` and
- :class:`~cryptography.x509.ocsp.OCSPResponseBuilder`.
- * ``cryptography`` no longer depends on ``asn1crypto``.
- * :class:`~cryptography.x509.FreshestCRL` is now allowed as a
- :class:`~cryptography.x509.CertificateRevocationList` extension.
- .. _v2-7:
- 2.7 - 2019-05-30
- ~~~~~~~~~~~~~~~~
- * **BACKWARDS INCOMPATIBLE:** We no longer distribute 32-bit ``manylinux1``
- wheels. Continuing to produce them was a maintenance burden.
- * **BACKWARDS INCOMPATIBLE:** Removed the
- ``cryptography.hazmat.primitives.mac.MACContext`` interface. The ``CMAC`` and
- ``HMAC`` APIs have not changed, but they are no longer registered as
- ``MACContext`` instances.
- * Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
- OpenSSL 1.1.1c.
- * Removed support for running our tests with ``setup.py test``. Users
- interested in running our tests can continue to follow the directions in our
- :doc:`development documentation</development/getting-started>`.
- * Add support for :class:`~cryptography.hazmat.primitives.poly1305.Poly1305`
- when using OpenSSL 1.1.1 or newer.
- * Support serialization with ``Encoding.OpenSSH`` and ``PublicFormat.OpenSSH``
- in
- :meth:`Ed25519PublicKey.public_bytes
- <cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey.public_bytes>`
- .
- * Correctly allow passing a ``SubjectKeyIdentifier`` to
- :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`
- and deprecate passing an ``Extension`` object. The documentation always
- required ``SubjectKeyIdentifier`` but the implementation previously
- required an ``Extension``.
- .. _v2-6-1:
- 2.6.1 - 2019-02-27
- ~~~~~~~~~~~~~~~~~~
- * Resolved an error in our build infrastructure that broke our Python3 wheels
- for macOS and Linux.
- .. _v2-6:
- 2.6 - 2019-02-27
- ~~~~~~~~~~~~~~~~
- * **BACKWARDS INCOMPATIBLE:** Removed
- ``cryptography.hazmat.primitives.asymmetric.utils.encode_rfc6979_signature``
- and
- ``cryptography.hazmat.primitives.asymmetric.utils.decode_rfc6979_signature``,
- which had been deprecated for nearly 4 years. Use
- :func:`~cryptography.hazmat.primitives.asymmetric.utils.encode_dss_signature`
- and
- :func:`~cryptography.hazmat.primitives.asymmetric.utils.decode_dss_signature`
- instead.
- * **BACKWARDS INCOMPATIBLE**: Removed ``cryptography.x509.Certificate.serial``,
- which had been deprecated for nearly 3 years. Use
- :attr:`~cryptography.x509.Certificate.serial_number` instead.
- * Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
- OpenSSL 1.1.1b.
- * Added support for :doc:`/hazmat/primitives/asymmetric/ed448` when using
- OpenSSL 1.1.1b or newer.
- * Added support for :doc:`/hazmat/primitives/asymmetric/ed25519` when using
- OpenSSL 1.1.1b or newer.
- * :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` can
- now load ``ed25519`` public keys.
- * Add support for easily mapping an object identifier to its elliptic curve
- class via
- :func:`~cryptography.hazmat.primitives.asymmetric.ec.get_curve_for_oid`.
- * Add support for OpenSSL when compiled with the ``no-engine``
- (``OPENSSL_NO_ENGINE``) flag.
- .. _v2-5:
- 2.5 - 2019-01-22
- ~~~~~~~~~~~~~~~~
- * **BACKWARDS INCOMPATIBLE:** :term:`U-label` strings were deprecated in
- version 2.1, but this version removes the default ``idna`` dependency as
- well. If you still need this deprecated path please install cryptography
- with the ``idna`` extra: ``pip install cryptography[idna]``.
- * **BACKWARDS INCOMPATIBLE:** The minimum supported PyPy version is now 5.4.
- * Numerous classes and functions have been updated to allow :term:`bytes-like`
- types for keying material and passwords, including symmetric algorithms, AEAD
- ciphers, KDFs, loading asymmetric keys, and one time password classes.
- * Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
- OpenSSL 1.1.1a.
- * Added support for :class:`~cryptography.hazmat.primitives.hashes.SHA512_224`
- and :class:`~cryptography.hazmat.primitives.hashes.SHA512_256` when using
- OpenSSL 1.1.1.
- * Added support for :class:`~cryptography.hazmat.primitives.hashes.SHA3_224`,
- :class:`~cryptography.hazmat.primitives.hashes.SHA3_256`,
- :class:`~cryptography.hazmat.primitives.hashes.SHA3_384`, and
- :class:`~cryptography.hazmat.primitives.hashes.SHA3_512` when using OpenSSL
- 1.1.1.
- * Added support for :doc:`/hazmat/primitives/asymmetric/x448` when using
- OpenSSL 1.1.1.
- * Added support for :class:`~cryptography.hazmat.primitives.hashes.SHAKE128`
- and :class:`~cryptography.hazmat.primitives.hashes.SHAKE256` when using
- OpenSSL 1.1.1.
- * Added initial support for parsing PKCS12 files with
- :func:`~cryptography.hazmat.primitives.serialization.pkcs12.load_key_and_certificates`.
- * Added support for :class:`~cryptography.x509.IssuingDistributionPoint`.
- * Added ``rfc4514_string()`` method to
- :meth:`x509.Name <cryptography.x509.Name.rfc4514_string>`,
- :meth:`x509.RelativeDistinguishedName
- <cryptography.x509.RelativeDistinguishedName.rfc4514_string>`, and
- :meth:`x509.NameAttribute <cryptography.x509.NameAttribute.rfc4514_string>`
- to format the name or component an :rfc:`4514` Distinguished Name string.
- * Added
- :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point`,
- which immediately checks if the point is on the curve and supports compressed
- points. Deprecated the previous method
- :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`.
- * Added :attr:`~cryptography.x509.ocsp.OCSPResponse.signature_hash_algorithm`
- to ``OCSPResponse``.
- * Updated :doc:`/hazmat/primitives/asymmetric/x25519` support to allow
- additional serialization methods. Calling
- :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey.public_bytes`
- with no arguments has been deprecated.
- * Added support for encoding compressed and uncompressed points via
- :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes`. Deprecated the previous method
- ``cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point``.
- .. _v2-4-2:
- 2.4.2 - 2018-11-21
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
- OpenSSL 1.1.0j.
- .. _v2-4-1:
- 2.4.1 - 2018-11-11
- ~~~~~~~~~~~~~~~~~~
- * Fixed a build breakage in our ``manylinux1`` wheels.
- .. _v2-4:
- 2.4 - 2018-11-11
- ~~~~~~~~~~~~~~~~
- * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.4.x.
- * Deprecated OpenSSL 1.0.1 support. OpenSSL 1.0.1 is no longer supported by
- the OpenSSL project. At this time there is no time table for dropping
- support, however we strongly encourage all users to upgrade or install
- ``cryptography`` from a wheel.
- * Added initial :doc:`OCSP </x509/ocsp>` support.
- * Added support for :class:`~cryptography.x509.PrecertPoison`.
- .. _v2-3-1:
- 2.3.1 - 2018-08-14
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
- OpenSSL 1.1.0i.
- .. _v2-3:
- 2.3 - 2018-07-18
- ~~~~~~~~~~~~~~~~
- * **SECURITY ISSUE:**
- :meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag`
- allowed tag truncation by default which can allow tag forgery in some cases.
- The method now enforces the ``min_tag_length`` provided to the
- :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` constructor.
- *CVE-2018-10903*
- * Added support for Python 3.7.
- * Added :meth:`~cryptography.fernet.Fernet.extract_timestamp` to get the
- authenticated timestamp of a :doc:`Fernet </fernet>` token.
- * Support for Python 2.7.x without ``hmac.compare_digest`` has been deprecated.
- We will require Python 2.7.7 or higher (or 2.7.6 on Ubuntu) in the next
- ``cryptography`` release.
- * Fixed multiple issues preventing ``cryptography`` from compiling against
- LibreSSL 2.7.x.
- * Added
- :class:`~cryptography.x509.CertificateRevocationList.get_revoked_certificate_by_serial_number`
- for quick serial number searches in CRLs.
- * The :class:`~cryptography.x509.RelativeDistinguishedName` class now
- preserves the order of attributes. Duplicate attributes now raise an error
- instead of silently discarding duplicates.
- * :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap` and
- :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding`
- now raise :class:`~cryptography.hazmat.primitives.keywrap.InvalidUnwrap` if
- the wrapped key is an invalid length, instead of ``ValueError``.
- .. _v2-2-2:
- 2.2.2 - 2018-03-27
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
- OpenSSL 1.1.0h.
- .. _v2-2-1:
- 2.2.1 - 2018-03-20
- ~~~~~~~~~~~~~~~~~~
- * Reverted a change to ``GeneralNames`` which prohibited having zero elements,
- due to breakages.
- * Fixed a bug in
- :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding`
- that caused it to raise ``InvalidUnwrap`` when key length modulo 8 was
- zero.
- .. _v2-2:
- 2.2 - 2018-03-19
- ~~~~~~~~~~~~~~~~
- * **BACKWARDS INCOMPATIBLE:** Support for Python 2.6 has been dropped.
- * Resolved a bug in ``HKDF`` that incorrectly constrained output size.
- * Added :class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP256R1`,
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP384R1`, and
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP512R1` to
- support inter-operating with systems like German smart meters.
- * Added token rotation support to :doc:`Fernet </fernet>` with
- :meth:`~cryptography.fernet.MultiFernet.rotate`.
- * Fixed a memory leak in
- :func:`~cryptography.hazmat.primitives.asymmetric.ec.derive_private_key`.
- * Added support for AES key wrapping with padding via
- :func:`~cryptography.hazmat.primitives.keywrap.aes_key_wrap_with_padding`
- and
- :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding`
- .
- * Allow loading DSA keys with 224 bit ``q``.
- .. _v2-1-4:
- 2.1.4 - 2017-11-29
- ~~~~~~~~~~~~~~~~~~
- * Added ``X509_up_ref`` for an upcoming ``pyOpenSSL`` release.
- .. _v2-1-3:
- 2.1.3 - 2017-11-02
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
- OpenSSL 1.1.0g.
- .. _v2-1-2:
- 2.1.2 - 2017-10-24
- ~~~~~~~~~~~~~~~~~~
- * Corrected a bug with the ``manylinux1`` wheels where OpenSSL's stack was
- marked executable.
- .. _v2-1-1:
- 2.1.1 - 2017-10-12
- ~~~~~~~~~~~~~~~~~~
- * Fixed support for install with the system ``pip`` on Ubuntu 16.04.
- .. _v2-1:
- 2.1 - 2017-10-11
- ~~~~~~~~~~~~~~~~
- * **FINAL DEPRECATION** Python 2.6 support is deprecated, and will be removed
- in the next release of ``cryptography``.
- * **BACKWARDS INCOMPATIBLE:** ``Whirlpool``, ``RIPEMD160``, and
- ``UnsupportedExtension`` have been removed in accordance with our
- :doc:`/api-stability` policy.
- * **BACKWARDS INCOMPATIBLE:**
- :attr:`DNSName.value <cryptography.x509.DNSName.value>`,
- :attr:`RFC822Name.value <cryptography.x509.RFC822Name.value>`, and
- :attr:`UniformResourceIdentifier.value
- <cryptography.x509.UniformResourceIdentifier.value>`
- will now return an :term:`A-label` string when parsing a certificate
- containing an internationalized domain name (IDN) or if the caller passed
- a :term:`U-label` to the constructor. See below for additional deprecations
- related to this change.
- * Installing ``cryptography`` now requires ``pip`` 6 or newer.
- * Deprecated passing :term:`U-label` strings to the
- :class:`~cryptography.x509.DNSName`,
- :class:`~cryptography.x509.UniformResourceIdentifier`, and
- :class:`~cryptography.x509.RFC822Name` constructors. Instead, users should
- pass values as :term:`A-label` strings with ``idna`` encoding if necessary.
- This change will not affect anyone who is not processing internationalized
- domains.
- * Added support for
- :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20`. In
- most cases users should choose
- :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`
- rather than using this unauthenticated form.
- * Added :meth:`~cryptography.x509.CertificateRevocationList.is_signature_valid`
- to :class:`~cryptography.x509.CertificateRevocationList`.
- * Support :class:`~cryptography.hazmat.primitives.hashes.BLAKE2b` and
- :class:`~cryptography.hazmat.primitives.hashes.BLAKE2s` with
- :class:`~cryptography.hazmat.primitives.hmac.HMAC`.
- * Added support for
- :class:`~cryptography.hazmat.primitives.ciphers.modes.XTS` mode for
- AES.
- * Added support for using labels with
- :class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP` when using
- OpenSSL 1.0.2 or greater.
- * Improved compatibility with NSS when issuing certificates from an issuer
- that has a subject with non-``UTF8String`` string types.
- * Add support for the :class:`~cryptography.x509.DeltaCRLIndicator` extension.
- * Add support for the :class:`~cryptography.x509.TLSFeature`
- extension. This is commonly used for enabling ``OCSP Must-Staple`` in
- certificates.
- * Add support for the :class:`~cryptography.x509.FreshestCRL` extension.
- .. _v2-0-3:
- 2.0.3 - 2017-08-03
- ~~~~~~~~~~~~~~~~~~
- * Fixed an issue with weak linking symbols when compiling on macOS
- versions older than 10.12.
- .. _v2-0-2:
- 2.0.2 - 2017-07-27
- ~~~~~~~~~~~~~~~~~~
- * Marked all symbols as hidden in the ``manylinux1`` wheel to avoid a
- bug with symbol resolution in certain scenarios.
- .. _v2-0-1:
- 2.0.1 - 2017-07-26
- ~~~~~~~~~~~~~~~~~~
- * Fixed a compilation bug affecting OpenBSD.
- * Altered the ``manylinux1`` wheels to statically link OpenSSL instead of
- dynamically linking and bundling the shared object. This should resolve
- crashes seen when using ``uwsgi`` or other binaries that link against
- OpenSSL independently.
- * Fixed the stack level for the ``signer`` and ``verifier`` warnings.
- .. _v2-0:
- 2.0 - 2017-07-17
- ~~~~~~~~~~~~~~~~
- * **BACKWARDS INCOMPATIBLE:** Support for Python 3.3 has been dropped.
- * We now ship ``manylinux1`` wheels linked against OpenSSL 1.1.0f. These wheels
- will be automatically used with most Linux distributions if you are running
- the latest pip.
- * Deprecated the use of ``signer`` on
- :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`,
- and
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
- in favor of ``sign``.
- * Deprecated the use of ``verifier`` on
- :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`,
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`,
- and
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
- in favor of ``verify``.
- * Added support for parsing
- :class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp`
- objects from X.509 certificate extensions.
- * Added support for
- :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`.
- * Added support for
- :class:`~cryptography.hazmat.primitives.ciphers.aead.AESCCM`.
- * Added
- :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM`, a "one shot"
- API for AES GCM encryption.
- * Added support for :doc:`/hazmat/primitives/asymmetric/x25519`.
- * Added support for serializing and deserializing Diffie-Hellman parameters
- with
- :func:`~cryptography.hazmat.primitives.serialization.load_pem_parameters`,
- :func:`~cryptography.hazmat.primitives.serialization.load_der_parameters`,
- and
- :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters.parameter_bytes`
- .
- * The ``extensions`` attribute on :class:`~cryptography.x509.Certificate`,
- :class:`~cryptography.x509.CertificateSigningRequest`,
- :class:`~cryptography.x509.CertificateRevocationList`, and
- :class:`~cryptography.x509.RevokedCertificate` now caches the computed
- ``Extensions`` object. There should be no performance change, just a
- performance improvement for programs accessing the ``extensions`` attribute
- multiple times.
- .. _v1-9:
- 1.9 - 2017-05-29
- ~~~~~~~~~~~~~~~~
- * **BACKWARDS INCOMPATIBLE:** Elliptic Curve signature verification no longer
- returns ``True`` on success. This brings it in line with the interface's
- documentation, and our intent. The correct way to use
- :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.verify`
- has always been to check whether or not
- :class:`~cryptography.exceptions.InvalidSignature` was raised.
- * **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.7 and 10.8.
- * **BACKWARDS INCOMPATIBLE:** The minimum supported PyPy version is now 5.3.
- * Python 3.3 support has been deprecated, and will be removed in the next
- ``cryptography`` release.
- * Add support for providing ``tag`` during
- :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` finalization via
- :meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag`.
- * Fixed an issue preventing ``cryptography`` from compiling against
- LibreSSL 2.5.x.
- * Added
- :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.key_size`
- and
- :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.key_size`
- as convenience methods for determining the bit size of a secret scalar for
- the curve.
- * Accessing an unrecognized extension marked critical on an X.509 object will
- no longer raise an ``UnsupportedExtension`` exception, instead an
- :class:`~cryptography.x509.UnrecognizedExtension` object will be returned.
- This behavior was based on a poor reading of the RFC, unknown critical
- extensions only need to be rejected on certificate verification.
- * The CommonCrypto backend has been removed.
- * MultiBackend has been removed.
- * ``Whirlpool`` and ``RIPEMD160`` have been deprecated.
- .. _v1-8-2:
- 1.8.2 - 2017-05-26
- ~~~~~~~~~~~~~~~~~~
- * Fixed a compilation bug affecting OpenSSL 1.1.0f.
- * Updated Windows and macOS wheels to be compiled against OpenSSL 1.1.0f.
- .. _v1-8-1:
- 1.8.1 - 2017-03-10
- ~~~~~~~~~~~~~~~~~~
- * Fixed macOS wheels to properly link against 1.1.0 rather than 1.0.2.
- .. _v1-8:
- 1.8 - 2017-03-09
- ~~~~~~~~~~~~~~~~
- * Added support for Python 3.6.
- * Windows and macOS wheels now link against OpenSSL 1.1.0.
- * macOS wheels are no longer universal. This change significantly shrinks the
- size of the wheels. Users on macOS 32-bit Python (if there are any) should
- migrate to 64-bit or build their own packages.
- * Changed ASN.1 dependency from ``pyasn1`` to ``asn1crypto`` resulting in a
- general performance increase when encoding/decoding ASN.1 structures. Also,
- the ``pyasn1_modules`` test dependency is no longer required.
- * Added support for
- :meth:`~cryptography.hazmat.primitives.ciphers.CipherContext.update_into` on
- :class:`~cryptography.hazmat.primitives.ciphers.CipherContext`.
- * Added
- :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.private_bytes`
- to
- :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`.
- * Added
- :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKey.public_bytes`
- to
- :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKey`.
- * :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`
- and
- :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`
- now require that ``password`` must be bytes if provided. Previously this
- was documented but not enforced.
- * Added support for subgroup order in :doc:`/hazmat/primitives/asymmetric/dh`.
- .. _v1-7-2:
- 1.7.2 - 2017-01-27
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows and macOS wheels to be compiled against OpenSSL 1.0.2k.
- .. _v1-7-1:
- 1.7.1 - 2016-12-13
- ~~~~~~~~~~~~~~~~~~
- * Fixed a regression in ``int_from_bytes`` where it failed to accept
- ``bytearray``.
- .. _v1-7:
- 1.7 - 2016-12-12
- ~~~~~~~~~~~~~~~~
- * Support for OpenSSL 1.0.0 has been removed. Users on older version of OpenSSL
- will need to upgrade.
- * Added support for Diffie-Hellman key exchange using
- :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.
- * The OS random engine for OpenSSL has been rewritten to improve compatibility
- with embedded Python and other edge cases. More information about this change
- can be found in the
- `pull request <https://github.com/pyca/cryptography/pull/3229>`_.
- .. _v1-6:
- 1.6 - 2016-11-22
- ~~~~~~~~~~~~~~~~
- * Deprecated support for OpenSSL 1.0.0. Support will be removed in
- ``cryptography`` 1.7.
- * Replaced the Python-based OpenSSL locking callbacks with a C version to fix
- a potential deadlock that could occur if a garbage collection cycle occurred
- while inside the lock.
- * Added support for :class:`~cryptography.hazmat.primitives.hashes.BLAKE2b` and
- :class:`~cryptography.hazmat.primitives.hashes.BLAKE2s` when using OpenSSL
- 1.1.0.
- * Added
- :attr:`~cryptography.x509.Certificate.signature_algorithm_oid` support to
- :class:`~cryptography.x509.Certificate`.
- * Added
- :attr:`~cryptography.x509.CertificateSigningRequest.signature_algorithm_oid`
- support to :class:`~cryptography.x509.CertificateSigningRequest`.
- * Added
- :attr:`~cryptography.x509.CertificateRevocationList.signature_algorithm_oid`
- support to :class:`~cryptography.x509.CertificateRevocationList`.
- * Added support for :class:`~cryptography.hazmat.primitives.kdf.scrypt.Scrypt`
- when using OpenSSL 1.1.0.
- * Added a workaround to improve compatibility with Python application bundling
- tools like ``PyInstaller`` and ``cx_freeze``.
- * Added support for generating a
- :meth:`~cryptography.x509.random_serial_number`.
- * Added support for encoding ``IPv4Network`` and ``IPv6Network`` in X.509
- certificates for use with :class:`~cryptography.x509.NameConstraints`.
- * Added :meth:`~cryptography.x509.Name.public_bytes` to
- :class:`~cryptography.x509.Name`.
- * Added :class:`~cryptography.x509.RelativeDistinguishedName`
- * :class:`~cryptography.x509.DistributionPoint` now accepts
- :class:`~cryptography.x509.RelativeDistinguishedName` for
- :attr:`~cryptography.x509.DistributionPoint.relative_name`.
- Deprecated use of :class:`~cryptography.x509.Name` as
- :attr:`~cryptography.x509.DistributionPoint.relative_name`.
- * :class:`~cryptography.x509.Name` now accepts an iterable of
- :class:`~cryptography.x509.RelativeDistinguishedName`. RDNs can
- be accessed via the :attr:`~cryptography.x509.Name.rdns`
- attribute. When constructed with an iterable of
- :class:`~cryptography.x509.NameAttribute`, each attribute becomes
- a single-valued RDN.
- * Added
- :func:`~cryptography.hazmat.primitives.asymmetric.ec.derive_private_key`.
- * Added support for signing and verifying RSA, DSA, and ECDSA signatures with
- :class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed`
- digests.
- .. _v1-5-3:
- 1.5.3 - 2016-11-05
- ~~~~~~~~~~~~~~~~~~
- * **SECURITY ISSUE**: Fixed a bug where ``HKDF`` would return an empty
- byte-string if used with a ``length`` less than ``algorithm.digest_size``.
- Credit to **Markus Döring** for reporting the issue. *CVE-2016-9243*
- .. _v1-5-2:
- 1.5.2 - 2016-09-26
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2j.
- .. _v1-5-1:
- 1.5.1 - 2016-09-22
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2i.
- * Resolved a ``UserWarning`` when used with cffi 1.8.3.
- * Fixed a memory leak in name creation with X.509.
- * Added a workaround for old versions of setuptools.
- * Fixed an issue preventing ``cryptography`` from compiling against
- OpenSSL 1.0.2i.
- .. _v1-5:
- 1.5 - 2016-08-26
- ~~~~~~~~~~~~~~~~
- * Added
- :func:`~cryptography.hazmat.primitives.asymmetric.padding.calculate_max_pss_salt_length`.
- * Added "one shot"
- :meth:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey.sign`
- and
- :meth:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey.verify`
- methods to DSA keys.
- * Added "one shot"
- :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign`
- and
- :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.verify`
- methods to ECDSA keys.
- * Switched back to the older callback model on Python 3.5 in order to mitigate
- the locking callback problem with OpenSSL <1.1.0.
- * :class:`~cryptography.x509.CertificateBuilder`,
- :class:`~cryptography.x509.CertificateRevocationListBuilder`, and
- :class:`~cryptography.x509.RevokedCertificateBuilder` now accept timezone
- aware ``datetime`` objects as method arguments
- * ``cryptography`` now supports OpenSSL 1.1.0 as a compilation target.
- .. _v1-4:
- 1.4 - 2016-06-04
- ~~~~~~~~~~~~~~~~
- * Support for OpenSSL 0.9.8 has been removed. Users on older versions of
- OpenSSL will need to upgrade.
- * Added :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC`.
- * Added support for ``OpenSSH`` public key serialization.
- * Added support for SHA-2 in RSA
- :class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP` when using
- OpenSSL 1.0.2 or greater.
- * Added "one shot"
- :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey.sign`
- and
- :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey.verify`
- methods to RSA keys.
- * Deprecated the ``serial`` attribute on
- :class:`~cryptography.x509.Certificate`, in favor of
- :attr:`~cryptography.x509.Certificate.serial_number`.
- .. _v1-3-4:
- 1.3.4 - 2016-06-03
- ~~~~~~~~~~~~~~~~~~
- * Added another OpenSSL function to the bindings to support an upcoming
- ``pyOpenSSL`` release.
- .. _v1-3-3:
- 1.3.3 - 2016-06-02
- ~~~~~~~~~~~~~~~~~~
- * Added two new OpenSSL functions to the bindings to support an upcoming
- ``pyOpenSSL`` release.
- .. _v1-3-2:
- 1.3.2 - 2016-05-04
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2h.
- * Fixed an issue preventing ``cryptography`` from compiling against
- LibreSSL 2.3.x.
- .. _v1-3-1:
- 1.3.1 - 2016-03-21
- ~~~~~~~~~~~~~~~~~~
- * Fixed a bug that caused an ``AttributeError`` when using ``mock`` to patch
- some ``cryptography`` modules.
- .. _v1-3:
- 1.3 - 2016-03-18
- ~~~~~~~~~~~~~~~~
- * Added support for padding ANSI X.923 with
- :class:`~cryptography.hazmat.primitives.padding.ANSIX923`.
- * Deprecated support for OpenSSL 0.9.8. Support will be removed in
- ``cryptography`` 1.4.
- * Added support for the :class:`~cryptography.x509.PolicyConstraints`
- X.509 extension including both parsing and generation using
- :class:`~cryptography.x509.CertificateBuilder` and
- :class:`~cryptography.x509.CertificateSigningRequestBuilder`.
- * Added :attr:`~cryptography.x509.CertificateSigningRequest.is_signature_valid`
- to :class:`~cryptography.x509.CertificateSigningRequest`.
- * Fixed an intermittent ``AssertionError`` when performing an RSA decryption on
- an invalid ciphertext, ``ValueError`` is now correctly raised in all cases.
- * Added
- :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`.
- .. _v1-2-3:
- 1.2.3 - 2016-03-01
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2g.
- .. _v1-2-2:
- 1.2.2 - 2016-01-29
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2f.
- .. _v1-2-1:
- 1.2.1 - 2016-01-08
- ~~~~~~~~~~~~~~~~~~
- * Reverts a change to an OpenSSL ``EVP_PKEY`` object that caused errors with
- ``pyOpenSSL``.
- .. _v1-2:
- 1.2 - 2016-01-08
- ~~~~~~~~~~~~~~~~
- * **BACKWARDS INCOMPATIBLE:**
- :class:`~cryptography.x509.RevokedCertificate`
- :attr:`~cryptography.x509.RevokedCertificate.extensions` now uses extension
- classes rather than returning raw values inside the
- :class:`~cryptography.x509.Extension`
- :attr:`~cryptography.x509.Extension.value`. The new classes
- are:
- * :class:`~cryptography.x509.CertificateIssuer`
- * :class:`~cryptography.x509.CRLReason`
- * :class:`~cryptography.x509.InvalidityDate`
- * Deprecated support for OpenSSL 0.9.8 and 1.0.0. At this time there is no time
- table for actually dropping support, however we strongly encourage all users
- to upgrade, as those versions no longer receive support from the OpenSSL
- project.
- * The :class:`~cryptography.x509.Certificate` class now has
- :attr:`~cryptography.x509.Certificate.signature` and
- :attr:`~cryptography.x509.Certificate.tbs_certificate_bytes` attributes.
- * The :class:`~cryptography.x509.CertificateSigningRequest` class now has
- :attr:`~cryptography.x509.CertificateSigningRequest.signature` and
- :attr:`~cryptography.x509.CertificateSigningRequest.tbs_certrequest_bytes`
- attributes.
- * The :class:`~cryptography.x509.CertificateRevocationList` class now has
- :attr:`~cryptography.x509.CertificateRevocationList.signature` and
- :attr:`~cryptography.x509.CertificateRevocationList.tbs_certlist_bytes`
- attributes.
- * :class:`~cryptography.x509.NameConstraints` are now supported in the
- :class:`~cryptography.x509.CertificateBuilder` and
- :class:`~cryptography.x509.CertificateSigningRequestBuilder`.
- * Support serialization of certificate revocation lists using the
- :meth:`~cryptography.x509.CertificateRevocationList.public_bytes` method of
- :class:`~cryptography.x509.CertificateRevocationList`.
- * Add support for parsing :class:`~cryptography.x509.CertificateRevocationList`
- :meth:`~cryptography.x509.CertificateRevocationList.extensions` in the
- OpenSSL backend. The following extensions are currently supported:
- * :class:`~cryptography.x509.AuthorityInformationAccess`
- * :class:`~cryptography.x509.AuthorityKeyIdentifier`
- * :class:`~cryptography.x509.CRLNumber`
- * :class:`~cryptography.x509.IssuerAlternativeName`
- * Added :class:`~cryptography.x509.CertificateRevocationListBuilder` and
- :class:`~cryptography.x509.RevokedCertificateBuilder` to allow creation of
- CRLs.
- * Unrecognized non-critical X.509 extensions are now parsed into an
- :class:`~cryptography.x509.UnrecognizedExtension` object.
- .. _v1-1-2:
- 1.1.2 - 2015-12-10
- ~~~~~~~~~~~~~~~~~~
- * Fixed a SIGBUS crash with the OS X wheels caused by redefinition of a
- method.
- * Fixed a runtime error ``undefined symbol EC_GFp_nistp224_method`` that
- occurred with some OpenSSL installations.
- * Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2e.
- .. _v1-1-1:
- 1.1.1 - 2015-11-19
- ~~~~~~~~~~~~~~~~~~
- * Fixed several small bugs related to compiling the OpenSSL bindings with
- unusual OpenSSL configurations.
- * Resolved an issue where, depending on the method of installation and
- which Python interpreter they were using, users on El Capitan (OS X 10.11)
- may have seen an ``InternalError`` on import.
- .. _v1-1:
- 1.1 - 2015-10-28
- ~~~~~~~~~~~~~~~~
- * Added support for Elliptic Curve Diffie-Hellman with
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDH`.
- * Added :class:`~cryptography.hazmat.primitives.kdf.x963kdf.X963KDF`.
- * Added support for parsing certificate revocation lists (CRLs) using
- :func:`~cryptography.x509.load_pem_x509_crl` and
- :func:`~cryptography.x509.load_der_x509_crl`.
- * Add support for AES key wrapping with
- :func:`~cryptography.hazmat.primitives.keywrap.aes_key_wrap` and
- :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap`.
- * Added a ``__hash__`` method to :class:`~cryptography.x509.Name`.
- * Add support for encoding and decoding elliptic curve points to a byte string
- form using
- ``cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point``
- and
- :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`.
- * Added :meth:`~cryptography.x509.Extensions.get_extension_for_class`.
- * :class:`~cryptography.x509.CertificatePolicies` are now supported in the
- :class:`~cryptography.x509.CertificateBuilder`.
- * ``countryName`` is now encoded as a ``PrintableString`` when creating subject
- and issuer distinguished names with the Certificate and CSR builder classes.
- .. _v1-0-2:
- 1.0.2 - 2015-09-27
- ~~~~~~~~~~~~~~~~~~
- * **SECURITY ISSUE**: The OpenSSL backend prior to 1.0.2 made extensive use
- of assertions to check response codes where our tests could not trigger a
- failure. However, when Python is run with ``-O`` these asserts are optimized
- away. If a user ran Python with this flag and got an invalid response code
- this could result in undefined behavior or worse. Accordingly, all response
- checks from the OpenSSL backend have been converted from ``assert``
- to a true function call. Credit **Emilia Käsper (Google Security Team)**
- for the report.
- .. _v1-0-1:
- 1.0.1 - 2015-09-05
- ~~~~~~~~~~~~~~~~~~
- * We now ship OS X wheels that statically link OpenSSL by default. When
- installing a wheel on OS X 10.10+ (and using a Python compiled against the
- 10.10 SDK) users will no longer need to compile. See :doc:`/installation` for
- alternate installation methods if required.
- * Set the default string mask to UTF-8 in the OpenSSL backend to resolve
- character encoding issues with older versions of OpenSSL.
- * Several new OpenSSL bindings have been added to support a future pyOpenSSL
- release.
- * Raise an error during install on PyPy < 2.6. 1.0+ requires PyPy 2.6+.
- .. _v1-0:
- 1.0 - 2015-08-12
- ~~~~~~~~~~~~~~~~
- * Switched to the new `cffi`_ ``set_source`` out-of-line API mode for
- compilation. This results in significantly faster imports and lowered
- memory consumption. Due to this change we no longer support PyPy releases
- older than 2.6 nor do we support any released version of PyPy3 (until a
- version supporting cffi 1.0 comes out).
- * Fix parsing of OpenSSH public keys that have spaces in comments.
- * Support serialization of certificate signing requests using the
- ``public_bytes`` method of
- :class:`~cryptography.x509.CertificateSigningRequest`.
- * Support serialization of certificates using the ``public_bytes`` method of
- :class:`~cryptography.x509.Certificate`.
- * Add ``get_provisioning_uri`` method to
- :class:`~cryptography.hazmat.primitives.twofactor.hotp.HOTP` and
- :class:`~cryptography.hazmat.primitives.twofactor.totp.TOTP` for generating
- provisioning URIs.
- * Add :class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatKDFHash`
- and :class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatKDFHMAC`.
- * Raise a ``TypeError`` when passing objects that are not text as the value to
- :class:`~cryptography.x509.NameAttribute`.
- * Add support for :class:`~cryptography.x509.OtherName` as a general name
- type.
- * Added new X.509 extension support in :class:`~cryptography.x509.Certificate`
- The following new extensions are now supported:
- * :class:`~cryptography.x509.OCSPNoCheck`
- * :class:`~cryptography.x509.InhibitAnyPolicy`
- * :class:`~cryptography.x509.IssuerAlternativeName`
- * :class:`~cryptography.x509.NameConstraints`
- * Extension support was added to
- :class:`~cryptography.x509.CertificateSigningRequest`.
- * Add support for creating signed certificates with
- :class:`~cryptography.x509.CertificateBuilder`. This includes support for
- the following extensions:
- * :class:`~cryptography.x509.BasicConstraints`
- * :class:`~cryptography.x509.SubjectAlternativeName`
- * :class:`~cryptography.x509.KeyUsage`
- * :class:`~cryptography.x509.ExtendedKeyUsage`
- * :class:`~cryptography.x509.SubjectKeyIdentifier`
- * :class:`~cryptography.x509.AuthorityKeyIdentifier`
- * :class:`~cryptography.x509.AuthorityInformationAccess`
- * :class:`~cryptography.x509.CRLDistributionPoints`
- * :class:`~cryptography.x509.InhibitAnyPolicy`
- * :class:`~cryptography.x509.IssuerAlternativeName`
- * :class:`~cryptography.x509.OCSPNoCheck`
- * Add support for creating certificate signing requests with
- :class:`~cryptography.x509.CertificateSigningRequestBuilder`. This includes
- support for the same extensions supported in the ``CertificateBuilder``.
- * Deprecate ``encode_rfc6979_signature`` and ``decode_rfc6979_signature`` in
- favor of
- :func:`~cryptography.hazmat.primitives.asymmetric.utils.encode_dss_signature`
- and
- :func:`~cryptography.hazmat.primitives.asymmetric.utils.decode_dss_signature`.
- .. _v0-9-3:
- 0.9.3 - 2015-07-09
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows wheels to be compiled against OpenSSL 1.0.2d.
- .. _v0-9-2:
- 0.9.2 - 2015-07-04
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows wheels to be compiled against OpenSSL 1.0.2c.
- .. _v0-9-1:
- 0.9.1 - 2015-06-06
- ~~~~~~~~~~~~~~~~~~
- * **SECURITY ISSUE**: Fixed a double free in the OpenSSL backend when using DSA
- to verify signatures. Note that this only affects PyPy 2.6.0 and (presently
- unreleased) CFFI versions greater than 1.1.0.
- .. _v0-9:
- 0.9 - 2015-05-13
- ~~~~~~~~~~~~~~~~
- * Removed support for Python 3.2. This version of Python is rarely used
- and caused support headaches. Users affected by this should upgrade to 3.3+.
- * Deprecated support for Python 2.6. At the time there is no time table for
- actually dropping support, however we strongly encourage all users to upgrade
- their Python, as Python 2.6 no longer receives support from the Python core
- team.
- * Add support for the
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.SECP256K1` elliptic
- curve.
- * Fixed compilation when using an OpenSSL which was compiled with the
- ``no-comp`` (``OPENSSL_NO_COMP``) option.
- * Support :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
- serialization of public keys using the ``public_bytes`` method of
- :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`,
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`,
- and
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`.
- * Support :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
- serialization of private keys using the ``private_bytes`` method of
- :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`,
- and
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`.
- * Add support for parsing X.509 certificate signing requests (CSRs) with
- :func:`~cryptography.x509.load_pem_x509_csr` and
- :func:`~cryptography.x509.load_der_x509_csr`.
- * Moved ``cryptography.exceptions.InvalidToken`` to
- :class:`cryptography.hazmat.primitives.twofactor.InvalidToken` and deprecated
- the old location. This was moved to minimize confusion between this exception
- and :class:`cryptography.fernet.InvalidToken`.
- * Added support for X.509 extensions in :class:`~cryptography.x509.Certificate`
- objects. The following extensions are supported as of this release:
- * :class:`~cryptography.x509.BasicConstraints`
- * :class:`~cryptography.x509.AuthorityKeyIdentifier`
- * :class:`~cryptography.x509.SubjectKeyIdentifier`
- * :class:`~cryptography.x509.KeyUsage`
- * :class:`~cryptography.x509.SubjectAlternativeName`
- * :class:`~cryptography.x509.ExtendedKeyUsage`
- * :class:`~cryptography.x509.CRLDistributionPoints`
- * :class:`~cryptography.x509.AuthorityInformationAccess`
- * :class:`~cryptography.x509.CertificatePolicies`
- Note that unsupported extensions with the critical flag raise
- ``UnsupportedExtension`` while unsupported extensions set to non-critical are
- silently ignored. Read the :doc:`X.509 documentation</x509/index>` for more
- information.
- .. _v0-8-2:
- 0.8.2 - 2015-04-10
- ~~~~~~~~~~~~~~~~~~
- * Fixed a race condition when initializing the OpenSSL or CommonCrypto backends
- in a multi-threaded scenario.
- .. _v0-8-1:
- 0.8.1 - 2015-03-20
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows wheels to be compiled against OpenSSL 1.0.2a.
- .. _v0-8:
- 0.8 - 2015-03-08
- ~~~~~~~~~~~~~~~~
- * :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` can
- now load elliptic curve public keys.
- * Added
- :attr:`~cryptography.x509.Certificate.signature_hash_algorithm` support to
- :class:`~cryptography.x509.Certificate`.
- * Added
- :func:`~cryptography.hazmat.primitives.asymmetric.rsa.rsa_recover_prime_factors`
- * :class:`~cryptography.hazmat.primitives.kdf.KeyDerivationFunction` was moved
- from ``cryptography.hazmat.primitives.interfaces`` to
- :mod:`~cryptography.hazmat.primitives.kdf`.
- * Added support for parsing X.509 names. See the
- :doc:`X.509 documentation</x509/index>` for more information.
- * Added
- :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key` to
- support loading of DER encoded private keys and
- :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key` to
- support loading DER encoded public keys.
- * Fixed building against LibreSSL, a compile-time substitute for OpenSSL.
- * FreeBSD 9.2 was removed from the continuous integration system.
- * Updated Windows wheels to be compiled against OpenSSL 1.0.2.
- * :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`
- and :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`
- now support PKCS1 RSA public keys (in addition to the previous support for
- SubjectPublicKeyInfo format for RSA, EC, and DSA).
- * Added ``EllipticCurvePrivateKeyWithSerialization`` and deprecated
- ``EllipticCurvePrivateKeyWithNumbers``.
- * Added
- :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.private_bytes`
- to
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`.
- * Added ``RSAPrivateKeyWithSerialization`` and deprecated ``RSAPrivateKeyWithNumbers``.
- * Added
- :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey.private_bytes`
- to
- :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`.
- * Added ``DSAPrivateKeyWithSerialization`` and deprecated ``DSAPrivateKeyWithNumbers``.
- * Added
- :meth:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey.private_bytes`
- to
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`.
- * Added ``RSAPublicKeyWithSerialization`` and deprecated ``RSAPublicKeyWithNumbers``.
- * Added ``public_bytes`` to
- :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`.
- * Added ``EllipticCurvePublicKeyWithSerialization`` and deprecated
- ``EllipticCurvePublicKeyWithNumbers``.
- * Added ``public_bytes`` to
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`.
- * Added ``DSAPublicKeyWithSerialization`` and deprecated ``DSAPublicKeyWithNumbers``.
- * Added ``public_bytes`` to
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`.
- * :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` and
- :class:`~cryptography.hazmat.primitives.hashes.HashContext` were moved from
- ``cryptography.hazmat.primitives.interfaces`` to
- :mod:`~cryptography.hazmat.primitives.hashes`.
- * :class:`~cryptography.hazmat.primitives.ciphers.CipherContext`,
- :class:`~cryptography.hazmat.primitives.ciphers.AEADCipherContext`,
- :class:`~cryptography.hazmat.primitives.ciphers.AEADEncryptionContext`,
- :class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`, and
- :class:`~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm`
- were moved from ``cryptography.hazmat.primitives.interfaces`` to
- :mod:`~cryptography.hazmat.primitives.ciphers`.
- * :class:`~cryptography.hazmat.primitives.ciphers.modes.Mode`,
- :class:`~cryptography.hazmat.primitives.ciphers.modes.ModeWithInitializationVector`,
- :class:`~cryptography.hazmat.primitives.ciphers.modes.ModeWithNonce`, and
- :class:`~cryptography.hazmat.primitives.ciphers.modes.ModeWithAuthenticationTag`
- were moved from ``cryptography.hazmat.primitives.interfaces`` to
- :mod:`~cryptography.hazmat.primitives.ciphers.modes`.
- * :class:`~cryptography.hazmat.primitives.padding.PaddingContext` was moved
- from ``cryptography.hazmat.primitives.interfaces`` to
- :mod:`~cryptography.hazmat.primitives.padding`.
- *
- :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`
- was moved from ``cryptography.hazmat.primitives.interfaces`` to
- :mod:`~cryptography.hazmat.primitives.asymmetric.padding`.
- * ``AsymmetricSignatureContext`` and ``AsymmetricVerificationContext``
- were moved from ``cryptography.hazmat.primitives.interfaces`` to
- ``cryptography.hazmat.primitives.asymmetric``.
- * :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`,
- ``DSAParametersWithNumbers``,
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`,
- ``DSAPrivateKeyWithNumbers``,
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` and
- ``DSAPublicKeyWithNumbers`` were moved from
- ``cryptography.hazmat.primitives.interfaces`` to
- :mod:`~cryptography.hazmat.primitives.asymmetric.dsa`
- * :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`,
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurveSignatureAlgorithm`,
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`,
- ``EllipticCurvePrivateKeyWithNumbers``,
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`,
- and ``EllipticCurvePublicKeyWithNumbers``
- were moved from ``cryptography.hazmat.primitives.interfaces`` to
- :mod:`~cryptography.hazmat.primitives.asymmetric.ec`.
- * :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
- ``RSAPrivateKeyWithNumbers``,
- :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` and
- ``RSAPublicKeyWithNumbers`` were moved from
- ``cryptography.hazmat.primitives.interfaces`` to
- :mod:`~cryptography.hazmat.primitives.asymmetric.rsa`.
- .. _v0-7-2:
- 0.7.2 - 2015-01-16
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows wheels to be compiled against OpenSSL 1.0.1l.
- * ``enum34`` is no longer installed on Python 3.4, where it is included in
- the standard library.
- * Added a new function to the OpenSSL bindings to support additional
- functionality in pyOpenSSL.
- .. _v0-7-1:
- 0.7.1 - 2014-12-28
- ~~~~~~~~~~~~~~~~~~
- * Fixed an issue preventing compilation on platforms where ``OPENSSL_NO_SSL3``
- was defined.
- .. _v0-7:
- 0.7 - 2014-12-17
- ~~~~~~~~~~~~~~~~
- * Cryptography has been relicensed from the Apache Software License, Version
- 2.0, to being available under *either* the Apache Software License, Version
- 2.0, or the BSD license.
- * Added key-rotation support to :doc:`Fernet </fernet>` with
- :class:`~cryptography.fernet.MultiFernet`.
- * More bit-lengths are now supported for ``p`` and ``q`` when loading DSA keys
- from numbers.
- * Added ``MACContext`` as a common interface for CMAC and HMAC and
- deprecated ``CMACContext``.
- * Added support for encoding and decoding :rfc:`6979` signatures in
- :doc:`/hazmat/primitives/asymmetric/utils`.
- * Added
- :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` to
- support the loading of OpenSSH public keys (:rfc:`4253`). Only RSA and DSA
- keys are currently supported.
- * Added initial support for X.509 certificate parsing. See the
- :doc:`X.509 documentation</x509/index>` for more information.
- .. _v0-6-1:
- 0.6.1 - 2014-10-15
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows wheels to be compiled against OpenSSL 1.0.1j.
- * Fixed an issue where OpenSSL 1.0.1j changed the errors returned by some
- functions.
- * Added our license file to the ``cryptography-vectors`` package.
- * Implemented DSA hash truncation support (per FIPS 186-3) in the OpenSSL
- backend. This works around an issue in 1.0.0, 1.0.0a, and 1.0.0b where
- truncation was not implemented.
- .. _v0-6:
- 0.6 - 2014-09-29
- ~~~~~~~~~~~~~~~~
- * Added
- :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key` to
- ease loading private keys, and
- :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key` to
- support loading public keys.
- * Removed the, deprecated in 0.4, support for the ``salt_length`` argument to
- the :class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF1`
- constructor. The ``salt_length`` should be passed to
- :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` instead.
- * Fix compilation on OS X Yosemite.
- * Deprecated ``elliptic_curve_private_key_from_numbers`` and
- ``elliptic_curve_public_key_from_numbers`` in favor of
- ``load_elliptic_curve_private_numbers`` and
- ``load_elliptic_curve_public_numbers`` on ``EllipticCurveBackend``.
- * Added ``EllipticCurvePrivateKeyWithNumbers`` and
- ``EllipticCurvePublicKeyWithNumbers`` support.
- * Work around three GCM related bugs in CommonCrypto and OpenSSL.
- * On the CommonCrypto backend adding AAD but not subsequently calling update
- would return null tag bytes.
- * One the CommonCrypto backend a call to update without an empty add AAD call
- would return null ciphertext bytes.
- * On the OpenSSL backend with certain versions adding AAD only would give
- invalid tag bytes.
- * Support loading EC private keys from PEM.
- .. _v0-5-4:
- 0.5.4 - 2014-08-20
- ~~~~~~~~~~~~~~~~~~
- * Added several functions to the OpenSSL bindings to support new
- functionality in pyOpenSSL.
- * Fixed a redefined constant causing compilation failure with Solaris 11.2.
- .. _v0-5-3:
- 0.5.3 - 2014-08-06
- ~~~~~~~~~~~~~~~~~~
- * Updated Windows wheels to be compiled against OpenSSL 1.0.1i.
- .. _v0-5-2:
- 0.5.2 - 2014-07-09
- ~~~~~~~~~~~~~~~~~~
- * Add ``TraditionalOpenSSLSerializationBackend`` support to ``multibackend``.
- * Fix compilation error on OS X 10.8 (Mountain Lion).
- .. _v0-5-1:
- 0.5.1 - 2014-07-07
- ~~~~~~~~~~~~~~~~~~
- * Add ``PKCS8SerializationBackend`` support to ``multibackend``.
- .. _v0-5:
- 0.5 - 2014-07-07
- ~~~~~~~~~~~~~~~~
- * **BACKWARDS INCOMPATIBLE:**
- :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` no longer allows
- truncation of tags by default. Previous versions of ``cryptography`` allowed
- tags to be truncated by default, applications wishing to preserve this
- behavior (not recommended) can pass the ``min_tag_length`` argument.
- * Windows builds now statically link OpenSSL by default. When installing a
- wheel on Windows you no longer need to install OpenSSL separately. Windows
- users can switch between static and dynamic linking with an environment
- variable. See :doc:`/installation` for more details.
- * Added :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDFExpand`.
- * Added :class:`~cryptography.hazmat.primitives.ciphers.modes.CFB8` support
- for :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` and
- :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` on
- ``commoncrypto`` and ``openssl``.
- * Added ``AES`` :class:`~cryptography.hazmat.primitives.ciphers.modes.CTR`
- support to the OpenSSL backend when linked against 0.9.8.
- * Added ``PKCS8SerializationBackend`` and
- ``TraditionalOpenSSLSerializationBackend`` support to ``openssl``.
- * Added :doc:`/hazmat/primitives/asymmetric/ec` and ``EllipticCurveBackend``.
- * Added :class:`~cryptography.hazmat.primitives.ciphers.modes.ECB` support
- for :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` on
- ``commoncrypto`` and ``openssl``.
- * Deprecated the concrete ``RSAPrivateKey`` class in favor of backend
- specific providers of the
- :class:`cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`
- interface.
- * Deprecated the concrete ``RSAPublicKey`` in favor of backend specific
- providers of the
- :class:`cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`
- interface.
- * Deprecated the concrete ``DSAPrivateKey`` class in favor of backend
- specific providers of the
- :class:`cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`
- interface.
- * Deprecated the concrete ``DSAPublicKey`` class in favor of backend specific
- providers of the
- :class:`cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`
- interface.
- * Deprecated the concrete ``DSAParameters`` class in favor of backend specific
- providers of the
- :class:`cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`
- interface.
- * Deprecated ``encrypt_rsa``, ``decrypt_rsa``, ``create_rsa_signature_ctx`` and
- ``create_rsa_verification_ctx`` on ``RSABackend``.
- * Deprecated ``create_dsa_signature_ctx`` and ``create_dsa_verification_ctx``
- on ``DSABackend``.
- .. _v0-4:
- 0.4 - 2014-05-03
- ~~~~~~~~~~~~~~~~
- * Deprecated ``salt_length`` on
- :class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF1` and added it
- to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. It will
- be removed from ``MGF1`` in two releases per our :doc:`/api-stability`
- policy.
- * Added :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`
- support.
- * Added :class:`~cryptography.hazmat.primitives.cmac.CMAC`.
- * Added decryption support to
- :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`
- and encryption support to
- :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`.
- * Added signature support to
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`
- and verification support to
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`.
- .. _v0-3:
- 0.3 - 2014-03-27
- ~~~~~~~~~~~~~~~~
- * Added :class:`~cryptography.hazmat.primitives.twofactor.hotp.HOTP`.
- * Added :class:`~cryptography.hazmat.primitives.twofactor.totp.TOTP`.
- * Added :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`
- support.
- * Added signature support to
- :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`
- and verification support to
- :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`.
- * Moved test vectors to the new ``cryptography_vectors`` package.
- .. _v0-2-2:
- 0.2.2 - 2014-03-03
- ~~~~~~~~~~~~~~~~~~
- * Removed a constant definition that was causing compilation problems with
- specific versions of OpenSSL.
- .. _v0-2-1:
- 0.2.1 - 2014-02-22
- ~~~~~~~~~~~~~~~~~~
- * Fix a bug where importing cryptography from multiple paths could cause
- initialization to fail.
- .. _v0-2:
- 0.2 - 2014-02-20
- ~~~~~~~~~~~~~~~~
- * Added ``commoncrypto``.
- * Added initial ``commoncrypto``.
- * Removed ``register_cipher_adapter`` method from ``CipherBackend``.
- * Added support for the OpenSSL backend under Windows.
- * Improved thread-safety for the OpenSSL backend.
- * Fixed compilation on systems where OpenSSL's ``ec.h`` header is not
- available, such as CentOS.
- * Added :class:`~cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC`.
- * Added :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`.
- * Added ``multibackend``.
- * Set default random for ``openssl`` to the OS random engine.
- * Added :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`
- (CAST-128) support.
- .. _v0-1:
- 0.1 - 2014-01-08
- ~~~~~~~~~~~~~~~~
- * Initial release.
- .. _`as documented here`: https://docs.rs/openssl/latest/openssl/#automatic
- .. _`main`: https://github.com/pyca/cryptography/
- .. _`cffi`: https://cffi.readthedocs.io/
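Review bot: the 0.5 entry's **BACKWARDS INCOMPATIBLE** note on GCM tag truncation (``min_tag_length``) and the 0.6 removal of ``salt_length`` from ``MGF1`` are deleted here with the rest of the release history. If the changelog is being relocated rather than dropped, confirm those entries are carried over, since they are the only record in these lines of behavior changes that affect callers. The ``.. _v0-N:`` labels and the trailing ``as documented here``, ``main`` and ``cffi`` link targets are removed as well, so any ``:ref:`` or named link elsewhere in the docs that points at them will stop resolving unless it is updated in the same change.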