* Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically
seen in large CRLs).
* Final deprecation of OpenSSL 1.1.0. The next release of ``cryptography``
will drop support.
* We no longer ship ``manylinux2010`` wheels. Users should upgrade to the
latest ``pip`` to ensure this doesn't cause issues downloading wheels on
their platform. We now ship ``manylinux_2_28`` wheels for users on new
enough platforms.
* Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0.
Users with the latest ``pip`` will typically get a wheel and not need Rust
installed, but check :doc:`/installation` for documentation on installing a
newer ``rustc`` if required.
* :meth:`~cryptography.fernet.Fernet.decrypt` and related methods now accept
both ``str`` and ``bytes`` tokens.
* Parsing ``CertificateSigningRequest`` restores the behavior of enforcing
that the ``Extension`` ``critical`` field must be correctly encoded DER. See
`the issue <https://github.com/pyca/cryptography/issues/6368>`_ for complete
details.
* Added two new OpenSSL functions to the bindings to support an upcoming
``pyOpenSSL`` release.
* When parsing :class:`~cryptography.x509.CertificateRevocationList` and
:class:`~cryptography.x509.CertificateSigningRequest` values, it is now
enforced that the ``version`` value in the input must be valid according to
the rules of :rfc:`2986` and :rfc:`5280`.
* Using MD5 or SHA1 in :class:`~cryptography.x509.CertificateBuilder` and
other X.509 builders is deprecated and support will be removed in the next
version.
* Added additional APIs to
:class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp`, including
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-cryptography?expand=0&rev=161
* Fixed an issue where parsing an encrypted private key with the public
loader functions would hang waiting for console input on OpenSSL 3.0.x rather
than raising an error.
* Restored some legacy symbols for older ``pyOpenSSL`` users. These will be
removed again in the future, so ``pyOpenSSL`` users should still upgrade
to the latest version of that package when they upgrade ``cryptography``.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x and 3.0.x.
The new minimum LibreSSL version is 3.1+.
* **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier`` methods
from the public key and private key classes. These methods were originally
deprecated in version 2.0, but had an extended deprecation timeline due
to usage. Any remaining users should transition to ``sign`` and ``verify``.
* Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by
the OpenSSL project. The next release of ``cryptography`` will be the last
to support compiling with OpenSSL 1.1.0.
* Deprecated Python 3.6 support. Python 3.6 is no longer supported by the
Python core team. Support for Python 3.6 will be removed in a future
``cryptography`` release.
* Deprecated the current minimum supported Rust version (MSRV) of 1.41.0.
In the next release we will raise MSRV to 1.48.0. Users with the latest
``pip`` will typically get a wheel and not need Rust installed, but check
:doc:`/installation` for documentation on installing a newer ``rustc`` if
required.
* Deprecated
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`,
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`,
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish` because
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-cryptography?expand=0&rev=153
- update to 36.0.0:
* FINAL DEPRECATION Support for verifier and signer on our asymmetric key
classes was deprecated in version 2.1. These functions had an extended
deprecation due to usage, however the next version of cryptography will
drop support. Users should migrate to sign and verify.
* The entire X.509 layer is now written in Rust. This allows alternate
asymmetric key implementations that can support cloud key management
services or hardware security modules provided they implement the necessary
interface (for example: EllipticCurvePrivateKey).
* Deprecated the backend argument for all functions.
* Added support for AESOCB3.
* Added support for iterating over arbitrary request attributes.
* Deprecated the get_attribute_for_oid method on CertificateSigningRequest in
favor of get_attribute_for_oid() on the new Attributes object.
* Fixed handling of PEM files to allow loading when certificate and key are
in the same file.
* Fixed parsing of CertificatePolicies extensions containing legacy BMPString values in their explicitText.
* Allow parsing of negative serial numbers in certificates. Negative serial
numbers are prohibited by RFC 5280 so a deprecation warning will be raised
whenever they are encountered. A future version of cryptography will drop
support for parsing them.
* Added support for parsing PKCS12 files with friendly names for all
certificates with load_pkcs12(), which will return an object of type
PKCS12KeyAndCertificates.
* rfc4514_string() and related methods now have an optional
attr_name_overrides parameter to supply custom OID to name mappings, which
can be used to match vendor-specific extensions.
* BACKWARDS INCOMPATIBLE: Reverted the nonstandard formatting of email
address fields as E in rfc4514_string() methods from version 35.0.
* The previous behavior can be restored with:
OBS-URL: https://build.opensuse.org/request/show/934514
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-cryptography?expand=0&rev=140
