276b7ca0b1 - update to 45.0.5: * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.1. * Fixed decrypting PKCS#8 files encrypted with SHA1-RC4. (This is not considered secure, and is supported only for backwards compatibility.) * Fixed decrypting PKCS#8 files encrypted with long salts (this impacts keys encrypted by Bouncy Castle). * Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5. While wildly insecure, this remains prevalent. * Fixed using mypy with cryptography on older versions of Python. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.0. * Support for Python 3.7 is deprecated and will be removed in the next cryptography release. * Updated the minimum supported Rust version (MSRV) to 1.74.0, from 1.65.0. * Added support for serialization of PKCS#12 Java truststores in :func:~cryptography.hazmat.primitives.serialization.pkcs12.serialize_java_truststore * Added :meth:~cryptography.hazmat.primitives.kdf.argon2.Argon2id.derive_phc_encoded and :meth:~cryptography.hazmat.primitives.kdf.argon2.Argon2id.verify_phc_encoded methods to support password hashing in the PHC string format * Added support for PKCS7 decryption and encryption using AES-256 as the content algorithm, in addition to AES-128. * BACKWARDS INCOMPATIBLE: Made SSH private key loading more consistent with other private key loading: :func:~cryptography.hazmat.primitives.serialization.load_ssh_private_key now (Dirk Mueller, 2025-07-12 08:36:35 +00:00)
d6d120e786 - update to 44.0.1: * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.1. * We now build armv7l manylinux wheels and publish them to PyPI. * We now build manylinux_2_34 wheels and publish them to PyPI. (Dirk Mueller, 2025-02-26 09:41:33 +00:00)
405e6469c4 Accepting request 1242838 from devel:languages:python (Ana Guerrero, 2025-02-06 21:01:51 +00:00)
b71fd351ec - Update to version 44.0.0: * BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.9. * Deprecated Python 3.7 support. Python 3.7 is no longer supported by the Python core team. Support for Python 3.7 will be removed in a future cryptography release. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.0. * macOS wheels are now built against the macOS 10.13 SDK. Users on older versions of macOS should upgrade, or they will need to build cryptography themselves. * Enforce the RFC 5280 requirement that extended key usage extensions must not be empty. * Added support for timestamp extraction to the :class:~cryptography.fernet.MultiFernet class. * Relax the Authority Key Identifier requirements on root CA certificates during X.509 verification to allow fields permitted by RFC 5280 but forbidden by the CA/Browser BRs. * Added support for :class:~cryptography.hazmat.primitives.kdf.argon2.Argon2id when using OpenSSL 3.2.0+. * Added support for the :class:~cryptography.x509.Admissions certificate extension. * Added basic support for PKCS7 decryption (including S/MIME 3.2) via :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der, :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem, and :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime. - Update specfile to accommodate new project structure at version 44.0.0 - Update no-pytest_benchmark.patch (Dirk Mueller, 2025-01-29 08:34:20 +00:00)
d0ad3bb3fc - Fix requires_eq replacement for distributions which do not have python3-cffi installed (such as SLE15 python module pythons) * gh#openSUSE/python-rpm-macros#185 - Remove outdated section in description (Matej Cepl, 2024-11-08 15:01:32 +00:00)
97d57cc1df Accepting request 1221413 from devel:languages:python (Ana Guerrero, 2024-11-06 15:49:39 +00:00)
6c5fc4f022 - Avoid using requires_eq, which after the last modifications conflicts with python singlespec (order of expansion). (Markéta Machová, 2024-11-05 11:51:09 +00:00)
3bab3768bf Accepting request 1217043 from devel:languages:python (Ana Guerrero, 2024-10-23 19:08:56 +00:00)
b61703c6e8 - update to 43.0.3: * Fixed release metadata for cryptography-vectors * Fixed compilation when using LibreSSL 4.0.0. (Dirk Mueller, 2024-10-22 13:26:27 +00:00)
5f93749b9e Accepting request 1204397 from devel:languages:python (Ana Guerrero, 2024-09-30 13:34:29 +00:00)
310b72870a - update to 43.0.1: * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.3.2. (Dirk Mueller, 2024-09-28 19:46:03 +00:00)
8c4e8aa051 Accepting request 1201401 from devel:languages:python (Ana Guerrero, 2024-09-18 13:26:47 +00:00)
eae8858b3e - Fix building optimized binaries with debuginfo. (Matej Cepl, 2024-08-12 20:36:26 +00:00)
1b46516713 - Update building of Rust modules to use modern cargo_vendor service - Remove unneeded use-offline-build.patch (Matej Cepl, 2024-07-31 21:48:34 +00:00)
651c5e926b - update to 43.0.0: * BACKWARDS INCOMPATIBLE: Support for OpenSSL less than 1.1.1e has been removed. Users on older versions of OpenSSL will need to upgrade. * BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.8. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.3.1. * Updated the minimum supported Rust version (MSRV) to 1.65.0, from 1.63.0. * :func:~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still considered insecure, users should generally use a key size of 2048-bits. * :func:~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates now emits ASN.1 that more closely follows the recommendations in RFC 2315. * Added new :doc:/hazmat/decrepit/index module which contains outdated and insecure cryptographic primitives. :class:~cryptography.hazmat.primitives.ciphers.algorithms.CAST5, :class:~cryptography.hazmat.primitives.ciphers.algorithms.SEED, :class:~cryptography.hazmat.primitives.ciphers.algorithms.IDEA, and :class:~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish, which were deprecated in 37.0.0, have been added to this module. They will be removed from the cipher module in 45.0.0. * Moved :class:~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES and :class:~cryptography.hazmat.primitives.ciphers.algorithms.ARC4 into :doc:/hazmat/decrepit/index and deprecated them in the cipher module. They will be removed from the cipher module in 48.0.0. (Dirk Mueller, 2024-07-26 10:51:57 +00:00)
81867a0a54 Accepting request 1179508 from devel:languages:python (Ana Guerrero, 2024-06-09 18:18:45 +00:00)
5fd0f8aee2 - update to 42.0.8: * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.2. (Dirk Mueller, 2024-06-08 12:04:45 +00:00)
283cd268df Accepting request 1174053 from devel:languages:python (Ana Guerrero, 2024-05-16 15:12:39 +00:00)
1bcd019a4b - update to 42.0.7: * Restored Windows 7 compatibility for our pre-built wheels. Note that we do not test on Windows 7 and wheels for our next release will not support it. Microsoft no longer provides support for Windows 7 and users are encouraged to upgrade. (Dirk Mueller, 2024-05-07 16:14:48 +00:00)
7d82e714af - update to 42.0.6: * Fixed compilation when using LibreSSL 3.9.1. (Dirk Mueller, 2024-05-07 07:36:43 +00:00)
46be1e4e9c Accepting request 1164122 from devel:languages:python (Ana Guerrero, 2024-04-03 15:18:49 +00:00)
469d7f8302 - update to 42.0.5: * Limit the number of name constraint checks that will be performed in :mod:X.509 path validation <cryptography.x509.verification> to protect against denial of service attacks. * Upgrade pyo3 version, which fixes building on PowerPC. (Dirk Mueller, 2024-04-02 13:19:25 +00:00)
db2f1d8603 Accepting request 1149625 from devel:languages:python (Ana Guerrero, 2024-02-23 15:41:42 +00:00)
22718d2516 - update to 42.0.4 (bsc#1220210, CVE-2024-26130): * Fixed a null-pointer-dereference and segfault that could occur when creating a PKCS#12 bundle. Credit to Alexander-Programming for reporting the issue. CVE-2024-26130 * Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields SMIMECapabilities and SignatureAlgorithmIdentifier should now be correctly encoded according to the definitions in :rfc:2633 :rfc:3370. - update to 42.0.3: * Fixed an initialization issue that caused key loading failures for some users. - Drop patch skip_openssl_memleak_test.patch not needed anymore. (Daniel Garcia, 2024-02-22 17:38:15 +00:00)
4507ff5d23 - update to 42.0.2: * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1. * Fixed an issue that prevented the use of Python buffer protocol objects in sign and verify methods on asymmetric keys. * Fixed an issue with incorrect keyword-argument naming with EllipticCurvePrivateKey :meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange, X25519PrivateKey :meth:~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange, X448PrivateKey :meth:~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange, and DHPrivateKey :meth:~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange. (Dirk Mueller, 2024-01-31 17:24:40 +00:00)
2f68d9363c - update to 42.0.1: * Fixed an issue with incorrect keyword-argument naming with EllipticCurvePrivateKey :meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign. * Resolved compatibility issue with loading certain RSA public keys in :func:~cryptography.hazmat.primitives.serialization.load_pem_public_key. * BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.7. * BACKWARDS INCOMPATIBLE: Loading a PKCS7 with no content field using :func:~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates or :func:~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates will now raise a ValueError rather than return an empty list. * Parsing SSH certificates no longer permits malformed critical options with values, as documented in the 41.0.2 release notes. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.0. * Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0. * We now publish both py37 and py39 abi3 wheels. This should resolve some errors relating to initializing a module multiple times per process. * Support :class:~cryptography.hazmat.primitives.asymmetric.padding.PSS for X.509 certificate signing requests and certificate revocation lists with the keyword-only argument rsa_padding on the sign methods for :class:~cryptography.x509.CertificateSigningRequestBuilder and (Dirk Mueller, 2024-01-29 14:19:13 +00:00)
5476db9cdd Accepting request 1129560 from devel:languages:python (Ana Guerrero, 2023-11-29 20:18:37 +00:00)
70f0f2e8c2 - update to 41.0.7 (CVE-2023-49083, bsc#1217592): (Dirk Mueller, 2023-11-28 12:51:56 +00:00)
ec10c5ca11 - update to 41.0.7 (CVE-2023-49083, bsc#FIXME): * Fixed compilation when using LibreSSL 3.8.2. * Fixed a null-pointer-dereference and segfault that could occur when loading certificates from a PKCS#7 bundle. Credit to **pkuzco** for reporting the issue. **CVE-2023-49083** (Dirk Mueller, 2023-11-28 09:39:28 +00:00)
42676a4074 Accepting request 1124982 from devel:languages:python (Ana Guerrero, 2023-11-13 21:16:19 +00:00)
35e0fa6aa4 - update to 41.0.5: * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4. * Added a function to support an upcoming pyOpenSSL release. parameters in X.509 certificates, which are * Fixed error when using py2app to build an application with a cryptography dependency. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n. - split tests in a multibuild variant to optimize rebuild time a bit * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m. - drop disable-RustExtension.patch: building rust extension now * Re-added a legacy symbol causing problems for older pyOpenSSL use signature. * wheels compiled with OpenSSL 1.1.1h. - Removed support for calling public_bytes() with no arguments, as per * BACKWARDS INCOMPATIBLE: Removed cryptography.hazmat.primitives.asymmetric.utils.encode_rfc6979_signature and cryptography.hazmat.primitives.asymmetric.utils.decode_rfc6979_signature, which had been deprecated for nearly 4 years. Use encode_dss_signature() * BACKWARDS INCOMPATIBLE: Removed cryptography.x509.Certificate.serial, which * Add support for easily mapping an object identifier to its elliptic curve * Add support for OpenSSL when compiled with the no-engine * BACKWARDS INCOMPATIBLE: U-label strings were deprecated in version 2.1, but this version removes the default idna dependency as well. If you still need this deprecated path please install cryptography with the idna extra: * Numerous classes and functions have been updated to allow bytes-like types for keying material and passwords, including symmetric algorithms, * Added rfc4514_string() method to x509.Name, x509.RelativeDistinguishedName, and x509.NameAttribute to format the name * Added from_encoded_point(), which immediately checks if the point is on (Dirk Mueller, 2023-11-10 13:29:19 +00:00)
2c43154be0 Accepting request 1115782 from devel:languages:python (Ana Guerrero, 2023-10-06 19:12:33 +00:00)
c880559867 - update to 41.0.4: * ~~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3. * .. _v41-0-3: (Dirk Mueller, 2023-10-05 09:30:49 +00:00)
08fd477308 Accepting request 1109339 from devel:languages:python (Ana Guerrero, 2023-09-07 19:12:48 +00:00)
0f0452c689 - Update to 39.0.1 (bsc#1208036, CVE-2023-23931): * drops CVE-2023-23931-dont-allow-update-into.patch in older dists (Dirk Mueller, 2023-09-06 20:34:30 +00:00)
9ed6a9c7a8 - update to 41.0.3: * Fixed performance regression loading DH public keys. * Fixed a memory leak when using * :class:~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305. (Dirk Mueller, 2023-08-08 10:57:35 +00:00)
4fea656379 Accepting request 1100618 from devel:languages:python (Ana Guerrero, 2023-07-26 11:22:27 +00:00)
a74a7d5144 - Add reference to bsc#1213378 and CVE-2023-38325 (Daniel Garcia, 2023-07-18 12:05:23 +00:00)
985179992e - update to 41.0.2: * Fixed bugs in creating and parsing SSH certificates where critical options with values were handled incorrectly. Certificates are now created correctly and parsing accepts correct values as well as the previously generated invalid forms with a warning. In the next release, support for parsing these invalid forms will be removed. (Dirk Mueller, 2023-07-11 13:46:03 +00:00)
af1b2b2d21 Accepting request 1098106 from home:ojkastl_buildservice:Branch_devel_languages_python (Dirk Mueller, 2023-07-11 13:39:26 +00:00)
9a5eb8ae60 Accepting request 1098044 from home:mcepl:branches:devel:languages:python (Matej Cepl, 2023-07-11 05:55:34 +00:00)
7fafc344c8 - update to 41.0.1: * Temporarily allow invalid ECDSA signature algorithm parameters in X.509 certificates, which are generated by older versions of Java. * Allow null bytes in pass phrases when serializing private keys. * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL less than 1.1.1d has been removed. Users on older versions of OpenSSL will need to upgrade. * **BACKWARDS INCOMPATIBLE:** Support for Python 3.6 has been removed. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.6. * Updated the minimum supported Rust version (MSRV) to 1.56.0, from 1.48.0. * Added support for the :class:~cryptography.x509.OCSPAcceptableResponses OCSP extension. * Added support for the :class:~cryptography.x509.MSCertificateTemplate proprietary Microsoft certificate extension. * Implemented support for equality checks on all asymmetric public key types. * Added support for aes256-gcm@openssh.com encrypted keys in :func:~cryptography.hazmat.primitives.serialization.load_ssh_private_key. * Added support for obtaining X.509 certificate signature algorithm parameters (including PSS) (Dirk Mueller, 2023-06-19 20:44:25 +00:00)
54a0f9a21e Accepting request 1074567 from home:ojkastl_buildservice:Branch_devel_languages_python (Dirk Mueller, 2023-03-27 07:21:36 +00:00)
d31ee80686 - update to 40.0.1: * Support for Python 3.6 is deprecated and will be removed in the next release. * Deprecated the current minimum supported Rust version (MSRV) of 1.48.0. In the next release we will raise MSRV to 1.56.0. Users with the latest pip will typically get a wheel and not need Rust installed * Deprecated support for OpenSSL less than 1.1.1d. The next release of cryptography will drop support for older versions. * Deprecated support for DSA keys in :func:~cryptography.hazmat.primitives.serialization.load_ssh_public_key and :func:~cryptography.hazmat.primitives.serialization.load_ssh_private_key. * Deprecated support for OpenSSH serialization in :class:~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey and :class:~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey. * Added support for parsing SSH certificates in addition to public keys with :func:~cryptography.hazmat.primitives.serialization.load_ssh_public_identity. :func:~cryptography.hazmat.primitives.serialization.load_ssh_public_key continues to support only public keys. * Added support for generating SSH certificates with :class:~cryptography.hazmat.primitives.serialization.SSHCertificateBuilder. (Dirk Mueller, 2023-03-26 19:59:51 +00:00)
6b5cf01ce1 - update to 39.0.2: * Fixed a bug where the content type header was not properly encoded for PKCS7 signatures when using the Text option and SMIME encoding. (Dirk Mueller, 2023-03-07 07:38:33 +00:00)
7333d27eea - update to 39.0.0: * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.0 has been removed. Users on older versions of OpenSSL will need to upgrade. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.5. The new minimum LibreSSL version is 3.5.0. Going forward our policy is to support versions of LibreSSL that are available in versions of OpenBSD that are still receiving security support. * **BACKWARDS INCOMPATIBLE:** Removed the encode_point and from_encoded_point methods on :class:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers, which had been deprecated for several years. :meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes and :meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point should be used instead. * **BACKWARDS INCOMPATIBLE:** Support for using MD5 or SHA1 in :class:~cryptography.x509.CertificateBuilder, other X.509 builders, and PKCS7 has been removed. * **ANNOUNCEMENT:** The next version of cryptography (40.0) will change the way we link OpenSSL. This will only impact users who build cryptography from source (i.e., not from a wheel), and specify their own version of OpenSSL. For those users, the CFLAGS, LDFLAGS, INCLUDE, LIB, and CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS environment variables will no longer be respected. Instead, users will need to configure their builds as documented here. * Added support for disabling the legacy provider in OpenSSL 3.0.x * Added support for disabling RSA key validation checks when loading RSA keys via ~cryptography.hazmat.primitives.serialization.load_pem_private_key (Dirk Mueller, 2023-01-02 19:50:55 +00:00)
7c43eed0a5 - update to 38.0.1: * Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically seen in large CRLs). * Final deprecation of OpenSSL 1.1.0. The next release of cryptography will drop support. * We no longer ship manylinux2010 wheels. Users should upgrade to the latest pip to ensure this doesn't cause issues downloading wheels on their platform. We now ship manylinux_2_28 wheels for users on new enough platforms. * Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0. Users with the latest pip will typically get a wheel and not need Rust installed, but check :doc:/installation for documentation on installing a newer rustc if required. * :meth:~cryptography.fernet.Fernet.decrypt and related methods now accept both str and bytes tokens. * Parsing CertificateSigningRequest restores the behavior of enforcing that the Extension critical field must be correctly encoded DER. See the issue <https://github.com/pyca/cryptography/issues/6368> for complete details. * Added two new OpenSSL functions to the bindings to support an upcoming pyOpenSSL release. * When parsing :class:~cryptography.x509.CertificateRevocationList and :class:~cryptography.x509.CertificateSigningRequest values, it is now enforced that the version value in the input must be valid according to the rules of :rfc:2986 and :rfc:5280. * Using MD5 or SHA1 in :class:~cryptography.x509.CertificateBuilder and other X.509 builders is deprecated and support will be removed in the next version. * Added additional APIs to :class:~cryptography.x509.certificate_transparency.SignedCertificateTimestamp, including (Dirk Mueller, 2022-09-29 19:43:01 +00:00)