aboutsummaryrefslogtreecommitdiffstats
path: root/contrib
diff options
context:
space:
mode:
authorrobot-piglet <robot-piglet@yandex-team.com>2024-05-29 11:24:01 +0300
committerrobot-piglet <robot-piglet@yandex-team.com>2024-05-29 11:38:19 +0300
commit8788a47c2b48e19d7246346fae2ae5e446575a7a (patch)
treedce7e8e56a7dd1e22b64d7728117163b1cdef1f1 /contrib
parentfc27761312bba603b104749357bd46a7603cf483 (diff)
downloadydb-8788a47c2b48e19d7246346fae2ae5e446575a7a.tar.gz
Intermediate changes
Diffstat (limited to 'contrib')
-rw-r--r--contrib/python/cryptography/next/py3/LICENSE3
-rw-r--r--contrib/python/cryptography/next/py3/LICENSE.APACHE202
-rw-r--r--contrib/python/cryptography/next/py3/LICENSE.BSD27
-rw-r--r--contrib/python/cryptography/next/py3/README.rst68
-rw-r--r--contrib/python/cryptography/next/rust/CHANGELOG.rst2286
-rw-r--r--contrib/python/cryptography/next/rust/CONTRIBUTING.rst23
-rw-r--r--contrib/python/cryptography/next/rust/LICENSE3
-rw-r--r--contrib/python/cryptography/next/rust/LICENSE.APACHE202
-rw-r--r--contrib/python/cryptography/next/rust/LICENSE.BSD27
-rw-r--r--contrib/python/cryptography/next/rust/README.rst68
-rw-r--r--contrib/python/cryptography/next/rust/ci-constraints-requirements.txt197
-rw-r--r--contrib/python/cryptography/ya.make4
12 files changed, 3110 insertions, 0 deletions
diff --git a/contrib/python/cryptography/next/py3/LICENSE b/contrib/python/cryptography/next/py3/LICENSE
new file mode 100644
index 0000000000..b11f379efe
--- /dev/null
+++ b/contrib/python/cryptography/next/py3/LICENSE
@@ -0,0 +1,3 @@
+This software is made available under the terms of *either* of the licenses
+found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made
+under the terms of *both* these licenses.
diff --git a/contrib/python/cryptography/next/py3/LICENSE.APACHE b/contrib/python/cryptography/next/py3/LICENSE.APACHE
new file mode 100644
index 0000000000..62589edd12
--- /dev/null
+++ b/contrib/python/cryptography/next/py3/LICENSE.APACHE
@@ -0,0 +1,202 @@
+
+ Apache License
+ Version 2.0, January 2004
+ https://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/contrib/python/cryptography/next/py3/LICENSE.BSD b/contrib/python/cryptography/next/py3/LICENSE.BSD
new file mode 100644
index 0000000000..ec1a29d34d
--- /dev/null
+++ b/contrib/python/cryptography/next/py3/LICENSE.BSD
@@ -0,0 +1,27 @@
+Copyright (c) Individual contributors.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ 3. Neither the name of PyCA Cryptography nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/contrib/python/cryptography/next/py3/README.rst b/contrib/python/cryptography/next/py3/README.rst
new file mode 100644
index 0000000000..d71765b8db
--- /dev/null
+++ b/contrib/python/cryptography/next/py3/README.rst
@@ -0,0 +1,68 @@
+pyca/cryptography
+=================
+
+.. image:: https://img.shields.io/pypi/v/cryptography.svg
+ :target: https://pypi.org/project/cryptography/
+ :alt: Latest Version
+
+.. image:: https://readthedocs.org/projects/cryptography/badge/?version=latest
+ :target: https://cryptography.io
+ :alt: Latest Docs
+
+.. image:: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
+ :target: https://github.com/pyca/cryptography/actions?query=workflow%3ACI+branch%3Amain
+
+
+``cryptography`` is a package which provides cryptographic recipes and
+primitives to Python developers. Our goal is for it to be your "cryptographic
+standard library". It supports Python 3.7+ and PyPy3 7.3.10+.
+
+``cryptography`` includes both high level recipes and low level interfaces to
+common cryptographic algorithms such as symmetric ciphers, message digests, and
+key derivation functions. For example, to encrypt something with
+``cryptography``'s high level symmetric encryption recipe:
+
+.. code-block:: pycon
+
+ >>> from cryptography.fernet import Fernet
+ >>> # Put this somewhere safe!
+ >>> key = Fernet.generate_key()
+ >>> f = Fernet(key)
+ >>> token = f.encrypt(b"A really secret message. Not for prying eyes.")
+ >>> token
+ b'...'
+ >>> f.decrypt(token)
+ b'A really secret message. Not for prying eyes.'
+
+You can find more information in the `documentation`_.
+
+You can install ``cryptography`` with:
+
+.. code-block:: console
+
+ $ pip install cryptography
+
+For full details see `the installation documentation`_.
+
+Discussion
+~~~~~~~~~~
+
+If you run into bugs, you can file them in our `issue tracker`_.
+
+We maintain a `cryptography-dev`_ mailing list for development discussion.
+
+You can also join ``#pyca`` on ``irc.libera.chat`` to ask questions or get
+involved.
+
+Security
+~~~~~~~~
+
+Need to report a security issue? Please consult our `security reporting`_
+documentation.
+
+
+.. _`documentation`: https://cryptography.io/
+.. _`the installation documentation`: https://cryptography.io/en/latest/installation/
+.. _`issue tracker`: https://github.com/pyca/cryptography/issues
+.. _`cryptography-dev`: https://mail.python.org/mailman/listinfo/cryptography-dev
+.. _`security reporting`: https://cryptography.io/en/latest/security/
diff --git a/contrib/python/cryptography/next/rust/CHANGELOG.rst b/contrib/python/cryptography/next/rust/CHANGELOG.rst
new file mode 100644
index 0000000000..857a32f673
--- /dev/null
+++ b/contrib/python/cryptography/next/rust/CHANGELOG.rst
@@ -0,0 +1,2286 @@
+Changelog
+=========
+
+.. _v41-0-6:
+
+41.0.6 - 2023-11-27
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed a null-pointer-dereference and segfault that could occur when loading
+ certificates from a PKCS#7 bundle. Credit to **pkuzco** for reporting the
+ issue. **CVE-2023-49083**
+
+.. _v41-0-5:
+
+41.0.5 - 2023-10-24
+~~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4.
+* Added a function to support an upcoming ``pyOpenSSL`` release.
+
+.. _v41-0-4:
+
+41.0.4 - 2023-09-19
+~~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3.
+
+.. _v41-0-3:
+
+41.0.3 - 2023-08-01
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed performance regression loading DH public keys.
+* Fixed a memory leak when using
+ :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`.
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.2.
+
+.. _v41-0-2:
+
+41.0.2 - 2023-07-10
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed bugs in creating and parsing SSH certificates where critical options
+ with values were handled incorrectly. Certificates are now created correctly
+ and parsing accepts correct values as well as the previously generated
+ invalid forms with a warning. In the next release, support for parsing these
+ invalid forms will be removed.
+
+.. _v41-0-1:
+
+41.0.1 - 2023-06-01
+~~~~~~~~~~~~~~~~~~~
+
+* Temporarily allow invalid ECDSA signature algorithm parameters in X.509
+ certificates, which are generated by older versions of Java.
+* Allow null bytes in pass phrases when serializing private keys.
+
+.. _v41-0-0:
+
+41.0.0 - 2023-05-30
+~~~~~~~~~~~~~~~~~~~
+
+* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL less than 1.1.1d has been
+ removed. Users on older version of OpenSSL will need to upgrade.
+* **BACKWARDS INCOMPATIBLE:** Support for Python 3.6 has been removed.
+* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.6.
+* Updated the minimum supported Rust version (MSRV) to 1.56.0, from 1.48.0.
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.1.
+* Added support for the :class:`~cryptography.x509.OCSPAcceptableResponses`
+ OCSP extension.
+* Added support for the :class:`~cryptography.x509.MSCertificateTemplate`
+ proprietary Microsoft certificate extension.
+* Implemented support for equality checks on all asymmetric public key types.
+* Added support for ``aes256-gcm@openssh.com`` encrypted keys in
+ :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`.
+* Added support for obtaining X.509 certificate signature algorithm parameters
+ (including PSS) via
+ :meth:`~cryptography.x509.Certificate.signature_algorithm_parameters`.
+* Support signing :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`
+ X.509 certificates via the new keyword-only argument ``rsa_padding`` on
+ :meth:`~cryptography.x509.CertificateBuilder.sign`.
+* Added support for
+ :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`
+ on BoringSSL.
+
+.. _v40-0-2:
+
+40.0.2 - 2023-04-14
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed compilation when using LibreSSL 3.7.2.
+* Added some functions to support an upcoming ``pyOpenSSL`` release.
+
+.. _v40-0-1:
+
+40.0.1 - 2023-03-24
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed a bug where certain operations would fail if an object happened to be
+ in the top-half of the memory-space. This only impacted 32-bit systems.
+
+.. _v40-0-0:
+
+40.0.0 - 2023-03-24
+~~~~~~~~~~~~~~~~~~~
+
+
+* **BACKWARDS INCOMPATIBLE:** As announced in the 39.0.0 changelog, the way
+ ``cryptography`` links OpenSSL has changed. This only impacts users who
+ build ``cryptography`` from source (i.e., not from a ``wheel``), and
+ specify their own version of OpenSSL. For those users, the ``CFLAGS``,
+ ``LDFLAGS``, ``INCLUDE``, ``LIB``, and ``CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS``
+ environment variables are no longer valid. Instead, users need to configure
+ their builds `as documented here`_.
+* Support for Python 3.6 is deprecated and will be removed in the next
+ release.
+* Deprecated the current minimum supported Rust version (MSRV) of 1.48.0.
+ In the next release we will raise MSRV to 1.56.0. Users with the latest
+ ``pip`` will typically get a wheel and not need Rust installed, but check
+ :doc:`/installation` for documentation on installing a newer ``rustc`` if
+ required.
+* Deprecated support for OpenSSL less than 1.1.1d. The next release of
+ ``cryptography`` will drop support for older versions.
+* Deprecated support for DSA keys in
+ :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`
+ and
+ :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`.
+* Deprecated support for OpenSSH serialization in
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`
+ and
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`.
+* The minimum supported version of PyPy3 is now 7.3.10.
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.0.
+* Added support for parsing SSH certificates in addition to public keys with
+ :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_identity`.
+ :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`
+ continues to support only public keys.
+* Added support for generating SSH certificates with
+ :class:`~cryptography.hazmat.primitives.serialization.SSHCertificateBuilder`.
+* Added :meth:`~cryptography.x509.Certificate.verify_directly_issued_by` to
+ :class:`~cryptography.x509.Certificate`.
+* Added a check to :class:`~cryptography.x509.NameConstraints` to ensure that
+ :class:`~cryptography.x509.DNSName` constraints do not contain any ``*``
+ wildcards.
+* Removed many unused CFFI OpenSSL bindings. This will not impact you unless
+ you are using ``cryptography`` to directly invoke OpenSSL's C API. Note that
+ these have never been considered a stable, supported, public API by
+ ``cryptography``, this note is included as a courtesy.
+* The X.509 builder classes now raise ``UnsupportedAlgorithm`` instead of
+ ``ValueError`` if an unsupported hash algorithm is passed.
+* Added public union type aliases for type hinting:
+
+ * Asymmetric types:
+ :const:`~cryptography.hazmat.primitives.asymmetric.types.PublicKeyTypes`,
+ :const:`~cryptography.hazmat.primitives.asymmetric.types.PrivateKeyTypes`,
+ :const:`~cryptography.hazmat.primitives.asymmetric.types.CertificatePublicKeyTypes`,
+ :const:`~cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPublicKeyTypes`,
+ :const:`~cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPrivateKeyTypes`.
+ * SSH keys:
+ :const:`~cryptography.hazmat.primitives.serialization.SSHPublicKeyTypes`,
+ :const:`~cryptography.hazmat.primitives.serialization.SSHPrivateKeyTypes`,
+ :const:`~cryptography.hazmat.primitives.serialization.SSHCertPublicKeyTypes`,
+ :const:`~cryptography.hazmat.primitives.serialization.SSHCertPrivateKeyTypes`.
+ * PKCS12:
+ :const:`~cryptography.hazmat.primitives.serialization.pkcs12.PKCS12PrivateKeyTypes`
+ * PKCS7:
+ :const:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7HashTypes`,
+ :const:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7PrivateKeyTypes`.
+ * Two-factor:
+ :const:`~cryptography.hazmat.primitives.twofactor.hotp.HOTPHashTypes`
+
+* Deprecated previously undocumented but not private type aliases in the
+ ``cryptography.hazmat.primitives.asymmetric.types`` module in favor of new
+ ones above.
+
+
+.. _v39-0-2:
+
+
+39.0.2 - 2023-03-02
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed a bug where the content type header was not properly encoded for
+ PKCS7 signatures when using the ``Text`` option and ``SMIME`` encoding.
+
+
+.. _v39-0-1:
+
+39.0.1 - 2023-02-07
+~~~~~~~~~~~~~~~~~~~
+
+* **SECURITY ISSUE** - Fixed a bug where ``Cipher.update_into`` accepted Python
+ buffer protocol objects, but allowed immutable buffers. **CVE-2023-23931**
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8.
+
+.. _v39-0-0:
+
+39.0.0 - 2023-01-01
+~~~~~~~~~~~~~~~~~~~
+
+* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.0 has been removed.
+ Users on older version of OpenSSL will need to upgrade.
+* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.5. The new
+ minimum LibreSSL version is 3.5.0. Going forward our policy is to support
+ versions of LibreSSL that are available in versions of OpenBSD that are
+ still receiving security support.
+* **BACKWARDS INCOMPATIBLE:** Removed the ``encode_point`` and
+ ``from_encoded_point`` methods on
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`,
+ which had been deprecated for several years.
+ :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes`
+ and
+ :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point`
+ should be used instead.
+* **BACKWARDS INCOMPATIBLE:** Support for using MD5 or SHA1 in
+ :class:`~cryptography.x509.CertificateBuilder`, other X.509 builders, and
+ PKCS7 has been removed.
+* **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.10 and 10.11, macOS
+ users must upgrade to 10.12 or newer.
+* **ANNOUNCEMENT:** The next version of ``cryptography`` (40.0) will change
+ the way we link OpenSSL. This will only impact users who build
+ ``cryptography`` from source (i.e., not from a ``wheel``), and specify their
+ own version of OpenSSL. For those users, the ``CFLAGS``, ``LDFLAGS``,
+ ``INCLUDE``, ``LIB``, and ``CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS`` environment
+ variables will no longer be respected. Instead, users will need to
+ configure their builds `as documented here`_.
+* Added support for
+ :ref:`disabling the legacy provider in OpenSSL 3.0.x<legacy-provider>`.
+* Added support for disabling RSA key validation checks when loading RSA
+ keys via
+ :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,
+ :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,
+ and
+ :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers.private_key`.
+ This speeds up key loading but is :term:`unsafe` if you are loading potentially
+ attacker supplied keys.
+* Significantly improved performance for
+ :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`
+ when repeatedly calling ``encrypt`` or ``decrypt`` with the same key.
+* Added support for creating OCSP requests with precomputed hashes using
+ :meth:`~cryptography.x509.ocsp.OCSPRequestBuilder.add_certificate_by_hash`.
+* Added support for loading multiple PEM-encoded X.509 certificates from
+ a single input via :func:`~cryptography.x509.load_pem_x509_certificates`.
+
+.. _v38-0-4:
+
+38.0.4 - 2022-11-27
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed compilation when using LibreSSL 3.6.0.
+* Fixed error when using ``py2app`` to build an application with a
+ ``cryptography`` dependency.
+
+.. _v38-0-3:
+
+38.0.3 - 2022-11-01
+~~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.7,
+ which resolves *CVE-2022-3602* and *CVE-2022-3786*.
+
+.. _v38-0-2:
+
+38.0.2 - 2022-10-11 (YANKED)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. attention::
+
+ This release was subsequently yanked from PyPI due to a regression in OpenSSL.
+
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.6.
+
+
+.. _v38-0-1:
+
+38.0.1 - 2022-09-07
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically
+ seen in large CRLs).
+
+.. _v38-0-0:
+
+38.0.0 - 2022-09-06
+~~~~~~~~~~~~~~~~~~~
+
+* Final deprecation of OpenSSL 1.1.0. The next release of ``cryptography``
+ will drop support.
+* We no longer ship ``manylinux2010`` wheels. Users should upgrade to the
+ latest ``pip`` to ensure this doesn't cause issues downloading wheels on
+ their platform. We now ship ``manylinux_2_28`` wheels for users on new
+ enough platforms.
+* Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0.
+ Users with the latest ``pip`` will typically get a wheel and not need Rust
+ installed, but check :doc:`/installation` for documentation on installing a
+ newer ``rustc`` if required.
+* :meth:`~cryptography.fernet.Fernet.decrypt` and related methods now accept
+ both ``str`` and ``bytes`` tokens.
+* Parsing ``CertificateSigningRequest`` restores the behavior of enforcing
+ that the ``Extension`` ``critical`` field must be correctly encoded DER. See
+ `the issue <https://github.com/pyca/cryptography/issues/6368>`_ for complete
+ details.
+* Added two new OpenSSL functions to the bindings to support an upcoming
+ ``pyOpenSSL`` release.
+* When parsing :class:`~cryptography.x509.CertificateRevocationList` and
+ :class:`~cryptography.x509.CertificateSigningRequest` values, it is now
+ enforced that the ``version`` value in the input must be valid according to
+ the rules of :rfc:`2986` and :rfc:`5280`.
+* Using MD5 or SHA1 in :class:`~cryptography.x509.CertificateBuilder` and
+ other X.509 builders is deprecated and support will be removed in the next
+ version.
+* Added additional APIs to
+ :class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp`, including
+ :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_hash_algorithm`,
+ :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_algorithm`,
+ :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature`, and
+ :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.extension_bytes`.
+* Added :attr:`~cryptography.x509.Certificate.tbs_precertificate_bytes`, allowing
+ users to access the to-be-signed pre-certificate data needed for signed
+ certificate timestamp verification.
+* :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC` and
+ :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC` now support
+ :attr:`~cryptography.hazmat.primitives.kdf.kbkdf.CounterLocation.MiddleFixed`
+ counter location.
+* Fixed :rfc:`4514` name parsing to reverse the order of the RDNs according
+ to the section 2.1 of the RFC, affecting method
+ :meth:`~cryptography.x509.Name.from_rfc4514_string`.
+* It is now possible to customize some aspects of encryption when serializing
+ private keys, using
+ :meth:`~cryptography.hazmat.primitives.serialization.PrivateFormat.encryption_builder`.
+* Removed several legacy symbols from our OpenSSL bindings. Users of pyOpenSSL
+ versions older than 22.0 will need to upgrade.
+* Added
+ :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES128` and
+ :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES256` classes.
+ These classes do not replace
+ :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` (which
+ allows all AES key lengths), but are intended for applications where
+ developers want to be explicit about key length.
+
+.. _v37-0-4:
+
+37.0.4 - 2022-07-05
+~~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.5.
+
+.. _v37-0-3:
+
+37.0.3 - 2022-06-21 (YANKED)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. attention::
+
+ This release was subsequently yanked from PyPI due to a regression in OpenSSL.
+
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.4.
+
+.. _v37-0-2:
+
+37.0.2 - 2022-05-03
+~~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.3.
+* Added a constant needed for an upcoming pyOpenSSL release.
+
+.. _v37-0-1:
+
+37.0.1 - 2022-04-27
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed an issue where parsing an encrypted private key with the public
+ loader functions would hang waiting for console input on OpenSSL 3.0.x rather
+ than raising an error.
+* Restored some legacy symbols for older ``pyOpenSSL`` users. These will be
+ removed again in the future, so ``pyOpenSSL`` users should still upgrade
+ to the latest version of that package when they upgrade ``cryptography``.
+
+.. _v37-0-0:
+
+37.0.0 - 2022-04-26
+~~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2.
+* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x and 3.0.x.
+ The new minimum LibreSSL version is 3.1+.
+* **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier`` methods
+ from the public key and private key classes. These methods were originally
+ deprecated in version 2.0, but had an extended deprecation timeline due
+ to usage. Any remaining users should transition to ``sign`` and ``verify``.
+* Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by
+ the OpenSSL project. The next release of ``cryptography`` will be the last
+ to support compiling with OpenSSL 1.1.0.
+* Deprecated Python 3.6 support. Python 3.6 is no longer supported by the
+ Python core team. Support for Python 3.6 will be removed in a future
+ ``cryptography`` release.
+* Deprecated the current minimum supported Rust version (MSRV) of 1.41.0.
+ In the next release we will raise MSRV to 1.48.0. Users with the latest
+ ``pip`` will typically get a wheel and not need Rust installed, but check
+ :doc:`/installation` for documentation on installing a newer ``rustc`` if
+ required.
+* Deprecated
+ :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`,
+ :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`,
+ :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and
+ :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish` because
+ they are legacy algorithms with extremely low usage. These will be removed
+ in a future version of ``cryptography``.
+* Added limited support for distinguished names containing a bit string.
+* We now ship ``universal2`` wheels on macOS, which contain both ``arm64``
+ and ``x86_64`` architectures. Users on macOS should upgrade to the latest
+ ``pip`` to ensure they can use this wheel, although we will continue to
+ ship ``x86_64`` specific wheels for now to ease the transition.
+* This will be the final release for which we ship ``manylinux2010`` wheels.
+ Going forward the minimum supported ``manylinux`` ABI for our wheels will
+ be ``manylinux2014``. The vast majority of users will continue to receive
+ ``manylinux`` wheels provided they have an up to date ``pip``. For PyPy
+ wheels this release already requires ``manylinux2014`` for compatibility
+ with binaries distributed by upstream.
+* Added support for multiple
+ :class:`~cryptography.x509.ocsp.OCSPSingleResponse` in a
+ :class:`~cryptography.x509.ocsp.OCSPResponse`.
+* Restored support for signing certificates and other structures in
+ :doc:`/x509/index` with SHA3 hash algorithms.
+* :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` is
+ disabled in FIPS mode.
+* Added support for serialization of PKCS#12 CA friendly names/aliases in
+ :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`
+* Added support for 12-15 byte (96 to 120 bit) nonces to
+ :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`. This class
+ previously supported only 12 byte (96 bit).
+* Added support for
+ :class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV` when using
+ OpenSSL 3.0.0+.
+* Added support for serializing PKCS7 structures from a list of
+ certificates with
+ :class:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates`.
+* Added support for parsing :rfc:`4514` strings with
+ :meth:`~cryptography.x509.Name.from_rfc4514_string`.
+* Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.AUTO` to
+ :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This can
+ be used to verify a signature where the salt length is not already known.
+* Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.DIGEST_LENGTH`
+ to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This
+ constant will set the salt length to the same length as the ``PSS`` hash
+ algorithm.
+* Added support for loading RSA-PSS key types with
+ :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`
+ and
+ :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`.
+ This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a
+ normal RSA private key, discarding the PSS constraint information.
+
+.. _v36-0-2:
+
+36.0.2 - 2022-03-15
+~~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n.
+
+.. _v36-0-1:
+
+36.0.1 - 2021-12-14
+~~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m.
+
+.. _v36-0-0:
+
+36.0.0 - 2021-11-21
+~~~~~~~~~~~~~~~~~~~
+
+* **FINAL DEPRECATION** Support for ``verifier`` and ``signer`` on our
+ asymmetric key classes was deprecated in version 2.0. These functions had an
+ extended deprecation due to usage, however the next version of
+ ``cryptography`` will drop support. Users should migrate to ``sign`` and
+ ``verify``.
+* The entire :doc:`/x509/index` layer is now written in Rust. This allows
+ alternate asymmetric key implementations that can support cloud key
+ management services or hardware security modules provided they implement
+ the necessary interface (for example:
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`).
+* :ref:`Deprecated the backend argument<faq-missing-backend>` for all
+ functions.
+* Added support for
+ :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`.
+* Added support for iterating over arbitrary request
+ :attr:`~cryptography.x509.CertificateSigningRequest.attributes`.
+* Deprecated the ``get_attribute_for_oid`` method on
+ :class:`~cryptography.x509.CertificateSigningRequest` in favor of
+ :meth:`~cryptography.x509.Attributes.get_attribute_for_oid` on the new
+ :class:`~cryptography.x509.Attributes` object.
+* Fixed handling of PEM files to allow loading when certificate and key are
+ in the same file.
+* Fixed parsing of :class:`~cryptography.x509.CertificatePolicies` extensions
+ containing legacy ``BMPString`` values in their ``explicitText``.
+* Allow parsing of negative serial numbers in certificates. Negative serial
+ numbers are prohibited by :rfc:`5280` so a deprecation warning will be
+ raised whenever they are encountered. A future version of ``cryptography``
+ will drop support for parsing them.
+* Added support for parsing PKCS12 files with friendly names for all
+ certificates with
+ :func:`~cryptography.hazmat.primitives.serialization.pkcs12.load_pkcs12`,
+ which will return an object of type
+ :class:`~cryptography.hazmat.primitives.serialization.pkcs12.PKCS12KeyAndCertificates`.
+* :meth:`~cryptography.x509.Name.rfc4514_string` and related methods now have
+ an optional ``attr_name_overrides`` parameter to supply custom OID to name
+ mappings, which can be used to match vendor-specific extensions.
+* **BACKWARDS INCOMPATIBLE:** Reverted the nonstandard formatting of
+ email address fields as ``E`` in
+ :meth:`~cryptography.x509.Name.rfc4514_string` methods from version 35.0.
+
+ The previous behavior can be restored with:
+ ``name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})``
+* Allow
+ :class:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey`
+ and
+ :class:`~cryptography.hazmat.primitives.asymmetric.x448.X448PublicKey` to
+ be used as public keys when parsing certificates or creating them with
+ :class:`~cryptography.x509.CertificateBuilder`. These key types must be
+ signed with a different signing algorithm as ``X25519`` and ``X448`` do
+ not support signing.
+* Extension values can now be serialized to a DER byte string by calling
+ :func:`~cryptography.x509.ExtensionType.public_bytes`.
+* Added experimental support for compiling against BoringSSL. As BoringSSL
+ does not commit to a stable API, ``cryptography`` tests against the
+ latest commit only. Please note that several features are not available
+ when building against BoringSSL.
+* Parsing ``CertificateSigningRequest`` from DER and PEM now, for a limited
+ time period, allows the ``Extension`` ``critical`` field to be incorrectly
+ encoded. See `the issue <https://github.com/pyca/cryptography/issues/6368>`_
+ for complete details. This will be reverted in a future ``cryptography``
+ release.
+* When :class:`~cryptography.x509.OCSPNonce` are parsed and generated their
+ value is now correctly wrapped in an ASN.1 ``OCTET STRING``. This conforms
+ to :rfc:`6960` but conflicts with the original behavior specified in
+ :rfc:`2560`. For a temporary period for backwards compatibility, we will
+ also parse values that are encoded as specified in :rfc:`2560` but this
+ behavior will be removed in a future release.
+
+.. _v35-0-0:
+
+35.0.0 - 2021-09-29
+~~~~~~~~~~~~~~~~~~~
+
+* Changed the :ref:`version scheme <api-stability:versioning>`. This will
+ result in us incrementing the major version more frequently, but does not
+ change our existing backwards compatibility policy.
+* **BACKWARDS INCOMPATIBLE:** The :doc:`/x509/index` PEM parsers now require
+ that the PEM string passed have PEM delimiters of the correct type. For
+ example, parsing a private key PEM concatenated with a certificate PEM will
+ no longer be accepted by the PEM certificate parser.
+* **BACKWARDS INCOMPATIBLE:** The X.509 certificate parser no longer allows
+ negative serial numbers. :rfc:`5280` has always prohibited these.
+* **BACKWARDS INCOMPATIBLE:** Additional forms of invalid ASN.1 found during
+ :doc:`/x509/index` parsing will raise an error on initial parse rather than
+ when the malformed field is accessed.
+* Rust is now required for building ``cryptography``, the
+ ``CRYPTOGRAPHY_DONT_BUILD_RUST`` environment variable is no longer
+ respected.
+* Parsers for :doc:`/x509/index` no longer use OpenSSL and have been
+ rewritten in Rust. This should be backwards compatible (modulo the items
+ listed above) and improve both security and performance.
+* Added support for OpenSSL 3.0.0 as a compilation target.
+* Added support for
+ :class:`~cryptography.hazmat.primitives.hashes.SM3` and
+ :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SM4`,
+ when using OpenSSL 1.1.1. These algorithms are provided for compatibility
+ in regions where they may be required, and are not generally recommended.
+* We now ship ``manylinux_2_24`` and ``musllinux_1_1`` wheels, in addition to
+ our ``manylinux2010`` and ``manylinux2014`` wheels. Users on distributions
+ like Alpine Linux should ensure they upgrade to the latest ``pip`` to
+ correctly receive wheels.
+* Added ``rfc4514_attribute_name`` attribute to :attr:`x509.NameAttribute
+ <cryptography.x509.NameAttribute.rfc4514_attribute_name>`.
+* Added :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC`.
+
+.. _v3-4-8:
+
+3.4.8 - 2021-08-24
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
+ OpenSSL 1.1.1l.
+
+.. _v3-4-7:
+
+3.4.7 - 2021-03-25
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
+ OpenSSL 1.1.1k.
+
+.. _v3-4-6:
+
+3.4.6 - 2021-02-16
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
+ OpenSSL 1.1.1j.
+
+.. _v3-4-5:
+
+3.4.5 - 2021-02-13
+~~~~~~~~~~~~~~~~~~
+
+* Various improvements to type hints.
+* Lower the minimum supported Rust version (MSRV) to >=1.41.0. This change
+ improves compatibility with system-provided Rust on several Linux
+ distributions.
+* ``cryptography`` will be switching to a new versioning scheme with its next
+ feature release. More information is available in our
+ :doc:`/api-stability` documentation.
+
+.. _v3-4-4:
+
+3.4.4 - 2021-02-09
+~~~~~~~~~~~~~~~~~~
+
+* Added a ``py.typed`` file so that ``mypy`` will know to use our type
+ annotations.
+* Fixed an import cycle that could be triggered by certain import sequences.
+
+.. _v3-4-3:
+
+3.4.3 - 2021-02-08
+~~~~~~~~~~~~~~~~~~
+
+* Specify our supported Rust version (>=1.45.0) in our ``setup.py`` so users
+ on older versions will get a clear error message.
+
+.. _v3-4-2:
+
+3.4.2 - 2021-02-08
+~~~~~~~~~~~~~~~~~~
+
+* Improvements to make the rust transition a bit easier. This includes some
+ better error messages and small dependency fixes. If you experience
+ installation problems **Be sure to update pip** first, then check the
+ :doc:`FAQ </faq>`.
+
+.. _v3-4-1:
+
+3.4.1 - 2021-02-07
+~~~~~~~~~~~~~~~~~~
+
+* Fixed a circular import issue.
+* Added additional debug output to assist users seeing installation errors
+ due to outdated ``pip`` or missing ``rustc``.
+
+.. _v3-4:
+
+3.4 - 2021-02-07
+~~~~~~~~~~~~~~~~
+
+* **BACKWARDS INCOMPATIBLE:** Support for Python 2 has been removed.
+* We now ship ``manylinux2014`` wheels and no longer ship ``manylinux1``
+ wheels. Users should upgrade to the latest ``pip`` to ensure this doesn't
+ cause issues downloading wheels on their platform.
+* ``cryptography`` now incorporates Rust code. Users building ``cryptography``
+ themselves will need to have the Rust toolchain installed. Users who use an
+ officially produced wheel will not need to make any changes. The minimum
+ supported Rust version is 1.45.0.
+* ``cryptography`` now has :pep:`484` type hints on nearly all of of its public
+ APIs. Users can begin using them to type check their code with ``mypy``.
+
+.. _v3-3-2:
+
+3.3.2 - 2021-02-07
+~~~~~~~~~~~~~~~~~~
+
+* **SECURITY ISSUE:** Fixed a bug where certain sequences of ``update()`` calls
+ when symmetrically encrypting very large payloads (>2GB) could result in an
+ integer overflow, leading to buffer overflows. *CVE-2020-36242* **Update:**
+ This fix is a workaround for *CVE-2021-23840* in OpenSSL, fixed in OpenSSL
+ 1.1.1j.
+
+.. _v3-3-1:
+
+3.3.1 - 2020-12-09
+~~~~~~~~~~~~~~~~~~
+
+* Re-added a legacy symbol causing problems for older ``pyOpenSSL`` users.
+
+.. _v3-3:
+
+3.3 - 2020-12-08
+~~~~~~~~~~~~~~~~
+
+* **BACKWARDS INCOMPATIBLE:** Support for Python 3.5 has been removed due to
+ low usage and maintenance burden.
+* **BACKWARDS INCOMPATIBLE:** The
+ :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` and
+ :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM` now require
+ 64-bit to 1024-bit (8 byte to 128 byte) initialization vectors. This change
+ is to conform with an upcoming OpenSSL release that will no longer support
+ sizes outside this window.
+* **BACKWARDS INCOMPATIBLE:** When deserializing asymmetric keys we now
+ raise ``ValueError`` rather than ``UnsupportedAlgorithm`` when an
+ unsupported cipher is used. This change is to conform with an upcoming
+ OpenSSL release that will no longer distinguish between error types.
+* **BACKWARDS INCOMPATIBLE:** We no longer allow loading of finite field
+ Diffie-Hellman parameters of less than 512 bits in length. This change is to
+ conform with an upcoming OpenSSL release that no longer supports smaller
+ sizes. These keys were already wildly insecure and should not have been used
+ in any application outside of testing.
+* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
+ OpenSSL 1.1.1i.
+* Python 2 support is deprecated in ``cryptography``. This is the last release
+ that will support Python 2.
+* Added the
+ :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey.recover_data_from_signature`
+ function to
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`
+ for recovering the signed data from an RSA signature.
+
+.. _v3-2-1:
+
+3.2.1 - 2020-10-27
+~~~~~~~~~~~~~~~~~~
+
+* Disable blinding on RSA public keys to address an error with some versions
+ of OpenSSL.
+
+.. _v3-2:
+
+3.2 - 2020-10-25
+~~~~~~~~~~~~~~~~
+
+* **SECURITY ISSUE:** Attempted to make RSA PKCS#1v1.5 decryption more constant
+ time, to protect against Bleichenbacher vulnerabilities. Due to limitations
+ imposed by our API, we cannot completely mitigate this vulnerability and a
+ future release will contain a new API which is designed to be resilient to
+ these for contexts where it is required. Credit to **Hubert Kario** for
+ reporting the issue. *CVE-2020-25659*
+* Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL
+ will need to upgrade.
+* Added basic support for PKCS7 signing (including SMIME) via
+ :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder`.
+
+.. _v3-1-1:
+
+3.1.1 - 2020-09-22
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
+ OpenSSL 1.1.1h.
+
+.. _v3-1:
+
+3.1 - 2020-08-26
+~~~~~~~~~~~~~~~~
+
+* **BACKWARDS INCOMPATIBLE:** Removed support for ``idna`` based
+ :term:`U-label` parsing in various X.509 classes. This support was originally
+ deprecated in version 2.1 and moved to an extra in 2.5.
+* Deprecated OpenSSL 1.0.2 support. OpenSSL 1.0.2 is no longer supported by
+ the OpenSSL project. The next version of ``cryptography`` will drop support
+ for it.
+* Deprecated support for Python 3.5. This version sees very little use and will
+ be removed in the next release.
+* ``backend`` arguments to functions are no longer required and the
+ default backend will automatically be selected if no ``backend`` is provided.
+* Added initial support for parsing certificates from PKCS7 files with
+ :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
+ and
+ :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`
+ .
+* Calling ``update`` or ``update_into`` on
+ :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with ``data``
+ longer than 2\ :sup:`31` bytes no longer raises an ``OverflowError``. This
+ also resolves the same issue in :doc:`/fernet`.
+
+.. _v3-0:
+
+3.0 - 2020-07-20
+~~~~~~~~~~~~~~~~
+
+* **BACKWARDS INCOMPATIBLE:** Removed support for passing an
+ :class:`~cryptography.x509.Extension` instance to
+ :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`,
+ as per our deprecation policy.
+* **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has
+ been removed (2.9.1+ is still supported).
+* **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.9, macOS users must
+ upgrade to 10.10 or newer.
+* **BACKWARDS INCOMPATIBLE:** RSA
+ :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key`
+ no longer accepts ``public_exponent`` values except 65537 and 3 (the latter
+ for legacy purposes).
+* **BACKWARDS INCOMPATIBLE:** X.509 certificate parsing now enforces that the
+ ``version`` field contains a valid value, rather than deferring this check
+ until :attr:`~cryptography.x509.Certificate.version` is accessed.
+* Deprecated support for Python 2. At the time there is no time table for
+ actually dropping support, however we strongly encourage all users to upgrade
+ their Python, as Python 2 no longer receives support from the Python core
+ team.
+
+ If you have trouble suppressing this warning in tests view the :ref:`FAQ
+ entry addressing this issue <faq-howto-handle-deprecation-warning>`.
+
+* Added support for ``OpenSSH`` serialization format for
+ ``ec``, ``ed25519``, ``rsa`` and ``dsa`` private keys:
+ :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`
+ for loading and
+ :attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.OpenSSH`
+ for writing.
+* Added support for ``OpenSSH`` certificates to
+ :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`.
+* Added :meth:`~cryptography.fernet.Fernet.encrypt_at_time` and
+ :meth:`~cryptography.fernet.Fernet.decrypt_at_time` to
+ :class:`~cryptography.fernet.Fernet`.
+* Added support for the :class:`~cryptography.x509.SubjectInformationAccess`
+ X.509 extension.
+* Added support for parsing
+ :class:`~cryptography.x509.SignedCertificateTimestamps` in OCSP responses.
+* Added support for parsing attributes in certificate signing requests via
+ ``CertificateSigningRequest.get_attribute_for_oid``.
+* Added support for encoding attributes in certificate signing requests via
+ :meth:`~cryptography.x509.CertificateSigningRequestBuilder.add_attribute`.
+* On OpenSSL 1.1.1d and higher ``cryptography`` now uses OpenSSL's
+ built-in CSPRNG instead of its own OS random engine because these versions of
+ OpenSSL properly reseed on fork.
+* Added initial support for creating PKCS12 files with
+ :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`.
+
+.. _v2-9-2:
+
+2.9.2 - 2020-04-22
+~~~~~~~~~~~~~~~~~~
+
+* Updated the macOS wheel to fix an issue where it would not run on macOS
+ versions older than 10.15.
+
+.. _v2-9-1:
+
+2.9.1 - 2020-04-21
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
+ OpenSSL 1.1.1g.
+
+.. _v2-9:
+
+2.9 - 2020-04-02
+~~~~~~~~~~~~~~~~
+
+* **BACKWARDS INCOMPATIBLE:** Support for Python 3.4 has been removed due to
+ low usage and maintenance burden.
+* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.0.1 has been removed.
+ Users on older version of OpenSSL will need to upgrade.
+* **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.6.x has been removed.
+* Removed support for calling
+ :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey.public_bytes`
+ with no arguments, as per our deprecation policy. You must now pass
+ ``encoding`` and ``format``.
+* **BACKWARDS INCOMPATIBLE:** Reversed the order in which
+ :meth:`~cryptography.x509.Name.rfc4514_string` returns the RDNs
+ as required by :rfc:`4514`.
+* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
+ OpenSSL 1.1.1f.
+* Added support for parsing
+ :attr:`~cryptography.x509.ocsp.OCSPResponse.single_extensions` in an OCSP
+ response.
+* :class:`~cryptography.x509.NameAttribute` values can now be empty strings.
+
+.. _v2-8:
+
+2.8 - 2019-10-16
+~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
+ OpenSSL 1.1.1d.
+* Added support for Python 3.8.
+* Added class methods
+ :meth:`Poly1305.generate_tag
+ <cryptography.hazmat.primitives.poly1305.Poly1305.generate_tag>`
+ and
+ :meth:`Poly1305.verify_tag
+ <cryptography.hazmat.primitives.poly1305.Poly1305.verify_tag>`
+ for Poly1305 sign and verify operations.
+* Deprecated support for OpenSSL 1.0.1. Support will be removed in
+ ``cryptography`` 2.9.
+* We now ship ``manylinux2010`` wheels in addition to our ``manylinux1``
+ wheels.
+* Added support for ``ed25519`` and ``ed448`` keys in the
+ :class:`~cryptography.x509.CertificateBuilder`,
+ :class:`~cryptography.x509.CertificateSigningRequestBuilder`,
+ :class:`~cryptography.x509.CertificateRevocationListBuilder` and
+ :class:`~cryptography.x509.ocsp.OCSPResponseBuilder`.
+* ``cryptography`` no longer depends on ``asn1crypto``.
+* :class:`~cryptography.x509.FreshestCRL` is now allowed as a
+ :class:`~cryptography.x509.CertificateRevocationList` extension.
+
+.. _v2-7:
+
+2.7 - 2019-05-30
+~~~~~~~~~~~~~~~~
+
+* **BACKWARDS INCOMPATIBLE:** We no longer distribute 32-bit ``manylinux1``
+ wheels. Continuing to produce them was a maintenance burden.
+* **BACKWARDS INCOMPATIBLE:** Removed the
+ ``cryptography.hazmat.primitives.mac.MACContext`` interface. The ``CMAC`` and
+ ``HMAC`` APIs have not changed, but they are no longer registered as
+ ``MACContext`` instances.
+* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
+ OpenSSL 1.1.1c.
+* Removed support for running our tests with ``setup.py test``. Users
+ interested in running our tests can continue to follow the directions in our
+ :doc:`development documentation</development/getting-started>`.
+* Add support for :class:`~cryptography.hazmat.primitives.poly1305.Poly1305`
+ when using OpenSSL 1.1.1 or newer.
+* Support serialization with ``Encoding.OpenSSH`` and ``PublicFormat.OpenSSH``
+ in
+ :meth:`Ed25519PublicKey.public_bytes
+ <cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey.public_bytes>`
+ .
+* Correctly allow passing a ``SubjectKeyIdentifier`` to
+ :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`
+ and deprecate passing an ``Extension`` object. The documentation always
+ required ``SubjectKeyIdentifier`` but the implementation previously
+ required an ``Extension``.
+
+.. _v2-6-1:
+
+2.6.1 - 2019-02-27
+~~~~~~~~~~~~~~~~~~
+
+* Resolved an error in our build infrastructure that broke our Python3 wheels
+ for macOS and Linux.
+
+.. _v2-6:
+
+2.6 - 2019-02-27
+~~~~~~~~~~~~~~~~
+
+* **BACKWARDS INCOMPATIBLE:** Removed
+ ``cryptography.hazmat.primitives.asymmetric.utils.encode_rfc6979_signature``
+ and
+ ``cryptography.hazmat.primitives.asymmetric.utils.decode_rfc6979_signature``,
+ which had been deprecated for nearly 4 years. Use
+ :func:`~cryptography.hazmat.primitives.asymmetric.utils.encode_dss_signature`
+ and
+ :func:`~cryptography.hazmat.primitives.asymmetric.utils.decode_dss_signature`
+ instead.
+* **BACKWARDS INCOMPATIBLE**: Removed ``cryptography.x509.Certificate.serial``,
+ which had been deprecated for nearly 3 years. Use
+ :attr:`~cryptography.x509.Certificate.serial_number` instead.
+* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
+ OpenSSL 1.1.1b.
+* Added support for :doc:`/hazmat/primitives/asymmetric/ed448` when using
+ OpenSSL 1.1.1b or newer.
+* Added support for :doc:`/hazmat/primitives/asymmetric/ed25519` when using
+ OpenSSL 1.1.1b or newer.
+* :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` can
+ now load ``ed25519`` public keys.
+* Add support for easily mapping an object identifier to its elliptic curve
+ class via
+ :func:`~cryptography.hazmat.primitives.asymmetric.ec.get_curve_for_oid`.
+* Add support for OpenSSL when compiled with the ``no-engine``
+ (``OPENSSL_NO_ENGINE``) flag.
+
+.. _v2-5:
+
+2.5 - 2019-01-22
+~~~~~~~~~~~~~~~~
+
+* **BACKWARDS INCOMPATIBLE:** :term:`U-label` strings were deprecated in
+ version 2.1, but this version removes the default ``idna`` dependency as
+ well. If you still need this deprecated path please install cryptography
+ with the ``idna`` extra: ``pip install cryptography[idna]``.
+* **BACKWARDS INCOMPATIBLE:** The minimum supported PyPy version is now 5.4.
+* Numerous classes and functions have been updated to allow :term:`bytes-like`
+ types for keying material and passwords, including symmetric algorithms, AEAD
+ ciphers, KDFs, loading asymmetric keys, and one time password classes.
+* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
+ OpenSSL 1.1.1a.
+* Added support for :class:`~cryptography.hazmat.primitives.hashes.SHA512_224`
+ and :class:`~cryptography.hazmat.primitives.hashes.SHA512_256` when using
+ OpenSSL 1.1.1.
+* Added support for :class:`~cryptography.hazmat.primitives.hashes.SHA3_224`,
+ :class:`~cryptography.hazmat.primitives.hashes.SHA3_256`,
+ :class:`~cryptography.hazmat.primitives.hashes.SHA3_384`, and
+ :class:`~cryptography.hazmat.primitives.hashes.SHA3_512` when using OpenSSL
+ 1.1.1.
+* Added support for :doc:`/hazmat/primitives/asymmetric/x448` when using
+ OpenSSL 1.1.1.
+* Added support for :class:`~cryptography.hazmat.primitives.hashes.SHAKE128`
+ and :class:`~cryptography.hazmat.primitives.hashes.SHAKE256` when using
+ OpenSSL 1.1.1.
+* Added initial support for parsing PKCS12 files with
+ :func:`~cryptography.hazmat.primitives.serialization.pkcs12.load_key_and_certificates`.
+* Added support for :class:`~cryptography.x509.IssuingDistributionPoint`.
+* Added ``rfc4514_string()`` method to
+ :meth:`x509.Name <cryptography.x509.Name.rfc4514_string>`,
+ :meth:`x509.RelativeDistinguishedName
+ <cryptography.x509.RelativeDistinguishedName.rfc4514_string>`, and
+ :meth:`x509.NameAttribute <cryptography.x509.NameAttribute.rfc4514_string>`
+ to format the name or component an :rfc:`4514` Distinguished Name string.
+* Added
+ :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point`,
+ which immediately checks if the point is on the curve and supports compressed
+ points. Deprecated the previous method
+ :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`.
+* Added :attr:`~cryptography.x509.ocsp.OCSPResponse.signature_hash_algorithm`
+ to ``OCSPResponse``.
+* Updated :doc:`/hazmat/primitives/asymmetric/x25519` support to allow
+ additional serialization methods. Calling
+ :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey.public_bytes`
+ with no arguments has been deprecated.
+* Added support for encoding compressed and uncompressed points via
+ :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes`. Deprecated the previous method
+ ``cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point``.
+
+
+.. _v2-4-2:
+
+2.4.2 - 2018-11-21
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
+ OpenSSL 1.1.0j.
+
+.. _v2-4-1:
+
+2.4.1 - 2018-11-11
+~~~~~~~~~~~~~~~~~~
+
+* Fixed a build breakage in our ``manylinux1`` wheels.
+
+.. _v2-4:
+
+2.4 - 2018-11-11
+~~~~~~~~~~~~~~~~
+
+* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.4.x.
+* Deprecated OpenSSL 1.0.1 support. OpenSSL 1.0.1 is no longer supported by
+ the OpenSSL project. At this time there is no time table for dropping
+ support, however we strongly encourage all users to upgrade or install
+ ``cryptography`` from a wheel.
+* Added initial :doc:`OCSP </x509/ocsp>` support.
+* Added support for :class:`~cryptography.x509.PrecertPoison`.
+
+.. _v2-3-1:
+
+2.3.1 - 2018-08-14
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
+ OpenSSL 1.1.0i.
+
+.. _v2-3:
+
+2.3 - 2018-07-18
+~~~~~~~~~~~~~~~~
+
+* **SECURITY ISSUE:**
+ :meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag`
+ allowed tag truncation by default which can allow tag forgery in some cases.
+ The method now enforces the ``min_tag_length`` provided to the
+ :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` constructor.
+ *CVE-2018-10903*
+* Added support for Python 3.7.
+* Added :meth:`~cryptography.fernet.Fernet.extract_timestamp` to get the
+ authenticated timestamp of a :doc:`Fernet </fernet>` token.
+* Support for Python 2.7.x without ``hmac.compare_digest`` has been deprecated.
+ We will require Python 2.7.7 or higher (or 2.7.6 on Ubuntu) in the next
+ ``cryptography`` release.
+* Fixed multiple issues preventing ``cryptography`` from compiling against
+ LibreSSL 2.7.x.
+* Added
+ :class:`~cryptography.x509.CertificateRevocationList.get_revoked_certificate_by_serial_number`
+ for quick serial number searches in CRLs.
+* The :class:`~cryptography.x509.RelativeDistinguishedName` class now
+ preserves the order of attributes. Duplicate attributes now raise an error
+ instead of silently discarding duplicates.
+* :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap` and
+ :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding`
+ now raise :class:`~cryptography.hazmat.primitives.keywrap.InvalidUnwrap` if
+ the wrapped key is an invalid length, instead of ``ValueError``.
+
+.. _v2-2-2:
+
+2.2.2 - 2018-03-27
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
+ OpenSSL 1.1.0h.
+
+.. _v2-2-1:
+
+2.2.1 - 2018-03-20
+~~~~~~~~~~~~~~~~~~
+
+* Reverted a change to ``GeneralNames`` which prohibited having zero elements,
+ due to breakages.
+* Fixed a bug in
+ :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding`
+ that caused it to raise ``InvalidUnwrap`` when key length modulo 8 was
+ zero.
+
+
+.. _v2-2:
+
+2.2 - 2018-03-19
+~~~~~~~~~~~~~~~~
+
+* **BACKWARDS INCOMPATIBLE:** Support for Python 2.6 has been dropped.
+* Resolved a bug in ``HKDF`` that incorrectly constrained output size.
+* Added :class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP256R1`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP384R1`, and
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP512R1` to
+ support inter-operating with systems like German smart meters.
+* Added token rotation support to :doc:`Fernet </fernet>` with
+ :meth:`~cryptography.fernet.MultiFernet.rotate`.
+* Fixed a memory leak in
+ :func:`~cryptography.hazmat.primitives.asymmetric.ec.derive_private_key`.
+* Added support for AES key wrapping with padding via
+ :func:`~cryptography.hazmat.primitives.keywrap.aes_key_wrap_with_padding`
+ and
+ :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding`
+ .
+* Allow loading DSA keys with 224 bit ``q``.
+
+.. _v2-1-4:
+
+2.1.4 - 2017-11-29
+~~~~~~~~~~~~~~~~~~
+
+* Added ``X509_up_ref`` for an upcoming ``pyOpenSSL`` release.
+
+.. _v2-1-3:
+
+2.1.3 - 2017-11-02
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
+ OpenSSL 1.1.0g.
+
+.. _v2-1-2:
+
+2.1.2 - 2017-10-24
+~~~~~~~~~~~~~~~~~~
+
+* Corrected a bug with the ``manylinux1`` wheels where OpenSSL's stack was
+ marked executable.
+
+.. _v2-1-1:
+
+2.1.1 - 2017-10-12
+~~~~~~~~~~~~~~~~~~
+
+* Fixed support for install with the system ``pip`` on Ubuntu 16.04.
+
+.. _v2-1:
+
+2.1 - 2017-10-11
+~~~~~~~~~~~~~~~~
+
+* **FINAL DEPRECATION** Python 2.6 support is deprecated, and will be removed
+ in the next release of ``cryptography``.
+* **BACKWARDS INCOMPATIBLE:** ``Whirlpool``, ``RIPEMD160``, and
+ ``UnsupportedExtension`` have been removed in accordance with our
+ :doc:`/api-stability` policy.
+* **BACKWARDS INCOMPATIBLE:**
+ :attr:`DNSName.value <cryptography.x509.DNSName.value>`,
+ :attr:`RFC822Name.value <cryptography.x509.RFC822Name.value>`, and
+ :attr:`UniformResourceIdentifier.value
+ <cryptography.x509.UniformResourceIdentifier.value>`
+ will now return an :term:`A-label` string when parsing a certificate
+ containing an internationalized domain name (IDN) or if the caller passed
+ a :term:`U-label` to the constructor. See below for additional deprecations
+ related to this change.
+* Installing ``cryptography`` now requires ``pip`` 6 or newer.
+* Deprecated passing :term:`U-label` strings to the
+ :class:`~cryptography.x509.DNSName`,
+ :class:`~cryptography.x509.UniformResourceIdentifier`, and
+ :class:`~cryptography.x509.RFC822Name` constructors. Instead, users should
+ pass values as :term:`A-label` strings with ``idna`` encoding if necessary.
+ This change will not affect anyone who is not processing internationalized
+ domains.
+* Added support for
+ :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20`. In
+ most cases users should choose
+ :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`
+ rather than using this unauthenticated form.
+* Added :meth:`~cryptography.x509.CertificateRevocationList.is_signature_valid`
+ to :class:`~cryptography.x509.CertificateRevocationList`.
+* Support :class:`~cryptography.hazmat.primitives.hashes.BLAKE2b` and
+ :class:`~cryptography.hazmat.primitives.hashes.BLAKE2s` with
+ :class:`~cryptography.hazmat.primitives.hmac.HMAC`.
+* Added support for
+ :class:`~cryptography.hazmat.primitives.ciphers.modes.XTS` mode for
+ AES.
+* Added support for using labels with
+ :class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP` when using
+ OpenSSL 1.0.2 or greater.
+* Improved compatibility with NSS when issuing certificates from an issuer
+ that has a subject with non-``UTF8String`` string types.
+* Add support for the :class:`~cryptography.x509.DeltaCRLIndicator` extension.
+* Add support for the :class:`~cryptography.x509.TLSFeature`
+ extension. This is commonly used for enabling ``OCSP Must-Staple`` in
+ certificates.
+* Add support for the :class:`~cryptography.x509.FreshestCRL` extension.
+
+.. _v2-0-3:
+
+2.0.3 - 2017-08-03
+~~~~~~~~~~~~~~~~~~
+
+* Fixed an issue with weak linking symbols when compiling on macOS
+ versions older than 10.12.
+
+
+.. _v2-0-2:
+
+2.0.2 - 2017-07-27
+~~~~~~~~~~~~~~~~~~
+
+* Marked all symbols as hidden in the ``manylinux1`` wheel to avoid a
+ bug with symbol resolution in certain scenarios.
+
+
+.. _v2-0-1:
+
+2.0.1 - 2017-07-26
+~~~~~~~~~~~~~~~~~~
+
+* Fixed a compilation bug affecting OpenBSD.
+* Altered the ``manylinux1`` wheels to statically link OpenSSL instead of
+ dynamically linking and bundling the shared object. This should resolve
+ crashes seen when using ``uwsgi`` or other binaries that link against
+ OpenSSL independently.
+* Fixed the stack level for the ``signer`` and ``verifier`` warnings.
+
+
+.. _v2-0:
+
+2.0 - 2017-07-17
+~~~~~~~~~~~~~~~~
+
+* **BACKWARDS INCOMPATIBLE:** Support for Python 3.3 has been dropped.
+* We now ship ``manylinux1`` wheels linked against OpenSSL 1.1.0f. These wheels
+ will be automatically used with most Linux distributions if you are running
+ the latest pip.
+* Deprecated the use of ``signer`` on
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`,
+ and
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
+ in favor of ``sign``.
+* Deprecated the use of ``verifier`` on
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`,
+ and
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
+ in favor of ``verify``.
+* Added support for parsing
+ :class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp`
+ objects from X.509 certificate extensions.
+* Added support for
+ :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`.
+* Added support for
+ :class:`~cryptography.hazmat.primitives.ciphers.aead.AESCCM`.
+* Added
+ :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM`, a "one shot"
+ API for AES GCM encryption.
+* Added support for :doc:`/hazmat/primitives/asymmetric/x25519`.
+* Added support for serializing and deserializing Diffie-Hellman parameters
+ with
+ :func:`~cryptography.hazmat.primitives.serialization.load_pem_parameters`,
+ :func:`~cryptography.hazmat.primitives.serialization.load_der_parameters`,
+ and
+ :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters.parameter_bytes`
+ .
+* The ``extensions`` attribute on :class:`~cryptography.x509.Certificate`,
+ :class:`~cryptography.x509.CertificateSigningRequest`,
+ :class:`~cryptography.x509.CertificateRevocationList`, and
+ :class:`~cryptography.x509.RevokedCertificate` now caches the computed
+ ``Extensions`` object. There should be no performance change, just a
+ performance improvement for programs accessing the ``extensions`` attribute
+ multiple times.
+
+
+.. _v1-9:
+
+1.9 - 2017-05-29
+~~~~~~~~~~~~~~~~
+
+* **BACKWARDS INCOMPATIBLE:** Elliptic Curve signature verification no longer
+ returns ``True`` on success. This brings it in line with the interface's
+ documentation, and our intent. The correct way to use
+ :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.verify`
+ has always been to check whether or not
+ :class:`~cryptography.exceptions.InvalidSignature` was raised.
+* **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.7 and 10.8.
+* **BACKWARDS INCOMPATIBLE:** The minimum supported PyPy version is now 5.3.
+* Python 3.3 support has been deprecated, and will be removed in the next
+ ``cryptography`` release.
+* Add support for providing ``tag`` during
+ :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` finalization via
+ :meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag`.
+* Fixed an issue preventing ``cryptography`` from compiling against
+ LibreSSL 2.5.x.
+* Added
+ :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.key_size`
+ and
+ :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.key_size`
+ as convenience methods for determining the bit size of a secret scalar for
+ the curve.
+* Accessing an unrecognized extension marked critical on an X.509 object will
+ no longer raise an ``UnsupportedExtension`` exception, instead an
+ :class:`~cryptography.x509.UnrecognizedExtension` object will be returned.
+ This behavior was based on a poor reading of the RFC, unknown critical
+ extensions only need to be rejected on certificate verification.
+* The CommonCrypto backend has been removed.
+* MultiBackend has been removed.
+* ``Whirlpool`` and ``RIPEMD160`` have been deprecated.
+
+
+.. _v1-8-2:
+
+1.8.2 - 2017-05-26
+~~~~~~~~~~~~~~~~~~
+
+* Fixed a compilation bug affecting OpenSSL 1.1.0f.
+* Updated Windows and macOS wheels to be compiled against OpenSSL 1.1.0f.
+
+
+.. _v1-8-1:
+
+1.8.1 - 2017-03-10
+~~~~~~~~~~~~~~~~~~
+
+* Fixed macOS wheels to properly link against 1.1.0 rather than 1.0.2.
+
+
+.. _v1-8:
+
+1.8 - 2017-03-09
+~~~~~~~~~~~~~~~~
+
+* Added support for Python 3.6.
+* Windows and macOS wheels now link against OpenSSL 1.1.0.
+* macOS wheels are no longer universal. This change significantly shrinks the
+ size of the wheels. Users on macOS 32-bit Python (if there are any) should
+ migrate to 64-bit or build their own packages.
+* Changed ASN.1 dependency from ``pyasn1`` to ``asn1crypto`` resulting in a
+ general performance increase when encoding/decoding ASN.1 structures. Also,
+ the ``pyasn1_modules`` test dependency is no longer required.
+* Added support for
+ :meth:`~cryptography.hazmat.primitives.ciphers.CipherContext.update_into` on
+ :class:`~cryptography.hazmat.primitives.ciphers.CipherContext`.
+* Added
+ :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.private_bytes`
+ to
+ :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`.
+* Added
+ :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKey.public_bytes`
+ to
+ :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKey`.
+* :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`
+ and
+ :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`
+ now require that ``password`` must be bytes if provided. Previously this
+ was documented but not enforced.
+* Added support for subgroup order in :doc:`/hazmat/primitives/asymmetric/dh`.
+
+
+.. _v1-7-2:
+
+1.7.2 - 2017-01-27
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows and macOS wheels to be compiled against OpenSSL 1.0.2k.
+
+
+.. _v1-7-1:
+
+1.7.1 - 2016-12-13
+~~~~~~~~~~~~~~~~~~
+
+* Fixed a regression in ``int_from_bytes`` where it failed to accept
+ ``bytearray``.
+
+
+.. _v1-7:
+
+1.7 - 2016-12-12
+~~~~~~~~~~~~~~~~
+
+* Support for OpenSSL 1.0.0 has been removed. Users on older version of OpenSSL
+ will need to upgrade.
+* Added support for Diffie-Hellman key exchange using
+ :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.
+* The OS random engine for OpenSSL has been rewritten to improve compatibility
+ with embedded Python and other edge cases. More information about this change
+ can be found in the
+ `pull request <https://github.com/pyca/cryptography/pull/3229>`_.
+
+
+.. _v1-6:
+
+1.6 - 2016-11-22
+~~~~~~~~~~~~~~~~
+
+* Deprecated support for OpenSSL 1.0.0. Support will be removed in
+ ``cryptography`` 1.7.
+* Replaced the Python-based OpenSSL locking callbacks with a C version to fix
+ a potential deadlock that could occur if a garbage collection cycle occurred
+ while inside the lock.
+* Added support for :class:`~cryptography.hazmat.primitives.hashes.BLAKE2b` and
+ :class:`~cryptography.hazmat.primitives.hashes.BLAKE2s` when using OpenSSL
+ 1.1.0.
+* Added
+ :attr:`~cryptography.x509.Certificate.signature_algorithm_oid` support to
+ :class:`~cryptography.x509.Certificate`.
+* Added
+ :attr:`~cryptography.x509.CertificateSigningRequest.signature_algorithm_oid`
+ support to :class:`~cryptography.x509.CertificateSigningRequest`.
+* Added
+ :attr:`~cryptography.x509.CertificateRevocationList.signature_algorithm_oid`
+ support to :class:`~cryptography.x509.CertificateRevocationList`.
+* Added support for :class:`~cryptography.hazmat.primitives.kdf.scrypt.Scrypt`
+ when using OpenSSL 1.1.0.
+* Added a workaround to improve compatibility with Python application bundling
+ tools like ``PyInstaller`` and ``cx_freeze``.
+* Added support for generating a
+ :meth:`~cryptography.x509.random_serial_number`.
+* Added support for encoding ``IPv4Network`` and ``IPv6Network`` in X.509
+ certificates for use with :class:`~cryptography.x509.NameConstraints`.
+* Added :meth:`~cryptography.x509.Name.public_bytes` to
+ :class:`~cryptography.x509.Name`.
+* Added :class:`~cryptography.x509.RelativeDistinguishedName`
+* :class:`~cryptography.x509.DistributionPoint` now accepts
+ :class:`~cryptography.x509.RelativeDistinguishedName` for
+ :attr:`~cryptography.x509.DistributionPoint.relative_name`.
+ Deprecated use of :class:`~cryptography.x509.Name` as
+ :attr:`~cryptography.x509.DistributionPoint.relative_name`.
+* :class:`~cryptography.x509.Name` now accepts an iterable of
+ :class:`~cryptography.x509.RelativeDistinguishedName`. RDNs can
+ be accessed via the :attr:`~cryptography.x509.Name.rdns`
+ attribute. When constructed with an iterable of
+ :class:`~cryptography.x509.NameAttribute`, each attribute becomes
+ a single-valued RDN.
+* Added
+ :func:`~cryptography.hazmat.primitives.asymmetric.ec.derive_private_key`.
+* Added support for signing and verifying RSA, DSA, and ECDSA signatures with
+ :class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed`
+ digests.
+
+
+.. _v1-5-3:
+
+1.5.3 - 2016-11-05
+~~~~~~~~~~~~~~~~~~
+
+* **SECURITY ISSUE**: Fixed a bug where ``HKDF`` would return an empty
+ byte-string if used with a ``length`` less than ``algorithm.digest_size``.
+ Credit to **Markus Döring** for reporting the issue. *CVE-2016-9243*
+
+
+.. _v1-5-2:
+
+1.5.2 - 2016-09-26
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2j.
+
+
+.. _v1-5-1:
+
+1.5.1 - 2016-09-22
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2i.
+* Resolved a ``UserWarning`` when used with cffi 1.8.3.
+* Fixed a memory leak in name creation with X.509.
+* Added a workaround for old versions of setuptools.
+* Fixed an issue preventing ``cryptography`` from compiling against
+ OpenSSL 1.0.2i.
+
+
+
+.. _v1-5:
+
+1.5 - 2016-08-26
+~~~~~~~~~~~~~~~~
+
+* Added
+ :func:`~cryptography.hazmat.primitives.asymmetric.padding.calculate_max_pss_salt_length`.
+* Added "one shot"
+ :meth:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey.sign`
+ and
+ :meth:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey.verify`
+ methods to DSA keys.
+* Added "one shot"
+ :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign`
+ and
+ :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.verify`
+ methods to ECDSA keys.
+* Switched back to the older callback model on Python 3.5 in order to mitigate
+ the locking callback problem with OpenSSL <1.1.0.
+* :class:`~cryptography.x509.CertificateBuilder`,
+ :class:`~cryptography.x509.CertificateRevocationListBuilder`, and
+ :class:`~cryptography.x509.RevokedCertificateBuilder` now accept timezone
+ aware ``datetime`` objects as method arguments
+* ``cryptography`` now supports OpenSSL 1.1.0 as a compilation target.
+
+
+
+.. _v1-4:
+
+1.4 - 2016-06-04
+~~~~~~~~~~~~~~~~
+
+* Support for OpenSSL 0.9.8 has been removed. Users on older versions of
+ OpenSSL will need to upgrade.
+* Added :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC`.
+* Added support for ``OpenSSH`` public key serialization.
+* Added support for SHA-2 in RSA
+ :class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP` when using
+ OpenSSL 1.0.2 or greater.
+* Added "one shot"
+ :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey.sign`
+ and
+ :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey.verify`
+ methods to RSA keys.
+* Deprecated the ``serial`` attribute on
+ :class:`~cryptography.x509.Certificate`, in favor of
+ :attr:`~cryptography.x509.Certificate.serial_number`.
+
+
+
+.. _v1-3-4:
+
+1.3.4 - 2016-06-03
+~~~~~~~~~~~~~~~~~~
+
+* Added another OpenSSL function to the bindings to support an upcoming
+ ``pyOpenSSL`` release.
+
+
+
+.. _v1-3-3:
+
+1.3.3 - 2016-06-02
+~~~~~~~~~~~~~~~~~~
+
+* Added two new OpenSSL functions to the bindings to support an upcoming
+ ``pyOpenSSL`` release.
+
+
+.. _v1-3-2:
+
+1.3.2 - 2016-05-04
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2h.
+* Fixed an issue preventing ``cryptography`` from compiling against
+ LibreSSL 2.3.x.
+
+
+.. _v1-3-1:
+
+1.3.1 - 2016-03-21
+~~~~~~~~~~~~~~~~~~
+
+* Fixed a bug that caused an ``AttributeError`` when using ``mock`` to patch
+ some ``cryptography`` modules.
+
+
+.. _v1-3:
+
+1.3 - 2016-03-18
+~~~~~~~~~~~~~~~~
+
+* Added support for padding ANSI X.923 with
+ :class:`~cryptography.hazmat.primitives.padding.ANSIX923`.
+* Deprecated support for OpenSSL 0.9.8. Support will be removed in
+ ``cryptography`` 1.4.
+* Added support for the :class:`~cryptography.x509.PolicyConstraints`
+ X.509 extension including both parsing and generation using
+ :class:`~cryptography.x509.CertificateBuilder` and
+ :class:`~cryptography.x509.CertificateSigningRequestBuilder`.
+* Added :attr:`~cryptography.x509.CertificateSigningRequest.is_signature_valid`
+ to :class:`~cryptography.x509.CertificateSigningRequest`.
+* Fixed an intermittent ``AssertionError`` when performing an RSA decryption on
+ an invalid ciphertext, ``ValueError`` is now correctly raised in all cases.
+* Added
+ :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`.
+
+
+.. _v1-2-3:
+
+1.2.3 - 2016-03-01
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2g.
+
+
+.. _v1-2-2:
+
+1.2.2 - 2016-01-29
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2f.
+
+
+.. _v1-2-1:
+
+1.2.1 - 2016-01-08
+~~~~~~~~~~~~~~~~~~
+
+* Reverts a change to an OpenSSL ``EVP_PKEY`` object that caused errors with
+ ``pyOpenSSL``.
+
+
+.. _v1-2:
+
+1.2 - 2016-01-08
+~~~~~~~~~~~~~~~~
+
+* **BACKWARDS INCOMPATIBLE:**
+ :class:`~cryptography.x509.RevokedCertificate`
+ :attr:`~cryptography.x509.RevokedCertificate.extensions` now uses extension
+ classes rather than returning raw values inside the
+ :class:`~cryptography.x509.Extension`
+ :attr:`~cryptography.x509.Extension.value`. The new classes
+ are:
+
+ * :class:`~cryptography.x509.CertificateIssuer`
+ * :class:`~cryptography.x509.CRLReason`
+ * :class:`~cryptography.x509.InvalidityDate`
+* Deprecated support for OpenSSL 0.9.8 and 1.0.0. At this time there is no time
+ table for actually dropping support, however we strongly encourage all users
+ to upgrade, as those versions no longer receive support from the OpenSSL
+ project.
+* The :class:`~cryptography.x509.Certificate` class now has
+ :attr:`~cryptography.x509.Certificate.signature` and
+ :attr:`~cryptography.x509.Certificate.tbs_certificate_bytes` attributes.
+* The :class:`~cryptography.x509.CertificateSigningRequest` class now has
+ :attr:`~cryptography.x509.CertificateSigningRequest.signature` and
+ :attr:`~cryptography.x509.CertificateSigningRequest.tbs_certrequest_bytes`
+ attributes.
+* The :class:`~cryptography.x509.CertificateRevocationList` class now has
+ :attr:`~cryptography.x509.CertificateRevocationList.signature` and
+ :attr:`~cryptography.x509.CertificateRevocationList.tbs_certlist_bytes`
+ attributes.
+* :class:`~cryptography.x509.NameConstraints` are now supported in the
+ :class:`~cryptography.x509.CertificateBuilder` and
+ :class:`~cryptography.x509.CertificateSigningRequestBuilder`.
+* Support serialization of certificate revocation lists using the
+ :meth:`~cryptography.x509.CertificateRevocationList.public_bytes` method of
+ :class:`~cryptography.x509.CertificateRevocationList`.
+* Add support for parsing :class:`~cryptography.x509.CertificateRevocationList`
+ :meth:`~cryptography.x509.CertificateRevocationList.extensions` in the
+ OpenSSL backend. The following extensions are currently supported:
+
+ * :class:`~cryptography.x509.AuthorityInformationAccess`
+ * :class:`~cryptography.x509.AuthorityKeyIdentifier`
+ * :class:`~cryptography.x509.CRLNumber`
+ * :class:`~cryptography.x509.IssuerAlternativeName`
+* Added :class:`~cryptography.x509.CertificateRevocationListBuilder` and
+ :class:`~cryptography.x509.RevokedCertificateBuilder` to allow creation of
+ CRLs.
+* Unrecognized non-critical X.509 extensions are now parsed into an
+ :class:`~cryptography.x509.UnrecognizedExtension` object.
+
+
+.. _v1-1-2:
+
+1.1.2 - 2015-12-10
+~~~~~~~~~~~~~~~~~~
+
+* Fixed a SIGBUS crash with the OS X wheels caused by redefinition of a
+ method.
+* Fixed a runtime error ``undefined symbol EC_GFp_nistp224_method`` that
+ occurred with some OpenSSL installations.
+* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2e.
+
+
+.. _v1-1-1:
+
+1.1.1 - 2015-11-19
+~~~~~~~~~~~~~~~~~~
+
+* Fixed several small bugs related to compiling the OpenSSL bindings with
+ unusual OpenSSL configurations.
+* Resolved an issue where, depending on the method of installation and
+ which Python interpreter they were using, users on El Capitan (OS X 10.11)
+ may have seen an ``InternalError`` on import.
+
+
+.. _v1-1:
+
+1.1 - 2015-10-28
+~~~~~~~~~~~~~~~~
+
+* Added support for Elliptic Curve Diffie-Hellman with
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDH`.
+* Added :class:`~cryptography.hazmat.primitives.kdf.x963kdf.X963KDF`.
+* Added support for parsing certificate revocation lists (CRLs) using
+ :func:`~cryptography.x509.load_pem_x509_crl` and
+ :func:`~cryptography.x509.load_der_x509_crl`.
+* Add support for AES key wrapping with
+ :func:`~cryptography.hazmat.primitives.keywrap.aes_key_wrap` and
+ :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap`.
+* Added a ``__hash__`` method to :class:`~cryptography.x509.Name`.
+* Add support for encoding and decoding elliptic curve points to a byte string
+ form using
+ ``cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point``
+ and
+ :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`.
+* Added :meth:`~cryptography.x509.Extensions.get_extension_for_class`.
+* :class:`~cryptography.x509.CertificatePolicies` are now supported in the
+ :class:`~cryptography.x509.CertificateBuilder`.
+* ``countryName`` is now encoded as a ``PrintableString`` when creating subject
+ and issuer distinguished names with the Certificate and CSR builder classes.
+
+
+.. _v1-0-2:
+
+1.0.2 - 2015-09-27
+~~~~~~~~~~~~~~~~~~
+* **SECURITY ISSUE**: The OpenSSL backend prior to 1.0.2 made extensive use
+ of assertions to check response codes where our tests could not trigger a
+ failure. However, when Python is run with ``-O`` these asserts are optimized
+ away. If a user ran Python with this flag and got an invalid response code
+ this could result in undefined behavior or worse. Accordingly, all response
+ checks from the OpenSSL backend have been converted from ``assert``
+ to a true function call. Credit **Emilia Käsper (Google Security Team)**
+ for the report.
+
+
+.. _v1-0-1:
+
+1.0.1 - 2015-09-05
+~~~~~~~~~~~~~~~~~~
+
+* We now ship OS X wheels that statically link OpenSSL by default. When
+ installing a wheel on OS X 10.10+ (and using a Python compiled against the
+ 10.10 SDK) users will no longer need to compile. See :doc:`/installation` for
+ alternate installation methods if required.
+* Set the default string mask to UTF-8 in the OpenSSL backend to resolve
+ character encoding issues with older versions of OpenSSL.
+* Several new OpenSSL bindings have been added to support a future pyOpenSSL
+ release.
+* Raise an error during install on PyPy < 2.6. 1.0+ requires PyPy 2.6+.
+
+
+.. _v1-0:
+
+1.0 - 2015-08-12
+~~~~~~~~~~~~~~~~
+
+* Switched to the new `cffi`_ ``set_source`` out-of-line API mode for
+ compilation. This results in significantly faster imports and lowered
+ memory consumption. Due to this change we no longer support PyPy releases
+ older than 2.6 nor do we support any released version of PyPy3 (until a
+ version supporting cffi 1.0 comes out).
+* Fix parsing of OpenSSH public keys that have spaces in comments.
+* Support serialization of certificate signing requests using the
+ ``public_bytes`` method of
+ :class:`~cryptography.x509.CertificateSigningRequest`.
+* Support serialization of certificates using the ``public_bytes`` method of
+ :class:`~cryptography.x509.Certificate`.
+* Add ``get_provisioning_uri`` method to
+ :class:`~cryptography.hazmat.primitives.twofactor.hotp.HOTP` and
+ :class:`~cryptography.hazmat.primitives.twofactor.totp.TOTP` for generating
+ provisioning URIs.
+* Add :class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatKDFHash`
+ and :class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatKDFHMAC`.
+* Raise a ``TypeError`` when passing objects that are not text as the value to
+ :class:`~cryptography.x509.NameAttribute`.
+* Add support for :class:`~cryptography.x509.OtherName` as a general name
+ type.
+* Added new X.509 extension support in :class:`~cryptography.x509.Certificate`
+ The following new extensions are now supported:
+
+ * :class:`~cryptography.x509.OCSPNoCheck`
+ * :class:`~cryptography.x509.InhibitAnyPolicy`
+ * :class:`~cryptography.x509.IssuerAlternativeName`
+ * :class:`~cryptography.x509.NameConstraints`
+
+* Extension support was added to
+ :class:`~cryptography.x509.CertificateSigningRequest`.
+* Add support for creating signed certificates with
+ :class:`~cryptography.x509.CertificateBuilder`. This includes support for
+ the following extensions:
+
+ * :class:`~cryptography.x509.BasicConstraints`
+ * :class:`~cryptography.x509.SubjectAlternativeName`
+ * :class:`~cryptography.x509.KeyUsage`
+ * :class:`~cryptography.x509.ExtendedKeyUsage`
+ * :class:`~cryptography.x509.SubjectKeyIdentifier`
+ * :class:`~cryptography.x509.AuthorityKeyIdentifier`
+ * :class:`~cryptography.x509.AuthorityInformationAccess`
+ * :class:`~cryptography.x509.CRLDistributionPoints`
+ * :class:`~cryptography.x509.InhibitAnyPolicy`
+ * :class:`~cryptography.x509.IssuerAlternativeName`
+ * :class:`~cryptography.x509.OCSPNoCheck`
+
+* Add support for creating certificate signing requests with
+ :class:`~cryptography.x509.CertificateSigningRequestBuilder`. This includes
+ support for the same extensions supported in the ``CertificateBuilder``.
+* Deprecate ``encode_rfc6979_signature`` and ``decode_rfc6979_signature`` in
+ favor of
+ :func:`~cryptography.hazmat.primitives.asymmetric.utils.encode_dss_signature`
+ and
+ :func:`~cryptography.hazmat.primitives.asymmetric.utils.decode_dss_signature`.
+
+
+
+.. _v0-9-3:
+
+0.9.3 - 2015-07-09
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows wheels to be compiled against OpenSSL 1.0.2d.
+
+
+.. _v0-9-2:
+
+0.9.2 - 2015-07-04
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows wheels to be compiled against OpenSSL 1.0.2c.
+
+
+.. _v0-9-1:
+
+0.9.1 - 2015-06-06
+~~~~~~~~~~~~~~~~~~
+
+* **SECURITY ISSUE**: Fixed a double free in the OpenSSL backend when using DSA
+ to verify signatures. Note that this only affects PyPy 2.6.0 and (presently
+ unreleased) CFFI versions greater than 1.1.0.
+
+
+.. _v0-9:
+
+0.9 - 2015-05-13
+~~~~~~~~~~~~~~~~
+
+* Removed support for Python 3.2. This version of Python is rarely used
+ and caused support headaches. Users affected by this should upgrade to 3.3+.
+* Deprecated support for Python 2.6. At the time there is no time table for
+ actually dropping support, however we strongly encourage all users to upgrade
+ their Python, as Python 2.6 no longer receives support from the Python core
+ team.
+* Add support for the
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.SECP256K1` elliptic
+ curve.
+* Fixed compilation when using an OpenSSL which was compiled with the
+ ``no-comp`` (``OPENSSL_NO_COMP``) option.
+* Support :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
+ serialization of public keys using the ``public_bytes`` method of
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`,
+ and
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`.
+* Support :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
+ serialization of private keys using the ``private_bytes`` method of
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`,
+ and
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`.
+* Add support for parsing X.509 certificate signing requests (CSRs) with
+ :func:`~cryptography.x509.load_pem_x509_csr` and
+ :func:`~cryptography.x509.load_der_x509_csr`.
+* Moved ``cryptography.exceptions.InvalidToken`` to
+ :class:`cryptography.hazmat.primitives.twofactor.InvalidToken` and deprecated
+ the old location. This was moved to minimize confusion between this exception
+ and :class:`cryptography.fernet.InvalidToken`.
+* Added support for X.509 extensions in :class:`~cryptography.x509.Certificate`
+ objects. The following extensions are supported as of this release:
+
+ * :class:`~cryptography.x509.BasicConstraints`
+ * :class:`~cryptography.x509.AuthorityKeyIdentifier`
+ * :class:`~cryptography.x509.SubjectKeyIdentifier`
+ * :class:`~cryptography.x509.KeyUsage`
+ * :class:`~cryptography.x509.SubjectAlternativeName`
+ * :class:`~cryptography.x509.ExtendedKeyUsage`
+ * :class:`~cryptography.x509.CRLDistributionPoints`
+ * :class:`~cryptography.x509.AuthorityInformationAccess`
+ * :class:`~cryptography.x509.CertificatePolicies`
+
+ Note that unsupported extensions with the critical flag raise
+ ``UnsupportedExtension`` while unsupported extensions set to non-critical are
+ silently ignored. Read the :doc:`X.509 documentation</x509/index>` for more
+ information.
+
+
+.. _v0-8-2:
+
+0.8.2 - 2015-04-10
+~~~~~~~~~~~~~~~~~~
+
+* Fixed a race condition when initializing the OpenSSL or CommonCrypto backends
+ in a multi-threaded scenario.
+
+
+.. _v0-8-1:
+
+0.8.1 - 2015-03-20
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows wheels to be compiled against OpenSSL 1.0.2a.
+
+
+.. _v0-8:
+
+0.8 - 2015-03-08
+~~~~~~~~~~~~~~~~
+
+* :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` can
+ now load elliptic curve public keys.
+* Added
+ :attr:`~cryptography.x509.Certificate.signature_hash_algorithm` support to
+ :class:`~cryptography.x509.Certificate`.
+* Added
+ :func:`~cryptography.hazmat.primitives.asymmetric.rsa.rsa_recover_prime_factors`
+* :class:`~cryptography.hazmat.primitives.kdf.KeyDerivationFunction` was moved
+ from ``cryptography.hazmat.primitives.interfaces`` to
+ :mod:`~cryptography.hazmat.primitives.kdf`.
+* Added support for parsing X.509 names. See the
+ :doc:`X.509 documentation</x509/index>` for more information.
+* Added
+ :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key` to
+ support loading of DER encoded private keys and
+ :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key` to
+ support loading DER encoded public keys.
+* Fixed building against LibreSSL, a compile-time substitute for OpenSSL.
+* FreeBSD 9.2 was removed from the continuous integration system.
+* Updated Windows wheels to be compiled against OpenSSL 1.0.2.
+* :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`
+ and :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`
+ now support PKCS1 RSA public keys (in addition to the previous support for
+ SubjectPublicKeyInfo format for RSA, EC, and DSA).
+* Added ``EllipticCurvePrivateKeyWithSerialization`` and deprecated
+ ``EllipticCurvePrivateKeyWithNumbers``.
+* Added
+ :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.private_bytes`
+ to
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`.
+* Added ``RSAPrivateKeyWithSerialization`` and deprecated ``RSAPrivateKeyWithNumbers``.
+* Added
+ :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey.private_bytes`
+ to
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`.
+* Added ``DSAPrivateKeyWithSerialization`` and deprecated ``DSAPrivateKeyWithNumbers``.
+* Added
+ :meth:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey.private_bytes`
+ to
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`.
+* Added ``RSAPublicKeyWithSerialization`` and deprecated ``RSAPublicKeyWithNumbers``.
+* Added ``public_bytes`` to
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`.
+* Added ``EllipticCurvePublicKeyWithSerialization`` and deprecated
+ ``EllipticCurvePublicKeyWithNumbers``.
+* Added ``public_bytes`` to
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`.
+* Added ``DSAPublicKeyWithSerialization`` and deprecated ``DSAPublicKeyWithNumbers``.
+* Added ``public_bytes`` to
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`.
+* :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` and
+ :class:`~cryptography.hazmat.primitives.hashes.HashContext` were moved from
+ ``cryptography.hazmat.primitives.interfaces`` to
+ :mod:`~cryptography.hazmat.primitives.hashes`.
+* :class:`~cryptography.hazmat.primitives.ciphers.CipherContext`,
+ :class:`~cryptography.hazmat.primitives.ciphers.AEADCipherContext`,
+ :class:`~cryptography.hazmat.primitives.ciphers.AEADEncryptionContext`,
+ :class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`, and
+ :class:`~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm`
+ were moved from ``cryptography.hazmat.primitives.interfaces`` to
+ :mod:`~cryptography.hazmat.primitives.ciphers`.
+* :class:`~cryptography.hazmat.primitives.ciphers.modes.Mode`,
+ :class:`~cryptography.hazmat.primitives.ciphers.modes.ModeWithInitializationVector`,
+ :class:`~cryptography.hazmat.primitives.ciphers.modes.ModeWithNonce`, and
+ :class:`~cryptography.hazmat.primitives.ciphers.modes.ModeWithAuthenticationTag`
+ were moved from ``cryptography.hazmat.primitives.interfaces`` to
+ :mod:`~cryptography.hazmat.primitives.ciphers.modes`.
+* :class:`~cryptography.hazmat.primitives.padding.PaddingContext` was moved
+ from ``cryptography.hazmat.primitives.interfaces`` to
+ :mod:`~cryptography.hazmat.primitives.padding`.
+*
+ :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`
+ was moved from ``cryptography.hazmat.primitives.interfaces`` to
+ :mod:`~cryptography.hazmat.primitives.asymmetric.padding`.
+* ``AsymmetricSignatureContext`` and ``AsymmetricVerificationContext``
+ were moved from ``cryptography.hazmat.primitives.interfaces`` to
+ ``cryptography.hazmat.primitives.asymmetric``.
+* :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`,
+ ``DSAParametersWithNumbers``,
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`,
+ ``DSAPrivateKeyWithNumbers``,
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` and
+ ``DSAPublicKeyWithNumbers`` were moved from
+ ``cryptography.hazmat.primitives.interfaces`` to
+ :mod:`~cryptography.hazmat.primitives.asymmetric.dsa`
+* :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurveSignatureAlgorithm`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`,
+ ``EllipticCurvePrivateKeyWithNumbers``,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`,
+ and ``EllipticCurvePublicKeyWithNumbers``
+ were moved from ``cryptography.hazmat.primitives.interfaces`` to
+ :mod:`~cryptography.hazmat.primitives.asymmetric.ec`.
+* :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
+ ``RSAPrivateKeyWithNumbers``,
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` and
+ ``RSAPublicKeyWithNumbers`` were moved from
+ ``cryptography.hazmat.primitives.interfaces`` to
+ :mod:`~cryptography.hazmat.primitives.asymmetric.rsa`.
+
+
+.. _v0-7-2:
+
+0.7.2 - 2015-01-16
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows wheels to be compiled against OpenSSL 1.0.1l.
+* ``enum34`` is no longer installed on Python 3.4, where it is included in
+ the standard library.
+* Added a new function to the OpenSSL bindings to support additional
+ functionality in pyOpenSSL.
+
+
+.. _v0-7-1:
+
+0.7.1 - 2014-12-28
+~~~~~~~~~~~~~~~~~~
+
+* Fixed an issue preventing compilation on platforms where ``OPENSSL_NO_SSL3``
+ was defined.
+
+
+.. _v0-7:
+
+0.7 - 2014-12-17
+~~~~~~~~~~~~~~~~
+
+* Cryptography has been relicensed from the Apache Software License, Version
+ 2.0, to being available under *either* the Apache Software License, Version
+ 2.0, or the BSD license.
+* Added key-rotation support to :doc:`Fernet </fernet>` with
+ :class:`~cryptography.fernet.MultiFernet`.
+* More bit-lengths are now supported for ``p`` and ``q`` when loading DSA keys
+ from numbers.
+* Added ``MACContext`` as a common interface for CMAC and HMAC and
+ deprecated ``CMACContext``.
+* Added support for encoding and decoding :rfc:`6979` signatures in
+ :doc:`/hazmat/primitives/asymmetric/utils`.
+* Added
+ :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` to
+ support the loading of OpenSSH public keys (:rfc:`4253`). Only RSA and DSA
+ keys are currently supported.
+* Added initial support for X.509 certificate parsing. See the
+ :doc:`X.509 documentation</x509/index>` for more information.
+
+
+.. _v0-6-1:
+
+0.6.1 - 2014-10-15
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows wheels to be compiled against OpenSSL 1.0.1j.
+* Fixed an issue where OpenSSL 1.0.1j changed the errors returned by some
+ functions.
+* Added our license file to the ``cryptography-vectors`` package.
+* Implemented DSA hash truncation support (per FIPS 186-3) in the OpenSSL
+ backend. This works around an issue in 1.0.0, 1.0.0a, and 1.0.0b where
+ truncation was not implemented.
+
+
+.. _v0-6:
+
+0.6 - 2014-09-29
+~~~~~~~~~~~~~~~~
+
+* Added
+ :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key` to
+ ease loading private keys, and
+ :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key` to
+ support loading public keys.
+* Removed the, deprecated in 0.4, support for the ``salt_length`` argument to
+ the :class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF1`
+ constructor. The ``salt_length`` should be passed to
+ :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` instead.
+* Fix compilation on OS X Yosemite.
+* Deprecated ``elliptic_curve_private_key_from_numbers`` and
+ ``elliptic_curve_public_key_from_numbers`` in favor of
+ ``load_elliptic_curve_private_numbers`` and
+ ``load_elliptic_curve_public_numbers`` on ``EllipticCurveBackend``.
+* Added ``EllipticCurvePrivateKeyWithNumbers`` and
+ ``EllipticCurvePublicKeyWithNumbers`` support.
+* Work around three GCM related bugs in CommonCrypto and OpenSSL.
+
+ * On the CommonCrypto backend adding AAD but not subsequently calling update
+ would return null tag bytes.
+
+ * One the CommonCrypto backend a call to update without an empty add AAD call
+ would return null ciphertext bytes.
+
+ * On the OpenSSL backend with certain versions adding AAD only would give
+ invalid tag bytes.
+
+* Support loading EC private keys from PEM.
+
+
+.. _v0-5-4:
+
+0.5.4 - 2014-08-20
+~~~~~~~~~~~~~~~~~~
+
+* Added several functions to the OpenSSL bindings to support new
+ functionality in pyOpenSSL.
+* Fixed a redefined constant causing compilation failure with Solaris 11.2.
+
+
+.. _v0-5-3:
+
+0.5.3 - 2014-08-06
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows wheels to be compiled against OpenSSL 1.0.1i.
+
+
+.. _v0-5-2:
+
+0.5.2 - 2014-07-09
+~~~~~~~~~~~~~~~~~~
+
+* Add ``TraditionalOpenSSLSerializationBackend`` support to ``multibackend``.
+* Fix compilation error on OS X 10.8 (Mountain Lion).
+
+
+.. _v0-5-1:
+
+0.5.1 - 2014-07-07
+~~~~~~~~~~~~~~~~~~
+
+* Add ``PKCS8SerializationBackend`` support to ``multibackend``.
+
+
+.. _v0-5:
+
+0.5 - 2014-07-07
+~~~~~~~~~~~~~~~~
+
+* **BACKWARDS INCOMPATIBLE:**
+ :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` no longer allows
+ truncation of tags by default. Previous versions of ``cryptography`` allowed
+ tags to be truncated by default, applications wishing to preserve this
+ behavior (not recommended) can pass the ``min_tag_length`` argument.
+* Windows builds now statically link OpenSSL by default. When installing a
+ wheel on Windows you no longer need to install OpenSSL separately. Windows
+ users can switch between static and dynamic linking with an environment
+ variable. See :doc:`/installation` for more details.
+* Added :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDFExpand`.
+* Added :class:`~cryptography.hazmat.primitives.ciphers.modes.CFB8` support
+ for :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` and
+ :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` on
+ ``commoncrypto`` and ``openssl``.
+* Added ``AES`` :class:`~cryptography.hazmat.primitives.ciphers.modes.CTR`
+ support to the OpenSSL backend when linked against 0.9.8.
+* Added ``PKCS8SerializationBackend`` and
+ ``TraditionalOpenSSLSerializationBackend`` support to ``openssl``.
+* Added :doc:`/hazmat/primitives/asymmetric/ec` and ``EllipticCurveBackend``.
+* Added :class:`~cryptography.hazmat.primitives.ciphers.modes.ECB` support
+ for :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` on
+ ``commoncrypto`` and ``openssl``.
+* Deprecated the concrete ``RSAPrivateKey`` class in favor of backend
+ specific providers of the
+ :class:`cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`
+ interface.
+* Deprecated the concrete ``RSAPublicKey`` in favor of backend specific
+ providers of the
+ :class:`cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`
+ interface.
+* Deprecated the concrete ``DSAPrivateKey`` class in favor of backend
+ specific providers of the
+ :class:`cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`
+ interface.
+* Deprecated the concrete ``DSAPublicKey`` class in favor of backend specific
+ providers of the
+ :class:`cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`
+ interface.
+* Deprecated the concrete ``DSAParameters`` class in favor of backend specific
+ providers of the
+ :class:`cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`
+ interface.
+* Deprecated ``encrypt_rsa``, ``decrypt_rsa``, ``create_rsa_signature_ctx`` and
+ ``create_rsa_verification_ctx`` on ``RSABackend``.
+* Deprecated ``create_dsa_signature_ctx`` and ``create_dsa_verification_ctx``
+ on ``DSABackend``.
+
+
+.. _v0-4:
+
+0.4 - 2014-05-03
+~~~~~~~~~~~~~~~~
+
+* Deprecated ``salt_length`` on
+ :class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF1` and added it
+ to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. It will
+ be removed from ``MGF1`` in two releases per our :doc:`/api-stability`
+ policy.
+* Added :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`
+ support.
+* Added :class:`~cryptography.hazmat.primitives.cmac.CMAC`.
+* Added decryption support to
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`
+ and encryption support to
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`.
+* Added signature support to
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`
+ and verification support to
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`.
+
+
+.. _v0-3:
+
+0.3 - 2014-03-27
+~~~~~~~~~~~~~~~~
+
+* Added :class:`~cryptography.hazmat.primitives.twofactor.hotp.HOTP`.
+* Added :class:`~cryptography.hazmat.primitives.twofactor.totp.TOTP`.
+* Added :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`
+ support.
+* Added signature support to
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`
+ and verification support to
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`.
+* Moved test vectors to the new ``cryptography_vectors`` package.
+
+
+.. _v0-2-2:
+
+0.2.2 - 2014-03-03
+~~~~~~~~~~~~~~~~~~
+
+* Removed a constant definition that was causing compilation problems with
+ specific versions of OpenSSL.
+
+
+.. _v0-2-1:
+
+0.2.1 - 2014-02-22
+~~~~~~~~~~~~~~~~~~
+
+* Fix a bug where importing cryptography from multiple paths could cause
+ initialization to fail.
+
+
+.. _v0-2:
+
+0.2 - 2014-02-20
+~~~~~~~~~~~~~~~~
+
+* Added ``commoncrypto``.
+* Added initial ``commoncrypto``.
+* Removed ``register_cipher_adapter`` method from ``CipherBackend``.
+* Added support for the OpenSSL backend under Windows.
+* Improved thread-safety for the OpenSSL backend.
+* Fixed compilation on systems where OpenSSL's ``ec.h`` header is not
+ available, such as CentOS.
+* Added :class:`~cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC`.
+* Added :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`.
+* Added ``multibackend``.
+* Set default random for ``openssl`` to the OS random engine.
+* Added :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`
+ (CAST-128) support.
+
+
+.. _v0-1:
+
+0.1 - 2014-01-08
+~~~~~~~~~~~~~~~~
+
+* Initial release.
+
+.. _`as documented here`: https://docs.rs/openssl/latest/openssl/#automatic
+.. _`main`: https://github.com/pyca/cryptography/
+.. _`cffi`: https://cffi.readthedocs.io/
diff --git a/contrib/python/cryptography/next/rust/CONTRIBUTING.rst b/contrib/python/cryptography/next/rust/CONTRIBUTING.rst
new file mode 100644
index 0000000000..6cd409a1b2
--- /dev/null
+++ b/contrib/python/cryptography/next/rust/CONTRIBUTING.rst
@@ -0,0 +1,23 @@
+Contributing to cryptography
+============================
+
+As an open source project, cryptography welcomes contributions of many forms.
+
+Examples of contributions include:
+
+* Code patches
+* Documentation improvements
+* Bug reports and patch reviews
+
+Extensive contribution guidelines are available in the repository at
+``docs/development/index.rst``, or online at:
+
+https://cryptography.io/en/latest/development/
+
+Security issues
+---------------
+
+To report a security issue, please follow the special `security reporting
+guidelines`_, do not report them in the public issue tracker.
+
+.. _`security reporting guidelines`: https://cryptography.io/en/latest/security/
diff --git a/contrib/python/cryptography/next/rust/LICENSE b/contrib/python/cryptography/next/rust/LICENSE
new file mode 100644
index 0000000000..b11f379efe
--- /dev/null
+++ b/contrib/python/cryptography/next/rust/LICENSE
@@ -0,0 +1,3 @@
+This software is made available under the terms of *either* of the licenses
+found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made
+under the terms of *both* these licenses.
diff --git a/contrib/python/cryptography/next/rust/LICENSE.APACHE b/contrib/python/cryptography/next/rust/LICENSE.APACHE
new file mode 100644
index 0000000000..62589edd12
--- /dev/null
+++ b/contrib/python/cryptography/next/rust/LICENSE.APACHE
@@ -0,0 +1,202 @@
+
+ Apache License
+ Version 2.0, January 2004
+ https://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/contrib/python/cryptography/next/rust/LICENSE.BSD b/contrib/python/cryptography/next/rust/LICENSE.BSD
new file mode 100644
index 0000000000..ec1a29d34d
--- /dev/null
+++ b/contrib/python/cryptography/next/rust/LICENSE.BSD
@@ -0,0 +1,27 @@
+Copyright (c) Individual contributors.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ 3. Neither the name of PyCA Cryptography nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/contrib/python/cryptography/next/rust/README.rst b/contrib/python/cryptography/next/rust/README.rst
new file mode 100644
index 0000000000..d71765b8db
--- /dev/null
+++ b/contrib/python/cryptography/next/rust/README.rst
@@ -0,0 +1,68 @@
+pyca/cryptography
+=================
+
+.. image:: https://img.shields.io/pypi/v/cryptography.svg
+ :target: https://pypi.org/project/cryptography/
+ :alt: Latest Version
+
+.. image:: https://readthedocs.org/projects/cryptography/badge/?version=latest
+ :target: https://cryptography.io
+ :alt: Latest Docs
+
+.. image:: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
+ :target: https://github.com/pyca/cryptography/actions?query=workflow%3ACI+branch%3Amain
+
+
+``cryptography`` is a package which provides cryptographic recipes and
+primitives to Python developers. Our goal is for it to be your "cryptographic
+standard library". It supports Python 3.7+ and PyPy3 7.3.10+.
+
+``cryptography`` includes both high level recipes and low level interfaces to
+common cryptographic algorithms such as symmetric ciphers, message digests, and
+key derivation functions. For example, to encrypt something with
+``cryptography``'s high level symmetric encryption recipe:
+
+.. code-block:: pycon
+
+ >>> from cryptography.fernet import Fernet
+ >>> # Put this somewhere safe!
+ >>> key = Fernet.generate_key()
+ >>> f = Fernet(key)
+ >>> token = f.encrypt(b"A really secret message. Not for prying eyes.")
+ >>> token
+ b'...'
+ >>> f.decrypt(token)
+ b'A really secret message. Not for prying eyes.'
+
+You can find more information in the `documentation`_.
+
+You can install ``cryptography`` with:
+
+.. code-block:: console
+
+ $ pip install cryptography
+
+For full details see `the installation documentation`_.
+
+Discussion
+~~~~~~~~~~
+
+If you run into bugs, you can file them in our `issue tracker`_.
+
+We maintain a `cryptography-dev`_ mailing list for development discussion.
+
+You can also join ``#pyca`` on ``irc.libera.chat`` to ask questions or get
+involved.
+
+Security
+~~~~~~~~
+
+Need to report a security issue? Please consult our `security reporting`_
+documentation.
+
+
+.. _`documentation`: https://cryptography.io/
+.. _`the installation documentation`: https://cryptography.io/en/latest/installation/
+.. _`issue tracker`: https://github.com/pyca/cryptography/issues
+.. _`cryptography-dev`: https://mail.python.org/mailman/listinfo/cryptography-dev
+.. _`security reporting`: https://cryptography.io/en/latest/security/
diff --git a/contrib/python/cryptography/next/rust/ci-constraints-requirements.txt b/contrib/python/cryptography/next/rust/ci-constraints-requirements.txt
new file mode 100644
index 0000000000..009faa5e0b
--- /dev/null
+++ b/contrib/python/cryptography/next/rust/ci-constraints-requirements.txt
@@ -0,0 +1,197 @@
+# This is named ambigiously, but it's a pip constraints file, named like a
+# requirements file so dependabot will update the pins.
+# It was originally generated with;
+# pip-compile --extra=docs --extra=docstest --extra=pep8test --extra=test --extra=test-randomorder --extra=nox --extra=sdist --resolver=backtracking --strip-extras --unsafe-package=cffi --unsafe-package=pycparser --unsafe-package=setuptools pyproject.toml
+# and then manually massaged to add version specifiers to packages whose
+# versions vary by Python version
+
+alabaster==0.7.13
+ # via sphinx
+argcomplete==3.0.8
+ # via nox
+babel==2.12.1
+ # via sphinx
+black==23.3.0
+ # via cryptography (pyproject.toml)
+bleach==6.0.0
+ # via readme-renderer
+build==0.10.0
+ # via
+ # check-sdist
+ # cryptography (pyproject.toml)
+certifi==2023.5.7
+ # via requests
+charset-normalizer==3.1.0
+ # via requests
+check-sdist==0.1.2
+ # via cryptography (pyproject.toml)
+click==8.1.3
+ # via black
+colorlog==6.7.0
+ # via nox
+coverage==7.2.7
+ # via pytest-cov
+distlib==0.3.6
+ # via virtualenv
+docutils==0.18.1
+ # via
+ # readme-renderer
+ # sphinx
+ # sphinx-rtd-theme
+exceptiongroup==1.1.1
+ # via pytest
+execnet==1.9.0
+ # via pytest-xdist
+filelock==3.12.0
+ # via virtualenv
+idna==3.4
+ # via requests
+imagesize==1.4.1
+ # via sphinx
+importlib-metadata==6.6.0
+ # via
+ # keyring
+ # twine
+iniconfig==2.0.0
+ # via pytest
+jaraco-classes==3.2.3
+ # via keyring
+jinja2==3.1.2
+ # via sphinx
+keyring==23.13.1
+ # via twine
+markdown-it-py==2.2.0
+ # via rich
+markupsafe==2.1.2
+ # via jinja2
+mdurl==0.1.2
+ # via markdown-it-py
+more-itertools==9.1.0
+ # via jaraco-classes
+mypy==1.3.0
+ # via cryptography (pyproject.toml)
+mypy-extensions==1.0.0
+ # via
+ # black
+ # mypy
+nox==2023.4.22
+ # via cryptography (pyproject.toml)
+packaging==23.1
+ # via
+ # black
+ # build
+ # nox
+ # pytest
+ # sphinx
+pathspec==0.11.1
+ # via
+ # black
+ # check-sdist
+pkginfo==1.9.6
+ # via twine
+platformdirs==3.5.1
+ # via
+ # black
+ # virtualenv
+pluggy==1.0.0
+ # via pytest
+pretend==1.0.9
+ # via cryptography (pyproject.toml)
+py-cpuinfo==9.0.0
+ # via pytest-benchmark
+pyenchant==3.2.2
+ # via
+ # cryptography (pyproject.toml)
+ # sphinxcontrib-spelling
+pygments==2.15.1
+ # via
+ # readme-renderer
+ # rich
+ # sphinx
+pyproject-hooks==1.0.0
+ # via build
+pytest==7.3.1
+ # via
+ # cryptography (pyproject.toml)
+ # pytest-benchmark
+ # pytest-cov
+ # pytest-randomly
+ # pytest-xdist
+pytest-benchmark==4.0.0
+ # via cryptography (pyproject.toml)
+pytest-cov==4.1.0
+ # via cryptography (pyproject.toml)
+pytest-randomly==3.12.0
+ # via cryptography (pyproject.toml)
+pytest-xdist==3.3.1
+ # via cryptography (pyproject.toml)
+readme-renderer==37.3
+ # via twine
+requests==2.31.0
+ # via
+ # requests-toolbelt
+ # sphinx
+ # twine
+requests-toolbelt==1.0.0
+ # via twine
+rfc3986==2.0.0
+ # via twine
+rich==13.3.5
+ # via twine
+ruff==0.0.270
+ # via cryptography (pyproject.toml)
+six==1.16.0
+ # via bleach
+snowballstemmer==2.2.0
+ # via sphinx
+sphinx==6.2.1
+ # via
+ # cryptography (pyproject.toml)
+ # sphinx-rtd-theme
+ # sphinxcontrib-jquery
+ # sphinxcontrib-spelling
+sphinx-rtd-theme==1.2.1
+ # via cryptography (pyproject.toml)
+sphinxcontrib-applehelp==1.0.4
+ # via sphinx
+sphinxcontrib-devhelp==1.0.2
+ # via sphinx
+sphinxcontrib-htmlhelp==2.0.1
+ # via sphinx
+sphinxcontrib-jquery==4.1
+ # via sphinx-rtd-theme
+sphinxcontrib-jsmath==1.0.1
+ # via sphinx
+sphinxcontrib-qthelp==1.0.3
+ # via sphinx
+sphinxcontrib-serializinghtml==1.1.5
+ # via sphinx
+sphinxcontrib-spelling==8.0.0
+ # via cryptography (pyproject.toml)
+tomli==2.0.1
+ # via
+ # black
+ # build
+ # check-manifest
+ # coverage
+ # mypy
+ # pyproject-hooks
+ # pytest
+twine==4.0.2
+ # via cryptography (pyproject.toml)
+typing-extensions==4.6.2
+ # via mypy
+urllib3==2.0.2
+ # via
+ # requests
+ # twine
+virtualenv==20.23.0
+ # via nox
+webencodings==0.5.1
+ # via bleach
+zipp==3.15.0
+ # via importlib-metadata
+
+# The following packages are considered to be unsafe in a requirements file:
+# cffi
+# pycparser
diff --git a/contrib/python/cryptography/ya.make b/contrib/python/cryptography/ya.make
index 4965fdc720..ce070b8473 100644
--- a/contrib/python/cryptography/ya.make
+++ b/contrib/python/cryptography/ya.make
@@ -16,3 +16,7 @@ RECURSE(
py2
py3
)
+
+IF (OS_LINUX AND MUSL)
+ RECURSE(next)
+ENDIF()