author | robot-piglet <robot-piglet@yandex-team.com> | 2024-05-29 11:24:01 +0300 |
---|---|---|
committer | robot-piglet <robot-piglet@yandex-team.com> | 2024-05-29 11:38:19 +0300 |
commit | 8788a47c2b48e19d7246346fae2ae5e446575a7a (patch) | |
tree | dce7e8e56a7dd1e22b64d7728117163b1cdef1f1 /contrib | |
parent | fc27761312bba603b104749357bd46a7603cf483 (diff) | |
Intermediate changes
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/python/cryptography/next/py3/LICENSE | 3 |
-rw-r--r-- | contrib/python/cryptography/next/py3/LICENSE.APACHE | 202 |
-rw-r--r-- | contrib/python/cryptography/next/py3/LICENSE.BSD | 27 |
-rw-r--r-- | contrib/python/cryptography/next/py3/README.rst | 68 |
-rw-r--r-- | contrib/python/cryptography/next/rust/CHANGELOG.rst | 2286 |
-rw-r--r-- | contrib/python/cryptography/next/rust/CONTRIBUTING.rst | 23 |
-rw-r--r-- | contrib/python/cryptography/next/rust/LICENSE | 3 |
-rw-r--r-- | contrib/python/cryptography/next/rust/LICENSE.APACHE | 202 |
-rw-r--r-- | contrib/python/cryptography/next/rust/LICENSE.BSD | 27 |
-rw-r--r-- | contrib/python/cryptography/next/rust/README.rst | 68 |
-rw-r--r-- | contrib/python/cryptography/next/rust/ci-constraints-requirements.txt | 197 |
-rw-r--r-- | contrib/python/cryptography/ya.make | 4 |
12 files changed, 3110 insertions, 0 deletions
diff --git a/contrib/python/cryptography/next/py3/LICENSE b/contrib/python/cryptography/next/py3/LICENSE new file mode 100644 index 0000000000..b11f379efe --- /dev/null +++ b/contrib/python/cryptography/next/py3/LICENSE @@ -0,0 +1,3 @@ +This software is made available under the terms of *either* of the licenses +found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made +under the terms of *both* these licenses. diff --git a/contrib/python/cryptography/next/py3/LICENSE.APACHE b/contrib/python/cryptography/next/py3/LICENSE.APACHE new file mode 100644 index 0000000000..62589edd12 --- /dev/null +++ b/contrib/python/cryptography/next/py3/LICENSE.APACHE 
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + https://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/contrib/python/cryptography/next/py3/LICENSE.BSD b/contrib/python/cryptography/next/py3/LICENSE.BSD new file mode 100644 index 0000000000..ec1a29d34d --- /dev/null +++ b/contrib/python/cryptography/next/py3/LICENSE.BSD 
@@ -0,0 +1,27 @@ +Copyright (c) Individual contributors. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + 3. Neither the name of PyCA Cryptography nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR +ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON +ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/contrib/python/cryptography/next/py3/README.rst b/contrib/python/cryptography/next/py3/README.rst new file mode 100644 index 0000000000..d71765b8db --- /dev/null +++ b/contrib/python/cryptography/next/py3/README.rst 
@@ -0,0 +1,68 @@ +pyca/cryptography +================= + +.. image:: https://img.shields.io/pypi/v/cryptography.svg + :target: https://pypi.org/project/cryptography/ + :alt: Latest Version + +.. image:: https://readthedocs.org/projects/cryptography/badge/?version=latest + :target: https://cryptography.io + :alt: Latest Docs + +.. image:: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main + :target: https://github.com/pyca/cryptography/actions?query=workflow%3ACI+branch%3Amain + + +``cryptography`` is a package which provides cryptographic recipes and +primitives to Python developers. Our goal is for it to be your "cryptographic +standard library". It supports Python 3.7+ and PyPy3 7.3.10+. + +``cryptography`` includes both high level recipes and low level interfaces to +common cryptographic algorithms such as symmetric ciphers, message digests, and +key derivation functions. For example, to encrypt something with +``cryptography``'s high level symmetric encryption recipe: + +.. code-block:: pycon + + >>> from cryptography.fernet import Fernet + >>> # Put this somewhere safe! + >>> key = Fernet.generate_key() + >>> f = Fernet(key) + >>> token = f.encrypt(b"A really secret message. Not for prying eyes.") + >>> token + b'...' + >>> f.decrypt(token) + b'A really secret message. Not for prying eyes.' + +You can find more information in the `documentation`_. + +You can install ``cryptography`` with: + +.. code-block:: console + + $ pip install cryptography + +For full details see `the installation documentation`_. + +Discussion +~~~~~~~~~~ + +If you run into bugs, you can file them in our `issue tracker`_. + +We maintain a `cryptography-dev`_ mailing list for development discussion. + +You can also join ``#pyca`` on ``irc.libera.chat`` to ask questions or get +involved. + +Security +~~~~~~~~ + +Need to report a security issue? Please consult our `security reporting`_ +documentation. + + +.. _`documentation`: https://cryptography.io/ +.. 
_`the installation documentation`: https://cryptography.io/en/latest/installation/ +.. _`issue tracker`: https://github.com/pyca/cryptography/issues +.. _`cryptography-dev`: https://mail.python.org/mailman/listinfo/cryptography-dev +.. _`security reporting`: https://cryptography.io/en/latest/security/ diff --git a/contrib/python/cryptography/next/rust/CHANGELOG.rst b/contrib/python/cryptography/next/rust/CHANGELOG.rst new file mode 100644 index 0000000000..857a32f673 --- /dev/null +++ b/contrib/python/cryptography/next/rust/CHANGELOG.rst 
@@ -0,0 +1,2286 @@ +Changelog +========= + +.. _v41-0-6: + +41.0.6 - 2023-11-27 +~~~~~~~~~~~~~~~~~~~ + +* Fixed a null-pointer-dereference and segfault that could occur when loading + certificates from a PKCS#7 bundle. Credit to **pkuzco** for reporting the + issue. **CVE-2023-49083** + +.. _v41-0-5: + +41.0.5 - 2023-10-24 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4. +* Added a function to support an upcoming ``pyOpenSSL`` release. + +.. _v41-0-4: + +41.0.4 - 2023-09-19 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3. + +.. _v41-0-3: + +41.0.3 - 2023-08-01 +~~~~~~~~~~~~~~~~~~~ + +* Fixed performance regression loading DH public keys. +* Fixed a memory leak when using + :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`. +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.2. + +.. _v41-0-2: + +41.0.2 - 2023-07-10 +~~~~~~~~~~~~~~~~~~~ + +* Fixed bugs in creating and parsing SSH certificates where critical options + with values were handled incorrectly. Certificates are now created correctly + and parsing accepts correct values as well as the previously generated + invalid forms with a warning. In the next release, support for parsing these + invalid forms will be removed. + +.. _v41-0-1: + +41.0.1 - 2023-06-01 +~~~~~~~~~~~~~~~~~~~ + +* Temporarily allow invalid ECDSA signature algorithm parameters in X.509 + certificates, which are generated by older versions of Java. +* Allow null bytes in pass phrases when serializing private keys. + +.. _v41-0-0: + +41.0.0 - 2023-05-30 +~~~~~~~~~~~~~~~~~~~ + +* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL less than 1.1.1d has been + removed. Users on older version of OpenSSL will need to upgrade. +* **BACKWARDS INCOMPATIBLE:** Support for Python 3.6 has been removed. +* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.6. 
+* Updated the minimum supported Rust version (MSRV) to 1.56.0, from 1.48.0. +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.1. +* Added support for the :class:`~cryptography.x509.OCSPAcceptableResponses` + OCSP extension. +* Added support for the :class:`~cryptography.x509.MSCertificateTemplate` + proprietary Microsoft certificate extension. +* Implemented support for equality checks on all asymmetric public key types. +* Added support for ``aes256-gcm@openssh.com`` encrypted keys in + :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`. +* Added support for obtaining X.509 certificate signature algorithm parameters + (including PSS) via + :meth:`~cryptography.x509.Certificate.signature_algorithm_parameters`. +* Support signing :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` + X.509 certificates via the new keyword-only argument ``rsa_padding`` on + :meth:`~cryptography.x509.CertificateBuilder.sign`. +* Added support for + :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305` + on BoringSSL. + +.. _v40-0-2: + +40.0.2 - 2023-04-14 +~~~~~~~~~~~~~~~~~~~ + +* Fixed compilation when using LibreSSL 3.7.2. +* Added some functions to support an upcoming ``pyOpenSSL`` release. + +.. _v40-0-1: + +40.0.1 - 2023-03-24 +~~~~~~~~~~~~~~~~~~~ + +* Fixed a bug where certain operations would fail if an object happened to be + in the top-half of the memory-space. This only impacted 32-bit systems. + +.. _v40-0-0: + +40.0.0 - 2023-03-24 +~~~~~~~~~~~~~~~~~~~ + + +* **BACKWARDS INCOMPATIBLE:** As announced in the 39.0.0 changelog, the way + ``cryptography`` links OpenSSL has changed. This only impacts users who + build ``cryptography`` from source (i.e., not from a ``wheel``), and + specify their own version of OpenSSL. For those users, the ``CFLAGS``, + ``LDFLAGS``, ``INCLUDE``, ``LIB``, and ``CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS`` + environment variables are no longer valid. 
Instead, users need to configure + their builds `as documented here`_. +* Support for Python 3.6 is deprecated and will be removed in the next + release. +* Deprecated the current minimum supported Rust version (MSRV) of 1.48.0. + In the next release we will raise MSRV to 1.56.0. Users with the latest + ``pip`` will typically get a wheel and not need Rust installed, but check + :doc:`/installation` for documentation on installing a newer ``rustc`` if + required. +* Deprecated support for OpenSSL less than 1.1.1d. The next release of + ``cryptography`` will drop support for older versions. +* Deprecated support for DSA keys in + :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` + and + :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`. +* Deprecated support for OpenSSH serialization in + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` + and + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`. +* The minimum supported version of PyPy3 is now 7.3.10. +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.0. +* Added support for parsing SSH certificates in addition to public keys with + :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_identity`. + :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` + continues to support only public keys. +* Added support for generating SSH certificates with + :class:`~cryptography.hazmat.primitives.serialization.SSHCertificateBuilder`. +* Added :meth:`~cryptography.x509.Certificate.verify_directly_issued_by` to + :class:`~cryptography.x509.Certificate`. +* Added a check to :class:`~cryptography.x509.NameConstraints` to ensure that + :class:`~cryptography.x509.DNSName` constraints do not contain any ``*`` + wildcards. +* Removed many unused CFFI OpenSSL bindings. This will not impact you unless + you are using ``cryptography`` to directly invoke OpenSSL's C API. 
Note that + these have never been considered a stable, supported, public API by + ``cryptography``, this note is included as a courtesy. +* The X.509 builder classes now raise ``UnsupportedAlgorithm`` instead of + ``ValueError`` if an unsupported hash algorithm is passed. +* Added public union type aliases for type hinting: + + * Asymmetric types: + :const:`~cryptography.hazmat.primitives.asymmetric.types.PublicKeyTypes`, + :const:`~cryptography.hazmat.primitives.asymmetric.types.PrivateKeyTypes`, + :const:`~cryptography.hazmat.primitives.asymmetric.types.CertificatePublicKeyTypes`, + :const:`~cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPublicKeyTypes`, + :const:`~cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPrivateKeyTypes`. + * SSH keys: + :const:`~cryptography.hazmat.primitives.serialization.SSHPublicKeyTypes`, + :const:`~cryptography.hazmat.primitives.serialization.SSHPrivateKeyTypes`, + :const:`~cryptography.hazmat.primitives.serialization.SSHCertPublicKeyTypes`, + :const:`~cryptography.hazmat.primitives.serialization.SSHCertPrivateKeyTypes`. + * PKCS12: + :const:`~cryptography.hazmat.primitives.serialization.pkcs12.PKCS12PrivateKeyTypes` + * PKCS7: + :const:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7HashTypes`, + :const:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7PrivateKeyTypes`. + * Two-factor: + :const:`~cryptography.hazmat.primitives.twofactor.hotp.HOTPHashTypes` + +* Deprecated previously undocumented but not private type aliases in the + ``cryptography.hazmat.primitives.asymmetric.types`` module in favor of new + ones above. + + +.. _v39-0-2: + + +39.0.2 - 2023-03-02 +~~~~~~~~~~~~~~~~~~~ + +* Fixed a bug where the content type header was not properly encoded for + PKCS7 signatures when using the ``Text`` option and ``SMIME`` encoding. + + +.. 
_v39-0-1: + +39.0.1 - 2023-02-07 +~~~~~~~~~~~~~~~~~~~ + +* **SECURITY ISSUE** - Fixed a bug where ``Cipher.update_into`` accepted Python + buffer protocol objects, but allowed immutable buffers. **CVE-2023-23931** +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8. + +.. _v39-0-0: + +39.0.0 - 2023-01-01 +~~~~~~~~~~~~~~~~~~~ + +* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.0 has been removed. + Users on older version of OpenSSL will need to upgrade. +* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.5. The new + minimum LibreSSL version is 3.5.0. Going forward our policy is to support + versions of LibreSSL that are available in versions of OpenBSD that are + still receiving security support. +* **BACKWARDS INCOMPATIBLE:** Removed the ``encode_point`` and + ``from_encoded_point`` methods on + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`, + which had been deprecated for several years. + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes` + and + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point` + should be used instead. +* **BACKWARDS INCOMPATIBLE:** Support for using MD5 or SHA1 in + :class:`~cryptography.x509.CertificateBuilder`, other X.509 builders, and + PKCS7 has been removed. +* **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.10 and 10.11, macOS + users must upgrade to 10.12 or newer. +* **ANNOUNCEMENT:** The next version of ``cryptography`` (40.0) will change + the way we link OpenSSL. This will only impact users who build + ``cryptography`` from source (i.e., not from a ``wheel``), and specify their + own version of OpenSSL. For those users, the ``CFLAGS``, ``LDFLAGS``, + ``INCLUDE``, ``LIB``, and ``CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS`` environment + variables will no longer be respected. Instead, users will need to + configure their builds `as documented here`_. 
+* Added support for + :ref:`disabling the legacy provider in OpenSSL 3.0.x<legacy-provider>`. +* Added support for disabling RSA key validation checks when loading RSA + keys via + :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`, + :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`, + and + :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers.private_key`. + This speeds up key loading but is :term:`unsafe` if you are loading potentially + attacker supplied keys. +* Significantly improved performance for + :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305` + when repeatedly calling ``encrypt`` or ``decrypt`` with the same key. +* Added support for creating OCSP requests with precomputed hashes using + :meth:`~cryptography.x509.ocsp.OCSPRequestBuilder.add_certificate_by_hash`. +* Added support for loading multiple PEM-encoded X.509 certificates from + a single input via :func:`~cryptography.x509.load_pem_x509_certificates`. + +.. _v38-0-4: + +38.0.4 - 2022-11-27 +~~~~~~~~~~~~~~~~~~~ + +* Fixed compilation when using LibreSSL 3.6.0. +* Fixed error when using ``py2app`` to build an application with a + ``cryptography`` dependency. + +.. _v38-0-3: + +38.0.3 - 2022-11-01 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.7, + which resolves *CVE-2022-3602* and *CVE-2022-3786*. + +.. _v38-0-2: + +38.0.2 - 2022-10-11 (YANKED) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. attention:: + + This release was subsequently yanked from PyPI due to a regression in OpenSSL. + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.6. + + +.. _v38-0-1: + +38.0.1 - 2022-09-07 +~~~~~~~~~~~~~~~~~~~ + +* Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically + seen in large CRLs). + +.. _v38-0-0: + +38.0.0 - 2022-09-06 +~~~~~~~~~~~~~~~~~~~ + +* Final deprecation of OpenSSL 1.1.0. 
The next release of ``cryptography`` + will drop support. +* We no longer ship ``manylinux2010`` wheels. Users should upgrade to the + latest ``pip`` to ensure this doesn't cause issues downloading wheels on + their platform. We now ship ``manylinux_2_28`` wheels for users on new + enough platforms. +* Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0. + Users with the latest ``pip`` will typically get a wheel and not need Rust + installed, but check :doc:`/installation` for documentation on installing a + newer ``rustc`` if required. +* :meth:`~cryptography.fernet.Fernet.decrypt` and related methods now accept + both ``str`` and ``bytes`` tokens. +* Parsing ``CertificateSigningRequest`` restores the behavior of enforcing + that the ``Extension`` ``critical`` field must be correctly encoded DER. See + `the issue <https://github.com/pyca/cryptography/issues/6368>`_ for complete + details. +* Added two new OpenSSL functions to the bindings to support an upcoming + ``pyOpenSSL`` release. +* When parsing :class:`~cryptography.x509.CertificateRevocationList` and + :class:`~cryptography.x509.CertificateSigningRequest` values, it is now + enforced that the ``version`` value in the input must be valid according to + the rules of :rfc:`2986` and :rfc:`5280`. +* Using MD5 or SHA1 in :class:`~cryptography.x509.CertificateBuilder` and + other X.509 builders is deprecated and support will be removed in the next + version. +* Added additional APIs to + :class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp`, including + :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_hash_algorithm`, + :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_algorithm`, + :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature`, and + :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.extension_bytes`. 
+* Added :attr:`~cryptography.x509.Certificate.tbs_precertificate_bytes`, allowing + users to access the to-be-signed pre-certificate data needed for signed + certificate timestamp verification. +* :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC` and + :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC` now support + :attr:`~cryptography.hazmat.primitives.kdf.kbkdf.CounterLocation.MiddleFixed` + counter location. +* Fixed :rfc:`4514` name parsing to reverse the order of the RDNs according + to the section 2.1 of the RFC, affecting method + :meth:`~cryptography.x509.Name.from_rfc4514_string`. +* It is now possible to customize some aspects of encryption when serializing + private keys, using + :meth:`~cryptography.hazmat.primitives.serialization.PrivateFormat.encryption_builder`. +* Removed several legacy symbols from our OpenSSL bindings. Users of pyOpenSSL + versions older than 22.0 will need to upgrade. +* Added + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES128` and + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES256` classes. + These classes do not replace + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` (which + allows all AES key lengths), but are intended for applications where + developers want to be explicit about key length. + +.. _v37-0-4: + +37.0.4 - 2022-07-05 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.5. + +.. _v37-0-3: + +37.0.3 - 2022-06-21 (YANKED) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. attention:: + + This release was subsequently yanked from PyPI due to a regression in OpenSSL. + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.4. + +.. _v37-0-2: + +37.0.2 - 2022-05-03 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.3. +* Added a constant needed for an upcoming pyOpenSSL release. + +.. 
_v37-0-1: + +37.0.1 - 2022-04-27 +~~~~~~~~~~~~~~~~~~~ + +* Fixed an issue where parsing an encrypted private key with the public + loader functions would hang waiting for console input on OpenSSL 3.0.x rather + than raising an error. +* Restored some legacy symbols for older ``pyOpenSSL`` users. These will be + removed again in the future, so ``pyOpenSSL`` users should still upgrade + to the latest version of that package when they upgrade ``cryptography``. + +.. _v37-0-0: + +37.0.0 - 2022-04-26 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2. +* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x and 3.0.x. + The new minimum LibreSSL version is 3.1+. +* **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier`` methods + from the public key and private key classes. These methods were originally + deprecated in version 2.0, but had an extended deprecation timeline due + to usage. Any remaining users should transition to ``sign`` and ``verify``. +* Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by + the OpenSSL project. The next release of ``cryptography`` will be the last + to support compiling with OpenSSL 1.1.0. +* Deprecated Python 3.6 support. Python 3.6 is no longer supported by the + Python core team. Support for Python 3.6 will be removed in a future + ``cryptography`` release. +* Deprecated the current minimum supported Rust version (MSRV) of 1.41.0. + In the next release we will raise MSRV to 1.48.0. Users with the latest + ``pip`` will typically get a wheel and not need Rust installed, but check + :doc:`/installation` for documentation on installing a newer ``rustc`` if + required. 
+* Deprecated + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`, + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`, + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish` because + they are legacy algorithms with extremely low usage. These will be removed + in a future version of ``cryptography``. +* Added limited support for distinguished names containing a bit string. +* We now ship ``universal2`` wheels on macOS, which contain both ``arm64`` + and ``x86_64`` architectures. Users on macOS should upgrade to the latest + ``pip`` to ensure they can use this wheel, although we will continue to + ship ``x86_64`` specific wheels for now to ease the transition. +* This will be the final release for which we ship ``manylinux2010`` wheels. + Going forward the minimum supported ``manylinux`` ABI for our wheels will + be ``manylinux2014``. The vast majority of users will continue to receive + ``manylinux`` wheels provided they have an up to date ``pip``. For PyPy + wheels this release already requires ``manylinux2014`` for compatibility + with binaries distributed by upstream. +* Added support for multiple + :class:`~cryptography.x509.ocsp.OCSPSingleResponse` in a + :class:`~cryptography.x509.ocsp.OCSPResponse`. +* Restored support for signing certificates and other structures in + :doc:`/x509/index` with SHA3 hash algorithms. +* :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` is + disabled in FIPS mode. +* Added support for serialization of PKCS#12 CA friendly names/aliases in + :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates` +* Added support for 12-15 byte (96 to 120 bit) nonces to + :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`. This class + previously supported only 12 byte (96 bit). 
+* Added support for + :class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV` when using + OpenSSL 3.0.0+. +* Added support for serializing PKCS7 structures from a list of + certificates with + :class:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates`. +* Added support for parsing :rfc:`4514` strings with + :meth:`~cryptography.x509.Name.from_rfc4514_string`. +* Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.AUTO` to + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This can + be used to verify a signature where the salt length is not already known. +* Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.DIGEST_LENGTH` + to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This + constant will set the salt length to the same length as the ``PSS`` hash + algorithm. +* Added support for loading RSA-PSS key types with + :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key` + and + :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`. + This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a + normal RSA private key, discarding the PSS constraint information. + +.. _v36-0-2: + +36.0.2 - 2022-03-15 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n. + +.. _v36-0-1: + +36.0.1 - 2021-12-14 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m. + +.. _v36-0-0: + +36.0.0 - 2021-11-21 +~~~~~~~~~~~~~~~~~~~ + +* **FINAL DEPRECATION** Support for ``verifier`` and ``signer`` on our + asymmetric key classes was deprecated in version 2.0. These functions had an + extended deprecation due to usage, however the next version of + ``cryptography`` will drop support. Users should migrate to ``sign`` and + ``verify``. +* The entire :doc:`/x509/index` layer is now written in Rust. 
This allows + alternate asymmetric key implementations that can support cloud key + management services or hardware security modules provided they implement + the necessary interface (for example: + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`). +* :ref:`Deprecated the backend argument<faq-missing-backend>` for all + functions. +* Added support for + :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`. +* Added support for iterating over arbitrary request + :attr:`~cryptography.x509.CertificateSigningRequest.attributes`. +* Deprecated the ``get_attribute_for_oid`` method on + :class:`~cryptography.x509.CertificateSigningRequest` in favor of + :meth:`~cryptography.x509.Attributes.get_attribute_for_oid` on the new + :class:`~cryptography.x509.Attributes` object. +* Fixed handling of PEM files to allow loading when certificate and key are + in the same file. +* Fixed parsing of :class:`~cryptography.x509.CertificatePolicies` extensions + containing legacy ``BMPString`` values in their ``explicitText``. +* Allow parsing of negative serial numbers in certificates. Negative serial + numbers are prohibited by :rfc:`5280` so a deprecation warning will be + raised whenever they are encountered. A future version of ``cryptography`` + will drop support for parsing them. +* Added support for parsing PKCS12 files with friendly names for all + certificates with + :func:`~cryptography.hazmat.primitives.serialization.pkcs12.load_pkcs12`, + which will return an object of type + :class:`~cryptography.hazmat.primitives.serialization.pkcs12.PKCS12KeyAndCertificates`. +* :meth:`~cryptography.x509.Name.rfc4514_string` and related methods now have + an optional ``attr_name_overrides`` parameter to supply custom OID to name + mappings, which can be used to match vendor-specific extensions. 
+* **BACKWARDS INCOMPATIBLE:** Reverted the nonstandard formatting of + email address fields as ``E`` in + :meth:`~cryptography.x509.Name.rfc4514_string` methods from version 35.0. + + The previous behavior can be restored with: + ``name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})`` +* Allow + :class:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey` + and + :class:`~cryptography.hazmat.primitives.asymmetric.x448.X448PublicKey` to + be used as public keys when parsing certificates or creating them with + :class:`~cryptography.x509.CertificateBuilder`. These key types must be + signed with a different signing algorithm as ``X25519`` and ``X448`` do + not support signing. +* Extension values can now be serialized to a DER byte string by calling + :func:`~cryptography.x509.ExtensionType.public_bytes`. +* Added experimental support for compiling against BoringSSL. As BoringSSL + does not commit to a stable API, ``cryptography`` tests against the + latest commit only. Please note that several features are not available + when building against BoringSSL. +* Parsing ``CertificateSigningRequest`` from DER and PEM now, for a limited + time period, allows the ``Extension`` ``critical`` field to be incorrectly + encoded. See `the issue <https://github.com/pyca/cryptography/issues/6368>`_ + for complete details. This will be reverted in a future ``cryptography`` + release. +* When :class:`~cryptography.x509.OCSPNonce` are parsed and generated their + value is now correctly wrapped in an ASN.1 ``OCTET STRING``. This conforms + to :rfc:`6960` but conflicts with the original behavior specified in + :rfc:`2560`. For a temporary period for backwards compatibility, we will + also parse values that are encoded as specified in :rfc:`2560` but this + behavior will be removed in a future release. + +.. _v35-0-0: + +35.0.0 - 2021-09-29 +~~~~~~~~~~~~~~~~~~~ + +* Changed the :ref:`version scheme <api-stability:versioning>`. 
This will + result in us incrementing the major version more frequently, but does not + change our existing backwards compatibility policy. +* **BACKWARDS INCOMPATIBLE:** The :doc:`/x509/index` PEM parsers now require + that the PEM string passed have PEM delimiters of the correct type. For + example, parsing a private key PEM concatenated with a certificate PEM will + no longer be accepted by the PEM certificate parser. +* **BACKWARDS INCOMPATIBLE:** The X.509 certificate parser no longer allows + negative serial numbers. :rfc:`5280` has always prohibited these. +* **BACKWARDS INCOMPATIBLE:** Additional forms of invalid ASN.1 found during + :doc:`/x509/index` parsing will raise an error on initial parse rather than + when the malformed field is accessed. +* Rust is now required for building ``cryptography``, the + ``CRYPTOGRAPHY_DONT_BUILD_RUST`` environment variable is no longer + respected. +* Parsers for :doc:`/x509/index` no longer use OpenSSL and have been + rewritten in Rust. This should be backwards compatible (modulo the items + listed above) and improve both security and performance. +* Added support for OpenSSL 3.0.0 as a compilation target. +* Added support for + :class:`~cryptography.hazmat.primitives.hashes.SM3` and + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SM4`, + when using OpenSSL 1.1.1. These algorithms are provided for compatibility + in regions where they may be required, and are not generally recommended. +* We now ship ``manylinux_2_24`` and ``musllinux_1_1`` wheels, in addition to + our ``manylinux2010`` and ``manylinux2014`` wheels. Users on distributions + like Alpine Linux should ensure they upgrade to the latest ``pip`` to + correctly receive wheels. +* Added ``rfc4514_attribute_name`` attribute to :attr:`x509.NameAttribute + <cryptography.x509.NameAttribute.rfc4514_attribute_name>`. +* Added :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC`. + +.. 
_v3-4-8: + +3.4.8 - 2021-08-24 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with + OpenSSL 1.1.1l. + +.. _v3-4-7: + +3.4.7 - 2021-03-25 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with + OpenSSL 1.1.1k. + +.. _v3-4-6: + +3.4.6 - 2021-02-16 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with + OpenSSL 1.1.1j. + +.. _v3-4-5: + +3.4.5 - 2021-02-13 +~~~~~~~~~~~~~~~~~~ + +* Various improvements to type hints. +* Lower the minimum supported Rust version (MSRV) to >=1.41.0. This change + improves compatibility with system-provided Rust on several Linux + distributions. +* ``cryptography`` will be switching to a new versioning scheme with its next + feature release. More information is available in our + :doc:`/api-stability` documentation. + +.. _v3-4-4: + +3.4.4 - 2021-02-09 +~~~~~~~~~~~~~~~~~~ + +* Added a ``py.typed`` file so that ``mypy`` will know to use our type + annotations. +* Fixed an import cycle that could be triggered by certain import sequences. + +.. _v3-4-3: + +3.4.3 - 2021-02-08 +~~~~~~~~~~~~~~~~~~ + +* Specify our supported Rust version (>=1.45.0) in our ``setup.py`` so users + on older versions will get a clear error message. + +.. _v3-4-2: + +3.4.2 - 2021-02-08 +~~~~~~~~~~~~~~~~~~ + +* Improvements to make the rust transition a bit easier. This includes some + better error messages and small dependency fixes. If you experience + installation problems **Be sure to update pip** first, then check the + :doc:`FAQ </faq>`. + +.. _v3-4-1: + +3.4.1 - 2021-02-07 +~~~~~~~~~~~~~~~~~~ + +* Fixed a circular import issue. +* Added additional debug output to assist users seeing installation errors + due to outdated ``pip`` or missing ``rustc``. + +.. _v3-4: + +3.4 - 2021-02-07 +~~~~~~~~~~~~~~~~ + +* **BACKWARDS INCOMPATIBLE:** Support for Python 2 has been removed. 
+* We now ship ``manylinux2014`` wheels and no longer ship ``manylinux1`` + wheels. Users should upgrade to the latest ``pip`` to ensure this doesn't + cause issues downloading wheels on their platform. +* ``cryptography`` now incorporates Rust code. Users building ``cryptography`` + themselves will need to have the Rust toolchain installed. Users who use an + officially produced wheel will not need to make any changes. The minimum + supported Rust version is 1.45.0. +* ``cryptography`` now has :pep:`484` type hints on nearly all of of its public + APIs. Users can begin using them to type check their code with ``mypy``. + +.. _v3-3-2: + +3.3.2 - 2021-02-07 +~~~~~~~~~~~~~~~~~~ + +* **SECURITY ISSUE:** Fixed a bug where certain sequences of ``update()`` calls + when symmetrically encrypting very large payloads (>2GB) could result in an + integer overflow, leading to buffer overflows. *CVE-2020-36242* **Update:** + This fix is a workaround for *CVE-2021-23840* in OpenSSL, fixed in OpenSSL + 1.1.1j. + +.. _v3-3-1: + +3.3.1 - 2020-12-09 +~~~~~~~~~~~~~~~~~~ + +* Re-added a legacy symbol causing problems for older ``pyOpenSSL`` users. + +.. _v3-3: + +3.3 - 2020-12-08 +~~~~~~~~~~~~~~~~ + +* **BACKWARDS INCOMPATIBLE:** Support for Python 3.5 has been removed due to + low usage and maintenance burden. +* **BACKWARDS INCOMPATIBLE:** The + :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` and + :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM` now require + 64-bit to 1024-bit (8 byte to 128 byte) initialization vectors. This change + is to conform with an upcoming OpenSSL release that will no longer support + sizes outside this window. +* **BACKWARDS INCOMPATIBLE:** When deserializing asymmetric keys we now + raise ``ValueError`` rather than ``UnsupportedAlgorithm`` when an + unsupported cipher is used. This change is to conform with an upcoming + OpenSSL release that will no longer distinguish between error types. 
+* **BACKWARDS INCOMPATIBLE:** We no longer allow loading of finite field + Diffie-Hellman parameters of less than 512 bits in length. This change is to + conform with an upcoming OpenSSL release that no longer supports smaller + sizes. These keys were already wildly insecure and should not have been used + in any application outside of testing. +* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with + OpenSSL 1.1.1i. +* Python 2 support is deprecated in ``cryptography``. This is the last release + that will support Python 2. +* Added the + :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey.recover_data_from_signature` + function to + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` + for recovering the signed data from an RSA signature. + +.. _v3-2-1: + +3.2.1 - 2020-10-27 +~~~~~~~~~~~~~~~~~~ + +* Disable blinding on RSA public keys to address an error with some versions + of OpenSSL. + +.. _v3-2: + +3.2 - 2020-10-25 +~~~~~~~~~~~~~~~~ + +* **SECURITY ISSUE:** Attempted to make RSA PKCS#1v1.5 decryption more constant + time, to protect against Bleichenbacher vulnerabilities. Due to limitations + imposed by our API, we cannot completely mitigate this vulnerability and a + future release will contain a new API which is designed to be resilient to + these for contexts where it is required. Credit to **Hubert Kario** for + reporting the issue. *CVE-2020-25659* +* Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL + will need to upgrade. +* Added basic support for PKCS7 signing (including SMIME) via + :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder`. + +.. _v3-1-1: + +3.1.1 - 2020-09-22 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with + OpenSSL 1.1.1h. + +.. 
_v3-1: + +3.1 - 2020-08-26 +~~~~~~~~~~~~~~~~ + +* **BACKWARDS INCOMPATIBLE:** Removed support for ``idna`` based + :term:`U-label` parsing in various X.509 classes. This support was originally + deprecated in version 2.1 and moved to an extra in 2.5. +* Deprecated OpenSSL 1.0.2 support. OpenSSL 1.0.2 is no longer supported by + the OpenSSL project. The next version of ``cryptography`` will drop support + for it. +* Deprecated support for Python 3.5. This version sees very little use and will + be removed in the next release. +* ``backend`` arguments to functions are no longer required and the + default backend will automatically be selected if no ``backend`` is provided. +* Added initial support for parsing certificates from PKCS7 files with + :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates` + and + :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates` + . +* Calling ``update`` or ``update_into`` on + :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with ``data`` + longer than 2\ :sup:`31` bytes no longer raises an ``OverflowError``. This + also resolves the same issue in :doc:`/fernet`. + +.. _v3-0: + +3.0 - 2020-07-20 +~~~~~~~~~~~~~~~~ + +* **BACKWARDS INCOMPATIBLE:** Removed support for passing an + :class:`~cryptography.x509.Extension` instance to + :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`, + as per our deprecation policy. +* **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has + been removed (2.9.1+ is still supported). +* **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.9, macOS users must + upgrade to 10.10 or newer. +* **BACKWARDS INCOMPATIBLE:** RSA + :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` + no longer accepts ``public_exponent`` values except 65537 and 3 (the latter + for legacy purposes). 
+* **BACKWARDS INCOMPATIBLE:** X.509 certificate parsing now enforces that the + ``version`` field contains a valid value, rather than deferring this check + until :attr:`~cryptography.x509.Certificate.version` is accessed. +* Deprecated support for Python 2. At the time there is no time table for + actually dropping support, however we strongly encourage all users to upgrade + their Python, as Python 2 no longer receives support from the Python core + team. + + If you have trouble suppressing this warning in tests view the :ref:`FAQ + entry addressing this issue <faq-howto-handle-deprecation-warning>`. + +* Added support for ``OpenSSH`` serialization format for + ``ec``, ``ed25519``, ``rsa`` and ``dsa`` private keys: + :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key` + for loading and + :attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.OpenSSH` + for writing. +* Added support for ``OpenSSH`` certificates to + :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`. +* Added :meth:`~cryptography.fernet.Fernet.encrypt_at_time` and + :meth:`~cryptography.fernet.Fernet.decrypt_at_time` to + :class:`~cryptography.fernet.Fernet`. +* Added support for the :class:`~cryptography.x509.SubjectInformationAccess` + X.509 extension. +* Added support for parsing + :class:`~cryptography.x509.SignedCertificateTimestamps` in OCSP responses. +* Added support for parsing attributes in certificate signing requests via + ``CertificateSigningRequest.get_attribute_for_oid``. +* Added support for encoding attributes in certificate signing requests via + :meth:`~cryptography.x509.CertificateSigningRequestBuilder.add_attribute`. +* On OpenSSL 1.1.1d and higher ``cryptography`` now uses OpenSSL's + built-in CSPRNG instead of its own OS random engine because these versions of + OpenSSL properly reseed on fork. 
+* Added initial support for creating PKCS12 files with + :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`. + +.. _v2-9-2: + +2.9.2 - 2020-04-22 +~~~~~~~~~~~~~~~~~~ + +* Updated the macOS wheel to fix an issue where it would not run on macOS + versions older than 10.15. + +.. _v2-9-1: + +2.9.1 - 2020-04-21 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with + OpenSSL 1.1.1g. + +.. _v2-9: + +2.9 - 2020-04-02 +~~~~~~~~~~~~~~~~ + +* **BACKWARDS INCOMPATIBLE:** Support for Python 3.4 has been removed due to + low usage and maintenance burden. +* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.0.1 has been removed. + Users on older version of OpenSSL will need to upgrade. +* **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.6.x has been removed. +* Removed support for calling + :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey.public_bytes` + with no arguments, as per our deprecation policy. You must now pass + ``encoding`` and ``format``. +* **BACKWARDS INCOMPATIBLE:** Reversed the order in which + :meth:`~cryptography.x509.Name.rfc4514_string` returns the RDNs + as required by :rfc:`4514`. +* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with + OpenSSL 1.1.1f. +* Added support for parsing + :attr:`~cryptography.x509.ocsp.OCSPResponse.single_extensions` in an OCSP + response. +* :class:`~cryptography.x509.NameAttribute` values can now be empty strings. + +.. _v2-8: + +2.8 - 2019-10-16 +~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with + OpenSSL 1.1.1d. +* Added support for Python 3.8. +* Added class methods + :meth:`Poly1305.generate_tag + <cryptography.hazmat.primitives.poly1305.Poly1305.generate_tag>` + and + :meth:`Poly1305.verify_tag + <cryptography.hazmat.primitives.poly1305.Poly1305.verify_tag>` + for Poly1305 sign and verify operations. +* Deprecated support for OpenSSL 1.0.1. 
Support will be removed in + ``cryptography`` 2.9. +* We now ship ``manylinux2010`` wheels in addition to our ``manylinux1`` + wheels. +* Added support for ``ed25519`` and ``ed448`` keys in the + :class:`~cryptography.x509.CertificateBuilder`, + :class:`~cryptography.x509.CertificateSigningRequestBuilder`, + :class:`~cryptography.x509.CertificateRevocationListBuilder` and + :class:`~cryptography.x509.ocsp.OCSPResponseBuilder`. +* ``cryptography`` no longer depends on ``asn1crypto``. +* :class:`~cryptography.x509.FreshestCRL` is now allowed as a + :class:`~cryptography.x509.CertificateRevocationList` extension. + +.. _v2-7: + +2.7 - 2019-05-30 +~~~~~~~~~~~~~~~~ + +* **BACKWARDS INCOMPATIBLE:** We no longer distribute 32-bit ``manylinux1`` + wheels. Continuing to produce them was a maintenance burden. +* **BACKWARDS INCOMPATIBLE:** Removed the + ``cryptography.hazmat.primitives.mac.MACContext`` interface. The ``CMAC`` and + ``HMAC`` APIs have not changed, but they are no longer registered as + ``MACContext`` instances. +* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with + OpenSSL 1.1.1c. +* Removed support for running our tests with ``setup.py test``. Users + interested in running our tests can continue to follow the directions in our + :doc:`development documentation</development/getting-started>`. +* Add support for :class:`~cryptography.hazmat.primitives.poly1305.Poly1305` + when using OpenSSL 1.1.1 or newer. +* Support serialization with ``Encoding.OpenSSH`` and ``PublicFormat.OpenSSH`` + in + :meth:`Ed25519PublicKey.public_bytes + <cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey.public_bytes>` + . +* Correctly allow passing a ``SubjectKeyIdentifier`` to + :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier` + and deprecate passing an ``Extension`` object. The documentation always + required ``SubjectKeyIdentifier`` but the implementation previously + required an ``Extension``. + +.. 
_v2-6-1: + +2.6.1 - 2019-02-27 +~~~~~~~~~~~~~~~~~~ + +* Resolved an error in our build infrastructure that broke our Python3 wheels + for macOS and Linux. + +.. _v2-6: + +2.6 - 2019-02-27 +~~~~~~~~~~~~~~~~ + +* **BACKWARDS INCOMPATIBLE:** Removed + ``cryptography.hazmat.primitives.asymmetric.utils.encode_rfc6979_signature`` + and + ``cryptography.hazmat.primitives.asymmetric.utils.decode_rfc6979_signature``, + which had been deprecated for nearly 4 years. Use + :func:`~cryptography.hazmat.primitives.asymmetric.utils.encode_dss_signature` + and + :func:`~cryptography.hazmat.primitives.asymmetric.utils.decode_dss_signature` + instead. +* **BACKWARDS INCOMPATIBLE**: Removed ``cryptography.x509.Certificate.serial``, + which had been deprecated for nearly 3 years. Use + :attr:`~cryptography.x509.Certificate.serial_number` instead. +* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with + OpenSSL 1.1.1b. +* Added support for :doc:`/hazmat/primitives/asymmetric/ed448` when using + OpenSSL 1.1.1b or newer. +* Added support for :doc:`/hazmat/primitives/asymmetric/ed25519` when using + OpenSSL 1.1.1b or newer. +* :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` can + now load ``ed25519`` public keys. +* Add support for easily mapping an object identifier to its elliptic curve + class via + :func:`~cryptography.hazmat.primitives.asymmetric.ec.get_curve_for_oid`. +* Add support for OpenSSL when compiled with the ``no-engine`` + (``OPENSSL_NO_ENGINE``) flag. + +.. _v2-5: + +2.5 - 2019-01-22 +~~~~~~~~~~~~~~~~ + +* **BACKWARDS INCOMPATIBLE:** :term:`U-label` strings were deprecated in + version 2.1, but this version removes the default ``idna`` dependency as + well. If you still need this deprecated path please install cryptography + with the ``idna`` extra: ``pip install cryptography[idna]``. +* **BACKWARDS INCOMPATIBLE:** The minimum supported PyPy version is now 5.4. 
+* Numerous classes and functions have been updated to allow :term:`bytes-like` + types for keying material and passwords, including symmetric algorithms, AEAD + ciphers, KDFs, loading asymmetric keys, and one time password classes. +* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with + OpenSSL 1.1.1a. +* Added support for :class:`~cryptography.hazmat.primitives.hashes.SHA512_224` + and :class:`~cryptography.hazmat.primitives.hashes.SHA512_256` when using + OpenSSL 1.1.1. +* Added support for :class:`~cryptography.hazmat.primitives.hashes.SHA3_224`, + :class:`~cryptography.hazmat.primitives.hashes.SHA3_256`, + :class:`~cryptography.hazmat.primitives.hashes.SHA3_384`, and + :class:`~cryptography.hazmat.primitives.hashes.SHA3_512` when using OpenSSL + 1.1.1. +* Added support for :doc:`/hazmat/primitives/asymmetric/x448` when using + OpenSSL 1.1.1. +* Added support for :class:`~cryptography.hazmat.primitives.hashes.SHAKE128` + and :class:`~cryptography.hazmat.primitives.hashes.SHAKE256` when using + OpenSSL 1.1.1. +* Added initial support for parsing PKCS12 files with + :func:`~cryptography.hazmat.primitives.serialization.pkcs12.load_key_and_certificates`. +* Added support for :class:`~cryptography.x509.IssuingDistributionPoint`. +* Added ``rfc4514_string()`` method to + :meth:`x509.Name <cryptography.x509.Name.rfc4514_string>`, + :meth:`x509.RelativeDistinguishedName + <cryptography.x509.RelativeDistinguishedName.rfc4514_string>`, and + :meth:`x509.NameAttribute <cryptography.x509.NameAttribute.rfc4514_string>` + to format the name or component an :rfc:`4514` Distinguished Name string. +* Added + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point`, + which immediately checks if the point is on the curve and supports compressed + points. Deprecated the previous method + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`. 
+* Added :attr:`~cryptography.x509.ocsp.OCSPResponse.signature_hash_algorithm` + to ``OCSPResponse``. +* Updated :doc:`/hazmat/primitives/asymmetric/x25519` support to allow + additional serialization methods. Calling + :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey.public_bytes` + with no arguments has been deprecated. +* Added support for encoding compressed and uncompressed points via + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes`. Deprecated the previous method + ``cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point``. + + +.. _v2-4-2: + +2.4.2 - 2018-11-21 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with + OpenSSL 1.1.0j. + +.. _v2-4-1: + +2.4.1 - 2018-11-11 +~~~~~~~~~~~~~~~~~~ + +* Fixed a build breakage in our ``manylinux1`` wheels. + +.. _v2-4: + +2.4 - 2018-11-11 +~~~~~~~~~~~~~~~~ + +* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.4.x. +* Deprecated OpenSSL 1.0.1 support. OpenSSL 1.0.1 is no longer supported by + the OpenSSL project. At this time there is no time table for dropping + support, however we strongly encourage all users to upgrade or install + ``cryptography`` from a wheel. +* Added initial :doc:`OCSP </x509/ocsp>` support. +* Added support for :class:`~cryptography.x509.PrecertPoison`. + +.. _v2-3-1: + +2.3.1 - 2018-08-14 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with + OpenSSL 1.1.0i. + +.. _v2-3: + +2.3 - 2018-07-18 +~~~~~~~~~~~~~~~~ + +* **SECURITY ISSUE:** + :meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag` + allowed tag truncation by default which can allow tag forgery in some cases. + The method now enforces the ``min_tag_length`` provided to the + :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` constructor. + *CVE-2018-10903* +* Added support for Python 3.7. 
+* Added :meth:`~cryptography.fernet.Fernet.extract_timestamp` to get the + authenticated timestamp of a :doc:`Fernet </fernet>` token. +* Support for Python 2.7.x without ``hmac.compare_digest`` has been deprecated. + We will require Python 2.7.7 or higher (or 2.7.6 on Ubuntu) in the next + ``cryptography`` release. +* Fixed multiple issues preventing ``cryptography`` from compiling against + LibreSSL 2.7.x. +* Added + :class:`~cryptography.x509.CertificateRevocationList.get_revoked_certificate_by_serial_number` + for quick serial number searches in CRLs. +* The :class:`~cryptography.x509.RelativeDistinguishedName` class now + preserves the order of attributes. Duplicate attributes now raise an error + instead of silently discarding duplicates. +* :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap` and + :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding` + now raise :class:`~cryptography.hazmat.primitives.keywrap.InvalidUnwrap` if + the wrapped key is an invalid length, instead of ``ValueError``. + +.. _v2-2-2: + +2.2.2 - 2018-03-27 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with + OpenSSL 1.1.0h. + +.. _v2-2-1: + +2.2.1 - 2018-03-20 +~~~~~~~~~~~~~~~~~~ + +* Reverted a change to ``GeneralNames`` which prohibited having zero elements, + due to breakages. +* Fixed a bug in + :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding` + that caused it to raise ``InvalidUnwrap`` when key length modulo 8 was + zero. + + +.. _v2-2: + +2.2 - 2018-03-19 +~~~~~~~~~~~~~~~~ + +* **BACKWARDS INCOMPATIBLE:** Support for Python 2.6 has been dropped. +* Resolved a bug in ``HKDF`` that incorrectly constrained output size. 
+* Added :class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP256R1`, + :class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP384R1`, and + :class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP512R1` to + support inter-operating with systems like German smart meters. +* Added token rotation support to :doc:`Fernet </fernet>` with + :meth:`~cryptography.fernet.MultiFernet.rotate`. +* Fixed a memory leak in + :func:`~cryptography.hazmat.primitives.asymmetric.ec.derive_private_key`. +* Added support for AES key wrapping with padding via + :func:`~cryptography.hazmat.primitives.keywrap.aes_key_wrap_with_padding` + and + :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding` + . +* Allow loading DSA keys with 224 bit ``q``. + +.. _v2-1-4: + +2.1.4 - 2017-11-29 +~~~~~~~~~~~~~~~~~~ + +* Added ``X509_up_ref`` for an upcoming ``pyOpenSSL`` release. + +.. _v2-1-3: + +2.1.3 - 2017-11-02 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with + OpenSSL 1.1.0g. + +.. _v2-1-2: + +2.1.2 - 2017-10-24 +~~~~~~~~~~~~~~~~~~ + +* Corrected a bug with the ``manylinux1`` wheels where OpenSSL's stack was + marked executable. + +.. _v2-1-1: + +2.1.1 - 2017-10-12 +~~~~~~~~~~~~~~~~~~ + +* Fixed support for install with the system ``pip`` on Ubuntu 16.04. + +.. _v2-1: + +2.1 - 2017-10-11 +~~~~~~~~~~~~~~~~ + +* **FINAL DEPRECATION** Python 2.6 support is deprecated, and will be removed + in the next release of ``cryptography``. +* **BACKWARDS INCOMPATIBLE:** ``Whirlpool``, ``RIPEMD160``, and + ``UnsupportedExtension`` have been removed in accordance with our + :doc:`/api-stability` policy. 
+* **BACKWARDS INCOMPATIBLE:** + :attr:`DNSName.value <cryptography.x509.DNSName.value>`, + :attr:`RFC822Name.value <cryptography.x509.RFC822Name.value>`, and + :attr:`UniformResourceIdentifier.value + <cryptography.x509.UniformResourceIdentifier.value>` + will now return an :term:`A-label` string when parsing a certificate + containing an internationalized domain name (IDN) or if the caller passed + a :term:`U-label` to the constructor. See below for additional deprecations + related to this change. +* Installing ``cryptography`` now requires ``pip`` 6 or newer. +* Deprecated passing :term:`U-label` strings to the + :class:`~cryptography.x509.DNSName`, + :class:`~cryptography.x509.UniformResourceIdentifier`, and + :class:`~cryptography.x509.RFC822Name` constructors. Instead, users should + pass values as :term:`A-label` strings with ``idna`` encoding if necessary. + This change will not affect anyone who is not processing internationalized + domains. +* Added support for + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20`. In + most cases users should choose + :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305` + rather than using this unauthenticated form. +* Added :meth:`~cryptography.x509.CertificateRevocationList.is_signature_valid` + to :class:`~cryptography.x509.CertificateRevocationList`. +* Support :class:`~cryptography.hazmat.primitives.hashes.BLAKE2b` and + :class:`~cryptography.hazmat.primitives.hashes.BLAKE2s` with + :class:`~cryptography.hazmat.primitives.hmac.HMAC`. +* Added support for + :class:`~cryptography.hazmat.primitives.ciphers.modes.XTS` mode for + AES. +* Added support for using labels with + :class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP` when using + OpenSSL 1.0.2 or greater. +* Improved compatibility with NSS when issuing certificates from an issuer + that has a subject with non-``UTF8String`` string types. 
+* Add support for the :class:`~cryptography.x509.DeltaCRLIndicator` extension. +* Add support for the :class:`~cryptography.x509.TLSFeature` + extension. This is commonly used for enabling ``OCSP Must-Staple`` in + certificates. +* Add support for the :class:`~cryptography.x509.FreshestCRL` extension. + +.. _v2-0-3: + +2.0.3 - 2017-08-03 +~~~~~~~~~~~~~~~~~~ + +* Fixed an issue with weak linking symbols when compiling on macOS + versions older than 10.12. + + +.. _v2-0-2: + +2.0.2 - 2017-07-27 +~~~~~~~~~~~~~~~~~~ + +* Marked all symbols as hidden in the ``manylinux1`` wheel to avoid a + bug with symbol resolution in certain scenarios. + + +.. _v2-0-1: + +2.0.1 - 2017-07-26 +~~~~~~~~~~~~~~~~~~ + +* Fixed a compilation bug affecting OpenBSD. +* Altered the ``manylinux1`` wheels to statically link OpenSSL instead of + dynamically linking and bundling the shared object. This should resolve + crashes seen when using ``uwsgi`` or other binaries that link against + OpenSSL independently. +* Fixed the stack level for the ``signer`` and ``verifier`` warnings. + + +.. _v2-0: + +2.0 - 2017-07-17 +~~~~~~~~~~~~~~~~ + +* **BACKWARDS INCOMPATIBLE:** Support for Python 3.3 has been dropped. +* We now ship ``manylinux1`` wheels linked against OpenSSL 1.1.0f. These wheels + will be automatically used with most Linux distributions if you are running + the latest pip. +* Deprecated the use of ``signer`` on + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`, + and + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey` + in favor of ``sign``. +* Deprecated the use of ``verifier`` on + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`, + and + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey` + in favor of ``verify``. 
+* Added support for parsing + :class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp` + objects from X.509 certificate extensions. +* Added support for + :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`. +* Added support for + :class:`~cryptography.hazmat.primitives.ciphers.aead.AESCCM`. +* Added + :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM`, a "one shot" + API for AES GCM encryption. +* Added support for :doc:`/hazmat/primitives/asymmetric/x25519`. +* Added support for serializing and deserializing Diffie-Hellman parameters + with + :func:`~cryptography.hazmat.primitives.serialization.load_pem_parameters`, + :func:`~cryptography.hazmat.primitives.serialization.load_der_parameters`, + and + :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters.parameter_bytes` + . +* The ``extensions`` attribute on :class:`~cryptography.x509.Certificate`, + :class:`~cryptography.x509.CertificateSigningRequest`, + :class:`~cryptography.x509.CertificateRevocationList`, and + :class:`~cryptography.x509.RevokedCertificate` now caches the computed + ``Extensions`` object. There should be no performance change, just a + performance improvement for programs accessing the ``extensions`` attribute + multiple times. + + +.. _v1-9: + +1.9 - 2017-05-29 +~~~~~~~~~~~~~~~~ + +* **BACKWARDS INCOMPATIBLE:** Elliptic Curve signature verification no longer + returns ``True`` on success. This brings it in line with the interface's + documentation, and our intent. The correct way to use + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.verify` + has always been to check whether or not + :class:`~cryptography.exceptions.InvalidSignature` was raised. +* **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.7 and 10.8. +* **BACKWARDS INCOMPATIBLE:** The minimum supported PyPy version is now 5.3. +* Python 3.3 support has been deprecated, and will be removed in the next + ``cryptography`` release. 
+* Add support for providing ``tag`` during + :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` finalization via + :meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag`. +* Fixed an issue preventing ``cryptography`` from compiling against + LibreSSL 2.5.x. +* Added + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.key_size` + and + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.key_size` + as convenience methods for determining the bit size of a secret scalar for + the curve. +* Accessing an unrecognized extension marked critical on an X.509 object will + no longer raise an ``UnsupportedExtension`` exception, instead an + :class:`~cryptography.x509.UnrecognizedExtension` object will be returned. + This behavior was based on a poor reading of the RFC, unknown critical + extensions only need to be rejected on certificate verification. +* The CommonCrypto backend has been removed. +* MultiBackend has been removed. +* ``Whirlpool`` and ``RIPEMD160`` have been deprecated. + + +.. _v1-8-2: + +1.8.2 - 2017-05-26 +~~~~~~~~~~~~~~~~~~ + +* Fixed a compilation bug affecting OpenSSL 1.1.0f. +* Updated Windows and macOS wheels to be compiled against OpenSSL 1.1.0f. + + +.. _v1-8-1: + +1.8.1 - 2017-03-10 +~~~~~~~~~~~~~~~~~~ + +* Fixed macOS wheels to properly link against 1.1.0 rather than 1.0.2. + + +.. _v1-8: + +1.8 - 2017-03-09 +~~~~~~~~~~~~~~~~ + +* Added support for Python 3.6. +* Windows and macOS wheels now link against OpenSSL 1.1.0. +* macOS wheels are no longer universal. This change significantly shrinks the + size of the wheels. Users on macOS 32-bit Python (if there are any) should + migrate to 64-bit or build their own packages. +* Changed ASN.1 dependency from ``pyasn1`` to ``asn1crypto`` resulting in a + general performance increase when encoding/decoding ASN.1 structures. Also, + the ``pyasn1_modules`` test dependency is no longer required. 
+* Added support for + :meth:`~cryptography.hazmat.primitives.ciphers.CipherContext.update_into` on + :class:`~cryptography.hazmat.primitives.ciphers.CipherContext`. +* Added + :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.private_bytes` + to + :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`. +* Added + :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKey.public_bytes` + to + :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKey`. +* :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key` + and + :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key` + now require that ``password`` must be bytes if provided. Previously this + was documented but not enforced. +* Added support for subgroup order in :doc:`/hazmat/primitives/asymmetric/dh`. + + +.. _v1-7-2: + +1.7.2 - 2017-01-27 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows and macOS wheels to be compiled against OpenSSL 1.0.2k. + + +.. _v1-7-1: + +1.7.1 - 2016-12-13 +~~~~~~~~~~~~~~~~~~ + +* Fixed a regression in ``int_from_bytes`` where it failed to accept + ``bytearray``. + + +.. _v1-7: + +1.7 - 2016-12-12 +~~~~~~~~~~~~~~~~ + +* Support for OpenSSL 1.0.0 has been removed. Users on older version of OpenSSL + will need to upgrade. +* Added support for Diffie-Hellman key exchange using + :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`. +* The OS random engine for OpenSSL has been rewritten to improve compatibility + with embedded Python and other edge cases. More information about this change + can be found in the + `pull request <https://github.com/pyca/cryptography/pull/3229>`_. + + +.. _v1-6: + +1.6 - 2016-11-22 +~~~~~~~~~~~~~~~~ + +* Deprecated support for OpenSSL 1.0.0. Support will be removed in + ``cryptography`` 1.7. 
+* Replaced the Python-based OpenSSL locking callbacks with a C version to fix + a potential deadlock that could occur if a garbage collection cycle occurred + while inside the lock. +* Added support for :class:`~cryptography.hazmat.primitives.hashes.BLAKE2b` and + :class:`~cryptography.hazmat.primitives.hashes.BLAKE2s` when using OpenSSL + 1.1.0. +* Added + :attr:`~cryptography.x509.Certificate.signature_algorithm_oid` support to + :class:`~cryptography.x509.Certificate`. +* Added + :attr:`~cryptography.x509.CertificateSigningRequest.signature_algorithm_oid` + support to :class:`~cryptography.x509.CertificateSigningRequest`. +* Added + :attr:`~cryptography.x509.CertificateRevocationList.signature_algorithm_oid` + support to :class:`~cryptography.x509.CertificateRevocationList`. +* Added support for :class:`~cryptography.hazmat.primitives.kdf.scrypt.Scrypt` + when using OpenSSL 1.1.0. +* Added a workaround to improve compatibility with Python application bundling + tools like ``PyInstaller`` and ``cx_freeze``. +* Added support for generating a + :meth:`~cryptography.x509.random_serial_number`. +* Added support for encoding ``IPv4Network`` and ``IPv6Network`` in X.509 + certificates for use with :class:`~cryptography.x509.NameConstraints`. +* Added :meth:`~cryptography.x509.Name.public_bytes` to + :class:`~cryptography.x509.Name`. +* Added :class:`~cryptography.x509.RelativeDistinguishedName` +* :class:`~cryptography.x509.DistributionPoint` now accepts + :class:`~cryptography.x509.RelativeDistinguishedName` for + :attr:`~cryptography.x509.DistributionPoint.relative_name`. + Deprecated use of :class:`~cryptography.x509.Name` as + :attr:`~cryptography.x509.DistributionPoint.relative_name`. +* :class:`~cryptography.x509.Name` now accepts an iterable of + :class:`~cryptography.x509.RelativeDistinguishedName`. RDNs can + be accessed via the :attr:`~cryptography.x509.Name.rdns` + attribute. 
When constructed with an iterable of + :class:`~cryptography.x509.NameAttribute`, each attribute becomes + a single-valued RDN. +* Added + :func:`~cryptography.hazmat.primitives.asymmetric.ec.derive_private_key`. +* Added support for signing and verifying RSA, DSA, and ECDSA signatures with + :class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed` + digests. + + +.. _v1-5-3: + +1.5.3 - 2016-11-05 +~~~~~~~~~~~~~~~~~~ + +* **SECURITY ISSUE**: Fixed a bug where ``HKDF`` would return an empty + byte-string if used with a ``length`` less than ``algorithm.digest_size``. + Credit to **Markus Döring** for reporting the issue. *CVE-2016-9243* + + +.. _v1-5-2: + +1.5.2 - 2016-09-26 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2j. + + +.. _v1-5-1: + +1.5.1 - 2016-09-22 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2i. +* Resolved a ``UserWarning`` when used with cffi 1.8.3. +* Fixed a memory leak in name creation with X.509. +* Added a workaround for old versions of setuptools. +* Fixed an issue preventing ``cryptography`` from compiling against + OpenSSL 1.0.2i. + + + +.. _v1-5: + +1.5 - 2016-08-26 +~~~~~~~~~~~~~~~~ + +* Added + :func:`~cryptography.hazmat.primitives.asymmetric.padding.calculate_max_pss_salt_length`. +* Added "one shot" + :meth:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey.sign` + and + :meth:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey.verify` + methods to DSA keys. +* Added "one shot" + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign` + and + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.verify` + methods to ECDSA keys. +* Switched back to the older callback model on Python 3.5 in order to mitigate + the locking callback problem with OpenSSL <1.1.0. 
+* :class:`~cryptography.x509.CertificateBuilder`, + :class:`~cryptography.x509.CertificateRevocationListBuilder`, and + :class:`~cryptography.x509.RevokedCertificateBuilder` now accept timezone + aware ``datetime`` objects as method arguments +* ``cryptography`` now supports OpenSSL 1.1.0 as a compilation target. + + + +.. _v1-4: + +1.4 - 2016-06-04 +~~~~~~~~~~~~~~~~ + +* Support for OpenSSL 0.9.8 has been removed. Users on older versions of + OpenSSL will need to upgrade. +* Added :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC`. +* Added support for ``OpenSSH`` public key serialization. +* Added support for SHA-2 in RSA + :class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP` when using + OpenSSL 1.0.2 or greater. +* Added "one shot" + :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey.sign` + and + :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey.verify` + methods to RSA keys. +* Deprecated the ``serial`` attribute on + :class:`~cryptography.x509.Certificate`, in favor of + :attr:`~cryptography.x509.Certificate.serial_number`. + + + +.. _v1-3-4: + +1.3.4 - 2016-06-03 +~~~~~~~~~~~~~~~~~~ + +* Added another OpenSSL function to the bindings to support an upcoming + ``pyOpenSSL`` release. + + + +.. _v1-3-3: + +1.3.3 - 2016-06-02 +~~~~~~~~~~~~~~~~~~ + +* Added two new OpenSSL functions to the bindings to support an upcoming + ``pyOpenSSL`` release. + + +.. _v1-3-2: + +1.3.2 - 2016-05-04 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2h. +* Fixed an issue preventing ``cryptography`` from compiling against + LibreSSL 2.3.x. + + +.. _v1-3-1: + +1.3.1 - 2016-03-21 +~~~~~~~~~~~~~~~~~~ + +* Fixed a bug that caused an ``AttributeError`` when using ``mock`` to patch + some ``cryptography`` modules. + + +.. _v1-3: + +1.3 - 2016-03-18 +~~~~~~~~~~~~~~~~ + +* Added support for padding ANSI X.923 with + :class:`~cryptography.hazmat.primitives.padding.ANSIX923`. 
+* Deprecated support for OpenSSL 0.9.8. Support will be removed in + ``cryptography`` 1.4. +* Added support for the :class:`~cryptography.x509.PolicyConstraints` + X.509 extension including both parsing and generation using + :class:`~cryptography.x509.CertificateBuilder` and + :class:`~cryptography.x509.CertificateSigningRequestBuilder`. +* Added :attr:`~cryptography.x509.CertificateSigningRequest.is_signature_valid` + to :class:`~cryptography.x509.CertificateSigningRequest`. +* Fixed an intermittent ``AssertionError`` when performing an RSA decryption on + an invalid ciphertext, ``ValueError`` is now correctly raised in all cases. +* Added + :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`. + + +.. _v1-2-3: + +1.2.3 - 2016-03-01 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2g. + + +.. _v1-2-2: + +1.2.2 - 2016-01-29 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2f. + + +.. _v1-2-1: + +1.2.1 - 2016-01-08 +~~~~~~~~~~~~~~~~~~ + +* Reverts a change to an OpenSSL ``EVP_PKEY`` object that caused errors with + ``pyOpenSSL``. + + +.. _v1-2: + +1.2 - 2016-01-08 +~~~~~~~~~~~~~~~~ + +* **BACKWARDS INCOMPATIBLE:** + :class:`~cryptography.x509.RevokedCertificate` + :attr:`~cryptography.x509.RevokedCertificate.extensions` now uses extension + classes rather than returning raw values inside the + :class:`~cryptography.x509.Extension` + :attr:`~cryptography.x509.Extension.value`. The new classes + are: + + * :class:`~cryptography.x509.CertificateIssuer` + * :class:`~cryptography.x509.CRLReason` + * :class:`~cryptography.x509.InvalidityDate` +* Deprecated support for OpenSSL 0.9.8 and 1.0.0. At this time there is no time + table for actually dropping support, however we strongly encourage all users + to upgrade, as those versions no longer receive support from the OpenSSL + project. 
+* The :class:`~cryptography.x509.Certificate` class now has + :attr:`~cryptography.x509.Certificate.signature` and + :attr:`~cryptography.x509.Certificate.tbs_certificate_bytes` attributes. +* The :class:`~cryptography.x509.CertificateSigningRequest` class now has + :attr:`~cryptography.x509.CertificateSigningRequest.signature` and + :attr:`~cryptography.x509.CertificateSigningRequest.tbs_certrequest_bytes` + attributes. +* The :class:`~cryptography.x509.CertificateRevocationList` class now has + :attr:`~cryptography.x509.CertificateRevocationList.signature` and + :attr:`~cryptography.x509.CertificateRevocationList.tbs_certlist_bytes` + attributes. +* :class:`~cryptography.x509.NameConstraints` are now supported in the + :class:`~cryptography.x509.CertificateBuilder` and + :class:`~cryptography.x509.CertificateSigningRequestBuilder`. +* Support serialization of certificate revocation lists using the + :meth:`~cryptography.x509.CertificateRevocationList.public_bytes` method of + :class:`~cryptography.x509.CertificateRevocationList`. +* Add support for parsing :class:`~cryptography.x509.CertificateRevocationList` + :meth:`~cryptography.x509.CertificateRevocationList.extensions` in the + OpenSSL backend. The following extensions are currently supported: + + * :class:`~cryptography.x509.AuthorityInformationAccess` + * :class:`~cryptography.x509.AuthorityKeyIdentifier` + * :class:`~cryptography.x509.CRLNumber` + * :class:`~cryptography.x509.IssuerAlternativeName` +* Added :class:`~cryptography.x509.CertificateRevocationListBuilder` and + :class:`~cryptography.x509.RevokedCertificateBuilder` to allow creation of + CRLs. +* Unrecognized non-critical X.509 extensions are now parsed into an + :class:`~cryptography.x509.UnrecognizedExtension` object. + + +.. _v1-1-2: + +1.1.2 - 2015-12-10 +~~~~~~~~~~~~~~~~~~ + +* Fixed a SIGBUS crash with the OS X wheels caused by redefinition of a + method. 
+* Fixed a runtime error ``undefined symbol EC_GFp_nistp224_method`` that + occurred with some OpenSSL installations. +* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2e. + + +.. _v1-1-1: + +1.1.1 - 2015-11-19 +~~~~~~~~~~~~~~~~~~ + +* Fixed several small bugs related to compiling the OpenSSL bindings with + unusual OpenSSL configurations. +* Resolved an issue where, depending on the method of installation and + which Python interpreter they were using, users on El Capitan (OS X 10.11) + may have seen an ``InternalError`` on import. + + +.. _v1-1: + +1.1 - 2015-10-28 +~~~~~~~~~~~~~~~~ + +* Added support for Elliptic Curve Diffie-Hellman with + :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDH`. +* Added :class:`~cryptography.hazmat.primitives.kdf.x963kdf.X963KDF`. +* Added support for parsing certificate revocation lists (CRLs) using + :func:`~cryptography.x509.load_pem_x509_crl` and + :func:`~cryptography.x509.load_der_x509_crl`. +* Add support for AES key wrapping with + :func:`~cryptography.hazmat.primitives.keywrap.aes_key_wrap` and + :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap`. +* Added a ``__hash__`` method to :class:`~cryptography.x509.Name`. +* Add support for encoding and decoding elliptic curve points to a byte string + form using + ``cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point`` + and + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`. +* Added :meth:`~cryptography.x509.Extensions.get_extension_for_class`. +* :class:`~cryptography.x509.CertificatePolicies` are now supported in the + :class:`~cryptography.x509.CertificateBuilder`. +* ``countryName`` is now encoded as a ``PrintableString`` when creating subject + and issuer distinguished names with the Certificate and CSR builder classes. + + +.. 
_v1-0-2: + +1.0.2 - 2015-09-27 +~~~~~~~~~~~~~~~~~~ +* **SECURITY ISSUE**: The OpenSSL backend prior to 1.0.2 made extensive use + of assertions to check response codes where our tests could not trigger a + failure. However, when Python is run with ``-O`` these asserts are optimized + away. If a user ran Python with this flag and got an invalid response code + this could result in undefined behavior or worse. Accordingly, all response + checks from the OpenSSL backend have been converted from ``assert`` + to a true function call. Credit **Emilia Käsper (Google Security Team)** + for the report. + + +.. _v1-0-1: + +1.0.1 - 2015-09-05 +~~~~~~~~~~~~~~~~~~ + +* We now ship OS X wheels that statically link OpenSSL by default. When + installing a wheel on OS X 10.10+ (and using a Python compiled against the + 10.10 SDK) users will no longer need to compile. See :doc:`/installation` for + alternate installation methods if required. +* Set the default string mask to UTF-8 in the OpenSSL backend to resolve + character encoding issues with older versions of OpenSSL. +* Several new OpenSSL bindings have been added to support a future pyOpenSSL + release. +* Raise an error during install on PyPy < 2.6. 1.0+ requires PyPy 2.6+. + + +.. _v1-0: + +1.0 - 2015-08-12 +~~~~~~~~~~~~~~~~ + +* Switched to the new `cffi`_ ``set_source`` out-of-line API mode for + compilation. This results in significantly faster imports and lowered + memory consumption. Due to this change we no longer support PyPy releases + older than 2.6 nor do we support any released version of PyPy3 (until a + version supporting cffi 1.0 comes out). +* Fix parsing of OpenSSH public keys that have spaces in comments. +* Support serialization of certificate signing requests using the + ``public_bytes`` method of + :class:`~cryptography.x509.CertificateSigningRequest`. +* Support serialization of certificates using the ``public_bytes`` method of + :class:`~cryptography.x509.Certificate`. 
+* Add ``get_provisioning_uri`` method to + :class:`~cryptography.hazmat.primitives.twofactor.hotp.HOTP` and + :class:`~cryptography.hazmat.primitives.twofactor.totp.TOTP` for generating + provisioning URIs. +* Add :class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatKDFHash` + and :class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatKDFHMAC`. +* Raise a ``TypeError`` when passing objects that are not text as the value to + :class:`~cryptography.x509.NameAttribute`. +* Add support for :class:`~cryptography.x509.OtherName` as a general name + type. +* Added new X.509 extension support in :class:`~cryptography.x509.Certificate` + The following new extensions are now supported: + + * :class:`~cryptography.x509.OCSPNoCheck` + * :class:`~cryptography.x509.InhibitAnyPolicy` + * :class:`~cryptography.x509.IssuerAlternativeName` + * :class:`~cryptography.x509.NameConstraints` + +* Extension support was added to + :class:`~cryptography.x509.CertificateSigningRequest`. +* Add support for creating signed certificates with + :class:`~cryptography.x509.CertificateBuilder`. This includes support for + the following extensions: + + * :class:`~cryptography.x509.BasicConstraints` + * :class:`~cryptography.x509.SubjectAlternativeName` + * :class:`~cryptography.x509.KeyUsage` + * :class:`~cryptography.x509.ExtendedKeyUsage` + * :class:`~cryptography.x509.SubjectKeyIdentifier` + * :class:`~cryptography.x509.AuthorityKeyIdentifier` + * :class:`~cryptography.x509.AuthorityInformationAccess` + * :class:`~cryptography.x509.CRLDistributionPoints` + * :class:`~cryptography.x509.InhibitAnyPolicy` + * :class:`~cryptography.x509.IssuerAlternativeName` + * :class:`~cryptography.x509.OCSPNoCheck` + +* Add support for creating certificate signing requests with + :class:`~cryptography.x509.CertificateSigningRequestBuilder`. This includes + support for the same extensions supported in the ``CertificateBuilder``. 
+* Deprecate ``encode_rfc6979_signature`` and ``decode_rfc6979_signature`` in + favor of + :func:`~cryptography.hazmat.primitives.asymmetric.utils.encode_dss_signature` + and + :func:`~cryptography.hazmat.primitives.asymmetric.utils.decode_dss_signature`. + + + +.. _v0-9-3: + +0.9.3 - 2015-07-09 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows wheels to be compiled against OpenSSL 1.0.2d. + + +.. _v0-9-2: + +0.9.2 - 2015-07-04 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows wheels to be compiled against OpenSSL 1.0.2c. + + +.. _v0-9-1: + +0.9.1 - 2015-06-06 +~~~~~~~~~~~~~~~~~~ + +* **SECURITY ISSUE**: Fixed a double free in the OpenSSL backend when using DSA + to verify signatures. Note that this only affects PyPy 2.6.0 and (presently + unreleased) CFFI versions greater than 1.1.0. + + +.. _v0-9: + +0.9 - 2015-05-13 +~~~~~~~~~~~~~~~~ + +* Removed support for Python 3.2. This version of Python is rarely used + and caused support headaches. Users affected by this should upgrade to 3.3+. +* Deprecated support for Python 2.6. At the time there is no time table for + actually dropping support, however we strongly encourage all users to upgrade + their Python, as Python 2.6 no longer receives support from the Python core + team. +* Add support for the + :class:`~cryptography.hazmat.primitives.asymmetric.ec.SECP256K1` elliptic + curve. +* Fixed compilation when using an OpenSSL which was compiled with the + ``no-comp`` (``OPENSSL_NO_COMP``) option. +* Support :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER` + serialization of public keys using the ``public_bytes`` method of + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`, + and + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`. 
+* Support :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER` + serialization of private keys using the ``private_bytes`` method of + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`, + and + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`. +* Add support for parsing X.509 certificate signing requests (CSRs) with + :func:`~cryptography.x509.load_pem_x509_csr` and + :func:`~cryptography.x509.load_der_x509_csr`. +* Moved ``cryptography.exceptions.InvalidToken`` to + :class:`cryptography.hazmat.primitives.twofactor.InvalidToken` and deprecated + the old location. This was moved to minimize confusion between this exception + and :class:`cryptography.fernet.InvalidToken`. +* Added support for X.509 extensions in :class:`~cryptography.x509.Certificate` + objects. The following extensions are supported as of this release: + + * :class:`~cryptography.x509.BasicConstraints` + * :class:`~cryptography.x509.AuthorityKeyIdentifier` + * :class:`~cryptography.x509.SubjectKeyIdentifier` + * :class:`~cryptography.x509.KeyUsage` + * :class:`~cryptography.x509.SubjectAlternativeName` + * :class:`~cryptography.x509.ExtendedKeyUsage` + * :class:`~cryptography.x509.CRLDistributionPoints` + * :class:`~cryptography.x509.AuthorityInformationAccess` + * :class:`~cryptography.x509.CertificatePolicies` + + Note that unsupported extensions with the critical flag raise + ``UnsupportedExtension`` while unsupported extensions set to non-critical are + silently ignored. Read the :doc:`X.509 documentation</x509/index>` for more + information. + + +.. _v0-8-2: + +0.8.2 - 2015-04-10 +~~~~~~~~~~~~~~~~~~ + +* Fixed a race condition when initializing the OpenSSL or CommonCrypto backends + in a multi-threaded scenario. + + +.. _v0-8-1: + +0.8.1 - 2015-03-20 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows wheels to be compiled against OpenSSL 1.0.2a. + + +.. 
_v0-8: + +0.8 - 2015-03-08 +~~~~~~~~~~~~~~~~ + +* :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` can + now load elliptic curve public keys. +* Added + :attr:`~cryptography.x509.Certificate.signature_hash_algorithm` support to + :class:`~cryptography.x509.Certificate`. +* Added + :func:`~cryptography.hazmat.primitives.asymmetric.rsa.rsa_recover_prime_factors` +* :class:`~cryptography.hazmat.primitives.kdf.KeyDerivationFunction` was moved + from ``cryptography.hazmat.primitives.interfaces`` to + :mod:`~cryptography.hazmat.primitives.kdf`. +* Added support for parsing X.509 names. See the + :doc:`X.509 documentation</x509/index>` for more information. +* Added + :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key` to + support loading of DER encoded private keys and + :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key` to + support loading DER encoded public keys. +* Fixed building against LibreSSL, a compile-time substitute for OpenSSL. +* FreeBSD 9.2 was removed from the continuous integration system. +* Updated Windows wheels to be compiled against OpenSSL 1.0.2. +* :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key` + and :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key` + now support PKCS1 RSA public keys (in addition to the previous support for + SubjectPublicKeyInfo format for RSA, EC, and DSA). +* Added ``EllipticCurvePrivateKeyWithSerialization`` and deprecated + ``EllipticCurvePrivateKeyWithNumbers``. +* Added + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.private_bytes` + to + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`. +* Added ``RSAPrivateKeyWithSerialization`` and deprecated ``RSAPrivateKeyWithNumbers``. +* Added + :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey.private_bytes` + to + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`. 
+* Added ``DSAPrivateKeyWithSerialization`` and deprecated ``DSAPrivateKeyWithNumbers``. +* Added + :meth:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey.private_bytes` + to + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`. +* Added ``RSAPublicKeyWithSerialization`` and deprecated ``RSAPublicKeyWithNumbers``. +* Added ``public_bytes`` to + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`. +* Added ``EllipticCurvePublicKeyWithSerialization`` and deprecated + ``EllipticCurvePublicKeyWithNumbers``. +* Added ``public_bytes`` to + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`. +* Added ``DSAPublicKeyWithSerialization`` and deprecated ``DSAPublicKeyWithNumbers``. +* Added ``public_bytes`` to + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`. +* :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` and + :class:`~cryptography.hazmat.primitives.hashes.HashContext` were moved from + ``cryptography.hazmat.primitives.interfaces`` to + :mod:`~cryptography.hazmat.primitives.hashes`. +* :class:`~cryptography.hazmat.primitives.ciphers.CipherContext`, + :class:`~cryptography.hazmat.primitives.ciphers.AEADCipherContext`, + :class:`~cryptography.hazmat.primitives.ciphers.AEADEncryptionContext`, + :class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`, and + :class:`~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm` + were moved from ``cryptography.hazmat.primitives.interfaces`` to + :mod:`~cryptography.hazmat.primitives.ciphers`. 
+* :class:`~cryptography.hazmat.primitives.ciphers.modes.Mode`, + :class:`~cryptography.hazmat.primitives.ciphers.modes.ModeWithInitializationVector`, + :class:`~cryptography.hazmat.primitives.ciphers.modes.ModeWithNonce`, and + :class:`~cryptography.hazmat.primitives.ciphers.modes.ModeWithAuthenticationTag` + were moved from ``cryptography.hazmat.primitives.interfaces`` to + :mod:`~cryptography.hazmat.primitives.ciphers.modes`. +* :class:`~cryptography.hazmat.primitives.padding.PaddingContext` was moved + from ``cryptography.hazmat.primitives.interfaces`` to + :mod:`~cryptography.hazmat.primitives.padding`. +* + :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding` + was moved from ``cryptography.hazmat.primitives.interfaces`` to + :mod:`~cryptography.hazmat.primitives.asymmetric.padding`. +* ``AsymmetricSignatureContext`` and ``AsymmetricVerificationContext`` + were moved from ``cryptography.hazmat.primitives.interfaces`` to + ``cryptography.hazmat.primitives.asymmetric``. +* :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`, + ``DSAParametersWithNumbers``, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`, + ``DSAPrivateKeyWithNumbers``, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` and + ``DSAPublicKeyWithNumbers`` were moved from + ``cryptography.hazmat.primitives.interfaces`` to + :mod:`~cryptography.hazmat.primitives.asymmetric.dsa` +* :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`, + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurveSignatureAlgorithm`, + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`, + ``EllipticCurvePrivateKeyWithNumbers``, + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`, + and ``EllipticCurvePublicKeyWithNumbers`` + were moved from ``cryptography.hazmat.primitives.interfaces`` to + :mod:`~cryptography.hazmat.primitives.asymmetric.ec`. 
+* :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`, + ``RSAPrivateKeyWithNumbers``, + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` and + ``RSAPublicKeyWithNumbers`` were moved from + ``cryptography.hazmat.primitives.interfaces`` to + :mod:`~cryptography.hazmat.primitives.asymmetric.rsa`. + + +.. _v0-7-2: + +0.7.2 - 2015-01-16 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows wheels to be compiled against OpenSSL 1.0.1l. +* ``enum34`` is no longer installed on Python 3.4, where it is included in + the standard library. +* Added a new function to the OpenSSL bindings to support additional + functionality in pyOpenSSL. + + +.. _v0-7-1: + +0.7.1 - 2014-12-28 +~~~~~~~~~~~~~~~~~~ + +* Fixed an issue preventing compilation on platforms where ``OPENSSL_NO_SSL3`` + was defined. + + +.. _v0-7: + +0.7 - 2014-12-17 +~~~~~~~~~~~~~~~~ + +* Cryptography has been relicensed from the Apache Software License, Version + 2.0, to being available under *either* the Apache Software License, Version + 2.0, or the BSD license. +* Added key-rotation support to :doc:`Fernet </fernet>` with + :class:`~cryptography.fernet.MultiFernet`. +* More bit-lengths are now supported for ``p`` and ``q`` when loading DSA keys + from numbers. +* Added ``MACContext`` as a common interface for CMAC and HMAC and + deprecated ``CMACContext``. +* Added support for encoding and decoding :rfc:`6979` signatures in + :doc:`/hazmat/primitives/asymmetric/utils`. +* Added + :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` to + support the loading of OpenSSH public keys (:rfc:`4253`). Only RSA and DSA + keys are currently supported. +* Added initial support for X.509 certificate parsing. See the + :doc:`X.509 documentation</x509/index>` for more information. + + +.. _v0-6-1: + +0.6.1 - 2014-10-15 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows wheels to be compiled against OpenSSL 1.0.1j. 
+* Fixed an issue where OpenSSL 1.0.1j changed the errors returned by some + functions. +* Added our license file to the ``cryptography-vectors`` package. +* Implemented DSA hash truncation support (per FIPS 186-3) in the OpenSSL + backend. This works around an issue in 1.0.0, 1.0.0a, and 1.0.0b where + truncation was not implemented. + + +.. _v0-6: + +0.6 - 2014-09-29 +~~~~~~~~~~~~~~~~ + +* Added + :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key` to + ease loading private keys, and + :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key` to + support loading public keys. +* Removed the, deprecated in 0.4, support for the ``salt_length`` argument to + the :class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF1` + constructor. The ``salt_length`` should be passed to + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` instead. +* Fix compilation on OS X Yosemite. +* Deprecated ``elliptic_curve_private_key_from_numbers`` and + ``elliptic_curve_public_key_from_numbers`` in favor of + ``load_elliptic_curve_private_numbers`` and + ``load_elliptic_curve_public_numbers`` on ``EllipticCurveBackend``. +* Added ``EllipticCurvePrivateKeyWithNumbers`` and + ``EllipticCurvePublicKeyWithNumbers`` support. +* Work around three GCM related bugs in CommonCrypto and OpenSSL. + + * On the CommonCrypto backend adding AAD but not subsequently calling update + would return null tag bytes. + + * One the CommonCrypto backend a call to update without an empty add AAD call + would return null ciphertext bytes. + + * On the OpenSSL backend with certain versions adding AAD only would give + invalid tag bytes. + +* Support loading EC private keys from PEM. + + +.. _v0-5-4: + +0.5.4 - 2014-08-20 +~~~~~~~~~~~~~~~~~~ + +* Added several functions to the OpenSSL bindings to support new + functionality in pyOpenSSL. +* Fixed a redefined constant causing compilation failure with Solaris 11.2. + + +.. 
_v0-5-3: + +0.5.3 - 2014-08-06 +~~~~~~~~~~~~~~~~~~ + +* Updated Windows wheels to be compiled against OpenSSL 1.0.1i. + + +.. _v0-5-2: + +0.5.2 - 2014-07-09 +~~~~~~~~~~~~~~~~~~ + +* Add ``TraditionalOpenSSLSerializationBackend`` support to ``multibackend``. +* Fix compilation error on OS X 10.8 (Mountain Lion). + + +.. _v0-5-1: + +0.5.1 - 2014-07-07 +~~~~~~~~~~~~~~~~~~ + +* Add ``PKCS8SerializationBackend`` support to ``multibackend``. + + +.. _v0-5: + +0.5 - 2014-07-07 +~~~~~~~~~~~~~~~~ + +* **BACKWARDS INCOMPATIBLE:** + :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` no longer allows + truncation of tags by default. Previous versions of ``cryptography`` allowed + tags to be truncated by default, applications wishing to preserve this + behavior (not recommended) can pass the ``min_tag_length`` argument. +* Windows builds now statically link OpenSSL by default. When installing a + wheel on Windows you no longer need to install OpenSSL separately. Windows + users can switch between static and dynamic linking with an environment + variable. See :doc:`/installation` for more details. +* Added :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDFExpand`. +* Added :class:`~cryptography.hazmat.primitives.ciphers.modes.CFB8` support + for :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` and + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` on + ``commoncrypto`` and ``openssl``. +* Added ``AES`` :class:`~cryptography.hazmat.primitives.ciphers.modes.CTR` + support to the OpenSSL backend when linked against 0.9.8. +* Added ``PKCS8SerializationBackend`` and + ``TraditionalOpenSSLSerializationBackend`` support to ``openssl``. +* Added :doc:`/hazmat/primitives/asymmetric/ec` and ``EllipticCurveBackend``. +* Added :class:`~cryptography.hazmat.primitives.ciphers.modes.ECB` support + for :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` on + ``commoncrypto`` and ``openssl``. 
+* Deprecated the concrete ``RSAPrivateKey`` class in favor of backend + specific providers of the + :class:`cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey` + interface. +* Deprecated the concrete ``RSAPublicKey`` in favor of backend specific + providers of the + :class:`cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` + interface. +* Deprecated the concrete ``DSAPrivateKey`` class in favor of backend + specific providers of the + :class:`cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` + interface. +* Deprecated the concrete ``DSAPublicKey`` class in favor of backend specific + providers of the + :class:`cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` + interface. +* Deprecated the concrete ``DSAParameters`` class in favor of backend specific + providers of the + :class:`cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters` + interface. +* Deprecated ``encrypt_rsa``, ``decrypt_rsa``, ``create_rsa_signature_ctx`` and + ``create_rsa_verification_ctx`` on ``RSABackend``. +* Deprecated ``create_dsa_signature_ctx`` and ``create_dsa_verification_ctx`` + on ``DSABackend``. + + +.. _v0-4: + +0.4 - 2014-05-03 +~~~~~~~~~~~~~~~~ + +* Deprecated ``salt_length`` on + :class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF1` and added it + to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. It will + be removed from ``MGF1`` in two releases per our :doc:`/api-stability` + policy. +* Added :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED` + support. +* Added :class:`~cryptography.hazmat.primitives.cmac.CMAC`. +* Added decryption support to + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey` + and encryption support to + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`. 
+* Added signature support to + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` + and verification support to + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`. + + +.. _v0-3: + +0.3 - 2014-03-27 +~~~~~~~~~~~~~~~~ + +* Added :class:`~cryptography.hazmat.primitives.twofactor.hotp.HOTP`. +* Added :class:`~cryptography.hazmat.primitives.twofactor.totp.TOTP`. +* Added :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA` + support. +* Added signature support to + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey` + and verification support to + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`. +* Moved test vectors to the new ``cryptography_vectors`` package. + + +.. _v0-2-2: + +0.2.2 - 2014-03-03 +~~~~~~~~~~~~~~~~~~ + +* Removed a constant definition that was causing compilation problems with + specific versions of OpenSSL. + + +.. _v0-2-1: + +0.2.1 - 2014-02-22 +~~~~~~~~~~~~~~~~~~ + +* Fix a bug where importing cryptography from multiple paths could cause + initialization to fail. + + +.. _v0-2: + +0.2 - 2014-02-20 +~~~~~~~~~~~~~~~~ + +* Added ``commoncrypto``. +* Added initial ``commoncrypto``. +* Removed ``register_cipher_adapter`` method from ``CipherBackend``. +* Added support for the OpenSSL backend under Windows. +* Improved thread-safety for the OpenSSL backend. +* Fixed compilation on systems where OpenSSL's ``ec.h`` header is not + available, such as CentOS. +* Added :class:`~cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC`. +* Added :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`. +* Added ``multibackend``. +* Set default random for ``openssl`` to the OS random engine. +* Added :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5` + (CAST-128) support. + + +.. _v0-1: + +0.1 - 2014-01-08 +~~~~~~~~~~~~~~~~ + +* Initial release. + +.. _`as documented here`: https://docs.rs/openssl/latest/openssl/#automatic +.. 
_`main`: https://github.com/pyca/cryptography/ +.. _`cffi`: https://cffi.readthedocs.io/ diff --git a/contrib/python/cryptography/next/rust/CONTRIBUTING.rst b/contrib/python/cryptography/next/rust/CONTRIBUTING.rst new file mode 100644 index 0000000000..6cd409a1b2 --- /dev/null +++ b/contrib/python/cryptography/next/rust/CONTRIBUTING.rst @@ -0,0 +1,23 @@ +Contributing to cryptography +============================ + +As an open source project, cryptography welcomes contributions of many forms. + +Examples of contributions include: + +* Code patches +* Documentation improvements +* Bug reports and patch reviews + +Extensive contribution guidelines are available in the repository at +``docs/development/index.rst``, or online at: + +https://cryptography.io/en/latest/development/ + +Security issues +--------------- + +To report a security issue, please follow the special `security reporting +guidelines`_, do not report them in the public issue tracker. + +.. _`security reporting guidelines`: https://cryptography.io/en/latest/security/ diff --git a/contrib/python/cryptography/next/rust/LICENSE b/contrib/python/cryptography/next/rust/LICENSE new file mode 100644 index 0000000000..b11f379efe --- /dev/null +++ b/contrib/python/cryptography/next/rust/LICENSE @@ -0,0 +1,3 @@ +This software is made available under the terms of *either* of the licenses +found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made +under the terms of *both* these licenses. diff --git a/contrib/python/cryptography/next/rust/LICENSE.APACHE b/contrib/python/cryptography/next/rust/LICENSE.APACHE new file mode 100644 index 0000000000..62589edd12 --- /dev/null +++ b/contrib/python/cryptography/next/rust/LICENSE.APACHE 
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + https://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/contrib/python/cryptography/next/rust/LICENSE.BSD b/contrib/python/cryptography/next/rust/LICENSE.BSD new file mode 100644 index 0000000000..ec1a29d34d --- /dev/null +++ b/contrib/python/cryptography/next/rust/LICENSE.BSD 
@@ -0,0 +1,27 @@ +Copyright (c) Individual contributors. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + 3. Neither the name of PyCA Cryptography nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR +ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON +ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/contrib/python/cryptography/next/rust/README.rst b/contrib/python/cryptography/next/rust/README.rst new file mode 100644 index 0000000000..d71765b8db --- /dev/null +++ b/contrib/python/cryptography/next/rust/README.rst 
@@ -0,0 +1,68 @@ +pyca/cryptography +================= + +.. image:: https://img.shields.io/pypi/v/cryptography.svg + :target: https://pypi.org/project/cryptography/ + :alt: Latest Version + +.. image:: https://readthedocs.org/projects/cryptography/badge/?version=latest + :target: https://cryptography.io + :alt: Latest Docs + +.. image:: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main + :target: https://github.com/pyca/cryptography/actions?query=workflow%3ACI+branch%3Amain + + +``cryptography`` is a package which provides cryptographic recipes and +primitives to Python developers. Our goal is for it to be your "cryptographic +standard library". It supports Python 3.7+ and PyPy3 7.3.10+. + +``cryptography`` includes both high level recipes and low level interfaces to +common cryptographic algorithms such as symmetric ciphers, message digests, and +key derivation functions. For example, to encrypt something with +``cryptography``'s high level symmetric encryption recipe: + +.. code-block:: pycon + + >>> from cryptography.fernet import Fernet + >>> # Put this somewhere safe! + >>> key = Fernet.generate_key() + >>> f = Fernet(key) + >>> token = f.encrypt(b"A really secret message. Not for prying eyes.") + >>> token + b'...' + >>> f.decrypt(token) + b'A really secret message. Not for prying eyes.' + +You can find more information in the `documentation`_. + +You can install ``cryptography`` with: + +.. code-block:: console + + $ pip install cryptography + +For full details see `the installation documentation`_. + +Discussion +~~~~~~~~~~ + +If you run into bugs, you can file them in our `issue tracker`_. + +We maintain a `cryptography-dev`_ mailing list for development discussion. + +You can also join ``#pyca`` on ``irc.libera.chat`` to ask questions or get +involved. + +Security +~~~~~~~~ + +Need to report a security issue? Please consult our `security reporting`_ +documentation. + + +.. _`documentation`: https://cryptography.io/ +.. 
_`the installation documentation`: https://cryptography.io/en/latest/installation/ +.. _`issue tracker`: https://github.com/pyca/cryptography/issues +.. _`cryptography-dev`: https://mail.python.org/mailman/listinfo/cryptography-dev +.. _`security reporting`: https://cryptography.io/en/latest/security/ diff --git a/contrib/python/cryptography/next/rust/ci-constraints-requirements.txt b/contrib/python/cryptography/next/rust/ci-constraints-requirements.txt new file mode 100644 index 0000000000..009faa5e0b --- /dev/null +++ b/contrib/python/cryptography/next/rust/ci-constraints-requirements.txt 
@@ -0,0 +1,197 @@ +# This is named ambigiously, but it's a pip constraints file, named like a +# requirements file so dependabot will update the pins. +# It was originally generated with; +# pip-compile --extra=docs --extra=docstest --extra=pep8test --extra=test --extra=test-randomorder --extra=nox --extra=sdist --resolver=backtracking --strip-extras --unsafe-package=cffi --unsafe-package=pycparser --unsafe-package=setuptools pyproject.toml +# and then manually massaged to add version specifiers to packages whose +# versions vary by Python version + +alabaster==0.7.13 + # via sphinx +argcomplete==3.0.8 + # via nox +babel==2.12.1 + # via sphinx +black==23.3.0 + # via cryptography (pyproject.toml) +bleach==6.0.0 + # via readme-renderer +build==0.10.0 + # via + # check-sdist + # cryptography (pyproject.toml) +certifi==2023.5.7 + # via requests +charset-normalizer==3.1.0 + # via requests +check-sdist==0.1.2 + # via cryptography (pyproject.toml) +click==8.1.3 + # via black +colorlog==6.7.0 + # via nox +coverage==7.2.7 + # via pytest-cov +distlib==0.3.6 + # via virtualenv +docutils==0.18.1 + # via + # readme-renderer + # sphinx + # sphinx-rtd-theme +exceptiongroup==1.1.1 + # via pytest +execnet==1.9.0 + # via pytest-xdist +filelock==3.12.0 + # via virtualenv +idna==3.4 + # via requests +imagesize==1.4.1 + # via sphinx +importlib-metadata==6.6.0 + # via + # keyring + # twine +iniconfig==2.0.0 + # via pytest +jaraco-classes==3.2.3 + # via keyring +jinja2==3.1.2 + # via sphinx +keyring==23.13.1 + # via twine +markdown-it-py==2.2.0 + # via rich +markupsafe==2.1.2 + # via jinja2 +mdurl==0.1.2 + # via markdown-it-py +more-itertools==9.1.0 + # via jaraco-classes +mypy==1.3.0 + # via cryptography (pyproject.toml) +mypy-extensions==1.0.0 + # via + # black + # mypy +nox==2023.4.22 + # via cryptography (pyproject.toml) +packaging==23.1 + # via + # black + # build + # nox + # pytest + # sphinx +pathspec==0.11.1 + # via + # black + # check-sdist +pkginfo==1.9.6 + # via twine 
+platformdirs==3.5.1 + # via + # black + # virtualenv +pluggy==1.0.0 + # via pytest +pretend==1.0.9 + # via cryptography (pyproject.toml) +py-cpuinfo==9.0.0 + # via pytest-benchmark +pyenchant==3.2.2 + # via + # cryptography (pyproject.toml) + # sphinxcontrib-spelling +pygments==2.15.1 + # via + # readme-renderer + # rich + # sphinx +pyproject-hooks==1.0.0 + # via build +pytest==7.3.1 + # via + # cryptography (pyproject.toml) + # pytest-benchmark + # pytest-cov + # pytest-randomly + # pytest-xdist +pytest-benchmark==4.0.0 + # via cryptography (pyproject.toml) +pytest-cov==4.1.0 + # via cryptography (pyproject.toml) +pytest-randomly==3.12.0 + # via cryptography (pyproject.toml) +pytest-xdist==3.3.1 + # via cryptography (pyproject.toml) +readme-renderer==37.3 + # via twine +requests==2.31.0 + # via + # requests-toolbelt + # sphinx + # twine +requests-toolbelt==1.0.0 + # via twine +rfc3986==2.0.0 + # via twine +rich==13.3.5 + # via twine +ruff==0.0.270 + # via cryptography (pyproject.toml) +six==1.16.0 + # via bleach +snowballstemmer==2.2.0 + # via sphinx +sphinx==6.2.1 + # via + # cryptography (pyproject.toml) + # sphinx-rtd-theme + # sphinxcontrib-jquery + # sphinxcontrib-spelling +sphinx-rtd-theme==1.2.1 + # via cryptography (pyproject.toml) +sphinxcontrib-applehelp==1.0.4 + # via sphinx +sphinxcontrib-devhelp==1.0.2 + # via sphinx +sphinxcontrib-htmlhelp==2.0.1 + # via sphinx +sphinxcontrib-jquery==4.1 + # via sphinx-rtd-theme +sphinxcontrib-jsmath==1.0.1 + # via sphinx +sphinxcontrib-qthelp==1.0.3 + # via sphinx +sphinxcontrib-serializinghtml==1.1.5 + # via sphinx +sphinxcontrib-spelling==8.0.0 + # via cryptography (pyproject.toml) +tomli==2.0.1 + # via + # black + # build + # check-manifest + # coverage + # mypy + # pyproject-hooks + # pytest +twine==4.0.2 + # via cryptography (pyproject.toml) +typing-extensions==4.6.2 + # via mypy +urllib3==2.0.2 + # via + # requests + # twine +virtualenv==20.23.0 + # via nox +webencodings==0.5.1 + # via bleach +zipp==3.15.0 + 
# via importlib-metadata + +# The following packages are considered to be unsafe in a requirements file: +# cffi +# pycparser diff --git a/contrib/python/cryptography/ya.make b/contrib/python/cryptography/ya.make index 4965fdc720..ce070b8473 100644 --- a/contrib/python/cryptography/ya.make +++ b/contrib/python/cryptography/ya.make @@ -16,3 +16,7 @@ RECURSE( py2 py3 ) + +IF (OS_LINUX AND MUSL) + RECURSE(next) +ENDIF() |
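Review bot: The pins in contrib/python/cryptography/next/rust/ci-constraints-requirements.txt are bare `==` versions with no `--hash` entries, and the pip-compile command recorded in the header has no `--generate-hashes`, so anything installed from this file is checked by version number only and cannot be run under pip's `--require-hashes`. The date-versioned pins (certifi==2023.5.7, nox==2023.4.22) are also about a year older than this commit (2024-05-29), and the header says the file is named so that dependabot keeps the pins current. If nothing in this tree installs from the file or updates it, consider leaving it out of the vendored copy. Otherwise, regenerate it with hashes and review the network-facing pins (requests, urllib3, certifi) against current advisories. Minor: tomli is annotated "via check-manifest", but the file pins check-sdist and has no check-manifest entry, so that annotation looks stale.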
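Review bot: In contrib/python/cryptography/ya.make, the new `IF (OS_LINUX AND MUSL)` block around `RECURSE(next)` has no comment saying why the next subtree is traversed only on Linux with musl, and the commit message ("Intermediate changes") does not explain it either. Add a one-line comment above the IF stating the reason and when the condition can be widened or removed. The diffstat lists files under next/py3 and next/rust but no next/ya.make, so please also confirm that the directory RECURSE(next) points to already has a build file, or that one arrives in a follow-up commit.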