• [Python-announce] PyCA cryptography 36.0.0 released

    From Paul Kehrer@21:1/5 to All on Mon Nov 22 06:11:54 2021
    PyCA cryptography 36.0.0 has been released to PyPI. cryptography
    includes both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, asymmetric
    algorithms, message digests, X509, key derivation functions, and much
    more. We support Python 3.6+, and PyPy3.

    (As a reminder, cryptography changed its versioning scheme with 35.0.
    For more information see https://cryptography.io/en/latest/api-stability/#versioning)

    Changelog (https://cryptography.io/en/latest/changelog/#v36-0-0):
    * FINAL DEPRECATION: Support for verifier and signer on our asymmetric
    key classes was deprecated in version 2.1. These functions had an
    extended deprecation due to usage, however the next version of
    cryptography will drop support. Users should migrate to sign and
    verify.
    * The entire X.509 layer is now written in Rust. This allows alternate asymmetric key implementations that can support cloud key management
    services or hardware security modules provided they implement the
    necessary interface (for example: EllipticCurvePrivateKey).
    * Deprecated the backend argument for all functions.
    * Added support for AESOCB3.
    * Added support for iterating over arbitrary request attributes.
    * Deprecated the get_attribute_for_oid method on
    CertificateSigningRequest in favor of get_attribute_for_oid() on the
    new Attributes object.
    * Fixed handling of PEM files to allow loading when certificate and
    key are in the same file.
    * Fixed parsing of CertificatePolicies extensions containing legacy
    BMPString values in their explicitText.
    * Allow parsing of negative serial numbers in certificates. Negative
    serial numbers are prohibited by RFC 5280 so a deprecation warning
    will be raised whenever they are encountered. A future version of
    cryptography will drop support for parsing them.
    * Added support for parsing PKCS12 files with friendly names for all certificates with load_pkcs12(), which will return an object of type PKCS12KeyAndCertificates.
    rfc4514_string() and related methods now have an optional
    attr_name_overrides parameter to supply custom OID to name mappings,
    which can be used to match vendor-specific extensions.
    * BACKWARDS INCOMPATIBLE: Reverted the nonstandard formatting of email
    address fields as E in rfc4514_string() methods from version 35.0. The
    previous behavior can be restored with: name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})
    * Allow X25519PublicKey and X448PublicKey to be used as public keys
    when parsing certificates or creating them with CertificateBuilder.
    These key types must be signed with a different signing algorithm as
    X25519 and X448 do not support signing.
    * Extension values can now be serialized to a DER byte string by
    calling public_bytes().
    * Added experimental support for compiling against BoringSSL. As
    BoringSSL does not commit to a stable API, cryptography tests against
    the latest commit only. Please note that several features are not
    available when building against BoringSSL.
    * Parsing CertificateSigningRequest from DER and PEM now, for a
    limited time period, allows the Extension critical field to be
    incorrectly encoded. See the issue for complete details. This will be
    reverted in a future cryptography release.
    * When OCSPNonce are parsed and generated their value is now correctly
    wrapped in an ASN.1 OCTET STRING. This conforms to RFC 6960 but
    conflicts with the original behavior specified in RFC 2560. For a
    temporary period for backwards compatibility, we will also parse
    values that are encoded as specified in RFC 2560 but this behavior
    will be removed in a future release.

    -Paul Kehrer (reaperhulk)

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)