Cryptography

~~~~~~~~~~~~~~~~

.. note:: This version is not yet released and is under active development.

* Support for Python 3.7 is deprecated and will be removed in the next
``cryptography`` release.
* Added support for PKCS7 decryption and encryption using AES-256 as the
content algorithm, in addition to AES-128.
* **BACKWARDS INCOMPATIBLE:** Made SSH private key loading more consistent with
other private key loading:
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`
now raises a ``TypeError`` if the key is unencrypted but a password is
provided (previously no exception was raised), and raises a ``TypeError`` if
the key is encrypted but no password is provided (previously a ``ValueError``
was raised).
* Added ``unsafe_skip_rsa_key_validation`` keyword-argument to
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`.
* Added :class:`~cryptography.hazmat.primitives.hashes.XOFHash` to support
repeated :meth:`~cryptography.hazmat.primitives.hashes.XOFHash.squeeze`
operations on extendable output functions.
* Extended the :mod:`X.509 path validation <cryptography.x509.verification>` API to
support user-configured extension policies via the
:meth:`PolicyBuilder.extension_policies <cryptography.x509.verification.PolicyBuilder.extension_policies>` method.
* Deprecated the ``subject``, ``verification_time`` and ``max_chain_depth``
properties on :class:`~cryptography.x509.verification.ClientVerifier` and
:class:`~cryptography.x509.verification.ServerVerifier` in favor of a new ``policy`` property.
These properties will be removed in the next release of ``cryptography``.
* **BACKWARDS INCOMPATIBLE:** The
:meth:`VerifiedClient.subject <cryptography.x509.verification.VerifiedClient.subjects>`
property can now be `None` since a custom extension policy may allow certificates
without a Subject Alternative Name extension.

.. _v44-0-2:

~~~~~~~~~~~~~~~~~~~

* We now build wheels for PyPy 3.11.

.. _v44-0-1:

~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.1.
* We now build ``armv7l`` ``manylinux`` wheels and publish them to PyPI.
* We now build ``manylinux_2_34`` wheels and publish them to PyPI.

.. _v44-0-0:

~~~~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.9.
* Deprecated Python 3.7 support. Python 3.7 is no longer supported by the
Python core team. Support for Python 3.7 will be removed in a future
``cryptography`` release.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.0.
* macOS wheels are now built against the macOS 10.13 SDK. Users on older
versions of macOS should upgrade, or they will need to build
``cryptography`` themselves.
* Enforce the :rfc:`5280` requirement that extended key usage extensions must
not be empty.
* Added support for timestamp extraction to the
:class:`~cryptography.fernet.MultiFernet` class.
* Relax the Authority Key Identifier requirements on root CA certificates
during X.509 verification to allow fields permitted by :rfc:`5280` but
forbidden by the CA/Browser BRs.
* Added support for :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id`
when using OpenSSL 3.2.0+.
* Added support for the :class:`~cryptography.x509.Admissions` certificate extension.
* Added basic support for PKCS7 decryption (including S/MIME 3.2) via
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der`,
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem`, and
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime`.

.. _v43-0-3:

~~~~~~~~~~~~~~~~~~~

* Fixed release metadata for ``cryptography-vectors``

.. _v43-0-2:

~~~~~~~~~~~~~~~~~~~

* Fixed compilation when using LibreSSL 4.0.0.

.. _v43-0-1: