-------------------
* Remove the dependency on ``pyasn1`` and ``pyasn1-modules`` entirely to provide more
  robust parsing of ASN.1 structures, adding the ability to parse structures
  independent of RFC version. Certain bugs we've encountered in the past have now been
  resolved as a result of this. On top of that, structures defined in the replacement,
  ``asn1crypto``, are a lot more Pythonic, and parsing time has been cut by more than
  half.

  This has a serious impact if you use certain functions to deeply inspect the original
  data, as all these structures have now changed. Some parts of the API have also
  changed to better align with the new dependency. Most notably, all OIDs are now
  strings, rather than integer tuples, and references to attributes or specific types
  are now strings as well (such as in attribute lists). These strings can be in dotted
  form, but most commonly are a representation as provided by ``asn1crypto`` or
  ourselves.
* Add (default) option to swallow ``SignedPEParseError`` while parsing a PE file's
  certificate table. This allows checking certificates until such a parse error occurs,
  better aligning with how Windows handles these cases.

  ``SignedPEFile.signed_datas`` will no longer raise an exception when anything goes
  wrong, and will simply stop without yielding anything if no valid
  ``AuthenticodeSignedData`` is found.

  ``SignedPEFile.verify`` will raise an ``AuthenticodeNotSignedError`` when there's no
  valid ``AuthenticodeSignedData``, instead of a ``SignedPEParseError``.

  The former behaviour can be restored with the ``ignore_parse_errors`` argument to
  ``SignedPEFile.verify`` and ``SignedPEFile.iter_signed_datas``. The latter method
  has been changed to keyword-arguments only.
* Add support for ``AuthenticodeSignedData`` versions other than v1
* Add support for ``SignerInfo`` versions other than v1
* Fix bug that could cause out-of-bound reads during parsing of the PE file's
  certificate table
* Correctly handle the lifetime-signing EKU (OID 1.3.6.1.4.1.311.10.3.13) by ignoring
  the countersignature's timestamp during verification of the certification chain when
  this is set on the end-entity's certificate. Note that the private
  ``SignerInfo._verify_issuer`` has slightly changed semantics based on this.
* Return the certificate chain(s) in ``AuthenticodeSignedData.verify`` and
  the used ``AuthenticodeSignedData`` and chains in ``SignedPEFile.verify``
* Parse the ``SpcPeImageData`` as part of the SpcInfo. This adds the attributes
  ``image_flags`` and ``image_publisher``, although this information is never used.
* Parse the ``SpcStatementType`` as part of the authenticated attributes of the
  ``AuthenticodeSignerInfo``. This adds the attribute ``statement_types``, although this
  information is never used.
* Parse the ``SpcFinancialCriteria`` (``microsoft_spc_financial_criteria``) and
  (partially) ``SpcSpAgencyInfo`` (``microsoft_spc_sp_agency_info``) as part of the
  ``extensions`` of ``Certificate``. These extensions are poorly documented, but may
  provide some additional information, such as when researching CVE-2019-1388.
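
The certificate-table behaviour described in the entries above (stop at the first parse error, never trust a length that runs past the table), shown as an added example that is not signify's own code: a stand-alone parser for the ``WIN_CERTIFICATE`` entries of a PE certificate table. ``CertTableParseError``, ``iter_win_certificates``, ``make_entry``, ``parse_all`` and the sample bytes are hypothetical names and constructed data; only the ``ignore_parse_errors`` keyword mirrors the argument named above.

```python
import struct

class CertTableParseError(Exception):
    """Hypothetical stand-in for signify's SignedPEParseError."""

def iter_win_certificates(table, *, ignore_parse_errors=True):
    """Yield (revision, cert_type, data) per WIN_CERTIFICATE entry in ``table``.

    Every declared length is validated against the bytes actually present, so
    a forged dwLength is rejected rather than trusted.
    """
    pos = 0
    try:
        while pos < len(table):
            remaining = len(table) - pos
            if remaining < 8:
                raise CertTableParseError(f"truncated header at offset {pos}")
            # dwLength (includes the 8-byte header), wRevision, wCertificateType
            length, revision, cert_type = struct.unpack_from("<IHH", table, pos)
            if length < 8:
                raise CertTableParseError(f"dwLength {length} below header size")
            if length > remaining:
                raise CertTableParseError(f"dwLength {length} overruns table")
            yield revision, cert_type, table[pos + 8 : pos + length]
            pos += (length + 7) & ~7  # entries start on 8-byte boundaries
    except CertTableParseError:
        if not ignore_parse_errors:
            raise
        # Default: stop quietly and keep the entries parsed before the error.

def make_entry(payload, declared_length=None):
    """Build one constructed entry; declared_length lets us forge dwLength."""
    length = 8 + len(payload) if declared_length is None else declared_length
    raw = struct.pack("<IHH", length, 0x0200, 0x0002) + payload
    return raw + b"\x00" * (-len(raw) % 8)

# Constructed sample: one well-formed entry, then one claiming 0x1000 bytes.
SAMPLE_TABLE = make_entry(b"first-blob") + make_entry(b"x", declared_length=0x1000)

def parse_all(table, **kwargs):
    return list(iter_win_certificates(table, **kwargs))

if __name__ == "__main__":
    print(parse_all(SAMPLE_TABLE))  # only the well-formed first entry
    try:
        parse_all(SAMPLE_TABLE, ignore_parse_errors=False)
    except CertTableParseError as exc:
        print("strict mode:", exc)
```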