Cryptography

~~~~~~~~~~~~~~~~~~

* **SECURITY ISSUE**: Fixed a double free in the OpenSSL backend when using DSA
to verify signatures. Note that this only affects PyPy 2.6.0 and (presently
unreleased) CFFI versions greater than 1.1.0.


.. _v0-9:

~~~~~~~~~~~~~~~~

* Removed support for Python 3.2. This version of Python is rarely used
and caused support headaches. Users affected by this should upgrade to 3.3+.
* Deprecated support for Python 2.6. At the time there is no time table for
actually dropping support, however we strongly encourage all users to upgrade
their Python, as Python 2.6 no longer receives support from the Python core
team.
* Add support for the
:class:`~cryptography.hazmat.primitives.asymmetric.ec.SECP256K1` elliptic
curve.
* Fixed compilation when using an OpenSSL which was compiled with the
``no-comp`` (``OPENSSL_NO_COMP``) option.
* Support :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
serialization of public keys using the ``public_bytes`` method of
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`,
and
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`.
* Support :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
serialization of private keys using the ``private_bytes`` method of
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`,
and
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`.
* Add support for parsing X.509 certificate signing requests (CSRs) with
:func:`~cryptography.x509.load_pem_x509_csr` and
:func:`~cryptography.x509.load_der_x509_csr`.
* Moved ``cryptography.exceptions.InvalidToken`` to
:class:`cryptography.hazmat.primitives.twofactor.InvalidToken` and deprecated
the old location. This was moved to minimize confusion between this exception
and :class:`cryptography.fernet.InvalidToken`.
* Added support for X.509 extensions in :class:`~cryptography.x509.Certificate`
objects. The following extensions are supported as of this release:

* :class:`~cryptography.x509.BasicConstraints`
* :class:`~cryptography.x509.AuthorityKeyIdentifier`
* :class:`~cryptography.x509.SubjectKeyIdentifier`
* :class:`~cryptography.x509.KeyUsage`
* :class:`~cryptography.x509.SubjectAlternativeName`
* :class:`~cryptography.x509.ExtendedKeyUsage`
* :class:`~cryptography.x509.CRLDistributionPoints`
* :class:`~cryptography.x509.AuthorityInformationAccess`
* :class:`~cryptography.x509.CertificatePolicies`

Note that unsupported extensions with the critical flag raise
``UnsupportedExtension`` while unsupported extensions set to non-critical are
silently ignored. Read the :doc:`X.509 documentation</x509/index>` for more
information.


.. _v0-8-2:

~~~~~~~~~~~~~~~~~~

* Fixed a race condition when initializing the OpenSSL or CommonCrypto backends
in a multi-threaded scenario.


.. _v0-8-1:

~~~~~~~~~~~~~~~~~~

* Updated Windows wheels to be compiled against OpenSSL 1.0.2a.


.. _v0-8:

~~~~~~~~~~~~~~~~

* :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` can
now load elliptic curve public keys.
* Added
:attr:`~cryptography.x509.Certificate.signature_hash_algorithm` support to
:class:`~cryptography.x509.Certificate`.
* Added
:func:`~cryptography.hazmat.primitives.asymmetric.rsa.rsa_recover_prime_factors`
* :class:`~cryptography.hazmat.primitives.kdf.KeyDerivationFunction` was moved
from ``cryptography.hazmat.primitives.interfaces`` to
:mod:`~cryptography.hazmat.primitives.kdf`.
* Added support for parsing X.509 names. See the
:doc:`X.509 documentation</x509/index>` for more information.
* Added
:func:`~cryptography.hazmat.primitives.serialization.load_der_private_key` to
support loading of DER encoded private keys and
:func:`~cryptography.hazmat.primitives.serialization.load_der_public_key` to
support loading DER encoded public keys.
* Fixed building against LibreSSL, a compile-time substitute for OpenSSL.
* FreeBSD 9.2 was removed from the continuous integration system.
* Updated Windows wheels to be compiled against OpenSSL 1.0.2.
* :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`
and :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`
now support PKCS1 RSA public keys (in addition to the previous support for
SubjectPublicKeyInfo format for RSA, EC, and DSA).
* Added ``EllipticCurvePrivateKeyWithSerialization`` and deprecated
``EllipticCurvePrivateKeyWithNumbers``.
* Added
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.private_bytes`
to
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`.
* Added ``RSAPrivateKeyWithSerialization`` and deprecated ``RSAPrivateKeyWithNumbers``.
* Added
:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey.private_bytes`
to
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`.
* Added ``DSAPrivateKeyWithSerialization`` and deprecated ``DSAPrivateKeyWithNumbers``.
* Added
:meth:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey.private_bytes`
to
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`.
* Added ``RSAPublicKeyWithSerialization`` and deprecated ``RSAPublicKeyWithNumbers``.
* Added ``public_bytes`` to
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`.
* Added ``EllipticCurvePublicKeyWithSerialization`` and deprecated
``EllipticCurvePublicKeyWithNumbers``.
* Added ``public_bytes`` to
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`.
* Added ``DSAPublicKeyWithSerialization`` and deprecated ``DSAPublicKeyWithNumbers``.
* Added ``public_bytes`` to
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`.
* :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` and
:class:`~cryptography.hazmat.primitives.hashes.HashContext` were moved from
``cryptography.hazmat.primitives.interfaces`` to
:mod:`~cryptography.hazmat.primitives.hashes`.
* :class:`~cryptography.hazmat.primitives.ciphers.CipherContext`,
:class:`~cryptography.hazmat.primitives.ciphers.AEADCipherContext`,
:class:`~cryptography.hazmat.primitives.ciphers.AEADEncryptionContext`,
:class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`, and
:class:`~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm`
were moved from ``cryptography.hazmat.primitives.interfaces`` to
:mod:`~cryptography.hazmat.primitives.ciphers`.
* :class:`~cryptography.hazmat.primitives.ciphers.modes.Mode`,
:class:`~cryptography.hazmat.primitives.ciphers.modes.ModeWithInitializationVector`,
:class:`~cryptography.hazmat.primitives.ciphers.modes.ModeWithNonce`, and
:class:`~cryptography.hazmat.primitives.ciphers.modes.ModeWithAuthenticationTag`
were moved from ``cryptography.hazmat.primitives.interfaces`` to
:mod:`~cryptography.hazmat.primitives.ciphers.modes`.
* :class:`~cryptography.hazmat.primitives.padding.PaddingContext` was moved
from ``cryptography.hazmat.primitives.interfaces`` to
:mod:`~cryptography.hazmat.primitives.padding`.
*
:class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`
was moved from ``cryptography.hazmat.primitives.interfaces`` to
:mod:`~cryptography.hazmat.primitives.asymmetric.padding`.
* ``AsymmetricSignatureContext`` and ``AsymmetricVerificationContext``
were moved from ``cryptography.hazmat.primitives.interfaces`` to
``cryptography.hazmat.primitives.asymmetric``.
* :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`,
``DSAParametersWithNumbers``,
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`,
``DSAPrivateKeyWithNumbers``,
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` and
``DSAPublicKeyWithNumbers`` were moved from
``cryptography.hazmat.primitives.interfaces`` to
:mod:`~cryptography.hazmat.primitives.asymmetric.dsa`
* :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`,
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurveSignatureAlgorithm`,
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`,
``EllipticCurvePrivateKeyWithNumbers``,
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`,
and ``EllipticCurvePublicKeyWithNumbers``
were moved from ``cryptography.hazmat.primitives.interfaces`` to
:mod:`~cryptography.hazmat.primitives.asymmetric.ec`.
* :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
``RSAPrivateKeyWithNumbers``,
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` and
``RSAPublicKeyWithNumbers`` were moved from
``cryptography.hazmat.primitives.interfaces`` to
:mod:`~cryptography.hazmat.primitives.asymmetric.rsa`.


.. _v0-7-2:

~~~~~~~~~~~~~~~~~~

* Updated Windows wheels to be compiled against OpenSSL 1.0.1l.
* ``enum34`` is no longer installed on Python 3.4, where it is included in
the standard library.
* Added a new function to the OpenSSL bindings to support additional
functionality in pyOpenSSL.


.. _v0-7-1: