PyCA cryptography 45.0.3 has been released to PyPI. cryptography
includes both high level recipes and low level interfaces to common
cryptographic algorithms such as symmetric ciphers, asymmetric
algorithms, message digests, X.509, key derivation functions, and much
more. We support Python 3.7+, and PyPy3 7.3.11+.
Changelog (https://cryptography.io/en/latest/changelog/#v45-0-3):
* Fixed decrypting PKCS#8 files encrypted with long salts (this impacts keys
encrypted by Bouncy Castle).
* Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5. While wildly
insecure, this remains prevalent.
Alex
--
All that is necessary for evil to succeed is for good people to do nothing.
Hi,
We are excited that cryptography version 45.x has introduced support to build it with aws-lc, however there are no instructions provided and it's a bit hard for someone with little to no Rust knowledge.
I have been trying to build the Python cryptography 45.0.2 with aws-lc. I have replaced all the openssl and openssl-sys dependencies with aws-lc-rs and aws-lc-sys in the main Cargo.toml files and also in the submodules within `src/rust/cryptography-*`. After updating the dependencies, the build is still failing because there are OpenSSL import statements within the submodules, for example this one - https://github.com/pyca/cryptography/blob/45.0.x/src/rust/cryptography-cryp…
Do we really need to update the dependencies in the submodules (src/rust/cryptography-*)? What is the correct way of building it with a different crypto provider (aws-lc)?
Could someone please provide us the instructions or point us to the documentation to build it with aws-lc as a crypto provider?
PyCA cryptography 45.0.2 has been released to PyPI. cryptography
includes both high level recipes and low level interfaces to common
cryptographic algorithms such as symmetric ciphers, asymmetric
algorithms, message digests, X.509, key derivation functions, and much
more. We support Python 3.7+, and PyPy3 7.3.11+.
Changelog (https://cryptography.io/en/latest/changelog/#v45-0-2):
* Fixed using ``mypy`` with ``cryptography`` on older versions of Python.
Alex
--
All that is necessary for evil to succeed is for good people to do nothing.
PyCA cryptography 45.0.1 has been released to PyPI. cryptography includes
both high level recipes and low level interfaces to
common cryptographic algorithms such as symmetric ciphers, asymmetric
algorithms, message digests, X.509, key derivation functions, and much
more. We support Python 3.7+, and PyPy3 7.3.10+.
Changelog (https://cryptography.io/en/latest/changelog/#v45-0-1):
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL
3.5.0.
This also includes the changes from 45.0.0:
Changelog (https://cryptography.io/en/latest/changelog/#v45-0-0):
* Support for Python 3.7 is deprecated and will be removed in the next
cryptography release.
* Updated the minimum supported Rust version (MSRV) to 1.74.0, from 1.65.0.
* Added support for serialization of PKCS#12 Java truststores in
serialize_java_truststore()
* Added derive_phc_encoded() and verify_phc_encoded() methods to support
password hashing in the PHC string format.
* Added support for PKCS7 decryption and encryption using AES-256 as the
content algorithm, in addition to AES-128.
* BACKWARDS INCOMPATIBLE: Made SSH private key loading more consistent with
other private key loading: load_ssh_private_key() now raises a TypeError if
the key is unencrypted but a password is provided (previously no exception
was raised), and raises a TypeError if the key is encrypted but no password
is provided (previously a ValueError was raised).
* We significantly refactored how private key loading (
load_pem_private_key() and load_der_private_key()) works. This is intended
to be backwards compatible for all well-formed keys, therefore if you
discover a key that now raises an exception, please file a bug with
instructions for reproducing.
* Added unsafe_skip_rsa_key_validation keyword-argument to
load_ssh_private_key().
* Added XOFHash to support repeated squeeze() operations on extendable
output functions.
* Added add_response_by_hash() method to allow creating OCSP responses
using certificate hash values rather than full certificates.
* Extended the X.509 path validation API to support user-configured
extension policies via the PolicyBuilder.extension_policies method.
* Deprecated the subject, verification_time and max_chain_depth properties
on ClientVerifier and ServerVerifier in favor of a new policy property.
These properties will be removed in the next release of cryptography.
* BACKWARDS INCOMPATIBLE: The VerifiedClient.subject property can now be
None since a custom extension policy may allow certificates without a
Subject Alternative Name extension.
* Changed the behavior when the OpenSSL 3 legacy provider fails to load.
Instead of raising an exception, a warning is now emitted. The
CRYPTOGRAPHY_OPENSSL_NO_LEGACY environment variable can still be used to
disable the legacy provider at runtime.
* Added support for the CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY environment
variable during build time, which prevents the library from ever attempting
to load the legacy provider.
* Added support for the PrivateKeyUsagePeriod X.509 extension. This
extension defines the period during which the private key corresponding to
the certificate’s public key may be used.
* Added support for compiling against aws-lc.
* Parsing X.509 structures now more strictly enforces that Name structures
do not have malformed ASN.1.
* We now publish py311 wheels that utilize the faster
pyo3::buffer::PyBuffer interface, resulting in significantly improved
performance for operations involving small buffers.
* Added ssh_key_fingerprint() for computing fingerprints of SSH public keys.
* Added support for deterministic ECDSA signing via the new keyword-only
argument ecdsa_deterministic in the X509 builder sign methods.
-Paul Kehrer (reaperhulk)
PyCA cryptography 45.0.0 has been released to PyPI. cryptography includes
both high level recipes and low level interfaces to common
cryptographic algorithms
such as symmetric ciphers, asymmetric algorithms, message digests, X.509,
key derivation functions, and much more. We support Python 3.7+, and PyPy3
7.3.10+.
Changelog (https://cryptography.io/en/latest/changelog/#v45-0-0):
* Support for Python 3.7 is deprecated and will be removed in the next
cryptography release.
* Updated the minimum supported Rust version (MSRV) to 1.74.0, from 1.65.0.
* Added support for serialization of PKCS#12 Java truststores in
serialize_java_truststore()
* Added derive_phc_encoded() and verify_phc_encoded() methods to support
password hashing in the PHC string format.
* Added support for PKCS7 decryption and encryption using AES-256 as the
content algorithm, in addition to AES-128.
* BACKWARDS INCOMPATIBLE: Made SSH private key loading more consistent with
other private key loading: load_ssh_private_key() now raises a TypeError if
the key is unencrypted but a password is provided (previously no exception
was raised), and raises a TypeError if the key is encrypted but no password
is provided (previously a ValueError was raised).
* We significantly refactored how private key loading (
load_pem_private_key() and load_der_private_key()) works. This is intended
to be backwards compatible for all well-formed keys, therefore if you
discover a key that now raises an exception, please file a bug with
instructions for reproducing.
* Added unsafe_skip_rsa_key_validation keyword-argument to
load_ssh_private_key().
* Added XOFHash to support repeated squeeze() operations on extendable
output functions.
* Added add_response_by_hash() method to allow creating OCSP responses
using certificate hash values rather than full certificates.
* Extended the X.509 path validation API to support user-configured
extension policies via the PolicyBuilder.extension_policies method.
* Deprecated the subject, verification_time and max_chain_depth properties
on ClientVerifier and ServerVerifier in favor of a new policy property.
These properties will be removed in the next release of cryptography.
* BACKWARDS INCOMPATIBLE: The VerifiedClient.subject property can now be
None since a custom extension policy may allow certificates without a
Subject Alternative Name extension.
* Changed the behavior when the OpenSSL 3 legacy provider fails to load.
Instead of raising an exception, a warning is now emitted. The
CRYPTOGRAPHY_OPENSSL_NO_LEGACY environment variable can still be used to
disable the legacy provider at runtime.
* Added support for the CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY environment
variable during build time, which prevents the library from ever attempting
to load the legacy provider.
* Added support for the PrivateKeyUsagePeriod X.509 extension. This
extension defines the period during which the private key corresponding to
the certificate’s public key may be used.
* Added support for compiling against aws-lc.
* Parsing X.509 structures now more strictly enforces that Name structures
do not have malformed ASN.1.
* We now publish py311 wheels that utilize the faster
pyo3::buffer::PyBuffer interface, resulting in significantly improved
performance for operations involving small buffers.
* Added ssh_key_fingerprint() for computing fingerprints of SSH public keys.
* Added support for deterministic ECDSA signing via the new keyword-only
argument ecdsa_deterministic in the X509 builder sign methods.
-Paul Kehrer (reaperhulk)
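An added example, not part of the announcement and not code from the cryptography project: a wrapper that applies the 45.0.0 load_ssh_private_key() password rules (TypeError on either mismatch) regardless of the installed version, so calling code needs only one exception path. The function names are hypothetical, and the header parsing assumes the openssh-key-v1 layout (magic, then a length-prefixed cipher name).

```python
import base64
import struct

from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.hazmat.primitives.serialization import (
    Encoding, NoEncryption, PrivateFormat, load_ssh_private_key,
)

_MAGIC = b"openssh-key-v1\x00"
_BEGIN = b"-----BEGIN OPENSSH PRIVATE KEY-----"
_END = b"-----END OPENSSH PRIVATE KEY-----"


def openssh_cipher_name(pem: bytes) -> bytes:
    """Return the cipher name from the key header (b"none" means unencrypted)."""
    start = pem.find(_BEGIN)
    end = pem.find(_END)
    if start < 0 or end < start:
        raise ValueError("not an OpenSSH private key")
    blob = base64.b64decode(b"".join(pem[start + len(_BEGIN):end].split()))
    if not blob.startswith(_MAGIC) or len(blob) < len(_MAGIC) + 4:
        raise ValueError("missing openssh-key-v1 magic")
    (n,) = struct.unpack_from(">I", blob, len(_MAGIC))
    name = blob[len(_MAGIC) + 4:len(_MAGIC) + 4 + n]
    if len(name) != n:
        raise ValueError("truncated cipher name")
    return name


def load_ssh_key_45_semantics(pem: bytes, password):
    """Load an SSH private key, enforcing the 45.0.0 password rules up front."""
    encrypted = openssh_cipher_name(pem) != b"none"
    if encrypted and password is None:
        raise TypeError("key is encrypted but no password was provided")
    if not encrypted and password is not None:
        raise TypeError("key is unencrypted but a password was provided")
    return load_ssh_private_key(pem, password)


def constructed_unencrypted_key() -> bytes:
    # Constructed sample: a throwaway Ed25519 key generated at run time.
    key = Ed25519PrivateKey.generate()
    return key.private_bytes(Encoding.PEM, PrivateFormat.OpenSSH, NoEncryption())


def constructed_encrypted_header() -> bytes:
    # Constructed sample: header of an encrypted key only; not a loadable key.
    body = _MAGIC + struct.pack(">I", 10) + b"aes256-ctr"
    return _BEGIN + b"\n" + base64.b64encode(body) + b"\n" + _END + b"\n"
```
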
PyCA cryptography 44.0.3 has been released to PyPI. cryptography
includes both high level recipes and low level interfaces to common
cryptographic algorithms such as symmetric ciphers, asymmetric
algorithms, message digests, X.509, key derivation functions, and much
more. We support Python 3.7+, and PyPy3 7.3.10+.
Changelog (https://cryptography.io/en/latest/changelog/#v44-0-3):
* Fixed compilation when using LibreSSL 4.1.0.
Alex
--
All that is necessary for evil to succeed is for good people to do nothing.