PyCA cryptography 45.0.0 has been released to PyPI. cryptography includes
both high level recipes and low level interfaces to common
cryptographic algorithms
such as symmetric ciphers, asymmetric algorithms, message digests, X.509,
key derivation functions, and much more. We support Python 3.7+, and PyPy3
7.3.10+.
Changelog (
https://cryptography.io/en/latest/changelog/#v45-0-0):
* Support for Python 3.7 is deprecated and will be removed in the next
cryptography release.
* Updated the minimum supported Rust version (MSRV) to 1.74.0, from 1.65.0.
* Added support for serialization of PKCS#12 Java truststores in
serialize_java_truststore()
* Added derive_phc_encoded() and verify_phc_encoded() methods to support
password hashing in the PHC string format.
* Added support for PKCS7 decryption and encryption using AES-256 as the
content algorithm, in addition to AES-128.
* BACKWARDS INCOMPATIBLE: Made SSH private key loading more consistent with
other private key loading: load_ssh_private_key() now raises a TypeError if
the key is unencrypted but a password is provided (previously no exception
was raised), and raises a TypeError if the key is encrypted but no password
is provided (previously a ValueError was raised).
* We significantly refactored how private key loading (
load_pem_private_key() and load_der_private_key()) works. This is intended
to be backwards compatible for all well-formed keys, therefore if you
discover a key that now raises an exception, please file a bug with
instructions for reproducing.
* Added unsafe_skip_rsa_key_validation keyword-argument to
load_ssh_private_key().
* Added XOFHash to support repeated squeeze() operations on extendable
output functions.
* Added add_response_by_hash() method to allow creating OCSP responses
using certificate hash values rather than full certificates.
* Extended the X.509 path validation API to support user-configured
extension policies via the PolicyBuilder.extension_policies method.
* Deprecated the subject, verification_time and max_chain_depth properties
on ClientVerifier and ServerVerifier in favor of a new policy property.
These properties will be removed in the next release of cryptography.
* BACKWARDS INCOMPATIBLE: The VerifiedClient.subject property can now be
None since a custom extension policy may allow certificates without a
Subject Alternative Name extension.
* Changed the behavior when the OpenSSL 3 legacy provider fails to load.
Instead of raising an exception, a warning is now emitted. The
CRYPTOGRAPHY_OPENSSL_NO_LEGACY environment variable can still be used to
disable the legacy provider at runtime.
* Added support for the CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY environment
variable during build time, which prevents the library from ever attempting
to load the legacy provider.
* Added support for the PrivateKeyUsagePeriod X.509 extension. This
extension defines the period during which the private key corresponding to
the certificate’s public key may be used.
Added support for compiling against aws-lc.
* Parsing X.509 structures now more strictly enforces that Name structures
do not have malformed ASN.1.
* We now publish py311 wheels that utilize the faster
pyo3::buffer::PyBuffer interface, resulting in significantly improved
performance for operations involving small buffers.
* Added ssh_key_fingerprint() for computing fingerprints of SSH public keys.
* Added support for deterministic ECDSA signing via the new keyword-only
argument ecdsa_deterministic in the X509 builder sign methods.
-Paul Kehrer (reaperhulk)
[Python-announce] PyCA cryptography 45.0.0 released