Scheduled monthly dependency update for April

[pyup-bot]

Update base58 from 2.0.0 to 2.1.1.

Changelog

2.1.1

- [67](https://github.com/keis/base58/pull/67) use github actions (keis)
- [66](https://github.com/keis/base58/pull/66) Escape illegal special characters in error message (hukkin)

2.1.0

- [64](https://github.com/keis/base58/pull/64) Parametrise a few tests over alphabet (keis)
- [63](https://github.com/keis/base58/pull/63) Made it handle any base with passing alphabet. (#63) (tanupoo)
- [62](https://github.com/keis/base58/pull/62) Setup cfg (keis)
- [61](https://github.com/keis/base58/pull/61) Add support to ppc64le (gururajrkatti)
- [60](https://github.com/keis/base58/pull/60) Update README.md (alloynetworks)
- [59](https://github.com/keis/base58/pull/59) New alias for XRP alphabet (alloynetworks)
- [58](https://github.com/keis/base58/pull/58) Improve invalid character message (keis)
- [57](https://github.com/keis/base58/pull/57) Autofix for similar letters (keis)
- [56](https://github.com/keis/base58/pull/56) Add performance benchmarks using pytest-benchmark (keis)
- [53](https://github.com/keis/base58/pull/53) Performance optimizations (kolomenkin)

2.0.1

- [55](https://github.com/keis/base58/pull/55) Include license file in source distribution (synapticarbors)
- [50](https://github.com/keis/base58/pull/50) Typecheck tests now that hamcrest has typing (keis)
- [49](https://github.com/keis/base58/pull/49) Replace custom exception assert with hamcrest utils (keis)

Links

• PyPI: https://pypi.org/project/base58
• Changelog: https://data.safetycli.com/changelogs/base58/
• Repo: https://github.com/keis/base58

Update cffi from 1.14.0 to 1.16.0.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

• PyPI: https://pypi.org/project/cffi
• Docs: http://cffi.readthedocs.org

Update cryptography from 2.8 to 42.0.5.

Changelog

42.0.5

~~~~~~~~~~~~~~~~~~~

* Limit the number of name constraint checks that will be performed in
:mod:`X.509 path validation <cryptography.x509.verification>` to protect
against denial of service attacks.
* Upgrade ``pyo3`` version, which fixes building on PowerPC.

.. _v42-0-4:

42.0.4

~~~~~~~~~~~~~~~~~~~

* Fixed a null-pointer-dereference and segfault that could occur when creating
a PKCS12 bundle. Credit to **Alexander-Programming** for reporting the
issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
definitions in :rfc:`2633` :rfc:`3370`.

.. _v42-0-3:

42.0.3

~~~~~~~~~~~~~~~~~~~

* Fixed an initialization issue that caused key loading failures for some
users.

.. _v42-0-2:

42.0.2

~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
``X25519PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
``X448PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
and ``DHPrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.

.. _v42-0-1:

42.0.1

~~~~~~~~~~~~~~~~~~~

* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign`.
* Resolved compatibility issue with loading certain RSA public keys in
:func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`.

.. _v42-0-0:

42.0.0

~~~~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.7.
* **BACKWARDS INCOMPATIBLE:** Loading a PKCS7 with no content field using
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
or
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`
will now raise a ``ValueError`` rather than return an empty list.
* Parsing SSH certificates no longer permits malformed critical options with
values, as documented in the 41.0.2 release notes.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.0.
* Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0.
* We now publish both ``py37`` and ``py39`` ``abi3`` wheels. This should
resolve some errors relating to initializing a module multiple times per
process.
* Support :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` for
X.509 certificate signing requests and certificate revocation lists with the
keyword-only argument ``rsa_padding`` on the ``sign`` methods for
:class:`~cryptography.x509.CertificateSigningRequestBuilder` and
:class:`~cryptography.x509.CertificateRevocationListBuilder`.
* Added support for obtaining X.509 certificate signing request signature
algorithm parameters (including PSS) via
:meth:`~cryptography.x509.CertificateSigningRequest.signature_algorithm_parameters`.
* Added support for obtaining X.509 certificate revocation list signature
algorithm parameters (including PSS) via
:meth:`~cryptography.x509.CertificateRevocationList.signature_algorithm_parameters`.
* Added ``mgf`` property to
:class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`.
* Added ``algorithm`` and ``mgf`` properties to
:class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP`.
* Added the following properties that return timezone-aware ``datetime`` objects:
:meth:`~cryptography.x509.Certificate.not_valid_before_utc`,
:meth:`~cryptography.x509.Certificate.not_valid_after_utc`,
:meth:`~cryptography.x509.RevokedCertificate.revocation_date_utc`,
:meth:`~cryptography.x509.CertificateRevocationList.next_update_utc`,
:meth:`~cryptography.x509.CertificateRevocationList.last_update_utc`.
These are timezone-aware variants of existing properties that return naïve
``datetime`` objects.
* Deprecated the following properties that return naïve ``datetime`` objects:
:meth:`~cryptography.x509.Certificate.not_valid_before`,
:meth:`~cryptography.x509.Certificate.not_valid_after`,
:meth:`~cryptography.x509.RevokedCertificate.revocation_date`,
:meth:`~cryptography.x509.CertificateRevocationList.next_update`,
:meth:`~cryptography.x509.CertificateRevocationList.last_update`
in favor of the new timezone-aware variants mentioned above.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20`
on LibreSSL.
* Added support for RSA PSS signatures in PKCS7 with
:meth:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder.add_signer`.
* In the next release (43.0.0) of cryptography, loading an X.509 certificate
with a negative serial number will raise an exception. This has been
deprecated since 36.0.0.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCMSIV` when using
OpenSSL 3.2.0+.
* Added the :mod:`X.509 path validation <cryptography.x509.verification>` APIs
for :class:`~cryptography.x509.Certificate` chains. These APIs should be
considered unstable and not subject to our stability guarantees until
documented as such in a future release.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.SM4`
:class:`~cryptography.hazmat.primitives.ciphers.modes.GCM`
when using OpenSSL 3.0 or greater.

.. _v41-0-7:

41.0.7

~~~~~~~~~~~~~~~~~~~

* Fixed compilation when using LibreSSL 3.8.2.

.. _v41-0-6:

41.0.6

~~~~~~~~~~~~~~~~~~~

* Fixed a null-pointer-dereference and segfault that could occur when loading
certificates from a PKCS7 bundle.  Credit to **pkuzco** for reporting the
issue. **CVE-2023-49083**

.. _v41-0-5:

41.0.5

~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4.
* Added a function to support an upcoming ``pyOpenSSL`` release.

.. _v41-0-4:

41.0.4

~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3.

.. _v41-0-3:

41.0.3

~~~~~~~~~~~~~~~~~~~

* Fixed performance regression loading DH public keys.
* Fixed a memory leak when using
:class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.2.

.. _v41-0-2:

41.0.2

~~~~~~~~~~~~~~~~~~~

* Fixed bugs in creating and parsing SSH certificates where critical options
with values were handled incorrectly. Certificates are now created correctly
and parsing accepts correct values as well as the previously generated
invalid forms with a warning. In the next release, support for parsing these
invalid forms will be removed.

.. _v41-0-1:

41.0.1

~~~~~~~~~~~~~~~~~~~

* Temporarily allow invalid ECDSA signature algorithm parameters in X.509
certificates, which are generated by older versions of Java.
* Allow null bytes in pass phrases when serializing private keys.

.. _v41-0-0:

41.0.0

~~~~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL less than 1.1.1d has been
removed.  Users on older version of OpenSSL will need to upgrade.
* **BACKWARDS INCOMPATIBLE:** Support for Python 3.6 has been removed.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.6.
* Updated the minimum supported Rust version (MSRV) to 1.56.0, from 1.48.0.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.1.
* Added support for the :class:`~cryptography.x509.OCSPAcceptableResponses`
OCSP extension.
* Added support for the :class:`~cryptography.x509.MSCertificateTemplate`
proprietary Microsoft certificate extension.
* Implemented support for equality checks on all asymmetric public key types.
* Added support for ``aes256-gcmopenssh.com`` encrypted keys in
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`.
* Added support for obtaining X.509 certificate signature algorithm parameters
(including PSS) via
:meth:`~cryptography.x509.Certificate.signature_algorithm_parameters`.
* Support signing :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`
X.509 certificates via the new keyword-only argument ``rsa_padding`` on
:meth:`~cryptography.x509.CertificateBuilder.sign`.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`
on BoringSSL.

.. _v40-0-2:

40.0.2

~~~~~~~~~~~~~~~~~~~

* Fixed compilation when using LibreSSL 3.7.2.
* Added some functions to support an upcoming ``pyOpenSSL`` release.

.. _v40-0-1:

40.0.1

~~~~~~~~~~~~~~~~~~~

* Fixed a bug where certain operations would fail if an object happened to be
in the top-half of the memory-space. This only impacted 32-bit systems.

.. _v40-0-0:

40.0.0

~~~~~~~~~~~~~~~~~~~


* **BACKWARDS INCOMPATIBLE:** As announced in the 39.0.0 changelog, the way
``cryptography`` links OpenSSL has changed. This only impacts users who
build ``cryptography`` from source (i.e., not from a ``wheel``), and
specify their own version of OpenSSL. For those users, the ``CFLAGS``,
``LDFLAGS``, ``INCLUDE``, ``LIB``, and ``CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS``
environment variables are no longer valid. Instead, users need to configure
their builds `as documented here`_.
* Support for Python 3.6 is deprecated and will be removed in the next
release.
* Deprecated the current minimum supported Rust version (MSRV) of 1.48.0.
In the next release we will raise MSRV to 1.56.0. Users with the latest
``pip`` will typically get a wheel and not need Rust installed, but check
:doc:`/installation` for documentation on installing a newer ``rustc`` if
required.
* Deprecated support for OpenSSL less than 1.1.1d. The next release of
``cryptography`` will drop support for older versions.
* Deprecated support for DSA keys in
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`
and
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`.
* Deprecated support for OpenSSH serialization in
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`
and
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`.
* The minimum supported version of PyPy3 is now 7.3.10.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.0.
* Added support for parsing SSH certificates in addition to public keys with
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_identity`.
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`
continues to support only public keys.
* Added support for generating SSH certificates with
:class:`~cryptography.hazmat.primitives.serialization.SSHCertificateBuilder`.
* Added :meth:`~cryptography.x509.Certificate.verify_directly_issued_by` to
:class:`~cryptography.x509.Certificate`.
* Added a check to :class:`~cryptography.x509.NameConstraints` to ensure that
:class:`~cryptography.x509.DNSName` constraints do not contain any ``*``
wildcards.
* Removed many unused CFFI OpenSSL bindings. This will not impact you unless
you are using ``cryptography`` to directly invoke OpenSSL's C API. Note that
these have never been considered a stable, supported, public API by
``cryptography``, this note is included as a courtesy.
* The X.509 builder classes now raise ``UnsupportedAlgorithm`` instead of
``ValueError`` if an unsupported hash algorithm is passed.
* Added public union type aliases for type hinting:

* Asymmetric types:
 :const:`~cryptography.hazmat.primitives.asymmetric.types.PublicKeyTypes`,
 :const:`~cryptography.hazmat.primitives.asymmetric.types.PrivateKeyTypes`,
 :const:`~cryptography.hazmat.primitives.asymmetric.types.CertificatePublicKeyTypes`,
 :const:`~cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPublicKeyTypes`,
 :const:`~cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPrivateKeyTypes`.
* SSH keys:
 :const:`~cryptography.hazmat.primitives.serialization.SSHPublicKeyTypes`,
 :const:`~cryptography.hazmat.primitives.serialization.SSHPrivateKeyTypes`,
 :const:`~cryptography.hazmat.primitives.serialization.SSHCertPublicKeyTypes`,
 :const:`~cryptography.hazmat.primitives.serialization.SSHCertPrivateKeyTypes`.
* PKCS12:
 :const:`~cryptography.hazmat.primitives.serialization.pkcs12.PKCS12PrivateKeyTypes`
* PKCS7:
 :const:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7HashTypes`,
 :const:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7PrivateKeyTypes`.
* Two-factor:
 :const:`~cryptography.hazmat.primitives.twofactor.hotp.HOTPHashTypes`

* Deprecated previously undocumented but not private type aliases in the
``cryptography.hazmat.primitives.asymmetric.types`` module in favor of new
ones above.


.. _v39-0-2:

39.0.2

~~~~~~~~~~~~~~~~~~~

* Fixed a bug where the content type header was not properly encoded for
PKCS7 signatures when using the ``Text`` option and ``SMIME`` encoding.


.. _v39-0-1:

39.0.1

~~~~~~~~~~~~~~~~~~~

* **SECURITY ISSUE** - Fixed a bug where ``Cipher.update_into`` accepted Python
buffer protocol objects, but allowed immutable buffers. **CVE-2023-23931**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8.

.. _v39-0-0:

39.0.0

~~~~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.0 has been removed.
Users on older version of OpenSSL will need to upgrade.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.5. The new
minimum LibreSSL version is 3.5.0. Going forward our policy is to support
versions of LibreSSL that are available in versions of OpenBSD that are
still receiving security support.
* **BACKWARDS INCOMPATIBLE:** Removed the ``encode_point`` and
``from_encoded_point`` methods on
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`,
which had been deprecated for several years.
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes`
and
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point`
should be used instead.
* **BACKWARDS INCOMPATIBLE:** Support for using MD5 or SHA1 in
:class:`~cryptography.x509.CertificateBuilder`, other X.509 builders, and
PKCS7 has been removed.
* **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.10 and 10.11, macOS
users must upgrade to 10.12 or newer.
* **ANNOUNCEMENT:** The next version of ``cryptography`` (40.0) will change
the way we link OpenSSL. This will only impact users who build
``cryptography`` from source (i.e., not from a ``wheel``), and specify their
own version of OpenSSL. For those users, the ``CFLAGS``, ``LDFLAGS``,
``INCLUDE``, ``LIB``, and ``CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS`` environment
variables will no longer be respected. Instead, users will need to
configure their builds `as documented here`_.
* Added support for
:ref:`disabling the legacy provider in OpenSSL 3.0.x<legacy-provider>`.
* Added support for disabling RSA key validation checks when loading RSA
keys via
:func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,
:func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,
and
:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers.private_key`.
This speeds up key loading but is :term:`unsafe` if you are loading potentially
attacker supplied keys.
* Significantly improved performance for
:class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`
when repeatedly calling ``encrypt`` or ``decrypt`` with the same key.
* Added support for creating OCSP requests with precomputed hashes using
:meth:`~cryptography.x509.ocsp.OCSPRequestBuilder.add_certificate_by_hash`.
* Added support for loading multiple PEM-encoded X.509 certificates from
a single input via :func:`~cryptography.x509.load_pem_x509_certificates`.

.. _v38-0-4:

38.0.4

~~~~~~~~~~~~~~~~~~~

* Fixed compilation when using LibreSSL 3.6.0.
* Fixed error when using ``py2app`` to build an application with a
``cryptography`` dependency.

.. _v38-0-3:

38.0.3

~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.7,
which resolves *CVE-2022-3602* and *CVE-2022-3786*.

.. _v38-0-2:

38.0.2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. attention::

 This release was subsequently yanked from PyPI due to a regression in OpenSSL.

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.6.


.. _v38-0-1:

38.0.1

~~~~~~~~~~~~~~~~~~~

* Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically
seen in large CRLs).

.. _v38-0-0:

38.0.0

~~~~~~~~~~~~~~~~~~~

* Final deprecation of OpenSSL 1.1.0. The next release of ``cryptography``
will drop support.
* We no longer ship ``manylinux2010`` wheels. Users should upgrade to the
latest ``pip`` to ensure this doesn't cause issues downloading wheels on
their platform. We now ship ``manylinux_2_28`` wheels for users on new
enough platforms.
* Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0.
Users with the latest ``pip`` will typically get a wheel and not need Rust
installed, but check :doc:`/installation` for documentation on installing a
newer ``rustc`` if required.
* :meth:`~cryptography.fernet.Fernet.decrypt` and related methods now accept
both ``str`` and ``bytes`` tokens.
* Parsing ``CertificateSigningRequest`` restores the behavior of enforcing
that the ``Extension`` ``critical`` field must be correctly encoded DER. See
`the issue <https://github.com/pyca/cryptography/issues/6368>`_ for complete
details.
* Added two new OpenSSL functions to the bindings to support an upcoming
``pyOpenSSL`` release.
* When parsing :class:`~cryptography.x509.CertificateRevocationList` and
:class:`~cryptography.x509.CertificateSigningRequest` values, it is now
enforced that the ``version`` value in the input must be valid according to
the rules of :rfc:`2986` and :rfc:`5280`.
* Using MD5 or SHA1 in :class:`~cryptography.x509.CertificateBuilder` and
other X.509 builders is deprecated and support will be removed in the next
version.
* Added additional APIs to
:class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp`, including
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_hash_algorithm`,
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_algorithm`,
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature`, and
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.extension_bytes`.
* Added :attr:`~cryptography.x509.Certificate.tbs_precertificate_bytes`, allowing
users to access the to-be-signed pre-certificate data needed for signed
certificate timestamp verification.
* :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC` and
:class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC` now support
:attr:`~cryptography.hazmat.primitives.kdf.kbkdf.CounterLocation.MiddleFixed`
counter location.
* Fixed :rfc:`4514` name parsing to reverse the order of the RDNs according
to the section 2.1 of the RFC, affecting method
:meth:`~cryptography.x509.Name.from_rfc4514_string`.
* It is now possible to customize some aspects of encryption when serializing
private keys, using
:meth:`~cryptography.hazmat.primitives.serialization.PrivateFormat.encryption_builder`.
* Removed several legacy symbols from our OpenSSL bindings. Users of pyOpenSSL
versions older than 22.0 will need to upgrade.
* Added
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES128` and
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES256` classes.
These classes do not replace
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` (which
allows all AES key lengths), but are intended for applications where
developers want to be explicit about key length.

.. _v37-0-4:

37.0.4

~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.5.

.. _v37-0-3:

37.0.3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. attention::

 This release was subsequently yanked from PyPI due to a regression in OpenSSL.

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.4.

.. _v37-0-2:

37.0.2

~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.3.
* Added a constant needed for an upcoming pyOpenSSL release.

.. _v37-0-1:

37.0.1

~~~~~~~~~~~~~~~~~~~

* Fixed an issue where parsing an encrypted private key with the public
loader functions would hang waiting for console input on OpenSSL 3.0.x rather
than raising an error.
* Restored some legacy symbols for older ``pyOpenSSL`` users. These will be
removed again in the future, so ``pyOpenSSL`` users should still upgrade
to the latest version of that package when they upgrade ``cryptography``.

.. _v37-0-0:

37.0.0

~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x and 3.0.x.
The new minimum LibreSSL version is 3.1+.
* **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier`` methods
from the public key and private key classes. These methods were originally
deprecated in version 2.0, but had an extended deprecation timeline due
to usage. Any remaining users should transition to ``sign`` and ``verify``.
* Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by
the OpenSSL project. The next release of ``cryptography`` will be the last
to support compiling with OpenSSL 1.1.0.
* Deprecated Python 3.6 support. Python 3.6 is no longer supported by the
Python core team. Support for Python 3.6 will be removed in a future
``cryptography`` release.
* Deprecated the current minimum supported Rust version (MSRV) of 1.41.0.
In the next release we will raise MSRV to 1.48.0. Users with the latest
``pip`` will typically get a wheel and not need Rust installed, but check
:doc:`/installation` for documentation on installing a newer ``rustc`` if
required.
* Deprecated
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`,
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`,
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish` because
they are legacy algorithms with extremely low usage. These will be removed
in a future version of ``cryptography``.
* Added limited support for distinguished names containing a bit string.
* We now ship ``universal2`` wheels on macOS, which contain both ``arm64``
and ``x86_64`` architectures. Users on macOS should upgrade to the latest
``pip`` to ensure they can use this wheel, although we will continue to
ship ``x86_64`` specific wheels for now to ease the transition.
* This will be the final release for which we ship ``manylinux2010`` wheels.
Going forward the minimum supported ``manylinux`` ABI for our wheels will
be ``manylinux2014``. The vast majority of users will continue to receive
``manylinux`` wheels provided they have an up to date ``pip``. For PyPy
wheels this release already requires ``manylinux2014`` for compatibility
with binaries distributed by upstream.
* Added support for multiple
:class:`~cryptography.x509.ocsp.OCSPSingleResponse` in a
:class:`~cryptography.x509.ocsp.OCSPResponse`.
* Restored support for signing certificates and other structures in
:doc:`/x509/index` with SHA3 hash algorithms.
* :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` is
disabled in FIPS mode.
* Added support for serialization of PKCS12 CA friendly names/aliases in
:func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`
* Added support for 12-15 byte (96 to 120 bit) nonces to
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`. This class
previously supported only 12 byte (96 bit).
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV` when using
OpenSSL 3.0.0+.
* Added support for serializing PKCS7 structures from a list of
certificates with
:class:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates`.
* Added support for parsing :rfc:`4514` strings with
:meth:`~cryptography.x509.Name.from_rfc4514_string`.
* Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.AUTO` to
:class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This can
be used to verify a signature where the salt length is not already known.
* Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.DIGEST_LENGTH`
to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This
constant will set the salt length to the same length as the ``PSS`` hash
algorithm.
* Added support for loading RSA-PSS key types with
:func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`
and
:func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`.
This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a
normal RSA private key, discarding the PSS constraint information.

.. _v36-0-2:

36.0.2

~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n.

.. _v36-0-1:

36.0.1

~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m.

.. _v36-0-0:

36.0.0

~~~~~~~~~~~~~~~~~~~

* **FINAL DEPRECATION** Support for ``verifier`` and ``signer`` on our
asymmetric key classes was deprecated in version 2.0. These functions had an
extended deprecation due to usage, however the next version of
``cryptography`` will drop support. Users should migrate to ``sign`` and
``verify``.
* The entire :doc:`/x509/index` layer is now written in Rust. This allows
alternate asymmetric key implementations that can support cloud key
management services or hardware security modules provided they implement
the necessary interface (for example:
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`).
* :ref:`Deprecated the backend argument<faq-missing-backend>` for all
functions.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`.
* Added support for iterating over arbitrary request
:attr:`~cryptography.x509.CertificateSigningRequest.attributes`.
* Deprecated the ``get_attribute_for_oid`` method on
:class:`~cryptography.x509.CertificateSigningRequest` in favor of
:meth:`~cryptography.x509.Attributes.get_attribute_for_oid` on the new
:class:`~cryptography.x509.Attributes` object.
* Fixed handling of PEM files to allow loading when certificate and key are
in the same file.
* Fixed parsing of :class:`~cryptography.x509.CertificatePolicies` extensions
containing legacy ``BMPString`` values in their ``explicitText``.
* Allow parsing of negative serial numbers in certificates. Negative serial
numbers are prohibited by :rfc:`5280` so a deprecation warning will be
raised whenever they are encountered. A future version of ``cryptography``
will drop support for parsing them.
* Added support for parsing PKCS12 files with friendly names for all
certificates with
:func:`~cryptography.hazmat.primitives.serialization.pkcs12.load_pkcs12`,
which will return an object of type
:class:`~cryptography.hazmat.primitives.serialization.pkcs12.PKCS12KeyAndCertificates`.
* :meth:`~cryptography.x509.Name.rfc4514_string` and related methods now have
an optional ``attr_name_overrides`` parameter to supply custom OID to name
mappings, which can be used to match vendor-specific extensions.
* **BACKWARDS INCOMPATIBLE:** Reverted the nonstandard formatting of
email address fields as ``E`` in
:meth:`~cryptography.x509.Name.rfc4514_string` methods from version 35.0.

The previous behavior can be restored with:
``name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})``
* Allow
:class:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey`
and
:class:`~cryptography.hazmat.primitives.asymmetric.x448.X448PublicKey` to
be used as public keys when parsing certificates or creating them with
:class:`~cryptography.x509.CertificateBuilder`. These key types must be
signed with a different signing algorithm as ``X25519`` and ``X448`` do
not support signing.
* Extension values can now be serialized to a DER byte string by calling
:func:`~cryptography.x509.ExtensionType.public_bytes`.
* Added experimental support for compiling against BoringSSL. As BoringSSL
does not commit to a stable API, ``cryptography`` tests against the
latest commit only. Please note that several features are not available
when building against BoringSSL.
* Parsing ``CertificateSigningRequest`` from DER and PEM now, for a limited
time period, allows the ``Extension`` ``critical`` field to be incorrectly
encoded. See `the issue <https://github.com/pyca/cryptography/issues/6368>`_
for complete details. This will be reverted in a future ``cryptography``
release.
* When :class:`~cryptography.x509.OCSPNonce` are parsed and generated their
value is now correctly wrapped in an ASN.1 ``OCTET STRING``. This conforms
to :rfc:`6960` but conflicts with the original behavior specified in
:rfc:`2560`. For a temporary period for backwards compatibility, we will
also parse values that are encoded as specified in :rfc:`2560` but this
behavior will be removed in a future release.

.. _v35-0-0:

35.0.0

~~~~~~~~~~~~~~~~~~~

* Changed the :ref:`version scheme <api-stability:versioning>`. This will
result in us incrementing the major version more frequently, but does not
change our existing backwards compatibility policy.
* **BACKWARDS INCOMPATIBLE:** The :doc:`/x509/index` PEM parsers now require
that the PEM string passed have PEM delimiters of the correct type. For
example, parsing a private key PEM concatenated with a certificate PEM will
no longer be accepted by the PEM certificate parser.
* **BACKWARDS INCOMPATIBLE:** The X.509 certificate parser no longer allows
negative serial numbers. :rfc:`5280` has always prohibited these.
* **BACKWARDS INCOMPATIBLE:** Additional forms of invalid ASN.1 found during
:doc:`/x509/index` parsing will raise an error on initial parse rather than
when the malformed field is accessed.
* Rust is now required for building ``cryptography``, the
``CRYPTOGRAPHY_DONT_BUILD_RUST`` environment variable is no longer
respected.
* Parsers for :doc:`/x509/index` no longer use OpenSSL and have been
rewritten in Rust. This should be backwards compatible (modulo the items
listed above) and improve both security and performance.
* Added support for OpenSSL 3.0.0 as a compilation target.
* Added support for
:class:`~cryptography.hazmat.primitives.hashes.SM3` and
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.SM4`,
when using OpenSSL 1.1.1. These algorithms are provided for compatibility
in regions where they may be required, and are not generally recommended.
* We now ship ``manylinux_2_24`` and ``musllinux_1_1`` wheels, in addition to
our ``manylinux2010`` and ``manylinux2014`` wheels. Users on distributions
like Alpine Linux should ensure they upgrade to the latest ``pip`` to
correctly receive wheels.
* Added ``rfc4514_attribute_name`` attribute to :attr:`x509.NameAttribute
<cryptography.x509.NameAttribute.rfc4514_attribute_name>`.
* Added :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC`.

.. _v3-4-8:

3.4.8

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1l.

.. _v3-4-7:

3.4.7

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1k.

.. _v3-4-6:

3.4.6

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1j.

.. _v3-4-5:

3.4.5

~~~~~~~~~~~~~~~~~~

* Various improvements to type hints.
* Lower the minimum supported Rust version (MSRV) to >=1.41.0. This change
improves compatibility with system-provided Rust on several Linux
distributions.
* ``cryptography`` will be switching to a new versioning scheme with its next
feature release. More information is available in our
:doc:`/api-stability` documentation.

.. _v3-4-4:

3.4.4

~~~~~~~~~~~~~~~~~~

* Added a ``py.typed`` file so that ``mypy`` will know to use our type
annotations.
* Fixed an import cycle that could be triggered by certain import sequences.

.. _v3-4-3:

3.4.3

~~~~~~~~~~~~~~~~~~

* Specify our supported Rust version (>=1.45.0) in our ``setup.py`` so users
on older versions will get a clear error message.

.. _v3-4-2:

3.4.2

~~~~~~~~~~~~~~~~~~

* Improvements to make the rust transition a bit easier. This includes some
better error messages and small dependency fixes. If you experience
installation problems **Be sure to update pip** first, then check the
:doc:`FAQ </faq>`.

.. _v3-4-1:

3.4.1

~~~~~~~~~~~~~~~~~~

* Fixed a circular import issue.
* Added additional debug output to assist users seeing installation errors
due to outdated ``pip`` or missing ``rustc``.

.. _v3-4:

3.4

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Support for Python 2 has been removed.
* We now ship ``manylinux2014`` wheels and no longer ship ``manylinux1``
wheels. Users should upgrade to the latest ``pip`` to ensure this doesn't
cause issues downloading wheels on their platform.
* ``cryptography`` now incorporates Rust code. Users building ``cryptography``
themselves will need to have the Rust toolchain installed. Users who use an
officially produced wheel will not need to make any changes. The minimum
supported Rust version is 1.45.0.
* ``cryptography`` now has :pep:`484` type hints on nearly all of of its public
APIs. Users can begin using them to type check their code with ``mypy``.

.. _v3-3-2:

3.3.2

~~~~~~~~~~~~~~~~~~

* **SECURITY ISSUE:** Fixed a bug where certain sequences of ``update()`` calls
when symmetrically encrypting very large payloads (>2GB) could result in an
integer overflow, leading to buffer overflows. *CVE-2020-36242* **Update:**
This fix is a workaround for *CVE-2021-23840* in OpenSSL, fixed in OpenSSL
1.1.1j.

.. _v3-3-1:

3.3.1

~~~~~~~~~~~~~~~~~~

* Re-added a legacy symbol causing problems for older ``pyOpenSSL`` users.

.. _v3-3:

3.3

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Support for Python 3.5 has been removed due to
low usage and maintenance burden.
* **BACKWARDS INCOMPATIBLE:** The
:class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` and
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM` now require
64-bit to 1024-bit (8 byte to 128 byte) initialization vectors. This change
is to conform with an upcoming OpenSSL release that will no longer support
sizes outside this window.
* **BACKWARDS INCOMPATIBLE:** When deserializing asymmetric keys we now
raise ``ValueError`` rather than ``UnsupportedAlgorithm`` when an
unsupported cipher is used. This change is to conform with an upcoming
OpenSSL release that will no longer distinguish between error types.
* **BACKWARDS INCOMPATIBLE:** We no longer allow loading of finite field
Diffie-Hellman parameters of less than 512 bits in length. This change is to
conform with an upcoming OpenSSL release that no longer supports smaller
sizes. These keys were already wildly insecure and should not have been used
in any application outside of testing.
* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1i.
* Python 2 support is deprecated in ``cryptography``. This is the last release
that will support Python 2.
* Added the
:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey.recover_data_from_signature`
function to
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`
for recovering the signed data from an RSA signature.

.. _v3-2-1:

3.2.1

~~~~~~~~~~~~~~~~~~

* Disable blinding on RSA public keys to address an error with some versions
of OpenSSL.

.. _v3-2:

3.2

~~~~~~~~~~~~~~~~

* **SECURITY ISSUE:** Attempted to make RSA PKCS1v1.5 decryption more constant
time, to protect against Bleichenbacher vulnerabilities. Due to limitations
imposed by our API, we cannot completely mitigate this vulnerability and a
future release will contain a new API which is designed to be resilient to
these for contexts where it is required. Credit to **Hubert Kario** for
reporting the issue. *CVE-2020-25659*
* Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL
will need to upgrade.
* Added basic support for PKCS7 signing (including SMIME) via
:class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder`.

.. _v3-1-1:

3.1.1

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1h.

.. _v3-1:

3.1

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Removed support for ``idna`` based
:term:`U-label` parsing in various X.509 classes. This support was originally
deprecated in version 2.1 and moved to an extra in 2.5.
* Deprecated OpenSSL 1.0.2 support. OpenSSL 1.0.2 is no longer supported by
the OpenSSL project. The next version of ``cryptography`` will drop support
for it.
* Deprecated support for Python 3.5. This version sees very little use and will
be removed in the next release.
* ``backend`` arguments to functions are no longer required and the
default backend will automatically be selected if no ``backend`` is provided.
* Added initial support for parsing certificates from PKCS7 files with
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
and
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`
.
* Calling ``update`` or ``update_into`` on
:class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with ``data``
longer than 2\ :sup:`31` bytes no longer raises an ``OverflowError``. This
also resolves the same issue in :doc:`/fernet`.

.. _v3-0:

3.0

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Removed support for passing an
:class:`~cryptography.x509.Extension` instance to
:meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`,
as per our deprecation policy.
* **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has
been removed (2.9.1+ is still supported).
* **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.9, macOS users must
upgrade to 10.10 or newer.
* **BACKWARDS INCOMPATIBLE:** RSA
:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key`
no longer accepts ``public_exponent`` values except 65537 and 3 (the latter
for legacy purposes).
* **BACKWARDS INCOMPATIBLE:** X.509 certificate parsing now enforces that the
``version`` field contains a valid value, rather than deferring this check
until :attr:`~cryptography.x509.Certificate.version` is accessed.
* Deprecated support for Python 2. At the time there is no time table for
actually dropping support, however we strongly encourage all users to upgrade
their Python, as Python 2 no longer receives support from the Python core
team.

If you have trouble suppressing this warning in tests view the :ref:`FAQ
entry addressing this issue <faq-howto-handle-deprecation-warning>`.

* Added support for ``OpenSSH`` serialization format for
``ec``, ``ed25519``, ``rsa`` and ``dsa`` private keys:
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`
for loading and
:attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.OpenSSH`
for writing.
* Added support for ``OpenSSH`` certificates to
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`.
* Added :meth:`~cryptography.fernet.Fernet.encrypt_at_time` and
:meth:`~cryptography.fernet.Fernet.decrypt_at_time` to
:class:`~cryptography.fernet.Fernet`.
* Added support for the :class:`~cryptography.x509.SubjectInformationAccess`
X.509 extension.
* Added support for parsing
:class:`~cryptography.x509.SignedCertificateTimestamps` in OCSP responses.
* Added support for parsing attributes in certificate signing requests via
``CertificateSigningRequest.get_attribute_for_oid``.
* Added support for encoding attributes in certificate signing requests via
:meth:`~cryptography.x509.CertificateSigningRequestBuilder.add_attribute`.
* On OpenSSL 1.1.1d and higher ``cryptography`` now uses OpenSSL's
built-in CSPRNG instead of its own OS random engine because these versions of
OpenSSL properly reseed on fork.
* Added initial support for creating PKCS12 files with
:func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`.

.. _v2-9-2:

2.9.2

~~~~~~~~~~~~~~~~~~

* Updated the macOS wheel to fix an issue where it would not run on macOS
versions older than 10.15.

.. _v2-9-1:

2.9.1

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1g.

.. _v2-9:

2.9

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Support for Python 3.4 has been removed due to
low usage and maintenance burden.
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.0.1 has been removed.
Users on older version of OpenSSL will need to upgrade.
* **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.6.x has been removed.
* Removed support for calling
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey.public_bytes`
with no arguments, as per our deprecation policy. You must now pass
``encoding`` and ``format``.
* **BACKWARDS INCOMPATIBLE:** Reversed the order in which
:meth:`~cryptography.x509.Name.rfc4514_string` returns the RDNs
as required by :rfc:`4514`.
* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1f.
* Added support for parsing
:attr:`~cryptography.x509.ocsp.OCSPResponse.single_extensions` in an OCSP
response.
* :class:`~cryptography.x509.NameAttribute` values can now be empty strings.

.. _v2-8:

Links

• PyPI: https://pypi.org/project/cryptography
• Changelog: https://data.safetycli.com/changelogs/cryptography/

Update ecdsa from 0.15 to 0.18.0.

Changelog

0.18.0

New API:
* `curve_by_name` in `curves` module to get a `Curve` object by providing curve
name.

Bug fix:
* Make the `VerifyingKey` encoded with explicit parameters use the same
kind of point encoding for public key and curve generator.
* Better handling of malformed curve parameters (as in CVE-2022-0778);
make python-ecdsa raise `MalformedPointError` instead of `AssertionError`.

Doc fix:
* Publish the documentation on https://ecdsa.readthedocs.io/,
include explanation of basics of handling of ECC data formats and how to use
the library for elliptic curve arithmetic.
* Make object names more consistent, make them into hyperlinks on the
readthedocs documentation.
* Make security note more explicit (Ian Rodney)
* Fix the `explicit` vs `named_curve` confusion in `VerifyingKey` docs.

Maintenance:
* Updated black version; slight changes to formatting
* Include interoperability tests for Ed25519 and Ed448 with OpenSSL.

0.18.0beta2

New features:
* Support for point precomputation for EdDSA.

Maintenance:
* Fix few typos (thanks to Tim Gates and Kian Meng Ang).

Bug fix:
* Accept private EdDSA keys that include public key in the ASN.1 structure.
* Fix incompatibility with Python 3.3 in handling of memoryviews of empty
strings.

0.18.0beta1

New features:
* Support for EdDSA (Ed25519, Ed448) signature creation and verification.
* Support for Ed25519 and Ed448 in PKCS8 and public key files.

New API:
* CurveEdTw class to represent the Twisted Edwards curve parameters.
* PointEdwards class to represent points on Twisted Edwards curve and
provide point arithmetic on it.

0.17.0

New API:
* Keys that use explicit curve parameters can now be read and written.
Reading of explicit curves can be disabled by using the
`valid_curve_encodings` keyword argument in `VerifyingKey.from_pem()`,
`VerifyingKey.from_der()`, `SigningKey.from_pem()`, and
`SigningKey.from_der()`.
* Keys can now be written with use of explicit curve parameters,
use `curve_parameters_encoding` keyword argument of `VerifyingKey.to_pem()`,
`VerifyingKey.to_der()`, `SigningKey.to_pem(), or `SigningKey.to_der()` to
specify the format. By default `named_curve` will be used, unless the
curve doesn't have an associated OID (as will be the case for an unsupported
curve), then `explicit` encoding will be used.
* Allow specifying acceptable point formats when loading public keys
(this also fixes a minor bug where python-ecdsa would accept raw
encoding for points in PKCS8 files). Set of accepted encodings is controlled
by `valid_encodings` keyword argument in
`ECDH.load_received_public_key_bytes()`, `VerifyingKey.from_string()`,
`VerifyingKey.from_pem()`, VerifyingKey.from_der()`.
* `PointJacobi` and `Point` now inherit from `AbstractPoint` that implements
the methods for parsing points. That added `from_bytes()` and
`to_bytes()` methods to both of them.
* Curve parameters can now be read and written to PEM and DER files. The
`Curve` class supports new `to_der()`, `from_der()`, `to_pem()`, and
`from_pem()` methods.

Doc fix:
* Describe in detail which methods can raise `RSZeroError`, and that
`SigningKey.sign_deterministic()` won't raise it.

Bug fix:
* Correctly truncate hash values larger than the curve order (only impacted
custom curves and the curves added in this release).
* Correctly handle curves for which the order is larger than the prime
(only impacted custom curves and the secp160r1 curve added in this release).
* Fix the handling of `==` and `!=` for `Public_key`, `Private_key`, `Point`,
`PointJacobi`, `VerifyingKey`, and `SigningKey` so that it behaves
consistently and in the expected way both in Python 2 and Python 3.
* Implement lock-less algorithm inside PointJacobi for keeping shared state
so that when a calculation is aborted with KeyboardInterrupt, the state
doesn't become corrupted (this fixes the occasional breakage of ecdsa in
interactive shells).

New features:
* The `speed.py` script now provides performance for signature verification
without the use of precomputation.
* New curves supported: secp112r1, secp112r2, secp128r1, secp160r1.

Performance:
* Use 2-ary Non-Adjacent Form for the combined multiply-add. This speeds up
single-shot verify (i.e. without precomputation) by about 4 to 5%.
* Use native Python 3.8 support for calculating multiplicative inverses.

Maintenance:
* Include Python 3.9 in PyPI keywords.
* More realistic branch coverage counting (ignore Python version-specific
branches).
* Additional test coverage to many parts of the library.
* Migrate to Github Actions for Continuous Testing.

0.16.1

New API:
`VerifyingKey.precompute()` supports `lazy` argument to delay precomputation
to the first time the key is used to verify a signature.

Doc fixes:
Documentation for the `VerifyingKey.precompute()` method.

Bug fix:
Make created signatures correct when the hash used is bigger than the curve
order bit size and the curve order is not a multiple of 8 (this affects
only users of custom curves or hashes with output larger than 512 bits).

Performance:
Speed up library load time by calculating the generator point multiplication
tables the first time the points are used, not when they are initialised.

Maintenance:
Include Python 3.9 in CI testing.
Test coverage for the `VerifyingKey.precompute()` method.
Small speed-ups for the test suite.

0.16.0

New features:
Support for reading and writing private keys in PKCS8 format.

New API:
`to_pem` and `to_der` now accept new parameter, `format`, to specify
the format of the encoded files, either the default, legacy `ssleay`, or
the new `pkcs8` to use PKCS8. Note that only unencrypted PKCS8 files are
supported.
Add `allow_truncate` to `verify` in `VerifyingKey`, it defaults to True,
when specified as False, the use of large hashes smaller than curves will be
disallowed (as it was in 0.14.1 and earlier).

Bug fix:
Correctly calculate signatures for private keys equal to n-1.
Make `PointJacobi` and thus `SigningKey` and `VerifyingKey` pickleable.

Doc fixes:
`to_pem` functions return `bytes` not `str`, document them as such.
`from_pem` and `from_pem` in `SigningKey` returns `SigningKey`, document them
as such.

Maintenance:
Ensure that version checks will work with Python 4.
Format the source with black.
Fix uses of `assert_` in the test suite.
Use newer Ubuntu in Travis to test against OpenSSL 1.1.1 (and thus
test the interoperability of ECDH code in Travis).

Links

• PyPI: https://pypi.org/project/ecdsa
• Changelog: https://data.safetycli.com/changelogs/ecdsa/
• Repo: http://github.com/tlsfuzzer/python-ecdsa

Update googleapis-common-protos from 1.51.0 to 1.63.0.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

• PyPI: https://pypi.org/project/googleapis-common-protos
• Repo: https://github.com/googleapis/python-api-common-protos

Update grpcio from 1.27.2 to 1.62.1.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

• PyPI: https://pypi.org/project/grpcio
• Homepage: https://grpc.io

Update protobuf from 3.11.3 to 5.26.1.

Changelog

3.20.3

Java
* Refactoring java full runtime to reuse sub-message builders and prepare to
 migrate parsing logic from parse constructor to builder.
* Move proto wireformat parsing functionality from the private "parsing
 constructor" to the Builder class.
* Change the Lite runtime to prefer merging from the wireformat into mutable
 messages rather than building up a new immutable object before merging. This
 way results in fewer allocations and copy operations.
* Make message-type extensions merge from wire-format instead of building up
 instances and merging afterwards. This has much better performance.
* Fix TextFormat parser to build up recurring (but supposedly not repeated)
 sub-messages directly from text rather than building a new sub-message and
 merging the fully formed message into the existing field.
* This release addresses a [Security Advisory for Java users](https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2)

3.20.2

C++
* Reduce memory consumption of MessageSet parsing
* This release addresses a [Security Advisory for C++ and Python users](https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf)

3.20.1

PHP
* Fix building packaged PHP extension (9727)
* Fixed composer.json to only advertise compatibility with PHP 7.0+.  (9819)

Ruby
* Disable the aarch64 build on macOS until it can be fixed. (9816)

Other
* Fix versioning issues in 3.20.0

3.20.1rc1

PHP
* Fix building packaged PHP extension (9727)

Other
* Fix versioning issues in 3.20.0

3.20.0

2022-03-25 version 3.20.0 (C++/Java/Python/PHP/Objective-C/C/Ruby/JavaScript)

Ruby
* Dropped Ruby 2.3 and 2.4 support for CI and releases. (9311)
* Added Ruby 3.1 support for CI and releases (9566).
* Message.decode/encode: Add recursion_limit option (9218/9486)
* Allocate with xrealloc()/xfree() so message allocation is visible to the
 Ruby GC.  In certain tests this leads to much lower memory usage due to more
 frequent GC runs (9586).
* Fix conversion of singleton classes in Ruby (9342)
* Suppress warning for intentional circular require (9556)
* JSON will now output shorter strings for double and float fields when possible
 without losing precision.
* Encoding and decoding of binary format will now work properly on big-endian
 systems.
* UTF-8 verification was fixed to properly reject surrogate code points.
* Unknown enums for proto2 protos now properly implement proto2's behavior of
 putting such values in unknown fields.

Java
* Revert "Standardize on Array copyOf" (9400)
* Resolve more java field accessor name conflicts (8198)
* Don't support map fields in DynamicMessage.Builder.{getFieldBuilder,getRepeatedFieldBuilder}
* Fix parseFrom to only throw InvalidProtocolBufferException
* InvalidProtocolBufferException now allows arbitrary wrapped Exception types.
* Fix bug in `FieldSet.Builder.mergeFrom`
* Flush CodedOutputStream also flushes underlying OutputStream
* When oneof case is the same and the field type is Message, merge the
 subfield. (previously it was replaced.)’
* Add CheckReturnValue to some protobuf types
* Report original exceptions when parsing JSON
* Add more info to deprecated javadoc for set/get/has methods
* Fix initialization bug in doc comment line numbers
* Fix comments for message set wire format.

Kotlin
* Add test scope to kotlin-test for protobuf-kotlin-lite (9518)
* Add orNull extensions for optional message fields.
* Add orNull extensions to all proto3 message fields.

Python
* Dropped support for Python < 3.7 (9480)
* Protoc is now able to generate python stubs (.pyi) with --pyi_out
* Pin multibuild scripts to get manylinux1 wheels back (9216)
* Fix type annotations of some Duration and Timestamp methods.
* Repeated field containers are now generic in field types and could be used
 in type annotations.
*[Breaking change] Protobuf python generated codes are simplified. Descriptors and message
 classes' definitions are now dynamic created in internal/builder.py.
 Insertion Points for messages classes are discarded.
* has_presence is added for FieldDescriptor in python
* Loosen indexing type requirements to allow valid __index__() implementations
 rather than only PyLongObjects.
* Fix the deepcopy bug caused by not copying message_listener.
* Added python JSON parse recursion limit (default 100)
* Path info is added for python JSON parse errors
* Pure python repeated scalar fields will not able to pickle. Convert to list
 first.
* Timestamp.ToDatetime() now accepts an optional tzinfo parameter. If
 specified, the function returns a timezone-aware datetime in the given time
 zone. If omitted or None, the function returns a timezone-naive UTC datetime
 (as previously).
* Adds client_streaming and server_streaming fields to MethodDescriptor.
* Add "ensure_ascii" parameter to json_format.MessageToJson. This allows smaller
 JSON serializations with UTF-8 or other non-ASCII encodings.
* Added experimental support for directly assigning numpy scalars and array.
* Improve the calculation of public_dependencies in DescriptorPool.
* [Breaking Change] Disallow setting fields to numpy singleton arrays or repeated fields to numpy
 multi-dimensional arrays. Numpy arrays should be indexed or flattened explicitly before assignment.

Compiler
* Migrate IsDefault(const std::string*) and UnsafeSetDefault(const std::string*)
* Implement strong qualified tags for TaggedPtr
* Rework allocations to power-of-two byte sizes.
* Migrate IsDefault(const std::string*) and UnsafeSetDefault(const std::string*)
* Implement strong qualified tags for TaggedPtr
* Make TaggedPtr Set...() calls explicitly spell out the content type.
* Check for parsing error before verifying UTF8.
* Enforce a maximum message nesting limit of 32 in the descriptor builder to
 guard against stack overflows
* Fixed bugs in operators for RepeatedPtrIterator
* Assert a maximum map alignment for allocated values
* Fix proto1 group extension protodb parsing error
* Do not log/report the same descriptor symbol multiple times if it contains
 more than one invalid character.
* Add UnknownFieldSet::SerializeToString and SerializeToCodedStream.
* Remove explicit default pointers and deprecated API from protocol compiler

Arenas
* Change Repeated*Field to reuse memory when using arenas.
* Implements pbarenaz for profiling proto arenas
* Introduce CreateString() and CreateArenaString() for cleaner semantics
* Fix unreferenced parameter for MSVC builds
* Add UnsafeSetAllocated to be used for one-of string fields.
* Make Arena::AllocateAligned() a public function.
* Determine if ArenaDtor related code generation is necessary in one place.
* Implement on demand register ArenaDtor for InlinedStringField

C++
* Enable testing via CTest (8737)
* Add option to use external GTest in CMake (8736)
* CMake: Set correct sonames for libprotobuf-lite.so and libprotoc.so (8635) (9529)
* Add cmake option `protobuf_INSTALL` to not install files (7123)
* CMake: Allow custom plugin options e.g. to generate mocks (9105)
* CMake: Use linker version scripts (9545)
* Manually *struct Cord fields to work better with arenas.
* Manually destruct map fields.
* Generate narrower code
* Fix https://github.com/protocolbuffers/protobuf/issues/9378 by removing
 shadowed _cached_size_ field
* Remove GetPointer() and explicit nullptr defaults.
* Add proto_h flag for speeding up large builds
* Add missing overload for reference wrapped fields.
* Add MergedDescriptorDatabase::FindAllFileNames()
* RepeatedField now defines an iterator type instead of using a pointer.
* Remove obsolete macros GOOGLE_PROTOBUF_HAS_ONEOF and GOOGLE_PROTOBUF_HAS_ARENAS.

PHP
* Fix: add missing reserved classnames (9458)
* PHP 8.1 compatibility (9370)

C
* Fix trim warnings (9182)
* Fixes NullReferenceException when accessing FieldDescriptor.IsPacked (9430)
* Add ToProto() method to all descriptor classes (9426)
* Add an option to preserve proto names in JsonFormatter (6307)

Objective-C
* Add prefix_to_proto_package_mappings_path option. (9498)
* Rename `proto_package_to_prefix_mappings_path` to `package_to_prefix_mappings_path`. (9552)
* Add a generation option to control use of forward declarations in headers. (9568)

3.20.0rc2

Ruby
* to_json will now use fewer decimal places to encode float/double in some cases, if the extra digits are not necessary for round-tripping

PHP
* to_json will now use fewer decimal places to encode float/double in some cases, if the extra digits are not necessary for round-tripping

3.20.0rc1

Ruby
* Dropped Ruby 2.3 and 2.4 support for CI and releases. (9311)
* Message.decode/encode: Add max_recursion_depth option (9218)
* Rename max_recursion_depth to recursion_limit (9486)
* Fix conversion of singleton classes in Ruby (9342)
* Suppress warning for intentional circular require (9556)
* JSON will now output shorter strings for double and float fields when possible
 without losing precision.
* Encoding and decoding of binary format will now work properly on big-endian
 systems.
* UTF-8 verification was fixed to properly reject surrogate code points.
* Unknown enums for proto2 protos now properly implement proto2's behavior of
 putting such values in unknown fields.

Java
* Revert "Standardize on Array copyOf" (9400)
* Resolve more java field accessor name conflicts (8198)
* Don't support map fields in DynamicMessage.Builder.{getFieldBuilder,getRepeatedFieldBuilder}
* Fix parseFrom to only throw InvalidProtocolBufferException
* InvalidProtocolBufferException now allows arbitrary wrapped Exception types.
* Fix bug in `FieldSet.Builder.mergeFrom`
* Flush CodedOutputStream also flushes underlying OutputStream
* When oneof case is the same and the field type is Message, merge the
 subfield. (previously it was replaced.)’
* Add CheckReturnValue to some protobuf types
* Report original exceptions when parsing JSON
* Add

[pyup-bot]

Closing this in favor of #138