pythad / nider

Python package to add text to images, textures and different backgrounds
MIT License
151 stars 19 forks source link

Update cryptography to 37.0.0 #343

Closed pyup-bot closed 2 years ago

pyup-bot commented 2 years ago

This PR updates cryptography from 3.0 to 37.0.0.

Changelog ### 37.0.0 ``` ~~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x and 3.0.x. The new minimum LibreSSL version is 3.1+. * **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier`` methods from the public key and private key classes. These methods were originally deprecated in version 2.0, but had an extended deprecation timeline due to usage. Any remaining users should transition to ``sign`` and ``verify``. * Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by the OpenSSL project. The next release of ``cryptography`` will be the last to support compiling with OpenSSL 1.1.0. * Deprecated Python 3.6 support. Python 3.6 is no longer supported by the Python core team. Support for Python 3.6 will be removed in a future ``cryptography`` release. * Deprecated the current minimum supported Rust version (MSRV) of 1.41.0. In the next release we will raise MSRV to 1.48.0. Users with the latest ``pip`` will typically get a wheel and not need Rust installed, but check :doc:`/installation` for documentation on installing a newer ``rustc`` if required. * Deprecated :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`, :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`, :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish` because they are legacy algorithms with extremely low usage. These will be removed in a future version of ``cryptography``. * Added limited support for distinguished names containing a bit string. * We now ship ``universal2`` wheels on macOS, which contain both ``arm64`` and ``x86_64`` architectures. Users on macOS should upgrade to the latest ``pip`` to ensure they can use this wheel, although we will continue to ship ``x86_64`` specific wheels for now to ease the transition. * This will be the final release for which we ship ``manylinux2010`` wheels. Going forward the minimum supported ``manylinux`` ABI for our wheels will be ``manylinux2014``. The vast majority of users will continue to receive ``manylinux`` wheels provided they have an up to date ``pip``. For PyPy wheels this release already requires ``manylinux2014`` for compatibility with binaries distributed by upstream. * Added support for multiple :class:`~cryptography.x509.ocsp.OCSPSingleResponse` in a :class:`~cryptography.x509.ocsp.OCSPResponse`. * Restored support for signing certificates and other structures in :doc:`/x509/index` with SHA3 hash algorithms. * :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` is disabled in FIPS mode. * Added support for serialization of PKCS12 CA friendly names/aliases in :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates` * Added support for 12-15 byte (96 to 120 bit) nonces to :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`. This class previously supported only 12 byte (96 bit). * Added support for :class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV` when using OpenSSL 3.0.0+. * Added support for serializing PKCS7 structures from a list of certificates with :class:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates`. * Added support for parsing :rfc:`4514` strings with :meth:`~cryptography.x509.Name.from_rfc4514_string`. * Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.AUTO` to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This can be used to verify a signature where the salt length is not already known. * Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.DIGEST_LENGTH` to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This constant will set the salt length to the same length as the ``PSS`` hash algorithm. * Added support for loading RSA-PSS key types with :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key` and :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`. This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a normal RSA private key, discarding the PSS constraint information. .. _v36-0-2: ``` ### 36.0.2 ``` ~~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n. .. _v36-0-1: ``` ### 36.0.1 ``` ~~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m. .. _v36-0-0: ``` ### 36.0.0 ``` ~~~~~~~~~~~~~~~~~~~ * **FINAL DEPRECATION** Support for ``verifier`` and ``signer`` on our asymmetric key classes was deprecated in version 2.0. These functions had an extended deprecation due to usage, however the next version of ``cryptography`` will drop support. Users should migrate to ``sign`` and ``verify``. * The entire :doc:`/x509/index` layer is now written in Rust. This allows alternate asymmetric key implementations that can support cloud key management services or hardware security modules provided they implement the necessary interface (for example: :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`). * :ref:`Deprecated the backend argument<faq-missing-backend>` for all functions. * Added support for :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`. * Added support for iterating over arbitrary request :attr:`~cryptography.x509.CertificateSigningRequest.attributes`. * Deprecated the ``get_attribute_for_oid`` method on :class:`~cryptography.x509.CertificateSigningRequest` in favor of :meth:`~cryptography.x509.Attributes.get_attribute_for_oid` on the new :class:`~cryptography.x509.Attributes` object. * Fixed handling of PEM files to allow loading when certificate and key are in the same file. * Fixed parsing of :class:`~cryptography.x509.CertificatePolicies` extensions containing legacy ``BMPString`` values in their ``explicitText``. * Allow parsing of negative serial numbers in certificates. Negative serial numbers are prohibited by :rfc:`5280` so a deprecation warning will be raised whenever they are encountered. A future version of ``cryptography`` will drop support for parsing them. * Added support for parsing PKCS12 files with friendly names for all certificates with :func:`~cryptography.hazmat.primitives.serialization.pkcs12.load_pkcs12`, which will return an object of type :class:`~cryptography.hazmat.primitives.serialization.pkcs12.PKCS12KeyAndCertificates`. * :meth:`~cryptography.x509.Name.rfc4514_string` and related methods now have an optional ``attr_name_overrides`` parameter to supply custom OID to name mappings, which can be used to match vendor-specific extensions. * **BACKWARDS INCOMPATIBLE:** Reverted the nonstandard formatting of email address fields as ``E`` in :meth:`~cryptography.x509.Name.rfc4514_string` methods from version 35.0. The previous behavior can be restored with: ``name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})`` * Allow :class:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey` and :class:`~cryptography.hazmat.primitives.asymmetric.x448.X448PublicKey` to be used as public keys when parsing certificates or creating them with :class:`~cryptography.x509.CertificateBuilder`. These key types must be signed with a different signing algorithm as ``X25519`` and ``X448`` do not support signing. * Extension values can now be serialized to a DER byte string by calling :func:`~cryptography.x509.ExtensionType.public_bytes`. * Added experimental support for compiling against BoringSSL. As BoringSSL does not commit to a stable API, ``cryptography`` tests against the latest commit only. Please note that several features are not available when building against BoringSSL. * Parsing ``CertificateSigningRequest`` from DER and PEM now, for a limited time period, allows the ``Extension`` ``critical`` field to be incorrectly encoded. See `the issue <https://github.com/pyca/cryptography/issues/6368>`_ for complete details. This will be reverted in a future ``cryptography`` release. * When :class:`~cryptography.x509.OCSPNonce` are parsed and generated their value is now correctly wrapped in an ASN.1 ``OCTET STRING``. This conforms to :rfc:`6960` but conflicts with the original behavior specified in :rfc:`2560`. For a temporary period for backwards compatibility, we will also parse values that are encoded as specified in :rfc:`2560` but this behavior will be removed in a future release. .. _v35-0-0: ``` ### 35.0.0 ``` ~~~~~~~~~~~~~~~~~~~ * Changed the :ref:`version scheme <api-stability:versioning>`. This will result in us incrementing the major version more frequently, but does not change our existing backwards compatibility policy. * **BACKWARDS INCOMPATIBLE:** The :doc:`/x509/index` PEM parsers now require that the PEM string passed have PEM delimiters of the correct type. For example, parsing a private key PEM concatenated with a certificate PEM will no longer be accepted by the PEM certificate parser. * **BACKWARDS INCOMPATIBLE:** The X.509 certificate parser no longer allows negative serial numbers. :rfc:`5280` has always prohibited these. * **BACKWARDS INCOMPATIBLE:** Additional forms of invalid ASN.1 found during :doc:`/x509/index` parsing will raise an error on initial parse rather than when the malformed field is accessed. * Rust is now required for building ``cryptography``, the ``CRYPTOGRAPHY_DONT_BUILD_RUST`` environment variable is no longer respected. * Parsers for :doc:`/x509/index` no longer use OpenSSL and have been rewritten in Rust. This should be backwards compatible (modulo the items listed above) and improve both security and performance. * Added support for OpenSSL 3.0.0 as a compilation target. * Added support for :class:`~cryptography.hazmat.primitives.hashes.SM3` and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SM4`, when using OpenSSL 1.1.1. These algorithms are provided for compatibility in regions where they may be required, and are not generally recommended. * We now ship ``manylinux_2_24`` and ``musllinux_1_1`` wheels, in addition to our ``manylinux2010`` and ``manylinux2014`` wheels. Users on distributions like Alpine Linux should ensure they upgrade to the latest ``pip`` to correctly receive wheels. * Added ``rfc4514_attribute_name`` attribute to :attr:`x509.NameAttribute <cryptography.x509.NameAttribute.rfc4514_attribute_name>`. * Added :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC`. .. _v3-4-8: ``` ### 3.4.8 ``` ~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and ``manylinux`` wheels to be compiled with OpenSSL 1.1.1l. .. _v3-4-7: ``` ### 3.4.7 ``` ~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and ``manylinux`` wheels to be compiled with OpenSSL 1.1.1k. .. _v3-4-6: ``` ### 3.4.6 ``` ~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and ``manylinux`` wheels to be compiled with OpenSSL 1.1.1j. .. _v3-4-5: ``` ### 3.4.5 ``` ~~~~~~~~~~~~~~~~~~ * Various improvements to type hints. * Lower the minimum supported Rust version (MSRV) to >=1.41.0. This change improves compatibility with system-provided Rust on several Linux distributions. * ``cryptography`` will be switching to a new versioning scheme with its next feature release. More information is available in our :doc:`/api-stability` documentation. .. _v3-4-4: ``` ### 3.4.4 ``` ~~~~~~~~~~~~~~~~~~ * Added a ``py.typed`` file so that ``mypy`` will know to use our type annotations. * Fixed an import cycle that could be triggered by certain import sequences. .. _v3-4-3: ``` ### 3.4.3 ``` ~~~~~~~~~~~~~~~~~~ * Specify our supported Rust version (>=1.45.0) in our ``setup.py`` so users on older versions will get a clear error message. .. _v3-4-2: ``` ### 3.4.2 ``` ~~~~~~~~~~~~~~~~~~ * Improvements to make the rust transition a bit easier. This includes some better error messages and small dependency fixes. If you experience installation problems **Be sure to update pip** first, then check the :doc:`FAQ </faq>`. .. _v3-4-1: ``` ### 3.4.1 ``` ~~~~~~~~~~~~~~~~~~ * Fixed a circular import issue. * Added additional debug output to assist users seeing installation errors due to outdated ``pip`` or missing ``rustc``. .. _v3-4: ``` ### 3.4 ``` ~~~~~~~~~~~~~~~~ * **BACKWARDS INCOMPATIBLE:** Support for Python 2 has been removed. * We now ship ``manylinux2014`` wheels and no longer ship ``manylinux1`` wheels. Users should upgrade to the latest ``pip`` to ensure this doesn't cause issues downloading wheels on their platform. * ``cryptography`` now incorporates Rust code. Users building ``cryptography`` themselves will need to have the Rust toolchain installed. Users who use an officially produced wheel will not need to make any changes. The minimum supported Rust version is 1.45.0. * ``cryptography`` now has :pep:`484` type hints on nearly all of of its public APIs. Users can begin using them to type check their code with ``mypy``. .. _v3-3-2: ``` ### 3.3.2 ``` ~~~~~~~~~~~~~~~~~~ * **SECURITY ISSUE:** Fixed a bug where certain sequences of ``update()`` calls when symmetrically encrypting very large payloads (>2GB) could result in an integer overflow, leading to buffer overflows. *CVE-2020-36242* **Update:** This fix is a workaround for *CVE-2021-23840* in OpenSSL, fixed in OpenSSL 1.1.1j. .. _v3-3-1: ``` ### 3.3.1 ``` ~~~~~~~~~~~~~~~~~~ * Re-added a legacy symbol causing problems for older ``pyOpenSSL`` users. .. _v3-3: ``` ### 3.3 ``` ~~~~~~~~~~~~~~~~ * **BACKWARDS INCOMPATIBLE:** Support for Python 3.5 has been removed due to low usage and maintenance burden. * **BACKWARDS INCOMPATIBLE:** The :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` and :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM` now require 64-bit to 1024-bit (8 byte to 128 byte) initialization vectors. This change is to conform with an upcoming OpenSSL release that will no longer support sizes outside this window. * **BACKWARDS INCOMPATIBLE:** When deserializing asymmetric keys we now raise ``ValueError`` rather than ``UnsupportedAlgorithm`` when an unsupported cipher is used. This change is to conform with an upcoming OpenSSL release that will no longer distinguish between error types. * **BACKWARDS INCOMPATIBLE:** We no longer allow loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing. * Updated Windows, macOS, and ``manylinux`` wheels to be compiled with OpenSSL 1.1.1i. * Python 2 support is deprecated in ``cryptography``. This is the last release that will support Python 2. * Added the :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey.recover_data_from_signature` function to :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` for recovering the signed data from an RSA signature. .. _v3-2-1: ``` ### 3.2.1 ``` ~~~~~~~~~~~~~~~~~~ * Disable blinding on RSA public keys to address an error with some versions of OpenSSL. .. _v3-2: ``` ### 3.2 ``` ~~~~~~~~~~~~~~~~ * **SECURITY ISSUE:** Attempted to make RSA PKCS1v1.5 decryption more constant time, to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by our API, we cannot completely mitigate this vulnerability and a future release will contain a new API which is designed to be resilient to these for contexts where it is required. Credit to **Hubert Kario** for reporting the issue. *CVE-2020-25659* * Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL will need to upgrade. * Added basic support for PKCS7 signing (including SMIME) via :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder`. .. _v3-1-1: ``` ### 3.1.1 ``` ~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and ``manylinux`` wheels to be compiled with OpenSSL 1.1.1h. .. _v3-1: ``` ### 3.1 ``` ~~~~~~~~~~~~~~~~ * **BACKWARDS INCOMPATIBLE:** Removed support for ``idna`` based :term:`U-label` parsing in various X.509 classes. This support was originally deprecated in version 2.1 and moved to an extra in 2.5. * Deprecated OpenSSL 1.0.2 support. OpenSSL 1.0.2 is no longer supported by the OpenSSL project. The next version of ``cryptography`` will drop support for it. * Deprecated support for Python 3.5. This version sees very little use and will be removed in the next release. * ``backend`` arguments to functions are no longer required and the default backend will automatically be selected if no ``backend`` is provided. * Added initial support for parsing certificates from PKCS7 files with :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates` and :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates` . * Calling ``update`` or ``update_into`` on :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with ``data`` longer than 2\ :sup:`31` bytes no longer raises an ``OverflowError``. This also resolves the same issue in :doc:`/fernet`. .. _v3-0: ```
Links - PyPI: https://pypi.org/project/cryptography - Changelog: https://pyup.io/changelogs/cryptography/ - Repo: https://github.com/pyca/cryptography
pyup-bot commented 2 years ago

Closing this in favor of #344