[Cryptography-dev] PyCA cryptography 37.0.0 released

Tue Apr 26 11:25:44 EDT 2022

PyCA cryptography 37.0.0 has been released to PyPI. cryptography
includes both high level recipes and low level interfaces to common
cryptographic algorithms such as symmetric ciphers, asymmetric
algorithms, message digests, X509, key derivation functions, and much
more. We support Python 3.6+, and PyPy3.

Changelog (https://cryptography.io/en/latest/changelog/#v37-0-0):
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2.
* BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL 2.9.x and
3.0.x. The new minimum LibreSSL version is 3.1+.
* BACKWARDS INCOMPATIBLE: Removed signer and verifier methods from the
public key and private key classes. These methods were originally
deprecated in version 2.0, but had an extended deprecation timeline
due to usage. Any remaining users should transition to sign and
verify.
* Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer
supported by the OpenSSL project. The next release of cryptography
will be the last to support compiling with OpenSSL 1.1.0.
* Deprecated Python 3.6 support. Python 3.6 is no longer supported by
the Python core team. Support for Python 3.6 will be removed in a
future cryptography release.
* Deprecated the current minimum supported Rust version (MSRV) of
1.41.0. In the next release we will raise MSRV to 1.48.0. Users with
the latest pip will typically get a wheel and not need Rust installed,
but check Installation for documentation on installing a newer rustc
if required.
* Deprecated CAST5, SEED, IDEA, and Blowfish because they are legacy
algorithms with extremely low usage. These will be removed in a future
version of cryptography.
* Added limited support for distinguished names containing a bit string.
* We now ship universal2 wheels on macOS, which contain both arm64 and
x86_64 architectures. Users on macOS should upgrade to the latest pip
to ensure they can use this wheel, although we will continue to ship
x86_64 specific wheels for now to ease the transition.
* This will be the final release for which we ship manylinux2010
wheels. Going forward the minimum supported manylinux ABI for our
wheels will be manylinux2014. The vast majority of users will continue
to receive manylinux wheels provided they have an up to date pip. For
PyPy wheels this release already requires manylinux2014 for
compatibility with binaries distributed by upstream.
* Added support for multiple OCSPSingleResponse in a OCSPResponse.
* Restored support for signing certificates and other structures in
X.509 with SHA3 hash algorithms.
* TripleDES is disabled in FIPS mode.
* Added support for serialization of PKCS#12 CA friendly names/aliases
in serialize_key_and_certificates()
* Added support for 12-15 byte (96 to 120 bit) nonces to AESOCB3. This
class previously supported only 12 byte (96 bit).
* Added support for AESSIV when using OpenSSL 3.0.0+.
* Added support for serializing PKCS7 structures from a list of
certificates with serialize_certificates.
* Added support for parsing RFC 4514 strings with from_rfc4514_string().
* Added AUTO to PSS. This can be used to verify a signature where the
salt length is not already known.
* Added DIGEST_LENGTH to PSS. This constant will set the salt length
to the same length as the PSS hash algorithm.
* Added support for loading RSA-PSS key types with
load_pem_private_key() and load_der_private_key(). This functionality
is limited to OpenSSL 1.1.1e+ and loads the key as a normal RSA
private key, discarding the PSS constraint information.

-Paul Kehrer (reaperhulk)