[Cryptography-dev] PyCA cryptography 40.0.0 released

Paul Kehrer paul.l.kehrer at gmail.com
Fri Mar 24 00:41:27 EDT 2023 

PyCA cryptography 40.0.0 has been released to PyPI. cryptography
includes both high level recipes and low level interfaces to common
cryptographic algorithms such as symmetric ciphers, asymmetric
algorithms, message digests, X509, key derivation functions, and much
more. We support Python 3.6+, and PyPy3 7.3.10+.

Changelog (https://cryptography.io/en/latest/changelog/#v40-0-0):
* BACKWARDS INCOMPATIBLE: As announced in the 39.0.0 changelog, the
way cryptography links OpenSSL has changed. This only impacts users
who build cryptography from source (i.e., not from a wheel), and
specify their own version of OpenSSL. For those users, the CFLAGS,
LDFLAGS, INCLUDE, LIB, and CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS
environment variables are no longer valid. Instead, users need to
configure their builds as documented here.
* Support for Python 3.6 is deprecated and will be removed in the next release.
* Deprecated the current minimum supported Rust version (MSRV) of
1.48.0. In the next release we will raise MSRV to 1.56.0. Users with
the latest pip will typically get a wheel and not need Rust installed,
but check Installation for documentation on installing a newer rustc
if required.
* Deprecated support for OpenSSL less than 1.1.1d. The next release of
cryptography will drop support for older versions.
* Deprecated support for DSA keys in load_ssh_public_key() and
load_ssh_private_key().
* Deprecated support for OpenSSH serialization in DSAPublicKey and
DSAPrivateKey.
* The minimum supported version of PyPy3 is now 7.3.10.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.0.
* Added support for parsing SSH certificates in addition to public
keys with load_ssh_public_identity(). load_ssh_public_key() continues
to support only public keys.
* Added support for generating SSH certificates with SSHCertificateBuilder.
* Added verify_directly_issued_by() to Certificate.
* Added a check to NameConstraints to ensure that DNSName constraints
do not contain any * wildcards.
* Removed many unused CFFI OpenSSL bindings. This will not impact you
unless you are using cryptography to directly invoke OpenSSL’s C API.
Note that these have never been considered a stable, supported, public
API by cryptography, this note is included as a courtesy.
* The X.509 builder classes now raise UnsupportedAlgorithm instead of
ValueError if an unsupported hash algorithm is passed.
* Added public union type aliases for type hinting:
    Asymmetric types: PublicKeyTypes, PrivateKeyTypes,
CertificatePublicKeyTypes, CertificateIssuerPublicKeyTypes,
CertificateIssuerPrivateKeyTypes
    SSH keys: SSHPublicKeyTypes, SSHPrivateKeyTypes,
SSHCertPublicKeyTypes, SSHCertPrivateKeyTypes
    PKCS12: PKCS12PrivateKeyTypes
    PKCS7: PKCS7HashTypes, PKCS7PrivateKeyTypes
    Two-factor: HOTPHashTypes
* Deprecated previously undocumented but not private type aliases in
the cryptography.hazmat.primitives.asymmetric.types module in favor of
new ones above.

-Paul Kehrer (reaperhulk)

More information about the Cryptography-dev mailing list