[Cryptography-dev] PyCA cryptography 42.0.0 released

Paul Kehrer paul.l.kehrer at gmail.com
Mon Jan 22 20:41:31 EST 2024 

PyCA cryptography 42.0.0 has been released to PyPI. cryptography
includes both high level recipes and low level interfaces to common
cryptographic algorithms such as symmetric ciphers, asymmetric
algorithms, message digests, X509, key derivation functions, and much
more. We support Python 3.7+, and PyPy3 7.3.10+.

Changelog (https://cryptography.io/en/latest/changelog/#v42-0-0):
* BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.7.
* BACKWARDS INCOMPATIBLE: Loading a PKCS7 with no content field using
load_pem_pkcs7_certificates() or load_der_pkcs7_certificates() will
now raise a ValueError rather than return an empty list.
* Parsing SSH certificates no longer permits malformed critical
options with values, as documented in the 41.0.2 release notes.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.0.
* Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0.
* We now publish both py37 and py39 abi3 wheels. This should resolve
some errors relating to initializing a module multiple times per
process.
* Support PSS for X.509 certificate signing requests and certificate
revocation lists with the keyword-only argument rsa_padding on the
sign methods for CertificateSigningRequestBuilder and
CertificateRevocationListBuilder.
* Added support for obtaining X.509 certificate signing request
signature algorithm parameters (including PSS) via
signature_algorithm_parameters().
* Added support for obtaining X.509 certificate revocation list
signature algorithm parameters (including PSS) via
signature_algorithm_parameters().
* Added mgf property to PSS.
* Added algorithm and mgf properties to OAEP.
* Added the following properties that return timezone-aware datetime
objects: not_valid_before_utc(), not_valid_after_utc(),
revocation_date_utc(), next_update_utc(), last_update_utc(). These are
timezone-aware variants of existing properties that return naïve
datetime objects.
* Deprecated the following properties that return naïve datetime
objects: not_valid_before(), not_valid_after(), revocation_date(),
next_update(), last_update() in favor of the new timezone-aware
variants mentioned above.
* Added support for ChaCha20 on LibreSSL.
* Added support for RSA PSS signatures in PKCS7 with add_signer().
* In the next release (43.0.0) of cryptography, loading an X.509
certificate with a negative serial number will raise an exception.
This has been deprecated since 36.0.0.
* Added support for AESGCMSIV when using OpenSSL 3.2.0+.
* Added the X.509 path validation APIs for Certificate chains. These
APIs should be considered unstable and not subject to our stability
guarantees until documented as such in a future release.
* Added support for SM4 GCM when using OpenSSL 3.0 or greater.

-Paul Kehrer (reaperhulk)

More information about the Cryptography-dev mailing list