Skip to content

Latest commit

 

History

History
288 lines (234 loc) · 12 KB

changelog.md

File metadata and controls

288 lines (234 loc) · 12 KB

changelog

1.3.0

  • Add support for OpenSSL 3.0
  • Add first-class support for RSASSA-PSS certificates
  • Add user-friendly handling of the error message with TLS on macOS when a ceritificate has a lifetime that is longer than the CAB forum guidelines
  • Fix AES 192/256 encryption on OpenSSL and Windows to allow no padding when plaintext is an exact multiple of 16 bytes long. Previously AES192 would require plaintext with a length that was a multiple of 24 AND 16, and AES256 would require plaintext with a length that was a multiple of 32.
  • Add the ability to skip tests that require internet connectivity via @jnahmias
  • Fix a bug throwing an exception when passing an invalid type to asymmetric.load_public_key() via @Arbitrage0
  • Fix a number of typos in doc strings via @frennkie and @kianmeng

1.2.1

  • Fix running in an environment with a custom OpenSSL install on macOS 10.15
  • Fix compatibility with macOS 11, where ctype.find_library() no longer works due to system .dylibs no longer being present on the filesystem
  • Handle the Mac EPROTOTYPE error that may be returned when a TLS connection is terminated
  • Fixed the oscrypto-tests sdist on PyPi to work properly to generate a .whl

1.2.0

  • Allow oscrypto.use_ctypes(), oscrypto.use_openssl() and oscrypto.use_winlegacy() to be called after initialization as long as the configuration does not change

1.1.1

  • Use versioned libcrypto.dylib and libssl.dylib on macOS Catalina to prevent segfaults
  • Fix warnings reported when using with cffi 1.13.2

1.1.0

  • Added oscrypto.load_order(), which returns a list of unicode strings of the names of the fully-qualified module names for all of submodules of the package. The module names are listed in their dependency load order. This is primarily intended for the sake of implementing hot reloading.

1.0.0

  • Backwards Compatibility Breaks
    • oscrypto.backend() will now return "mac" instead of "osx" when running on a Mac and not explicitly configured to use OpenSSL
  • Enhancements
    • Added functionality to calculate public keys from private keys since that was removed from asn1crypto:
      • asn1crypto.keys.PrivateKeyInfo().unwrap() is now asymmetric.PrivateKey().unwrap()
      • asn1crypto.keys.PrivateKeyInfo().public_key is now asymmetric.PrivateKey().public_key.unwrap()
      • asn1crypto.keys.PrivateKeyInfo().public_key_info is now asymmetric.PrivateKey().public_key.asn1
      • asn1crypto.keys.PrivateKeyInfo().fingerprint is now asymmetric.PrivateKey().fingerprint
      • asn1crypto.keys.PublicKeyInfo().unwrap() is now asymmetric.PublicKey().unwrap()
      • asn1crypto.keys.PublicKeyInfo().fingerprint is now asymmetric.PublicKey().fingerprint
    • Added oscrypto.use_ctypes() to avoid CFFI if desired
    • Added tls.TLSSocket().port property
    • Improved handling of disconnects with tls.TLSSocket()
    • Improved error messages when dealing with failures originating in OpenSSL
    • Allow PEM-encoded files to have leading whitespace when loaded via keys.parse_private(), keys.parse_public() and keys.parse_certificate()
    • Restructured internal imports of asn1crypto to make vendoring easier
    • No longer touch the user keychain on Macs when generating keys, instead use a temporary one
  • Bug Fixes
    • Fixed compatibility with Python 3.7+
    • Fixed compatibility with LibreSSL version 2.2.x+
    • Fixed a bug where tls.TLSSocket().read_until() that would sometimes read more data from the socket than necessary
    • Fixed a buffer overflow when reading data from an OpenSSL memory bio
    • Fixed a bug in util.pbkdf2() that would cause incorrect output in some situations when run on Windows XP or with OpenSSL 0.9.8
    • Fixed aes_cbc_no_padding_encrypt() so it can be executed when the backend is OpenSSL
    • A SecTrustRef obtained from SSLCopyPeerTrust() on Mac is now properly released
  • Packaging
    • wheel, sdist and bdist_egg releases now all include LICENSE, sdist includes docs
    • Added oscrypto_tests package to PyPi

0.19.1

  • Fixed a bug where trust_list.get_path() would not call the cert_callback when a certificate was exported
  • Fixed an issue on OS X/macOS where a certificate with an explicit any purpose trust OID would not be exported since it didn't contain the OID for SSL

0.19.0

  • Backwards compatibility break: trust_list.get_path() not longer accepts the parameter map_vendor_oids, and only includes CA certificates that the OS marks as trusted for TLS server authentication. This change was made due to (at least some versions of) OpenSSL not verifying a server certificate if the CA bundle includes a TRUSTED CERTIFICATE entry, which is how the trust information was exported. Since trust information can no longer be exported to disk, the list of certificates must be filtered, and since the intent of this function was always to provide a list of CA certs for use by OpenSSL when creating TLS connection, this change in functionality is in line with the original intent.
  • asymmetric.rsa_pkcs1v15_verify() and asymmetric.rsa_rss_verify() will now raise a SignatureError when there is a key size mismatch.

0.18.0

  • trust_list.get_path() and trust_list.get_list() now accept a parameter cert_callback, which is a callback that will be called once for each certificate in the trust store. If the certificate will not be exported, a reason will be provided.
  • Added oscrypto.version for version introspection without side-effects
  • Now uses asn1crypto.algos.DSASignature instead of self-contained ASN.1 definition

0.17.3

  • Work around an issue on OS X where SecureTransport would try to read non-TLS data as TLS records, causing hangs with tls.TLSSocket()
  • Handle an alternate way the Windows SChannel API can fail when the DH params for a TLS handshake are too small
  • Fix a bug with cffi on OS X and converting a CFString to a UTF-8 byte string

0.17.2

  • Handle errSecInvalidTrustSettings errors on macOS exporting trust roots
  • Prevent a KeyError on macOS when exporting trust roots and trust settings are present for certificates not in the list

0.17.1

  • Expose LibraryNotFoundError via errors.LibraryNotFoundError

0.17.0

  • Added support for OpenSSL 1.1.0
  • Allow using OpenSSL on OS X and Windows
  • Prevent FFI library references from being garbage collected before parent asymmetric.PublicKey, asymmetric.PrivateKey and asymmetric.Certificate objects
  • Improved handling of errSecAuthFailed error that occurs when calling asymmetric.generate_*() functions on OS X in some virtualenvs

0.16.2

  • Allow cffi files to be removed from source tree when embedding

0.16.1

0.16.0

  • Backwards compatibility break: trust_list.get_list() now returns a list of 3-element tuples containing the certificate byte string, a set of trust OIDs and a set of reject OIDs. Previously it returned a list of certificate byte strings.
  • trust_list now makes OS trust information OIDs available via the trust_list.get_list() function, and writes OpenSSL-compatible trust information to the CA certs file when calling trust_info.get_path() on Windows and OS X.
  • Removed reliance on opaque OpenSSL struct information for compatibility with upcoming OpenSSL 1.1.0 release
  • Improved handling of client authentication and socket read errors when using OpenSSL
  • Added Windows XP support

0.15.0

  • Added asymmetric.generate_dh_parameters() and asymmetric.dump_dh_parameters()
  • Improve disconnection handling of tls.TLSSocket on Windows
  • Ensure that certificates signed using MD5 and MD2 are rejected on Windows when using the extra_trust_roots parameter of tls.TLSSession

0.14.2

  • Fixed trust_list to work with new Security.framework behavior on OS X 10.11 El Capitan
  • Fixed an occasional bug with tls.TLSSocket() on Windows when using TLSv1.2 and the server negotiated using a DHE_RSA key exchange
  • Fixed a bug on Windows 10 where a TLS handshake would fail if the TLS record was not completely received within one call to socket.recv()
  • Fixed a bug where a private key would not be encoded with PEM encoding when requested, if no passphrase was provided to asymmetric.dump_private_key()

0.14.1

  • Fixed a bug where asymmetric.generate_pair() would raise an exception on OS X when the system Python was used to create a virtualenv

0.14.0

  • tls.TLSSocket() now has a default connect, read and write timeout of 10 seconds
  • Fixed bugs with manual_validation keyword param for tls.TLSSession() on all three platforms
  • Fixed a bug in asymmetric.PublicKey.self_signed that would always force signature verification
  • Improved parsing of TLS records during handshakes to improve error messaging
  • tls.TLSSocket() on OS X now respects KeyboardInterrupt while in a read or write callback
  • TLS connections on Windows will fallback to TLSv1.1 if TLSv1.2 is negotiated but a trust root with an MD2 or MD5 certificate is part of the certificate path. Previously the connection would fail.
  • TLS connections with optional client authentication no longer fail on Windows
  • trust_list.get_list() on Windows now returns a de-duplicated list

0.13.1

  • Improved handling of signature errors to always raise errors.SignatureError
  • Fixed a bug with trust_list.get_list() on Windows not returning certificates that were valid for all uses

0.13.0

  • Backwards compatibility break: trust_list.get_list() now returns a list of asn1crypto.x509.Certificate objects instead of a list of byte strings
  • trust_list.get_list() now returns a copy of the list to prevent accidental modification of the list
  • Added tls.TLSSocket.hostname

0.12.0

  • Fixed Python 2.6 support on Windows and Linux
  • Fixed handling of some TLS error conditions with Python 2 on Windows
  • Corrected handling of incomplete DSA keys on Windows
  • Fixed a bug converting a FILETIME struct with Python 2 on Windows to a datetime object
  • Fixed a cast/free bug with cffi and CPython on Windows that incorrectly reported some TLS certificates as invalid
  • Fixed a bug with exporting the trust list from Windows on Python 2 x64
  • Fixed detection of weak DH params in a TLS connection on OS X 10.7-10.9
  • OS X 10.7-10.9 no longer use CRL/OCSP to check for revocation, making the functionality consistent with Linux, Window and OS X 10.10 and newer
  • Fixed OS X 10.7 TLS validation when using extra_trust_roots in a tls.TLSSession

0.11.1

  • Handles specific weak DH keys error code in newer versions of OpenSSL
  • Added __str__() and __unicode__() to TLS exceptions

0.11.0

  • Added TLS functionality
  • Added Python 2.6 support
  • Added asymmetric.Certificate.self_signed
  • Added "raw" RSA signing/verification to asymmetric.rsa_pkcs1v15_sign() and asymmetric.rsa_pkcs1v15_verify() functions
  • Fixes for compatibility bugs with OS X 10.7
  • Fixes for compatibility bugs with pypy3
  • Fixes for compatibility bugs with cffi 0.8.6

0.10.0

  • oscrypto.public_key renamed to oscrypto.asymmetric
  • .algo attribute of asymmetric.PublicKey, asymmetric.PrivateKey and asymmetric.Certificate classes renamed to .algorithm
  • parse_public(), parse_private(), parse_certificate() and parse_pkcs12() all now return just an asn1crypto object instead of a 2-element tuple with the algorithm name
  • Added the asymmetric.generate_pair() function
  • Added the functions:
    • asymmetric.dump_certificate()
    • asymmetric.dump_public_key()
    • asymmetric.dump_private_key()
    • asymmetric.dump_openssl_private_key()
  • Added the kdf.pbkdf2_iteration_calculator() function
  • Added the setup.py clean command

0.9.0

  • Initial release