Update cryptography to 3.2.1

[pyup-bot]

This PR updates cryptography from 2.3.1 to 3.2.1.

Changelog

3.2

~~~~~~~~~~~~~~~~

* **SECURITY ISSUE:** Attempted to make RSA PKCS1v1.5 decryption more constant
time, to protect against Bleichenbacher vulnerabilities. Due to limitations
imposed by our API, we cannot completely mitigate this vulnerability and a
future release will contain a new API which is designed to be resilient to
these for contexts where it is required. Credit to **Hubert Kario** for
reporting the issue. *CVE-2020-25659*
* Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL
will need to upgrade.
* Added basic support for PKCS7 signing (including SMIME) via
:class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder`.

.. _v3-1-1:

3.1.1

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1h.

.. _v3-1:

3.1

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Removed support for ``idna`` based
:term:`U-label` parsing in various X.509 classes. This support was originally
deprecated in version 2.1 and moved to an extra in 2.5.
* Deprecated OpenSSL 1.0.2 support. OpenSSL 1.0.2 is no longer supported by
the OpenSSL project. The next version of ``cryptography`` will drop support
for it.
* Deprecated support for Python 3.5. This version sees very little use and will
be removed in the next release.
* ``backend`` arguments to functions are no longer required and the
default backend will automatically be selected if no ``backend`` is provided.
* Added initial support for parsing certificates from PKCS7 files with
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
and
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`
.
* Calling ``update`` or ``update_into`` on
:class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with ``data``
longer than 2\ :sup:`31` bytes no longer raises an ``OverflowError``. This
also resolves the same issue in :doc:`/fernet`.

.. _v3-0:

3.0

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Removed support for passing an
:class:`~cryptography.x509.Extension` instance to
:meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`,
as per our deprecation policy.
* **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has
been removed (2.9.1+ is still supported).
* **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.9, macOS users must
upgrade to 10.10 or newer.
* **BACKWARDS INCOMPATIBLE:** RSA
:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key`
no longer accepts ``public_exponent`` values except 65537 and 3 (the latter
for legacy purposes).
* **BACKWARDS INCOMPATIBLE:** X.509 certificate parsing now enforces that the
``version`` field contains a valid value, rather than deferring this check
until :attr:`~cryptography.x509.Certificate.version` is accessed.
* Deprecated support for Python 2. At the time there is no time table for
actually dropping support, however we strongly encourage all users to upgrade
their Python, as Python 2 no longer receives support from the Python core
team.

If you have trouble suppressing this warning in tests view the :ref:`FAQ
entry addressing this issue <faq-howto-handle-deprecation-warning>`.

* Added support for ``OpenSSH`` serialization format for
``ec``, ``ed25519``, ``rsa`` and ``dsa`` private keys:
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`
for loading and
:attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.OpenSSH`
for writing.
* Added support for ``OpenSSH`` certificates to
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`.
* Added :meth:`~cryptography.fernet.Fernet.encrypt_at_time` and
:meth:`~cryptography.fernet.Fernet.decrypt_at_time` to
:class:`~cryptography.fernet.Fernet`.
* Added support for the :class:`~cryptography.x509.SubjectInformationAccess`
X.509 extension.
* Added support for parsing
:class:`~cryptography.x509.SignedCertificateTimestamps` in OCSP responses.
* Added support for parsing attributes in certificate signing requests via
:meth:`~cryptography.x509.CertificateSigningRequest.get_attribute_for_oid`.
* Added support for encoding attributes in certificate signing requests via
:meth:`~cryptography.x509.CertificateSigningRequestBuilder.add_attribute`.
* On OpenSSL 1.1.1d and higher ``cryptography`` now uses OpenSSL's
built-in CSPRNG instead of its own OS random engine because these versions of
OpenSSL properly reseed on fork.
* Added initial support for creating PKCS12 files with
:func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`.

.. _v2-9-2:

2.9.2

~~~~~~~~~~~~~~~~~~

* Updated the macOS wheel to fix an issue where it would not run on macOS
versions older than 10.15.

.. _v2-9-1:

2.9.1

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1g.

.. _v2-9:

2.9

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Support for Python 3.4 has been removed due to
low usage and maintenance burden.
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.0.1 has been removed.
Users on older version of OpenSSL will need to upgrade.
* **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.6.x has been removed.
* Removed support for calling
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey.public_bytes`
with no arguments, as per our deprecation policy. You must now pass
``encoding`` and ``format``.
* **BACKWARDS INCOMPATIBLE:** Reversed the order in which
:meth:`~cryptography.x509.Name.rfc4514_string` returns the RDNs
as required by :rfc:`4514`.
* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1f.
* Added support for parsing
:attr:`~cryptography.x509.ocsp.OCSPResponse.single_extensions` in an OCSP
response.
* :class:`~cryptography.x509.NameAttribute` values can now be empty strings.

.. _v2-8:

2.8

~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1d.
* Added support for Python 3.8.
* Added class methods
:meth:`Poly1305.generate_tag
<cryptography.hazmat.primitives.poly1305.Poly1305.generate_tag>`
and
:meth:`Poly1305.verify_tag
<cryptography.hazmat.primitives.poly1305.Poly1305.verify_tag>`
for Poly1305 sign and verify operations.
* Deprecated support for OpenSSL 1.0.1. Support will be removed in
``cryptography`` 2.9.
* We now ship ``manylinux2010`` wheels in addition to our ``manylinux1``
wheels.
* Added support for ``ed25519`` and ``ed448`` keys in the
:class:`~cryptography.x509.CertificateBuilder`,
:class:`~cryptography.x509.CertificateSigningRequestBuilder`,
:class:`~cryptography.x509.CertificateRevocationListBuilder` and
:class:`~cryptography.x509.ocsp.OCSPResponseBuilder`.
* ``cryptography`` no longer depends on ``asn1crypto``.
* :class:`~cryptography.x509.FreshestCRL` is now allowed as a
:class:`~cryptography.x509.CertificateRevocationList` extension.

.. _v2-7:

2.7

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** We no longer distribute 32-bit ``manylinux1``
wheels. Continuing to produce them was a maintenance burden.
* **BACKWARDS INCOMPATIBLE:** Removed the
``cryptography.hazmat.primitives.mac.MACContext`` interface. The ``CMAC`` and
``HMAC`` APIs have not changed, but they are no longer registered as
``MACContext`` instances.
* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
OpenSSL 1.1.1c.
* Removed support for running our tests with ``setup.py test``. Users
interested in running our tests can continue to follow the directions in our
:doc:`development documentation</development/getting-started>`.
* Add support for :class:`~cryptography.hazmat.primitives.poly1305.Poly1305`
when using OpenSSL 1.1.1 or newer.
* Support serialization with ``Encoding.OpenSSH`` and ``PublicFormat.OpenSSH``
in
:meth:`Ed25519PublicKey.public_bytes
<cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey.public_bytes>`
.
* Correctly allow passing a ``SubjectKeyIdentifier`` to
:meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`
and deprecate passing an ``Extension`` object. The documentation always
required ``SubjectKeyIdentifier`` but the implementation previously
required an ``Extension``.

.. _v2-6-1:

2.6.1

~~~~~~~~~~~~~~~~~~

* Resolved an error in our build infrastructure that broke our Python3 wheels
for macOS and Linux.

.. _v2-6:

2.6

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Removed
``cryptography.hazmat.primitives.asymmetric.utils.encode_rfc6979_signature``
and
``cryptography.hazmat.primitives.asymmetric.utils.decode_rfc6979_signature``,
which had been deprecated for nearly 4 years. Use
:func:`~cryptography.hazmat.primitives.asymmetric.utils.encode_dss_signature`
and
:func:`~cryptography.hazmat.primitives.asymmetric.utils.decode_dss_signature`
instead.
* **BACKWARDS INCOMPATIBLE**: Removed ``cryptography.x509.Certificate.serial``,
which had been deprecated for nearly 3 years. Use
:attr:`~cryptography.x509.Certificate.serial_number` instead.
* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
OpenSSL 1.1.1b.
* Added support for :doc:`/hazmat/primitives/asymmetric/ed448` when using
OpenSSL 1.1.1b or newer.
* Added support for :doc:`/hazmat/primitives/asymmetric/ed25519` when using
OpenSSL 1.1.1b or newer.
* :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` can
now load ``ed25519`` public keys.
* Add support for easily mapping an object identifier to its elliptic curve
class via
:func:`~cryptography.hazmat.primitives.asymmetric.ec.get_curve_for_oid`.
* Add support for OpenSSL when compiled with the ``no-engine``
(``OPENSSL_NO_ENGINE``) flag.

.. _v2-5:

2.5

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** :term:`U-label` strings were deprecated in
version 2.1, but this version removes the default ``idna`` dependency as
well. If you still need this deprecated path please install cryptography
with the ``idna`` extra: ``pip install cryptography[idna]``.
* **BACKWARDS INCOMPATIBLE:** The minimum supported PyPy version is now 5.4.
* Numerous classes and functions have been updated to allow :term:`bytes-like`
types for keying material and passwords, including symmetric algorithms, AEAD
ciphers, KDFs, loading asymmetric keys, and one time password classes.
* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
OpenSSL 1.1.1a.
* Added support for :class:`~cryptography.hazmat.primitives.hashes.SHA512_224`
and :class:`~cryptography.hazmat.primitives.hashes.SHA512_256` when using
OpenSSL 1.1.1.
* Added support for :class:`~cryptography.hazmat.primitives.hashes.SHA3_224`,
:class:`~cryptography.hazmat.primitives.hashes.SHA3_256`,
:class:`~cryptography.hazmat.primitives.hashes.SHA3_384`, and
:class:`~cryptography.hazmat.primitives.hashes.SHA3_512` when using OpenSSL
1.1.1.
* Added support for :doc:`/hazmat/primitives/asymmetric/x448` when using
OpenSSL 1.1.1.
* Added support for :class:`~cryptography.hazmat.primitives.hashes.SHAKE128`
and :class:`~cryptography.hazmat.primitives.hashes.SHAKE256` when using
OpenSSL 1.1.1.
* Added initial support for parsing PKCS12 files with
:func:`~cryptography.hazmat.primitives.serialization.pkcs12.load_key_and_certificates`.
* Added support for :class:`~cryptography.x509.IssuingDistributionPoint`.
* Added ``rfc4514_string()`` method to
:meth:`x509.Name <cryptography.x509.Name.rfc4514_string>`,
:meth:`x509.RelativeDistinguishedName
<cryptography.x509.RelativeDistinguishedName.rfc4514_string>`, and
:meth:`x509.NameAttribute <cryptography.x509.NameAttribute.rfc4514_string>`
to format the name or component an :rfc:`4514` Distinguished Name string.
* Added
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point`,
which immediately checks if the point is on the curve and supports compressed
points. Deprecated the previous method
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`.
* Added :attr:`~cryptography.x509.ocsp.OCSPResponse.signature_hash_algorithm`
to ``OCSPResponse``.
* Updated :doc:`/hazmat/primitives/asymmetric/x25519` support to allow
additional serialization methods. Calling
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey.public_bytes`
with no arguments has been deprecated.
* Added support for encoding compressed and uncompressed points via
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes`. Deprecated the previous method
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point`.


.. _v2-4-2:

2.4.2

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
OpenSSL 1.1.0j.

.. _v2-4-1:

2.4.1

~~~~~~~~~~~~~~~~~~

* Fixed a build breakage in our ``manylinux1`` wheels.

.. _v2-4:

2.4

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.4.x.
* Deprecated OpenSSL 1.0.1 support. OpenSSL 1.0.1 is no longer supported by
the OpenSSL project. At this time there is no time table for dropping
support, however we strongly encourage all users to upgrade or install
``cryptography`` from a wheel.
* Added initial :doc:`OCSP </x509/ocsp>` support.
* Added support for :class:`~cryptography.x509.PrecertPoison`.

.. _v2-3-1:

Links

• PyPI: https://pypi.org/project/cryptography
• Changelog: https://pyup.io/changelogs/cryptography/
• Repo: https://github.com/pyca/cryptography

[codecov-io]

Codecov Report

Merging #980 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #980   +/-   ##
=======================================
  Coverage   35.38%   35.38%           
=======================================
  Files          30       30           
  Lines        3103     3103           
=======================================
  Hits         1098     1098           
  Misses       2005     2005           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7ab5b29...0e91fee. Read the comment docs.

[pyup-bot]

Closing this in favor of #1016