- Updated asn1crypto dependency to `0.18.1`, oscrypto dependency to `0.16.1`.
- Updated for compatibility with oscrypto 0.16.0
- Backwards compatibility break: the `require_revocation_checks` parameter was removed and a new keyword parameter, `revocation_mode`, was added to `ValidationContext()`. Validation may now be in a `soft-fail` (default), `hard-fail`, or `require` mode. See the documentation for information about the behavior of each mode.
- Added certificate signature hash algorithm checks, with a default blacklist of `md2` and `md5`
- Trust roots no longer need to be self-signed, allowing for cross-signed roots
- Keys with no `key_usage` extension are now permitted to sign CRLs
- An OCSP or CRL check may fail and not result in an error if the other is successful
- Exceptions for expired or not-yet-valid certificates now include full date and time
- Self-signed certificates now have a unique exception message instead of a generic message indicating the issuer could not be found in the trust roots
- `crl_client` can now handle CRLs that are PEM-encoded
- Fixed encoding of URLs in Python 2 when fetching CRLs and OCSP responses
- Corrected an error when trying to check the signature of a certificate to determine if it is self-signed or not
- Fixed a bug with duplicate HTTP headers during OCSP requests on Python 3
- Fixed an exception that would be thrown if a signature not using RSA, DSA or ECDSA is found
- Fixed a bug with whitelisting certificates on Python 3.2
- Initial release