aboutsummaryrefslogtreecommitdiffstats
path: root/CHANGELOG.rst
Commit message (Collapse)AuthorAgeFilesLines
* disallow implicit tag truncation with finalize_with_tag (#4342)Paul Kehrer2018-07-171-0/+5
|
* add crl.get_revoked_certificate method (#4331)Paul Kehrer2018-07-161-0/+3
| | | | | | | | * add crl.get_revoked_certificate method * lexicographic is the best ographic * rename
* Change the exception we raise in keywrap unwrapping on invalid length (#4337)Alex Gaynor2018-07-161-0/+4
| | | I believe this can reasonably be considered backwards compatible since other invalid inputs already lead to InvalidUnwrap, and clients shouldn't be distinguishing between these two conditions, and ValueError wasn't documented anyways.
* Make RelativeDistinguishedName preserve attribtue order (#4306)Marti Raudsepp2018-07-091-0/+3
| | | | Duplicate attributes now raise an error instead of silently discarding duplicates.
* Add py37 (#4298)Paul Kehrer2018-06-271-0/+1
| | | | | | | | | | | | | | * test against python 3.7 for windows * update docs to say we test on 3.7 * more succinct * maybe make this actually work. * link properly * moar changes
* LibreSSL 2.7.x support (#4270)Paul Kehrer2018-05-301-0/+2
| | | | | | | | * libre 2.7.3 compatibility * add a changelog * actually build against 2.7.3
* deprecate pythons without hmac.compare_digest (#4261)Paul Kehrer2018-05-241-0/+3
| | | | | | * deprecate the constant time bytes comparison path old python 2.7.x uses * pep8
* Add support for extracting timestamp from a Fernet token (#4229)Paul Kehrer2018-05-121-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Add API for retrieving the seconds-to-expiry for the token, given a TTL. * Process PR feedback: * Do compute the TTL, but just the age of the token. The caller can decided what to do next. * Factored out the HMAC signature verification to a separate function. * Fixed a copy&paste mistake in the test cases * Tests cleanup. * `struct` no longer needed * Document `def age()` * typo in `age()` documentation * token, not data * remove test for TTL expiry that is already covered by the parameterized `test_invalid()`. * let's call this extract_timestamp and just return timestamp * review comments * it's UNIX I know this
* port changelog for 2.2.2 (#4172)Paul Kehrer2018-03-271-0/+8
|
* forward port 2.2.1 changelog (#4167)Alex Gaynor2018-03-201-0/+13
|
* open master for 2.3 (#4151)Paul Kehrer2018-03-181-0/+7
|
* 2.2 release! (#4150)Paul Kehrer2018-03-181-4/+3
| | | | | | * 2.2 release! * also change versions
* implement AES KW with padding (RFC 5649) (#3880)Paul Kehrer2018-03-181-0/+5
| | | | | | | | | | | | | | | | | | * implement AES KW with padding (RFC 5649) fixes #3791 * oops, 2.2 * make sure this is the right valueerror * more match * make key padding easier to read * review feedback * review feedback
* Brainpool curves (#4129)Paul Kehrer2018-03-151-0/+4
| | | | | | | | | | | | | | | | | | * added brainpool ec-curves key_length >= 256bit * limit brainpool curves to the set that appear required + docs * oops * typos all around me * add brainpool ECDH kex tests * switch to using rfc 7027 vectors * review feedback * empty commits are the best
* memory leak changelog (#4097)Paul Kehrer2018-02-051-0/+2
|
* The HKDF limit is actually 255 * digest_length_in_bytes (#4037)Paul Kehrer2018-01-061-0/+1
| | | | | | | | | | | * The HKDF limit is actually 255 * digest_length_in_bytes Previously we had a bug where we divided digest_size by 8...but HashAlgorithm.digest_size is already in bytes. * test longer output * changelog
* port changelog for 2.1.4 to master (#4031)Paul Kehrer2017-11-291-0/+7
|
* forward port changelog (#4009)Alex Gaynor2017-11-021-0/+8
|
* Forward port 2.1.2 changelog (#3998)Alex Gaynor2017-10-241-0/+8
|
* Add Multifernet.rotate method (#3979)Chris Wolfe2017-10-191-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * add rotate method * add some more tests for the failure modes * start adding some documentation for the rotate method * operate on a single token at a time, leave lists to the caller * add versionadded add versionadded, drop rotate from class doctest * give rotate a doctest * single level, not aligned * add changelog for mf.rotate * show that, once rotated, the old fernet instance can no longer decrypt the token * add the instead of just the how * update docs to reflect removal of ttl from rotate * update tests * refactor internal methods so that we can extract the timestamp * implement rotate * update wordlist (case sensitive?) * lints * consistent naming * get_token_data/get_unverified_token_data -> better name * doc changes * use the static method, do not treat as imethod * move up to MultiFernet docs * add to authors * alter wording * monkeypatch time to make it less possible for the test to pass simply due to calls occuring in less than one second * set the time after encryption to make sure that the time is preserved as part of re-encryption
* Make changelog for A-label more readable (#3977)Christian Heimes2017-10-171-7/+9
| | | | | "value, value, and value" isn't very helpful. Signed-off-by: Christian Heimes <cheimes@redhat.com>
* port 2.1.1 changelog (#3975)Paul Kehrer2017-10-121-0/+7
|
* expunge python 2.6 (#3962)Paul Kehrer2017-10-111-0/+1
| | | | | | | | | | * expunge python 2.6 * how did THAT happen * remove another unsupported python from the tox envlist * hypothesis can now be unconditionally imported
* start the twenty second release cycle (#3960)Paul Kehrer2017-10-111-0/+7
|
* update changelog release date and bump version for 2.1 release (#3958)Paul Kehrer2017-10-111-4/+2
|
* Update docs and changelog for URI, RFC822Name, and DNSName (#3955)Paul Kehrer2017-10-111-20/+14
| | | | | | | | | | | | | | | | * Update docs and changelog for URI, RFC822Name, and DNSName As of 2.1 we want users to pass A-label strings, but we still accept U-label strings and auto-encode on their behalf (with a deprecation warning). However, we do not return U-label in the value attribute so we are making a backwards incompatible change for users that utilize internationalized domain names. * language updates * add presentational to the word list * the linux dictionary is pathetic
* Add support for AES XTS (#3900)Paul Kehrer2017-10-011-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | * Add support for AES XTS We drop the non-byte aligned test vectors because according to NIST http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSVS.pdf "An implementation may support a data unit length that is not a multiple of 8 bits." OpenSSL does not support this, so we can't use those test vectors. * fix docs and pep8 * docs fix * the spellchecker is so frustrating * add note about AES 192 for XTS (it's not supported) * docs work * enforce key length on ECB mode in AES as well (thanks XTS) * a few more words about why we exclude some test vectors for XTS
* Declare that 2.1 is the last version to support Python 2.6 (#3944)Alex Gaynor2017-10-011-0/+2
| | | | | | * Declare that 2.1 is the last version to support Python 2.6 * It's the Final Countdown!
* add ChaCha20 support (#3919)Paul Kehrer2017-09-281-0/+5
| | | | | | | | | | * add ChaCha20 support * review feedback * 256 divided by 8 is what again? * ...
* both parse and encode the ASN1 string type for Name attributes (#3896)Paul Kehrer2017-09-251-0/+2
| | | | | | | | | | | | | | | * both parse and encode the ASN1 string type for Name attributes Previously cryptography encoded everything (except country names) as UTF8String. This caused problems with chain building in libraries like NSS where the subject and issuer are expected to match byte-for-byte. With this change we now parse and store the ASN1 string type as a private _type in NameAttribute. We then use this to encode when issuing a new certificate. This allows the CertificateBuilder to properly construct an identical issuer and fixes the issue with NSS. * make the sentinel private too
* FreshestCRL extension support (#3937)Paul Kehrer2017-09-231-0/+1
| | | | | | | | | | * add freshest CRL support * add tests * add changelog * add tests for FreshestCRL generation
* support delta crl indicator extension (#3936)Paul Kehrer2017-09-221-0/+1
| | | This is an extension for CRLs
* [WIP] add support for the TLSFeature extension in x509 (#3899)Paul Kehrer2017-09-101-1/+3
| | | | | | | | | | | | | | | | | | * add support for the TLSFeature extension in x509 This extension is used for OCSP Must-Staple. * fix changelog link * pep8 * refactor to support the sequence properly and add status_request_v2 * update some language * add test vector, implement eq/ne/hash on TLSFeature * address review comments
* RSA OAEP label support for OpenSSL 1.0.2+ (#3897)Paul Kehrer2017-09-081-0/+4
| | | | | | | | | | * RSA OAEP label support for OpenSSL 1.0.2+ * changelog * move around tests, address review feedback, use backend supported method * unsupported padding catches this now
* Switch to using the other style of environment markers (#3796)Alex Gaynor2017-08-241-0/+1
| | | | | | | | * Switch to using the other style of environment markers * We don't do py3.3 any more! * changelog
* add blake2b/blake2s support for hmac (#3873)Paul Kehrer2017-08-221-0/+3
| | | | | | | | | | * add blake2b/blake2s support for hmac This was a bug, but it turns out the noise protocol suggests using the HMAC construction with BLAKE2 (rather than BLAKE2's own keyed functionality) for a few reasons, so we should support it. * actually test the thing
* add changelog and a warning for is_signature_valid on crl (#3861)Paul Kehrer2017-08-121-0/+2
| | | | | | * add changelog and a warning * document this properly
* fixed a typo (#3847)Alex Gaynor2017-08-031-1/+1
|
* port 2.0.3 changelog (#3845)Paul Kehrer2017-08-031-0/+9
|
* Make changelog anchors stable ids (#3840)Christian Heimes2017-08-031-0/+165
| | | | | Closes: #3839 Signed-off-by: Christian Heimes <christian@python.org>
* deprecate unicode input for RFC822Name (#3836)Paul Kehrer2017-08-011-1/+7
| | | | | | * deprecate unicode input for RFC822Name * pep8...?
* deprecate auto-idna on UniformResourceIdentifier (#3832)Paul Kehrer2017-08-011-0/+8
| | | | | | | | | | * deprecate auto-idna on UniformResourceIdentifier * fix repr test * docs * some updated language
* Begin the deprecation of auto-idna for x509.DNSName (#3830)Alex Gaynor2017-07-301-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | * Begin the deprecation of auto-idna for x509.DNSName Refs #3357 * fix warning * py3k fixes * fix docs * sigh * flake8 * these are words * words * tests for coverage * another test * do idna things * more idna things
* port 2.0.2 changelog (#3828)Paul Kehrer2017-07-271-0/+6
|
* port 2.0.1 changelog (#3823)Paul Kehrer2017-07-261-0/+10
|
* remove deprecated items (#3794)Paul Kehrer2017-07-201-0/+4
| | | | | | | | | | * remove deprecated items whirlpool, ripemd160, unsupportedextension, and the old interfaces * flake8 and remove a test generator we no longe use * make it clear we warned you about these things
* Open master for 2.1 (#3788)Alex Gaynor2017-07-171-0/+5
|
* 2.0 version bump and changelog (#3787)Paul Kehrer2017-07-171-4/+2
| | | | | | * 2.0 version bump and changelog * dates are just an illusion
* add AESGCM AEAD support (#3785)Paul Kehrer2017-07-171-0/+3
| | | | | | | | * add AESGCM AEAD support * remove stray newline * move AESGCM docs above CCM
* AESCCM support (#3700)Paul Kehrer2017-07-161-0/+2
|