You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
459 lines
20 KiB
459 lines
20 KiB
# changelog
|
|
|
|
## 1.4.0
|
|
|
|
- `core.ObjectIdentifier` and all derived classes now obey X.660 §7.6 and
|
|
thus restrict the first arc to 0 to 2, and the second arc to less than
|
|
40 if the first arc is 0 or 1. This also fixes parsing of OIDs where the
|
|
first arc is 2 and the second arc is greater than 39.
|
|
- Fixed `keys.PublicKeyInfo.bit_size` to return an int rather than a float
|
|
on Python 3 when working with elliptic curve keys
|
|
- Fixed the `asn1crypto-tests` sdist on PyPi to work properly to generate a
|
|
.whl
|
|
|
|
## 1.3.0
|
|
|
|
- Added `encrypt_key_pref` (`1.2.840.113549.1.9.16.2.11`) to
|
|
`cms.CMSAttributeType()`, along with related structures
|
|
- Added Brainpool curves from RFC 5639 to `keys.NamedCurve()`
|
|
- Fixed `x509.Certificate().subject_directory_attributes_value`
|
|
- Fixed some incorrectly computed minimum elliptic curve primary key
|
|
encoding sizes in `keys.NamedCurve()`
|
|
- Fixed a `TypeError` when trying to call `.untag()` or `.copy()` on a
|
|
`core.UTCTime()` or `core.GeneralizedTime()`, or a value containing one,
|
|
when using Python 2
|
|
|
|
## 1.2.0
|
|
|
|
- Added `asn1crypto.load_order()`, which returns a `list` of unicode strings
|
|
of the names of the fully-qualified module names for all of submodules of
|
|
the package. The module names are listed in their dependency load order.
|
|
This is primarily intended for the sake of implementing hot reloading.
|
|
|
|
## 1.1.0
|
|
|
|
- Added User ID (`0.9.2342.19200300.100.1.1`) to `x509.NameType()`
|
|
- Added various EC named curves to `keys.NamedCurve()`
|
|
|
|
## 1.0.1
|
|
|
|
- Fix an absolute import in `keys` to a relative import
|
|
|
|
## 1.0.0
|
|
|
|
- Backwards Compatibility Breaks
|
|
- `cms.KeyEncryptionAlgorithmId().native` now returns the value
|
|
`"rsaes_pkcs1v15"` for OID `1.2.840.113549.1.1.1` instead of `"rsa"`
|
|
- Removed functionality to calculate public key values from private key
|
|
values. Alternatives have been added to oscrypto.
|
|
- `keys.PrivateKeyInfo().unwrap()` is now
|
|
`oscrypto.asymmetric.PrivateKey().unwrap()`
|
|
- `keys.PrivateKeyInfo().public_key` is now
|
|
`oscrypto.asymmetric.PrivateKey().public_key.unwrap()`
|
|
- `keys.PrivateKeyInfo().public_key_info` is now
|
|
`oscrypto.asymmetric.PrivateKey().public_key.asn1`
|
|
- `keys.PrivateKeyInfo().fingerprint` is now
|
|
`oscrypto.asymmetric.PrivateKey().fingerprint`
|
|
- `keys.PublicKeyInfo().unwrap()` is now
|
|
`oscrypto.asymmetric.PublicKey().unwrap()`
|
|
- `keys.PublicKeyInfo().fingerprint` is now
|
|
`oscrypto.asymmetric.PublicKey().fingerprint`
|
|
- Enhancements
|
|
- Significantly improved parsing of `core.UTCTime()` and
|
|
`core.GeneralizedTime()` values that include timezones and fractional
|
|
seconds
|
|
- `util.timezone` has a more complete implementation
|
|
- `core.Choice()` may now be constructed by a 2-element tuple or a 1-key
|
|
dict
|
|
- Added `x509.Certificate().not_valid_before` and
|
|
`x509.Certificate().not_valid_after`
|
|
- Added `core.BitString().unused_bits`
|
|
- Added `keys.NamedCurve.register()` for non-mainstream curve OIDs
|
|
- No longer try to load optional performance dependency, `libcrypto`,
|
|
on Mac or Linux
|
|
- `ocsp.CertStatus().native` will now return meaningful unicode string
|
|
values when the status choice is `"good"` or `"unknown"`. Previously
|
|
both returned `None` due to the way the structure was designed.
|
|
- Add support for explicit RSA SSA PSS (`1.2.840.113549.1.1.10`) to
|
|
`keys.PublicKeyInfo()` and `keys.PrivateKeyInfo()`
|
|
- Added structures for nested SHA-256 Windows PE signatures to
|
|
`cms.CMSAttribute()`
|
|
- Added RC4 (`1.2.840.113549.3.4`) to `algos.EncryptionAlgorithmId()`
|
|
- Added secp256k1 (`1.3.132.0.10`) to `keys.NamedCurve()`
|
|
- Added SHA-3 and SHAKE OIDs to `algos.DigestAlgorithmId()` and
|
|
`algos.HmacAlgorithmId()`
|
|
- Added RSA ES OAEP (`1.2.840.113549.1.1.7`) to
|
|
`cms.KeyEncryptionAlgorithmId()`
|
|
- Add IKE Intermediate (`1.3.6.1.5.5.8.2.2`) to `x509.KeyPurposeId()`
|
|
- `x509.EmailAddress()` and `x509.DNSName()` now handle invalidly-encoded
|
|
values using tags for `core.PrintableString()` and `core.UTF8String()`
|
|
- Add parameter structue from RFC 5084 for AES-CCM to
|
|
`algos.EncryptionAlgorithm()`
|
|
- Improved robustness of parsing broken `core.Sequence()` and
|
|
`core.SequenceOf()` values
|
|
- Bug Fixes
|
|
- Fixed encoding of tag values over 30
|
|
- `core.IntegerBitString()` and `core.IntegerOctetString()` now restrict
|
|
values to non-negative integers since negative values are not
|
|
implemented
|
|
- When copying or dumping a BER-encoded indefinite-length value,
|
|
automatically force re-encoding to DER. *To ensure all nested values are
|
|
always DER-encoded, `.dump(True)` must be called.*
|
|
- Fix `UnboundLocalError` when calling `x509.IPAddress().native` on an
|
|
encoded value that has a length of zero
|
|
- Fixed passing `class_` via unicode string name to `core.Asn1Value()`
|
|
- Fixed a bug where EC private keys with leading null bytes would be
|
|
encoded in `keys.ECPrivateKey()` more narrowly than RFC 5915 requires
|
|
- Fixed some edge-case bugs in `util.int_to_bytes()`
|
|
- `x509.URI()` now only normalizes values when comparing
|
|
- Fixed BER-decoding of indefinite length `core.BitString()`
|
|
- Fixed DER-encoding of empty `core.BitString()`
|
|
- Fixed a missing return value for `core.Choice().parse()`
|
|
- Fixed `core.Choice().contents` working when the chosen alternative is a
|
|
`core.Choice()` also
|
|
- Fixed parsing and encoding of nested `core.Choice()` objects
|
|
- Fixed a bug causing `core.ObjectIdentifier().native` to sometimes not
|
|
map the OID
|
|
- Packaging
|
|
- `wheel`, `sdist` and `bdist_egg` releases now all include LICENSE,
|
|
`sdist` includes docs
|
|
- Added `asn1crypto_tests` package to PyPi
|
|
|
|
## 0.24.0
|
|
|
|
- `x509.Certificate().self_signed` will no longer return `"yes"` under any
|
|
circumstances. This helps prevent confusion since the library does not
|
|
verify the signature. Instead a library like oscrypto should be used
|
|
to confirm if a certificate is self-signed.
|
|
- Added various OIDs to `x509.KeyPurposeId()`
|
|
- Added `x509.Certificate().private_key_usage_period_value`
|
|
- Added structures for parsing common subject directory attributes for
|
|
X.509 certificates, including `x509.SubjectDirectoryAttribute()`
|
|
- Added `algos.AnyAlgorithmIdentifier()` for situations where an
|
|
algorithm identifier may contain a digest, signed digest or encryption
|
|
algorithm OID
|
|
- Fixed a bug with `x509.Certificate().subject_directory_attributes_value`
|
|
not returning the correct value
|
|
- Fixed a bug where explicitly-tagged fields in a `core.Sequence()` would
|
|
not function properly when the field had a default value
|
|
- Fixed a bug with type checking in `pem.armor()`
|
|
|
|
## 0.23.0
|
|
|
|
- Backwards compatibility break: the `tag_type`, `explicit_tag` and
|
|
`explicit_class` attributes on `core.Asn1Value` no longer exist and were
|
|
replaced by the `implicit` and `explicit` attributes. Field param dicts
|
|
may use the new `explicit` and `implicit` keys, or the old `tag_type` and
|
|
`tag` keys. The attribute changes will likely to have little to no impact
|
|
since they were primarily an implementation detail.
|
|
- Teletex strings used inside of X.509 certificates are now interpreted
|
|
using Windows-1252 (a superset of ISO-8859-1). This enables compatibility
|
|
with certificates generated by OpenSSL. Strict parsing of Teletex strings
|
|
can be retained by using the `x509.strict_teletex()` context manager.
|
|
- Added support for nested explicit tagging, supporting values that are
|
|
defined with explicit tagging and then added as a field of another
|
|
structure using explicit tagging.
|
|
- Fixed a `UnicodeDecodeError` when trying to find the (optional) dependency
|
|
OpenSSL on Python 2
|
|
- Fixed `next_update` field of `crl.TbsCertList` to be optional
|
|
- Added the `x509.Certificate.sha256_fingerprint` property
|
|
- `x509.Certificate.ocsp_urls` and `x509.DistributionPoint.url` will now
|
|
return `https://`, `ldap://` and `ldaps://` URLs in addition to `http://`.
|
|
- Added CMS Attribute Protection definitions from RFC 6211
|
|
- Added OIDs from RFC 6962
|
|
|
|
## 0.22.0
|
|
|
|
- Added `parser.peek()`
|
|
- Implemented proper support for BER-encoded indefinite length strings of
|
|
all kinds - `core.BitString`, `core.OctetString` and all of the `core`
|
|
classes that are natively represented as Python unicode strings
|
|
- Fixed a bug with encoding LDAP URLs in `x509.URI`
|
|
- Correct `x509.DNSName` to allow a leading `.`, such as when used with
|
|
`x509.NameConstraints`
|
|
- Fixed an issue with dumping the parsed contents of `core.Any` when
|
|
explicitly tagged
|
|
- Custom `setup.py clean` now accepts the short `-a` flag for compatibility
|
|
|
|
## 0.21.1
|
|
|
|
- Fixed a regression where explicit tagging of a field containing a
|
|
`core.Choice` would result in an incorrect header
|
|
- Fixed a bug where an `IndexError` was being raised instead of a `ValueError`
|
|
when a value was truncated to not include enough bytes for the header
|
|
- Corrected the spec for the `value` field of `pkcs12.Attribute`
|
|
- Added support for `2.16.840.1.113894.746875.1.1` OID to
|
|
`pkcs12.AttributeType`
|
|
|
|
## 0.21.0
|
|
|
|
- Added `core.load()` for loading standard, universal types without knowing
|
|
the spec beforehand
|
|
- Added a `strict` keyword arg to the various `load()` methods and functions in
|
|
`core` that checks for trailing data and raises a `ValueError` when found
|
|
- Added `asn1crypto.parser` submodule with `emit()` and `parse()` functions for
|
|
low-level integration
|
|
- Added `asn1crypto.version` for version introspection without side-effects
|
|
- Added `algos.DSASignature`
|
|
- Fixed a bug with the `_header` attribute of explicitly-tagged values only
|
|
containing the explicit tag header instead of both the explicit tag header
|
|
and the encapsulated value header
|
|
|
|
## 0.20.0
|
|
|
|
- Added support for year 0
|
|
- Added the OID for unique identifier to `x509.NameType`
|
|
- Fixed a bug creating the native representation of a `core.BitString` with
|
|
leading null bytes
|
|
- Added a `.cast()` method to allow converting between different
|
|
representations of the same data, e.g. `core.BitString` and
|
|
`core.OctetBitString`
|
|
|
|
## 0.19.0
|
|
|
|
- Force `algos.DigestAlgorithm` to encoding `parameters` as `Null` when the
|
|
`algorithm` is `sha1`, `sha224`, `sha256`, `sha384` or `sha512` per RFC 4055
|
|
- Resolved an issue where a BER-encoded indefinite-length value could not be
|
|
properly parsed when embedded inside of a `core.Sequence` or `core.Set`
|
|
- Fix `x509.Name.build()` to properly handle dotted OID type values
|
|
- `core.Choice` can now be constructed from a single-element `dict` or a
|
|
two-element `tuple` to allow for better usability when constructing values
|
|
from native Python values
|
|
- All `core` objects can now be passed to `print()` with an exception being
|
|
raised
|
|
|
|
## 0.18.5
|
|
|
|
- Don't fail importing if `ctypes` or `_ctypes` is not available
|
|
|
|
## 0.18.4
|
|
|
|
- `core.Sequence` will now raise an exception when an unknown field is provided
|
|
- Prevent `UnicodeDecodeError` on Python 2 when calling
|
|
`core.OctetString.debug()`
|
|
- Corrected the default value for the `hash_algorithm` field of
|
|
`tsp.ESSCertIDv2`
|
|
- Fixed a bug constructing a `cms.SignedData` object
|
|
- Ensure that specific RSA OIDs are always paired with `parameters` set to
|
|
`core.Null`
|
|
|
|
## 0.18.3
|
|
|
|
- Fixed DER encoding of `core.BitString` when a `_map` is specified (i.e. a
|
|
"named bit list") to omit trailing zero bits. This fixes compliance of
|
|
various `x509` structures with RFC 5280.
|
|
- Corrected a side effect in `keys.PrivateKeyInfo.wrap()` that would cause the
|
|
original `keys.ECPrivateKey` structure to become corrupt
|
|
- `core.IntegerOctetString` now correctly encodes the integer as an unsigned
|
|
value when converting to bytes. Previously decoding was unsigned, but
|
|
encoding was signed.
|
|
- Fix `util.int_from_bytes()` on Python 2 to return `0` from an empty byte
|
|
string
|
|
|
|
## 0.18.2
|
|
|
|
- Allow `_perf` submodule to be removed from source tree when embedding
|
|
|
|
## 0.18.1
|
|
|
|
- Fixed DER encoding of `core.Set` and `core.SetOf`
|
|
- Fixed a bug in `x509.Name.build()` that could generate invalid DER encoding
|
|
- Improved exception messages when parsing nested structures via the `.native`
|
|
attribute
|
|
- `algos.SignedDigestAlgorithm` now ensures the `parameters` are set to
|
|
`Null` when `algorithm` is `sha224_rsa`, `sha256_rsa`, `sha384_rsa` or
|
|
`sha512_rsa`, per RFC 4055
|
|
- Corrected the definition of `pdf.AdobeTimestamp` to mark the
|
|
`requires_auth` field as optional
|
|
- Add support for the OID `1.2.840.113549.1.9.16.2.14` to
|
|
`cms.CMSAttributeType`
|
|
- Improve attribute support for `cms.AttributeCertificateV2`
|
|
- Handle `cms.AttributeCertificateV2` when incorrectly tagged as
|
|
`cms.AttributeCertificateV1` in `cms.CertificateChoices`
|
|
|
|
## 0.18.0
|
|
|
|
- Improved general parsing performance by 10-15%
|
|
- Add support for Windows XP
|
|
- Added `core.ObjectIdentifier.dotted` attribute to always return dotted
|
|
integer unicode string
|
|
- Added `core.ObjectIdentifier.map()` and `core.ObjectIdentifier.unmap()`
|
|
class methods to map dotted integer unicode strings to user-friendly unicode
|
|
strings and back
|
|
- Added various Apple OIDs to `x509.KeyPurposeId`
|
|
- Fixed a bug parsing nested indefinite-length-encoded values
|
|
- Fixed a bug with `x509.Certificate.issuer_alt_name_value` if it is the first
|
|
extension queried
|
|
- `keys.PublicKeyInfo.bit_size` and `keys.PrivateKeyInfo.bit_size` values are
|
|
now rounded up to the next closest multiple of 8
|
|
|
|
## 0.17.1
|
|
|
|
- Fix a bug in `x509.URI` parsing IRIs containing explicit port numbers on
|
|
Python 3.x
|
|
|
|
## 0.17.0
|
|
|
|
- Added `x509.TrustedCertificate` for handling OpenSSL auxiliary certificate
|
|
information appended after a certificate
|
|
- Added `core.Concat` class for situations such as `x509.TrustedCertificate`
|
|
- Allow "broken" X.509 certificates to use `core.IA5String` where an
|
|
`x509.DirectoryString` should be used instead
|
|
- Added `keys.PrivateKeyInfo.public_key_info` attribute
|
|
- Added a bunch of OIDs to `x509.KeyPurposeId`
|
|
|
|
## 0.16.0
|
|
|
|
- Added DH key exchange structures: `algos.KeyExchangeAlgorithm`,
|
|
`algos.KeyExchangeAlgorithmId` and `algos.DHParameters`.
|
|
- Added DH public key support to `keys.PublicKeyInfo`,
|
|
`keys.PublicKeyAlgorithm` and `keys.PublicKeyAlgorithmId`. New structures
|
|
include `keys.DomainParameters` and `keys.ValidationParms`.
|
|
|
|
## 0.15.1
|
|
|
|
- Fixed `cms.CMSAttributes` to be a `core.SetOf` instead of `core.SequenceOf`
|
|
- `cms.CMSAttribute` can now parse unknown attribute contrustruct without an
|
|
exception being raised
|
|
- `x509.PolicyMapping` now uses `x509.PolicyIdentifier` for field types
|
|
- Fixed `pdf.RevocationInfoArchival` so that all fields are now of the type
|
|
`core.SequenceOf` instead of a single value
|
|
- Added support for the `name_distinguisher`, `telephone_number` and
|
|
`organization_identifier` OIDs to `x509.Name`
|
|
- Fixed `x509.Name.native` to not accidentally create nested lists when three
|
|
of more values for a single type are part of the name
|
|
- `x509.Name.human_friendly` now reverses the order of fields when the data
|
|
in an `x509.Name` was encoded in most-specific to least-specific order, which
|
|
is the opposite of the standard way of least-specific to most-specific.
|
|
- `x509.NameType.human_friendly` no longer raises an exception when an
|
|
unknown OID is encountered
|
|
- Raise a `ValueError` when parsing a `core.Set` and an unknown field is
|
|
encountered
|
|
|
|
## 0.15.0
|
|
|
|
- Added support for the TLS feature extension from RFC 7633
|
|
- `x509.Name.build()` now accepts a keyword parameter `use_printable` to force
|
|
string encoding to be `core.PrintableString` instead of `core.UTF8String`
|
|
- Added the functions `util.uri_to_iri()` and `util.iri_to_uri()`
|
|
- Changed `algos.SignedDigestAlgorithmId` to use the preferred OIDs when
|
|
mapping a unicode string name to an OID. Previously there were multiple OIDs
|
|
for some algorithms, and different OIDs would sometimes be selected due to
|
|
the fact that the `_map` `dict` is not ordered.
|
|
|
|
## 0.14.1
|
|
|
|
- Fixed a bug generating `x509.Certificate.sha1_fingerprint` on Python 2
|
|
|
|
## 0.14.0
|
|
|
|
- Added the `x509.Certificate.sha1_fingerprint` attribute
|
|
|
|
## 0.13.0
|
|
|
|
- Backwards compatibility break: the native representation of some
|
|
`algos.EncryptionAlgorithmId` values changed. `aes128` became `aes128_cbc`,
|
|
`aes192` became `aes192_cbc` and `aes256` became `aes256_cbc`.
|
|
- Added more OIDs to `algos.EncryptionAlgorithmId`
|
|
- Added more OIDs to `cms.KeyEncryptionAlgorithmId`
|
|
- `x509.Name.human_friendly` now properly supports multiple values per
|
|
`x509.NameTypeAndValue` object
|
|
- Added `ocsp.OCSPResponse.basic_ocsp_response` and
|
|
`ocsp.OCSPResponse.response_data` properties
|
|
- Added `algos.EncryptionAlgorithm.encryption_mode` property
|
|
- Fixed a bug with parsing times containing timezone offsets in Python 3
|
|
- The `attributes` field of `csr.CertificationRequestInfo` is now optional,
|
|
for compatibility with other ASN.1 parsers
|
|
|
|
## 0.12.2
|
|
|
|
- Correct `core.Sequence.__setitem__()` so set `core.VOID` to an optional
|
|
field when `None` is set
|
|
|
|
## 0.12.1
|
|
|
|
- Fixed a `unicode`/`bytes` bug with `x509.URI.dump()` on Python 2
|
|
|
|
## 0.12.0
|
|
|
|
- Backwards Compatibility Break: `core.NoValue` was renamed to `core.Void` and
|
|
a singleton was added as `core.VOID`
|
|
- 20-30% improvement in parsing performance
|
|
- `core.Void` now implements `__nonzero__`
|
|
- `core.Asn1Value.copy()` now performs a deep copy
|
|
- All `core` value classes are now compatible with the `copy` module
|
|
- `core.SequenceOf` and `core.SetOf` now implement `__contains__`
|
|
- Added `x509.Name.__len__()`
|
|
- Fixed a bug where `core.Choice.validate()` would not properly account for
|
|
explicit tagging
|
|
- `core.Choice.load()` now properly passes itself as the spec when parsing
|
|
- `x509.Certificate.crl_distribution_points` no longer throws an exception if
|
|
the `DistributionPoint` does not have a value for the `distribution_point`
|
|
field
|
|
|
|
## 0.11.1
|
|
|
|
- Corrected `core.UTCTime` to interpret year <= 49 as 20xx and >= 50 as 19xx
|
|
- `keys.PublicKeyInfo.hash_algo` can now handle DSA keys without parameters
|
|
- Added `crl.CertificateList.sha256` and `crl.CertificateList.sha1`
|
|
- Fixed `x509.Name.build()` to properly encode `country_name`, `serial_number`
|
|
and `dn_qualifier` as `core.PrintableString` as specified in RFC 5280,
|
|
instead of `core.UTF8String`
|
|
|
|
## 0.11.0
|
|
|
|
- Added Python 2.6 support
|
|
- Added ability to compare primitive type objects
|
|
- Implemented proper support for internationalized domains, URLs and email
|
|
addresses in `x509.Certificate`
|
|
- Comparing `x509.Name` and `x509.GeneralName` objects adheres to RFC 5280
|
|
- `x509.Certificate.self_signed` and `x509.Certificate.self_issued` no longer
|
|
require that certificate is for a CA
|
|
- Fixed `x509.Certificate.valid_domains` to adhere to RFC 6125
|
|
- Added `x509.Certificate.is_valid_domain_ip()`
|
|
- Added `x509.Certificate.sha1` and `x509.Certificate.sha256`
|
|
- Exposed `util.inet_ntop()` and `util.inet_pton()` for IP address encoding
|
|
- Improved exception messages for improper types to include type's module name
|
|
|
|
## 0.10.1
|
|
|
|
- Fixed bug in `core.Sequence` affecting Python 2.7 and pypy
|
|
|
|
## 0.10.0
|
|
|
|
- Added PEM encoding/decoding functionality
|
|
- `core.BitString` now uses item access instead of attributes for named bit
|
|
access
|
|
- `core.BitString.native` now uses a `set` of unicode strings when `_map` is
|
|
present
|
|
- Removed `core.Asn1Value.pprint()` method
|
|
- Added `core.ParsableOctetString` class
|
|
- Added `core.ParsableOctetBitString` class
|
|
- Added `core.Asn1Value.copy()` method
|
|
- Added `core.Asn1Value.debug()` method
|
|
- Added `core.SequenceOf.append()` method
|
|
- Added `core.Sequence.spec()` and `core.SequenceOf.spec()` methods
|
|
- Added correct IP address parsing to `x509.GeneralName`
|
|
- `x509.Name` and `x509.GeneralName` are now compared according to rules in
|
|
RFC 5280
|
|
- Added convenience attributes to:
|
|
- `algos.SignedDigestAlgorithm`
|
|
- `crl.CertificateList`
|
|
- `crl.RevokedCertificate`
|
|
- `keys.PublicKeyInfo`
|
|
- `ocsp.OCSPRequest`
|
|
- `ocsp.Request`
|
|
- `ocsp.OCSPResponse`
|
|
- `ocsp.SingleResponse`
|
|
- `x509.Certificate`
|
|
- `x509.Name`
|
|
- Added `asn1crypto.util` module with the following items:
|
|
- `int_to_bytes()`
|
|
- `int_from_bytes()`
|
|
- `timezone.utc`
|
|
- Added `setup.py clean` command
|
|
|
|
## 0.9.0
|
|
|
|
- Initial release
|