You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

459 lines
20 KiB

# changelog
## 1.4.0
- `core.ObjectIdentifier` and all derived classes now obey X.660 §7.6 and
thus restrict the first arc to 0 to 2, and the second arc to less than
40 if the first arc is 0 or 1. This also fixes parsing of OIDs where the
first arc is 2 and the second arc is greater than 39.
- Fixed `keys.PublicKeyInfo.bit_size` to return an int rather than a float
on Python 3 when working with elliptic curve keys
- Fixed the `asn1crypto-tests` sdist on PyPi to work properly to generate a
.whl
## 1.3.0
- Added `encrypt_key_pref` (`1.2.840.113549.1.9.16.2.11`) to
`cms.CMSAttributeType()`, along with related structures
- Added Brainpool curves from RFC 5639 to `keys.NamedCurve()`
- Fixed `x509.Certificate().subject_directory_attributes_value`
- Fixed some incorrectly computed minimum elliptic curve primary key
encoding sizes in `keys.NamedCurve()`
- Fixed a `TypeError` when trying to call `.untag()` or `.copy()` on a
`core.UTCTime()` or `core.GeneralizedTime()`, or a value containing one,
when using Python 2
## 1.2.0
- Added `asn1crypto.load_order()`, which returns a `list` of unicode strings
of the names of the fully-qualified module names for all of submodules of
the package. The module names are listed in their dependency load order.
This is primarily intended for the sake of implementing hot reloading.
## 1.1.0
- Added User ID (`0.9.2342.19200300.100.1.1`) to `x509.NameType()`
- Added various EC named curves to `keys.NamedCurve()`
## 1.0.1
- Fix an absolute import in `keys` to a relative import
## 1.0.0
- Backwards Compatibility Breaks
- `cms.KeyEncryptionAlgorithmId().native` now returns the value
`"rsaes_pkcs1v15"` for OID `1.2.840.113549.1.1.1` instead of `"rsa"`
- Removed functionality to calculate public key values from private key
values. Alternatives have been added to oscrypto.
- `keys.PrivateKeyInfo().unwrap()` is now
`oscrypto.asymmetric.PrivateKey().unwrap()`
- `keys.PrivateKeyInfo().public_key` is now
`oscrypto.asymmetric.PrivateKey().public_key.unwrap()`
- `keys.PrivateKeyInfo().public_key_info` is now
`oscrypto.asymmetric.PrivateKey().public_key.asn1`
- `keys.PrivateKeyInfo().fingerprint` is now
`oscrypto.asymmetric.PrivateKey().fingerprint`
- `keys.PublicKeyInfo().unwrap()` is now
`oscrypto.asymmetric.PublicKey().unwrap()`
- `keys.PublicKeyInfo().fingerprint` is now
`oscrypto.asymmetric.PublicKey().fingerprint`
- Enhancements
- Significantly improved parsing of `core.UTCTime()` and
`core.GeneralizedTime()` values that include timezones and fractional
seconds
- `util.timezone` has a more complete implementation
- `core.Choice()` may now be constructed by a 2-element tuple or a 1-key
dict
- Added `x509.Certificate().not_valid_before` and
`x509.Certificate().not_valid_after`
- Added `core.BitString().unused_bits`
- Added `keys.NamedCurve.register()` for non-mainstream curve OIDs
- No longer try to load optional performance dependency, `libcrypto`,
on Mac or Linux
- `ocsp.CertStatus().native` will now return meaningful unicode string
values when the status choice is `"good"` or `"unknown"`. Previously
both returned `None` due to the way the structure was designed.
- Add support for explicit RSA SSA PSS (`1.2.840.113549.1.1.10`) to
`keys.PublicKeyInfo()` and `keys.PrivateKeyInfo()`
- Added structures for nested SHA-256 Windows PE signatures to
`cms.CMSAttribute()`
- Added RC4 (`1.2.840.113549.3.4`) to `algos.EncryptionAlgorithmId()`
- Added secp256k1 (`1.3.132.0.10`) to `keys.NamedCurve()`
- Added SHA-3 and SHAKE OIDs to `algos.DigestAlgorithmId()` and
`algos.HmacAlgorithmId()`
- Added RSA ES OAEP (`1.2.840.113549.1.1.7`) to
`cms.KeyEncryptionAlgorithmId()`
- Add IKE Intermediate (`1.3.6.1.5.5.8.2.2`) to `x509.KeyPurposeId()`
- `x509.EmailAddress()` and `x509.DNSName()` now handle invalidly-encoded
values using tags for `core.PrintableString()` and `core.UTF8String()`
- Add parameter structue from RFC 5084 for AES-CCM to
`algos.EncryptionAlgorithm()`
- Improved robustness of parsing broken `core.Sequence()` and
`core.SequenceOf()` values
- Bug Fixes
- Fixed encoding of tag values over 30
- `core.IntegerBitString()` and `core.IntegerOctetString()` now restrict
values to non-negative integers since negative values are not
implemented
- When copying or dumping a BER-encoded indefinite-length value,
automatically force re-encoding to DER. *To ensure all nested values are
always DER-encoded, `.dump(True)` must be called.*
- Fix `UnboundLocalError` when calling `x509.IPAddress().native` on an
encoded value that has a length of zero
- Fixed passing `class_` via unicode string name to `core.Asn1Value()`
- Fixed a bug where EC private keys with leading null bytes would be
encoded in `keys.ECPrivateKey()` more narrowly than RFC 5915 requires
- Fixed some edge-case bugs in `util.int_to_bytes()`
- `x509.URI()` now only normalizes values when comparing
- Fixed BER-decoding of indefinite length `core.BitString()`
- Fixed DER-encoding of empty `core.BitString()`
- Fixed a missing return value for `core.Choice().parse()`
- Fixed `core.Choice().contents` working when the chosen alternative is a
`core.Choice()` also
- Fixed parsing and encoding of nested `core.Choice()` objects
- Fixed a bug causing `core.ObjectIdentifier().native` to sometimes not
map the OID
- Packaging
- `wheel`, `sdist` and `bdist_egg` releases now all include LICENSE,
`sdist` includes docs
- Added `asn1crypto_tests` package to PyPi
## 0.24.0
- `x509.Certificate().self_signed` will no longer return `"yes"` under any
circumstances. This helps prevent confusion since the library does not
verify the signature. Instead a library like oscrypto should be used
to confirm if a certificate is self-signed.
- Added various OIDs to `x509.KeyPurposeId()`
- Added `x509.Certificate().private_key_usage_period_value`
- Added structures for parsing common subject directory attributes for
X.509 certificates, including `x509.SubjectDirectoryAttribute()`
- Added `algos.AnyAlgorithmIdentifier()` for situations where an
algorithm identifier may contain a digest, signed digest or encryption
algorithm OID
- Fixed a bug with `x509.Certificate().subject_directory_attributes_value`
not returning the correct value
- Fixed a bug where explicitly-tagged fields in a `core.Sequence()` would
not function properly when the field had a default value
- Fixed a bug with type checking in `pem.armor()`
## 0.23.0
- Backwards compatibility break: the `tag_type`, `explicit_tag` and
`explicit_class` attributes on `core.Asn1Value` no longer exist and were
replaced by the `implicit` and `explicit` attributes. Field param dicts
may use the new `explicit` and `implicit` keys, or the old `tag_type` and
`tag` keys. The attribute changes will likely to have little to no impact
since they were primarily an implementation detail.
- Teletex strings used inside of X.509 certificates are now interpreted
using Windows-1252 (a superset of ISO-8859-1). This enables compatibility
with certificates generated by OpenSSL. Strict parsing of Teletex strings
can be retained by using the `x509.strict_teletex()` context manager.
- Added support for nested explicit tagging, supporting values that are
defined with explicit tagging and then added as a field of another
structure using explicit tagging.
- Fixed a `UnicodeDecodeError` when trying to find the (optional) dependency
OpenSSL on Python 2
- Fixed `next_update` field of `crl.TbsCertList` to be optional
- Added the `x509.Certificate.sha256_fingerprint` property
- `x509.Certificate.ocsp_urls` and `x509.DistributionPoint.url` will now
return `https://`, `ldap://` and `ldaps://` URLs in addition to `http://`.
- Added CMS Attribute Protection definitions from RFC 6211
- Added OIDs from RFC 6962
## 0.22.0
- Added `parser.peek()`
- Implemented proper support for BER-encoded indefinite length strings of
all kinds - `core.BitString`, `core.OctetString` and all of the `core`
classes that are natively represented as Python unicode strings
- Fixed a bug with encoding LDAP URLs in `x509.URI`
- Correct `x509.DNSName` to allow a leading `.`, such as when used with
`x509.NameConstraints`
- Fixed an issue with dumping the parsed contents of `core.Any` when
explicitly tagged
- Custom `setup.py clean` now accepts the short `-a` flag for compatibility
## 0.21.1
- Fixed a regression where explicit tagging of a field containing a
`core.Choice` would result in an incorrect header
- Fixed a bug where an `IndexError` was being raised instead of a `ValueError`
when a value was truncated to not include enough bytes for the header
- Corrected the spec for the `value` field of `pkcs12.Attribute`
- Added support for `2.16.840.1.113894.746875.1.1` OID to
`pkcs12.AttributeType`
## 0.21.0
- Added `core.load()` for loading standard, universal types without knowing
the spec beforehand
- Added a `strict` keyword arg to the various `load()` methods and functions in
`core` that checks for trailing data and raises a `ValueError` when found
- Added `asn1crypto.parser` submodule with `emit()` and `parse()` functions for
low-level integration
- Added `asn1crypto.version` for version introspection without side-effects
- Added `algos.DSASignature`
- Fixed a bug with the `_header` attribute of explicitly-tagged values only
containing the explicit tag header instead of both the explicit tag header
and the encapsulated value header
## 0.20.0
- Added support for year 0
- Added the OID for unique identifier to `x509.NameType`
- Fixed a bug creating the native representation of a `core.BitString` with
leading null bytes
- Added a `.cast()` method to allow converting between different
representations of the same data, e.g. `core.BitString` and
`core.OctetBitString`
## 0.19.0
- Force `algos.DigestAlgorithm` to encoding `parameters` as `Null` when the
`algorithm` is `sha1`, `sha224`, `sha256`, `sha384` or `sha512` per RFC 4055
- Resolved an issue where a BER-encoded indefinite-length value could not be
properly parsed when embedded inside of a `core.Sequence` or `core.Set`
- Fix `x509.Name.build()` to properly handle dotted OID type values
- `core.Choice` can now be constructed from a single-element `dict` or a
two-element `tuple` to allow for better usability when constructing values
from native Python values
- All `core` objects can now be passed to `print()` with an exception being
raised
## 0.18.5
- Don't fail importing if `ctypes` or `_ctypes` is not available
## 0.18.4
- `core.Sequence` will now raise an exception when an unknown field is provided
- Prevent `UnicodeDecodeError` on Python 2 when calling
`core.OctetString.debug()`
- Corrected the default value for the `hash_algorithm` field of
`tsp.ESSCertIDv2`
- Fixed a bug constructing a `cms.SignedData` object
- Ensure that specific RSA OIDs are always paired with `parameters` set to
`core.Null`
## 0.18.3
- Fixed DER encoding of `core.BitString` when a `_map` is specified (i.e. a
"named bit list") to omit trailing zero bits. This fixes compliance of
various `x509` structures with RFC 5280.
- Corrected a side effect in `keys.PrivateKeyInfo.wrap()` that would cause the
original `keys.ECPrivateKey` structure to become corrupt
- `core.IntegerOctetString` now correctly encodes the integer as an unsigned
value when converting to bytes. Previously decoding was unsigned, but
encoding was signed.
- Fix `util.int_from_bytes()` on Python 2 to return `0` from an empty byte
string
## 0.18.2
- Allow `_perf` submodule to be removed from source tree when embedding
## 0.18.1
- Fixed DER encoding of `core.Set` and `core.SetOf`
- Fixed a bug in `x509.Name.build()` that could generate invalid DER encoding
- Improved exception messages when parsing nested structures via the `.native`
attribute
- `algos.SignedDigestAlgorithm` now ensures the `parameters` are set to
`Null` when `algorithm` is `sha224_rsa`, `sha256_rsa`, `sha384_rsa` or
`sha512_rsa`, per RFC 4055
- Corrected the definition of `pdf.AdobeTimestamp` to mark the
`requires_auth` field as optional
- Add support for the OID `1.2.840.113549.1.9.16.2.14` to
`cms.CMSAttributeType`
- Improve attribute support for `cms.AttributeCertificateV2`
- Handle `cms.AttributeCertificateV2` when incorrectly tagged as
`cms.AttributeCertificateV1` in `cms.CertificateChoices`
## 0.18.0
- Improved general parsing performance by 10-15%
- Add support for Windows XP
- Added `core.ObjectIdentifier.dotted` attribute to always return dotted
integer unicode string
- Added `core.ObjectIdentifier.map()` and `core.ObjectIdentifier.unmap()`
class methods to map dotted integer unicode strings to user-friendly unicode
strings and back
- Added various Apple OIDs to `x509.KeyPurposeId`
- Fixed a bug parsing nested indefinite-length-encoded values
- Fixed a bug with `x509.Certificate.issuer_alt_name_value` if it is the first
extension queried
- `keys.PublicKeyInfo.bit_size` and `keys.PrivateKeyInfo.bit_size` values are
now rounded up to the next closest multiple of 8
## 0.17.1
- Fix a bug in `x509.URI` parsing IRIs containing explicit port numbers on
Python 3.x
## 0.17.0
- Added `x509.TrustedCertificate` for handling OpenSSL auxiliary certificate
information appended after a certificate
- Added `core.Concat` class for situations such as `x509.TrustedCertificate`
- Allow "broken" X.509 certificates to use `core.IA5String` where an
`x509.DirectoryString` should be used instead
- Added `keys.PrivateKeyInfo.public_key_info` attribute
- Added a bunch of OIDs to `x509.KeyPurposeId`
## 0.16.0
- Added DH key exchange structures: `algos.KeyExchangeAlgorithm`,
`algos.KeyExchangeAlgorithmId` and `algos.DHParameters`.
- Added DH public key support to `keys.PublicKeyInfo`,
`keys.PublicKeyAlgorithm` and `keys.PublicKeyAlgorithmId`. New structures
include `keys.DomainParameters` and `keys.ValidationParms`.
## 0.15.1
- Fixed `cms.CMSAttributes` to be a `core.SetOf` instead of `core.SequenceOf`
- `cms.CMSAttribute` can now parse unknown attribute contrustruct without an
exception being raised
- `x509.PolicyMapping` now uses `x509.PolicyIdentifier` for field types
- Fixed `pdf.RevocationInfoArchival` so that all fields are now of the type
`core.SequenceOf` instead of a single value
- Added support for the `name_distinguisher`, `telephone_number` and
`organization_identifier` OIDs to `x509.Name`
- Fixed `x509.Name.native` to not accidentally create nested lists when three
of more values for a single type are part of the name
- `x509.Name.human_friendly` now reverses the order of fields when the data
in an `x509.Name` was encoded in most-specific to least-specific order, which
is the opposite of the standard way of least-specific to most-specific.
- `x509.NameType.human_friendly` no longer raises an exception when an
unknown OID is encountered
- Raise a `ValueError` when parsing a `core.Set` and an unknown field is
encountered
## 0.15.0
- Added support for the TLS feature extension from RFC 7633
- `x509.Name.build()` now accepts a keyword parameter `use_printable` to force
string encoding to be `core.PrintableString` instead of `core.UTF8String`
- Added the functions `util.uri_to_iri()` and `util.iri_to_uri()`
- Changed `algos.SignedDigestAlgorithmId` to use the preferred OIDs when
mapping a unicode string name to an OID. Previously there were multiple OIDs
for some algorithms, and different OIDs would sometimes be selected due to
the fact that the `_map` `dict` is not ordered.
## 0.14.1
- Fixed a bug generating `x509.Certificate.sha1_fingerprint` on Python 2
## 0.14.0
- Added the `x509.Certificate.sha1_fingerprint` attribute
## 0.13.0
- Backwards compatibility break: the native representation of some
`algos.EncryptionAlgorithmId` values changed. `aes128` became `aes128_cbc`,
`aes192` became `aes192_cbc` and `aes256` became `aes256_cbc`.
- Added more OIDs to `algos.EncryptionAlgorithmId`
- Added more OIDs to `cms.KeyEncryptionAlgorithmId`
- `x509.Name.human_friendly` now properly supports multiple values per
`x509.NameTypeAndValue` object
- Added `ocsp.OCSPResponse.basic_ocsp_response` and
`ocsp.OCSPResponse.response_data` properties
- Added `algos.EncryptionAlgorithm.encryption_mode` property
- Fixed a bug with parsing times containing timezone offsets in Python 3
- The `attributes` field of `csr.CertificationRequestInfo` is now optional,
for compatibility with other ASN.1 parsers
## 0.12.2
- Correct `core.Sequence.__setitem__()` so set `core.VOID` to an optional
field when `None` is set
## 0.12.1
- Fixed a `unicode`/`bytes` bug with `x509.URI.dump()` on Python 2
## 0.12.0
- Backwards Compatibility Break: `core.NoValue` was renamed to `core.Void` and
a singleton was added as `core.VOID`
- 20-30% improvement in parsing performance
- `core.Void` now implements `__nonzero__`
- `core.Asn1Value.copy()` now performs a deep copy
- All `core` value classes are now compatible with the `copy` module
- `core.SequenceOf` and `core.SetOf` now implement `__contains__`
- Added `x509.Name.__len__()`
- Fixed a bug where `core.Choice.validate()` would not properly account for
explicit tagging
- `core.Choice.load()` now properly passes itself as the spec when parsing
- `x509.Certificate.crl_distribution_points` no longer throws an exception if
the `DistributionPoint` does not have a value for the `distribution_point`
field
## 0.11.1
- Corrected `core.UTCTime` to interpret year <= 49 as 20xx and >= 50 as 19xx
- `keys.PublicKeyInfo.hash_algo` can now handle DSA keys without parameters
- Added `crl.CertificateList.sha256` and `crl.CertificateList.sha1`
- Fixed `x509.Name.build()` to properly encode `country_name`, `serial_number`
and `dn_qualifier` as `core.PrintableString` as specified in RFC 5280,
instead of `core.UTF8String`
## 0.11.0
- Added Python 2.6 support
- Added ability to compare primitive type objects
- Implemented proper support for internationalized domains, URLs and email
addresses in `x509.Certificate`
- Comparing `x509.Name` and `x509.GeneralName` objects adheres to RFC 5280
- `x509.Certificate.self_signed` and `x509.Certificate.self_issued` no longer
require that certificate is for a CA
- Fixed `x509.Certificate.valid_domains` to adhere to RFC 6125
- Added `x509.Certificate.is_valid_domain_ip()`
- Added `x509.Certificate.sha1` and `x509.Certificate.sha256`
- Exposed `util.inet_ntop()` and `util.inet_pton()` for IP address encoding
- Improved exception messages for improper types to include type's module name
## 0.10.1
- Fixed bug in `core.Sequence` affecting Python 2.7 and pypy
## 0.10.0
- Added PEM encoding/decoding functionality
- `core.BitString` now uses item access instead of attributes for named bit
access
- `core.BitString.native` now uses a `set` of unicode strings when `_map` is
present
- Removed `core.Asn1Value.pprint()` method
- Added `core.ParsableOctetString` class
- Added `core.ParsableOctetBitString` class
- Added `core.Asn1Value.copy()` method
- Added `core.Asn1Value.debug()` method
- Added `core.SequenceOf.append()` method
- Added `core.Sequence.spec()` and `core.SequenceOf.spec()` methods
- Added correct IP address parsing to `x509.GeneralName`
- `x509.Name` and `x509.GeneralName` are now compared according to rules in
RFC 5280
- Added convenience attributes to:
- `algos.SignedDigestAlgorithm`
- `crl.CertificateList`
- `crl.RevokedCertificate`
- `keys.PublicKeyInfo`
- `ocsp.OCSPRequest`
- `ocsp.Request`
- `ocsp.OCSPResponse`
- `ocsp.SingleResponse`
- `x509.Certificate`
- `x509.Name`
- Added `asn1crypto.util` module with the following items:
- `int_to_bytes()`
- `int_from_bytes()`
- `timezone.utc`
- Added `setup.py clean` command
## 0.9.0
- Initial release