| # changelog |
| |
| ## 1.4.0 |
| |
| - `core.ObjectIdentifier` and all derived classes now obey X.660 ยง7.6 and |
| thus restrict the first arc to 0 to 2, and the second arc to less than |
| 40 if the first arc is 0 or 1. This also fixes parsing of OIDs where the |
| first arc is 2 and the second arc is greater than 39. |
| - Fixed `keys.PublicKeyInfo.bit_size` to return an int rather than a float |
| on Python 3 when working with elliptic curve keys |
| - Fixed the `asn1crypto-tests` sdist on PyPi to work properly to generate a |
| .whl |
| |
| ## 1.3.0 |
| |
| - Added `encrypt_key_pref` (`1.2.840.113549.1.9.16.2.11`) to |
| `cms.CMSAttributeType()`, along with related structures |
| - Added Brainpool curves from RFC 5639 to `keys.NamedCurve()` |
| - Fixed `x509.Certificate().subject_directory_attributes_value` |
| - Fixed some incorrectly computed minimum elliptic curve primary key |
| encoding sizes in `keys.NamedCurve()` |
| - Fixed a `TypeError` when trying to call `.untag()` or `.copy()` on a |
| `core.UTCTime()` or `core.GeneralizedTime()`, or a value containing one, |
| when using Python 2 |
| |
| ## 1.2.0 |
| |
| - Added `asn1crypto.load_order()`, which returns a `list` of unicode strings |
| of the names of the fully-qualified module names for all of submodules of |
| the package. The module names are listed in their dependency load order. |
| This is primarily intended for the sake of implementing hot reloading. |
| |
| ## 1.1.0 |
| |
| - Added User ID (`0.9.2342.19200300.100.1.1`) to `x509.NameType()` |
| - Added various EC named curves to `keys.NamedCurve()` |
| |
| ## 1.0.1 |
| |
| - Fix an absolute import in `keys` to a relative import |
| |
| ## 1.0.0 |
| |
| - Backwards Compatibility Breaks |
| - `cms.KeyEncryptionAlgorithmId().native` now returns the value |
| `"rsaes_pkcs1v15"` for OID `1.2.840.113549.1.1.1` instead of `"rsa"` |
| - Removed functionality to calculate public key values from private key |
| values. Alternatives have been added to oscrypto. |
| - `keys.PrivateKeyInfo().unwrap()` is now |
| `oscrypto.asymmetric.PrivateKey().unwrap()` |
| - `keys.PrivateKeyInfo().public_key` is now |
| `oscrypto.asymmetric.PrivateKey().public_key.unwrap()` |
| - `keys.PrivateKeyInfo().public_key_info` is now |
| `oscrypto.asymmetric.PrivateKey().public_key.asn1` |
| - `keys.PrivateKeyInfo().fingerprint` is now |
| `oscrypto.asymmetric.PrivateKey().fingerprint` |
| - `keys.PublicKeyInfo().unwrap()` is now |
| `oscrypto.asymmetric.PublicKey().unwrap()` |
| - `keys.PublicKeyInfo().fingerprint` is now |
| `oscrypto.asymmetric.PublicKey().fingerprint` |
| - Enhancements |
| - Significantly improved parsing of `core.UTCTime()` and |
| `core.GeneralizedTime()` values that include timezones and fractional |
| seconds |
| - `util.timezone` has a more complete implementation |
| - `core.Choice()` may now be constructed by a 2-element tuple or a 1-key |
| dict |
| - Added `x509.Certificate().not_valid_before` and |
| `x509.Certificate().not_valid_after` |
| - Added `core.BitString().unused_bits` |
| - Added `keys.NamedCurve.register()` for non-mainstream curve OIDs |
| - No longer try to load optional performance dependency, `libcrypto`, |
| on Mac or Linux |
| - `ocsp.CertStatus().native` will now return meaningful unicode string |
| values when the status choice is `"good"` or `"unknown"`. Previously |
| both returned `None` due to the way the structure was designed. |
| - Add support for explicit RSA SSA PSS (`1.2.840.113549.1.1.10`) to |
| `keys.PublicKeyInfo()` and `keys.PrivateKeyInfo()` |
| - Added structures for nested SHA-256 Windows PE signatures to |
| `cms.CMSAttribute()` |
| - Added RC4 (`1.2.840.113549.3.4`) to `algos.EncryptionAlgorithmId()` |
| - Added secp256k1 (`1.3.132.0.10`) to `keys.NamedCurve()` |
| - Added SHA-3 and SHAKE OIDs to `algos.DigestAlgorithmId()` and |
| `algos.HmacAlgorithmId()` |
| - Added RSA ES OAEP (`1.2.840.113549.1.1.7`) to |
| `cms.KeyEncryptionAlgorithmId()` |
| - Add IKE Intermediate (`1.3.6.1.5.5.8.2.2`) to `x509.KeyPurposeId()` |
| - `x509.EmailAddress()` and `x509.DNSName()` now handle invalidly-encoded |
| values using tags for `core.PrintableString()` and `core.UTF8String()` |
| - Add parameter structue from RFC 5084 for AES-CCM to |
| `algos.EncryptionAlgorithm()` |
| - Improved robustness of parsing broken `core.Sequence()` and |
| `core.SequenceOf()` values |
| - Bug Fixes |
| - Fixed encoding of tag values over 30 |
| - `core.IntegerBitString()` and `core.IntegerOctetString()` now restrict |
| values to non-negative integers since negative values are not |
| implemented |
| - When copying or dumping a BER-encoded indefinite-length value, |
| automatically force re-encoding to DER. *To ensure all nested values are |
| always DER-encoded, `.dump(True)` must be called.* |
| - Fix `UnboundLocalError` when calling `x509.IPAddress().native` on an |
| encoded value that has a length of zero |
| - Fixed passing `class_` via unicode string name to `core.Asn1Value()` |
| - Fixed a bug where EC private keys with leading null bytes would be |
| encoded in `keys.ECPrivateKey()` more narrowly than RFC 5915 requires |
| - Fixed some edge-case bugs in `util.int_to_bytes()` |
| - `x509.URI()` now only normalizes values when comparing |
| - Fixed BER-decoding of indefinite length `core.BitString()` |
| - Fixed DER-encoding of empty `core.BitString()` |
| - Fixed a missing return value for `core.Choice().parse()` |
| - Fixed `core.Choice().contents` working when the chosen alternative is a |
| `core.Choice()` also |
| - Fixed parsing and encoding of nested `core.Choice()` objects |
| - Fixed a bug causing `core.ObjectIdentifier().native` to sometimes not |
| map the OID |
| - Packaging |
| - `wheel`, `sdist` and `bdist_egg` releases now all include LICENSE, |
| `sdist` includes docs |
| - Added `asn1crypto_tests` package to PyPi |
| |
| ## 0.24.0 |
| |
| - `x509.Certificate().self_signed` will no longer return `"yes"` under any |
| circumstances. This helps prevent confusion since the library does not |
| verify the signature. Instead a library like oscrypto should be used |
| to confirm if a certificate is self-signed. |
| - Added various OIDs to `x509.KeyPurposeId()` |
| - Added `x509.Certificate().private_key_usage_period_value` |
| - Added structures for parsing common subject directory attributes for |
| X.509 certificates, including `x509.SubjectDirectoryAttribute()` |
| - Added `algos.AnyAlgorithmIdentifier()` for situations where an |
| algorithm identifier may contain a digest, signed digest or encryption |
| algorithm OID |
| - Fixed a bug with `x509.Certificate().subject_directory_attributes_value` |
| not returning the correct value |
| - Fixed a bug where explicitly-tagged fields in a `core.Sequence()` would |
| not function properly when the field had a default value |
| - Fixed a bug with type checking in `pem.armor()` |
| |
| ## 0.23.0 |
| |
| - Backwards compatibility break: the `tag_type`, `explicit_tag` and |
| `explicit_class` attributes on `core.Asn1Value` no longer exist and were |
| replaced by the `implicit` and `explicit` attributes. Field param dicts |
| may use the new `explicit` and `implicit` keys, or the old `tag_type` and |
| `tag` keys. The attribute changes will likely to have little to no impact |
| since they were primarily an implementation detail. |
| - Teletex strings used inside of X.509 certificates are now interpreted |
| using Windows-1252 (a superset of ISO-8859-1). This enables compatibility |
| with certificates generated by OpenSSL. Strict parsing of Teletex strings |
| can be retained by using the `x509.strict_teletex()` context manager. |
| - Added support for nested explicit tagging, supporting values that are |
| defined with explicit tagging and then added as a field of another |
| structure using explicit tagging. |
| - Fixed a `UnicodeDecodeError` when trying to find the (optional) dependency |
| OpenSSL on Python 2 |
| - Fixed `next_update` field of `crl.TbsCertList` to be optional |
| - Added the `x509.Certificate.sha256_fingerprint` property |
| - `x509.Certificate.ocsp_urls` and `x509.DistributionPoint.url` will now |
| return `https://`, `ldap://` and `ldaps://` URLs in addition to `http://`. |
| - Added CMS Attribute Protection definitions from RFC 6211 |
| - Added OIDs from RFC 6962 |
| |
| ## 0.22.0 |
| |
| - Added `parser.peek()` |
| - Implemented proper support for BER-encoded indefinite length strings of |
| all kinds - `core.BitString`, `core.OctetString` and all of the `core` |
| classes that are natively represented as Python unicode strings |
| - Fixed a bug with encoding LDAP URLs in `x509.URI` |
| - Correct `x509.DNSName` to allow a leading `.`, such as when used with |
| `x509.NameConstraints` |
| - Fixed an issue with dumping the parsed contents of `core.Any` when |
| explicitly tagged |
| - Custom `setup.py clean` now accepts the short `-a` flag for compatibility |
| |
| ## 0.21.1 |
| |
| - Fixed a regression where explicit tagging of a field containing a |
| `core.Choice` would result in an incorrect header |
| - Fixed a bug where an `IndexError` was being raised instead of a `ValueError` |
| when a value was truncated to not include enough bytes for the header |
| - Corrected the spec for the `value` field of `pkcs12.Attribute` |
| - Added support for `2.16.840.1.113894.746875.1.1` OID to |
| `pkcs12.AttributeType` |
| |
| ## 0.21.0 |
| |
| - Added `core.load()` for loading standard, universal types without knowing |
| the spec beforehand |
| - Added a `strict` keyword arg to the various `load()` methods and functions in |
| `core` that checks for trailing data and raises a `ValueError` when found |
| - Added `asn1crypto.parser` submodule with `emit()` and `parse()` functions for |
| low-level integration |
| - Added `asn1crypto.version` for version introspection without side-effects |
| - Added `algos.DSASignature` |
| - Fixed a bug with the `_header` attribute of explicitly-tagged values only |
| containing the explicit tag header instead of both the explicit tag header |
| and the encapsulated value header |
| |
| ## 0.20.0 |
| |
| - Added support for year 0 |
| - Added the OID for unique identifier to `x509.NameType` |
| - Fixed a bug creating the native representation of a `core.BitString` with |
| leading null bytes |
| - Added a `.cast()` method to allow converting between different |
| representations of the same data, e.g. `core.BitString` and |
| `core.OctetBitString` |
| |
| ## 0.19.0 |
| |
| - Force `algos.DigestAlgorithm` to encoding `parameters` as `Null` when the |
| `algorithm` is `sha1`, `sha224`, `sha256`, `sha384` or `sha512` per RFC 4055 |
| - Resolved an issue where a BER-encoded indefinite-length value could not be |
| properly parsed when embedded inside of a `core.Sequence` or `core.Set` |
| - Fix `x509.Name.build()` to properly handle dotted OID type values |
| - `core.Choice` can now be constructed from a single-element `dict` or a |
| two-element `tuple` to allow for better usability when constructing values |
| from native Python values |
| - All `core` objects can now be passed to `print()` with an exception being |
| raised |
| |
| ## 0.18.5 |
| |
| - Don't fail importing if `ctypes` or `_ctypes` is not available |
| |
| ## 0.18.4 |
| |
| - `core.Sequence` will now raise an exception when an unknown field is provided |
| - Prevent `UnicodeDecodeError` on Python 2 when calling |
| `core.OctetString.debug()` |
| - Corrected the default value for the `hash_algorithm` field of |
| `tsp.ESSCertIDv2` |
| - Fixed a bug constructing a `cms.SignedData` object |
| - Ensure that specific RSA OIDs are always paired with `parameters` set to |
| `core.Null` |
| |
| ## 0.18.3 |
| |
| - Fixed DER encoding of `core.BitString` when a `_map` is specified (i.e. a |
| "named bit list") to omit trailing zero bits. This fixes compliance of |
| various `x509` structures with RFC 5280. |
| - Corrected a side effect in `keys.PrivateKeyInfo.wrap()` that would cause the |
| original `keys.ECPrivateKey` structure to become corrupt |
| - `core.IntegerOctetString` now correctly encodes the integer as an unsigned |
| value when converting to bytes. Previously decoding was unsigned, but |
| encoding was signed. |
| - Fix `util.int_from_bytes()` on Python 2 to return `0` from an empty byte |
| string |
| |
| ## 0.18.2 |
| |
| - Allow `_perf` submodule to be removed from source tree when embedding |
| |
| ## 0.18.1 |
| |
| - Fixed DER encoding of `core.Set` and `core.SetOf` |
| - Fixed a bug in `x509.Name.build()` that could generate invalid DER encoding |
| - Improved exception messages when parsing nested structures via the `.native` |
| attribute |
| - `algos.SignedDigestAlgorithm` now ensures the `parameters` are set to |
| `Null` when `algorithm` is `sha224_rsa`, `sha256_rsa`, `sha384_rsa` or |
| `sha512_rsa`, per RFC 4055 |
| - Corrected the definition of `pdf.AdobeTimestamp` to mark the |
| `requires_auth` field as optional |
| - Add support for the OID `1.2.840.113549.1.9.16.2.14` to |
| `cms.CMSAttributeType` |
| - Improve attribute support for `cms.AttributeCertificateV2` |
| - Handle `cms.AttributeCertificateV2` when incorrectly tagged as |
| `cms.AttributeCertificateV1` in `cms.CertificateChoices` |
| |
| ## 0.18.0 |
| |
| - Improved general parsing performance by 10-15% |
| - Add support for Windows XP |
| - Added `core.ObjectIdentifier.dotted` attribute to always return dotted |
| integer unicode string |
| - Added `core.ObjectIdentifier.map()` and `core.ObjectIdentifier.unmap()` |
| class methods to map dotted integer unicode strings to user-friendly unicode |
| strings and back |
| - Added various Apple OIDs to `x509.KeyPurposeId` |
| - Fixed a bug parsing nested indefinite-length-encoded values |
| - Fixed a bug with `x509.Certificate.issuer_alt_name_value` if it is the first |
| extension queried |
| - `keys.PublicKeyInfo.bit_size` and `keys.PrivateKeyInfo.bit_size` values are |
| now rounded up to the next closest multiple of 8 |
| |
| ## 0.17.1 |
| |
| - Fix a bug in `x509.URI` parsing IRIs containing explicit port numbers on |
| Python 3.x |
| |
| ## 0.17.0 |
| |
| - Added `x509.TrustedCertificate` for handling OpenSSL auxiliary certificate |
| information appended after a certificate |
| - Added `core.Concat` class for situations such as `x509.TrustedCertificate` |
| - Allow "broken" X.509 certificates to use `core.IA5String` where an |
| `x509.DirectoryString` should be used instead |
| - Added `keys.PrivateKeyInfo.public_key_info` attribute |
| - Added a bunch of OIDs to `x509.KeyPurposeId` |
| |
| ## 0.16.0 |
| |
| - Added DH key exchange structures: `algos.KeyExchangeAlgorithm`, |
| `algos.KeyExchangeAlgorithmId` and `algos.DHParameters`. |
| - Added DH public key support to `keys.PublicKeyInfo`, |
| `keys.PublicKeyAlgorithm` and `keys.PublicKeyAlgorithmId`. New structures |
| include `keys.DomainParameters` and `keys.ValidationParms`. |
| |
| ## 0.15.1 |
| |
| - Fixed `cms.CMSAttributes` to be a `core.SetOf` instead of `core.SequenceOf` |
| - `cms.CMSAttribute` can now parse unknown attribute contrustruct without an |
| exception being raised |
| - `x509.PolicyMapping` now uses `x509.PolicyIdentifier` for field types |
| - Fixed `pdf.RevocationInfoArchival` so that all fields are now of the type |
| `core.SequenceOf` instead of a single value |
| - Added support for the `name_distinguisher`, `telephone_number` and |
| `organization_identifier` OIDs to `x509.Name` |
| - Fixed `x509.Name.native` to not accidentally create nested lists when three |
| of more values for a single type are part of the name |
| - `x509.Name.human_friendly` now reverses the order of fields when the data |
| in an `x509.Name` was encoded in most-specific to least-specific order, which |
| is the opposite of the standard way of least-specific to most-specific. |
| - `x509.NameType.human_friendly` no longer raises an exception when an |
| unknown OID is encountered |
| - Raise a `ValueError` when parsing a `core.Set` and an unknown field is |
| encountered |
| |
| ## 0.15.0 |
| |
| - Added support for the TLS feature extension from RFC 7633 |
| - `x509.Name.build()` now accepts a keyword parameter `use_printable` to force |
| string encoding to be `core.PrintableString` instead of `core.UTF8String` |
| - Added the functions `util.uri_to_iri()` and `util.iri_to_uri()` |
| - Changed `algos.SignedDigestAlgorithmId` to use the preferred OIDs when |
| mapping a unicode string name to an OID. Previously there were multiple OIDs |
| for some algorithms, and different OIDs would sometimes be selected due to |
| the fact that the `_map` `dict` is not ordered. |
| |
| ## 0.14.1 |
| |
| - Fixed a bug generating `x509.Certificate.sha1_fingerprint` on Python 2 |
| |
| ## 0.14.0 |
| |
| - Added the `x509.Certificate.sha1_fingerprint` attribute |
| |
| ## 0.13.0 |
| |
| - Backwards compatibility break: the native representation of some |
| `algos.EncryptionAlgorithmId` values changed. `aes128` became `aes128_cbc`, |
| `aes192` became `aes192_cbc` and `aes256` became `aes256_cbc`. |
| - Added more OIDs to `algos.EncryptionAlgorithmId` |
| - Added more OIDs to `cms.KeyEncryptionAlgorithmId` |
| - `x509.Name.human_friendly` now properly supports multiple values per |
| `x509.NameTypeAndValue` object |
| - Added `ocsp.OCSPResponse.basic_ocsp_response` and |
| `ocsp.OCSPResponse.response_data` properties |
| - Added `algos.EncryptionAlgorithm.encryption_mode` property |
| - Fixed a bug with parsing times containing timezone offsets in Python 3 |
| - The `attributes` field of `csr.CertificationRequestInfo` is now optional, |
| for compatibility with other ASN.1 parsers |
| |
| ## 0.12.2 |
| |
| - Correct `core.Sequence.__setitem__()` so set `core.VOID` to an optional |
| field when `None` is set |
| |
| ## 0.12.1 |
| |
| - Fixed a `unicode`/`bytes` bug with `x509.URI.dump()` on Python 2 |
| |
| ## 0.12.0 |
| |
| - Backwards Compatibility Break: `core.NoValue` was renamed to `core.Void` and |
| a singleton was added as `core.VOID` |
| - 20-30% improvement in parsing performance |
| - `core.Void` now implements `__nonzero__` |
| - `core.Asn1Value.copy()` now performs a deep copy |
| - All `core` value classes are now compatible with the `copy` module |
| - `core.SequenceOf` and `core.SetOf` now implement `__contains__` |
| - Added `x509.Name.__len__()` |
| - Fixed a bug where `core.Choice.validate()` would not properly account for |
| explicit tagging |
| - `core.Choice.load()` now properly passes itself as the spec when parsing |
| - `x509.Certificate.crl_distribution_points` no longer throws an exception if |
| the `DistributionPoint` does not have a value for the `distribution_point` |
| field |
| |
| ## 0.11.1 |
| |
| - Corrected `core.UTCTime` to interpret year <= 49 as 20xx and >= 50 as 19xx |
| - `keys.PublicKeyInfo.hash_algo` can now handle DSA keys without parameters |
| - Added `crl.CertificateList.sha256` and `crl.CertificateList.sha1` |
| - Fixed `x509.Name.build()` to properly encode `country_name`, `serial_number` |
| and `dn_qualifier` as `core.PrintableString` as specified in RFC 5280, |
| instead of `core.UTF8String` |
| |
| ## 0.11.0 |
| |
| - Added Python 2.6 support |
| - Added ability to compare primitive type objects |
| - Implemented proper support for internationalized domains, URLs and email |
| addresses in `x509.Certificate` |
| - Comparing `x509.Name` and `x509.GeneralName` objects adheres to RFC 5280 |
| - `x509.Certificate.self_signed` and `x509.Certificate.self_issued` no longer |
| require that certificate is for a CA |
| - Fixed `x509.Certificate.valid_domains` to adhere to RFC 6125 |
| - Added `x509.Certificate.is_valid_domain_ip()` |
| - Added `x509.Certificate.sha1` and `x509.Certificate.sha256` |
| - Exposed `util.inet_ntop()` and `util.inet_pton()` for IP address encoding |
| - Improved exception messages for improper types to include type's module name |
| |
| ## 0.10.1 |
| |
| - Fixed bug in `core.Sequence` affecting Python 2.7 and pypy |
| |
| ## 0.10.0 |
| |
| - Added PEM encoding/decoding functionality |
| - `core.BitString` now uses item access instead of attributes for named bit |
| access |
| - `core.BitString.native` now uses a `set` of unicode strings when `_map` is |
| present |
| - Removed `core.Asn1Value.pprint()` method |
| - Added `core.ParsableOctetString` class |
| - Added `core.ParsableOctetBitString` class |
| - Added `core.Asn1Value.copy()` method |
| - Added `core.Asn1Value.debug()` method |
| - Added `core.SequenceOf.append()` method |
| - Added `core.Sequence.spec()` and `core.SequenceOf.spec()` methods |
| - Added correct IP address parsing to `x509.GeneralName` |
| - `x509.Name` and `x509.GeneralName` are now compared according to rules in |
| RFC 5280 |
| - Added convenience attributes to: |
| - `algos.SignedDigestAlgorithm` |
| - `crl.CertificateList` |
| - `crl.RevokedCertificate` |
| - `keys.PublicKeyInfo` |
| - `ocsp.OCSPRequest` |
| - `ocsp.Request` |
| - `ocsp.OCSPResponse` |
| - `ocsp.SingleResponse` |
| - `x509.Certificate` |
| - `x509.Name` |
| - Added `asn1crypto.util` module with the following items: |
| - `int_to_bytes()` |
| - `int_from_bytes()` |
| - `timezone.utc` |
| - Added `setup.py clean` command |
| |
| ## 0.9.0 |
| |
| - Initial release |
