38.0.0 - 2022-09-06
~~~~~~~~~~~~~~~~~~~
* Final deprecation of OpenSSL 1.1.0. The next release of ``cryptography``
will drop support.
* We no longer ship ``manylinux2010`` wheels. Users should upgrade to the
latest ``pip`` to ensure this doesn't cause issues downloading wheels on
their platform. We now ship ``manylinux_2_28`` wheels for users on new
enough platforms.
* Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0.
Users with the latest ``pip`` will typically get a wheel and not need Rust
installed, but check :doc:`/installation` for documentation on installing a
newer ``rustc`` if required.
* :meth:`~cryptography.fernet.Fernet.decrypt` and related methods now accept
both ``str`` and ``bytes`` tokens.
* Parsing ``CertificateSigningRequest`` restores the behavior of enforcing
that the ``Extension`` ``critical`` field must be correctly encoded DER. See
`the issue <https://github.com/pyca/cryptography/issues/6368>`_ for complete
details.
* Added two new OpenSSL functions to the bindings to support an upcoming
``pyOpenSSL`` release.
* When parsing :class:`~cryptography.x509.CertificateRevocationList` and
:class:`~cryptography.x509.CertificateSigningRequest` values, it is now
enforced that the ``version`` value in the input must be valid according to
the rules of :rfc:`2986` and :rfc:`5280`.
* Using MD5 or SHA1 in :class:`~cryptography.x509.CertificateBuilder` and
other X.509 builders is deprecated and support will be removed in the next
version.
* Added additional APIs to
:class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp`, including
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_hash_algorithm`,
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_algorithm`,
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature`, and
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.extension_bytes`.
* Added :attr:`~cryptography.x509.Certificate.tbs_precertificate_bytes`, allowing
users to access the to-be-signed pre-certificate data needed for signed
certificate timestamp verification.
* :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC` and
:class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC` now support
:attr:`~cryptography.hazmat.primitives.kdf.kbkdf.CounterLocation.MiddleFixed`
counter location.
* Fixed :rfc:`4514` name parsing to reverse the order of the RDNs according
to the section 2.1 of the RFC, affecting method
:meth:`~cryptography.x509.Name.from_rfc4514_string`.
* It is now possible to customize some aspects of encryption when serializing
private keys, using
:meth:`~cryptography.hazmat.primitives.serialization.PrivateFormat.encryption_builder`.
* Removed several legacy symbols from our OpenSSL bindings. Users of pyOpenSSL
versions older than 22.0 will need to upgrade.
* Added
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES128` and
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES256` classes.
These classes do not replace
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` (which
allows all AES key lengths), but are intended for applications where
developers want to be explicit about key length.
9ec5d3d1a2