1# changelog 2 3## 1.5.1 4 5 - Handle RSASSA-PSS in `keys.PrivateKeyInfo.bit_size` and 6 `keys.PublicKeyInfo.bit_size` 7 - Handle RSASSA-PSS in `keys.PrivateKeyInfo.wrap` and 8 `keys.PublicKeyInfo.wrap` 9 - Updated docs for `keys.PrivateKeyInfo.algorithm` and 10 `keys.PublicKeyInfo.algorithm` to reflect that they can return 11 `"rsassa_pss"` 12 13## 1.5.0 14 15 - Fix `tsp.TimeStampAndCRL` to be a `core.Sequence` instead of a 16 `core.SequenceOf` *via @joernheissler* 17 - Added OIDs for Edwards curves from RFC 8410 - via @MatthiasValvekens 18 - Fixed convenience attributes on `algos.EncryptionAlgorithm` when the 19 algorithm is RC2 *via @joernheissler* 20 - Added Microsoft OIDs `microsoft_enrollment_csp_provider` 21 (`1.3.6.1.4.1.311.13.2.2`), `microsoft_os_version` 22 (`1.3.6.1.4.1.311.13.2.3`) and `microsoft_request_client_info` 23 (`1.3.6.1.4.1.311.21.20`) 24 to `csr.CSRAttributeType` along with supporting extension structures 25 *via @qha* 26 - Added Microsoft OID `microsoft_enroll_certtype` (`1.3.6.1.4.1.311.20.2`) 27 to `x509.ExtensionId` *via @qha* 28 - Fixed a few bugs with parsing indefinite-length encodings *via @davidben* 29 - Added various bounds checks to parsing engine *via @davidben* 30 - Fixed a bug with tags not always being minimally encoded *via @davidben* 31 - Fixed `cms.RoleSyntax`, `cms.SecurityCategory` and `cms.AttCertIssuer` to 32 have explicit instead of implicit tagging *via @MatthiasValvekens* 33 - Fixed tagging of, and default value for fields in `cms.Clearance` *via 34 @MatthiasValvekens* 35 - Fixed calling `.dump(force=True)` when the value has undefined/unknown 36 `core.Sequence` fields. Previously the value would be truncated, now 37 the existing encoding is preserved. 38 - Added sMIME capabilities (`1.2.840.113549.1.9.15`) support from RFC 2633 39 to `cms.CMSAttribute` *via Hellzed* 40 41## 1.4.0 42 43 - `core.ObjectIdentifier` and all derived classes now obey X.660 §7.6 and 44 thus restrict the first arc to 0 to 2, and the second arc to less than 45 40 if the first arc is 0 or 1. This also fixes parsing of OIDs where the 46 first arc is 2 and the second arc is greater than 39. 47 - Fixed `keys.PublicKeyInfo.bit_size` to return an int rather than a float 48 on Python 3 when working with elliptic curve keys 49 - Fixed the `asn1crypto-tests` sdist on PyPi to work properly to generate a 50 .whl 51 52## 1.3.0 53 54 - Added `encrypt_key_pref` (`1.2.840.113549.1.9.16.2.11`) to 55 `cms.CMSAttributeType()`, along with related structures 56 - Added Brainpool curves from RFC 5639 to `keys.NamedCurve()` 57 - Fixed `x509.Certificate().subject_directory_attributes_value` 58 - Fixed some incorrectly computed minimum elliptic curve primary key 59 encoding sizes in `keys.NamedCurve()` 60 - Fixed a `TypeError` when trying to call `.untag()` or `.copy()` on a 61 `core.UTCTime()` or `core.GeneralizedTime()`, or a value containing one, 62 when using Python 2 63 64## 1.2.0 65 66 - Added `asn1crypto.load_order()`, which returns a `list` of unicode strings 67 of the names of the fully-qualified module names for all of submodules of 68 the package. The module names are listed in their dependency load order. 69 This is primarily intended for the sake of implementing hot reloading. 70 71## 1.1.0 72 73 - Added User ID (`0.9.2342.19200300.100.1.1`) to `x509.NameType()` 74 - Added various EC named curves to `keys.NamedCurve()` 75 76## 1.0.1 77 78 - Fix an absolute import in `keys` to a relative import 79 80## 1.0.0 81 82 - Backwards Compatibility Breaks 83 - `cms.KeyEncryptionAlgorithmId().native` now returns the value 84 `"rsaes_pkcs1v15"` for OID `1.2.840.113549.1.1.1` instead of `"rsa"` 85 - Removed functionality to calculate public key values from private key 86 values. Alternatives have been added to oscrypto. 87 - `keys.PrivateKeyInfo().unwrap()` is now 88 `oscrypto.asymmetric.PrivateKey().unwrap()` 89 - `keys.PrivateKeyInfo().public_key` is now 90 `oscrypto.asymmetric.PrivateKey().public_key.unwrap()` 91 - `keys.PrivateKeyInfo().public_key_info` is now 92 `oscrypto.asymmetric.PrivateKey().public_key.asn1` 93 - `keys.PrivateKeyInfo().fingerprint` is now 94 `oscrypto.asymmetric.PrivateKey().fingerprint` 95 - `keys.PublicKeyInfo().unwrap()` is now 96 `oscrypto.asymmetric.PublicKey().unwrap()` 97 - `keys.PublicKeyInfo().fingerprint` is now 98 `oscrypto.asymmetric.PublicKey().fingerprint` 99 - Enhancements 100 - Significantly improved parsing of `core.UTCTime()` and 101 `core.GeneralizedTime()` values that include timezones and fractional 102 seconds 103 - `util.timezone` has a more complete implementation 104 - `core.Choice()` may now be constructed by a 2-element tuple or a 1-key 105 dict 106 - Added `x509.Certificate().not_valid_before` and 107 `x509.Certificate().not_valid_after` 108 - Added `core.BitString().unused_bits` 109 - Added `keys.NamedCurve.register()` for non-mainstream curve OIDs 110 - No longer try to load optional performance dependency, `libcrypto`, 111 on Mac or Linux 112 - `ocsp.CertStatus().native` will now return meaningful unicode string 113 values when the status choice is `"good"` or `"unknown"`. Previously 114 both returned `None` due to the way the structure was designed. 115 - Add support for explicit RSA SSA PSS (`1.2.840.113549.1.1.10`) to 116 `keys.PublicKeyInfo()` and `keys.PrivateKeyInfo()` 117 - Added structures for nested SHA-256 Windows PE signatures to 118 `cms.CMSAttribute()` 119 - Added RC4 (`1.2.840.113549.3.4`) to `algos.EncryptionAlgorithmId()` 120 - Added secp256k1 (`1.3.132.0.10`) to `keys.NamedCurve()` 121 - Added SHA-3 and SHAKE OIDs to `algos.DigestAlgorithmId()` and 122 `algos.HmacAlgorithmId()` 123 - Added RSA ES OAEP (`1.2.840.113549.1.1.7`) to 124 `cms.KeyEncryptionAlgorithmId()` 125 - Add IKE Intermediate (`1.3.6.1.5.5.8.2.2`) to `x509.KeyPurposeId()` 126 - `x509.EmailAddress()` and `x509.DNSName()` now handle invalidly-encoded 127 values using tags for `core.PrintableString()` and `core.UTF8String()` 128 - Add parameter structue from RFC 5084 for AES-CCM to 129 `algos.EncryptionAlgorithm()` 130 - Improved robustness of parsing broken `core.Sequence()` and 131 `core.SequenceOf()` values 132 - Bug Fixes 133 - Fixed encoding of tag values over 30 134 - `core.IntegerBitString()` and `core.IntegerOctetString()` now restrict 135 values to non-negative integers since negative values are not 136 implemented 137 - When copying or dumping a BER-encoded indefinite-length value, 138 automatically force re-encoding to DER. *To ensure all nested values are 139 always DER-encoded, `.dump(True)` must be called.* 140 - Fix `UnboundLocalError` when calling `x509.IPAddress().native` on an 141 encoded value that has a length of zero 142 - Fixed passing `class_` via unicode string name to `core.Asn1Value()` 143 - Fixed a bug where EC private keys with leading null bytes would be 144 encoded in `keys.ECPrivateKey()` more narrowly than RFC 5915 requires 145 - Fixed some edge-case bugs in `util.int_to_bytes()` 146 - `x509.URI()` now only normalizes values when comparing 147 - Fixed BER-decoding of indefinite length `core.BitString()` 148 - Fixed DER-encoding of empty `core.BitString()` 149 - Fixed a missing return value for `core.Choice().parse()` 150 - Fixed `core.Choice().contents` working when the chosen alternative is a 151 `core.Choice()` also 152 - Fixed parsing and encoding of nested `core.Choice()` objects 153 - Fixed a bug causing `core.ObjectIdentifier().native` to sometimes not 154 map the OID 155 - Packaging 156 - `wheel`, `sdist` and `bdist_egg` releases now all include LICENSE, 157 `sdist` includes docs 158 - Added `asn1crypto_tests` package to PyPi 159 160## 0.24.0 161 162 - `x509.Certificate().self_signed` will no longer return `"yes"` under any 163 circumstances. This helps prevent confusion since the library does not 164 verify the signature. Instead a library like oscrypto should be used 165 to confirm if a certificate is self-signed. 166 - Added various OIDs to `x509.KeyPurposeId()` 167 - Added `x509.Certificate().private_key_usage_period_value` 168 - Added structures for parsing common subject directory attributes for 169 X.509 certificates, including `x509.SubjectDirectoryAttribute()` 170 - Added `algos.AnyAlgorithmIdentifier()` for situations where an 171 algorithm identifier may contain a digest, signed digest or encryption 172 algorithm OID 173 - Fixed a bug with `x509.Certificate().subject_directory_attributes_value` 174 not returning the correct value 175 - Fixed a bug where explicitly-tagged fields in a `core.Sequence()` would 176 not function properly when the field had a default value 177 - Fixed a bug with type checking in `pem.armor()` 178 179## 0.23.0 180 181 - Backwards compatibility break: the `tag_type`, `explicit_tag` and 182 `explicit_class` attributes on `core.Asn1Value` no longer exist and were 183 replaced by the `implicit` and `explicit` attributes. Field param dicts 184 may use the new `explicit` and `implicit` keys, or the old `tag_type` and 185 `tag` keys. The attribute changes will likely to have little to no impact 186 since they were primarily an implementation detail. 187 - Teletex strings used inside of X.509 certificates are now interpreted 188 using Windows-1252 (a superset of ISO-8859-1). This enables compatibility 189 with certificates generated by OpenSSL. Strict parsing of Teletex strings 190 can be retained by using the `x509.strict_teletex()` context manager. 191 - Added support for nested explicit tagging, supporting values that are 192 defined with explicit tagging and then added as a field of another 193 structure using explicit tagging. 194 - Fixed a `UnicodeDecodeError` when trying to find the (optional) dependency 195 OpenSSL on Python 2 196 - Fixed `next_update` field of `crl.TbsCertList` to be optional 197 - Added the `x509.Certificate.sha256_fingerprint` property 198 - `x509.Certificate.ocsp_urls` and `x509.DistributionPoint.url` will now 199 return `https://`, `ldap://` and `ldaps://` URLs in addition to `http://`. 200 - Added CMS Attribute Protection definitions from RFC 6211 201 - Added OIDs from RFC 6962 202 203## 0.22.0 204 205 - Added `parser.peek()` 206 - Implemented proper support for BER-encoded indefinite length strings of 207 all kinds - `core.BitString`, `core.OctetString` and all of the `core` 208 classes that are natively represented as Python unicode strings 209 - Fixed a bug with encoding LDAP URLs in `x509.URI` 210 - Correct `x509.DNSName` to allow a leading `.`, such as when used with 211 `x509.NameConstraints` 212 - Fixed an issue with dumping the parsed contents of `core.Any` when 213 explicitly tagged 214 - Custom `setup.py clean` now accepts the short `-a` flag for compatibility 215 216## 0.21.1 217 218 - Fixed a regression where explicit tagging of a field containing a 219 `core.Choice` would result in an incorrect header 220 - Fixed a bug where an `IndexError` was being raised instead of a `ValueError` 221 when a value was truncated to not include enough bytes for the header 222 - Corrected the spec for the `value` field of `pkcs12.Attribute` 223 - Added support for `2.16.840.1.113894.746875.1.1` OID to 224 `pkcs12.AttributeType` 225 226## 0.21.0 227 228 - Added `core.load()` for loading standard, universal types without knowing 229 the spec beforehand 230 - Added a `strict` keyword arg to the various `load()` methods and functions in 231 `core` that checks for trailing data and raises a `ValueError` when found 232 - Added `asn1crypto.parser` submodule with `emit()` and `parse()` functions for 233 low-level integration 234 - Added `asn1crypto.version` for version introspection without side-effects 235 - Added `algos.DSASignature` 236 - Fixed a bug with the `_header` attribute of explicitly-tagged values only 237 containing the explicit tag header instead of both the explicit tag header 238 and the encapsulated value header 239 240## 0.20.0 241 242 - Added support for year 0 243 - Added the OID for unique identifier to `x509.NameType` 244 - Fixed a bug creating the native representation of a `core.BitString` with 245 leading null bytes 246 - Added a `.cast()` method to allow converting between different 247 representations of the same data, e.g. `core.BitString` and 248 `core.OctetBitString` 249 250## 0.19.0 251 252 - Force `algos.DigestAlgorithm` to encoding `parameters` as `Null` when the 253 `algorithm` is `sha1`, `sha224`, `sha256`, `sha384` or `sha512` per RFC 4055 254 - Resolved an issue where a BER-encoded indefinite-length value could not be 255 properly parsed when embedded inside of a `core.Sequence` or `core.Set` 256 - Fix `x509.Name.build()` to properly handle dotted OID type values 257 - `core.Choice` can now be constructed from a single-element `dict` or a 258 two-element `tuple` to allow for better usability when constructing values 259 from native Python values 260 - All `core` objects can now be passed to `print()` with an exception being 261 raised 262 263## 0.18.5 264 265 - Don't fail importing if `ctypes` or `_ctypes` is not available 266 267## 0.18.4 268 269 - `core.Sequence` will now raise an exception when an unknown field is provided 270 - Prevent `UnicodeDecodeError` on Python 2 when calling 271 `core.OctetString.debug()` 272 - Corrected the default value for the `hash_algorithm` field of 273 `tsp.ESSCertIDv2` 274 - Fixed a bug constructing a `cms.SignedData` object 275 - Ensure that specific RSA OIDs are always paired with `parameters` set to 276 `core.Null` 277 278## 0.18.3 279 280 - Fixed DER encoding of `core.BitString` when a `_map` is specified (i.e. a 281 "named bit list") to omit trailing zero bits. This fixes compliance of 282 various `x509` structures with RFC 5280. 283 - Corrected a side effect in `keys.PrivateKeyInfo.wrap()` that would cause the 284 original `keys.ECPrivateKey` structure to become corrupt 285 - `core.IntegerOctetString` now correctly encodes the integer as an unsigned 286 value when converting to bytes. Previously decoding was unsigned, but 287 encoding was signed. 288 - Fix `util.int_from_bytes()` on Python 2 to return `0` from an empty byte 289 string 290 291## 0.18.2 292 293 - Allow `_perf` submodule to be removed from source tree when embedding 294 295## 0.18.1 296 297 - Fixed DER encoding of `core.Set` and `core.SetOf` 298 - Fixed a bug in `x509.Name.build()` that could generate invalid DER encoding 299 - Improved exception messages when parsing nested structures via the `.native` 300 attribute 301 - `algos.SignedDigestAlgorithm` now ensures the `parameters` are set to 302 `Null` when `algorithm` is `sha224_rsa`, `sha256_rsa`, `sha384_rsa` or 303 `sha512_rsa`, per RFC 4055 304 - Corrected the definition of `pdf.AdobeTimestamp` to mark the 305 `requires_auth` field as optional 306 - Add support for the OID `1.2.840.113549.1.9.16.2.14` to 307 `cms.CMSAttributeType` 308 - Improve attribute support for `cms.AttributeCertificateV2` 309 - Handle `cms.AttributeCertificateV2` when incorrectly tagged as 310 `cms.AttributeCertificateV1` in `cms.CertificateChoices` 311 312## 0.18.0 313 314 - Improved general parsing performance by 10-15% 315 - Add support for Windows XP 316 - Added `core.ObjectIdentifier.dotted` attribute to always return dotted 317 integer unicode string 318 - Added `core.ObjectIdentifier.map()` and `core.ObjectIdentifier.unmap()` 319 class methods to map dotted integer unicode strings to user-friendly unicode 320 strings and back 321 - Added various Apple OIDs to `x509.KeyPurposeId` 322 - Fixed a bug parsing nested indefinite-length-encoded values 323 - Fixed a bug with `x509.Certificate.issuer_alt_name_value` if it is the first 324 extension queried 325 - `keys.PublicKeyInfo.bit_size` and `keys.PrivateKeyInfo.bit_size` values are 326 now rounded up to the next closest multiple of 8 327 328## 0.17.1 329 330 - Fix a bug in `x509.URI` parsing IRIs containing explicit port numbers on 331 Python 3.x 332 333## 0.17.0 334 335 - Added `x509.TrustedCertificate` for handling OpenSSL auxiliary certificate 336 information appended after a certificate 337 - Added `core.Concat` class for situations such as `x509.TrustedCertificate` 338 - Allow "broken" X.509 certificates to use `core.IA5String` where an 339 `x509.DirectoryString` should be used instead 340 - Added `keys.PrivateKeyInfo.public_key_info` attribute 341 - Added a bunch of OIDs to `x509.KeyPurposeId` 342 343## 0.16.0 344 345 - Added DH key exchange structures: `algos.KeyExchangeAlgorithm`, 346 `algos.KeyExchangeAlgorithmId` and `algos.DHParameters`. 347 - Added DH public key support to `keys.PublicKeyInfo`, 348 `keys.PublicKeyAlgorithm` and `keys.PublicKeyAlgorithmId`. New structures 349 include `keys.DomainParameters` and `keys.ValidationParms`. 350 351## 0.15.1 352 353 - Fixed `cms.CMSAttributes` to be a `core.SetOf` instead of `core.SequenceOf` 354 - `cms.CMSAttribute` can now parse unknown attribute contrustruct without an 355 exception being raised 356 - `x509.PolicyMapping` now uses `x509.PolicyIdentifier` for field types 357 - Fixed `pdf.RevocationInfoArchival` so that all fields are now of the type 358 `core.SequenceOf` instead of a single value 359 - Added support for the `name_distinguisher`, `telephone_number` and 360 `organization_identifier` OIDs to `x509.Name` 361 - Fixed `x509.Name.native` to not accidentally create nested lists when three 362 of more values for a single type are part of the name 363 - `x509.Name.human_friendly` now reverses the order of fields when the data 364 in an `x509.Name` was encoded in most-specific to least-specific order, which 365 is the opposite of the standard way of least-specific to most-specific. 366 - `x509.NameType.human_friendly` no longer raises an exception when an 367 unknown OID is encountered 368 - Raise a `ValueError` when parsing a `core.Set` and an unknown field is 369 encountered 370 371## 0.15.0 372 373 - Added support for the TLS feature extension from RFC 7633 374 - `x509.Name.build()` now accepts a keyword parameter `use_printable` to force 375 string encoding to be `core.PrintableString` instead of `core.UTF8String` 376 - Added the functions `util.uri_to_iri()` and `util.iri_to_uri()` 377 - Changed `algos.SignedDigestAlgorithmId` to use the preferred OIDs when 378 mapping a unicode string name to an OID. Previously there were multiple OIDs 379 for some algorithms, and different OIDs would sometimes be selected due to 380 the fact that the `_map` `dict` is not ordered. 381 382## 0.14.1 383 384 - Fixed a bug generating `x509.Certificate.sha1_fingerprint` on Python 2 385 386## 0.14.0 387 388 - Added the `x509.Certificate.sha1_fingerprint` attribute 389 390## 0.13.0 391 392 - Backwards compatibility break: the native representation of some 393 `algos.EncryptionAlgorithmId` values changed. `aes128` became `aes128_cbc`, 394 `aes192` became `aes192_cbc` and `aes256` became `aes256_cbc`. 395 - Added more OIDs to `algos.EncryptionAlgorithmId` 396 - Added more OIDs to `cms.KeyEncryptionAlgorithmId` 397 - `x509.Name.human_friendly` now properly supports multiple values per 398 `x509.NameTypeAndValue` object 399 - Added `ocsp.OCSPResponse.basic_ocsp_response` and 400 `ocsp.OCSPResponse.response_data` properties 401 - Added `algos.EncryptionAlgorithm.encryption_mode` property 402 - Fixed a bug with parsing times containing timezone offsets in Python 3 403 - The `attributes` field of `csr.CertificationRequestInfo` is now optional, 404 for compatibility with other ASN.1 parsers 405 406## 0.12.2 407 408 - Correct `core.Sequence.__setitem__()` so set `core.VOID` to an optional 409 field when `None` is set 410 411## 0.12.1 412 413 - Fixed a `unicode`/`bytes` bug with `x509.URI.dump()` on Python 2 414 415## 0.12.0 416 417 - Backwards Compatibility Break: `core.NoValue` was renamed to `core.Void` and 418 a singleton was added as `core.VOID` 419 - 20-30% improvement in parsing performance 420 - `core.Void` now implements `__nonzero__` 421 - `core.Asn1Value.copy()` now performs a deep copy 422 - All `core` value classes are now compatible with the `copy` module 423 - `core.SequenceOf` and `core.SetOf` now implement `__contains__` 424 - Added `x509.Name.__len__()` 425 - Fixed a bug where `core.Choice.validate()` would not properly account for 426 explicit tagging 427 - `core.Choice.load()` now properly passes itself as the spec when parsing 428 - `x509.Certificate.crl_distribution_points` no longer throws an exception if 429 the `DistributionPoint` does not have a value for the `distribution_point` 430 field 431 432## 0.11.1 433 434 - Corrected `core.UTCTime` to interpret year <= 49 as 20xx and >= 50 as 19xx 435 - `keys.PublicKeyInfo.hash_algo` can now handle DSA keys without parameters 436 - Added `crl.CertificateList.sha256` and `crl.CertificateList.sha1` 437 - Fixed `x509.Name.build()` to properly encode `country_name`, `serial_number` 438 and `dn_qualifier` as `core.PrintableString` as specified in RFC 5280, 439 instead of `core.UTF8String` 440 441## 0.11.0 442 443 - Added Python 2.6 support 444 - Added ability to compare primitive type objects 445 - Implemented proper support for internationalized domains, URLs and email 446 addresses in `x509.Certificate` 447 - Comparing `x509.Name` and `x509.GeneralName` objects adheres to RFC 5280 448 - `x509.Certificate.self_signed` and `x509.Certificate.self_issued` no longer 449 require that certificate is for a CA 450 - Fixed `x509.Certificate.valid_domains` to adhere to RFC 6125 451 - Added `x509.Certificate.is_valid_domain_ip()` 452 - Added `x509.Certificate.sha1` and `x509.Certificate.sha256` 453 - Exposed `util.inet_ntop()` and `util.inet_pton()` for IP address encoding 454 - Improved exception messages for improper types to include type's module name 455 456## 0.10.1 457 458 - Fixed bug in `core.Sequence` affecting Python 2.7 and pypy 459 460## 0.10.0 461 462 - Added PEM encoding/decoding functionality 463 - `core.BitString` now uses item access instead of attributes for named bit 464 access 465 - `core.BitString.native` now uses a `set` of unicode strings when `_map` is 466 present 467 - Removed `core.Asn1Value.pprint()` method 468 - Added `core.ParsableOctetString` class 469 - Added `core.ParsableOctetBitString` class 470 - Added `core.Asn1Value.copy()` method 471 - Added `core.Asn1Value.debug()` method 472 - Added `core.SequenceOf.append()` method 473 - Added `core.Sequence.spec()` and `core.SequenceOf.spec()` methods 474 - Added correct IP address parsing to `x509.GeneralName` 475 - `x509.Name` and `x509.GeneralName` are now compared according to rules in 476 RFC 5280 477 - Added convenience attributes to: 478 - `algos.SignedDigestAlgorithm` 479 - `crl.CertificateList` 480 - `crl.RevokedCertificate` 481 - `keys.PublicKeyInfo` 482 - `ocsp.OCSPRequest` 483 - `ocsp.Request` 484 - `ocsp.OCSPResponse` 485 - `ocsp.SingleResponse` 486 - `x509.Certificate` 487 - `x509.Name` 488 - Added `asn1crypto.util` module with the following items: 489 - `int_to_bytes()` 490 - `int_from_bytes()` 491 - `timezone.utc` 492 - Added `setup.py clean` command 493 494## 0.9.0 495 496 - Initial release 497