# changelog

## 1.4.0

 - `core.ObjectIdentifier` and all derived classes now obey X.660 §7.6 and
   thus restrict the first arc to 0 to 2, and the second arc to less than
   40 if the first arc is 0 or 1. This also fixes parsing of OIDs where the
   first arc is 2 and the second arc is greater than 39.
 - Fixed `keys.PublicKeyInfo.bit_size` to return an int rather than a float
   on Python 3 when working with elliptic curve keys
 - Fixed the `asn1crypto-tests` sdist on PyPI to work properly to generate a
   .whl
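
Added illustration of the arc rule in the first 1.4.0 entry; it is not asn1crypto code and not part of the project's changelog. The helpers `encode_oid`, `decode_oid` and `naive_decode_oid` are hypothetical names: BER/DER packs the first two arcs into one subidentifier as `40 * arc1 + arc2`, so a decoder that ignores the arc limits misreads OIDs such as `2.999.3`.

```python
# Added example; encode_oid, decode_oid and naive_decode_oid are hypothetical
# helpers written for this note, not asn1crypto functions.

def _subidentifiers(content):
    """Split OID content octets into base-128 subidentifiers."""
    subids, value, pending = [], 0, False
    for byte in bytearray(content):
        if not pending and byte == 0x80:
            raise ValueError("subidentifier starts with a padding 0x80 octet")
        value = (value << 7) | (byte & 0x7F)
        pending = bool(byte & 0x80)
        if not pending:
            subids.append(value)
            value = 0
    if pending or not subids:
        raise ValueError("empty or truncated OID")
    return subids


def decode_oid(content):
    """Decode OID content octets to dotted form, honouring the arc limits."""
    subids = _subidentifiers(content)
    first = subids[0]
    # The first subidentifier carries 40 * arc1 + arc2. Because arc2 < 40 when
    # arc1 is 0 or 1, any value of 80 or more must belong to arc1 == 2.
    arc1 = min(first // 40, 2)
    arcs = [arc1, first - 40 * arc1] + subids[1:]
    return ".".join(str(arc) for arc in arcs)


def naive_decode_oid(content):
    """Decoder that ignores the arc limits; shown only for comparison."""
    subids = _subidentifiers(content)
    arcs = list(divmod(subids[0], 40)) + subids[1:]
    return ".".join(str(arc) for arc in arcs)


def encode_oid(dotted):
    """Encode a dotted OID, rejecting arcs the rule forbids."""
    arcs = [int(part) for part in dotted.split(".")]
    if len(arcs) < 2 or min(arcs) < 0:
        raise ValueError("need at least two non-negative arcs")
    if arcs[0] > 2:
        raise ValueError("first arc must be 0, 1 or 2")
    if arcs[0] < 2 and arcs[1] >= 40:
        raise ValueError("second arc must be < 40 when first arc is 0 or 1")
    out = bytearray()
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        septets = [value & 0x7F]
        value >>= 7
        while value:
            septets.append(0x80 | (value & 0x7F))
            value >>= 7
        out.extend(reversed(septets))
    return bytes(out)


# Constructed sample: 2.999.3 has a second arc above 39.
SAMPLE = encode_oid("2.999.3")
assert decode_oid(SAMPLE) == "2.999.3"
assert naive_decode_oid(SAMPLE) == "26.39.3"
```

Two parsers that disagree on the same octets, as the two decoders above do, will also disagree on which algorithm, extension or policy an OID names, which is why the limits matter when OIDs drive security decisions.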

## 1.3.0

 - Added `encrypt_key_pref` (`1.2.840.113549.1.9.16.2.11`) to
   `cms.CMSAttributeType()`, along with related structures
 - Added Brainpool curves from RFC 5639 to `keys.NamedCurve()`
 - Fixed `x509.Certificate().subject_directory_attributes_value`
 - Fixed some incorrectly computed minimum elliptic curve primary key
   encoding sizes in `keys.NamedCurve()`
 - Fixed a `TypeError` when trying to call `.untag()` or `.copy()` on a
   `core.UTCTime()` or `core.GeneralizedTime()`, or a value containing one,
   when using Python 2

## 1.2.0

 - Added `asn1crypto.load_order()`, which returns a `list` of unicode strings
   containing the fully-qualified module names of all of the package's
   submodules. The module names are listed in their dependency load order.
   This is primarily intended for the sake of implementing hot reloading.

## 1.1.0

 - Added User ID (`0.9.2342.19200300.100.1.1`) to `x509.NameType()`
 - Added various EC named curves to `keys.NamedCurve()`

## 1.0.1

 - Fix an absolute import in `keys` to a relative import

## 1.0.0

 - Backwards Compatibility Breaks
    - `cms.KeyEncryptionAlgorithmId().native` now returns the value
      `"rsaes_pkcs1v15"` for OID `1.2.840.113549.1.1.1` instead of `"rsa"`
    - Removed functionality to calculate public key values from private key
      values. Alternatives have been added to oscrypto.
       - `keys.PrivateKeyInfo().unwrap()` is now
         `oscrypto.asymmetric.PrivateKey().unwrap()`
       - `keys.PrivateKeyInfo().public_key` is now
         `oscrypto.asymmetric.PrivateKey().public_key.unwrap()`
       - `keys.PrivateKeyInfo().public_key_info` is now
         `oscrypto.asymmetric.PrivateKey().public_key.asn1`
       - `keys.PrivateKeyInfo().fingerprint` is now
         `oscrypto.asymmetric.PrivateKey().fingerprint`
       - `keys.PublicKeyInfo().unwrap()` is now
         `oscrypto.asymmetric.PublicKey().unwrap()`
       - `keys.PublicKeyInfo().fingerprint` is now
         `oscrypto.asymmetric.PublicKey().fingerprint`
 - Enhancements
    - Significantly improved parsing of `core.UTCTime()` and
      `core.GeneralizedTime()` values that include timezones and fractional
      seconds
    - `util.timezone` has a more complete implementation
    - `core.Choice()` may now be constructed by a 2-element tuple or a 1-key
      dict
    - Added `x509.Certificate().not_valid_before` and
      `x509.Certificate().not_valid_after`
    - Added `core.BitString().unused_bits`
    - Added `keys.NamedCurve.register()` for non-mainstream curve OIDs
    - No longer try to load optional performance dependency, `libcrypto`,
      on Mac or Linux
    - `ocsp.CertStatus().native` will now return meaningful unicode string
      values when the status choice is `"good"` or `"unknown"`. Previously
      both returned `None` due to the way the structure was designed.
    - Add support for explicit RSA SSA PSS (`1.2.840.113549.1.1.10`) to
      `keys.PublicKeyInfo()` and `keys.PrivateKeyInfo()`
    - Added structures for nested SHA-256 Windows PE signatures to
      `cms.CMSAttribute()`
    - Added RC4 (`1.2.840.113549.3.4`) to `algos.EncryptionAlgorithmId()`
    - Added secp256k1 (`1.3.132.0.10`) to `keys.NamedCurve()`
    - Added SHA-3 and SHAKE OIDs to `algos.DigestAlgorithmId()` and
      `algos.HmacAlgorithmId()`
    - Added RSA ES OAEP (`1.2.840.113549.1.1.7`) to
      `cms.KeyEncryptionAlgorithmId()`
    - Add IKE Intermediate (`1.3.6.1.5.5.8.2.2`) to `x509.KeyPurposeId()`
    - `x509.EmailAddress()` and `x509.DNSName()` now handle invalidly-encoded
      values using tags for `core.PrintableString()` and `core.UTF8String()`
    - Add parameter structure from RFC 5084 for AES-CCM to
      `algos.EncryptionAlgorithm()`
    - Improved robustness of parsing broken `core.Sequence()` and
      `core.SequenceOf()` values
 - Bug Fixes
    - Fixed encoding of tag values over 30
    - `core.IntegerBitString()` and `core.IntegerOctetString()` now restrict
      values to non-negative integers since negative values are not
      implemented
    - When copying or dumping a BER-encoded indefinite-length value,
      automatically force re-encoding to DER. *To ensure all nested values are
      always DER-encoded, `.dump(True)` must be called.*
    - Fix `UnboundLocalError` when calling `x509.IPAddress().native` on an
      encoded value that has a length of zero
    - Fixed passing `class_` via unicode string name to `core.Asn1Value()`
    - Fixed a bug where EC private keys with leading null bytes would be
      encoded in `keys.ECPrivateKey()` more narrowly than RFC 5915 requires
    - Fixed some edge-case bugs in `util.int_to_bytes()`
    - `x509.URI()` now only normalizes values when comparing
    - Fixed BER-decoding of indefinite length `core.BitString()`
    - Fixed DER-encoding of empty `core.BitString()`
    - Fixed a missing return value for `core.Choice().parse()`
    - Fixed `core.Choice().contents` working when the chosen alternative is a
      `core.Choice()` also
    - Fixed parsing and encoding of nested `core.Choice()` objects
    - Fixed a bug causing `core.ObjectIdentifier().native` to sometimes not
      map the OID
 - Packaging
    - `wheel`, `sdist` and `bdist_egg` releases now all include LICENSE,
      `sdist` includes docs
    - Added `asn1crypto_tests` package to PyPI

## 0.24.0

 - `x509.Certificate().self_signed` will no longer return `"yes"` under any
   circumstances. This helps prevent confusion since the library does not
   verify the signature. Instead a library like oscrypto should be used
   to confirm if a certificate is self-signed.
 - Added various OIDs to `x509.KeyPurposeId()`
 - Added `x509.Certificate().private_key_usage_period_value`
 - Added structures for parsing common subject directory attributes for
   X.509 certificates, including `x509.SubjectDirectoryAttribute()`
 - Added `algos.AnyAlgorithmIdentifier()` for situations where an
   algorithm identifier may contain a digest, signed digest or encryption
   algorithm OID
 - Fixed a bug with `x509.Certificate().subject_directory_attributes_value`
   not returning the correct value
 - Fixed a bug where explicitly-tagged fields in a `core.Sequence()` would
   not function properly when the field had a default value
 - Fixed a bug with type checking in `pem.armor()`

## 0.23.0

 - Backwards compatibility break: the `tag_type`, `explicit_tag` and
   `explicit_class` attributes on `core.Asn1Value` no longer exist and were
   replaced by the `implicit` and `explicit` attributes. Field param dicts
   may use the new `explicit` and `implicit` keys, or the old `tag_type` and
   `tag` keys. The attribute changes will likely have little to no impact
   since they were primarily an implementation detail.
 - Teletex strings used inside of X.509 certificates are now interpreted
   using Windows-1252 (a superset of ISO-8859-1). This enables compatibility
   with certificates generated by OpenSSL. Strict parsing of Teletex strings
   can be retained by using the `x509.strict_teletex()` context manager.
 - Added support for nested explicit tagging, supporting values that are
   defined with explicit tagging and then added as a field of another
   structure using explicit tagging.
 - Fixed a `UnicodeDecodeError` when trying to find the (optional) dependency
   OpenSSL on Python 2
 - Fixed `next_update` field of `crl.TbsCertList` to be optional
 - Added the `x509.Certificate.sha256_fingerprint` property
 - `x509.Certificate.ocsp_urls` and `x509.DistributionPoint.url` will now
   return `https://`, `ldap://` and `ldaps://` URLs in addition to `http://`.
 - Added CMS Attribute Protection definitions from RFC 6211
 - Added OIDs from RFC 6962

## 0.22.0

 - Added `parser.peek()`
 - Implemented proper support for BER-encoded indefinite length strings of
   all kinds - `core.BitString`, `core.OctetString` and all of the `core`
   classes that are natively represented as Python unicode strings
 - Fixed a bug with encoding LDAP URLs in `x509.URI`
 - Correct `x509.DNSName` to allow a leading `.`, such as when used with
   `x509.NameConstraints`
 - Fixed an issue with dumping the parsed contents of `core.Any` when
   explicitly tagged
 - Custom `setup.py clean` now accepts the short `-a` flag for compatibility

## 0.21.1

 - Fixed a regression where explicit tagging of a field containing a
   `core.Choice` would result in an incorrect header
 - Fixed a bug where an `IndexError` was being raised instead of a `ValueError`
   when a value was truncated to not include enough bytes for the header
 - Corrected the spec for the `value` field of `pkcs12.Attribute`
 - Added support for `2.16.840.1.113894.746875.1.1` OID to
   `pkcs12.AttributeType`

## 0.21.0

 - Added `core.load()` for loading standard, universal types without knowing
   the spec beforehand
 - Added a `strict` keyword arg to the various `load()` methods and functions in
   `core` that checks for trailing data and raises a `ValueError` when found
 - Added `asn1crypto.parser` submodule with `emit()` and `parse()` functions for
   low-level integration
 - Added `asn1crypto.version` for version introspection without side-effects
 - Added `algos.DSASignature`
 - Fixed a bug with the `_header` attribute of explicitly-tagged values only
   containing the explicit tag header instead of both the explicit tag header
   and the encapsulated value header

## 0.20.0

 - Added support for year 0
 - Added the OID for unique identifier to `x509.NameType`
 - Fixed a bug creating the native representation of a `core.BitString` with
   leading null bytes
 - Added a `.cast()` method to allow converting between different
   representations of the same data, e.g. `core.BitString` and
   `core.OctetBitString`

## 0.19.0

 - Force `algos.DigestAlgorithm` to encode `parameters` as `Null` when the
   `algorithm` is `sha1`, `sha224`, `sha256`, `sha384` or `sha512` per RFC 4055
 - Resolved an issue where a BER-encoded indefinite-length value could not be
   properly parsed when embedded inside of a `core.Sequence` or `core.Set`
 - Fix `x509.Name.build()` to properly handle dotted OID type values
 - `core.Choice` can now be constructed from a single-element `dict` or a
   two-element `tuple` to allow for better usability when constructing values
   from native Python values
 - All `core` objects can now be passed to `print()` without an exception being
   raised

## 0.18.5

 - Don't fail importing if `ctypes` or `_ctypes` is not available

## 0.18.4

 - `core.Sequence` will now raise an exception when an unknown field is provided
 - Prevent `UnicodeDecodeError` on Python 2 when calling
   `core.OctetString.debug()`
 - Corrected the default value for the `hash_algorithm` field of
   `tsp.ESSCertIDv2`
 - Fixed a bug constructing a `cms.SignedData` object
 - Ensure that specific RSA OIDs are always paired with `parameters` set to
   `core.Null`

## 0.18.3

 - Fixed DER encoding of `core.BitString` when a `_map` is specified (i.e. a
   "named bit list") to omit trailing zero bits. This fixes compliance of
   various `x509` structures with RFC 5280.
 - Corrected a side effect in `keys.PrivateKeyInfo.wrap()` that would cause the
   original `keys.ECPrivateKey` structure to become corrupt
 - `core.IntegerOctetString` now correctly encodes the integer as an unsigned
   value when converting to bytes. Previously decoding was unsigned, but
   encoding was signed.
 - Fix `util.int_from_bytes()` on Python 2 to return `0` from an empty byte
   string

## 0.18.2

 - Allow `_perf` submodule to be removed from source tree when embedding

## 0.18.1

 - Fixed DER encoding of `core.Set` and `core.SetOf`
 - Fixed a bug in `x509.Name.build()` that could generate invalid DER encoding
 - Improved exception messages when parsing nested structures via the `.native`
   attribute
 - `algos.SignedDigestAlgorithm` now ensures the `parameters` are set to
   `Null` when `algorithm` is `sha224_rsa`, `sha256_rsa`, `sha384_rsa` or
   `sha512_rsa`, per RFC 4055
 - Corrected the definition of `pdf.AdobeTimestamp` to mark the
   `requires_auth` field as optional
 - Add support for the OID `1.2.840.113549.1.9.16.2.14` to
   `cms.CMSAttributeType`
 - Improve attribute support for `cms.AttributeCertificateV2`
 - Handle `cms.AttributeCertificateV2` when incorrectly tagged as
   `cms.AttributeCertificateV1` in `cms.CertificateChoices`

## 0.18.0

 - Improved general parsing performance by 10-15%
 - Add support for Windows XP
 - Added `core.ObjectIdentifier.dotted` attribute to always return dotted
   integer unicode string
 - Added `core.ObjectIdentifier.map()` and `core.ObjectIdentifier.unmap()`
   class methods to map dotted integer unicode strings to user-friendly unicode
   strings and back
 - Added various Apple OIDs to `x509.KeyPurposeId`
 - Fixed a bug parsing nested indefinite-length-encoded values
 - Fixed a bug with `x509.Certificate.issuer_alt_name_value` if it is the first
   extension queried
 - `keys.PublicKeyInfo.bit_size` and `keys.PrivateKeyInfo.bit_size` values are
   now rounded up to the next closest multiple of 8

## 0.17.1

 - Fix a bug in `x509.URI` parsing IRIs containing explicit port numbers on
   Python 3.x

## 0.17.0

 - Added `x509.TrustedCertificate` for handling OpenSSL auxiliary certificate
   information appended after a certificate
 - Added `core.Concat` class for situations such as `x509.TrustedCertificate`
 - Allow "broken" X.509 certificates to use `core.IA5String` where an
   `x509.DirectoryString` should be used instead
 - Added `keys.PrivateKeyInfo.public_key_info` attribute
 - Added a bunch of OIDs to `x509.KeyPurposeId`

## 0.16.0

 - Added DH key exchange structures: `algos.KeyExchangeAlgorithm`,
   `algos.KeyExchangeAlgorithmId` and `algos.DHParameters`.
 - Added DH public key support to `keys.PublicKeyInfo`,
   `keys.PublicKeyAlgorithm` and `keys.PublicKeyAlgorithmId`. New structures
   include `keys.DomainParameters` and `keys.ValidationParms`.

## 0.15.1

 - Fixed `cms.CMSAttributes` to be a `core.SetOf` instead of `core.SequenceOf`
 - `cms.CMSAttribute` can now parse unknown attribute constructs without an
   exception being raised
 - `x509.PolicyMapping` now uses `x509.PolicyIdentifier` for field types
 - Fixed `pdf.RevocationInfoArchival` so that all fields are now of the type
   `core.SequenceOf` instead of a single value
 - Added support for the `name_distinguisher`, `telephone_number` and
   `organization_identifier` OIDs to `x509.Name`
 - Fixed `x509.Name.native` to not accidentally create nested lists when three
   or more values for a single type are part of the name
 - `x509.Name.human_friendly` now reverses the order of fields when the data
   in an `x509.Name` was encoded in most-specific to least-specific order, which
   is the opposite of the standard way of least-specific to most-specific.
 - `x509.NameType.human_friendly` no longer raises an exception when an
   unknown OID is encountered
 - Raise a `ValueError` when parsing a `core.Set` and an unknown field is
   encountered

## 0.15.0

 - Added support for the TLS feature extension from RFC 7633
 - `x509.Name.build()` now accepts a keyword parameter `use_printable` to force
   string encoding to be `core.PrintableString` instead of `core.UTF8String`
 - Added the functions `util.uri_to_iri()` and `util.iri_to_uri()`
 - Changed `algos.SignedDigestAlgorithmId` to use the preferred OIDs when
   mapping a unicode string name to an OID. Previously there were multiple OIDs
   for some algorithms, and different OIDs would sometimes be selected due to
   the fact that the `_map` `dict` is not ordered.

## 0.14.1

 - Fixed a bug generating `x509.Certificate.sha1_fingerprint` on Python 2

## 0.14.0

 - Added the `x509.Certificate.sha1_fingerprint` attribute

## 0.13.0

 - Backwards compatibility break: the native representation of some
   `algos.EncryptionAlgorithmId` values changed. `aes128` became `aes128_cbc`,
   `aes192` became `aes192_cbc` and `aes256` became `aes256_cbc`.
 - Added more OIDs to `algos.EncryptionAlgorithmId`
 - Added more OIDs to `cms.KeyEncryptionAlgorithmId`
 - `x509.Name.human_friendly` now properly supports multiple values per
   `x509.NameTypeAndValue` object
 - Added `ocsp.OCSPResponse.basic_ocsp_response` and
   `ocsp.OCSPResponse.response_data` properties
 - Added `algos.EncryptionAlgorithm.encryption_mode` property
 - Fixed a bug with parsing times containing timezone offsets in Python 3
 - The `attributes` field of `csr.CertificationRequestInfo` is now optional,
   for compatibility with other ASN.1 parsers

## 0.12.2

 - Correct `core.Sequence.__setitem__()` to set `core.VOID` to an optional
   field when `None` is set

## 0.12.1

 - Fixed a `unicode`/`bytes` bug with `x509.URI.dump()` on Python 2

## 0.12.0

 - Backwards Compatibility Break: `core.NoValue` was renamed to `core.Void` and
   a singleton was added as `core.VOID`
 - 20-30% improvement in parsing performance
 - `core.Void` now implements `__nonzero__`
 - `core.Asn1Value.copy()` now performs a deep copy
 - All `core` value classes are now compatible with the `copy` module
 - `core.SequenceOf` and `core.SetOf` now implement `__contains__`
 - Added `x509.Name.__len__()`
 - Fixed a bug where `core.Choice.validate()` would not properly account for
   explicit tagging
 - `core.Choice.load()` now properly passes itself as the spec when parsing
 - `x509.Certificate.crl_distribution_points` no longer throws an exception if
   the `DistributionPoint` does not have a value for the `distribution_point`
   field

## 0.11.1

 - Corrected `core.UTCTime` to interpret year <= 49 as 20xx and >= 50 as 19xx
 - `keys.PublicKeyInfo.hash_algo` can now handle DSA keys without parameters
 - Added `crl.CertificateList.sha256` and `crl.CertificateList.sha1`
 - Fixed `x509.Name.build()` to properly encode `country_name`, `serial_number`
   and `dn_qualifier` as `core.PrintableString` as specified in RFC 5280,
   instead of `core.UTF8String`

## 0.11.0

 - Added Python 2.6 support
 - Added ability to compare primitive type objects
 - Implemented proper support for internationalized domains, URLs and email
   addresses in `x509.Certificate`
 - Comparing `x509.Name` and `x509.GeneralName` objects adheres to RFC 5280
 - `x509.Certificate.self_signed` and `x509.Certificate.self_issued` no longer
   require that the certificate is for a CA
 - Fixed `x509.Certificate.valid_domains` to adhere to RFC 6125
 - Added `x509.Certificate.is_valid_domain_ip()`
 - Added `x509.Certificate.sha1` and `x509.Certificate.sha256`
 - Exposed `util.inet_ntop()` and `util.inet_pton()` for IP address encoding
 - Improved exception messages for improper types to include type's module name

## 0.10.1

 - Fixed bug in `core.Sequence` affecting Python 2.7 and pypy

## 0.10.0

 - Added PEM encoding/decoding functionality
 - `core.BitString` now uses item access instead of attributes for named bit
   access
 - `core.BitString.native` now uses a `set` of unicode strings when `_map` is
   present
 - Removed `core.Asn1Value.pprint()` method
 - Added `core.ParsableOctetString` class
 - Added `core.ParsableOctetBitString` class
 - Added `core.Asn1Value.copy()` method
 - Added `core.Asn1Value.debug()` method
 - Added `core.SequenceOf.append()` method
 - Added `core.Sequence.spec()` and `core.SequenceOf.spec()` methods
 - Added correct IP address parsing to `x509.GeneralName`
 - `x509.Name` and `x509.GeneralName` are now compared according to rules in
   RFC 5280
 - Added convenience attributes to:
   - `algos.SignedDigestAlgorithm`
   - `crl.CertificateList`
   - `crl.RevokedCertificate`
   - `keys.PublicKeyInfo`
   - `ocsp.OCSPRequest`
   - `ocsp.Request`
   - `ocsp.OCSPResponse`
   - `ocsp.SingleResponse`
   - `x509.Certificate`
   - `x509.Name`
 - Added `asn1crypto.util` module with the following items:
   - `int_to_bytes()`
   - `int_from_bytes()`
   - `timezone.utc`
 - Added `setup.py clean` command

## 0.9.0

 - Initial release