# changelog

## 1.4.0

 - `core.ObjectIdentifier` and all derived classes now obey X.660 §7.6 and
   thus restrict the first arc to 0 to 2, and the second arc to less than
   40 if the first arc is 0 or 1. This also fixes parsing of OIDs where the
   first arc is 2 and the second arc is greater than 39.
 - Fixed `keys.PublicKeyInfo.bit_size` to return an int rather than a float
   on Python 3 when working with elliptic curve keys
 - Fixed the `asn1crypto-tests` sdist on PyPI to work properly to generate a
   .whl

## 1.3.0

 - Added `encrypt_key_pref` (`1.2.840.113549.1.9.16.2.11`) to
   `cms.CMSAttributeType()`, along with related structures
 - Added Brainpool curves from RFC 5639 to `keys.NamedCurve()`
 - Fixed `x509.Certificate().subject_directory_attributes_value`
 - Fixed some incorrectly computed minimum elliptic curve primary key
   encoding sizes in `keys.NamedCurve()`
 - Fixed a `TypeError` when trying to call `.untag()` or `.copy()` on a
   `core.UTCTime()` or `core.GeneralizedTime()`, or a value containing one,
   when using Python 2

## 1.2.0

 - Added `asn1crypto.load_order()`, which returns a `list` of unicode strings
   containing the fully-qualified module names of all submodules of
   the package. The module names are listed in their dependency load order.
   This is primarily intended for the sake of implementing hot reloading.

## 1.1.0

 - Added User ID (`0.9.2342.19200300.100.1.1`) to `x509.NameType()`
 - Added various EC named curves to `keys.NamedCurve()`

## 1.0.1

 - Fix an absolute import in `keys` to a relative import

## 1.0.0

 - Backwards Compatibility Breaks
    - `cms.KeyEncryptionAlgorithmId().native` now returns the value
      `"rsaes_pkcs1v15"` for OID `1.2.840.113549.1.1.1` instead of `"rsa"`
    - Removed functionality to calculate public key values from private key
      values. Alternatives have been added to oscrypto.
       - `keys.PrivateKeyInfo().unwrap()` is now
         `oscrypto.asymmetric.PrivateKey().unwrap()`
       - `keys.PrivateKeyInfo().public_key` is now
         `oscrypto.asymmetric.PrivateKey().public_key.unwrap()`
       - `keys.PrivateKeyInfo().public_key_info` is now
         `oscrypto.asymmetric.PrivateKey().public_key.asn1`
       - `keys.PrivateKeyInfo().fingerprint` is now
         `oscrypto.asymmetric.PrivateKey().fingerprint`
       - `keys.PublicKeyInfo().unwrap()` is now
         `oscrypto.asymmetric.PublicKey().unwrap()`
       - `keys.PublicKeyInfo().fingerprint` is now
         `oscrypto.asymmetric.PublicKey().fingerprint`
 - Enhancements
    - Significantly improved parsing of `core.UTCTime()` and
      `core.GeneralizedTime()` values that include timezones and fractional
      seconds
    - `util.timezone` has a more complete implementation
    - `core.Choice()` may now be constructed by a 2-element tuple or a 1-key
      dict
    - Added `x509.Certificate().not_valid_before` and
      `x509.Certificate().not_valid_after`
    - Added `core.BitString().unused_bits`
    - Added `keys.NamedCurve.register()` for non-mainstream curve OIDs
    - No longer try to load optional performance dependency, `libcrypto`,
      on Mac or Linux
    - `ocsp.CertStatus().native` will now return meaningful unicode string
      values when the status choice is `"good"` or `"unknown"`. Previously
      both returned `None` due to the way the structure was designed.
    - Add support for explicit RSA SSA PSS (`1.2.840.113549.1.1.10`) to
      `keys.PublicKeyInfo()` and `keys.PrivateKeyInfo()`
    - Added structures for nested SHA-256 Windows PE signatures to
      `cms.CMSAttribute()`
    - Added RC4 (`1.2.840.113549.3.4`) to `algos.EncryptionAlgorithmId()`
    - Added secp256k1 (`1.3.132.0.10`) to `keys.NamedCurve()`
    - Added SHA-3 and SHAKE OIDs to `algos.DigestAlgorithmId()` and
      `algos.HmacAlgorithmId()`
    - Added RSA ES OAEP (`1.2.840.113549.1.1.7`) to
      `cms.KeyEncryptionAlgorithmId()`
    - Add IKE Intermediate (`1.3.6.1.5.5.8.2.2`) to `x509.KeyPurposeId()`
    - `x509.EmailAddress()` and `x509.DNSName()` now handle invalidly-encoded
      values using tags for `core.PrintableString()` and `core.UTF8String()`
    - Add parameter structure from RFC 5084 for AES-CCM to
      `algos.EncryptionAlgorithm()`
    - Improved robustness of parsing broken `core.Sequence()` and
      `core.SequenceOf()` values
 - Bug Fixes
    - Fixed encoding of tag values over 30
    - `core.IntegerBitString()` and `core.IntegerOctetString()` now restrict
      values to non-negative integers since negative values are not
      implemented
    - When copying or dumping a BER-encoded indefinite-length value,
      automatically force re-encoding to DER. *To ensure all nested values are
      always DER-encoded, `.dump(True)` must be called.*
    - Fix `UnboundLocalError` when calling `x509.IPAddress().native` on an
      encoded value that has a length of zero
    - Fixed passing `class_` via unicode string name to `core.Asn1Value()`
    - Fixed a bug where EC private keys with leading null bytes would be
      encoded in `keys.ECPrivateKey()` more narrowly than RFC 5915 requires
    - Fixed some edge-case bugs in `util.int_to_bytes()`
    - `x509.URI()` now only normalizes values when comparing
    - Fixed BER-decoding of indefinite length `core.BitString()`
    - Fixed DER-encoding of empty `core.BitString()`
    - Fixed a missing return value for `core.Choice().parse()`
    - Fixed `core.Choice().contents` working when the chosen alternative is a
      `core.Choice()` also
    - Fixed parsing and encoding of nested `core.Choice()` objects
    - Fixed a bug causing `core.ObjectIdentifier().native` to sometimes not
      map the OID
 - Packaging
    - `wheel`, `sdist` and `bdist_egg` releases now all include LICENSE,
      `sdist` includes docs
    - Added `asn1crypto_tests` package to PyPI

## 0.24.0

 - `x509.Certificate().self_signed` will no longer return `"yes"` under any
   circumstances. This helps prevent confusion since the library does not
   verify the signature. Instead a library like oscrypto should be used
   to confirm if a certificate is self-signed.
 - Added various OIDs to `x509.KeyPurposeId()`
 - Added `x509.Certificate().private_key_usage_period_value`
 - Added structures for parsing common subject directory attributes for
   X.509 certificates, including `x509.SubjectDirectoryAttribute()`
 - Added `algos.AnyAlgorithmIdentifier()` for situations where an
   algorithm identifier may contain a digest, signed digest or encryption
   algorithm OID
 - Fixed a bug with `x509.Certificate().subject_directory_attributes_value`
   not returning the correct value
 - Fixed a bug where explicitly-tagged fields in a `core.Sequence()` would
   not function properly when the field had a default value
 - Fixed a bug with type checking in `pem.armor()`

## 0.23.0

 - Backwards compatibility break: the `tag_type`, `explicit_tag` and
   `explicit_class` attributes on `core.Asn1Value` no longer exist and were
   replaced by the `implicit` and `explicit` attributes. Field param dicts
   may use the new `explicit` and `implicit` keys, or the old `tag_type` and
   `tag` keys. The attribute changes will likely have little to no impact
   since they were primarily an implementation detail.
 - Teletex strings used inside of X.509 certificates are now interpreted
   using Windows-1252 (a superset of ISO-8859-1). This enables compatibility
   with certificates generated by OpenSSL. Strict parsing of Teletex strings
   can be retained by using the `x509.strict_teletex()` context manager.
 - Added support for nested explicit tagging, supporting values that are
   defined with explicit tagging and then added as a field of another
   structure using explicit tagging.
 - Fixed a `UnicodeDecodeError` when trying to find the (optional) dependency
   OpenSSL on Python 2
 - Fixed `next_update` field of `crl.TbsCertList` to be optional
 - Added the `x509.Certificate.sha256_fingerprint` property
 - `x509.Certificate.ocsp_urls` and `x509.DistributionPoint.url` will now
   return `https://`, `ldap://` and `ldaps://` URLs in addition to `http://`.
 - Added CMS Attribute Protection definitions from RFC 6211
 - Added OIDs from RFC 6962

## 0.22.0

 - Added `parser.peek()`
 - Implemented proper support for BER-encoded indefinite length strings of
   all kinds - `core.BitString`, `core.OctetString` and all of the `core`
   classes that are natively represented as Python unicode strings
 - Fixed a bug with encoding LDAP URLs in `x509.URI`
 - Correct `x509.DNSName` to allow a leading `.`, such as when used with
   `x509.NameConstraints`
 - Fixed an issue with dumping the parsed contents of `core.Any` when
   explicitly tagged
 - Custom `setup.py clean` now accepts the short `-a` flag for compatibility

## 0.21.1

 - Fixed a regression where explicit tagging of a field containing a
   `core.Choice` would result in an incorrect header
 - Fixed a bug where an `IndexError` was being raised instead of a `ValueError`
   when a value was truncated to not include enough bytes for the header
 - Corrected the spec for the `value` field of `pkcs12.Attribute`
 - Added support for `2.16.840.1.113894.746875.1.1` OID to
   `pkcs12.AttributeType`

## 0.21.0

 - Added `core.load()` for loading standard, universal types without knowing
   the spec beforehand
 - Added a `strict` keyword arg to the various `load()` methods and functions in
   `core` that checks for trailing data and raises a `ValueError` when found
 - Added `asn1crypto.parser` submodule with `emit()` and `parse()` functions for
   low-level integration
 - Added `asn1crypto.version` for version introspection without side-effects
 - Added `algos.DSASignature`
 - Fixed a bug with the `_header` attribute of explicitly-tagged values only
   containing the explicit tag header instead of both the explicit tag header
   and the encapsulated value header

## 0.20.0

 - Added support for year 0
 - Added the OID for unique identifier to `x509.NameType`
 - Fixed a bug creating the native representation of a `core.BitString` with
   leading null bytes
 - Added a `.cast()` method to allow converting between different
   representations of the same data, e.g. `core.BitString` and
   `core.OctetBitString`

## 0.19.0

 - Force `algos.DigestAlgorithm` to encode `parameters` as `Null` when the
   `algorithm` is `sha1`, `sha224`, `sha256`, `sha384` or `sha512` per RFC 4055
 - Resolved an issue where a BER-encoded indefinite-length value could not be
   properly parsed when embedded inside of a `core.Sequence` or `core.Set`
 - Fix `x509.Name.build()` to properly handle dotted OID type values
 - `core.Choice` can now be constructed from a single-element `dict` or a
   two-element `tuple` to allow for better usability when constructing values
   from native Python values
 - All `core` objects can now be passed to `print()` with an exception being
   raised

## 0.18.5

 - Don't fail importing if `ctypes` or `_ctypes` is not available

## 0.18.4

 - `core.Sequence` will now raise an exception when an unknown field is provided
 - Prevent `UnicodeDecodeError` on Python 2 when calling
   `core.OctetString.debug()`
 - Corrected the default value for the `hash_algorithm` field of
   `tsp.ESSCertIDv2`
 - Fixed a bug constructing a `cms.SignedData` object
 - Ensure that specific RSA OIDs are always paired with `parameters` set to
   `core.Null`

## 0.18.3

 - Fixed DER encoding of `core.BitString` when a `_map` is specified (i.e. a
   "named bit list") to omit trailing zero bits. This fixes compliance of
   various `x509` structures with RFC 5280.
 - Corrected a side effect in `keys.PrivateKeyInfo.wrap()` that would cause the
   original `keys.ECPrivateKey` structure to become corrupt
 - `core.IntegerOctetString` now correctly encodes the integer as an unsigned
   value when converting to bytes. Previously decoding was unsigned, but
   encoding was signed.
 - Fix `util.int_from_bytes()` on Python 2 to return `0` from an empty byte
   string

## 0.18.2

 - Allow `_perf` submodule to be removed from source tree when embedding

## 0.18.1

 - Fixed DER encoding of `core.Set` and `core.SetOf`
 - Fixed a bug in `x509.Name.build()` that could generate invalid DER encoding
 - Improved exception messages when parsing nested structures via the `.native`
   attribute
 - `algos.SignedDigestAlgorithm` now ensures the `parameters` are set to
   `Null` when `algorithm` is `sha224_rsa`, `sha256_rsa`, `sha384_rsa` or
   `sha512_rsa`, per RFC 4055
 - Corrected the definition of `pdf.AdobeTimestamp` to mark the
   `requires_auth` field as optional
 - Add support for the OID `1.2.840.113549.1.9.16.2.14` to
   `cms.CMSAttributeType`
 - Improve attribute support for `cms.AttributeCertificateV2`
 - Handle `cms.AttributeCertificateV2` when incorrectly tagged as
   `cms.AttributeCertificateV1` in `cms.CertificateChoices`

## 0.18.0

 - Improved general parsing performance by 10-15%
 - Add support for Windows XP
 - Added `core.ObjectIdentifier.dotted` attribute to always return dotted
   integer unicode string
 - Added `core.ObjectIdentifier.map()` and `core.ObjectIdentifier.unmap()`
   class methods to map dotted integer unicode strings to user-friendly unicode
   strings and back
 - Added various Apple OIDs to `x509.KeyPurposeId`
 - Fixed a bug parsing nested indefinite-length-encoded values
 - Fixed a bug with `x509.Certificate.issuer_alt_name_value` if it is the first
   extension queried
 - `keys.PublicKeyInfo.bit_size` and `keys.PrivateKeyInfo.bit_size` values are
   now rounded up to the next closest multiple of 8

## 0.17.1

 - Fix a bug in `x509.URI` parsing IRIs containing explicit port numbers on
   Python 3.x

## 0.17.0

 - Added `x509.TrustedCertificate` for handling OpenSSL auxiliary certificate
   information appended after a certificate
 - Added `core.Concat` class for situations such as `x509.TrustedCertificate`
 - Allow "broken" X.509 certificates to use `core.IA5String` where an
   `x509.DirectoryString` should be used instead
 - Added `keys.PrivateKeyInfo.public_key_info` attribute
 - Added a bunch of OIDs to `x509.KeyPurposeId`

## 0.16.0

 - Added DH key exchange structures: `algos.KeyExchangeAlgorithm`,
   `algos.KeyExchangeAlgorithmId` and `algos.DHParameters`.
 - Added DH public key support to `keys.PublicKeyInfo`,
   `keys.PublicKeyAlgorithm` and `keys.PublicKeyAlgorithmId`. New structures
   include `keys.DomainParameters` and `keys.ValidationParms`.

## 0.15.1

 - Fixed `cms.CMSAttributes` to be a `core.SetOf` instead of `core.SequenceOf`
 - `cms.CMSAttribute` can now parse unknown attribute constructs without an
   exception being raised
 - `x509.PolicyMapping` now uses `x509.PolicyIdentifier` for field types
 - Fixed `pdf.RevocationInfoArchival` so that all fields are now of the type
   `core.SequenceOf` instead of a single value
 - Added support for the `name_distinguisher`, `telephone_number` and
   `organization_identifier` OIDs to `x509.Name`
 - Fixed `x509.Name.native` to not accidentally create nested lists when three
   or more values for a single type are part of the name
 - `x509.Name.human_friendly` now reverses the order of fields when the data
   in an `x509.Name` was encoded in most-specific to least-specific order, which
   is the opposite of the standard way of least-specific to most-specific.
 - `x509.NameType.human_friendly` no longer raises an exception when an
   unknown OID is encountered
 - Raise a `ValueError` when parsing a `core.Set` and an unknown field is
   encountered

## 0.15.0

 - Added support for the TLS feature extension from RFC 7633
 - `x509.Name.build()` now accepts a keyword parameter `use_printable` to force
   string encoding to be `core.PrintableString` instead of `core.UTF8String`
 - Added the functions `util.uri_to_iri()` and `util.iri_to_uri()`
 - Changed `algos.SignedDigestAlgorithmId` to use the preferred OIDs when
   mapping a unicode string name to an OID. Previously there were multiple OIDs
   for some algorithms, and different OIDs would sometimes be selected due to
   the fact that the `_map` `dict` is not ordered.

## 0.14.1

 - Fixed a bug generating `x509.Certificate.sha1_fingerprint` on Python 2

## 0.14.0

 - Added the `x509.Certificate.sha1_fingerprint` attribute

## 0.13.0

 - Backwards compatibility break: the native representation of some
   `algos.EncryptionAlgorithmId` values changed. `aes128` became `aes128_cbc`,
   `aes192` became `aes192_cbc` and `aes256` became `aes256_cbc`.
 - Added more OIDs to `algos.EncryptionAlgorithmId`
 - Added more OIDs to `cms.KeyEncryptionAlgorithmId`
 - `x509.Name.human_friendly` now properly supports multiple values per
   `x509.NameTypeAndValue` object
 - Added `ocsp.OCSPResponse.basic_ocsp_response` and
   `ocsp.OCSPResponse.response_data` properties
 - Added `algos.EncryptionAlgorithm.encryption_mode` property
 - Fixed a bug with parsing times containing timezone offsets in Python 3
 - The `attributes` field of `csr.CertificationRequestInfo` is now optional,
   for compatibility with other ASN.1 parsers

## 0.12.2

 - Correct `core.Sequence.__setitem__()` to set `core.VOID` to an optional
   field when `None` is set

## 0.12.1

 - Fixed a `unicode`/`bytes` bug with `x509.URI.dump()` on Python 2

## 0.12.0

 - Backwards Compatibility Break: `core.NoValue` was renamed to `core.Void` and
   a singleton was added as `core.VOID`
 - 20-30% improvement in parsing performance
 - `core.Void` now implements `__nonzero__`
 - `core.Asn1Value.copy()` now performs a deep copy
 - All `core` value classes are now compatible with the `copy` module
 - `core.SequenceOf` and `core.SetOf` now implement `__contains__`
 - Added `x509.Name.__len__()`
 - Fixed a bug where `core.Choice.validate()` would not properly account for
   explicit tagging
 - `core.Choice.load()` now properly passes itself as the spec when parsing
 - `x509.Certificate.crl_distribution_points` no longer throws an exception if
   the `DistributionPoint` does not have a value for the `distribution_point`
   field

## 0.11.1

 - Corrected `core.UTCTime` to interpret year <= 49 as 20xx and >= 50 as 19xx
 - `keys.PublicKeyInfo.hash_algo` can now handle DSA keys without parameters
 - Added `crl.CertificateList.sha256` and `crl.CertificateList.sha1`
 - Fixed `x509.Name.build()` to properly encode `country_name`, `serial_number`
   and `dn_qualifier` as `core.PrintableString` as specified in RFC 5280,
   instead of `core.UTF8String`

## 0.11.0

 - Added Python 2.6 support
 - Added ability to compare primitive type objects
 - Implemented proper support for internationalized domains, URLs and email
   addresses in `x509.Certificate`
 - Comparing `x509.Name` and `x509.GeneralName` objects adheres to RFC 5280
 - `x509.Certificate.self_signed` and `x509.Certificate.self_issued` no longer
   require that the certificate is for a CA
 - Fixed `x509.Certificate.valid_domains` to adhere to RFC 6125
 - Added `x509.Certificate.is_valid_domain_ip()`
 - Added `x509.Certificate.sha1` and `x509.Certificate.sha256`
 - Exposed `util.inet_ntop()` and `util.inet_pton()` for IP address encoding
 - Improved exception messages for improper types to include type's module name

## 0.10.1

 - Fixed bug in `core.Sequence` affecting Python 2.7 and pypy

## 0.10.0

 - Added PEM encoding/decoding functionality
 - `core.BitString` now uses item access instead of attributes for named bit
   access
 - `core.BitString.native` now uses a `set` of unicode strings when `_map` is
   present
 - Removed `core.Asn1Value.pprint()` method
 - Added `core.ParsableOctetString` class
 - Added `core.ParsableOctetBitString` class
 - Added `core.Asn1Value.copy()` method
 - Added `core.Asn1Value.debug()` method
 - Added `core.SequenceOf.append()` method
 - Added `core.Sequence.spec()` and `core.SequenceOf.spec()` methods
 - Added correct IP address parsing to `x509.GeneralName`
 - `x509.Name` and `x509.GeneralName` are now compared according to rules in
   RFC 5280
 - Added convenience attributes to:
    - `algos.SignedDigestAlgorithm`
    - `crl.CertificateList`
    - `crl.RevokedCertificate`
    - `keys.PublicKeyInfo`
    - `ocsp.OCSPRequest`
    - `ocsp.Request`
    - `ocsp.OCSPResponse`
    - `ocsp.SingleResponse`
    - `x509.Certificate`
    - `x509.Name`
 - Added `asn1crypto.util` module with the following items:
    - `int_to_bytes()`
    - `int_from_bytes()`
    - `timezone.utc`
 - Added `setup.py clean` command

## 0.9.0

 - Initial release
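
The first-arc rule cited in the 1.4.0 entry, worked through as an added example in stand-alone Python 3 (not asn1crypto's own code). The function names are assumptions made for illustration and the sample OIDs are constructed; `naive_first_arcs()` shows the one-octet shortcut that misreads OIDs whose first arc is 2 and second arc is above 39.

```python
def _base128(n):
    """Big-endian base-128 with the high bit set on every octet but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted):
    """Return the content octets (no tag or length) for a dotted OID string."""
    arcs = [int(part) for part in dotted.split(".")]
    if len(arcs) < 2 or any(a < 0 for a in arcs):
        raise ValueError("need at least two non-negative arcs")
    first, second = arcs[0], arcs[1]
    if first > 2:
        raise ValueError("first arc must be 0, 1 or 2")
    if first < 2 and second > 39:
        raise ValueError("second arc must be below 40 when first arc is 0 or 1")
    # The first two arcs share one subidentifier: 40 * first + second.
    subids = [40 * first + second] + arcs[2:]
    return b"".join(_base128(s) for s in subids)


def decode_oid(content):
    """Parse content octets back into a dotted OID string."""
    if not content or content[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    subids, value, at_start = [], 0, True
    for octet in content:
        if at_start and octet == 0x80:
            raise ValueError("subidentifier starts with a 0x80 padding octet")
        value = (value << 7) | (octet & 0x7F)
        at_start = not (octet & 0x80)  # continuation bit clear: value complete
        if at_start:
            subids.append(value)
            value = 0
    # Anything from 80 upwards belongs to first arc 2, however large it is.
    first = min(subids[0] // 40, 2)
    second = subids[0] - 40 * first
    return ".".join(str(a) for a in [first, second] + subids[1:])


def naive_first_arcs(content):
    """Shortcut that treats the first octet alone as the first subidentifier."""
    return divmod(content[0], 40)


if __name__ == "__main__":
    # Constructed samples: rsaEncryption, then an OID under arc 2.999.
    for sample in ("1.2.840.113549.1.1.1", "2.999.3"):
        der = encode_oid(sample)
        print(sample, der.hex(), decode_oid(der), naive_first_arcs(der))
```
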