Log message:
py-cryptography py-cryptography_vectors: updated to 39.0.2

39.0.2
Fixed a bug where the content type header was not properly encoded for PKCS7 \ 
signatures when using the Text option and SMIME encoding.

Log message:
py-cryptography py-cryptography_vectors: updated to 39.0.0

39.0.0 - 2023-01-01

* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.0 has been removed.
  Users on older version of OpenSSL will need to upgrade.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.5. The new
  minimum LibreSSL version is 3.5.0. Going forward our policy is to support
  versions of LibreSSL that are available in versions of OpenBSD that are
  still receiving security support.
* **BACKWARDS INCOMPATIBLE:** Removed the ``encode_point`` and
  ``from_encoded_point`` methods on
  :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`,
  which had been deprecated for several years.
  \ 
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.publ \ 
ic_bytes`
  and
  \ 
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from \ 
_encoded_point`
  should be used instead.
* **BACKWARDS INCOMPATIBLE:** Support for using MD5 or SHA1 in
  :class:`~cryptography.x509.CertificateBuilder`, other X.509 builders, and
  PKCS7 has been removed.
* **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.10 and 10.11, macOS
  users must upgrade to 10.12 or newer.
* **ANNOUNCEMENT:** The next version of ``cryptography`` (40.0) will change
  the way we link OpenSSL. This will only impact users who build
  ``cryptography`` from source (i.e., not from a ``wheel``), and specify their
  own version of OpenSSL. For those users, the ``CFLAGS``, ``LDFLAGS``,
  ``INCLUDE``, ``LIB``, and ``CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS`` environment
  variables will no longer be respected. Instead, users will need to
  configure their builds `as documented here`_.
* Added support for
  :ref:`disabling the legacy provider in OpenSSL 3.0.x<legacy-provider>`.
* Added support for disabling RSA key validation checks when loading RSA
  keys via
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,
  and
  \ 
:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers.private_ \ 
key`.
  This speeds up key loading but is :term:`unsafe` if you are loading potentially
  attacker supplied keys.
* Significantly improved performance for
  :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`
  when repeatedly calling ``encrypt`` or ``decrypt`` with the same key.
* Added support for creating OCSP requests with precomputed hashes using
  :meth:`~cryptography.x509.ocsp.OCSPRequestBuilder.add_certificate_by_hash`.
* Added support for loading multiple PEM-encoded X.509 certificates from
  a single input via :func:`~cryptography.x509.load_pem_x509_certificates`.

Log message:
py-cryptography py-cryptography_vectors: updated to 38.0.4

38.0.4 - 2022-11-27

Fixed compilation when using LibreSSL 3.6.0.
Fixed error when using py2app to build an application with a cryptography dependency.

Log message:
py-cryptography: updated to 38.0.3

38.0.3 - 2022-11-01
~~~~~~~~~~~~~~~~~~~
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.7,
  which resolves *CVE-2022-3602* and *CVE-2022-3786*.

38.0.2 - 2022-10-11
~~~~~~~~~~~~~~~~~~~
This release was subsequently yanked from PyPI due to a regression in OpenSSL.

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.6.

Log message:
python: Special handling of py-cryptography for versioned_dependencies.mk

Log message:
py-cryptography py-cryptography_vectors: updated to 38.0.1

38.0.1
* Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically
  seen in large CRLs).

Log message:
py-cryptography py-cryptography_vectors: updated to 38.0.0

38.0.0 - 2022-09-06
~~~~~~~~~~~~~~~~~~~

* Final deprecation of OpenSSL 1.1.0. The next release of ``cryptography``
  will drop support.
* We no longer ship ``manylinux2010`` wheels. Users should upgrade to the
  latest ``pip`` to ensure this doesn't cause issues downloading wheels on
  their platform. We now ship ``manylinux_2_28`` wheels for users on new
  enough platforms.
* Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0.
  Users with the latest ``pip`` will typically get a wheel and not need Rust
  installed, but check :doc:`/installation` for documentation on installing a
  newer ``rustc`` if required.
* :meth:`~cryptography.fernet.Fernet.decrypt` and related methods now accept
  both ``str`` and ``bytes`` tokens.
* Parsing ``CertificateSigningRequest`` restores the behavior of enforcing
  that the ``Extension`` ``critical`` field must be correctly encoded DER. See
  `the issue <https://github.com/pyca/cryptography/issues/6368>`_ for complete
  details.
* Added two new OpenSSL functions to the bindings to support an upcoming
  ``pyOpenSSL`` release.
* When parsing :class:`~cryptography.x509.CertificateRevocationList` and
  :class:`~cryptography.x509.CertificateSigningRequest` values, it is now
  enforced that the ``version`` value in the input must be valid according to
  the rules of :rfc:`2986` and :rfc:`5280`.
* Using MD5 or SHA1 in :class:`~cryptography.x509.CertificateBuilder` and
  other X.509 builders is deprecated and support will be removed in the next
  version.
* Added additional APIs to
  \ 
:class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp`, \ 
including
  \ 
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.si \ 
gnature_hash_algorithm`,
  \ 
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.si \ 
gnature_algorithm`,
  \ 
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature`, \ 
and
  \ 
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.ex \ 
tension_bytes`.
* Added :attr:`~cryptography.x509.Certificate.tbs_precertificate_bytes`, allowing
  users to access the to-be-signed pre-certificate data needed for signed
  certificate timestamp verification.
* :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC` and
  :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC` now support
  :attr:`~cryptography.hazmat.primitives.kdf.kbkdf.CounterLocation.MiddleFixed`
  counter location.
* Fixed :rfc:`4514` name parsing to reverse the order of the RDNs according
  to the section 2.1 of the RFC, affecting method
  :meth:`~cryptography.x509.Name.from_rfc4514_string`.
* It is now possible to customize some aspects of encryption when serializing
  private keys, using
  \ 
:meth:`~cryptography.hazmat.primitives.serialization.PrivateFormat.encryption_bu \ 
ilder`.
* Removed several legacy symbols from our OpenSSL bindings. Users of pyOpenSSL
  versions older than 22.0 will need to upgrade.
* Added
  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES128` and
  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES256` classes.
  These classes do not replace
  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` (which
  allows all AES key lengths), but are intended for applications where
  developers want to be explicit about key length.

Log message:
py-cryptography: fix Rust build dependency specification

As noted by Robert Swindells on pkgsrc-users@, we should not be directly
specifying lang/rust as a build dependency, as this will prevent builds
where rust-bin is preferred to select it accordingly. All this is
already handled in rust.mk, which is pulled in via cargo.mk.

Log message:
py-cryptography py-cryptography_vectors: updated too 37.0.4

37.0.4 - 2022-07-05
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.5.

37.0.3 - 2022-06-21
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.4.

Log message:
py-cryptography: update to 37.0.2.

Based mostly on work by adam@ in wip.

.. _v37-0-2:

37.0.2 - 2022-05-03
~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.3.
* Added a constant needed for an upcoming pyOpenSSL release.

.. _v37-0-1:

37.0.1 - 2022-04-27
~~~~~~~~~~~~~~~~~~~

* Fixed an issue where parsing an encrypted private key with the public
  loader functions would hang waiting for console input on OpenSSL 3.0.x rather
  than raising an error.
* Restored some legacy symbols for older ``pyOpenSSL`` users. These will be
  removed again in the future, so ``pyOpenSSL`` users should still upgrade
  to the latest version of that package when they upgrade ``cryptography``.

.. _v37-0-0:

37.0.0 - 2022-04-26
~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x and 3.0.x.
  The new minimum LibreSSL version is 3.1+.
* **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier`` methods
  from the public key and private key classes. These methods were originally
  deprecated in version 2.0, but had an extended deprecation timeline due
  to usage. Any remaining users should transition to ``sign`` and ``verify``.
* Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by
  the OpenSSL project. The next release of ``cryptography`` will be the last
  to support compiling with OpenSSL 1.1.0.
* Deprecated Python 3.6 support. Python 3.6 is no longer supported by the
  Python core team. Support for Python 3.6 will be removed in a future
  ``cryptography`` release.
* Deprecated the current minimum supported Rust version (MSRV) of 1.41.0.
  In the next release we will raise MSRV to 1.48.0. Users with the latest
  ``pip`` will typically get a wheel and not need Rust installed, but check
  :doc:`/installation` for documentation on installing a newer ``rustc`` if
  required.
* Deprecated
  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`,
  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`,
  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and
  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish` because
  they are legacy algorithms with extremely low usage. These will be removed
  in a future version of ``cryptography``.
* Added limited support for distinguished names containing a bit string.
* We now ship ``universal2`` wheels on macOS, which contain both ``arm64``
  and ``x86_64`` architectures. Users on macOS should upgrade to the latest
  ``pip`` to ensure they can use this wheel, although we will continue to
  ship ``x86_64`` specific wheels for now to ease the transition.
* This will be the final release for which we ship ``manylinux2010`` wheels.
  Going forward the minimum supported ``manylinux`` ABI for our wheels will
  be ``manylinux2014``. The vast majority of users will continue to receive
  ``manylinux`` wheels provided they have an up to date ``pip``. For PyPy
  wheels this release already requires ``manylinux2014`` for compatibility
  with binaries distributed by upstream.
* Added support for multiple
  :class:`~cryptography.x509.ocsp.OCSPSingleResponse` in a
  :class:`~cryptography.x509.ocsp.OCSPResponse`.
* Restored support for signing certificates and other structures in
  :doc:`/x509/index` with SHA3 hash algorithms.
* :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` is
  disabled in FIPS mode.
* Added support for serialization of PKCS#12 CA friendly names/aliases in
  \ 
:func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_ce \ 
rtificates`
* Added support for 12-15 byte (96 to 120 bit) nonces to
  :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`. This class
  previously supported only 12 byte (96 bit).
* Added support for
  :class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV` when using
  OpenSSL 3.0.0+.
* Added support for serializing PKCS7 structures from a list of
  certificates with
  \ 
:class:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificat \ 
es`.
* Added support for parsing :rfc:`4514` strings with
  :meth:`~cryptography.x509.Name.from_rfc4514_string`.
* Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.AUTO` to
  :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This can
  be used to verify a signature where the salt length is not already known.
* Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.DIGEST_LENGTH`
  to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This
  constant will set the salt length to the same length as the ``PSS`` hash
  algorithm.
* Added support for loading RSA-PSS key types with
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`
  and
  :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`.
  This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a
  normal RSA private key, discarding the PSS constraint information.

.. _v36-0-2:

36.0.2 - 2022-03-15
~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n.

.. _v36-0-1:

36.0.1 - 2021-12-14
~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m.

.. _v36-0-0:

36.0.0 - 2021-11-21
~~~~~~~~~~~~~~~~~~~

* **FINAL DEPRECATION** Support for ``verifier`` and ``signer`` on our
  asymmetric key classes was deprecated in version 2.0. These functions had an
  extended deprecation due to usage, however the next version of
  ``cryptography`` will drop support. Users should migrate to ``sign`` and
  ``verify``.
* The entire :doc:`/x509/index` layer is now written in Rust. This allows
  alternate asymmetric key implementations that can support cloud key
  management services or hardware security modules provided they implement
  the necessary interface (for example:
  :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`).
* :ref:`Deprecated the backend argument<faq-missing-backend>` for all
  functions.
* Added support for
  :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`.
* Added support for iterating over arbitrary request
  :attr:`~cryptography.x509.CertificateSigningRequest.attributes`.
* Deprecated the ``get_attribute_for_oid`` method on
  :class:`~cryptography.x509.CertificateSigningRequest` in favor of
  :meth:`~cryptography.x509.Attributes.get_attribute_for_oid` on the new
  :class:`~cryptography.x509.Attributes` object.
* Fixed handling of PEM files to allow loading when certificate and key are
  in the same file.
* Fixed parsing of :class:`~cryptography.x509.CertificatePolicies` extensions
  containing legacy ``BMPString`` values in their ``explicitText``.
* Allow parsing of negative serial numbers in certificates. Negative serial
  numbers are prohibited by :rfc:`5280` so a deprecation warning will be
  raised whenever they are encountered. A future version of ``cryptography``
  will drop support for parsing them.
* Added support for parsing PKCS12 files with friendly names for all
  certificates with
  :func:`~cryptography.hazmat.primitives.serialization.pkcs12.load_pkcs12`,
  which will return an object of type
  \ 
:class:`~cryptography.hazmat.primitives.serialization.pkcs12.PKCS12KeyAndCertifi \ 
cates`.
* :meth:`~cryptography.x509.Name.rfc4514_string` and related methods now have
  an optional ``attr_name_overrides`` parameter to supply custom OID to name
  mappings, which can be used to match vendor-specific extensions.
* **BACKWARDS INCOMPATIBLE:** Reverted the nonstandard formatting of
  email address fields as ``E`` in
  :meth:`~cryptography.x509.Name.rfc4514_string` methods from version 35.0.

  The previous behavior can be restored with:
  ``name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})``
* Allow
  :class:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey`
  and
  :class:`~cryptography.hazmat.primitives.asymmetric.x448.X448PublicKey` to
  be used as public keys when parsing certificates or creating them with
  :class:`~cryptography.x509.CertificateBuilder`. These key types must be
  signed with a different signing algorithm as ``X25519`` and ``X448`` do
  not support signing.
* Extension values can now be serialized to a DER byte string by calling
  :func:`~cryptography.x509.ExtensionType.public_bytes`.
* Added experimental support for compiling against BoringSSL. As BoringSSL
  does not commit to a stable API, ``cryptography`` tests against the
  latest commit only. Please note that several features are not available
  when building against BoringSSL.
* Parsing ``CertificateSigningRequest`` from DER and PEM now, for a limited
  time period, allows the ``Extension`` ``critical`` field to be incorrectly
  encoded. See `the issue <https://github.com/pyca/cryptography/issues/6368>`_
  for complete details. This will be reverted in a future ``cryptography``
  release.
* When :class:`~cryptography.x509.OCSPNonce` are parsed and generated their
  value is now correctly wrapped in an ASN.1 ``OCTET STRING``. This conforms
  to :rfc:`6960` but conflicts with the original behavior specified in
  :rfc:`2560`. For a temporary period for backwards compatibility, we will
  also parse values that are encoded as specified in :rfc:`2560` but this
  behavior will be removed in a future release.

.. _v35-0-0:

35.0.0 - 2021-09-29
~~~~~~~~~~~~~~~~~~~

* Changed the :ref:`version scheme <api-stability:versioning>`. This will
  result in us incrementing the major version more frequently, but does not
  change our existing backwards compatibility policy.
* **BACKWARDS INCOMPATIBLE:** The :doc:`/x509/index` PEM parsers now require
  that the PEM string passed have PEM delimiters of the correct type. For
  example, parsing a private key PEM concatenated with a certificate PEM will
  no longer be accepted by the PEM certificate parser.
* **BACKWARDS INCOMPATIBLE:** The X.509 certificate parser no longer allows
  negative serial numbers. :rfc:`5280` has always prohibited these.
* **BACKWARDS INCOMPATIBLE:** Additional forms of invalid ASN.1 found during
  :doc:`/x509/index` parsing will raise an error on initial parse rather than
  when the malformed field is accessed.
* Rust is now required for building ``cryptography``, the
  ``CRYPTOGRAPHY_DONT_BUILD_RUST`` environment variable is no longer
  respected.
* Parsers for :doc:`/x509/index` no longer use OpenSSL and have been
  rewritten in Rust. This should be backwards compatible (modulo the items
  listed above) and improve both security and performance.
* Added support for OpenSSL 3.0.0 as a compilation target.
* Added support for
  :class:`~cryptography.hazmat.primitives.hashes.SM3` and
  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SM4`,
  when using OpenSSL 1.1.1. These algorithms are provided for compatibility
  in regions where they may be required, and are not generally recommended.
* We now ship ``manylinux_2_24`` and ``musllinux_1_1`` wheels, in addition to
  our ``manylinux2010`` and ``manylinux2014`` wheels. Users on distributions
  like Alpine Linux should ensure they upgrade to the latest ``pip`` to
  correctly receive wheels.
* Added ``rfc4514_attribute_name`` attribute to :attr:`x509.NameAttribute
  <cryptography.x509.NameAttribute.rfc4514_attribute_name>`.
* Added :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC`.

.. _v3-4-8:

3.4.8 - 2021-08-24
~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
  OpenSSL 1.1.1l.

.. _v3-4-7:

3.4.7 - 2021-03-25
~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
  OpenSSL 1.1.1k.

.. _v3-4-6:

3.4.6 - 2021-02-16
~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
  OpenSSL 1.1.1j.

.. _v3-4-5:

3.4.5 - 2021-02-13
~~~~~~~~~~~~~~~~~~

* Various improvements to type hints.
* Lower the minimum supported Rust version (MSRV) to >=1.41.0. This change
  improves compatibility with system-provided Rust on several Linux
  distributions.
* ``cryptography`` will be switching to a new versioning scheme with its next
  feature release. More information is available in our
  :doc:`/api-stability` documentation.

.. _v3-4-4:

3.4.4 - 2021-02-09
~~~~~~~~~~~~~~~~~~

* Added a ``py.typed`` file so that ``mypy`` will know to use our type
  annotations.
* Fixed an import cycle that could be triggered by certain import sequences.

.. _v3-4-3:

3.4.3 - 2021-02-08
~~~~~~~~~~~~~~~~~~

* Specify our supported Rust version (>=1.45.0) in our ``setup.py`` so users
  on older versions will get a clear error message.

.. _v3-4-2:

3.4.2 - 2021-02-08
~~~~~~~~~~~~~~~~~~

* Improvements to make the rust transition a bit easier. This includes some
  better error messages and small dependency fixes. If you experience
  installation problems **Be sure to update pip** first, then check the
  :doc:`FAQ </faq>`.

.. _v3-4-1:

3.4.1 - 2021-02-07
~~~~~~~~~~~~~~~~~~

* Fixed a circular import issue.
* Added additional debug output to assist users seeing installation errors
  due to outdated ``pip`` or missing ``rustc``.

.. _v3-4:

3.4 - 2021-02-07
~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Support for Python 2 has been removed.
* We now ship ``manylinux2014`` wheels and no longer ship ``manylinux1``
  wheels. Users should upgrade to the latest ``pip`` to ensure this doesn't
  cause issues downloading wheels on their platform.
* ``cryptography`` now incorporates Rust code. Users building ``cryptography``
  themselves will need to have the Rust toolchain installed. Users who use an
  officially produced wheel will not need to make any changes. The minimum
  supported Rust version is 1.45.0.
* ``cryptography`` now has :pep:`484` type hints on nearly all of of its public
  APIs. Users can begin using them to type check their code with ``mypy``.