- Handle RSASSA-PSS in
keys.PrivateKeyInfo.bit_size
andkeys.PublicKeyInfo.bit_size
- Handle RSASSA-PSS in
keys.PrivateKeyInfo.wrap
andkeys.PublicKeyInfo.wrap
- Updated docs for
keys.PrivateKeyInfo.algorithm
andkeys.PublicKeyInfo.algorithm
to reflect that they can return"rsassa_pss"
- Fix
tsp.TimeStampAndCRL
to be acore.Sequence
instead of acore.SequenceOf
via @joernheissler - Added OIDs for Edwards curves from RFC 8410 - via @MatthiasValvekens
- Fixed convenience attributes on
algos.EncryptionAlgorithm
when the algorithm is RC2 via @joernheissler - Added Microsoft OIDs
microsoft_enrollment_csp_provider
(1.3.6.1.4.1.311.13.2.2
),microsoft_os_version
(1.3.6.1.4.1.311.13.2.3
) andmicrosoft_request_client_info
(1.3.6.1.4.1.311.21.20
) tocsr.CSRAttributeType
along with supporting extension structures via @qha - Added Microsoft OID
microsoft_enroll_certtype
(1.3.6.1.4.1.311.20.2
) tox509.ExtensionId
via @qha - Fixed a few bugs with parsing indefinite-length encodings via @davidben
- Added various bounds checks to parsing engine via @davidben
- Fixed a bug with tags not always being minimally encoded via @davidben
- Fixed
cms.RoleSyntax
,cms.SecurityCategory
andcms.AttCertIssuer
to have explicit instead of implicit tagging via @MatthiasValvekens - Fixed tagging of, and default value for fields in
cms.Clearance
via @MatthiasValvekens - Fixed calling
.dump(force=True)
when the value has undefined/unknowncore.Sequence
fields. Previously the value would be truncated, now the existing encoding is preserved. - Added sMIME capabilities (
1.2.840.113549.1.9.15
) support from RFC 2633 tocms.CMSAttribute
via Hellzed
core.ObjectIdentifier
and all derived classes now obey X.660 §7.6 and thus restrict the first arc to 0 to 2, and the second arc to less than 40 if the first arc is 0 or 1. This also fixes parsing of OIDs where the first arc is 2 and the second arc is greater than 39.- Fixed
keys.PublicKeyInfo.bit_size
to return an int rather than a float on Python 3 when working with elliptic curve keys - Fixed the
asn1crypto-tests
sdist on PyPi to work properly to generate a .whl
- Added
encrypt_key_pref
(1.2.840.113549.1.9.16.2.11
) tocms.CMSAttributeType()
, along with related structures - Added Brainpool curves from RFC 5639 to
keys.NamedCurve()
- Fixed
x509.Certificate().subject_directory_attributes_value
- Fixed some incorrectly computed minimum elliptic curve primary key
encoding sizes in
keys.NamedCurve()
- Fixed a
TypeError
when trying to call.untag()
or.copy()
on acore.UTCTime()
orcore.GeneralizedTime()
, or a value containing one, when using Python 2
- Added
asn1crypto.load_order()
, which returns alist
of unicode strings of the names of the fully-qualified module names for all of submodules of the package. The module names are listed in their dependency load order. This is primarily intended for the sake of implementing hot reloading.
- Added User ID (
0.9.2342.19200300.100.1.1
) tox509.NameType()
- Added various EC named curves to
keys.NamedCurve()
- Fix an absolute import in
keys
to a relative import
- Backwards Compatibility Breaks
cms.KeyEncryptionAlgorithmId().native
now returns the value"rsaes_pkcs1v15"
for OID1.2.840.113549.1.1.1
instead of"rsa"
- Removed functionality to calculate public key values from private key
values. Alternatives have been added to oscrypto.
keys.PrivateKeyInfo().unwrap()
is nowoscrypto.asymmetric.PrivateKey().unwrap()
keys.PrivateKeyInfo().public_key
is nowoscrypto.asymmetric.PrivateKey().public_key.unwrap()
keys.PrivateKeyInfo().public_key_info
is nowoscrypto.asymmetric.PrivateKey().public_key.asn1
keys.PrivateKeyInfo().fingerprint
is nowoscrypto.asymmetric.PrivateKey().fingerprint
keys.PublicKeyInfo().unwrap()
is nowoscrypto.asymmetric.PublicKey().unwrap()
keys.PublicKeyInfo().fingerprint
is nowoscrypto.asymmetric.PublicKey().fingerprint
- Enhancements
- Significantly improved parsing of
core.UTCTime()
andcore.GeneralizedTime()
values that include timezones and fractional seconds util.timezone
has a more complete implementationcore.Choice()
may now be constructed by a 2-element tuple or a 1-key dict- Added
x509.Certificate().not_valid_before
andx509.Certificate().not_valid_after
- Added
core.BitString().unused_bits
- Added
keys.NamedCurve.register()
for non-mainstream curve OIDs - No longer try to load optional performance dependency,
libcrypto
, on Mac or Linux ocsp.CertStatus().native
will now return meaningful unicode string values when the status choice is"good"
or"unknown"
. Previously both returnedNone
due to the way the structure was designed.- Add support for explicit RSA SSA PSS (
1.2.840.113549.1.1.10
) tokeys.PublicKeyInfo()
andkeys.PrivateKeyInfo()
- Added structures for nested SHA-256 Windows PE signatures to
cms.CMSAttribute()
- Added RC4 (
1.2.840.113549.3.4
) toalgos.EncryptionAlgorithmId()
- Added secp256k1 (
1.3.132.0.10
) tokeys.NamedCurve()
- Added SHA-3 and SHAKE OIDs to
algos.DigestAlgorithmId()
andalgos.HmacAlgorithmId()
- Added RSA ES OAEP (
1.2.840.113549.1.1.7
) tocms.KeyEncryptionAlgorithmId()
- Add IKE Intermediate (
1.3.6.1.5.5.8.2.2
) tox509.KeyPurposeId()
x509.EmailAddress()
andx509.DNSName()
now handle invalidly-encoded values using tags forcore.PrintableString()
andcore.UTF8String()
- Add parameter structue from RFC 5084 for AES-CCM to
algos.EncryptionAlgorithm()
- Improved robustness of parsing broken
core.Sequence()
andcore.SequenceOf()
values
- Significantly improved parsing of
- Bug Fixes
- Fixed encoding of tag values over 30
core.IntegerBitString()
andcore.IntegerOctetString()
now restrict values to non-negative integers since negative values are not implemented- When copying or dumping a BER-encoded indefinite-length value,
automatically force re-encoding to DER. To ensure all nested values are
always DER-encoded,
.dump(True)
must be called. - Fix
UnboundLocalError
when callingx509.IPAddress().native
on an encoded value that has a length of zero - Fixed passing
class_
via unicode string name tocore.Asn1Value()
- Fixed a bug where EC private keys with leading null bytes would be
encoded in
keys.ECPrivateKey()
more narrowly than RFC 5915 requires - Fixed some edge-case bugs in
util.int_to_bytes()
x509.URI()
now only normalizes values when comparing- Fixed BER-decoding of indefinite length
core.BitString()
- Fixed DER-encoding of empty
core.BitString()
- Fixed a missing return value for
core.Choice().parse()
- Fixed
core.Choice().contents
working when the chosen alternative is acore.Choice()
also - Fixed parsing and encoding of nested
core.Choice()
objects - Fixed a bug causing
core.ObjectIdentifier().native
to sometimes not map the OID
- Packaging
wheel
,sdist
andbdist_egg
releases now all include LICENSE,sdist
includes docs- Added
asn1crypto_tests
package to PyPi
x509.Certificate().self_signed
will no longer return"yes"
under any circumstances. This helps prevent confusion since the library does not verify the signature. Instead a library like oscrypto should be used to confirm if a certificate is self-signed.- Added various OIDs to
x509.KeyPurposeId()
- Added
x509.Certificate().private_key_usage_period_value
- Added structures for parsing common subject directory attributes for
X.509 certificates, including
x509.SubjectDirectoryAttribute()
- Added
algos.AnyAlgorithmIdentifier()
for situations where an algorithm identifier may contain a digest, signed digest or encryption algorithm OID - Fixed a bug with
x509.Certificate().subject_directory_attributes_value
not returning the correct value - Fixed a bug where explicitly-tagged fields in a
core.Sequence()
would not function properly when the field had a default value - Fixed a bug with type checking in
pem.armor()
- Backwards compatibility break: the
tag_type
,explicit_tag
andexplicit_class
attributes oncore.Asn1Value
no longer exist and were replaced by theimplicit
andexplicit
attributes. Field param dicts may use the newexplicit
andimplicit
keys, or the oldtag_type
andtag
keys. The attribute changes will likely to have little to no impact since they were primarily an implementation detail. - Teletex strings used inside of X.509 certificates are now interpreted
using Windows-1252 (a superset of ISO-8859-1). This enables compatibility
with certificates generated by OpenSSL. Strict parsing of Teletex strings
can be retained by using the
x509.strict_teletex()
context manager. - Added support for nested explicit tagging, supporting values that are defined with explicit tagging and then added as a field of another structure using explicit tagging.
- Fixed a
UnicodeDecodeError
when trying to find the (optional) dependency OpenSSL on Python 2 - Fixed
next_update
field ofcrl.TbsCertList
to be optional - Added the
x509.Certificate.sha256_fingerprint
property x509.Certificate.ocsp_urls
andx509.DistributionPoint.url
will now returnhttps://
,ldap://
andldaps://
URLs in addition tohttp://
.- Added CMS Attribute Protection definitions from RFC 6211
- Added OIDs from RFC 6962
- Added
parser.peek()
- Implemented proper support for BER-encoded indefinite length strings of
all kinds -
core.BitString
,core.OctetString
and all of thecore
classes that are natively represented as Python unicode strings - Fixed a bug with encoding LDAP URLs in
x509.URI
- Correct
x509.DNSName
to allow a leading.
, such as when used withx509.NameConstraints
- Fixed an issue with dumping the parsed contents of
core.Any
when explicitly tagged - Custom
setup.py clean
now accepts the short-a
flag for compatibility
- Fixed a regression where explicit tagging of a field containing a
core.Choice
would result in an incorrect header - Fixed a bug where an
IndexError
was being raised instead of aValueError
when a value was truncated to not include enough bytes for the header - Corrected the spec for the
value
field ofpkcs12.Attribute
- Added support for
2.16.840.1.113894.746875.1.1
OID topkcs12.AttributeType
- Added
core.load()
for loading standard, universal types without knowing the spec beforehand - Added a
strict
keyword arg to the variousload()
methods and functions incore
that checks for trailing data and raises aValueError
when found - Added
asn1crypto.parser
submodule withemit()
andparse()
functions for low-level integration - Added
asn1crypto.version
for version introspection without side-effects - Added
algos.DSASignature
- Fixed a bug with the
_header
attribute of explicitly-tagged values only containing the explicit tag header instead of both the explicit tag header and the encapsulated value header
- Added support for year 0
- Added the OID for unique identifier to
x509.NameType
- Fixed a bug creating the native representation of a
core.BitString
with leading null bytes - Added a
.cast()
method to allow converting between different representations of the same data, e.g.core.BitString
andcore.OctetBitString
- Force
algos.DigestAlgorithm
to encodingparameters
asNull
when thealgorithm
issha1
,sha224
,sha256
,sha384
orsha512
per RFC 4055 - Resolved an issue where a BER-encoded indefinite-length value could not be
properly parsed when embedded inside of a
core.Sequence
orcore.Set
- Fix
x509.Name.build()
to properly handle dotted OID type values core.Choice
can now be constructed from a single-elementdict
or a two-elementtuple
to allow for better usability when constructing values from native Python values- All
core
objects can now be passed toprint()
with an exception being raised
- Don't fail importing if
ctypes
or_ctypes
is not available
core.Sequence
will now raise an exception when an unknown field is provided- Prevent
UnicodeDecodeError
on Python 2 when callingcore.OctetString.debug()
- Corrected the default value for the
hash_algorithm
field oftsp.ESSCertIDv2
- Fixed a bug constructing a
cms.SignedData
object - Ensure that specific RSA OIDs are always paired with
parameters
set tocore.Null
- Fixed DER encoding of
core.BitString
when a_map
is specified (i.e. a "named bit list") to omit trailing zero bits. This fixes compliance of variousx509
structures with RFC 5280. - Corrected a side effect in
keys.PrivateKeyInfo.wrap()
that would cause the originalkeys.ECPrivateKey
structure to become corrupt core.IntegerOctetString
now correctly encodes the integer as an unsigned value when converting to bytes. Previously decoding was unsigned, but encoding was signed.- Fix
util.int_from_bytes()
on Python 2 to return0
from an empty byte string
- Allow
_perf
submodule to be removed from source tree when embedding
- Fixed DER encoding of
core.Set
andcore.SetOf
- Fixed a bug in
x509.Name.build()
that could generate invalid DER encoding - Improved exception messages when parsing nested structures via the
.native
attribute algos.SignedDigestAlgorithm
now ensures theparameters
are set toNull
whenalgorithm
issha224_rsa
,sha256_rsa
,sha384_rsa
orsha512_rsa
, per RFC 4055- Corrected the definition of
pdf.AdobeTimestamp
to mark therequires_auth
field as optional - Add support for the OID
1.2.840.113549.1.9.16.2.14
tocms.CMSAttributeType
- Improve attribute support for
cms.AttributeCertificateV2
- Handle
cms.AttributeCertificateV2
when incorrectly tagged ascms.AttributeCertificateV1
incms.CertificateChoices
- Improved general parsing performance by 10-15%
- Add support for Windows XP
- Added
core.ObjectIdentifier.dotted
attribute to always return dotted integer unicode string - Added
core.ObjectIdentifier.map()
andcore.ObjectIdentifier.unmap()
class methods to map dotted integer unicode strings to user-friendly unicode strings and back - Added various Apple OIDs to
x509.KeyPurposeId
- Fixed a bug parsing nested indefinite-length-encoded values
- Fixed a bug with
x509.Certificate.issuer_alt_name_value
if it is the first extension queried keys.PublicKeyInfo.bit_size
andkeys.PrivateKeyInfo.bit_size
values are now rounded up to the next closest multiple of 8
- Fix a bug in
x509.URI
parsing IRIs containing explicit port numbers on Python 3.x
- Added
x509.TrustedCertificate
for handling OpenSSL auxiliary certificate information appended after a certificate - Added
core.Concat
class for situations such asx509.TrustedCertificate
- Allow "broken" X.509 certificates to use
core.IA5String
where anx509.DirectoryString
should be used instead - Added
keys.PrivateKeyInfo.public_key_info
attribute - Added a bunch of OIDs to
x509.KeyPurposeId
- Added DH key exchange structures:
algos.KeyExchangeAlgorithm
,algos.KeyExchangeAlgorithmId
andalgos.DHParameters
. - Added DH public key support to
keys.PublicKeyInfo
,keys.PublicKeyAlgorithm
andkeys.PublicKeyAlgorithmId
. New structures includekeys.DomainParameters
andkeys.ValidationParms
.
- Fixed
cms.CMSAttributes
to be acore.SetOf
instead ofcore.SequenceOf
cms.CMSAttribute
can now parse unknown attribute contrustruct without an exception being raisedx509.PolicyMapping
now usesx509.PolicyIdentifier
for field types- Fixed
pdf.RevocationInfoArchival
so that all fields are now of the typecore.SequenceOf
instead of a single value - Added support for the
name_distinguisher
,telephone_number
andorganization_identifier
OIDs tox509.Name
- Fixed
x509.Name.native
to not accidentally create nested lists when three of more values for a single type are part of the name x509.Name.human_friendly
now reverses the order of fields when the data in anx509.Name
was encoded in most-specific to least-specific order, which is the opposite of the standard way of least-specific to most-specific.x509.NameType.human_friendly
no longer raises an exception when an unknown OID is encountered- Raise a
ValueError
when parsing acore.Set
and an unknown field is encountered
- Added support for the TLS feature extension from RFC 7633
x509.Name.build()
now accepts a keyword parameteruse_printable
to force string encoding to becore.PrintableString
instead ofcore.UTF8String
- Added the functions
util.uri_to_iri()
andutil.iri_to_uri()
- Changed
algos.SignedDigestAlgorithmId
to use the preferred OIDs when mapping a unicode string name to an OID. Previously there were multiple OIDs for some algorithms, and different OIDs would sometimes be selected due to the fact that the_map
dict
is not ordered.
- Fixed a bug generating
x509.Certificate.sha1_fingerprint
on Python 2
- Added the
x509.Certificate.sha1_fingerprint
attribute
- Backwards compatibility break: the native representation of some
algos.EncryptionAlgorithmId
values changed.aes128
becameaes128_cbc
,aes192
becameaes192_cbc
andaes256
becameaes256_cbc
. - Added more OIDs to
algos.EncryptionAlgorithmId
- Added more OIDs to
cms.KeyEncryptionAlgorithmId
x509.Name.human_friendly
now properly supports multiple values perx509.NameTypeAndValue
object- Added
ocsp.OCSPResponse.basic_ocsp_response
andocsp.OCSPResponse.response_data
properties - Added
algos.EncryptionAlgorithm.encryption_mode
property - Fixed a bug with parsing times containing timezone offsets in Python 3
- The
attributes
field ofcsr.CertificationRequestInfo
is now optional, for compatibility with other ASN.1 parsers
- Correct
core.Sequence.__setitem__()
so setcore.VOID
to an optional field whenNone
is set
- Fixed a
unicode
/bytes
bug withx509.URI.dump()
on Python 2
- Backwards Compatibility Break:
core.NoValue
was renamed tocore.Void
and a singleton was added ascore.VOID
- 20-30% improvement in parsing performance
core.Void
now implements__nonzero__
core.Asn1Value.copy()
now performs a deep copy- All
core
value classes are now compatible with thecopy
module core.SequenceOf
andcore.SetOf
now implement__contains__
- Added
x509.Name.__len__()
- Fixed a bug where
core.Choice.validate()
would not properly account for explicit tagging core.Choice.load()
now properly passes itself as the spec when parsingx509.Certificate.crl_distribution_points
no longer throws an exception if theDistributionPoint
does not have a value for thedistribution_point
field
- Corrected
core.UTCTime
to interpret year <= 49 as 20xx and >= 50 as 19xx keys.PublicKeyInfo.hash_algo
can now handle DSA keys without parameters- Added
crl.CertificateList.sha256
andcrl.CertificateList.sha1
- Fixed
x509.Name.build()
to properly encodecountry_name
,serial_number
anddn_qualifier
ascore.PrintableString
as specified in RFC 5280, instead ofcore.UTF8String
- Added Python 2.6 support
- Added ability to compare primitive type objects
- Implemented proper support for internationalized domains, URLs and email
addresses in
x509.Certificate
- Comparing
x509.Name
andx509.GeneralName
objects adheres to RFC 5280 x509.Certificate.self_signed
andx509.Certificate.self_issued
no longer require that certificate is for a CA- Fixed
x509.Certificate.valid_domains
to adhere to RFC 6125 - Added
x509.Certificate.is_valid_domain_ip()
- Added
x509.Certificate.sha1
andx509.Certificate.sha256
- Exposed
util.inet_ntop()
andutil.inet_pton()
for IP address encoding - Improved exception messages for improper types to include type's module name
- Fixed bug in
core.Sequence
affecting Python 2.7 and pypy
- Added PEM encoding/decoding functionality
core.BitString
now uses item access instead of attributes for named bit accesscore.BitString.native
now uses aset
of unicode strings when_map
is present- Removed
core.Asn1Value.pprint()
method - Added
core.ParsableOctetString
class - Added
core.ParsableOctetBitString
class - Added
core.Asn1Value.copy()
method - Added
core.Asn1Value.debug()
method - Added
core.SequenceOf.append()
method - Added
core.Sequence.spec()
andcore.SequenceOf.spec()
methods - Added correct IP address parsing to
x509.GeneralName
x509.Name
andx509.GeneralName
are now compared according to rules in RFC 5280- Added convenience attributes to:
algos.SignedDigestAlgorithm
crl.CertificateList
crl.RevokedCertificate
keys.PublicKeyInfo
ocsp.OCSPRequest
ocsp.Request
ocsp.OCSPResponse
ocsp.SingleResponse
x509.Certificate
x509.Name
- Added
asn1crypto.util
module with the following items:int_to_bytes()
int_from_bytes()
timezone.utc
- Added
setup.py clean
command
- Initial release