./security/py-cryptography, Cryptographic recipes and primitives for Python

Branch: CURRENT, Version: 48.0.0, Package name: py313-cryptography-48.0.0, Maintainer: pkgsrc-users

cryptography is a package designed to expose cryptographic recipes
and primitives to Python developers. Our goal is for it to be your
"cryptographic standard library".

cryptography includes both high level recipes, and low level
interfaces to common cryptographic algorithms such as symmetric
ciphers, message digests and key derivation functions.


Required to run:
[security/openssl] [devel/py-setuptools] [devel/py-cffi] [devel/py-cparser] [lang/py-six] [www/py-idna] [security/py-asn1crypto] [lang/python37]

Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 813.461 KB

CVS history:

   2026-05-13 00:02:05 by Thomas Klausner | Files touched by this commit (1)
Log message:
py-cryptography requires openssl3, make it so

PR 60255 by riastradh
   2026-05-08 12:03:20 by Adam Ciarcinski | Files touched by this commit (5) | Package updated
Log message:
py-cryptography py-cryptography_vectors: updated to 48.0.0

48.0.0 - 2026-05-04

* **BACKWARDS INCOMPATIBLE:** Support for Python 3.8 has been removed.
  ``cryptography`` now requires Python 3.9 or later.
* **BACKWARDS INCOMPATIBLE:** Loading an X.509 CRL whose inner
  ``TBSCertList.signature`` algorithm does not match the outer
  ``signatureAlgorithm`` now raises ``ValueError``. Previously, such CRLs
  were parsed successfully and only rejected during signature validation.
* Added support for :doc:`/hazmat/primitives/asymmetric/mlkem` and
  :doc:`/hazmat/primitives/asymmetric/mldsa` when using OpenSSL 3.5.0 or
  later, in addition to the existing AWS-LC and BoringSSL support. This means
  post-quantum algorithms are now available to users of our wheels.

  * **Note:** Going forward, we do not guarantee that all functionality
    in ``cryptography`` will be available when building against
    OpenSSL. See :doc:`/statements/state-of-openssl` for more information.
   2026-04-26 11:01:43 by Adam Ciarcinski | Files touched by this commit (8) | Package updated
Log message:
py-cryptography py-cryptography_vectors: updated to 47.0.0

47.0.0 - 2026-04-24

* Support for Python 3.8 is deprecated and will be removed in the next
  cryptography release.
* BACKWARDS INCOMPATIBLE: Support for binary elliptic curves (SECT* classes)
  has been removed. These curves are rarely used and have additional security
  considerations that make them undesirable.
* BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.x has been removed. OpenSSL
  3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC continue to
  be supported.
* BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 4.1.
* BACKWARDS INCOMPATIBLE: Loading keys with unsupported algorithms or keys
  with unsupported explicit curve encodings now raises
  :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of
  ValueError. This change affects
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`,
  and :meth:`~cryptography.x509.Certificate.public_key` when called on
  certificates with unsupported public key algorithms.
* BACKWARDS INCOMPATIBLE: When parsing elliptic curve private keys, we now
  reject keys that incorrectly encode a private key of the wrong length
  because such keys are impossible to process in a constant-time manner. We
  do not believe keys with this problem are in wide use, however we may
  revert this change based on the feedback we receive.
* Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys to
  :class:`~cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES`. In a
  future release, only 192-bit (24-byte) keys will be accepted. Users should
  expand shorter keys themselves (e.g., for single DES: key + key + key, for
  two-key: key + key[:8]).
* Updated the minimum supported Rust version (MSRV) to 1.83.0, from 1.74.0.
* Support for x86_64 macOS (including publishing wheels) is deprecated and
  will be removed in the next release. We will switch to publishing an arm64
  only wheel for macOS.
* Support for 32-bit Windows (including publishing wheels) is deprecated and
  will be removed in the next release. Users should move to a 64-bit Python
  installation.
* public_bytes and private_bytes methods on keys now raise TypeError (instead
  of ValueError) if an invalid encoding is provided for the given format.
* Moved :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB`,
  :class:`~cryptography.hazmat.decrepit.ciphers.modes.OFB`, and
  :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB8` into
  :doc:`/hazmat/decrepit/index` and deprecated them in the modes module. They
  will be removed from the modes module in 49.0.0.
* Moved :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Camellia`
  into :doc:`/hazmat/decrepit/index` and deprecated it in the cipher module.
  It will be removed from the cipher module in 49.0.0.
* Added :meth:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF.extract` to
  :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`. The previous
  private implementation will be removed in 49.0.0.
* Added support for loading elliptic curve keys that contain explicit
  encodings of the curves secp256r1, secp384r1, and secp521r1.
* Added support for
  :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2d` and
  :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2i` when using
  OpenSSL 3.2.0+.
* Added derive_into methods to
  :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`,
  :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDFExpand`,
  :class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatKDFHash`,
  :class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatKDFHMAC`,
  :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id`,
  :class:`~cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC`,
  :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC`,
  :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC`,
  :class:`~cryptography.hazmat.primitives.kdf.scrypt.Scrypt`, and
  :class:`~cryptography.hazmat.primitives.kdf.x963kdf.X963KDF` to allow
  deriving keys directly into pre-allocated buffers.
* Added encrypt_into and decrypt_into methods to
  :class:`~cryptography.hazmat.primitives.ciphers.aead.AESCCM`,
  :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM`,
  :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCMSIV`,
  :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`,
  :class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV`, and
  :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305` to
  allow encrypting directly into a pre-allocated buffer.
* Added support for PKCS1v15 signing without DigestInfo using
  :class:`~cryptography.hazmat.primitives.asymmetric.utils.NoDigestInfo`.
* Added :meth:`~cryptography.hazmat.primitives.hashes.Hash.hash`, a one-shot
  method for computing hashes.
* Added :doc:`/hazmat/primitives/hpke` support implementing RFC 9180 for
  hybrid authenticated encryption.
* Added new :doc:`/hazmat/primitives/asymmetric/mlkem` module with support
  for ML-KEM key encapsulation with AWS-LC and BoringSSL.

  * Note: Post-quantum algorithm support requires AWS-LC or BoringSSL. As we
    ship our wheels with OpenSSL, most users will not have access to these
    APIs yet. See :doc:`/statements/state-of-openssl` for more information on
    OpenSSL support.
* Added new :doc:`/hazmat/primitives/asymmetric/mldsa` module with support
  for ML-DSA signing and verification with AWS-LC and BoringSSL.

  * Note: Post-quantum algorithm support requires AWS-LC or BoringSSL. As we
    ship our wheels with OpenSSL, most users will not have access to these
    APIs yet. See :doc:`/statements/state-of-openssl` for more information on
    OpenSSL support.
* Added new :doc:`/hazmat/asn1/index` module with support for declaratively
  defining custom ASN.1 types and encoding/decoding them.
* Fixed compilation when using LibreSSL 4.3.0 and OpenSSL 4.0.0.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 4.0.0.
   2026-04-08 22:35:35 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
py-cryptography: update to 46.0.7.

46.0.7 - 2026-01-27
~~~~~~~~~~~~~~~~~~~

* **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could be
  passed to APIs that accept Python buffers, which could lead to buffer
  overflow. **CVE-2026-39892**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6.
   2026-03-27 11:06:27 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
py-cryptography py-cryptography_vectors: updated to 46.0.6

46.0.6 - 2026-03-25

* **SECURITY ISSUE**: Fixed a bug where name constraints were not applied
  to peer names during verification when the leaf certificate contains a
  wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug,
  including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for
  reporting the issue. **CVE-2026-34073**
   2026-02-17 07:32:37 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
py-cryptography: proper fix for Maturin 1.12
   2026-02-16 22:47:54 by Thomas Klausner | Files touched by this commit (2)
Log message:
py-cryptography: manually delete newly installed files

Bug report filed upstream.

Bump PKGREVISION.
   2026-02-16 20:08:07 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
py-cryptography: fix PLIST

setuptools? maturin? update?

Bump PKGREVISION.