PyCA cryptography 42.0.0 has been released to PyPI. cryptography includes both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, asymmetric algorithms, message digests, X509, key derivation functions, and much more. We support Python 3.7+, and PyPy3 7.3.10+. Changelog (https://cryptography.io/en/latest/changelog/#v42-0-0): * BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.7. * BACKWARDS INCOMPATIBLE: Loading a PKCS7 with no content field using load_pem_pkcs7_certificates() or load_der_pkcs7_certificates() will now raise a ValueError rather than return an empty list. * Parsing SSH certificates no longer permits malformed critical options with values, as documented in the 41.0.2 release notes. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.0. * Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0. * We now publish both py37 and py39 abi3 wheels. This should resolve some errors relating to initializing a module multiple times per process. * Support PSS for X.509 certificate signing requests and certificate revocation lists with the keyword-only argument rsa_padding on the sign methods for CertificateSigningRequestBuilder and CertificateRevocationListBuilder. * Added support for obtaining X.509 certificate signing request signature algorithm parameters (including PSS) via signature_algorithm_parameters(). * Added support for obtaining X.509 certificate revocation list signature algorithm parameters (including PSS) via signature_algorithm_parameters(). * Added mgf property to PSS. * Added algorithm and mgf properties to OAEP. * Added the following properties that return timezone-aware datetime objects: not_valid_before_utc(), not_valid_after_utc(), revocation_date_utc(), next_update_utc(), last_update_utc(). These are timezone-aware variants of existing properties that return naïve datetime objects. * Deprecated the following properties that return naïve datetime objects: not_valid_before(), not_valid_after(), revocation_date(), next_update(), last_update() in favor of the new timezone-aware variants mentioned above. * Added support for ChaCha20 on LibreSSL. * Added support for RSA PSS signatures in PKCS7 with add_signer(). * In the next release (43.0.0) of cryptography, loading an X.509 certificate with a negative serial number will raise an exception. This has been deprecated since 36.0.0. * Added support for AESGCMSIV when using OpenSSL 3.2.0+. * Added the X.509 path validation APIs for Certificate chains. These APIs should be considered unstable and not subject to our stability guarantees until documented as such in a future release. * Added support for SM4 GCM when using OpenSSL 3.0 or greater. -Paul Kehrer (reaperhulk)