Service-identity

Highlights

Only one visible change: if a certificate has not `subjectAltName`s, meaning there's nothing to verify against, a `service_identity.CertificateError` is raised now instead of a `VerificationError`. This change was prompted by the difficulty to debug the problem with certificates that still only carry a `commonName` that has been ignored since 23.1.0.


Special Thanks

This release would not be possible without my generous sponsors! Thank you to all of you making sustainable maintenance possible! If *you* would like to join them, go to <https://github.com/sponsors/hynek> and check out the sweet perks!


Above and Beyond

[Variomedia AG](https://www.variomedia.de/) ([variomedia](https://github.com/variomedia)), [Tidelift](https://www.tidelift.com/) ([tidelift](https://github.com/tidelift)), [FilePreviews](http://filepreviews.io/) ([filepreviews](https://github.com/filepreviews)), Daniel Fortunov ([asqui](https://github.com/asqui)), Kevin P. Fleming ([kpfleming](https://github.com/kpfleming)), and [Sören Weber](https://www.gedankenspieler.org/) ([SoerenWeber](https://github.com/SoerenWeber)).


Maintenance Sustainers

[Jeff Triplett](https://webology.dev) ([jefftriplett](https://github.com/jefftriplett)), [Adam Hill](https://adamghill.com) ([adamghill](https://github.com/adamghill)), Dan Groshev ([si14](https://github.com/si14)), Magnus Watn ([magnuswatn](https://github.com/magnuswatn)), [David Cramer](http://cra.mr) ([dcramer](https://github.com/dcramer)), Moving Content AG ([moving-content](https://github.com/moving-content)), [ProteinQure](https://proteinqure.com/) ([ProteinQure](https://github.com/ProteinQure)), Jesse Snyder ([jessesnyder](https://github.com/jessesnyder)), [Rivo Laks](https://rivolaks.com) ([rivol](https://github.com/rivol)), [Ionel Cristian Mărieș](https://blog.ionelmc.ro) ([ionelmc](https://github.com/ionelmc)), [The Westervelt Company](https://westervelt.com) ([westerveltco](https://github.com/westerveltco)), Philippe Galvan ([PhilippeGalvan](https://github.com/PhilippeGalvan)), [Birk Jernström](polar.sh) ([birkjernstrom](https://github.com/birkjernstrom)), [Tim Schilling](www.better-simple.com) ([tim-schilling](https://github.com/tim-schilling)), Chris Withers ([cjw296](https://github.com/cjw296)), [Christopher Dignam](https://christopher.xyz) ([chdsbd](https://github.com/chdsbd)), [Stefan Hagen](https://stefan-hagen.website) ([sthagen](https://github.com/sthagen)), [Sławomir Ehlert](slafs.net) ([slafs](https://github.com/slafs)), Mostafa Khalil ([khadrawy](https://github.com/khadrawy)), [Filip Mularczyk](fmularczyk.pl) ([mukiblejlok](https://github.com/mukiblejlok)), [Mike Fiedler](https://mike.fiedler.me) ([miketheman](https://github.com/miketheman)), and [Michel Vittória](https://www.linkedin.com/in/michelvittoria/) ([michelvittoria](https://github.com/michelvittoria)).

Not to forget 5 more amazing humans who chose to be generous but anonymous!


Full Changelog

Changed

- If a certificate doesn't contain any `subjectAltName`s, we now raise `service_identity.CertificateError` instead of `service_identity.VerificationError` to make the problem easier to debug. [\67](https://github.com/pyca/service-identity/pull/67)

Highlights

Since there wasn't any interest in adding more verification methods, this release makes the service identity pattern extraction from pyOpenSSL and PyCA _cryptography_ certificate public APIs. Check out [`service_identity.cryptography.extract_patterns()`](https://service-identity.readthedocs.io/en/stable/api.html#service_identity.cryptography.extract_patterns) and [`service_identity.pyopenssl.extract_patterns()`](https://service-identity.readthedocs.io/en/stable/api.html#service_identity.pyopenssl.extract_patterns)!

It also adds type hints and removes support for `commonName`. Otherwise there's no changes to how service identities are extracted or compared.


Special Thanks

This release would not be possible without my generous sponsors! Thank you to all of you making sustainable maintenance possible! If *you* would like to join them, go to <https://github.com/sponsors/hynek> and check out the sweet perks!

Above and Beyond

[Variomedia AG](https://www.variomedia.de/) (variomedia), [Tidelift](https://www.tidelift.com/) (tidelift), [Sentry](https://sentry.io) (getsentry), [HiredScore](https://hiredscore.com) (HiredScore), [FilePreviews](http://filepreviews.io/) (filepreviews), and Daniel Fortunov (asqui).


Maintenance Sustainers

[Adam Hill](https://adamghill.com) (adamghill), Dan Groshev (si14), Magnus Watn (magnuswatn), [David Cramer](http://cra.mr) (dcramer), Moving Content AG (moving-content), [Stein Magnus Jodal](https://jod.al) (jodal), [ProteinQure](https://proteinqure.com/) (ProteinQure), Jesse Snyder (jessesnyder), [Rivo Laks](https://rivolaks.com) (rivol), [Tom Ballinger](http://ballingt.com/) (thomasballinger), [Ionel Cristian Mărieș](https://blog.ionelmc.ro) (ionelmc), [The Westervelt Company](https://westervelt.com) (westerveltco), Philippe Galvan (PhilippeGalvan), [Birk Jernström](polar.sh) (birkjernstrom), [Tim Schilling](www.better-simple.com) (tim-schilling), Chris Withers (cjw296), [Christopher Dignam](https://christopher.xyz) (chdsbd), and [Stefan Hagen](https://stefan-hagen.website) (sthagen).

Not to forget 5 more amazing humans who chose to be generous but anonymous!

Full Changelog

Removed

- All Python versions up to and including 3.7 have been dropped.
- Support for `commonName` in certificates has been dropped. It has been deprecated since 2017 and isn't supported by any major browser.
- The oldest supported pyOpenSSL version (when using the `pyopenssl` backend) is now 17.0.0. When using such an old pyOpenSSL version, you have to pin *cryptography* yourself to ensure compatibility between them. Please check out [`contraints/oldest-pyopenssl.txt`](https://github.com/pyca/service-identity/blob/main/tests/constraints/oldest-pyopenssl.txt) to verify what we are testing against.

Deprecated

- If you've used `service_identity.(cryptography|pyopenssl).extract_ids()`, please switch to the new names `extract_patterns()`. [\56](https://github.com/pyca/service-identity/pull/56)

Added

- `service_identity.(cryptography|pyopenssl).extract_patterns()` are now public APIs (FKA `extract_ids()`). You can use them to extract the patterns from a certificate without verifying anything. [\55](https://github.com/pyca/service-identity/pull/55)
- *service-identity* is now fully typed. [\57](https://github.com/pyca/service-identity/pull/57)