Django-ca

Latest version: v1.28.0

Page 4 of 7

1.14.0

Not secure
* `regenerate_ocsp_keys` now has a quiet mode and only generates keys where the CA private key is available.
* Minor changes to make the release compatible with Django 3.0a1.
* Introduce a new, more flexible format for the [CA_PROFILES](https://django-ca.readthedocs.io/en/1.14.0/settings.html#settings-ca-profiles) setting. The new [Profiles](https://django-ca.readthedocs.io/en/1.14.0/profiles.html) page provides more information and [migration instructions](https://django-ca.readthedocs.io/en/1.14.0/profiles.html#profiles-pre-114-migration).
* New dependency: [six](https://pypi.org/project/six/), since Django 3.0 no longer includes it.
* New dependency: [asn1crypto](https://pypi.org/project/asn1crypto/), since cryptography no longer depends on it.
* Serials are now zero-padded when output so that the last element always consists of two characters.
* More consistently output serials with colons, use a monospace font in the admin interface.
* Fix profile selection in the admin interface.
* Fix display of values from CSR in the admin interface.
* Add a copy-button next to values from the CSR to enable easy copy/paste from the CSR.
* Test suite now includes Selenium tests for all JavaScript functionality.
* `dev.py coverage` can now output a text summary using `--format=text`.

Backwards incompatible changes

* Drop support for cryptography 2.3 and 2.4.
* Drop support for idna 2.7.
* Extensions now always expect a dict or a cryptography extension as a value. Anything else was unused in practice.
* [KeyUsage](https://django-ca.readthedocs.io/en/1.14.0/python/extensions.html#django_ca.extensions.KeyUsage), [ExtendedKeyUsage](https://django-ca.readthedocs.io/en/1.14.0/python/extensions.html#django_ca.extensions.ExtendedKeyUsage) and [TLSFeature](https://django-ca.readthedocs.io/en/1.14.0/python/extensions.html#django_ca.extensions.TLSFeature) now behave like an ordered set and support all operators that a set does.
* Running an OCSP responder using `oscrypto`/`ocspbuilder` is no longer supported.

Extensions
==========

* [KeyUsage](https://django-ca.readthedocs.io/en/1.14.0/python/extensions.html#django_ca.extensions.KeyUsage) is now marked as critical by default.
* [ExtendedKeyUsage](https://django-ca.readthedocs.io/en/1.14.0/python/extensions.html#django_ca.extensions.ExtendedKeyUsage) now supports the `anyExtendedKeyUsage` OID.

Deprecation notices
===================

* This is the last release to support Python 2.7.
* This is the last release to support cryptography 2.5 and 2.6.
* This is the last release to be tested with Alpine 3.7.
* This is the last release to support [updating CA private keys to the Filestorage API](https://django-ca.readthedocs.io/en/1.14.0/update.html#update-file-storage). `python manage.py migrate_ca` will be removed in the next release.
* This will be the last release to support the `ca_crl` setting in [CertificateRevocationListView](https://django-ca.readthedocs.io/en/1.14.0/crl.html#django_ca.views.CertificateRevocationListView).
* [Certificate.objects.init()](https://django-ca.readthedocs.io/en/1.14.0/python/models.html#django_ca.managers.CertificateManager.init) has been deprecated in favor of [Certificate.objects.create_cert()](https://django-ca.readthedocs.io/en/1.14.0/python/models.html#django_ca.managers.CertificateManager.create_cert). The old method will be removed in `django-ca==1.16`.
* [get_cert_profile_kwargs()](https://django-ca.readthedocs.io/en/1.14.0/python/profiles.html#django_ca.profiles.get_cert_profile_kwargs) was only used by [init()](https://django-ca.readthedocs.io/en/1.14.0/python/models.html#django_ca.managers.CertificateManager.init) and will thus also be removed in `django-ca==1.16`.
* The old format for `CA_PROFILES` will be supported until `django-ca==1.16`. Please see [Update from django-ca<=1.13](https://django-ca.readthedocs.io/en/1.14.0/profiles.html#profiles-pre-114-migration) for migration instructions.

1.13.0

Not secure
* Add support for cryptography 2.7.
* Moved `setup.py recreate_fixtures` to `recreate-fixtures.py`.
* Moved all other extra `setup.py` commands to `dev.py` to remove clutter.
* Move `fab init_demo` to `dev.py init-demo`.
* Use OpenSSL instead of LibreSSL in Dockerfile to enable testing for Alpine 3.7. The cryptography documentation also [suggests](https://cryptography.io/en/stable/installation/#alpine) OpenSSL.
* The Fabric file has been removed.
* Remove the `CA_PROVIDE_GENERIC_CRL` setting, the default URL configuration now includes it.
* The docker image is now based on Alpine Linux 3.10.
* **BACKWARDS INCOMPATIBLE:** Drop support for cryptography 2.2.
* **BACKWARDS INCOMPATIBLE:** Drop support for idna 2.6.

Deprecation Notices

* This is the last release to support cryptography 2.3 and 2.4.
* This is the last release to support idna 2.7.
* This is the last release to support OCSP using `oscrypto`/`ocspbuilder`.
* `CertificateRevocationListView.ca_crl` is deprecated in favor of the `scope` parameter. If you have set `ca_crl=True` just set `scope="ca"` instead.
* A new more extendable format for the [CA_PROFILES](https://django-ca.readthedocs.io/en/1.13.0/settings.html#settings-ca-profiles) setting will be introduced in 1.14.0. As a result, extensions will no longer support instantiation from lists or strings, so avoid usage wherever you can.

Extensions

* Implement the [CRLDistributionPoints](https://django-ca.readthedocs.io/en/1.13.0/python/extensions.html#django_ca.extensions.CRLDistributionPoints) extension and [CertificatePolicies](https://django-ca.readthedocs.io/en/1.13.0/python/extensions.html#django_ca.extensions.CertificatePolicies) extension.
* Add the `ipsecEndSystem`, `ipsecTunnel` and `ipsecUser` extended key usage types. These are actually very rare and only occur in the "TrustID Server A52" CA.
* Extensions now consistently serialize to dictionaries.

Command-line interface

* The `view_ca` command will now display the full path to the private key, if possible.
* The `migrate_ca` command now has a `--dry` parameter and has updated help texts.
* The new `regenerate_ocsp_keys` command allows you to automatically generate OCSP keys that are used by the new default OCSP views.

Python API

* Add the `root` property to CAs and certificates returning the root Certificate Authority.
* [sign_cert()](https://django-ca.readthedocs.io/en/1.13.0/python/models.html#django_ca.managers.CertificateManager.sign_cert) now also accepts a [CertificateSigningRequest](https://cryptography.io/en/latest/x509/reference/#cryptography.x509.CertificateSigningRequest) as `csr` value.
* Add the `issuer_url`, `crl_url`, `ocsp_url` and `issuer_alternative_name` parameter to [sign_cert()](https://django-ca.readthedocs.io/en/1.13.0/python/models.html#django_ca.managers.CertificateManager.sign_cert) to allow overriding or disabling the default values from the CA. This can also be used to pass extensions that do not just contain the URL using the `extra_extensions` parameter.
* Add the [get_crl()](https://django-ca.readthedocs.io/en/1.13.0/python/models.html#django_ca.models.CertificateAuthority.get_crl) function to get a CRL for the CA.
* Add the [generate_ocsp_key()](https://django-ca.readthedocs.io/en/1.13.0/python/models.html#django_ca.models.CertificateAuthority.generate_ocsp_key) function to generate OCSP keys that are automatically picked up by the generic OCSP views.
* Both [CertificateAuthority](https://django-ca.readthedocs.io/en/1.13.0/python/models.html#django_ca.models.CertificateAuthority) and [Certificate](https://django-ca.readthedocs.io/en/1.13.0/python/models.html#django_ca.models.Certificate) now have a `root` property pointing to the Root CA.

OCSP

* The [CA_DEFAULT_HOSTNAME](https://django-ca.readthedocs.io/en/1.13.0/settings.html#settings-ca-default-hostname) setting is now used to set generic OCSP urls by default.
* The `dump_ocsp_index` management command now excludes certificates that have been expired for more than a day or are not yet valid.

CRLs

* Issued CRLs now conform to [RFC 5280](https://tools.ietf.org/html/rfc5280.html):
  * Add the [CRL Number](https://tools.ietf.org/html/rfc5280.html#section-5.2.3) extension.
  * Add the [Authority Key Identifier](https://tools.ietf.org/html/rfc5280.html#section-5.2.1) extension.
* Add the [Issuing Distribution Point](https://tools.ietf.org/html/rfc5280.html#section-5.2.5) extension. This extension requires that you use `cryptography>=2.5`.
* Add support for setting an Invalidity Date (see [RFC 5280, 5.3.2](https://tools.ietf.org/html/rfc5280.html#section-5.3.2)) for CRLs, indicating when the certificate was compromised.
* CRL entries will no longer include a [Reason Code](https://tools.ietf.org/html/rfc5280#section-5.3.1) if the reason is unspecified (recommended in RFC 5280).
* Expose an API for creating CRLs via [CertificateAuthority.get_crl()](https://django-ca.readthedocs.io/en/1.13.0/python/models.html#django_ca.models.CertificateAuthority.get_crl).

1.12.0

Not secure
* Fix traceback when a certificate that does not exist is viewed in the admin interface.
* Add support for cryptography 2.5 and 2.6.
* Start using [Django storage backends](https://docs.djangoproject.com/en/2.1/ref/files/storage/) for files used by django-ca. This allows you to store files on a shared storage system (e.g. one from [django-storages](https://django-storages.readthedocs.io/)) to support a redundant setup.
* Add support for `PrecertPoison` and `OCSPNoCheck` extensions.
* Implement the `PrecertificateSignedCertificateTimestamps` extension, currently can only be used for reading existing certificates.
* Optimize PrecertificateSignedCertificateTimestamps in Django admin view.
* Make sure that all extensions are always hashable.
* Switch Docker image to [Alpine Linux 3.9](https://www.alpinelinux.org/posts/Alpine-3.9.0-released.html).
* **BACKWARDS INCOMPATIBLE:** Drop support for Python 3.4.
* **BACKWARDS INCOMPATIBLE:** Drop support for Django 2.0.
* **BACKWARDS INCOMPATIBLE:** Drop support for cryptography 2.1.
* **DEPRECATION NOTICE:** This is the last release to support cryptography 2.2.
* **DEPRECATION NOTICE:** This is the last release to support idna 2.6.

Django File storage API

**django-ca** now uses the [File storage API](https://docs.djangoproject.com/en/2.1/ref/files/storage/) to store CA private keys as well as files configured for OCSP views. This allows you to use different storage backends (e.g. from [django-storages](https://django-storages.readthedocs.io/)) to store files on a filesystem shared between different servers, e.g. to provide a redundant setup.

**NOTE:** The switch does require some manual intervention when upgrading. The old way of storing files is still supported and will continue to work until version 1.14. Please see the [upgrade notes](https://django-ca.readthedocs.io/en/1.12.0/update.html) for information on how to upgrade.

* Use file storage API for reading/writing private keys of CAs.
* Use file storage API for reading the responder key and certificate for OCSP.
* New settings [CA_FILE_STORAGE](https://django-ca.readthedocs.io/en/1.12.0/settings.html#settings-ca-file-storage) and [CA_FILE_STORAGE_KWARGS](https://django-ca.readthedocs.io/en/1.12.0/settings.html#settings-ca-file-storage-kwargs) to configure file storage.

OCSP

* Reimplement OCSP using cryptography, used only if `cryptography>=2.4` is installed.
* `django_ca.views.OCSPBaseView.responder_key` may now also be a relative path to be used with the Django storage system.
* `django_ca.views.OCSPBaseView.responder_cert` may now also be a relative path to be used with the Django storage system.
* `django_ca.views.OCSPBaseView.responder_cert` may now also be a pre-loaded certificate. If you still use `cryptography<2.4`, use an `oscrypto.asymmetric.Certificate`; for newer versions you must use a `cryptography.x509.Certificate`.
* Fix log output string interpolation issue in OCSP responder.

1.11.0

Not secure
* Remove colons from CA private keys (fixes 29).
* Filenames for downloading certificates are based on the CommonName (fixes 53).
* Fix certificate bundle order (fixes 55).
* Management commands `dump_ca` and `dump_cert` can now dump whole certificate bundles.
* New setting [CA_DEFAULT_KEY_SIZE](https://django-ca.readthedocs.io/en/1.11.0/settings.html#settings-ca-default-key-size) to configure the default key size for new CAs.
* Fix display of the NameConstraints extension in the admin interface.
* Further optimize the Docker image size (~235MB -> ~140MB).

Deprecation Notices

This release will be the last release to support some software versions:

* This will be the last release that supports Python 3.4 (see [Status of Python branches](https://devguide.python.org/#status-of-python-branches)).
* This will be the last release that supports Django 2.0 (see [Supported Versions](https://www.djangoproject.com/download/#supported-versions)).
* This will be the last release that supports cryptography 2.1.

Python API

* **BACKWARDS INCOMPATIBLE:** Renamed the `subjectAltName` parameter of [Certificate.objects.init()](https://django-ca.readthedocs.io/en/1.11.0/python/models.html#django_ca.managers.CertificateManager.init) to `subject_alternative_name` to be consistent with other extensions.
* Document how to use the `name_constraints` parameter in [CertificateAuthority.objects.init()](https://django-ca.readthedocs.io/en/1.11.0/python/models.html#django_ca.managers.CertificateAuthorityManager.init).
* Extensions can now always be passed as [django_ca.extensions.Extension](https://django-ca.readthedocs.io/en/1.11.0/python/extensions.html#django_ca.extensions.Extension) subclass or as any value accepted by the constructor of the specific class.
* Add ability to add any custom additional extension using the `extra_extensions` parameter.
* [django_ca.subject.Subject](https://django-ca.readthedocs.io/en/1.11.0/python/subject.html#django_ca.subject.Subject) now implements every `dict` method.
* The [pre_issue_cert](https://django-ca.readthedocs.io/en/1.11.0/signals.html#django_ca.signals.pre_issue_cert) signal will now receive normalized values.
* The [pre_issue_cert](https://django-ca.readthedocs.io/en/1.11.0/signals.html#django_ca.signals.pre_issue_cert) signal is only invoked after all parameters are verified.
* Implement the [AuthorityInformationAccess](https://django-ca.readthedocs.io/en/1.11.0/python/extensions.html#django_ca.extensions.AuthorityInformationAccess), [BasicConstraints](https://django-ca.readthedocs.io/en/1.11.0/python/extensions.html#django_ca.extensions.BasicConstraints), [IssuerAlternativeName](https://django-ca.readthedocs.io/en/1.11.0/python/extensions.html#django_ca.extensions.IssuerAlternativeName), [SubjectAlternativeName](https://django-ca.readthedocs.io/en/1.11.0/python/extensions.html#django_ca.extensions.SubjectAlternativeName) and [NameConstraints](https://django-ca.readthedocs.io/en/1.11.0/python/extensions.html#django_ca.extensions.SubjectAlternativeName) extensions.

Testing

* Add cryptography 2.4.2 to the test-suite.
* Add the `docker_test` setup.py command to test the image using various alpine-based images.
* Test for certificates that are not yet valid.
* The child CA used for testing now contains more extensions.
* Freeze time in some test cases to avoid test failures when certificates eventually expire.
* Test some documentation pages, to make sure they are actually correct.

1.10.0

Not secure
* New dependency: [django-object-actions](https://github.com/crccheck/django-object-actions).
* Add ability to resign existing certificates.
* Management command `list_cas` now optionally supports a tree view.
* Use more consistent naming for extensions throughout the code and documentation.
* Renamed the `--tls-features` option of the `sign_cert` command to `--tls-feature`, in line with the actual name of the extension.
* Allow the `TLSFeature` extension in profiles.
* Add link in the admin interface to easily download certificate bundles.
* Support ECC private keys for new Certificate Authorities.
* Store CA private keys in the more secure [PKCS8 format](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.PrivateFormat.PKCS8).
* The Certificate change view now has a second "Revoke" button as object action next to the "History" button.

Python API

* Add the [Python API](https://django-ca.readthedocs.io/en/latest/python/intro.html) as a fully supported interface to **django-ca**.
* New module [django_ca.extensions](https://django-ca.readthedocs.io/en/latest/python/extensions.html#module-django_ca.extensions) to allow easy and consistent handling of X509 extensions.
* Fully document various member attributes of [CertificateAuthority](https://django-ca.readthedocs.io/en/latest/python/models.html#django_ca.models.CertificateAuthority) and [Certificate](https://django-ca.readthedocs.io/en/latest/python/models.html#django_ca.models.Certificate), as well as [Subject](https://django-ca.readthedocs.io/en/latest/python/subject.html#django_ca.subject.Subject) and all new Python code.
* The parameters for functions in [CertificateManager](https://django-ca.readthedocs.io/en/latest/python/models.html#django_ca.managers.CertificateManager) and [CertificateAuthorityManager](https://django-ca.readthedocs.io/en/latest/python/models.html#django_ca.managers.CertificateAuthorityManager) were cleaned up for consistent naming and so that a user no longer needs to use classes from the cryptography library. Parameters are now optional if default settings exist.
* Variable names have been renamed to be more consistent to make the code more readable.

Testing

* Also test with Python 3.7.0.
* Add configuration for [tox](https://tox.readthedocs.io/en/latest/).
* Speed up test-suite by using [force_login()](https://docs.djangoproject.com/en/dev/topics/testing/tools/#django.test.Client.force_login) and [PASSWORD_HASHERS](https://docs.djangoproject.com/en/dev/topics/testing/overview/#password-hashing).
* Load keys and certs for every test case instead of for every class, improving test case isolation.
* Add two certificates that include all and no extensions at all respectively to be able to test edge cases more consistently and thoroughly.
* Add function `cmd_e2e` to call `manage.py` scripts in a way that arguments are parsed by argparse as if they were called from the command line. This allows more complete testing, including parsing command-line arguments.
* Error on any warnings coming from django-ca when running the test-suite.

1.9.0

Not secure
* Allow the creation of Certificates with multiple OUs in their subject (command-line only).
* Fix issues with handling CAs with a password on the command-line.
* Fix handling of certificates with no CommonName and/or no x509 extensions.
* Add support for displaying Signed Certificate Timestamps (SCT) Lists, as described in [RFC 6962, section 3.3](https://tools.ietf.org/html/rfc6962#section-3.3).
* Add limited support for displaying Certificate Policies, as described in [RFC 5280, section 4.2.1.4](https://tools.ietf.org/html/rfc5280#section-4.2.1.4) and [RFC 3647](https://tools.ietf.org/html/rfc3647).
* Correctly display extensions with an OID unknown to django-ca or even cryptography.
* Properly escape x509 extensions to prevent any injection attacks.
* Django 2.1 is now fully supported.
* Fix example command to generate a CSR (had a stray '/').
* Run test-suite with template debugging enabled to catch silently skipped template errors.

Docker
======

* Base the Docker image on `python:3-alpine` (instead of `python:3`), yielding a much smaller image (~965MB -> ~235MB).
* Run complete test-suite in a separate build stage when building the image.
* Provide `uwsgi.ini` for fast deployments with the uwsgi protocol.
* Add support for passing additional parameters to uWSGI using the `DJANGO_CA_UWSGI_PARAMS` environment variable.
* Create user/group with a predefined uid/gid of 9000 to allow better sharing of containers.
* Add `/usr/share/django-ca/` as named volume, allowing a setup where an external webserver serves static files.
* Add documentation on how to run the container in combination with an external webserver.
* Add documentation on how to run the container as a different uid/gid.
