Changes in python-pskc¶

changes from 1.1 to 1.2¶

portability fixes for test suite
add a remove_encryption() function
always write a 1.0 PSKC version, even when another version was read
correctly write a PSKC file with a global IV
correctly write a PSKC file without a MAC key
add a pskc2pskc script for converting a legacy PSKC file to a RFC 6030 compliant version and for adding or removing encryption
add a csv2pskc script for generating a PSKC file from a CSV file
make all the scripts (pskc2csv, pskc2pskc and csv2pskc) entry points so they are available on package installation

fix a bug in writing passphrase encrypted PSKC files on Python3
fix a typo in the pin_max_failed_attempts attribute (the old name is available as a deprecated property)
switch from pycrypto to cryptography as provider for encryption functions because the latter is better supported
switch to using the PBKDF2 implementation from hashlib which requires Python 2.7.8 or newer
use defusedxml when available (python-pskc now supports both standard xml.etree and lxml with and without defusedxml)
support checking and generating embedded XML signatures (this requires the signxml library which is not required for any other operations)
add limited support for very old draft PSKC versions (it is speculated that this resembles the “Verisign PSKC format” that some applications produce)
support Camellia-CBC and KW-Camellia encryption algorithms
support any hashing algorithm available in Python
add a –secret-encoding option to pskc2csv to allow base64 encoded binary output
support naming the CSV column headers in pskc2csv
add a manual page for pskc2csv
a number of documentation, code style and test suite improvements

numerous compatibility improvements for reading PSKC files that do not follow the RFC 6030 schema exactly: specifically accept a number of old Internet Draft specifications that preceded RFC 6030 and support an ActivIdentity file format
split device information from key information (keep old API available) to allow multiple keys per device (this is not allowed by RFC 6030 but was allowed in older Internet Drafts)
accept MAC to be over plaintext in addition to ciphertext
fall back to using encryption key as MAC key
refactoring of some encryption, parsing and serialising functionality into separate modules for better maintainability
add configuration for running test suite via Tox
addition of a large number of test cases, bringing the branch coverage to 100%
documentation improvements
drop official support for Python 2.6 (the module still works but is just no longer tested with it)

add support for writing encrypted PSKC files (with either a pre-shared key or PBKDF2 password-based encryption)
extend may_use() policy checking function to check for unknown policy elements and key expiry
add a number of tests for existing vendor PSKC files and have full line coverage with tests
be more lenient in handling a number of XML files (e.g. automatically sanitise encryption algorithm URIs, ignore XML namespaces and support more spellings of some properties)
support reading password or key files in pskc2csv
support Python 3 in the pskc2csv script (thanks Mathias Laurin)
refactoring and clean-ups to be more easily extendible (thanks Mathias Laurin)

raise exceptions on parsing, decryption and other problems
support Python 2.6 and multiple ElementTree implementations (lxml is required when using Python 2.6)
support more encryption algorithms (AES128-CBC, AES192-CBC, AES256-CBC, TripleDES-CBC, KW-AES128, KW-AES192, KW-AES256 and KW-TripleDES) and be more lenient in accepting algorithm URIs
support all HMAC algorithms that Python’s hashlib module has hash functions for (HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512)
support PRF attribute of PBKDF2 algorithm
support creating PSKC objects and keys
when accessing values for which a MAC is present, a MAC failure will raise an exception (DecryptionError)
many code cleanups
improve test coverage

Initial release