Bump cryptography from 48.0.0 to 49.0.0

[dependabot]

Bumps cryptography from 48.0.0 to 49.0.0.

Changelog

Sourced from cryptography's changelog.

49.0.0 - 2026-06-12

* **BACKWARDS INCOMPATIBLE:** Support for ``x86_64`` macOS has been removed.
  We now only publish ``arm64`` wheels for macOS.
* **BACKWARDS INCOMPATIBLE:** Support for 32-bit Windows has been removed.
  Users should move to a 64-bit Python installation.
* **BACKWARDS INCOMPATIBLE:** Removed the deprecated
  ``PUBLIC_KEY_TYPES``, ``PRIVATE_KEY_TYPES``,
  ``CERTIFICATE_PRIVATE_KEY_TYPES``, ``CERTIFICATE_ISSUER_PUBLIC_KEY_TYPES``,
  and ``CERTIFICATE_PUBLIC_KEY_TYPES`` type aliases. Use
  ``PublicKeyTypes``, ``PrivateKeyTypes``, ``CertificateIssuerPrivateKeyTypes``,
  ``CertificateIssuerPublicKeyTypes``, and ``CertificatePublicKeyTypes``
  instead. These were deprecated in version 40.0.
* **BACKWARDS INCOMPATIBLE:** :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20`
  now treats the first 4 bytes of the ``nonce`` as a 32-bit little-endian block
  counter (as defined in :rfc:`7539`) and tracks the number of bytes processed.
  Attempting to encrypt or decrypt more data than the counter allows before it
  would overflow now raises a :class:`ValueError` rather than silently diverging
  from RFC 7539. Setting the counter portion of the ``nonce`` to zero allows
  encrypting up to 256 GiB with a given nonce.
* **BACKWARDS INCOMPATIBLE:** Loading an X.509 certificate whose ECDSA or DSA
  signature ``AlgorithmIdentifier`` contains encoded NULL parameters now raises
  a :class:`ValueError`. Such certificates are invalid, but older versions of
  Java emitted them; previously they loaded with a deprecation warning.
* Fixed cross-compilation of the CFFI bindings when ``PYO3_CROSS_LIB_DIR``
  is set. The build now derives the Python include directory from
  ``PYO3_CROSS_LIB_DIR`` instead of querying the host interpreter, which
  previously caused the build to fail during cross-compilations for embedded
  systems, on hosts which have same-version Python development headers
  installed as the target Python.
* Added support for signing and verifying X.509 certificates, certificate
  signing requests, and certificate revocation lists with
  :doc:`/hazmat/primitives/asymmetric/mldsa` keys, as well as loading
  certificates that contain ML-DSA public keys.
* Added :meth:`~cryptography.hazmat.primitives.hpke.KEM.enc_length` to
  :class:`~cryptography.hazmat.primitives.hpke.KEM` so callers can split the
  encapsulated key from the ciphertext returned by
  :meth:`~cryptography.hazmat.primitives.hpke.Suite.encrypt`.
* :meth:`~cryptography.x509.verification.ExtensionPolicy.require_present`,
  :meth:`~cryptography.x509.verification.ExtensionPolicy.may_be_present`, and
  :meth:`~cryptography.x509.verification.ExtensionPolicy.require_not_present`
  now accept any extension type. Previously only a fixed set of extension
  types was supported, which made it impossible to account for otherwise
  unrecognized critical extensions during path validation.
* Added support for using :class:`~cryptography.x509.Certificate`,
  :class:`~cryptography.x509.CertificateSigningRequest`, and
  :class:`~cryptography.x509.CertificateRevocationList` as field types in
  :doc:`/hazmat/asn1/index` structures.
* Added :func:`~cryptography.hazmat.asn1.value_set`, a class decorator that
</tr></table> 

... (truncated)

Commits

• e300bbe bump version and changelog for 49.0.0 (#15030)
• fa74cd8 Add external mu (message representative) support for ML-DSA (#14979)
• f594db3 chore(deps): bump openssl from 0.10.80 to 0.10.81 (#15029)
• 608e011 chore(deps): bump openssl-sys from 0.9.116 to 0.9.117 (#15028)
• a322bc4 chore(deps): bump cc from 1.2.63 to 1.2.64 (#15027)
• 33181a7 Reject critical nameConstraints extensions containing directoryName constrain...
• 6080dc7 Bump dependencies that dependabot isn't (#15026)
• 121faa3 chore(deps): bump virtualenv from 21.4.2 to 21.4.3 (#15023)
• 829520b Add more robust processing for DH parameters. (#15016)
• 0f05001 Bump downstream dependencies in CI (#15025)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)