0.102.8

Release notes

• Support for aws-lc-rs 1.9 added. This release adds supports for compressed EC public keys, when used with aws-lc-rs.

What's Changed

• Take aws-lc-rs 1.9 by @ctz in #284

Full Changelog: v/0.102.7...v/0.102.8

0.102.7

• Initial support for RFC 7250 "Raw public keys". A new RawPublicKeyEntity type has been added, offering a verify_signature() fn for verifying the signature over a given message using a raw public key produced from a pki_types::SubjectPublicKeyInfoDer instance.
• Relaxed CRL requirements for certificates with CRL distribution point extensions. Previously the revocation checking logic only considered a CRL authoritative for a certificate when it had a CRL distribution point extension if the CRL also had an issuing distribution point extension that matched. This has now been relaxed to consider a CRL without any issuing distribution point extension as authoritative for certificates with a matching issuer.

What's Changed

• build(deps): bump serde_json from 1.0.120 to 1.0.121 in the crates-io group by @dependabot in #274
• Update deny config by @djc in #277
• crl: CRL w/o IDP ext auth. for cert w/ DP by @cpu in #276
• build(deps): bump serde_json from 1.0.121 to 1.0.122 in the crates-io group by @dependabot in #278
• API for allowing signature validation given a SPKI/RPK by @holodorum in #275
• build(deps): bump the crates-io group with 2 updates by @dependabot in #279
• build(deps): bump the crates-io group with 2 updates by @dependabot in #280
• build(deps): bump the crates-io group with 2 updates by @dependabot in #283

New Contributors

• @holodorum made their first contribution in #275

Full Changelog: v/0.102.6...v/0.102.7

0.102.6

• Add support for P-521 curve with SHA-256/SHA-384 digests

What's Changed

• types: avoid markdown footnotes by @cpu in #268
• build(deps): bump serde from 1.0.203 to 1.0.204 in the crates-io group by @dependabot in #269
• Update EndEntityCert documentation by @djc in #271
• Add support for P-521 curve with SHA-256/SHA-384 digests by @samin-cf in #272

New Contributors

• @samin-cf made their first contribution in #272

Full Changelog: v/0.102.5...v/0.102.6

0.102.5

Notable changes

• EndEntityCert::subject_public_key_info() as added in 0.102.4 neglected to specify the return type's lifetime, limiting the visible lifetime to the lifetime of the EndEntityCert. The actual lifetime was 'static; we've made this explicit and enabled warnings for elided_lifetimes_in_paths to avoid similar issues in the future.

What's changed

• build(deps): bump the crates-io group with 2 updates by @dependabot in #257
• ci: update cargo-check-external-types toolchain by @cpu in #258
• build(deps): bump seanmiddleditch/gha-setup-ninja from 4 to 5 by @dependabot in #260
• build(deps): bump aws-lc-rs from 1.7.2 to 1.7.3 in the crates-io group by @dependabot in #261
• Enable some more warnings on lints by @djc in #262
• lib: warn for clippy::use_self by @cpu in #263
• build(deps): bump the crates-io group with 2 updates by @dependabot in #265
• Prepare 0.102.5 release by @djc in #266

v/0.102.4

• RevocationOptionsBuilder now offers a with_expiration_policy() fn for setting an ExpirationPolicy that will be used to determine how to handle CRLs that have a NextUpdate value in the past. The default behaviour is to ignore the NextUpdate. Users wishing to use a stricter policy can do so by specifying ExpirationPolicy::Enforce. Revocation checking against an expired CRL will then produce an Error::CrlExpired error.
• EndEntityCert now offers a subject_public_key_info() fn for accessing the RFC 5280 pki_types::SubjectPublicKeyInfoDer.

What's Changed

• build(deps): bump serde from 1.0.198 to 1.0.199 in the crates-io group by @dependabot in #250
• benches: ignore clippy::incompatible_msrv by @cpu in #251
• build(deps): bump the crates-io group with 3 updates by @dependabot in #252
• Add SubjectPublicKeyInfo methods for cert::Cert by @lvkv in #253
• build(deps): bump the crates-io group across 1 directory with 2 updates by @dependabot in #255
• Add support for enforcing CRL expiration using nextUpdate field by @jasperpatterson in #227
• Cargo: v0.102.3 -> v0.102.4 by @cpu in #256

New Contributors

• @lvkv made their first contribution in #253

Full Changelog: v/0.102.3...v/0.102.4

v/0.102.3

• New KeyUsage::required_if_present() fn for requiring a certificate to support the specified OID, if the certificate has EKUs.
• Updates aws-lc-rs to 1.7.0
• MSRV increased from 1.61 to 1.63

What's Changed

• build(deps): bump codecov/codecov-action from 3 to 4 by @dependabot in #226
• Allow "required if present" EKUs by @jasperpatterson in #229
• Synchronise codecov action settings with rustls by @ctz in #230
• ci: sync nightly for check-external-types by @cpu in #231
• build(deps): bump cryptography from 41.0.6 to 42.0.4 by @dependabot in #233
• Fix nightly compilation by @ctz in #234
• Fix windows build by @ctz in #235
• build(deps): bump base64 from 0.21.7 to 0.22.0 by @dependabot in #237
• build(deps): bump serde_json from 1.0.114 to 1.0.115 by @dependabot in #238
• Update semver-compatible dependencies by @djc in #241
• deps: rcgen 0.12 -> 0.13 by @cpu in #239
• Simplify test chain building by @djc in #244
• build(deps): bump serde_json from 1.0.115 to 1.0.116 by @dependabot in #245
• build(deps): bump serde from 1.0.197 to 1.0.198 by @dependabot in #247
• Update Dependabot config to match rustls by @djc in #249
• v0.102.3, bump aws-lc-rs from 1.6.4 to 1.7.0, MSRV 1.63 by @cpu in #248

New Contributors

• @jasperpatterson made their first contribution in #229

Full Changelog: v/0.102.2...v/0.102.3

0.102.2

What's Changed

• small nightly clippy fixes by @cpu in #222
• Cargo: avoid unused aws-lc-rs default features by @cpu in #224
• aws_lc_rs_algs: Expose FIPS status by @ctz in #225

Full Changelog: v/0.102.1...v/0.102.2

0.102.1

Headlines

• Added webpki::aws_lc_rs::ECDSA_P521_SHA512: support for P521-SHA512 signature verification.

What's Changed

• build(deps): bump cryptography from 41.0.4 to 41.0.6 by @dependabot in #215
• Introduce and test ECDSA_P521_SHA512 for aws-lc-rs by @ctz in #216
• build(deps): bump actions/setup-python from 4 to 5 by @dependabot in #218
• cert: fix clippy get_first finding by @cpu in #220
• build(deps): update rcgen requirement from 0.11.3 to 0.12.0 by @dependabot in #219

Full Changelog: v/0.102.0...v/0.102.1

0.102.0

Headlines

• More powerful certificate revocation list (CRL) support. There is now an API for explicitly configuring whether CRLs are mandatory or optional, and which parts of the certificate chain they apply to.
• Extensible and observable path building. This crate now returns an example of a found certificate path, and optionally allows callers to reject valid paths to continue the search.
• Improving API stability. This crate now uses types from rustls-pki-types; we expect this to reduce the number of breaking changes in rustls ecosystem.
• Pluggable crypto providers. This crate can now depend on signature verification algorithms provided externally. ring is now an optional (but default) dependency, and aws-lc-rs is a new optional dependency.

What's Changed

• cert: retain CRL distribution points extension. by @cpu in #127
• Tweak style in distribution point handling by @djc in #137
• crl: retain issuing distribution point extension by @cpu in #128
• Implement FromDer trait and DerIterator type by @djc in #139
• Make ring optional by @ctz in #134
• Name iterator by @djc in #140
• Impl FromDer for more types by @djc in #141
• fix no-std support by @japaric in #145
• Refactor DER parsing by @djc in #142
• revocation: more sophisticated revocation checking. by @cpu in #138
• build(deps): bump cryptography from 41.0.2 to 41.0.3 by @dependabot in #146
• Use doc_auto_cfg and remove manual doc(cfg()) gates by @ctz in #150
• bettertls: test both pathbuilding and nameconstraints. by @cpu in #151
• verify_cert: enforce maximum number of signatures. by @cpu in #152
• Fix build & clippy lints by @ctz in #156
• SECURITY.md: use github vuln reporting tool by @ctz in #155
• Enable warnings for cargo doc comments on private items by @cpu in #157
• Switch to using the pki-types crate by @djc in #147
• Bump version to alpha.1 with pki-types by @djc in #161
• build(deps): bump actions/checkout from 3 to 4 by @dependabot in #162
• Further limits on expensive path building by @ctz in #163
• Budget tweaks by @djc in #164
• Use signature verification trait from pki-types by @ctz in #166
• verify_cert: bound name constraint comparisons. by @cpu in #165
• Remove subject common name parsing by @hawkw in #169
• verify_cert: correct handling of fatal errors. by @cpu in #168
• subject_name: fix stale unused_imports allow. by @cpu in #171
• Extract PathNode from Cert by @djc in #173
• Use pki_types::UnixTime instead of local Time type by @djc in #175
• tests: local test speed optimizations, add cargo hack feature powerset by @cpu in #176
• docs: add CONTRIBUTING.md, ref'ing Rustls CONTRIBUTING by @cpu in #177
• Note that self-signed certificates are not supported. by @bdaehlie in #180
• properly test build chain call budget by @cpu in #179
• Use stable for coverage measurement by @ctz in #181
• Optionally support aws-lc-rs by @ctz in #158
• rework dns_names helper, remove alloc req. by @cpu in #178
• Let EndEntityCert deref to Cert by @djc in #184
• Refactor name verification flow by @djc in #188
• Cargo: remove rcgen git patch by @cpu in #189
• crl: rm Budget from verify_signature fn by @cpu in #190
• NFC: Correct name of mozilla::pkix in comment. by @cpu in #192
• Cargo: restore rcgen w/ no-default-features by @cpu in #195
• Upgrade to untrusted 0.9 and ring 0.17 by @djc in #193
• Prepare 0.102.0-alpha.4 by @ctz in #194
• build(deps): bump cryptography from 41.0.3 to 41.0.4 by @dependabot in #196
• Expose built path in public API by @djc in #174
• verify_cert: add test for rejecting candidate path by @cpu in #197
• Deny warnings from clippy by @djc in #198
• Use cargo-check-external-types to control type leakage in public API by @cpu in #202
• trust_anchor: fix stale note about EndEntityOrCA by @cpu in #204
• Improve CRL ergonomics, replace trait with enum by @cpu in #203
• trust_anchor: clarify and rename extract_trust_anchor by @cpu in #201
• Remove unused git exception from deny config by @djc in #208
• Migrate to pki-types ServerName by @djc in #207
• verify_cert: re-export VerifiedPath by @BiagioFesta in #210
• derive Debug for RingAlgorithm, AwsLcRsAlgorithm by @cpu in #212

New Contributors

• @japaric made their first contribution in #145
• @hawkw made their first contribution in #169
• @bdaehlie made their first contribution in #180
• @BiagioFesta made their first contribution in #210

Full Changelog: v/0.101.7...v/0.102.0

v/0.102.0-alpha.8

What's Changed

• trust_anchor: clarify and rename extract_trust_anchor by @cpu in #201
• Remove unused git exception from deny config by @djc in #208
• Migrate to pki-types ServerName by @djc in #207
• verify_cert: re-export VerifiedPath by @BiagioFesta in #210
• derive Debug for RingAlgorithm, AwsLcRsAlgorithm by @cpu in #212

New Contributors

• @BiagioFesta made their first contribution in #210

Full Changelog: v/0.102.0-alpha.6...v/0.102.0-alpha.8