
Releases: rustls/rcgen

0.13.2

20 Dec 21:31
@djc djc
v0.13.2

Several improvements to the capabilities available when working with certificate signing requests.

What's Changed

  • Clarify internal data dependencies for signing APIs by @djc in #269
  • error: feature-gate ExternalError by @cpu in #271
  • Pass extended key usage parameters when importing CertificateSigningRequestParams by @uglyoldbob in #264
  • ci: update cargo-check-external-types toolchain, fix build by @cpu in #276
  • Revert "ci: temp. pin nightly to avoid ICE" by @cpu in #277
  • Expose algorithm field on PublicKey by @rickvanprim in #281
  • Update semver-compatible dependencies by @djc in #283
  • crl: avoid markdown footnotes by @cpu in #284
  • Disable default features for aws-lc-rs by @daxpedda in #286
  • Add KeyUsage support to CSR generation by @lvkv in #287
  • Fix compilation issues of OpenSSL tests on 32-bit architectures by @decathorpe in #290
  • Enable signing without private key by @djc in #291
  • Clarify CSR signing docs by @lvkv in #295
  • ci: adjust nightly for cargo-check-external-types by @cpu in #297
  • Add PKCS#10 attributes to CSR serializer by @lvkv in #296
  • Bump codecov/codecov-action from 4 to 5 by @dependabot in #299
  • Update README.md example to match what's in lib.rs by @ghenry in #298
  • rcgen: 0.13.1 -> 0.13.2 by @lvkv in #303

0.13.1

20 Dec 21:31
@djc djc
v0.13.1

Fixed the authority key identifier (AKI) extension of issued certificates: the issuer's key identifier was incorrectly computed with the key identifier method taken from the subject certificate's parameters instead of the issuer's.

What's Changed

  • Fix reference in changelog about RSA key generation by @djc in #258
  • Set library version for CLI crate by @djc in #257
  • cli: add more Cargo metadata by @djc in #259
  • examples: sign-leaf-with-ca uses ca key for signing end entity cert by @markdingram in #263
  • cert: use key_identifier_method of issuer for AKI by @cpu in #262

0.13.0

20 Dec 21:36
@djc djc
v0.13.0

Breaking changes

  • The API used to create/issue key pairs, certificates, certificate signing requests (CSRs), and certificate revocation lists (CRLs) has been restructured to emphasize consistency and avoid common errors with serialization.

    For each concrete type (cert, CSR, CRL) the process is now the same:

    1. generate or load a key pair and any information about issuers required.
    2. create parameters, customizing as appropriate.
    3. call a generation fn on the parameters, providing the subject key pair and issuer information as appropriate.
    4. call serialization fns on the finalized type, obtaining DER or PEM.

    For more information, see [rcgen/docs/0.12-to-0.13.md].

  • Throughout the API, DER inputs are now represented using types from the Rustls rustls-pki-types crate, e.g. PrivateKeyDer, CertificateDer, CertificateSigningRequestDer. Contributed by Tudyx.

  • String types used in SanType and DnValue enums for non-UTF8 string types have been replaced with more specific types that prevent representation of illegal values, e.g. Ia5String, BmpString, PrintableString, TeletexString, and UniversalString. Contributed by Tudyx.

  • Method names starting with get_ have been renamed to match Rust convention:

    • CertificateRevocationList::get_params() -> params()
    • Certificate::get_params() -> params()
    • Certificate::get_key_identifier() -> Certificate::key_identifier()
    • Certificate::get_times() -> Certificate::times()
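
One way a string type can prevent representation of illegal values, as the string-type change above describes, is to validate the ASN.1 character set in its only constructor. The sketch below is an added, std-only illustration and not rcgen's own code; the `Demo*` types and `InvalidChar` are hypothetical names, and the sample inputs are constructed.

```rust
use std::convert::TryFrom;

// Hypothetical newtypes for illustration; not rcgen's definitions.
/// ASN.1 PrintableString: A-Z a-z 0-9 space ' ( ) + , - . / : = ?
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct DemoPrintableString(String);

/// ASN.1 IA5String: 7-bit ASCII only.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct DemoIa5String(String);

/// Position (in characters) and value of the first rejected character.
#[derive(Debug, PartialEq, Eq)]
pub struct InvalidChar { pub index: usize, pub ch: char }

// Shared validation: return an owned copy only if every character is allowed.
fn check(s: &str, allowed: impl Fn(char) -> bool) -> Result<String, InvalidChar> {
    match s.chars().enumerate().find(|(_, c)| !allowed(*c)) {
        Some((index, ch)) => Err(InvalidChar { index, ch }),
        None => Ok(s.to_owned()),
    }
}

impl TryFrom<&str> for DemoPrintableString {
    type Error = InvalidChar;
    fn try_from(s: &str) -> Result<Self, InvalidChar> {
        check(s, |c| c.is_ascii_alphanumeric() || " '()+,-./:=?".contains(c)).map(Self)
    }
}

impl TryFrom<&str> for DemoIa5String {
    type Error = InvalidChar;
    fn try_from(s: &str) -> Result<Self, InvalidChar> {
        check(s, |c| c.is_ascii()).map(Self)
    }
}

// Read-only access keeps the invariant: no way to mutate the inner String.
impl DemoPrintableString { pub fn as_str(&self) -> &str { &self.0 } }
impl DemoIa5String { pub fn as_str(&self) -> &str { &self.0 } }

fn main() {
    // Constructed sample inputs.
    for s in ["Example Org, Inc.", "*.example.test", "ops_team"] {
        println!("PrintableString {:?}: {:?}", s, DemoPrintableString::try_from(s));
    }
    for s in ["admin@example.test", "m\u{fc}nchen.example"] {
        println!("IA5String {:?}: {:?}", s, DemoIa5String::try_from(s));
    }
}
```

Because the inner `String` is private and only reachable through `try_from`, code that serializes such a value never has to re-check the character set.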

Added

  • RSA key generation support has been added. This support requires using the aws-lc-rs feature. By default using KeyPair::generate_for() with an RSA SignatureAlgorithm will generate an RSA 2048 keypair. See KeyPair::generate_rsa_for() for support for RSA 2048, 3072 and 4096 key sizes.

  • Support for ECDSA P521 signatures and key generation has been added when using the aws-lc-rs feature. Contributed by Alvenix.

  • Support for loading private keys that may be PKCS8, PKCS1, or SEC1 has been added when using the aws-lc-rs feature. Without this feature private keys must be PKCS8. See KeyPair::from_pem_and_sign_algo() and KeyPair::from_der_and_sign_algo() for more information. Contributed by Alvenix.

  • Support has been added for Subject Alternative Name (SAN) names of type OtherName. Contributed by Tudyx.

  • Support has been added for specifying custom "other" OIDs in extended key usage. Contributed by Tudyx.

  • Support has been added for building rcgen without cryptography by omitting the new (default-enabled) crypto feature flag. Contributed by corrideat.

  • Support for using aws-lc-rs in fips mode can now be activated by using the fips feature in combination with the aws-lc-rs feature. Contributed by BiagioFesta.

  • A small command-line tool for certificate generation (rustls-cert-gen) was added. Contributed by tbro.

What's Changed

  • Allow building without the pem crate feature by @daxpedda in #204
  • ensure default serial generation fits 20 bytes by @BiagioFesta in #203
  • A functional rustls-cert-gen with basic parameters. by @tbro in #190
  • choose a crypto_provider for rustls_cert_gen by @stormshield-gt in #206
  • Rework Certificate issuance API, make DER/PEM serialization stable by @cpu in #205
  • add support for other oid in the extended key usage by @Tudyx in #210
  • Upgrade webpki dev-dependency to 0.102 by @djc in #215
  • build(deps): bump actions/cache from 3 to 4 by @dependabot in #216
  • External keys by @djc in #213
  • build(deps): bump shlex from 1.2.0 to 1.3.0 by @dependabot in #217
  • Tighten up string type representations to prevent illegal values by @Tudyx in #214
  • docs: update CHANGELOG for 0.12.1 by @cpu in #220
  • Support compiling without cryptography primitives by @corrideat in #208
  • Add basic support for Subject Alternative Name OtherName by @Tudyx in #209
  • build(deps): bump codecov/codecov-action from 3 to 4 by @dependabot in #221
  • codecov: disable pull-request annotations by @cpu in #225
  • ci: sync nightly for check-external-types by @cpu in #226
  • proj: fix new clippy unused imports finding by @cpu in #227
  • Upgrade x509-parser to 0.16 by @djc in #231
  • Remove get_() prefixes from method names by @djc in #232
  • Add RSA key generation by @est31 in #230
  • Update semver-compatible dependencies by @djc in #235
  • FIPS support by @BiagioFesta in #234
  • Split certificate module out of crate root by @djc in #237
  • Apply most Clippy suggestions by @djc in #239
  • Inline oid module by @djc in #238
  • Streamline signing API by @djc in #233
  • Use pki_types to improve the interoperability with the rustls ecosystem by @Tudyx in #223
  • lib: export key_pair::RsaKeySize by @cpu in #245
  • Unbreak doctests by @djc in #244
  • Serialize CRL parameters into CertificateRevocationList by @djc in #240
  • Follow-up from pki-types conversion by @djc in #246
  • Fix unused import warning by @Alvenix in #248
  • key_pair: emphasize PKCS8 input requirement in constructor fn names by @cpu in #249
  • Support ECDSA_P521_SHA512 when using aws_lc_rs feature by @Alvenix in #241
  • Minor API tweaks by @djc in #253
  • Streamline CI jobs by @djc in #251
  • Prefer aws-lc-rs over ring if both are enabled by @djc in #252
  • lib: export csr::CertificateSigningRequest by @cpu in #255
  • Support more private key formats when using aws_lc_rs feature by @Alvenix in #242
  • docs: update CHANGELOG for 0.13.0 by @cpu in #254