Releases: rustls/webpki

v/0.101.2

26 Jul 12:09
@ctz ctz

Release notes

  • MSRV increased to Rust 1.60.
  • Corrected a bug in CRL processing where certificates with certain forms of serial number were not revocable.
  • Added API for verifying certificate chain with a custom EKU, thanks to @sietseringers.
  • TlsServerTrustAnchors, TlsClientTrustAnchors, verify_is_valid_tls_server_cert and verify_is_valid_tls_client_cert are deprecated: use verify_for_usage with KeyUsage::server_auth() or KeyUsage::client_auth() instead.

What's Changed

  • v0.101.1 release prep by @cpu in #114
  • ci: iterate on cross CI task. by @cpu in #115
  • benches: CRL parsing/searching benchmarks. by @cpu in #108
  • cargo: remove TODO about non-default alloc. by @cpu in #117
  • tests: add BetterTLS path building test suite. by @cpu in #116
  • project: increase MSRV, 1.57 -> 1.60 by @cpu in #120
  • ci: match Rustls style, add cargo-semver-checks, dependabot by @cpu in #118
  • docs: add attributes indicating req'd features. by @cpu in #123
  • clippy fixes, base64 dev-dep 0.13 -> 0.21. by @cpu in #126
  • crl/signed_data: add Debug and Clone as sensible. by @cpu in #129
  • Add verification function with custom EKU by @sietseringers in #119
  • Don't canonicalise serial numbers in CRL entries by @ctz in #132
  • Turn free-standing construction functions into associated methods by @djc in #131
  • build(deps): bump cryptography from 41.0.0 to 41.0.2 by @dependabot in #135
  • RFC: change high-level API to make key usage explicit by @djc in #133
  • Prepare release 0.101.2 by @ctz in #136

Full Changelog: v/0.101.1...v/0.101.2

v/0.101.1

26 Jul 12:10
@ctz ctz
v/0.101.1
5c0ac66

Release notes

  • Fixed 32-bit architecture compatibility.

What's Changed

  • codecov: use upload token to improve reliability by @ctz in #110
  • v0.101.0 release prep by @cpu in #109
  • crls: improve coverage of owned representation. by @cpu in #111
  • fix 32 bit support, add i686-unknown-linux-gnu CI target by @cpu in #113

Full Changelog: v/0.101.0...v/0.101.1

v/0.101.0

26 Jul 12:13
@ctz ctz
v/0.101.0
05e736f

Release notes

  • Breaking change: added an argument for certificate revocation lists to
    EndEntityCert::verify_is_valid_tls_client_cert.
  • Breaking change: removed Time::try_from.
  • Breaking change: removed From<DnsNameRef<'_>> impl for DnsName.
  • Breaking change: replaced AsRef<[u8]> with AsRef<str> for DnsNameRef.
  • Added certificate revocation list (CRL) support.
  • Improved specificity of errors returned from
    EndEntityCert::verify_is_valid_tls_client_cert and
    EndEntityCert::verify_is_valid_tls_server_cert.
  • Improved error specificity for malformed subject alternate names.
  • Added EndEntityCert::dns_names method for returning a list of DNS subject
    alternate names from an end entity cert.
  • Changed EndEntityCert::verify_is_valid_for_subject_name to ignore invalid
    names when verifying cert is valid for a provided subject.
  • MSRV increased to Rust 1.57.

What's Changed

  • Remove "very first prototype" language by @jsha in #41
  • add a method to collect DNS names from a certificate by @cpu in #42
  • stronger deprecations. by @cpu in #48
  • cert verification rustdoc comment touchups. by @cpu in #51
  • subject_name: more specific errs for invalid names. by @cpu in #60
  • Update MSRV to 1.57 to match rustls by @djc in #62
  • cert: retain parsed Cert serial number. by @cpu in #61
  • More test generation (take 2) by @cpu in #64
  • tests: further cleanup/generalization. by @cpu in #65
  • tests: misc coverage for calendar.rs, der.rs by @cpu in #71
  • Configure clippy in lib.rs, remove helper scripts. by @cpu in #72
  • subject_name: rm unused err return for IP subj. cmp. by @cpu in #74
  • ignore invalid value validating dns name list by @patricio78 in #69
  • tests: rename name_constraints test suite to be more generalized. by @cpu in #75
  • Replace license-file with license in Cargo manifest by @djc in #77
  • Starting on webpki CRL parsing support. by @cpu in #44
  • crl: remove exports of untrusted::Input. by @cpu in #83
  • Continued webpki CRL support. by @cpu in #66
  • der/signed_data: introduce support for larger DER values. by @cpu in #73
  • Add CRL processing KeyUsage validation. by @cpu in #82
  • docs: tidy README for fork. by @cpu in #78
  • CRL structural tweaks by @djc in #84
  • ci: forbid warnings from cargo test by @cpu in #86
  • tests: avoid alloc requirement for client revocation tests. by @cpu in #87
  • return most specific error from path building failures by @cpu in #89
  • crl: explicitly number RevocationReason codes. by @cpu in #90
  • Small breaking API changes removing deprecated items. by @cpu in #91
  • tests: avoid messy testfile churn from generate.py by @cpu in #93
  • Only check library against MSRV by @djc in #95
  • ci: enforce generate.py produces no diff. by @cpu in #97
  • lib: remove stale html_root_url doc attribute. by @cpu in #99
  • der/crl: fix support for large CRL DER. by @cpu in #98
  • build(deps): bump cryptography from 40.0.2 to 41.0.0 by @dependabot in #103
  • ci: add merge_group trigger to ci tasks. by @cpu in #104
  • Don't distribute 3-clause BSD test artifacts by @ctz in #102
  • docs: sync SECURITY.md backport policy w/ Rustls. by @cpu in #106
  • docs: fix small typo in SECURITY.md by @cpu in #107
  • Owned CRL representation and associated updates. by @cpu in #100

Full Changelog: v/0.100.1...v/0.101.0

v/0.100.1

26 Jul 12:13
@ctz ctz

Release notes

  • Relax constraint on serial number length.

What's Changed

  • Relax rejection of large positive serial numbers by @ctz in #39
  • Prepare 0.100.1 release by @djc in #40

Full Changelog: v/0.100.0...v/0.100.1

v/0.100.0

26 Jul 12:15
@ctz ctz

Release notes

First release of rustls-webpki crate.

  • Allow verification of certificates with IP address subjectAltNames.
    EndEntityCert::verify_is_valid_for_subject_name was added, and
    EndEntityCert::verify_is_valid_for_dns_name was removed.
  • Make Error type non-exhaustive.
  • Reject non-contiguous netmasks in IP address name constraints.
  • Name constraints of type dNSName and iPAddress now work and are tested.
    directoryName name constraints are not implemented and will prevent
    path building where they appear.
  • Relax requirement that serial numbers are positive to deal with issuers
    that cannot generate correct ASN.1 but nevertheless persist in doing so.

What's Changed

  • Modernize and update metadata for rustls fork by @djc in #1
  • Add critical extensions test by @stormshield-guillaumed in #13
  • Appease clippy explicit-auto-deref by @ctz in #15
  • Use tarpaulin llvm-cov for coverage by @ctz in #16
  • Defend --no-default-features by @ctz in #17
  • IP address support by @ctz in #5
  • Enforce unreachable_pub to clarify visibility by @djc in #22
  • Prepare README and fork versions by @ctz in #25
  • Improve name constraints testing and fix bugs found by @ctz in #18
  • Restore webpki-0.22 naming and enact deprecations by @ctz in #27
  • Declare MSRV for Clippy by @xfix in #32
  • Allow validating V3 certificates that have no extensions by @fspreiss in #34
  • Update GitHub Actions by @nickelc in #33
  • cert: relax enforcing positive serial numbers. by @cpu in #36
  • Prepare 0.100.0 by @ctz in #37

Full Changelog: 0.17.0...v/0.100.0