0.13.0

@djc djc released this 20 Dec 21:36
· 57 commits to main since this release
v0.13.0

Breaking changes

  • The API used to create/issue key pairs, certificates, certificate signing requests (CSRs), and certificate revocation lists (CRLs) has been restructured to emphasize consistency and avoid common errors with serialization.

    For each concrete type (cert, CSR, CRL) the process is now the same:

    1. generate or load a key pair and any information about issuers required.
    2. create parameters, customizing as appropriate.
    3. call a generation fn on the parameters, providing the subject key pair and, where applicable, the issuer information.
    4. call serialization fns on the finalized type, obtaining DER or PEM.

    For more information, see [rcgen/docs/0.12-to-0.13.md].

  • Throughout the API, DER inputs are now represented using types from the Rustls rustls-pki-types crate, e.g. PrivateKeyDer, CertificateDer, CertificateSigningRequestDer. Contributed by Tudyx.

  • String types used in the SanType and DnValue enums for non-UTF-8 strings have been replaced with more specific types that prevent representation of illegal values, e.g. Ia5String, BmpString, PrintableString, TeletexString, and UniversalString. Contributed by Tudyx.

  • Method names starting with get_ have been renamed to match Rust convention:

    • CertificateRevocationList::get_params() -> params()
    • Certificate::get_params() -> params()
    • Certificate::get_key_identifier() -> Certificate::key_identifier()
    • Certificate::get_times() -> Certificate::times()

Added

  • RSA key generation support has been added. This support requires using the aws-lc-rs feature. By default, using KeyPair::generate_for() with an RSA SignatureAlgorithm will generate an RSA 2048 key pair. See KeyPair::generate_rsa_for() for support for RSA 2048, 3072 and 4096 key sizes.

  • Support for ECDSA P521 signatures and key generation has been added when using the aws-lc-rs feature. Contributed by Alvenix.

  • Support for loading private keys that may be PKCS8, PKCS1, or SEC1 has been added when using the aws-lc-rs feature. Without this feature, private keys must be PKCS8. See KeyPair::from_pem_and_sign_algo() and KeyPair::from_der_and_sign_algo() for more information. Contributed by Alvenix.

  • Support has been added for Subject Alternative Name (SAN) names of type OtherName. Contributed by Tudyx.

  • Support has been added for specifying custom "other" OIDs in extended key usage. Contributed by Tudyx.

  • Support has been added for building rcgen without cryptography by omitting the new (default-enabled) crypto feature flag. Contributed by corrideat.

  • Support for using aws-lc-rs in FIPS mode can now be activated by using the fips feature in combination with the aws-lc-rs feature. Contributed by BiagioFesta.

  • A small command-line tool for certificate generation (rustls-cert-gen) was added. Contributed by tbro.

What's Changed

  • Allow building without the pem crate feature by @daxpedda in #204
  • ensure default serial generation fits 20 bytes by @BiagioFesta in #203
  • A functional rustls-cert-gen with basic parameters. by @tbro in #190
  • choose a crypto_provider for rustls_cert_gen by @stormshield-gt in #206
  • Rework Certificate issuance API, make DER/PEM serialization stable by @cpu in #205
  • add support for other oid in the extended key usage by @Tudyx in #210
  • Upgrade webpki dev-dependency to 0.102 by @djc in #215
  • build(deps): bump actions/cache from 3 to 4 by @dependabot in #216
  • External keys by @djc in #213
  • build(deps): bump shlex from 1.2.0 to 1.3.0 by @dependabot in #217
  • Tighten up string type representations to prevent illegal values by @Tudyx in #214
  • docs: update CHANGELOG for 0.12.1 by @cpu in #220
  • Support compiling without cryptography primitives by @corrideat in #208
  • Add basic support for Subject Alternative Name OtherName by @Tudyx in #209
  • build(deps): bump codecov/codecov-action from 3 to 4 by @dependabot in #221
  • codecov: disable pull-request annotations by @cpu in #225
  • ci: sync nightly for check-external-types by @cpu in #226
  • proj: fix new clippy unused imports finding by @cpu in #227
  • Upgrade x509-parser to 0.16 by @djc in #231
  • Remove get_() prefixes from method names by @djc in #232
  • Add RSA key generation by @est31 in #230
  • Update semver-compatible dependencies by @djc in #235
  • FIPS support by @BiagioFesta in #234
  • Split certificate module out of crate root by @djc in #237
  • Apply most Clippy suggestions by @djc in #239
  • Inline oid module by @djc in #238
  • Streamline signing API by @djc in #233
  • Use pki_types to improve the interoperability with the rustls ecosystem by @Tudyx in #223
  • lib: export key_pair::RsaKeySize by @cpu in #245
  • Unbreak doctests by @djc in #244
  • Serialize CRL parameters into CertificateRevocationList by @djc in #240
  • Follow-up from pki-types conversion by @djc in #246
  • Fix unused import warning by @Alvenix in #248
  • key_pair: emphasize PKCS8 input requirement in constructor fn names by @cpu in #249
  • Support ECDSA_P521_SHA512 when using aws_lc_rs feature by @Alvenix in #241
  • Minor API tweaks by @djc in #253
  • Streamline CI jobs by @djc in #251
  • Prefer aws-lc-rs over ring if both are enabled by @djc in #252
  • lib: export csr::CertificateSigningRequest by @cpu in #255
  • Support more private key formats when using aws_lc_rs feature by @Alvenix in #242
  • docs: update CHANGELOG for 0.13.0 by @cpu in #254