# ChangeLog ## [Unreleased][unreleased] ### Added/Changed/Fixed ### Thanks ## 0.16.0 ### Added/Changed/Fixed Global: - Updated `*ring*` to 0.17.7 (#148) - Updated `time` to 0.3.20 (#148) - Updated asn1-rs to 0.6, der-parser and oid-registry - Set MSRV to 1.63 (due to `time`/`ring`) (#148) Code: - Added support for parsing CRL `IssuingDistributionPoint` extensions (#146) - Fixed lifetime signature on `TbsCertificate::subject_alt_names` function (#151) - Fixed parsing of certificate `UniqueIdentifier` fields to use implicit tagging instead of explicit (#145) - Fixed `clippy::manual_try_fold` findings (#147) ### Thanks - aggstam, Biagio Festa, Daniel McCarney ## 0.15.1 ### Added/Changed/Fixed - Attribute: fix parsing of BmpString string type to use UTF-16 (Closes #143) - `revocation_list`: use correct OID for CRL number. - Fix receiver lifetimes in `AttributeTypeAndValue` ### Thanks - Sergio Benitez, Daniel McCarney, Lily Ballard ## 0.15.0 ### Added/Changed/Fixed Global: - Use SPDX license format (#137) - Set MSRV to 1.57 (due to `ring`/`once_cell`) - Switch base64 decoding to `data-encoding` crate (#136) Code: - Add `verify` feature to verify a certificate revocation list by a public key - Fixed CriAttributes parser (#131) - Refactor code for parsing X509Version - Add verify signature method to revocation list (#130) - Add support for parsing challenge password attribute in CSR's (#129) - Add support for multi-word PEM labels (C#135) Docs: - Fix broken FromDer trait link in README ### Thanks - Bernd Krietenstein, Florian Zipperle, Jean-Baptiste Trystram, Daniel McCarney, Jeff Hiner, Campbell He, Sebastian Dröge ## 0.14.0 ### Added/Changed - Add support for parsing signature parameters and value (closes #94) - Change `ASN1Time::to_rfc2822()` to return a Result - ASN1Time: modify `from_timestamp` to return a Result - ASN1Time: implement Display - Upgrade versions of asn1-rs, oid-registry and der-parser - AlgorithmIdentifier: add const methods to create object/access fields - Globally: start using `asn1-rs` types, simplify parsers: - AlgorithmIdentifier: automatically derive struct, use type ANY - Merge old FromDer trait into `asn1_rs::FromDer` (using X509Error) - Replace BitStringObject with BitString - AttributeTypeAndValue: use Any instead of DerObject - Extensions: replace UnparsedObject with Any - X509Error: add methods to simplify conversions - CRI Attributes: rewrite and simplify parsers - Simplify parsers for multiple types and extensions ### Fixed - Fix ECDSA signature verification when CA and certificate use different curves ### Thanks ## 0.13.2 ### Fixed - Fix panic in ASN1Time::to_rfc2822() when year is less than 1900 ## 0.13.1 ### Fixed - Fix regression with certificate verification for ECDSA signatures using the P-256 curve and SHA-384 (#118) - Set minimum version of `time` to 0.3.7 (#119) - Allow empty SEQUENCE when OPTIONAL, for ex in CRL extensions (#120) ### Thanks - @SergioBenitez, @flavio, @acarlson0000 ## 0.13.0 ### Added/Changed/Fixed Crate: - Update to der-parser 7.0 and asn1-rs - Remove chrono (#111) - Set MSRV to 1.53 Validators: - Add `Deref` trait to `X509Certificate` - Add `Validator` trait and deprecate `Validate` * The previous validation is implemented in `X509StructureValidator` * Split some checks (not on structure) to `X509CertificateValidator` Extensions: - add support for nsComment - add support for IssuerAltName - start adding support for CT Signed Certificate Timestamp (rfc6962) - raise error if a SAN entry cannot be parsed - deprecate `TbsCertificate::find_extension()` and add preferred method `TbsCertificate::get_extension_unique()`: the latter checks for duplicate extensions (#113) Signatures: - Fix signature verification for EC curves (#116) Public Keys: - Add base functions for parsing public keys (RSA, DSA, GOST) ### Thanks - @lilyball, @g2p ## 0.12.0 ### Added/Changed/Fixed - Upgrade to nom 7 ## 0.11.0 ### Added - Add SubjectPublicKeyInfo::raw field ### Changed/Fixed - Fix der-parser dependency (#102) - Update oid-registry dependency (#77) - Set MSRV to 1.46 (indirect dependency on lexical-core and bitvec) - Extend the lifetimes exposed on TbsCertificate (#104) - Add missing test assets (#103) ### Thanks - @jgalenson, @g2p, @kpp ## 0.10.0 ### Added - Add the `Validate` trait to run post-parsing validations of X.509 structure - Add the `FromDer` trait to unify parsing methods and visibility (#85) - Add method to format X509Name using a given registry - Add `X509Certificate::public_key()` method - Add ED25519 as a signature algorithm (#95) - Add support for extensions (#86): - CRL Distribution Points - Add `X509CertificateParser` builder to allow specifying parsing options ### Changed/Fixed - Extensions are now stored in order of appearance in the certificate/CRL (#80) - `.extensions` field is not public anymore, but methods `.extensions()` and `.extensions_map()` have been added - Store CRI attributes in order - Fix parsing of CertificatePolicies, and use named types (closes #82) - Allow specifying registry in oid2sn and similar functions (closes #88) - Mark X509Extension::new as const fn + inline - Allow leading zeroes in serial number - Derive `Clone` for all types (when possible) (#89) - Fix certificate validity period check to be inclusive (#90) - Do not fail GeneralName parsing for x400Address and ediPartyName, read it as unparsed objects (#87) - Change visibility of fields in `X509Name` (replaced by accessors) ### Thanks - @lilyball for numerous issues, ideas and comments - @SergioBenitez for lifetimes fixes (#93) and validity period check fixes (#90) - @rappet for Ed25519 signature verification support (#95) - @xonatius for the work on CRLDistributionPoints (#96, #98) ## 0.9.3 ### Added/Changed/Fixed - Add functions oid2description() and oid_registry() (closes #79) - Fix typo 'ocsp_signing' (closes #84) - Extension: use specific variant if unsupported or failed to parse (closes #83) - Relax constrains on parsing to accept certificates that do not strictly respect DER encoding, but are widely accepted by other X.509 libraries: - SubjectAltName: accept non-ia5string characters - Extensions: accept boolean values not enoded as `00` or `ff` - Serial: build BigUint from raw bytes (do not check sign) ## 0.9.2 ### Added/Changed/Fixed - Remove der-oid-macro from dependencies, not used directly - Use der_parser::num_bigint, remove it from direct dependencies - Add methods to iterate all blocks from a PEM file (#75) - Update MSRV to 1.45.0 ## 0.9.1 ### Added/Changed/Fixed - Fix: X509Name::iter_state_or_province OID value - Re-export oid-registry, and add doc to show how to access OID ### Thanks - @0xazure for fixing X509Name::iter_state_or_province ## 0.9.0 ### Added/Changed/Fixed - Upgrade to `nom` 6.0 - Upgrade to `der-parser` 5.0 - Upgrade MSRV to 1.44.0 - Re-export crates so crate users do not have to import them - Add function parse_x509_pem and deprecate pem_to_der (#53) - Add helper methods to X509Name and simplify accessing values - Add support for ReasonCode extension - Add support for InvalidityDate extension - Add support for CRL Number extension - Add support for Certificate Signing Request (#58) - Change type of X509Version (now directly using the u32 value) - X509Name: relax check, allow some non-rfc compliant strings (#50) - Relax some constraints for invalid dates - CRL: extract raw serial, and add methods to access it - CRL: add method to iterate revoked certificates - RevokedCertificate: convert extensions list to hashmap - Refactor crate modules and visibility - Rename top-level functions to `parse_x509_certificate` and parse_x509_crl` - Refactor error handling, return meaningful errors when possible - Make many more functions public (parse_tbs_certificate, etc.) ### Thanks - Dirkjan Ochtman (@djc): support for Certificate Signing Request (CSR), code refactoring, etc. ## 0.8.0 ### Added/Changed - Upgrade to `der-parser` 4.0 - Move from `time` to `chrono` - `time 0.1 is very old, and time 0.2 broke compatibility and cannot parse timezones - Add public type `ASN1Time` object to abstract implementation - *this breaks API for direct access to `not_before`, `not_after` etc.* - Fix clippy warnings - `nid2obj` argument is now passed by copy, not reference - Add method to get a formatted string of the certificate serial number - Add method to get decoded version - Add convenience methods to access the most common fields (subject, issuer, etc.) - Expose the raw DER of an X509Name - Make `parse_x509_name` public, for parsing distinguished names - Make OID objects public - Implement parsing for some extensions - Support for extensions is not complete, support for more types will be added later - Add example to decode and print certificates - Add `verify` feature to verify cryptographic signature by a public key ### Fixed - Fix parsing of types not representable by string in X509Name (#36) - Fix parsing of certificates with empty subject (#37) ### Thanks - @jannschu, @g2p for the extensions parsing - @wayofthepie for the tests and contributions - @nicholasbishop for contributions ## 0.7.0 - Expose raw bytes of the certificate serial number - Set edition to 2018 ## 0.6.4 - Fix infinite loop when certificate has no END mark ## 0.6.3 - Fix infinite loop when reading non-pem data (#28) ## 0.6.2 - Remove debug code left in `Pem::read` ## 0.6.1 - Add CRL parser - Expose CRL tbs bytes - PEM: ignore lines before BEGIN label (#21) - Fix parsing default values for TbsCertificate version field (#24) - Use BerResult from der-parser for simpler function signatures - Expose tbsCertificate bytes - Upgrade dependencies (base64) ## 0.6.0 - Update to der-parser 3.0 and nom 5 - Breaks API, cleaner error types ## 0.5.1 - Add `time_to_expiration` to `Validity` object - Add method to read a `Pem` object from `BufRead + Seek` - Add method to `Pem` to decode and extract certificate ## 0.5.0 - Update to der-parser 2.0 ## 0.4.3 - Make `parse_subject_public_key_info` public - Add function `sn2oid` (get an OID by short name) ## 0.4.2 - Support GeneralizedTime conversion ## 0.4.1 - Fix case where certificate has no extensions ## 0.4.0 - Upgrade to der-parser 1.1, and Use num-bigint over num - Rename x509_parser to parse_x509_der - Do not export subparsers - Improve documentation ## 0.3.0 - Upgrade to nom 4 ## 0.2.0 - Rewrite X.509 structures and parsing code to work in one pass **Warning: this is a breaking change** - Add support for PEM-encoded certificates - Add some documentation