Changes

Newer releases can be found on GitHub.

Release 0.13.1 - April 4th, 2024

Fixed:

  • Fixed incorrect usage of the key identifier method from the subject certificate's parameters when computing the issuer's key identifier for the subject's authority key identifier (AKI) extension.

Release 0.13.0 - March 28th, 2024

Breaking changes:

  • The API used to create/issue key pairs, certificates, certificate signing requests (CSRs), and certificate revocation lists (CRLs) has been restructured to emphasize consistency and avoid common errors with serialization.

    For each concrete type (cert, CSR, CRL) the process is now the same:

    1. generate or load a key pair and any information about issuers required.
    2. create parameters, customizing as appropriate.
    3. call a generation fn on the parameters, providing the subject key pair and issuer information as appropriate.
    4. call serialization fns on the finalized type, obtaining DER or PEM.

    For more information, see [rcgen/docs/0.12-to-0.13.md].

  • Throughout the API DER inputs are now represented using types from the Rustls rustls-pki-types crate, e.g. PrivateKeyDer, CertificateDer, CertificateSigningRequestDer. Contributed by Tudyx.

  • String types used in SanType and DnValue enums for non-UTF8 string types have been replaced with more specific types that prevent representation of illegal values. E.g. Ia5String, BmpString, PrintableString, TeletexString, and UniversalString. Contributed by Tudyx.

  • Method names starting with get_ have been renamed to match Rust convention:

    • CertificateRevocationList::get_params() -> params()
    • Certificate::get_params() -> params()
    • Certificate::get_key_identifier() -> Certificate::key_identifier()
    • Certificate::get_times() -> Certificate::times()

Added:

  • RSA key generation support has been added. This support requires using the aws-lc-rs feature. By default using KeyPair::generate_for() with an RSA SignatureAlgorithm will generate an RSA 2048 keypair. See KeyPair::generate_rsa_for() for support for RSA 2048, 3072 and 4096 key sizes.

  • Support for ECDSA P521 signatures and key generation has been added when using the aws-lc-rs feature. Contributed by Alvenix.

  • Support for loading private keys that may be PKCS8, PKCS1, or SEC1 has been added when using the aws-lc-rs feature. Without this feature private keys must be PKCS8. See KeyPair::from_pem_and_sign_algo() and KeyPair::from_der_and_sign_algo() for more information. Contributed by Alvenix.

  • Support has been added for Subject Alternative Name (SAN) names of type OtherName. Contributed by Tudyx.

  • Support has been added for specifying custom "other" OIDs in extended key usage. Contributed by Tudyx.

  • Support has been added for building rcgen without cryptography by omitting the new (default-enabled) crypto feature flag. Contributed by corrideat.

  • Support for using aws-lc-rs in fips mode can now be activated by using the fips feature in combination with the aws-lc-rs feature. Contributed by BiagioFesta.

  • A small command-line tool for certificate generation (rustls-cert-gen) was added. Contributed by tbro.

Release 0.12.1 - January 25th, 2024

  • RFC 5280 specifies that a serial number must not be larger than 20 octets in length. Prior to this release an unintended interaction between rcgen and its underlying DER encoding library could result in 21 octet serials. This has now been fixed.
  • A regression that caused build errors when the optional pem feature was omitted has been fixed.
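
How a 20-byte serial can end up as 21 octets under DER's INTEGER rules, with a length check against the RFC 5280 limit; this is an added example, not rcgen's code. It assumes the extra octet comes from DER sign padding (the changelog does not say); the function names and sample bytes are constructed, and `clamp_serial` is a hypothetical mitigation, not rcgen's fix.

```rust
/// RFC 5280 limit on serialNumber content octets.
const MAX_SERIAL_OCTETS: usize = 20;

/// DER content octets for a non-negative INTEGER given as big-endian magnitude bytes.
fn der_integer_content(magnitude: &[u8]) -> Vec<u8> {
    // DER requires the minimal encoding: drop redundant leading zero bytes.
    let first = magnitude.iter().position(|&b| b != 0).unwrap_or(magnitude.len());
    let trimmed = &magnitude[first..];
    if trimmed.is_empty() {
        return vec![0x00]; // the value zero
    }
    let mut out = Vec::with_capacity(trimmed.len() + 1);
    // INTEGER is two's complement: a set top bit would read as negative,
    // so a positive value gets a 0x00 sign octet in front.
    if trimmed[0] & 0x80 != 0 {
        out.push(0x00);
    }
    out.extend_from_slice(trimmed);
    out
}

/// Returns the encoded length, or an error if the serial exceeds the RFC 5280 size limit.
fn check_serial(magnitude: &[u8]) -> Result<usize, String> {
    let len = der_integer_content(magnitude).len();
    if len > MAX_SERIAL_OCTETS {
        Err(format!("serial encodes to {} octets, limit is {}", len, MAX_SERIAL_OCTETS))
    } else {
        Ok(len)
    }
}

/// Hypothetical mitigation: clear the top bit so 20 random bytes never need a sign octet.
fn clamp_serial(mut raw: [u8; 20]) -> [u8; 20] {
    raw[0] &= 0x7f;
    raw
}

fn main() {
    // Constructed sample serials, not taken from any real certificate.
    let high_bit = [0xffu8; 20];
    let low_bit = [0x7fu8; 20];
    println!("{:?}", check_serial(&high_bit));
    println!("{:?}", check_serial(&low_bit));
    println!("{:?}", check_serial(&clamp_serial(high_bit)));
}
```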

Release 0.12.0 - December 16, 2023

  • Rename RcgenError to Error. Contributed by thomaseizinger.
  • The public interface of Error no longer exposes external library types: Error::PemError now holds a String value, and the Error type doesn't support From<_> based conversion any more. This allows rcgen to update dependencies without impacting downstream users.
  • Upgrade to ring v0.17. Contributed by thomaseizinger.
  • Make dependency on ring optional and allow usage of aws-lc-rs via a cargo feature. Ring remains the default. Contributed by BiagioFesta.
  • Add Ia5String support for DistinguishedNames.
  • Add a KeyIdMethod::PreSpecified variant to set, and not generate the SKI. CertificateParams::from_ca_cert_pem now uses it when building params from an existing CA certificate. Contributed by Brocar.

Release 0.11.3 - October 1, 2023

  • Fix for import errors building without the optional pem feature.

Release 0.11.2 - September 21, 2023

  • rcgen has joined the umbrella of the rustls organization.
  • Support for retrieving signature algorithm from KeyPairs. Contributed by tindzk.
  • Fix for writing certificate signing requests (CSRs) with custom extensions from parameters without subject alternative names.
  • Support for certificate CRL distribution points extension.
  • Corrected OID for ExtendedKeyUsagePurpose::Any. Contributed by jgallagher.
  • Support for creating certificate revocation lists (CRLs).

Release 0.11.1 - June 17, 2023

  • Make botan a dev-dependency again. Contributed by mbrubeck.

Release 0.11.0 - June 15, 2023

  • Parse IP-address subject alternative names. Contributed by iamjpotts.
  • Emit platform-appropriate line endings. Contributed by frjonsen.
  • Support larger serial numbers. Contributed by andrenth.
  • Parse more certificate parameters. Contributed by andrenth.
  • Output SanType::IpAddress when calling CertificateParams::new or generate_simple_self_signed. Contributed by rukai.
  • Update pem to 2.0. Contributed by koushiro.

Release 0.10.0 - September 29, 2022

  • Update x509-parser to 0.14.
  • Increase minimum supported Rust version to 1.58.1.
  • Update edition to 2021.
  • Change IsCa enum to have NoCa and ExplicitNoCa and Ca(...). Contributed by doraneko94.

Release 0.9.4 - September 28, 2022

  • yanked due to breaking API changes, see 0.10.0 instead.

Release 0.9.3 - July 16, 2022

  • Add a KeyPair::serialized_der function. Contributed by jean-airoldie.

Release 0.9.2 - February 21, 2022

  • Update x509-parser to 0.13. Contributed by matze.

Release 0.9.1 - February 9, 2022

  • Change edition to 2018 in order to support Rust 1.53.0.

Release 0.9.0 - February 2, 2022

  • Add RemoteKeyError for usage by remote keys.
  • Support non utf8 strings. Contributed by omjadas.
  • Switch from chrono to time. Contributed by connec.
  • Update edition to 2021.

Release 0.8.14 - October 14, 2021

  • Update pem to 1.0.
  • Update x509-parser to 0.12.

Release 0.8.13 - August 22, 2021

  • Bugfix release to make Certificate Send and Sync again.

Release 0.8.12 - August 22, 2021

  • Use public key as default serial number. Contributed by jpastuszek.
  • Add support for PKCS_RSA_SHA512 and PKCS_RSA_SHA384 signature algorithms.
  • Add support for the keyUsage extension. Contributed by jaredwolff.
  • Ability to use remote keys. Contributed by daxpedda.

Release 0.8.11 - April 28, 2021

  • Add getters for the criticality, content, and oid_components of a CustomExtension
  • Update yasna to 0.4

Release 0.8.10 - April 15, 2021

  • Implement some additional traits for some of the types. Contributed by zurborg.
  • Adoption of intra-doc-links
  • Addition of the ability to zero key pairs. Contributed by didier-wenzek.

Release 0.8.9 - December 4, 2020

  • Switch CI to GitHub Actions.
  • Strip nanos from DateTime as well. Contributed by @trevor-crypto.

Release 0.8.7 - December 1, 2020

  • Turn botan back into a dev-dependency. Contributed by @nthuemmel.
  • Fix signing when CA uses different signing algorithm. Contributed by @nthuemmel.

Release 0.8.6 - December 1, 2020

  • Add KeyPair::from_der
  • Add botan based test to the testsuite
  • Update x509-parser to 0.9. Contributed by @djc.
  • Ability to create certificates from CSRs. Contributed by @djc.

Release 0.8.5 - June 29, 2020

  • Add some more DnTypes: OrganizationalUnitName, LocalityName, StateOrProvinceName
  • Add remove function to DistinguishedName
  • Add ability to specify NameConstraints

Release 0.8.4 - June 5, 2020

  • Improve spec compliance in the notBefore/notAfter fields generated by using UTCTime if needed

Release 0.8.3 - May 24, 2020

  • Fix regression of 0.8.1 that generated non-standards-compliant CSRs and broke Go toolchain parsers. Contributed by @thomastaylor312.

Release 0.8.2 - May 18, 2020

  • Disable chrono default features to get rid of time crate
  • Improve openssl tests to do a full handshake with the generated cert

Release 0.8.1 - April 2, 2020

  • Fix non-standard-compliant SubjectKeyIdentifier X.509v3 extension format
  • BasicConstraints X.509v3 extension is now marked as critical
  • Use RFC 7093 to calculate subject key identifiers
  • Add option to insert AuthorityKeyIdentifier X.509v3 extension into non-self-signed certificates
  • Update to x509-parser 0.7

Release 0.8.0 - March 12, 2020

  • Update to pem 0.7
  • Correct number of nanoseconds per second. Contributed by @samlich.
  • Adoption of the non_exhaustive feature in the API

Release 0.7.0 - September 14, 2019

  • Bugfix release for ip address subject alternative names. Turns out they aren't CIDR subnets after all :)

Release 0.6.0 - September 12, 2019

  • Support for email and cidr subnet (ip address) subject alternative names
  • Support for the extended key usage extension

Release 0.5.1 - August 19, 2019

  • Update to x509-parser 0.6

Release 0.5.0 - July 19, 2019

  • Update to ring 0.16 and webpki 0.21
  • Update to x509-parser 0.5
  • Expose an API to get the raw public key of a key pair

Release 0.4.1 - June 28, 2019

  • Allow inspection of DistinguishedName via iterators and get functions
  • Fix a bug in is_compatible not saying false. Contributed by @fzgregor.
  • Extend the public interface of KeyPair. Contributed by @fzgregor.

Release 0.4.0 - June 18, 2019

  • Support for user supplied keypairs. Contributed by @fzgregor.
  • Support for signing with user supplied CA certificates. Contributed by @fzgregor.
  • Correct a bug with distinguished name serialization (PR link). Contributed by @fzgregor.
  • Addition of limited (no key generation) RSA support
  • Proper error handling with Result and our own Error type
  • Improvements of the testsuite

Release 0.3.1 - June 6, 2019

  • Ability to disable the dependency on the pem crate
  • Support for creating CSRs (Certificate Signing Requests). Contributed by @djc.
  • Ability to specify custom extensions for certificates
  • Ability to craft acmeIdentifier extensions
  • Update yasna to 0.3.0

Release 0.3.0 - May 18, 2019

  • Support for CA certificate generation. Contributed by @djc.
  • Support for certificate signing. Contributed by @djc.
  • Support for ED25519 certificates
  • Support for SHA-384 certificates
  • API cleanups (Future proofing CertificateParams, public constant renames)

Release 0.2.1 - April 26, 2019

  • Updated to pem 0.6

Release 0.2 - January 10, 2019

  • Updated to ring 0.14.0

Release 0.1 - January 7, 2019

Initial release. Ability to generate self-signed ECDSA keys.