What's Changed

• Move verify_signed_data() to SignedData::verify() by @djc in #397
• Correct OidDecoder output; test signature algorithm IDs by @ctz in #401
• impl Hash for revocation types by @ctz in #406
• Refactoring of parsing/matching extension identifiers by @ctz in #407
• Add valid_uri_names() method to Cert by @alex in #404
• Prepare 0.104.0-alpha.2 by @ctz in #409

Full Changelog: v/0.104.0-alpha.1...v/0.104.0-alpha.2

What's Changed

• backport valid_uri_names (#404) to rel-0.103 by @alex in #408

Full Changelog: v/0.103.7...v/0.103.8

What's Changed

• 0.104.0: Take MSRV of 1.83 by @ctz in #388
• Remove deprecated Error variants by @djc in #391
• ci: use cargo-deny-action directly by @djc in #393
• Simplify/clarify extended key usage validation API by @djc in #392
• Change version to 0.104.0-alpha.1 for now by @djc in #394

• New feature: Add KeyPurposeId::to_decoded_oid() to help external ExtendedKeyUsageValidators fill RequiredEkuNotFoundContext::present.

What's Changed

• Warn on unnameable types by @djc in #387
• Expose KeyPurposeId::to_decoded_oid() by @djc in #385
• Fix --cfg docsrs uses by @ctz in #390

Full Changelog: v/0.103.6...v/0.103.7

The extensible EKU validation released as part of 0.103.5 was actually not usable due to missing type exports, and contained a regression where empty ExtendedKeyUsage extensions would not trigger an error. Both issues are fixed in this release.

What's Changed

• Export more types to enable ExtendedKeyUsageValidator implementations by @djc in #381
• Error on empty EKU extensions by @djc in #382

• New feature: support verification of P256+SHA512 and P384-SHA512 ECDSA signatures with aws-lc-rs. This is not a recommended combination, but such signatures exist in the wild.

What's Changed

• Leverage extended API from rcgen 0.14.2 by @djc in #366
• Update semver-compatible dependencies by @djc in #369
• ci: take updated nightly for cargo-check-external-types by @cpu in #370
• build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #371
• build(deps): bump serde_json from 1.0.142 to 1.0.143 in the crates-io group by @dependabot[bot] in #374
• Clarify docs on Cert methods by @ctz in #375
• Extract trait for ExtendedKeyUsage validation by @djc in #376
• build(deps): bump actions/setup-python from 5 to 6 by @dependabot[bot] in #378
• 0.103.5: support P256+SHA512 and P384+SHA512 by @ctz in #379

Full Changelog: v/0.103.4...v/0.103.5

• Add unstable support for the post-quantum ML-DSA signature algorithms when using aws-lc-rs. Enable the aws-lc-rs-unstable feature to expose these algorithms (only works when aws-lc-rs-fips is not enabled).
• Use new UnsupportedSignatureAlgorithmContext, UnsupportedCrlSignatureAlgorithmContext, UnsupportedSignatureAlgorithmForPublicKeyContext and UnsupportedCrlSignatureAlgorithmForPublicKeyContext error variants which contain additional context about the error condition. The related contextless variants have been deprecated.

What's Changed

• Do not include bettertls README file in published crates by @decathorpe in #351
• deps: Update aws-lc-rs in lockfile by @ognevny in #355
• Inline signature verifications test macros by @djc in #358
• ci: test more feature flag combinations by @djc in #359
• Add unstable support for ML-DSA signature algorithms by @djc in #348
• Add context to signature-related errors by @djc in #357
• Upgrade to rcgen 0.14 by @djc in #363
• Declare ML-DSA as not FIPS approved in the API by @ctz in #364
• Bump version to 0.103.4 by @djc in #361

Add support for RSA signature algorithms that don't include parameters. Per RFC 4055 section 5, implementations of the SHA-1/SHA-2 one-way hash functions "MUST accept the parameters being absent as well as present".

What's Changed

• Support RSA PKCS#1 signatures with absent parameters by @ctz in #346

• Maintain context for key usage mismatch errors in order to make them easier to interpret.
• Accept certificates with an empty extension sequence.

What's Changed

• Fix CI build failures, tidy cargo-deny config by @cpu in #339
• Update semver-compatible dependencies by @djc in #341
• Remove tests from package that is published by @SwishSwushPow in #340
• Allow x509v3 empty extensions (redux) by @ctz in #342
• tests: use rcgen for client_auth tests by @djc in #343
• tests: remove test certs for client_auth tests by @djc in #344
• Maintain context for key usage mismatch errors by @djc in #337
• Refine CI workflow triggers by @djc in #345

Release Notes

• Avoids a possible type inference error when building in projects that also use jhpratt/deranged.

What's Changed

• Add new test case to integration tests by @dwhjames in #324
• Cargo: ring 0.17.8 -> 0.17.13 by @cpu in #329
• avoid inference hazard usize comparison by @cpu in #334

New Contributors

• @dwhjames made their first contribution in #324

Full Changelog: v/0.103.0...v/0.103.1