• Add unstable support for the post-quantum ML-DSA signature algorithms when using aws-lc-rs. Enable the aws-lc-rs-unstable feature to expose these algorithms (only works when aws-lc-rs-fips is not enabled).
• Use new UnsupportedSignatureAlgorithmContext, UnsupportedCrlSignatureAlgorithmContext, UnsupportedSignatureAlgorithmForPublicKeyContext and UnsupportedCrlSignatureAlgorithmForPublicKeyContext error variants which contain additional context about the error condition. The related contextless variants have been deprecated.

What's Changed

• Do not include bettertls README file in published crates by @decathorpe in #351
• deps: Update aws-lc-rs in lockfile by @ognevny in #355
• Inline signature verifications test macros by @djc in #358
• ci: test more feature flag combinations by @djc in #359
• Add unstable support for ML-DSA signature algorithms by @djc in #348
• Add context to signature-related errors by @djc in #357
• Upgrade to rcgen 0.14 by @djc in #363
• Declare ML-DSA as not FIPS approved in the API by @ctz in #364
• Bump version to 0.103.4 by @djc in #361

Add support for RSA signature algorithms that don't include parameters. Per RFC 4055 section 5, implementations of the SHA-1/SHA-2 one-way hash functions "MUST accept the parameters being absent as well as present".

What's Changed

• Support RSA PKCS#1 signatures with absent parameters by @ctz in #346

• Maintain context for key usage mismatch errors in order to make them easier to interpret.
• Accept certificates with an empty extension sequence.

What's Changed

• Fix CI build failures, tidy cargo-deny config by @cpu in #339
• Update semver-compatible dependencies by @djc in #341
• Remove tests from package that is published by @SwishSwushPow in #340
• Allow x509v3 empty extensions (redux) by @ctz in #342
• tests: use rcgen for client_auth tests by @djc in #343
• tests: remove test certs for client_auth tests by @djc in #344
• Maintain context for key usage mismatch errors by @djc in #337
• Refine CI workflow triggers by @djc in #345

Release Notes

• Avoids a possible type inference error when building in projects that also use jhpratt/deranged.

What's Changed

• Add new test case to integration tests by @dwhjames in #324
• Cargo: ring 0.17.8 -> 0.17.13 by @cpu in #329
• avoid inference hazard usize comparison by @cpu in #334

New Contributors

• @dwhjames made their first contribution in #324

Full Changelog: v/0.103.0...v/0.103.1

• Breaking change: add context to name validation errors. This adds a value to the CertNotValidForName error variant.
• Breaking change: stop Error being Copy -- the above change required this, as it started to have an allocated field.
• Breaking change: add context to time-based errors. This adds fields to the CertNotValidYet, CertExpired, and CrlExpired error variants.
• Breaking change: use algorithm identifiers from rustls-pki-types. This removes the alg_id module from this crate's public interface.
• Breaking change: remove reexport of rustls-pki-types.
• Breaking change: remove provider features from default feature set, and rename aws_lc_rs feature to aws-lc-rs.

What's Changed

• build(deps): bump the crates-io group with 2 updates by @dependabot in #285
• Update semver-compatible dependencies by @djc in #288
• build(deps): bump serde_json from 1.0.128 to 1.0.132 in the crates-io group by @dependabot in #289
• build(deps): bump serde from 1.0.210 to 1.0.214 in the crates-io group by @dependabot in #290
• aws-lc-rs prebuilt-nasm, update cargo check external types nightly version by @cpu in #291
• build(deps): bump codecov/codecov-action from 4 to 5 by @dependabot in #292
• Update dependencies & bump MSRV to 1.71 by @djc in #294
• proj: fix clippy 1.83 findings by @cpu in #296
• Update semver-compatible dependencies by @ctz in #298
• ci: use persist-credentials: false in testgen.yml by @cpu in #299
• build(deps): bump cryptography from 42.0.4 to 44.0.0 by @dependabot in #303
• Update dependencies by @djc in #306
• build(deps): bump serde from 1.0.216 to 1.0.217 in the crates-io group by @dependabot in #309
• add aws-lc-rs-fips feature, adjust sys dep by @cpu in #308
• build(deps): bump serde_json from 1.0.134 to 1.0.135 in the crates-io group by @dependabot in #310
• Add context in name validation errors by @djc in #301
• Simplify NameIterator by @djc in #311
• Remove providers from default features by @ctz in #302
• Use AlgorithmIdentifier values from rustls-pki-types by @ctz in #304
• Remove re-export of rustls-pki-types by @ctz in #313
• Add details to time-based errors by @ctz in #315
• build(deps): bump seanmiddleditch/gha-setup-ninja from 5 to 6 by @dependabot in #317
• rustfmt: style_edition 2024 by @ctz in #323
• build(deps): bump cryptography from 44.0.0 to 44.0.1 by @dependabot in #326
• Run all tests in CI by @ctz in #325

Full Changelog: v/0.102.8...v/0.103.0

Release notes

• Support for aws-lc-rs 1.9 added. This release adds supports for compressed EC public keys, when used with aws-lc-rs.

What's Changed

• Take aws-lc-rs 1.9 by @ctz in #284

Full Changelog: v/0.102.7...v/0.102.8

• Initial support for RFC 7250 "Raw public keys". A new RawPublicKeyEntity type has been added, offering a verify_signature() fn for verifying the signature over a given message using a raw public key produced from a pki_types::SubjectPublicKeyInfoDer instance.
• Relaxed CRL requirements for certificates with CRL distribution point extensions. Previously the revocation checking logic only considered a CRL authoritative for a certificate when it had a CRL distribution point extension if the CRL also had an issuing distribution point extension that matched. This has now been relaxed to consider a CRL without any issuing distribution point extension as authoritative for certificates with a matching issuer.

What's Changed

• build(deps): bump serde_json from 1.0.120 to 1.0.121 in the crates-io group by @dependabot in #274
• Update deny config by @djc in #277
• crl: CRL w/o IDP ext auth. for cert w/ DP by @cpu in #276
• build(deps): bump serde_json from 1.0.121 to 1.0.122 in the crates-io group by @dependabot in #278
• API for allowing signature validation given a SPKI/RPK by @holodorum in #275
• build(deps): bump the crates-io group with 2 updates by @dependabot in #279
• build(deps): bump the crates-io group with 2 updates by @dependabot in #280
• build(deps): bump the crates-io group with 2 updates by @dependabot in #283

New Contributors

• @holodorum made their first contribution in #275

Full Changelog: v/0.102.6...v/0.102.7

• Add support for P-521 curve with SHA-256/SHA-384 digests

What's Changed

• types: avoid markdown footnotes by @cpu in #268
• build(deps): bump serde from 1.0.203 to 1.0.204 in the crates-io group by @dependabot in #269
• Update EndEntityCert documentation by @djc in #271
• Add support for P-521 curve with SHA-256/SHA-384 digests by @samin-cf in #272

New Contributors

• @samin-cf made their first contribution in #272

Full Changelog: v/0.102.5...v/0.102.6

Notable changes

• EndEntityCert::subject_public_key_info() as added in 0.102.4 neglected to specify the return type's lifetime, limiting the visible lifetime to the lifetime of the EndEntityCert. The actual lifetime was 'static; we've made this explicit and enabled warnings for elided_lifetimes_in_paths to avoid similar issues in the future.

What's changed

• build(deps): bump the crates-io group with 2 updates by @dependabot in #257
• ci: update cargo-check-external-types toolchain by @cpu in #258
• build(deps): bump seanmiddleditch/gha-setup-ninja from 4 to 5 by @dependabot in #260
• build(deps): bump aws-lc-rs from 1.7.2 to 1.7.3 in the crates-io group by @dependabot in #261
• Enable some more warnings on lints by @djc in #262
• lib: warn for clippy::use_self by @cpu in #263
• build(deps): bump the crates-io group with 2 updates by @dependabot in #265
• Prepare 0.102.5 release by @djc in #266

• RevocationOptionsBuilder now offers a with_expiration_policy() fn for setting an ExpirationPolicy that will be used to determine how to handle CRLs that have a NextUpdate value in the past. The default behaviour is to ignore the NextUpdate. Users wishing to use a stricter policy can do so by specifying ExpirationPolicy::Enforce. Revocation checking against an expired CRL will then produce an Error::CrlExpired error.
• EndEntityCert now offers a subject_public_key_info() fn for accessing the RFC 5280 pki_types::SubjectPublicKeyInfoDer.

What's Changed

• build(deps): bump serde from 1.0.198 to 1.0.199 in the crates-io group by @dependabot in #250
• benches: ignore clippy::incompatible_msrv by @cpu in #251
• build(deps): bump the crates-io group with 3 updates by @dependabot in #252
• Add SubjectPublicKeyInfo methods for cert::Cert by @lvkv in #253
• build(deps): bump the crates-io group across 1 directory with 2 updates by @dependabot in #255
• Add support for enforcing CRL expiration using nextUpdate field by @jasperpatterson in #227
• Cargo: v0.102.3 -> v0.102.4 by @cpu in #256

New Contributors

• @lvkv made their first contribution in #253

Full Changelog: v/0.102.3...v/0.102.4