x509-parser 0.16.0

Parser for the X.509 v3 format (RFC 5280 certificates)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376

# ChangeLog

## [Unreleased][unreleased]

### Added/Changed/Fixed

### Thanks

## 0.16.0

### Added/Changed/Fixed

Global:
- Updated `*ring*` to 0.17.7 (#148)
- Updated `time` to 0.3.20 (#148)
- Updated asn1-rs to 0.6, der-parser and oid-registry
- Set MSRV to 1.63 (due to `time`/`ring`) (#148)

Code:
- Added support for parsing CRL `IssuingDistributionPoint` extensions (#146)
- Fixed lifetime signature on `TbsCertificate::subject_alt_names` function (#151)
- Fixed parsing of certificate `UniqueIdentifier` fields to use implicit tagging
  instead of explicit (#145)
- Fixed `clippy::manual_try_fold` findings (#147)

### Thanks

- aggstam, Biagio Festa, Daniel McCarney

## 0.15.1

### Added/Changed/Fixed

- Attribute: fix parsing of BmpString string type to use UTF-16 (Closes #143)
- `revocation_list`: use correct OID for CRL number.
- Fix receiver lifetimes in `AttributeTypeAndValue`

### Thanks

- Sergio Benitez, Daniel McCarney, Lily Ballard

## 0.15.0

### Added/Changed/Fixed

Global:
- Use SPDX license format (#137)
- Set MSRV to 1.57 (due to `ring`/`once_cell`)
- Switch base64 decoding to `data-encoding` crate (#136)

Code:
- Add `verify` feature to verify a certificate revocation list by a public key
- Fixed CriAttributes parser (#131)
- Refactor code for parsing X509Version
- Add verify signature method to revocation list (#130)
- Add support for parsing challenge password attribute in CSR's (#129)
- Add support for multi-word PEM labels (C#135)

Docs:
- Fix broken FromDer trait link in README

### Thanks

- Bernd Krietenstein, Florian Zipperle, Jean-Baptiste Trystram, Daniel McCarney,
  Jeff Hiner, Campbell He, Sebastian Dröge

## 0.14.0

### Added/Changed

- Add support for parsing signature parameters and value (closes #94)

- Change `ASN1Time::to_rfc2822()` to return a Result
- ASN1Time: modify `from_timestamp` to return a Result
- ASN1Time: implement Display
- Upgrade versions of asn1-rs, oid-registry and der-parser
- AlgorithmIdentifier: add const methods to create object/access fields
- Globally: start using `asn1-rs` types, simplify parsers:
  - AlgorithmIdentifier: automatically derive struct, use type ANY
  - Merge old FromDer trait into `asn1_rs::FromDer` (using X509Error)
  - Replace BitStringObject with BitString
  - AttributeTypeAndValue: use Any instead of DerObject
  - Extensions: replace UnparsedObject with Any
  - X509Error: add methods to simplify conversions
  - CRI Attributes: rewrite and simplify parsers
  - Simplify parsers for multiple types and extensions

### Fixed

- Fix ECDSA signature verification when CA and certificate use different curves

### Thanks

## 0.13.2

### Fixed

- Fix panic in ASN1Time::to_rfc2822() when year is less than 1900

## 0.13.1

### Fixed

- Fix regression with certificate verification for ECDSA signatures using the P-256 curve and SHA-384 (#118)
- Set minimum version of `time` to 0.3.7 (#119)
- Allow empty SEQUENCE when OPTIONAL, for ex in CRL extensions (#120)

### Thanks

- @SergioBenitez, @flavio, @acarlson0000

## 0.13.0

### Added/Changed/Fixed

Crate:
- Update to der-parser 7.0 and asn1-rs
- Remove chrono (#111)
- Set MSRV to 1.53

Validators:
- Add `Deref<Target=TbsCertificate>` trait to `X509Certificate`
- Add `Validator` trait and deprecate `Validate`
  * The previous validation is implemented in `X509StructureValidator`
  * Split some checks (not on structure) to `X509CertificateValidator`

Extensions:
- add support for nsComment
- add support for IssuerAltName
- start adding support for CT Signed Certificate Timestamp (rfc6962)
- raise error if a SAN entry cannot be parsed
- deprecate `TbsCertificate::find_extension()` and add preferred method `TbsCertificate::get_extension_unique()`:
  the latter checks for duplicate extensions (#113)

Signatures:
- Fix signature verification for EC curves (#116)

Public Keys:
- Add base functions for parsing public keys (RSA, DSA, GOST)

### Thanks

- @lilyball, @g2p

## 0.12.0

### Added/Changed/Fixed

- Upgrade to nom 7

## 0.11.0

### Added

- Add SubjectPublicKeyInfo::raw field

### Changed/Fixed

- Fix der-parser dependency (#102)
- Update oid-registry dependency (#77)
- Set MSRV to 1.46 (indirect dependency on lexical-core and bitvec)
- Extend the lifetimes exposed on TbsCertificate (#104)
- Add missing test assets (#103)

### Thanks

- @jgalenson, @g2p, @kpp

## 0.10.0

### Added

- Add the `Validate` trait to run post-parsing validations of X.509 structure
- Add the `FromDer` trait to unify parsing methods and visibility (#85)
- Add method to format X509Name using a given registry
- Add `X509Certificate::public_key()` method
- Add ED25519 as a signature algorithm (#95)
- Add support for extensions (#86):
  - CRL Distribution Points
- Add `X509CertificateParser` builder to allow specifying parsing options

### Changed/Fixed

- Extensions are now stored in order of appearance in the certificate/CRL (#80)
  - `.extensions` field is not public anymore, but methods `.extensions()` and `.extensions_map()`
    have been added
- Store CRI attributes in order
- Fix parsing of CertificatePolicies, and use named types (closes #82)
- Allow specifying registry in oid2sn and similar functions (closes #88)
- Mark X509Extension::new as const fn + inline
- Allow leading zeroes in serial number
- Derive `Clone` for all types (when possible) (#89)
- Fix certificate validity period check to be inclusive (#90)
- Do not fail GeneralName parsing for x400Address and ediPartyName, read it as unparsed objects (#87)
- Change visibility of fields in `X509Name` (replaced by accessors)

### Thanks

- @lilyball for numerous issues, ideas and comments
- @SergioBenitez for lifetimes fixes (#93) and validity period check fixes (#90)
- @rappet for Ed25519 signature verification support (#95)
- @xonatius for the work on CRLDistributionPoints (#96, #98)

## 0.9.3

### Added/Changed/Fixed

- Add functions oid2description() and oid_registry() (closes #79)
- Fix typo 'ocsp_signing' (closes #84)
- Extension: use specific variant if unsupported or failed to parse (closes #83)
- Relax constrains on parsing to accept certificates that do not strictly respect
  DER encoding, but are widely accepted by other X.509 libraries:
  - SubjectAltName: accept non-ia5string characters
  - Extensions: accept boolean values not enoded as `00` or `ff`
  - Serial: build BigUint from raw bytes (do not check sign)

## 0.9.2

### Added/Changed/Fixed

- Remove der-oid-macro from dependencies, not used directly
- Use der_parser::num_bigint, remove it from direct dependencies
- Add methods to iterate all blocks from a PEM file (#75)
- Update MSRV to 1.45.0

## 0.9.1

### Added/Changed/Fixed

- Fix: X509Name::iter_state_or_province OID value
- Re-export oid-registry, and add doc to show how to access OID

### Thanks

- @0xazure for fixing X509Name::iter_state_or_province

## 0.9.0

### Added/Changed/Fixed

- Upgrade to `nom` 6.0
- Upgrade to `der-parser` 5.0
- Upgrade MSRV to 1.44.0
- Re-export crates so crate users do not have to import them

- Add function parse_x509_pem and deprecate pem_to_der (#53)
- Add helper methods to X509Name and simplify accessing values
- Add support for ReasonCode extension
- Add support for InvalidityDate extension
- Add support for CRL Number extension
- Add support for Certificate Signing Request (#58)

- Change type of X509Version (now directly using the u32 value)
- X509Name: relax check, allow some non-rfc compliant strings (#50)
- Relax some constraints for invalid dates
- CRL: extract raw serial, and add methods to access it
- CRL: add method to iterate revoked certificates
- RevokedCertificate: convert extensions list to hashmap

- Refactor crate modules and visibility
- Rename top-level functions to `parse_x509_certificate` and parse_x509_crl`

- Refactor error handling, return meaningful errors when possible
- Make many more functions public (parse_tbs_certificate, etc.)

### Thanks

- Dirkjan Ochtman (@djc): support for Certificate Signing Request (CSR), code refactoring, etc.

## 0.8.0

### Added/Changed

- Upgrade to `der-parser` 4.0
- Move from `time` to `chrono`
  - `time 0.1 is very old, and time 0.2 broke compatibility and cannot parse timezones
  - Add public type `ASN1Time` object to abstract implementation
  - *this breaks API for direct access to `not_before`, `not_after` etc.*
- Fix clippy warnings
  - `nid2obj` argument is now passed by copy, not reference
- Add method to get a formatted string of the certificate serial number
- Add method to get decoded version
- Add convenience methods to access the most common fields (subject, issuer, etc.)
- Expose the raw DER of an X509Name
- Make `parse_x509_name` public, for parsing distinguished names
- Make OID objects public
- Implement parsing for some extensions
  - Support for extensions is not complete, support for more types will be added later
- Add example to decode and print certificates
- Add `verify` feature to verify cryptographic signature by a public key

### Fixed

- Fix parsing of types not representable by string in X509Name (#36)
- Fix parsing of certificates with empty subject (#37)

### Thanks

- @jannschu, @g2p for the extensions parsing
- @wayofthepie for the tests and contributions
- @nicholasbishop for contributions

## 0.7.0

- Expose raw bytes of the certificate serial number
- Set edition to 2018

## 0.6.4

- Fix infinite loop when certificate has no END mark

## 0.6.3

- Fix infinite loop when reading non-pem data (#28)

## 0.6.2

- Remove debug code left in `Pem::read`

## 0.6.1

- Add CRL parser
- Expose CRL tbs bytes
- PEM: ignore lines before BEGIN label (#21)
- Fix parsing default values for TbsCertificate version field (#24)
- Use BerResult from der-parser for simpler function signatures
- Expose tbsCertificate bytes
- Upgrade dependencies (base64)

## 0.6.0

- Update to der-parser 3.0 and nom 5
- Breaks API, cleaner error types

## 0.5.1

- Add `time_to_expiration` to `Validity` object
- Add method to read a `Pem` object from `BufRead + Seek`
- Add method to `Pem` to decode and extract certificate

## 0.5.0

- Update to der-parser 2.0

## 0.4.3

- Make `parse_subject_public_key_info` public
- Add function `sn2oid` (get an OID by short name)

## 0.4.2

- Support GeneralizedTime conversion

## 0.4.1

- Fix case where certificate has no extensions

## 0.4.0

- Upgrade to der-parser 1.1, and Use num-bigint over num
- Rename x509_parser to parse_x509_der
- Do not export subparsers
- Improve documentation

## 0.3.0

- Upgrade to nom 4

## 0.2.0

- Rewrite X.509 structures and parsing code to work in one pass
  **Warning: this is a breaking change**
- Add support for PEM-encoded certificates
- Add some documentation