0.16.1

CHANGES:

• Support ECDSA signatures where the hash algorithm output length exceeds the
  size of the elliptic curve (by truncating, and using the leftmost bits).
  Reported as #158 by @torinnd, fixed in #159 by @hannesm

0.16.0

CHANGES:

• Provide X509.Authenticator.of_string to construct an Authenticator.t from
  a string (@dinosaure #156, reviewed by @hannesm)
• Minor documentation fixes (#157 @hannesm)

0.15.2

CHANGES:

• Provide X509.Private_key.of_string (as used by awa and dns-certify). This
  takes a b64 encoded raw private key or a seed. (@reynir @hannesm #155)

0.15.1

CHANGES:

• avoid usae of deprecated functions of fmt (@hannesm)
• remove rresult dependency (@hannesm)

0.15.0

CHANGES:

• FEATURE support validation of an IP address in the leaf certificate
  (#152 #153 @reynir @hannesm)
• FEATURE provide Certificate.ips and Certificate.supports_ip
  (#152 @reynir @hannesm)
• BREAKING revise certificate and public key fingerprint authenticators API:
  now a single fingerprint is supported, previously a list of pairs of
  hostname and fingerprint was used (#153 @hannesm)
• BREAKING The Authenticator.t type has been extended with ?ip:Ipaddr.t
  (#153 @hannesm)

0.14.1

CHANGES:

• Use Cstruct.length instead of deprecated Cstruct.len, bump minimum cstruct
  to 6.0.0 (#151 by @hannesm)

v0.14.0

CHANGES:

• FEATURE support Online Certificate Status Protocol (OCSP, RFC 6960)
  (#148 @NightBlues, #149 @hannesm)

v0.13.0

CHANGES:

• FEATURE support for RFC 5915 "BEGIN EC PRIVATE KEY" pem encoded private keys
  (#147 @hannesm, requested by @ulrikstrid)
• BREAKING remove EC_pub _ from Public_key.t and EC _ from Certificate.key_type
  (#147 by @hannesm)
• BREAKING move Certificate.key_type to Key_type.t (#147 @hannesm)
• FEATURE some private key utilities (of_cstruct, generate, sign), and
  Public_key.verify (#report #146, fix #147 @hannesm)
• BREAKING rename hash_whitelist to allowed_hashes (#147 @hannesm)
• BREAKING provide Key_type.signature_scheme and use across the API
  (#147 @hannesm)

v0.12.1

CHANGES:

• FEATURE support for RFC 5915 "BEGIN EC PRIVATE KEY" pem encoded private keys
  (#147 @hannesm, requested by @ulrikstrid)
• BREAKING remove EC_pub _ from Public_key.t and EC _ from Certificate.key_type
  (#147 by @hannesm)
• BREAKING move Certificate.key_type to Key_type.t (#147 @hannesm)
• FEATURE some private key utilities (of_cstruct, generate, sign), and
  Public_key.verify (#report #146, fix #147 @hannesm)
• BREAKING rename hash_whitelist to allowed_hashes (#147 @hannesm)
• BREAKING provide Key_type.signature_scheme and use across the API
  (#147 @hannesm)

v0.12.0

CHANGES:

• FEATURE PKCS12 support (#114 by @hannesm)
• FEATURE ECDSA and EDDSA support via mirage-crypto-ec (#145 by @hannesm)
  This breaks some clients since the Private_key.t and Public_key.t variants
  are extended (may result in partial pattern matches of users of this library).
• CRL.is_revoked has crls as last parameter to avoid warning 16
  (4.12 compatibility) (#144 by @hannesm)
• Signing_request.sign: add optional labelled argument ~subject to allow
  changing the subject when signing a signing request (#139 by @reynir)
• BUGFIX Encoding of Distinguished_name components (adhere to specification)
  DomainComponent and EMail are now serialised using a IA5String; Serialnumber,
  CountryName and DnQualifier as PrintableString (reported in #69, fixed #140
  by @NightBlues)
• BREAKING Remove ~sloppy from Private_key.decode_{pem,der}. The seemingly
  bad RSA keys were valid and should have been accepted by mirage-crypto.
  (#142 by @psafont)