Releases: mirleft/ocaml-x509
Releases · mirleft/ocaml-x509
v0.11.2
CHANGES:
- Private_key.decode_{pem,der} now has a
~sloppyoption to recover from
bad keys (where e.g. the private exponent d is wrong).
(#135 by @hannesm, reported by @mattjbray in mirage/mirage-crypto#62)
v0.11.1
v0.11.0
CHANGES:
- BREAKING Validation.validate_raw_signature results in a
(unit, signature_error) resultand logs (Logs.warn) if a weak (non-SHA2)
hash algorithm was used. This function is used for verifying signatures
on certificates, signing requests, and certificate revocation lists. - The
`CAInvalidSelfSignatureconstructor (Validation.ca_error) and
`ChainInvalidSignatureconstructor (Validation.chain_validation_error)
have been removed. - BREAKING The polymorphic variant
Validation.chain_erroris now flat (the
tags`Chainand`Leafhave been removed) - BREAKING Adapted return type of CRL.validate and CRL.verify
- The pretty-printer Public_key.pp is now provided
- All implemented by @hannesm in #132 based on private conversation with @cfcs
(who kindly reviewed the changes)
v0.10.0
CHANGES:
- BREAKING #131 use mirage-crypto and mirage-crypto-pk instead of nocrypto
raise lower OCaml bound to 4.07.0, test 4.10.0 in CI - BREAKING #131 Certificate.Host_set is now Host.Set, and has pretty-printers
- BREAKING #131 Authenticator.null was removed (fixes #130, suggested by @emillon)
- BREAKING #131 Authenticator.t now requires (non-optional) ~host and ~time
arguments which may return an option. This allows to more easily spot the
cases where None is provided. Also, time is (unit -> Ptime.t option) instead
of Ptime.t -- thus the timestamp at the time of certificate verification is
used instead of the time of Authenticator construction. Similar changes in
Validation for verify_chain, verify_chain_of_trust, trust_key_fingerprint,
trust_cert_fingerprint.
fixes #130, suggested by @emillon
v0.9.0
CHANGES:
- BREAKING add a whitelist of hash algorithms used for signatures. The default
whitelist is the SHA-2 family (without SHA-224), Validation.valid_ca{,s} use
all algorithms as default
reported by @emillon in #123, fixed in #128 - BREAKING Certificate.hostnames and Signing_request.hostnames (new) return a
set of [Wildcard|Strict] * [`host] Domain_name.t (Certificate.Host_set.t)
reported by @mmaker in #88, fixed in #127 - BREAKING #127 Signing_request.sign returns a result type now, an error is
returned if the signing request was not properly signed - BREAKING #127 Validation.{verify_chain_of_trust, trust_key_fingerprint,
trust_cert_fingerptint} and the type Authenticator.t changed, no longer use
of a Certificate.host, but instead a [`host] Domain_name.t (previously, it was
a pair) - BUGFIX support AlgorithmIdentifier of RSA signature algorithms with parameter
not present
reported by @Ulrar in #108, fixed in #129 - BUGFIX #127 preserve a signed signing request (Country in a DN sometimes uses
a non-utf8 string encoding) - remove deprecation from Validation.trust_cert_fingerprint and
Authenticator.server_cert_fingerprint
requested by @mben-romdhane in #125, fixed in #126 - Certificate.signature_algorithm, CRL.signature_algorithm, and
Signing_request.signature_algorithm are now provided, returning a
([RSA|ECDSA] * Nocrypto.Hash.hash) option
requested by @psafont in #123, fixed in #128
v0.8.1
v0.8.0
CHANGES:
- export X509.Distinguished_name.common_name : t -> string option, which
extracts the common name of a distinguished name - Distinguished_name.t is now a Relative_distinguished_name.t list, a
Relative_distinguished_name is a Set.S with element type attribute, a variant.
It used to be an attribute (expressed as GADT) Gmap.t, but this representation
did not conform to RFC 5280, reported by @paurkedal (#117, fixed by #118) - Now using Set.find_first_opt, which bumps lower OCaml bound to 4.05.0
- Improved pretty-printing for DNs including RFC 4514 conformance (@paurkedal, #119).
- Extension.pp now outputs extension key and its value (#120)
- rename Distinguished_name.SP constructor (stateOrProvince) to ST, as widely used (#121)
- support Street and UID in Distinguished_name to satisfy RFC 4514 demands (#121)
v0.7.1
CHANGES:
- revert General_name.t (DNS and IP components) to string/Cstruct.t list
- NameConstraints uses DNSname with strings with leading dots (.example.com),
which are not valid RFC1034 domain names - NameConstraints uses IP with IP/netmask, i.e. using 8 octets for an IPv4
address - X509.Certificate.hostnames still return a Domain_name.Set.t
- reported by @reynir
- NameConstraints uses DNSname with strings with leading dots (.example.com),
- drop ipaddr dependency
0.7.0
CHANGES:
- major restructuring, it is unlikely any pre-0.7.0 users will work with 0.7.0+
- remove sexp de&encoders
- provide pretty-printers for validation errors (and types) instead of to_string functions
- use result type and Rresult instead of custom result types and control monad
- use a GADT map for certificate & csr extensions, distinguished names, general names (avoiding multiple extensions with the same OID, uses the gmap library)
- use domain-name library for hostname validation (instead of custom string matching)
- use ipaddr library for IPs in SubjectAlternativeName extension
- remove Encoding module, provide {en,de}code_{der,pem} in the respective modules (which decoders return (_, [> `Msg of string ]) result, no exceptions raised)
- fix DistributionPoint extension: the CRLissuer is a GeneralName, not a DistinguishedName
- remove Extension.reason_code (Extension.reason was there before, and is now used)
- remove bindings from toplevel, t is now Certificate.t, public_key is now Public_key.t
- use alcotest instead of oUnit
0.6.3
CHANGES:
- provide X509.Encoding.distinguished_name_of_cs -- similar to #87 which provided distinguished_name_to_cs
- provide X509.Encoding.{public_key_of_cstruct,public_key_to_cstruct}, as requested by @dinosaure
- support of cstruct 4.0.0, which split up the sexp de&encoders
- removes result dependency (now requires >= 4.04.2)
- upgrades opam file to version 2.0
- build system is now dune