Release x509 0.9.0 #15712
Merged
Release x509 0.9.0 #15712
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
CHANGES:
* BREAKING add a whitelist of hash algorithms used for signatures. The default
whitelist is the SHA-2 family (without SHA-224), Validation.valid_ca{,s} use
all algorithms as default
reported by @emillon in mirleft/ocaml-x509#123, fixed in mirleft/ocaml-x509#128
* BREAKING Certificate.hostnames and Signing_request.hostnames (new) return a
set of [`Wildcard|`Strict] * [`host] Domain_name.t (Certificate.Host_set.t)
reported by @mmaker in mirleft/ocaml-x509#88, fixed in mirleft/ocaml-x509#127
* BREAKING mirleft/ocaml-x509#127 Signing_request.sign returns a result type now, an error is
returned if the signing request was not properly signed
* BREAKING mirleft/ocaml-x509#127 Validation.{verify_chain_of_trust, trust_key_fingerprint,
trust_cert_fingerptint} and the type Authenticator.t changed, no longer use
of a Certificate.host, but instead a [`host] Domain_name.t (previously, it was
a pair)
* BUGFIX support AlgorithmIdentifier of RSA signature algorithms with parameter
not present
reported by @Ulrar in mirleft/ocaml-x509#108, fixed in mirleft/ocaml-x509#129
* BUGFIX mirleft/ocaml-x509#127 preserve a signed signing request (Country in a DN sometimes uses
a non-utf8 string encoding)
* remove deprecation from Validation.trust_cert_fingerprint and
Authenticator.server_cert_fingerprint
requested by @mben-romdhane in mirleft/ocaml-x509#125, fixed in mirleft/ocaml-x509#126
* Certificate.signature_algorithm, CRL.signature_algorithm, and
Signing_request.signature_algorithm are now provided, returning a
([`RSA|`ECDSA] * Nocrypto.Hash.hash) option
requested by @psafont in mirleft/ocaml-x509#123, fixed in mirleft/ocaml-x509#128
|
CI failures are about lwt 5.0.0 not being compatible with tls -- if lwt is enabled and tests as well -- the expression from my point of view, this PR is good to be merged. |
|
Sounds good indeed. Thanks a lot! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
CHANGES:
whitelist is the SHA-2 family (without SHA-224), Validation.valid_ca{,s} use
all algorithms as default
reported by @emillon in Certificate verification allows dangerous algorithms mirleft/ocaml-x509#123, fixed in hash algorithms used for signatures mirleft/ocaml-x509#128
set of
[`Wildcard|`Strict] * [`host] Domain_name.t (Certificate.Host_set.t)reported by @mmaker in to topkg mirleft/ocaml-x509#88, fixed in provide Signing_request.hostnames, revise validation to use a hostname (instead of a tuple) mirleft/ocaml-x509#127
returned if the signing request was not properly signed
trust_cert_fingerptint} and the type Authenticator.t changed, no longer use
of a Certificate.host, but instead a
[`host] Domain_name.t(previously, it wasa pair)
not present
reported by @Ulrar in Invalid_argument "X509: failed to parse certificate" when using X509.Encoding.Pem.Certificate.of_pem_cstruct1 mirleft/ocaml-x509#108, fixed in Algorithm: allow the parameter field of RSA Signature Algorithm to be not present mirleft/ocaml-x509#129
a non-utf8 string encoding)
Authenticator.server_cert_fingerprint
requested by @mben-romdhane in Why is Validation.trust_cert_fingerprint deprecated? mirleft/ocaml-x509#125, fixed in un-deprecate trust_cert_fingerprint and server_cert_fingerprint, both are valid approaches mirleft/ocaml-x509#126
Signing_request.signature_algorithm are now provided, returning a
([`RSA|`ECDSA] * Nocrypto.Hash.hash) optionrequested by @psafont in Certificate verification allows dangerous algorithms mirleft/ocaml-x509#123, fixed in hash algorithms used for signatures mirleft/ocaml-x509#128