Releases: rustls/webpki

0.104.0-alpha.3

22 Jan 13:40
@ctz

Pre-release

What's Changed

  • build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in #415
  • Skip over issuerUniqueID and subjectUniqueID by @ctz in #419
  • Align lints with rustls by @djc in #424
  • ci: sync cargo-check-external-types nightly by @cpu in #425
  • build(deps): bump taiki-e/cache-cargo-install-action from 2 to 3 by @dependabot[bot] in #430
  • tests: port tls_server_certs tests to Rust by @djc in #434
  • Tie lifetime of valid_dns_names/valid_uri_names to struct lifetime by @alex in #435
  • generate.py: reformat for black 2026.1.0 by @ctz in #438
  • tests: port signature tests to Rust by @djc in #440
  • tests: group signature tests by algorithm by @djc in #441
  • Start basic SCT support by @djc in #423

Full Changelog: v/0.104.0-alpha.2...v/0.104.0-alpha.3

0.103.9

16 Jan 16:34
@djc
v/0.103.9

What's Changed

  • [backport] ci: avoid denying warnings on nightly toolchains by @alex in #437
  • Backport lifetime change and bump version for release by @alex in #436

0.104.0-alpha.2

28 Oct 18:09
@ctz

What's Changed

  • Move verify_signed_data() to SignedData::verify() by @djc in #397
  • Correct OidDecoder output; test signature algorithm IDs by @ctz in #401
  • impl Hash for revocation types by @ctz in #406
  • Refactoring of parsing/matching extension identifiers by @ctz in #407
  • Add valid_uri_names() method to Cert by @alex in #404
  • Prepare 0.104.0-alpha.2 by @ctz in #409

Full Changelog: v/0.104.0-alpha.1...v/0.104.0-alpha.2

0.103.8

28 Oct 18:13
@ctz

What's Changed

Full Changelog: v/0.103.7...v/0.103.8

0.104.0-alpha.1

02 Oct 12:03
@djc
v/0.104.0-alpha.1

What's Changed

  • 0.104.0: Take MSRV of 1.83 by @ctz in #388
  • Remove deprecated Error variants by @djc in #391
  • ci: use cargo-deny-action directly by @djc in #393
  • Simplify/clarify extended key usage validation API by @djc in #392
  • Change version to 0.104.0-alpha.1 for now by @djc in #394

0.103.7

01 Oct 16:49
@ctz

  • New feature: Add KeyPurposeId::to_decoded_oid() to help external ExtendedKeyUsageValidators fill RequiredEkuNotFoundContext::present.

What's Changed

  • Warn on unnameable types by @djc in #387
  • Expose KeyPurposeId::to_decoded_oid() by @djc in #385
  • Fix --cfg docsrs uses by @ctz in #390

Full Changelog: v/0.103.6...v/0.103.7

0.103.6

15 Sep 13:31
@djc
v/0.103.6

The extensible EKU validation released as part of 0.103.5 was actually not usable due to missing type exports, and contained a regression where empty ExtendedKeyUsage extensions would not trigger an error. Both issues are fixed in this release.

What's Changed

  • Export more types to enable ExtendedKeyUsageValidator implementations by @djc in #381
  • Error on empty EKU extensions by @djc in #382

0.103.5

11 Sep 05:48
@ctz

  • New feature: support verification of P256+SHA512 and P384+SHA512 ECDSA signatures with aws-lc-rs. This is not a recommended combination, but such signatures exist in the wild.

What's Changed

  • Leverage extended API from rcgen 0.14.2 by @djc in #366
  • Update semver-compatible dependencies by @djc in #369
  • ci: take updated nightly for cargo-check-external-types by @cpu in #370
  • build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #371
  • build(deps): bump serde_json from 1.0.142 to 1.0.143 in the crates-io group by @dependabot[bot] in #374
  • Clarify docs on Cert methods by @ctz in #375
  • Extract trait for ExtendedKeyUsage validation by @djc in #376
  • build(deps): bump actions/setup-python from 5 to 6 by @dependabot[bot] in #378
  • 0.103.5: support P256+SHA512 and P384+SHA512 by @ctz in #379

Full Changelog: v/0.103.4...v/0.103.5

0.103.4

10 Jul 11:24
@djc
v/0.103.4

  • Add unstable support for the post-quantum ML-DSA signature algorithms when using aws-lc-rs. Enable the aws-lc-rs-unstable feature to expose these algorithms (only works when aws-lc-rs-fips is not enabled).
  • Use new UnsupportedSignatureAlgorithmContext, UnsupportedCrlSignatureAlgorithmContext, UnsupportedSignatureAlgorithmForPublicKeyContext and UnsupportedCrlSignatureAlgorithmForPublicKeyContext error variants which contain additional context about the error condition. The related contextless variants have been deprecated.

What's Changed

  • Do not include bettertls README file in published crates by @decathorpe in #351
  • deps: Update aws-lc-rs in lockfile by @ognevny in #355
  • Inline signature verifications test macros by @djc in #358
  • ci: test more feature flag combinations by @djc in #359
  • Add unstable support for ML-DSA signature algorithms by @djc in #348
  • Add context to signature-related errors by @djc in #357
  • Upgrade to rcgen 0.14 by @djc in #363
  • Declare ML-DSA as not FIPS approved in the API by @ctz in #364
  • Bump version to 0.103.4 by @djc in #361

0.103.3

09 May 15:16
@djc
v/0.103.3

Add support for RSA signature algorithms that don't include parameters. Per RFC 4055 section 5, implementations of the SHA-1/SHA-2 one-way hash functions "MUST accept the parameters being absent as well as present".

What's Changed

  • Support RSA PKCS#1 signatures with absent parameters by @ctz in #346