Update Rust crate rcgen to 0.14.3

[oxide-renovate]

This PR contains the following updates:

Package	Type	Update	Change
rcgen	workspace.dependencies	minor	0.12.1 -> 0.14.3

---

Release Notes

rustls/rcgen (rcgen)

v0.14.3: 0.14.3

Compare Source

What's Changed

• docs: fix typo in PKCS_RSA_SHA384 doc comment by @​Bravo555 in #​367
• Fix regression in key usage purpose encoding by @​djc in #​369

v0.14.2: 0.14.2

Compare Source

• Add a CertifiedIssuer type (see #​363)

What's changed

• Add a CertifiedIssuer by @​djc in #​363
• Provide a non-owning constructor for Issuer by @​p-avital in #​362
• Allow access to the CertifiedIssuer's Certificate by @​djc in #​364

v0.14.1: 0.14.1

Compare Source

Declare 1.71 rust-version and check MSRV in CI.

What's Changed

• Check MSRV in CI by @​djc in #​361

v0.14.0: 0.14.0

Compare Source

0.14.0 contains a number of potentially breaking API changes, though hopefully the rate of API change should slow down after this. Here is a summary of the most noticeable changes you might run into:

• signed_by() methods now take a reference to an &Issuer type that contains both the issuer's relevant certificate parameters and the signing key (see #​356). The from_ca_cert_der() and from_ca_cert_pem() constructors that were previously attached to CertificateParams are now attached to Issuer instead, removing a number of documented caveats.
• The RemoteKeyPair trait is now called SigningKey and instead of KeyPair being an enum that contains a Remote variant, that variant has been removed in favor of KeyPair implementing the trait (see #​328). To align with this change, the CertifiedKey::key_pair field is now called signing_key, and CertifiedKey is generic over the signing key type.
• The KeyPair::public_key_der() method has moved to PublicKeyData::subject_public_key_info() (see #​328).
• Output types like Certificate no longer contain their originating CertificateParams. Instead, signed_by() and self_signed() now take &self, allowing the caller to retain access to the input parameters (see #​328). In order to make this possible, Certificate::key_identifier() can now be accessed via CertificateParams directly.
• String types have been moved into a module (see #​329).

What's Changed

• Revert impl AsRef issuer by @​audunhalland in #​325
• Move string types to separate module by @​est31 in #​329
• Unbundle params from output types by @​djc in #​328
• Deduplicate Issuer construction by @​djc in #​332
• Extract write_extensions() method, reducing rightward drift by @​djc in #​333
• Update 0.12-to-0.13.md by @​Alirexaa in #​338
• Distribute methods for parsing params elements from x509 by @​djc in #​336
• Eagerly derive Clone, Copy, where possible by @​lvkv in #​341
• Updated .gitignore to be more specific by @​Rynibami in #​342
• Eagerly implemented Debug trait by @​Rynibami in #​343
• Minor tweaks to Debug impls and other style improvements by @​djc in #​348
• tests: only test against openssl on Unix by @​djc in #​350
• Eagerly implemented PartialEq and Eq traits by @​Rynibami in #​344
• Use Issuer directly in the public API by @​djc in #​356
• Tweak docstring for PublicKeyData::subject_public_key_info() by @​djc in #​358

v0.13.3: 0.13.3

Compare Source

This release was yanked due to #​324

What's Changed

• Update dependencies by @​djc in #​305
• Add link to GitHub releases by @​djc in #​304
• change signature of signed_by to accept &impl AsRef issuer by @​audunhalland in #​307
• Clarify CertificateParams::signed_by() docs by @​djc in #​308
• refactor: Generalize csr/crl signed_by to take &impl AsRef issuer by @​audunhalland in #​312
• Fix: mark SAN as critical when subject is empty by @​howardjohn in #​311
• Elide private key in KeyPair Debug impl by @​lvkv in #​314
• derive Debug for non-sensitive struct types by @​cpu in #​316
• update LICENSE by @​jasmyhigh in #​318
• Make Certificate cloneable (derive Clone) by @​MadLittleMods in #​319
• Update dependencies by @​djc in #​321

v0.13.2: 0.13.2

Compare Source

Several improvements to the capabilities available when working with certificate signing requests.

What's Changed

• Clarify internal data dependencies for signing APIs by @​djc in #​269
• error: feature-gate ExternalError by @​cpu in #​271
• Pass extended key usage parameters when importing CertificateSigningRequestParams by @​uglyoldbob in #​264
• ci: update cargo-check-external-types toolchain, fix build by @​cpu in #​276
• Revert "ci: temp. pin nightly to avoid ICE" by @​cpu in #​277
• Expose algorithm field on PublicKey by @​rickvanprim in #​281
• Update semver-compatible dependencies by @​djc in #​283
• crl: avoid markdown footnotes by @​cpu in #​284
• Disable default features for aws-lc-rs by @​daxpedda in #​286
• Add KeyUsage support to CSR generation by @​lvkv in #​287
• Fix compilation issues of OpenSSL tests on 32-bit architectures by @​decathorpe in #​290
• Enable signing without private key by @​djc in #​291
• Clarify CSR signing docs by @​lvkv in #​295
• ci: adjust nightly for cargo-check-external-types by @​cpu in #​297
• Add PKCS#10 attributes to CSR serializer by @​lvkv in #​296
• Bump codecov/codecov-action from 4 to 5 by @​dependabot in #​299
• Update README.md example to match what's in lib.rs by @​ghenry in #​298
• rcgen: 0.13.1 -> 0.13.2 by @​lvkv in #​303

v0.13.1: 0.13.1

Compare Source

Fixed incorrect usage of the subject certificate's parameter's key identifier method when computing the key identifier of the issuer for the subject's authority key identifier (AKI) extension.

What's Changed

• Fix reference in changelog about RSA key generation by @​djc in #​258
• Set library version for CLI crate by @​djc in #​257
• cli: add more Cargo metadata by @​djc in #​259
• examples: sign-leaf-with-ca uses ca key for signing end entity cert by @​markdingram in #​263
• cert: use key_identifier_method of issuer for AKI by @​cpu in #​262

v0.13.0: 0.13.0

Compare Source

Breaking changes

• The API used to create/issue key pairs, certificates, certificate signing requests (CSRs), and certificate revocation lists (CRLs) has been restructured to emphasize consistency and avoid common errors with serialization.

  For each concrete type (cert, CSR, CRL) the process is now the same:

  1. generate or load a key pair and any information about issuers required.
  2. create parameters, customizing as appropriate.
  3. call a generation fn on the parameters, providing subject key pair and issuer information and as appropriate.
  4. call serialization fns on the finalized type, obtaining DER or PEM.

  For more information, see [rcgen/docs/0.12-to-0.13.md].

• Throughout the API DER inputs are now represented using types from the Rustls rustls-pki-types crate, e.g. PrivateKeyDer, CertificateDer, CertificateSigningRequestDer. Contributed by Tudyx.

• String types used in SanType and DnValue enums for non-UTF8 string types have been replaced with more specific types that prevent representation of illegal values. E.g. Ia5String, BmpString, PrintableString, TeletexString, and UniversalString. Contributed by Tudyx.

• Method names starting with get_ have been renamed to match Rust convention:

  • CertificateRevocationList::get_params() -> params()
  • Certificate::get_params() -> params()
  • Certificate::get_key_identifier() -> Certificate::key_identifier()
  • Certificate::get_times() -> Certificate::times()

Added

• RSA key generation support has been added. This support requires using the aws-lc-rs feature. By default using KeyPair::generate_for() with an RSA SignatureAlgorithm will generate an RSA 2048 keypair. See KeyPair::generate_rsa_for() for support for RSA 2048, 3072 and 4096 key sizes.

• Support for ECDSA P521 signatures and key generation has been added when using the aws-lc-rs feature. Contributed by Alvenix.

• Support for loading private keys that may be PKCS8, PKCS1, or SEC1 has been added when using the aws-lc-rs feature. Without this feature private keys must be PKCS8. See KeyPair::from_pem_and_sign_algo() and KeyPair::from_der_and_sign_algo() for more information. Contributed by Alvenix.

• Support has been added for Subject Alternative Name (SAN) names of type OtherName. Contributed by Tudyx.

• Support has been added for specifying custom "other" OIDs in extended key usage. Contributed by Tudyx.

• Support has been added for building rcgen without cryptography by omitting the new (default-enabled) crypto feature flag. Contributed by corrideat.

• Support for using aws-lc-rs in fips mode can now be activated by using the fips feature in combination with the aws-lc-rs feature. Contributed by BiagioFesta.

• A small command-line tool for certificate generation (rustls-cert-gen) was added. Contributed by tbro.

What's Changed

• Allow building without the pem crate feature by @​daxpedda in #​204
• ensure default serial generation fits 20 bytes by @​BiagioFesta in #​203
• A functional rustls-cert-gen with basic parameters. by @​tbro in #​190
• choose a crypto_provider for rustls_cert_gen by @​stormshield-gt in #​206
• Rework Certificate issuance API, make DER/PEM serialization stable by @​cpu in #​205
• add support for other oid in the extended key usage by @​Tudyx in #​210
• Upgrade webpki dev-dependency to 0.102 by @​djc in #​215
• build(deps): bump actions/cache from 3 to 4 by @​dependabot in #​216
• External keys by @​djc in #​213
• build(deps): bump shlex from 1.2.0 to 1.3.0 by @​dependabot in #​217
• Tighten up string type representations to prevent illegal values by @​Tudyx in #​214
• docs: update CHANGELOG for 0.12.1 by @​cpu in #​220
• Support compiling without cryptography primitives by @​corrideat in #​208
• Add basic support for Subject Alternative Name OtherName by @​Tudyx in #​209
• build(deps): bump codecov/codecov-action from 3 to 4 by @​dependabot in #​221
• codecov: disable pull-request annotations by @​cpu in #​225
• ci: sync nightly for check-external-types by @​cpu in #​226
• proj: fix new clippy unused imports finding by @​cpu in #​227
• Upgrade x509-parser to 0.16 by @​djc in #​231
• Remove get_() prefixes from method names by @​djc in #​232
• Add RSA key generation by @​est31 in #​230
• Update semver-compatible dependencies by @​djc in #​235
• FIPS support by @​BiagioFesta in #​234
• Split certificate module out of crate root by @​djc in #​237
• Apply most Clippy suggestions by @​djc in #​239
• Inline oid module by @​djc in #​238
• Streamline signing API by @​djc in #​233
• Use pki_types to improve the interoperability with the rustls ecosystem by @​Tudyx in #​223
• lib: export key_pair::RsaKeySize by @​cpu in #​245
• Unbreak doctests by @​djc in #​244
• Serialize CRL parameters into CertificateRevocationList by @​djc in #​240
• Follow-up from pki-types conversion by @​djc in #​246
• Fix unused import warning by @​Alvenix in #​248
• key_pair: emphasize PKCS8 input requirement in constructor fn names by @​cpu in #​249
• Support ECDSA_P521_SHA512 when using aws_lc_rs feature by @​Alvenix in #​241
• Minor API tweaks by @​djc in #​253
• Streamline CI jobs by @​djc in #​251
• Prefer aws-lc-rs over ring if both are enabled by @​djc in #​252
• lib: export csr::CertificateSigningRequest by @​cpu in #​255
• Support more private key formats when using aws_lc_rs feature by @​Alvenix in #​242
• docs: update CHANGELOG for 0.13.0 by @​cpu in #​254

---

Configuration

📅 Schedule: Branch creation - "after 8pm,before 6am" in timezone America/Los_Angeles, Automerge - "after 8pm,before 6am" in timezone America/Los_Angeles.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.