diff --git a/doc/go1.19.html b/doc/go1.19.html index 41ffe8ebfd..3ce2233ab0 100644 --- a/doc/go1.19.html +++ b/doc/go1.19.html @@ -322,16 +322,58 @@ as well as support for rendering them to HTML, Markdown, and text. +
crypto/elliptic
+
+

+ Operating on invalid curve points (those for which the + IsOnCurve method returns false, and which are never returned + by Unmarshal or by a Curve method operating on a + valid point) has always been undefined behavior and can lead to key + recovery attacks. If an invalid point is supplied to + Marshal, + MarshalCompressed, + Add, + Double, or + ScalarMult, + they will now panic. +

+ +

+ ScalarBaseMult operations on the P224, + P384, and P521 curves are now up to three + times faster, leading to similar speedups in some ECDSA operations. The + generic (not platform optimized) P256 implementation was + replaced with one derived from a formally verified model; this might + lead to significant slowdowns on 32-bit platforms. +

+
+
+
crypto/rand

Read no longer buffers - random data obtained from the operating system between calls. + random data obtained from the operating system between calls. Applications + that perform many small reads at high frequency might choose to wrap + Reader in a + bufio.Reader for performance + reasons, taking care to use + io.ReadFull + to ensure no partial reads occur.

On Plan 9, Read has been reimplemented, replacing the ANSI - X9.31 algorithm with fast key erasure. + X9.31 algorithm with a fast key erasure generator. +

+ +

+ The Prime + implementation was simplified. This will lead to different outputs for the + same random stream compared to the previous implementation. The internals + of Prime are not stable, should not be relied upon not to + change, and the output is now intentionally non-deterministic with respect + to the input stream.

@@ -364,6 +406,19 @@ as well as support for rendering them to HTML, Markdown, and text. CreateCertificate no longer accepts negative serial numbers.

+

+ CreateCertificate will not emit an empty SEQUENCE anymore + when the produced certificate has no extensions. +

+ +

+ Removal of the x509sha1=1 GODEBUG option, + originally planned for Go 1.19, has been rescheduled to a future release. + Applications using it should work on migrating. Practical attacks against + SHA-1 have been demonstrated since 2017 and publicly trusted Certificate + Authorities have not issued SHA-1 certificates since 2015. +

+

ParseCertificate and ParseCertificateRequest @@ -373,7 +428,7 @@ as well as support for rendering them to HTML, Markdown, and text.

The new CertPool.Clone and CertPool.Equal - methods allow cloning a CertPool and checking the equality of two + methods allow cloning a CertPool and checking the equivalence of two CertPools respectively.

@@ -381,25 +436,26 @@ as well as support for rendering them to HTML, Markdown, and text. The new function ParseRevocationList provides a faster, safer to use CRL parser which returns a RevocationList. - To support this addition, RevocationList adds new fields + Parsing a CRL also populates the new RevocationList fields RawIssuer, Signature, - AuthorityKeyId, and Extensions. - + AuthorityKeyId, and Extensions, which are ignored by + CreateRevocationList. +

The new method RevocationList.CheckSignatureFrom checks that the signature on a CRL is a valid signature from a Certificate. - - With the new CRL functionality, the existing functions - ParseCRL and - ParseDERCRL are deprecated. - Additionally the method Certificate.CheckCRLSignature - is deprecated. +

+ The ParseCRL and + ParseDERCRL functions + are now deprecated in favor of ParseRevocationList. + The Certificate.CheckCRLSignature + method is deprecated in favor of RevocationList.CheckSignatureFrom.

-

- When building paths, Certificate.Verify - now considers certificates to be equal when the subjects, public keys, and SANs - are all equal. Before, it required byte-for-byte equality. +

+ The path builder of Certificate.Verify + was overhauled and should now produce better chains and/or be more efficient in complicated scenarios. + Name constraints are now also enforced on non-leaf certificates.
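Review bot: In the @@ -322,16 +322,58 @@ hunk, the crypto/elliptic paragraph says Marshal, MarshalCompressed, Add, Double, and ScalarMult "will now panic" on invalid points, but it does not tell callers how to avoid that panic when points arrive from untrusted input. The same paragraph already states that invalid points are never returned by Unmarshal, so add a sentence directing callers to obtain points through Unmarshal, or to check IsOnCurve first, before handing them to these functions. In the crypto/rand part of the same hunk, "should not be relied upon not to change" is a double negative that is hard to parse; "are not stable and should not be relied upon" is clearer.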
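Review bot: In the @@ -364,6 +406,19 @@ hunk, the x509sha1=1 paragraph tells applications they "should work on migrating" without saying what to migrate to, and "a future release" gives them nothing to plan against. Suggest spelling out the action (stop depending on SHA-1 signed certificates so the GODEBUG setting is no longer needed) and naming the target release if one has been decided. The CreateCertificate entry above it could also say what is produced in place of the empty SEQUENCE when there are no extensions, since the encoded output changes for consumers that compare or pin certificate bytes.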
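Review bot: In the @@ -373,7 +428,7 @@ hunk, the wording moves from "equality" to "equivalence" for a method that is named CertPool.Equal, but the sentence never says what makes two CertPools equivalent. Add one clause that defines the comparison, so readers who call Equal in trust decisions or tests know what a true result guarantees.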
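Review bot: In the @@ -381,25 +436,26 @@ hunk, the final Certificate.Verify paragraph places a verification behaviour change ("Name constraints are now also enforced on non-leaf certificates") at the end of a paragraph about chain quality and efficiency, where it is easy to miss. Chains that verified before can now be rejected, so give it its own paragraph and say so. The removed text also gave a concrete criterion (subjects, public keys, and SANs all equal) that "should now produce better chains and/or be more efficient in complicated scenarios" replaces with nothing a reader can test; if that criterion still holds, keep it. In the RevocationList paragraph, state explicitly that "which are ignored by CreateRevocationList" applies to all four listed fields and not only to Extensions.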