From 72a238bb5b9ae0099f2929eca260f24ca1cdb7fc Mon Sep 17 00:00:00 2001 From: Pierre Chifflier Date: Wed, 3 Sep 2025 10:17:25 +0200 Subject: [PATCH 01/10] Fix version number in CHANGELOG and UPGRADING files --- CHANGELOG.md | 26 ++++++++++++++++++++++++++ UPGRADING.md | 6 +++--- 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e813581..8f4b501 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,32 @@ ### Thanks +## 0.18.0 + +### Added/Changed + +- Update lock file and dependencies +- Fix clippy warnings +- Visitor: add method to visit unknown extension and those with parse errors +- Add new feature `verify-aws` to used `aws-lc-rs` as crypto provider instead of `ring` + - The features are exclusive, so only one should be used + - If both are specified, `aws-lc-rs` is used (but both dependencies are included) +- Add `as_raw` methods to `X509Certificate`, `CertificateRevocationList` and `X509CertificationRequest` + - This method exposes the raw ASN.1 DER bytes used to build the object (#217) + +Extensions: +- Add support for SubjectInfoAccess extension +- GeneralName: add a new variant `Invalid` so an invalid entry does not stop + parsing for the entire list of names (for ex in SAN) + +### Fixed + +- PEM: ignore lines in comments which contain invalid UTF-8 characters (#180) + +### Thanks + +- Daniel McCarney + ## 0.17.0 ### Added/Changed/Fixed diff --git a/UPGRADING.md b/UPGRADING.md index e60a49c..69a8a23 100644 --- a/UPGRADING.md +++ b/UPGRADING.md @@ -1,6 +1,6 @@ -## Upgrading from 0.17 to 0.18 +## Upgrading from 0.18 to 0.19 -The major changes in version 0.18 are described here. +The major changes in version 0.19 are described here. ### Cargo and dependencies 
@@ -53,4 +53,4 @@ The following changes are not part of this crate, but are exposed in `Any` objec - Many parsers have been replaced by derive attributes (like `Sequence` or `Choice`) when possible. This reduces risks of errors and makes code more easier to maintain + Encoders are not derived for now -- File `extensions/mod.rs` has been split in multiple files \ No newline at end of file +- File `extensions/mod.rs` has been split in multiple files From 476e129707cd4fdeebb200d10c457c72a92cb11b Mon Sep 17 00:00:00 2001 From: Pierre Chifflier Date: Wed, 3 Sep 2025 10:18:07 +0200 Subject: [PATCH 02/10] Update version to 0.19.0-beta.1 --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index 1eb3e11..9f07381 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "x509-parser" -version = "0.18.0-beta.1" +version = "0.19.0-beta.1" description = "Parser for the X.509 v3 format (RFC 5280 certificates)" license = "MIT OR Apache-2.0" keywords = ["X509","Certificate","parser","nom"] From 132c62e2ce9b6dd82f6547abe66031bb135fb63c Mon Sep 17 00:00:00 2001 From: Pierre Chifflier Date: Wed, 3 Sep 2025 10:52:47 +0200 Subject: [PATCH 03/10] chore(cargo): update dependencies time and thiserror --- Cargo.lock | 39 +++++++++++++++++++-------------------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index b3d3b29..6196a5b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -20,7 +20,7 @@ dependencies = [ "asn1-rs-derive", "asn1-rs-impl", "bitvec", - "deranged", + "deranged 0.4.0", "displaydoc", "nom 8.0.0", "num-bigint", 
@@ -181,6 +181,12 @@ name = "deranged" version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c9e6a11ca8224451684bc0d7d5a7adbf8f2fd6887261a1cfc3c0432f9d4068e" + +[[package]] +name = "deranged" +version = "0.5.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d630bccd429a5bb5a64b5e94f693bfc48c9f8566418fda4c494cc94f911f87cc" dependencies = [ "powerfmt", ] @@ -283,12 +289,6 @@ dependencies = [ "either", ] -[[package]] -name = "itoa" -version = "1.0.15" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c" - [[package]] name = "jobserver" version = "0.1.33" @@ -592,18 +592,18 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369" [[package]] name = "thiserror" -version = "2.0.14" +version = "2.0.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b0949c3a6c842cbde3f1686d6eea5a010516deb7085f79db747562d4102f41e" +checksum = "3467d614147380f2e4e374161426ff399c91084acd2363eaf549172b3d5e60c0" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "2.0.14" +version = "2.0.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cc5b44b4ab9c2fdd0e0512e6bece8388e214c0749f5862b114cc5b7a25daf227" +checksum = "6c5e1be1c48b9172ee610da68fd9cd2770e7a4056cb3fc98710ee6906f0c7960" dependencies = [ "proc-macro2", "quote", @@ -612,12 +612,11 @@ dependencies = [ [[package]] name = "time" -version = "0.3.41" +version = "0.3.43" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8a7619e19bc266e0f9c5e6686659d394bc57973859340060a69221e57dbc0c40" +checksum = "83bde6f1ec10e72d583d91623c939f623002284ef622b87de38cfd546cbf2031" dependencies = [ - "deranged", - "itoa", + "deranged 0.5.3", "num-conv", "powerfmt", "serde", 
@@ -627,15 +626,15 @@ dependencies = [ [[package]] name = "time-core" -version = "0.1.4" +version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c9e9a38711f559d9e3ce1cdb06dd7c5b8ea546bc90052da6d06bb76da74bb07c" +checksum = "40868e7c1d2f0b8d73e4a8c7f0ff63af4f6d19be117e90bd73eb1d62cf831c6b" [[package]] name = "time-macros" -version = "0.2.22" +version = "0.2.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3526739392ec93fd8b359c8e98514cb3e8e021beb4e5f597b00a0221f8ed8a49" +checksum = "30cfb0125f12d9c277f35663a0a33f8c30190f4e4574868a330595412d34ebf3" dependencies = [ "num-conv", "time-core", @@ -868,7 +867,7 @@ dependencies = [ [[package]] name = "x509-parser" -version = "0.18.0-beta.1" +version = "0.19.0-beta.1" dependencies = [ "asn1-rs", "aws-lc-rs", From de645db0b94a1fc7eb3f1d6a10b5e1ff678ca0cd Mon Sep 17 00:00:00 2001 From: Pierre Chifflier Date: Mon, 8 Sep 2025 09:44:42 +0200 Subject: [PATCH 04/10] Clarify MSRV policy in README --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index 93492b6..c80cf49 100644 --- a/README.md +++ b/README.md @@ -111,6 +111,16 @@ dependencies and for proc-macro attributes support. [RFC5280]: https://tools.ietf.org/html/rfc5280 +## MSRV policy + +This projects tries to maintain compatibility with older version of the rust compiler for the following +durations: +- `master` branch: _12 months_ minimum +- older releases: about 24 months + +However, due to dependencies and the fact that some crate writers tend to require very recent +versions of the compiler, this can prove to be difficult. These numbers are given as _best-effort_. + ## Changes See [CHANGELOG.md](CHANGELOG.md) and [`UPGRADING.md`](UPGRADING.md) for instructions for upgrading major versions. From fe005007af027b0cbf24f8a8bd8fadac204df527 Mon Sep 17 00:00:00 2001 
From: Pierre Chifflier Date: Mon, 8 Sep 2025 11:28:09 +0200 Subject: [PATCH 05/10] Switch to `cargo rdme`, add CI checks and update links --- .github/workflows/rust.yml | 14 +++++++++++ Cargo.lock | 29 +++++++++++----------- README.md | 51 ++++++++++++++++++++++++++------------ src/lib.rs | 48 +++++++++++++++++++---------------- src/prelude.rs | 2 +- 5 files changed, 92 insertions(+), 52 deletions(-) diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 6330417..518f3ca 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -48,6 +48,9 @@ jobs: - uses: dtolnay/rust-toolchain@master with: toolchain: ${{ matrix.rust }} + - name: Cargo update (fix for MSRV) + run: cargo update -p time --precise 0.3.41 + if: matrix.rust == '1.67.1' - run: RUSTFLAGS="-D warnings" cargo check --locked --all-targets --all-features test: @@ -99,6 +102,17 @@ jobs: components: clippy - run: cargo clippy --locked --all-features -- -D warnings + readme: + name: Check if README is up to date + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v5 + - name: Install stable toolchain + uses: dtolnay/rust-toolchain@stable + - run: | + cargo install cargo-rdme + cargo rdme --check --no-fail-on-warnings + doc: name: Build documentation needs: check diff --git a/Cargo.lock b/Cargo.lock index 6196a5b..324afc5 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -20,7 +20,7 @@ dependencies = [ "asn1-rs-derive", "asn1-rs-impl", "bitvec", - "deranged 0.4.0", + "deranged", "displaydoc", "nom 8.0.0", "num-bigint", @@ -181,12 +181,6 @@ name = "deranged" version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c9e6a11ca8224451684bc0d7d5a7adbf8f2fd6887261a1cfc3c0432f9d4068e" - -[[package]] -name = "deranged" -version = "0.5.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d630bccd429a5bb5a64b5e94f693bfc48c9f8566418fda4c494cc94f911f87cc" dependencies = [ "powerfmt", ] 
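Review bot: The `Cargo update (fix for MSRV)` step added in `.github/workflows/rust.yml` (hunk `@@ -48,6 +48,9 @@`) rewrites `Cargo.lock` on the runner before `cargo check --locked --all-targets --all-features` runs, so on the `1.67.1` matrix entry `--locked` no longer shows that the committed lock file builds. The job is checked against `time` 0.3.41 whatever the lock carries, and PATCH 06/10 later moves the lock to 0.3.47, so the MSRV result then describes a dependency set that is not the one shipped in the repository. I would say so next to the step, for example `# time is held at 0.3.41 for the MSRV toolchain only; this job checks a modified lock, not the committed Cargo.lock`. PATCH 07/10 repeats the same step and the same two literals (`0.3.41`, `'1.67.1'`) for the plain `check` job, so the comment applies there as well. The job body starts and ends outside the hunk.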
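Review bot: In the new `readme` job (hunk `@@ -99,6 +102,17 @@` of `.github/workflows/rust.yml`), `cargo install cargo-rdme` takes whatever release is current and resolves its dependencies afresh on every run, so the tool executed in CI is not reproducible and a changed upstream release runs without review. Pinning it, e.g. `cargo install cargo-rdme --locked --version <PINNED_VERSION>`, keeps the check deterministic; `--locked` makes cargo use the lock file published with the tool. `actions/checkout@v5` and `dtolnay/rust-toolchain@stable` are likewise mutable references; pinning them to a full commit SHA would be stricter, although the neighbouring jobs visible here use the same tag style. The job only reads the repository, so a job-level `permissions:` block with `contents: read` is worth adding unless the workflow already sets one at top level, which is outside this hunk.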
@@ -289,6 +283,12 @@ dependencies = [ "either", ] +[[package]] +name = "itoa" +version = "1.0.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c" + [[package]] name = "jobserver" version = "0.1.33" @@ -612,11 +612,12 @@ dependencies = [ [[package]] name = "time" -version = "0.3.43" +version = "0.3.41" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "83bde6f1ec10e72d583d91623c939f623002284ef622b87de38cfd546cbf2031" +checksum = "8a7619e19bc266e0f9c5e6686659d394bc57973859340060a69221e57dbc0c40" dependencies = [ - "deranged 0.5.3", + "deranged", + "itoa", "num-conv", "powerfmt", "serde", @@ -626,15 +627,15 @@ dependencies = [ [[package]] name = "time-core" -version = "0.1.6" +version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "40868e7c1d2f0b8d73e4a8c7f0ff63af4f6d19be117e90bd73eb1d62cf831c6b" +checksum = "c9e9a38711f559d9e3ce1cdb06dd7c5b8ea546bc90052da6d06bb76da74bb07c" [[package]] name = "time-macros" -version = "0.2.24" +version = "0.2.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "30cfb0125f12d9c277f35663a0a33f8c30190f4e4574868a330595412d34ebf3" +checksum = "3526739392ec93fd8b359c8e98514cb3e8e021beb4e5f597b00a0221f8ed8a49" dependencies = [ "num-conv", "time-core", diff --git a/README.md b/README.md index c80cf49..b049fd9 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,3 @@ - - [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE-MIT) [![Apache License 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](./LICENSE-APACHE) [![docs.rs](https://docs.rs/x509-parser/badge.svg)](https://docs.rs/x509-parser) 
@@ -8,6 +6,8 @@ [![Github CI](https://github.com/rusticata/x509-parser/workflows/Continuous%20integration/badge.svg)](https://github.com/rusticata/x509-parser/actions) [![Minimum rustc version](https://img.shields.io/badge/rustc-1.67.1+-lightgray.svg)](#rust-version-requirements) + + # X.509 Parser A X.509 v3 ([RFC5280]) parser, implemented with the [nom](https://github.com/Geal/nom) 
@@ -22,25 +22,36 @@ and is part of the [Rusticata](https://github.com/rusticata) project. Certificates are usually encoded in two main formats: PEM (usually the most common format) or DER. A PEM-encoded certificate is a container, storing a DER object. See the -[`pem`](https://docs.rs/x509-parser/latest/x509_parser/pem/index.html) module for more documentation. +[`pem`] module for more documentation. To decode a DER-encoded certificate, the main parsing method is -`X509Certificate::from_der` ( -part of the [`FromDer`](https://docs.rs/x509-parser/latest/x509_parser/prelude/trait.FromDer.html) trait -), which builds a -[`X509Certificate`](https://docs.rs/x509-parser/latest/x509_parser/certificate/struct.X509Certificate.html) object. +`X509Certificate::parse_der` (from the [`DerParser`](asn1_rs::DerParser) trait) +which builds a [`X509Certificate`] object. + +The [`parse_der`](asn1_rs::DerParser) trait takes an [`Input`](asn1_rs::Input) +object, which can be built from the input bytes. This helps tracking offsets (in case of +error). +For convenience, +the [`X509Certificate::from_der`] method (part of the [`FromDer`] trait) +does the same directly on the input bytes, but it can loose the precise error location. An alternative method is to use [`X509CertificateParser`](https://docs.rs/x509-parser/latest/x509_parser/certificate/struct.X509CertificateParser.html), which allows specifying parsing options (for example, not automatically parsing option contents). +Similar methods are provided for other X.509 objects: +- [`X509Certificate`] for X.509 Certificates +- [`CertificateRevocationList`] for X.509 v2 Certificate Revocation List (CRL) +- [`X509CertificationRequest`](https://docs.rs/x509-parser/latest/x509_parser/certification_request/struct.X509CertificationRequest.html) for Certification Signing Request (CSR) + The returned objects for parsers follow the definitions of the RFC. This means that accessing fields is done by accessing struct members recursively. 
Some helper functions are provided, for -example [`X509Certificate::issuer()`](https://docs.rs/x509-parser/latest/x509_parser/certificate/struct.X509Certificate.html#method.issuer) returns the +example `X509Certificate::issuer()` returns the same as accessing `.tbs_certificate.issuer`. -For PEM-encoded certificates, use the [`pem`](https://docs.rs/x509-parser/latest/x509_parser/pem/index.html) module. +For PEM-encoded certificates, use the [`pem`] module. -This crate also provides visitor traits: [`X509CertificateVisitor`](crate::visitor::X509CertificateVisitor). +This crate also provides visitor traits: `X509CertificateVisitor`, `CertificateRevocationListVisitor`. +See the [`visitor`] module. # Examples @@ -51,7 +62,8 @@ use x509_parser::prelude::*; static IGCA_DER: &[u8] = include_bytes!("../assets/IGC_A.der"); -let res = X509Certificate::from_der(IGCA_DER); +let input = Input::from(IGCA_DER); +let res = X509Certificate::parse_der(input); match res { Ok((rem, cert)) => { assert!(rem.is_empty()); @@ -65,9 +77,8 @@ match res { To parse a CRL and print information about revoked certificates: ```rust -# -# -let res = CertificateRevocationList::from_der(DER); +let input = Input::from(DER); +let res = CertificateRevocationList::parse_der(input); match res { Ok((_rem, crl)) => { for revoked in crl.iter_revoked_certificates() { @@ -85,7 +96,7 @@ See also `examples/print-cert.rs`. - The `verify` and `verify-aws` features adds support for (cryptographic) signature verification, based on `ring` or `aws-lc` respectively. It adds the - [`X509Certificate::verify_signature()`](https://docs.rs/x509-parser/latest/x509_parser/certificate/struct.X509Certificate.html#method.verify_signature) + [`X509Certificate::verify_signature()`] method to `X509Certificate`. ```rust 
@@ -99,6 +110,13 @@ pub fn check_signature(cert: &X509Certificate<'_>, issuer: &X509Certificate<'_>) } ``` +- The `verify-aws` feature offers the same support for signature verification, but based on + `aws-lc-rs` instead of `ring`. + +- _Note_: if both `verify` and `verify-aws` features are enabled (which happens when using + `--all-features`), the verification will use `aws-lc-rs`. It also has the side-effect of + having a dependency on `ring`, even if it is not used. + - The `validate` features add methods to run more validation functions on the certificate structure and values using the [`Validate`](https://docs.rs/x509-parser/latest/x509_parser/validate/trait.Validate.html) trait. It does not validate any cryptographic parameter (see `verify` above). @@ -109,7 +127,8 @@ pub fn check_signature(cert: &X509Certificate<'_>, issuer: &X509Certificate<'_>) dependencies and for proc-macro attributes support. [RFC5280]: https://tools.ietf.org/html/rfc5280 - + + ## MSRV policy diff --git a/src/lib.rs b/src/lib.rs index d7e1908..d52deb6 100644 --- a/src/lib.rs +++ b/src/lib.rs 
@@ -1,11 +1,3 @@ -//! [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE-MIT) -//! [![Apache License 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](./LICENSE-APACHE) -//! [![docs.rs](https://docs.rs/x509-parser/badge.svg)](https://docs.rs/x509-parser) -//! [![crates.io](https://img.shields.io/crates/v/x509-parser.svg)](https://crates.io/crates/x509-parser) -//! [![Download numbers](https://img.shields.io/crates/d/x509-parser.svg)](https://crates.io/crates/x509-parser) -//! [![Github CI](https://github.com/rusticata/x509-parser/workflows/Continuous%20integration/badge.svg)](https://github.com/rusticata/x509-parser/actions) -//! [![Minimum rustc version](https://img.shields.io/badge/rustc-1.67.1+-lightgray.svg)](#rust-version-requirements) -//! //! # X.509 Parser //! //! A X.509 v3 ([RFC5280]) parser, implemented with the [nom](https://github.com/Geal/nom) 
@@ -20,25 +12,37 @@ //! //! Certificates are usually encoded in two main formats: PEM (usually the most common format) or //! DER. A PEM-encoded certificate is a container, storing a DER object. See the -//! [`pem`](pem/index.html) module for more documentation. +//! [`pem`] module for more documentation. //! //! To decode a DER-encoded certificate, the main parsing method is -//! `X509Certificate::from_der` ( -//! part of the [`FromDer`](prelude/trait.FromDer.html) trait -//! ), which builds a -//! [`X509Certificate`](certificate/struct.X509Certificate.html) object. +//! `X509Certificate::parse_der` (from the [`DerParser`](asn1_rs::DerParser) trait) +//! which builds a [`X509Certificate`] object. +//! +//! The [`parse_der`](asn1_rs::DerParser) trait takes an [`Input`](asn1_rs::Input) +//! object, which can be built from the input bytes. This helps tracking offsets (in case of +//! error). +//! For convenience, +//! the [`X509Certificate::from_der`] method (part of the [`FromDer`] trait) +//! does the same directly on the input bytes, but it can loose the precise error location. //! -//! An alternative method is to use [`X509CertificateParser`](certificate/struct.X509CertificateParser.html), +//! An alternative method is to use [`X509CertificateParser`](crate::certificate::X509CertificateParser), //! which allows specifying parsing options (for example, not automatically parsing option contents). +//! +//! Similar methods are provided for other X.509 objects: +//! - [`X509Certificate`] for X.509 Certificates +//! - [`CertificateRevocationList`] for X.509 v2 Certificate Revocation List (CRL) +//! - [`X509CertificationRequest`](crate::certification_request::X509CertificationRequest) for Certification Signing Request (CSR) + //! //! The returned objects for parsers follow the definitions of the RFC. This means that accessing //! fields is done by accessing struct members recursively. Some helper functions are provided, for -//! 
example [`X509Certificate::issuer()`](certificate/struct.X509Certificate.html#method.issuer) returns the +//! example [`X509Certificate::issuer()`](crate::certificate::TbsCertificate::issuer()) returns the //! same as accessing `.tbs_certificate.issuer`. //! -//! For PEM-encoded certificates, use the [`pem`](pem/index.html) module. +//! For PEM-encoded certificates, use the [`pem`] module. //! -//! This crate also provides visitor traits: [`X509CertificateVisitor`](crate::visitor::X509CertificateVisitor). +//! This crate also provides visitor traits: [`X509CertificateVisitor`](crate::visitor::X509CertificateVisitor), [`CertificateRevocationListVisitor`](crate::visitor::CertificateRevocationListVisitor). +//! See the [`visitor`] module. //! //! # Examples //! @@ -50,7 +54,8 @@ //! static IGCA_DER: &[u8] = include_bytes!("../assets/IGC_A.der"); //! //! # fn main() { -//! let res = X509Certificate::from_der(IGCA_DER); +//! let input = Input::from(IGCA_DER); +//! let res = X509Certificate::parse_der(input); //! match res { //! Ok((rem, cert)) => { //! assert!(rem.is_empty()); @@ -70,7 +75,8 @@ //! # static DER: &[u8] = include_bytes!("../assets/example.crl"); //! # //! # fn main() { -//! let res = CertificateRevocationList::from_der(DER); +//! let input = Input::from(DER); +//! let res = CertificateRevocationList::parse_der(input); //! match res { //! Ok((_rem, crl)) => { //! for revoked in crl.iter_revoked_certificates() { @@ -89,7 +95,7 @@ //! //! - The `verify` and `verify-aws` features adds support for (cryptographic) signature verification, based on `ring` or `aws-lc` respectively. //! It adds the -//! [`X509Certificate::verify_signature()`](certificate/struct.X509Certificate.html#method.verify_signature) +//! [`X509Certificate::verify_signature()`] method //! to `X509Certificate`. //! //! ```rust 
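Review bot: The new crate-level docs in `src/lib.rs` (hunk `@@ -20,25 +12,37 @@`) contain two wording slips: "it can loose the precise error location" should read "it can lose the precise error location", and "The parse_der trait takes an Input object" describes a method as a trait while linking to `asn1_rs::DerParser`, so "The `parse_der` method of the `DerParser` trait takes" would match the link target. Because this commit turns README.md into `cargo rdme` output of this comment and adds a CI job that checks it, both fixes belong here, followed by a README regeneration. There also appears to be a bare empty line, without `//!`, added after the `X509CertificationRequest` bullet; if so, `//!` would keep the doc block contiguous. The link text `X509Certificate::issuer()` now points at `crate::certificate::TbsCertificate::issuer()`, which is worth confirming as intended.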
@@ -113,7 +119,7 @@ //! having a dependency on `ring`, even if it is not used. //! //! - The `validate` features add methods to run more validation functions on the certificate structure -//! and values using the [`Validate`](validate/trait.Validate.html) trait. +//! and values using the [`Validate`](crate::validate::Validate) trait. //! It does not validate any cryptographic parameter (see `verify` above). //! //! ## Rust version requirements diff --git a/src/prelude.rs b/src/prelude.rs index 7d0f6f6..1d453f5 100644 --- a/src/prelude.rs +++ b/src/prelude.rs @@ -14,4 +14,4 @@ pub use crate::validate::*; pub use crate::x509::*; pub use crate::*; -pub use asn1_rs::{DerParser, FromDer}; +pub use asn1_rs::{DerParser, FromDer, Input}; From 7d94bc403b4249a5d342fb9b3b78683c9a98a0d1 Mon Sep 17 00:00:00 2001 From: Pierre Chifflier Date: Mon, 9 Feb 2026 11:07:50 +0100 Subject: [PATCH 06/10] chore(cargo): update dependency time --- Cargo.lock | 38 ++++++++++++++++++++++---------------- 1 file changed, 22 insertions(+), 16 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 324afc5..16c655a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -20,7 +20,7 @@ dependencies = [ "asn1-rs-derive", "asn1-rs-impl", "bitvec", - "deranged", + "deranged 0.4.0", "displaydoc", "nom 8.0.0", "num-bigint", @@ -181,6 +181,12 @@ name = "deranged" version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c9e6a11ca8224451684bc0d7d5a7adbf8f2fd6887261a1cfc3c0432f9d4068e" + +[[package]] +name = "deranged" +version = "0.5.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ececcb659e7ba858fb4f10388c250a7252eb0a27373f1a72b8748afdd248e587" dependencies = [ "powerfmt", ] 
@@ -382,9 +388,9 @@ dependencies = [ [[package]] name = "num-conv" -version = "0.1.0" +version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9" +checksum = "cf97ec579c3c42f953ef76dbf8d55ac91fb219dde70e49aa4a6b7d74e9919050" [[package]] name = "num-integer" @@ -537,19 +543,19 @@ dependencies = [ ] [[package]] -name = "serde" -version = "1.0.219" +name = "serde_core" +version = "1.0.228" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f0e2c6ed6606019b4e29e69dbaba95b11854410e5347d525002456dbbb786b6" +checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.219" +version = "1.0.228" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00" +checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79" dependencies = [ "proc-macro2", "quote", 
@@ -612,30 +618,30 @@ dependencies = [ [[package]] name = "time" -version = "0.3.41" +version = "0.3.47" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8a7619e19bc266e0f9c5e6686659d394bc57973859340060a69221e57dbc0c40" +checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c" dependencies = [ - "deranged", + "deranged 0.5.5", "itoa", "num-conv", "powerfmt", - "serde", + "serde_core", "time-core", "time-macros", ] [[package]] name = "time-core" -version = "0.1.4" +version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c9e9a38711f559d9e3ce1cdb06dd7c5b8ea546bc90052da6d06bb76da74bb07c" +checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca" [[package]] name = "time-macros" -version = "0.2.22" +version = "0.2.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3526739392ec93fd8b359c8e98514cb3e8e021beb4e5f597b00a0221f8ed8a49" +checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215" dependencies = [ "num-conv", "time-core", From 1a2e8b43b05050d212c205ef2dcb55a09b5f205c Mon Sep 17 00:00:00 2001 From: Pierre Chifflier Date: Mon, 9 Feb 2026 11:22:16 +0100 Subject: [PATCH 07/10] CI: fix target `check` with MSRV --- .github/workflows/rust.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 518f3ca..2741e9f 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -22,6 +22,9 @@ jobs: - uses: dtolnay/rust-toolchain@master with: toolchain: ${{ matrix.rust }} + - name: Cargo update (fix for MSRV) + run: cargo update -p time --precise 0.3.41 + if: matrix.rust == '1.67.1' - run: RUSTFLAGS="-D warnings" cargo check --locked check-notlocked: From be8dfc7a016a1f516685538b879fb8958c442e6d Mon Sep 17 00:00:00 2001 
From: Pierre Chifflier Date: Thu, 12 Feb 2026 09:44:34 +0100 Subject: [PATCH 08/10] Clarify MSRV policy in README --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index b049fd9..a4d8449 100644 --- a/README.md +++ b/README.md @@ -140,6 +140,11 @@ durations: However, due to dependencies and the fact that some crate writers tend to require very recent versions of the compiler, this can prove to be difficult. These numbers are given as _best-effort_. +We do not consider MSRV changes to be breaking for the purposes of semver. + +We try to make no change to MSRV in stable branches and in security patches, with the exception of +a dependency that must be updated for security and requires a new MSRV. + ## Changes See [CHANGELOG.md](CHANGELOG.md) and [`UPGRADING.md`](UPGRADING.md) for instructions for upgrading major versions. From 8b1afd6cdcef7791cd9455e321a62fa8bc5e5d63 Mon Sep 17 00:00:00 2001 From: Pierre Chifflier Date: Thu, 12 Feb 2026 09:45:27 +0100 Subject: [PATCH 09/10] Fix typos in README and update CHANGELOG --- CHANGELOG.md | 8 ++++---- README.md | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8f4b501..44c6716 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -13,15 +13,15 @@ - Update lock file and dependencies - Fix clippy warnings - Visitor: add method to visit unknown extension and those with parse errors -- Add new feature `verify-aws` to used `aws-lc-rs` as crypto provider instead of `ring` +- Add new feature `verify-aws` to use `aws-lc-rs` as crypto provider instead of `ring` - The features are exclusive, so only one should be used - If both are specified, `aws-lc-rs` is used (but both dependencies are included) - Add `as_raw` methods to `X509Certificate`, `CertificateRevocationList` and `X509CertificationRequest` - This method exposes the raw ASN.1 DER bytes used to build the object (#217) Extensions: -- Add support for SubjectInfoAccess extension -- GeneralName: add a new variant `Invalid` so an invalid entry does not stop +- Add support for `SubjectInfoAccess` extension +- `GeneralName`: add a new variant `Invalid` so an invalid entry does not stop parsing for the entire list of names (for ex in SAN) ### Fixed @@ -30,7 +30,7 @@ Extensions: ### Thanks -- Daniel McCarney +- Daniel McCarney, Lily Ballard, @stormshield-gt, @soundofspace ## 0.17.0 diff --git a/README.md b/README.md index a4d8449..63db447 100644 --- a/README.md +++ b/README.md @@ -132,7 +132,7 @@ dependencies and for proc-macro attributes support. ## MSRV policy -This projects tries to maintain compatibility with older version of the rust compiler for the following +This projects tries to maintain compatibility with older versions of the rust compiler for the following durations: - `master` branch: _12 months_ minimum - older releases: about 24 months From 694bcf105f2923c92b9927885c8b7c4e68dc5749 Mon Sep 17 00:00:00 2001 From: Daniel McCarney Date: Mon, 15 Dec 2025 10:09:21 -0500 Subject: [PATCH 10/10] docs: fix small README typos --- README.md | 4 ++-- src/lib.rs | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 63db447..7409e4c 100644 --- a/README.md +++ b/README.md 
@@ -94,7 +94,7 @@ See also `examples/print-cert.rs`. # Features -- The `verify` and `verify-aws` features adds support for (cryptographic) signature verification, based on `ring` or `aws-lc` respectively. +- The `verify` and `verify-aws` features add support for (cryptographic) signature verification, based on `ring` or `aws-lc` respectively. It adds the [`X509Certificate::verify_signature()`] method to `X509Certificate`. @@ -117,7 +117,7 @@ pub fn check_signature(cert: &X509Certificate<'_>, issuer: &X509Certificate<'_>) `--all-features`), the verification will use `aws-lc-rs`. It also has the side-effect of having a dependency on `ring`, even if it is not used. -- The `validate` features add methods to run more validation functions on the certificate structure +- The `validate` feature add methods to run more validation functions on the certificate structure and values using the [`Validate`](https://docs.rs/x509-parser/latest/x509_parser/validate/trait.Validate.html) trait. It does not validate any cryptographic parameter (see `verify` above). diff --git a/src/lib.rs b/src/lib.rs index d52deb6..1de79cc 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -93,7 +93,7 @@ //! //! # Features //! -//! - The `verify` and `verify-aws` features adds support for (cryptographic) signature verification, based on `ring` or `aws-lc` respectively. +//! - The `verify` and `verify-aws` features add support for (cryptographic) signature verification, based on `ring` or `aws-lc` respectively. //! It adds the //! [`X509Certificate::verify_signature()`] method //! to `X509Certificate`. 
@@ -118,7 +118,7 @@ //! `--all-features`), the verification will use `aws-lc-rs`. It also has the side-effect of //! having a dependency on `ring`, even if it is not used. //! -//! - The `validate` features add methods to run more validation functions on the certificate structure +//! - The `validate` feature add methods to run more validation functions on the certificate structure //! and values using the [`Validate`](crate::validate::Validate) trait. //! It does not validate any cryptographic parameter (see `verify` above). //!
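Review bot: The sentence changed in the `src/lib.rs` hunk `@@ -118,7 +118,7 @@` still has a subject-verb mismatch: "The `validate` feature add methods" should be "The `validate` feature adds methods". The README.md hunk of the same commit carries the identical wording, and since README.md is generated from this doc comment, the fix goes here. In the earlier hunk `@@ -93,7 +93,7 @@`, the plural "features add support" is followed by "It adds the `X509Certificate::verify_signature()` method", which would read consistently as "They add".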