1f59d82ffSelric2008-07-14 Love Hörnquist Åstrand <lha@kth.se> 2f59d82ffSelric 3f59d82ffSelric * hxtool.c: Break out print_eval_types(). 4f59d82ffSelric 5f59d82ffSelric2008-06-21 Love Hörnquist Åstrand <lha@kth.se> 6f59d82ffSelric 7f59d82ffSelric * ks_p12.c: pass in time_now to unevelope 8f59d82ffSelric 9f59d82ffSelric * cms.c: Pass in time_now to unevelope, us verify context time in 10f59d82ffSelric verify_signed. 11f59d82ffSelric 12f59d82ffSelric2008-05-23 Love Hörnquist Åstrand <lha@kth.se> 13f59d82ffSelric 14f59d82ffSelric * hx_locl.h: Include <limits.h> for TYPE_MAX defines. 15f59d82ffSelric 16f59d82ffSelric2008-04-29 Love Hörnquist Åstrand <lha@it.su.se> 17f59d82ffSelric 18f59d82ffSelric * sel-lex.l: Use _hx509_sel_yyerror() instead of error_message(). 19f59d82ffSelric 20f59d82ffSelric2008-04-20 Love Hörnquist Åstrand <lha@it.su.se> 21f59d82ffSelric 22f59d82ffSelric * sel-lex.l: Include <config.h> 23f59d82ffSelric 24f59d82ffSelric2008-04-17 Love Hörnquist Åstrand <lha@it.su.se> 25f59d82ffSelric 26f59d82ffSelric * Makefile.am: Update make-proto usage. 27f59d82ffSelric 28f59d82ffSelric2008-04-15 Love Hörnquist Åstrand <lha@it.su.se> 29f59d82ffSelric 30f59d82ffSelric * ca.c: BasicConstraints.pathLenConstraint unsigned int. 31f59d82ffSelric 32f59d82ffSelric * sel-lex.l: Prefix sel_error with _hx509_ since its global on 33f59d82ffSelric platforms w/o symbol versioning. 34f59d82ffSelric 35f59d82ffSelric * sel.h: rename yyerror to sel_yyerror in the whole library, not 36f59d82ffSelric just the lexer 37f59d82ffSelric 38f59d82ffSelric * sel-lex.l: rename yyerror to sel_yyerror in the whole library, 39f59d82ffSelric not just the lexer 40f59d82ffSelric 41f59d82ffSelric2008-04-14 Love Hörnquist Åstrand <lha@it.su.se> 42f59d82ffSelric 43f59d82ffSelric * sel-lex.l: Rename yyerror to sel_yyerror and make it static. 
44f59d82ffSelric 45f59d82ffSelric2008-04-08 Love Hörnquist Åstrand <lha@it.su.se> 46f59d82ffSelric 47f59d82ffSelric * hx509.h: Make self-standing by including missing files. 48f59d82ffSelric 49f59d82ffSelric2008-04-07 Love Hörnquist Åstrand <lha@it.su.se> 50f59d82ffSelric 51f59d82ffSelric * ks_p11.c: Use unsigned where appropriate. 52f59d82ffSelric 53f59d82ffSelric * softp11.c: call va_start before using vsnprintf. 54f59d82ffSelric 55f59d82ffSelric * crypto.c: make refcount slightly more sane. 56f59d82ffSelric 57f59d82ffSelric * keyset.c: make refcount slightly more sane. 58f59d82ffSelric 59f59d82ffSelric * cert.c: make refcount slightly more sane. 60f59d82ffSelric 61f59d82ffSelric2008-03-19 Love Hörnquist Åstrand <lha@it.su.se> 62f59d82ffSelric 63f59d82ffSelric * test_nist2.in: Try to find unzip. 64f59d82ffSelric 65f59d82ffSelric2008-03-16 Love Hörnquist Åstrand <lha@it.su.se> 66f59d82ffSelric 67f59d82ffSelric * version-script.map: add missing symbols 68f59d82ffSelric 69f59d82ffSelric * spnego: Make delegated credentials delegated directly, Oleg 70f59d82ffSelric Sharoiko pointed out that it always didnt work with the old 71f59d82ffSelric code. Also add som missing cred and context pass-thou functions in 72f59d82ffSelric the SPNEGO layer. 73f59d82ffSelric 74f59d82ffSelric2008-03-14 Love Hörnquist Åstrand <lha@it.su.se> 75f59d82ffSelric 76f59d82ffSelric * rename to be more consistent, export for teting 77f59d82ffSelric 78f59d82ffSelric * Add language to support querying certificates to find a 79f59d82ffSelric match. Support constructs like "1.3.6.1.5.2.3.5" IN 80f59d82ffSelric %{certificate.eku} AND %{certificate.subject} TAILMATCH "C=SE". 81f59d82ffSelric 82f59d82ffSelric2008-02-26 Love Hörnquist Åstrand <lha@it.su.se> 83f59d82ffSelric 84f59d82ffSelric * version-script.map: add hx509_pem_read 85f59d82ffSelric 86f59d82ffSelric * hxtool-commands.in: Add --pem to cms-verify-sd. 87f59d82ffSelric 88f59d82ffSelric * test_cms.in: Test verifying PEM signature files. 
89f59d82ffSelric 90f59d82ffSelric * hxtool.c: Support verifying PEM signature files. 91f59d82ffSelric 92f59d82ffSelric2008-02-25 Love Hörnquist Åstrand <lha@it.su.se> 93f59d82ffSelric 94f59d82ffSelric * Makefile.am: libhx509_la_OBJECTS depends on hx_locl.h 95f59d82ffSelric 96f59d82ffSelric2008-02-11 Love Hörnquist Åstrand <lha@it.su.se> 97f59d82ffSelric 98f59d82ffSelric * Use ldap-prep (with libwind) to compare names 99f59d82ffSelric 100f59d82ffSelric2008-01-27 Love Hörnquist Åstrand <lha@it.su.se> 101f59d82ffSelric 102f59d82ffSelric * cert.c (hx509_query_match_eku): update to support the NULL 103f59d82ffSelric eku (reset), clearify the old behaivor with regards repetitive 104f59d82ffSelric calls. 105f59d82ffSelric 106f59d82ffSelric * Add matching on EKU, validate EKUs, add hxtool matching glue, 107f59d82ffSelric add check. Adapted from pach from Tim Miller of Mitre 108f59d82ffSelric 109f59d82ffSelric2008-01-21 Love Hörnquist Åstrand <lha@it.su.se> 110f59d82ffSelric 111f59d82ffSelric * test_soft_pkcs11.c: use func for more C_ functions. 112f59d82ffSelric 113f59d82ffSelric2008-01-18 Love Hörnquist Åstrand <lha@it.su.se> 114f59d82ffSelric 115f59d82ffSelric * version-script.map: Export hx509_free_error_string(). 116f59d82ffSelric 117f59d82ffSelric2008-01-17 Love Hörnquist Åstrand <lha@it.su.se> 118f59d82ffSelric 119f59d82ffSelric * version-script.map: only export C_GetFunctionList 120f59d82ffSelric 121f59d82ffSelric * test_soft_pkcs11.c: use C_GetFunctionList 122f59d82ffSelric 123f59d82ffSelric * softp11.c: fix comment, remove label. 124f59d82ffSelric 125f59d82ffSelric * softp11.c: Add option app-fatal to control if softtoken should 126f59d82ffSelric abort() on erroneous input from applications. 
127f59d82ffSelric 128f59d82ffSelric2008-01-16 Love Hörnquist Åstrand <lha@it.su.se> 129f59d82ffSelric 130f59d82ffSelric * test_pkcs11.in: Test password less certificates too 131f59d82ffSelric 132f59d82ffSelric * keyset.c: document HX509_CERTS_UNPROTECT_ALL 133f59d82ffSelric 134f59d82ffSelric * ks_file.c: Support HX509_CERTS_UNPROTECT_ALL. 135f59d82ffSelric 136f59d82ffSelric * hx509.h: Add HX509_CERTS_UNPROTECT_ALL. 137f59d82ffSelric 138f59d82ffSelric * test_soft_pkcs11.c: Only log in if needed. 139f59d82ffSelric 140f59d82ffSelric2008-01-15 Love Hörnquist Åstrand <lha@it.su.se> 141f59d82ffSelric 142f59d82ffSelric * softp11.c: Support PINs to login to the store. 143f59d82ffSelric 144f59d82ffSelric * Makefile.am: add java pkcs11 test 145f59d82ffSelric 146f59d82ffSelric * test_java_pkcs11.in: first version of disable java test 147f59d82ffSelric 148f59d82ffSelric * softp11.c: Drop unused stuff. 149f59d82ffSelric 150f59d82ffSelric * cert.c: Spelling, Add hx509_cert_get_SPKI_AlgorithmIdentifier, 151f59d82ffSelric remove unused stuff, add hx509_context to some functions. 152f59d82ffSelric 153f59d82ffSelric * softp11.c: Add more glue to figure out what keytype this 154f59d82ffSelric certificate is using. 155f59d82ffSelric 156f59d82ffSelric2008-01-14 Love Hörnquist Åstrand <lha@it.su.se> 157f59d82ffSelric 158f59d82ffSelric * test_pkcs11.in: test debug 159f59d82ffSelric 160f59d82ffSelric * Add a PKCS11 provider supporting signing and verifing sigatures. 161f59d82ffSelric 162f59d82ffSelric2008-01-13 Love Hörnquist Åstrand <lha@it.su.se> 163f59d82ffSelric 164f59d82ffSelric * version-script.map: Replace hx509_name_to_der_name with 165f59d82ffSelric hx509_name_binary. 
166f59d82ffSelric 167f59d82ffSelric * print.c: make print_func static 168f59d82ffSelric 169f59d82ffSelric2007-12-26 Love Hörnquist Åstrand <lha@it.su.se> 170f59d82ffSelric 171f59d82ffSelric * print.c: doxygen 172f59d82ffSelric 173f59d82ffSelric * env.c: doxygen 174f59d82ffSelric 175f59d82ffSelric * doxygen.c: add more groups 176f59d82ffSelric 177f59d82ffSelric * ca.c: doxygen. 178f59d82ffSelric 179f59d82ffSelric2007-12-17 Love Hörnquist Åstrand <lha@it.su.se> 180f59d82ffSelric 181f59d82ffSelric * ca.c: doxygen 182f59d82ffSelric 183f59d82ffSelric2007-12-16 Love Hörnquist Åstrand <lha@it.su.se> 184f59d82ffSelric 185f59d82ffSelric * error.c: doxygen 186f59d82ffSelric 187f59d82ffSelric2007-12-15 Love Hörnquist Åstrand <lha@it.su.se> 188f59d82ffSelric 189f59d82ffSelric * More documentation 190f59d82ffSelric 191f59d82ffSelric * lock.c: Add page referance 192f59d82ffSelric 193f59d82ffSelric * keyset.c: some more documentation. 194f59d82ffSelric 195f59d82ffSelric * cms.c: Doxygen documentation. 196f59d82ffSelric 197f59d82ffSelric2007-12-11 Love Hörnquist Åstrand <lha@it.su.se> 198f59d82ffSelric 199f59d82ffSelric * *.[ch]: More documentation 200f59d82ffSelric 201f59d82ffSelric2007-12-09 Love Hörnquist Åstrand <lha@it.su.se> 202f59d82ffSelric 203f59d82ffSelric * handle refcount on NULL. 204f59d82ffSelric 205f59d82ffSelric * test_nist_pkcs12.in: drop echo -n, doesn't work with posix sh 206f59d82ffSelric 207f59d82ffSelric2007-12-08 Love Hörnquist Åstrand <lha@it.su.se> 208f59d82ffSelric 209f59d82ffSelric * test_nist2.in: Print that this is version 2 of the tests 210f59d82ffSelric 211f59d82ffSelric * test_nist.in: Drop printing of $id. 212f59d82ffSelric 213f59d82ffSelric * hx509.h: Add HX509_VHN_F_ALLOW_NO_MATCH. 214f59d82ffSelric 215f59d82ffSelric * name.c: spelling. 216f59d82ffSelric 217f59d82ffSelric * cert.c: make work the doxygen. 218f59d82ffSelric 219f59d82ffSelric * name.c: fix doxygen compiling. 
220f59d82ffSelric 221f59d82ffSelric * Makefile.am: add doxygen.c 222f59d82ffSelric 223f59d82ffSelric * doxygen.c: Add doxygen main page. 224f59d82ffSelric 225f59d82ffSelric * cert.c: Add doxygen. 226f59d82ffSelric 227f59d82ffSelric * revoke.c (_hx509_revoke_ref): new function. 228f59d82ffSelric 229f59d82ffSelric2007-11-16 Love Hörnquist Åstrand <lha@it.su.se> 230f59d82ffSelric 231f59d82ffSelric * ks_keychain.c: Check if SecKeyGetCSPHandle needs prototype. 232f59d82ffSelric 233f59d82ffSelric2007-08-16 Love Hörnquist Åstrand <lha@it.su.se> 234f59d82ffSelric 235f59d82ffSelric * data/nist-data: Make work on case senstive filesystems too. 236f59d82ffSelric 237f59d82ffSelric2007-08-09 Love Hörnquist Åstrand <lha@it.su.se> 238f59d82ffSelric 239f59d82ffSelric * cert.c: match rfc822 contrains better, provide better error 240f59d82ffSelric strings. 241f59d82ffSelric 242f59d82ffSelric2007-08-08 Love Hörnquist Åstrand <lha@it.su.se> 243f59d82ffSelric 244f59d82ffSelric * cert.c: "self-signed doesn't count" doesn't apply to trust 245f59d82ffSelric anchor certificate. make trust anchor check consistant. 246f59d82ffSelric 247f59d82ffSelric * revoke.c: make compile. 248f59d82ffSelric 249f59d82ffSelric * revoke.c (verify_crl): set error strings. 250f59d82ffSelric 251f59d82ffSelric * revoke.c (verify_crl): handle with the signer is the 252f59d82ffSelric CRLsigner (shortcut). 253f59d82ffSelric 254f59d82ffSelric * cert.c: Fix NC, comment on how to use _hx509_check_key_usage. 255f59d82ffSelric 256f59d82ffSelric2007-08-03 Love Hörnquist Åstrand <lha@it.su.se> 257f59d82ffSelric 258f59d82ffSelric * test_nist2.in, Makefile, test/nist*: Add nist pkits tests. 259f59d82ffSelric 260f59d82ffSelric * revoke.c: Update to use CERT_REVOKED error, shortcut out of OCSP 261f59d82ffSelric checking when OCSP reply is a revocation reply. 262f59d82ffSelric 263f59d82ffSelric * hx509_err.et: Make CERT_REVOKED error OCSP/CRL agnostic. 
264f59d82ffSelric 265f59d82ffSelric * name.c (_hx509_Name_to_string): make printableString handle 266f59d82ffSelric space (0x20) diffrences as required by rfc3280. 267f59d82ffSelric 268f59d82ffSelric * revoke.c: Search for the right issuer when looking for the 269f59d82ffSelric issuer of the CRL signer. 270f59d82ffSelric 271f59d82ffSelric2007-08-02 Love Hörnquist Åstrand <lha@it.su.se> 272f59d82ffSelric 273f59d82ffSelric * revoke.c: Handle CRL signing certificate better, try to not 274f59d82ffSelric revalidate invalid CRLs over and over. 275f59d82ffSelric 276f59d82ffSelric2007-08-01 Love Hörnquist Åstrand <lha@it.su.se> 277f59d82ffSelric 278f59d82ffSelric * cms.c: remove stale comment. 279f59d82ffSelric 280f59d82ffSelric * test_nist.in: Unpack PKITS_data.zip and run tests. 281f59d82ffSelric 282f59d82ffSelric * test_nist_cert.in: Adapt to new nist pkits framework. 283f59d82ffSelric 284f59d82ffSelric * test_nist_pkcs12.in: Adapt to new nist pkits framework. 285f59d82ffSelric 286f59d82ffSelric * Makefile.am: clean PKITS_data 287f59d82ffSelric 288f59d82ffSelric2007-07-16 Love Hörnquist Åstrand <lha@it.su.se> 289f59d82ffSelric 290f59d82ffSelric * Makefile.am: Add version-script.map to EXTRA_DIST 291f59d82ffSelric 292f59d82ffSelric2007-07-12 Love Hörnquist Åstrand <lha@it.su.se> 293f59d82ffSelric 294f59d82ffSelric * Makefile.am: Add depenency on asn1_compile for asn1 built files. 295f59d82ffSelric 296f59d82ffSelric2007-07-10 Love Hörnquist Åstrand <lha@it.su.se> 297f59d82ffSelric 298f59d82ffSelric * peer.c: update (c), indent. 299f59d82ffSelric 300f59d82ffSelric * Makefile.am: New library version. 301f59d82ffSelric 302f59d82ffSelric2007-06-28 Love Hörnquist Åstrand <lha@it.su.se> 303f59d82ffSelric 304f59d82ffSelric * ks_p11.c: Add sha2 types. 305f59d82ffSelric 306f59d82ffSelric * ref/pkcs11.h: Sync with scute. 307f59d82ffSelric 308f59d82ffSelric * ref/pkcs11.h: Add sha2 CKM's. 309f59d82ffSelric 310f59d82ffSelric * print.c: Print authorityInfoAccess. 
311f59d82ffSelric 312f59d82ffSelric * cert.c: Rename proxyCertInfo oid. 313f59d82ffSelric 314f59d82ffSelric * ca.c: Rename proxyCertInfo oid. 315f59d82ffSelric 316f59d82ffSelric * print.c: Rename proxyCertInfo oid. 317f59d82ffSelric 318f59d82ffSelric2007-06-26 Love Hörnquist Åstrand <lha@it.su.se> 319f59d82ffSelric 320f59d82ffSelric * test_ca.in: Adapt to new request handling. 321f59d82ffSelric 322f59d82ffSelric * req.c: Allow export some of the request parameters. 323f59d82ffSelric 324f59d82ffSelric * hxtool-commands.in: Adapt to new request handling. 325f59d82ffSelric 326f59d82ffSelric * hxtool.c: Adapt to new request handling. 327f59d82ffSelric 328f59d82ffSelric * test_req.in: Adapt to new request handling. 329f59d82ffSelric 330f59d82ffSelric * version-script.map: Add initialize_hx_error_table_r. 331f59d82ffSelric 332f59d82ffSelric * req.c: Move _hx509_request_print here. 333f59d82ffSelric 334f59d82ffSelric * hxtool.c: use _hx509_request_print 335f59d82ffSelric 336f59d82ffSelric * version-script.map: Export more crap^W semiprivate functions. 337f59d82ffSelric 338f59d82ffSelric * hxtool.c: don't _hx509_abort 339f59d82ffSelric 340f59d82ffSelric * version-script.map: add missing ; 341f59d82ffSelric 342f59d82ffSelric2007-06-25 Love Hörnquist Åstrand <lha@it.su.se> 343f59d82ffSelric 344f59d82ffSelric * cms.c: Use hx509_crypto_random_iv. 345f59d82ffSelric 346f59d82ffSelric * crypto.c: Split out the iv creation from hx509_crypto_encrypt 347f59d82ffSelric since _hx509_pbe_encrypt needs to use the iv from the s2k 348f59d82ffSelric function. 349f59d82ffSelric 350f59d82ffSelric * test_cert.in: Test PEM and DER FILE writing functionallity. 351f59d82ffSelric 352f59d82ffSelric * ks_file.c: Add writing DER certificates. 353f59d82ffSelric 354f59d82ffSelric * hxtool.c: Update to new hx509_pem_write(). 355f59d82ffSelric 356f59d82ffSelric * test_cms.in: test creation of PEM signeddata. 357f59d82ffSelric 358f59d82ffSelric * hx509.h: PEM struct/function declarations. 
359f59d82ffSelric 360f59d82ffSelric * ks_file.c: Use PEM encoding/decoding functions. 361f59d82ffSelric 362f59d82ffSelric * file.c: PEM encode/decoding functions. 363f59d82ffSelric 364f59d82ffSelric * ks_file.c: Use hx509_pem_write. 365f59d82ffSelric 366f59d82ffSelric * version-script.map: Export some semi-private functions. 367f59d82ffSelric 368f59d82ffSelric * hxtool.c: Enable writing out signed data as a pem attachment. 369f59d82ffSelric 370f59d82ffSelric * hxtool-commands.in (cms-create-signed): add --pem 371f59d82ffSelric 372f59d82ffSelric * file.c (hx509_pem_write): Add. 373f59d82ffSelric 374f59d82ffSelric * test_ca.in: Issue and test null subject cert. 375f59d82ffSelric 376f59d82ffSelric * cert.c: Match is first component is in a CN=. 377f59d82ffSelric 378f59d82ffSelric * test_ca.in: Test hostname if first CN. 379f59d82ffSelric 380f59d82ffSelric * Makefile.am: Add version script. 381f59d82ffSelric 382f59d82ffSelric * version-script.map: Limited exported symbols. 383f59d82ffSelric 384f59d82ffSelric * test_ca.in: test --hostname. 385f59d82ffSelric 386f59d82ffSelric * test_chain.in: test max-depth 387f59d82ffSelric 388f59d82ffSelric * hx509.h: fixate HX509_HN_HOSTNAME at 0. 389f59d82ffSelric 390f59d82ffSelric * hxtool-commands.in: add --hostname add --max-depth 391f59d82ffSelric 392f59d82ffSelric * cert.c: Verify hostname and max-depth. 393f59d82ffSelric 394f59d82ffSelric * hxtool.c: Verify hostname and test max-depth. 395f59d82ffSelric 396f59d82ffSelric2007-06-24 Love Hörnquist Åstrand <lha@it.su.se> 397f59d82ffSelric 398f59d82ffSelric * test_cms.in: Test --id-by-name. 399f59d82ffSelric 400f59d82ffSelric * hxtool-commands.in: add cms-create-sd --id-by-name 401f59d82ffSelric 402f59d82ffSelric * hxtool.c: Use HX509_CMS_SIGATURE_ID_NAME. 403f59d82ffSelric 404f59d82ffSelric * cms.c: Implement and use HX509_CMS_SIGATURE_ID_NAME. 405f59d82ffSelric 406f59d82ffSelric * hx509.h: Add HX509_CMS_SIGATURE_ID_NAME, use subject name for 407f59d82ffSelric CMS.Identifier. 
hx509_hostname_type: add hostname type for 408f59d82ffSelric matching. 409f59d82ffSelric 410f59d82ffSelric * cert.c (match_general_name): more strict rfc822Name matching. 411f59d82ffSelric (hx509_verify_hostname): add hostname type for matching. 412f59d82ffSelric 413f59d82ffSelric2007-06-19 Love Hörnquist Åstrand <lha@it.su.se> 414f59d82ffSelric 415f59d82ffSelric * hxtool.c: Make compile again. 416f59d82ffSelric 417f59d82ffSelric * hxtool.c: Added peap-server for to make windows peap clients 418f59d82ffSelric happy. 419f59d82ffSelric 420f59d82ffSelric * hxtool.c: Unify parse_oid code. 421f59d82ffSelric 422f59d82ffSelric * hxtool.c: Implement --content-type. 423f59d82ffSelric 424f59d82ffSelric * hxtool-commands.in: Add content-type. 425f59d82ffSelric 426f59d82ffSelric * test_cert.in: more cert and keyset tests. 427f59d82ffSelric 428f59d82ffSelric2007-06-18 Love Hörnquist Åstrand <lha@it.su.se> 429f59d82ffSelric 430f59d82ffSelric * revoke.c: Avoid stomping on NULL. 431f59d82ffSelric 432f59d82ffSelric * revoke.c: Avoid reusing i. 433f59d82ffSelric 434f59d82ffSelric * cert.c: Provide __attribute__ for _hx509_abort. 435f59d82ffSelric 436f59d82ffSelric * ks_file.c: Fail if not finding iv. 437f59d82ffSelric 438f59d82ffSelric * keyset.c: Avoid useing freed memory. 439f59d82ffSelric 440f59d82ffSelric * crypto.c: Free memory in failure case. 441f59d82ffSelric 442f59d82ffSelric * crypto.c: Free memory in failure case. 443f59d82ffSelric 444f59d82ffSelric2007-06-12 Love Hörnquist Åstrand <lha@it.su.se> 445f59d82ffSelric 446f59d82ffSelric * *.c: Add hx509_cert_init_data and use everywhere 447f59d82ffSelric 448f59d82ffSelric * hx_locl.h: Now that KEYCHAIN:system-anchors is fast again, use 449f59d82ffSelric that. 450f59d82ffSelric 451f59d82ffSelric * ks_keychain.c: Implement trust anchor support with 452f59d82ffSelric SecTrustCopyAnchorCertificates. 453f59d82ffSelric 454f59d82ffSelric * keyset.c: Set ref to 1 for the new object. 
455f59d82ffSelric 456f59d82ffSelric * cert.c: Fix logic for allow_default_trust_anchors 457f59d82ffSelric 458f59d82ffSelric * keyset.c: Add refcounting to keystores. 459f59d82ffSelric 460f59d82ffSelric * cert.c: Change logic for default trust anchors, make it be 461f59d82ffSelric either default trust anchor, the user supplied, or non at all. 462f59d82ffSelric 463f59d82ffSelric2007-06-08 Love Hörnquist Åstrand <lha@it.su.se> 464f59d82ffSelric 465f59d82ffSelric * Makefile.am: Add data/j.pem. 466f59d82ffSelric 467f59d82ffSelric * Makefile.am: Add test_windows.in. 468f59d82ffSelric 469f59d82ffSelric2007-06-06 Love Hörnquist Åstrand <lha@it.su.se> 470f59d82ffSelric 471f59d82ffSelric * ks_keychain.c: rename functions, leaks less memory and more 472f59d82ffSelric paranoia. 473f59d82ffSelric 474f59d82ffSelric * test_cms.in: Test cms peer-alg. 475f59d82ffSelric 476f59d82ffSelric * crypto.c (rsa_create_signature): make oid_id_pkcs1_rsaEncryption 477f59d82ffSelric mean rsa-with-sha1 but oid oid_id_pkcs1_rsaEncryption in algorithm 478f59d82ffSelric field. XXX should probably use another algorithmIdentifier for 479f59d82ffSelric this. 480f59d82ffSelric 481f59d82ffSelric * peer.c: Make free function return void. 482f59d82ffSelric 483f59d82ffSelric * cms.c (hx509_cms_create_signed_1): Use hx509_peer_info to select 484f59d82ffSelric the signature algorithm too. 485f59d82ffSelric 486f59d82ffSelric * hxtool-commands.in: Add cms-create-sd --peer-alg. 487f59d82ffSelric 488f59d82ffSelric * req.c: Use _hx509_crypto_default_sig_alg. 489f59d82ffSelric 490f59d82ffSelric * test_windows.in: Create crl, because everyone needs one. 491f59d82ffSelric 492f59d82ffSelric * Makefile.am: add wcrl.crl 493f59d82ffSelric 494f59d82ffSelric2007-06-05 Love Hörnquist Åstrand <lha@it.su.se> 495f59d82ffSelric 496f59d82ffSelric * hx_locl.h: Disable KEYCHAIN for now, its slow. 
497f59d82ffSelric 498f59d82ffSelric * cms.c: When we are not using pkcs7-data, avoid seing 499f59d82ffSelric signedAttributes since some clients get upset by that (pkcs7 based 500f59d82ffSelric or just plain broken). 501f59d82ffSelric 502f59d82ffSelric * ks_keychain.c: Provide rsa signatures. 503f59d82ffSelric 504f59d82ffSelric * ks_keychain.c: Limit the searches to the selected keychain. 505f59d82ffSelric 506f59d82ffSelric * ks_keychain.c: include -framework Security specific header files 507f59d82ffSelric after #ifdef 508f59d82ffSelric 509f59d82ffSelric * ks_keychain.c: Find and attach private key (does not provide 510f59d82ffSelric operations yet though). 511f59d82ffSelric 512f59d82ffSelric * ks_p11.c: Prefix rsa method with p11_ 513f59d82ffSelric 514f59d82ffSelric * ks_keychain.c: Allow opening a specific chain, making "system" 515f59d82ffSelric special and be the system X509Anchors file. By not specifing any 516f59d82ffSelric keychain ("KEYCHAIN:"), all keychains are probed. 517f59d82ffSelric 518f59d82ffSelric2007-06-04 Love Hörnquist Åstrand <lha@it.su.se> 519f59d82ffSelric 520f59d82ffSelric * hxtool.c (verify): Friendlier error message. 521f59d82ffSelric 522f59d82ffSelric * cert.c: Read in and use default trust anchors if they exists. 523f59d82ffSelric 524f59d82ffSelric * hx_locl.h: Add concept of default_trust_anchors. 525f59d82ffSelric 526f59d82ffSelric * ks_keychain.c: Remove err(), remove extra empty comment, fix 527f59d82ffSelric _iter function. 528f59d82ffSelric 529f59d82ffSelric * error.c (hx509_get_error_string): if the error code is not the 530f59d82ffSelric one we expect, punt and use the default com_err/strerror string 531f59d82ffSelric instead. 532f59d82ffSelric 533f59d82ffSelric * keyset.c (hx509_certs_merge): its ok to merge in the NULL set of 534f59d82ffSelric certs. 535f59d82ffSelric 536f59d82ffSelric * test_windows.in: Fix status string. 
537f59d82ffSelric 538f59d82ffSelric * ks_p12.c (store_func): free whole CertBag, not just the data 539f59d82ffSelric part. 540f59d82ffSelric 541f59d82ffSelric * print.c: Check that the self-signed cert is really self-signed. 542f59d82ffSelric 543f59d82ffSelric * print.c: Use selfsigned for CRL DP whine, tell if its a 544f59d82ffSelric self-signed. 545f59d82ffSelric 546f59d82ffSelric * print.c: Whine if its a non CA/proxy and doesn't have CRL DP. 547f59d82ffSelric 548f59d82ffSelric * ca.c: Add cRLSign to CA certs. 549f59d82ffSelric 550f59d82ffSelric * cert.c: Register NULL and KEYCHAIN. 551f59d82ffSelric 552f59d82ffSelric * ks_null.c: register the NULL keystore. 553f59d82ffSelric 554f59d82ffSelric * Makefile.am: Add ks_keychain.c and related libs. 555f59d82ffSelric 556f59d82ffSelric * test_crypto.in: Print certificate with utf8. 557f59d82ffSelric 558f59d82ffSelric * print.c: Leak less memory. 559f59d82ffSelric 560f59d82ffSelric * hxtool.c: Leak less memory. 561f59d82ffSelric 562f59d82ffSelric * print.c: Leak less memory, use functions that does same but 563f59d82ffSelric more. 564f59d82ffSelric 565f59d82ffSelric * name.c (quote_string): don't sign extend the (signed) char to 566f59d82ffSelric avoid printing too much, add an assert to check that we didn't 567f59d82ffSelric overrun the buffer. 568f59d82ffSelric 569f59d82ffSelric * name.c: Use right element out of the CHOICE for printableString 570f59d82ffSelric and utf8String 571f59d82ffSelric 572f59d82ffSelric * ks_keychain.c: Certificate only KeyChain backend. 573f59d82ffSelric 574f59d82ffSelric * name.c: Reset name before parsing it. 575f59d82ffSelric 576f59d82ffSelric2007-06-03 Love Hörnquist Åstrand <lha@it.su.se> 577f59d82ffSelric 578f59d82ffSelric * revoke.c (hx509_crl_*): fix sizeof() mistakes to fix memory 579f59d82ffSelric corruption. 580f59d82ffSelric 581f59d82ffSelric * hxtool.c: Add lifetime to crls. 582f59d82ffSelric 583f59d82ffSelric * hxtool-commands.in: Add lifetime to crls. 
584f59d82ffSelric 585f59d82ffSelric * revoke.c: Add lifetime to crls. 586f59d82ffSelric 587f59d82ffSelric * test_ca.in: More crl checks. 588f59d82ffSelric 589f59d82ffSelric * revoke.c: Add revoking certs. 590f59d82ffSelric 591f59d82ffSelric * hxtool-commands.in: argument is certificates.. for crl-sign 592f59d82ffSelric 593f59d82ffSelric * hxtool.c (certificate_copy): free lock 594f59d82ffSelric 595f59d82ffSelric * revoke.c: Fix hx509_set_error_string calls, add 596f59d82ffSelric hx509_crl_add_revoked_certs(), implement hx509_crl_{alloc,free}. 597f59d82ffSelric 598f59d82ffSelric * hxtool.c (crl_sign): free lock 599f59d82ffSelric 600f59d82ffSelric * cert.c (hx509_context_free): free querystat 601f59d82ffSelric 602f59d82ffSelric2007-06-02 Love Hörnquist Åstrand <lha@it.su.se> 603f59d82ffSelric 604f59d82ffSelric * test_chain.in: test ocsp-verify 605f59d82ffSelric 606f59d82ffSelric * revoke.c (hx509_ocsp_verify): explain what its useful for and 607f59d82ffSelric provide sane error message. 608f59d82ffSelric 609f59d82ffSelric * hx509_err.et: New error code, CERT_NOT_IN_OCSP 610f59d82ffSelric 611f59d82ffSelric * hxtool.c: New command ocsp-verify, check if ocsp contains all 612f59d82ffSelric certs and are valid (exist and non expired). 613f59d82ffSelric 614f59d82ffSelric * hxtool-commands.in: New command ocsp-verify. 615f59d82ffSelric 616f59d82ffSelric2007-06-01 Love Hörnquist Åstrand <lha@it.su.se> 617f59d82ffSelric 618f59d82ffSelric * test_ca.in: Create crl and verify that is works. 619f59d82ffSelric 620f59d82ffSelric * hxtool.c: Sign CRL command. 621f59d82ffSelric 622f59d82ffSelric * hx509.h: Add hx509_crl. 623f59d82ffSelric 624f59d82ffSelric * hxtool-commands.in: Add crl-sign commands. 625f59d82ffSelric 626f59d82ffSelric * revoke.c: Support to generate an empty CRL. 627f59d82ffSelric 628f59d82ffSelric * tst-crypto-select2: Switched default types. 629f59d82ffSelric 630f59d82ffSelric * tst-crypto-select1: Switched default types. 
631f59d82ffSelric 632f59d82ffSelric * ca.c: Use default AlgorithmIdentifier. 633f59d82ffSelric 634f59d82ffSelric * cms.c: Use default AlgorithmIdentifier. 635f59d82ffSelric 636f59d82ffSelric * crypto.c: Provide default AlgorithmIdentifier and use them. 637f59d82ffSelric 638f59d82ffSelric * hx_locl.h: Provide default AlgorithmIdentifier. 639f59d82ffSelric 640f59d82ffSelric * keyset.c (hx509_certs_find): collects stats for queries. 641f59d82ffSelric 642f59d82ffSelric * cert.c: Sort and print more info. 643f59d82ffSelric 644f59d82ffSelric * hx_locl.h: Add querystat to hx509_context. 645f59d82ffSelric 646f59d82ffSelric * test_*.in: sprinle stat saveing 647f59d82ffSelric 648f59d82ffSelric * Makefile.am: Add stat and objdir. 649f59d82ffSelric 650f59d82ffSelric * collector.c (_hx509_collector_alloc): return error code instead 651f59d82ffSelric of pointer. 652f59d82ffSelric 653f59d82ffSelric * hxtool.c: Add statistic hook. 654f59d82ffSelric 655f59d82ffSelric * ks_file.c: Update _hx509_collector_alloc prototype. 656f59d82ffSelric 657f59d82ffSelric * ks_p12.c: Update _hx509_collector_alloc prototype. 658f59d82ffSelric 659f59d82ffSelric * ks_p11.c: Update _hx509_collector_alloc prototype. 660f59d82ffSelric 661f59d82ffSelric * hxtool-commands.in: Add statistics hook. 662f59d82ffSelric 663f59d82ffSelric * cert.c: Statistics printing. 664f59d82ffSelric 665f59d82ffSelric * ks_p12.c: plug memory leak 666f59d82ffSelric 667f59d82ffSelric * ca.c (hx509_ca_tbs_add_crl_dp_uri): plug memory leak 668f59d82ffSelric 669f59d82ffSelric2007-05-31 Love Hörnquist Åstrand <lha@it.su.se> 670f59d82ffSelric 671f59d82ffSelric * print.c: print utf8 type SAN's 672f59d82ffSelric 673f59d82ffSelric * Makefile.am: Fix windows client cert name. 674f59d82ffSelric 675f59d82ffSelric * test_windows.in: Add crl-uri for the ee certs. 676f59d82ffSelric 677f59d82ffSelric * print.c: Printf formating. 678f59d82ffSelric 679f59d82ffSelric * ca.c: Add glue for adding CRL dps. 
680f59d82ffSelric 681f59d82ffSelric * test_ca.in: Readd the crl adding code, it works (somewhat) now. 682f59d82ffSelric 683f59d82ffSelric * print.c: Fix printing of CRL DPnames (I hate IMPLICIT encoded 684f59d82ffSelric structures). 685f59d82ffSelric 686f59d82ffSelric * hxtool-commands.in: make ca and alias of certificate-sign 687f59d82ffSelric 688f59d82ffSelric2007-05-30 Love Hörnquist Åstrand <lha@it.su.se> 689f59d82ffSelric 690f59d82ffSelric * crypto.c (hx509_crypto_select): copy AI to the right place. 691f59d82ffSelric 692f59d82ffSelric * hxtool-commands.in: Add ca --ms-upn. 693f59d82ffSelric 694f59d82ffSelric * hxtool.c: add --ms-upn and add more EKU's for pk-init client. 695f59d82ffSelric 696f59d82ffSelric * ca.c: Add hx509_ca_tbs_add_san_ms_upn and refactor code. 697f59d82ffSelric 698f59d82ffSelric * test_crypto.in: Resurect killed e. 699f59d82ffSelric 700f59d82ffSelric * test_crypto.in: check for aes256-cbc 701f59d82ffSelric 702f59d82ffSelric * tst-crypto-select7: check for aes256-cbc 703f59d82ffSelric 704f59d82ffSelric * test_windows.in: test windows stuff 705f59d82ffSelric 706f59d82ffSelric * hxtool.c: add ca --domain-controller option, add secret key 707f59d82ffSelric option to avaible. 708f59d82ffSelric 709f59d82ffSelric * ca.c: Add hx509_ca_tbs_set_domaincontroller. 710f59d82ffSelric 711f59d82ffSelric * hxtool-commands.in: add ca --domain-controller 712f59d82ffSelric 713f59d82ffSelric * hxtool.c: hook for testing secrety key algs 714f59d82ffSelric 715f59d82ffSelric * crypto.c: Add selection code for secret key crypto. 716f59d82ffSelric 717f59d82ffSelric * hx509.h: Add HX509_SELECT_SECRET_ENC. 718f59d82ffSelric 719f59d82ffSelric2007-05-13 Love Hörnquist Åstrand <lha@it.su.se> 720f59d82ffSelric 721f59d82ffSelric * ks_p11.c: add more mechtypes 722f59d82ffSelric 723f59d82ffSelric2007-05-10 Love Hörnquist Åstrand <lha@it.su.se> 724f59d82ffSelric 725f59d82ffSelric * print.c: Indent. 
726f59d82ffSelric 727f59d82ffSelric * hxtool-commands.in: add test-crypto command 728f59d82ffSelric 729f59d82ffSelric * hxtool.c: test crypto command 730f59d82ffSelric 731f59d82ffSelric * cms.c (hx509_cms_create_signed_1): if no eContentType is given, 732f59d82ffSelric use pkcs7-data. 733f59d82ffSelric 734f59d82ffSelric * print.c: add Netscape cert comment 735f59d82ffSelric 736f59d82ffSelric * crypto.c: Try both the empty password and the NULL 737f59d82ffSelric password (nothing vs the octet string \x00\x00). 738f59d82ffSelric 739f59d82ffSelric * print.c: Add some US Fed PKI oids. 740f59d82ffSelric 741f59d82ffSelric * ks_p11.c: Add some more hashes. 742f59d82ffSelric 743f59d82ffSelric2007-04-24 Love Hörnquist Åstrand <lha@it.su.se> 744f59d82ffSelric 745f59d82ffSelric * hxtool.c (crypto_select): stop memory leak 746f59d82ffSelric 747f59d82ffSelric2007-04-19 Love Hörnquist Åstrand <lha@it.su.se> 748f59d82ffSelric 749f59d82ffSelric * peer.c (hx509_peer_info_free): free memory used too 750f59d82ffSelric 751f59d82ffSelric * hxtool.c (crypto_select): only free peer if it was used. 752f59d82ffSelric 753f59d82ffSelric2007-04-18 Love Hörnquist Åstrand <lha@it.su.se> 754f59d82ffSelric 755f59d82ffSelric * hxtool.c: free template 756f59d82ffSelric 757f59d82ffSelric * ks_mem.c (mem_free): free key array too 758f59d82ffSelric 759f59d82ffSelric * hxtool.c: free private key and tbs 760f59d82ffSelric 761f59d82ffSelric * hxtool.c (hxtool_ca): free signer 762f59d82ffSelric 763f59d82ffSelric * hxtool.c (crypto_available): free peer too. 764f59d82ffSelric 765f59d82ffSelric * ca.c (get_AuthorityKeyIdentifier): leak less memory 766f59d82ffSelric 767f59d82ffSelric * hxtool.c (hxtool_ca): free SPKI 768f59d82ffSelric 769f59d82ffSelric * hxtool.c (hxtool_ca): free cert 770f59d82ffSelric 771f59d82ffSelric * ks_mem.c (mem_getkeys): allocate one more the we have elements 772f59d82ffSelric so its possible to store the NULL pointer at the end. 

2007-04-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: CLEANFILES += cert-null.pem cert-sub-ca2.pem

2007-02-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* ca.c: Disable CRLDistributionPoints for now, its IMPLICIT code
	in the asn1 parser.

	* print.c: Add some more \n's.

2007-02-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* file.c: Allow mapping using heim_octet_string.

	* hxtool.c: Add options to generate detached signatures.

	* cms.c: Add flags to generate detached signatures.

	* hx509.h: Flag to generate detached signatures.

	* test_cms.in: Support detached signatures.

	* name.c (hx509_general_name_unparse): unparse the other
	GeneralName nametypes.

	* print.c: Use less printf. Use hx509_general_name_unparse.

	* cert.c: Fix printing and plug leak-on-error.

2007-01-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_ca.in: Add test for ca --crl-uri.

	* hxtool.c: Add ca --crl-uri.

	* hxtool-commands.in: add ca --crl-uri

	* ca.c: Code to set CRLDistributionPoints in certificates.

	* print.c: Check CRLDistributionPointNames.

	* name.c (hx509_general_name_unparse): function for unparsing
	GeneralName, only supports GeneralName.URI

	* cert.c (is_proxy_cert): free info if we won't return it.

2007-01-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: Try to help how to use this command.

2007-01-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* switch to sha256 as default digest for signing

2007-01-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_ca.in: Really test sub-ca code, add basic constraints tests

2007-01-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Fix makefile problem.

2007-01-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: Set num of bits before we generate the key.

2007-01-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c (hx509_cms_create_signed_1): use hx509_cert_binary

	* ks_p12.c (store_func): use hx509_cert_binary

	* ks_file.c (store_func): use hx509_cert_binary

	* cert.c (hx509_cert_binary): return binary encoded
	certificate (DER format)

2007-01-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* ca.c (hx509_ca_tbs_subject_expand): new function.

	* name.c (hx509_name_expand): if env is NULL, return directly

	* test_ca.in: test template handling

	* hx509.h: Add template flags.

	* Makefile.am: clean out new files

	* hxtool.c: Add certificate template processing, fix hx509_err
	usage.

	* hxtool-commands.in: Add certificate template processing.

	* ca.c: Add certificate template processing. Fix return messages
	from hx509_ca_tbs_add_eku.

	* cert.c: Export more stuff from certificate.

2007-01-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* ca.c: update (c)

	* ca.c: (hx509_ca_tbs_add_eku): filter out dups.

	* hxtool.c: Add type email and add email eku when using option
	--email.

	* Makefile.am: add env.c

	* name.c: Remove abort, add error handling.

	* test_name.c: test name expansion

	* name.c: add hx509_name_expand

	* env.c: key-value pair help functions

2007-01-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* ca.c: Don't issue certs with subject DN that is NULL and have no
	SANs

	* print.c: Fix previous test.

	* print.c: Check there is a SAN if subject DN is NULL.

	* test_ca.in: test email, null subject dn

	* hxtool.c: Allow setting parameters to private key generation.

	* hx_locl.h: Allow setting parameters to private key generation.

	* crypto.c: Allow setting parameters to private key generation.

	* hxtool.c (eval_types): add jid if user gave one

	* hxtool-commands.in (certificate-sign): add --jid

	* ca.c (hx509_ca_tbs_add_san_jid): Allow adding
	id-pkix-on-xmppAddr OtherName.

	* print.c: Print id-pkix-on-xmppAddr OtherName.

2007-01-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* no random, no RSA/DH tests

	* hxtool.c (info): print status of random generator

	* Makefile.am: remove files created by tests

	* error.c: constify

	* name.c: constify

	* revoke.c: constify

	* hx_locl.h: constify

	* keyset.c: constify

	* ks_p11.c: constify

	* hx_locl.h: make printinfo char * argument const.

	* cms.c: move _hx509_set_digest_alg from cms.c to crypto.c since
	its only used there.

	* crypto.c: remove no longer used stuff, move set_digest_alg here
	from cms.c since its only used here.

	* Makefile.am: add data/test-nopw.p12 to EXTRA_DIST

2007-01-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* print.c: BasicConstraints vs criticality bit is complicated and
	not really possible to evaluate on its own, silly RFC3280.

	* ca.c: Make basicConstraints critical if this is a CA.

	* print.c: fix the version vs extension test

	* print.c: More validation checks.

	* name.c (hx509_name_cmp): add

2007-01-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c (collect_private_key): Missing CKA_MODULUS is ok
	too (XXX why should these be fetched given they are not used).

	* test_ca.in: rename all files to PEM files, since that is what
	they are.

	* hxtool.c: copy out the key with the self signed CA cert

	* Factor out private key operation out of the signing, operations,
	support import, export, and generation of private keys. Add
	support for writing PEM and PKCS12 files with private keys in them.

	* data/gen-req.sh: Generate a no password pkcs12 file.

2007-01-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c: Check for internal ASN1 encoder error.

2007-01-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Drop most of the pkcs11 files.

	* test_ca.in: test reissuing ca certificate (xxx time
	validAfter).

	* hxtool.c: Allow setting serialNumber (needed for reissuing
	certificates) Change --key argument to --out-key.

	* hxtool-commands.in (issue-certificate): Allow setting
	serialNumber (needed for reissuing certificates), Change --key
	argument to --out-key.

	* ref: Replace with Marcus Brinkmann of g10 Code GmbH pkcs11
	headerfile that is compatible with GPL (file taken from scute)

2007-01-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_ca.in: Test to generate key and use them.

	* hxtool.c: handle other keys the pkcs10 requested keys

	* hxtool-commands.in: add generate key commands

	* req.c (_hx509_request_to_pkcs10): PKCS10 needs to have a subject

	* hxtool-commands.in: Spelling.

	* ca.c (hx509_ca_tbs_set_proxy): allow negative pathLenConstraint
	to signal no limit

	* ks_file.c: Try all formats on the binary file before giving up,
	this way we can handle binary rsa keys too.

	* data/key2.der: new test key

2007-01-04  David Love  <fx@gnu.org>

	* Makefile.am (hxtool_LDADD): Add libasn1.la

	* hxtool.c (pcert_verify): Fix format string.

2006-12-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: Allow setting path length

	* cert.c: Fix test for proxy certs chain length, it was too
	restrictive.

	* data: regen

	* data/openssl.cnf: (proxy_cert) make length 0

	* test_ca.in: Issue a long living cert.

	* hxtool.c: add --lifetime to ca command.

	* hxtool-commands.in: add --lifetime to ca command.

	* ca.c: allow setting notBefore and notAfter.

	* test_ca.in: Test generation of proxy certificates.

	* ca.c: Allow generation of proxy certificates, always include
	BasicConstraints, fix error codes.

	* hxtool.c: Allow generation of proxy certificates.

	* test_name.c: make hx509_parse_name take a hx509_context.

	* name.c: Split building RDN to a separate function.

2006-12-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: clean test_ca files.

	* test_ca.in: test issuing self-signed and CA certificates.

	* hxtool.c: Add bits to allow issuing self-signed and CA
	certificates.

	* hxtool-commands.in: Add bits to allow issuing self-signed and CA
	certificates.

	* ca.c: Add bits to allow issuing CA certificates.

	* revoke.c: use new OCSPSigning.

	* ca.c: Add Subject Key Identifier.

	* ca.c: Add Authority Key Identifier.

	* cert.c: Locally export _hx509_find_extension_subject_key_id.
	Handle AuthorityKeyIdentifier where only authorityCertSerialNumber
	and authorityCertSerialNumber is set.

	* hxtool-commands.in: Add dnsname and rfc822 SANs.

	* test_ca.in: Test dnsname and rfc822 SANs.

	* ca.c: Add dnsname and rfc822 SANs.

	* hxtool.c: Add dnsname and rfc822 SANs.

	* test_ca.in: test adding eku, ku and san to the
	certificate (https and pk-init)

	* hxtool.c: Add eku, ku and san to the certificate.

	* ca.c: Add eku, ku and san to the certificate.

	* hxtool-commands.in: Add --type and --pk-init-principal

	* ocsp.asn1: remove id-kp-OCSPSigning, its in rfc2459.asn1 now

2006-12-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* ca.c: Add KeyUsage extension.

	* Makefile.am: add ca.c, add sign-certificate tests.

	* crypto.c: Add _hx509_create_signature_bitstring.

	* hxtool-commands.in: Add the sign-certificate tool.

	* hxtool.c: Add the sign-certificate tool.

	* cert.c: Add HX509_QUERY_OPTION_KU_KEYCERTSIGN.

	* hx509.h: Add hx509_ca_tbs and HX509_QUERY_OPTION_KU_KEYCERTSIGN.

	* test_ca.in: Basic test of generating a pkcs10 request, signing
	it and verifying the chain.

	* ca.c: Naive certificate signer.

2006-12-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: add hxtool_hex

2006-12-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: use top_builddir for libasn1.la

2006-12-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c (print_certificate): print serial number.

	* name.c (no): add S=stateOrProvinceName

2006-12-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* crypto.c (_hx509_private_key_assign_rsa): set a default sig alg

	* ks_file.c (try_decrypt): pass down AlgorithmIdentifier that key
	uses to do signatures so there is no need to hardcode RSA into this
	function.

2006-12-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_file.c: Pass filename to the parse functions and use it in
	the error messages

	* test_chain.in: test proxy cert (third level)

	* hx509_err.et: fix errorstring for PROXY_CERT_NAME_WRONG

	* data: regen

	* Makefile.am: EXTRA_DIST: add
	data/proxy10-child-child-test.{key,crt}

	* data/gen-req.sh: Fix names and restrictions on the proxy
	certificates

	* cert.c: Clarify and make proxy cert handling work for multiple
	levels, before it was too restrictive. More helpful error message.

2006-12-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* cert.c (check_key_usage): tell what keyusages are missing

	* print.c: Split OtherName printing code to a oid lookup and print
	function.

	* print.c (Time2string): print hour as hour not min

	* Makefile.am: CLEANFILES += test

2006-12-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am (EXTRA_DIST): add data/pkinit-proxy* files

	* Makefile.am (EXTRA_DIST): add tst-crypto* files

	* cert.c (hx509_query_match_issuer_serial): make a copy of the
	data

	* cert.c (hx509_query_match_issuer_serial): allow matching on
	issuer and serial num

	* cert.c (_hx509_calculate_path): add flag to allow leaving out
	trust anchor

	* cms.c (hx509_cms_create_signed_1): when building the path, omit
	the trust anchors.

	* crypto.c (rsa_create_signature): Abort when signature is longer,
	not shorter.

	* cms.c: Provide time to _hx509_calculate_path so we don't send no
	longer valid certs to our peer.

	* cert.c (find_parent): when checking for certs and its not a
	trust anchor, require time be in range.
	(_hx509_query_match_cert): Add time validity-testing to query mask

	* hx_locl.h: add time validity-testing to query mask

	* test_cms.in: Tests for CMS SignedData with incomplete chain from
	the signer.

2006-11-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c (hx509_cms_verify_signed): specify what signature we
	failed to verify

	* Makefile.am: Depend on LIB_com_err for AIX.

	* keyset.c: Remove another strndup that causes AIX to fall over.

	* cert.c: Don't check the trust anchors expiration time since they
	are transported out of band, from RFC3820.

	* cms.c: sprinkle more error strings

	* crypto.c: sprinkle more error strings

	* hxtool.c: use unsigned int as counter to fit better with the
	asn1 compiler

	* crypto.c: use unsigned int as counter to fit better with the
	asn1 compiler

2006-11-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c: Remove trailing white space.

	* crypto.c: rewrite comment to make more sense

	* crypto.c (hx509_crypto_select): check sig_algs[j]->key_oid

	* hxtool-commands.in (crypto-available): add --type

	* crypto.c (hx509_crypto_available): let alg pass if its keyless

	* hxtool-commands.in: Expand crypto-select

	* cms.c: Rename hx509_select to hx509_crypto_select.

	* hxtool-commands.in: Add crypto-select and crypto-available.

	* hxtool.c: Add crypto-select and crypto-available.

	* crypto.c (hx509_crypto_available): use right index.
	(hx509_crypto_free_algs): new function

	* crypto.c (hx509_crypto_select): improve
	(hx509_crypto_available): new function

2006-11-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* cert.c: Sprinkle more error string and hx509_contexts.

	* cms.c: Sprinkle more error strings.

	* crypto.c: Sprinkle error string and hx509_contexts.

	* crypto.c: Add some more comments about how this works.

	* crypto.c (hx509_select): new function.

	* Makefile.am: add peer.c

	* hxtool.c: Update hx509_cms_create_signed_1.

	* hx_locl.h: add struct hx509_peer_info

	* peer.c: Allow selection of digest/sig-alg

	* cms.c: Allow selection of a better digest using hx509_peer_info.

	* revoke.c: Handle that _hx509_verify_signature takes a context.

	* cert.c: Handle that _hx509_verify_signature takes a context.

2006-11-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c: Sprinkle error strings.

	* crypto.c: Sprinkle context and error strings.

2006-11-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* name.c: Handle printing and parsing raw oids in name.

2006-11-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* cert.c (_hx509_calculate_path): allow to calculate optimistic
	path when we don't know the trust anchors, just follow the chain
	upward until we no longer find a parent or we hit the max limit.

	* cms.c (hx509_cms_create_signed_1): provide a best effort path to
	the trust anchors to be stored in the SignedData packet, if find
	parents until trust anchor or max length.

	* data: regen

	* data/gen-req.sh: Build pk-init proxy cert.

2006-11-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* error.c (hx509_get_error_string): Put ", " between strings in
	error message.

2006-11-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* data/openssl.cnf: Change realm to TEST.H5L.SE

2006-11-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* revoke.c: Sprinkle error strings.

2006-11-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* hx_locl.h: add context variable to cmp function.

	* cert.c (hx509_query_match_cmp_func): allow setting the match
	function.

2006-10-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c: Return less EINVAL.

	* hx509_err.et: add more pkcs11 errors

	* hx509_err.et: more error-codes

	* revoke.c: Return less EINVAL.

	* ks_dir.c: sprinkle more hx509_set_error_string

	* ks_file.c: Return less EINVAL.

	* hxtool.c: Pass in context to _hx509_parse_private_key.

	* ks_file.c: Sprinkle more hx509_context so we can return proper
	errors.

	* hx509_err.et: add HX509_PARSING_KEY_FAILED

	* crypto.c: Sprinkle more hx509_context so we can return proper
	errors.

	* collector.c: No more EINVAL.

	* hx509_err.et: add HX509_LOCAL_ATTRIBUTE_MISSING

	* cert.c (hx509_cert_get_base_subject): one less EINVAL
	(_hx509_cert_private_decrypt): one less EINVAL

2006-10-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* collector.c: indent

	* hxtool.c: Try to not leak memory.

	* req.c: clean memory before free

	* crypto.c (_hx509_private_key2SPKI): indent

	* req.c: Try to not leak memory.

2006-10-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_crypto.in: Read 50 kilobyte random data

	* revoke.c: Try to not leak memory.

	* hxtool.c: Try to not leak memory.

	* crypto.c (hx509_crypto_destroy): free oid.

	* error.c: Clean error string on failure just to make sure.

	* cms.c: Try to not leak memory (again).

	* hxtool.c: use a sensible content type

	* cms.c: Try harder to free certificate.

2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Add make check data.

2006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c (p11_list_keys): make element of search_data[0]
	constants and set them later

	* Makefile.am: Add more files.

2006-10-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_file.c: set ret, remember to free ivdata

2006-10-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* hx_locl.h: Include <parse_bytes.h>.

	* test_crypto.in: Test random-data.

	* hxtool.c: RAND_bytes() return 1 for cryptographic strong data,
	check for that.

	* Makefile.am: clean random-data

	* hxtool.c: Add random-data command, use sl_slc_help.

	* hxtool-commands.in: Add random-data.

	* ks_p12.c: Remember to release certs.

	* ks_p11.c: Remember to release certs.

2006-10-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* prefix der primitives with der_

	* lock.c: Match the prompt type PROMPT exact.

	* hx_locl.h: Drop heim_any.h

2006-10-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c (p11_release_module): j needs to be used as inter loop
	index. From Douglas Engert.

	* ks_file.c (parse_rsa_private_key): try all passwords and
	prompter.

2006-10-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_*.in: Parameterise the invocation of hxtool, so we can make
	it run under TESTS_ENVIRONMENT. From Andrew Bartlett

2006-10-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_crypto.in: Put all test stuck at 2006-09-25 since all their
	chains were valid then.

	* hxtool.c: Implement --time= option.

	* hxtool-commands.in: Add option time.

	* Makefile.am: test_name is a PROGRAM_TESTS

	* ks_p11.c: Return HX509_PKCS11_NO_SLOT when there are no slots
	and HX509_PKCS11_NO_TOKEN when there are no token. For use in PAM
	modules that want to detect when to use smartcard login and when
	not to. Patched based on code from Douglas Engert.

	* hx509_err.et: Add new pkcs11 related errors in a new section:
	keystore related error. Patched based on code from Douglas
	Engert.

2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Make dependency for slc built files just like
	everywhere else.

	* cert.c: Add all openssl algs and init asn1 et

2006-10-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_file.c (parse_rsa_private_key): free type earlier.

	* ks_file.c (parse_rsa_private_key): free type after use

	* name.c (_hx509_Name_to_string): remove dup const

2006-10-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Add more libs to libhx509

2006-10-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c: Fix double free's, NULL ptr de-reference, and conform
	better to pkcs11. From Douglas Engert.

	* ref: remove ^M, it breaks solaris 10s cc. From Harald Barth

2006-09-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_crypto.in: Bleichenbacher bad cert from Ralf-Philipp
	Weinmann and Andrew Pyshkin, pad right.

	* data: starfield test root cert and Ralf-Philipp and Andreis
	correctly padded bad cert

2006-09-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_crypto.in: Add test for yutaka certs.

	* cert.c: Add a strict rfc3280 verification flag. rfc3280 requires
	certificates to have KeyUsage.keyCertSign if they are to be used
	for signing of certificates, but the step in the verification is
	optional.

	* hxtool.c: Improve printing and error reporting.

2006-09-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_crypto.in,Makefile.am,data/bleichenbacher-{bad,good}.pem:
	test bleichenbacher from eay

2006-09-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: Make common function for all getarg_strings and
	hx509_certs_append commonly used.

	* cms.c: HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT is a negative
	flag, treat it as such.

2006-09-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* req.c: Use the new add_GeneralNames function.

	* hx509.h: Add HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT.

	* ks_p12.c: Adapt to new signature of hx509_cms_unenvelope.

	* hxtool.c: Adapt to new signature of hx509_cms_unenvelope.

	* cms.c: Allow passing in encryptedContent and flag. Add new flag
	HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT.

2006-09-08 Love Hörnquist Åstrand <lha@it.su.se>

	* ks_p11.c: cast void * to char * when using it for %s formatting
	in printf.

	* name.c: New function _hx509_Name_to_string.

2006-09-07 Love Hörnquist Åstrand <lha@it.su.se>

	* ks_file.c: Sprinkle error messages.

	* cms.c: Sprinkle even more error messages.

	* cms.c: Sprinkle some error messages.

	* cms.c (find_CMSIdentifier): only free string when we allocated
	one.

	* ks_p11.c: Don't build most of the pkcs11 module if there is no
	dlopen().

2006-09-06 Love Hörnquist Åstrand <lha@it.su.se>

	* cms.c (hx509_cms_unenvelope): try to save the error string from
	find_CMSIdentifier so we have one more bit of information what
	went wrong.

	* hxtool.c: More pretty printing, make verify_signed return the
	error string from the library.

	* cms.c: Try returning what certificates failed to parse or be
	found.

	* ks_p11.c (p11_list_keys): fetch CKA_LABEL and use it to set the
	friendlyname for the certificate.

2006-09-05 Love Hörnquist Åstrand <lha@it.su.se>

	* crypto.c: check that there are no extra bytes in the checksum
	and that the parameters are NULL or the NULL-type. All to avoid
	having excess data that can be used to fake the signature.

	* hxtool.c: print keyusage

	* print.c: add hx509_cert_keyusage_print, simplify oid printing

	* cert.c: add _hx509_cert_get_keyusage

	* ks_p11.c: keep one session around for the whole life of the keyset

	* test_query.in: tests more selection

	* hxtool.c: improve pretty printing in print and query

	* hxtool{.c,-commands.in}: add selection on KU and printing to query

	* test_cms.in: Add cms test for digitalSignature and
	keyEncipherment certs.

	* name.c (no): Add serialNumber

	* ks_p11.c (p11_get_session): return better error messages

2006-09-04 Love Hörnquist Åstrand <lha@it.su.se>

	* ref: update to pkcs11 reference files 2.20

	* ks_p11.c: add more mechflags

	* name.c (no): add OU and sort

	* revoke.c: pass context to _hx509_create_signature

	* ks_p11.c (p11_printinfo): print proper plural s

	* ks_p11.c: save the mechs supported when initing the token, print
	them in printinfo.

	* hx_locl.h: Include <parse_units.h>.

	* cms.c: pass context to _hx509_create_signature

	* req.c: pass context to _hx509_create_signature

	* keyset.c (hx509_certs_info): print information about the keyset.

	* hxtool.c (pcert_print): print keystore info when --info flag is
	given.

	* hxtool-commands.in: Add hxtool print --info.

	* test_query.in: Test hxtool print --info.

	* hx_locl.h (hx509_keyset_ops): add printinfo

	* crypto.c: Start to hang the private key operations of the
	private key, pass hx509_context to create_checksum.

2006-05-29 Love Hörnquist Åstrand <lha@it.su.se>

	* ks_p11.c: Iterate over all slots, not just the first/selected
	one.

2006-05-27 Love Hörnquist Åstrand <lha@it.su.se>

	* cert.c: Add release function for certificates so backend knows
	when it's no longer used.

	* ks_p11.c: Add reference counting on certificates, push out
	CK_SESSION_HANDLE from slot.

	* cms.c: sprinkle more hx509_clear_error_string

2006-05-22 Love Hörnquist Åstrand <lha@it.su.se>

	* ks_p11.c: Sprinkle some hx509_set_error_strings

2006-05-13 Love Hörnquist Åstrand <lha@it.su.se>

	* hxtool.c: Avoid shadowing.

	* revoke.c: Avoid shadowing.

	* ks_file.c: Avoid shadowing.

	* cert.c: Avoid shadowing.

2006-05-12 Love Hörnquist Åstrand <lha@it.su.se>

	* lock.c (hx509_prompt_hidden): reshuffle to avoid gcc warning

	* hx509.h: Reshuffle the prompter types, remove the hidden field.

	* lock.c (hx509_prompt_hidden): return if the prompt should be
	hidden or not

	* revoke.c (hx509_revoke_free): allow free of NULL.

2006-05-11 Love Hörnquist Åstrand <lha@it.su.se>

	* ks_file.c (file_init): Avoid shadowing ret (and thus avoiding
	crashing).

	* ks_dir.c: Implement DIR: caches using FILE: caches.

	* ks_p11.c: Catch more errors.

2006-05-08 Love Hörnquist Åstrand <lha@it.su.se>

	* crypto.c (hx509_crypto_encrypt): free correctly in error
	path. From Andrew Bartlett.

	* crypto.c: If RAND_bytes fails, then we will attempt to
	double-free crypt->key.data. From Andrew Bartlett.

2006-05-05 Love Hörnquist Åstrand <lha@it.su.se>

	* name.c: Rename u_intXX_t to uintXX_t

2006-05-03 Love Hörnquist Åstrand <lha@it.su.se>

	* TODO: More to do about the PKCS11 code.

	* ks_p11.c: Use the prompter from the lock function.

	* lock.c: Deal with that hx509_prompt.reply is no longer a
	pointer.

	* hx509.h: Make hx509_prompt.reply not a pointer.

2006-05-02 Love Hörnquist Åstrand <lha@it.su.se>

	* keyset.c: Sprinkle setting error strings.

	* crypto.c: Sprinkle setting error strings.

	* collector.c: Sprinkle setting error strings.

	* cms.c: Sprinkle setting error strings.

2006-05-01 Love Hörnquist Åstrand <lha@it.su.se>

	* test_name.c: renamed one error code

	* name.c: renamed one error code

	* ks_p11.c: _hx509_set_cert_attribute changed signature

	* hxtool.c (pcert_print): use hx509_err so I can test it

	* error.c (hx509_set_error_stringv): clear errors on malloc
	failure

	* hx509_err.et: Add some more errors

	* cert.c: Sprinkle setting error strings.

	* cms.c: _hx509_path_append changed signature.

	* revoke.c: changed signature of _hx509_check_key_usage

	* keyset.c: changed signature of _hx509_query_match_cert

	* hx509.h: Add support for error strings.

	* cms.c: changed signature of _hx509_check_key_usage

	* Makefile.am: ibhx509_la_files += error.c

	* ks_file.c: Sprinkle setting error strings.

	* cert.c: Sprinkle setting error strings.

	* hx_locl.h: Add support for error strings.

	* error.c: Add string error handling functions.

	* keyset.c (hx509_certs_init): pass the right error code back

2006-04-30 Love Hörnquist Åstrand <lha@it.su.se>

	* revoke.c: Revert previous patch.
	(hx509_ocsp_verify): new function that returns the expiration of
	certificate in ocsp data-blob

	* cert.c: Reverse previous patch, let's do it another way.

	* cert.c (hx509_revoke_verify): update usage

	* revoke.c: Make compile.

	* revoke.c: Add the expiration time the crl/ocsp info expire

	* name.c: Add hx509_name_is_null_p

	* cert.c: remove _hx509_cert_private_sigature

2006-04-29 Love Hörnquist Åstrand <lha@it.su.se>

	* name.c: Expose more of Name.

	* hxtool.c (main): add missing argument to printf

	* data/openssl.cnf: Add EKU for the KDC certificate

	* cert.c (hx509_cert_get_base_subject): reject un-canon proxy
	certs, not the reverse
	(add_to_list): constify and fix argument order to
	copy_octet_string
	(hx509_cert_find_subjectAltName_otherName): make work

2006-04-28 Love Hörnquist Åstrand <lha@it.su.se>

	* data/{pkinit,kdc}.{crt,key}: pkinit certificates

	* data/gen-req.sh: Generate pkinit certificates.

	* data/openssl.cnf: Add pkinit glue.

	* cert.c (hx509_verify_hostname): implement stub function

2006-04-27 Love Hörnquist Åstrand <lha@it.su.se>

	* TODO: CRL delta support

2006-04-26 Love Hörnquist Åstrand <lha@it.su.se>

	* data/.cvsignore: ignore leftover from OpenSSL cert generation

	* hx509_err.et: Add name malformatted error

	* name.c (hx509_parse_name): don't abort on error, rather return
	error

	* test_name.c: Test failure parsing name.

	* cert.c: When verifying certificates, store subject basename for
	later consumption.

	* test_name.c: test to parse and print name and check that they
	are the same.

	* name.c (hx509_parse_name): fix length argument to printf string

	* name.c (hx509_parse_name): fix length argument to stringtooid, 1
	too short.

	* cert.c: remove debug printf's

	* name.c (hx509_parse_name): make compile pre c99

	* data/gen-req.sh: OpenSSL has a serious issue of user confusion:
	-subj in -ca takes the arguments in LDAP order. -subj for x509
	takes it in x509 order.

	* cert.c (hx509_verify_path): handle the case where there are two
	proxy certs in a chain.

	* test_chain.in: enable two proxy certificates in a chain test

	* test_chain.in: tests proxy certificates

	* data: re-gen

	* data/gen-req.sh: build proxy certificates

	* data/openssl.cnf: add def for proxy10_cert

	* hx509_err.et: Add another proxy certificate error.

	* cert.c (hx509_verify_path): Need to mangle name to remove the CN
	of the subject, copying issuer only works for one level but is
	better than doing no checking at all.

	* hxtool.c: Add verify --allow-proxy-certificate.

	* hxtool-commands.in: add verify --allow-proxy-certificate

	* hx509_err.et: Add proxy certificate errors.

	* cert.c: Fix comment about subject name of proxy certificate.

	* test_chain.in: tests for proxy certs

	* data/gen-req.sh: gen proxy and non-proxy tests certificates

	* data/openssl.cnf: Add definition for proxy certs

	* data/*proxy-test.*: Add proxy certificates

	* cert.c (hx509_verify_path): verify proxy certificate have no san
	or ian

	* cert.c (hx509_verify_set_proxy_certificate): Add
	(*): rename policy cert to proxy cert

	* cert.c: Initial support for proxy certificates.

2006-04-24 Love Hörnquist Åstrand <lha@it.su.se>

	* hxtool.c: some error checking

	* name.c: Switch over to asn1 generated oids.

	* TODO: merge with old todo file

2006-04-23 Love Hörnquist Åstrand <lha@it.su.se>

	* test_query.in: make quiet

	* test_req.in: SKIP test if there is no RSA support.

	* hxtool.c: print dh method too

	* test_chain.in: SKIP test if there is no RSA support.

	* test_cms.in: SKIP test if there is no RSA support.

	* test_nist.in: SKIP test if there is no RSA support.

2006-04-22 Love Hörnquist Åstrand <lha@it.su.se>

	* hxtool-commands.in: Allow passing in pool and anchor to
	signedData

	* hxtool.c: Allow passing in pool and anchor to signedData

	* test_cms.in: Test that certs in signed data are picked up.

	* hx_locl.h: Expose the path building function to internal
	functions.

	* cert.c: Expose the path building function to internal functions.

	* hxtool-commands.in: cms-envelope: Add support for choosing the
	encryption type

	* hxtool.c (cms_create_enveloped): Add support for choosing the
	encryption type

	* test_cms.in: Test generating des-ede3 aes-128 aes-256 enveloped
	data

	* crypto.c: Add names to cipher types.

	* cert.c (hx509_query_match_friendly_name): fix return value

	* data/gen-req.sh: generate tests for enveloped data using
	des-ede3 and aes256

	* test_cms.in: add tests for enveloped data using des-ede3 and
	aes256

	* cert.c (hx509_query_match_friendly_name): New function.

2006-04-21 Love Hörnquist Åstrand <lha@it.su.se>

	* ks_p11.c: Add support for parsing slot-number.

	* crypto.c (oid_private_rc2_40): simply

	* crypto.c: Use oids from asn1 generator.

	* ks_file.c (file_init): reset length when done with a part

	* test_cms.in: check with test.combined.crt.

	* data/gen-req.sh: Create test.combined.crt.

	* test_cms.in: Test signed data using keyfile that is encrypted.

	* ks_file.c: Remove (commented out) debug printf

	* ks_file.c (parse_rsa_private_key): use EVP_get_cipherbyname

	* ks_file.c (parse_rsa_private_key): make working for one
	password.

	* ks_file.c (parse_rsa_private_key): Implement enough for
	testing.

	* hx_locl.h: Add <ctype.h>

	* ks_file.c: Add glue code for PEM encrypted password files.

	* test_cms.in: Add commented out password protected PEM file,
	remove password for those tests that don't need it.

	* test_cms.in: adapt test now that we can use any certificate and
	trust anchor

	* collector.c: handle PEM RSA PRIVATE KEY files

	* cert.c: Remove unused function.

	* ks_dir.c: move code here from ks_file.c now that it's no longer
	used.

	* ks_file.c: Add support for parsing unencrypted RSA PRIVATE KEY

	* crypto.c: Handle rsa private keys better.

2006-04-20 Love Hörnquist Åstrand <lha@it.su.se>

	* hxtool.c: Use hx509_cms_{,un}wrap_ContentInfo

	* cms.c: Make hx509_cms_{,un}wrap_ContentInfo usable in asn1
	un-aware code.

	* cert.c (hx509_verify_path): if trust anchor is not self signed,
	don't check sig. From Douglas Engert.

	* test_chain.in: test "sub-cert -> sub-ca"

	* crypto.c: Use the right length for the sha256 checksums.

2006-04-15 Love Hörnquist Åstrand <lha@it.su.se>

	* crypto.c: Fix breakage from sha256 code.

	* crypto.c: Add SHA256 support, and symbols for the other new
	SHA-2 types.

2006-04-14 Love Hörnquist Åstrand <lha@it.su.se>

	* test_cms.in: test rc2-40 rc2-64 rc2-128 enveloped data

	* data/test-enveloped-rc2-{40,64,128}: add tests cases for rc2

	* cms.c: Update prototypes changes for hx509_crypto_[gs]et_params.

	* crypto.c: Break out the parameter handling code for encrypting
	data to handle RC2. Needed for Windows 2k pk-init support.

2006-04-04 Love Hörnquist Åstrand <lha@it.su.se>

	* Makefile.am: Split libhx509_la_SOURCES into build file and
	distributed files so we can avoid building prototypes for
	build-files.

2006-04-03 Love Hörnquist Åstrand <lha@it.su.se>

	* TODO: split certificate request into pkcs10 and CRMF

	* hxtool-commands.in: Add nonce flag to ocsp-fetch

	* hxtool.c: control sending nonce

	* hxtool.c (request_create): store the request in a file, not in
	bitbucket.

	* cert.c: expose print_cert_subject internally

	* hxtool.c: Add ocsp_print.

	* hxtool-commands.in: New command "ocsp-print".

	* hx_locl.h: Include <hex.h>.

	* revoke.c (verify_ocsp): require issuer to match too.
	(free_ocsp): new function
	(hx509_revoke_ocsp_print): new function, print ocsp reply

	* Makefile.am: build CRMF files

	* data/key.der: needed for cert request test

	* test_req.in: adapt to rename of pkcs10-create to request-create

	* hxtool.c: adapt to rename of pkcs10-create to request-create

	* hxtool-commands.in: Rename pkcs10-create to request-create

	* crypto.c (_hx509_parse_private_key): Avoid crashing on bad input.

	* hxtool.c (pkcs10_create): use opt->subject_string

	* hxtool-commands.in: Add pkcs10-create --subject

	* Makefile.am: Add test_req to tests.

	* test_req.in: Test for pkcs10 commands.

	* name.c (hx509_parse_name): new function.

	* hxtool.c (pkcs10_create): implement

	* hxtool-commands.in (pkcs10-create): Add arguments

	* crypto.c: Add _hx509_private_key2SPKI and support
	functions (only support RSA for now).

2006-04-02 Love Hörnquist Åstrand <lha@it.su.se>

	* hxtool-commands.in: Add pkcs10-create command.

	* hx509.h: Add hx509_request.

	* TODO: more stuff

	* Makefile.am: Add req.c

	* req.c: Create certificate requests, prototype converts the
	request in a pkcs10 packet.

	* hxtool.c: Add pkcs10_create

	* name.c (hx509_name_copy): new function.

2006-04-01 Love Hörnquist Åstrand <lha@it.su.se>

	* TODO: fill out what to do

	* hxtool-commands.in: add pkcs10-print

	* hx_locl.h: Include <pkcs10_asn1.h>.

	* pkcs10.asn1: PKCS#10

	* hxtool.c (pkcs10_print): new function.

	* test_chain.in: test ocsp keyhash

	* data: generate ocsp keyhash version too

	* revoke.c (load_ocsp): test that we got back a BasicResponse

	* ocsp.asn1: Add asn1_id_pkix_ocsp*.

	* Makefile.am: Add asn1_id_pkix_ocsp*.

	* cert.c: Add HX509_QUERY_MATCH_KEY_HASH_SHA1

	* hx_locl.h: Add HX509_QUERY_MATCH_KEY_HASH_SHA1

	* revoke.c: Support OCSPResponderID.byKey, indent.

	* revoke.c (hx509_ocsp_request): Add nonce to ocsp request.

	* hxtool.c: Add nonce to ocsp request.

	* test_chain.in: Added crl tests

	* data/nist-data: rename missing-crl to missing-revoke

	* data: make ca use openssl ca command so we can add ocsp tests,
	and regen certs

	* test_chain.in: Add revoked ocsp cert test

	* cert.c: rename missing-crl to missing-revoke

	* revoke.c: refactor code, fix an un-init-ed variable

	* test_chain.in: rename missing-crl to missing-revoke, add ocsp
	tests

	* test_cms.in: rename missing-crl to missing-revoke

	* hxtool.c: rename missing-crl to missing-revoke

	* hxtool-commands.in: rename missing-crl to missing-revoke

	* revoke.c: Plug one memory leak.

	* revoke.c: Renamed generic CRL related errors.

	* hx509_err.et: Comments and renamed generic CRL related errors

	* revoke.c: Add ocsp checker.

	* ocsp.asn1: Add id-kp-OCSPSigning

	* hxtool-commands.in: add url-path argument to ocsp-fetch

	* hxtool.c: implement ocsp-fetch

	* cert.c: Use HX509_DEFAULT_OCSP_TIME_DIFF.

	* hx_locl.h: Add ocsp_time_diff to hx509_context

	* crypto.c (_hx509_verify_signature_bitstring): new function,
	commonly used when checking certificates

	* cms.c (hx509_cms_envelope_1): check for internal ASN.1 encoder
	error

	* cert.c: Add ocsp glue, use new
	_hx509_verify_signature_bitstring, add eku checking function.

2006-03-31 Love Hörnquist Åstrand <lha@it.su.se>

	* Makefile.am: add id_kp_OCSPSigning.x

	* revoke.c: Pick out certs in ocsp response

	* TODO: list of stuff to verify

	* revoke.c: Add code to load OCSPBasicOCSPResponse files, reload
	crl when it's changed on disk.

	* cert.c: Update for ocsp merge. handle building path w/o
	subject (using subject key id)

	* ks_p12.c: _hx509_map_file changed prototype.

	* file.c: _hx509_map_file changed prototype, returns struct stat
	if requested.

	* ks_file.c: _hx509_map_file changed prototype.

	* hxtool.c: Add stub for ocsp-fetch, _hx509_map_file changed
	prototype, add ocsp parsing to verify command.

	* hx_locl.h: rename HX509_CTX_CRL_MISSING_OK to
	HX509_CTX_VERIFY_MISSING_OK now that we have OCSP glue

2006-03-30 Love Hörnquist Åstrand <lha@it.su.se>

	* hx_locl.h: Add <krb5-types.h> to make it compile on Solaris,
	from Alex V. Labuta.

2006-03-28 Love Hörnquist Åstrand <lha@it.su.se>

	* crypto.c (_hx509_pbe_decrypt): try all passwords, not just the
	first one.

2006-03-27 Love Hörnquist Åstrand <lha@it.su.se>

	* print.c (check_altName): Print the othername oid.

	* crypto.c: Manual page claims RSA_public_decrypt will return -1
	on error, let's check for that

	* crypto.c (_hx509_pbe_decrypt): also try the empty password

	* collector.c (match_localkeyid): no need to add back the cert to
	the cert pool, it's already there.

	* crypto.c: Add REQUIRE_SIGNER

	* cert.c (hx509_cert_free): ok to free NULL

	* hx509_err.et: Add new error code SIGNATURE_WITHOUT_SIGNER.

	* name.c (_hx509_name_ds_cmp): make DirectoryString case
	insensitive
	(hx509_name_to_string): less spacing

	* cms.c: Check for signature error, check consistency of error

2006-03-26 Love Hörnquist Åstrand <lha@it.su.se>

	* collector.c (_hx509_collector_alloc): handle errors

	* cert.c (hx509_query_alloc): allocate slightly more than a
	sizeof(pointer)

	* crypto.c (_hx509_private_key_assign_key_file): ask for password
	if nothing matches.

	* cert.c: Expose more of the hx509_query interface.

	* collector.c: hx509_certs_find is now exposed.

	* cms.c: hx509_certs_find is now exposed.

	* revoke.c: hx509_certs_find is now exposed.

	* keyset.c (hx509_certs_free): allow free-ing NULL
	(hx509_certs_find): expose
	(hx509_get_one_cert): new function

	* hxtool.c: hx509_certs_find is now exposed.

	* hx_locl.h: Remove hx509_query, it's exposed now.

	* hx509.h: Add hx509_query.

2006-02-22 Love Hörnquist Åstrand <lha@it.su.se>

	* cert.c: Add exceptions for null (empty) subjectNames

	* data/nist-data: Add some more name constraints tests.

	* data/nist-data: Add some of the tests from 4.13 Name Constraints.

	* cert.c: Name constraints need to be evaluated in block as they
	appear in the certificates, they can not be joined to one
	list. One example of this is:

	- cert is cn=foo,dc=bar,dc=baz
	- subca is dc=foo,dc=baz with name restriction dc=kaka,dc=baz
	- ca is dc=baz with name restriction dc=baz

	If the name restrictions are merged to a list, the certificate
	will pass this test.

2006-02-14 Love Hörnquist Åstrand <lha@it.su.se>

	* cert.c: Handle more name constraints cases.

	* crypto.c (dsa_verify_signature): test if malloc failed

2006-01-31 Love Hörnquist Åstrand <lha@it.su.se>

	* cms.c: Drop partial pkcs12 string2key implementation.

2006-01-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* data/nist-data: Add commited out DSA tests (they fail).

	* data/nist-data: Add 4.2 Validity Periods.

	* test_nist.in: Make less verbose to use.

	* Makefile.am: Add test_nist_cert.

	* data/nist-data: Add some more CRL-tests.

	* test_nist.in: Print $id instead of . when running the tests.

	* test_nist.in: Drop verifying certificates, it's done in another
	test now.

	* data/nist-data: fixup kill-rectangle leftovers

	* data/nist-data: Drop verifying certificates, it's done in another
	test now. Add more crl tests. comment out all unused tests.

	* test_nist_cert.in: test parse all nist certs

2006-01-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* hx509_err.et: Add HX509_CRL_UNKNOWN_EXTENSION.

	* revoke.c: Check for unknown extensions in CRLs and CRLEntries.

	* test_nist.in: Parse new format to handle CRL info.

	* test_chain.in: Add --missing-crl.

	* name.c (hx509_unparse_der_name): Rename from hx509_parse_name.
	(_hx509_unparse_Name): Add.

	* hxtool-commands.in: Add --missing-crl to verify commands.

	* hx509_err.et: Add CRL errors.

	* cert.c (hx509_context_set_missing_crl): new function Add CRL
	handling.

	* hx_locl.h: Add HX509_CTX_CRL_MISSING_OK.

	* revoke.c: Parse and verify CRLs (simplistic).

	* hxtool.c: Parse CRL info.

	* data/nist-data: Change format so we can deal with CRLs, also
	note the test-id from PKITS.

	* data: regenerate test

	* data/gen-req.sh: use static-file to generate tests

	* data/static-file: new file to use for committed tests

	* test_cms.in: Use static file, add --missing-crl.

2006-01-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* print.c: It's cRLReason, not cRLReasons.

	* hxtool.c: Attach revoke context to verify context.

	* data/nist-data: change syntax to make match better with crl
	checks

	* cert.c: Verify no certificates have been revoked with the new
	revoke interface.

	* Makefile.am: libhx509_la_SOURCES += revoke.c

	* revoke.c: Add framework for handling CRLs.

	* hx509.h: Add hx509_revoke_ctx.

2006-01-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* delete crypto_headers.h, use global file instead.

	* crypto.c (PBE_string2key): libdes now supports PKCS12_key_gen

2006-01-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* crypto_headers.h: Need BN_is_negative too.

2006-01-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c (p11_rsa_public_decrypt): since is wrong, don't provide
	it. PKCS11 can't do public_decrypt, it supports verify though. All
	this doesn't matter, since the code never goes through this path.

	* crypto_headers.h: Provide glue to compile with less warnings
	with OpenSSL

2006-01-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Depend on LIB_des

	* lock.c: Use "crypto_headers.h".

	* crypto_headers.h: Include the two different implementations of
	crypto headers.

	* cert.c: Use "crypto-headers.h". Load ENGINE configuration.

	* crypto.c: Make compile with both OpenSSL and heimdal libdes.

	* ks_p11.c: Add code for public key decryption (not supported yet)
	and use "crypto-headers.h".


2006-01-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* add a hx509_context where we can store configuration

	* p11.c,Makefile.am: pkcs11 is now supported by library, remove
	old files.

	* ks_p11.c: more paranoid on refcount, set refcounter earlier,
	reset pointers after free

	* collector.c (struct private_key): remove temporary key data
	storage, convert directly to a key
	(match_localkeyid): match certificate and key using localkeyid
	(match_keys): match certificate and key using _hx509_match_keys
	(_hx509_collector_collect): rewrite to use match_keys and
	match_localkeyid

	* crypto.c (_hx509_match_keys): function that determines if a
	private key matches a certificate, used when there is no
	localkeyid.
	(*) reset free pointer

	* ks_file.c: Rewrite to use collector and mapping support
	function.

	* ks_p11.c (rsa_pkcs1_method): constify

	* ks_p11.c: drop extra wrapping of p11_init

	* crypto.c (_hx509_private_key_assign_key_file): use function to
	extract rsa key

	* cert.c: Revert previous, refcounter is unsigned, so it can never
	be negative.

	* cert.c (hx509_cert_ref): more refcount paranoia

	* ks_p11.c: Implement rsa_private_decrypt and add stubs for public
	ditto.

	* ks_p11.c: Less __printf__, less memory leaks.

	* ks_p11.c: Implement signing using pkcs11.

	* ks_p11.c: Partly assign private key, enough to complete
	collection, but not any crypto functionality.

	* collector.c: Use hx509_private_key to assign private keys.

	* crypto.c: Remove most of the EVP_PKEY code, and use RSA
	directly, this temporarily removes DSA support.

	* hxtool.c (print_f): print if there is a friendly name and if
	there is a private key

2006-01-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* name.c: Avoid warning from missing __attribute__((noreturn))

	* lock.c (_hx509_lock_unlock_certs): return unlock certificates

	* crypto.c (_hx509_private_key_assign_ptr): new function, exposes
	EVP_PKEY
	(_hx509_private_key_assign_key_file): remember to free private key
	if there is one.

	* cert.c (_hx509_abort): add newline to output and flush stdout

	* Makefile.am: libhx509_la_SOURCES += collector.c

	* hx_locl.h: forward type declaration of struct hx509_collector.

	* collector.c: Support functions to collect certificates and
	private keys and then match them.

	* ks_p12.c: Use the new hx509_collector support functions.

	* ks_p11.c: Add enough glue to support certificate iteration.

	* test_nist_pkcs12.in: Less verbose.

	* cert.c (hx509_cert_free): if there is a private key associated
	with this cert, free it

	* print.c: Use _hx509_abort.

	* ks_p12.c: Use _hx509_abort.

	* hxtool.c: Use _hx509_abort.

	* crypto.c: Use _hx509_abort.

	* cms.c: Use _hx509_abort.

	* cert.c: Use _hx509_abort.

	* name.c: use _hx509_abort

2006-01-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* name.c (hx509_name_to_string): don't cut bmpString in half.

	* name.c (hx509_name_to_string): don't overwrite with 1 byte with
	bmpString.

	* ks_file.c (parse_certificate): avoid stomping before array

	* name.c (oidtostring): avoid leaking memory

	* keyset.c: Add _hx509_ks_dir_register.

	* Makefile.am (libhx509_la_SOURCES): += ks_dir.c

	* hxtool-commands.in: Remove pkcs11.

	* hxtool.c: Remove pcert_pkcs11.

	* ks_file.c: Factor out certificate parsing code.

	* ks_dir.c: Add new keystore that treats all files in a directory
	a keystore, useful for regression tests.

2005-12-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_nist_pkcs12.in: Test parse PKCS12 files from NIST.

	* data/nist-data: Can handle DSA certificate.

	* hxtool.c: Print error code on failure.

2005-10-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* crypto.c: Support DSA signature operations.

2005-10-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* print.c: Validate that issuerAltName and subjectAltName isn't
	empty.

2005-09-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* p11.c: Cast to unsigned char to avoid warning.

	* keyset.c: Register pkcs11 module.

	* Makefile.am: Add ks_p11.c, install hxtool.

	* ks_p11.c: Starting point of a pkcs11 module.

2005-09-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* lock.c: Implement prompter.

	* hxtool-commands.in: add --content to print

	* hxtool.c: Split verify and print.

	* cms.c: _hx509_pbe_decrypt now takes a hx509_lock.

	* crypto.c: Make _hx509_pbe_decrypt take a hx509_lock, workaround
	for empty password.

	* name.c: Add DC, handle all Directory strings, fix signless
	problems.

2005-09-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_query.in: Pass in --pass to all commands.

	* hxtool.c: Use option --pass.

	* hxtool-commands.in: Add --pass to all commands.

	* hx509_err.et: add UNKNOWN_LOCK_COMMAND and CRYPTO_NO_PROMPTER

	* test_cms.in: pass in password to cms-create-sd

	* crypto.c: Abstract out PBE_string2key so I can add PBE2 s2k
	later. Avoid signedness warnings with OpenSSL.

	* cms.c: Use void * instead of char * to avoid signedness
	issues

	* cert.c (hx509_cert_get_attribute): remove const, it's not

	* ks_p12.c: Cast size_t to unsigned long when print.

	* name.c: Fix signedness warning.

	* test_query.in: Use echo, the function check isn't defined here.

2005-08-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool-commands.in: Add more options that was missing.

2005-07-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_cms.in: Use --certificate= for enveloped/unenvelope.

	* hxtool.c: Use --certificate= for enveloped/unenvelope. Clean
	up.

	* test_cms.in: add EnvelopeData tests

	* hxtool.c: use id-envelopedData for ContentInfo

	* hxtool-commands.in: add contentinfo wrapping for create/unwrap
	enveloped data

	* hxtool.c: add contentinfo wrapping for create/unwrap enveloped
	data

	* data/gen-req.sh: add enveloped data (aes128)

	* crypto.c: add "new" RC2 oid

2005-07-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* hx_locl.h, cert.c: Add HX509_QUERY_MATCH_FUNCTION that allows
	caller to match by function, note that this does not work
	directly for backends that implement ->query, they must do their
	own processing. (I'm running out of flags, only 12 left now)

	* test_cms.in: verify ContentInfo wrapping code in hxtool

	* hxtool-commands.in (cms_create_sd): support wrapping in content
	info spelling

	* hxtool.c (cms_create_sd): support wrapping in content info

	* test_cms.in: test more cms signeddata messages

	* data/gen-req.sh: generate SignedData

	* hxtool.c (cms_create_sd): support certificate store, add support
	to unwrap a ContentInfo the SignedData inside.

	* crypto.c: sprinkle rk_UNCONST

	* crypto.c: add DER NULL to the digest oid's

	* hxtool-commands.in: add --content-info to cms-verify-sd

	* cms.c (hx509_cms_create_signed_1): pass in a full
	AlgorithmIdentifier instead of heim_oid for digest_alg

	* crypto.c: make digest_alg a digest_oid, it's not needed right
	now

	* hx509_err.et: add CERT_NOT_FOUND

	* keyset.c (_hx509_certs_find): add error code for cert not
	found

	* cms.c (hx509_cms_verify_signed): add external store of
	certificates, use the right digest algorithm identifier.

	* cert.c: fix const warning

	* ks_p12.c: slightly less verbose

	* cert.c: add hx509_cert_find_subjectAltName_otherName, add
	HX509_QUERY_MATCH_FRIENDLY_NAME

	* hx509.h: add hx509_octet_string_list, remove bad comment

	* hx_locl.h: add HX509_QUERY_MATCH_FRIENDLY_NAME

	* keyset.c (hx509_certs_append): needs a hx509_lock, add one

	* Makefile.am: add test cases tempfiles to CLEANFILES

	* Makefile.am: add test_query to TESTS, fix dependency on hxtool
	sources on hxtool-commands.h

	* hxtool-commands.in: explain what signer is for create-sd

	* hxtool.c: add query, add more options to verify-sd and create-sd

	* test_cms.in: add more cms tests

	* hxtool-commands.in: add query, add more options to verify-sd

	* test_query.in: test query interface

	* data: fix filenames for ds/ke files, add pkcs12 files, regen

	* hxtool.c,Makefile.am,hxtool-commands.in: switch to slc

2005-07-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* cert.c (hx509_verify_destroy_ctx): add

	* hxtool.c: free hx509_verify_ctx

	* name.c (_hx509_name_ds_cmp): make sure all strings are not equal

2005-07-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: return error

	* keyset.c: return errors from iterations

	* test_chain.in: clean up checks

	* ks_file.c (parse_certificate): return errno's not 1 in case of
	error

	* ks_file.c (file_iter): make sure endpointer is NULL

	* ks_mem.c (mem_iter): follow conversion and return NULL when we
	get to the end, not ENOENT.

	* Makefile.am: test_chain depends on hxtool

	* data: test certs that lasts 10 years

	* data/gen-req.sh: script to generate test certs

	* Makefile.am: Add regression tests.

	* data: test certificate and keys

	* test_chain.in: test chain

	* hxtool.c (cms_create_sd): add KU digitalSignature as a
	requirement to the query

	* hx_locl.h: add KeyUsage query bits

	* hx509_err.et: add KeyUsage error

	* cms.c: add checks for KeyUsage

	* cert.c: more checks on KeyUsage, allow to query on them too

2005-07-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c: Add missing break.

	* hx_locl.h,cms.c,cert.c: allow matching on SubjectKeyId

	* hxtool.c: Use _hx509_map_file, _hx509_unmap_file and
	_hx509_write_file.

	* file.c (_hx509_write_file): in case of write error, return errno

	* file.c (_hx509_write_file): add a function that writes a data
	blob to disk too

	* Fix id-tags

	* Import mostly complete X.509 and CMS library. Handles PEM, DER,
	PKCS12 encoded certificates. Verifies RSA chains and handles
	CMS's SignedData, and EnvelopedData.