aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/cert/x509
Commit message (Collapse)AuthorAgeFilesLines
* Move cert/x509 to top level and pem and pbes2 to pubkey.Jack Lloyd2016-11-0337-7052/+0
| | | | | | | | | The `cert` dir was just an artifact of having previously supported CVC (smartcard cert format), removed a long time ago. The pem and pbes2 code is directly related to the pubkey code, in fact the only caller of pbes2 (likely anywhere, not just in the library) is in pkcs8.cpp
* Build the docs during CIJack Lloyd2016-10-221-0/+4
| | | | Fix various doc building problems/warnings.
* Allow setting the validation time during PKIX path validationJack Lloyd2016-10-212-18/+29
| | | | | | | Previously validation asked the system clock which is not always the correct thing (for example when using Roughtime protocol). Had been on the todo list forever, forced into it by some of the test certs expiring today.
* Fix doxygen warnings [ci skip]René Korthaus2016-10-194-4/+6
|
* Maintainer mode fixesJack Lloyd2016-10-171-3/+5
|
* Merge GH #665 Add IncludeOS target, make filesystem/threads optionalJack Lloyd2016-10-1711-8/+28
|\
| * More no-filesystem fixesJack Lloyd2016-10-124-0/+8
| |
| * Abstract out mutex type. Make threads optional.Jack Lloyd2016-10-122-1/+2
| |
| * Add IncludeOS target. Make filesystem support optional.Jack Lloyd2016-10-105-7/+18
| |
* | Change Certificate_Store_in_SQL to take RNG as argument.Jack Lloyd2016-10-134-14/+19
| | | | | | | | | | Previously it created a new AutoSeeded_RNG in each function, sometimes without even using it.
* | Improve cert doxygen [ci skip]René Korthaus2016-10-1112-146/+395
|/
* Revert PK_Verifier change (don't require RNG there).Jack Lloyd2016-10-072-4/+2
| | | | | | | Verification is deterministic and public, so really no RNG is ever needed. Change provider handling - accepts "base", "openssl", or empty, otherwise throws a Provider_Not_Found exception.
* Remove Algo_Registry usage from public key code.Jack Lloyd2016-10-075-8/+27
| | | | | | | | Instead the key types exposes operations like `create_encryption_op` which will return the relevant operation if the algorithm supports it. Changes pubkey.h interface, now RNG is passed at init time. Blinder previous created its own RNG, now it takes it from app.
* 2nd review roundseu2016-10-021-50/+36
|
* remove superfluous includesKai Michaelis2016-10-022-9/+0
|
* 1st review roundKai Michaelis2016-10-023-15/+8
|
* Certificate store using SQLiteKai Michaelis2016-10-0215-82/+575
|
* Fix validation of self-issued certificates in chainsRené Korthaus2016-09-232-2/+5
| | | | | | | | | | | | | | | | | | Self-issued certificates are certificates where subject_dn == issuer_dn, but the signature is from a different key (ca key). Chains with such a certificate could not be verified, because self-issued certificates (1) would be taken for a self-signed certificate and (2) find_issuing_cert() would find the same self-issued certificate that we want to verify, generating a signature error during signature verification. To fix, we now first identify a certificate as self-signed only if subject_dn == issuer_dn AND if we can verify the cert signature with it's own key. Verification will bring some extra costs, but we only do it once, in X509_Certificate's constructor. Second, we make sure find_issuing_cert() does not return the very same certificate we want to verify. This should be no problem, since path validation currently does not seem to support validating a self-signed certificate.
* Make copy constructor and assignment defaultRené Korthaus2016-09-052-29/+2
|
* Call base class assignment operator in X509_CertificateRené Korthaus2016-09-041-0/+1
|
* Remove deprecated Nyberg-Rueppel and Rabin-Williams signaturesJack Lloyd2016-09-021-2/+1
|
* Merge GH #567/GH #457 TLS refactoring and Callbacks interfaceJack Lloyd2016-08-311-1/+0
|\
| * Reverted proposed constructor changes to X509_CA.Matthias Gierlings2016-06-193-41/+17
| | | | | | | | | | - Removed Certificate_Properties class used to wrap X509_CA parameters. - Whitespace cleanup.
| * Reduction of code complexity in MP & ECC classes.Matthias Gierlings2016-06-193-0/+3
| | | | | | | | | | | | - reduced number of parameters in various methods - introduced structures and renamed variables to improve code readability.
| * Reduction of code complexity in TLS classes.Matthias Gierlings2016-06-193-17/+37
| | | | | | | | | | | | | | -reduced number of parameters in various methods -reduced cyclomatic complexity (McCabe-Metric) -removed "TLSEXT_HEARTBEAT_SUPPORT" from tls_extensions.h (leftover from heartbeat extension removal?)
* | Change allowed_usage key usage checks to match RFC 5280Jack Lloyd2016-08-301-2/+4
| | | | | | | | GH #611
* | Fix TLS server cert validation problem GH #611Jack Lloyd2016-08-291-3/+3
| | | | | | | | Fallout from #591
* | Rename find_constraints() and let it throw instead of returning a combinationRené Korthaus2016-08-194-32/+59
| |
* | Fix allowed_usage() and add tests for key usageRené Korthaus2016-08-172-2/+2
| |
* | Fix GH #425 and run x509 tests with different signature algorithmsRené Korthaus2016-08-175-48/+24
| |
* | Merge GH #570 X509_Certificate APIsJack Lloyd2016-08-103-9/+58
| |
* | Merge GH #507 Add PKCS #11 supportJack Lloyd2016-07-041-1/+1
|\ \ | |/ |/|
| * add PKCS#11 supportDaniel Neus2016-06-171-1/+1
| |
* | Merge GH #487 Remove CVC certificates and EMSA1_BSI signature encodingJack Lloyd2016-06-171-3/+1
|\ \ | |/ |/|
| * remove all uses of EMSA1_BSIDaniel Neus2016-05-021-3/+1
| |
* | Add Not_Implemented exceptionJack Lloyd2016-06-073-7/+7
| |
* | Remove DN field requirements on generating certs and PKCS #10Jack Lloyd2016-05-233-22/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I have no idea why this is requiring the country code be set, but for many applications a country is not even meaningful. This change also allows CN to be empty/unset on the request or cert, since there is no actual requirement for any specific DN entry type and RFC 5280 specifically allows even an completely empty DN, with name information only in the subjectAltName extension. This change also allows generating a self-signed cert or cert request that expires before it starts. That could only happen with an explicit decision by the application to set it that way, and there is no harm in returning these non-secret bits. They will probably notice their problem as soon as the cert is rejected by any receiving system.
* | Merge GH #484 use explicit casts to avoids MSVC warning C4267Jack Lloyd2016-05-092-4/+4
|\ \ | |/ |/|
| * Add explicit static_cast operations to eliminate implicit cast compiler ↵Dan Brown2016-04-272-4/+4
| | | | | | | | warnings.
* | Add missing overrideJack Lloyd2016-04-281-1/+1
|/
* Move name constraints validation code to extension classRené Korthaus2016-04-173-101/+111
|
* Add Unknown_Critical_Extension typeRené Korthaus2016-04-103-16/+43
|
* Generate error on unknown critical extension during path validationRené Korthaus2016-04-069-19/+145
| | | | | | | | | | | | Previously unknown critical extensions were rejected during X509_Certificate constructor, which inhibited inspecting other parts of such a certificate. Refactored the certificate extensions code so that the path validation routine performs this check only. Additionally, added an interface for extensions to inspect the path during path validation. TODOs were added in places where existing path validation code can use the new interface. Fixes GH #449.
* Merge GH #454 X.509 name constraintsJack Lloyd2016-03-168-7/+630
|\
| * Changes from GH #454 reviewJack Lloyd2016-03-162-68/+72
| |
| * X.509 Name ConstraintsKai Michaelis2016-03-108-7/+626
| |
* | Trivial warning fixesJack Lloyd2016-03-091-8/+12
| |
* | Merge GH #437 add X509_Certificate::v3_extensionsJack Lloyd2016-03-064-20/+35
|\ \ | | | | | | | | | | | | Makes it possible for an application to interpret some extension not supported by the library.
| * | +added fields for custom x509 extensionsChristopher Bläsius2016-02-294-20/+33
| |/ | | | | | | +Extensions now uses std::unique_ptr
* | Remaining cppcheck fixes that are not covered by GH #444Daniel Neus2016-03-051-11/+5
| |
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-20 07:32:41 +0000