Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Add IncludeOS target. Make filesystem support optional. | Jack Lloyd | 2016-10-10 | 5 | -7/+18 |
| | |||||
* | Revert PK_Verifier change (don't require RNG there). | Jack Lloyd | 2016-10-07 | 2 | -4/+2 |
| | | | | | | | Verification is deterministic and public, so really no RNG is ever needed. Change provider handling - accepts "base", "openssl", or empty, otherwise throws a Provider_Not_Found exception. | ||||
* | Remove Algo_Registry usage from public key code. | Jack Lloyd | 2016-10-07 | 5 | -8/+27 |
| | | | | | | | | Instead the key types exposes operations like `create_encryption_op` which will return the relevant operation if the algorithm supports it. Changes pubkey.h interface, now RNG is passed at init time. Blinder previous created its own RNG, now it takes it from app. | ||||
* | 2nd review round | seu | 2016-10-02 | 1 | -50/+36 |
| | |||||
* | remove superfluous includes | Kai Michaelis | 2016-10-02 | 2 | -9/+0 |
| | |||||
* | 1st review round | Kai Michaelis | 2016-10-02 | 3 | -15/+8 |
| | |||||
* | Certificate store using SQLite | Kai Michaelis | 2016-10-02 | 15 | -82/+575 |
| | |||||
* | Fix validation of self-issued certificates in chains | René Korthaus | 2016-09-23 | 2 | -2/+5 |
| | | | | | | | | | | | | | | | | | | Self-issued certificates are certificates where subject_dn == issuer_dn, but the signature is from a different key (ca key). Chains with such a certificate could not be verified, because self-issued certificates (1) would be taken for a self-signed certificate and (2) find_issuing_cert() would find the same self-issued certificate that we want to verify, generating a signature error during signature verification. To fix, we now first identify a certificate as self-signed only if subject_dn == issuer_dn AND if we can verify the cert signature with it's own key. Verification will bring some extra costs, but we only do it once, in X509_Certificate's constructor. Second, we make sure find_issuing_cert() does not return the very same certificate we want to verify. This should be no problem, since path validation currently does not seem to support validating a self-signed certificate. | ||||
* | Make copy constructor and assignment default | René Korthaus | 2016-09-05 | 2 | -29/+2 |
| | |||||
* | Call base class assignment operator in X509_Certificate | René Korthaus | 2016-09-04 | 1 | -0/+1 |
| | |||||
* | Remove deprecated Nyberg-Rueppel and Rabin-Williams signatures | Jack Lloyd | 2016-09-02 | 1 | -2/+1 |
| | |||||
* | Merge GH #567/GH #457 TLS refactoring and Callbacks interface | Jack Lloyd | 2016-08-31 | 1 | -1/+0 |
|\ | |||||
| * | Reverted proposed constructor changes to X509_CA. | Matthias Gierlings | 2016-06-19 | 3 | -41/+17 |
| | | | | | | | | | | - Removed Certificate_Properties class used to wrap X509_CA parameters. - Whitespace cleanup. | ||||
| * | Reduction of code complexity in MP & ECC classes. | Matthias Gierlings | 2016-06-19 | 3 | -0/+3 |
| | | | | | | | | | | | | - reduced number of parameters in various methods - introduced structures and renamed variables to improve code readability. | ||||
| * | Reduction of code complexity in TLS classes. | Matthias Gierlings | 2016-06-19 | 3 | -17/+37 |
| | | | | | | | | | | | | | | -reduced number of parameters in various methods -reduced cyclomatic complexity (McCabe-Metric) -removed "TLSEXT_HEARTBEAT_SUPPORT" from tls_extensions.h (leftover from heartbeat extension removal?) | ||||
* | | Change allowed_usage key usage checks to match RFC 5280 | Jack Lloyd | 2016-08-30 | 1 | -2/+4 |
| | | | | | | | | GH #611 | ||||
* | | Fix TLS server cert validation problem GH #611 | Jack Lloyd | 2016-08-29 | 1 | -3/+3 |
| | | | | | | | | Fallout from #591 | ||||
* | | Rename find_constraints() and let it throw instead of returning a combination | René Korthaus | 2016-08-19 | 4 | -32/+59 |
| | | |||||
* | | Fix allowed_usage() and add tests for key usage | René Korthaus | 2016-08-17 | 2 | -2/+2 |
| | | |||||
* | | Fix GH #425 and run x509 tests with different signature algorithms | René Korthaus | 2016-08-17 | 5 | -48/+24 |
| | | |||||
* | | Merge GH #570 X509_Certificate APIs | Jack Lloyd | 2016-08-10 | 3 | -9/+58 |
| | | |||||
* | | Merge GH #507 Add PKCS #11 support | Jack Lloyd | 2016-07-04 | 1 | -1/+1 |
|\ \ | |/ |/| | |||||
| * | add PKCS#11 support | Daniel Neus | 2016-06-17 | 1 | -1/+1 |
| | | |||||
* | | Merge GH #487 Remove CVC certificates and EMSA1_BSI signature encoding | Jack Lloyd | 2016-06-17 | 19 | -2353/+1 |
|\ \ | |/ |/| | |||||
| * | remove the already bitrotting and probably broken CVC implementation | Daniel Neus | 2016-05-18 | 18 | -2350/+0 |
| | | |||||
| * | remove all uses of EMSA1_BSI | Daniel Neus | 2016-05-02 | 2 | -5/+3 |
| | | |||||
* | | Add Not_Implemented exception | Jack Lloyd | 2016-06-07 | 3 | -7/+7 |
| | | |||||
* | | Remove DN field requirements on generating certs and PKCS #10 | Jack Lloyd | 2016-05-23 | 3 | -22/+0 |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I have no idea why this is requiring the country code be set, but for many applications a country is not even meaningful. This change also allows CN to be empty/unset on the request or cert, since there is no actual requirement for any specific DN entry type and RFC 5280 specifically allows even an completely empty DN, with name information only in the subjectAltName extension. This change also allows generating a self-signed cert or cert request that expires before it starts. That could only happen with an explicit decision by the application to set it that way, and there is no harm in returning these non-secret bits. They will probably notice their problem as soon as the cert is rejected by any receiving system. | ||||
* | | Merge GH #484 use explicit casts to avoids MSVC warning C4267 | Jack Lloyd | 2016-05-09 | 2 | -4/+4 |
|\ \ | |/ |/| | |||||
| * | Add explicit static_cast operations to eliminate implicit cast compiler ↵ | Dan Brown | 2016-04-27 | 2 | -4/+4 |
| | | | | | | | | warnings. | ||||
* | | Add missing override | Jack Lloyd | 2016-04-28 | 1 | -1/+1 |
|/ | |||||
* | Move name constraints validation code to extension class | René Korthaus | 2016-04-17 | 3 | -101/+111 |
| | |||||
* | Add Unknown_Critical_Extension type | René Korthaus | 2016-04-10 | 3 | -16/+43 |
| | |||||
* | Generate error on unknown critical extension during path validation | René Korthaus | 2016-04-06 | 9 | -19/+145 |
| | | | | | | | | | | | | Previously unknown critical extensions were rejected during X509_Certificate constructor, which inhibited inspecting other parts of such a certificate. Refactored the certificate extensions code so that the path validation routine performs this check only. Additionally, added an interface for extensions to inspect the path during path validation. TODOs were added in places where existing path validation code can use the new interface. Fixes GH #449. | ||||
* | Merge GH #454 X.509 name constraints | Jack Lloyd | 2016-03-16 | 8 | -7/+630 |
|\ | |||||
| * | Changes from GH #454 review | Jack Lloyd | 2016-03-16 | 2 | -68/+72 |
| | | |||||
| * | X.509 Name Constraints | Kai Michaelis | 2016-03-10 | 8 | -7/+626 |
| | | |||||
* | | Trivial warning fixes | Jack Lloyd | 2016-03-09 | 1 | -8/+12 |
| | | |||||
* | | Typos are easy to miss in code that is not compiled by default. | Jack Lloyd | 2016-03-06 | 1 | -1/+1 |
| | | |||||
* | | Merge GH #437 add X509_Certificate::v3_extensions | Jack Lloyd | 2016-03-06 | 4 | -20/+35 |
|\ \ | | | | | | | | | | | | | Makes it possible for an application to interpret some extension not supported by the library. | ||||
| * | | +added fields for custom x509 extensions | Christopher Bläsius | 2016-02-29 | 4 | -20/+33 |
| |/ | | | | | | | +Extensions now uses std::unique_ptr | ||||
* | | Fix ordering of Charset::transcode arguments | Jack Lloyd | 2016-03-06 | 1 | -1/+1 |
| | | | | | | | | GH #438 | ||||
* | | Remaining cppcheck fixes that are not covered by GH #444 | Daniel Neus | 2016-03-05 | 1 | -11/+5 |
| | | |||||
* | | cppcheck fixes: Class 'X' has a constructor with 1 argument that is not ↵ | Daniel Neus | 2016-03-05 | 8 | -25/+25 |
|/ | | | | explicit. | ||||
* | Fix remaining Wshadow warnings and enable on gcc and clang | René Korthaus | 2016-02-18 | 1 | -1/+1 |
| | |||||
* | Merge GH #408 Add final attribute on many classes | Jack Lloyd | 2016-01-12 | 6 | -17/+17 |
|\ | |||||
| * | Add final attribute to many classes | Jack Lloyd | 2016-01-10 | 6 | -17/+17 |
| | | | | | | | | | | | | | | In some cases this can offer better optimization, via devirtualization. And it lets the user know the class is not intended for derivation. Some discussion in GH #402 | ||||
* | | Prefix more member vars with m_ prefix | René Korthaus | 2016-01-11 | 2 | -85/+85 |
|/ | |||||
* | Mass-prefix member vars with m_ | René Korthaus | 2016-01-08 | 25 | -271/+283 |
| | |||||
* | String comparision fixes | Daniel Neus | 2016-01-04 | 8 | -11/+11 |
| | | | | fix PVS-Studio perfomance warnings |