aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/x509
Commit message (Collapse)AuthorAgeFilesLines
* Fix various SunCC and Solaris warnings and build problems.Jack Lloyd2017-01-241-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | Based on build output sent by @noloader. If RLIMIT_MEMLOCK is not defined, assume regular user is not able to call mlock. This probably also affected Clang/GCC on Solaris. Work around resolution issue in SIMD_4x32 where it finds ambiguity between arg taking uint32_t and __m128i. This is probably some artifact of how SunCC represents vector types, and seems highly bogus in general but is easy to work around here. Change constructor taking a single value to instead be `SIMD_4x32::splat` function. The SIMD class is internal, so no API implications. Fix various warnings about lambda functions that were missing return types and which were not a single return statement. AIUI C++11 doesn't guarantee that lambda return type will be deduced in that situation, though in practice every compiler including SunCC seems to handle it. Disable AVX2 usage, since SunCC's intrinsics seem to be broken - its _mm_loadu_si256 takes non-const pointer. Rename a few variables in the tests to avoid shadowed var warnings.
* Move Data_Store from utils to x509Jack Lloyd2017-01-044-4/+225
| | | | | It is not a general purpose util or something we want applications to use. It is only used by x509 and hopefully will be removed from there soon enough.
* Increase Path_Validation_Restrictions default min strength to 110Jack Lloyd2016-12-271-6/+8
| | | | | Effectively disables 1024 bit RSA as well as SHA-1. Edit the tests where required to enable it again.
* Remove unnecessary BOTAN_DLL annotationsJack Lloyd2016-12-271-1/+1
|
* Add CertificatePathStatusCodes typedefJack Lloyd2016-12-182-31/+37
| | | | Little easier to read perhaps, and helps prevent some astyle confusion.
* Convert to using standard uintN_t integer typesJack Lloyd2016-12-1826-184/+184
| | | | | | Renames a couple of functions for somewhat better name consistency, eg make_u32bit becomes make_uint32. The old typedefs remain for now since probably lots of application code uses them.
* Rename some methods, add more tests and docsRené Korthaus2016-12-043-12/+50
|
* Allow custom extensions in X509_Cert_OptionsRené Korthaus2016-12-027-25/+153
| | | | | Allow custom extensions in CA-signed cert requests Add templated getter for extensions
* Add OCSP stapling support to TLS clientJack Lloyd2016-11-264-17/+51
|
* Fix TLS tests wrt validation changesJack Lloyd2016-11-251-2/+2
| | | | Create empty CRLs so that revocation information is available.
* Add a test for to_string(Certificate_Status_Code)Jack Lloyd2016-11-251-5/+5
|
* Address review comments from @cordneyJack Lloyd2016-11-255-114/+249
| | | | | | | | | | | | Primarily doc updates but also expose some more logic in PKIX namespace, overall_status and merge_revocation_status. This allows calling more or less all of the logic used by the monolitic x509_path_validate in any way needed by an application. Add Certificate_Store_In_Memory::add_crl variant taking shared_ptr Add optional Certificate_Store_In_Memory* pointer to check_crl_online, valid CRLs are saved there.
* Fix popping empty container if no revocation data availableJack Lloyd2016-11-231-2/+2
|
* Add macro signalling support for online revocation checks.Jack Lloyd2016-11-232-3/+7
|
* Better OCSP tests including online testsJack Lloyd2016-11-232-2/+10
| | | | Tests touching network are gated by --run-online-tests flag.
* Add some simple OCSP testsJack Lloyd2016-11-231-0/+2
| | | | | | Nothing much but better than nothing. Also add a useful arg check to OCSP::Request constructor.
* Consult the response for matching certs also, fixes Symantec OCSPJack Lloyd2016-11-231-2/+20
|
* Refactor X.509 path validationJack Lloyd2016-11-237-356/+744
| | | | | | | | | Splits path building, path validation, CRL checks, and OCSP checks into distinct functions in namespace PKIX. The previous path validation APIs remain. Fixes to OCSP to store more information and to handle modern OCSP setups in at least some situations.
* Add find_cert_by_pubkey_sha1 to Certificate_Store_In_MemoryJack Lloyd2016-11-234-55/+64
|
* Add X509_Certificate helper functions for OCSPJack Lloyd2016-11-232-4/+43
| | | | | Using the SHA-1 of the public key to identify the signing cert is hardcoded in OCSP and unlikely to change.
* Explicitly number all Certificate_Status_Code enum valuesJack Lloyd2016-11-232-25/+146
| | | | Add a to_string function for this type.
* Add key_constraints_to_string, GOST-34.10 cert handlingJack Lloyd2016-11-183-5/+64
| | | | Add some try/catch blocks to the X.509 tests, and use create_private_key API
* Pubkey cleanupsJack Lloyd2016-11-123-4/+3
| | | | | | | | | | Add Public_Key::key_length usable for policy checking (as in TLS::Policy::check_peer_key_acceptable) Remove Public_Key::max_input_bits because it didn't make much sense for most algorithms actually. Remove message_parts and message_part_size from PK_Ops
* Simplify some code by using T::create_or_throwJack Lloyd2016-11-031-3/+1
|
* Remove ability to add OIDS at runtime. Remove global OID lock.Jack Lloyd2016-11-031-2/+1
| | | | | | | | | | | OID map is now generated from an input file on an as needed basis. Just uses a sequence of ifs - simple, fast, and small code size. Merges oid_lookup sub-module which was already required by asn1 anyway, so completely non-optional. Removes @neusdan's nice OID tests since without any runtime adds the tests are moot.
* Move cert/x509 to top level and pem and pbes2 to pubkey.Jack Lloyd2016-11-0337-0/+7052
The `cert` dir was just an artifact of having previously supported CVC (smartcard cert format), removed a long time ago. The pem and pbes2 code is directly related to the pubkey code, in fact the only caller of pbes2 (likely anywhere, not just in the library) is in pkcs8.cpp