aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/x509
Commit message (Collapse)AuthorAgeFilesLines
* DER improvementsJack Lloyd2018-05-225-69/+68
| | | | | | | | | | | Let DER_Encoder write to a user specified vector instead of only to an internal vector. This allows encoding to a std::vector without having to first write to a locked vector and then copying out the result. Add ASN1_Object::BER_encode convenience method. Replaces X509_Object::BER_encode which had the same logic but was restricted to a subtype. This replaces many cases where DER_Encoder was just used to encode a single object (X509_DN, AlgorithmIdentifier, etc).
* Use BER_Decoder::get_next to cleanup X.509 cert decoding codeJack Lloyd2018-05-211-14/+13
|
* Remove debug assignment [ci skip]Jack Lloyd2018-04-161-1/+0
|
* Truncate new SKIDs to 192 bitsJack Lloyd2018-04-162-6/+9
| | | | | More than long enough, and saves quite a bit of space especially for SHA-512 certificates.
* Extend Certificate_Store_In_Memory to load just a single cert from fileJack Lloyd2018-03-241-3/+9
|
* Bypass self-signed check in X509_Certificate if AKID and SKID are setJack Lloyd2018-03-241-12/+17
| | | | | | | | If they are they must be either equal (self-signed) or not equal (self-issued). This allows skipping the verification which reduces startup overhead eg when reading the system certificate store. On my systems's cert store it saves about 1/3 of the signature checks.
* Avoid creating a map from a DN when not requiredJack Lloyd2018-03-214-14/+18
|
* Store elements of a DN as a vectorJack Lloyd2018-03-212-59/+59
| | | | | | | This allows retreiving the original ordering which is required for DN string encoding as defined in RFC 4514 Fixes #336
* Support Ed25519 certificate formatJack Lloyd2018-03-202-38/+73
| | | | Able to create certificate chain and verify it with OpenSSL 1.1.1
* Support multiple DNS names through the command line interfaceJack Lloyd2018-03-192-0/+5
|
* Remove use of ;; to end linesJack Lloyd2018-03-191-1/+1
|
* Merge GH #1492 Support custom DN entriesJack Lloyd2018-03-142-67/+56
|\
| * Address review commentsJack Lloyd2018-03-141-2/+2
| |
| * Support custom DN entriesJack Lloyd2018-03-142-67/+56
| | | | | | | | GH #1490
* | Allow the caller to specify the serial number of a generated certJack Lloyd2018-03-142-12/+96
|/ | | | GH #1489
* Handle cert.subject_info("Email")Jack Lloyd2018-03-061-0/+3
| | | | GH #1446
* Include AKID in generated self signed certificatesJack Lloyd2018-03-062-4/+12
| | | | GH #1007
* Add X509_Certificate::subject_public_key_infoJack Lloyd2018-03-052-3/+16
| | | | Fixes #277
* Merge GH #1470 Use soft fail for OCSPJack Lloyd2018-03-046-20/+63
|\
| * Document OCSP softfail/hardfail check behaviour.souch2018-03-021-0/+3
| |
| * OCSP softfail revocation checkMathieu Souchaud2018-03-015-20/+60
| |
* | Fix check_crl_online segfaults, need tests.Mathieu Souchaud2018-03-021-11/+10
| |
* | Fix crash bug in check_crl_onlineJack Lloyd2018-03-011-1/+1
|/ | | | This function almost certainly needs more help. #951
* Add Path_Validation_Result::warnings_string() methodMathieu Souchaud2018-02-282-0/+19
|
* Fix Path_Validation_Result::no_warningsMathieu Souchaud2018-02-281-1/+4
|
* Load every certificates of files found.Mathieu Souchaud2018-02-011-2/+15
|
* Improve X.509 documentationJack Lloyd2018-01-291-1/+9
| | | | GH #1428
* Allow applications to easily override extensions in cert requestsJack Lloyd2018-01-238-121/+201
| | | | | | | | | | | | | Refactor the code so it's possible to create a cert request without going through x509self.h (PKCS10_Request::create). Add Extensions::add_new, so we can add an extension to a PKCS10 request without stomping on one already included by the application. Refactor the X509 unit tests to avoid (some) duplicated key creations. Just create a key once at the start and use it for all of the tests. GH #1428
* Prepare for making BER_Object members privateJack Lloyd2018-01-189-99/+98
| | | | | Now there are usable accessors that allow the library to avoid using BER_Object members directly.
* Avoid including x509_ext.h in pkcs10.hJack Lloyd2018-01-031-1/+1
| | | | No need, forward decl is sufficient.
* use range-based for loop instead of std::for_eachPatrik Fiedler2018-01-031-4/+2
|
* add the detection for the ca issuers field(1.3.6.1.5.5.7.48.2) in x509 ↵Patrik Fiedler2018-01-034-3/+42
| | | | certificates
* Fix build on old ClangJack Lloyd2018-01-011-1/+2
| | | | Clang 3.5 on mac didn't like this.
* Reorder fields of X509_Certificate_Data to reduce sizeJack Lloyd2017-12-301-8/+8
| | | | Just a few bytes but every bit helps.
* Change X509_Certificate to cache cert policies and name constraintsJack Lloyd2017-12-302-20/+20
|
* Deprecate X509_Certificate::policiesJack Lloyd2017-12-301-1/+1
| | | | In favor of the (new) function that returns the OIDs
* Add final annotation on Data_StoreJack Lloyd2017-12-281-1/+1
|
* Change X509_Certificate::subject_public_key_bitstring_sha1 to return const refJack Lloyd2017-12-272-2/+3
|
* Fix a couple Doxygen format errors [ci skip]Jack Lloyd2017-12-261-5/+7
|
* Move DN upper bound function to X509_DN static functionJack Lloyd2017-12-235-32/+17
| | | | | Avoids another public header, and it just makes sense that it be declared there.
* Initialize CRL_Code field in CRL_Entry dataJack Lloyd2017-12-231-1/+1
| | | | If no extensions in the CRL, the field was left uninitialized
* Increase size of CRL code enum to 32-bitsJack Lloyd2017-12-231-1/+1
| | | | BSI test is using a large enum value somewhere.
* Enable signing X509 structures with rsa-pssFabian Weissberg2017-12-225-14/+135
|
* Fix some shadow and unused parameter warningsJack Lloyd2017-12-202-6/+8
|
* Merge GH #1363 Fix various X509 path building and validation bugsJack Lloyd2017-12-2018-48/+683
|\
| * Fix various x509 path validation bugs + path building with ambiguous DNsFabian Weissberg2017-12-2018-48/+683
| | | | | | | | Signed-off-by: Fabian Weissberg <[email protected]>
* | Don't encode AlgorithmIdentifier parameters for ECDSA in X.509 objectsRené Korthaus2017-12-201-2/+5
|/ | | | | RFC 5758 and 4491 mandate that for DSA, ECDSA and GOST, the algorithm identifier "encoding MUST omit the parameters field".
* Merge GH #1364 Expose a function returning status when verifying X509 objectsJack Lloyd2017-12-196-59/+99
|\
| * Expose a function returning a status code for verifing X509 objectsJack Lloyd2017-12-196-59/+99
| | | | | | | | | | | | | | | | | | The versions returning bool just tell us if it could be verified but don't indicate the problem, everything got binned into "signature error" during verification. Now in the event that the params were invalid, or the signature algorithm couldn't be found, report that as a specific error. See GH #1362
* | Add accessors to ASN1_Attribute and AlgorithmIdentifierJack Lloyd2017-12-196-21/+23
|/