| Commit message | Author | Date | Files | Lines |
|---|---|---|---|---|
| DER improvements. Let DER_Encoder write to a user specified vector instead of only to an internal vector. This allows encoding to a std::vector without having to first write to a locked vector and then copying out the result. Add ASN1_Object::BER_encode convenience method. Replaces X509_Object::BER_encode which had the same logic but was restricted to a subtype. This replaces many cases where DER_Encoder was just used to encode a single object (X509_DN, AlgorithmIdentifier, etc). | Jack Lloyd | 2018-05-22 | 5 | -69/+68 |
| Use BER_Decoder::get_next to cleanup X.509 cert decoding code | Jack Lloyd | 2018-05-21 | 1 | -14/+13 |
| Remove debug assignment [ci skip] | Jack Lloyd | 2018-04-16 | 1 | -1/+0 |
| Truncate new SKIDs to 192 bits. More than long enough, and saves quite a bit of space especially for SHA-512 certificates. | Jack Lloyd | 2018-04-16 | 2 | -6/+9 |
| Extend Certificate_Store_In_Memory to load just a single cert from file | Jack Lloyd | 2018-03-24 | 1 | -3/+9 |
| Bypass self-signed check in X509_Certificate if AKID and SKID are set. If they are they must be either equal (self-signed) or not equal (self-issued). This allows skipping the verification which reduces startup overhead eg when reading the system certificate store. On my system's cert store it saves about 1/3 of the signature checks. | Jack Lloyd | 2018-03-24 | 1 | -12/+17 |
| Avoid creating a map from a DN when not required | Jack Lloyd | 2018-03-21 | 4 | -14/+18 |
| Store elements of a DN as a vector. This allows retrieving the original ordering which is required for DN string encoding as defined in RFC 4514. Fixes #336 | Jack Lloyd | 2018-03-21 | 2 | -59/+59 |
| Support Ed25519 certificate format. Able to create certificate chain and verify it with OpenSSL 1.1.1 | Jack Lloyd | 2018-03-20 | 2 | -38/+73 |
| Support multiple DNS names through the command line interface | Jack Lloyd | 2018-03-19 | 2 | -0/+5 |
| Remove use of ;; to end lines | Jack Lloyd | 2018-03-19 | 1 | -1/+1 |
| Merge GH #1492 Support custom DN entries | Jack Lloyd | 2018-03-14 | 2 | -67/+56 |
| Address review comments | Jack Lloyd | 2018-03-14 | 1 | -2/+2 |
| Support custom DN entries. GH #1490 | Jack Lloyd | 2018-03-14 | 2 | -67/+56 |
| Allow the caller to specify the serial number of a generated cert. GH #1489 | Jack Lloyd | 2018-03-14 | 2 | -12/+96 |
| Handle cert.subject_info("Email"). GH #1446 | Jack Lloyd | 2018-03-06 | 1 | -0/+3 |
| Include AKID in generated self signed certificates. GH #1007 | Jack Lloyd | 2018-03-06 | 2 | -4/+12 |
| Add X509_Certificate::subject_public_key_info. Fixes #277 | Jack Lloyd | 2018-03-05 | 2 | -3/+16 |
| Merge GH #1470 Use soft fail for OCSP | Jack Lloyd | 2018-03-04 | 6 | -20/+63 |
| Document OCSP softfail/hardfail check behaviour. | souch | 2018-03-02 | 1 | -0/+3 |
| OCSP softfail revocation check | Mathieu Souchaud | 2018-03-01 | 5 | -20/+60 |
| Fix check_crl_online segfaults, need tests. | Mathieu Souchaud | 2018-03-02 | 1 | -11/+10 |
| Fix crash bug in check_crl_online. This function almost certainly needs more help. #951 | Jack Lloyd | 2018-03-01 | 1 | -1/+1 |
| Add Path_Validation_Result::warnings_string() method | Mathieu Souchaud | 2018-02-28 | 2 | -0/+19 |
| Fix Path_Validation_Result::no_warnings | Mathieu Souchaud | 2018-02-28 | 1 | -1/+4 |
| Load every certificate of files found. | Mathieu Souchaud | 2018-02-01 | 1 | -2/+15 |
| Improve X.509 documentation. GH #1428 | Jack Lloyd | 2018-01-29 | 1 | -1/+9 |
| Allow applications to easily override extensions in cert requests. Refactor the code so it's possible to create a cert request without going through x509self.h (PKCS10_Request::create). Add Extensions::add_new, so we can add an extension to a PKCS10 request without stomping on one already included by the application. Refactor the X509 unit tests to avoid (some) duplicated key creations. Just create a key once at the start and use it for all of the tests. GH #1428 | Jack Lloyd | 2018-01-23 | 8 | -121/+201 |
| Prepare for making BER_Object members private. Now there are usable accessors that allow the library to avoid using BER_Object members directly. | Jack Lloyd | 2018-01-18 | 9 | -99/+98 |
| Avoid including x509_ext.h in pkcs10.h. No need, forward decl is sufficient. | Jack Lloyd | 2018-01-03 | 1 | -1/+1 |
| use range-based for loop instead of std::for_each | Patrik Fiedler | 2018-01-03 | 1 | -4/+2 |
| add the detection for the ca issuers field (1.3.6.1.5.5.7.48.2) in x509 certificates | Patrik Fiedler | 2018-01-03 | 4 | -3/+42 |
| Fix build on old Clang. Clang 3.5 on mac didn't like this. | Jack Lloyd | 2018-01-01 | 1 | -1/+2 |
| Reorder fields of X509_Certificate_Data to reduce size. Just a few bytes but every bit helps. | Jack Lloyd | 2017-12-30 | 1 | -8/+8 |
| Change X509_Certificate to cache cert policies and name constraints | Jack Lloyd | 2017-12-30 | 2 | -20/+20 |
| Deprecate X509_Certificate::policies. In favor of the (new) function that returns the OIDs | Jack Lloyd | 2017-12-30 | 1 | -1/+1 |
| Add final annotation on Data_Store | Jack Lloyd | 2017-12-28 | 1 | -1/+1 |
| Change X509_Certificate::subject_public_key_bitstring_sha1 to return const ref | Jack Lloyd | 2017-12-27 | 2 | -2/+3 |
| Fix a couple Doxygen format errors [ci skip] | Jack Lloyd | 2017-12-26 | 1 | -5/+7 |
| Move DN upper bound function to X509_DN static function. Avoids another public header, and it just makes sense that it be declared there. | Jack Lloyd | 2017-12-23 | 5 | -32/+17 |
| Initialize CRL_Code field in CRL_Entry data. If no extensions in the CRL, the field was left uninitialized | Jack Lloyd | 2017-12-23 | 1 | -1/+1 |
| Increase size of CRL code enum to 32-bits. BSI test is using a large enum value somewhere. | Jack Lloyd | 2017-12-23 | 1 | -1/+1 |
| Enable signing X509 structures with rsa-pss | Fabian Weissberg | 2017-12-22 | 5 | -14/+135 |
| Fix some shadow and unused parameter warnings | Jack Lloyd | 2017-12-20 | 2 | -6/+8 |
| Merge GH #1363 Fix various X509 path building and validation bugs | Jack Lloyd | 2017-12-20 | 18 | -48/+683 |
| Fix various x509 path validation bugs + path building with ambiguous DNs. Signed-off-by: Fabian Weissberg <[email protected]> | Fabian Weissberg | 2017-12-20 | 18 | -48/+683 |
| Don't encode AlgorithmIdentifier parameters for ECDSA in X.509 objects. RFC 5758 and 4491 mandate that for DSA, ECDSA and GOST, the algorithm identifier "encoding MUST omit the parameters field". | René Korthaus | 2017-12-20 | 1 | -2/+5 |
| Merge GH #1364 Expose a function returning status when verifying X509 objects | Jack Lloyd | 2017-12-19 | 6 | -59/+99 |
| Expose a function returning a status code for verifying X509 objects. The versions returning bool just tell us if it could be verified but don't indicate the problem, everything got binned into "signature error" during verification. Now in the event that the params were invalid, or the signature algorithm couldn't be found, report that as a specific error. See GH #1362 | Jack Lloyd | 2017-12-19 | 6 | -59/+99 |
| Add accessors to ASN1_Attribute and AlgorithmIdentifier | Jack Lloyd | 2017-12-19 | 6 | -21/+23 |