aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/x509
Commit message (Collapse)AuthorAgeFilesLines
* Clean up use of <limits> headerJack Lloyd2017-09-031-0/+1
| | | | Don't include it where it is not needed, included it where it is used.
* Fix various MSVC warningsJack Lloyd2017-08-311-2/+2
| | | | Based on VC2017 output
* Remove unused includeJack Lloyd2017-08-291-1/+0
|
* In OCSP::CertID don't crash if SHA-1 not availableJack Lloyd2017-08-291-1/+1
| | | | Caught with Sonar
* add OCSP::Response::certificates() + unit testRené Meusel2017-07-211-0/+5
|
* Add position of end entity cert in x509_path_validate() doc [ci skip]René Korthaus2017-07-021-1/+1
| | | | | It's not so obvious to a user at which end of the chain the end entity certificate must be placed.
* Update Doxygen for X509_Certificate::subject_infoDaniel Neus2017-06-231-2/+4
|
* fix pathLenConstraint validationDaniel Neus2017-05-192-5/+34
| | | | | | | | | | | Fixes GH #991 The problem with the current implementation of the chain validation code is that is runs from the end certificate to the trust cert. @securitykernel and me tried to fix the pathLenConstraint validation within this reverse loop but we were not sure if we missed some edge cases. So we felt safer to use the algorithm listed in RFC 5280 which executes from the top to the bottom. It's probably best to rewrite the code to use the whole algorithm from RFC 5280, i.e. validating the chain from the trust to the end cert. Additionally, we wrote some tests including the one that raised this issue initially.
* Merge GH #900 Add ability to search by X509 DN hashJack Lloyd2017-04-048-39/+95
|\
| * Add certificate store lookup by subject DN hashNuno Goncalves2017-04-034-0/+38
| | | | | | | | Signed-off-by: Nuno Goncalves <[email protected]>
| * Add X509 issuer and subject DN hash methodsNuno Goncalves2017-04-032-0/+24
| | | | | | | | Signed-off-by: Nuno Goncalves <[email protected]>
| * Fix commentsNuno Goncalves2017-04-031-2/+2
| | | | | | | | Signed-off-by: Nuno Goncalves <[email protected]>
| * Throw exception for Not_ImplementedNuno Goncalves2017-04-031-2/+1
| | | | | | | | Signed-off-by: Nuno Goncalves <[email protected]>
| * Refactor find_cert_by_pubkey_sha1 to reuse hash objectNuno Goncalves2017-04-031-2/+6
| | | | | | | | Signed-off-by: Nuno Goncalves <[email protected]>
| * X509_CA: constantify X509_CA::sign_requestNuno Goncalves2017-04-032-2/+2
| | | | | | | | Signed-off-by: Nuno Goncalves <[email protected]>
| * Refactor and modernize files to be editedNuno Goncalves2017-04-031-33/+24
| | | | | | | | Signed-off-by: Nuno Goncalves <[email protected]>
* | Content:Tomasz Frydrych2017-04-039-26/+26
|/ | | | | | | | | * fixes for deprecated constructions in c++11 and later (explicit rule of 3/5 or implicit rule of 0 and other violations) * `default` specifier instead of `{}` in some places(probably all) * removal of unreachable code (for example `return` after `throw`) * removal of compilation unit only visible, but not used functions * fix for `throw()` specifier - used instead `BOTAN_NOEXCEPT` * removed not needed semicolons
* Remove "Dirty hack" for multiple defines in lex_me_harder()Simon Warta2017-04-023-5/+10
|
* Small fixes in API docs [ci skip]René Korthaus2017-03-091-1/+1
|
* Allow OCSP requests without the full subject certificateNuno Goncalves2017-03-045-16/+43
| | | | | | | | | | | | | | | | A OCSP request doesn't need the full subject certificate. This extends the API to require instead of the subject certificate: * OCSP::Request: subject serial. * OCSP::online_check: subject serial AND ocsp responder url. API breaking change: * removal of OCSP::Request::subject() as OCSP::Request doesn't need to hold the certificate, but only the serial. Signed-off-by: Nuno Goncalves <[email protected]>
* Remove verify_end() chained immediatly before end_cons() (close #890)Nuno Goncalves2017-02-253-4/+0
| | | | | | | BER_Decoder::end_cons() allready assures the verify_end() function, so it is redundant. Signed-off-by: Nuno Goncalves <[email protected]>
* Fix various SunCC and Solaris warnings and build problems.Jack Lloyd2017-01-241-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | Based on build output sent by @noloader. If RLIMIT_MEMLOCK is not defined, assume regular user is not able to call mlock. This probably also affected Clang/GCC on Solaris. Work around resolution issue in SIMD_4x32 where it finds ambiguity between arg taking uint32_t and __m128i. This is probably some artifact of how SunCC represents vector types, and seems highly bogus in general but is easy to work around here. Change constructor taking a single value to instead be `SIMD_4x32::splat` function. The SIMD class is internal, so no API implications. Fix various warnings about lambda functions that were missing return types and which were not a single return statement. AIUI C++11 doesn't guarantee that lambda return type will be deduced in that situation, though in practice every compiler including SunCC seems to handle it. Disable AVX2 usage, since SunCC's intrinsics seem to be broken - its _mm_loadu_si256 takes non-const pointer. Rename a few variables in the tests to avoid shadowed var warnings.
* Move Data_Store from utils to x509Jack Lloyd2017-01-044-4/+225
| | | | | It is not a general purpose util or something we want applications to use. It is only used by x509 and hopefully will be removed from there soon enough.
* Increase Path_Validation_Restrictions default min strength to 110Jack Lloyd2016-12-271-6/+8
| | | | | Effectively disables 1024 bit RSA as well as SHA-1. Edit the tests where required to enable it again.
* Remove unnecessary BOTAN_DLL annotationsJack Lloyd2016-12-271-1/+1
|
* Add CertificatePathStatusCodes typedefJack Lloyd2016-12-182-31/+37
| | | | Little easier to read perhaps, and helps prevent some astyle confusion.
* Convert to using standard uintN_t integer typesJack Lloyd2016-12-1826-184/+184
| | | | | | Renames a couple of functions for somewhat better name consistency, eg make_u32bit becomes make_uint32. The old typedefs remain for now since probably lots of application code uses them.
* Rename some methods, add more tests and docsRené Korthaus2016-12-043-12/+50
|
* Allow custom extensions in X509_Cert_OptionsRené Korthaus2016-12-027-25/+153
| | | | | Allow custom extensions in CA-signed cert requests Add templated getter for extensions
* Add OCSP stapling support to TLS clientJack Lloyd2016-11-264-17/+51
|
* Fix TLS tests wrt validation changesJack Lloyd2016-11-251-2/+2
| | | | Create empty CRLs so that revocation information is available.
* Add a test for to_string(Certificate_Status_Code)Jack Lloyd2016-11-251-5/+5
|
* Address review comments from @cordneyJack Lloyd2016-11-255-114/+249
| | | | | | | | | | | | Primarily doc updates but also expose some more logic in PKIX namespace, overall_status and merge_revocation_status. This allows calling more or less all of the logic used by the monolitic x509_path_validate in any way needed by an application. Add Certificate_Store_In_Memory::add_crl variant taking shared_ptr Add optional Certificate_Store_In_Memory* pointer to check_crl_online, valid CRLs are saved there.
* Fix popping empty container if no revocation data availableJack Lloyd2016-11-231-2/+2
|
* Add macro signalling support for online revocation checks.Jack Lloyd2016-11-232-3/+7
|
* Better OCSP tests including online testsJack Lloyd2016-11-232-2/+10
| | | | Tests touching network are gated by --run-online-tests flag.
* Add some simple OCSP testsJack Lloyd2016-11-231-0/+2
| | | | | | Nothing much but better than nothing. Also add a useful arg check to OCSP::Request constructor.
* Consult the response for matching certs also, fixes Symantec OCSPJack Lloyd2016-11-231-2/+20
|
* Refactor X.509 path validationJack Lloyd2016-11-237-356/+744
| | | | | | | | | Splits path building, path validation, CRL checks, and OCSP checks into distinct functions in namespace PKIX. The previous path validation APIs remain. Fixes to OCSP to store more information and to handle modern OCSP setups in at least some situations.
* Add find_cert_by_pubkey_sha1 to Certificate_Store_In_MemoryJack Lloyd2016-11-234-55/+64
|
* Add X509_Certificate helper functions for OCSPJack Lloyd2016-11-232-4/+43
| | | | | Using the SHA-1 of the public key to identify the signing cert is hardcoded in OCSP and unlikely to change.
* Explicitly number all Certificate_Status_Code enum valuesJack Lloyd2016-11-232-25/+146
| | | | Add a to_string function for this type.
* Add key_constraints_to_string, GOST-34.10 cert handlingJack Lloyd2016-11-183-5/+64
| | | | Add some try/catch blocks to the X.509 tests, and use create_private_key API
* Pubkey cleanupsJack Lloyd2016-11-123-4/+3
| | | | | | | | | | Add Public_Key::key_length usable for policy checking (as in TLS::Policy::check_peer_key_acceptable) Remove Public_Key::max_input_bits because it didn't make much sense for most algorithms actually. Remove message_parts and message_part_size from PK_Ops
* Simplify some code by using T::create_or_throwJack Lloyd2016-11-031-3/+1
|
* Remove ability to add OIDS at runtime. Remove global OID lock.Jack Lloyd2016-11-031-2/+1
| | | | | | | | | | | OID map is now generated from an input file on an as needed basis. Just uses a sequence of ifs - simple, fast, and small code size. Merges oid_lookup sub-module which was already required by asn1 anyway, so completely non-optional. Removes @neusdan's nice OID tests since without any runtime adds the tests are moot.
* Move cert/x509 to top level and pem and pbes2 to pubkey.Jack Lloyd2016-11-0337-0/+7052
The `cert` dir was just an artifact of having previously supported CVC (smartcard cert format), removed a long time ago. The pem and pbes2 code is directly related to the pubkey code, in fact the only caller of pbes2 (likely anywhere, not just in the library) is in pkcs8.cpp
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-11 19:27:10 +0000