xref: /freebsd/crypto/heimdal/lib/hx509/ChangeLog (revision 2a58b312b62f908ec92311d1bd8536dbaeb8e55b)
12008-07-14  Love Hörnquist Åstrand  <lha@kth.se>
2
3	* hxtool.c: Break out print_eval_types().
4
52008-06-21  Love Hörnquist Åstrand  <lha@kth.se>
6
7	* ks_p12.c: pass in time_now to unevelope
8
9	* cms.c: Pass in time_now to unevelope, us verify context time in
10	verify_signed.
11
122008-05-23  Love Hörnquist Åstrand  <lha@kth.se>
13
14	* hx_locl.h: Include <limits.h> for TYPE_MAX defines.
15
162008-04-29  Love Hörnquist Åstrand  <lha@it.su.se>
17
18	* sel-lex.l: Use _hx509_sel_yyerror() instead of error_message().
19
202008-04-20  Love Hörnquist Åstrand  <lha@it.su.se>
21
22	* sel-lex.l: Include <config.h>
23
242008-04-17  Love Hörnquist Åstrand  <lha@it.su.se>
25
26	* Makefile.am: Update make-proto usage.
27
282008-04-15  Love Hörnquist Åstrand  <lha@it.su.se>
29
30	* ca.c: BasicConstraints.pathLenConstraint unsigned int.
31
32	* sel-lex.l: Prefix sel_error with _hx509_ since its global on
33	platforms w/o symbol versioning.
34
35	* sel.h: rename yyerror to sel_yyerror in the whole library, not
36	just the lexer
37
38	* sel-lex.l: rename yyerror to sel_yyerror in the whole library,
39	not just the lexer
40
412008-04-14  Love Hörnquist Åstrand  <lha@it.su.se>
42
43	* sel-lex.l: Rename yyerror to sel_yyerror and make it static.
44
452008-04-08  Love Hörnquist Åstrand  <lha@it.su.se>
46
47	* hx509.h: Make self-standing by including missing files.
48
492008-04-07  Love Hörnquist Åstrand  <lha@it.su.se>
50
51	* ks_p11.c: Use unsigned where appropriate.
52
53	* softp11.c: call va_start before using vsnprintf.
54
55	* crypto.c: make refcount slightly more sane.
56
57	* keyset.c: make refcount slightly more sane.
58
59	* cert.c: make refcount slightly more sane.
60
612008-03-19  Love Hörnquist Åstrand  <lha@it.su.se>
62
63	* test_nist2.in: Try to find unzip.
64
652008-03-16  Love Hörnquist Åstrand  <lha@it.su.se>
66
67	* version-script.map: add missing symbols
68
69	* spnego: Make delegated credentials delegated directly, Oleg
70	Sharoiko pointed out that it always didnt work with the old
71	code. Also add som missing cred and context pass-thou functions in
72	the SPNEGO layer.
73
742008-03-14  Love Hörnquist Åstrand  <lha@it.su.se>
75
76	* rename to be more consistent, export for teting
77
78	* Add language to support querying certificates to find a
79	match. Support constructs like "1.3.6.1.5.2.3.5" IN
80	%{certificate.eku} AND %{certificate.subject} TAILMATCH "C=SE".
81
822008-02-26  Love Hörnquist Åstrand  <lha@it.su.se>
83
84	* version-script.map: add hx509_pem_read
85
86	* hxtool-commands.in: Add --pem to cms-verify-sd.
87
88	* test_cms.in: Test verifying PEM signature files.
89
90	* hxtool.c: Support verifying PEM signature files.
91
922008-02-25  Love Hörnquist Åstrand  <lha@it.su.se>
93
94	* Makefile.am: libhx509_la_OBJECTS depends on hx_locl.h
95
962008-02-11  Love Hörnquist Åstrand  <lha@it.su.se>
97
98	* Use ldap-prep (with libwind) to compare names
99
1002008-01-27  Love Hörnquist Åstrand  <lha@it.su.se>
101
102	* cert.c (hx509_query_match_eku): update to support the NULL
103	eku (reset), clearify the old behaivor with regards repetitive
104	calls.
105
106	* Add matching on EKU, validate EKUs, add hxtool matching glue,
107	add check. Adapted from pach from Tim Miller of Mitre
108
1092008-01-21  Love Hörnquist Åstrand  <lha@it.su.se>
110
111	* test_soft_pkcs11.c: use func for more C_ functions.
112
1132008-01-18  Love Hörnquist Åstrand  <lha@it.su.se>
114
115	* version-script.map: Export hx509_free_error_string().
116
1172008-01-17  Love Hörnquist Åstrand  <lha@it.su.se>
118
119	* version-script.map: only export C_GetFunctionList
120
121	* test_soft_pkcs11.c: use C_GetFunctionList
122
123	* softp11.c: fix comment, remove label.
124
125	* softp11.c: Add option app-fatal to control if softtoken should
126	abort() on erroneous input from applications.
127
1282008-01-16  Love Hörnquist Åstrand  <lha@it.su.se>
129
130	* test_pkcs11.in: Test password less certificates too
131
132	* keyset.c: document HX509_CERTS_UNPROTECT_ALL
133
134	* ks_file.c: Support HX509_CERTS_UNPROTECT_ALL.
135
136	* hx509.h: Add HX509_CERTS_UNPROTECT_ALL.
137
138	* test_soft_pkcs11.c: Only log in if needed.
139
1402008-01-15  Love Hörnquist Åstrand  <lha@it.su.se>
141
142	* softp11.c: Support PINs to login to the store.
143
144	* Makefile.am: add java pkcs11 test
145
146	* test_java_pkcs11.in: first version of disable java test
147
148	* softp11.c: Drop unused stuff.
149
150	* cert.c: Spelling, Add hx509_cert_get_SPKI_AlgorithmIdentifier,
151	remove unused stuff, add hx509_context to some functions.
152
153	* softp11.c: Add more glue to figure out what keytype this
154	certificate is using.
155
1562008-01-14  Love Hörnquist Åstrand  <lha@it.su.se>
157
158	* test_pkcs11.in: test debug
159
160	* Add a PKCS11 provider supporting signing and verifing sigatures.
161
1622008-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
163
164	* version-script.map: Replace hx509_name_to_der_name with
165	hx509_name_binary.
166
167	* print.c: make print_func static
168
1692007-12-26  Love Hörnquist Åstrand  <lha@it.su.se>
170
171	* print.c: doxygen
172
173	* env.c: doxygen
174
175	* doxygen.c: add more groups
176
177	* ca.c: doxygen.
178
1792007-12-17  Love Hörnquist Åstrand  <lha@it.su.se>
180
181	* ca.c: doxygen
182
1832007-12-16  Love Hörnquist Åstrand  <lha@it.su.se>
184
185	* error.c: doxygen
186
1872007-12-15  Love Hörnquist Åstrand  <lha@it.su.se>
188
189	* More documentation
190
191	* lock.c: Add page referance
192
193	* keyset.c: some more documentation.
194
195	* cms.c: Doxygen documentation.
196
1972007-12-11  Love Hörnquist Åstrand  <lha@it.su.se>
198
199	* *.[ch]: More documentation
200
2012007-12-09  Love Hörnquist Åstrand  <lha@it.su.se>
202
203	* handle refcount on NULL.
204
205	* test_nist_pkcs12.in: drop echo -n, doesn't work with posix sh
206
2072007-12-08  Love Hörnquist Åstrand  <lha@it.su.se>
208
209	* test_nist2.in: Print that this is version 2 of the tests
210
211	* test_nist.in: Drop printing of $id.
212
213	* hx509.h: Add HX509_VHN_F_ALLOW_NO_MATCH.
214
215	* name.c: spelling.
216
217	* cert.c: make work the doxygen.
218
219	* name.c: fix doxygen compiling.
220
221	* Makefile.am: add doxygen.c
222
223	* doxygen.c: Add doxygen main page.
224
225	* cert.c: Add doxygen.
226
227	* revoke.c (_hx509_revoke_ref): new function.
228
2292007-11-16  Love Hörnquist Åstrand  <lha@it.su.se>
230
231	* ks_keychain.c: Check if SecKeyGetCSPHandle needs prototype.
232
2332007-08-16  Love Hörnquist Åstrand  <lha@it.su.se>
234
235	* data/nist-data: Make work on case senstive filesystems too.
236
2372007-08-09  Love Hörnquist Åstrand  <lha@it.su.se>
238
239	* cert.c: match rfc822 contrains better, provide better error
240	strings.
241
2422007-08-08  Love Hörnquist Åstrand  <lha@it.su.se>
243
244	* cert.c: "self-signed doesn't count" doesn't apply to trust
245	anchor certificate.  make trust anchor check consistant.
246
247	* revoke.c: make compile.
248
249	* revoke.c (verify_crl): set error strings.
250
251	* revoke.c (verify_crl): handle with the signer is the
252	CRLsigner (shortcut).
253
254	* cert.c: Fix NC, comment on how to use _hx509_check_key_usage.
255
2562007-08-03  Love Hörnquist Åstrand  <lha@it.su.se>
257
258	* test_nist2.in, Makefile, test/nist*: Add nist pkits tests.
259
260	* revoke.c: Update to use CERT_REVOKED error, shortcut out of OCSP
261	checking when OCSP reply is a revocation reply.
262
263	* hx509_err.et: Make CERT_REVOKED error OCSP/CRL agnostic.
264
265	* name.c (_hx509_Name_to_string): make printableString handle
266	space (0x20) diffrences as required by rfc3280.
267
268	* revoke.c: Search for the right issuer when looking for the
269	issuer of the CRL signer.
270
2712007-08-02  Love Hörnquist Åstrand  <lha@it.su.se>
272
273	* revoke.c: Handle CRL signing certificate better, try to not
274	revalidate invalid CRLs over and over.
275
2762007-08-01  Love Hörnquist Åstrand  <lha@it.su.se>
277
278	* cms.c: remove stale comment.
279
280	* test_nist.in: Unpack PKITS_data.zip and run tests.
281
282	* test_nist_cert.in: Adapt to new nist pkits framework.
283
284	* test_nist_pkcs12.in: Adapt to new nist pkits framework.
285
286	* Makefile.am: clean PKITS_data
287
2882007-07-16  Love Hörnquist Åstrand  <lha@it.su.se>
289
290	* Makefile.am: Add version-script.map to EXTRA_DIST
291
2922007-07-12  Love Hörnquist Åstrand  <lha@it.su.se>
293
294	* Makefile.am: Add depenency on asn1_compile for asn1 built files.
295
2962007-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
297
298	* peer.c: update (c), indent.
299
300	* Makefile.am: New library version.
301
3022007-06-28  Love Hörnquist Åstrand  <lha@it.su.se>
303
304	* ks_p11.c: Add sha2 types.
305
306	* ref/pkcs11.h: Sync with scute.
307
308	* ref/pkcs11.h: Add sha2 CKM's.
309
310	* print.c: Print authorityInfoAccess.
311
312	* cert.c: Rename proxyCertInfo oid.
313
314	* ca.c: Rename proxyCertInfo oid.
315
316	* print.c: Rename proxyCertInfo oid.
317
3182007-06-26  Love Hörnquist Åstrand  <lha@it.su.se>
319
320	* test_ca.in: Adapt to new request handling.
321
322	* req.c: Allow export some of the request parameters.
323
324	* hxtool-commands.in: Adapt to new request handling.
325
326	* hxtool.c: Adapt to new request handling.
327
328	* test_req.in: Adapt to new request handling.
329
330	* version-script.map: Add initialize_hx_error_table_r.
331
332	* req.c: Move _hx509_request_print here.
333
334	* hxtool.c: use _hx509_request_print
335
336	* version-script.map: Export more crap^W semiprivate functions.
337
338	* hxtool.c: don't _hx509_abort
339
340	* version-script.map: add missing ;
341
3422007-06-25  Love Hörnquist Åstrand  <lha@it.su.se>
343
344	* cms.c: Use hx509_crypto_random_iv.
345
346	* crypto.c: Split out the iv creation from hx509_crypto_encrypt
347	since _hx509_pbe_encrypt needs to use the iv from the s2k
348	function.
349
350	* test_cert.in: Test PEM and DER FILE writing functionallity.
351
352	* ks_file.c: Add writing DER certificates.
353
354	* hxtool.c: Update to new hx509_pem_write().
355
356	* test_cms.in: test creation of PEM signeddata.
357
358	* hx509.h: PEM struct/function declarations.
359
360	* ks_file.c: Use PEM encoding/decoding functions.
361
362	* file.c: PEM encode/decoding functions.
363
364	* ks_file.c: Use hx509_pem_write.
365
366	* version-script.map: Export some semi-private functions.
367
368	* hxtool.c: Enable writing out signed data as a pem attachment.
369
370	* hxtool-commands.in (cms-create-signed): add --pem
371
372	* file.c (hx509_pem_write): Add.
373
374	* test_ca.in: Issue and test null subject cert.
375
376	* cert.c: Match is first component is in a CN=.
377
378	* test_ca.in: Test hostname if first CN.
379
380	* Makefile.am: Add version script.
381
382	* version-script.map: Limited exported symbols.
383
384	* test_ca.in: test --hostname.
385
386	* test_chain.in: test max-depth
387
388	* hx509.h: fixate HX509_HN_HOSTNAME at 0.
389
390	* hxtool-commands.in: add --hostname add --max-depth
391
392	* cert.c: Verify hostname and max-depth.
393
394	* hxtool.c: Verify hostname and test max-depth.
395
3962007-06-24  Love Hörnquist Åstrand  <lha@it.su.se>
397
398	* test_cms.in: Test --id-by-name.
399
400	* hxtool-commands.in: add cms-create-sd --id-by-name
401
402	* hxtool.c: Use HX509_CMS_SIGATURE_ID_NAME.
403
404	* cms.c: Implement and use HX509_CMS_SIGATURE_ID_NAME.
405
406	* hx509.h: Add HX509_CMS_SIGATURE_ID_NAME, use subject name for
407	CMS.Identifier.  hx509_hostname_type: add hostname type for
408	matching.
409
410	* cert.c (match_general_name): more strict rfc822Name matching.
411	(hx509_verify_hostname): add hostname type for matching.
412
4132007-06-19  Love Hörnquist Åstrand  <lha@it.su.se>
414
415	* hxtool.c: Make compile again.
416
417	* hxtool.c: Added peap-server for to make windows peap clients
418	happy.
419
420	* hxtool.c: Unify parse_oid code.
421
422	* hxtool.c: Implement --content-type.
423
424	* hxtool-commands.in: Add content-type.
425
426	* test_cert.in: more cert and keyset tests.
427
4282007-06-18  Love Hörnquist Åstrand  <lha@it.su.se>
429
430	* revoke.c: Avoid stomping on NULL.
431
432	* revoke.c: Avoid reusing i.
433
434	* cert.c: Provide __attribute__ for _hx509_abort.
435
436	* ks_file.c: Fail if not finding iv.
437
438	* keyset.c: Avoid useing freed memory.
439
440	* crypto.c: Free memory in failure case.
441
442	* crypto.c: Free memory in failure case.
443
4442007-06-12  Love Hörnquist Åstrand  <lha@it.su.se>
445
446	* *.c: Add hx509_cert_init_data and use everywhere
447
448	* hx_locl.h: Now that KEYCHAIN:system-anchors is fast again, use
449	that.
450
451	* ks_keychain.c: Implement trust anchor support with
452	SecTrustCopyAnchorCertificates.
453
454	* keyset.c: Set ref to 1 for the new object.
455
456	* cert.c: Fix logic for allow_default_trust_anchors
457
458	* keyset.c: Add refcounting to keystores.
459
460	* cert.c: Change logic for default trust anchors, make it be
461	either default trust anchor, the user supplied, or non at all.
462
4632007-06-08  Love Hörnquist Åstrand  <lha@it.su.se>
464
465	* Makefile.am: Add data/j.pem.
466
467	* Makefile.am: Add test_windows.in.
468
4692007-06-06  Love Hörnquist Åstrand  <lha@it.su.se>
470
471	* ks_keychain.c: rename functions, leaks less memory and more
472	paranoia.
473
474	* test_cms.in: Test cms peer-alg.
475
476	* crypto.c (rsa_create_signature): make oid_id_pkcs1_rsaEncryption
477	mean rsa-with-sha1 but oid oid_id_pkcs1_rsaEncryption in algorithm
478	field.  XXX should probably use another algorithmIdentifier for
479	this.
480
481	* peer.c: Make free function return void.
482
483	* cms.c (hx509_cms_create_signed_1): Use hx509_peer_info to select
484	the signature algorithm too.
485
486	* hxtool-commands.in: Add cms-create-sd --peer-alg.
487
488	* req.c: Use _hx509_crypto_default_sig_alg.
489
490	* test_windows.in: Create crl, because everyone needs one.
491
492	* Makefile.am: add wcrl.crl
493
4942007-06-05  Love Hörnquist Åstrand  <lha@it.su.se>
495
496	* hx_locl.h: Disable KEYCHAIN for now, its slow.
497
498	* cms.c: When we are not using pkcs7-data, avoid seing
499	signedAttributes since some clients get upset by that (pkcs7 based
500	or just plain broken).
501
502	* ks_keychain.c: Provide rsa signatures.
503
504	* ks_keychain.c: Limit the searches to the selected keychain.
505
506	* ks_keychain.c: include -framework Security specific header files
507	after #ifdef
508
509	* ks_keychain.c: Find and attach private key (does not provide
510	operations yet though).
511
512	* ks_p11.c: Prefix rsa method with p11_
513
514	* ks_keychain.c: Allow opening a specific chain, making "system"
515	special and be the system X509Anchors file. By not specifing any
516	keychain ("KEYCHAIN:"), all keychains are probed.
517
5182007-06-04  Love Hörnquist Åstrand  <lha@it.su.se>
519
520	* hxtool.c (verify): Friendlier error message.
521
522	* cert.c: Read in and use default trust anchors if they exists.
523
524	* hx_locl.h: Add concept of default_trust_anchors.
525
526	* ks_keychain.c: Remove err(), remove extra empty comment, fix
527	_iter function.
528
529	* error.c (hx509_get_error_string): if the error code is not the
530	one we expect, punt and use the default com_err/strerror string
531	instead.
532
533	* keyset.c (hx509_certs_merge): its ok to merge in the NULL set of
534	certs.
535
536	* test_windows.in: Fix status string.
537
538	* ks_p12.c (store_func): free whole CertBag, not just the data
539	part.
540
541	* print.c: Check that the self-signed cert is really self-signed.
542
543	* print.c: Use selfsigned for CRL DP whine, tell if its a
544	self-signed.
545
546	* print.c: Whine if its a non CA/proxy and doesn't have CRL DP.
547
548	* ca.c: Add cRLSign to CA certs.
549
550	* cert.c: Register NULL and KEYCHAIN.
551
552	* ks_null.c: register the NULL keystore.
553
554	* Makefile.am: Add ks_keychain.c and related libs.
555
556	* test_crypto.in: Print certificate with utf8.
557
558	* print.c: Leak less memory.
559
560	* hxtool.c: Leak less memory.
561
562	* print.c: Leak less memory, use functions that does same but
563	more.
564
565	* name.c (quote_string): don't sign extend the (signed) char to
566	avoid printing too much, add an assert to check that we didn't
567	overrun the buffer.
568
569	* name.c: Use right element out of the CHOICE for printableString
570	and utf8String
571
572	* ks_keychain.c: Certificate only KeyChain backend.
573
574	* name.c: Reset name before parsing it.
575
5762007-06-03  Love Hörnquist Åstrand  <lha@it.su.se>
577
578	* revoke.c (hx509_crl_*): fix sizeof() mistakes to fix memory
579	corruption.
580
581	* hxtool.c: Add lifetime to crls.
582
583	* hxtool-commands.in: Add lifetime to crls.
584
585	* revoke.c: Add lifetime to crls.
586
587	* test_ca.in: More crl checks.
588
589	* revoke.c: Add revoking certs.
590
591	* hxtool-commands.in: argument is certificates.. for crl-sign
592
593	* hxtool.c (certificate_copy): free lock
594
595	* revoke.c: Fix hx509_set_error_string calls, add
596	hx509_crl_add_revoked_certs(), implement hx509_crl_{alloc,free}.
597
598	* hxtool.c (crl_sign): free lock
599
600	* cert.c (hx509_context_free): free querystat
601
6022007-06-02  Love Hörnquist Åstrand  <lha@it.su.se>
603
604	* test_chain.in: test ocsp-verify
605
606	* revoke.c (hx509_ocsp_verify): explain what its useful for and
607	provide sane error message.
608
609	* hx509_err.et: New error code, CERT_NOT_IN_OCSP
610
611	* hxtool.c: New command ocsp-verify, check if ocsp contains all
612	certs and are valid (exist and non expired).
613
614	* hxtool-commands.in: New command ocsp-verify.
615
6162007-06-01  Love Hörnquist Åstrand  <lha@it.su.se>
617
618	* test_ca.in: Create crl and verify that is works.
619
620	* hxtool.c: Sign CRL command.
621
622	* hx509.h: Add hx509_crl.
623
624	* hxtool-commands.in: Add crl-sign commands.
625
626	* revoke.c: Support to generate an empty CRL.
627
628	* tst-crypto-select2: Switched default types.
629
630	* tst-crypto-select1: Switched default types.
631
632	* ca.c: Use default AlgorithmIdentifier.
633
634	* cms.c: Use default AlgorithmIdentifier.
635
636	* crypto.c: Provide default AlgorithmIdentifier and use them.
637
638	* hx_locl.h: Provide default AlgorithmIdentifier.
639
640	* keyset.c (hx509_certs_find): collects stats for queries.
641
642	* cert.c: Sort and print more info.
643
644	* hx_locl.h: Add querystat to hx509_context.
645
646	* test_*.in: sprinle stat saveing
647
648	* Makefile.am: Add stat and objdir.
649
650	* collector.c (_hx509_collector_alloc): return error code instead
651	of pointer.
652
653	* hxtool.c: Add statistic hook.
654
655	* ks_file.c: Update _hx509_collector_alloc prototype.
656
657	* ks_p12.c: Update _hx509_collector_alloc prototype.
658
659	* ks_p11.c: Update _hx509_collector_alloc prototype.
660
661	* hxtool-commands.in: Add statistics hook.
662
663	* cert.c: Statistics printing.
664
665	* ks_p12.c: plug memory leak
666
667	* ca.c (hx509_ca_tbs_add_crl_dp_uri): plug memory leak
668
6692007-05-31  Love Hörnquist Åstrand  <lha@it.su.se>
670
671	* print.c: print utf8 type SAN's
672
673	* Makefile.am: Fix windows client cert name.
674
675	* test_windows.in: Add crl-uri for the ee certs.
676
677	* print.c: Printf formating.
678
679	* ca.c: Add glue for adding CRL dps.
680
681	* test_ca.in: Readd the crl adding code, it works (somewhat) now.
682
683	* print.c: Fix printing of CRL DPnames (I hate IMPLICIT encoded
684	structures).
685
686	* hxtool-commands.in: make ca and alias of certificate-sign
687
6882007-05-30  Love Hörnquist Åstrand  <lha@it.su.se>
689
690	* crypto.c (hx509_crypto_select): copy AI to the right place.
691
692	* hxtool-commands.in: Add ca --ms-upn.
693
694	* hxtool.c: add --ms-upn and add more EKU's for pk-init client.
695
696	* ca.c: Add hx509_ca_tbs_add_san_ms_upn and refactor code.
697
698	* test_crypto.in: Resurect killed e.
699
700	* test_crypto.in: check for aes256-cbc
701
702	* tst-crypto-select7: check for aes256-cbc
703
704	* test_windows.in: test windows stuff
705
706	* hxtool.c: add ca --domain-controller option, add secret key
707	option to avaible.
708
709	* ca.c: Add hx509_ca_tbs_set_domaincontroller.
710
711	* hxtool-commands.in: add ca --domain-controller
712
713	* hxtool.c: hook for testing secrety key algs
714
715	* crypto.c: Add selection code for secret key crypto.
716
717	* hx509.h: Add HX509_SELECT_SECRET_ENC.
718
7192007-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
720
721	* ks_p11.c: add more mechtypes
722
7232007-05-10  Love Hörnquist Åstrand  <lha@it.su.se>
724
725	* print.c: Indent.
726
727	* hxtool-commands.in: add test-crypto command
728
729	* hxtool.c: test crypto command
730
731	* cms.c (hx509_cms_create_signed_1): if no eContentType is given,
732	use pkcs7-data.
733
734	* print.c: add Netscape cert comment
735
736	* crypto.c: Try both the empty password and the NULL
737	password (nothing vs the octet string \x00\x00).
738
739	* print.c: Add some US Fed PKI oids.
740
741	* ks_p11.c: Add some more hashes.
742
7432007-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
744
745	* hxtool.c (crypto_select): stop memory leak
746
7472007-04-19  Love Hörnquist Åstrand  <lha@it.su.se>
748
749	* peer.c (hx509_peer_info_free): free memory used too
750
751	* hxtool.c (crypto_select): only free peer if it was used.
752
7532007-04-18  Love Hörnquist Åstrand  <lha@it.su.se>
754
755	* hxtool.c: free template
756
757	* ks_mem.c (mem_free): free key array too
758
759	* hxtool.c: free private key and tbs
760
761	* hxtool.c (hxtool_ca): free signer
762
763	* hxtool.c (crypto_available): free peer too.
764
765	* ca.c (get_AuthorityKeyIdentifier): leak less memory
766
767	* hxtool.c (hxtool_ca): free SPKI
768
769	* hxtool.c (hxtool_ca): free cert
770
771	* ks_mem.c (mem_getkeys): allocate one more the we have elements
772	so its possible to store the NULL pointer at the end.
773
7742007-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
775
776	* Makefile.am: CLEANFILES += cert-null.pem cert-sub-ca2.pem
777
7782007-02-05  Love Hörnquist Åstrand  <lha@it.su.se>
779
780	* ca.c: Disable CRLDistributionPoints for now, its IMPLICIT code
781	in the asn1 parser.
782
783	* print.c: Add some more \n's.
784
7852007-02-03  Love Hörnquist Åstrand  <lha@it.su.se>
786
787	* file.c: Allow mapping using heim_octet_string.
788
789	* hxtool.c: Add options to generate detached signatures.
790
791	* cms.c: Add flags to generate detached signatures.
792
793	* hx509.h: Flag to generate detached signatures.
794
795	* test_cms.in: Support detached sigatures.
796
797	* name.c (hx509_general_name_unparse): unparse the other
798	GeneralName nametypes.
799
800	* print.c: Use less printf. Use hx509_general_name_unparse.
801
802	* cert.c: Fix printing and plug leak-on-error.
803
8042007-01-31  Love Hörnquist Åstrand  <lha@it.su.se>
805
806	* test_ca.in: Add test for ca --crl-uri.
807
808	* hxtool.c: Add ca --crl-uri.
809
810	* hxtool-commands.in: add ca --crl-uri
811
812	* ca.c: Code to set CRLDistributionPoints in certificates.
813
814	* print.c: Check CRLDistributionPointNames.
815
816	* name.c (hx509_general_name_unparse): function for unparsing
817	GeneralName, only supports GeneralName.URI
818
819	* cert.c (is_proxy_cert): free info if we wont return it.
820
8212007-01-30  Love Hörnquist Åstrand  <lha@it.su.se>
822
823	* hxtool.c: Try to help how to use this command.
824
8252007-01-21  Love Hörnquist Åstrand  <lha@it.su.se>
826
827	* switch to sha256 as default digest for signing
828
8292007-01-20  Love Hörnquist Åstrand  <lha@it.su.se>
830
831	* test_ca.in: Really test sub-ca code, add basic constraints tests
832
8332007-01-17  Love Hörnquist Åstrand  <lha@it.su.se>
834
835	* Makefile.am: Fix makefile problem.
836
8372007-01-16  Love Hörnquist Åstrand  <lha@it.su.se>
838
839	* hxtool.c: Set num of bits before we generate the key.
840
8412007-01-15  Love Hörnquist Åstrand  <lha@it.su.se>
842
843	* cms.c (hx509_cms_create_signed_1): use hx509_cert_binary
844
845	* ks_p12.c (store_func): use hx509_cert_binary
846
847	* ks_file.c (store_func): use hx509_cert_binary
848
849	* cert.c (hx509_cert_binary): return binary encoded
850	certificate (DER format)
851
8522007-01-14  Love Hörnquist Åstrand  <lha@it.su.se>
853
854	* ca.c (hx509_ca_tbs_subject_expand): new function.
855
856	* name.c (hx509_name_expand): if env is NULL, return directly
857
858	* test_ca.in: test template handling
859
860	* hx509.h: Add template flags.
861
862	* Makefile.am: clean out new files
863
864	* hxtool.c: Add certificate template processing, fix hx509_err
865	usage.
866
867	* hxtool-commands.in: Add certificate template processing.
868
869	* ca.c: Add certificate template processing. Fix return messages
870	from hx509_ca_tbs_add_eku.
871
872	* cert.c: Export more stuff from certificate.
873
8742007-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
875
876	* ca.c: update (c)
877
878	* ca.c: (hx509_ca_tbs_add_eku): filter out dups.
879
880	* hxtool.c: Add type email and add email eku when using option
881	--email.
882
883	* Makefile.am: add env.c
884
885	* name.c: Remove abort, add error handling.
886
887	* test_name.c: test name expansion
888
889	* name.c: add hx509_name_expand
890
891	* env.c: key-value pair help functions
892
8932007-01-12  Love Hörnquist Åstrand  <lha@it.su.se>
894
895	* ca.c: Don't issue certs with subject DN that is NULL and have no
896	SANs
897
898	* print.c: Fix previous test.
899
900	* print.c: Check there is a SAN if subject DN is NULL.
901
902	* test_ca.in: test email, null subject dn
903
904	* hxtool.c: Allow setting parameters to private key generation.
905
906	* hx_locl.h: Allow setting parameters to private key generation.
907
908	* crypto.c: Allow setting parameters to private key generation.
909
910	* hxtool.c (eval_types): add jid if user gave one
911
912	* hxtool-commands.in (certificate-sign): add --jid
913
914	* ca.c (hx509_ca_tbs_add_san_jid): Allow adding
915	id-pkix-on-xmppAddr OtherName.
916
917	* print.c: Print id-pkix-on-xmppAddr OtherName.
918
9192007-01-11  Love Hörnquist Åstrand  <lha@it.su.se>
920
921	* no random, no RSA/DH tests
922
923	* hxtool.c (info): print status of random generator
924
925	* Makefile.am: remove files created by tests
926
927	* error.c: constify
928
929	* name.c: constify
930
931	* revoke.c: constify
932
933	* hx_locl.h: constify
934
935	* keyset.c: constify
936
937	* ks_p11.c: constify
938
939	* hx_locl.h: make printinfo char * argument const.
940
941	* cms.c: move _hx509_set_digest_alg from cms.c to crypto.c since
942	its only used there.
943
944	* crypto.c: remove no longer used stuff, move set_digest_alg here
945	from cms.c since its only used here.
946
947	* Makefile.am: add data/test-nopw.p12 to EXTRA_DIST
948
9492007-01-10  Love Hörnquist Åstrand  <lha@it.su.se>
950
951	* print.c: BasicConstraints vs criticality bit is complicated and
952	not really possible to evaluate on its own, silly RFC3280.
953
954	* ca.c: Make basicConstraints critical if this is a CA.
955
956	* print.c: fix the version vs extension test
957
958	* print.c: More validation checks.
959
960	* name.c (hx509_name_cmp): add
961
9622007-01-09  Love Hörnquist Åstrand  <lha@it.su.se>
963
964	* ks_p11.c (collect_private_key): Missing CKA_MODULUS is ok
965	too (XXX why should these be fetched given they are not used).
966
967	* test_ca.in: rename all files to PEM files, since that is what
968	they are.
969
970	* hxtool.c: copy out the key with the self signed CA cert
971
972	* Factor out private key operation out of the signing, operations,
973	support import, export, and generation of private keys. Add
974	support for writing PEM and PKCS12 files with private keys in them.
975
976	* data/gen-req.sh: Generate a no password pkcs12 file.
977
9782007-01-08  Love Hörnquist Åstrand  <lha@it.su.se>
979
980	* cms.c: Check for internal ASN1 encoder error.
981
9822007-01-05  Love Hörnquist Åstrand  <lha@it.su.se>
983
984	* Makefile.am: Drop most of the pkcs11 files.
985
986	* test_ca.in: test reissueing ca certificate (xxx time
987	validAfter).
988
989	* hxtool.c: Allow setting serialNumber (needed for reissuing
990	certificates) Change --key argument to --out-key.
991
992	* hxtool-commands.in (issue-certificate): Allow setting
993	serialNumber (needed for reissuing certificates), Change --key
994	argument to --out-key.
995
996	* ref: Replace with Marcus Brinkmann of g10 Code GmbH pkcs11
997	headerfile that is compatible with GPL (file taken from scute)
998
9992007-01-04  Love Hörnquist Åstrand  <lha@it.su.se>
1000
1001	* test_ca.in: Test to generate key and use them.
1002
1003	* hxtool.c: handle other keys the pkcs10 requested keys
1004
1005	* hxtool-commands.in: add generate key commands
1006
1007	* req.c (_hx509_request_to_pkcs10): PKCS10 needs to have a subject
1008
1009	* hxtool-commands.in: Spelling.
1010
1011	* ca.c (hx509_ca_tbs_set_proxy): allow negative pathLenConstraint
1012	to signal no limit
1013
1014	* ks_file.c: Try all formats on the binary file before giving up,
1015	this way we can handle binary rsa keys too.
1016
1017	* data/key2.der: new test key
1018
10192007-01-04  David Love  <fx@gnu.org>
1020
1021	* Makefile.am (hxtool_LDADD): Add libasn1.la
1022
1023	* hxtool.c (pcert_verify): Fix format string.
1024
10252006-12-31  Love Hörnquist Åstrand  <lha@it.su.se>
1026
1027	* hxtool.c: Allow setting path length
1028
1029	* cert.c: Fix test for proxy certs chain length, it was too
1030	restrictive.
1031
1032	* data: regen
1033
1034	* data/openssl.cnf: (proxy_cert) make length 0
1035
1036	* test_ca.in: Issue a long living cert.
1037
1038	* hxtool.c: add --lifetime to ca command.
1039
1040	* hxtool-commands.in: add --lifetime to ca command.
1041
1042	* ca.c: allow setting notBefore and notAfter.
1043
1044	* test_ca.in: Test generation of proxy certificates.
1045
1046	* ca.c: Allow generation of proxy certificates, always include
1047	BasicConstraints, fix error codes.
1048
1049	* hxtool.c: Allow generation of proxy certificates.
1050
1051	* test_name.c: make hx509_parse_name take a hx509_context.
1052
1053	* name.c: Split building RDN to a separate function.
1054
10552006-12-30  Love Hörnquist Åstrand  <lha@it.su.se>
1056
1057	* Makefile.am: clean test_ca files.
1058
1059	* test_ca.in: test issuing self-signed and CA certificates.
1060
1061	* hxtool.c: Add bits to allow issuing self-signed and CA
1062	certificates.
1063
1064	* hxtool-commands.in: Add bits to allow issuing self-signed and CA
1065	certificates.
1066
1067	* ca.c: Add bits to allow issuing CA certificates.
1068
1069	* revoke.c: use new OCSPSigning.
1070
1071	* ca.c: Add Subject Key Identifier.
1072
1073	* ca.c: Add Authority Key Identifier.
1074
1075	* cert.c: Locally export _hx509_find_extension_subject_key_id.
1076	Handle AuthorityKeyIdentifier where only authorityCertSerialNumber
1077	and authorityCertSerialNumber is set.
1078
1079	* hxtool-commands.in: Add dnsname and rfc822 SANs.
1080
1081	* test_ca.in: Test dnsname and rfc822 SANs.
1082
1083	* ca.c: Add dnsname and rfc822 SANs.
1084
1085	* hxtool.c: Add dnsname and rfc822 SANs.
1086
1087	* test_ca.in: test adding eku, ku and san to the
1088	certificate (https and pk-init)
1089
1090	* hxtool.c: Add eku, ku and san to the certificate.
1091
1092	* ca.c: Add eku, ku and san to the certificate.
1093
1094	* hxtool-commands.in: Add --type and --pk-init-principal
1095
1096	* ocsp.asn1: remove id-kp-OCSPSigning, its in rfc2459.asn1 now
1097
10982006-12-29  Love Hörnquist Åstrand  <lha@it.su.se>
1099
1100	* ca.c: Add KeyUsage extension.
1101
1102	* Makefile.am: add ca.c, add sign-certificate tests.
1103
1104	* crypto.c: Add _hx509_create_signature_bitstring.
1105
1106	* hxtool-commands.in: Add the sign-certificate tool.
1107
1108	* hxtool.c: Add the sign-certificate tool.
1109
1110	* cert.c: Add HX509_QUERY_OPTION_KU_KEYCERTSIGN.
1111
1112	* hx509.h: Add hx509_ca_tbs and HX509_QUERY_OPTION_KU_KEYCERTSIGN.
1113
1114	* test_ca.in: Basic test of generating a pkcs10 request, signing
1115	it and verifying the chain.
1116
1117	* ca.c: Naive certificate signer.
1118
11192006-12-28  Love Hörnquist Åstrand  <lha@it.su.se>
1120
1121	* hxtool.c: add hxtool_hex
1122
11232006-12-22  Love Hörnquist Åstrand  <lha@it.su.se>
1124
1125	* Makefile.am: use top_builddir for libasn1.la
1126
11272006-12-11  Love Hörnquist Åstrand  <lha@it.su.se>
1128
1129	* hxtool.c (print_certificate): print serial number.
1130
1131	* name.c (no): add S=stateOrProvinceName
1132
11332006-12-09  Love Hörnquist Åstrand  <lha@it.su.se>
1134
1135	* crypto.c (_hx509_private_key_assign_rsa): set a default sig alg
1136
1137	* ks_file.c (try_decrypt): pass down AlgorithmIdentifier that key
1138	uses to do sigatures so there is no need to hardcode RSA into this
1139	function.
1140
11412006-12-08  Love Hörnquist Åstrand  <lha@it.su.se>
1142
1143	* ks_file.c: Pass filename to the parse functions and use it in
1144	the error messages
1145
1146	* test_chain.in: test proxy cert (third level)
1147
1148	* hx509_err.et: fix errorstring for PROXY_CERT_NAME_WRONG
1149
1150	* data: regen
1151
1152	* Makefile.am: EXTRA_DIST: add
1153	data/proxy10-child-child-test.{key,crt}
1154
1155	* data/gen-req.sh: Fix names and restrictions on the proxy
1156	certificates
1157
1158	* cert.c: Clairfy and make proxy cert handling work for multiple
1159	levels, before it was too restrictive. More helpful error message.
1160
11612006-12-07  Love Hörnquist Åstrand  <lha@it.su.se>
1162
1163	* cert.c (check_key_usage): tell what keyusages are missing
1164
1165	* print.c: Split OtherName printing code to a oid lookup and print
1166	function.
1167
1168	* print.c (Time2string): print hour as hour not min
1169
1170	* Makefile.am: CLEANFILES += test
1171
11722006-12-06  Love Hörnquist Åstrand  <lha@it.su.se>
1173
1174	* Makefile.am (EXTRA_DIST): add data/pkinit-proxy* files
1175
1176	* Makefile.am (EXTRA_DIST): add tst-crypto* files
1177
1178	* cert.c (hx509_query_match_issuer_serial): make a copy of the
1179	data
1180
1181	* cert.c (hx509_query_match_issuer_serial): allow matching on
1182	issuer and serial num
1183
1184	* cert.c (_hx509_calculate_path): add flag to allow leaving out
1185	trust anchor
1186
1187	* cms.c (hx509_cms_create_signed_1): when building the path, omit
1188	the trust anchors.
1189
1190	* crypto.c (rsa_create_signature): Abort when signature is longer,
1191	not shorter.
1192
1193	* cms.c: Provide time to _hx509_calculate_path so we don't send no
1194	longer valid certs to our peer.
1195
1196	* cert.c (find_parent): when checking for certs and its not a
1197	trust anchor, require time be in range.
1198	(_hx509_query_match_cert): Add time validity-testing to query mask
1199
1200	* hx_locl.h: add time validity-testing to query mask
1201
1202	* test_cms.in: Tests for CMS SignedData with incomplete chain from
1203	the signer.
1204
12052006-11-28  Love Hörnquist Åstrand  <lha@it.su.se>
1206
1207	* cms.c (hx509_cms_verify_signed): specify what signature we
1208	failed to verify
1209
1210	* Makefile.am: Depend on LIB_com_err for AIX.
1211
1212	* keyset.c: Remove anther strndup that causes AIX to fall over.
1213
1214	* cert.c: Don't check the trust anchors expiration time since they
1215	are transported out of band, from RFC3820.
1216
1217	* cms.c: sprinkle more error strings
1218
1219	* crypto.c: sprinkle more error strings
1220
1221	* hxtool.c: use unsigned int as counter to fit better with the
1222	asn1 compiler
1223
1224	* crypto.c: use unsigned int as counter to fit better with the
1225	asn1 compiler
1226
12272006-11-27  Love Hörnquist Åstrand  <lha@it.su.se>
1228
1229	* cms.c: Remove trailing white space.
1230
1231	* crypto.c: rewrite comment to make more sense
1232
1233	* crypto.c (hx509_crypto_select): check sig_algs[j]->key_oid
1234
1235	* hxtool-commands.in (crypto-available): add --type
1236
1237	* crypto.c (hx509_crypto_available): let alg pass if its keyless
1238
1239	* hxtool-commands.in: Expand crypto-select
1240
1241	* cms.c: Rename hx509_select to hx509_crypto_select.
1242
1243	* hxtool-commands.in: Add crypto-select and crypto-available.
1244
1245	* hxtool.c: Add crypto-select and crypto-available.
1246
1247	* crypto.c (hx509_crypto_available): use right index.
1248	(hx509_crypto_free_algs): new function
1249
1250	* crypto.c (hx509_crypto_select): improve
1251	(hx509_crypto_available): new function
1252
12532006-11-26  Love Hörnquist Åstrand  <lha@it.su.se>
1254
1255	* cert.c: Sprinkle more error string and hx509_contexts.
1256
1257	* cms.c: Sprinkle more error strings.
1258
1259	* crypto.c: Sprinkle error string and hx509_contexts.
1260
1261	* crypto.c: Add some more comments about how this works.
1262
1263	* crypto.c (hx509_select): new function.
1264
1265	* Makefile.am: add peer.c
1266
1267	* hxtool.c: Update hx509_cms_create_signed_1.
1268
1269	* hx_locl.h: add struct hx509_peer_info
1270
1271	* peer.c: Allow selection of digest/sig-alg
1272
1273	* cms.c: Allow selection of a better digest using hx509_peer_info.
1274
1275	* revoke.c: Handle that _hx509_verify_signature takes a context.
1276
1277	* cert.c: Handle that _hx509_verify_signature takes a context.
1278
12792006-11-25  Love Hörnquist Åstrand  <lha@it.su.se>
1280
1281	* cms.c: Sprinkle error strings.
1282
1283	* crypto.c: Sprinkle context and error strings.
1284
12852006-11-24  Love Hörnquist Åstrand  <lha@it.su.se>
1286
1287	* name.c: Handle printing and parsing raw oids in name.
1288
12892006-11-23  Love Hörnquist Åstrand  <lha@it.su.se>
1290
1291	* cert.c (_hx509_calculate_path): allow to calculate optimistic
1292	path when we don't know the trust anchors, just follow the chain
1293	upward until we no longer find a parent or we hit the max limit.
1294
1295	* cms.c (hx509_cms_create_signed_1): provide a best effort path to
1296	the trust anchors to be stored in the SignedData packet, if find
1297	parents until trust anchor or max length.
1298
1299	* data: regen
1300
1301	* data/gen-req.sh: Build pk-init proxy cert.
1302
13032006-11-16  Love Hörnquist Åstrand  <lha@it.su.se>
1304
1305	* error.c (hx509_get_error_string): Put ", " between strings in
1306	error message.
1307
13082006-11-13  Love Hörnquist Åstrand  <lha@it.su.se>
1309
1310	* data/openssl.cnf: Change realm to TEST.H5L.SE
1311
13122006-11-07  Love Hörnquist Åstrand  <lha@it.su.se>
1313
1314	* revoke.c: Sprinkle error strings.
1315
13162006-11-04  Love Hörnquist Åstrand  <lha@it.su.se>
1317
1318	* hx_locl.h: add context variable to cmp function.
1319
1320	* cert.c (hx509_query_match_cmp_func): allow setting the match
1321	function.
1322
13232006-10-24  Love Hörnquist Åstrand  <lha@it.su.se>
1324
1325	* ks_p11.c: Return less EINVAL.
1326
1327	* hx509_err.et: add more pkcs11 errors
1328
1329	* hx509_err.et: more error-codes
1330
1331	* revoke.c: Return less EINVAL.
1332
1333	* ks_dir.c: sprinkel more hx509_set_error_string
1334
1335	* ks_file.c: Return less EINVAL.
1336
1337	* hxtool.c: Pass in context to _hx509_parse_private_key.
1338
1339	* ks_file.c: Sprinkle more hx509_context so we can return propper
1340	errors.
1341
1342	* hx509_err.et: add HX509_PARSING_KEY_FAILED
1343
1344	* crypto.c: Sprinkle more hx509_context so we can return propper
1345	errors.
1346
1347	* collector.c: No more EINVAL.
1348
1349	* hx509_err.et: add HX509_LOCAL_ATTRIBUTE_MISSING
1350
1351	* cert.c (hx509_cert_get_base_subject): one less EINVAL
1352	(_hx509_cert_private_decrypt): one less EINVAL
1353
13542006-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
1355
1356	* collector.c: indent
1357
1358	* hxtool.c: Try to not leak memory.
1359
1360	* req.c: clean memory before free
1361
1362	* crypto.c (_hx509_private_key2SPKI): indent
1363
1364	* req.c: Try to not leak memory.
1365
13662006-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
1367
1368	* test_crypto.in: Read 50 kilobyte random data
1369
1370	* revoke.c: Try to not leak memory.
1371
1372	* hxtool.c: Try to not leak memory.
1373
1374	* crypto.c (hx509_crypto_destroy): free oid.
1375
1376	* error.c: Clean error string on failure just to make sure.
1377
1378	* cms.c: Try to not leak memory (again).
1379
1380	* hxtool.c: use a sensable content type
1381
1382	* cms.c: Try harder to free certificate.
1383
13842006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
1385
1386	* Makefile.am: Add make check data.
1387
13882006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>
1389
1390	* ks_p11.c (p11_list_keys): make element of search_data[0]
1391	constants and set them later
1392
1393	* Makefile.am: Add more files.
1394
13952006-10-17  Love Hörnquist Åstrand  <lha@it.su.se>
1396
1397	* ks_file.c: set ret, remember to free ivdata
1398
13992006-10-16  Love Hörnquist Åstrand  <lha@it.su.se>
1400
1401	* hx_locl.h: Include <parse_bytes.h>.
1402
1403	* test_crypto.in: Test random-data.
1404
1405	* hxtool.c: RAND_bytes() return 1 for cryptographic strong data,
1406	check for that.
1407
1408	* Makefile.am: clean random-data
1409
1410	* hxtool.c: Add random-data command, use sl_slc_help.
1411
1412	* hxtool-commands.in: Add random-data.
1413
1414	* ks_p12.c: Remember to release certs.
1415
1416	* ks_p11.c: Remember to release certs.
1417
14182006-10-14  Love Hörnquist Åstrand  <lha@it.su.se>
1419
1420	* prefix der primitives with der_
1421
1422	* lock.c: Match the prompt type PROMPT exact.
1423
1424	* hx_locl.h: Drop heim_any.h
1425
14262006-10-11  Love Hörnquist Åstrand  <lha@it.su.se>
1427
1428	* ks_p11.c (p11_release_module): j needs to be used as inter loop
1429	index. From Douglas Engert.
1430
1431	* ks_file.c (parse_rsa_private_key): try all passwords and
1432	prompter.
1433
14342006-10-10  Love Hörnquist Åstrand  <lha@it.su.se>
1435
1436	* test_*.in: Parameterise the invocation of hxtool, so we can make
1437	it run under TESTS_ENVIRONMENT. From Andrew Bartlett
1438
14392006-10-08  Love Hörnquist Åstrand  <lha@it.su.se>
1440
1441	* test_crypto.in: Put all test stuck at 2006-09-25 since all their
1442	chains where valied then.
1443
1444	* hxtool.c: Implement --time= option.
1445
1446	* hxtool-commands.in: Add option time.
1447
1448	* Makefile.am: test_name is a PROGRAM_TESTS
1449
1450	* ks_p11.c: Return HX509_PKCS11_NO_SLOT when there are no slots
1451	and HX509_PKCS11_NO_TOKEN when there are no token. For use in PAM
1452	modules that want to detect when to use smartcard login and when
1453	not to. Patched based on code from Douglas Engert.
1454
1455	* hx509_err.et: Add new pkcs11 related errors in a new section:
1456	keystore related error.  Patched based on code from Douglas
1457	Engert.
1458
14592006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
1460
1461	* Makefile.am: Make depenency for slc built files just like
1462	everywhere else.
1463
1464	* cert.c: Add all openssl algs and init asn1 et
1465
14662006-10-06  Love Hörnquist Åstrand  <lha@it.su.se>
1467
1468	* ks_file.c (parse_rsa_private_key): free type earlier.
1469
1470	* ks_file.c (parse_rsa_private_key): free type after use
1471
1472	* name.c (_hx509_Name_to_string): remove dup const
1473
14742006-10-02  Love Hörnquist Åstrand  <lha@it.su.se>
1475
1476	* Makefile.am: Add more libs to libhx509
1477
14782006-10-01  Love Hörnquist Åstrand  <lha@it.su.se>
1479
1480	* ks_p11.c: Fix double free's, NULL ptr de-reference, and conform
1481	better to pkcs11.  From Douglas Engert.
1482
1483	* ref: remove ^M, it breaks solaris 10s cc. From Harald Barth
1484
14852006-09-19  Love Hörnquist Åstrand  <lha@it.su.se>
1486
1487	* test_crypto.in: Bleichenbacher bad cert from Ralf-Philipp
1488	Weinmann and Andrew Pyshkin, pad right.
1489
1490	* data: starfield test root cert and Ralf-Philipp and Andreis
1491	correctly padded bad cert
1492
14932006-09-15  Love Hörnquist Åstrand  <lha@it.su.se>
1494
1495	* test_crypto.in: Add test for yutaka certs.
1496
1497	* cert.c: Add a strict rfc3280 verification flag. rfc3280 requires
1498	certificates to have KeyUsage.keyCertSign if they are to be used
1499	for signing of certificates, but the step in the verifiation is
1500	optional.
1501
1502	* hxtool.c: Improve printing and error reporting.
1503
15042006-09-13  Love Hörnquist Åstrand  <lha@it.su.se>
1505
1506	* test_crypto.in,Makefile.am,data/bleichenbacher-{bad,good}.pem:
1507	test bleichenbacher from eay
1508
15092006-09-12  Love Hörnquist Åstrand  <lha@it.su.se>
1510
1511	* hxtool.c: Make common function for all getarg_strings and
1512	hx509_certs_append commonly used.
1513
1514	* cms.c: HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT is a negative
1515	flag, treat it was such.
1516
15172006-09-11  Love Hörnquist Åstrand  <lha@it.su.se>
1518
1519	* req.c: Use the new add_GeneralNames function.
1520
1521	* hx509.h: Add HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT.
1522
1523	* ks_p12.c: Adapt to new signature of hx509_cms_unenvelope.
1524
1525	* hxtool.c: Adapt to new signature of hx509_cms_unenvelope.
1526
1527	* cms.c: Allow passing in encryptedContent and flag.  Add new flag
1528	HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT.
1529
15302006-09-08  Love Hörnquist Åstrand  <lha@it.su.se>
1531
1532	* ks_p11.c: cast void * to char * when using it for %s formating
1533	in printf.
1534
1535	* name.c: New function _hx509_Name_to_string.
1536
15372006-09-07  Love Hörnquist Åstrand  <lha@it.su.se>
1538
1539	* ks_file.c: Sprinkle error messages.
1540
1541	* cms.c: Sprinkle even more error messages.
1542
1543	* cms.c: Sprinkle some error messages.
1544
1545	* cms.c (find_CMSIdentifier): only free string when we allocated
1546	one.
1547
1548	* ks_p11.c: Don't build most of the pkcs11 module if there are no
1549	dlopen().
1550
15512006-09-06  Love Hörnquist Åstrand  <lha@it.su.se>
1552
1553	* cms.c (hx509_cms_unenvelope): try to save the error string from
1554	find_CMSIdentifier so we have one more bit of information what
1555	went wrong.
1556
1557	* hxtool.c: More pretty printing, make verify_signed return the
1558	error string from the library.
1559
1560	* cms.c: Try returning what certificates failed to parse or be
1561	found.
1562
1563	* ks_p11.c (p11_list_keys): fetch CKA_LABEL and use it to set the
1564	friendlyname for the certificate.
1565
15662006-09-05  Love Hörnquist Åstrand  <lha@it.su.se>
1567
1568	* crypto.c: check that there are no extra bytes in the checksum
1569	and that the parameters are NULL or the NULL-type. All to avoid
1570	having excess data that can be used to fake the signature.
1571
1572	* hxtool.c: print keyusage
1573
1574	* print.c: add hx509_cert_keyusage_print, simplify oid printing
1575
1576	* cert.c: add _hx509_cert_get_keyusage
1577
1578	* ks_p11.c: keep one session around for the whole life of the keyset
1579
1580	* test_query.in: tests more selection
1581
1582	* hxtool.c: improve pretty printing in print and query
1583
1584	* hxtool{.c,-commands.in}: add selection on KU and printing to query
1585
1586	* test_cms.in: Add cms test for digitalSignature and
1587	keyEncipherment certs.
1588
1589	* name.c (no): Add serialNumber
1590
1591	* ks_p11.c (p11_get_session): return better error messages
1592
15932006-09-04  Love Hörnquist Åstrand  <lha@it.su.se>
1594
1595	* ref: update to pkcs11 reference files 2.20
1596
1597	* ks_p11.c: add more mechflags
1598
1599	* name.c (no): add OU and sort
1600
1601	* revoke.c: pass context to _hx509_create_signature
1602
1603	* ks_p11.c (p11_printinfo): print proper plural s
1604
1605	* ks_p11.c: save the mechs supported when initing the token, print
1606	them in printinfo.
1607
1608	* hx_locl.h: Include <parse_units.h>.
1609
1610	* cms.c: pass context to _hx509_create_signature
1611
1612	* req.c: pass context to _hx509_create_signature
1613
1614	* keyset.c (hx509_certs_info): print information about the keyset.
1615
1616	* hxtool.c (pcert_print) print keystore info when --info flag is
1617	given.
1618
1619	* hxtool-commands.in: Add hxtool print --info.
1620
1621	* test_query.in: Test hxtool print --info.
1622
1623	* hx_locl.h (hx509_keyset_ops): add printinfo
1624
1625	* crypto.c: Start to hang the private key operations of the
1626	private key, pass hx509_context to create_checksum.
1627
16282006-05-29  Love Hörnquist Åstrand  <lha@it.su.se>
1629
1630	* ks_p11.c: Iterate over all slots, not just the first/selected
1631	one.
1632
16332006-05-27  Love Hörnquist Åstrand  <lha@it.su.se>
1634
1635	* cert.c: Add release function for certifiates so backend knowns
1636	when its no longer used.
1637
1638	* ks_p11.c: Add reference counting on certifiates, push out
1639	CK_SESSION_HANDLE from slot.
1640
1641	* cms.c: sprinkle more hx509_clear_error_string
1642
16432006-05-22  Love Hörnquist Åstrand  <lha@it.su.se>
1644
1645	* ks_p11.c: Sprinkle some hx509_set_error_strings
1646
16472006-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
1648
1649	* hxtool.c: Avoid shadowing.
1650
1651	* revoke.c: Avoid shadowing.
1652
1653	* ks_file.c: Avoid shadowing.
1654
1655	* cert.c: Avoid shadowing.
1656
16572006-05-12  Love Hörnquist Åstrand  <lha@it.su.se>
1658
1659	* lock.c (hx509_prompt_hidden): reshuffle to avoid gcc warning
1660
1661	* hx509.h: Reshuffle the prompter types, remove the hidden field.
1662
1663	* lock.c (hx509_prompt_hidden): return if the prompt should be
1664	hidden or not
1665
1666	* revoke.c (hx509_revoke_free): allow free of NULL.
1667
16682006-05-11  Love Hörnquist Åstrand  <lha@it.su.se>
1669
1670	* ks_file.c (file_init): Avoid shadowing ret (and thus avoiding
1671	crashing).
1672
1673	* ks_dir.c: Implement DIR: caches useing FILE: caches.
1674
1675	* ks_p11.c: Catch more errors.
1676
16772006-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
1678
1679	* crypto.c (hx509_crypto_encrypt): free correctly in error
1680	path. From Andrew Bartlett.
1681
1682	* crypto.c: If RAND_bytes fails, then we will attempt to
1683	double-free crypt->key.data.  From Andrew Bartlett.
1684
16852006-05-05  Love Hörnquist Åstrand  <lha@it.su.se>
1686
1687	* name.c: Rename u_intXX_t to uintXX_t
1688
16892006-05-03  Love Hörnquist Åstrand  <lha@it.su.se>
1690
1691	* TODO: More to do about the about the PKCS11 code.
1692
1693	* ks_p11.c: Use the prompter from the lock function.
1694
1695	* lock.c: Deal with that hx509_prompt.reply is no longer a
1696	pointer.
1697
1698	* hx509.h: Make hx509_prompt.reply not a pointer.
1699
17002006-05-02  Love Hörnquist Åstrand  <lha@it.su.se>
1701
1702	* keyset.c: Sprinkle setting error strings.
1703
1704	* crypto.c: Sprinkle setting error strings.
1705
1706	* collector.c: Sprinkle setting error strings.
1707
1708	* cms.c: Sprinkle setting error strings.
1709
17102006-05-01  Love Hörnquist Åstrand  <lha@it.su.se>
1711
1712	* test_name.c: renamed one error code
1713
1714	* name.c: renamed one error code
1715
1716	* ks_p11.c: _hx509_set_cert_attribute changed signature
1717
1718	* hxtool.c (pcert_print): use hx509_err so I can test it
1719
1720	* error.c (hx509_set_error_stringv): clear errors on malloc
1721	failure
1722
1723	* hx509_err.et: Add some more errors
1724
1725	* cert.c: Sprinkle setting error strings.
1726
1727	* cms.c: _hx509_path_append changed signature.
1728
1729	* revoke.c: changed signature of _hx509_check_key_usage
1730
1731	* keyset.c: changed signature of _hx509_query_match_cert
1732
1733	* hx509.h: Add support for error strings.
1734
1735	* cms.c: changed signature of _hx509_check_key_usage
1736
1737	* Makefile.am: ibhx509_la_files += error.c
1738
1739	* ks_file.c: Sprinkel setting error strings.
1740
1741	* cert.c: Sprinkel setting error strings.
1742
1743	* hx_locl.h: Add support for error strings.
1744
1745	* error.c: Add string error handling functions.
1746
1747	* keyset.c (hx509_certs_init): pass the right error code back
1748
17492006-04-30  Love Hörnquist Åstrand  <lha@it.su.se>
1750
1751	* revoke.c: Revert previous patch.
1752	(hx509_ocsp_verify): new function that returns the expiration of
1753	certificate in ocsp data-blob
1754
1755	* cert.c: Reverse previous patch, lets do it another way.
1756
1757	* cert.c (hx509_revoke_verify): update usage
1758
1759	* revoke.c: Make compile.
1760
1761	* revoke.c: Add the expiration time the crl/ocsp info expire
1762
1763	* name.c: Add hx509_name_is_null_p
1764
1765	* cert.c: remove _hx509_cert_private_sigature
1766
17672006-04-29  Love Hörnquist Åstrand  <lha@it.su.se>
1768
1769	* name.c: Expose more of Name.
1770
1771	* hxtool.c (main): add missing argument to printf
1772
1773	* data/openssl.cnf: Add EKU for the KDC certificate
1774
1775	* cert.c (hx509_cert_get_base_subject): reject un-canon proxy
1776	certs, not the reverse
1777	(add_to_list): constify and fix argument order to
1778	copy_octet_string
1779	(hx509_cert_find_subjectAltName_otherName): make work
1780
17812006-04-28  Love Hörnquist Åstrand  <lha@it.su.se>
1782
1783	* data/{pkinit,kdc}.{crt,key}: pkinit certificates
1784
1785	* data/gen-req.sh: Generate pkinit certificates.
1786
1787	* data/openssl.cnf: Add pkinit glue.
1788
1789	* cert.c (hx509_verify_hostname): implement stub function
1790
17912006-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
1792
1793	* TODO: CRL delta support
1794
17952006-04-26 Love Hörnquist Åstrand <lha@it.su.se>
1796
1797	* data/.cvsignore: ignore leftover from OpenSSL cert generation
1798
1799	* hx509_err.et: Add name malformated error
1800
1801	* name.c (hx509_parse_name): don't abort on error, rather return
1802	error
1803
1804	* test_name.c: Test failure parsing name.
1805
1806	* cert.c: When verifying certificates, store subject basename for
1807	later consumption.
1808
1809	* test_name.c: test to parse and print name and check that they
1810	are the same.
1811
1812	* name.c (hx509_parse_name): fix length argument to printf string
1813
1814	* name.c (hx509_parse_name): fix length argument to stringtooid, 1
1815	too short.
1816
1817	* cert.c: remove debug printf's
1818
1819	* name.c (hx509_parse_name): make compile pre c99
1820
1821	* data/gen-req.sh: OpenSSL have a serious issue of user confusion
1822	-subj in -ca takes the arguments in LDAP order. -subj for x509
1823	takes it in x509 order.
1824
1825	* cert.c (hx509_verify_path): handle the case where the where two
1826	proxy certs in a chain.
1827
1828	* test_chain.in: enable two proxy certificates in a chain test
1829
1830	* test_chain.in: tests proxy certificates
1831
1832	* data: re-gen
1833
1834	* data/gen-req.sh: build proxy certificates
1835
1836	* data/openssl.cnf: add def for proxy10_cert
1837
1838	* hx509_err.et: Add another proxy certificate error.
1839
1840	* cert.c (hx509_verify_path): Need to mangle name to remove the CN
1841	of the subject, copying issuer only works for one level but is
1842	better then doing no checking at all.
1843
1844	* hxtool.c: Add verify --allow-proxy-certificate.
1845
1846	* hxtool-commands.in: add verify --allow-proxy-certificate
1847
1848	* hx509_err.et: Add proxy certificate errors.
1849
1850	* cert.c: Fix comment about subject name of proxy certificate.
1851
1852	* test_chain.in: tests for proxy certs
1853
1854	* data/gen-req.sh: gen proxy and non-proxy tests certificates
1855
1856	* data/openssl.cnf: Add definition for proxy certs
1857
1858	* data/*proxy-test.*: Add proxy certificates
1859
1860	* cert.c (hx509_verify_path): verify proxy certificate have no san
1861	or ian
1862
1863	* cert.c (hx509_verify_set_proxy_certificate): Add
1864	(*): rename policy cert to proxy cert
1865
1866	* cert.c: Initial support for proxy certificates.
1867
18682006-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
1869
1870	* hxtool.c: some error checking
1871
1872	* name.c: Switch over to asn1 generaed oids.
1873
1874	* TODO: merge with old todo file
1875
18762006-04-23 Love Hörnquist Åstrand <lha@it.su.se>
1877
1878	* test_query.in: make quiet
1879
1880	* test_req.in: SKIP test if there is no RSA support.
1881
1882	* hxtool.c: print dh method too
1883
1884	* test_chain.in: SKIP test if there is no RSA support.
1885
1886	* test_cms.in: SKIP test if there is no RSA support.
1887
1888	* test_nist.in: SKIP test if there is no RSA support.
1889
18902006-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
1891
1892	* hxtool-commands.in: Allow passing in pool and anchor to
1893	signedData
1894
1895	* hxtool.c: Allow passing in pool and anchor to signedData
1896
1897	* test_cms.in: Test that certs in signed data is picked up.
1898
1899	* hx_locl.h: Expose the path building function to internal
1900	functions.
1901
1902	* cert.c: Expose the path building function to internal functions.
1903
1904	* hxtool-commands.in: cms-envelope: Add support for choosing the
1905	encryption type
1906
1907	* hxtool.c (cms_create_enveloped): Add support for choosing the
1908	encryption type
1909
1910	* test_cms.in: Test generating des-ede3 aes-128 aes-256 enveloped
1911	data
1912
1913	* crypto.c: Add names to cipher types.
1914
1915	* cert.c (hx509_query_match_friendly_name): fix return value
1916
1917	* data/gen-req.sh: generate tests for enveloped data using
1918	des-ede3 and aes256
1919
1920	* test_cms.in: add tests for enveloped data using des-ede3 and
1921	aes256
1922
1923	* cert.c (hx509_query_match_friendly_name): New function.
1924
19252006-04-21  Love Hörnquist Åstrand  <lha@it.su.se>
1926
1927	* ks_p11.c: Add support for parsing slot-number.
1928
1929	* crypto.c (oid_private_rc2_40): simply
1930
1931	* crypto.c: Use oids from asn1 generator.
1932
1933	* ks_file.c (file_init): reset length when done with a part
1934
1935	* test_cms.in: check with test.combined.crt.
1936
1937	* data/gen-req.sh: Create test.combined.crt.
1938
1939	* test_cms.in: Test signed data using keyfile that is encrypted.
1940
1941	* ks_file.c: Remove (commented out) debug printf
1942
1943	* ks_file.c (parse_rsa_private_key): use EVP_get_cipherbyname
1944
1945	* ks_file.c (parse_rsa_private_key): make working for one
1946	password.
1947
1948	* ks_file.c (parse_rsa_private_key): Implement enought for
1949	testing.
1950
1951	* hx_locl.h: Add <ctype.h>
1952
1953	* ks_file.c: Add glue code for PEM encrypted password files.
1954
1955	* test_cms.in: Add commeted out password protected PEM file,
1956	remove password for those tests that doesn't need it.
1957
1958	* test_cms.in: adapt test now that we can use any certificate and
1959	trust anchor
1960
1961	* collector.c: handle PEM RSA PRIVATE KEY files
1962
1963	* cert.c: Remove unused function.
1964
1965	* ks_dir.c: move code here from ks_file.c now that its no longer
1966	used.
1967
1968	* ks_file.c: Add support for parsing unencrypted RSA PRIVATE KEY
1969
1970	* crypto.c: Handle rsa private keys better.
1971
19722006-04-20  Love Hörnquist Åstrand <lha@it.su.se>
1973
1974	* hxtool.c: Use hx509_cms_{,un}wrap_ContentInfo
1975
1976	* cms.c: Make hx509_cms_{,un}wrap_ContentInfo usable in asn1
1977	un-aware code.
1978
1979	* cert.c (hx509_verify_path): if trust anchor is not self signed,
1980	don't check sig From Douglas Engert.
1981
1982	* test_chain.in: test "sub-cert -> sub-ca"
1983
1984	* crypto.c: Use the right length for the sha256 checksums.
1985
19862006-04-15  Love Hörnquist Åstrand  <lha@it.su.se>
1987
1988	* crypto.c: Fix breakage from sha256 code.
1989
1990	* crypto.c: Add SHA256 support, and symbols for the other new
1991	SHA-2 types.
1992
19932006-04-14  Love Hörnquist Åstrand  <lha@it.su.se>
1994
1995	* test_cms.in: test rc2-40 rc2-64 rc2-128 enveloped data
1996
1997	* data/test-enveloped-rc2-{40,64,128}: add tests cases for rc2
1998
1999	* cms.c: Update prototypes changes for hx509_crypto_[gs]et_params.
2000
2001	* crypto.c: Break out the parameter handling code for encrypting
2002	data to handle RC2.  Needed for Windows 2k pk-init support.
2003
20042006-04-04  Love Hörnquist Åstrand <lha@it.su.se>
2005
2006	* Makefile.am: Split libhx509_la_SOURCES into build file and
2007	distributed files so we can avoid building prototypes for
2008	build-files.
2009
20102006-04-03  Love Hörnquist Åstrand  <lha@it.su.se>
2011
2012	* TODO: split certificate request into pkcs10 and CRMF
2013
2014	* hxtool-commands.in: Add nonce flag to ocsp-fetch
2015
2016	* hxtool.c: control sending nonce
2017
2018	* hxtool.c (request_create): store the request in a file, no in
2019	bitbucket.
2020
2021	* cert.c: expose print_cert_subject internally
2022
2023	* hxtool.c: Add ocsp_print.
2024
2025	* hxtool-commands.in: New command "ocsp-print".
2026
2027	* hx_locl.h: Include <hex.h>.
2028
2029	* revoke.c (verify_ocsp): require issuer to match too.
2030	(free_ocsp): new function
2031	(hx509_revoke_ocsp_print): new function, print ocsp reply
2032
2033	* Makefile.am: build CRMF files
2034
2035	* data/key.der: needed for cert request test
2036
2037	* test_req.in: adapt to rename of pkcs10-create to request-create
2038
2039	* hxtool.c: adapt to rename of pkcs10-create to request-create
2040
2041	* hxtool-commands.in: Rename pkcs10-create to request-create
2042
2043	* crypto.c: (_hx509_parse_private_key): Avoid crashing on bad input.
2044
2045	* hxtool.c (pkcs10_create): use opt->subject_string
2046
2047	* hxtool-commands.in: Add pkcs10-create --subject
2048
2049	* Makefile.am: Add test_req to tests.
2050
2051	* test_req.in: Test for pkcs10 commands.
2052
2053	* name.c (hx509_parse_name): new function.
2054
2055	* hxtool.c (pkcs10_create): implement
2056
2057	* hxtool-commands.in (pkcs10-create): Add arguments
2058
2059	* crypto.c: Add _hx509_private_key2SPKI and support
2060	functions (only support RSA for now).
2061
20622006-04-02  Love Hörnquist Åstrand  <lha@it.su.se>
2063
2064	* hxtool-commands.in: Add pkcs10-create command.
2065
2066	* hx509.h: Add hx509_request.
2067
2068	* TODO: more stuff
2069
2070	* Makefile.am: Add req.c
2071
2072	* req.c: Create certificate requests, prototype converts the
2073	request in a pkcs10 packet.
2074
2075	* hxtool.c: Add pkcs10_create
2076
2077	* name.c (hx509_name_copy): new function.
2078
20792006-04-01  Love Hörnquist Åstrand  <lha@it.su.se>
2080
2081	* TODO: fill out what do
2082
2083	* hxtool-commands.in: add pkcs10-print
2084
2085	* hx_locl.h: Include <pkcs10_asn1.h>.
2086
2087	* pkcs10.asn1: PKCS#10
2088
2089	* hxtool.c (pkcs10_print): new function.
2090
2091	* test_chain.in: test ocsp keyhash
2092
2093	* data: generate ocsp keyhash version too
2094
2095	* revoke.c (load_ocsp): test that we got back a BasicReponse
2096
2097	* ocsp.asn1: Add asn1_id_pkix_ocsp*.
2098
2099	* Makefile.am: Add asn1_id_pkix_ocsp*.
2100
2101	* cert.c: Add HX509_QUERY_MATCH_KEY_HASH_SHA1
2102
2103	* hx_locl.h: Add HX509_QUERY_MATCH_KEY_HASH_SHA1
2104
2105	* revoke.c: Support OCSPResponderID.byKey, indent.
2106
2107	* revoke.c (hx509_ocsp_request): Add nonce to ocsp request.
2108
2109	* hxtool.c: Add nonce to ocsp request.
2110
2111	* test_chain.in: Added crl tests
2112
2113	* data/nist-data: rename missing-crl to missing-revoke
2114
2115	* data: make ca use openssl ca command so we can add ocsp tests,
2116	and regen certs
2117
2118	* test_chain.in: Add revoked ocsp cert test
2119
2120	* cert.c: rename missing-crl to missing-revoke
2121
2122	* revoke.c: refactor code, fix a un-init-ed variable
2123
2124	* test_chain.in: rename missing-crl to missing-revoke add ocsp
2125	tests
2126
2127	* test_cms.in: rename missing-crl to missing-revoke
2128
2129	* hxtool.c: rename missing-crl to missing-revoke
2130
2131	* hxtool-commands.in: rename missing-crl to missing-revoke
2132
2133	* revoke.c: Plug one memory leak.
2134
2135	* revoke.c: Renamed generic CRL related errors.
2136
2137	* hx509_err.et: Comments and renamed generic CRL related errors
2138
2139	* revoke.c: Add ocsp checker.
2140
2141	* ocsp.asn1: Add id-kp-OCSPSigning
2142
2143	* hxtool-commands.in: add url-path argument to ocsp-fetch
2144
2145	* hxtool.c: implement ocsp-fetch
2146
2147	* cert.c: Use HX509_DEFAULT_OCSP_TIME_DIFF.
2148
2149	* hx_locl.h: Add ocsp_time_diff to hx509_context
2150
2151	* crypto.c (_hx509_verify_signature_bitstring): new function,
2152	commonly use when checking certificates
2153
2154	* cms.c (hx509_cms_envelope_1): check for internal ASN.1 encoder
2155	error
2156
2157	* cert.c: Add ocsp glue, use new
2158	_hx509_verify_signature_bitstring, add eku checking function.
2159
21602006-03-31  Love Hörnquist Åstrand  <lha@it.su.se>
2161
2162	* Makefile.am: add id_kp_OCSPSigning.x
2163
2164	* revoke.c: Pick out certs in ocsp response
2165
2166	* TODO: list of stuff to verify
2167
2168	* revoke.c: Add code to load OCSPBasicOCSPResponse files, reload
2169	crl when its changed on disk.
2170
2171	* cert.c: Update for ocsp merge. handle building path w/o
2172	subject (using subject key id)
2173
2174	* ks_p12.c: _hx509_map_file changed prototype.
2175
2176	* file.c: _hx509_map_file changed prototype, returns struct stat
2177	if requested.
2178
2179	* ks_file.c: _hx509_map_file changed prototype.
2180
2181	* hxtool.c: Add stub for ocsp-fetch, _hx509_map_file changed
2182	prototype, add ocsp parsing to verify command.
2183
2184	* hx_locl.h: rename HX509_CTX_CRL_MISSING_OK to
2185	HX509_CTX_VERIFY_MISSING_OK now that we have OCSP glue
2186
21872006-03-30  Love Hörnquist Åstrand  <lha@it.su.se>
2188
2189	* hx_locl.h: Add <krb5-types.h> to make it compile on Solaris,
2190	from Alex V. Labuta.
2191
21922006-03-28  Love Hörnquist Åstrand  <lha@it.su.se>
2193
2194	* crypto.c (_hx509_pbe_decrypt): try all passwords, not just the
2195	first one.
2196
21972006-03-27  Love Hörnquist Åstrand  <lha@it.su.se>
2198
2199	* print.c (check_altName): Print the othername oid.
2200
2201	* crypto.c: Manual page claims RSA_public_decrypt will return -1
2202	on error, lets check for that
2203
2204	* crypto.c (_hx509_pbe_decrypt): also try the empty password
2205
2206	* collector.c (match_localkeyid): no need to add back the cert to
2207	the cert pool, its already there.
2208
2209	* crypto.c: Add REQUIRE_SIGNER
2210
2211	* cert.c (hx509_cert_free): ok to free NULL
2212
2213	* hx509_err.et: Add new error code SIGNATURE_WITHOUT_SIGNER.
2214
2215	* name.c (_hx509_name_ds_cmp): make DirectoryString case
2216	insenstive
2217	(hx509_name_to_string): less spacing
2218
2219	* cms.c: Check for signature error, check consitency of error
2220
22212006-03-26  Love Hörnquist Åstrand  <lha@it.su.se>
2222
2223	* collector.c (_hx509_collector_alloc): handle errors
2224
2225	* cert.c (hx509_query_alloc): allocate slight more more then a
2226	sizeof(pointer)
2227
2228	* crypto.c (_hx509_private_key_assign_key_file): ask for password
2229	if nothing matches.
2230
2231	* cert.c: Expose more of the hx509_query interface.
2232
2233	* collector.c: hx509_certs_find is now exposed.
2234
2235	* cms.c: hx509_certs_find is now exposed.
2236
2237	* revoke.c: hx509_certs_find is now exposed.
2238
2239	* keyset.c (hx509_certs_free): allow free-ing NULL
2240	(hx509_certs_find): expose
2241	(hx509_get_one_cert): new function
2242
2243	* hxtool.c: hx509_certs_find is now exposed.
2244
2245	* hx_locl.h: Remove hx509_query, its exposed now.
2246
2247	* hx509.h: Add hx509_query.
2248
22492006-02-22  Love Hörnquist Åstrand  <lha@it.su.se>
2250
2251	* cert.c: Add exceptions for null (empty) subjectNames
2252
2253	* data/nist-data: Add some more name constraints tests.
2254
2255	* data/nist-data: Add some of the test from 4.13 Name Constraints.
2256
2257	* cert.c: Name constraits needs to be evaluated in block as they
2258	appear in the certificates, they can not be joined to one
2259	list. One example of this is:
2260
2261	- cert is cn=foo,dc=bar,dc=baz
2262	- subca is dc=foo,dc=baz with name restriction dc=kaka,dc=baz
2263	- ca is dc=baz with name restriction dc=baz
2264
2265	If the name restrictions are merged to a list, the certificate
2266	will pass this test.
2267
22682006-02-14 Love Hörnquist Åstrand <lha@it.su.se>
2269
2270	* cert.c: Handle more name constraints cases.
2271
2272	* crypto.c (dsa_verify_signature): if test if malloc failed
2273
22742006-01-31  Love Hörnquist Åstrand  <lha@it.su.se>
2275
2276	* cms.c: Drop partial pkcs12 string2key implementation.
2277
22782006-01-20  Love Hörnquist Åstrand  <lha@it.su.se>
2279
2280	* data/nist-data: Add commited out DSA tests (they fail).
2281
2282	* data/nist-data: Add 4.2 Validity Periods.
2283
2284	* test_nist.in: Make less verbose to use.
2285
2286	* Makefile.am: Add test_nist_cert.
2287
2288	* data/nist-data: Add some more CRL-tests.
2289
2290	* test_nist.in: Print $id instead of . when running the tests.
2291
2292	* test_nist.in: Drop verifying certifiates, its done in another
2293	test now.
2294
2295	* data/nist-data: fixup kill-rectangle leftovers
2296
2297	* data/nist-data: Drop verifying certifiates, its done in another
2298	test now.  Add more crl tests. comment out all unused tests.
2299
2300	* test_nist_cert.in: test parse all nist certs
2301
23022006-01-19  Love Hörnquist Åstrand  <lha@it.su.se>
2303
2304	* hx509_err.et: Add HX509_CRL_UNKNOWN_EXTENSION.
2305
2306	* revoke.c: Check for unknown extentions in CRLs and CRLEntries.
2307
2308	* test_nist.in: Parse new format to handle CRL info.
2309
2310	* test_chain.in: Add --missing-crl.
2311
2312	* name.c (hx509_unparse_der_name): Rename from hx509_parse_name.
2313	(_hx509_unparse_Name): Add.
2314
2315	* hxtool-commands.in: Add --missing-crl to verify commands.
2316
2317	* hx509_err.et: Add CRL errors.
2318
2319	* cert.c (hx509_context_set_missing_crl): new function Add CRL
2320	handling.
2321
2322	* hx_locl.h: Add HX509_CTX_CRL_MISSING_OK.
2323
2324	* revoke.c: Parse and verify CRLs (simplistic).
2325
2326	* hxtool.c: Parse CRL info.
2327
2328	* data/nist-data: Change format so we can deal with CRLs, also
2329	note the test-id from PKITS.
2330
2331	* data: regenerate test
2332
2333	* data/gen-req.sh: use static-file to generate tests
2334
2335	* data/static-file: new file to use for commited tests
2336
2337	* test_cms.in: Use static file, add --missing-crl.
2338
23392006-01-18  Love Hörnquist Åstrand <lha@it.su.se>
2340
2341	* print.c: Its cRLReason, not cRLReasons.
2342
2343	* hxtool.c: Attach revoke context to verify context.
2344
2345	* data/nist-data: change syntax to make match better with crl
2346	checks
2347
2348	* cert.c: Verify no certificates has been revoked with the new
2349	revoke interface.
2350
2351	* Makefile.am: libhx509_la_SOURCES += revoke.c
2352
2353	* revoke.c: Add framework for handling CRLs.
2354
2355	* hx509.h: Add hx509_revoke_ctx.
2356
23572006-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
2358
2359	* delete crypto_headers.h, use global file instead.
2360
2361	* crypto.c (PBE_string2key): libdes now supports PKCS12_key_gen
2362
23632006-01-12  Love Hörnquist Åstrand  <lha@it.su.se>
2364
2365	* crypto_headers.h: Need BN_is_negative too.
2366
23672006-01-11  Love Hörnquist Åstrand  <lha@it.su.se>
2368
2369	* ks_p11.c (p11_rsa_public_decrypt): since is wrong, don't provide
2370	it. PKCS11 can't do public_decrypt, it support verify though. All
2371	this doesn't matter, since the code never go though this path.
2372
2373	* crypto_headers.h: Provide glue to compile with less warnings
2374	with OpenSSL
2375
23762006-01-08  Love Hörnquist Åstrand  <lha@it.su.se>
2377
2378	* Makefile.am: Depend on LIB_des
2379
2380	* lock.c: Use "crypto_headers.h".
2381
2382	* crypto_headers.h: Include the two diffrent implementation of
2383	crypto headers.
2384
2385	* cert.c: Use "crypto-headers.h". Load ENGINE configuration.
2386
2387	* crypto.c: Make compile with both OpenSSL and heimdal libdes.
2388
2389	* ks_p11.c: Add code for public key decryption (not supported yet)
2390	and use "crypto-headers.h".
2391
2392
23932006-01-04 Love Hörnquist Åstrand <lha@it.su.se>
2394
2395	* add a hx509_context where we can store configuration
2396
2397	* p11.c,Makefile.am: pkcs11 is now supported by library, remove
2398	old files.
2399
2400	* ks_p11.c: more paranoid on refcount, set refcounter ealier,
2401	reset pointers after free
2402
2403	* collector.c (struct private_key): remove temporary key data
2404	storage, convert directly to a key
2405	(match_localkeyid): match certificate and key using localkeyid
2406	(match_keys): match certificate and key using _hx509_match_keys
2407	(_hx509_collector_collect): rewrite to use match_keys and
2408	match_localkeyid
2409
2410	* crypto.c (_hx509_match_keys): function that determins if a
2411	private key matches a certificate, used when there is no
2412	localkeyid.
2413	(*) reset free pointer
2414
2415	* ks_file.c: Rewrite to use collector and mapping support
2416	function.
2417
2418	* ks_p11.c (rsa_pkcs1_method): constify
2419
2420	* ks_p11.c: drop extra wrapping of p11_init
2421
2422	* crypto.c (_hx509_private_key_assign_key_file): use function to
2423	extact rsa key
2424
2425	* cert.c: Revert previous, refcounter is unsigned, so it can never
2426	be negative.
2427
2428	* cert.c (hx509_cert_ref): more refcount paranoia
2429
2430	* ks_p11.c: Implement rsa_private_decrypt and add stubs for public
2431	ditto.
2432
2433	* ks_p11.c: Less printf, less memory leaks.
2434
2435	* ks_p11.c: Implement signing using pkcs11.
2436
2437	* ks_p11.c: Partly assign private key, enough to complete
2438	collection, but not any crypto functionallity.
2439
2440	* collector.c: Use hx509_private_key to assign private keys.
2441
2442	* crypto.c: Remove most of the EVP_PKEY code, and use RSA
2443	directly, this temporary removes DSA support.
2444
2445	* hxtool.c (print_f): print if there is a friendly name and if
2446	there is a private key
2447
24482006-01-03  Love Hörnquist Åstrand  <lha@it.su.se>
2449
2450	* name.c: Avoid warning from missing __attribute__((noreturn))
2451
2452	* lock.c (_hx509_lock_unlock_certs): return unlock certificates
2453
2454	* crypto.c (_hx509_private_key_assign_ptr): new function, exposes
2455	EVP_PKEY
2456	(_hx509_private_key_assign_key_file): remember to free private key
2457	if there is one.
2458
2459	* cert.c (_hx509_abort): add newline to output and flush stdout
2460
2461	* Makefile.am: libhx509_la_SOURCES += collector.c
2462
2463	* hx_locl.h: forward type declaration of struct hx509_collector.
2464
2465	* collector.c: Support functions to collect certificates and
2466	private keys and then match them.
2467
2468	* ks_p12.c: Use the new hx509_collector support functions.
2469
2470	* ks_p11.c: Add enough glue to support certificate iteration.
2471
2472	* test_nist_pkcs12.in: Less verbose.
2473
2474	* cert.c (hx509_cert_free): if there is a private key assosited
2475	with this cert, free it
2476
2477	* print.c: Use _hx509_abort.
2478
2479	* ks_p12.c: Use _hx509_abort.
2480
2481	* hxtool.c: Use _hx509_abort.
2482
2483	* crypto.c: Use _hx509_abort.
2484
2485	* cms.c: Use _hx509_abort.
2486
2487	* cert.c: Use _hx509_abort.
2488
2489	* name.c: use _hx509_abort
2490
24912006-01-02  Love Hörnquist Åstrand  <lha@it.su.se>
2492
2493	* name.c (hx509_name_to_string): don't cut bmpString in half.
2494
2495	* name.c (hx509_name_to_string): don't overwrite with 1 byte with
2496	bmpString.
2497
2498	* ks_file.c (parse_certificate): avoid stomping before array
2499
2500	* name.c (oidtostring): avoid leaking memory
2501
2502	* keyset.c: Add _hx509_ks_dir_register.
2503
2504	* Makefile.am (libhx509_la_SOURCES): += ks_dir.c
2505
2506	* hxtool-commands.in: Remove pkcs11.
2507
2508	* hxtool.c: Remove pcert_pkcs11.
2509
2510	* ks_file.c: Factor out certificate parsing code.
2511
2512	* ks_dir.c: Add new keystore that treats all files in a directory
2513	a keystore, useful for regression tests.
2514
25152005-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
2516
2517	* test_nist_pkcs12.in: Test parse PKCS12 files from NIST.
2518
2519	* data/nist-data: Can handle DSA certificate.
2520
2521	* hxtool.c: Print error code on failure.
2522
25232005-10-29  Love Hörnquist Åstrand  <lha@it.su.se>
2524
2525	* crypto.c: Support DSA signature operations.
2526
25272005-10-04  Love Hörnquist Åstrand  <lha@it.su.se>
2528
2529	* print.c: Validate that issuerAltName and subjectAltName isn't
2530	empty.
2531
25322005-09-14  Love Hörnquist Åstrand  <lha@it.su.se>
2533
2534	* p11.c: Cast to unsigned char to avoid warning.
2535
2536	* keyset.c: Register pkcs11 module.
2537
2538	* Makefile.am: Add ks_p11.c, install hxtool.
2539
2540	* ks_p11.c: Starting point of a pkcs11 module.
2541
25422005-09-04  Love Hörnquist Åstrand  <lha@it.su.se>
2543
2544	* lock.c: Implement prompter.
2545
2546	* hxtool-commands.in: add --content to print
2547
2548	* hxtool.c: Split verify and print.
2549
2550	* cms.c: _hx509_pbe_decrypt now takes a hx509_lock.
2551
2552	* crypto.c: Make _hx509_pbe_decrypt take a hx509_lock, workaround
2553	for empty password.
2554
2555	* name.c: Add DC, handle all Directory strings, fix signless
2556	problems.
2557
25582005-09-03  Love Hörnquist Åstrand  <lha@it.su.se>
2559
2560	* test_query.in: Pass in --pass to all commands.
2561
2562	* hxtool.c: Use option --pass.
2563
2564	* hxtool-commands.in: Add --pass to all commands.
2565
2566	* hx509_err.et: add UNKNOWN_LOCK_COMMAND and CRYPTO_NO_PROMPTER
2567
2568	* test_cms.in: pass in password to cms-create-sd
2569
2570	* crypto.c: Abstract out PBE_string2key so I can add PBE2 s2k
2571	later.  Avoid signess warnings with OpenSSL.
2572
2573	* cms.c: Use void * instead of char * for to avoid signedness
2574	issues
2575
2576	* cert.c (hx509_cert_get_attribute): remove const, its not
2577
2578	* ks_p12.c: Cast size_t to unsigned long when print.
2579
2580	* name.c: Fix signedness warning.
2581
2582	* test_query.in: Use echo, the function check isn't defined here.
2583
25842005-08-11  Love Hörnquist Åstrand  <lha@it.su.se>
2585
2586	* hxtool-commands.in: Add more options that was missing.
2587
25882005-07-28  Love Hörnquist Åstrand  <lha@it.su.se>
2589
2590	* test_cms.in: Use --certificate= for enveloped/unenvelope.
2591
2592	* hxtool.c: Use --certificate= for enveloped/unenvelope.  Clean
2593	up.
2594
2595	* test_cms.in: add EnvelopeData tests
2596
2597	* hxtool.c: use id-envelopedData for ContentInfo
2598
2599	* hxtool-commands.in: add contentinfo wrapping for create/unwrap
2600	enveloped data
2601
2602	* hxtool.c: add contentinfo wrapping for create/unwrap enveloped
2603	data
2604
2605	* data/gen-req.sh: add enveloped data (aes128)
2606
2607	* crypto.c: add "new" RC2 oid
2608
26092005-07-27  Love Hörnquist Åstrand  <lha@it.su.se>
2610
2611	* hx_locl.h, cert.c: Add HX509_QUERY_MATCH_FUNCTION that allows
2612	caller to match by function, note that this doesn't not work
2613	directly for backends that implements ->query, they must do their
2614	own processing. (I'm running out of flags, only 12 left now)
2615
2616	* test_cms.in: verify ContentInfo wrapping code in hxtool
2617
2618	* hxtool-commands.in (cms_create_sd): support wrapping in content
2619	info spelling
2620
2621	* hxtool.c (cms_create_sd): support wrapping in content info
2622
2623	* test_cms.in: test more cms signeddata messages
2624
2625	* data/gen-req.sh: generate SignedData
2626
2627	* hxtool.c (cms_create_sd): support certificate store, add support
2628	to unwrap a ContentInfo the SignedData inside.
2629
2630	* crypto.c: sprinkel rk_UNCONST
2631
2632	* crypto.c: add DER NULL to the digest oid's
2633
2634	* hxtool-commands.in: add --content-info to cms-verify-sd
2635
2636	* cms.c (hx509_cms_create_signed_1): pass in a full
2637	AlgorithmIdentifier instead of heim_oid for digest_alg
2638
2639	* crypto.c: make digest_alg a digest_oid, it's not needed right
2640	now
2641
2642	* hx509_err.et: add CERT_NOT_FOUND
2643
2644	* keyset.c (_hx509_certs_find): add error code for cert not
2645	found
2646
2647	* cms.c (hx509_cms_verify_signed): add external store of
2648	certificates, use the right digest algorithm identifier.
2649
2650	* cert.c: fix const warning
2651
2652	* ks_p12.c: slightly less verbose
2653
2654	* cert.c: add hx509_cert_find_subjectAltName_otherName, add
2655	HX509_QUERY_MATCH_FRIENDLY_NAME
2656
2657	* hx509.h: add hx509_octet_string_list, remove bad comment
2658
2659	* hx_locl.h: add HX509_QUERY_MATCH_FRIENDLY_NAME
2660
2661	* keyset.c (hx509_certs_append): needs a hx509_lock, add one
2662
2663	* Makefile.am: add test cases tempfiles to CLEANFILES
2664
2665	* Makefile.am: add test_query to TESTS, fix dependency on hxtool
2666	sources on hxtool-commands.h
2667
2668	* hxtool-commands.in: explain what signer is for create-sd
2669
2670	* hxtool.c: add query, add more options to verify-sd and create-sd
2671
2672	* test_cms.in: add more cms tests
2673
2674	* hxtool-commands.in: add query, add more options to verify-sd
2675
2676	* test_query.in: test query interface
2677
2678	* data: fix filenames for ds/ke files, add pkcs12 files, regen
2679
2680	* hxtool.c,Makefile.am,hxtool-commands.in: switch to slc
2681
26822005-07-26  Love Hörnquist Åstrand  <lha@it.su.se>
2683
2684	* cert.c (hx509_verify_destroy_ctx): add
2685
2686	* hxtool.c: free hx509_verify_ctx
2687
2688	* name.c (_hx509_name_ds_cmp): make sure all strings are not equal
2689
26902005-07-25  Love Hörnquist Åstrand  <lha@it.su.se>
2691
2692	* hxtool.c: return error
2693
2694	* keyset.c: return errors from iterations
2695
2696	* test_chain.in: clean up checks
2697
2698	* ks_file.c (parse_certificate): return errno's not 1 in case of
2699	error
2700
2701	* ks_file.c (file_iter): make sure endpointer is NULL
2702
2703	* ks_mem.c (mem_iter): follow conversion and return NULL when we
2704	get to the end, not ENOENT.
2705
2706	* Makefile.am: test_chain depends on hxtool
2707
2708	* data: test certs that lasts 10 years
2709
2710	* data/gen-req.sh: script to generate test certs
2711
2712	* Makefile.am: Add regression tests.
2713
2714	* data: test certificate and keys
2715
2716	* test_chain.in: test chain
2717
2718	* hxtool.c (cms_create_sd): add KU digitalSigature as a
2719	requirement to the query
2720
2721	* hx_locl.h: add KeyUsage query bits
2722
2723	* hx509_err.et: add KeyUsage error
2724
2725	* cms.c: add checks for KeyUsage
2726
2727	* cert.c: more checks on KeyUsage, allow to query on them too
2728
27292005-07-24  Love Hörnquist Åstrand  <lha@it.su.se>
2730
2731	* cms.c: Add missing break.
2732
2733	* hx_locl.h,cms.c,cert.c: allow matching on SubjectKeyId
2734
2735	* hxtool.c: Use _hx509_map_file, _hx509_unmap_file and
2736	_hx509_write_file.
2737
2738	* file.c (_hx509_write_file): in case of write error, return errno
2739
2740	* file.c (_hx509_write_file): add a function that write a data
2741	blob to disk too
2742
2743	* Fix id-tags
2744
2745	* Import mostly complete X.509 and CMS library. Handles, PEM, DER,
2746	PKCS12 encoded certicates.  Verificate RSA chains and handled
2747	CMS's SignedData, and EnvelopedData.
2748
2749
2750