12008-07-14 Love Hörnquist Åstrand <lha@kth.se> 2 3 * hxtool.c: Break out print_eval_types(). 4 52008-06-21 Love Hörnquist Åstrand <lha@kth.se> 6 7 * ks_p12.c: pass in time_now to unevelope 8 9 * cms.c: Pass in time_now to unevelope, us verify context time in 10 verify_signed. 11 122008-05-23 Love Hörnquist Åstrand <lha@kth.se> 13 14 * hx_locl.h: Include <limits.h> for TYPE_MAX defines. 15 162008-04-29 Love Hörnquist Åstrand <lha@it.su.se> 17 18 * sel-lex.l: Use _hx509_sel_yyerror() instead of error_message(). 19 202008-04-20 Love Hörnquist Åstrand <lha@it.su.se> 21 22 * sel-lex.l: Include <config.h> 23 242008-04-17 Love Hörnquist Åstrand <lha@it.su.se> 25 26 * Makefile.am: Update make-proto usage. 27 282008-04-15 Love Hörnquist Åstrand <lha@it.su.se> 29 30 * ca.c: BasicConstraints.pathLenConstraint unsigned int. 31 32 * sel-lex.l: Prefix sel_error with _hx509_ since its global on 33 platforms w/o symbol versioning. 34 35 * sel.h: rename yyerror to sel_yyerror in the whole library, not 36 just the lexer 37 38 * sel-lex.l: rename yyerror to sel_yyerror in the whole library, 39 not just the lexer 40 412008-04-14 Love Hörnquist Åstrand <lha@it.su.se> 42 43 * sel-lex.l: Rename yyerror to sel_yyerror and make it static. 44 452008-04-08 Love Hörnquist Åstrand <lha@it.su.se> 46 47 * hx509.h: Make self-standing by including missing files. 48 492008-04-07 Love Hörnquist Åstrand <lha@it.su.se> 50 51 * ks_p11.c: Use unsigned where appropriate. 52 53 * softp11.c: call va_start before using vsnprintf. 54 55 * crypto.c: make refcount slightly more sane. 56 57 * keyset.c: make refcount slightly more sane. 58 59 * cert.c: make refcount slightly more sane. 60 612008-03-19 Love Hörnquist Åstrand <lha@it.su.se> 62 63 * test_nist2.in: Try to find unzip. 64 652008-03-16 Love Hörnquist Åstrand <lha@it.su.se> 66 67 * version-script.map: add missing symbols 68 69 * spnego: Make delegated credentials delegated directly, Oleg 70 Sharoiko pointed out that it always didnt work with the old 71 code. Also add som missing cred and context pass-thou functions in 72 the SPNEGO layer. 73 742008-03-14 Love Hörnquist Åstrand <lha@it.su.se> 75 76 * rename to be more consistent, export for teting 77 78 * Add language to support querying certificates to find a 79 match. Support constructs like "1.3.6.1.5.2.3.5" IN 80 %{certificate.eku} AND %{certificate.subject} TAILMATCH "C=SE". 81 822008-02-26 Love Hörnquist Åstrand <lha@it.su.se> 83 84 * version-script.map: add hx509_pem_read 85 86 * hxtool-commands.in: Add --pem to cms-verify-sd. 87 88 * test_cms.in: Test verifying PEM signature files. 89 90 * hxtool.c: Support verifying PEM signature files. 91 922008-02-25 Love Hörnquist Åstrand <lha@it.su.se> 93 94 * Makefile.am: libhx509_la_OBJECTS depends on hx_locl.h 95 962008-02-11 Love Hörnquist Åstrand <lha@it.su.se> 97 98 * Use ldap-prep (with libwind) to compare names 99 1002008-01-27 Love Hörnquist Åstrand <lha@it.su.se> 101 102 * cert.c (hx509_query_match_eku): update to support the NULL 103 eku (reset), clearify the old behaivor with regards repetitive 104 calls. 105 106 * Add matching on EKU, validate EKUs, add hxtool matching glue, 107 add check. Adapted from pach from Tim Miller of Mitre 108 1092008-01-21 Love Hörnquist Åstrand <lha@it.su.se> 110 111 * test_soft_pkcs11.c: use func for more C_ functions. 112 1132008-01-18 Love Hörnquist Åstrand <lha@it.su.se> 114 115 * version-script.map: Export hx509_free_error_string(). 116 1172008-01-17 Love Hörnquist Åstrand <lha@it.su.se> 118 119 * version-script.map: only export C_GetFunctionList 120 121 * test_soft_pkcs11.c: use C_GetFunctionList 122 123 * softp11.c: fix comment, remove label. 124 125 * softp11.c: Add option app-fatal to control if softtoken should 126 abort() on erroneous input from applications. 127 1282008-01-16 Love Hörnquist Åstrand <lha@it.su.se> 129 130 * test_pkcs11.in: Test password less certificates too 131 132 * keyset.c: document HX509_CERTS_UNPROTECT_ALL 133 134 * ks_file.c: Support HX509_CERTS_UNPROTECT_ALL. 135 136 * hx509.h: Add HX509_CERTS_UNPROTECT_ALL. 137 138 * test_soft_pkcs11.c: Only log in if needed. 139 1402008-01-15 Love Hörnquist Åstrand <lha@it.su.se> 141 142 * softp11.c: Support PINs to login to the store. 143 144 * Makefile.am: add java pkcs11 test 145 146 * test_java_pkcs11.in: first version of disable java test 147 148 * softp11.c: Drop unused stuff. 149 150 * cert.c: Spelling, Add hx509_cert_get_SPKI_AlgorithmIdentifier, 151 remove unused stuff, add hx509_context to some functions. 152 153 * softp11.c: Add more glue to figure out what keytype this 154 certificate is using. 155 1562008-01-14 Love Hörnquist Åstrand <lha@it.su.se> 157 158 * test_pkcs11.in: test debug 159 160 * Add a PKCS11 provider supporting signing and verifing sigatures. 161 1622008-01-13 Love Hörnquist Åstrand <lha@it.su.se> 163 164 * version-script.map: Replace hx509_name_to_der_name with 165 hx509_name_binary. 166 167 * print.c: make print_func static 168 1692007-12-26 Love Hörnquist Åstrand <lha@it.su.se> 170 171 * print.c: doxygen 172 173 * env.c: doxygen 174 175 * doxygen.c: add more groups 176 177 * ca.c: doxygen. 178 1792007-12-17 Love Hörnquist Åstrand <lha@it.su.se> 180 181 * ca.c: doxygen 182 1832007-12-16 Love Hörnquist Åstrand <lha@it.su.se> 184 185 * error.c: doxygen 186 1872007-12-15 Love Hörnquist Åstrand <lha@it.su.se> 188 189 * More documentation 190 191 * lock.c: Add page referance 192 193 * keyset.c: some more documentation. 194 195 * cms.c: Doxygen documentation. 196 1972007-12-11 Love Hörnquist Åstrand <lha@it.su.se> 198 199 * *.[ch]: More documentation 200 2012007-12-09 Love Hörnquist Åstrand <lha@it.su.se> 202 203 * handle refcount on NULL. 204 205 * test_nist_pkcs12.in: drop echo -n, doesn't work with posix sh 206 2072007-12-08 Love Hörnquist Åstrand <lha@it.su.se> 208 209 * test_nist2.in: Print that this is version 2 of the tests 210 211 * test_nist.in: Drop printing of $id. 212 213 * hx509.h: Add HX509_VHN_F_ALLOW_NO_MATCH. 214 215 * name.c: spelling. 216 217 * cert.c: make work the doxygen. 218 219 * name.c: fix doxygen compiling. 220 221 * Makefile.am: add doxygen.c 222 223 * doxygen.c: Add doxygen main page. 224 225 * cert.c: Add doxygen. 226 227 * revoke.c (_hx509_revoke_ref): new function. 228 2292007-11-16 Love Hörnquist Åstrand <lha@it.su.se> 230 231 * ks_keychain.c: Check if SecKeyGetCSPHandle needs prototype. 232 2332007-08-16 Love Hörnquist Åstrand <lha@it.su.se> 234 235 * data/nist-data: Make work on case senstive filesystems too. 236 2372007-08-09 Love Hörnquist Åstrand <lha@it.su.se> 238 239 * cert.c: match rfc822 contrains better, provide better error 240 strings. 241 2422007-08-08 Love Hörnquist Åstrand <lha@it.su.se> 243 244 * cert.c: "self-signed doesn't count" doesn't apply to trust 245 anchor certificate. make trust anchor check consistant. 246 247 * revoke.c: make compile. 248 249 * revoke.c (verify_crl): set error strings. 250 251 * revoke.c (verify_crl): handle with the signer is the 252 CRLsigner (shortcut). 253 254 * cert.c: Fix NC, comment on how to use _hx509_check_key_usage. 255 2562007-08-03 Love Hörnquist Åstrand <lha@it.su.se> 257 258 * test_nist2.in, Makefile, test/nist*: Add nist pkits tests. 259 260 * revoke.c: Update to use CERT_REVOKED error, shortcut out of OCSP 261 checking when OCSP reply is a revocation reply. 262 263 * hx509_err.et: Make CERT_REVOKED error OCSP/CRL agnostic. 264 265 * name.c (_hx509_Name_to_string): make printableString handle 266 space (0x20) diffrences as required by rfc3280. 267 268 * revoke.c: Search for the right issuer when looking for the 269 issuer of the CRL signer. 270 2712007-08-02 Love Hörnquist Åstrand <lha@it.su.se> 272 273 * revoke.c: Handle CRL signing certificate better, try to not 274 revalidate invalid CRLs over and over. 275 2762007-08-01 Love Hörnquist Åstrand <lha@it.su.se> 277 278 * cms.c: remove stale comment. 279 280 * test_nist.in: Unpack PKITS_data.zip and run tests. 281 282 * test_nist_cert.in: Adapt to new nist pkits framework. 283 284 * test_nist_pkcs12.in: Adapt to new nist pkits framework. 285 286 * Makefile.am: clean PKITS_data 287 2882007-07-16 Love Hörnquist Åstrand <lha@it.su.se> 289 290 * Makefile.am: Add version-script.map to EXTRA_DIST 291 2922007-07-12 Love Hörnquist Åstrand <lha@it.su.se> 293 294 * Makefile.am: Add depenency on asn1_compile for asn1 built files. 295 2962007-07-10 Love Hörnquist Åstrand <lha@it.su.se> 297 298 * peer.c: update (c), indent. 299 300 * Makefile.am: New library version. 301 3022007-06-28 Love Hörnquist Åstrand <lha@it.su.se> 303 304 * ks_p11.c: Add sha2 types. 305 306 * ref/pkcs11.h: Sync with scute. 307 308 * ref/pkcs11.h: Add sha2 CKM's. 309 310 * print.c: Print authorityInfoAccess. 311 312 * cert.c: Rename proxyCertInfo oid. 313 314 * ca.c: Rename proxyCertInfo oid. 315 316 * print.c: Rename proxyCertInfo oid. 317 3182007-06-26 Love Hörnquist Åstrand <lha@it.su.se> 319 320 * test_ca.in: Adapt to new request handling. 321 322 * req.c: Allow export some of the request parameters. 323 324 * hxtool-commands.in: Adapt to new request handling. 325 326 * hxtool.c: Adapt to new request handling. 327 328 * test_req.in: Adapt to new request handling. 329 330 * version-script.map: Add initialize_hx_error_table_r. 331 332 * req.c: Move _hx509_request_print here. 333 334 * hxtool.c: use _hx509_request_print 335 336 * version-script.map: Export more crap^W semiprivate functions. 337 338 * hxtool.c: don't _hx509_abort 339 340 * version-script.map: add missing ; 341 3422007-06-25 Love Hörnquist Åstrand <lha@it.su.se> 343 344 * cms.c: Use hx509_crypto_random_iv. 345 346 * crypto.c: Split out the iv creation from hx509_crypto_encrypt 347 since _hx509_pbe_encrypt needs to use the iv from the s2k 348 function. 349 350 * test_cert.in: Test PEM and DER FILE writing functionallity. 351 352 * ks_file.c: Add writing DER certificates. 353 354 * hxtool.c: Update to new hx509_pem_write(). 355 356 * test_cms.in: test creation of PEM signeddata. 357 358 * hx509.h: PEM struct/function declarations. 359 360 * ks_file.c: Use PEM encoding/decoding functions. 361 362 * file.c: PEM encode/decoding functions. 363 364 * ks_file.c: Use hx509_pem_write. 365 366 * version-script.map: Export some semi-private functions. 367 368 * hxtool.c: Enable writing out signed data as a pem attachment. 369 370 * hxtool-commands.in (cms-create-signed): add --pem 371 372 * file.c (hx509_pem_write): Add. 373 374 * test_ca.in: Issue and test null subject cert. 375 376 * cert.c: Match is first component is in a CN=. 377 378 * test_ca.in: Test hostname if first CN. 379 380 * Makefile.am: Add version script. 381 382 * version-script.map: Limited exported symbols. 383 384 * test_ca.in: test --hostname. 385 386 * test_chain.in: test max-depth 387 388 * hx509.h: fixate HX509_HN_HOSTNAME at 0. 389 390 * hxtool-commands.in: add --hostname add --max-depth 391 392 * cert.c: Verify hostname and max-depth. 393 394 * hxtool.c: Verify hostname and test max-depth. 395 3962007-06-24 Love Hörnquist Åstrand <lha@it.su.se> 397 398 * test_cms.in: Test --id-by-name. 399 400 * hxtool-commands.in: add cms-create-sd --id-by-name 401 402 * hxtool.c: Use HX509_CMS_SIGATURE_ID_NAME. 403 404 * cms.c: Implement and use HX509_CMS_SIGATURE_ID_NAME. 405 406 * hx509.h: Add HX509_CMS_SIGATURE_ID_NAME, use subject name for 407 CMS.Identifier. hx509_hostname_type: add hostname type for 408 matching. 409 410 * cert.c (match_general_name): more strict rfc822Name matching. 411 (hx509_verify_hostname): add hostname type for matching. 412 4132007-06-19 Love Hörnquist Åstrand <lha@it.su.se> 414 415 * hxtool.c: Make compile again. 416 417 * hxtool.c: Added peap-server for to make windows peap clients 418 happy. 419 420 * hxtool.c: Unify parse_oid code. 421 422 * hxtool.c: Implement --content-type. 423 424 * hxtool-commands.in: Add content-type. 425 426 * test_cert.in: more cert and keyset tests. 427 4282007-06-18 Love Hörnquist Åstrand <lha@it.su.se> 429 430 * revoke.c: Avoid stomping on NULL. 431 432 * revoke.c: Avoid reusing i. 433 434 * cert.c: Provide __attribute__ for _hx509_abort. 435 436 * ks_file.c: Fail if not finding iv. 437 438 * keyset.c: Avoid useing freed memory. 439 440 * crypto.c: Free memory in failure case. 441 442 * crypto.c: Free memory in failure case. 443 4442007-06-12 Love Hörnquist Åstrand <lha@it.su.se> 445 446 * *.c: Add hx509_cert_init_data and use everywhere 447 448 * hx_locl.h: Now that KEYCHAIN:system-anchors is fast again, use 449 that. 450 451 * ks_keychain.c: Implement trust anchor support with 452 SecTrustCopyAnchorCertificates. 453 454 * keyset.c: Set ref to 1 for the new object. 455 456 * cert.c: Fix logic for allow_default_trust_anchors 457 458 * keyset.c: Add refcounting to keystores. 459 460 * cert.c: Change logic for default trust anchors, make it be 461 either default trust anchor, the user supplied, or non at all. 462 4632007-06-08 Love Hörnquist Åstrand <lha@it.su.se> 464 465 * Makefile.am: Add data/j.pem. 466 467 * Makefile.am: Add test_windows.in. 468 4692007-06-06 Love Hörnquist Åstrand <lha@it.su.se> 470 471 * ks_keychain.c: rename functions, leaks less memory and more 472 paranoia. 473 474 * test_cms.in: Test cms peer-alg. 475 476 * crypto.c (rsa_create_signature): make oid_id_pkcs1_rsaEncryption 477 mean rsa-with-sha1 but oid oid_id_pkcs1_rsaEncryption in algorithm 478 field. XXX should probably use another algorithmIdentifier for 479 this. 480 481 * peer.c: Make free function return void. 482 483 * cms.c (hx509_cms_create_signed_1): Use hx509_peer_info to select 484 the signature algorithm too. 485 486 * hxtool-commands.in: Add cms-create-sd --peer-alg. 487 488 * req.c: Use _hx509_crypto_default_sig_alg. 489 490 * test_windows.in: Create crl, because everyone needs one. 491 492 * Makefile.am: add wcrl.crl 493 4942007-06-05 Love Hörnquist Åstrand <lha@it.su.se> 495 496 * hx_locl.h: Disable KEYCHAIN for now, its slow. 497 498 * cms.c: When we are not using pkcs7-data, avoid seing 499 signedAttributes since some clients get upset by that (pkcs7 based 500 or just plain broken). 501 502 * ks_keychain.c: Provide rsa signatures. 503 504 * ks_keychain.c: Limit the searches to the selected keychain. 505 506 * ks_keychain.c: include -framework Security specific header files 507 after #ifdef 508 509 * ks_keychain.c: Find and attach private key (does not provide 510 operations yet though). 511 512 * ks_p11.c: Prefix rsa method with p11_ 513 514 * ks_keychain.c: Allow opening a specific chain, making "system" 515 special and be the system X509Anchors file. By not specifing any 516 keychain ("KEYCHAIN:"), all keychains are probed. 517 5182007-06-04 Love Hörnquist Åstrand <lha@it.su.se> 519 520 * hxtool.c (verify): Friendlier error message. 521 522 * cert.c: Read in and use default trust anchors if they exists. 523 524 * hx_locl.h: Add concept of default_trust_anchors. 525 526 * ks_keychain.c: Remove err(), remove extra empty comment, fix 527 _iter function. 528 529 * error.c (hx509_get_error_string): if the error code is not the 530 one we expect, punt and use the default com_err/strerror string 531 instead. 532 533 * keyset.c (hx509_certs_merge): its ok to merge in the NULL set of 534 certs. 535 536 * test_windows.in: Fix status string. 537 538 * ks_p12.c (store_func): free whole CertBag, not just the data 539 part. 540 541 * print.c: Check that the self-signed cert is really self-signed. 542 543 * print.c: Use selfsigned for CRL DP whine, tell if its a 544 self-signed. 545 546 * print.c: Whine if its a non CA/proxy and doesn't have CRL DP. 547 548 * ca.c: Add cRLSign to CA certs. 549 550 * cert.c: Register NULL and KEYCHAIN. 551 552 * ks_null.c: register the NULL keystore. 553 554 * Makefile.am: Add ks_keychain.c and related libs. 555 556 * test_crypto.in: Print certificate with utf8. 557 558 * print.c: Leak less memory. 559 560 * hxtool.c: Leak less memory. 561 562 * print.c: Leak less memory, use functions that does same but 563 more. 564 565 * name.c (quote_string): don't sign extend the (signed) char to 566 avoid printing too much, add an assert to check that we didn't 567 overrun the buffer. 568 569 * name.c: Use right element out of the CHOICE for printableString 570 and utf8String 571 572 * ks_keychain.c: Certificate only KeyChain backend. 573 574 * name.c: Reset name before parsing it. 575 5762007-06-03 Love Hörnquist Åstrand <lha@it.su.se> 577 578 * revoke.c (hx509_crl_*): fix sizeof() mistakes to fix memory 579 corruption. 580 581 * hxtool.c: Add lifetime to crls. 582 583 * hxtool-commands.in: Add lifetime to crls. 584 585 * revoke.c: Add lifetime to crls. 586 587 * test_ca.in: More crl checks. 588 589 * revoke.c: Add revoking certs. 590 591 * hxtool-commands.in: argument is certificates.. for crl-sign 592 593 * hxtool.c (certificate_copy): free lock 594 595 * revoke.c: Fix hx509_set_error_string calls, add 596 hx509_crl_add_revoked_certs(), implement hx509_crl_{alloc,free}. 597 598 * hxtool.c (crl_sign): free lock 599 600 * cert.c (hx509_context_free): free querystat 601 6022007-06-02 Love Hörnquist Åstrand <lha@it.su.se> 603 604 * test_chain.in: test ocsp-verify 605 606 * revoke.c (hx509_ocsp_verify): explain what its useful for and 607 provide sane error message. 608 609 * hx509_err.et: New error code, CERT_NOT_IN_OCSP 610 611 * hxtool.c: New command ocsp-verify, check if ocsp contains all 612 certs and are valid (exist and non expired). 613 614 * hxtool-commands.in: New command ocsp-verify. 615 6162007-06-01 Love Hörnquist Åstrand <lha@it.su.se> 617 618 * test_ca.in: Create crl and verify that is works. 619 620 * hxtool.c: Sign CRL command. 621 622 * hx509.h: Add hx509_crl. 623 624 * hxtool-commands.in: Add crl-sign commands. 625 626 * revoke.c: Support to generate an empty CRL. 627 628 * tst-crypto-select2: Switched default types. 629 630 * tst-crypto-select1: Switched default types. 631 632 * ca.c: Use default AlgorithmIdentifier. 633 634 * cms.c: Use default AlgorithmIdentifier. 635 636 * crypto.c: Provide default AlgorithmIdentifier and use them. 637 638 * hx_locl.h: Provide default AlgorithmIdentifier. 639 640 * keyset.c (hx509_certs_find): collects stats for queries. 641 642 * cert.c: Sort and print more info. 643 644 * hx_locl.h: Add querystat to hx509_context. 645 646 * test_*.in: sprinle stat saveing 647 648 * Makefile.am: Add stat and objdir. 649 650 * collector.c (_hx509_collector_alloc): return error code instead 651 of pointer. 652 653 * hxtool.c: Add statistic hook. 654 655 * ks_file.c: Update _hx509_collector_alloc prototype. 656 657 * ks_p12.c: Update _hx509_collector_alloc prototype. 658 659 * ks_p11.c: Update _hx509_collector_alloc prototype. 660 661 * hxtool-commands.in: Add statistics hook. 662 663 * cert.c: Statistics printing. 664 665 * ks_p12.c: plug memory leak 666 667 * ca.c (hx509_ca_tbs_add_crl_dp_uri): plug memory leak 668 6692007-05-31 Love Hörnquist Åstrand <lha@it.su.se> 670 671 * print.c: print utf8 type SAN's 672 673 * Makefile.am: Fix windows client cert name. 674 675 * test_windows.in: Add crl-uri for the ee certs. 676 677 * print.c: Printf formating. 678 679 * ca.c: Add glue for adding CRL dps. 680 681 * test_ca.in: Readd the crl adding code, it works (somewhat) now. 682 683 * print.c: Fix printing of CRL DPnames (I hate IMPLICIT encoded 684 structures). 685 686 * hxtool-commands.in: make ca and alias of certificate-sign 687 6882007-05-30 Love Hörnquist Åstrand <lha@it.su.se> 689 690 * crypto.c (hx509_crypto_select): copy AI to the right place. 691 692 * hxtool-commands.in: Add ca --ms-upn. 693 694 * hxtool.c: add --ms-upn and add more EKU's for pk-init client. 695 696 * ca.c: Add hx509_ca_tbs_add_san_ms_upn and refactor code. 697 698 * test_crypto.in: Resurect killed e. 699 700 * test_crypto.in: check for aes256-cbc 701 702 * tst-crypto-select7: check for aes256-cbc 703 704 * test_windows.in: test windows stuff 705 706 * hxtool.c: add ca --domain-controller option, add secret key 707 option to avaible. 708 709 * ca.c: Add hx509_ca_tbs_set_domaincontroller. 710 711 * hxtool-commands.in: add ca --domain-controller 712 713 * hxtool.c: hook for testing secrety key algs 714 715 * crypto.c: Add selection code for secret key crypto. 716 717 * hx509.h: Add HX509_SELECT_SECRET_ENC. 718 7192007-05-13 Love Hörnquist Åstrand <lha@it.su.se> 720 721 * ks_p11.c: add more mechtypes 722 7232007-05-10 Love Hörnquist Åstrand <lha@it.su.se> 724 725 * print.c: Indent. 726 727 * hxtool-commands.in: add test-crypto command 728 729 * hxtool.c: test crypto command 730 731 * cms.c (hx509_cms_create_signed_1): if no eContentType is given, 732 use pkcs7-data. 733 734 * print.c: add Netscape cert comment 735 736 * crypto.c: Try both the empty password and the NULL 737 password (nothing vs the octet string \x00\x00). 738 739 * print.c: Add some US Fed PKI oids. 740 741 * ks_p11.c: Add some more hashes. 742 7432007-04-24 Love Hörnquist Åstrand <lha@it.su.se> 744 745 * hxtool.c (crypto_select): stop memory leak 746 7472007-04-19 Love Hörnquist Åstrand <lha@it.su.se> 748 749 * peer.c (hx509_peer_info_free): free memory used too 750 751 * hxtool.c (crypto_select): only free peer if it was used. 752 7532007-04-18 Love Hörnquist Åstrand <lha@it.su.se> 754 755 * hxtool.c: free template 756 757 * ks_mem.c (mem_free): free key array too 758 759 * hxtool.c: free private key and tbs 760 761 * hxtool.c (hxtool_ca): free signer 762 763 * hxtool.c (crypto_available): free peer too. 764 765 * ca.c (get_AuthorityKeyIdentifier): leak less memory 766 767 * hxtool.c (hxtool_ca): free SPKI 768 769 * hxtool.c (hxtool_ca): free cert 770 771 * ks_mem.c (mem_getkeys): allocate one more the we have elements 772 so its possible to store the NULL pointer at the end. 773 7742007-04-16 Love Hörnquist Åstrand <lha@it.su.se> 775 776 * Makefile.am: CLEANFILES += cert-null.pem cert-sub-ca2.pem 777 7782007-02-05 Love Hörnquist Åstrand <lha@it.su.se> 779 780 * ca.c: Disable CRLDistributionPoints for now, its IMPLICIT code 781 in the asn1 parser. 782 783 * print.c: Add some more \n's. 784 7852007-02-03 Love Hörnquist Åstrand <lha@it.su.se> 786 787 * file.c: Allow mapping using heim_octet_string. 788 789 * hxtool.c: Add options to generate detached signatures. 790 791 * cms.c: Add flags to generate detached signatures. 792 793 * hx509.h: Flag to generate detached signatures. 794 795 * test_cms.in: Support detached sigatures. 796 797 * name.c (hx509_general_name_unparse): unparse the other 798 GeneralName nametypes. 799 800 * print.c: Use less printf. Use hx509_general_name_unparse. 801 802 * cert.c: Fix printing and plug leak-on-error. 803 8042007-01-31 Love Hörnquist Åstrand <lha@it.su.se> 805 806 * test_ca.in: Add test for ca --crl-uri. 807 808 * hxtool.c: Add ca --crl-uri. 809 810 * hxtool-commands.in: add ca --crl-uri 811 812 * ca.c: Code to set CRLDistributionPoints in certificates. 813 814 * print.c: Check CRLDistributionPointNames. 815 816 * name.c (hx509_general_name_unparse): function for unparsing 817 GeneralName, only supports GeneralName.URI 818 819 * cert.c (is_proxy_cert): free info if we wont return it. 820 8212007-01-30 Love Hörnquist Åstrand <lha@it.su.se> 822 823 * hxtool.c: Try to help how to use this command. 824 8252007-01-21 Love Hörnquist Åstrand <lha@it.su.se> 826 827 * switch to sha256 as default digest for signing 828 8292007-01-20 Love Hörnquist Åstrand <lha@it.su.se> 830 831 * test_ca.in: Really test sub-ca code, add basic constraints tests 832 8332007-01-17 Love Hörnquist Åstrand <lha@it.su.se> 834 835 * Makefile.am: Fix makefile problem. 836 8372007-01-16 Love Hörnquist Åstrand <lha@it.su.se> 838 839 * hxtool.c: Set num of bits before we generate the key. 840 8412007-01-15 Love Hörnquist Åstrand <lha@it.su.se> 842 843 * cms.c (hx509_cms_create_signed_1): use hx509_cert_binary 844 845 * ks_p12.c (store_func): use hx509_cert_binary 846 847 * ks_file.c (store_func): use hx509_cert_binary 848 849 * cert.c (hx509_cert_binary): return binary encoded 850 certificate (DER format) 851 8522007-01-14 Love Hörnquist Åstrand <lha@it.su.se> 853 854 * ca.c (hx509_ca_tbs_subject_expand): new function. 855 856 * name.c (hx509_name_expand): if env is NULL, return directly 857 858 * test_ca.in: test template handling 859 860 * hx509.h: Add template flags. 861 862 * Makefile.am: clean out new files 863 864 * hxtool.c: Add certificate template processing, fix hx509_err 865 usage. 866 867 * hxtool-commands.in: Add certificate template processing. 868 869 * ca.c: Add certificate template processing. Fix return messages 870 from hx509_ca_tbs_add_eku. 871 872 * cert.c: Export more stuff from certificate. 873 8742007-01-13 Love Hörnquist Åstrand <lha@it.su.se> 875 876 * ca.c: update (c) 877 878 * ca.c: (hx509_ca_tbs_add_eku): filter out dups. 879 880 * hxtool.c: Add type email and add email eku when using option 881 --email. 882 883 * Makefile.am: add env.c 884 885 * name.c: Remove abort, add error handling. 886 887 * test_name.c: test name expansion 888 889 * name.c: add hx509_name_expand 890 891 * env.c: key-value pair help functions 892 8932007-01-12 Love Hörnquist Åstrand <lha@it.su.se> 894 895 * ca.c: Don't issue certs with subject DN that is NULL and have no 896 SANs 897 898 * print.c: Fix previous test. 899 900 * print.c: Check there is a SAN if subject DN is NULL. 901 902 * test_ca.in: test email, null subject dn 903 904 * hxtool.c: Allow setting parameters to private key generation. 905 906 * hx_locl.h: Allow setting parameters to private key generation. 907 908 * crypto.c: Allow setting parameters to private key generation. 909 910 * hxtool.c (eval_types): add jid if user gave one 911 912 * hxtool-commands.in (certificate-sign): add --jid 913 914 * ca.c (hx509_ca_tbs_add_san_jid): Allow adding 915 id-pkix-on-xmppAddr OtherName. 916 917 * print.c: Print id-pkix-on-xmppAddr OtherName. 918 9192007-01-11 Love Hörnquist Åstrand <lha@it.su.se> 920 921 * no random, no RSA/DH tests 922 923 * hxtool.c (info): print status of random generator 924 925 * Makefile.am: remove files created by tests 926 927 * error.c: constify 928 929 * name.c: constify 930 931 * revoke.c: constify 932 933 * hx_locl.h: constify 934 935 * keyset.c: constify 936 937 * ks_p11.c: constify 938 939 * hx_locl.h: make printinfo char * argument const. 940 941 * cms.c: move _hx509_set_digest_alg from cms.c to crypto.c since 942 its only used there. 943 944 * crypto.c: remove no longer used stuff, move set_digest_alg here 945 from cms.c since its only used here. 946 947 * Makefile.am: add data/test-nopw.p12 to EXTRA_DIST 948 9492007-01-10 Love Hörnquist Åstrand <lha@it.su.se> 950 951 * print.c: BasicConstraints vs criticality bit is complicated and 952 not really possible to evaluate on its own, silly RFC3280. 953 954 * ca.c: Make basicConstraints critical if this is a CA. 955 956 * print.c: fix the version vs extension test 957 958 * print.c: More validation checks. 959 960 * name.c (hx509_name_cmp): add 961 9622007-01-09 Love Hörnquist Åstrand <lha@it.su.se> 963 964 * ks_p11.c (collect_private_key): Missing CKA_MODULUS is ok 965 too (XXX why should these be fetched given they are not used). 966 967 * test_ca.in: rename all files to PEM files, since that is what 968 they are. 969 970 * hxtool.c: copy out the key with the self signed CA cert 971 972 * Factor out private key operation out of the signing, operations, 973 support import, export, and generation of private keys. Add 974 support for writing PEM and PKCS12 files with private keys in them. 975 976 * data/gen-req.sh: Generate a no password pkcs12 file. 977 9782007-01-08 Love Hörnquist Åstrand <lha@it.su.se> 979 980 * cms.c: Check for internal ASN1 encoder error. 981 9822007-01-05 Love Hörnquist Åstrand <lha@it.su.se> 983 984 * Makefile.am: Drop most of the pkcs11 files. 985 986 * test_ca.in: test reissueing ca certificate (xxx time 987 validAfter). 988 989 * hxtool.c: Allow setting serialNumber (needed for reissuing 990 certificates) Change --key argument to --out-key. 991 992 * hxtool-commands.in (issue-certificate): Allow setting 993 serialNumber (needed for reissuing certificates), Change --key 994 argument to --out-key. 995 996 * ref: Replace with Marcus Brinkmann of g10 Code GmbH pkcs11 997 headerfile that is compatible with GPL (file taken from scute) 998 9992007-01-04 Love Hörnquist Åstrand <lha@it.su.se> 1000 1001 * test_ca.in: Test to generate key and use them. 1002 1003 * hxtool.c: handle other keys the pkcs10 requested keys 1004 1005 * hxtool-commands.in: add generate key commands 1006 1007 * req.c (_hx509_request_to_pkcs10): PKCS10 needs to have a subject 1008 1009 * hxtool-commands.in: Spelling. 1010 1011 * ca.c (hx509_ca_tbs_set_proxy): allow negative pathLenConstraint 1012 to signal no limit 1013 1014 * ks_file.c: Try all formats on the binary file before giving up, 1015 this way we can handle binary rsa keys too. 1016 1017 * data/key2.der: new test key 1018 10192007-01-04 David Love <fx@gnu.org> 1020 1021 * Makefile.am (hxtool_LDADD): Add libasn1.la 1022 1023 * hxtool.c (pcert_verify): Fix format string. 1024 10252006-12-31 Love Hörnquist Åstrand <lha@it.su.se> 1026 1027 * hxtool.c: Allow setting path length 1028 1029 * cert.c: Fix test for proxy certs chain length, it was too 1030 restrictive. 1031 1032 * data: regen 1033 1034 * data/openssl.cnf: (proxy_cert) make length 0 1035 1036 * test_ca.in: Issue a long living cert. 1037 1038 * hxtool.c: add --lifetime to ca command. 1039 1040 * hxtool-commands.in: add --lifetime to ca command. 1041 1042 * ca.c: allow setting notBefore and notAfter. 1043 1044 * test_ca.in: Test generation of proxy certificates. 1045 1046 * ca.c: Allow generation of proxy certificates, always include 1047 BasicConstraints, fix error codes. 1048 1049 * hxtool.c: Allow generation of proxy certificates. 1050 1051 * test_name.c: make hx509_parse_name take a hx509_context. 1052 1053 * name.c: Split building RDN to a separate function. 1054 10552006-12-30 Love Hörnquist Åstrand <lha@it.su.se> 1056 1057 * Makefile.am: clean test_ca files. 1058 1059 * test_ca.in: test issuing self-signed and CA certificates. 1060 1061 * hxtool.c: Add bits to allow issuing self-signed and CA 1062 certificates. 1063 1064 * hxtool-commands.in: Add bits to allow issuing self-signed and CA 1065 certificates. 1066 1067 * ca.c: Add bits to allow issuing CA certificates. 1068 1069 * revoke.c: use new OCSPSigning. 1070 1071 * ca.c: Add Subject Key Identifier. 1072 1073 * ca.c: Add Authority Key Identifier. 1074 1075 * cert.c: Locally export _hx509_find_extension_subject_key_id. 1076 Handle AuthorityKeyIdentifier where only authorityCertSerialNumber 1077 and authorityCertSerialNumber is set. 1078 1079 * hxtool-commands.in: Add dnsname and rfc822 SANs. 1080 1081 * test_ca.in: Test dnsname and rfc822 SANs. 1082 1083 * ca.c: Add dnsname and rfc822 SANs. 1084 1085 * hxtool.c: Add dnsname and rfc822 SANs. 1086 1087 * test_ca.in: test adding eku, ku and san to the 1088 certificate (https and pk-init) 1089 1090 * hxtool.c: Add eku, ku and san to the certificate. 1091 1092 * ca.c: Add eku, ku and san to the certificate. 1093 1094 * hxtool-commands.in: Add --type and --pk-init-principal 1095 1096 * ocsp.asn1: remove id-kp-OCSPSigning, its in rfc2459.asn1 now 1097 10982006-12-29 Love Hörnquist Åstrand <lha@it.su.se> 1099 1100 * ca.c: Add KeyUsage extension. 1101 1102 * Makefile.am: add ca.c, add sign-certificate tests. 1103 1104 * crypto.c: Add _hx509_create_signature_bitstring. 1105 1106 * hxtool-commands.in: Add the sign-certificate tool. 1107 1108 * hxtool.c: Add the sign-certificate tool. 1109 1110 * cert.c: Add HX509_QUERY_OPTION_KU_KEYCERTSIGN. 1111 1112 * hx509.h: Add hx509_ca_tbs and HX509_QUERY_OPTION_KU_KEYCERTSIGN. 1113 1114 * test_ca.in: Basic test of generating a pkcs10 request, signing 1115 it and verifying the chain. 1116 1117 * ca.c: Naive certificate signer. 1118 11192006-12-28 Love Hörnquist Åstrand <lha@it.su.se> 1120 1121 * hxtool.c: add hxtool_hex 1122 11232006-12-22 Love Hörnquist Åstrand <lha@it.su.se> 1124 1125 * Makefile.am: use top_builddir for libasn1.la 1126 11272006-12-11 Love Hörnquist Åstrand <lha@it.su.se> 1128 1129 * hxtool.c (print_certificate): print serial number. 1130 1131 * name.c (no): add S=stateOrProvinceName 1132 11332006-12-09 Love Hörnquist Åstrand <lha@it.su.se> 1134 1135 * crypto.c (_hx509_private_key_assign_rsa): set a default sig alg 1136 1137 * ks_file.c (try_decrypt): pass down AlgorithmIdentifier that key 1138 uses to do sigatures so there is no need to hardcode RSA into this 1139 function. 1140 11412006-12-08 Love Hörnquist Åstrand <lha@it.su.se> 1142 1143 * ks_file.c: Pass filename to the parse functions and use it in 1144 the error messages 1145 1146 * test_chain.in: test proxy cert (third level) 1147 1148 * hx509_err.et: fix errorstring for PROXY_CERT_NAME_WRONG 1149 1150 * data: regen 1151 1152 * Makefile.am: EXTRA_DIST: add 1153 data/proxy10-child-child-test.{key,crt} 1154 1155 * data/gen-req.sh: Fix names and restrictions on the proxy 1156 certificates 1157 1158 * cert.c: Clairfy and make proxy cert handling work for multiple 1159 levels, before it was too restrictive. More helpful error message. 1160 11612006-12-07 Love Hörnquist Åstrand <lha@it.su.se> 1162 1163 * cert.c (check_key_usage): tell what keyusages are missing 1164 1165 * print.c: Split OtherName printing code to a oid lookup and print 1166 function. 1167 1168 * print.c (Time2string): print hour as hour not min 1169 1170 * Makefile.am: CLEANFILES += test 1171 11722006-12-06 Love Hörnquist Åstrand <lha@it.su.se> 1173 1174 * Makefile.am (EXTRA_DIST): add data/pkinit-proxy* files 1175 1176 * Makefile.am (EXTRA_DIST): add tst-crypto* files 1177 1178 * cert.c (hx509_query_match_issuer_serial): make a copy of the 1179 data 1180 1181 * cert.c (hx509_query_match_issuer_serial): allow matching on 1182 issuer and serial num 1183 1184 * cert.c (_hx509_calculate_path): add flag to allow leaving out 1185 trust anchor 1186 1187 * cms.c (hx509_cms_create_signed_1): when building the path, omit 1188 the trust anchors. 1189 1190 * crypto.c (rsa_create_signature): Abort when signature is longer, 1191 not shorter. 1192 1193 * cms.c: Provide time to _hx509_calculate_path so we don't send no 1194 longer valid certs to our peer. 1195 1196 * cert.c (find_parent): when checking for certs and its not a 1197 trust anchor, require time be in range. 1198 (_hx509_query_match_cert): Add time validity-testing to query mask 1199 1200 * hx_locl.h: add time validity-testing to query mask 1201 1202 * test_cms.in: Tests for CMS SignedData with incomplete chain from 1203 the signer. 1204 12052006-11-28 Love Hörnquist Åstrand <lha@it.su.se> 1206 1207 * cms.c (hx509_cms_verify_signed): specify what signature we 1208 failed to verify 1209 1210 * Makefile.am: Depend on LIB_com_err for AIX. 1211 1212 * keyset.c: Remove anther strndup that causes AIX to fall over. 1213 1214 * cert.c: Don't check the trust anchors expiration time since they 1215 are transported out of band, from RFC3820. 1216 1217 * cms.c: sprinkle more error strings 1218 1219 * crypto.c: sprinkle more error strings 1220 1221 * hxtool.c: use unsigned int as counter to fit better with the 1222 asn1 compiler 1223 1224 * crypto.c: use unsigned int as counter to fit better with the 1225 asn1 compiler 1226 12272006-11-27 Love Hörnquist Åstrand <lha@it.su.se> 1228 1229 * cms.c: Remove trailing white space. 1230 1231 * crypto.c: rewrite comment to make more sense 1232 1233 * crypto.c (hx509_crypto_select): check sig_algs[j]->key_oid 1234 1235 * hxtool-commands.in (crypto-available): add --type 1236 1237 * crypto.c (hx509_crypto_available): let alg pass if its keyless 1238 1239 * hxtool-commands.in: Expand crypto-select 1240 1241 * cms.c: Rename hx509_select to hx509_crypto_select. 1242 1243 * hxtool-commands.in: Add crypto-select and crypto-available. 1244 1245 * hxtool.c: Add crypto-select and crypto-available. 1246 1247 * crypto.c (hx509_crypto_available): use right index. 1248 (hx509_crypto_free_algs): new function 1249 1250 * crypto.c (hx509_crypto_select): improve 1251 (hx509_crypto_available): new function 1252 12532006-11-26 Love Hörnquist Åstrand <lha@it.su.se> 1254 1255 * cert.c: Sprinkle more error string and hx509_contexts. 1256 1257 * cms.c: Sprinkle more error strings. 1258 1259 * crypto.c: Sprinkle error string and hx509_contexts. 1260 1261 * crypto.c: Add some more comments about how this works. 1262 1263 * crypto.c (hx509_select): new function. 1264 1265 * Makefile.am: add peer.c 1266 1267 * hxtool.c: Update hx509_cms_create_signed_1. 1268 1269 * hx_locl.h: add struct hx509_peer_info 1270 1271 * peer.c: Allow selection of digest/sig-alg 1272 1273 * cms.c: Allow selection of a better digest using hx509_peer_info. 1274 1275 * revoke.c: Handle that _hx509_verify_signature takes a context. 1276 1277 * cert.c: Handle that _hx509_verify_signature takes a context. 1278 12792006-11-25 Love Hörnquist Åstrand <lha@it.su.se> 1280 1281 * cms.c: Sprinkle error strings. 1282 1283 * crypto.c: Sprinkle context and error strings. 1284 12852006-11-24 Love Hörnquist Åstrand <lha@it.su.se> 1286 1287 * name.c: Handle printing and parsing raw oids in name. 1288 12892006-11-23 Love Hörnquist Åstrand <lha@it.su.se> 1290 1291 * cert.c (_hx509_calculate_path): allow to calculate optimistic 1292 path when we don't know the trust anchors, just follow the chain 1293 upward until we no longer find a parent or we hit the max limit. 1294 1295 * cms.c (hx509_cms_create_signed_1): provide a best effort path to 1296 the trust anchors to be stored in the SignedData packet, if find 1297 parents until trust anchor or max length. 1298 1299 * data: regen 1300 1301 * data/gen-req.sh: Build pk-init proxy cert. 1302 13032006-11-16 Love Hörnquist Åstrand <lha@it.su.se> 1304 1305 * error.c (hx509_get_error_string): Put ", " between strings in 1306 error message. 1307 13082006-11-13 Love Hörnquist Åstrand <lha@it.su.se> 1309 1310 * data/openssl.cnf: Change realm to TEST.H5L.SE 1311 13122006-11-07 Love Hörnquist Åstrand <lha@it.su.se> 1313 1314 * revoke.c: Sprinkle error strings. 1315 13162006-11-04 Love Hörnquist Åstrand <lha@it.su.se> 1317 1318 * hx_locl.h: add context variable to cmp function. 1319 1320 * cert.c (hx509_query_match_cmp_func): allow setting the match 1321 function. 1322 13232006-10-24 Love Hörnquist Åstrand <lha@it.su.se> 1324 1325 * ks_p11.c: Return less EINVAL. 1326 1327 * hx509_err.et: add more pkcs11 errors 1328 1329 * hx509_err.et: more error-codes 1330 1331 * revoke.c: Return less EINVAL. 1332 1333 * ks_dir.c: sprinkel more hx509_set_error_string 1334 1335 * ks_file.c: Return less EINVAL. 1336 1337 * hxtool.c: Pass in context to _hx509_parse_private_key. 1338 1339 * ks_file.c: Sprinkle more hx509_context so we can return propper 1340 errors. 1341 1342 * hx509_err.et: add HX509_PARSING_KEY_FAILED 1343 1344 * crypto.c: Sprinkle more hx509_context so we can return propper 1345 errors. 1346 1347 * collector.c: No more EINVAL. 1348 1349 * hx509_err.et: add HX509_LOCAL_ATTRIBUTE_MISSING 1350 1351 * cert.c (hx509_cert_get_base_subject): one less EINVAL 1352 (_hx509_cert_private_decrypt): one less EINVAL 1353 13542006-10-22 Love Hörnquist Åstrand <lha@it.su.se> 1355 1356 * collector.c: indent 1357 1358 * hxtool.c: Try to not leak memory. 1359 1360 * req.c: clean memory before free 1361 1362 * crypto.c (_hx509_private_key2SPKI): indent 1363 1364 * req.c: Try to not leak memory. 1365 13662006-10-21 Love Hörnquist Åstrand <lha@it.su.se> 1367 1368 * test_crypto.in: Read 50 kilobyte random data 1369 1370 * revoke.c: Try to not leak memory. 1371 1372 * hxtool.c: Try to not leak memory. 1373 1374 * crypto.c (hx509_crypto_destroy): free oid. 1375 1376 * error.c: Clean error string on failure just to make sure. 1377 1378 * cms.c: Try to not leak memory (again). 1379 1380 * hxtool.c: use a sensable content type 1381 1382 * cms.c: Try harder to free certificate. 1383 13842006-10-20 Love Hörnquist Åstrand <lha@it.su.se> 1385 1386 * Makefile.am: Add make check data. 1387 13882006-10-19 Love Hörnquist Åstrand <lha@it.su.se> 1389 1390 * ks_p11.c (p11_list_keys): make element of search_data[0] 1391 constants and set them later 1392 1393 * Makefile.am: Add more files. 1394 13952006-10-17 Love Hörnquist Åstrand <lha@it.su.se> 1396 1397 * ks_file.c: set ret, remember to free ivdata 1398 13992006-10-16 Love Hörnquist Åstrand <lha@it.su.se> 1400 1401 * hx_locl.h: Include <parse_bytes.h>. 1402 1403 * test_crypto.in: Test random-data. 1404 1405 * hxtool.c: RAND_bytes() return 1 for cryptographic strong data, 1406 check for that. 1407 1408 * Makefile.am: clean random-data 1409 1410 * hxtool.c: Add random-data command, use sl_slc_help. 1411 1412 * hxtool-commands.in: Add random-data. 1413 1414 * ks_p12.c: Remember to release certs. 1415 1416 * ks_p11.c: Remember to release certs. 1417 14182006-10-14 Love Hörnquist Åstrand <lha@it.su.se> 1419 1420 * prefix der primitives with der_ 1421 1422 * lock.c: Match the prompt type PROMPT exact. 1423 1424 * hx_locl.h: Drop heim_any.h 1425 14262006-10-11 Love Hörnquist Åstrand <lha@it.su.se> 1427 1428 * ks_p11.c (p11_release_module): j needs to be used as inter loop 1429 index. From Douglas Engert. 1430 1431 * ks_file.c (parse_rsa_private_key): try all passwords and 1432 prompter. 1433 14342006-10-10 Love Hörnquist Åstrand <lha@it.su.se> 1435 1436 * test_*.in: Parameterise the invocation of hxtool, so we can make 1437 it run under TESTS_ENVIRONMENT. From Andrew Bartlett 1438 14392006-10-08 Love Hörnquist Åstrand <lha@it.su.se> 1440 1441 * test_crypto.in: Put all test stuck at 2006-09-25 since all their 1442 chains where valied then. 1443 1444 * hxtool.c: Implement --time= option. 1445 1446 * hxtool-commands.in: Add option time. 1447 1448 * Makefile.am: test_name is a PROGRAM_TESTS 1449 1450 * ks_p11.c: Return HX509_PKCS11_NO_SLOT when there are no slots 1451 and HX509_PKCS11_NO_TOKEN when there are no token. For use in PAM 1452 modules that want to detect when to use smartcard login and when 1453 not to. Patched based on code from Douglas Engert. 1454 1455 * hx509_err.et: Add new pkcs11 related errors in a new section: 1456 keystore related error. Patched based on code from Douglas 1457 Engert. 1458 14592006-10-07 Love Hörnquist Åstrand <lha@it.su.se> 1460 1461 * Makefile.am: Make depenency for slc built files just like 1462 everywhere else. 1463 1464 * cert.c: Add all openssl algs and init asn1 et 1465 14662006-10-06 Love Hörnquist Åstrand <lha@it.su.se> 1467 1468 * ks_file.c (parse_rsa_private_key): free type earlier. 1469 1470 * ks_file.c (parse_rsa_private_key): free type after use 1471 1472 * name.c (_hx509_Name_to_string): remove dup const 1473 14742006-10-02 Love Hörnquist Åstrand <lha@it.su.se> 1475 1476 * Makefile.am: Add more libs to libhx509 1477 14782006-10-01 Love Hörnquist Åstrand <lha@it.su.se> 1479 1480 * ks_p11.c: Fix double free's, NULL ptr de-reference, and conform 1481 better to pkcs11. From Douglas Engert. 1482 1483 * ref: remove ^M, it breaks solaris 10s cc. From Harald Barth 1484 14852006-09-19 Love Hörnquist Åstrand <lha@it.su.se> 1486 1487 * test_crypto.in: Bleichenbacher bad cert from Ralf-Philipp 1488 Weinmann and Andrew Pyshkin, pad right. 1489 1490 * data: starfield test root cert and Ralf-Philipp and Andreis 1491 correctly padded bad cert 1492 14932006-09-15 Love Hörnquist Åstrand <lha@it.su.se> 1494 1495 * test_crypto.in: Add test for yutaka certs. 1496 1497 * cert.c: Add a strict rfc3280 verification flag. rfc3280 requires 1498 certificates to have KeyUsage.keyCertSign if they are to be used 1499 for signing of certificates, but the step in the verifiation is 1500 optional. 1501 1502 * hxtool.c: Improve printing and error reporting. 1503 15042006-09-13 Love Hörnquist Åstrand <lha@it.su.se> 1505 1506 * test_crypto.in,Makefile.am,data/bleichenbacher-{bad,good}.pem: 1507 test bleichenbacher from eay 1508 15092006-09-12 Love Hörnquist Åstrand <lha@it.su.se> 1510 1511 * hxtool.c: Make common function for all getarg_strings and 1512 hx509_certs_append commonly used. 1513 1514 * cms.c: HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT is a negative 1515 flag, treat it was such. 1516 15172006-09-11 Love Hörnquist Åstrand <lha@it.su.se> 1518 1519 * req.c: Use the new add_GeneralNames function. 1520 1521 * hx509.h: Add HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT. 1522 1523 * ks_p12.c: Adapt to new signature of hx509_cms_unenvelope. 1524 1525 * hxtool.c: Adapt to new signature of hx509_cms_unenvelope. 1526 1527 * cms.c: Allow passing in encryptedContent and flag. Add new flag 1528 HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT. 1529 15302006-09-08 Love Hörnquist Åstrand <lha@it.su.se> 1531 1532 * ks_p11.c: cast void * to char * when using it for %s formating 1533 in printf. 1534 1535 * name.c: New function _hx509_Name_to_string. 1536 15372006-09-07 Love Hörnquist Åstrand <lha@it.su.se> 1538 1539 * ks_file.c: Sprinkle error messages. 1540 1541 * cms.c: Sprinkle even more error messages. 1542 1543 * cms.c: Sprinkle some error messages. 1544 1545 * cms.c (find_CMSIdentifier): only free string when we allocated 1546 one. 1547 1548 * ks_p11.c: Don't build most of the pkcs11 module if there are no 1549 dlopen(). 1550 15512006-09-06 Love Hörnquist Åstrand <lha@it.su.se> 1552 1553 * cms.c (hx509_cms_unenvelope): try to save the error string from 1554 find_CMSIdentifier so we have one more bit of information what 1555 went wrong. 1556 1557 * hxtool.c: More pretty printing, make verify_signed return the 1558 error string from the library. 1559 1560 * cms.c: Try returning what certificates failed to parse or be 1561 found. 1562 1563 * ks_p11.c (p11_list_keys): fetch CKA_LABEL and use it to set the 1564 friendlyname for the certificate. 1565 15662006-09-05 Love Hörnquist Åstrand <lha@it.su.se> 1567 1568 * crypto.c: check that there are no extra bytes in the checksum 1569 and that the parameters are NULL or the NULL-type. All to avoid 1570 having excess data that can be used to fake the signature. 1571 1572 * hxtool.c: print keyusage 1573 1574 * print.c: add hx509_cert_keyusage_print, simplify oid printing 1575 1576 * cert.c: add _hx509_cert_get_keyusage 1577 1578 * ks_p11.c: keep one session around for the whole life of the keyset 1579 1580 * test_query.in: tests more selection 1581 1582 * hxtool.c: improve pretty printing in print and query 1583 1584 * hxtool{.c,-commands.in}: add selection on KU and printing to query 1585 1586 * test_cms.in: Add cms test for digitalSignature and 1587 keyEncipherment certs. 1588 1589 * name.c (no): Add serialNumber 1590 1591 * ks_p11.c (p11_get_session): return better error messages 1592 15932006-09-04 Love Hörnquist Åstrand <lha@it.su.se> 1594 1595 * ref: update to pkcs11 reference files 2.20 1596 1597 * ks_p11.c: add more mechflags 1598 1599 * name.c (no): add OU and sort 1600 1601 * revoke.c: pass context to _hx509_create_signature 1602 1603 * ks_p11.c (p11_printinfo): print proper plural s 1604 1605 * ks_p11.c: save the mechs supported when initing the token, print 1606 them in printinfo. 1607 1608 * hx_locl.h: Include <parse_units.h>. 1609 1610 * cms.c: pass context to _hx509_create_signature 1611 1612 * req.c: pass context to _hx509_create_signature 1613 1614 * keyset.c (hx509_certs_info): print information about the keyset. 1615 1616 * hxtool.c (pcert_print) print keystore info when --info flag is 1617 given. 1618 1619 * hxtool-commands.in: Add hxtool print --info. 1620 1621 * test_query.in: Test hxtool print --info. 1622 1623 * hx_locl.h (hx509_keyset_ops): add printinfo 1624 1625 * crypto.c: Start to hang the private key operations of the 1626 private key, pass hx509_context to create_checksum. 1627 16282006-05-29 Love Hörnquist Åstrand <lha@it.su.se> 1629 1630 * ks_p11.c: Iterate over all slots, not just the first/selected 1631 one. 1632 16332006-05-27 Love Hörnquist Åstrand <lha@it.su.se> 1634 1635 * cert.c: Add release function for certifiates so backend knowns 1636 when its no longer used. 1637 1638 * ks_p11.c: Add reference counting on certifiates, push out 1639 CK_SESSION_HANDLE from slot. 1640 1641 * cms.c: sprinkle more hx509_clear_error_string 1642 16432006-05-22 Love Hörnquist Åstrand <lha@it.su.se> 1644 1645 * ks_p11.c: Sprinkle some hx509_set_error_strings 1646 16472006-05-13 Love Hörnquist Åstrand <lha@it.su.se> 1648 1649 * hxtool.c: Avoid shadowing. 1650 1651 * revoke.c: Avoid shadowing. 1652 1653 * ks_file.c: Avoid shadowing. 1654 1655 * cert.c: Avoid shadowing. 1656 16572006-05-12 Love Hörnquist Åstrand <lha@it.su.se> 1658 1659 * lock.c (hx509_prompt_hidden): reshuffle to avoid gcc warning 1660 1661 * hx509.h: Reshuffle the prompter types, remove the hidden field. 1662 1663 * lock.c (hx509_prompt_hidden): return if the prompt should be 1664 hidden or not 1665 1666 * revoke.c (hx509_revoke_free): allow free of NULL. 1667 16682006-05-11 Love Hörnquist Åstrand <lha@it.su.se> 1669 1670 * ks_file.c (file_init): Avoid shadowing ret (and thus avoiding 1671 crashing). 1672 1673 * ks_dir.c: Implement DIR: caches useing FILE: caches. 1674 1675 * ks_p11.c: Catch more errors. 1676 16772006-05-08 Love Hörnquist Åstrand <lha@it.su.se> 1678 1679 * crypto.c (hx509_crypto_encrypt): free correctly in error 1680 path. From Andrew Bartlett. 1681 1682 * crypto.c: If RAND_bytes fails, then we will attempt to 1683 double-free crypt->key.data. From Andrew Bartlett. 1684 16852006-05-05 Love Hörnquist Åstrand <lha@it.su.se> 1686 1687 * name.c: Rename u_intXX_t to uintXX_t 1688 16892006-05-03 Love Hörnquist Åstrand <lha@it.su.se> 1690 1691 * TODO: More to do about the about the PKCS11 code. 1692 1693 * ks_p11.c: Use the prompter from the lock function. 1694 1695 * lock.c: Deal with that hx509_prompt.reply is no longer a 1696 pointer. 1697 1698 * hx509.h: Make hx509_prompt.reply not a pointer. 1699 17002006-05-02 Love Hörnquist Åstrand <lha@it.su.se> 1701 1702 * keyset.c: Sprinkle setting error strings. 1703 1704 * crypto.c: Sprinkle setting error strings. 1705 1706 * collector.c: Sprinkle setting error strings. 1707 1708 * cms.c: Sprinkle setting error strings. 1709 17102006-05-01 Love Hörnquist Åstrand <lha@it.su.se> 1711 1712 * test_name.c: renamed one error code 1713 1714 * name.c: renamed one error code 1715 1716 * ks_p11.c: _hx509_set_cert_attribute changed signature 1717 1718 * hxtool.c (pcert_print): use hx509_err so I can test it 1719 1720 * error.c (hx509_set_error_stringv): clear errors on malloc 1721 failure 1722 1723 * hx509_err.et: Add some more errors 1724 1725 * cert.c: Sprinkle setting error strings. 1726 1727 * cms.c: _hx509_path_append changed signature. 1728 1729 * revoke.c: changed signature of _hx509_check_key_usage 1730 1731 * keyset.c: changed signature of _hx509_query_match_cert 1732 1733 * hx509.h: Add support for error strings. 1734 1735 * cms.c: changed signature of _hx509_check_key_usage 1736 1737 * Makefile.am: ibhx509_la_files += error.c 1738 1739 * ks_file.c: Sprinkel setting error strings. 1740 1741 * cert.c: Sprinkel setting error strings. 1742 1743 * hx_locl.h: Add support for error strings. 1744 1745 * error.c: Add string error handling functions. 1746 1747 * keyset.c (hx509_certs_init): pass the right error code back 1748 17492006-04-30 Love Hörnquist Åstrand <lha@it.su.se> 1750 1751 * revoke.c: Revert previous patch. 1752 (hx509_ocsp_verify): new function that returns the expiration of 1753 certificate in ocsp data-blob 1754 1755 * cert.c: Reverse previous patch, lets do it another way. 1756 1757 * cert.c (hx509_revoke_verify): update usage 1758 1759 * revoke.c: Make compile. 1760 1761 * revoke.c: Add the expiration time the crl/ocsp info expire 1762 1763 * name.c: Add hx509_name_is_null_p 1764 1765 * cert.c: remove _hx509_cert_private_sigature 1766 17672006-04-29 Love Hörnquist Åstrand <lha@it.su.se> 1768 1769 * name.c: Expose more of Name. 1770 1771 * hxtool.c (main): add missing argument to printf 1772 1773 * data/openssl.cnf: Add EKU for the KDC certificate 1774 1775 * cert.c (hx509_cert_get_base_subject): reject un-canon proxy 1776 certs, not the reverse 1777 (add_to_list): constify and fix argument order to 1778 copy_octet_string 1779 (hx509_cert_find_subjectAltName_otherName): make work 1780 17812006-04-28 Love Hörnquist Åstrand <lha@it.su.se> 1782 1783 * data/{pkinit,kdc}.{crt,key}: pkinit certificates 1784 1785 * data/gen-req.sh: Generate pkinit certificates. 1786 1787 * data/openssl.cnf: Add pkinit glue. 1788 1789 * cert.c (hx509_verify_hostname): implement stub function 1790 17912006-04-27 Love Hörnquist Åstrand <lha@it.su.se> 1792 1793 * TODO: CRL delta support 1794 17952006-04-26 Love Hörnquist Åstrand <lha@it.su.se> 1796 1797 * data/.cvsignore: ignore leftover from OpenSSL cert generation 1798 1799 * hx509_err.et: Add name malformated error 1800 1801 * name.c (hx509_parse_name): don't abort on error, rather return 1802 error 1803 1804 * test_name.c: Test failure parsing name. 1805 1806 * cert.c: When verifying certificates, store subject basename for 1807 later consumption. 1808 1809 * test_name.c: test to parse and print name and check that they 1810 are the same. 1811 1812 * name.c (hx509_parse_name): fix length argument to printf string 1813 1814 * name.c (hx509_parse_name): fix length argument to stringtooid, 1 1815 too short. 1816 1817 * cert.c: remove debug printf's 1818 1819 * name.c (hx509_parse_name): make compile pre c99 1820 1821 * data/gen-req.sh: OpenSSL have a serious issue of user confusion 1822 -subj in -ca takes the arguments in LDAP order. -subj for x509 1823 takes it in x509 order. 1824 1825 * cert.c (hx509_verify_path): handle the case where the where two 1826 proxy certs in a chain. 1827 1828 * test_chain.in: enable two proxy certificates in a chain test 1829 1830 * test_chain.in: tests proxy certificates 1831 1832 * data: re-gen 1833 1834 * data/gen-req.sh: build proxy certificates 1835 1836 * data/openssl.cnf: add def for proxy10_cert 1837 1838 * hx509_err.et: Add another proxy certificate error. 1839 1840 * cert.c (hx509_verify_path): Need to mangle name to remove the CN 1841 of the subject, copying issuer only works for one level but is 1842 better then doing no checking at all. 1843 1844 * hxtool.c: Add verify --allow-proxy-certificate. 1845 1846 * hxtool-commands.in: add verify --allow-proxy-certificate 1847 1848 * hx509_err.et: Add proxy certificate errors. 1849 1850 * cert.c: Fix comment about subject name of proxy certificate. 1851 1852 * test_chain.in: tests for proxy certs 1853 1854 * data/gen-req.sh: gen proxy and non-proxy tests certificates 1855 1856 * data/openssl.cnf: Add definition for proxy certs 1857 1858 * data/*proxy-test.*: Add proxy certificates 1859 1860 * cert.c (hx509_verify_path): verify proxy certificate have no san 1861 or ian 1862 1863 * cert.c (hx509_verify_set_proxy_certificate): Add 1864 (*): rename policy cert to proxy cert 1865 1866 * cert.c: Initial support for proxy certificates. 1867 18682006-04-24 Love Hörnquist Åstrand <lha@it.su.se> 1869 1870 * hxtool.c: some error checking 1871 1872 * name.c: Switch over to asn1 generaed oids. 1873 1874 * TODO: merge with old todo file 1875 18762006-04-23 Love Hörnquist Åstrand <lha@it.su.se> 1877 1878 * test_query.in: make quiet 1879 1880 * test_req.in: SKIP test if there is no RSA support. 1881 1882 * hxtool.c: print dh method too 1883 1884 * test_chain.in: SKIP test if there is no RSA support. 1885 1886 * test_cms.in: SKIP test if there is no RSA support. 1887 1888 * test_nist.in: SKIP test if there is no RSA support. 1889 18902006-04-22 Love Hörnquist Åstrand <lha@it.su.se> 1891 1892 * hxtool-commands.in: Allow passing in pool and anchor to 1893 signedData 1894 1895 * hxtool.c: Allow passing in pool and anchor to signedData 1896 1897 * test_cms.in: Test that certs in signed data is picked up. 1898 1899 * hx_locl.h: Expose the path building function to internal 1900 functions. 1901 1902 * cert.c: Expose the path building function to internal functions. 1903 1904 * hxtool-commands.in: cms-envelope: Add support for choosing the 1905 encryption type 1906 1907 * hxtool.c (cms_create_enveloped): Add support for choosing the 1908 encryption type 1909 1910 * test_cms.in: Test generating des-ede3 aes-128 aes-256 enveloped 1911 data 1912 1913 * crypto.c: Add names to cipher types. 1914 1915 * cert.c (hx509_query_match_friendly_name): fix return value 1916 1917 * data/gen-req.sh: generate tests for enveloped data using 1918 des-ede3 and aes256 1919 1920 * test_cms.in: add tests for enveloped data using des-ede3 and 1921 aes256 1922 1923 * cert.c (hx509_query_match_friendly_name): New function. 1924 19252006-04-21 Love Hörnquist Åstrand <lha@it.su.se> 1926 1927 * ks_p11.c: Add support for parsing slot-number. 1928 1929 * crypto.c (oid_private_rc2_40): simply 1930 1931 * crypto.c: Use oids from asn1 generator. 1932 1933 * ks_file.c (file_init): reset length when done with a part 1934 1935 * test_cms.in: check with test.combined.crt. 1936 1937 * data/gen-req.sh: Create test.combined.crt. 1938 1939 * test_cms.in: Test signed data using keyfile that is encrypted. 1940 1941 * ks_file.c: Remove (commented out) debug printf 1942 1943 * ks_file.c (parse_rsa_private_key): use EVP_get_cipherbyname 1944 1945 * ks_file.c (parse_rsa_private_key): make working for one 1946 password. 1947 1948 * ks_file.c (parse_rsa_private_key): Implement enought for 1949 testing. 1950 1951 * hx_locl.h: Add <ctype.h> 1952 1953 * ks_file.c: Add glue code for PEM encrypted password files. 1954 1955 * test_cms.in: Add commeted out password protected PEM file, 1956 remove password for those tests that doesn't need it. 1957 1958 * test_cms.in: adapt test now that we can use any certificate and 1959 trust anchor 1960 1961 * collector.c: handle PEM RSA PRIVATE KEY files 1962 1963 * cert.c: Remove unused function. 1964 1965 * ks_dir.c: move code here from ks_file.c now that its no longer 1966 used. 1967 1968 * ks_file.c: Add support for parsing unencrypted RSA PRIVATE KEY 1969 1970 * crypto.c: Handle rsa private keys better. 1971 19722006-04-20 Love Hörnquist Åstrand <lha@it.su.se> 1973 1974 * hxtool.c: Use hx509_cms_{,un}wrap_ContentInfo 1975 1976 * cms.c: Make hx509_cms_{,un}wrap_ContentInfo usable in asn1 1977 un-aware code. 1978 1979 * cert.c (hx509_verify_path): if trust anchor is not self signed, 1980 don't check sig From Douglas Engert. 1981 1982 * test_chain.in: test "sub-cert -> sub-ca" 1983 1984 * crypto.c: Use the right length for the sha256 checksums. 1985 19862006-04-15 Love Hörnquist Åstrand <lha@it.su.se> 1987 1988 * crypto.c: Fix breakage from sha256 code. 1989 1990 * crypto.c: Add SHA256 support, and symbols for the other new 1991 SHA-2 types. 1992 19932006-04-14 Love Hörnquist Åstrand <lha@it.su.se> 1994 1995 * test_cms.in: test rc2-40 rc2-64 rc2-128 enveloped data 1996 1997 * data/test-enveloped-rc2-{40,64,128}: add tests cases for rc2 1998 1999 * cms.c: Update prototypes changes for hx509_crypto_[gs]et_params. 2000 2001 * crypto.c: Break out the parameter handling code for encrypting 2002 data to handle RC2. Needed for Windows 2k pk-init support. 2003 20042006-04-04 Love Hörnquist Åstrand <lha@it.su.se> 2005 2006 * Makefile.am: Split libhx509_la_SOURCES into build file and 2007 distributed files so we can avoid building prototypes for 2008 build-files. 2009 20102006-04-03 Love Hörnquist Åstrand <lha@it.su.se> 2011 2012 * TODO: split certificate request into pkcs10 and CRMF 2013 2014 * hxtool-commands.in: Add nonce flag to ocsp-fetch 2015 2016 * hxtool.c: control sending nonce 2017 2018 * hxtool.c (request_create): store the request in a file, no in 2019 bitbucket. 2020 2021 * cert.c: expose print_cert_subject internally 2022 2023 * hxtool.c: Add ocsp_print. 2024 2025 * hxtool-commands.in: New command "ocsp-print". 2026 2027 * hx_locl.h: Include <hex.h>. 2028 2029 * revoke.c (verify_ocsp): require issuer to match too. 2030 (free_ocsp): new function 2031 (hx509_revoke_ocsp_print): new function, print ocsp reply 2032 2033 * Makefile.am: build CRMF files 2034 2035 * data/key.der: needed for cert request test 2036 2037 * test_req.in: adapt to rename of pkcs10-create to request-create 2038 2039 * hxtool.c: adapt to rename of pkcs10-create to request-create 2040 2041 * hxtool-commands.in: Rename pkcs10-create to request-create 2042 2043 * crypto.c: (_hx509_parse_private_key): Avoid crashing on bad input. 2044 2045 * hxtool.c (pkcs10_create): use opt->subject_string 2046 2047 * hxtool-commands.in: Add pkcs10-create --subject 2048 2049 * Makefile.am: Add test_req to tests. 2050 2051 * test_req.in: Test for pkcs10 commands. 2052 2053 * name.c (hx509_parse_name): new function. 2054 2055 * hxtool.c (pkcs10_create): implement 2056 2057 * hxtool-commands.in (pkcs10-create): Add arguments 2058 2059 * crypto.c: Add _hx509_private_key2SPKI and support 2060 functions (only support RSA for now). 2061 20622006-04-02 Love Hörnquist Åstrand <lha@it.su.se> 2063 2064 * hxtool-commands.in: Add pkcs10-create command. 2065 2066 * hx509.h: Add hx509_request. 2067 2068 * TODO: more stuff 2069 2070 * Makefile.am: Add req.c 2071 2072 * req.c: Create certificate requests, prototype converts the 2073 request in a pkcs10 packet. 2074 2075 * hxtool.c: Add pkcs10_create 2076 2077 * name.c (hx509_name_copy): new function. 2078 20792006-04-01 Love Hörnquist Åstrand <lha@it.su.se> 2080 2081 * TODO: fill out what do 2082 2083 * hxtool-commands.in: add pkcs10-print 2084 2085 * hx_locl.h: Include <pkcs10_asn1.h>. 2086 2087 * pkcs10.asn1: PKCS#10 2088 2089 * hxtool.c (pkcs10_print): new function. 2090 2091 * test_chain.in: test ocsp keyhash 2092 2093 * data: generate ocsp keyhash version too 2094 2095 * revoke.c (load_ocsp): test that we got back a BasicReponse 2096 2097 * ocsp.asn1: Add asn1_id_pkix_ocsp*. 2098 2099 * Makefile.am: Add asn1_id_pkix_ocsp*. 2100 2101 * cert.c: Add HX509_QUERY_MATCH_KEY_HASH_SHA1 2102 2103 * hx_locl.h: Add HX509_QUERY_MATCH_KEY_HASH_SHA1 2104 2105 * revoke.c: Support OCSPResponderID.byKey, indent. 2106 2107 * revoke.c (hx509_ocsp_request): Add nonce to ocsp request. 2108 2109 * hxtool.c: Add nonce to ocsp request. 2110 2111 * test_chain.in: Added crl tests 2112 2113 * data/nist-data: rename missing-crl to missing-revoke 2114 2115 * data: make ca use openssl ca command so we can add ocsp tests, 2116 and regen certs 2117 2118 * test_chain.in: Add revoked ocsp cert test 2119 2120 * cert.c: rename missing-crl to missing-revoke 2121 2122 * revoke.c: refactor code, fix a un-init-ed variable 2123 2124 * test_chain.in: rename missing-crl to missing-revoke add ocsp 2125 tests 2126 2127 * test_cms.in: rename missing-crl to missing-revoke 2128 2129 * hxtool.c: rename missing-crl to missing-revoke 2130 2131 * hxtool-commands.in: rename missing-crl to missing-revoke 2132 2133 * revoke.c: Plug one memory leak. 2134 2135 * revoke.c: Renamed generic CRL related errors. 2136 2137 * hx509_err.et: Comments and renamed generic CRL related errors 2138 2139 * revoke.c: Add ocsp checker. 2140 2141 * ocsp.asn1: Add id-kp-OCSPSigning 2142 2143 * hxtool-commands.in: add url-path argument to ocsp-fetch 2144 2145 * hxtool.c: implement ocsp-fetch 2146 2147 * cert.c: Use HX509_DEFAULT_OCSP_TIME_DIFF. 2148 2149 * hx_locl.h: Add ocsp_time_diff to hx509_context 2150 2151 * crypto.c (_hx509_verify_signature_bitstring): new function, 2152 commonly use when checking certificates 2153 2154 * cms.c (hx509_cms_envelope_1): check for internal ASN.1 encoder 2155 error 2156 2157 * cert.c: Add ocsp glue, use new 2158 _hx509_verify_signature_bitstring, add eku checking function. 2159 21602006-03-31 Love Hörnquist Åstrand <lha@it.su.se> 2161 2162 * Makefile.am: add id_kp_OCSPSigning.x 2163 2164 * revoke.c: Pick out certs in ocsp response 2165 2166 * TODO: list of stuff to verify 2167 2168 * revoke.c: Add code to load OCSPBasicOCSPResponse files, reload 2169 crl when its changed on disk. 2170 2171 * cert.c: Update for ocsp merge. handle building path w/o 2172 subject (using subject key id) 2173 2174 * ks_p12.c: _hx509_map_file changed prototype. 2175 2176 * file.c: _hx509_map_file changed prototype, returns struct stat 2177 if requested. 2178 2179 * ks_file.c: _hx509_map_file changed prototype. 2180 2181 * hxtool.c: Add stub for ocsp-fetch, _hx509_map_file changed 2182 prototype, add ocsp parsing to verify command. 2183 2184 * hx_locl.h: rename HX509_CTX_CRL_MISSING_OK to 2185 HX509_CTX_VERIFY_MISSING_OK now that we have OCSP glue 2186 21872006-03-30 Love Hörnquist Åstrand <lha@it.su.se> 2188 2189 * hx_locl.h: Add <krb5-types.h> to make it compile on Solaris, 2190 from Alex V. Labuta. 2191 21922006-03-28 Love Hörnquist Åstrand <lha@it.su.se> 2193 2194 * crypto.c (_hx509_pbe_decrypt): try all passwords, not just the 2195 first one. 2196 21972006-03-27 Love Hörnquist Åstrand <lha@it.su.se> 2198 2199 * print.c (check_altName): Print the othername oid. 2200 2201 * crypto.c: Manual page claims RSA_public_decrypt will return -1 2202 on error, lets check for that 2203 2204 * crypto.c (_hx509_pbe_decrypt): also try the empty password 2205 2206 * collector.c (match_localkeyid): no need to add back the cert to 2207 the cert pool, its already there. 2208 2209 * crypto.c: Add REQUIRE_SIGNER 2210 2211 * cert.c (hx509_cert_free): ok to free NULL 2212 2213 * hx509_err.et: Add new error code SIGNATURE_WITHOUT_SIGNER. 2214 2215 * name.c (_hx509_name_ds_cmp): make DirectoryString case 2216 insenstive 2217 (hx509_name_to_string): less spacing 2218 2219 * cms.c: Check for signature error, check consitency of error 2220 22212006-03-26 Love Hörnquist Åstrand <lha@it.su.se> 2222 2223 * collector.c (_hx509_collector_alloc): handle errors 2224 2225 * cert.c (hx509_query_alloc): allocate slight more more then a 2226 sizeof(pointer) 2227 2228 * crypto.c (_hx509_private_key_assign_key_file): ask for password 2229 if nothing matches. 2230 2231 * cert.c: Expose more of the hx509_query interface. 2232 2233 * collector.c: hx509_certs_find is now exposed. 2234 2235 * cms.c: hx509_certs_find is now exposed. 2236 2237 * revoke.c: hx509_certs_find is now exposed. 2238 2239 * keyset.c (hx509_certs_free): allow free-ing NULL 2240 (hx509_certs_find): expose 2241 (hx509_get_one_cert): new function 2242 2243 * hxtool.c: hx509_certs_find is now exposed. 2244 2245 * hx_locl.h: Remove hx509_query, its exposed now. 2246 2247 * hx509.h: Add hx509_query. 2248 22492006-02-22 Love Hörnquist Åstrand <lha@it.su.se> 2250 2251 * cert.c: Add exceptions for null (empty) subjectNames 2252 2253 * data/nist-data: Add some more name constraints tests. 2254 2255 * data/nist-data: Add some of the test from 4.13 Name Constraints. 2256 2257 * cert.c: Name constraits needs to be evaluated in block as they 2258 appear in the certificates, they can not be joined to one 2259 list. One example of this is: 2260 2261 - cert is cn=foo,dc=bar,dc=baz 2262 - subca is dc=foo,dc=baz with name restriction dc=kaka,dc=baz 2263 - ca is dc=baz with name restriction dc=baz 2264 2265 If the name restrictions are merged to a list, the certificate 2266 will pass this test. 2267 22682006-02-14 Love Hörnquist Åstrand <lha@it.su.se> 2269 2270 * cert.c: Handle more name constraints cases. 2271 2272 * crypto.c (dsa_verify_signature): if test if malloc failed 2273 22742006-01-31 Love Hörnquist Åstrand <lha@it.su.se> 2275 2276 * cms.c: Drop partial pkcs12 string2key implementation. 2277 22782006-01-20 Love Hörnquist Åstrand <lha@it.su.se> 2279 2280 * data/nist-data: Add commited out DSA tests (they fail). 2281 2282 * data/nist-data: Add 4.2 Validity Periods. 2283 2284 * test_nist.in: Make less verbose to use. 2285 2286 * Makefile.am: Add test_nist_cert. 2287 2288 * data/nist-data: Add some more CRL-tests. 2289 2290 * test_nist.in: Print $id instead of . when running the tests. 2291 2292 * test_nist.in: Drop verifying certifiates, its done in another 2293 test now. 2294 2295 * data/nist-data: fixup kill-rectangle leftovers 2296 2297 * data/nist-data: Drop verifying certifiates, its done in another 2298 test now. Add more crl tests. comment out all unused tests. 2299 2300 * test_nist_cert.in: test parse all nist certs 2301 23022006-01-19 Love Hörnquist Åstrand <lha@it.su.se> 2303 2304 * hx509_err.et: Add HX509_CRL_UNKNOWN_EXTENSION. 2305 2306 * revoke.c: Check for unknown extentions in CRLs and CRLEntries. 2307 2308 * test_nist.in: Parse new format to handle CRL info. 2309 2310 * test_chain.in: Add --missing-crl. 2311 2312 * name.c (hx509_unparse_der_name): Rename from hx509_parse_name. 2313 (_hx509_unparse_Name): Add. 2314 2315 * hxtool-commands.in: Add --missing-crl to verify commands. 2316 2317 * hx509_err.et: Add CRL errors. 2318 2319 * cert.c (hx509_context_set_missing_crl): new function Add CRL 2320 handling. 2321 2322 * hx_locl.h: Add HX509_CTX_CRL_MISSING_OK. 2323 2324 * revoke.c: Parse and verify CRLs (simplistic). 2325 2326 * hxtool.c: Parse CRL info. 2327 2328 * data/nist-data: Change format so we can deal with CRLs, also 2329 note the test-id from PKITS. 2330 2331 * data: regenerate test 2332 2333 * data/gen-req.sh: use static-file to generate tests 2334 2335 * data/static-file: new file to use for commited tests 2336 2337 * test_cms.in: Use static file, add --missing-crl. 2338 23392006-01-18 Love Hörnquist Åstrand <lha@it.su.se> 2340 2341 * print.c: Its cRLReason, not cRLReasons. 2342 2343 * hxtool.c: Attach revoke context to verify context. 2344 2345 * data/nist-data: change syntax to make match better with crl 2346 checks 2347 2348 * cert.c: Verify no certificates has been revoked with the new 2349 revoke interface. 2350 2351 * Makefile.am: libhx509_la_SOURCES += revoke.c 2352 2353 * revoke.c: Add framework for handling CRLs. 2354 2355 * hx509.h: Add hx509_revoke_ctx. 2356 23572006-01-13 Love Hörnquist Åstrand <lha@it.su.se> 2358 2359 * delete crypto_headers.h, use global file instead. 2360 2361 * crypto.c (PBE_string2key): libdes now supports PKCS12_key_gen 2362 23632006-01-12 Love Hörnquist Åstrand <lha@it.su.se> 2364 2365 * crypto_headers.h: Need BN_is_negative too. 2366 23672006-01-11 Love Hörnquist Åstrand <lha@it.su.se> 2368 2369 * ks_p11.c (p11_rsa_public_decrypt): since is wrong, don't provide 2370 it. PKCS11 can't do public_decrypt, it support verify though. All 2371 this doesn't matter, since the code never go though this path. 2372 2373 * crypto_headers.h: Provide glue to compile with less warnings 2374 with OpenSSL 2375 23762006-01-08 Love Hörnquist Åstrand <lha@it.su.se> 2377 2378 * Makefile.am: Depend on LIB_des 2379 2380 * lock.c: Use "crypto_headers.h". 2381 2382 * crypto_headers.h: Include the two diffrent implementation of 2383 crypto headers. 2384 2385 * cert.c: Use "crypto-headers.h". Load ENGINE configuration. 2386 2387 * crypto.c: Make compile with both OpenSSL and heimdal libdes. 2388 2389 * ks_p11.c: Add code for public key decryption (not supported yet) 2390 and use "crypto-headers.h". 2391 2392 23932006-01-04 Love Hörnquist Åstrand <lha@it.su.se> 2394 2395 * add a hx509_context where we can store configuration 2396 2397 * p11.c,Makefile.am: pkcs11 is now supported by library, remove 2398 old files. 2399 2400 * ks_p11.c: more paranoid on refcount, set refcounter ealier, 2401 reset pointers after free 2402 2403 * collector.c (struct private_key): remove temporary key data 2404 storage, convert directly to a key 2405 (match_localkeyid): match certificate and key using localkeyid 2406 (match_keys): match certificate and key using _hx509_match_keys 2407 (_hx509_collector_collect): rewrite to use match_keys and 2408 match_localkeyid 2409 2410 * crypto.c (_hx509_match_keys): function that determins if a 2411 private key matches a certificate, used when there is no 2412 localkeyid. 2413 (*) reset free pointer 2414 2415 * ks_file.c: Rewrite to use collector and mapping support 2416 function. 2417 2418 * ks_p11.c (rsa_pkcs1_method): constify 2419 2420 * ks_p11.c: drop extra wrapping of p11_init 2421 2422 * crypto.c (_hx509_private_key_assign_key_file): use function to 2423 extact rsa key 2424 2425 * cert.c: Revert previous, refcounter is unsigned, so it can never 2426 be negative. 2427 2428 * cert.c (hx509_cert_ref): more refcount paranoia 2429 2430 * ks_p11.c: Implement rsa_private_decrypt and add stubs for public 2431 ditto. 2432 2433 * ks_p11.c: Less printf, less memory leaks. 2434 2435 * ks_p11.c: Implement signing using pkcs11. 2436 2437 * ks_p11.c: Partly assign private key, enough to complete 2438 collection, but not any crypto functionallity. 2439 2440 * collector.c: Use hx509_private_key to assign private keys. 2441 2442 * crypto.c: Remove most of the EVP_PKEY code, and use RSA 2443 directly, this temporary removes DSA support. 2444 2445 * hxtool.c (print_f): print if there is a friendly name and if 2446 there is a private key 2447 24482006-01-03 Love Hörnquist Åstrand <lha@it.su.se> 2449 2450 * name.c: Avoid warning from missing __attribute__((noreturn)) 2451 2452 * lock.c (_hx509_lock_unlock_certs): return unlock certificates 2453 2454 * crypto.c (_hx509_private_key_assign_ptr): new function, exposes 2455 EVP_PKEY 2456 (_hx509_private_key_assign_key_file): remember to free private key 2457 if there is one. 2458 2459 * cert.c (_hx509_abort): add newline to output and flush stdout 2460 2461 * Makefile.am: libhx509_la_SOURCES += collector.c 2462 2463 * hx_locl.h: forward type declaration of struct hx509_collector. 2464 2465 * collector.c: Support functions to collect certificates and 2466 private keys and then match them. 2467 2468 * ks_p12.c: Use the new hx509_collector support functions. 2469 2470 * ks_p11.c: Add enough glue to support certificate iteration. 2471 2472 * test_nist_pkcs12.in: Less verbose. 2473 2474 * cert.c (hx509_cert_free): if there is a private key assosited 2475 with this cert, free it 2476 2477 * print.c: Use _hx509_abort. 2478 2479 * ks_p12.c: Use _hx509_abort. 2480 2481 * hxtool.c: Use _hx509_abort. 2482 2483 * crypto.c: Use _hx509_abort. 2484 2485 * cms.c: Use _hx509_abort. 2486 2487 * cert.c: Use _hx509_abort. 2488 2489 * name.c: use _hx509_abort 2490 24912006-01-02 Love Hörnquist Åstrand <lha@it.su.se> 2492 2493 * name.c (hx509_name_to_string): don't cut bmpString in half. 2494 2495 * name.c (hx509_name_to_string): don't overwrite with 1 byte with 2496 bmpString. 2497 2498 * ks_file.c (parse_certificate): avoid stomping before array 2499 2500 * name.c (oidtostring): avoid leaking memory 2501 2502 * keyset.c: Add _hx509_ks_dir_register. 2503 2504 * Makefile.am (libhx509_la_SOURCES): += ks_dir.c 2505 2506 * hxtool-commands.in: Remove pkcs11. 2507 2508 * hxtool.c: Remove pcert_pkcs11. 2509 2510 * ks_file.c: Factor out certificate parsing code. 2511 2512 * ks_dir.c: Add new keystore that treats all files in a directory 2513 a keystore, useful for regression tests. 2514 25152005-12-12 Love Hörnquist Åstrand <lha@it.su.se> 2516 2517 * test_nist_pkcs12.in: Test parse PKCS12 files from NIST. 2518 2519 * data/nist-data: Can handle DSA certificate. 2520 2521 * hxtool.c: Print error code on failure. 2522 25232005-10-29 Love Hörnquist Åstrand <lha@it.su.se> 2524 2525 * crypto.c: Support DSA signature operations. 2526 25272005-10-04 Love Hörnquist Åstrand <lha@it.su.se> 2528 2529 * print.c: Validate that issuerAltName and subjectAltName isn't 2530 empty. 2531 25322005-09-14 Love Hörnquist Åstrand <lha@it.su.se> 2533 2534 * p11.c: Cast to unsigned char to avoid warning. 2535 2536 * keyset.c: Register pkcs11 module. 2537 2538 * Makefile.am: Add ks_p11.c, install hxtool. 2539 2540 * ks_p11.c: Starting point of a pkcs11 module. 2541 25422005-09-04 Love Hörnquist Åstrand <lha@it.su.se> 2543 2544 * lock.c: Implement prompter. 2545 2546 * hxtool-commands.in: add --content to print 2547 2548 * hxtool.c: Split verify and print. 2549 2550 * cms.c: _hx509_pbe_decrypt now takes a hx509_lock. 2551 2552 * crypto.c: Make _hx509_pbe_decrypt take a hx509_lock, workaround 2553 for empty password. 2554 2555 * name.c: Add DC, handle all Directory strings, fix signless 2556 problems. 2557 25582005-09-03 Love Hörnquist Åstrand <lha@it.su.se> 2559 2560 * test_query.in: Pass in --pass to all commands. 2561 2562 * hxtool.c: Use option --pass. 2563 2564 * hxtool-commands.in: Add --pass to all commands. 2565 2566 * hx509_err.et: add UNKNOWN_LOCK_COMMAND and CRYPTO_NO_PROMPTER 2567 2568 * test_cms.in: pass in password to cms-create-sd 2569 2570 * crypto.c: Abstract out PBE_string2key so I can add PBE2 s2k 2571 later. Avoid signess warnings with OpenSSL. 2572 2573 * cms.c: Use void * instead of char * for to avoid signedness 2574 issues 2575 2576 * cert.c (hx509_cert_get_attribute): remove const, its not 2577 2578 * ks_p12.c: Cast size_t to unsigned long when print. 2579 2580 * name.c: Fix signedness warning. 2581 2582 * test_query.in: Use echo, the function check isn't defined here. 2583 25842005-08-11 Love Hörnquist Åstrand <lha@it.su.se> 2585 2586 * hxtool-commands.in: Add more options that was missing. 2587 25882005-07-28 Love Hörnquist Åstrand <lha@it.su.se> 2589 2590 * test_cms.in: Use --certificate= for enveloped/unenvelope. 2591 2592 * hxtool.c: Use --certificate= for enveloped/unenvelope. Clean 2593 up. 2594 2595 * test_cms.in: add EnvelopeData tests 2596 2597 * hxtool.c: use id-envelopedData for ContentInfo 2598 2599 * hxtool-commands.in: add contentinfo wrapping for create/unwrap 2600 enveloped data 2601 2602 * hxtool.c: add contentinfo wrapping for create/unwrap enveloped 2603 data 2604 2605 * data/gen-req.sh: add enveloped data (aes128) 2606 2607 * crypto.c: add "new" RC2 oid 2608 26092005-07-27 Love Hörnquist Åstrand <lha@it.su.se> 2610 2611 * hx_locl.h, cert.c: Add HX509_QUERY_MATCH_FUNCTION that allows 2612 caller to match by function, note that this doesn't not work 2613 directly for backends that implements ->query, they must do their 2614 own processing. (I'm running out of flags, only 12 left now) 2615 2616 * test_cms.in: verify ContentInfo wrapping code in hxtool 2617 2618 * hxtool-commands.in (cms_create_sd): support wrapping in content 2619 info spelling 2620 2621 * hxtool.c (cms_create_sd): support wrapping in content info 2622 2623 * test_cms.in: test more cms signeddata messages 2624 2625 * data/gen-req.sh: generate SignedData 2626 2627 * hxtool.c (cms_create_sd): support certificate store, add support 2628 to unwrap a ContentInfo the SignedData inside. 2629 2630 * crypto.c: sprinkel rk_UNCONST 2631 2632 * crypto.c: add DER NULL to the digest oid's 2633 2634 * hxtool-commands.in: add --content-info to cms-verify-sd 2635 2636 * cms.c (hx509_cms_create_signed_1): pass in a full 2637 AlgorithmIdentifier instead of heim_oid for digest_alg 2638 2639 * crypto.c: make digest_alg a digest_oid, it's not needed right 2640 now 2641 2642 * hx509_err.et: add CERT_NOT_FOUND 2643 2644 * keyset.c (_hx509_certs_find): add error code for cert not 2645 found 2646 2647 * cms.c (hx509_cms_verify_signed): add external store of 2648 certificates, use the right digest algorithm identifier. 2649 2650 * cert.c: fix const warning 2651 2652 * ks_p12.c: slightly less verbose 2653 2654 * cert.c: add hx509_cert_find_subjectAltName_otherName, add 2655 HX509_QUERY_MATCH_FRIENDLY_NAME 2656 2657 * hx509.h: add hx509_octet_string_list, remove bad comment 2658 2659 * hx_locl.h: add HX509_QUERY_MATCH_FRIENDLY_NAME 2660 2661 * keyset.c (hx509_certs_append): needs a hx509_lock, add one 2662 2663 * Makefile.am: add test cases tempfiles to CLEANFILES 2664 2665 * Makefile.am: add test_query to TESTS, fix dependency on hxtool 2666 sources on hxtool-commands.h 2667 2668 * hxtool-commands.in: explain what signer is for create-sd 2669 2670 * hxtool.c: add query, add more options to verify-sd and create-sd 2671 2672 * test_cms.in: add more cms tests 2673 2674 * hxtool-commands.in: add query, add more options to verify-sd 2675 2676 * test_query.in: test query interface 2677 2678 * data: fix filenames for ds/ke files, add pkcs12 files, regen 2679 2680 * hxtool.c,Makefile.am,hxtool-commands.in: switch to slc 2681 26822005-07-26 Love Hörnquist Åstrand <lha@it.su.se> 2683 2684 * cert.c (hx509_verify_destroy_ctx): add 2685 2686 * hxtool.c: free hx509_verify_ctx 2687 2688 * name.c (_hx509_name_ds_cmp): make sure all strings are not equal 2689 26902005-07-25 Love Hörnquist Åstrand <lha@it.su.se> 2691 2692 * hxtool.c: return error 2693 2694 * keyset.c: return errors from iterations 2695 2696 * test_chain.in: clean up checks 2697 2698 * ks_file.c (parse_certificate): return errno's not 1 in case of 2699 error 2700 2701 * ks_file.c (file_iter): make sure endpointer is NULL 2702 2703 * ks_mem.c (mem_iter): follow conversion and return NULL when we 2704 get to the end, not ENOENT. 2705 2706 * Makefile.am: test_chain depends on hxtool 2707 2708 * data: test certs that lasts 10 years 2709 2710 * data/gen-req.sh: script to generate test certs 2711 2712 * Makefile.am: Add regression tests. 2713 2714 * data: test certificate and keys 2715 2716 * test_chain.in: test chain 2717 2718 * hxtool.c (cms_create_sd): add KU digitalSigature as a 2719 requirement to the query 2720 2721 * hx_locl.h: add KeyUsage query bits 2722 2723 * hx509_err.et: add KeyUsage error 2724 2725 * cms.c: add checks for KeyUsage 2726 2727 * cert.c: more checks on KeyUsage, allow to query on them too 2728 27292005-07-24 Love Hörnquist Åstrand <lha@it.su.se> 2730 2731 * cms.c: Add missing break. 2732 2733 * hx_locl.h,cms.c,cert.c: allow matching on SubjectKeyId 2734 2735 * hxtool.c: Use _hx509_map_file, _hx509_unmap_file and 2736 _hx509_write_file. 2737 2738 * file.c (_hx509_write_file): in case of write error, return errno 2739 2740 * file.c (_hx509_write_file): add a function that write a data 2741 blob to disk too 2742 2743 * Fix id-tags 2744 2745 * Import mostly complete X.509 and CMS library. Handles, PEM, DER, 2746 PKCS12 encoded certicates. Verificate RSA chains and handled 2747 CMS's SignedData, and EnvelopedData. 2748 2749 2750