ChangeLog revision 178825 
12008-01-21  Love H�rnquist �strand  <lha@it.su.se>
2
3	* test_soft_pkcs11.c: use func for more C_ functions.
4	
52008-01-18  Love H�rnquist �strand  <lha@it.su.se>
6
7	* version-script.map: Export hx509_free_error_string().
8
92008-01-17  Love H�rnquist �strand  <lha@it.su.se>
10
11	* version-script.map: only export C_GetFunctionList
12
13	* test_soft_pkcs11.c: use C_GetFunctionList
14
15	* softp11.c: fix comment, remove label.
16
17	* softp11.c: Add option app-fatal to control if softtoken should
18	abort() on erroneous input from applications.
19
202008-01-16  Love H�rnquist �strand  <lha@it.su.se>
21
22	* test_pkcs11.in: Test password less certificates too
23
24	* keyset.c: document HX509_CERTS_UNPROTECT_ALL
25
26	* ks_file.c: Support HX509_CERTS_UNPROTECT_ALL.
27
28	* hx509.h: Add HX509_CERTS_UNPROTECT_ALL.
29
30	* test_soft_pkcs11.c: Only log in if needed.
31
322008-01-15  Love H�rnquist �strand  <lha@it.su.se>
33
34	* softp11.c: Support PINs to login to the store.
35
36	* Makefile.am: add java pkcs11 test
37
38	* test_java_pkcs11.in: first version of disable java test
39
40	* softp11.c: Drop unused stuff.
41
42	* cert.c: Spelling, Add hx509_cert_get_SPKI_AlgorithmIdentifier,
43	remove unused stuff, add hx509_context to some functions.
44	
45	* softp11.c: Add more glue to figure out what keytype this
46	certificate is using.
47
482008-01-14  Love H�rnquist �strand  <lha@it.su.se>
49
50	* test_pkcs11.in: test debug
51
52	* Add a PKCS11 provider supporting signing and verifing sigatures.
53
542008-01-13  Love H�rnquist �strand  <lha@it.su.se>
55
56	* version-script.map: Replace hx509_name_to_der_name with
57	hx509_name_binary.
58
59	* print.c: make print_func static
60
612007-12-26  Love H�rnquist �strand  <lha@it.su.se>
62
63	* print.c: doxygen
64
65	* env.c: doxygen
66
67	* doxygen.c: add more groups
68
69	* ca.c: doxygen.
70
712007-12-17  Love H�rnquist �strand  <lha@it.su.se>
72
73	* ca.c: doxygen
74
752007-12-16  Love H�rnquist �strand  <lha@it.su.se>
76
77	* error.c: doxygen
78	
792007-12-15  Love H�rnquist �strand  <lha@it.su.se>
80
81	* More documentation
82	
83	* lock.c: Add page referance
84
85	* keyset.c: some more documentation.
86
87	* cms.c: Doxygen documentation.
88
892007-12-11  Love H�rnquist �strand  <lha@it.su.se>
90
91	* *.[ch]: More documentation
92
932007-12-09  Love H�rnquist �strand  <lha@it.su.se>
94
95	* handle refcount on NULL.
96
97	* test_nist_pkcs12.in: drop echo -n, doesn't work with posix sh
98
992007-12-08  Love H�rnquist �strand  <lha@it.su.se>
100
101	* test_nist2.in: Print that this is version 2 of the tests
102
103	* test_nist.in: Drop printing of $id.
104
105	* hx509.h: Add HX509_VHN_F_ALLOW_NO_MATCH.
106
107	* name.c: spelling.
108
109	* cert.c: make work the doxygen.
110
111	* name.c: fix doxygen compiling.
112
113	* Makefile.am: add doxygen.c
114
115	* doxygen.c: Add doxygen main page.
116
117	* cert.c: Add doxygen.
118
119	* revoke.c (_hx509_revoke_ref): new function.
120
1212007-11-16  Love H�rnquist �strand  <lha@it.su.se>
122
123	* ks_keychain.c: Check if SecKeyGetCSPHandle needs prototype.
124
1252007-08-16  Love H�rnquist �strand  <lha@it.su.se>
126	
127	* data/nist-data: Make work on case senstive filesystems too.
128	
1292007-08-09  Love H�rnquist �strand  <lha@it.su.se>
130
131	* cert.c: match rfc822 contrains better, provide better error
132	strings.
133
1342007-08-08  Love H�rnquist �strand  <lha@it.su.se>
135
136	* cert.c: "self-signed doesn't count" doesn't apply to trust
137	anchor certificate.  make trust anchor check consistant.
138
139	* revoke.c: make compile.
140
141	* revoke.c (verify_crl): set error strings.
142	
143	* revoke.c (verify_crl): handle with the signer is the
144	CRLsigner (shortcut).
145
146	* cert.c: Fix NC, comment on how to use _hx509_check_key_usage.
147
1482007-08-03  Love H�rnquist �strand  <lha@it.su.se>
149
150	* test_nist2.in, Makefile, test/nist*: Add nist pkits tests. 
151
152	* revoke.c: Update to use CERT_REVOKED error, shortcut out of OCSP
153	checking when OCSP reply is a revocation reply.
154
155	* hx509_err.et: Make CERT_REVOKED error OCSP/CRL agnostic.
156
157	* name.c (_hx509_Name_to_string): make printableString handle
158	space (0x20) diffrences as required by rfc3280.
159
160	* revoke.c: Search for the right issuer when looking for the
161	issuer of the CRL signer.
162
1632007-08-02  Love H�rnquist �strand  <lha@it.su.se>
164
165	* revoke.c: Handle CRL signing certificate better, try to not
166	revalidate invalid CRLs over and over.
167
1682007-08-01  Love H�rnquist �strand  <lha@it.su.se>
169
170	* cms.c: remove stale comment.
171
172	* test_nist.in: Unpack PKITS_data.zip and run tests.
173	
174	* test_nist_cert.in: Adapt to new nist pkits framework.
175
176	* test_nist_pkcs12.in: Adapt to new nist pkits framework.
177
178	* Makefile.am: clean PKITS_data
179
1802007-07-16  Love H�rnquist �strand  <lha@it.su.se>
181
182	* Makefile.am: Add version-script.map to EXTRA_DIST
183
1842007-07-12  Love H�rnquist �strand  <lha@it.su.se>
185
186	* Makefile.am: Add depenency on asn1_compile for asn1 built files.
187	
1882007-07-10  Love H�rnquist �strand  <lha@it.su.se>
189
190	* peer.c: update (c), indent.
191
192	* Makefile.am: New library version.
193
1942007-06-28  Love H�rnquist �strand  <lha@it.su.se>
195
196	* ks_p11.c: Add sha2 types.
197
198	* ref/pkcs11.h: Sync with scute.
199
200	* ref/pkcs11.h: Add sha2 CKM's.
201
202	* print.c: Print authorityInfoAccess.
203
204	* cert.c: Rename proxyCertInfo oid.
205
206	* ca.c: Rename proxyCertInfo oid.
207
208	* print.c: Rename proxyCertInfo oid.
209	
2102007-06-26  Love H�rnquist �strand  <lha@it.su.se>
211
212	* test_ca.in: Adapt to new request handling.
213
214	* req.c: Allow export some of the request parameters.
215
216	* hxtool-commands.in: Adapt to new request handling.
217
218	* hxtool.c: Adapt to new request handling.
219
220	* test_req.in: Adapt to new request handling.
221
222	* version-script.map: Add initialize_hx_error_table_r.
223
224	* req.c: Move _hx509_request_print here.
225
226	* hxtool.c: use _hx509_request_print
227
228	* version-script.map: Export more crap^W semiprivate functions.
229
230	* hxtool.c: don't _hx509_abort
231
232	* version-script.map: add missing ;
233
2342007-06-25  Love H�rnquist �strand  <lha@it.su.se>
235
236	* cms.c: Use hx509_crypto_random_iv.
237
238	* crypto.c: Split out the iv creation from hx509_crypto_encrypt
239	since _hx509_pbe_encrypt needs to use the iv from the s2k
240	function.
241
242	* test_cert.in: Test PEM and DER FILE writing functionallity.
243
244	* ks_file.c: Add writing DER certificates.
245
246	* hxtool.c: Update to new hx509_pem_write().
247
248	* test_cms.in: test creation of PEM signeddata.
249
250	* hx509.h: PEM struct/function declarations.
251
252	* ks_file.c: Use PEM encoding/decoding functions.
253
254	* file.c: PEM encode/decoding functions.
255
256	* ks_file.c: Use hx509_pem_write.
257
258	* version-script.map: Export some semi-private functions.
259
260	* hxtool.c: Enable writing out signed data as a pem attachment.
261
262	* hxtool-commands.in (cms-create-signed): add --pem
263
264	* file.c (hx509_pem_write): Add.
265
266	* test_ca.in: Issue and test null subject cert.
267
268	* cert.c: Match is first component is in a CN=.
269
270	* test_ca.in: Test hostname if first CN.
271
272	* Makefile.am: Add version script.
273
274	* version-script.map: Limited exported symbols.
275
276	* test_ca.in: test --hostname.
277
278	* test_chain.in: test max-depth
279
280	* hx509.h: fixate HX509_HN_HOSTNAME at 0.
281
282	* hxtool-commands.in: add --hostname add --max-depth
283
284	* cert.c: Verify hostname and max-depth.
285
286	* hxtool.c: Verify hostname and test max-depth.
287
2882007-06-24  Love H�rnquist �strand  <lha@it.su.se>
289
290	* test_cms.in: Test --id-by-name.
291
292	* hxtool-commands.in: add cms-create-sd --id-by-name
293
294	* hxtool.c: Use HX509_CMS_SIGATURE_ID_NAME.
295
296	* cms.c: Implement and use HX509_CMS_SIGATURE_ID_NAME.
297
298	* hx509.h: Add HX509_CMS_SIGATURE_ID_NAME, use subject name for
299	CMS.Identifier.  hx509_hostname_type: add hostname type for
300	matching.
301
302	* cert.c (match_general_name): more strict rfc822Name matching.
303	(hx509_verify_hostname): add hostname type for matching.
304
3052007-06-19  Love H�rnquist �strand  <lha@it.su.se>
306
307	* hxtool.c: Make compile again.
308
309	* hxtool.c: Added peap-server for to make windows peap clients
310	happy.
311
312	* hxtool.c: Unify parse_oid code.
313
314	* hxtool.c: Implement --content-type.
315
316	* hxtool-commands.in: Add content-type.
317
318	* test_cert.in: more cert and keyset tests.
319
3202007-06-18  Love H�rnquist �strand  <lha@it.su.se>
321
322	* revoke.c: Avoid stomping on NULL.
323
324	* revoke.c: Avoid reusing i.
325
326	* cert.c: Provide __attribute__ for _hx509_abort.
327
328	* ks_file.c: Fail if not finding iv.
329
330	* keyset.c: Avoid useing freed memory.
331
332	* crypto.c: Free memory in failure case.
333
334	* crypto.c: Free memory in failure case.
335
3362007-06-12  Love H�rnquist �strand  <lha@it.su.se>
337
338	* *.c: Add hx509_cert_init_data and use everywhere
339
340	* hx_locl.h: Now that KEYCHAIN:system-anchors is fast again, use
341	that.
342
343	* ks_keychain.c: Implement trust anchor support with
344	SecTrustCopyAnchorCertificates.
345
346	* keyset.c: Set ref to 1 for the new object.
347
348	* cert.c: Fix logic for allow_default_trust_anchors
349
350	* keyset.c: Add refcounting to keystores.
351
352	* cert.c: Change logic for default trust anchors, make it be
353	either default trust anchor, the user supplied, or non at all.
354
3552007-06-08  Love H�rnquist �strand  <lha@it.su.se>
356
357	* Makefile.am: Add data/j.pem.
358
359	* Makefile.am: Add test_windows.in.
360	
3612007-06-06  Love H�rnquist �strand  <lha@it.su.se>
362
363	* ks_keychain.c: rename functions, leaks less memory and more
364	paranoia.
365
366	* test_cms.in: Test cms peer-alg.
367
368	* crypto.c (rsa_create_signature): make oid_id_pkcs1_rsaEncryption
369	mean rsa-with-sha1 but oid oid_id_pkcs1_rsaEncryption in algorithm
370	field.  XXX should probably use another algorithmIdentifier for
371	this.
372
373	* peer.c: Make free function return void.
374
375	* cms.c (hx509_cms_create_signed_1): Use hx509_peer_info to select
376	the signature algorithm too.
377
378	* hxtool-commands.in: Add cms-create-sd --peer-alg.
379
380	* req.c: Use _hx509_crypto_default_sig_alg.
381
382	* test_windows.in: Create crl, because everyone needs one.
383
384	* Makefile.am: add wcrl.crl
385	
3862007-06-05  Love H�rnquist �strand  <lha@it.su.se>
387
388	* hx_locl.h: Disable KEYCHAIN for now, its slow.
389
390	* cms.c: When we are not using pkcs7-data, avoid seing
391	signedAttributes since some clients get upset by that (pkcs7 based
392	or just plain broken).
393
394	* ks_keychain.c: Provide rsa signatures.
395
396	* ks_keychain.c: Limit the searches to the selected keychain.
397
398	* ks_keychain.c: include -framework Security specific header files
399	after #ifdef
400
401	* ks_keychain.c: Find and attach private key (does not provide
402	operations yet though).
403
404	* ks_p11.c: Prefix rsa method with p11_
405
406	* ks_keychain.c: Allow opening a specific chain, making "system"
407	special and be the system X509Anchors file. By not specifing any
408	keychain ("KEYCHAIN:"), all keychains are probed.
409	
4102007-06-04  Love H�rnquist �strand  <lha@it.su.se>
411
412	* hxtool.c (verify): Friendlier error message.
413
414	* cert.c: Read in and use default trust anchors if they exists.
415
416	* hx_locl.h: Add concept of default_trust_anchors.
417
418	* ks_keychain.c: Remove err(), remove extra empty comment, fix
419	_iter function.
420
421	* error.c (hx509_get_error_string): if the error code is not the
422	one we expect, punt and use the default com_err/strerror string
423	instead.
424
425	* keyset.c (hx509_certs_merge): its ok to merge in the NULL set of
426	certs.
427
428	* test_windows.in: Fix status string.
429
430	* ks_p12.c (store_func): free whole CertBag, not just the data
431	part.
432	
433	* print.c: Check that the self-signed cert is really self-signed.
434
435	* print.c: Use selfsigned for CRL DP whine, tell if its a
436	self-signed.
437
438	* print.c: Whine if its a non CA/proxy and doesn't have CRL DP.
439
440	* ca.c: Add cRLSign to CA certs.
441
442	* cert.c: Register NULL and KEYCHAIN.
443
444	* ks_null.c: register the NULL keystore.
445
446	* Makefile.am: Add ks_keychain.c and related libs.
447
448	* test_crypto.in: Print certificate with utf8.
449
450	* print.c: Leak less memory.
451
452	* hxtool.c: Leak less memory.
453
454	* print.c: Leak less memory, use functions that does same but
455	more.
456
457	* name.c (quote_string): don't sign extend the (signed) char to
458	avoid printing too much, add an assert to check that we didn't
459	overrun the buffer.
460
461	* name.c: Use right element out of the CHOICE for printableString
462	and utf8String
463
464	* ks_keychain.c: Certificate only KeyChain backend.
465
466	* name.c: Reset name before parsing it.
467	
4682007-06-03  Love H�rnquist �strand  <lha@it.su.se>
469	
470	* revoke.c (hx509_crl_*): fix sizeof() mistakes to fix memory
471	corruption.
472
473	* hxtool.c: Add lifetime to crls.
474
475	* hxtool-commands.in: Add lifetime to crls.
476
477	* revoke.c: Add lifetime to crls.
478
479	* test_ca.in: More crl checks.
480
481	* revoke.c: Add revoking certs.
482
483	* hxtool-commands.in: argument is certificates.. for crl-sign
484
485	* hxtool.c (certificate_copy): free lock
486
487	* revoke.c: Fix hx509_set_error_string calls, add
488	hx509_crl_add_revoked_certs(), implement hx509_crl_{alloc,free}.
489
490	* hxtool.c (crl_sign): free lock
491
492	* cert.c (hx509_context_free): free querystat
493	
4942007-06-02  Love H�rnquist �strand  <lha@it.su.se>
495
496	* test_chain.in: test ocsp-verify
497	
498	* revoke.c (hx509_ocsp_verify): explain what its useful for and
499	provide sane error message.
500
501	* hx509_err.et: New error code, CERT_NOT_IN_OCSP
502
503	* hxtool.c: New command ocsp-verify, check if ocsp contains all
504	certs and are valid (exist and non expired).
505
506	* hxtool-commands.in: New command ocsp-verify.
507	
5082007-06-01  Love H�rnquist �strand  <lha@it.su.se>
509
510	* test_ca.in: Create crl and verify that is works.
511
512	* hxtool.c: Sign CRL command.
513
514	* hx509.h: Add hx509_crl.
515
516	* hxtool-commands.in: Add crl-sign commands.
517
518	* revoke.c: Support to generate an empty CRL.
519
520	* tst-crypto-select2: Switched default types.
521
522	* tst-crypto-select1: Switched default types.
523
524	* ca.c: Use default AlgorithmIdentifier.
525
526	* cms.c: Use default AlgorithmIdentifier.
527
528	* crypto.c: Provide default AlgorithmIdentifier and use them.
529
530	* hx_locl.h: Provide default AlgorithmIdentifier.
531
532	* keyset.c (hx509_certs_find): collects stats for queries.
533
534	* cert.c: Sort and print more info.
535
536	* hx_locl.h: Add querystat to hx509_context.
537
538	* test_*.in: sprinle stat saveing
539
540	* Makefile.am: Add stat and objdir.
541
542	* collector.c (_hx509_collector_alloc): return error code instead
543	of pointer.
544
545	* hxtool.c: Add statistic hook.
546
547	* ks_file.c: Update _hx509_collector_alloc prototype.
548
549	* ks_p12.c: Update _hx509_collector_alloc prototype.
550
551	* ks_p11.c: Update _hx509_collector_alloc prototype.
552
553	* hxtool-commands.in: Add statistics hook.
554
555	* cert.c: Statistics printing.
556
557	* ks_p12.c: plug memory leak
558
559	* ca.c (hx509_ca_tbs_add_crl_dp_uri): plug memory leak
560	
5612007-05-31  Love H�rnquist �strand  <lha@it.su.se>
562
563	* print.c: print utf8 type SAN's
564
565	* Makefile.am: Fix windows client cert name.
566
567	* test_windows.in: Add crl-uri for the ee certs.
568
569	* print.c: Printf formating.
570
571	* ca.c: Add glue for adding CRL dps.
572
573	* test_ca.in: Readd the crl adding code, it works (somewhat) now.
574
575	* print.c: Fix printing of CRL DPnames (I hate IMPLICIT encoded
576	structures).
577
578	* hxtool-commands.in: make ca and alias of certificate-sign
579	
5802007-05-30  Love H�rnquist �strand  <lha@it.su.se>
581
582	* crypto.c (hx509_crypto_select): copy AI to the right place.
583
584	* hxtool-commands.in: Add ca --ms-upn.
585
586	* hxtool.c: add --ms-upn and add more EKU's for pk-init client.
587
588	* ca.c: Add hx509_ca_tbs_add_san_ms_upn and refactor code.
589
590	* test_crypto.in: Resurect killed e.
591
592	* test_crypto.in: check for aes256-cbc
593
594	* tst-crypto-select7: check for aes256-cbc
595
596	* test_windows.in: test windows stuff
597
598	* hxtool.c: add ca --domain-controller option, add secret key
599	option to avaible.
600
601	* ca.c: Add hx509_ca_tbs_set_domaincontroller.
602
603	* hxtool-commands.in: add ca --domain-controller
604
605	* hxtool.c: hook for testing secrety key algs
606
607	* crypto.c: Add selection code for secret key crypto.
608
609	* hx509.h: Add HX509_SELECT_SECRET_ENC.
610	
6112007-05-13  Love H�rnquist �strand  <lha@it.su.se>
612	
613	* ks_p11.c: add more mechtypes
614	
6152007-05-10  Love H�rnquist �strand  <lha@it.su.se>
616	
617	* print.c: Indent.
618
619	* hxtool-commands.in: add test-crypto command
620
621	* hxtool.c: test crypto command
622
623	* cms.c (hx509_cms_create_signed_1): if no eContentType is given,
624	use pkcs7-data.
625
626	* print.c: add Netscape cert comment
627
628	* crypto.c: Try both the empty password and the NULL
629	password (nothing vs the octet string \x00\x00).
630
631	* print.c: Add some US Fed PKI oids.
632
633	* ks_p11.c: Add some more hashes.
634	
6352007-04-24  Love H�rnquist �strand  <lha@it.su.se>
636
637	* hxtool.c (crypto_select): stop memory leak
638	
6392007-04-19  Love H�rnquist �strand  <lha@it.su.se>
640
641	* peer.c (hx509_peer_info_free): free memory used too
642
643	* hxtool.c (crypto_select): only free peer if it was used.
644	
6452007-04-18  Love H�rnquist �strand  <lha@it.su.se>
646
647	* hxtool.c: free template
648
649	* ks_mem.c (mem_free): free key array too
650
651	* hxtool.c: free private key and tbs
652
653	* hxtool.c (hxtool_ca): free signer
654
655	* hxtool.c (crypto_available): free peer too.
656
657	* ca.c (get_AuthorityKeyIdentifier): leak less memory
658
659	* hxtool.c (hxtool_ca): free SPKI
660
661	* hxtool.c (hxtool_ca): free cert
662
663	* ks_mem.c (mem_getkeys): allocate one more the we have elements
664	so its possible to store the NULL pointer at the end.
665	
6662007-04-16  Love H�rnquist �strand  <lha@it.su.se>
667	
668	* Makefile.am: CLEANFILES += cert-null.pem cert-sub-ca2.pem
669	
6702007-02-05  Love H�rnquist �strand  <lha@it.su.se>
671	
672	* ca.c: Disable CRLDistributionPoints for now, its IMPLICIT code
673	in the asn1 parser.
674
675	* print.c: Add some more \n's.
676	
6772007-02-03  Love H�rnquist �strand  <lha@it.su.se>
678	
679	* file.c: Allow mapping using heim_octet_string.
680
681	* hxtool.c: Add options to generate detached signatures.
682
683	* cms.c: Add flags to generate detached signatures.
684
685	* hx509.h: Flag to generate detached signatures.
686
687	* test_cms.in: Support detached sigatures.
688
689	* name.c (hx509_general_name_unparse): unparse the other
690	GeneralName nametypes.
691
692	* print.c: Use less printf. Use hx509_general_name_unparse.
693
694	* cert.c: Fix printing and plug leak-on-error.
695	
6962007-01-31  Love H�rnquist �strand  <lha@it.su.se>
697	
698	* test_ca.in: Add test for ca --crl-uri.
699
700	* hxtool.c: Add ca --crl-uri.
701
702	* hxtool-commands.in: add ca --crl-uri
703
704	* ca.c: Code to set CRLDistributionPoints in certificates.
705
706	* print.c: Check CRLDistributionPointNames.
707
708	* name.c (hx509_general_name_unparse): function for unparsing
709	GeneralName, only supports GeneralName.URI
710
711	* cert.c (is_proxy_cert): free info if we wont return it.
712	
7132007-01-30  Love H�rnquist �strand  <lha@it.su.se>
714	
715	* hxtool.c: Try to help how to use this command.
716	
7172007-01-21  Love H�rnquist �strand  <lha@it.su.se>
718	
719	* switch to sha256 as default digest for signing
720
7212007-01-20  Love H�rnquist �strand  <lha@it.su.se>
722
723	* test_ca.in: Really test sub-ca code, add basic constraints tests
724	
7252007-01-17  Love H�rnquist �strand  <lha@it.su.se>
726	
727	* Makefile.am: Fix makefile problem.
728	
7292007-01-16  Love H�rnquist �strand  <lha@it.su.se>
730
731	* hxtool.c: Set num of bits before we generate the key.
732	
7332007-01-15  Love H�rnquist �strand  <lha@it.su.se>
734	
735	* cms.c (hx509_cms_create_signed_1): use hx509_cert_binary
736
737	* ks_p12.c (store_func): use hx509_cert_binary
738
739	* ks_file.c (store_func): use hx509_cert_binary
740
741	* cert.c (hx509_cert_binary): return binary encoded
742	certificate (DER format)
743	
7442007-01-14  Love H�rnquist �strand  <lha@it.su.se>
745	
746	* ca.c (hx509_ca_tbs_subject_expand): new function.
747
748	* name.c (hx509_name_expand): if env is NULL, return directly
749
750	* test_ca.in: test template handling
751
752	* hx509.h: Add template flags.
753
754	* Makefile.am: clean out new files
755
756	* hxtool.c: Add certificate template processing, fix hx509_err
757	usage.
758
759	* hxtool-commands.in: Add certificate template processing.
760
761	* ca.c: Add certificate template processing. Fix return messages
762	from hx509_ca_tbs_add_eku.
763
764	* cert.c: Export more stuff from certificate.
765	
7662007-01-13  Love H�rnquist �strand  <lha@it.su.se>
767
768	* ca.c: update (c)
769
770	* ca.c: (hx509_ca_tbs_add_eku): filter out dups.
771	
772	* hxtool.c: Add type email and add email eku when using option
773	--email.
774
775	* Makefile.am: add env.c
776
777	* name.c: Remove abort, add error handling.
778
779	* test_name.c: test name expansion
780
781	* name.c: add hx509_name_expand
782
783	* env.c: key-value pair help functions
784	
7852007-01-12  Love H�rnquist �strand  <lha@it.su.se>
786	
787	* ca.c: Don't issue certs with subject DN that is NULL and have no
788	SANs
789
790	* print.c: Fix previous test.
791
792	* print.c: Check there is a SAN if subject DN is NULL.
793
794	* test_ca.in: test email, null subject dn
795
796	* hxtool.c: Allow setting parameters to private key generation.
797
798	* hx_locl.h: Allow setting parameters to private key generation.
799
800	* crypto.c: Allow setting parameters to private key generation.
801
802	* hxtool.c (eval_types): add jid if user gave one
803
804	* hxtool-commands.in (certificate-sign): add --jid
805
806	* ca.c (hx509_ca_tbs_add_san_jid): Allow adding
807	id-pkix-on-xmppAddr OtherName.
808
809	* print.c: Print id-pkix-on-xmppAddr OtherName.
810	
8112007-01-11  Love H�rnquist �strand  <lha@it.su.se>
812	
813	* no random, no RSA/DH tests
814
815	* hxtool.c (info): print status of random generator
816
817	* Makefile.am: remove files created by tests
818
819	* error.c: constify
820
821	* name.c: constify
822
823	* revoke.c: constify
824
825	* hx_locl.h: constify
826
827	* keyset.c: constify
828
829	* ks_p11.c: constify
830
831	* hx_locl.h: make printinfo char * argument const.
832
833	* cms.c: move _hx509_set_digest_alg from cms.c to crypto.c since
834	its only used there.
835
836	* crypto.c: remove no longer used stuff, move set_digest_alg here
837	from cms.c since its only used here.
838
839	* Makefile.am: add data/test-nopw.p12 to EXTRA_DIST
840	
8412007-01-10  Love H�rnquist �strand  <lha@it.su.se>
842	
843	* print.c: BasicConstraints vs criticality bit is complicated and
844	not really possible to evaluate on its own, silly RFC3280.
845
846	* ca.c: Make basicConstraints critical if this is a CA.
847
848	* print.c: fix the version vs extension test
849
850	* print.c: More validation checks.
851
852	* name.c (hx509_name_cmp): add
853	
8542007-01-09  Love H�rnquist �strand  <lha@it.su.se>
855
856	* ks_p11.c (collect_private_key): Missing CKA_MODULUS is ok
857	too (XXX why should these be fetched given they are not used).
858
859	* test_ca.in: rename all files to PEM files, since that is what
860	they are.
861
862	* hxtool.c: copy out the key with the self signed CA cert
863
864	* Factor out private key operation out of the signing, operations,
865	support import, export, and generation of private keys. Add
866	support for writing PEM and PKCS12 files with private keys in them.
867 
868	* data/gen-req.sh: Generate a no password pkcs12 file.
869	
8702007-01-08  Love H�rnquist �strand  <lha@it.su.se>
871
872	* cms.c: Check for internal ASN1 encoder error.
873	
8742007-01-05  Love H�rnquist �strand  <lha@it.su.se>
875	
876	* Makefile.am: Drop most of the pkcs11 files.
877
878	* test_ca.in: test reissueing ca certificate (xxx time
879	validAfter).
880
881	* hxtool.c: Allow setting serialNumber (needed for reissuing
882	certificates) Change --key argument to --out-key.
883
884	* hxtool-commands.in (issue-certificate): Allow setting
885	serialNumber (needed for reissuing certificates), Change --key
886	argument to --out-key.
887
888	* ref: Replace with Marcus Brinkmann of g10 Code GmbH pkcs11
889	headerfile that is compatible with GPL (file taken from scute)
890
8912007-01-04  Love H�rnquist �strand  <lha@it.su.se>
892
893	* test_ca.in: Test to generate key and use them.
894
895	* hxtool.c: handle other keys the pkcs10 requested keys
896
897	* hxtool-commands.in: add generate key commands
898
899	* req.c (_hx509_request_to_pkcs10): PKCS10 needs to have a subject
900
901	* hxtool-commands.in: Spelling.
902
903	* ca.c (hx509_ca_tbs_set_proxy): allow negative pathLenConstraint
904	to signal no limit
905
906	* ks_file.c: Try all formats on the binary file before giving up,
907	this way we can handle binary rsa keys too.
908
909	* data/key2.der: new test key
910
9112007-01-04  David Love  <fx@gnu.org>
912
913	* Makefile.am (hxtool_LDADD): Add libasn1.la
914
915	* hxtool.c (pcert_verify): Fix format string.
916
9172006-12-31  Love H�rnquist �strand  <lha@it.su.se>
918
919	* hxtool.c: Allow setting path length
920
921	* cert.c: Fix test for proxy certs chain length, it was too
922	restrictive.
923	
924	* data: regen
925	
926	* data/openssl.cnf: (proxy_cert) make length 0
927
928	* test_ca.in: Issue a long living cert.
929
930	* hxtool.c: add --lifetime to ca command.
931
932	* hxtool-commands.in: add --lifetime to ca command.
933
934	* ca.c: allow setting notBefore and notAfter.
935
936	* test_ca.in: Test generation of proxy certificates.
937
938	* ca.c: Allow generation of proxy certificates, always include
939	BasicConstraints, fix error codes.
940
941	* hxtool.c: Allow generation of proxy certificates.
942
943	* test_name.c: make hx509_parse_name take a hx509_context.
944
945	* name.c: Split building RDN to a separate function.
946	
9472006-12-30  Love H�rnquist �strand  <lha@it.su.se>
948	
949	* Makefile.am: clean test_ca files.
950
951	* test_ca.in: test issuing self-signed and CA certificates.
952
953	* hxtool.c: Add bits to allow issuing self-signed and CA
954	certificates.
955
956	* hxtool-commands.in: Add bits to allow issuing self-signed and CA
957	certificates.
958
959	* ca.c: Add bits to allow issuing CA certificates.
960
961	* revoke.c: use new OCSPSigning.
962
963	* ca.c: Add Subject Key Identifier.
964
965	* ca.c: Add Authority Key Identifier.
966	
967	* cert.c: Locally export _hx509_find_extension_subject_key_id.
968	Handle AuthorityKeyIdentifier where only authorityCertSerialNumber
969	and authorityCertSerialNumber is set.
970
971	* hxtool-commands.in: Add dnsname and rfc822 SANs.
972
973	* test_ca.in: Test dnsname and rfc822 SANs.
974
975	* ca.c: Add dnsname and rfc822 SANs.
976
977	* hxtool.c: Add dnsname and rfc822 SANs.
978
979	* test_ca.in: test adding eku, ku and san to the
980	certificate (https and pk-init)
981
982	* hxtool.c: Add eku, ku and san to the certificate.
983
984	* ca.c: Add eku, ku and san to the certificate.
985
986	* hxtool-commands.in: Add --type and --pk-init-principal
987
988	* ocsp.asn1: remove id-kp-OCSPSigning, its in rfc2459.asn1 now
989	
9902006-12-29  Love H�rnquist �strand  <lha@it.su.se>
991
992	* ca.c: Add KeyUsage extension.
993
994	* Makefile.am: add ca.c, add sign-certificate tests.
995
996	* crypto.c: Add _hx509_create_signature_bitstring.
997
998	* hxtool-commands.in: Add the sign-certificate tool.
999
1000	* hxtool.c: Add the sign-certificate tool.
1001
1002	* cert.c: Add HX509_QUERY_OPTION_KU_KEYCERTSIGN.
1003
1004	* hx509.h: Add hx509_ca_tbs and HX509_QUERY_OPTION_KU_KEYCERTSIGN.
1005
1006	* test_ca.in: Basic test of generating a pkcs10 request, signing
1007	it and verifying the chain.
1008
1009	* ca.c: Naive certificate signer.
1010	
10112006-12-28  Love H�rnquist �strand  <lha@it.su.se>
1012	
1013	* hxtool.c: add hxtool_hex
1014	
10152006-12-22  Love H�rnquist �strand  <lha@it.su.se>
1016	
1017	* Makefile.am: use top_builddir for libasn1.la
1018	
10192006-12-11  Love H�rnquist �strand  <lha@it.su.se>
1020	
1021	* hxtool.c (print_certificate): print serial number.
1022
1023	* name.c (no): add S=stateOrProvinceName
1024	
10252006-12-09  Love H�rnquist �strand  <lha@it.su.se>
1026	
1027	* crypto.c (_hx509_private_key_assign_rsa): set a default sig alg
1028
1029	* ks_file.c (try_decrypt): pass down AlgorithmIdentifier that key
1030	uses to do sigatures so there is no need to hardcode RSA into this
1031	function.
1032	
10332006-12-08  Love H�rnquist �strand  <lha@it.su.se>
1034
1035	* ks_file.c: Pass filename to the parse functions and use it in
1036	the error messages
1037
1038	* test_chain.in: test proxy cert (third level)
1039	
1040	* hx509_err.et: fix errorstring for PROXY_CERT_NAME_WRONG
1041
1042	* data: regen
1043
1044	* Makefile.am: EXTRA_DIST: add
1045	data/proxy10-child-child-test.{key,crt}
1046
1047	* data/gen-req.sh: Fix names and restrictions on the proxy
1048	certificates
1049
1050	* cert.c: Clairfy and make proxy cert handling work for multiple
1051	levels, before it was too restrictive. More helpful error message.
1052	
10532006-12-07  Love H�rnquist �strand  <lha@it.su.se>
1054	
1055	* cert.c (check_key_usage): tell what keyusages are missing
1056
1057	* print.c: Split OtherName printing code to a oid lookup and print
1058	function.
1059
1060	* print.c (Time2string): print hour as hour not min
1061
1062	* Makefile.am: CLEANFILES += test
1063	
10642006-12-06  Love H�rnquist �strand  <lha@it.su.se>
1065
1066	* Makefile.am (EXTRA_DIST): add data/pkinit-proxy* files
1067
1068	* Makefile.am (EXTRA_DIST): add tst-crypto* files
1069
1070	* cert.c (hx509_query_match_issuer_serial): make a copy of the
1071	data
1072
1073	* cert.c (hx509_query_match_issuer_serial): allow matching on
1074	issuer and serial num
1075
1076	* cert.c (_hx509_calculate_path): add flag to allow leaving out
1077	trust anchor
1078
1079	* cms.c (hx509_cms_create_signed_1): when building the path, omit
1080	the trust anchors.
1081
1082	* crypto.c (rsa_create_signature): Abort when signature is longer,
1083	not shorter.
1084
1085	* cms.c: Provide time to _hx509_calculate_path so we don't send no
1086	longer valid certs to our peer.
1087
1088	* cert.c (find_parent): when checking for certs and its not a
1089	trust anchor, require time be in range.
1090	(_hx509_query_match_cert): Add time validity-testing to query mask
1091
1092	* hx_locl.h: add time validity-testing to query mask
1093
1094	* test_cms.in: Tests for CMS SignedData with incomplete chain from
1095	the signer.
1096	
10972006-11-28  Love H�rnquist �strand  <lha@it.su.se>
1098
1099	* cms.c (hx509_cms_verify_signed): specify what signature we
1100	failed to verify
1101	
1102	* Makefile.am: Depend on LIB_com_err for AIX.
1103
1104	* keyset.c: Remove anther strndup that causes AIX to fall over.
1105
1106	* cert.c: Don't check the trust anchors expiration time since they
1107	are transported out of band, from RFC3820.
1108
1109	* cms.c: sprinkle more error strings
1110
1111	* crypto.c: sprinkle more error strings
1112
1113	* hxtool.c: use unsigned int as counter to fit better with the
1114	asn1 compiler
1115
1116	* crypto.c: use unsigned int as counter to fit better with the
1117	asn1 compiler
1118	
11192006-11-27  Love H�rnquist �strand  <lha@it.su.se>
1120	
1121	* cms.c: Remove trailing white space.
1122
1123	* crypto.c: rewrite comment to make more sense
1124
1125	* crypto.c (hx509_crypto_select): check sig_algs[j]->key_oid
1126
1127	* hxtool-commands.in (crypto-available): add --type
1128
1129	* crypto.c (hx509_crypto_available): let alg pass if its keyless
1130
1131	* hxtool-commands.in: Expand crypto-select
1132
1133	* cms.c: Rename hx509_select to hx509_crypto_select.
1134
1135	* hxtool-commands.in: Add crypto-select and crypto-available.
1136
1137	* hxtool.c: Add crypto-select and crypto-available.
1138
1139	* crypto.c (hx509_crypto_available): use right index.
1140	(hx509_crypto_free_algs): new function
1141
1142	* crypto.c (hx509_crypto_select): improve
1143	(hx509_crypto_available): new function
1144	
11452006-11-26  Love H�rnquist �strand  <lha@it.su.se>
1146	
1147	* cert.c: Sprinkle more error string and hx509_contexts.
1148
1149	* cms.c: Sprinkle more error strings.
1150
1151	* crypto.c: Sprinkle error string and hx509_contexts.
1152
1153	* crypto.c: Add some more comments about how this works.
1154
1155	* crypto.c (hx509_select): new function.
1156	
1157	* Makefile.am: add peer.c
1158
1159	* hxtool.c: Update hx509_cms_create_signed_1.
1160
1161	* hx_locl.h: add struct hx509_peer_info
1162
1163	* peer.c: Allow selection of digest/sig-alg
1164
1165	* cms.c: Allow selection of a better digest using hx509_peer_info.
1166
1167	* revoke.c: Handle that _hx509_verify_signature takes a context.
1168	
1169	* cert.c: Handle that _hx509_verify_signature takes a context.
1170	
11712006-11-25  Love H�rnquist �strand  <lha@it.su.se>
1172
1173	* cms.c: Sprinkle error strings.
1174
1175	* crypto.c: Sprinkle context and error strings.
1176	
11772006-11-24  Love H�rnquist �strand  <lha@it.su.se>
1178
1179	* name.c: Handle printing and parsing raw oids in name.
1180
11812006-11-23  Love H�rnquist �strand  <lha@it.su.se>
1182
1183	* cert.c (_hx509_calculate_path): allow to calculate optimistic
1184	path when we don't know the trust anchors, just follow the chain
1185	upward until we no longer find a parent or we hit the max limit.
1186
1187	* cms.c (hx509_cms_create_signed_1): provide a best effort path to
1188	the trust anchors to be stored in the SignedData packet, if find
1189	parents until trust anchor or max length.
1190
1191	* data: regen
1192
1193	* data/gen-req.sh: Build pk-init proxy cert.
1194	
11952006-11-16  Love H�rnquist �strand  <lha@it.su.se>
1196	
1197	* error.c (hx509_get_error_string): Put ", " between strings in
1198	error message.
1199	
12002006-11-13  Love H�rnquist �strand  <lha@it.su.se>
1201
1202	* data/openssl.cnf: Change realm to TEST.H5L.SE
1203	
12042006-11-07  Love H�rnquist �strand  <lha@it.su.se>
1205
1206	* revoke.c: Sprinkle error strings.
1207	
12082006-11-04  Love H�rnquist �strand  <lha@it.su.se>
1209	
1210	* hx_locl.h: add context variable to cmp function.
1211
1212	* cert.c (hx509_query_match_cmp_func): allow setting the match
1213	function.
1214	
12152006-10-24  Love H�rnquist �strand  <lha@it.su.se>
1216
1217	* ks_p11.c: Return less EINVAL.
1218
1219	* hx509_err.et: add more pkcs11 errors
1220
1221	* hx509_err.et: more error-codes
1222
1223	* revoke.c: Return less EINVAL.
1224
1225	* ks_dir.c: sprinkel more hx509_set_error_string
1226
1227	* ks_file.c: Return less EINVAL.
1228
1229	* hxtool.c: Pass in context to _hx509_parse_private_key.
1230
1231	* ks_file.c: Sprinkle more hx509_context so we can return propper
1232	errors.
1233
1234	* hx509_err.et: add HX509_PARSING_KEY_FAILED
1235
1236	* crypto.c: Sprinkle more hx509_context so we can return propper
1237	errors.
1238
1239	* collector.c: No more EINVAL.
1240
1241	* hx509_err.et: add HX509_LOCAL_ATTRIBUTE_MISSING
1242
1243	* cert.c (hx509_cert_get_base_subject): one less EINVAL
1244	(_hx509_cert_private_decrypt): one less EINVAL
1245	
12462006-10-22  Love H�rnquist �strand  <lha@it.su.se>
1247
1248	* collector.c: indent
1249
1250	* hxtool.c: Try to not leak memory.
1251
1252	* req.c: clean memory before free
1253
1254	* crypto.c (_hx509_private_key2SPKI): indent
1255
1256	* req.c: Try to not leak memory.
1257	
12582006-10-21  Love H�rnquist �strand  <lha@it.su.se>
1259
1260	* test_crypto.in: Read 50 kilobyte random data
1261	
1262	* revoke.c: Try to not leak memory.
1263
1264	* hxtool.c: Try to not leak memory.
1265
1266	* crypto.c (hx509_crypto_destroy): free oid.
1267
1268	* error.c: Clean error string on failure just to make sure.
1269
1270	* cms.c: Try to not leak memory (again).
1271
1272	* hxtool.c: use a sensable content type
1273
1274	* cms.c: Try harder to free certificate.
1275	
12762006-10-20  Love H�rnquist �strand  <lha@it.su.se>
1277
1278	* Makefile.am: Add make check data.
1279	
12802006-10-19  Love H�rnquist �strand  <lha@it.su.se>
1281	
1282	* ks_p11.c (p11_list_keys): make element of search_data[0]
1283	constants and set them later
1284
1285	* Makefile.am: Add more files.
1286	
12872006-10-17  Love H�rnquist �strand  <lha@it.su.se>
1288	
1289	* ks_file.c: set ret, remember to free ivdata
1290	
12912006-10-16  Love H�rnquist �strand  <lha@it.su.se>
1292
1293	* hx_locl.h: Include <parse_bytes.h>.
1294
1295	* test_crypto.in: Test random-data.
1296
1297	* hxtool.c: RAND_bytes() return 1 for cryptographic strong data,
1298	check for that.
1299
1300	* Makefile.am: clean random-data
1301
1302	* hxtool.c: Add random-data command, use sl_slc_help.
1303
1304	* hxtool-commands.in: Add random-data.
1305
1306	* ks_p12.c: Remember to release certs.
1307
1308	* ks_p11.c: Remember to release certs.
1309	
13102006-10-14  Love H�rnquist �strand  <lha@it.su.se>
1311	
1312	* prefix der primitives with der_
1313
1314	* lock.c: Match the prompt type PROMPT exact.
1315
1316	* hx_locl.h: Drop heim_any.h
1317	
13182006-10-11  Love H�rnquist �strand  <lha@it.su.se>
1319	
1320	* ks_p11.c (p11_release_module): j needs to be used as inter loop
1321	index. From Douglas Engert.
1322
1323	* ks_file.c (parse_rsa_private_key): try all passwords and
1324	prompter.
1325	
13262006-10-10  Love H�rnquist �strand  <lha@it.su.se>
1327	
1328	* test_*.in: Parameterise the invocation of hxtool, so we can make
1329	it run under TESTS_ENVIRONMENT. From Andrew Bartlett
1330
13312006-10-08  Love H�rnquist �strand  <lha@it.su.se>
1332
1333	* test_crypto.in: Put all test stuck at 2006-09-25 since all their
1334	chains where valied then.
1335
1336	* hxtool.c: Implement --time= option.
1337
1338	* hxtool-commands.in: Add option time.
1339
1340	* Makefile.am: test_name is a PROGRAM_TESTS
1341
1342	* ks_p11.c: Return HX509_PKCS11_NO_SLOT when there are no slots
1343	and HX509_PKCS11_NO_TOKEN when there are no token. For use in PAM
1344	modules that want to detect when to use smartcard login and when
1345	not to. Patched based on code from Douglas Engert.
1346
1347	* hx509_err.et: Add new pkcs11 related errors in a new section:
1348	keystore related error.  Patched based on code from Douglas
1349	Engert.
1350	
13512006-10-07  Love H�rnquist �strand  <lha@it.su.se>
1352
1353	* Makefile.am: Make depenency for slc built files just like
1354	everywhere else.
1355
1356	* cert.c: Add all openssl algs and init asn1 et
1357	
13582006-10-06  Love H�rnquist �strand  <lha@it.su.se>
1359
1360	* ks_file.c (parse_rsa_private_key): free type earlier.
1361
1362	* ks_file.c (parse_rsa_private_key): free type after use
1363
1364	* name.c (_hx509_Name_to_string): remove dup const
1365	
13662006-10-02  Love H�rnquist �strand  <lha@it.su.se>
1367	
1368	* Makefile.am: Add more libs to libhx509
1369	
13702006-10-01  Love H�rnquist �strand  <lha@it.su.se>
1371
1372	* ks_p11.c: Fix double free's, NULL ptr de-reference, and conform
1373	better to pkcs11.  From Douglas Engert.
1374
1375	* ref: remove ^M, it breaks solaris 10s cc. From Harald Barth
1376
13772006-09-19  Love H�rnquist �strand  <lha@it.su.se>
1378
1379	* test_crypto.in: Bleichenbacher bad cert from Ralf-Philipp
1380	Weinmann and Andrew Pyshkin, pad right.
1381
1382	* data: starfield test root cert and Ralf-Philipp and Andreis
1383	correctly padded bad cert
1384
13852006-09-15  Love H�rnquist �strand  <lha@it.su.se>
1386
1387	* test_crypto.in: Add test for yutaka certs.
1388
1389	* cert.c: Add a strict rfc3280 verification flag. rfc3280 requires
1390	certificates to have KeyUsage.keyCertSign if they are to be used
1391	for signing of certificates, but the step in the verifiation is
1392	optional.
1393
1394	* hxtool.c: Improve printing and error reporting.
1395	
13962006-09-13  Love H�rnquist �strand  <lha@it.su.se>
1397
1398	* test_crypto.in,Makefile.am,data/bleichenbacher-{bad,good}.pem:
1399	test bleichenbacher from eay
1400
14012006-09-12  Love H�rnquist �strand  <lha@it.su.se>
1402
1403	* hxtool.c: Make common function for all getarg_strings and
1404	hx509_certs_append commonly used.
1405
1406	* cms.c: HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT is a negative
1407	flag, treat it was such.
1408	
14092006-09-11  Love H�rnquist �strand  <lha@it.su.se>
1410
1411	* req.c: Use the new add_GeneralNames function.
1412
1413	* hx509.h: Add HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT.
1414
1415	* ks_p12.c: Adapt to new signature of hx509_cms_unenvelope.
1416
1417	* hxtool.c: Adapt to new signature of hx509_cms_unenvelope.
1418
1419	* cms.c: Allow passing in encryptedContent and flag.  Add new flag
1420	HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT.
1421	
14222006-09-08  Love H�rnquist �strand  <lha@it.su.se>
1423	
1424	* ks_p11.c: cast void * to char * when using it for %s formating
1425	in printf.
1426
1427	* name.c: New function _hx509_Name_to_string.
1428	
14292006-09-07  Love H�rnquist �strand  <lha@it.su.se>
1430
1431	* ks_file.c: Sprinkle error messages.
1432
1433	* cms.c: Sprinkle even more error messages.
1434	
1435	* cms.c: Sprinkle some error messages.
1436
1437	* cms.c (find_CMSIdentifier): only free string when we allocated
1438	one.
1439
1440	* ks_p11.c: Don't build most of the pkcs11 module if there are no
1441	dlopen().
1442	
14432006-09-06  Love H�rnquist �strand  <lha@it.su.se>
1444
1445	* cms.c (hx509_cms_unenvelope): try to save the error string from
1446	find_CMSIdentifier so we have one more bit of information what
1447	went wrong.
1448
1449	* hxtool.c: More pretty printing, make verify_signed return the
1450	error string from the library.
1451
1452	* cms.c: Try returning what certificates failed to parse or be
1453	found.
1454
1455	* ks_p11.c (p11_list_keys): fetch CKA_LABEL and use it to set the
1456	friendlyname for the certificate.
1457	
14582006-09-05  Love H�rnquist �strand  <lha@it.su.se>
1459	
1460	* crypto.c: check that there are no extra bytes in the checksum
1461	and that the parameters are NULL or the NULL-type. All to avoid
1462	having excess data that can be used to fake the signature.
1463
1464	* hxtool.c: print keyusage
1465
1466	* print.c: add hx509_cert_keyusage_print, simplify oid printing
1467
1468	* cert.c: add _hx509_cert_get_keyusage
1469
1470	* ks_p11.c: keep one session around for the whole life of the keyset
1471
1472	* test_query.in: tests more selection
1473
1474	* hxtool.c: improve pretty printing in print and query
1475
1476	* hxtool{.c,-commands.in}: add selection on KU and printing to query
1477
1478	* test_cms.in: Add cms test for digitalSignature and
1479	keyEncipherment certs.
1480
1481	* name.c (no): Add serialNumber
1482
1483	* ks_p11.c (p11_get_session): return better error messages
1484	
14852006-09-04  Love H�rnquist �strand  <lha@it.su.se>
1486
1487	* ref: update to pkcs11 reference files 2.20
1488
1489	* ks_p11.c: add more mechflags
1490
1491	* name.c (no): add OU and sort
1492
1493	* revoke.c: pass context to _hx509_create_signature
1494
1495	* ks_p11.c (p11_printinfo): print proper plural s
1496
1497	* ks_p11.c: save the mechs supported when initing the token, print
1498	them in printinfo.
1499
1500	* hx_locl.h: Include <parse_units.h>.
1501
1502	* cms.c: pass context to _hx509_create_signature
1503
1504	* req.c: pass context to _hx509_create_signature
1505
1506	* keyset.c (hx509_certs_info): print information about the keyset.
1507
1508	* hxtool.c (pcert_print) print keystore info when --info flag is
1509	given.
1510
1511	* hxtool-commands.in: Add hxtool print --info.
1512
1513	* test_query.in: Test hxtool print --info.
1514
1515	* hx_locl.h (hx509_keyset_ops): add printinfo
1516
1517	* crypto.c: Start to hang the private key operations of the
1518	private key, pass hx509_context to create_checksum.
1519	
15202006-05-29  Love H�rnquist �strand  <lha@it.su.se>
1521
1522	* ks_p11.c: Iterate over all slots, not just the first/selected
1523	one.
1524	
15252006-05-27  Love H�rnquist �strand  <lha@it.su.se>
1526
1527	* cert.c: Add release function for certifiates so backend knowns
1528	when its no longer used.
1529
1530	* ks_p11.c: Add reference counting on certifiates, push out
1531	CK_SESSION_HANDLE from slot.
1532
1533	* cms.c: sprinkle more hx509_clear_error_string
1534
15352006-05-22  Love H�rnquist �strand  <lha@it.su.se>
1536
1537	* ks_p11.c: Sprinkle some hx509_set_error_strings
1538	
15392006-05-13  Love H�rnquist �strand  <lha@it.su.se>
1540	
1541	* hxtool.c: Avoid shadowing.
1542
1543	* revoke.c: Avoid shadowing.
1544
1545	* ks_file.c: Avoid shadowing.
1546
1547	* cert.c: Avoid shadowing.
1548	
15492006-05-12  Love H�rnquist �strand  <lha@it.su.se>
1550
1551	* lock.c (hx509_prompt_hidden): reshuffle to avoid gcc warning
1552	
1553	* hx509.h: Reshuffle the prompter types, remove the hidden field.
1554
1555	* lock.c (hx509_prompt_hidden): return if the prompt should be
1556	hidden or not
1557
1558	* revoke.c (hx509_revoke_free): allow free of NULL.
1559	
15602006-05-11  Love H�rnquist �strand  <lha@it.su.se>
1561
1562	* ks_file.c (file_init): Avoid shadowing ret (and thus avoiding
1563	crashing).
1564
1565	* ks_dir.c: Implement DIR: caches useing FILE: caches.
1566
1567	* ks_p11.c: Catch more errors.
1568	
15692006-05-08  Love H�rnquist �strand  <lha@it.su.se>
1570	
1571	* crypto.c (hx509_crypto_encrypt): free correctly in error
1572	path. From Andrew Bartlett.
1573
1574	* crypto.c: If RAND_bytes fails, then we will attempt to
1575	double-free crypt->key.data.  From Andrew Bartlett.
1576	
15772006-05-05  Love H�rnquist �strand  <lha@it.su.se>
1578	
1579	* name.c: Rename u_intXX_t to uintXX_t
1580	
15812006-05-03  Love H�rnquist �strand  <lha@it.su.se>
1582
1583	* TODO: More to do about the about the PKCS11 code.
1584
1585	* ks_p11.c: Use the prompter from the lock function.
1586
1587	* lock.c: Deal with that hx509_prompt.reply is no longer a
1588	pointer.
1589
1590	* hx509.h: Make hx509_prompt.reply not a pointer.
1591	
15922006-05-02  Love H�rnquist �strand  <lha@it.su.se>
1593
1594	* keyset.c: Sprinkle setting error strings.
1595
1596	* crypto.c: Sprinkle setting error strings.
1597
1598	* collector.c: Sprinkle setting error strings.
1599
1600	* cms.c: Sprinkle setting error strings.
1601	
16022006-05-01  Love H�rnquist �strand  <lha@it.su.se>
1603	
1604	* test_name.c: renamed one error code
1605
1606	* name.c: renamed one error code
1607
1608	* ks_p11.c: _hx509_set_cert_attribute changed signature
1609
1610	* hxtool.c (pcert_print): use hx509_err so I can test it
1611
1612	* error.c (hx509_set_error_stringv): clear errors on malloc
1613	failure
1614
1615	* hx509_err.et: Add some more errors
1616
1617	* cert.c: Sprinkle setting error strings.
1618
1619	* cms.c: _hx509_path_append changed signature.
1620
1621	* revoke.c: changed signature of _hx509_check_key_usage
1622
1623	* keyset.c: changed signature of _hx509_query_match_cert
1624
1625	* hx509.h: Add support for error strings.
1626
1627	* cms.c: changed signature of _hx509_check_key_usage
1628
1629	* Makefile.am: ibhx509_la_files += error.c
1630
1631	* ks_file.c: Sprinkel setting error strings.
1632
1633	* cert.c: Sprinkel setting error strings.
1634
1635	* hx_locl.h: Add support for error strings.
1636
1637	* error.c: Add string error handling functions.
1638
1639	* keyset.c (hx509_certs_init): pass the right error code back
1640	
16412006-04-30  Love H�rnquist �strand  <lha@it.su.se>
1642
1643	* revoke.c: Revert previous patch.
1644	(hx509_ocsp_verify): new function that returns the expiration of
1645	certificate in ocsp data-blob
1646
1647	* cert.c: Reverse previous patch, lets do it another way.
1648
1649	* cert.c (hx509_revoke_verify): update usage
1650
1651	* revoke.c: Make compile.
1652
1653	* revoke.c: Add the expiration time the crl/ocsp info expire
1654
1655	* name.c: Add hx509_name_is_null_p
1656
1657	* cert.c: remove _hx509_cert_private_sigature
1658	
16592006-04-29  Love H�rnquist �strand  <lha@it.su.se>
1660	
1661	* name.c: Expose more of Name.
1662
1663	* hxtool.c (main): add missing argument to printf
1664
1665	* data/openssl.cnf: Add EKU for the KDC certificate
1666
1667	* cert.c (hx509_cert_get_base_subject): reject un-canon proxy
1668	certs, not the reverse
1669	(add_to_list): constify and fix argument order to
1670	copy_octet_string
1671	(hx509_cert_find_subjectAltName_otherName): make work
1672	
16732006-04-28  Love H�rnquist �strand  <lha@it.su.se>
1674
1675	* data/{pkinit,kdc}.{crt,key}: pkinit certificates
1676
1677	* data/gen-req.sh: Generate pkinit certificates.
1678
1679	* data/openssl.cnf: Add pkinit glue.
1680
1681	* cert.c (hx509_verify_hostname): implement stub function
1682	
16832006-04-27  Love H�rnquist �strand  <lha@it.su.se>
1684
1685	* TODO: CRL delta support
1686
16872006-04-26 Love H�rnquist �strand <lha@it.su.se>
1688	
1689	* data/.cvsignore: ignore leftover from OpenSSL cert generation
1690
1691	* hx509_err.et: Add name malformated error
1692
1693	* name.c (hx509_parse_name): don't abort on error, rather return
1694	error
1695
1696	* test_name.c: Test failure parsing name.
1697
1698	* cert.c: When verifying certificates, store subject basename for
1699	later consumption.
1700
1701	* test_name.c: test to parse and print name and check that they
1702	are the same.
1703
1704	* name.c (hx509_parse_name): fix length argument to printf string
1705
1706	* name.c (hx509_parse_name): fix length argument to stringtooid, 1
1707	too short.
1708
1709	* cert.c: remove debug printf's
1710
1711	* name.c (hx509_parse_name): make compile pre c99
1712
1713	* data/gen-req.sh: OpenSSL have a serious issue of user confusion
1714	-subj in -ca takes the arguments in LDAP order. -subj for x509
1715	takes it in x509 order.
1716
1717	* cert.c (hx509_verify_path): handle the case where the where two
1718	proxy certs in a chain.
1719
1720	* test_chain.in: enable two proxy certificates in a chain test
1721
1722	* test_chain.in: tests proxy certificates
1723
1724	* data: re-gen
1725
1726	* data/gen-req.sh: build proxy certificates
1727	
1728	* data/openssl.cnf: add def for proxy10_cert
1729
1730	* hx509_err.et: Add another proxy certificate error.
1731
1732	* cert.c (hx509_verify_path): Need to mangle name to remove the CN
1733	of the subject, copying issuer only works for one level but is
1734	better then doing no checking at all.
1735
1736	* hxtool.c: Add verify --allow-proxy-certificate.
1737
1738	* hxtool-commands.in: add verify --allow-proxy-certificate
1739
1740	* hx509_err.et: Add proxy certificate errors.
1741
1742	* cert.c: Fix comment about subject name of proxy certificate.
1743
1744	* test_chain.in: tests for proxy certs
1745
1746	* data/gen-req.sh: gen proxy and non-proxy tests certificates
1747
1748	* data/openssl.cnf: Add definition for proxy certs
1749
1750	* data/*proxy-test.*: Add proxy certificates
1751
1752	* cert.c (hx509_verify_path): verify proxy certificate have no san
1753	or ian
1754
1755	* cert.c (hx509_verify_set_proxy_certificate): Add
1756	(*): rename policy cert to proxy cert
1757
1758	* cert.c: Initial support for proxy certificates.
1759	
17602006-04-24  Love H�rnquist �strand  <lha@it.su.se>
1761
1762	* hxtool.c: some error checking
1763
1764	* name.c: Switch over to asn1 generaed oids.
1765
1766	* TODO: merge with old todo file
1767	
17682006-04-23 Love H�rnquist �strand <lha@it.su.se>
1769
1770	* test_query.in: make quiet
1771
1772	* test_req.in: SKIP test if there is no RSA support.
1773
1774	* hxtool.c: print dh method too
1775
1776	* test_chain.in: SKIP test if there is no RSA support.
1777	
1778	* test_cms.in: SKIP test if there is no RSA support.
1779
1780	* test_nist.in: SKIP test if there is no RSA support.
1781	
17822006-04-22  Love H�rnquist �strand  <lha@it.su.se>
1783
1784	* hxtool-commands.in: Allow passing in pool and anchor to
1785	signedData
1786
1787	* hxtool.c: Allow passing in pool and anchor to signedData
1788
1789	* test_cms.in: Test that certs in signed data is picked up.
1790
1791	* hx_locl.h: Expose the path building function to internal
1792	functions.
1793
1794	* cert.c: Expose the path building function to internal functions.
1795
1796	* hxtool-commands.in: cms-envelope: Add support for choosing the
1797	encryption type
1798
1799	* hxtool.c (cms_create_enveloped): Add support for choosing the
1800	encryption type
1801
1802	* test_cms.in: Test generating des-ede3 aes-128 aes-256 enveloped
1803	data
1804
1805	* crypto.c: Add names to cipher types.
1806
1807	* cert.c (hx509_query_match_friendly_name): fix return value
1808
1809	* data/gen-req.sh: generate tests for enveloped data using
1810	des-ede3 and aes256
1811
1812	* test_cms.in: add tests for enveloped data using des-ede3 and
1813	aes256
1814
1815	* cert.c (hx509_query_match_friendly_name): New function.
1816	
18172006-04-21  Love H�rnquist �strand  <lha@it.su.se>
1818	
1819	* ks_p11.c: Add support for parsing slot-number.
1820
1821	* crypto.c (oid_private_rc2_40): simply
1822
1823	* crypto.c: Use oids from asn1 generator.
1824
1825	* ks_file.c (file_init): reset length when done with a part
1826
1827	* test_cms.in: check with test.combined.crt.
1828
1829	* data/gen-req.sh: Create test.combined.crt.
1830
1831	* test_cms.in: Test signed data using keyfile that is encrypted.
1832
1833	* ks_file.c: Remove (commented out) debug printf
1834
1835	* ks_file.c (parse_rsa_private_key): use EVP_get_cipherbyname
1836
1837	* ks_file.c (parse_rsa_private_key): make working for one
1838	password.
1839
1840	* ks_file.c (parse_rsa_private_key): Implement enought for
1841	testing.
1842
1843	* hx_locl.h: Add <ctype.h>
1844
1845	* ks_file.c: Add glue code for PEM encrypted password files.
1846
1847	* test_cms.in: Add commeted out password protected PEM file,
1848	remove password for those tests that doesn't need it.
1849
1850	* test_cms.in: adapt test now that we can use any certificate and
1851	trust anchor
1852
1853	* collector.c: handle PEM RSA PRIVATE KEY files
1854
1855	* cert.c: Remove unused function.
1856
1857	* ks_dir.c: move code here from ks_file.c now that its no longer
1858	used.
1859
1860	* ks_file.c: Add support for parsing unencrypted RSA PRIVATE KEY
1861
1862	* crypto.c: Handle rsa private keys better.
1863	
18642006-04-20  Love H�rnquist �strand <lha@it.su.se>
1865
1866	* hxtool.c: Use hx509_cms_{,un}wrap_ContentInfo
1867
1868	* cms.c: Make hx509_cms_{,un}wrap_ContentInfo usable in asn1
1869	un-aware code.
1870
1871	* cert.c (hx509_verify_path): if trust anchor is not self signed,
1872	don't check sig From Douglas Engert.
1873
1874	* test_chain.in: test "sub-cert -> sub-ca"
1875	
1876	* crypto.c: Use the right length for the sha256 checksums.
1877	
18782006-04-15  Love H�rnquist �strand  <lha@it.su.se>
1879
1880	* crypto.c: Fix breakage from sha256 code.
1881
1882	* crypto.c: Add SHA256 support, and symbols for the other new
1883	SHA-2 types.
1884	
18852006-04-14  Love H�rnquist �strand  <lha@it.su.se>
1886
1887	* test_cms.in: test rc2-40 rc2-64 rc2-128 enveloped data
1888	
1889	* data/test-enveloped-rc2-{40,64,128}: add tests cases for rc2
1890
1891	* cms.c: Update prototypes changes for hx509_crypto_[gs]et_params.
1892
1893	* crypto.c: Break out the parameter handling code for encrypting
1894	data to handle RC2.  Needed for Windows 2k pk-init support.
1895	
18962006-04-04  Love H�rnquist �strand <lha@it.su.se>
1897
1898	* Makefile.am: Split libhx509_la_SOURCES into build file and
1899	distributed files so we can avoid building prototypes for
1900	build-files.
1901	
19022006-04-03  Love H�rnquist �strand  <lha@it.su.se>
1903
1904	* TODO: split certificate request into pkcs10 and CRMF
1905
1906	* hxtool-commands.in: Add nonce flag to ocsp-fetch
1907
1908	* hxtool.c: control sending nonce
1909
1910	* hxtool.c (request_create): store the request in a file, no in
1911	bitbucket.
1912
1913	* cert.c: expose print_cert_subject internally
1914
1915	* hxtool.c: Add ocsp_print.
1916
1917	* hxtool-commands.in: New command "ocsp-print".
1918
1919	* hx_locl.h: Include <hex.h>.
1920
1921	* revoke.c (verify_ocsp): require issuer to match too.
1922	(free_ocsp): new function
1923	(hx509_revoke_ocsp_print): new function, print ocsp reply
1924
1925	* Makefile.am: build CRMF files
1926
1927	* data/key.der: needed for cert request test
1928
1929	* test_req.in: adapt to rename of pkcs10-create to request-create
1930
1931	* hxtool.c: adapt to rename of pkcs10-create to request-create
1932
1933	* hxtool-commands.in: Rename pkcs10-create to request-create
1934
1935	* crypto.c: (_hx509_parse_private_key): Avoid crashing on bad input.
1936
1937	* hxtool.c (pkcs10_create): use opt->subject_string
1938
1939	* hxtool-commands.in: Add pkcs10-create --subject
1940
1941	* Makefile.am: Add test_req to tests.
1942	
1943	* test_req.in: Test for pkcs10 commands.
1944
1945	* name.c (hx509_parse_name): new function.
1946
1947	* hxtool.c (pkcs10_create): implement
1948
1949	* hxtool-commands.in (pkcs10-create): Add arguments
1950
1951	* crypto.c: Add _hx509_private_key2SPKI and support
1952	functions (only support RSA for now).
1953	
19542006-04-02  Love H�rnquist �strand  <lha@it.su.se>
1955	
1956	* hxtool-commands.in: Add pkcs10-create command.
1957
1958	* hx509.h: Add hx509_request.
1959
1960	* TODO: more stuff
1961
1962	* Makefile.am: Add req.c
1963
1964	* req.c: Create certificate requests, prototype converts the
1965	request in a pkcs10 packet.
1966
1967	* hxtool.c: Add pkcs10_create
1968
1969	* name.c (hx509_name_copy): new function.
1970	
19712006-04-01  Love H�rnquist �strand  <lha@it.su.se>
1972
1973	* TODO: fill out what do
1974
1975	* hxtool-commands.in: add pkcs10-print
1976
1977	* hx_locl.h: Include <pkcs10_asn1.h>.
1978
1979	* pkcs10.asn1: PKCS#10
1980
1981	* hxtool.c (pkcs10_print): new function.
1982
1983	* test_chain.in: test ocsp keyhash
1984
1985	* data: generate ocsp keyhash version too
1986
1987	* revoke.c (load_ocsp): test that we got back a BasicReponse
1988
1989	* ocsp.asn1: Add asn1_id_pkix_ocsp*.
1990
1991	* Makefile.am: Add asn1_id_pkix_ocsp*.
1992
1993	* cert.c: Add HX509_QUERY_MATCH_KEY_HASH_SHA1
1994
1995	* hx_locl.h: Add HX509_QUERY_MATCH_KEY_HASH_SHA1
1996
1997	* revoke.c: Support OCSPResponderID.byKey, indent.
1998
1999	* revoke.c (hx509_ocsp_request): Add nonce to ocsp request.
2000
2001	* hxtool.c: Add nonce to ocsp request.
2002
2003	* test_chain.in: Added crl tests
2004	
2005	* data/nist-data: rename missing-crl to missing-revoke
2006
2007	* data: make ca use openssl ca command so we can add ocsp tests,
2008	and regen certs
2009
2010	* test_chain.in: Add revoked ocsp cert test
2011
2012	* cert.c: rename missing-crl to missing-revoke
2013
2014	* revoke.c: refactor code, fix a un-init-ed variable
2015	
2016	* test_chain.in: rename missing-crl to missing-revoke add ocsp
2017	tests
2018
2019	* test_cms.in: rename missing-crl to missing-revoke
2020
2021	* hxtool.c: rename missing-crl to missing-revoke
2022
2023	* hxtool-commands.in: rename missing-crl to missing-revoke
2024	
2025	* revoke.c: Plug one memory leak.
2026
2027	* revoke.c: Renamed generic CRL related errors.
2028	
2029	* hx509_err.et: Comments and renamed generic CRL related errors
2030	
2031	* revoke.c: Add ocsp checker.
2032
2033	* ocsp.asn1: Add id-kp-OCSPSigning
2034
2035	* hxtool-commands.in: add url-path argument to ocsp-fetch
2036
2037	* hxtool.c: implement ocsp-fetch
2038
2039	* cert.c: Use HX509_DEFAULT_OCSP_TIME_DIFF.
2040	
2041	* hx_locl.h: Add ocsp_time_diff to hx509_context
2042
2043	* crypto.c (_hx509_verify_signature_bitstring): new function,
2044	commonly use when checking certificates
2045
2046	* cms.c (hx509_cms_envelope_1): check for internal ASN.1 encoder
2047	error
2048
2049	* cert.c: Add ocsp glue, use new
2050	_hx509_verify_signature_bitstring, add eku checking function.
2051	
20522006-03-31  Love H�rnquist �strand  <lha@it.su.se>
2053
2054	* Makefile.am: add id_kp_OCSPSigning.x
2055
2056	* revoke.c: Pick out certs in ocsp response
2057
2058	* TODO: list of stuff to verify
2059
2060	* revoke.c: Add code to load OCSPBasicOCSPResponse files, reload
2061	crl when its changed on disk.
2062
2063	* cert.c: Update for ocsp merge. handle building path w/o
2064	subject (using subject key id)
2065
2066	* ks_p12.c: _hx509_map_file changed prototype.
2067
2068	* file.c: _hx509_map_file changed prototype, returns struct stat
2069	if requested.
2070
2071	* ks_file.c: _hx509_map_file changed prototype.
2072
2073	* hxtool.c: Add stub for ocsp-fetch, _hx509_map_file changed
2074	prototype, add ocsp parsing to verify command.
2075
2076	* hx_locl.h: rename HX509_CTX_CRL_MISSING_OK to
2077	HX509_CTX_VERIFY_MISSING_OK now that we have OCSP glue
2078	
20792006-03-30  Love H�rnquist �strand  <lha@it.su.se>
2080
2081	* hx_locl.h: Add <krb5-types.h> to make it compile on Solaris,
2082	from Alex V. Labuta.
2083	
20842006-03-28  Love H�rnquist �strand  <lha@it.su.se>
2085	
2086	* crypto.c (_hx509_pbe_decrypt): try all passwords, not just the
2087	first one.
2088	
20892006-03-27  Love H�rnquist �strand  <lha@it.su.se>
2090
2091	* print.c (check_altName): Print the othername oid.
2092
2093	* crypto.c: Manual page claims RSA_public_decrypt will return -1
2094	on error, lets check for that
2095	
2096	* crypto.c (_hx509_pbe_decrypt): also try the empty password
2097
2098	* collector.c (match_localkeyid): no need to add back the cert to
2099	the cert pool, its already there.
2100
2101	* crypto.c: Add REQUIRE_SIGNER
2102
2103	* cert.c (hx509_cert_free): ok to free NULL
2104
2105	* hx509_err.et: Add new error code SIGNATURE_WITHOUT_SIGNER.
2106
2107	* name.c (_hx509_name_ds_cmp): make DirectoryString case
2108	insenstive
2109	(hx509_name_to_string): less spacing
2110
2111	* cms.c: Check for signature error, check consitency of error
2112	
21132006-03-26  Love H�rnquist �strand  <lha@it.su.se>
2114
2115	* collector.c (_hx509_collector_alloc): handle errors
2116
2117	* cert.c (hx509_query_alloc): allocate slight more more then a
2118	sizeof(pointer)
2119
2120	* crypto.c (_hx509_private_key_assign_key_file): ask for password
2121	if nothing matches.
2122
2123	* cert.c: Expose more of the hx509_query interface.
2124
2125	* collector.c: hx509_certs_find is now exposed.
2126
2127	* cms.c: hx509_certs_find is now exposed.
2128
2129	* revoke.c: hx509_certs_find is now exposed.
2130
2131	* keyset.c (hx509_certs_free): allow free-ing NULL
2132	(hx509_certs_find): expose
2133	(hx509_get_one_cert): new function
2134
2135	* hxtool.c: hx509_certs_find is now exposed.
2136
2137	* hx_locl.h: Remove hx509_query, its exposed now.
2138
2139	* hx509.h: Add hx509_query.
2140	
21412006-02-22  Love H�rnquist �strand  <lha@it.su.se>
2142
2143	* cert.c: Add exceptions for null (empty) subjectNames
2144
2145	* data/nist-data: Add some more name constraints tests.
2146
2147	* data/nist-data: Add some of the test from 4.13 Name Constraints.
2148
2149	* cert.c: Name constraits needs to be evaluated in block as they
2150	appear in the certificates, they can not be joined to one
2151	list. One example of this is:
2152	
2153	- cert is cn=foo,dc=bar,dc=baz
2154	- subca is dc=foo,dc=baz with name restriction dc=kaka,dc=baz
2155	- ca is dc=baz with name restriction dc=baz
2156	
2157	If the name restrictions are merged to a list, the certificate
2158	will pass this test.
2159
21602006-02-14 Love H�rnquist �strand <lha@it.su.se>
2161
2162	* cert.c: Handle more name constraints cases.
2163
2164	* crypto.c (dsa_verify_signature): if test if malloc failed
2165
21662006-01-31  Love H�rnquist �strand  <lha@it.su.se>
2167
2168	* cms.c: Drop partial pkcs12 string2key implementation.
2169	
21702006-01-20  Love H�rnquist �strand  <lha@it.su.se>
2171
2172	* data/nist-data: Add commited out DSA tests (they fail).
2173
2174	* data/nist-data: Add 4.2 Validity Periods.
2175
2176	* test_nist.in: Make less verbose to use.
2177
2178	* Makefile.am: Add test_nist_cert.
2179
2180	* data/nist-data: Add some more CRL-tests.
2181
2182	* test_nist.in: Print $id instead of . when running the tests.
2183
2184	* test_nist.in: Drop verifying certifiates, its done in another
2185	test now.
2186
2187	* data/nist-data: fixup kill-rectangle leftovers
2188
2189	* data/nist-data: Drop verifying certifiates, its done in another
2190	test now.  Add more crl tests. comment out all unused tests.
2191
2192	* test_nist_cert.in: test parse all nist certs
2193	
21942006-01-19  Love H�rnquist �strand  <lha@it.su.se>
2195
2196	* hx509_err.et: Add HX509_CRL_UNKNOWN_EXTENSION.
2197
2198	* revoke.c: Check for unknown extentions in CRLs and CRLEntries.
2199
2200	* test_nist.in: Parse new format to handle CRL info.
2201
2202	* test_chain.in: Add --missing-crl.
2203
2204	* name.c (hx509_unparse_der_name): Rename from hx509_parse_name.
2205	(_hx509_unparse_Name): Add.
2206
2207	* hxtool-commands.in: Add --missing-crl to verify commands.
2208
2209	* hx509_err.et: Add CRL errors.
2210
2211	* cert.c (hx509_context_set_missing_crl): new function Add CRL
2212	handling.
2213
2214	* hx_locl.h: Add HX509_CTX_CRL_MISSING_OK.
2215
2216	* revoke.c: Parse and verify CRLs (simplistic).
2217
2218	* hxtool.c: Parse CRL info.
2219
2220	* data/nist-data: Change format so we can deal with CRLs, also
2221	note the test-id from PKITS.
2222
2223	* data: regenerate test
2224	
2225	* data/gen-req.sh: use static-file to generate tests
2226	
2227	* data/static-file: new file to use for commited tests
2228
2229	* test_cms.in: Use static file, add --missing-crl.
2230	
22312006-01-18  Love H�rnquist �strand <lha@it.su.se>
2232
2233	* print.c: Its cRLReason, not cRLReasons.
2234
2235	* hxtool.c: Attach revoke context to verify context.
2236
2237	* data/nist-data: change syntax to make match better with crl
2238	checks
2239
2240	* cert.c: Verify no certificates has been revoked with the new
2241	revoke interface.
2242
2243	* Makefile.am: libhx509_la_SOURCES += revoke.c
2244
2245	* revoke.c: Add framework for handling CRLs.
2246
2247	* hx509.h: Add hx509_revoke_ctx.
2248	
22492006-01-13  Love H�rnquist �strand  <lha@it.su.se>
2250
2251	* delete crypto_headers.h, use global file instead.
2252
2253	* crypto.c (PBE_string2key): libdes now supports PKCS12_key_gen
2254	
22552006-01-12  Love H�rnquist �strand  <lha@it.su.se>
2256
2257	* crypto_headers.h: Need BN_is_negative too.
2258	
22592006-01-11  Love H�rnquist �strand  <lha@it.su.se>
2260	
2261	* ks_p11.c (p11_rsa_public_decrypt): since is wrong, don't provide
2262	it. PKCS11 can't do public_decrypt, it support verify though. All
2263	this doesn't matter, since the code never go though this path.
2264
2265	* crypto_headers.h: Provide glue to compile with less warnings
2266	with OpenSSL
2267	
22682006-01-08  Love H�rnquist �strand  <lha@it.su.se>
2269	
2270	* Makefile.am: Depend on LIB_des
2271
2272	* lock.c: Use "crypto_headers.h".
2273
2274	* crypto_headers.h: Include the two diffrent implementation of
2275	crypto headers.
2276
2277	* cert.c: Use "crypto-headers.h". Load ENGINE configuration.
2278
2279	* crypto.c: Make compile with both OpenSSL and heimdal libdes.
2280
2281	* ks_p11.c: Add code for public key decryption (not supported yet)
2282	and use "crypto-headers.h".
2283	
2284
22852006-01-04 Love H�rnquist �strand <lha@it.su.se>
2286	
2287	* add a hx509_context where we can store configuration
2288
2289	* p11.c,Makefile.am: pkcs11 is now supported by library, remove
2290	old files.
2291
2292	* ks_p11.c: more paranoid on refcount, set refcounter ealier,
2293	reset pointers after free
2294
2295	* collector.c (struct private_key): remove temporary key data
2296	storage, convert directly to a key
2297	(match_localkeyid): match certificate and key using localkeyid
2298	(match_keys): match certificate and key using _hx509_match_keys
2299	(_hx509_collector_collect): rewrite to use match_keys and
2300	match_localkeyid
2301
2302	* crypto.c (_hx509_match_keys): function that determins if a
2303	private key matches a certificate, used when there is no
2304	localkeyid.
2305	(*) reset free pointer
2306
2307	* ks_file.c: Rewrite to use collector and mapping support
2308	function.
2309
2310	* ks_p11.c (rsa_pkcs1_method): constify
2311
2312	* ks_p11.c: drop extra wrapping of p11_init
2313
2314	* crypto.c (_hx509_private_key_assign_key_file): use function to
2315	extact rsa key
2316
2317	* cert.c: Revert previous, refcounter is unsigned, so it can never
2318	be negative.
2319
2320	* cert.c (hx509_cert_ref): more refcount paranoia
2321
2322	* ks_p11.c: Implement rsa_private_decrypt and add stubs for public
2323	ditto.
2324
2325	* ks_p11.c: Less printf, less memory leaks.
2326
2327	* ks_p11.c: Implement signing using pkcs11.
2328	
2329	* ks_p11.c: Partly assign private key, enough to complete
2330	collection, but not any crypto functionallity.
2331
2332	* collector.c: Use hx509_private_key to assign private keys.
2333
2334	* crypto.c: Remove most of the EVP_PKEY code, and use RSA
2335	directly, this temporary removes DSA support.
2336
2337	* hxtool.c (print_f): print if there is a friendly name and if
2338	there is a private key
2339	
23402006-01-03  Love H�rnquist �strand  <lha@it.su.se>
2341
2342	* name.c: Avoid warning from missing __attribute__((noreturn))
2343
2344	* lock.c (_hx509_lock_unlock_certs): return unlock certificates
2345
2346	* crypto.c (_hx509_private_key_assign_ptr): new function, exposes
2347	EVP_PKEY
2348	(_hx509_private_key_assign_key_file): remember to free private key
2349	if there is one.
2350
2351	* cert.c (_hx509_abort): add newline to output and flush stdout
2352
2353	* Makefile.am: libhx509_la_SOURCES += collector.c
2354
2355	* hx_locl.h: forward type declaration of struct hx509_collector.
2356
2357	* collector.c: Support functions to collect certificates and
2358	private keys and then match them.
2359
2360	* ks_p12.c: Use the new hx509_collector support functions.
2361
2362	* ks_p11.c: Add enough glue to support certificate iteration.
2363
2364	* test_nist_pkcs12.in: Less verbose.
2365
2366	* cert.c (hx509_cert_free): if there is a private key assosited
2367	with this cert, free it
2368
2369	* print.c: Use _hx509_abort.
2370
2371	* ks_p12.c: Use _hx509_abort.
2372
2373	* hxtool.c: Use _hx509_abort.
2374
2375	* crypto.c: Use _hx509_abort.
2376
2377	* cms.c: Use _hx509_abort.
2378
2379	* cert.c: Use _hx509_abort.
2380
2381	* name.c: use _hx509_abort
2382	
23832006-01-02  Love H�rnquist �strand  <lha@it.su.se>
2384
2385	* name.c (hx509_name_to_string): don't cut bmpString in half.
2386
2387	* name.c (hx509_name_to_string): don't overwrite with 1 byte with
2388	bmpString.
2389
2390	* ks_file.c (parse_certificate): avoid stomping before array
2391
2392	* name.c (oidtostring): avoid leaking memory
2393
2394	* keyset.c: Add _hx509_ks_dir_register.
2395
2396	* Makefile.am (libhx509_la_SOURCES): += ks_dir.c
2397
2398	* hxtool-commands.in: Remove pkcs11.
2399
2400	* hxtool.c: Remove pcert_pkcs11.
2401
2402	* ks_file.c: Factor out certificate parsing code.
2403
2404	* ks_dir.c: Add new keystore that treats all files in a directory
2405	a keystore, useful for regression tests.
2406	
24072005-12-12  Love H�rnquist �strand  <lha@it.su.se>
2408
2409	* test_nist_pkcs12.in: Test parse PKCS12 files from NIST.
2410
2411	* data/nist-data: Can handle DSA certificate.
2412	
2413	* hxtool.c: Print error code on failure.
2414	
24152005-10-29  Love H�rnquist �strand  <lha@it.su.se>
2416
2417	* crypto.c: Support DSA signature operations.
2418	
24192005-10-04  Love H�rnquist �strand  <lha@it.su.se>
2420
2421	* print.c: Validate that issuerAltName and subjectAltName isn't
2422	empty.
2423	
24242005-09-14  Love H�rnquist �strand  <lha@it.su.se>
2425
2426	* p11.c: Cast to unsigned char to avoid warning.
2427
2428	* keyset.c: Register pkcs11 module.
2429
2430	* Makefile.am: Add ks_p11.c, install hxtool.
2431	
2432	* ks_p11.c: Starting point of a pkcs11 module.
2433	
24342005-09-04  Love H�rnquist �strand  <lha@it.su.se>
2435
2436	* lock.c: Implement prompter.
2437
2438	* hxtool-commands.in: add --content to print
2439
2440	* hxtool.c: Split verify and print.
2441
2442	* cms.c: _hx509_pbe_decrypt now takes a hx509_lock.
2443
2444	* crypto.c: Make _hx509_pbe_decrypt take a hx509_lock, workaround
2445	for empty password.
2446
2447	* name.c: Add DC, handle all Directory strings, fix signless
2448	problems.
2449	
24502005-09-03  Love H�rnquist �strand  <lha@it.su.se>
2451
2452	* test_query.in: Pass in --pass to all commands.
2453
2454	* hxtool.c: Use option --pass.
2455
2456	* hxtool-commands.in: Add --pass to all commands.
2457
2458	* hx509_err.et: add UNKNOWN_LOCK_COMMAND and CRYPTO_NO_PROMPTER
2459
2460	* test_cms.in: pass in password to cms-create-sd
2461
2462	* crypto.c: Abstract out PBE_string2key so I can add PBE2 s2k
2463	later.  Avoid signess warnings with OpenSSL.
2464
2465	* cms.c: Use void * instead of char * for to avoid signedness
2466	issues
2467
2468	* cert.c (hx509_cert_get_attribute): remove const, its not
2469
2470	* ks_p12.c: Cast size_t to unsigned long when print.
2471
2472	* name.c: Fix signedness warning.
2473
2474	* test_query.in: Use echo, the function check isn't defined here.
2475	
24762005-08-11  Love H�rnquist �strand  <lha@it.su.se>
2477
2478	* hxtool-commands.in: Add more options that was missing.
2479
24802005-07-28  Love H�rnquist �strand  <lha@it.su.se>
2481
2482	* test_cms.in: Use --certificate= for enveloped/unenvelope.
2483
2484	* hxtool.c: Use --certificate= for enveloped/unenvelope.  Clean
2485	up.
2486
2487	* test_cms.in: add EnvelopeData tests
2488	
2489	* hxtool.c: use id-envelopedData for ContentInfo
2490	
2491	* hxtool-commands.in: add contentinfo wrapping for create/unwrap
2492	enveloped data
2493
2494	* hxtool.c: add contentinfo wrapping for create/unwrap enveloped
2495	data
2496
2497	* data/gen-req.sh: add enveloped data (aes128)
2498	
2499	* crypto.c: add "new" RC2 oid
2500	
25012005-07-27  Love H�rnquist �strand  <lha@it.su.se>
2502
2503	* hx_locl.h, cert.c: Add HX509_QUERY_MATCH_FUNCTION that allows
2504	caller to match by function, note that this doesn't not work
2505	directly for backends that implements ->query, they must do their
2506	own processing. (I'm running out of flags, only 12 left now)
2507
2508	* test_cms.in: verify ContentInfo wrapping code in hxtool
2509	
2510	* hxtool-commands.in (cms_create_sd): support wrapping in content
2511	info spelling
2512
2513	* hxtool.c (cms_create_sd): support wrapping in content info
2514
2515	* test_cms.in: test more cms signeddata messages
2516	
2517	* data/gen-req.sh: generate SignedData
2518	
2519	* hxtool.c (cms_create_sd): support certificate store, add support
2520	to unwrap a ContentInfo the SignedData inside.
2521
2522	* crypto.c: sprinkel rk_UNCONST
2523
2524	* crypto.c: add DER NULL to the digest oid's
2525
2526	* hxtool-commands.in: add --content-info to cms-verify-sd
2527
2528	* cms.c (hx509_cms_create_signed_1): pass in a full
2529	AlgorithmIdentifier instead of heim_oid for digest_alg
2530
2531	* crypto.c: make digest_alg a digest_oid, it's not needed right
2532	now
2533
2534	* hx509_err.et: add CERT_NOT_FOUND
2535	
2536	* keyset.c (_hx509_certs_find): add error code for cert not
2537	found
2538
2539	* cms.c (hx509_cms_verify_signed): add external store of
2540	certificates, use the right digest algorithm identifier.
2541
2542	* cert.c: fix const warning
2543
2544	* ks_p12.c: slightly less verbose
2545	
2546	* cert.c: add hx509_cert_find_subjectAltName_otherName, add
2547	HX509_QUERY_MATCH_FRIENDLY_NAME
2548	
2549	* hx509.h: add hx509_octet_string_list, remove bad comment
2550	
2551	* hx_locl.h: add HX509_QUERY_MATCH_FRIENDLY_NAME
2552
2553	* keyset.c (hx509_certs_append): needs a hx509_lock, add one
2554
2555	* Makefile.am: add test cases tempfiles to CLEANFILES
2556	
2557	* Makefile.am: add test_query to TESTS, fix dependency on hxtool
2558	sources on hxtool-commands.h
2559
2560	* hxtool-commands.in: explain what signer is for create-sd
2561
2562	* hxtool.c: add query, add more options to verify-sd and create-sd
2563
2564	* test_cms.in: add more cms tests
2565	
2566	* hxtool-commands.in: add query, add more options to verify-sd
2567
2568	* test_query.in: test query interface
2569	
2570	* data: fix filenames for ds/ke files, add pkcs12 files, regen
2571	
2572	* hxtool.c,Makefile.am,hxtool-commands.in: switch to slc
2573
25742005-07-26  Love H�rnquist �strand  <lha@it.su.se>
2575
2576	* cert.c (hx509_verify_destroy_ctx): add
2577	
2578	* hxtool.c: free hx509_verify_ctx
2579	
2580	* name.c (_hx509_name_ds_cmp): make sure all strings are not equal
2581
25822005-07-25  Love H�rnquist �strand  <lha@it.su.se>
2583
2584	* hxtool.c: return error
2585	
2586	* keyset.c: return errors from iterations
2587	
2588	* test_chain.in: clean up checks
2589	
2590	* ks_file.c (parse_certificate): return errno's not 1 in case of
2591	error
2592	
2593	* ks_file.c (file_iter): make sure endpointer is NULL
2594
2595	* ks_mem.c (mem_iter): follow conversion and return NULL when we
2596	get to the end, not ENOENT.
2597	
2598	* Makefile.am: test_chain depends on hxtool
2599	
2600	* data: test certs that lasts 10 years
2601	
2602	* data/gen-req.sh: script to generate test certs
2603	
2604	* Makefile.am: Add regression tests.
2605
2606	* data: test certificate and keys
2607
2608	* test_chain.in: test chain
2609
2610	* hxtool.c (cms_create_sd): add KU digitalSigature as a
2611	requirement to the query
2612
2613	* hx_locl.h: add KeyUsage query bits
2614
2615	* hx509_err.et: add KeyUsage error
2616
2617	* cms.c: add checks for KeyUsage
2618
2619	* cert.c: more checks on KeyUsage, allow to query on them too
2620
26212005-07-24  Love H�rnquist �strand  <lha@it.su.se>
2622
2623	* cms.c: Add missing break.
2624	
2625	* hx_locl.h,cms.c,cert.c: allow matching on SubjectKeyId
2626
2627	* hxtool.c: Use _hx509_map_file, _hx509_unmap_file and
2628	_hx509_write_file.
2629
2630	* file.c (_hx509_write_file): in case of write error, return errno
2631
2632	* file.c (_hx509_write_file): add a function that write a data
2633	blob to disk too
2634
2635	* Fix id-tags
2636
2637	* Import mostly complete X.509 and CMS library. Handles, PEM, DER,
2638	PKCS12 encoded certicates.  Verificate RSA chains and handled
2639	CMS's SignedData, and EnvelopedData.
2640
2641
2642