ChangeLog revision 178825
2008-01-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_soft_pkcs11.c: use func for more C_ functions.

2008-01-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* version-script.map: Export hx509_free_error_string().

2008-01-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* version-script.map: only export C_GetFunctionList

	* test_soft_pkcs11.c: use C_GetFunctionList

	* softp11.c: fix comment, remove label.

	* softp11.c: Add option app-fatal to control if softtoken should
	abort() on erroneous input from applications.

2008-01-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_pkcs11.in: Test password less certificates too

	* keyset.c: document HX509_CERTS_UNPROTECT_ALL

	* ks_file.c: Support HX509_CERTS_UNPROTECT_ALL.

	* hx509.h: Add HX509_CERTS_UNPROTECT_ALL.

	* test_soft_pkcs11.c: Only log in if needed.

2008-01-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* softp11.c: Support PINs to login to the store.

	* Makefile.am: add java pkcs11 test

	* test_java_pkcs11.in: first version of disable java test

	* softp11.c: Drop unused stuff.

	* cert.c: Spelling, Add hx509_cert_get_SPKI_AlgorithmIdentifier,
	remove unused stuff, add hx509_context to some functions.

	* softp11.c: Add more glue to figure out what keytype this
	certificate is using.

2008-01-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_pkcs11.in: test debug

	* Add a PKCS11 provider supporting signing and verifying signatures.

2008-01-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* version-script.map: Replace hx509_name_to_der_name with
	hx509_name_binary.

	* print.c: make print_func static

2007-12-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* print.c: doxygen

	* env.c: doxygen

	* doxygen.c: add more groups

	* ca.c: doxygen.

2007-12-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* ca.c: doxygen

2007-12-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* error.c: doxygen

2007-12-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* More documentation

	* lock.c: Add page reference

	* keyset.c: some more documentation.

	* cms.c: Doxygen documentation.

2007-12-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* *.[ch]: More documentation

2007-12-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* handle refcount on NULL.

	* test_nist_pkcs12.in: drop echo -n, doesn't work with posix sh

2007-12-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_nist2.in: Print that this is version 2 of the tests

	* test_nist.in: Drop printing of $id.

	* hx509.h: Add HX509_VHN_F_ALLOW_NO_MATCH.

	* name.c: spelling.

	* cert.c: make work the doxygen.

	* name.c: fix doxygen compiling.

	* Makefile.am: add doxygen.c

	* doxygen.c: Add doxygen main page.

	* cert.c: Add doxygen.

	* revoke.c (_hx509_revoke_ref): new function.

2007-11-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_keychain.c: Check if SecKeyGetCSPHandle needs prototype.

2007-08-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* data/nist-data: Make work on case sensitive filesystems too.

2007-08-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* cert.c: match rfc822 constraints better, provide better error
	strings.

2007-08-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* cert.c: "self-signed doesn't count" doesn't apply to trust
	anchor certificate. make trust anchor check consistent.

	* revoke.c: make compile.

	* revoke.c (verify_crl): set error strings.

	* revoke.c (verify_crl): handle with the signer is the
	CRLsigner (shortcut).

	* cert.c: Fix NC, comment on how to use _hx509_check_key_usage.

2007-08-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_nist2.in, Makefile, test/nist*: Add nist pkits tests.

	* revoke.c: Update to use CERT_REVOKED error, shortcut out of OCSP
	checking when OCSP reply is a revocation reply.

	* hx509_err.et: Make CERT_REVOKED error OCSP/CRL agnostic.

	* name.c (_hx509_Name_to_string): make printableString handle
	space (0x20) differences as required by rfc3280.

	* revoke.c: Search for the right issuer when looking for the
	issuer of the CRL signer.

2007-08-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* revoke.c: Handle CRL signing certificate better, try to not
	revalidate invalid CRLs over and over.

2007-08-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c: remove stale comment.

	* test_nist.in: Unpack PKITS_data.zip and run tests.

	* test_nist_cert.in: Adapt to new nist pkits framework.

	* test_nist_pkcs12.in: Adapt to new nist pkits framework.

	* Makefile.am: clean PKITS_data

2007-07-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Add version-script.map to EXTRA_DIST

2007-07-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Add dependency on asn1_compile for asn1 built files.

2007-07-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* peer.c: update (c), indent.

	* Makefile.am: New library version.

2007-06-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c: Add sha2 types.

	* ref/pkcs11.h: Sync with scute.

	* ref/pkcs11.h: Add sha2 CKM's.

	* print.c: Print authorityInfoAccess.

	* cert.c: Rename proxyCertInfo oid.

	* ca.c: Rename proxyCertInfo oid.

	* print.c: Rename proxyCertInfo oid.

2007-06-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_ca.in: Adapt to new request handling.

	* req.c: Allow export some of the request parameters.

	* hxtool-commands.in: Adapt to new request handling.

	* hxtool.c: Adapt to new request handling.

	* test_req.in: Adapt to new request handling.

	* version-script.map: Add initialize_hx_error_table_r.

	* req.c: Move _hx509_request_print here.

	* hxtool.c: use _hx509_request_print

	* version-script.map: Export more crap^W semiprivate functions.

	* hxtool.c: don't _hx509_abort

	* version-script.map: add missing ;

2007-06-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c: Use hx509_crypto_random_iv.

	* crypto.c: Split out the iv creation from hx509_crypto_encrypt
	since _hx509_pbe_encrypt needs to use the iv from the s2k
	function.

	* test_cert.in: Test PEM and DER FILE writing functionality.

	* ks_file.c: Add writing DER certificates.

	* hxtool.c: Update to new hx509_pem_write().

	* test_cms.in: test creation of PEM signeddata.

	* hx509.h: PEM struct/function declarations.

	* ks_file.c: Use PEM encoding/decoding functions.

	* file.c: PEM encode/decoding functions.

	* ks_file.c: Use hx509_pem_write.

	* version-script.map: Export some semi-private functions.

	* hxtool.c: Enable writing out signed data as a pem attachment.

	* hxtool-commands.in (cms-create-signed): add --pem

	* file.c (hx509_pem_write): Add.

	* test_ca.in: Issue and test null subject cert.

	* cert.c: Match if first component is in a CN=.

	* test_ca.in: Test hostname if first CN.

	* Makefile.am: Add version script.

	* version-script.map: Limited exported symbols.

	* test_ca.in: test --hostname.

	* test_chain.in: test max-depth

	* hx509.h: fixate HX509_HN_HOSTNAME at 0.

	* hxtool-commands.in: add --hostname add --max-depth

	* cert.c: Verify hostname and max-depth.

	* hxtool.c: Verify hostname and test max-depth.

2007-06-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_cms.in: Test --id-by-name.

	* hxtool-commands.in: add cms-create-sd --id-by-name

	* hxtool.c: Use HX509_CMS_SIGATURE_ID_NAME.

	* cms.c: Implement and use HX509_CMS_SIGATURE_ID_NAME.

	* hx509.h: Add HX509_CMS_SIGATURE_ID_NAME, use subject name for
	CMS.Identifier. hx509_hostname_type: add hostname type for
	matching.

	* cert.c (match_general_name): more strict rfc822Name matching.
	(hx509_verify_hostname): add hostname type for matching.

2007-06-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: Make compile again.

	* hxtool.c: Added peap-server for to make windows peap clients
	happy.

	* hxtool.c: Unify parse_oid code.

	* hxtool.c: Implement --content-type.

	* hxtool-commands.in: Add content-type.

	* test_cert.in: more cert and keyset tests.

2007-06-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* revoke.c: Avoid stomping on NULL.

	* revoke.c: Avoid reusing i.

	* cert.c: Provide __attribute__ for _hx509_abort.

	* ks_file.c: Fail if not finding iv.

	* keyset.c: Avoid using freed memory.

	* crypto.c: Free memory in failure case.

	* crypto.c: Free memory in failure case.

2007-06-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* *.c: Add hx509_cert_init_data and use everywhere

	* hx_locl.h: Now that KEYCHAIN:system-anchors is fast again, use
	that.

	* ks_keychain.c: Implement trust anchor support with
	SecTrustCopyAnchorCertificates.

	* keyset.c: Set ref to 1 for the new object.

	* cert.c: Fix logic for allow_default_trust_anchors

	* keyset.c: Add refcounting to keystores.

	* cert.c: Change logic for default trust anchors, make it be
	either default trust anchor, the user supplied, or none at all.

2007-06-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Add data/j.pem.

	* Makefile.am: Add test_windows.in.

2007-06-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_keychain.c: rename functions, leaks less memory and more
	paranoia.

	* test_cms.in: Test cms peer-alg.

	* crypto.c (rsa_create_signature): make oid_id_pkcs1_rsaEncryption
	mean rsa-with-sha1 but oid oid_id_pkcs1_rsaEncryption in algorithm
	field. XXX should probably use another algorithmIdentifier for
	this.

	* peer.c: Make free function return void.

	* cms.c (hx509_cms_create_signed_1): Use hx509_peer_info to select
	the signature algorithm too.

	* hxtool-commands.in: Add cms-create-sd --peer-alg.

	* req.c: Use _hx509_crypto_default_sig_alg.

	* test_windows.in: Create crl, because everyone needs one.

	* Makefile.am: add wcrl.crl

2007-06-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* hx_locl.h: Disable KEYCHAIN for now, its slow.

	* cms.c: When we are not using pkcs7-data, avoid seing
	signedAttributes since some clients get upset by that (pkcs7 based
	or just plain broken).

	* ks_keychain.c: Provide rsa signatures.

	* ks_keychain.c: Limit the searches to the selected keychain.

	* ks_keychain.c: include -framework Security specific header files
	after #ifdef

	* ks_keychain.c: Find and attach private key (does not provide
	operations yet though).

	* ks_p11.c: Prefix rsa method with p11_

	* ks_keychain.c: Allow opening a specific chain, making "system"
	special and be the system X509Anchors file. By not specifying any
	keychain ("KEYCHAIN:"), all keychains are probed.

2007-06-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c (verify): Friendlier error message.

	* cert.c: Read in and use default trust anchors if they exist.

	* hx_locl.h: Add concept of default_trust_anchors.

	* ks_keychain.c: Remove err(), remove extra empty comment, fix
	_iter function.

	* error.c (hx509_get_error_string): if the error code is not the
	one we expect, punt and use the default com_err/strerror string
	instead.

	* keyset.c (hx509_certs_merge): its ok to merge in the NULL set of
	certs.

	* test_windows.in: Fix status string.

	* ks_p12.c (store_func): free whole CertBag, not just the data
	part.

	* print.c: Check that the self-signed cert is really self-signed.

	* print.c: Use selfsigned for CRL DP whine, tell if its a
	self-signed.

	* print.c: Whine if its a non CA/proxy and doesn't have CRL DP.

	* ca.c: Add cRLSign to CA certs.

	* cert.c: Register NULL and KEYCHAIN.

	* ks_null.c: register the NULL keystore.

	* Makefile.am: Add ks_keychain.c and related libs.

	* test_crypto.in: Print certificate with utf8.

	* print.c: Leak less memory.

	* hxtool.c: Leak less memory.

	* print.c: Leak less memory, use functions that does same but
	more.

	* name.c (quote_string): don't sign extend the (signed) char to
	avoid printing too much, add an assert to check that we didn't
	overrun the buffer.

	* name.c: Use right element out of the CHOICE for printableString
	and utf8String

	* ks_keychain.c: Certificate only KeyChain backend.

	* name.c: Reset name before parsing it.

2007-06-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* revoke.c (hx509_crl_*): fix sizeof() mistakes to fix memory
	corruption.

	* hxtool.c: Add lifetime to crls.

	* hxtool-commands.in: Add lifetime to crls.

	* revoke.c: Add lifetime to crls.

	* test_ca.in: More crl checks.

	* revoke.c: Add revoking certs.

	* hxtool-commands.in: argument is certificates.. for crl-sign

	* hxtool.c (certificate_copy): free lock

	* revoke.c: Fix hx509_set_error_string calls, add
	hx509_crl_add_revoked_certs(), implement hx509_crl_{alloc,free}.

	* hxtool.c (crl_sign): free lock

	* cert.c (hx509_context_free): free querystat

2007-06-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_chain.in: test ocsp-verify

	* revoke.c (hx509_ocsp_verify): explain what its useful for and
	provide sane error message.

	* hx509_err.et: New error code, CERT_NOT_IN_OCSP

	* hxtool.c: New command ocsp-verify, check if ocsp contains all
	certs and are valid (exist and non expired).

	* hxtool-commands.in: New command ocsp-verify.

2007-06-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_ca.in: Create crl and verify that is works.

	* hxtool.c: Sign CRL command.

	* hx509.h: Add hx509_crl.

	* hxtool-commands.in: Add crl-sign commands.

	* revoke.c: Support to generate an empty CRL.

	* tst-crypto-select2: Switched default types.

	* tst-crypto-select1: Switched default types.

	* ca.c: Use default AlgorithmIdentifier.

	* cms.c: Use default AlgorithmIdentifier.

	* crypto.c: Provide default AlgorithmIdentifier and use them.

	* hx_locl.h: Provide default AlgorithmIdentifier.

	* keyset.c (hx509_certs_find): collects stats for queries.

	* cert.c: Sort and print more info.

	* hx_locl.h: Add querystat to hx509_context.

	* test_*.in: sprinkle stat saving

	* Makefile.am: Add stat and objdir.

	* collector.c (_hx509_collector_alloc): return error code instead
	of pointer.

	* hxtool.c: Add statistic hook.

	* ks_file.c: Update _hx509_collector_alloc prototype.

	* ks_p12.c: Update _hx509_collector_alloc prototype.

	* ks_p11.c: Update _hx509_collector_alloc prototype.

	* hxtool-commands.in: Add statistics hook.

	* cert.c: Statistics printing.

	* ks_p12.c: plug memory leak

	* ca.c (hx509_ca_tbs_add_crl_dp_uri): plug memory leak

2007-05-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* print.c: print utf8 type SAN's

	* Makefile.am: Fix windows client cert name.

	* test_windows.in: Add crl-uri for the ee certs.

	* print.c: Printf formatting.

	* ca.c: Add glue for adding CRL dps.

	* test_ca.in: Readd the crl adding code, it works (somewhat) now.

	* print.c: Fix printing of CRL DPnames (I hate IMPLICIT encoded
	structures).

	* hxtool-commands.in: make ca an alias of certificate-sign

2007-05-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* crypto.c (hx509_crypto_select): copy AI to the right place.

	* hxtool-commands.in: Add ca --ms-upn.

	* hxtool.c: add --ms-upn and add more EKU's for pk-init client.

	* ca.c: Add hx509_ca_tbs_add_san_ms_upn and refactor code.

	* test_crypto.in: Resurrect killed e.

	* test_crypto.in: check for aes256-cbc

	* tst-crypto-select7: check for aes256-cbc

	* test_windows.in: test windows stuff

	* hxtool.c: add ca --domain-controller option, add secret key
	option to available.

	* ca.c: Add hx509_ca_tbs_set_domaincontroller.

	* hxtool-commands.in: add ca --domain-controller

	* hxtool.c: hook for testing secret key algs

	* crypto.c: Add selection code for secret key crypto.

	* hx509.h: Add HX509_SELECT_SECRET_ENC.

2007-05-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c: add more mechtypes

2007-05-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* print.c: Indent.

	* hxtool-commands.in: add test-crypto command

	* hxtool.c: test crypto command

	* cms.c (hx509_cms_create_signed_1): if no eContentType is given,
	use pkcs7-data.

	* print.c: add Netscape cert comment

	* crypto.c: Try both the empty password and the NULL
	password (nothing vs the octet string \x00\x00).

	* print.c: Add some US Fed PKI oids.

	* ks_p11.c: Add some more hashes.

2007-04-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c (crypto_select): stop memory leak

2007-04-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* peer.c (hx509_peer_info_free): free memory used too

	* hxtool.c (crypto_select): only free peer if it was used.

2007-04-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: free template

	* ks_mem.c (mem_free): free key array too

	* hxtool.c: free private key and tbs

	* hxtool.c (hxtool_ca): free signer

	* hxtool.c (crypto_available): free peer too.

	* ca.c (get_AuthorityKeyIdentifier): leak less memory

	* hxtool.c (hxtool_ca): free SPKI

	* hxtool.c (hxtool_ca): free cert

	* ks_mem.c (mem_getkeys): allocate one more than we have elements
	so its possible to store the NULL pointer at the end.

2007-04-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: CLEANFILES += cert-null.pem cert-sub-ca2.pem

2007-02-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* ca.c: Disable CRLDistributionPoints for now, its IMPLICIT code
	in the asn1 parser.

	* print.c: Add some more \n's.

2007-02-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* file.c: Allow mapping using heim_octet_string.

	* hxtool.c: Add options to generate detached signatures.

	* cms.c: Add flags to generate detached signatures.

	* hx509.h: Flag to generate detached signatures.

	* test_cms.in: Support detached signatures.

	* name.c (hx509_general_name_unparse): unparse the other
	GeneralName nametypes.

	* print.c: Use less printf. Use hx509_general_name_unparse.

	* cert.c: Fix printing and plug leak-on-error.

2007-01-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_ca.in: Add test for ca --crl-uri.

	* hxtool.c: Add ca --crl-uri.

	* hxtool-commands.in: add ca --crl-uri

	* ca.c: Code to set CRLDistributionPoints in certificates.

	* print.c: Check CRLDistributionPointNames.

	* name.c (hx509_general_name_unparse): function for unparsing
	GeneralName, only supports GeneralName.URI

	* cert.c (is_proxy_cert): free info if we won't return it.

2007-01-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: Try to help how to use this command.

2007-01-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* switch to sha256 as default digest for signing

2007-01-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_ca.in: Really test sub-ca code, add basic constraints tests

2007-01-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Fix makefile problem.

2007-01-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: Set num of bits before we generate the key.

2007-01-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c (hx509_cms_create_signed_1): use hx509_cert_binary

	* ks_p12.c (store_func): use hx509_cert_binary

	* ks_file.c (store_func): use hx509_cert_binary

	* cert.c (hx509_cert_binary): return binary encoded
	certificate (DER format)

2007-01-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* ca.c (hx509_ca_tbs_subject_expand): new function.

	* name.c (hx509_name_expand): if env is NULL, return directly

	* test_ca.in: test template handling

	* hx509.h: Add template flags.

	* Makefile.am: clean out new files

	* hxtool.c: Add certificate template processing, fix hx509_err
	usage.

	* hxtool-commands.in: Add certificate template processing.

	* ca.c: Add certificate template processing. Fix return messages
	from hx509_ca_tbs_add_eku.

	* cert.c: Export more stuff from certificate.

2007-01-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* ca.c: update (c)

	* ca.c: (hx509_ca_tbs_add_eku): filter out dups.

	* hxtool.c: Add type email and add email eku when using option
	--email.

	* Makefile.am: add env.c

	* name.c: Remove abort, add error handling.

	* test_name.c: test name expansion

	* name.c: add hx509_name_expand

	* env.c: key-value pair help functions

2007-01-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* ca.c: Don't issue certs with subject DN that is NULL and have no
	SANs

	* print.c: Fix previous test.

	* print.c: Check there is a SAN if subject DN is NULL.

	* test_ca.in: test email, null subject dn

	* hxtool.c: Allow setting parameters to private key generation.

	* hx_locl.h: Allow setting parameters to private key generation.

	* crypto.c: Allow setting parameters to private key generation.

	* hxtool.c (eval_types): add jid if user gave one

	* hxtool-commands.in (certificate-sign): add --jid

	* ca.c (hx509_ca_tbs_add_san_jid): Allow adding
	id-pkix-on-xmppAddr OtherName.

	* print.c: Print id-pkix-on-xmppAddr OtherName.

2007-01-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* no random, no RSA/DH tests

	* hxtool.c (info): print status of random generator

	* Makefile.am: remove files created by tests

	* error.c: constify

	* name.c: constify

	* revoke.c: constify

	* hx_locl.h: constify

	* keyset.c: constify

	* ks_p11.c: constify

	* hx_locl.h: make printinfo char * argument const.

	* cms.c: move _hx509_set_digest_alg from cms.c to crypto.c since
	its only used there.

	* crypto.c: remove no longer used stuff, move set_digest_alg here
	from cms.c since its only used here.

	* Makefile.am: add data/test-nopw.p12 to EXTRA_DIST

2007-01-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* print.c: BasicConstraints vs criticality bit is complicated and
	not really possible to evaluate on its own, silly RFC3280.

	* ca.c: Make basicConstraints critical if this is a CA.

	* print.c: fix the version vs extension test

	* print.c: More validation checks.

	* name.c (hx509_name_cmp): add

2007-01-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c (collect_private_key): Missing CKA_MODULUS is ok
	too (XXX why should these be fetched given they are not used).

	* test_ca.in: rename all files to PEM files, since that is what
	they are.

	* hxtool.c: copy out the key with the self signed CA cert

	* Factor out private key operation out of the signing, operations,
	support import, export, and generation of private keys. Add
	support for writing PEM and PKCS12 files with private keys in them.

	* data/gen-req.sh: Generate a no password pkcs12 file.

2007-01-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c: Check for internal ASN1 encoder error.

2007-01-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Drop most of the pkcs11 files.

	* test_ca.in: test reissuing ca certificate (xxx time
	validAfter).

	* hxtool.c: Allow setting serialNumber (needed for reissuing
	certificates) Change --key argument to --out-key.

	* hxtool-commands.in (issue-certificate): Allow setting
	serialNumber (needed for reissuing certificates), Change --key
	argument to --out-key.

	* ref: Replace with Marcus Brinkmann of g10 Code GmbH pkcs11
	headerfile that is compatible with GPL (file taken from scute)

2007-01-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_ca.in: Test to generate key and use them.

	* hxtool.c: handle other keys the pkcs10 requested keys

	* hxtool-commands.in: add generate key commands

	* req.c (_hx509_request_to_pkcs10): PKCS10 needs to have a subject

	* hxtool-commands.in: Spelling.

	* ca.c (hx509_ca_tbs_set_proxy): allow negative pathLenConstraint
	to signal no limit

	* ks_file.c: Try all formats on the binary file before giving up,
	this way we can handle binary rsa keys too.

	* data/key2.der: new test key

2007-01-04  David Love  <fx@gnu.org>

	* Makefile.am (hxtool_LDADD): Add libasn1.la

	* hxtool.c (pcert_verify): Fix format string.

2006-12-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: Allow setting path length

	* cert.c: Fix test for proxy certs chain length, it was too
	restrictive.

	* data: regen

	* data/openssl.cnf: (proxy_cert) make length 0

	* test_ca.in: Issue a long living cert.

	* hxtool.c: add --lifetime to ca command.

	* hxtool-commands.in: add --lifetime to ca command.

	* ca.c: allow setting notBefore and notAfter.

	* test_ca.in: Test generation of proxy certificates.

	* ca.c: Allow generation of proxy certificates, always include
	BasicConstraints, fix error codes.

	* hxtool.c: Allow generation of proxy certificates.

	* test_name.c: make hx509_parse_name take a hx509_context.

	* name.c: Split building RDN to a separate function.

2006-12-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: clean test_ca files.

	* test_ca.in: test issuing self-signed and CA certificates.

	* hxtool.c: Add bits to allow issuing self-signed and CA
	certificates.

	* hxtool-commands.in: Add bits to allow issuing self-signed and CA
	certificates.

	* ca.c: Add bits to allow issuing CA certificates.

	* revoke.c: use new OCSPSigning.

	* ca.c: Add Subject Key Identifier.

	* ca.c: Add Authority Key Identifier.

	* cert.c: Locally export _hx509_find_extension_subject_key_id.
	Handle AuthorityKeyIdentifier where only authorityCertSerialNumber
	and authorityCertSerialNumber is set.

	* hxtool-commands.in: Add dnsname and rfc822 SANs.

	* test_ca.in: Test dnsname and rfc822 SANs.

	* ca.c: Add dnsname and rfc822 SANs.

	* hxtool.c: Add dnsname and rfc822 SANs.

	* test_ca.in: test adding eku, ku and san to the
	certificate (https and pk-init)

	* hxtool.c: Add eku, ku and san to the certificate.

	* ca.c: Add eku, ku and san to the certificate.

	* hxtool-commands.in: Add --type and --pk-init-principal

	* ocsp.asn1: remove id-kp-OCSPSigning, its in rfc2459.asn1 now

2006-12-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* ca.c: Add KeyUsage extension.

	* Makefile.am: add ca.c, add sign-certificate tests.

	* crypto.c: Add _hx509_create_signature_bitstring.

	* hxtool-commands.in: Add the sign-certificate tool.

	* hxtool.c: Add the sign-certificate tool.

	* cert.c: Add HX509_QUERY_OPTION_KU_KEYCERTSIGN.

	* hx509.h: Add hx509_ca_tbs and HX509_QUERY_OPTION_KU_KEYCERTSIGN.

	* test_ca.in: Basic test of generating a pkcs10 request, signing
	it and verifying the chain.

	* ca.c: Naive certificate signer.

2006-12-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: add hxtool_hex

2006-12-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: use top_builddir for libasn1.la

2006-12-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c (print_certificate): print serial number.

	* name.c (no): add S=stateOrProvinceName

2006-12-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* crypto.c (_hx509_private_key_assign_rsa): set a default sig alg

	* ks_file.c (try_decrypt): pass down AlgorithmIdentifier that key
	uses to do signatures so there is no need to hardcode RSA into this
	function.

2006-12-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_file.c: Pass filename to the parse functions and use it in
	the error messages

	* test_chain.in: test proxy cert (third level)

	* hx509_err.et: fix errorstring for PROXY_CERT_NAME_WRONG

	* data: regen

	* Makefile.am: EXTRA_DIST: add
	data/proxy10-child-child-test.{key,crt}

	* data/gen-req.sh: Fix names and restrictions on the proxy
	certificates

	* cert.c: Clarify and make proxy cert handling work for multiple
	levels, before it was too restrictive. More helpful error message.

2006-12-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* cert.c (check_key_usage): tell what keyusages are missing

	* print.c: Split OtherName printing code to a oid lookup and print
	function.

	* print.c (Time2string): print hour as hour not min

	* Makefile.am: CLEANFILES += test

2006-12-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am (EXTRA_DIST): add data/pkinit-proxy* files

	* Makefile.am (EXTRA_DIST): add tst-crypto* files

	* cert.c (hx509_query_match_issuer_serial): make a copy of the
	data

	* cert.c (hx509_query_match_issuer_serial): allow matching on
	issuer and serial num

	* cert.c (_hx509_calculate_path): add flag to allow leaving out
	trust anchor

	* cms.c (hx509_cms_create_signed_1): when building the path, omit
	the trust anchors.

	* crypto.c (rsa_create_signature): Abort when signature is longer,
	not shorter.

	* cms.c: Provide time to _hx509_calculate_path so we don't send no
	longer valid certs to our peer.

	* cert.c (find_parent): when checking for certs and its not a
	trust anchor, require time be in range.
	(_hx509_query_match_cert): Add time validity-testing to query mask

	* hx_locl.h: add time validity-testing to query mask

	* test_cms.in: Tests for CMS SignedData with incomplete chain from
	the signer.

2006-11-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c (hx509_cms_verify_signed): specify what signature we
	failed to verify

	* Makefile.am: Depend on LIB_com_err for AIX.

	* keyset.c: Remove another strndup that causes AIX to fall over.

	* cert.c: Don't check the trust anchors expiration time since they
	are transported out of band, from RFC3820.

	* cms.c: sprinkle more error strings

	* crypto.c: sprinkle more error strings

	* hxtool.c: use unsigned int as counter to fit better with the
	asn1 compiler

	* crypto.c: use unsigned int as counter to fit better with the
	asn1 compiler

2006-11-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c: Remove trailing white space.

	* crypto.c: rewrite comment to make more sense

	* crypto.c (hx509_crypto_select): check sig_algs[j]->key_oid

	* hxtool-commands.in (crypto-available): add --type

	* crypto.c (hx509_crypto_available): let alg pass if its keyless

	* hxtool-commands.in: Expand crypto-select

	* cms.c: Rename hx509_select to hx509_crypto_select.

	* hxtool-commands.in: Add crypto-select and crypto-available.

	* hxtool.c: Add crypto-select and crypto-available.

	* crypto.c (hx509_crypto_available): use right index.
	(hx509_crypto_free_algs): new function

	* crypto.c (hx509_crypto_select): improve
	(hx509_crypto_available): new function

2006-11-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* cert.c: Sprinkle more error string and hx509_contexts.

	* cms.c: Sprinkle more error strings.

	* crypto.c: Sprinkle error string and hx509_contexts.

	* crypto.c: Add some more comments about how this works.

	* crypto.c (hx509_select): new function.

	* Makefile.am: add peer.c

	* hxtool.c: Update hx509_cms_create_signed_1.

	* hx_locl.h: add struct hx509_peer_info

	* peer.c: Allow selection of digest/sig-alg

	* cms.c: Allow selection of a better digest using hx509_peer_info.

	* revoke.c: Handle that _hx509_verify_signature takes a context.

	* cert.c: Handle that _hx509_verify_signature takes a context.

2006-11-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c: Sprinkle error strings.

	* crypto.c: Sprinkle context and error strings.

2006-11-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* name.c: Handle printing and parsing raw oids in name.

2006-11-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* cert.c (_hx509_calculate_path): allow to calculate optimistic
	path when we don't know the trust anchors, just follow the chain
	upward until we no longer find a parent or we hit the max limit.

	* cms.c (hx509_cms_create_signed_1): provide a best effort path to
	the trust anchors to be stored in the SignedData packet, if find
	parents until trust anchor or max length.

	* data: regen

	* data/gen-req.sh: Build pk-init proxy cert.

2006-11-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* error.c (hx509_get_error_string): Put ", " between strings in
	error message.

2006-11-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* data/openssl.cnf: Change realm to TEST.H5L.SE

2006-11-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* revoke.c: Sprinkle error strings.

2006-11-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* hx_locl.h: add context variable to cmp function.

	* cert.c (hx509_query_match_cmp_func): allow setting the match
	function.

2006-10-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c: Return less EINVAL.

	* hx509_err.et: add more pkcs11 errors

	* hx509_err.et: more error-codes

	* revoke.c: Return less EINVAL.

	* ks_dir.c: sprinkle more hx509_set_error_string

	* ks_file.c: Return less EINVAL.

	* hxtool.c: Pass in context to _hx509_parse_private_key.

	* ks_file.c: Sprinkle more hx509_context so we can return proper
	errors.

	* hx509_err.et: add HX509_PARSING_KEY_FAILED

	* crypto.c: Sprinkle more hx509_context so we can return proper
	errors.

	* collector.c: No more EINVAL.

	* hx509_err.et: add HX509_LOCAL_ATTRIBUTE_MISSING

	* cert.c (hx509_cert_get_base_subject): one less EINVAL
	(_hx509_cert_private_decrypt): one less EINVAL

2006-10-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* collector.c: indent

	* hxtool.c: Try to not leak memory.

	* req.c: clean memory before free

	* crypto.c (_hx509_private_key2SPKI): indent

	* req.c: Try to not leak memory.

2006-10-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_crypto.in: Read 50 kilobyte random data

	* revoke.c: Try to not leak memory.

	* hxtool.c: Try to not leak memory.

	* crypto.c (hx509_crypto_destroy): free oid.

	* error.c: Clean error string on failure just to make sure.

	* cms.c: Try to not leak memory (again).

	* hxtool.c: use a sensible content type

	* cms.c: Try harder to free certificate.

2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Add make check data.

2006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c (p11_list_keys): make element of search_data[0]
	constants and set them later

	* Makefile.am: Add more files.

2006-10-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_file.c: set ret, remember to free ivdata

2006-10-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* hx_locl.h: Include <parse_bytes.h>.

	* test_crypto.in: Test random-data.

	* hxtool.c: RAND_bytes() return 1 for cryptographic strong data,
	check for that.

	* Makefile.am: clean random-data

	* hxtool.c: Add random-data command, use sl_slc_help.

	* hxtool-commands.in: Add random-data.

	* ks_p12.c: Remember to release certs.

	* ks_p11.c: Remember to release certs.

2006-10-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* prefix der primitives with der_

	* lock.c: Match the prompt type PROMPT exact.

	* hx_locl.h: Drop heim_any.h

2006-10-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c (p11_release_module): j needs to be used as inter loop
	index. From Douglas Engert.

	* ks_file.c (parse_rsa_private_key): try all passwords and
	prompter.

2006-10-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_*.in: Parameterise the invocation of hxtool, so we can make
	it run under TESTS_ENVIRONMENT. From Andrew Bartlett

2006-10-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_crypto.in: Put all test stuck at 2006-09-25 since all their
	chains were valid then.

	* hxtool.c: Implement --time= option.

	* hxtool-commands.in: Add option time.

	* Makefile.am: test_name is a PROGRAM_TESTS

	* ks_p11.c: Return HX509_PKCS11_NO_SLOT when there are no slots
	and HX509_PKCS11_NO_TOKEN when there are no token. For use in PAM
	modules that want to detect when to use smartcard login and when
	not to. Patched based on code from Douglas Engert.

	* hx509_err.et: Add new pkcs11 related errors in a new section:
	keystore related error. Patched based on code from Douglas
	Engert.

2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Make dependency for slc built files just like
	everywhere else.

	* cert.c: Add all openssl algs and init asn1 et

2006-10-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_file.c (parse_rsa_private_key): free type earlier.

	* ks_file.c (parse_rsa_private_key): free type after use

	* name.c (_hx509_Name_to_string): remove dup const

2006-10-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Add more libs to libhx509

2006-10-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c: Fix double free's, NULL ptr de-reference, and conform
	better to pkcs11. From Douglas Engert.

	* ref: remove ^M, it breaks solaris 10s cc. From Harald Barth

2006-09-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_crypto.in: Bleichenbacher bad cert from Ralf-Philipp
	Weinmann and Andrew Pyshkin, pad right.

	* data: starfield test root cert and Ralf-Philipp and Andreis
	correctly padded bad cert

2006-09-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_crypto.in: Add test for yutaka certs.

	* cert.c: Add a strict rfc3280 verification flag. rfc3280 requires
	certificates to have KeyUsage.keyCertSign if they are to be used
	for signing of certificates, but the step in the verification is
	optional.

	* hxtool.c: Improve printing and error reporting.

2006-09-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_crypto.in,Makefile.am,data/bleichenbacher-{bad,good}.pem:
	test bleichenbacher from eay

2006-09-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: Make common function for all getarg_strings and
	hx509_certs_append commonly used.

	* cms.c: HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT is a negative
	flag, treat it as such.

2006-09-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* req.c: Use the new add_GeneralNames function.

	* hx509.h: Add HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT.

	* ks_p12.c: Adapt to new signature of hx509_cms_unenvelope.

	* hxtool.c: Adapt to new signature of hx509_cms_unenvelope.

	* cms.c: Allow passing in encryptedContent and flag. Add new flag
	HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT.

2006-09-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c: cast void * to char * when using it for %s formatting
	in printf.

	* name.c: New function _hx509_Name_to_string.

2006-09-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_file.c: Sprinkle error messages.

	* cms.c: Sprinkle even more error messages.

	* cms.c: Sprinkle some error messages.

	* cms.c (find_CMSIdentifier): only free string when we allocated
	one.

	* ks_p11.c: Don't build most of the pkcs11 module if there are no
	dlopen().

2006-09-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c (hx509_cms_unenvelope): try to save the error string from
	find_CMSIdentifier so we have one more bit of information what
	went wrong.

	* hxtool.c: More pretty printing, make verify_signed return the
	error string from the library.

	* cms.c: Try returning what certificates failed to parse or be
	found.

	* ks_p11.c (p11_list_keys): fetch CKA_LABEL and use it to set the
	friendlyname for the certificate.

2006-09-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* crypto.c: check that there are no extra bytes in the checksum
	and that the parameters are NULL or the NULL-type. All to avoid
	having excess data that can be used to fake the signature.

	* hxtool.c: print keyusage

	* print.c: add hx509_cert_keyusage_print, simplify oid printing

	* cert.c: add _hx509_cert_get_keyusage

	* ks_p11.c: keep one session around for the whole life of the keyset

	* test_query.in: tests more selection

	* hxtool.c: improve pretty printing in print and query

	* hxtool{.c,-commands.in}: add selection on KU and printing to query

	* test_cms.in: Add cms test for digitalSignature and
	keyEncipherment certs.

	* name.c (no): Add serialNumber

	* ks_p11.c (p11_get_session): return better error messages

2006-09-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* ref: update to pkcs11 reference files 2.20

	* ks_p11.c: add more mechflags

	* name.c (no): add OU and sort

	* revoke.c: pass context to _hx509_create_signature

	* ks_p11.c (p11_printinfo): print proper plural s

	* ks_p11.c: save the mechs supported when initing the token, print
	them in printinfo.

	* hx_locl.h: Include <parse_units.h>.

	* cms.c: pass context to _hx509_create_signature

	* req.c: pass context to _hx509_create_signature

	* keyset.c (hx509_certs_info): print information about the keyset.

	* hxtool.c (pcert_print) print keystore info when --info flag is
	given.

	* hxtool-commands.in: Add hxtool print --info.

	* test_query.in: Test hxtool print --info.

	* hx_locl.h (hx509_keyset_ops): add printinfo

	* crypto.c: Start to hang the private key operations of the
	private key, pass hx509_context to create_checksum.

2006-05-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c: Iterate over all slots, not just the first/selected
	one.

2006-05-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* cert.c: Add release function for certificates so backend knows
	when it's no longer used.

	* ks_p11.c: Add reference counting on certificates, push out
	CK_SESSION_HANDLE from slot.

	* cms.c: sprinkle more hx509_clear_error_string

2006-05-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c: Sprinkle some hx509_set_error_strings

2006-05-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: Avoid shadowing.

	* revoke.c: Avoid shadowing.

	* ks_file.c: Avoid shadowing.

	* cert.c: Avoid shadowing.

2006-05-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* lock.c (hx509_prompt_hidden): reshuffle to avoid gcc warning

	* hx509.h: Reshuffle the prompter types, remove the hidden field.

	* lock.c (hx509_prompt_hidden): return if the prompt should be
	hidden or not

	* revoke.c (hx509_revoke_free): allow free of NULL.

2006-05-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_file.c (file_init): Avoid shadowing ret (and thus avoiding
	crashing).

	* ks_dir.c: Implement DIR: caches using FILE: caches.

	* ks_p11.c: Catch more errors.

2006-05-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* crypto.c (hx509_crypto_encrypt): free correctly in error
	path. From Andrew Bartlett.

	* crypto.c: If RAND_bytes fails, then we will attempt to
	double-free crypt->key.data. From Andrew Bartlett.

2006-05-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* name.c: Rename u_intXX_t to uintXX_t

2006-05-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* TODO: More to do about the PKCS11 code.

	* ks_p11.c: Use the prompter from the lock function.

	* lock.c: Deal with that hx509_prompt.reply is no longer a
	pointer.

	* hx509.h: Make hx509_prompt.reply not a pointer.

2006-05-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* keyset.c: Sprinkle setting error strings.

	* crypto.c: Sprinkle setting error strings.

	* collector.c: Sprinkle setting error strings.

	* cms.c: Sprinkle setting error strings.

2006-05-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_name.c: renamed one error code

	* name.c: renamed one error code

	* ks_p11.c: _hx509_set_cert_attribute changed signature

	* hxtool.c (pcert_print): use hx509_err so I can test it

	* error.c (hx509_set_error_stringv): clear errors on malloc
	failure

	* hx509_err.et: Add some more errors

	* cert.c: Sprinkle setting error strings.

	* cms.c: _hx509_path_append changed signature.

	* revoke.c: changed signature of _hx509_check_key_usage

	* keyset.c: changed signature of _hx509_query_match_cert

	* hx509.h: Add support for error strings.

	* cms.c: changed signature of _hx509_check_key_usage

	* Makefile.am: ibhx509_la_files += error.c

	* ks_file.c: Sprinkle setting error strings.

	* cert.c: Sprinkle setting error strings.

	* hx_locl.h: Add support for error strings.

	* error.c: Add string error handling functions.

	* keyset.c (hx509_certs_init): pass the right error code back

2006-04-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* revoke.c: Revert previous patch.
	(hx509_ocsp_verify): new function that returns the expiration of
	certificate in ocsp data-blob

	* cert.c: Reverse previous patch, let's do it another way.

	* cert.c (hx509_revoke_verify): update usage

	* revoke.c: Make compile.

	* revoke.c: Add the expiration time the crl/ocsp info expire

	* name.c: Add hx509_name_is_null_p

	* cert.c: remove _hx509_cert_private_sigature

2006-04-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* name.c: Expose more of Name.

	* hxtool.c (main): add missing argument to printf

	* data/openssl.cnf: Add EKU for the KDC certificate

	* cert.c (hx509_cert_get_base_subject): reject un-canon proxy
	certs, not the reverse
	(add_to_list): constify and fix argument order to
	copy_octet_string
	(hx509_cert_find_subjectAltName_otherName): make work

2006-04-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* data/{pkinit,kdc}.{crt,key}: pkinit certificates

	* data/gen-req.sh: Generate pkinit certificates.

	* data/openssl.cnf: Add pkinit glue.

	* cert.c (hx509_verify_hostname): implement stub function

2006-04-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* TODO: CRL delta support

2006-04-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* data/.cvsignore: ignore leftover from OpenSSL cert generation

	* hx509_err.et: Add name malformatted error

	* name.c (hx509_parse_name): don't abort on error, rather return
	error

	* test_name.c: Test failure parsing name.

	* cert.c: When verifying certificates, store subject basename for
	later consumption.

	* test_name.c: test to parse and print name and check that they
	are the same.

	* name.c (hx509_parse_name): fix length argument to printf string

	* name.c (hx509_parse_name): fix length argument to stringtooid, 1
	too short.

	* cert.c: remove debug printf's

	* name.c (hx509_parse_name): make compile pre c99

	* data/gen-req.sh: OpenSSL have a serious issue of user confusion
	-subj in -ca takes the arguments in LDAP order. -subj for x509
	takes it in x509 order.

	* cert.c (hx509_verify_path): handle the case where the where two
	proxy certs in a chain.

	* test_chain.in: enable two proxy certificates in a chain test

	* test_chain.in: tests proxy certificates

	* data: re-gen

	* data/gen-req.sh: build proxy certificates

	* data/openssl.cnf: add def for proxy10_cert

	* hx509_err.et: Add another proxy certificate error.

	* cert.c (hx509_verify_path): Need to mangle name to remove the CN
	of the subject, copying issuer only works for one level but is
	better than doing no checking at all.

	* hxtool.c: Add verify --allow-proxy-certificate.

	* hxtool-commands.in: add verify --allow-proxy-certificate

	* hx509_err.et: Add proxy certificate errors.

	* cert.c: Fix comment about subject name of proxy certificate.

	* test_chain.in: tests for proxy certs

	* data/gen-req.sh: gen proxy and non-proxy tests certificates

	* data/openssl.cnf: Add definition for proxy certs

	* data/*proxy-test.*: Add proxy certificates

	* cert.c (hx509_verify_path): verify proxy certificate have no san
	or ian

	* cert.c (hx509_verify_set_proxy_certificate): Add
	(*): rename policy cert to proxy cert

	* cert.c: Initial support for proxy certificates.

2006-04-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: some error checking

	* name.c: Switch over to asn1 generated oids.

	* TODO: merge with old todo file

2006-04-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_query.in: make quiet

	* test_req.in: SKIP test if there is no RSA support.

	* hxtool.c: print dh method too

	* test_chain.in: SKIP test if there is no RSA support.

	* test_cms.in: SKIP test if there is no RSA support.

	* test_nist.in: SKIP test if there is no RSA support.

2006-04-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool-commands.in: Allow passing in pool and anchor to
	signedData

	* hxtool.c: Allow passing in pool and anchor to signedData

	* test_cms.in: Test that certs in signed data is picked up.

	* hx_locl.h: Expose the path building function to internal
	functions.

	* cert.c: Expose the path building function to internal functions.

	* hxtool-commands.in: cms-envelope: Add support for choosing the
	encryption type

	* hxtool.c (cms_create_enveloped): Add support for choosing the
	encryption type

	* test_cms.in: Test generating des-ede3 aes-128 aes-256 enveloped
	data

	* crypto.c: Add names to cipher types.

	* cert.c (hx509_query_match_friendly_name): fix return value

	* data/gen-req.sh: generate tests for enveloped data using
	des-ede3 and aes256

	* test_cms.in: add tests for enveloped data using des-ede3 and
	aes256

	* cert.c (hx509_query_match_friendly_name): New function.

2006-04-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c: Add support for parsing slot-number.

	* crypto.c (oid_private_rc2_40): simply

	* crypto.c: Use oids from asn1 generator.

	* ks_file.c (file_init): reset length when done with a part

	* test_cms.in: check with test.combined.crt.

	* data/gen-req.sh: Create test.combined.crt.

	* test_cms.in: Test signed data using keyfile that is encrypted.

	* ks_file.c: Remove (commented out) debug printf

	* ks_file.c (parse_rsa_private_key): use EVP_get_cipherbyname

	* ks_file.c (parse_rsa_private_key): make working for one
	password.

	* ks_file.c (parse_rsa_private_key): Implement enough for
	testing.

	* hx_locl.h: Add <ctype.h>

	* ks_file.c: Add glue code for PEM encrypted password files.

	* test_cms.in: Add commented out password protected PEM file,
	remove password for those tests that doesn't need it.

	* test_cms.in: adapt test now that we can use any certificate and
	trust anchor

	* collector.c: handle PEM RSA PRIVATE KEY files

	* cert.c: Remove unused function.

	* ks_dir.c: move code here from ks_file.c now that it's no longer
	used.

	* ks_file.c: Add support for parsing unencrypted RSA PRIVATE KEY

	* crypto.c: Handle rsa private keys better.

2006-04-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: Use hx509_cms_{,un}wrap_ContentInfo

	* cms.c: Make hx509_cms_{,un}wrap_ContentInfo usable in asn1
	un-aware code.

	* cert.c (hx509_verify_path): if trust anchor is not self signed,
	don't check sig From Douglas Engert.

	* test_chain.in: test "sub-cert -> sub-ca"

	* crypto.c: Use the right length for the sha256 checksums.

2006-04-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* crypto.c: Fix breakage from sha256 code.

	* crypto.c: Add SHA256 support, and symbols for the other new
	SHA-2 types.

2006-04-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_cms.in: test rc2-40 rc2-64 rc2-128 enveloped data

	* data/test-enveloped-rc2-{40,64,128}: add tests cases for rc2

	* cms.c: Update prototypes changes for hx509_crypto_[gs]et_params.

	* crypto.c: Break out the parameter handling code for encrypting
	data to handle RC2.
	Needed for Windows 2k pk-init support.

2006-04-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Split libhx509_la_SOURCES into build file and
	distributed files so we can avoid building prototypes for
	build-files.

2006-04-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* TODO: split certificate request into pkcs10 and CRMF

	* hxtool-commands.in: Add nonce flag to ocsp-fetch

	* hxtool.c: control sending nonce

	* hxtool.c (request_create): store the request in a file, not in
	bitbucket.

	* cert.c: expose print_cert_subject internally

	* hxtool.c: Add ocsp_print.

	* hxtool-commands.in: New command "ocsp-print".

	* hx_locl.h: Include <hex.h>.

	* revoke.c (verify_ocsp): require issuer to match too.
	(free_ocsp): new function
	(hx509_revoke_ocsp_print): new function, print ocsp reply

	* Makefile.am: build CRMF files

	* data/key.der: needed for cert request test

	* test_req.in: adapt to rename of pkcs10-create to request-create

	* hxtool.c: adapt to rename of pkcs10-create to request-create

	* hxtool-commands.in: Rename pkcs10-create to request-create

	* crypto.c: (_hx509_parse_private_key): Avoid crashing on bad input.

	* hxtool.c (pkcs10_create): use opt->subject_string

	* hxtool-commands.in: Add pkcs10-create --subject

	* Makefile.am: Add test_req to tests.

	* test_req.in: Test for pkcs10 commands.

	* name.c (hx509_parse_name): new function.

	* hxtool.c (pkcs10_create): implement

	* hxtool-commands.in (pkcs10-create): Add arguments

	* crypto.c: Add _hx509_private_key2SPKI and support
	functions (only support RSA for now).

2006-04-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool-commands.in: Add pkcs10-create command.

	* hx509.h: Add hx509_request.

	* TODO: more stuff

	* Makefile.am: Add req.c

	* req.c: Create certificate requests, prototype converts the
	request in a pkcs10 packet.

	* hxtool.c: Add pkcs10_create

	* name.c (hx509_name_copy): new function.

2006-04-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* TODO: fill out what do

	* hxtool-commands.in: add pkcs10-print

	* hx_locl.h: Include <pkcs10_asn1.h>.

	* pkcs10.asn1: PKCS#10

	* hxtool.c (pkcs10_print): new function.

	* test_chain.in: test ocsp keyhash

	* data: generate ocsp keyhash version too

	* revoke.c (load_ocsp): test that we got back a BasicReponse

	* ocsp.asn1: Add asn1_id_pkix_ocsp*.

	* Makefile.am: Add asn1_id_pkix_ocsp*.

	* cert.c: Add HX509_QUERY_MATCH_KEY_HASH_SHA1

	* hx_locl.h: Add HX509_QUERY_MATCH_KEY_HASH_SHA1

	* revoke.c: Support OCSPResponderID.byKey, indent.

	* revoke.c (hx509_ocsp_request): Add nonce to ocsp request.

	* hxtool.c: Add nonce to ocsp request.

	* test_chain.in: Added crl tests

	* data/nist-data: rename missing-crl to missing-revoke

	* data: make ca use openssl ca command so we can add ocsp tests,
	and regen certs

	* test_chain.in: Add revoked ocsp cert test

	* cert.c: rename missing-crl to missing-revoke

	* revoke.c: refactor code, fix a un-init-ed variable

	* test_chain.in: rename missing-crl to missing-revoke add ocsp
	tests

	* test_cms.in: rename missing-crl to missing-revoke

	* hxtool.c: rename missing-crl to missing-revoke

	* hxtool-commands.in: rename missing-crl to missing-revoke

	* revoke.c: Plug one memory leak.

	* revoke.c: Renamed generic CRL related errors.

	* hx509_err.et: Comments and renamed generic CRL related errors

	* revoke.c: Add ocsp checker.

	* ocsp.asn1: Add id-kp-OCSPSigning

	* hxtool-commands.in: add url-path argument to ocsp-fetch

	* hxtool.c: implement ocsp-fetch

	* cert.c: Use HX509_DEFAULT_OCSP_TIME_DIFF.

	* hx_locl.h: Add ocsp_time_diff to hx509_context

	* crypto.c (_hx509_verify_signature_bitstring): new function,
	commonly use when checking certificates

	* cms.c (hx509_cms_envelope_1): check for internal ASN.1 encoder
	error

	* cert.c: Add ocsp glue, use new
	_hx509_verify_signature_bitstring, add eku checking function.

2006-03-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: add id_kp_OCSPSigning.x

	* revoke.c: Pick out certs in ocsp response

	* TODO: list of stuff to verify

	* revoke.c: Add code to load OCSPBasicOCSPResponse files, reload
	crl when it's changed on disk.

	* cert.c: Update for ocsp merge. handle building path w/o
	subject (using subject key id)

	* ks_p12.c: _hx509_map_file changed prototype.

	* file.c: _hx509_map_file changed prototype, returns struct stat
	if requested.

	* ks_file.c: _hx509_map_file changed prototype.

	* hxtool.c: Add stub for ocsp-fetch, _hx509_map_file changed
	prototype, add ocsp parsing to verify command.

	* hx_locl.h: rename HX509_CTX_CRL_MISSING_OK to
	HX509_CTX_VERIFY_MISSING_OK now that we have OCSP glue

2006-03-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* hx_locl.h: Add <krb5-types.h> to make it compile on Solaris,
	from Alex V. Labuta.

2006-03-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* crypto.c (_hx509_pbe_decrypt): try all passwords, not just the
	first one.

2006-03-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* print.c (check_altName): Print the othername oid.

	* crypto.c: Manual page claims RSA_public_decrypt will return -1
	on error, let's check for that

	* crypto.c (_hx509_pbe_decrypt): also try the empty password

	* collector.c (match_localkeyid): no need to add back the cert to
	the cert pool, it's already there.

	* crypto.c: Add REQUIRE_SIGNER

	* cert.c (hx509_cert_free): ok to free NULL

	* hx509_err.et: Add new error code SIGNATURE_WITHOUT_SIGNER.

	* name.c (_hx509_name_ds_cmp): make DirectoryString case
	insensitive
	(hx509_name_to_string): less spacing

	* cms.c: Check for signature error, check consistency of error

2006-03-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* collector.c (_hx509_collector_alloc): handle errors

	* cert.c (hx509_query_alloc): allocate slightly more than a
	sizeof(pointer)

	* crypto.c (_hx509_private_key_assign_key_file): ask for password
	if nothing matches.

	* cert.c: Expose more of the hx509_query interface.

	* collector.c: hx509_certs_find is now exposed.

	* cms.c: hx509_certs_find is now exposed.

	* revoke.c: hx509_certs_find is now exposed.

	* keyset.c (hx509_certs_free): allow free-ing NULL
	(hx509_certs_find): expose
	(hx509_get_one_cert): new function

	* hxtool.c: hx509_certs_find is now exposed.

	* hx_locl.h: Remove hx509_query, it's exposed now.

	* hx509.h: Add hx509_query.

2006-02-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* cert.c: Add exceptions for null (empty) subjectNames

	* data/nist-data: Add some more name constraints tests.

	* data/nist-data: Add some of the test from 4.13 Name Constraints.

	* cert.c: Name constraints needs to be evaluated in block as they
	appear in the certificates, they can not be joined to one
	list.
	One example of this is:

	- cert is cn=foo,dc=bar,dc=baz
	- subca is dc=foo,dc=baz with name restriction dc=kaka,dc=baz
	- ca is dc=baz with name restriction dc=baz

	If the name restrictions are merged to a list, the certificate
	will pass this test.

2006-02-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* cert.c: Handle more name constraints cases.

	* crypto.c (dsa_verify_signature): if test if malloc failed

2006-01-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c: Drop partial pkcs12 string2key implementation.

2006-01-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* data/nist-data: Add commented out DSA tests (they fail).

	* data/nist-data: Add 4.2 Validity Periods.

	* test_nist.in: Make less verbose to use.

	* Makefile.am: Add test_nist_cert.

	* data/nist-data: Add some more CRL-tests.

	* test_nist.in: Print $id instead of . when running the tests.

	* test_nist.in: Drop verifying certificates, it's done in another
	test now.

	* data/nist-data: fixup kill-rectangle leftovers

	* data/nist-data: Drop verifying certificates, it's done in another
	test now. Add more crl tests. comment out all unused tests.

	* test_nist_cert.in: test parse all nist certs

2006-01-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* hx509_err.et: Add HX509_CRL_UNKNOWN_EXTENSION.

	* revoke.c: Check for unknown extensions in CRLs and CRLEntries.

	* test_nist.in: Parse new format to handle CRL info.

	* test_chain.in: Add --missing-crl.

	* name.c (hx509_unparse_der_name): Rename from hx509_parse_name.
	(_hx509_unparse_Name): Add.

	* hxtool-commands.in: Add --missing-crl to verify commands.

	* hx509_err.et: Add CRL errors.

	* cert.c (hx509_context_set_missing_crl): new function Add CRL
	handling.

	* hx_locl.h: Add HX509_CTX_CRL_MISSING_OK.

	* revoke.c: Parse and verify CRLs (simplistic).

	* hxtool.c: Parse CRL info.

	* data/nist-data: Change format so we can deal with CRLs, also
	note the test-id from PKITS.

	* data: regenerate test

	* data/gen-req.sh: use static-file to generate tests

	* data/static-file: new file to use for committed tests

	* test_cms.in: Use static file, add --missing-crl.

2006-01-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* print.c: It's cRLReason, not cRLReasons.

	* hxtool.c: Attach revoke context to verify context.

	* data/nist-data: change syntax to make match better with crl
	checks

	* cert.c: Verify no certificates have been revoked with the new
	revoke interface.

	* Makefile.am: libhx509_la_SOURCES += revoke.c

	* revoke.c: Add framework for handling CRLs.

	* hx509.h: Add hx509_revoke_ctx.

2006-01-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* delete crypto_headers.h, use global file instead.

	* crypto.c (PBE_string2key): libdes now supports PKCS12_key_gen

2006-01-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* crypto_headers.h: Need BN_is_negative too.

2006-01-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c (p11_rsa_public_decrypt): since is wrong, don't provide
	it. PKCS11 can't do public_decrypt, it supports verify though. All
	this doesn't matter, since the code never goes through this path.

	* crypto_headers.h: Provide glue to compile with less warnings
	with OpenSSL

2006-01-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Depend on LIB_des

	* lock.c: Use "crypto_headers.h".

	* crypto_headers.h: Include the two different implementations of
	crypto headers.

	* cert.c: Use "crypto-headers.h". Load ENGINE configuration.

	* crypto.c: Make compile with both OpenSSL and heimdal libdes.

	* ks_p11.c: Add code for public key decryption (not supported yet)
	and use "crypto-headers.h".

2006-01-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* add a hx509_context where we can store configuration

	* p11.c,Makefile.am: pkcs11 is now supported by library, remove
	old files.

	* ks_p11.c: more paranoid on refcount, set refcounter earlier,
	reset pointers after free

	* collector.c (struct private_key): remove temporary key data
	storage, convert directly to a key
	(match_localkeyid): match certificate and key using localkeyid
	(match_keys): match certificate and key using _hx509_match_keys
	(_hx509_collector_collect): rewrite to use match_keys and
	match_localkeyid

	* crypto.c (_hx509_match_keys): function that determines if a
	private key matches a certificate, used when there is no
	localkeyid.
	(*) reset free pointer

	* ks_file.c: Rewrite to use collector and mapping support
	function.

	* ks_p11.c (rsa_pkcs1_method): constify

	* ks_p11.c: drop extra wrapping of p11_init

	* crypto.c (_hx509_private_key_assign_key_file): use function to
	extract rsa key

	* cert.c: Revert previous, refcounter is unsigned, so it can never
	be negative.

	* cert.c (hx509_cert_ref): more refcount paranoia

	* ks_p11.c: Implement rsa_private_decrypt and add stubs for public
	ditto.

	* ks_p11.c: Less printf, less memory leaks.

	* ks_p11.c: Implement signing using pkcs11.

	* ks_p11.c: Partly assign private key, enough to complete
	collection, but not any crypto functionality.

	* collector.c: Use hx509_private_key to assign private keys.

	* crypto.c: Remove most of the EVP_PKEY code, and use RSA
	directly, this temporarily removes DSA support.

	* hxtool.c (print_f): print if there is a friendly name and if
	there is a private key

2006-01-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* name.c: Avoid warning from missing __attribute__((noreturn))

	* lock.c (_hx509_lock_unlock_certs): return unlock certificates

	* crypto.c (_hx509_private_key_assign_ptr): new function, exposes
	EVP_PKEY
	(_hx509_private_key_assign_key_file): remember to free private key
	if there is one.

	* cert.c (_hx509_abort): add newline to output and flush stdout

	* Makefile.am: libhx509_la_SOURCES += collector.c

	* hx_locl.h: forward type declaration of struct hx509_collector.

	* collector.c: Support functions to collect certificates and
	private keys and then match them.

	* ks_p12.c: Use the new hx509_collector support functions.

	* ks_p11.c: Add enough glue to support certificate iteration.

	* test_nist_pkcs12.in: Less verbose.

	* cert.c (hx509_cert_free): if there is a private key associated
	with this cert, free it

	* print.c: Use _hx509_abort.

	* ks_p12.c: Use _hx509_abort.

	* hxtool.c: Use _hx509_abort.

	* crypto.c: Use _hx509_abort.

	* cms.c: Use _hx509_abort.

	* cert.c: Use _hx509_abort.

	* name.c: use _hx509_abort

2006-01-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* name.c (hx509_name_to_string): don't cut bmpString in half.

	* name.c (hx509_name_to_string): don't overwrite with 1 byte with
	bmpString.

	* ks_file.c (parse_certificate): avoid stomping before array

	* name.c (oidtostring): avoid leaking memory

	* keyset.c: Add _hx509_ks_dir_register.

	* Makefile.am (libhx509_la_SOURCES): += ks_dir.c

	* hxtool-commands.in: Remove pkcs11.

	* hxtool.c: Remove pcert_pkcs11.

	* ks_file.c: Factor out certificate parsing code.

	* ks_dir.c: Add new keystore that treats all files in a directory
	a keystore, useful for regression tests.

2005-12-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_nist_pkcs12.in: Test parse PKCS12 files from NIST.

	* data/nist-data: Can handle DSA certificate.

	* hxtool.c: Print error code on failure.

2005-10-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* crypto.c: Support DSA signature operations.

2005-10-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* print.c: Validate that issuerAltName and subjectAltName aren't
	empty.

2005-09-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* p11.c: Cast to unsigned char to avoid warning.

	* keyset.c: Register pkcs11 module.

	* Makefile.am: Add ks_p11.c, install hxtool.

	* ks_p11.c: Starting point of a pkcs11 module.

2005-09-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* lock.c: Implement prompter.

	* hxtool-commands.in: add --content to print

	* hxtool.c: Split verify and print.

	* cms.c: _hx509_pbe_decrypt now takes a hx509_lock.

	* crypto.c: Make _hx509_pbe_decrypt take a hx509_lock, workaround
	for empty password.

	* name.c: Add DC, handle all Directory strings, fix signless
	problems.

2005-09-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_query.in: Pass in --pass to all commands.

	* hxtool.c: Use option --pass.

	* hxtool-commands.in: Add --pass to all commands.

	* hx509_err.et: add UNKNOWN_LOCK_COMMAND and CRYPTO_NO_PROMPTER

	* test_cms.in: pass in password to cms-create-sd

	* crypto.c: Abstract out PBE_string2key so I can add PBE2 s2k
	later. Avoid signedness warnings with OpenSSL.

	* cms.c: Use void * instead of char * to avoid signedness
	issues

	* cert.c (hx509_cert_get_attribute): remove const, it's not

	* ks_p12.c: Cast size_t to unsigned long when print.

	* name.c: Fix signedness warning.

	* test_query.in: Use echo, the function check isn't defined here.

2005-08-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool-commands.in: Add more options that were missing.

2005-07-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_cms.in: Use --certificate= for enveloped/unenvelope.

	* hxtool.c: Use --certificate= for enveloped/unenvelope. Clean
	up.

	* test_cms.in: add EnvelopeData tests

	* hxtool.c: use id-envelopedData for ContentInfo

	* hxtool-commands.in: add contentinfo wrapping for create/unwrap
	enveloped data

	* hxtool.c: add contentinfo wrapping for create/unwrap enveloped
	data

	* data/gen-req.sh: add enveloped data (aes128)

	* crypto.c: add "new" RC2 oid

2005-07-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* hx_locl.h, cert.c: Add HX509_QUERY_MATCH_FUNCTION that allows
	caller to match by function, note that this doesn't not work
	directly for backends that implement ->query, they must do their
	own processing. (I'm running out of flags, only 12 left now)

	* test_cms.in: verify ContentInfo wrapping code in hxtool

	* hxtool-commands.in (cms_create_sd): support wrapping in content
	info spelling

	* hxtool.c (cms_create_sd): support wrapping in content info

	* test_cms.in: test more cms signeddata messages

	* data/gen-req.sh: generate SignedData

	* hxtool.c (cms_create_sd): support certificate store, add support
	to unwrap a ContentInfo the SignedData inside.

	* crypto.c: sprinkle rk_UNCONST

	* crypto.c: add DER NULL to the digest oid's

	* hxtool-commands.in: add --content-info to cms-verify-sd

	* cms.c (hx509_cms_create_signed_1): pass in a full
	AlgorithmIdentifier instead of heim_oid for digest_alg

	* crypto.c: make digest_alg a digest_oid, it's not needed right
	now

	* hx509_err.et: add CERT_NOT_FOUND

	* keyset.c (_hx509_certs_find): add error code for cert not
	found

	* cms.c (hx509_cms_verify_signed): add external store of
	certificates, use the right digest algorithm identifier.

	* cert.c: fix const warning

	* ks_p12.c: slightly less verbose

	* cert.c: add hx509_cert_find_subjectAltName_otherName, add
	HX509_QUERY_MATCH_FRIENDLY_NAME

	* hx509.h: add hx509_octet_string_list, remove bad comment

	* hx_locl.h: add HX509_QUERY_MATCH_FRIENDLY_NAME

	* keyset.c (hx509_certs_append): needs a hx509_lock, add one

	* Makefile.am: add test cases tempfiles to CLEANFILES

	* Makefile.am: add test_query to TESTS, fix dependency on hxtool
	sources on hxtool-commands.h

	* hxtool-commands.in: explain what signer is for create-sd

	* hxtool.c: add query, add more options to verify-sd and create-sd

	* test_cms.in: add more cms tests

	* hxtool-commands.in: add query, add more options to verify-sd

	* test_query.in: test query interface

	* data: fix filenames for ds/ke files, add pkcs12 files, regen

	* hxtool.c,Makefile.am,hxtool-commands.in: switch to slc

2005-07-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* cert.c (hx509_verify_destroy_ctx): add

	* hxtool.c: free hx509_verify_ctx

	* name.c (_hx509_name_ds_cmp): make sure all strings are not equal

2005-07-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: return error

	* keyset.c: return errors from iterations

	* test_chain.in: clean up checks

	* ks_file.c (parse_certificate): return errno's not 1 in case of
	error

	* ks_file.c (file_iter): make sure endpointer is NULL

	* ks_mem.c (mem_iter): follow conversion and return NULL when we
	get to the end, not ENOENT.

	* Makefile.am: test_chain depends on hxtool

	* data: test certs that last 10 years

	* data/gen-req.sh: script to generate test certs

	* Makefile.am: Add regression tests.

	* data: test certificate and keys

	* test_chain.in: test chain

	* hxtool.c (cms_create_sd): add KU digitalSignature as a
	requirement to the query

	* hx_locl.h: add KeyUsage query bits

	* hx509_err.et: add KeyUsage error

	* cms.c: add checks for KeyUsage

	* cert.c: more checks on KeyUsage, allow to query on them too

2005-07-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c: Add missing break.

	* hx_locl.h,cms.c,cert.c: allow matching on SubjectKeyId

	* hxtool.c: Use _hx509_map_file, _hx509_unmap_file and
	_hx509_write_file.

	* file.c (_hx509_write_file): in case of write error, return errno

	* file.c (_hx509_write_file): add a function that writes a data
	blob to disk too

	* Fix id-tags

	* Import mostly complete X.509 and CMS library. Handles PEM, DER,
	PKCS12 encoded certificates. Verifies RSA chains and handles
	CMS's SignedData, and EnvelopedData.