2020-03-25

2020-03-25 09:53:37 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Use old syntax for compatibility.

Modules in Pike 8.0 need to be syntax-compatible with all released
versions of Pike 8.0 (or at least Pike 8.0.232 and later).

Fixes #10024.

2020-02-26

2020-02-26 21:34:04 by Tobias S. Josefowitz <tobij@tobij.de>

Standards.X509: options can be a bool

Check if it is a mapping before accessing it as such.

2020-02-25

2020-02-25 13:21:05 by Per Hedbor <ph@opera.com>

Addressed code review issues

Forward port from Pike 8.0 as noted in #10012.

2020-02-25 13:12:15 by Simon Brenner <simonb@opera.com>

TURBO2-1409: Allow extra intermediates in certificate chains

Forward port from Pike 8.0 as noted in #10012:

Some servers send extraneous intermediate certificates that aren't
used to validate the leaf certificate. The Pike implementation of this
was quite to the letter of RFC5280/5246, which does say that each cert
has to be signed by the next certificate in the chain.

Only require that the certificates are in order, but ignore extra
certificates we didn't need to verify the leaf certificate.

2020-02-25 12:43:22 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Documentation [Standards.X509]: Fixed some typos.

Fixes #10012.

2020-02-25 12:40:13 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Documentation [Standards.X509]: Fixed some typos.

Fixes #10012.

2020-02-24

2020-02-24 00:56:48 by Tobias S. Josefowitz <tobij@tobij.de>

Standards.X509: options can be a bool

Check if it is a mapping before accessing it as such.

2020-02-24 00:10:59 by Tobias S. Josefowitz <tobij@tobij.de>

Standards.X509: Make signature algorithms configurable

2020-02-24 00:09:58 by Tobias S. Josefowitz <tobij@tobij.de>

Standards.X509: Make signature algorithms configurable

2019-11-02

2019-11-02 20:18:26 by Peter Bortas <bortas@gmail.com>

Change "?->" to the new "->?" syntax throughout Pike

2019-06-09

2019-06-09 11:32:10 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Fixed compilation error when X509_VALIDATION_DEBUG.

2019-06-04

2019-06-04 14:11:55 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Added some support for validation of Ed25519 certificates.

2019-03-19

2019-03-19 12:33:55 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Merge commit '722771973bd' into patches/lyslyskom22891031

* commit '722771973bd': (6177 commits)
Verify that callablep responses are aligned with reality.
...

2019-03-14

2019-03-14 10:39:03 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Merge commit '2470270f500c728d10b8895314d8d8b07016e37b' into grubba/typechecker-automap

* commit '2470270f500c728d10b8895314d8d8b07016e37b': (18681 commits)
Removed the old typechecker.
...

2018-11-04

2018-11-04 16:11:11 by Arne Goedeke <el@laramies.com>

Merge remote-tracking branch 'origin/master' into new_utf8

2018-11-03

2018-11-03 14:21:37 by Marcus Comstedt <marcus@mc.pp.se>

Merge remote-tracking branch 'origin/8.1' into gobject-introspection

2018-02-15

2018-02-15 15:54:26 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Merge commit '75c9d1806f1a69ca21c27a2c2fe1b4a6ea38e77e' into patches/pike63

* commit '75c9d1806f1a69ca21c27a2c2fe1b4a6ea38e77e': (19587 commits)
...

2017-05-28

2017-05-28 17:22:41 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Reduce code duplication.

Use a common function for adding certificates in load_authorities().

Also some minor documentation updates.

2016-11-11

2016-11-11 23:29:57 by Martin Nilsson <nilsson@fastmail.com>

Fix issues with missing ECC curves.

2016-10-24

2016-10-24 17:10:45 by Martin Nilsson <nilsson@fastmail.com>

Crash with more grace when ECDSA uses unsupported curve.

2016-04-22

2016-04-22 13:22:40 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Added X509_VALIDATION_DEBUG.

The above macro is intended to be used to debug why certificates
fail to validate, without drowning in other debug.

Also adds some more stuff to TBSCertificate()->_sprintf().

2016-04-22 13:22:19 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509 [MacOS X]: Try a few more keychain files.

It seems the files "X509Anchors" and "X509Certificates" are obsolete,
and have been replaced by "SystemRootCertificates.keychain" and
"SystemCACertificates.keychain".

Also makes sure to validate the certificates from Apple.Keychain.

2016-04-22 13:18:39 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509 [MacOS X]: Try a few more keychain files.

It seems the files "X509Anchors" and "X509Certificates" are obsolete,
and have been replaced by "SystemRootCertificates.keychain" and
"SystemCACertificates.keychain".

Also makes sure to validate the certificates from Apple.Keychain.

2016-04-22 13:18:39 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Added X509_VALIDATION_DEBUG.

The above macro is intended to be used to debug why certificates
fail to validate, without drowning in other debug.

Also adds some more stuff to TBSCertificate()->_sprintf().

2016-04-21

2016-04-21 16:05:41 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Missed a line during forward porting.

2016-04-21 16:01:19 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: load_authorities() now knows about ca-bundle.crt.

The certificate bundle file seems to have been split up and had
a change of names in RHEL 7.

Fixes validation of SSL certificates on RHEL 7.

2016-04-21 15:56:13 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: load_authorities() now knows about ca-bundle.crt.

The certificate bundle file seems to have been split up and had
a change of names in RHEL 7.

Fixes validation of SSL certificates on RHEL 7.

2016-04-21 14:56:24 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: load_authorities() now knows about Apple.Keychain.

Improves likelihood that the SSL root certificates will be found on MacOS X.

2016-04-21 14:54:16 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: load_authorities() now knows about Apple.Keychain.

Improves likelihood that the SSL root certificates will be found on MacOS X.

2016-03-04

2016-03-04 13:59:59 by Per Hedbor <ph@opera.com>

Addressed code review issues

2016-03-04 13:38:56 by Simon Brenner <simonb@opera.com>

TURBO2-1409: Allow extra intermediates in certificate chains

Some servers send extraneous intermediate certificates that aren't
used to validate the leaf certificate. The Pike implementation of this
was quite to the letter of RFC5280/5246, which does say that each cert
has to be signed by the next certificate in the chain.

Only require that the certificates are in order, but ignore extra
certificates we didn't need to verify the leaf certificate.

2015-12-10

2015-12-10 15:37:45 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Documentation [Standards.X509]: Fixed typo.

2015-12-10 13:11:45 by Tobias S. Josefowitz <tobij@tobij.de>

Revert "Standards.X509: set m->verified once only."

This reverts commit 75edcd8465228ae7b3ad8ca11ed5b8ce99c58e7b.

2015-12-10 11:45:33 by Tobias S. Josefowitz <tobij@tobij.de>

Standards.X509: set m->verified once only.

2015-12-10 11:41:17 by Tobias S. Josefowitz <tobij@tobij.de>

Standards.X509: only claim cert chain verified when no errors occurred

2015-11-08

2015-11-08 19:32:04 by Martin Nilsson <nilsson@fastmail.com>

load_authorities takes hundreds of milliseconds. Include an optional cache.

2015-11-08 01:33:09 by Martin Nilsson <nilsson@fastmail.com>

TBSCertificate fails with exception, so no need to check if tbs is 0. decode_signed can however return 0, so abort directly if that happens.

2015-11-08 00:59:50 by Martin Nilsson <nilsson@fastmail.com>

Updated documentation to mention that verify_certificate_chain also can return CERT_UNAUTHORIZED_CA and CERT_EXCEEDED_PATH_LENGTH.

2015-11-08 00:39:27 by Martin Nilsson <nilsson@fastmail.com>

Comment fixes.

2015-11-08 00:05:11 by Martin Nilsson <nilsson@fastmail.com>

Whitespace changes.

2015-09-26

2015-09-26 22:06:09 by Martin Nilsson <nilsson@fastmail.com>

Type cls and tag stronger.

2015-09-23

2015-09-23 15:43:40 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: parse_private_key() now knows about PKCS#8.

2015-09-23 15:42:13 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: parse_private_key() now knows about PKCS#8.

2015-08-22

2015-08-22 18:54:15 by Martin Nilsson <nilsson@fastmail.com>

Support linking direct to RFC anchor.

2015-08-21

2015-08-21 23:56:32 by Martin Nilsson <nilsson@fastmail.com>

Use @rfc{@} autodoc syntax.

2015-07-15

2015-07-15 09:40:09 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509.TBSCertificate: Added `hash().

This makes it much easier to get the hash algorithm from a TBS.

2015-05-28

2015-05-28 15:15:46 by Tobias S. Josefowitz <tobij@tobij.de>

And probably stop verifying after verification failure

2015-05-28 14:42:19 by Martin Nilsson <nilsson@opera.com>

We need to set verified to false for every certificate in the chain to fail properly.

2015-03-05

2015-03-05 17:11:04 by Martin Nilsson <nilsson@opera.com>

Trim ASN.1 APIs even more. Still need to decide on how to manage the internal DER cache.

2015-02-27

2015-02-27 16:49:39 by Martin Nilsson <nilsson@opera.com>

Allow verify_certificate_chain to have certificate objects in its chain argument.

2015-02-27 16:32:47 by Martin Nilsson <nilsson@opera.com>

Move verification code to more appropriate places.

2015-02-27 16:16:21 by Martin Nilsson <nilsson@opera.com>

Whitespace changes.

2015-02-27 16:13:08 by Martin Nilsson <nilsson@opera.com>

Use the .PKCS.Signature.Signed accessors instead of indexing raw ASN.1.

2015-02-01

2015-02-01 22:57:02 by Martin Nilsson <nilsson@opera.com>

Verify that the algorithm identifiers match in the certificate.

2015-01-20

2015-01-20 16:16:01 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.PKCS.Signature: Added decode_signed().

2014-12-04

2014-12-04 19:27:21 by Per Hedbor <ph@opera.com>

These softcasts generated "is noop" warning

2014-12-04 19:27:17 by Martin Nilsson <nilsson@opera.com>

Make illegal casts throw exception.

2014-12-04 19:27:12 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.PKCS: Updated to the new Crypto.Sign API.

2014-12-04 19:26:51 by Martin Nilsson <nilsson@opera.com>

Allow time to be set through ASN.1 UTC constructor

2014-12-04 19:26:49 by Martin Nilsson <nilsson@opera.com>

Some certificate conformance fixes. RFC 5280 4.1.2.2

2014-12-04 19:26:35 by Martin Nilsson <nilsson@opera.com>

Simplify the code a bit by not having cls and tag as constants.

2014-12-04 19:26:35 by Martin Nilsson <nilsson@opera.com>

Now that class and tag propagates, we don't have to make wrapper classes.

2014-12-04 19:26:31 by Martin Nilsson <nilsson@opera.com>

Basic constraints cA is declared false by default, so an empty sequence is legal (and more space efficient).

2014-12-04 19:26:24 by Martin Nilsson <nilsson@opera.com>

Subject and issuer DN were mixed up in make_site_certificate

2014-12-04 19:26:22 by Martin Nilsson <nilsson@opera.com>

Added ugly methods to generate root and site certificates.

2014-12-04 19:26:22 by Martin Nilsson <nilsson@opera.com>

Check the date of all certificates in the chain.

2014-12-04 19:26:22 by Martin Nilsson <nilsson@opera.com>

More generic fix.

2014-12-04 19:26:21 by Martin Nilsson <nilsson@opera.com>

Changed make_selfsigned_certificate API to take a mapping of extensions.

2014-12-04 19:26:18 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.ASN1: Added some AutoDoc mk II markup.

Also added some other comments.

2014-12-04 19:26:18 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Added generic parse_private_key().

Also adds variants of Standards.PKCS.{D,ECD,R}SA.parse_private_key()
that operate directly on ASN.1 sequences.

2014-12-04 19:26:16 by Martin Nilsson <nilsson@opera.com>

Better _sprintf.

2014-12-04 19:26:12 by Martin Nilsson <nilsson@opera.com>

Fixed extension values for self signed certificates.

2014-12-04 19:26:03 by Martin Nilsson <nilsson@opera.com>

Don't add duplicates to load_authorities response.

2014-12-04 19:26:02 by Martin Nilsson <nilsson@opera.com>

Implement the private types somewhat more properly.

2014-12-04 19:26:02 by Martin Nilsson <nilsson@opera.com>

Expose the keyUsage enum.

2014-12-04 19:26:02 by Martin Nilsson <nilsson@opera.com>

Implement the private types somewhat more properly.

2014-12-04 19:26:01 by Martin Nilsson <nilsson@opera.com>

Improved strict types a bit.

2014-12-04 19:26:01 by Martin Nilsson <nilsson@opera.com>

Added partial subjectAltName support.

2014-12-04 19:26:01 by Martin Nilsson <nilsson@opera.com>

Add extended key usage support.

2014-12-04 19:26:01 by Martin Nilsson <nilsson@opera.com>

Added support for extension local ASN1 types. Implemented parsing of authorityKeyIdentifier keyIdentifier (i.e. key hash).

2014-12-04 19:26:01 by Martin Nilsson <nilsson@opera.com>

Updated the documentation to verify_certificate_chain. Add the decoded certificates in the returned mapping. Don't check the keyUsage of the leaf node.

2014-12-04 19:25:59 by Martin Nilsson <nilsson@opera.com>

Move the certificate extension parsing into the TBSCertificate object. Not really a great API, but we need to start somewhere.

2014-12-04 19:25:59 by Martin Nilsson <nilsson@opera.com>

Handle the keyUsage properly. All 9 flags can now be extracted, and the BitString is now generated in its most compact form.

2014-12-04 19:25:59 by Martin Nilsson <nilsson@opera.com>

Verify time-validity of CA certificates.

2014-12-04 19:25:59 by Martin Nilsson <nilsson@opera.com>

verify_certificate_chain now stores all non-fatal errors.

2014-12-04 19:25:59 by Martin Nilsson <nilsson@opera.com>

Future proofing.

2014-12-04 19:25:59 by Martin Nilsson <nilsson@opera.com>

Improve the API a bit by having ext_basicConstraints_pathLenConstraint be the number of following certificates, instead of only intermediate certificates.

2014-12-04 19:25:59 by Martin Nilsson <nilsson@opera.com>

Added certificate check failure modes CERT_EXCEEDED_PATH_LENGTH and CERT_UNAUTHORIZED_SIGNING. Improved the extensions code somewhat and removed some debug left on.

2014-12-04 19:25:56 by Martin Nilsson <nilsson@opera.com>

Use multiset for critical flags everywhere.

2014-12-04 19:25:55 by Martin Nilsson <nilsson@opera.com>

ASN1 Identifiers can be compared directly. Remove some DER indirections.

2014-12-04 19:25:54 by Martin Nilsson <nilsson@opera.com>

Only check system time once per chain verification.

2014-12-04 19:25:54 by Martin Nilsson <nilsson@opera.com>

Verify that the root certificates can act as roots.

2014-12-04 19:25:44 by Martin Nilsson <nilsson@opera.com>

Added possibly working basic constraints check to verify_certificate_chain. Next step is probably to figure out what the API ought to look like...

2014-12-04 19:25:43 by Martin Nilsson <nilsson@opera.com>

The serialization of keyUsage was uglier than I thought. Fixed.

2014-12-04 19:25:43 by Martin Nilsson <nilsson@opera.com>

Something is not working with the keyUsage extension.

2014-12-04 19:25:42 by Martin Nilsson <nilsson@opera.com>

Generate appropriate extensions on self signed certificates. More WIP on certificate validation.

2014-12-04 19:25:39 by Martin Nilsson <nilsson@opera.com>

Ensure serial is positive (+ some insignificant changes)

2014-12-04 19:25:36 by Martin Nilsson <nilsson@opera.com>

Added FIXMEs

2014-12-04 19:25:29 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Added load_authorities().

Added a convenience function for loading a set of authoritative
certificates (aka CA-certs).

2014-12-04 19:25:29 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Support multiple verifiers for a single auth.

Authorities may have several certificates valid at the same time,
make sure to test them all.

2014-12-04 19:25:22 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509.Verifier: Mark variables rsa and dsa deprecated.

2014-12-04 19:25:21 by Martin Nilsson <nilsson@opera.com>

Added ECDSA SHA1, and some additional debug.

2014-12-04 19:25:21 by Martin Nilsson <nilsson@opera.com>

With not only RSA certificates working, and the API made cipher-agnostic, there is no need to access crypto primitives directly. Deprecate the direct access (though it appears that neither prototypes nor getters/setters can actually use deprecation attributes).

2014-12-04 19:25:20 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Accept zero as last argument in make_tbs().

For compat reasons make_tbs() needs to also accept zero (and not
UNDEFINED) as the last argument (ie extensions).

Fixes testsuite failure.

2014-12-04 19:25:19 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Fixed some typos.

2014-12-04 19:25:17 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509.TBSCertificate: Support {issuer,subject}_id.

The optional fields issuerUniqueID and subjectUniqueID from X509v2
now seem to encode and decode properly.

2014-12-04 19:25:16 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Return TBSCertificate objects from make_tbs().

FIXME: Note that this patch also moves the function to after the
definition of the TBSCertificate class to work around a compiler bug.

2014-12-04 19:25:16 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: make_tbs() now returns a TBSCertificate.

This provides a somewhat nicer API.

2014-12-04 19:25:15 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Use sign_tbs() in sign_key().

Clean up the code in sign_key() by using the new sign_tbs().

Also some Autodoc markup adjustments.

2014-12-04 19:25:15 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.ASN1.TBSCertificate: Implement the ASN.1 API.

The TBSCertificate class is now a Standards.ASN1.Types.Sequence
that has been extended with some accessors and verifiers. It can
now be used just like any other Standards.ASN1.Types.* class.

2014-12-04 19:25:15 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Added sign_tbs().

This provides a simple way of (re-)signing a TBSCertificate.

2014-12-04 19:25:15 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509.TBSCertificate: Added some more entries.

Adds direct access to validity and keyinfo.

2014-12-04 19:25:15 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509.TBSCertificate: Some bugfixes.

Fixed clearing of extensions state when reducing version from 3.

Now supports reducing version from 3 to 2.

Fixed some state handling when parsing version 2 fields.

2014-12-04 19:25:15 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509.TBSCertificate: Fixed infinite loop.

`der() called get_der(), which starts by getting the value of
the der variable, looping ensued.

2014-12-04 19:25:10 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Crypto.ECC.Curve: Fixed pkcs_ec_parameters().

The curve identifier should not be wrapped in a sequence.

Fixes interoperability with OpenSSL and GNUTLS.

2014-12-04 19:25:09 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Crypto.Sign: Added base class for signature algorithms.

Crypto.Sign is to contain the APIs common to Crypto.RSA, Crypto.DSA
and Crypto.ECC.Curve.ECDSA.

2014-12-04 19:25:09 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Support ECDSA certificates.

Standards.X509.decode_certificate() now knows about ECDSA certificates.

2014-12-04 19:25:07 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Crypto.RSA: pkcs_algorithm_id() ==> pkcs_signature_algorithm_id()

Renamed the function above in Crypto.RSA and Crypto.DSA to
avoid confusion with the similar algorithm_identifier().

2014-12-04 19:24:52 by Martin Nilsson <nilsson@opera.com>

Simplify Verifier even more.

2014-12-04 19:24:48 by Martin Nilsson <nilsson@opera.com>

Removed the broken CA constraint check from verify_certificate_chain() and added a new method, verify_root_certificate() that does some minimal checking against the X.509 correctness for CA certificates. Incompatible change is that the extensions blob is now replaced with actually parsed data.

2014-12-04 19:24:45 by Martin Nilsson <nilsson@opera.com>

Some cleanup.

2014-12-04 19:24:44 by Martin Nilsson <nilsson@opera.com>

Changed internal time representation to posix time int.

2014-12-04 19:24:43 by Martin Nilsson <nilsson@opera.com>

Refactored RSA verification to reduce code duplication.

2014-12-04 19:24:43 by Martin Nilsson <nilsson@opera.com>

Unified signature and verification methods with RSA.

2014-12-04 19:24:43 by Martin Nilsson <nilsson@opera.com>

Refactoring of verifier internals.

2014-12-04 19:24:43 by Martin Nilsson <nilsson@opera.com>

Added support for validating DSA SHA224/SHA256 certificates.

2014-12-04 19:24:43 by Martin Nilsson <nilsson@opera.com>

Fix for old versions of Nettle.

2014-12-04 19:24:43 by Martin Nilsson <nilsson@opera.com>

Added support for generating certificates signed with RSA with MD2/MD5/SHA256/SHA384/SHA512 and DSA with SHA224/SHA256. The new default hash is SHA256 (old was SHA1).

2014-12-04 19:24:43 by Martin Nilsson <nilsson@opera.com>

A slightly more abstract interface for RSA PKCS sign/verify. Remove redundant code from X509.

2014-12-04 19:24:43 by Martin Nilsson <nilsson@opera.com>

Comment fix.

2014-12-04 19:24:42 by Martin Nilsson <nilsson@opera.com>

Simplified the Standards.PKCS.Certificate.build_distinguished_name().

2014-12-04 19:24:42 by Martin Nilsson <nilsson@opera.com>

Fixed DSA certificate generation.

2014-12-04 19:24:42 by Martin Nilsson <nilsson@opera.com>

Documentation updates

2014-12-04 19:24:41 by Martin Nilsson <nilsson@opera.com>

Don't crash on completely illegal RSA/DSA keys.

2014-12-04 19:24:40 by Martin Nilsson <nilsson@opera.com>

Can now verify DSA with SHA1.

2014-12-04 19:24:40 by Martin Nilsson <nilsson@opera.com>

Improved the _sprintf of TBSCertificate.

2014-12-04 19:24:40 by Martin Nilsson <nilsson@opera.com>

Added support for validating SHA-2 256/384/512 certificates.

2014-12-04 19:24:19 by Martin Nilsson <nilsson@opera.com>

Merged dsa_sign_key with rsa_sign key, and make_selfsigned_dsa_certificate with make_selfsigned_rsa_certificate. These are obsoleted by sign_key and make_selfsigned_certificate

2014-12-04 19:24:17 by Martin Nilsson <nilsson@opera.com>

Allow serial number to be set explicitly.

2014-12-04 19:24:04 by Martin Nilsson <nilsson@opera.com>

Added some convenience to compound ASN.1 objects.

2014-12-04 19:24:04 by Martin Nilsson <nilsson@opera.com>

Deprecate debug_string better.

2014-12-04 19:24:02 by Martin Nilsson <nilsson@opera.com>

Documentation update

2014-12-04 19:24:02 by Martin Nilsson <nilsson@opera.com>

Improved the types a bit. Use Calendar directly, since all code paths need it.

2014-12-04 19:24:02 by Martin Nilsson <nilsson@opera.com>

Polished the API a bit.

2014-12-04 19:24:01 by Martin Nilsson <nilsson@opera.com>

Copied from Tools

2014-11-03

2014-11-03 16:44:09 by Martin Nilsson <nilsson@opera.com>

Moved deprecated methods to compat.

2014-11-03 15:07:18 by Martin Nilsson <nilsson@opera.com>

Use the new PEM methods.

2014-10-20

2014-10-20 16:11:31 by Martin Nilsson <nilsson@opera.com>

When assignment runs code you'll get weird bugs like this.

2014-10-20 16:10:35 by Martin Nilsson <nilsson@opera.com>

When assignment runs code you'll get weird bugs like this.

2014-10-12

2014-10-12 18:55:42 by Martin Nilsson <nilsson@opera.com>

Don't import Standards.PKCS.

2014-09-30

2014-09-30 17:47:24 by Martin Nilsson <nilsson@opera.com>

Reworked some of the debug code.

2014-09-30 17:15:42 by Martin Nilsson <nilsson@opera.com>

Only attempt to import PEM CERTIFICATE parts.

2014-09-30 16:20:55 by Martin Nilsson <nilsson@opera.com>

this_program:: -> this::

2014-09-30 00:04:44 by Martin Nilsson <nilsson@opera.com>

No, I had it right the first time. (Though DSA wasn't.)

2014-09-29

2014-09-29 23:55:47 by Martin Nilsson <nilsson@opera.com>

Verify that no additional payload is hidden in ASN.1 structures.

2014-09-29 23:32:15 by Martin Nilsson <nilsson@opera.com>

No parameters means one element less, not a Null element.

2014-09-29 14:18:41 by Martin Nilsson <nilsson@opera.com>

Support dates beyond 2050.

2014-09-29 00:08:09 by Martin Nilsson <nilsson@opera.com>

Make make_key_usage_flags internal for now.

2014-09-28

2014-09-28 22:37:36 by Martin Nilsson <nilsson@opera.com>

Set keyAgreement flag on ECDSA certificates.

2014-09-04

2014-09-04 15:57:43 by Arne Goedeke <el@laramies.com>

Merge remote-tracking branch 'origin/8.0' into string_alloc

Conflicts:
src/stralloc.c

2014-08-27

2014-08-27 14:53:22 by Martin Nilsson <nilsson@opera.com>

Serialize TBSCertificate by storing the Sequence and regenerate the other fields.

2014-08-22

2014-08-22 18:02:24 by Arne Goedeke <el@laramies.com>

Merge remote-tracking branch 'origin/8.0' into string_alloc

2014-08-20

2014-08-20 09:58:12 by Per Hedbor <ph@opera.com>

These softcasts generated "is noop" warning

2014-08-16

2014-08-16 21:26:00 by Martin Nilsson <nilsson@opera.com>

Make illegal casts throw exception.

2014-08-14

2014-08-14 14:51:36 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.PKCS: Updated to the new Crypto.Sign API.

2014-07-16

2014-07-16 15:15:25 by Martin Nilsson <nilsson@opera.com>

Allow time to be set through ASN.1 UTC constructor

2014-07-14

2014-07-14 14:29:37 by Martin Nilsson <nilsson@opera.com>

Some certificate conformance fixes. RFC 5280 4.1.2.2

2014-06-09

2014-06-09 22:07:40 by Martin Nilsson <nilsson@opera.com>

Now that class and tag propagates, we don't have to make wrapper classes.

2014-06-09 14:14:02 by Martin Nilsson <nilsson@opera.com>

Simplify the code a bit by not having cls and tag as constants.

2014-05-27

2014-05-27 21:48:43 by Martin Nilsson <nilsson@opera.com>

Basic constraints cA is declared false by default, so an empty sequence is legal (and more space efficient).

2014-05-21

2014-05-21 14:49:13 by Martin Nilsson <nilsson@opera.com>

Subject and issuer DN were mixed up in make_site_certificate

2014-05-18

2014-05-18 16:05:22 by Martin Nilsson <nilsson@opera.com>

Check the date of all certificates in the chain.

2014-05-18 15:00:54 by Martin Nilsson <nilsson@opera.com>

More generic fix.

2014-05-18 10:31:02 by Martin Nilsson <nilsson@opera.com>

Added ugly methods to generate root and site certificates.

2014-05-16

2014-05-16 15:04:39 by Martin Nilsson <nilsson@opera.com>

Changed make_selfsigned_certificate API to take a mapping of extensions.

2014-05-14

2014-05-14 17:48:23 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.ASN1: Added some AutoDoc mk II markup.

Also added some other comments.

2014-05-13

2014-05-13 15:34:54 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Added generic parse_private_key().

Also adds variants of Standards.PKCS.{D,ECD,R}SA.parse_private_key()
that operate directly on ASN.1 sequences.

2014-05-12

2014-05-12 14:14:12 by Martin Nilsson <nilsson@opera.com>

Better _sprintf.

2014-05-08

2014-05-08 15:32:39 by Martin Nilsson <nilsson@opera.com>

Fixed extension values for self signed certificates.

2014-04-30

2014-04-30 15:59:55 by Martin Nilsson <nilsson@opera.com>

Don't add duplicates to load_authorities response.

2014-04-29

2014-04-29 17:03:23 by Martin Nilsson <nilsson@opera.com>

Expose the keyUsage enum.

2014-04-28

2014-04-28 17:01:38 by Martin Nilsson <nilsson@opera.com>

Implement the private types somewhat more properly.

2014-04-28 16:48:26 by Martin Nilsson <nilsson@opera.com>

Implement the private types somewhat more properly.

2014-04-28 15:49:33 by Martin Nilsson <nilsson@opera.com>

Added partial subjectAltName support.

2014-04-28 15:32:26 by Martin Nilsson <nilsson@opera.com>

Added support for extension local ASN1 types. Implemented parsing of authorityKeyIdentifier keyIdentifier (i.e. key hash).

2014-04-28 14:34:02 by Martin Nilsson <nilsson@opera.com>

Add extended key usage support.

2014-04-28 13:38:56 by Martin Nilsson <nilsson@opera.com>

Improved strict types a bit.

2014-04-28 11:52:23 by Martin Nilsson <nilsson@opera.com>

Updated the documentation to verify_certificate_chain. Add the decoded certificates in the returned mapping. Don't check the keyUsage of the leaf node.

2014-04-27

2014-04-27 15:39:16 by Martin Nilsson <nilsson@opera.com>

Improve the API a bit by having ext_basicConstraints_pathLenConstraint be the number of following certificates, instead of only intermediate certificates.

2014-04-27 15:32:51 by Martin Nilsson <nilsson@opera.com>

Added certificate check failure modes CERT_EXCEEDED_PATH_LENGTH and CERT_UNAUTHORIZED_SIGNING. Improved the extensions code somewhat and removed some debug left on.

2014-04-27 00:30:47 by Martin Nilsson <nilsson@opera.com>

verify_certificate_chain now stores all non-fatal errors.

2014-04-26

2014-04-26 21:23:42 by Martin Nilsson <nilsson@opera.com>

Future proofing.

2014-04-26 21:18:06 by Martin Nilsson <nilsson@opera.com>

Handle the keyUsage properly. All 9 flags can now be extracted, and the BitString is now generated in its most compact form.

2014-04-26 19:46:15 by Martin Nilsson <nilsson@opera.com>

Move the certificate extension parsing into the TBSCertificate object. Not really a great API, but we need to start somewhere.

2014-04-26 13:37:41 by Martin Nilsson <nilsson@opera.com>

Verify time-validity of CA certificates.

2014-04-25

2014-04-25 14:20:10 by Martin Nilsson <nilsson@opera.com>

Use multiset for critical flags everywhere.

2014-04-22

2014-04-22 12:37:42 by Martin Nilsson <nilsson@opera.com>

ASN1 Identifiers can be compared directly. Remove some DER indirections.

2014-04-21

2014-04-21 17:45:49 by Martin Nilsson <nilsson@opera.com>

Only check system time once per chain verification.

2014-04-21 17:36:27 by Martin Nilsson <nilsson@opera.com>

Verify that the root certificates can act as roots.

2014-04-05

2014-04-05 00:43:13 by Martin Nilsson <nilsson@opera.com>

Added possibly working basic constraints check to verify_certificate_chain. Next step is probably to figure out what the API ought to look like...

2014-04-03

2014-04-03 19:32:48 by Martin Nilsson <nilsson@opera.com>

The serialization of keyUsage was uglier than I thought. Fixed.

2014-04-01

2014-04-01 23:27:12 by Martin Nilsson <nilsson@opera.com>

Something is not working with the keyUsage extension.

2014-03-29

2014-03-29 22:39:21 by Martin Nilsson <nilsson@opera.com>

Generate appropriate extensions on self signed certificates. More WIP on certificate validation.

2014-03-24

2014-03-24 16:39:07 by Martin Nilsson <nilsson@opera.com>

Ensure serial is positive (+ some insignificant changes)

2014-03-19

2014-03-19 12:14:02 by Martin Nilsson <nilsson@opera.com>

Added FIXMEs

2014-03-05

2014-03-05 19:28:34 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Added load_authorities().

Added a convenience function for loading a set of authoritative
certificates (aka CA-certs).

2014-03-04

2014-03-04 20:24:49 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Support multiple verifiers for a single auth.

Authorities may have several certificates valid at the same time,
make sure to test them all.

2014-02-21

2014-02-21 19:01:52 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509.Verifier: Mark variables rsa and dsa deprecated.

2014-02-21 15:52:01 by Martin Nilsson <nilsson@opera.com>

With not only RSA certificates working, and the API made cipher-agnostic, there is no need to access crypto primitives directly. Deprecate the direct access (though it appears that neither prototypes nor getters/setters can actually use deprecation attributes).

2014-02-20

2014-02-20 23:08:08 by Martin Nilsson <nilsson@opera.com>

Added ECDSA SHA1, and some additional debug.

2014-02-18

2014-02-18 13:02:16 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Accept zero as last argument in make_tbs().

For compat reasons make_tbs() needs to also accept zero (and not
UNDEFINED) as the last argument (ie extensions).

Fixes testsuite failure.

2014-02-17

2014-02-17 14:05:32 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Fixed some typos.

2014-02-13

2014-02-13 19:14:34 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509.TBSCertificate: Support {issuer,subject}_id.

The optional fields issuerUniqueID and subjectUniqueID from X509v2
now seem to encode and decode properly.

2014-02-11

2014-02-11 22:11:41 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: make_tbs() now returns a TBSCertificate.

This provides a somewhat nicer API.

2014-02-11 22:11:41 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Return TBSCertificate objects from make_tbs().

FIXME: Note that this patch also moves the function to after the
definition of the TBSCertificate class to work around a compiler bug.

2014-02-10

2014-02-10 18:11:19 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509.TBSCertificate: Some bugfixes.

Fixed clearing of extensions state when reducing version from 3.

Now supports reducing version from 3 to 2.

Fixed some state handling when parsing version 2 fields.

2014-02-09

2014-02-09 18:53:25 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509.TBSCertificate: Added some more entries.

Adds direct access to validity and keyinfo.

2014-02-08

2014-02-08 18:56:08 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509.TBSCertificate: Fixed infinite loop.

`der() called get_der(), which starts by getting the value of
the der variable, looping ensued.

2014-02-08 16:29:57 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.ASN1.TBSCertificate: Implement the ASN.1 API.

The TBSCertificate class is now a Standards.ASN1.Types.Sequence
that has been extended with some accessors and verifiers. It can
now be used just like any other Standards.ASN1.Types.* class.

2014-02-07

2014-02-07 17:40:42 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Use sign_tbs() in sign_key().

Clean up the code in sign_key() by using the new sign_tbs().

Also some Autodoc markup adjustments.

2014-02-06

2014-02-06 22:27:25 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Added sign_tbs().

This provides a simple way of (re-)signing a TBSCertificate.

2014-01-13

2014-01-13 16:49:43 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Crypto.ECC.Curve: Fixed pkcs_ec_parameters().

The curve identifier should not be wrapped in a sequence.

Fixes interoperability with OpenSSL and GNUTLS.

2014-01-13 14:24:08 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: Support ECDSA certificates.

Standards.X509.decode_certificate() now knows about ECDSA certificates.

2014-01-13 13:04:02 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Crypto.Sign: Added base class for signature algorithms.

Crypto.Sign is to contain the APIs common to Crypto.RSA, Crypto.DSA
and Crypto.ECC.Curve.ECDSA.

2014-01-11

2014-01-11 13:30:06 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Crypto.RSA: pkcs_algorithm_id() ==> pkcs_signature_algorithm_id()

Renamed the function above in Crypto.RSA and Crypto.DSA to
avoid confusion with the similar algorithm_identifier().

2014-01-05

2014-01-05 15:14:13 by Marcus Comstedt <marcus@mc.pp.se>

Merge branch '8.0' into gobject-introspection

2013-12-04

2013-12-04 16:42:45 by Martin Nilsson <nilsson@opera.com>

Simplify Verifier even more.

2013-11-28

2013-11-28 22:46:59 by Martin Nilsson <nilsson@opera.com>

Removed the broken CA constraint check from verify_certificate_chain() and added a new method, verify_root_certificate() that does some minimal checking against the X.509 correctness for CA certificates. Incompatible change is that the extensions blob is now replaced with actually parsed data.

2013-11-24

2013-11-24 14:53:39 by Martin Nilsson <nilsson@opera.com>

Some cleanup.

2013-11-22

2013-11-22 19:07:14 by Martin Nilsson <nilsson@opera.com>

Changed internal time representation to posix time int.

2013-11-22 00:20:43 by Martin Nilsson <nilsson@opera.com>

Added support for generating certificates signed with RSA with MD2/MD5/SHA256/SHA384/SHA512 and DSA with SHA224/SHA256. The new default hash is SHA256 (old was SHA1).

2013-11-21

2013-11-21 23:31:43 by Martin Nilsson <nilsson@opera.com>

Comment fix.

2013-11-21 23:29:42 by Martin Nilsson <nilsson@opera.com>

Refactoring of verifier internals.

2013-11-21 23:16:46 by Martin Nilsson <nilsson@opera.com>

Added support for validating DSA SHA224/SHA256 certificates.

2013-11-21 22:39:19 by Martin Nilsson <nilsson@opera.com>

Unified signature and verification methods with RSA.

2013-11-21 22:16:06 by Martin Nilsson <nilsson@opera.com>

A slightly more abstract interface for RSA PKCS sign/verify. Remove redundant code from X509.

2013-11-21 21:48:32 by Martin Nilsson <nilsson@opera.com>

Fix for old versions of Nettle.

2013-11-21 21:41:00 by Martin Nilsson <nilsson@opera.com>

Refactored RSA verification to reduce code duplication.

2013-11-21 15:49:09 by Martin Nilsson <nilsson@opera.com>

Documentation updates

2013-11-21 15:31:14 by Martin Nilsson <nilsson@opera.com>

Simplified the Standards.PKCS.Certificate.build_distinguished_name().

2013-11-21 14:40:36 by Martin Nilsson <nilsson@opera.com>

Fixed DSA certificate generation.

2013-11-21 13:48:14 by Martin Nilsson <nilsson@opera.com>

Don't crash on completely illegal RSA/DSA keys.

2013-11-19

2013-11-19 17:58:16 by Martin Nilsson <nilsson@opera.com>

Can now verify DSA with SHA1.

2013-11-19 14:05:50 by Martin Nilsson <nilsson@opera.com>

Added support for validating SHA-2 256/384/512 certificates.

2013-11-19 14:05:50 by Martin Nilsson <nilsson@opera.com>

Improved the _sprintf of TBSCertificate.

2013-10-29

2013-10-29 15:56:02 by Martin Nilsson <nilsson@opera.com>

Merged dsa_sign_key with rsa_sign key, and make_selfsigned_dsa_certificate with make_selfsigned_rsa_certificate. These are obsoleted by sign_key and make_selfsigned_certificate

2013-10-28

2013-10-28 14:23:17 by Martin Nilsson <nilsson@opera.com>

Allow serial number to be set explicitly.

2013-08-30

2013-08-30 16:06:30 by Martin Nilsson <nilsson@opera.com>

Added some convenience to compound ASN.1 objects.

2013-08-30 15:21:59 by Martin Nilsson <nilsson@opera.com>

Deprecate debug_string better.

2013-08-16

2013-08-16 15:00:28 by Martin Nilsson <nilsson@opera.com>

Improved the types a bit. Use Calendar directly, since all code paths need it.

2013-08-16 14:18:32 by Martin Nilsson <nilsson@opera.com>

Polished the API a bit.

2013-08-16 01:21:45 by Martin Nilsson <nilsson@opera.com>

Documentation update

2013-08-15

2013-08-15 20:01:18 by Martin Nilsson <nilsson@opera.com>

Copied from Tools