Commit Graph

297 Commits

Author SHA1 Message Date
Dr. Stephen Henson
5d7c222db8 New X509_VERIFY_PARAM structure and associated functionality.
This tidies up verify parameters and adds support for integrated policy
checking.

Add support for policy related command line options. Currently only in smime
application.

WARNING: experimental code subject to change.
2004-09-06 18:43:01 +00:00
Dr. Stephen Henson
eda52e175a Delete obsolete and unimplemented function. 2004-05-19 17:05:02 +00:00
Richard Levitte
c4fc8b5bf4 X509_policy_lib_init is declared but not defined, so it raises havoc
when trying to build a shared library on VMS or Windows...
2004-05-19 14:19:51 +00:00
Geoff Thorpe
9c52d2cc75 After the latest round of header-hacking, regenerate the dependencies in
the Makefiles. NB: this commit is probably going to generate a huge posting
and it is highly uninteresting to read.
2004-05-17 19:26:06 +00:00
Geoff Thorpe
c57bc2dc51 make update 2004-04-19 18:33:41 +00:00
Geoff Thorpe
60a938c6bc (oops) Apologies all, that last header-cleanup commit was from the wrong
tree. This further reduces header interdependencies, and makes some
associated cleanups.
2004-04-19 18:09:28 +00:00
Dr. Stephen Henson
b6a5fdb8a7 Don't use C++ reserved word. 2004-04-01 22:23:46 +00:00
Dr. Stephen Henson
e1a27eb34a Allow CRLs to be passed into X509_STORE_CTX. This is useful when the
verified structure can contain its own CRLs (such as PKCS#7 signedData).

Tidy up some of the verify code.
2004-03-27 22:49:28 +00:00
Dr. Stephen Henson
b79c82eaab Fix loads of warnings in policy code.
I'll remember to try to compile this with warnings enabled next time :-)
2004-03-25 13:45:58 +00:00
Dr. Stephen Henson
4acc3e907d Initial support for certificate policy checking and evaluation.
This is currently *very* experimental and needs to be more fully integrated
with the main verification code.
2004-03-23 14:14:35 +00:00
Richard Levitte
875a644a90 Constify d2i, s2i, c2i and r2i functions and other associated
functions and macros.

This change has associated tags: LEVITTE_before_const and
LEVITTE_after_const.  Those will be removed when this change has been
properly reviewed.
2004-03-15 23:15:26 +00:00
Dr. Stephen Henson
bc50157010 Various X509 fixes. Disable broken certificate workarounds
when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in
CRL issuer certificates. Reject CRLs with unhandled (any)
critical extensions.
2004-03-05 17:16:35 +00:00
Richard Levitte
9d5c3c1939 Typo... 2004-01-22 22:36:46 +00:00
Richard Levitte
af6dab9b00 Adding a slash between the directoryt and the file is a problem with
VMS.  The C RTL can handle it well if the "directory" is a logical
name with no colon, therefore ending being 'logname/file'.  However,
if the given logical names actually has a colon, or if you use a full
VMS-syntax directory, you end up with 'logname:/file' or
'dev:[dir1.dir2]/file', and that isn't handled in any good way.

So, on VMS, we need to check if the directory string ends with a
separator (one of ':', ']' or '>' (< and > can be used instead [ and
])), and handle that by not inserting anything between the directory
spec and the file name.  In all other cases, it's assumed the
directory spec is a logical name, so we need to place a colon between
it and the file.

Notified by Kevin Greaney <kevin.greaney@hp.com>.
2004-01-10 18:04:38 +00:00
Richard Levitte
79b42e7654 Use sh explicitely to run point.sh
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
2003-12-27 14:59:07 +00:00
Richard Levitte
d420ac2c7d Use BUF_strlcpy() instead of strcpy().
Use BUF_strlcat() instead of strcat().
Use BIO_snprintf() instead of sprintf().
In some cases, keep better track of buffer lengths.
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
2003-12-27 14:40:17 +00:00
Richard Levitte
b727907ae8 1024 is the export key bits limit according to current regulations, not 512.
PR: 771
Submitted by: c zhang <czhang2005@hotmail.com>
2003-11-28 22:39:19 +00:00
Geoff Thorpe
2754597013 A general spring-cleaning (in autumn) to fix up signed/unsigned warnings.
I have tried to convert 'len' type variable declarations to unsigned as a
means to address these warnings when appropriate, but when in doubt I have
used casts in the comparisons instead. The better solution (that would get
us all lynched by API users) would be to go through and convert all the
function prototypes and structure definitions to use unsigned variables
except when signed is necessary. The proliferation of (signed) "int" for
strictly non-negative uses is unfortunate.
2003-10-29 20:24:15 +00:00
Geoff Thorpe
8ad7e3ad2a Remove duplicate prototypes have already been (correctly) added to rsa.h,
as this is already included by x509.h anyway.
2003-10-24 16:17:11 +00:00
Dr. Stephen Henson
2990244980 ASN1 parse fix and release file changes. 2003-09-30 16:47:33 +00:00
Dr. Stephen Henson
f96d1af449 Avoid clashes with Win32 names in WinCrypt.h 2003-07-23 00:10:43 +00:00
Richard Levitte
f6b9cd7f82 We set the export flag for 512 *bit* keys, not 512 *byte* ones.
PR: 587
2003-06-19 18:55:50 +00:00
Richard Levitte
33862b90bb Add an entry for X509_TRUST_OBJECT_SIGN in trstandard[].
PR: 617
2003-06-11 21:22:30 +00:00
Dr. Stephen Henson
50078051bd Really get X509_CRL_CHECK_ALL right this time... 2003-06-04 00:40:05 +00:00
Bodo Möller
eec7968f18 fix typo
Submitted by: Nils Larsch
2003-04-22 08:29:21 +00:00
Richard Levitte
e6526fbf4d Add functionality to help making self-signed certificate. 2003-04-03 22:27:24 +00:00
Richard Levitte
d5ef144222 Make sure we get the definition of a number of OPENSSL_NO_* macros. 2003-03-20 23:27:17 +00:00
Dr. Stephen Henson
9ed1fa4813 Fix Certificate and CRL adding in X509_load_cert_crl_file:
an X509_INFO structure can contain more than one object,
for example a certififcate and a CRL.
2003-03-19 13:55:48 +00:00
Richard Levitte
5e42f9ab46 make update 2002-12-29 01:38:15 +00:00
Richard Levitte
c17810b087 A memset() too many got converted into a OPENSSL_cleanse().
PR: 393
2002-12-10 08:26:05 +00:00
Richard Levitte
4ba8cabf62 SSL_CERT_FILE should be used in place of the system default file, not as
a first alternative to try
2002-12-05 21:07:26 +00:00
Richard Levitte
4387f47832 Make sure using SSL_CERT_FILE actually works, and has priority over system defaults.
PR: 376
2002-12-05 01:20:47 +00:00
Dr. Stephen Henson
e7b6228fd3 Typo in X509v3_get_ext_by_critical 2002-12-04 00:16:00 +00:00
Richard Levitte
4579924b7e Cleanse memory using the new OPENSSL_cleanse() function.
I've covered all the memset()s I felt safe modifying, but may have missed some.
2002-11-28 08:04:36 +00:00
Richard Levitte
711f1a3c26 Add the ASN.1 structures and functions for CertificatePair, which is
defined as follows (according to X.509_4thEditionDraftV6.pdf):

CertificatePair ::= SEQUENCE {
	forward		[0]	Certificate OPTIONAL,
	reverse		[1]	Certificate OPTIONAL,
	-- at least one of the pair shall be present -- }

The only thing I'm not sure about is if it's implicit or explicit tags
that I should count on.  For now, I'm thinking explicit, but will
gladly stand corrected.

Also implement the PEM functions to read and write certificate pairs,
and defined the PEM tag as "CERTIFICATE PAIR".

This needed to be defined, mostly for the sake of the LDAP attribute
crossCertificatePair, but may prove useful elsewhere as well.
2002-11-18 23:54:27 +00:00
Richard Levitte
527497a722 A variable of type time_t is supposed to be a time measurement starting at
Epoch.  offset isn't such a measurement, so let's stop pretend it is.
2002-11-18 13:04:08 +00:00
Ben Laurie
54a656ef08 Security fixes brought forward from 0.9.7. 2002-11-13 15:43:43 +00:00
Dr. Stephen Henson
c99935e32c Add header ctype.h 2002-11-13 00:42:11 +00:00
Richard Levitte
c81a15099a X509_NAME_cmp() now compares PrintableString and emailAddress with a value of type
ia5String correctly.
PR: 244
2002-11-09 21:52:20 +00:00
Richard Levitte
677532629d makedepend complains when a header file is included more than once in
the same source file.
2002-10-14 10:02:36 +00:00
Richard Levitte
001ab3abad Use double dashes so makedepend doesn't misunderstand the flags we
give it.
For 0.9.7 and up, that means util/domd needs to remove those double
dashes from the argument list when gcc is used to find the
dependencies.
2002-10-09 13:25:12 +00:00
Dr. Stephen Henson
9a48b07ee4 Various enhancements to PKCS#12 code, new
medium level API, improved PKCS12_create
and additional functionality in pkcs12
utility.
2002-10-03 23:53:52 +00:00
Dr. Stephen Henson
fc85ac20c7 Make -nameopt work in req and add support for -reqopt 2002-08-22 23:43:48 +00:00
Bodo Möller
5488bb6197 get rid of EVP_PKEY_ECDSA (now we have EVP_PKEY_EC instead)
Submitted by: Nils Larsch
2002-08-12 08:47:41 +00:00
Bodo Möller
74cc4903ef make update 2002-08-09 12:16:15 +00:00
Bodo Möller
e172d60ddb Add ECDH support.
Additional changes:
 - use EC_GROUP_get_degree() in apps/req.c
 - add ECDSA and ECDH to apps/speed.c
 - adds support for EC curves over binary fields to ECDSA
 - new function EC_KEY_up_ref() in crypto/ec/ec_key.c
 - reorganize crypto/ecdsa/ecdsatest.c
 - add engine support for ECDH
 - fix a few bugs in ECDSA engine support

Submitted by: Douglas Stebila <douglas.stebila@sun.com>
2002-08-09 08:43:04 +00:00
Bodo Möller
14a7cfb32a use a generic EC_KEY structure (EC keys are not ECDSA specific)
Submitted by: Nils Larsch
2002-08-07 10:49:54 +00:00
Lutz Jänicke
3aecef7697 "make update" 2002-07-30 12:44:33 +00:00
Bodo Möller
5dbd3efce7 Replace 'ecdsaparam' commandline utility by 'ecparam'
(the same keys can be used for ECC schemes other than ECDSA)
and add some new options.

Similarly, use string "EC PARAMETERS" instead of "ECDSA PARAMETERS"
in 'PEM' format.

Fix ec_asn1.c (take into account the desired conversion form).

'make update'.

Submitted by: Nils Larsch
2002-07-14 16:54:31 +00:00
Richard Levitte
17085b022c Pass CFLAG to dependency makers, so non-standard system include paths are
handled properly.
Part of PR 75
2002-06-27 16:39:25 +00:00