summaryrefslogtreecommitdiff
path: root/lib/x509
Commit message (Collapse)AuthorAgeFilesLines
...
* x509: Omit empty sequences of policyQualifiers.Daniel Kahn Gillmor2021-05-171-0/+10
| | | | | | | | | | When a certificate has a policy attached but no policyQualifiers, `certtool` should omit the policyQualifiers sequence entirely, rather than emitting an empty sequence. Closes: #1238 Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* x509: Write keyUsage extension with minimal BIT STRINGDaniel Kahn Gillmor2021-05-141-2/+29
| | | | | | | | | | | | | | Avoid embedding trailing cleared bits in the BIT STRING for the keyUsage extension. The overwhelming majority of this changeset is correcting the artifacts in the test suite, most of which had keyUsage with a non-minimal encoding. The only functional code change is in lib/x509/x509_ext.c. Closes: #1236 Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* spelling: The possessive pronoun "its" has no apostrophe.Daniel Kahn Gillmor2021-05-051-1/+1
| | | | | | | | "it's" is for contractions like "it is" or "it has". "its" is a possessive pronoun, like "his" or "hers" or "theirs", none of which have an apostrophe in them either. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* x509/verify: treat SHA-1 signed CA in the trusted set differentlyDaiki Ueno2021-05-041-9/+17
| | | | | | | | | | | | | | Suppose there is a certificate chain ending with an intermediate CA: EE → ICA1 → ICA2. If the system trust store contains a root CA generated with the same key as ICA2 but signed with a prohibited algorithm, such as SHA-1, the library previously reported a verification failure, though the situation is not uncommon during a transition period of root CA. This changes the library behavior such that the check on signature algorithm will be skipped when examining the trusted root CA. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* gnutls_x509_crt_get_dn: clarify null-termination of the outputDaiki Ueno2021-04-251-1/+2
| | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* build: avoid integer overflow in additionsDaiki Ueno2021-03-294-5/+72
| | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* build: avoid potential integer overflow in array allocationDaiki Ueno2021-03-297-56/+47
| | | | | | | | This relies on _gnutls_reallocarray for all occasions of array allocations, so that they can benefit from the built-in overflow checks. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'wip/dueno/duplicate-certs-pkcs11' into 'master'Daiki Ueno2021-03-061-4/+4
|\ | | | | | | | | gnutls_x509_trust_list_verify_crt2: skip duplicated certs for PKCS#11 too See merge request gnutls/gnutls!1398
| * gnutls_x509_trust_list_verify_crt2: skip duped certs for PKCS11 tooDaiki Ueno2021-03-051-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The commit 09b40be6e0e0a59ba4bd764067eb353241043a70 (part of gnutls/gnutls!1370) didn't cover the case where the trust store is backed by PKCS #11, because it used _gnutls_trust_list_get_issuer, which only works with file based trust store. This patch replaces the call with more generic gnutls_x509_trust_list_get_issuer so it also works with other trust store implementations. Reported by Michal Ruprich. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | output UTF-8 decoded id-on-xmppAddr SAN'sSteffen Jaeckel2021-03-041-1/+1
|/ | | | | | | | | | | | | | | | tls_x509_crt_get_subject_alt_name()` makes a promise [1] "If an otherName OID is known, the data will be decoded. ... RFC 3920 id-on-xmppAddr SAN is recognized." which it didn't hold. Before this patch the output was still in DER format, e.g. for a id-on-xmppAddr which is always UTF-8 (0x0c): `0x0c <len> <xmppAddr>` This patch fixes the issue and now it returns the decoded string. [1] https://www.gnutls.org/manual/gnutls.html#gnutls_005fx509_005fcrt_005fget_005fsubject_005falt_005fname Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
* gnutls_x509_trust_list_verify_crt2: ignore duplicate certificatesDaiki Ueno2021-02-082-22/+143
| | | | | | | | | | | | | | The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a regression, where duplicate certificates in a certificate chain are no longer ignored but treated as a non-contiguous segment and that results in calling the issuer callback, or a verification failure. This adds a mechanism to record certificates already seen in the chain, and skip them while still allow the caller to inject missing certificates. Signed-off-by: Daiki Ueno <ueno@gnu.org> Co-authored-by: Andreas Metzler <ametzler@debian.org>
* fix invalid unsigned arithmetic.ihsinme2020-12-011-1/+1
| | | | Signed-off-by: ihsinme <ihsinme@gmail.com>
* Merge branch 'wip/dueno/aia-api' into 'master'Daiki Ueno2020-11-216-94/+199
|\ | | | | | | | | | | | | x509: check certificate trust status when adding CA through AIA Closes #1100 See merge request gnutls/gnutls!1354
| * x509: rework issuer callbackDaiki Ueno2020-11-192-39/+135
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The previous issuer callback API had a drawback: the callback is supposed to add CA to the trust list by itself. This was error-prone, because the callback must check the new CA is trusted by the already added CA. This instead moves the responsibility to the library. This also rewrites the chain amendment logic in a side-effect free manner. The application can assume that the trust information stored on gnutls_x509_trust_list_t shouldn't change after the verification. The missingissuer test has been extended to cover all the possible patterns exhaustively. Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * _gnutls_cert_log: assume that 'cert' is nonnullDaiki Ueno2020-11-191-1/+1
| | | | | | | | | | | | This makes static analyzers happy. Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * _gnutls_sort_clist: simplify the calling conventionDaiki Ueno2020-11-194-60/+69
| | | | | | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | Merge branch 'wip/dueno/ocsp-oid' into 'master'Daiki Ueno2020-11-194-14/+26
|\ \ | | | | | | | | | | | | | | | | | | _gnutls_x509_read_value: don't count terminating null byte for OIDs Closes #805 See merge request gnutls/gnutls!1358
| * | _gnutls_x509_read_value: don't count terminating null byte for OIDsNikos Mavrogiannopoulos2020-11-124-14/+26
| |/ | | | | | | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> Co-authored-by: Daiki Ueno <ueno@gnu.org>
* | x509: clarify how to release memory allocated for DNDaiki Ueno2020-11-123-8/+8
|/ | | | | | | | The application can assume that DNs returned from _gnutls_x509_get_dn() are allocated with gnutls_malloc() and thus shall be freed with gnutls_free(). Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Make y parameter optional in gnutls_privkey_import_dsa_raw().Hans Leidekker2020-11-031-6/+8
| | | | Signed-off-by: Hans Leidekker <hans@codeweavers.com>
* PKCS#12: switch default encryption to AES-256-CBCSahana Prasad2020-10-301-2/+2
| | | | Signed-off-by: Sahana Prasad <sahana@redhat.com>
* x509: correct argument of gnutls_verify_output_functiontmp-verify-outputDaiki Ueno2020-09-271-2/+3
| | | | | | | | This is a leftover of 52e78f1e. We need to call gnutls_verify_output_function with the replaced CA cert instead of the original cert. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'tmp-clock_nanosleep' into 'master'Daiki Ueno2020-09-214-64/+46
|\ | | | | | | | | | | | | tests: allow clock_nanosleep in seccomp tests Closes #1086 See merge request gnutls/gnutls!1325
| * build: remove dead assignmentsDaiki Ueno2020-09-184-64/+46
| | | | | | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | Merge branch 'rsa_privkey_prive' into 'master'Daiki Ueno2020-09-201-6/+8
|\ \ | |/ |/| | | | | Make private exponent optional in gnutls_privkey_import_rsa_raw() See merge request gnutls/gnutls!1323
| * Make private exponent optional in gnutls_privkey_import_rsa_raw().Nikolay Sivov2020-09-061-6/+8
| | | | | | | | Signed-off-by: Nikolay Sivov <nsivov@codeweavers.com>
* | build: ignore pointless -Wformat-y2k warningDaiki Ueno2020-09-171-0/+3
|/ | | | | | Printing UTCTime really needs last 2 digits of the year. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'gnutls-cli-aia' into 'master'Daiki Ueno2020-09-041-0/+2
|\ | | | | | | | | | | | | Dynamic downloading of missing intermediate CAs via gnutls-cli using the option 'ca-auto-retrieve' Closes #968 See merge request gnutls/gnutls!1319
| * src/cli: adds new option '--ca-auto-retrieve' that can be used with ↵Sahana Prasad2020-09-021-0/+2
| | | | | | | | | | | | | | | | | | | | gnutls-cli to automatically download missing intermediate CAs in a certificate chain lib/cred-cert.c : adds set and get APIs to get user data in the gnutls_x509_trust_list_set_getissuer_function() callback. Signed-off-by: Sahana Prasad <sahana@redhat.com>
* | Use symbols defined for RSA key parameter indices in more places.Nikolay Sivov2020-09-011-5/+5
|/ | | | Signed-off-by: Nikolay Sivov <nsivov@codeweavers.com>
* gnutls_x509_crt_export2: return 0 instead of the lengthtmp-crt-export2Daiki Ueno2020-08-161-4/+9
| | | | | | This aligns the behavior to the documentation. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* doc: assorted typo fixestmp-typo-fixesDaiki Ueno2020-08-123-4/+4
| | | | | | Spotted by codespell. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* safe_memcmp: remove in favor of gnutls_memcmptmp-safe-memcmpDaiki Ueno2020-06-291-1/+2
| | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'master' into 'master'Daiki Ueno2020-06-182-18/+22
|\ | | | | | | | | issues #1018- Modied the license to GPLv2.1+ to keep with LICENSE file. See merge request gnutls/gnutls!1285
| * Modied the license to GPLv2.1+ to keep with LICENSE file.Lei Maohui2020-06-082-18/+22
| | | | | | | | Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
* | build: avoid -Wenum-conversion warnings with GCC 10Daiki Ueno2020-06-152-3/+3
|/ | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Implements a callback function gnutls_x509_trust_list_set_getissuer_function()Sahana Prasad2020-06-034-82/+123
| | | | Signed-off-by: Sahana Prasad <sahana@redhat.com>
* x509: trigger fallback verification path when cert is expiredDaiki Ueno2020-05-311-5/+7
| | | | | | | | | gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN to trigger the fallback verification path if the signer of the last certificate is not in the trust store. Previously, it doesn't take into account of the condition where the certificate is expired. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* _gnutls_pkcs11_verify_crt_status: check validity against system certDaiki Ueno2020-05-311-2/+5
| | | | | | | | | | | | | | | | To verify a certificate chain, this function replaces known certificates with the ones in the system trust store if possible. However, if it is found, the function checks the validity of the original certificate rather than the certificate found in the trust store. That reveals a problem in a scenario that (1) a certificate is signed by multiple issuers and (2) one of the issuers' certificate has expired and included in the input chain. This patch makes it a little robuster by actually retrieving the certificate from the trust store and perform check against it. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* gnulib: update git submoduleDaiki Ueno2020-05-291-3/+3
| | | | | | | | | | | This brings in the new fopen-gnu module and the RF_SENSITIVE flag for fread_file and read_file. This also adds the following changes to be consistent with the latest changes in Gnulib: - the callers of fread_file and read_file to be adjusted for the FLAGS argument - "attribute.h" needs to be used extensively Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'x509-common-name' into 'master'Dmitry Baryshkov2020-05-241-0/+16
|\ | | | | | | | | | | | | x509: support commonName extension Closes #989 See merge request gnutls/gnutls!1250
| * x509: support commonName extensionDmitry Baryshkov2020-05-181-0/+16
| | | | | | | | | | | | | | | | Add support for Common Name certificate extension. Fixes #989 Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* | x509: aki: always print authorityCert infoDmitry Baryshkov2020-05-171-3/+6
|/ | | | | | | | | Always print authorityCertIssuer/SerialNumber. Currently it is output only if keyIdentifier is not present. Fixes #991 Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* output: add Russian security class policiesDmitry Baryshkov2020-05-141-0/+8
| | | | | | | Add Russian Security Class certificate policies (per draft-deremin-rfc4491-bis). Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* x509: print certificate policiy namesDmitry Baryshkov2020-05-141-1/+19
| | | | | | | | Add ability to print names for several pre-defined Certificate policies. Currently the list is populated with anyPolicy from X.509 and CA/B policies. Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* pkcs7: add function to display signature informationDmitry Baryshkov2020-05-141-0/+31
| | | | | | | Basically export print_pkcs7_info() in a way usable by external applications. Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* pkcs7: decode attribute OIDs when printingDmitry Baryshkov2020-05-141-2/+32
| | | | | | | Try printing symbolic names for well-known OIDs when printing PKCS7 signature info. Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* x509: generify oid to str conversionsDmitry Baryshkov2020-05-142-43/+27
| | | | | | | Make oid to name conversion functions generic enough by allowing caller to specify a pointer to OID table. Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* Compare DNs by comparing their string representationsPierre Ossman2020-04-031-3/+46
| | | | | | | | A binary comparison will not work in case the contents is the same but the ASN.1 type differ (e.g. PrintableString vs UTF8String). Such variations are permitted so we need to handle them. Signed-off-by: Pierre Ossman <ossman@cendio.se>
* Properly compare DNs when checking sortingPierre Ossman2020-04-031-11/+2
| | | | | | | We might want to do other things than a simple memcmp() so make sure we're using the right helper when comparing DNs. Signed-off-by: Pierre Ossman <ossman@cendio.se>
View Lorry Controller Status