| Commit message | Author | Date | Files | Lines |
|---|---|---|---|---|
| Applied last patch of Micah Anderson on IKE status. | Nikos Mavrogiannopoulos | 2010-10-08 | 1 | -9/+12 |
| Applied patch on IKE extension by Micah Anderson | Nikos Mavrogiannopoulos | 2010-10-02 | 1 | -19/+24 |
| Fix some syntax-check errors. | Simon Josefsson | 2010-10-01 | 3 | -3/+2 |
| Add new extended key usage ipsecIKE. According to RFC 4945 § 5.1.3.12, section title "ExtendedKeyUsage" [0], the following extended key usage has been added: "... this document defines an ExtendedKeyUsage keyPurposeID that MAY be used to limit a certificate's use: id-kp-ipsecIKE OBJECT IDENTIFIER ::= { id-kp 17 } where id-kp is defined in RFC 3280 [5]. If a certificate is intended to be used with both IKE and other applications, and one of the other applications requires use of an EKU value, then such certificates MUST contain either the keyPurposeID id-kp-ipsecIKE or anyExtendedKeyUsage [5], as well as the keyPurposeID values associated with the other applications. Similarly, if a CA issues multiple otherwise-similar certificates for multiple applications including IKE, and it is intended that the IKE certificate NOT be used with another application, the IKE certificate MAY contain an EKU extension listing a keyPurposeID of id-kp-ipsecIKE to discourage its use with the other application. Recall, however, that EKU extensions in certificates meant for use in IKE are NOT RECOMMENDED. Conforming IKE implementations are not required to support EKU. If a critical EKU extension appears in a certificate and EKU is not supported by the implementation, then RFC 3280 requires that the certificate be rejected. Implementations that do support EKU MUST support the following logic for certificate validation: (1) If no EKU extension, continue. (2) If EKU present AND contains either id-kp-ipsecIKE or anyExtendedKeyUsage, continue. (3) Otherwise, reject cert." Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> | Micah Anderson | 2010-09-29 | 3 | -1/+40 |
| --pkcs11-* in certtool was renamed to --p11-*. | Nikos Mavrogiannopoulos | 2010-09-27 | 2 | -104/+104 |
| fflush stdout and stderr before the call to setbuf. This fixes issue in solaris where lines disappeared from output. Reported and suggested fix by Knut Anders Hatlen. | Nikos Mavrogiannopoulos | 2010-09-23 | 1 | -0/+3 |
| Added 3 levels of details in PKCS #11 URLs. 1st level: Token level. Object is unique up to token. 2nd level: Object is unique up to token and module used to access it. 3rd level: Object is unique up to token and module and version of module used to access it. | Nikos Mavrogiannopoulos | 2010-09-10 | 4 | -137/+139 |
| PKCS#11 URL support updated to conform to draft-pechanec-pkcs11uri-02. Now in the URL the pkcs11 provider library (module) can be specified, thus restricting objects within a single provider. | Nikos Mavrogiannopoulos | 2010-09-08 | 6 | -81/+99 |
| Show which option is the default for command line tools. We use "y/N" in most places; this just adapts two places that use "Y/N" to match the behavior of read_yesno(). Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> | Brad Hards | 2010-08-29 | 2 | -2/+2 |
| Avoid fixed size buffers (now handles the big >100 SAN cert). | Simon Josefsson | 2010-07-25 | 1 | -12/+37 |
| gnutls_x509_privkey_import() will fall back to gnutls_x509_privkey_import_pkcs8() without a password, if it is unable to decode the key. | Nikos Mavrogiannopoulos | 2010-07-24 | 1 | -11/+4 |
| Added GNUTLS_PK_DH to differentiate in the generation of parameters with PK_DSA that requires special treatment. | Nikos Mavrogiannopoulos | 2010-07-24 | 1 | -1/+1 |
| Better handling of security parameters to key sizes matching (via a single table). Added functions to return the security parameter of a private key. | Nikos Mavrogiannopoulos | 2010-07-23 | 1 | -0/+2 |
| Added option for certtool to print certificate public key. | Nikos Mavrogiannopoulos | 2010-07-22 | 5 | -121/+142 |
| gnutls-serv: Do not print CR/LF if received, but instead print LF only. | Nikos Mavrogiannopoulos | 2010-07-11 | 1 | -0/+19 |
| Do not crash if input is redirected from /dev/null. | Nikos Mavrogiannopoulos | 2010-07-05 | 1 | -0/+4 |
| Changed the default pkcs-cipher to AES-128. Allowed specifying the 3des-pkcs12 cipher with the --pkcs-cipher option. | Nikos Mavrogiannopoulos | 2010-07-05 | 3 | -4/+12 |
| Use double to count bytes. | Nikos Mavrogiannopoulos | 2010-07-04 | 1 | -3/+3 |
| Print values in a human-readable format and do the calculations in fixed time to prevent stalling in slow systems. | Nikos Mavrogiannopoulos | 2010-07-03 | 1 | -14/+60 |
| PIN callback supplies the token URL. The callback function in common.c will cache PIN if requested for second time. | Nikos Mavrogiannopoulos | 2010-07-02 | 2 | -8/+58 |
| Reverted the SAVE_PIN approach in PIN callback. The new approach will be to provide enough information for the callback to save the PIN itself. | Nikos Mavrogiannopoulos | 2010-07-02 | 1 | -1/+1 |
| When copying a private key the sensitive flag can be set or not. This allows copying private keys that can be exported. | Nikos Mavrogiannopoulos | 2010-06-28 | 1 | -1/+1 |
| Combined object flags. No implicit login any more. Login has to be specified with a flag on every call that could use it. | Nikos Mavrogiannopoulos | 2010-06-28 | 3 | -9/+17 |
| Allow flags when importing objects from PKCS11 URLs. The only flag supported now is the PKCS11_OBJ_FLAG_LOGIN, which forces login before accessing object on a token. The reason is that some tokens do not allow access of any data without login. | Nikos Mavrogiannopoulos | 2010-06-28 | 7 | -94/+125 |
| Added AES-128 to block ciphers. | Nikos Mavrogiannopoulos | 2010-06-27 | 1 | -5/+7 |
| When generating private key allow usage of --pkcs-cipher flag. | Nikos Mavrogiannopoulos | 2010-06-26 | 1 | -28/+30 |
| Corrected some tests. Added test to check whether the %COMPAT option is required for this server. | Nikos Mavrogiannopoulos | 2010-06-19 | 3 | -47/+73 |
| Allow setting debug level via cmd. | Nikos Mavrogiannopoulos | 2010-06-19 | 1 | -4/+16 |
| Allow listing of private keys only. Certtool has now the --pkcs11-list-privkeya option. | Nikos Mavrogiannopoulos | 2010-06-18 | 5 | -73/+88 |
| Added option to the PKCS11 PIN callback to save PIN if the token is being used with a single pkcs11_privkey structure. | Nikos Mavrogiannopoulos | 2010-06-17 | 2 | -1/+11 |
| gnutls-cli: Make --starttls work again. Problem introduced in patch to use read() instead of fgets() committed on 2010-01-27. | Simon Josefsson | 2010-06-15 | 1 | -1/+1 |
| Allow SHA224 hash in certtool. Added tests for SHA-256 and SHA-224 for DSA. | Nikos Mavrogiannopoulos | 2010-06-14 | 1 | -0/+2 |
| Do not warn multiple times for the deprecation of --bits. | Nikos Mavrogiannopoulos | 2010-06-14 | 1 | -1/+7 |
| Simplified and made more safe the packing of data for session storage. Extensions use the internal API to store/retrieve during resumption. Removed OPRFI since it was never standardized and was never actually included in gnutls since it was in inactive ifdef. This was instead of rewriting it to use the new API. | Nikos Mavrogiannopoulos | 2010-06-13 | 2 | -35/+2 |
| corrected tests. | Nikos Mavrogiannopoulos | 2010-06-09 | 1 | -12/+12 |
| The get_preferred_hash_algorithm() functions have now an extra argument to indicate whether it is mandatory to use this algorithm. | Nikos Mavrogiannopoulos | 2010-06-03 | 1 | -12/+7 |
| Added gnutls_pubkey_get_preferred_hash_algorithm() and gnutls_x509_crt_get_preferred_hash_algorithm() to allow determining the hash algorithm to use during signing. This is needed in the case of DSA that uses specific versions of SHA depending on the size of the parameters. | Nikos Mavrogiannopoulos | 2010-06-03 | 1 | -14/+38 |
| Several fixes after big rebase. | Nikos Mavrogiannopoulos | 2010-06-03 | 1 | -154/+10 |
| use --sec-param to generate privkey. | Nikos Mavrogiannopoulos | 2010-06-03 | 1 | -2/+2 |
| Print exp1 and exp2 if they are available. | Nikos Mavrogiannopoulos | 2010-06-03 | 1 | -6/+16 |
| exported gnutls_rnd(). | Nikos Mavrogiannopoulos | 2010-06-03 | 2 | -2/+2 |
| Generate dh-params also used --sec-param. | Nikos Mavrogiannopoulos | 2010-06-03 | 3 | -21/+35 |
| Corrected certificate callback. | Nikos Mavrogiannopoulos | 2010-06-03 | 1 | -35/+34 |
| Added gnutls_sec_param_to_pk_bits() et al. to allow selecting bit sizes for private keys using a human understandable scale. | Nikos Mavrogiannopoulos | 2010-06-03 | 4 | -90/+158 |
| Simplified internal API. The only question that remains now is how to handle the gnutls_pkcs11_privkey_t. Currently it opens a session and maintains a handle to the object. This will require locks to be added on operations. Alternatively new sessions may be opened for each operation performed. This is guaranteed by PKCS #11 to be thread safe but will of course require to ask for the PIN again. | Nikos Mavrogiannopoulos | 2010-06-03 | 1 | -2/+2 |
| Added support to copy certificates and private keys to tokens. New functions: gnutls_pkcs11_copy_x509_crt(), gnutls_pkcs11_copy_x509_privkey(), gnutls_pkcs11_delete_url(). Certtool was updated to allow copying certificates and private keys to tokens. Deleting an object has issues (segfault) but it seems to be related with libopensc and its pkcs11 API. | Nikos Mavrogiannopoulos | 2010-06-03 | 7 | -103/+260 |
| Added gnutls_pubkey_import_pkcs11(), gnutls_pubkey_import_rsa_raw(), gnutls_pubkey_import_dsa_raw(), gnutls_pkcs11_obj_export(). | Nikos Mavrogiannopoulos | 2010-06-03 | 1 | -19/+69 |
| Added gnutls_pubkey_t abstract type to handle public keys. It can currently import/export public keys from existing certificate types as well as from PKCS #11 URL. This allows generating a certificate or certificate request from a given public key (currently one could only generate them from a given private key). PKCS#11 API augmented to allow reading arbitrary objects instead of just certificates. Certtool updated to list those objects. | Nikos Mavrogiannopoulos | 2010-06-03 | 3 | -5/+5 |
| Added several helper functions, to allow printing of tokens. | Nikos Mavrogiannopoulos | 2010-06-03 | 2 | -2/+79 |
| Added ability to export certificates from PKCS #11 tokens. Added ability to list trusted certificates, or only certificates with a corresponding private key, or just all. | Nikos Mavrogiannopoulos | 2010-06-03 | 4 | -3/+49 |