summaryrefslogtreecommitdiff
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* Applied last patch of Micah Anderson on IKE status.Nikos Mavrogiannopoulos2010-10-081-9/+12
|
* Applied patch on IKE extension by Micah AndersonNikos Mavrogiannopoulos2010-10-021-19/+24
|
* Fix some syntax-check errors.Simon Josefsson2010-10-013-3/+2
|
* Add new extended key usage ipsecIKEMicah Anderson2010-09-293-1/+40
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | According to RFC 4945 § 5.1.3.12 section title "ExtendedKeyUsage"[0] the following extended key usage has been added: ... this document defines an ExtendedKeyUsage keyPurposeID that MAY be used to limit a certificate's use: id-kp-ipsecIKE OBJECT IDENTIFIER ::= { id-kp 17 } where id-kp is defined in RFC 3280 [5]. If a certificate is intended to be used with both IKE and other applications, and one of the other applications requires use of an EKU value, then such certificates MUST contain either the keyPurposeID id-kp-ipsecIKE or anyExtendedKeyUsage [5], as well as the keyPurposeID values associated with the other applications. Similarly, if a CA issues multiple otherwise-similar certificates for multiple applications including IKE, and it is intended that the IKE certificate NOT be used with another application, the IKE certificate MAY contain an EKU extension listing a keyPurposeID of id-kp-ipsecIKE to discourage its use with the other application. Recall, however, that EKU extensions in certificates meant for use in IKE are NOT RECOMMENDED. Conforming IKE implementations are not required to support EKU. If a critical EKU extension appears in a certificate and EKU is not supported by the implementation, then RFC 3280 requires that the certificate be rejected. Implementations that do support EKU MUST support the following logic for certificate validation: o If no EKU extension, continue. o If EKU present AND contains either id-kp-ipsecIKE or anyExtendedKeyUsage, continue. o Otherwise, reject cert. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* --pkcs11-* in certtool was renamed to --p11-*.Nikos Mavrogiannopoulos2010-09-272-104/+104
|
* fflush stdout and stderr before the call to setbuf. This fixes issue in ↵Nikos Mavrogiannopoulos2010-09-231-0/+3
| | | | solaris where lines dissappeared from output. Reported and suggested fix by Knut Anders Hatlen.
* Added 3 levels of details in PKCS #11 URLs.Nikos Mavrogiannopoulos2010-09-104-137/+139
| | | | | | 1st level: Token level. Object is unique up to token. 2nd level: Object is unique up to token and module used to access it. 3rd level: Object is unique up to token and module and version of module used to access it.
* PKCS#11 URL support updated to conform to draft-pechanec-pkcs11uri-02.Nikos Mavrogiannopoulos2010-09-086-81/+99
| | | | | Now in the URL the pkcs11 provider library (module) can be specified thus restricting objects within a single provider.
* Show which option is the default for command line tools.Brad Hards2010-08-292-2/+2
| | | | | | | We use "y/N" is most places - this just adapts two places that use "Y/N" to match the behavior of read_yesno(). Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Avoid fixed size buffers (now handles the big >100 SAN cert).Simon Josefsson2010-07-251-12/+37
|
* gnutls_x509_privkey_import() will fallback to ↵Nikos Mavrogiannopoulos2010-07-241-11/+4
| | | | gnutls_x509_privkey_import_pkcs8() without a password, if it is unable to decode the key.
* Added GNUTLS_PK_DH to differentiate in the generation of parameters with PK_DSANikos Mavrogiannopoulos2010-07-241-1/+1
| | | | that requires special treatment.
* Better handling of security parameters to key sizes matching (via a single ↵Nikos Mavrogiannopoulos2010-07-231-0/+2
| | | | | | table). Added functions to return the security parameter of a private key.
* Added option for certtool to print certificate public key.Nikos Mavrogiannopoulos2010-07-225-121/+142
|
* gnutls-serv: Do not print CR/LF if received, but instead print LF only.Nikos Mavrogiannopoulos2010-07-111-0/+19
|
* Do not crash if input is redirected from /dev/null.Nikos Mavrogiannopoulos2010-07-051-0/+4
|
* Changed the default pkcs-cipher to AES-128. Allowed specifying the 3des-pkcs12Nikos Mavrogiannopoulos2010-07-053-4/+12
| | | | cipher with the --pkcs-cipher option.
* Use double to count bytes.Nikos Mavrogiannopoulos2010-07-041-3/+3
|
* Print values in a human-readable format and do the calculations in fixedNikos Mavrogiannopoulos2010-07-031-14/+60
| | | | time to prevent stalling in slow systems.
* PIN callback supplies the token URL. The callback function in common.cNikos Mavrogiannopoulos2010-07-022-8/+58
| | | | will cache PIN if requested for second time.
* Reverted the SAVE_PIN approach in PIN callback. The new approach will be to ↵Nikos Mavrogiannopoulos2010-07-021-1/+1
| | | | | | provide enough information for the callback to save the PIN itself.
* When copying a private key the sensitive flag can be set or not. This allowsNikos Mavrogiannopoulos2010-06-281-1/+1
| | | | copying private keys that can be exported.
* Combined object flags. No implicit login any more. Login has to be specified ↵Nikos Mavrogiannopoulos2010-06-283-9/+17
| | | | | | with a flag on every call that could use it.
* Allow flags when importing objects from PKCS11 URLs. The only flag supportedNikos Mavrogiannopoulos2010-06-287-94/+125
| | | | | now is the PKCS11_OBJ_FLAG_LOGIN, which forces login before accessing object on a token. The reason is that some tokens do not allow access of any data without login.
* Added AES-128 to block ciphers.Nikos Mavrogiannopoulos2010-06-271-5/+7
|
* When generating private key allow usage of --pkcs-cipher flag.Nikos Mavrogiannopoulos2010-06-261-28/+30
|
* Corrected some tests. Added test to check whether the %COMPAT option isNikos Mavrogiannopoulos2010-06-193-47/+73
| | | | required for this server.
* Allow setting debug level via cmd.Nikos Mavrogiannopoulos2010-06-191-4/+16
|
* Allow listing of private keys only. Certtool has now the ↵Nikos Mavrogiannopoulos2010-06-185-73/+88
| | | | --pkcs11-list-privkeya option.
* Added option to the PKCS11 PIN callback to save PIN if the token is being usedNikos Mavrogiannopoulos2010-06-172-1/+11
| | | | with a single pkcs11_privkey structure.
* gnutls-cli: Make --starttls work again.Simon Josefsson2010-06-151-1/+1
| | | | | Problem introduced in patch to use read() instead of fgets() committed on 2010-01-27.
* Allow SHA224 hash in certtool. Added tests for SHA-256 and SHA-224 for DSA.Nikos Mavrogiannopoulos2010-06-141-0/+2
|
* Do not warn multiple times for the deprecation of --bits.Nikos Mavrogiannopoulos2010-06-141-1/+7
|
* Simplified and made more safe the packing of data for session storage. ↵Nikos Mavrogiannopoulos2010-06-132-35/+2
| | | | | | | | | Extensions use the internal API to store/retrieve during resumption. Removed OPRFI since it was never standardized and was never actually included in gnutls since it was in inactive ifdef. This was instead of rewriting it to use the new API.
* corrected tests.Nikos Mavrogiannopoulos2010-06-091-12/+12
|
* The get_preferred_hash_algorithm() functions have now an extra argument to ↵Nikos Mavrogiannopoulos2010-06-031-12/+7
| | | | | | indicate whether it is mandatory to use this algorithm.
* Added gnutls_pubkey_get_preferred_hash_algorithm() and ↵Nikos Mavrogiannopoulos2010-06-031-14/+38
| | | | | | | gnutls_x509_crt_get_preferred_hash_algorithm() to allow determining the hash algorithm to use during signing. This is needed in the case of DSA that uses specific versions of SHA depending on the size of the parameters.
* Several fixes after big rebase.Nikos Mavrogiannopoulos2010-06-031-154/+10
|
* use --sec-param to generate privkey.Nikos Mavrogiannopoulos2010-06-031-2/+2
|
* Print exp1 and exp2 if they are available.Nikos Mavrogiannopoulos2010-06-031-6/+16
|
* exported gnutls_rnd().Nikos Mavrogiannopoulos2010-06-032-2/+2
|
* Generate dh-params also used --sec-param.Nikos Mavrogiannopoulos2010-06-033-21/+35
|
* Corrected certificate callback.Nikos Mavrogiannopoulos2010-06-031-35/+34
|
* Added gnutls_sec_param_to_pk_bits() et al. to allow select bitNikos Mavrogiannopoulos2010-06-034-90/+158
| | | | sizes for private keys using a human understandable scale.
* Simplified internal API. The only question that remains now is how to handleNikos Mavrogiannopoulos2010-06-031-2/+2
| | | | | | | the gnutls_pkcs11_privkey_t. Currently it opens a session and maintains a handle to the object. This will require locks to be added on operations. Alternatively new sessions may be opened for each operation performed. This is guarranteed by PKCS #11 to be thread safe but will of course require to ask for the PIN again.
* Added support to copy certificates and private keys to tokens.Nikos Mavrogiannopoulos2010-06-037-103/+260
| | | | | | | | | | | New functions: gnutls_pkcs11_copy_x509_crt() gnutls_pkcs11_copy_x509_privkey() gnutls_pkcs11_delete_url() Certtool was updated to allow copying certificates and private keys to tokens. Deleting an object has issues (segfault) but it seems to be related with libopensc and its pkcs11 API.
* Added gnutls_pubkey_import_pkcs11(), gnutls_pubkey_import_rsa_raw(),Nikos Mavrogiannopoulos2010-06-031-19/+69
| | | | gnutls_pubkey_import_dsa_raw(), gnutls_pkcs11_obj_export().
* Added gnutls_pubkey_t abstract type to handle public keys. It can currentlyNikos Mavrogiannopoulos2010-06-033-5/+5
| | | | | | | | | import/export public keys from existing certificate types as well as from PKCS #11 URL. This allows generating a certificate or certificate request from a given public key (currently one could only generate them from a given private key). PKCS#11 API augmented to allow reading arbitrary objects instead of just certificates. Certtool updated to list those objects.
* Added several helper functions, to allow printing of tokens.Nikos Mavrogiannopoulos2010-06-032-2/+79
|
* Added ability to export certificates from PKCS #11 tokens.Nikos Mavrogiannopoulos2010-06-034-3/+49
| | | | | Added ability to list trusted certificates, or only certificates with a corresponding private key or just all.
View Lorry Controller Status