Commit message (Author, Age, Files, Lines)
* Release version 0.17.5 [0.17.5] (Stef Walter, 2013-03-28, 2 files, -1/+5)
|
* Don't try to guess at overflowing time values on 32-bit systems (Stef Walter, 2013-03-28, 5 files, -5/+80)
| Since CKA_START_DATE and CKA_END_DATE are the only places where we want to parse out times, and these are optional, just leave blank if the time overflows what libc can handle on a 32-bit system.
| https://bugs.freedesktop.org/show_bug.cgi?id=62825
* Fix testing of murmur hash on bigendian systems (Stef Walter, 2013-03-25, 1 file, -37/+23)
| The murmur hash produces different output depending on the architecture
| https://bugzilla.redhat.com/show_bug.cgi?id=927394
* Release 0.17.4 [0.17.4] (Stef Walter, 2013-03-20, 2 files, -1/+5)
|
* Fix memory leaks reported by 'make leakcheck' (Stef Walter, 2013-03-20, 22 files, -27/+91)
|
* Fix invalid memory accesses reported by 'make memcheck' (Stef Walter, 2013-03-20, 5 files, -19/+34)
| These are things that showed up in valgrind while running the tests.
* Add a bit of infrastructure for running valgrind (Stef Walter, 2013-03-20, 13 files, -10/+46)
| * make memcheck: Runs basic memory checking
| * make leakcheck: Also runs leak checking
* trust: Predictable behavior with duplicate certificates in token (Stef Walter, 2013-03-20, 3 files, -16/+224)
| If duplicate certificates are present in a token, we warn about this, and don't really recommend it. However we have predictable behavior where blacklist is preferred to anchor is preferred to unknown trust.
| https://bugs.freedesktop.org/show_bug.cgi?id=62548
* trust: Rework index to be faster and more usable (Stef Walter, 2013-03-20, 9 files, -179/+437)
| The index now uses a sort of cross between a hash table and a bloom filter internally to select matching items. This is needed for the massive amount of lookups we want to do during loading.
| In addition make p11_index_find() and p11_index_replace() easier to use.
* attrs: Print out the CKA_VALUE for certificates when debugging (Stef Walter, 2013-03-20, 5 files, -20/+63)
| While it's true that we shouldn't be printing out CKA_VALUE in certain cases, like for keys, we obviously can do so for certificates. We don't have keys anyway, but in the interest of being general purpose use the class to determine whether CKA_VALUE can be printed
* hash: Add the murmur2 hash and start using it (Stef Walter, 2013-03-20, 14 files, -51/+234)
| Add implementation of the murmur2 hash function, and start using it for our dictionaries. Our implementation is incremental like our other hash functions.
| Also remove p11_oid_hash() which wasn't being used.
| In addition fix several tests whose success was based on the way that the dictionary hashed. This was a hidden testing bug.
* hash: Rename file and functions for hashes (Stef Walter, 2013-03-20, 12 files, -72/+72)
| We're going to be adding other hashes. Also build as part of a different common library.
* Release version 0.17.3 [0.17.3] (Stef Walter, 2013-03-19, 2 files, -1/+8)
|
* trust: Use descriptive labels for tokens (Stef Walter, 2013-03-19, 8 files, -27/+112)
| Try to determine which one is the system trust input token, and which one is the default token by using datadir and sysconfdir respectively.
| https://bugs.freedesktop.org/show_bug.cgi?id=62534
* trust: Remove the temporary built in distrust objects (Stef Walter, 2013-03-19, 1 file, -148/+0)
| These should now be loaded from the .p11-kit persist format.
* extract: Make extracted output directories read-only (Stef Walter, 2013-03-19, 3 files, -32/+61)
| This is not a security feature or anything like that, but a hint that the files are managed by the extract tool and should not be modified manually.
* trust: Don't use POSIX or GNU basename() (Stef Walter, 2013-03-19, 6 files, -27/+137)
| Both are nasty. Do our own, and test it a bit
| https://bugs.freedesktop.org/show_bug.cgi?id=62479
* Do not export (de)constructor (Andreas Metzler, 2013-03-19, 1 file, -4/+4)
| Rename p11_kit_init and p11_kit_fini to _p11_kit_init and _p11_kit_fini respectively to stop them from being exported in the ABI. It does not seem to be necessary.
* Release version 0.17.2 [0.17.2] (Stef Walter, 2013-03-18, 2 files, -1/+5)
|
* trust: Fix trust tests on 32-bit builds (Stef Walter, 2013-03-18, 1 file, -2/+2)
|
* trust: Fix invalid varargs call in the builder (Stef Walter, 2013-03-18, 1 file, -1/+1)
|
* Release version 0.17.1 [0.17.1] (Stef Walter, 2013-03-18, 3 files, -8/+39)
| * Fix distcheck bugs surrounding the strndup() workaround
* trust: Provide better debugging of trust module functions (Stef Walter, 2013-03-18, 1 file, -5/+15)
| Make C_FindObjects() and C_GetAttributeValue() functions dump the attributes that they're dealing with when in debug mode.
* attrs: Change p11_attrs_to_string() to allow static templates (Stef Walter, 2013-03-18, 4 files, -8/+16)
| Allow passing the number of attributes to print, which lets us use this directly on templates passed in by callers of the PKCS#11 API.
* trust: Handle incorrectly encoded CKA_SERIAL_NUMBER lookups (Stef Walter, 2013-03-18, 3 files, -1/+114)
| Handle lookups for trust objects (by NSS) which expect CKA_SERIAL_NUMBER attributes without appropriate DER encoding.
| In addition allow creation of NSS trust objects as PKCS#11 session objects, so that we can test this behavior.
* Add workaround for broken strndup() in firefox (Stef Walter, 2013-03-18, 1 file, -1/+6)
| Unconditionally use our own strndup() until this issue is resolved and in the stable versions of various distros.
| See: https://bugzilla.mozilla.org/show_bug.cgi?id=826171
* compat: Fix trivial comment (Stef Walter, 2013-03-18, 1 file, -1/+1)
|
* Use the nickname x-distrusted for CKA_X_DISTRUSTED (Stef Walter, 2013-03-18, 1 file, -1/+1)
| This is a non-standard PKCS#11 attribute, so has the X prefix like the other ones we've added.
* trust: Better generation of nss objects and assertions for serial+issuer (Stef Walter, 2013-03-18, 3 files, -225/+341)
| In many cases certificates are distrusted by serial+issuer. Make sure this works, and fix various cases where we weren't generating compat NSS objects and compat trust assertions for these types of input.
* Refine looking up of attributes in arrays (Stef Walter, 2013-03-18, 13 files, -163/+158)
| There was a class of bugs for looking up invalid or empty attributes in the internal PKCS#11 attribute arrays.
| * Refine what p11_attrs_find_valid() treats as valid
| * Rename p11_attrs_is_empty() to p11_attrs_terminator() for clarity
* trust: Remove file that's no longer used (Stef Walter, 2013-03-17, 1 file, -301/+0)
|
* Bump version number (Stef Walter, 2013-03-15, 1 file, -1/+1)
|
* Fix distcheck and documentation (Stef Walter, 2013-03-15, 4 files, -22/+19)
|
* trust: Update frob-nss-tool so it can compare modules for trust info (Stef Walter, 2013-03-15, 3 files, -35/+164)
| Can run with two modules now so that it can compare tokens NSS trust info.
* trust: Support a p11-kit specific serialization format (Stef Walter, 2013-03-15, 16 files, -41/+1140)
| This is documented in doc/internals/ subdirectory
| Add tests for the format as well.
| https://bugs.freedesktop.org/show_bug.cgi?id=62156
* url: Split out the URL encoding and decoding functions (Stef Walter, 2013-03-15, 6 files, -108/+381)
| We want to use these as the format for encoding binary data in our PKCS#11 attribute persistence
| https://bugs.freedesktop.org/show_bug.cgi?id=62156
* lexer: Make a lexer for our config file format (Stef Walter, 2013-03-15, 6 files, -92/+644)
| This lexer will be used in our PKCS#11 persistence format as well.
| https://bugs.freedesktop.org/show_bug.cgi?id=62156
* trust: Use a SHA-1 hash of subjectPublicKeyInfo as CKA_ID by default (Stef Walter, 2013-03-15, 8 files, -39/+115)
| This is what's recommended by the spec, and allows stapled extensions to hang off a predictable CKA_ID.
| https://bugs.freedesktop.org/show_bug.cgi?id=62329
* trust: Add a builder which builds objects out of parsed data (Stef Walter, 2013-03-15, 17 files, -1750/+3593)
| The builder completes the objects from the parsed data and takes over the responsibilities that the parser and adapter previously shared.
| This is necessary to prepare for arbitrary data coming from the p11-kit specific input files.
| https://bugs.freedesktop.org/show_bug.cgi?id=62329
* attrs: Add info functions for constant names and values (Stef Walter, 2013-03-15, 6 files, -232/+566)
| * For retrieving the name and/or nick of constants
| * The nick is what we'll use in the file format
| https://bugs.freedesktop.org/show_bug.cgi?id=62329
* trust: Refactor to include concept of the index (Stef Walter, 2013-03-15, 14 files, -384/+2097)
| * The index holds PKCS#11 objects whether for the token or for the session.
| * The index provides hook for a builder to expand or validate objects being added to the index.
| * In addition there's a change hook so that a builder can maintain state between objects, such as the compat NSS trust objects.
| https://bugs.freedesktop.org/show_bug.cgi?id=62329
* attrs: New p11_attrs_merge() function (Stef Walter, 2013-03-15, 3 files, -6/+153)
| This takes one set of attributes and merges them into another, without copying memory needlessly.
| https://bugs.freedesktop.org/show_bug.cgi?id=62329
* asn1: Implement a parsed ASN.1 tree cache (Stef Walter, 2013-03-15, 3 files, -0/+177)
| In order to unmarry the parser from the future builder, but still retain efficiency, we need to be able to cache parsed ASN.1 trees. The ASN.1 cache provides this. In addition it carries around the loaded ASN.1 definitions.
| https://bugs.freedesktop.org/show_bug.cgi?id=62329
* extract: Combine trust policy when extracting (Stef Walter, 2013-03-15, 5 files, -43/+313)
| * Collapse multiple identical certificates coming from different tokens. Note that if a certificate should not be placed multiple times on a token. We cannot know which one to respect.
| * Add a new extract filter: --trust-policy This extracts all anchor and blacklist information
| https://bugs.freedesktop.org/show_bug.cgi?id=61497
* extract: --comment option adds comments to PEM bundles (Stef Walter, 2013-03-15, 7 files, -3/+103)
| * Placed before the certificate, simple one liner
| * No need to put comments in PEM files extracted into directories, as the file names are already descriptive.
| https://bugs.freedesktop.org/show_bug.cgi?id=62029
* extract: Allow p11_save_write() to automatically calculate length (Stef Walter, 2013-03-15, 5 files, -4/+62)
| Also if automatically calculating length, then ignore input that is NULL, as something that shouldn't be written out. This allows easier chaining of optional output, such as comments.
| https://bugs.freedesktop.org/show_bug.cgi?id=62029
* p11-kit: New priority option and change trust-policy option (Stef Walter, 2013-03-15, 15 files, -54/+136)
| * Sort loaded modules appropriately using the 'priority' option. This allows us to have a predictable order for callers, when callers iterate through modules.
| * Modules default to having a 'priority' option of '0'.
| * If modules have the same order value, then sort by name.
| * The above assumes the role of ordering trust-policy sources.
| * Change the trust-policy option to a boolean
| * Some of this code will be rearranged when the managed branch is merged.
| https://bugs.freedesktop.org/show_bug.cgi?id=61978
* trust: Make each configured path its own token (Stef Walter, 2013-03-15, 7 files, -136/+460)
| * Each source directory or file configured into the module or passed in as an initialization argument becomes its own token. Previously there was one token that contained certificates from all the configured paths.
| * These tokens are clearly labeled in the token info as to the directory or file that they represent.
| * Update PKCS#11 module logic to deal with multiple tokens, validate the slot ids and so on.
| * The order in which the paths are configured will become the order of trust priority. This is the same order in which they are listed through 'p11-kit list-modules' and C_GetSlotList.
| * Update the frob-token internal tool to only play with one path
| * Adjust tests where necessary to reflect the new state of things and add tests for modified trust module code
| https://bugs.freedesktop.org/show_bug.cgi?id=61499
* dict: Allow removal of current item in a p11_dict iteration (Stef Walter, 2013-03-15, 2 files, -0/+62)
| * This was already possible to do safely before
| * Document and test this behavior
| https://bugs.freedesktop.org/show_bug.cgi?id=61499
* trust: Rework input path treatment (Stef Walter, 2013-03-15, 20 files, -140/+318)
| * Accept a single --with-trust-paths argument to ./configure which contains all the input paths.
| * The --with-system-anchors and --with-system-certificates ./configure arguments are no longer supported. Since they were only present briefly, no provision is made for backwards compatibility.
| * Each input file is treated as containing anchors by default unless an input certificate contains detailed trust information.
| * The files in each input directory are not automatically treated as anchors unless a certificate contains detailed trust information.
| * The files in anchors/ subdirectory of each input directory are automatically marked as anchors.
| * The files in the blacklist/ subdirectory of each input directory are automatically marked as blacklisted.
| * Update tests and move around test certificates so we can test these changes.
| https://bugs.freedesktop.org/show_bug.cgi?id=62327