path: root/src/libstrongswan/plugins/x509
Commit log (subject; then author, date, files changed, lines removed/added):

* x509: Initialize signature params when parsing attribute certificates
  Tobias Brunner, 2017-11-15, 1 file, -1/+1

* x509: Add support for signature schemes with parameters
  Tobias Brunner, 2017-11-08, 5 files, -143/+220
  Also adds support for specifying the hash algorithm for attribute certificate signatures.

* certificate: Return signature scheme and parameters from issued_by() method
  Tobias Brunner, 2017-11-08, 6 files, -30/+47
  This also required some include restructuring (avoid including library.h in headers) to avoid unresolvable circular dependencies.

* private-key: Add optional parameters argument to sign() method
  Tobias Brunner, 2017-11-08, 5 files, -5/+6

* public-key: Add optional parameters argument to verify() method
  Tobias Brunner, 2017-11-08, 5 files, -5/+8

* certificates: Use shared destructor for x509_cdp_t
  Tobias Brunner, 2017-09-18, 2 files, -22/+4

* x509: Correctly encode nonce in OCSP request
  Tobias Brunner, 2017-07-07, 1 file, -1/+2
  The nonce value is encoded as OCTET STRING; however, the extension values themselves must also be encoded as OCTET STRING.

* x509: nameConstraints sequence does not require a loop
  Andreas Steffen, 2017-05-29, 1 file, -2/+1
  Fixes: CVE-2017-9023

* asn1-parser: Fix CHOICE parsing
  Andreas Steffen, 2017-05-29, 1 file, -53/+59
  Fixes: CVE-2017-9023

* Change interface for enumerator_create_filter() callback
  Tobias Brunner, 2017-05-26, 3 files, -54/+75
  This avoids the unportable 5 pointer hack, but requires enumerating in the callback.

* x509: Fix leak when parsing CDPs if an invalid one follows valid ones
  Tobias Brunner, 2017-05-23, 1 file, -2/+2

* x509: Manually print CRL/OCSP URIs when fuzzing
  Tobias Brunner, 2017-05-23, 1 file, -8/+25
  This avoids a warning about the custom %Y printf specifier.

* x509: Fix leak if there is an empty CDP
  Tobias Brunner, 2017-05-23, 1 file, -1/+7

* x509: Fix leak if a certificate contains multiple authorityKeyIdentifiers
  Tobias Brunner, 2017-05-23, 1 file, -0/+1

* x509: Evaluate return codes of parsing functions
  Andreas Steffen, 2017-05-08, 4 files, -52/+149

* x509: Do not mark generated addrblock extension as critical
  Martin Willi, 2017-02-27, 1 file, -2/+1
  While RFC 3779 says we SHOULD mark it as critical, this has severe side effects in practice. The addrblock extension is not widely used nor implemented, and only a few applications can handle this extension. By marking it critical, none of these applications can make use of such certificates where included addrblocks do not matter, such as TLS/HTTPS. If an application wants to make use of addrblocks, that is usually an explicit decision. Then the very same application obviously can handle addrblocks, and there is no need for the extension to be critical. In other words, for local policy checks it is a local matter to handle the extension, hence making it critical is usually not of much help.

* x509: Support encoding the RFC 3779 addrblock extension
  Martin Willi, 2017-02-27, 1 file, -3/+134

* x509: Properly wrap keyid in authorityKeyIdentifier in attribute certificates
  Tobias Brunner, 2016-06-06, 1 file, -1/+2
  The correct encoding got lost in bdec2e4f5291 ("refactored openac and its attribute certificate factory"). Fixes #1370.

* Allow msSmartcardLogon EKU to be built
  Andreas Steffen, 2015-12-11, 1 file, -2/+2

* Print OCSP single responses
  Andreas Steffen, 2015-12-11, 1 file, -2/+40

* Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemes
  Andreas Steffen, 2015-11-06, 1 file, -2/+2

* x509: Use subjectKeyIdentifier provided by issuer cert when checking CRL issuer
  Tobias Brunner, 2015-03-06, 1 file, -18/+15
  Some CAs don't use SHA-1 hashes of the public key as subjectKeyIdentifier and authorityKeyIdentifier. If that's the case we can't force the calculation of the hash to compare that to the authorityKeyIdentifier in the CRL; instead we use the subjectKeyIdentifier stored in the issuer certificate, if available. Otherwise, we fall back to the SHA-1 hash (or comparing the DNs) as before.

* x509: Fix public key reference leak if authority key identifier does not match
  Martin Willi, 2015-02-06, 1 file, -10/+12

* Implemented full BLISS support for IKEv2 public key authentication and the pki tool
  Andreas Steffen, 2014-11-29, 5 files, -7/+11

* Skip the unused bits field of the ASN.1 BIT STRING encoding
  Andreas Steffen, 2014-11-29, 1 file, -1/+1

* x509: Check return value when signing attribute certificates
  Martin Willi, 2014-06-04, 1 file, -9/+16
  In addition to letting AC generation fail properly if private key signing fails, this also fixes an issue when compiling on Windows with MinGW 4.8.1, where for some reason the attributeCertificateInfo got encoded incorrectly.

* x509: Undef OCSP_RESPONSE from <wincrypt.h> before using it
  Martin Willi, 2014-06-04, 1 file, -0/+5

* plugins: Don't link with -rdynamic on Windows
  Martin Willi, 2014-06-04, 1 file, -1/+1

* x509: Remove some unused ASN1 OID constants
  Martin Willi, 2014-05-16, 2 files, -25/+0

* x509: Don't include authKeyIdentifier in self-signed certificates
  Tobias Brunner, 2014-04-09, 1 file, -1/+1
  As the comment indicates, this was the intention in d7be2906433a7dcfefc1fd732587865688dbfe1b all along.

* x509: Initialize certs when building optionalSignature for OCSP requests
  Tobias Brunner, 2014-04-09, 1 file, -1/+1

* Added support for msSmartcardLogon EKU
  Andreas Steffen, 2014-04-08, 1 file, -3/+10

* x509: CERT_DECODE actually requires KEY_ANY
  Tobias Brunner, 2014-03-31, 1 file, -3/+1
  More specific decoders might still be needed, but the x509 plugin should not care which ones.

* x509: Match acert has_subject() against entityName or holder serial
  Martin Willi, 2014-03-31, 1 file, -5/+25
  This allows us to find attribute certificates for a subject certificate in credential sets.

* x509: Replace the comma separated string AC group builder with a list based one
  Martin Willi, 2014-03-31, 1 file, -5/+5

* x509: Integrate IETF attribute handling, and obsolete ietf_attributes_t
  Martin Willi, 2014-03-31, 1 file, -9/+184
  The ietf_attributes_t class is used for attribute certificates only these days, and integrating them into x509_ac_t simplifies things significantly.

* x509: Replace fixed acert group string getter by a more dynamic group enumerator
  Martin Willi, 2014-03-31, 1 file, -3/+3

* x509: Skip parsing of acert chargingIdentity, as we don't use it anyway
  Martin Willi, 2014-03-31, 1 file, -9/+1

* x509: Fix some whitespaces and do some minor style cleanups in acert
  Martin Willi, 2014-03-31, 1 file, -72/+76

* uclibc only defines strndup(3) if _GNU_SOURCE is defined
  Tobias Brunner, 2014-02-19, 1 file, -2/+2
  References #516.

* lib: All settings use configured namespace
  Tobias Brunner, 2014-02-12, 2 files, -2/+2

* automake: replace INCLUDES by AM_CPPFLAGS
  Martin Willi, 2013-07-18, 1 file, -3/+4
  INCLUDES is now deprecated and throws warnings when using automake 1.13. We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and defines are passed to AM_CPPFLAGS only.

* Recognize critical IssuingDistributionPoint CRL extension
  Andreas Steffen, 2013-07-12, 1 file, -0/+3

* certificate_t.has_subject() matches for certificate serialNumber
  Martin Willi, 2012-12-19, 1 file, -0/+4

* Moved debug.[ch] to utils folder
  Tobias Brunner, 2012-10-24, 6 files, -6/+6

* Moved data structures to new collections subfolder
  Tobias Brunner, 2012-10-24, 6 files, -6/+6

* Make sure first argument is an int when using %.*s to print e.g. chunks
  Tobias Brunner, 2012-09-28, 1 file, -1/+1

* Properly initialize chunk for extension OID when parsing CRLs
  Tobias Brunner, 2012-09-28, 1 file, -1/+1

* Add a return value to hasher_t.allocate_hash()
  Martin Willi, 2012-07-16, 3 files, -21/+28

* Check rng return value when generating OCSP nonces
  Tobias Brunner, 2012-07-16, 1 file, -7/+7