| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6538)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL 1.1.0 made the X509_LOOKUP_METHOD structure opaque, so
applications that were previously able to define a custom lookup method
are not able to be ported.
This commit adds getters and setters for each of the current fields of
X509_LOOKUP_METHOD, along with getters and setters on several associated
opaque types (such as X509_LOOKUP and X509_OBJECT).
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6152)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Many signature types define the digest and public key type by a single OID
such as ecdsa_with_sha256.
Some types (RSA-PSS for example) use a single OID to indicate the signature
scheme and additional parameters are encoded in the AlgorithmIdentifier.
Add an X509_SIG_INFO structure to contain details about the signature type:
specifically the digest algorithm, public key algorithm, security bits and
various flags. This supports both existing algorithms and more complex
types.
Add accessors for the structure and a special case that retrieves signature
information from a certificate.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3301)
|
|
|
|
|
| |
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2079)
|
|
|
|
|
|
|
| |
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1500
|
|
|
|
|
|
|
| |
... get_by_fingerprint() and get_by_alias()
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
|
|
| |
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
|
|
| |
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
|
|
| |
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
|
|
|
|
|
|
|
| |
Make X509_OBJECT, X509_STORE_CTX, X509_STORE, X509_LOOKUP,
and X509_LOOKUP_METHOD opaque.
Remove unused X509_CERT_FILE_CTX
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new X509_VERIFY_PARAM_set_auth_level() function sets the
authentication security level. For verification of SSL peers, this
is automatically set from the SSL security level. Otherwise, for
now, the authentication security level remains at (effectively) 0
by default.
The new "-auth_level" verify(1) option is available in all the
command-line tools that support the standard verify(1) options.
New verify(1) tests added to check enforcement of chain signature
and public key security levels. Also added new tests of enforcement
of the verify_depth limit.
Updated documentation.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|
|
|
|
| |
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This was done by the following
find . -name '*.[ch]' | /tmp/pl
where /tmp/pl is the following three-line script:
print unless $. == 1 && m@/\* .*\.[ch] \*/@;
close ARGV if eof; # Close file to reset $.
And then some hand-editing of other files.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
|
|
|
|
|
|
|
| |
Don't define stacks in C source files: it causes warnings
about unused functions in some compilers.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
|
|
|
|
|
| |
Now that X509_VERIFY_PARAM is opaque X509_VERIFY_PARAM_ID is no longer
needed.
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
|
|
| |
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
|
|
| |
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
|
|
| |
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
|
|
|
|
|
|
|
| |
The X509_ATTRIBUTE structure includes a hack to tolerate malformed
attributes that encode as the type instead of SET OF type. This form
is never created by OpenSSL and shouldn't be needed any more.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
|
|
| |
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
|
|
| |
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
|
|
| |
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
|
|
|
|
| |
Reduces number of silly casts in OpenSSL code and likely most
applications. Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().
|
|
|
|
| |
Declaration, memory management, accessor and documentation.
|
|
|
|
| |
Implemented as STACK_OF(OPENSSL_STRING).
|
|
|
|
|
| |
Just store NUL-terminated strings. This works better when we add
support for multiple hostnames.
|
|
|
|
|
|
|
|
| |
When looking for the issuer of a certificate, if current candidate is
expired, continue looking. Only return an expired certificate if no valid
certificates are found.
PR#3359
|
|
|