path: root/crypto/x509
Commit message | Author | Age | Files | Lines
* Remove fipscanister build functionality from makefiles. | Dr. Stephen Henson | 2014-12-08 | 1 | -1/+1
  Reviewed-by: Tim Hudson <tjh@openssl.org>
* Remove all .cvsignore files | Rich Salz | 2014-11-28 | 1 | -4/+0
  Reviewed-by: Tim Hudson <tjh@openssl.org>
* RT1909: Omit version for v1 certificates | Geoff Keating | 2014-09-09 | 1 | -0/+6
  When calling X509_set_version to set v1 certificate, that should mean that the version number field is omitted.
  Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
* RT2841: Extra return in check_issued | Paul Suhler | 2014-09-08 | 1 | -1/+0
  Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
* Add i2d_re_X509_tbs | Emilia Kasper | 2014-09-05 | 1 | -0/+2
  i2d_re_X509_tbs re-encodes the TBS portion of the certificate.
  Reviewed-by: Rich Salz <rsalz@openssl.org>
  Reviewed-by: Dr Stephen Henson <steve@openssl.org>
* NETSCAPE_SPKI_b64_encode: free der_spki and b64_str on error path | Jonas Maebe | 2014-08-17 | 1 | -0/+4
  Signed-off-by: Kurt Roeckx <kurt@openssl.org>
  Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
* get_cert_by_subject: check for NULL when allocating hent | Jonas Maebe | 2014-08-17 | 1 | -0/+7
  Signed-off-by: Kurt Roeckx <kurt@openssl.org>
  Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
* RT2751: Declare get_issuer_sk() earlier. | Rich Salz | 2014-08-15 | 1 | -0/+1
  Add a declaration for get_issuer_sk() so that other functions in x509_vf.c could use it. (Planned work around cross-certification chains.)
  Reviewed-by: Kurt Roeckx <kurt@openssl.org>
* Update API to use (char *) for email addresses and hostnames | Viktor Dukhovni | 2014-07-07 | 4 | -20/+22
  Reduces number of silly casts in OpenSSL code and likely most applications. Consistent with (char *) for "peername" value from X509_check_host() and X509_VERIFY_PARAM_get0_peername().
* Set optional peername when X509_check_host() succeeds. | Viktor Dukhovni | 2014-07-06 | 1 | -1/+2
  Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host(). Document modified interface.
* New peername element in X509_VERIFY_PARAM_ID | Viktor Dukhovni | 2014-07-06 | 3 | -1/+10
  Declaration, memory management, accessor and documentation.
* Make depend. | Ben Laurie | 2014-06-30 | 1 | -1/+1
* One more typo when changing !result to result <= 0 | Viktor Dukhovni | 2014-06-23 | 1 | -1/+1
* Fix typo in last commit | Viktor Dukhovni | 2014-06-22 | 1 | -1/+1
* Multiple verifier reference identities. | Viktor Dukhovni | 2014-06-22 | 4 | -10/+102
  Implemented as STACK_OF(OPENSSL_STRING).
* X509_check_mumble() failure is <= 0, not just 0 | Viktor Dukhovni | 2014-06-22 | 1 | -3/+3
* Drop hostlen from X509_VERIFY_PARAM_ID. | Viktor Dukhovni | 2014-06-22 | 3 | -8/+4
  Just store NUL-terminated strings. This works better when we add support for multiple hostnames.
* Don't use expired certificates if possible. | Dr. Stephen Henson | 2014-05-25 | 3 | -9/+37
  When looking for the issuer of a certificate, if current candidate is expired, continue looking. Only return an expired certificate if no valid certificates are found.
  PR#3359
* Rename vpm_int.h to x509_lcl.h | Dr. Stephen Henson | 2014-05-25 | 4 | -6/+6
* Fixes to host checking. | Viktor Dukhovni | 2014-05-21 | 4 | -2/+13
  Fixes to host checking wild card support and add support for setting host checking flags when verifying a certificate chain.
* For self signed root only indicate one error. | Dr. Stephen Henson | 2014-03-03 | 1 | -2/+5
  (cherry picked from commit bdfc0e284c89dd5781259cc19aa264aded538492)
* x509/by_dir.c: fix run-away pointer (and potential SEGV) | Andy Polyakov | 2014-02-24 | 1 | -4/+2
  when adding duplicates in add_cert_dir.
  PR: 3261
  Reported by: Marian Done
* make depend | Dr. Stephen Henson | 2014-02-19 | 1 | -2/+2
* Include TA in checks/callback with partial chains. | Dr. Stephen Henson | 2014-02-14 | 1 | -1/+1
  When a chain is complete and ends in a trusted root checks are also performed on the TA and the callback notified with ok==1. For consistency do the same for chains where the TA is not self signed.
* Don't do loop detection for self signed check. | Dr. Stephen Henson | 2014-02-14 | 1 | -0/+2
* Compare encodings in X509_cmp as well as hash. | Dr. Stephen Henson | 2014-01-26 | 1 | -1/+14
* Fix bug in X509_V_FLAG_IGNORE_CRITICAL CRL handling. | Dr. Stephen Henson | 2014-01-09 | 1 | -3/+2
* Add opaque ID structure. | Dr. Stephen Henson | 2013-12-13 | 5 | -37/+139
  Move the IP, email and host checking fields from the public X509_VERIFY_PARAM structure into an opaque X509_VERIFY_PARAM_ID structure. By doing this the structure can be modified in future without risk of breaking any applications.
  (cherry picked from commit adc6bd73e3bd10ce6e76867482e8d137071298d7)
  Conflicts: crypto/x509/x509_vpm.c
* Fix for partial chain notification. | Dr. Stephen Henson | 2013-12-13 | 1 | -1/+5
  For consistency with other cases if we are performing partial chain verification with just one certificate notify the callback with ok==1.
  (cherry picked from commit 852553d9005e13aed7feb986a5d71cb885b994c7)
* Partial path fix. | Dr. Stephen Henson | 2013-09-08 | 1 | -11/+8
  When verifying a partial path always check to see if the EE certificate is explicitly trusted: the path could contain other untrusted certificates.
* Make no-ec compilation work. | Dr. Stephen Henson | 2013-08-17 | 1 | -0/+16
* Fix verify loop with CRL checking. | Dr. Stephen Henson | 2013-07-12 | 1 | -0/+11
  PR #3090
  Reported by: Franck Youssef <fry@open.ch>
  If no new reason codes are obtained after checking a CRL exit with an error to avoid repeatedly checking the same CRL. This will only happen if verify errors such as invalid CRL scope are overridden in a callback.
* Reencode with X509_CRL_ctx_sign too. | Dr. Stephen Henson | 2013-06-05 | 1 | -0/+1
* Reencode certificates in X509_sign_ctx. | Dr. Stephen Henson | 2013-05-02 | 1 | -0/+1
  Reencode certificates in X509_sign_ctx as well as X509_sign. This was causing a problem in the x509 application when it modified an existing certificate.
* Make "make depend" work on MacOS out of the box. | Ben Laurie | 2013-01-19 | 1 | -7/+9
* Fix warning. | Ben Laurie | 2013-01-06 | 1 | -1/+1
* Make partial chain checking work if we only have the EE certificate in | Dr. Stephen Henson | 2012-12-21 | 1 | -0/+41
  the trust store.
* New verify flag to return success if we have any certificate in the | Dr. Stephen Henson | 2012-12-13 | 2 | -0/+11
  trusted store instead of the default which is to return an error if we can't build the complete chain.
* Fix two bugs which affect delta CRL handling: | Dr. Stephen Henson | 2012-12-06 | 1 | -2/+2
  Use -1 to check all extensions in CRLs. Always set flag for freshest CRL.
* Integrate host, email and IP address checks into X509_verify. | Dr. Stephen Henson | 2012-12-05 | 4 | -0/+157
  Add new verify options to set checks. Remove previous -check* commands from s_client and s_server.
* initial support for delta CRL generations by diffing two full CRLs | Dr. Stephen Henson | 2012-12-04 | 3 | -1/+140
* add wrapper function for certificate download | Dr. Stephen Henson | 2012-11-29 | 2 | -0/+7
* Generalise OCSP I/O functions to support downloading of other ASN1 | Dr. Stephen Henson | 2012-11-28 | 2 | -0/+9
  structures using HTTP. Add wrapper function to handle CRL download.
* New functions to set lookup_crls callback and to retrieve internal X509_STORE | Dr. Stephen Henson | 2012-11-27 | 2 | -0/+16
  from X509_STORE_CTX.
* Rename Suite B functions for consistency. | Dr. Stephen Henson | 2012-08-03 | 3 | -17/+27
  New function X509_chain_up_ref to dup and up the reference count of a STACK_OF(X509): replace equivalent functionality in several places by the equivalent call.
* add suite B chain validation flags and associated verify errors | Dr. Stephen Henson | 2012-08-03 | 5 | -0/+174
* Don't ignore (!) reference count in X509_STORE_free | Dr. Stephen Henson | 2012-07-19 | 1 | -0/+13
* New functions to retrieve certificate signatures and signature OID NID. | Dr. Stephen Henson | 2012-06-13 | 1 | -0/+4
* print out issuer and subject unique identifier fields in certificates | Dr. Stephen Henson | 2012-06-12 | 1 | -0/+1
* Minor compatibility fixes. | Andy Polyakov | 2012-04-16 | 1 | -1/+1
  PR: 2790
  Submitted by: Alexei Khlebnikov