2006-04-26 Love Hörnquist Åstrand

* data/.cvsignore: ignore leftover from OpenSSL cert generation
* hx509_err.et: Add name malformed error
* name.c (hx509_parse_name): don't abort on error, rather return error
* test_name.c: Test failure parsing name.
* cert.c: When verifying certificates, store subject basename for later consumption.
* test_name.c: test to parse and print name and check that they are the same.
* name.c (hx509_parse_name): fix length argument to printf string
* name.c (hx509_parse_name): fix length argument to stringtooid, 1 too short.
* cert.c: remove debug printf's
* name.c (hx509_parse_name): make compile pre c99
* data/gen-req.sh: OpenSSL has a serious issue of user confusion: -subj in -ca takes the arguments in LDAP order. -subj for x509 takes it in x509 order.
* cert.c (hx509_verify_path): handle the case where there are two proxy certs in a chain.
* test_chain.in: enable two proxy certificates in a chain test
* test_chain.in: tests proxy certificates
* data: re-gen
* data/gen-req.sh: build proxy certificates
* data/openssl.cnf: add def for proxy10_cert
* hx509_err.et: Add another proxy certificate error.
* cert.c (hx509_verify_path): Need to mangle name to remove the CN of the subject, copying issuer only works for one level but is better than doing no checking at all.
* hxtool.c: Add verify --allow-proxy-certificate.
* hxtool-commands.in: add verify --allow-proxy-certificate
* hx509_err.et: Add proxy certificate errors.
* cert.c: Fix comment about subject name of proxy certificate.
* test_chain.in: tests for proxy certs
* data/gen-req.sh: gen proxy and non-proxy tests certificates
* data/openssl.cnf: Add definition for proxy certs
* data/*proxy-test.*: Add proxy certificates
* cert.c (hx509_verify_path): verify proxy certificates have no san or ian
* cert.c (hx509_verify_set_proxy_certificate): Add
  (*): rename policy cert to proxy cert
* cert.c: Initial support for proxy certificates.

2006-04-24 Love Hörnquist Åstrand

* hxtool.c: some error checking
* name.c: Switch over to asn1 generated oids.
* TODO: merge with old todo file

2006-04-23 Love Hörnquist Åstrand

* test_query.in: make quiet
* test_req.in: SKIP test if there is no RSA support.
* hxtool.c: print dh method too
* test_chain.in: SKIP test if there is no RSA support.
* test_cms.in: SKIP test if there is no RSA support.
* test_nist.in: SKIP test if there is no RSA support.

2006-04-22 Love Hörnquist Åstrand

* hxtool-commands.in: Allow passing in pool and anchor to signedData
* hxtool.c: Allow passing in pool and anchor to signedData
* test_cms.in: Test that certs in signed data are picked up.
* hx_locl.h: Expose the path building function to internal functions.
* cert.c: Expose the path building function to internal functions.
* hxtool-commands.in: cms-envelope: Add support for choosing the encryption type
* hxtool.c (cms_create_enveloped): Add support for choosing the encryption type
* test_cms.in: Test generating des-ede3 aes-128 aes-256 enveloped data
* crypto.c: Add names to cipher types.
* cert.c (hx509_query_match_friendly_name): fix return value
* data/gen-req.sh: generate tests for enveloped data using des-ede3 and aes256
* test_cms.in: add tests for enveloped data using des-ede3 and aes256
* cert.c (hx509_query_match_friendly_name): New function.

2006-04-21 Love Hörnquist Åstrand

* ks_p11.c: Add support for parsing slot-number.
* crypto.c (oid_private_rc2_40): simplify
* crypto.c: Use oids from asn1 generator.
* ks_file.c (file_init): reset length when done with a part
* test_cms.in: check with test.combined.crt.
* data/gen-req.sh: Create test.combined.crt.
* test_cms.in: Test signed data using keyfile that is encrypted.
* ks_file.c: Remove (commented out) debug printf
* ks_file.c (parse_rsa_private_key): use EVP_get_cipherbyname
* ks_file.c (parse_rsa_private_key): make working for one password.
* ks_file.c (parse_rsa_private_key): Implement enough for testing.
* hx_locl.h: Add
* ks_file.c: Add glue code for PEM encrypted password files.
* test_cms.in: Add commented out password protected PEM file, remove password for those tests that don't need it.
* test_cms.in: adapt test now that we can use any certificate and trust anchor
* collector.c: handle PEM RSA PRIVATE KEY files
* cert.c: Remove unused function.
* ks_dir.c: move code here from ks_file.c now that it's no longer used.
* ks_file.c: Add support for parsing unencrypted RSA PRIVATE KEY
* crypto.c: Handle rsa private keys better.

2006-04-20 Love Hörnquist Åstrand

* hxtool.c: Use hx509_cms_{,un}wrap_ContentInfo
* cms.c: Make hx509_cms_{,un}wrap_ContentInfo usable in asn1 un-aware code.
* cert.c (hx509_verify_path): if trust anchor is not self signed, don't check sig. From Douglas Engert.
* test_chain.in: test "sub-cert -> sub-ca"
* crypto.c: Use the right length for the sha256 checksums.

2006-04-15 Love Hörnquist Åstrand

* crypto.c: Fix breakage from sha256 code.
* crypto.c: Add SHA256 support, and symbols for the other new SHA-2 types.

2006-04-14 Love Hörnquist Åstrand

* test_cms.in: test rc2-40 rc2-64 rc2-128 enveloped data
* data/test-enveloped-rc2-{40,64,128}: add tests cases for rc2
* cms.c: Update prototypes changes for hx509_crypto_[gs]et_params.
* crypto.c: Break out the parameter handling code for encrypting data to handle RC2. Needed for Windows 2k pk-init support.

2006-04-04 Love Hörnquist Åstrand

* Makefile.am: Split libhx509_la_SOURCES into build file and distributed files so we can avoid building prototypes for build-files.

2006-04-03 Love Hörnquist Åstrand

* TODO: split certificate request into pkcs10 and CRMF
* hxtool-commands.in: Add nonce flag to ocsp-fetch
* hxtool.c: control sending nonce
* hxtool.c (request_create): store the request in a file, not in bitbucket.
* cert.c: expose print_cert_subject internally
* hxtool.c: Add ocsp_print.
* hxtool-commands.in: New command "ocsp-print".
* hx_locl.h: Include .
* revoke.c (verify_ocsp): require issuer to match too.
  (free_ocsp): new function
  (hx509_revoke_ocsp_print): new function, print ocsp reply
* Makefile.am: build CRMF files
* data/key.der: needed for cert request test
* test_req.in: adapt to rename of pkcs10-create to request-create
* hxtool.c: adapt to rename of pkcs10-create to request-create
* hxtool-commands.in: Rename pkcs10-create to request-create
* crypto.c: (_hx509_parse_private_key): Avoid crashing on bad input.
* hxtool.c (pkcs10_create): use opt->subject_string
* hxtool-commands.in: Add pkcs10-create --subject
* Makefile.am: Add test_req to tests.
* test_req.in: Test for pkcs10 commands.
* name.c (hx509_parse_name): new function.
* hxtool.c (pkcs10_create): implement
* hxtool-commands.in (pkcs10-create): Add arguments
* crypto.c: Add _hx509_private_key2SPKI and support functions (only support RSA for now).

2006-04-02 Love Hörnquist Åstrand

* hxtool-commands.in: Add pkcs10-create command.
* hx509.h: Add hx509_request.
* TODO: more stuff
* Makefile.am: Add req.c
* req.c: Create certificate requests, prototype converts the request in a pkcs10 packet.
* hxtool.c: Add pkcs10_create
* name.c (hx509_name_copy): new function.

2006-04-01 Love Hörnquist Åstrand

* TODO: fill out what do
* hxtool-commands.in: add pkcs10-print
* hx_locl.h: Include .
* pkcs10.asn1: PKCS#10
* hxtool.c (pkcs10_print): new function.
* test_chain.in: test ocsp keyhash
* data: generate ocsp keyhash version too
* revoke.c (load_ocsp): test that we got back a BasicResponse
* ocsp.asn1: Add asn1_id_pkix_ocsp*.
* Makefile.am: Add asn1_id_pkix_ocsp*.
* cert.c: Add HX509_QUERY_MATCH_KEY_HASH_SHA1
* hx_locl.h: Add HX509_QUERY_MATCH_KEY_HASH_SHA1
* revoke.c: Support OCSPResponderID.byKey, indent.
* revoke.c (hx509_ocsp_request): Add nonce to ocsp request.
* hxtool.c: Add nonce to ocsp request.
* test_chain.in: Added crl tests
* data/nist-data: rename missing-crl to missing-revoke
* data: make ca use openssl ca command so we can add ocsp tests, and regen certs
* test_chain.in: Add revoked ocsp cert test
* cert.c: rename missing-crl to missing-revoke
* revoke.c: refactor code, fix an un-init-ed variable
* test_chain.in: rename missing-crl to missing-revoke, add ocsp tests
* test_cms.in: rename missing-crl to missing-revoke
* hxtool.c: rename missing-crl to missing-revoke
* hxtool-commands.in: rename missing-crl to missing-revoke
* revoke.c: Plug one memory leak.
* revoke.c: Renamed generic CRL related errors.
* hx509_err.et: Comments and renamed generic CRL related errors
* revoke.c: Add ocsp checker.
* ocsp.asn1: Add id-kp-OCSPSigning
* hxtool-commands.in: add url-path argument to ocsp-fetch
* hxtool.c: implement ocsp-fetch
* cert.c: Use HX509_DEFAULT_OCSP_TIME_DIFF.
* hx_locl.h: Add ocsp_time_diff to hx509_context
* crypto.c (_hx509_verify_signature_bitstring): new function, commonly used when checking certificates
* cms.c (hx509_cms_envelope_1): check for internal ASN.1 encoder error
* cert.c: Add ocsp glue, use new _hx509_verify_signature_bitstring, add eku checking function.

2006-03-31 Love Hörnquist Åstrand

* Makefile.am: add id_kp_OCSPSigning.x
* revoke.c: Pick out certs in ocsp response
* TODO: list of stuff to verify
* revoke.c: Add code to load OCSPBasicOCSPResponse files, reload crl when it's changed on disk.
* cert.c: Update for ocsp merge. handle building path w/o subject (using subject key id)
* ks_p12.c: _hx509_map_file changed prototype.
* file.c: _hx509_map_file changed prototype, returns struct stat if requested.
* ks_file.c: _hx509_map_file changed prototype.
* hxtool.c: Add stub for ocsp-fetch, _hx509_map_file changed prototype, add ocsp parsing to verify command.
* hx_locl.h: rename HX509_CTX_CRL_MISSING_OK to HX509_CTX_VERIFY_MISSING_OK now that we have OCSP glue

2006-03-30 Love Hörnquist Åstrand

* hx_locl.h: Add to make it compile on Solaris, from Alex V. Labuta.

2006-03-28 Love Hörnquist Åstrand

* crypto.c (_hx509_pbe_decrypt): try all passwords, not just the first one.

2006-03-27 Love Hörnquist Åstrand

* print.c (check_altName): Print the othername oid.
* crypto.c: Manual page claims RSA_public_decrypt will return -1 on error, let's check for that
* crypto.c (_hx509_pbe_decrypt): also try the empty password
* collector.c (match_localkeyid): no need to add back the cert to the cert pool, it's already there.
* crypto.c: Add REQUIRE_SIGNER
* cert.c (hx509_cert_free): ok to free NULL
* hx509_err.et: Add new error code SIGNATURE_WITHOUT_SIGNER.
* name.c (_hx509_name_ds_cmp): make DirectoryString case insensitive
  (hx509_name_to_string): less spacing
* cms.c: Check for signature error, check consistency of error

2006-03-26 Love Hörnquist Åstrand

* collector.c (_hx509_collector_alloc): handle errors
* cert.c (hx509_query_alloc): allocate slightly more than a sizeof(pointer)
* crypto.c (_hx509_private_key_assign_key_file): ask for password if nothing matches.
* cert.c: Expose more of the hx509_query interface.
* collector.c: hx509_certs_find is now exposed.
* cms.c: hx509_certs_find is now exposed.
* revoke.c: hx509_certs_find is now exposed.
* keyset.c (hx509_certs_free): allow free-ing NULL
  (hx509_certs_find): expose
  (hx509_get_one_cert): new function
* hxtool.c: hx509_certs_find is now exposed.
* hx_locl.h: Remove hx509_query, it's exposed now.
* hx509.h: Add hx509_query.

2006-02-22 Love Hörnquist Åstrand

* cert.c: Add exceptions for null (empty) subjectNames
* data/nist-data: Add some more name constraints tests.
* data/nist-data: Add some of the tests from 4.13 Name Constraints.
* cert.c: Name constraints need to be evaluated in block as they appear in the certificates, they can not be joined to one list.
One example of this is:
- cert is cn=foo,dc=bar,dc=baz
- subca is dc=foo,dc=baz with name restriction dc=kaka,dc=baz
- ca is dc=baz with name restriction dc=baz
If the name restrictions are merged to a list, the certificate will pass this test.

2006-02-14 Love Hörnquist Åstrand

* cert.c: Handle more name constraints cases.
* crypto.c (dsa_verify_signature): test if malloc failed

2006-01-31 Love Hörnquist Åstrand

* cms.c: Drop partial pkcs12 string2key implementation.

2006-01-20 Love Hörnquist Åstrand

* data/nist-data: Add commented out DSA tests (they fail).
* data/nist-data: Add 4.2 Validity Periods.
* test_nist.in: Make less verbose to use.
* Makefile.am: Add test_nist_cert.
* data/nist-data: Add some more CRL-tests.
* test_nist.in: Print $id instead of . when running the tests.
* test_nist.in: Drop verifying certificates, it's done in another test now.
* data/nist-data: fixup kill-rectangle leftovers
* data/nist-data: Drop verifying certificates, it's done in another test now. Add more crl tests. comment out all unused tests.
* test_nist_cert.in: test parse all nist certs

2006-01-19 Love Hörnquist Åstrand

* hx509_err.et: Add HX509_CRL_UNKNOWN_EXTENSION.
* revoke.c: Check for unknown extensions in CRLs and CRLEntries.
* test_nist.in: Parse new format to handle CRL info.
* test_chain.in: Add --missing-crl.
* name.c (hx509_unparse_der_name): Rename from hx509_parse_name.
  (_hx509_unparse_Name): Add.
* hxtool-commands.in: Add --missing-crl to verify commands.
* hx509_err.et: Add CRL errors.
* cert.c (hx509_context_set_missing_crl): new function. Add CRL handling.
* hx_locl.h: Add HX509_CTX_CRL_MISSING_OK.
* revoke.c: Parse and verify CRLs (simplistic).
* hxtool.c: Parse CRL info.
* data/nist-data: Change format so we can deal with CRLs, also note the test-id from PKITS.
* data: regenerate test
* data/gen-req.sh: use static-file to generate tests
* data/static-file: new file to use for committed tests
* test_cms.in: Use static file, add --missing-crl.
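
An added illustration of the 2006-02-22 cert.c entry on name constraints; it is not code from hx509. It runs the chain from that entry through a merged-list check and a per-CA block check. The struct and function names are hypothetical, and DNs are compared as plain LDAP-order strings (an assumption; real code compares decoded RDNs).

```c
#include <stdio.h>
#include <string.h>

/* One CA's permitted directoryName subtrees, as LDAP-order strings.
 * Simplified: exact byte comparison, no DER decoding or RDN escaping. */
struct nc_block {
    const char *permitted[4];
    size_t n;
};

/* Constructed from the ChangeLog example: root CA first, then the sub-CA. */
static const struct nc_block changelog_chain[] = {
    { { "dc=baz" }, 1 },         /* ca */
    { { "dc=kaka,dc=baz" }, 1 }, /* subca */
};

/* 1 if dn lies under base, i.e. base is a suffix of dn on an RDN boundary. */
int dn_in_subtree(const char *dn, const char *base)
{
    size_t dl = strlen(dn), bl = strlen(base);

    if (bl > dl || strcmp(dn + (dl - bl), base) != 0)
        return 0;
    return dl == bl || dn[dl - bl - 1] == ',';
}

static int block_permits(const struct nc_block *b, const char *dn)
{
    size_t i;

    for (i = 0; i < b->n; i++)
        if (dn_in_subtree(dn, b->permitted[i]))
            return 1;
    return 0;
}

/* Per-block: each CA that sets constraints must permit the name itself. */
int check_per_block(const struct nc_block *chain, size_t len, const char *dn)
{
    size_t i;

    for (i = 0; i < len; i++)
        if (chain[i].n > 0 && !block_permits(&chain[i], dn))
            return 0;
    return 1;
}

/* Merged (flawed): all subtrees joined into one list, any match accepts. */
int check_merged(const struct nc_block *chain, size_t len, const char *dn)
{
    size_t i, seen = 0;

    for (i = 0; i < len; i++) {
        seen += chain[i].n;
        if (block_permits(&chain[i], dn))
            return 1;
    }
    return seen == 0; /* no constraints anywhere: nothing to enforce */
}

int main(void)
{
    const char *cert = "cn=foo,dc=bar,dc=baz";

    printf("merged:    %s\n", check_merged(changelog_chain, 2, cert) ? "accept" : "reject");
    printf("per-block: %s\n", check_per_block(changelog_chain, 2, cert) ? "accept" : "reject");
    return 0;
}
```

The merged check accepts the certificate because the root's dc=baz subtree covers it, while the per-block check rejects it because the sub-CA's dc=kaka,dc=baz restriction does not.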

2006-01-18 Love Hörnquist Åstrand

* print.c: It's cRLReason, not cRLReasons.
* hxtool.c: Attach revoke context to verify context.
* data/nist-data: change syntax to make match better with crl checks
* cert.c: Verify no certificates has been revoked with the new revoke interface.
* Makefile.am: libhx509_la_SOURCES += revoke.c
* revoke.c: Add framework for handling CRLs.
* hx509.h: Add hx509_revoke_ctx.

2006-01-13 Love Hörnquist Åstrand

* delete crypto_headers.h, use global file instead.
* crypto.c (PBE_string2key): libdes now supports PKCS12_key_gen

2006-01-12 Love Hörnquist Åstrand

* crypto_headers.h: Need BN_is_negative too.

2006-01-11 Love Hörnquist Åstrand

* ks_p11.c (p11_rsa_public_decrypt): since is wrong, don't provide it. PKCS11 can't do public_decrypt, it supports verify though. All this doesn't matter, since the code never goes through this path.
* crypto_headers.h: Provide glue to compile with less warnings with OpenSSL

2006-01-08 Love Hörnquist Åstrand

* Makefile.am: Depend on LIB_des
* lock.c: Use "crypto_headers.h".
* crypto_headers.h: Include the two different implementations of crypto headers.
* cert.c: Use "crypto-headers.h". Load ENGINE configuration.
* crypto.c: Make compile with both OpenSSL and heimdal libdes.
* ks_p11.c: Add code for public key decryption (not supported yet) and use "crypto-headers.h".

2006-01-04 Love Hörnquist Åstrand

* add a hx509_context where we can store configuration
* p11.c,Makefile.am: pkcs11 is now supported by library, remove old files.
* ks_p11.c: more paranoid on refcount, set refcounter earlier, reset pointers after free
* collector.c (struct private_key): remove temporary key data storage, convert directly to a key
  (match_localkeyid): match certificate and key using localkeyid
  (match_keys): match certificate and key using _hx509_match_keys
  (_hx509_collector_collect): rewrite to use match_keys and match_localkeyid
* crypto.c (_hx509_match_keys): function that determines if a private key matches a certificate, used when there is no localkeyid.
  (*) reset free pointer
* ks_file.c: Rewrite to use collector and mapping support function.
* ks_p11.c (rsa_pkcs1_method): constify
* ks_p11.c: drop extra wrapping of p11_init
* crypto.c (_hx509_private_key_assign_key_file): use function to extract rsa key
* cert.c: Revert previous, refcounter is unsigned, so it can never be negative.
* cert.c (hx509_cert_ref): more refcount paranoia
* ks_p11.c: Implement rsa_private_decrypt and add stubs for public ditto.
* ks_p11.c: Less printf, less memory leaks.
* ks_p11.c: Implement signing using pkcs11.
* ks_p11.c: Partly assign private key, enough to complete collection, but not any crypto functionality.
* collector.c: Use hx509_private_key to assign private keys.
* crypto.c: Remove most of the EVP_PKEY code, and use RSA directly, this temporarily removes DSA support.
* hxtool.c (print_f): print if there is a friendly name and if there is a private key

2006-01-03 Love Hörnquist Åstrand

* name.c: Avoid warning from missing __attribute__((noreturn))
* lock.c (_hx509_lock_unlock_certs): return unlock certificates
* crypto.c (_hx509_private_key_assign_ptr): new function, exposes EVP_PKEY
  (_hx509_private_key_assign_key_file): remember to free private key if there is one.
* cert.c (_hx509_abort): add newline to output and flush stdout
* Makefile.am: libhx509_la_SOURCES += collector.c
* hx_locl.h: forward type declaration of struct hx509_collector.
* collector.c: Support functions to collect certificates and private keys and then match them.
* ks_p12.c: Use the new hx509_collector support functions.
* ks_p11.c: Add enough glue to support certificate iteration.
* test_nist_pkcs12.in: Less verbose.
* cert.c (hx509_cert_free): if there is a private key associated with this cert, free it
* print.c: Use _hx509_abort.
* ks_p12.c: Use _hx509_abort.
* hxtool.c: Use _hx509_abort.
* crypto.c: Use _hx509_abort.
* cms.c: Use _hx509_abort.
* cert.c: Use _hx509_abort.
* name.c: use _hx509_abort

2006-01-02 Love Hörnquist Åstrand

* name.c (hx509_name_to_string): don't cut bmpString in half.
* name.c (hx509_name_to_string): don't overwrite with 1 byte with bmpString.
* ks_file.c (parse_certificate): avoid stomping before array
* name.c (oidtostring): avoid leaking memory
* keyset.c: Add _hx509_ks_dir_register.
* Makefile.am (libhx509_la_SOURCES): += ks_dir.c
* hxtool-commands.in: Remove pkcs11.
* hxtool.c: Remove pcert_pkcs11.
* ks_file.c: Factor out certificate parsing code.
* ks_dir.c: Add new keystore that treats all files in a directory as a keystore, useful for regression tests.

2005-12-12 Love Hörnquist Åstrand

* test_nist_pkcs12.in: Test parse PKCS12 files from NIST.
* data/nist-data: Can handle DSA certificate.
* hxtool.c: Print error code on failure.

2005-10-29 Love Hörnquist Åstrand

* crypto.c: Support DSA signature operations.

2005-10-04 Love Hörnquist Åstrand

* print.c: Validate that issuerAltName and subjectAltName isn't empty.

2005-09-14 Love Hörnquist Åstrand

* p11.c: Cast to unsigned char to avoid warning.
* keyset.c: Register pkcs11 module.
* Makefile.am: Add ks_p11.c, install hxtool.
* ks_p11.c: Starting point of a pkcs11 module.

2005-09-04 Love Hörnquist Åstrand

* lock.c: Implement prompter.
* hxtool-commands.in: add --content to print
* hxtool.c: Split verify and print.
* cms.c: _hx509_pbe_decrypt now takes a hx509_lock.
* crypto.c: Make _hx509_pbe_decrypt take a hx509_lock, workaround for empty password.
* name.c: Add DC, handle all Directory strings, fix signless problems.

2005-09-03 Love Hörnquist Åstrand

* test_query.in: Pass in --pass to all commands.
* hxtool.c: Use option --pass.
* hxtool-commands.in: Add --pass to all commands.
* hx509_err.et: add UNKNOWN_LOCK_COMMAND and CRYPTO_NO_PROMPTER
* test_cms.in: pass in password to cms-create-sd
* crypto.c: Abstract out PBE_string2key so I can add PBE2 s2k later. Avoid signedness warnings with OpenSSL.
* cms.c: Use void * instead of char * to avoid signedness issues
* cert.c (hx509_cert_get_attribute): remove const, it's not
* ks_p12.c: Cast size_t to unsigned long when printing.
* name.c: Fix signedness warning.
* test_query.in: Use echo, the function check isn't defined here.

2005-08-11 Love Hörnquist Åstrand

* hxtool-commands.in: Add more options that were missing.

2005-07-28 Love Hörnquist Åstrand

* test_cms.in: Use --certificate= for enveloped/unenvelope.
* hxtool.c: Use --certificate= for enveloped/unenvelope. Clean up.
* test_cms.in: add EnvelopeData tests
* hxtool.c: use id-envelopedData for ContentInfo
* hxtool-commands.in: add contentinfo wrapping for create/unwrap enveloped data
* hxtool.c: add contentinfo wrapping for create/unwrap enveloped data
* data/gen-req.sh: add enveloped data (aes128)
* crypto.c: add "new" RC2 oid

2005-07-27 Love Hörnquist Åstrand

* hx_locl.h, cert.c: Add HX509_QUERY_MATCH_FUNCTION that allows caller to match by function, note that this doesn't work directly for backends that implement ->query, they must do their own processing. (I'm running out of flags, only 12 left now)
* test_cms.in: verify ContentInfo wrapping code in hxtool
* hxtool-commands.in (cms_create_sd): support wrapping in content info spelling
* hxtool.c (cms_create_sd): support wrapping in content info
* test_cms.in: test more cms signeddata messages
* data/gen-req.sh: generate SignedData
* hxtool.c (cms_create_sd): support certificate store, add support to unwrap a ContentInfo the SignedData inside.
* crypto.c: sprinkle rk_UNCONST
* crypto.c: add DER NULL to the digest oid's
* hxtool-commands.in: add --content-info to cms-verify-sd
* cms.c (hx509_cms_create_signed_1): pass in a full AlgorithmIdentifier instead of heim_oid for digest_alg
* crypto.c: make digest_alg a digest_oid, it's not needed right now
* hx509_err.et: add CERT_NOT_FOUND
* keyset.c (_hx509_certs_find): add error code for cert not found
* cms.c (hx509_cms_verify_signed): add external store of certificates, use the right digest algorithm identifier.
* cert.c: fix const warning
* ks_p12.c: slightly less verbose
* cert.c: add hx509_cert_find_subjectAltName_otherName, add HX509_QUERY_MATCH_FRIENDLY_NAME
* hx509.h: add hx509_octet_string_list, remove bad comment
* hx_locl.h: add HX509_QUERY_MATCH_FRIENDLY_NAME
* keyset.c (hx509_certs_append): needs a hx509_lock, add one
* Makefile.am: add test cases tempfiles to CLEANFILES
* Makefile.am: add test_query to TESTS, fix dependency on hxtool sources on hxtool-commands.h
* hxtool-commands.in: explain what signer is for create-sd
* hxtool.c: add query, add more options to verify-sd and create-sd
* test_cms.in: add more cms tests
* hxtool-commands.in: add query, add more options to verify-sd
* test_query.in: test query interface
* data: fix filenames for ds/ke files, add pkcs12 files, regen
* hxtool.c,Makefile.am,hxtool-commands.in: switch to slc

2005-07-26 Love Hörnquist Åstrand

* cert.c (hx509_verify_destroy_ctx): add
* hxtool.c: free hx509_verify_ctx
* name.c (_hx509_name_ds_cmp): make sure all strings are not equal

2005-07-25 Love Hörnquist Åstrand

* hxtool.c: return error
* keyset.c: return errors from iterations
* test_chain.in: clean up checks
* ks_file.c (parse_certificate): return errno's not 1 in case of error
* ks_file.c (file_iter): make sure endpointer is NULL
* ks_mem.c (mem_iter): follow conversion and return NULL when we get to the end, not ENOENT.
* Makefile.am: test_chain depends on hxtool
* data: test certs that last 10 years
* data/gen-req.sh: script to generate test certs
* Makefile.am: Add regression tests.
* data: test certificate and keys
* test_chain.in: test chain
* hxtool.c (cms_create_sd): add KU digitalSignature as a requirement to the query
* hx_locl.h: add KeyUsage query bits
* hx509_err.et: add KeyUsage error
* cms.c: add checks for KeyUsage
* cert.c: more checks on KeyUsage, allow to query on them too

2005-07-24 Love Hörnquist Åstrand

* cms.c: Add missing break.
* hx_locl.h,cms.c,cert.c: allow matching on SubjectKeyId
* hxtool.c: Use _hx509_map_file, _hx509_unmap_file and _hx509_write_file.
* file.c (_hx509_write_file): in case of write error, return errno
* file.c (_hx509_write_file): add a function that writes a data blob to disk too
* Fix id-tags
* Import mostly complete X.509 and CMS library. Handles PEM, DER, PKCS12 encoded certificates. Verifies RSA chains and handles CMS's SignedData and EnvelopedData.