eec31b6bad
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16999 ec53bebd-3082-4978-b11e-865c3cabbd6b

2006-04-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* TODO: split certificate request into pkcs10 and CRMF

	* hxtool-commands.in: Add nonce flag to ocsp-fetch

	* hxtool.c: control sending nonce

	* hxtool.c (request_create): store the request in a file, not in
	bitbucket.

	* cert.c: expose print_cert_subject internally

	* hxtool.c: Add ocsp_print.

	* hxtool-commands.in: New command "ocsp-print".

	* hx_locl.h: Include <hex.h>.

	* revoke.c (verify_ocsp): require issuer to match too.
	(free_ocsp): new function
	(hx509_revoke_ocsp_print): new function, print ocsp reply

	* Makefile.am: build CRMF files

	* data/key.der: needed for cert request test

	* test_req.in: adapt to rename of pkcs10-create to request-create

	* hxtool.c: adapt to rename of pkcs10-create to request-create

	* hxtool-commands.in: Rename pkcs10-create to request-create

	* crypto.c: (_hx509_parse_private_key): Avoid crashing on bad input.

	* hxtool.c (pkcs10_create): use opt->subject_string

	* hxtool-commands.in: Add pkcs10-create --subject

	* Makefile.am: Add test_req to tests.

	* test_req.in: Test for pkcs10 commands.

	* name.c (hx509_parse_name): new function.

	* hxtool.c (pkcs10_create): implement

	* hxtool-commands.in (pkcs10-create): Add arguments

	* crypto.c: Add _hx509_private_key2SPKI and support
	functions (only support RSA for now).

2006-04-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool-commands.in: Add pkcs10-create command.

	* hx509.h: Add hx509_request.

	* TODO: more stuff

	* Makefile.am: Add req.c

	* req.c: Create certificate requests, prototype converts the
	request in a pkcs10 packet.

	* hxtool.c: Add pkcs10_create

	* name.c (hx509_name_copy): new function.

2006-04-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* TODO: fill out what to do

	* hxtool-commands.in: add pkcs10-print

	* hx_locl.h: Include <pkcs10_asn1.h>.

	* pkcs10.asn1: PKCS#10

	* hxtool.c (pkcs10_print): new function.

	* test_chain.in: test ocsp keyhash

	* data: generate ocsp keyhash version too

	* revoke.c (load_ocsp): test that we got back a BasicResponse

	* ocsp.asn1: Add asn1_id_pkix_ocsp*.

	* Makefile.am: Add asn1_id_pkix_ocsp*.

	* cert.c: Add HX509_QUERY_MATCH_KEY_HASH_SHA1

	* hx_locl.h: Add HX509_QUERY_MATCH_KEY_HASH_SHA1

	* revoke.c: Support OCSPResponderID.byKey, indent.

	* revoke.c (hx509_ocsp_request): Add nonce to ocsp request.

	* hxtool.c: Add nonce to ocsp request.

	* test_chain.in: Added crl tests

	* data/nist-data: rename missing-crl to missing-revoke

	* data: make ca use openssl ca command so we can add ocsp tests,
	and regen certs

	* test_chain.in: Add revoked ocsp cert test

	* cert.c: rename missing-crl to missing-revoke

	* revoke.c: refactor code, fix a un-init-ed variable

	* test_chain.in: rename missing-crl to missing-revoke add ocsp
	tests

	* test_cms.in: rename missing-crl to missing-revoke

	* hxtool.c: rename missing-crl to missing-revoke

	* hxtool-commands.in: rename missing-crl to missing-revoke

	* revoke.c: Plug one memory leak.

	* revoke.c: Renamed generic CRL related errors.

	* hx509_err.et: Comments and renamed generic CRL related errors

	* revoke.c: Add ocsp checker.

	* ocsp.asn1: Add id-kp-OCSPSigning

	* hxtool-commands.in: add url-path argument to ocsp-fetch

	* hxtool.c: implement ocsp-fetch

	* cert.c: Use HX509_DEFAULT_OCSP_TIME_DIFF.

	* hx_locl.h: Add ocsp_time_diff to hx509_context

	* crypto.c (_hx509_verify_signature_bitstring): new function,
	commonly used when checking certificates

	* cms.c (hx509_cms_envelope_1): check for internal ASN.1 encoder
	error

	* cert.c: Add ocsp glue, use new
	_hx509_verify_signature_bitstring, add eku checking function.

2006-03-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: add id_kp_OCSPSigning.x

	* revoke.c: Pick out certs in ocsp response

	* TODO: list of stuff to verify

	* revoke.c: Add code to load OCSPBasicOCSPResponse files, reload
	crl when it's changed on disk.

	* cert.c: Update for ocsp merge. handle building path w/o
	subject (using subject key id)

	* ks_p12.c: _hx509_map_file changed prototype.

	* file.c: _hx509_map_file changed prototype, returns struct stat
	if requested.

	* ks_file.c: _hx509_map_file changed prototype.

	* hxtool.c: Add stub for ocsp-fetch, _hx509_map_file changed
	prototype, add ocsp parsing to verify command.

	* hx_locl.h: rename HX509_CTX_CRL_MISSING_OK to
	HX509_CTX_VERIFY_MISSING_OK now that we have OCSP glue

2006-03-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* hx_locl.h: Add <krb5-types.h> to make it compile on Solaris,
	from Alex V. Labuta.

2006-03-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* crypto.c (_hx509_pbe_decrypt): try all passwords, not just the
	first one.

2006-03-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* print.c (check_altName): Print the othername oid.

	* crypto.c: Manual page claims RSA_public_decrypt will return -1
	on error, let's check for that

	* crypto.c (_hx509_pbe_decrypt): also try the empty password

	* collector.c (match_localkeyid): no need to add back the cert to
	the cert pool, it's already there.

	* crypto.c: Add REQUIRE_SIGNER

	* cert.c (hx509_cert_free): ok to free NULL

	* hx509_err.et: Add new error code SIGNATURE_WITHOUT_SIGNER.

	* name.c (_hx509_name_ds_cmp): make DirectoryString case
	insensitive
	(hx509_name_to_string): less spacing

	* cms.c: Check for signature error, check consistency of error

2006-03-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* collector.c (_hx509_collector_alloc): handle errors

	* cert.c (hx509_query_alloc): allocate slightly more than a
	sizeof(pointer)

	* crypto.c (_hx509_private_key_assign_key_file): ask for password
	if nothing matches.

	* cert.c: Expose more of the hx509_query interface.

	* collector.c: hx509_certs_find is now exposed.

	* cms.c: hx509_certs_find is now exposed.

	* revoke.c: hx509_certs_find is now exposed.

	* keyset.c (hx509_certs_free): allow free-ing NULL
	(hx509_certs_find): expose
	(hx509_get_one_cert): new function

	* hxtool.c: hx509_certs_find is now exposed.

	* hx_locl.h: Remove hx509_query, it's exposed now.

	* hx509.h: Add hx509_query.

2006-02-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* cert.c: Add exceptions for null (empty) subjectNames

	* data/nist-data: Add some more name constraints tests.

	* data/nist-data: Add some of the test from 4.13 Name Constraints.

	* cert.c: Name constraints need to be evaluated in block as they
	appear in the certificates, they can not be joined to one
	list. One example of this is:

	- cert is cn=foo,dc=bar,dc=baz
	- subca is dc=foo,dc=baz with name restriction dc=kaka,dc=baz
	- ca is dc=baz with name restriction dc=baz

	If the name restrictions are merged to a list, the certificate
	will pass this test.

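The chain from the 2006-02-22 cert.c entry, as an added example that is not part of this ChangeLog or of Heimdal's code: it evaluates the same leaf name against a merged permitted-subtree list and against each CA's block separately. The string-suffix DN model and every identifier in it are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): a DN is an LDAP-style string, most specific
 * RDN first, compared byte-for-byte. Real code compares decoded RDNs. */

/* One block = the permitted subtrees carried by one CA certificate. */
struct nc_block {
    const char *owner;          /* CA that carries the restriction */
    const char *permitted[4];   /* permitted directoryName subtrees */
    size_t n;                   /* entries used in permitted[] */
};

/* The chain from the ChangeLog entry, root first. */
static const struct nc_block page_chain[] = {
    { "dc=baz",        { "dc=baz" },         1 },
    { "dc=foo,dc=baz", { "dc=kaka,dc=baz" }, 1 },
};
#define PAGE_CHAIN_LEN (sizeof(page_chain) / sizeof(page_chain[0]))

/* A name is inside a subtree when the subtree is a suffix of the name
 * that starts on an RDN boundary. */
static int in_subtree(const char *name, const char *subtree)
{
    size_t n = strlen(name), s = strlen(subtree);

    if (s > n || strcmp(name + (n - s), subtree) != 0)
        return 0;
    return n == s || name[n - s - 1] == ',';
}

static int block_permits(const struct nc_block *b, const char *name)
{
    size_t i;

    if (b->n == 0)
        return 1;               /* no permitted list: nothing to enforce */
    for (i = 0; i < b->n; i++)
        if (in_subtree(name, b->permitted[i]))
            return 1;
    return 0;
}

/* Wrong: all subtrees joined into one list, any single match accepts. */
static int check_merged(const char *name, const struct nc_block *c, size_t len)
{
    size_t i, j, total = 0;

    for (i = 0; i < len; i++)
        for (j = 0; j < c[i].n; j++, total++)
            if (in_subtree(name, c[i].permitted[j]))
                return 1;
    return total == 0;          /* an empty list constrains nothing */
}

/* Right: every CA's block has to permit the name on its own. */
static int check_per_block(const char *name, const struct nc_block *c, size_t len)
{
    size_t i;

    for (i = 0; i < len; i++)
        if (!block_permits(&c[i], name))
            return 0;
    return 1;
}

int main(void)
{
    const char *leaf = "cn=foo,dc=bar,dc=baz";

    printf("merged list: %d\n", check_merged(leaf, page_chain, PAGE_CHAIN_LEN));
    printf("per block:   %d\n", check_per_block(leaf, page_chain, PAGE_CHAIN_LEN));
    return 0;
}
```
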
2006-02-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* cert.c: Handle more name constraints cases.

	* crypto.c (dsa_verify_signature): test if malloc failed

2006-01-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c: Drop partial pkcs12 string2key implementation.

2006-01-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* data/nist-data: Add commited out DSA tests (they fail).

	* data/nist-data: Add 4.2 Validity Periods.

	* test_nist.in: Make less verbose to use.

	* Makefile.am: Add test_nist_cert.

	* data/nist-data: Add some more CRL-tests.

	* test_nist.in: Print $id instead of . when running the tests.

	* test_nist.in: Drop verifying certificates, it's done in another
	test now.

	* data/nist-data: fixup kill-rectangle leftovers

	* data/nist-data: Drop verifying certificates, it's done in another
	test now.  Add more crl tests. comment out all unused tests.

	* test_nist_cert.in: test parse all nist certs

2006-01-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* hx509_err.et: Add HX509_CRL_UNKNOWN_EXTENSION.

	* revoke.c: Check for unknown extensions in CRLs and CRLEntries.

	* test_nist.in: Parse new format to handle CRL info.

	* test_chain.in: Add --missing-crl.

	* name.c (hx509_unparse_der_name): Rename from hx509_parse_name.
	(_hx509_unparse_Name): Add.

	* hxtool-commands.in: Add --missing-crl to verify commands.

	* hx509_err.et: Add CRL errors.

	* cert.c (hx509_context_set_missing_crl): new function Add CRL
	handling.

	* hx_locl.h: Add HX509_CTX_CRL_MISSING_OK.

	* revoke.c: Parse and verify CRLs (simplistic).

	* hxtool.c: Parse CRL info.

	* data/nist-data: Change format so we can deal with CRLs, also
	note the test-id from PKITS.

	* data: regenerate test

	* data/gen-req.sh: use static-file to generate tests

	* data/static-file: new file to use for committed tests

	* test_cms.in: Use static file, add --missing-crl.

2006-01-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* print.c: It's cRLReason, not cRLReasons.

	* hxtool.c: Attach revoke context to verify context.

	* data/nist-data: change syntax to make match better with crl
	checks

	* cert.c: Verify no certificates have been revoked with the new
	revoke interface.

	* Makefile.am: libhx509_la_SOURCES += revoke.c

	* revoke.c: Add framework for handling CRLs.

	* hx509.h: Add hx509_revoke_ctx.

2006-01-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* delete crypto_headers.h, use global file instead.

	* crypto.c (PBE_string2key): libdes now supports PKCS12_key_gen

2006-01-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* crypto_headers.h: Need BN_is_negative too.

2006-01-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* ks_p11.c (p11_rsa_public_decrypt): since is wrong, don't provide
	it. PKCS11 can't do public_decrypt, it supports verify though. All
	this doesn't matter, since the code never goes through this path.

	* crypto_headers.h: Provide glue to compile with less warnings
	with OpenSSL

2006-01-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Depend on LIB_des

	* lock.c: Use "crypto_headers.h".

	* crypto_headers.h: Include the two different implementations of
	crypto headers.

	* cert.c: Use "crypto-headers.h". Load ENGINE configuration.

	* crypto.c: Make compile with both OpenSSL and heimdal libdes.

	* ks_p11.c: Add code for public key decryption (not supported yet)
	and use "crypto-headers.h".

2006-01-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* add a hx509_context where we can store configuration

	* p11.c,Makefile.am: pkcs11 is now supported by library, remove
	old files.

	* ks_p11.c: more paranoid on refcount, set refcounter earlier,
	reset pointers after free

	* collector.c (struct private_key): remove temporary key data
	storage, convert directly to a key
	(match_localkeyid): match certificate and key using localkeyid
	(match_keys): match certificate and key using _hx509_match_keys
	(_hx509_collector_collect): rewrite to use match_keys and
	match_localkeyid

	* crypto.c (_hx509_match_keys): function that determines if a
	private key matches a certificate, used when there is no
	localkeyid.
	(*) reset free pointer

	* ks_file.c: Rewrite to use collector and mapping support
	function.

	* ks_p11.c (rsa_pkcs1_method): constify

	* ks_p11.c: drop extra wrapping of p11_init

	* crypto.c (_hx509_private_key_assign_key_file): use function to
	extract rsa key

	* cert.c: Revert previous, refcounter is unsigned, so it can never
	be negative.

	* cert.c (hx509_cert_ref): more refcount paranoia

	* ks_p11.c: Implement rsa_private_decrypt and add stubs for public
	ditto.

	* ks_p11.c: Less printf, less memory leaks.

	* ks_p11.c: Implement signing using pkcs11.

	* ks_p11.c: Partly assign private key, enough to complete
	collection, but not any crypto functionality.

	* collector.c: Use hx509_private_key to assign private keys.

	* crypto.c: Remove most of the EVP_PKEY code, and use RSA
	directly, this temporarily removes DSA support.

	* hxtool.c (print_f): print if there is a friendly name and if
	there is a private key

2006-01-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* name.c: Avoid warning from missing __attribute__((noreturn))

	* lock.c (_hx509_lock_unlock_certs): return unlock certificates

	* crypto.c (_hx509_private_key_assign_ptr): new function, exposes
	EVP_PKEY
	(_hx509_private_key_assign_key_file): remember to free private key
	if there is one.

	* cert.c (_hx509_abort): add newline to output and flush stdout

	* Makefile.am: libhx509_la_SOURCES += collector.c

	* hx_locl.h: forward type declaration of struct hx509_collector.

	* collector.c: Support functions to collect certificates and
	private keys and then match them.

	* ks_p12.c: Use the new hx509_collector support functions.

	* ks_p11.c: Add enough glue to support certificate iteration.

	* test_nist_pkcs12.in: Less verbose.

	* cert.c (hx509_cert_free): if there is a private key associated
	with this cert, free it

	* print.c: Use _hx509_abort.

	* ks_p12.c: Use _hx509_abort.

	* hxtool.c: Use _hx509_abort.

	* crypto.c: Use _hx509_abort.

	* cms.c: Use _hx509_abort.

	* cert.c: Use _hx509_abort.

	* name.c: use _hx509_abort

2006-01-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* name.c (hx509_name_to_string): don't cut bmpString in half.

	* name.c (hx509_name_to_string): don't overwrite with 1 byte with
	bmpString.

	* ks_file.c (parse_certificate): avoid stomping before array

	* name.c (oidtostring): avoid leaking memory

	* keyset.c: Add _hx509_ks_dir_register.

	* Makefile.am (libhx509_la_SOURCES): += ks_dir.c

	* hxtool-commands.in: Remove pkcs11.

	* hxtool.c: Remove pcert_pkcs11.

	* ks_file.c: Factor out certificate parsing code.

	* ks_dir.c: Add new keystore that treats all files in a directory
	as a keystore, useful for regression tests.

2005-12-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_nist_pkcs12.in: Test parse PKCS12 files from NIST.

	* data/nist-data: Can handle DSA certificate.

	* hxtool.c: Print error code on failure.

2005-10-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* crypto.c: Support DSA signature operations.

2005-10-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* print.c: Validate that issuerAltName and subjectAltName isn't
	empty.

2005-09-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* p11.c: Cast to unsigned char to avoid warning.

	* keyset.c: Register pkcs11 module.

	* Makefile.am: Add ks_p11.c, install hxtool.

	* ks_p11.c: Starting point of a pkcs11 module.

2005-09-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* lock.c: Implement prompter.

	* hxtool-commands.in: add --content to print

	* hxtool.c: Split verify and print.

	* cms.c: _hx509_pbe_decrypt now takes a hx509_lock.

	* crypto.c: Make _hx509_pbe_decrypt take a hx509_lock, workaround
	for empty password.

	* name.c: Add DC, handle all Directory strings, fix signless
	problems.

2005-09-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_query.in: Pass in --pass to all commands.

	* hxtool.c: Use option --pass.

	* hxtool-commands.in: Add --pass to all commands.

	* hx509_err.et: add UNKNOWN_LOCK_COMMAND and CRYPTO_NO_PROMPTER

	* test_cms.in: pass in password to cms-create-sd

	* crypto.c: Abstract out PBE_string2key so I can add PBE2 s2k
	later.  Avoid signedness warnings with OpenSSL.

	* cms.c: Use void * instead of char * to avoid signedness
	issues

	* cert.c (hx509_cert_get_attribute): remove const, it's not

	* ks_p12.c: Cast size_t to unsigned long when print.

	* name.c: Fix signedness warning.

	* test_query.in: Use echo, the function check isn't defined here.

2005-08-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool-commands.in: Add more options that were missing.

2005-07-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_cms.in: Use --certificate= for enveloped/unenvelope.

	* hxtool.c: Use --certificate= for enveloped/unenvelope.  Clean
	up.

	* test_cms.in: add EnvelopeData tests

	* hxtool.c: use id-envelopedData for ContentInfo

	* hxtool-commands.in: add contentinfo wrapping for create/unwrap
	enveloped data

	* hxtool.c: add contentinfo wrapping for create/unwrap enveloped
	data

	* data/gen-req.sh: add enveloped data (aes128)

	* crypto.c: add "new" RC2 oid

2005-07-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* hx_locl.h, cert.c: Add HX509_QUERY_MATCH_FUNCTION that allows
	caller to match by function, note that this doesn't work
	directly for backends that implement ->query, they must do their
	own processing. (I'm running out of flags, only 12 left now)

	* test_cms.in: verify ContentInfo wrapping code in hxtool

	* hxtool-commands.in (cms_create_sd): support wrapping in content
	info spelling

	* hxtool.c (cms_create_sd): support wrapping in content info

	* test_cms.in: test more cms signeddata messages

	* data/gen-req.sh: generate SignedData

	* hxtool.c (cms_create_sd): support certificate store, add support
	to unwrap a ContentInfo the SignedData inside.

	* crypto.c: sprinkle rk_UNCONST

	* crypto.c: add DER NULL to the digest oid's

	* hxtool-commands.in: add --content-info to cms-verify-sd

	* cms.c (hx509_cms_create_signed_1): pass in a full
	AlgorithmIdentifier instead of heim_oid for digest_alg

	* crypto.c: make digest_alg a digest_oid, it's not needed right
	now

	* hx509_err.et: add CERT_NOT_FOUND

	* keyset.c (_hx509_certs_find): add error code for cert not
	found

	* cms.c (hx509_cms_verify_signed): add external store of
	certificates, use the right digest algorithm identifier.

	* cert.c: fix const warning

	* ks_p12.c: slightly less verbose

	* cert.c: add hx509_cert_find_subjectAltName_otherName, add
	HX509_QUERY_MATCH_FRIENDLY_NAME

	* hx509.h: add hx509_octet_string_list, remove bad comment

	* hx_locl.h: add HX509_QUERY_MATCH_FRIENDLY_NAME

	* keyset.c (hx509_certs_append): needs a hx509_lock, add one

	* Makefile.am: add test cases tempfiles to CLEANFILES

	* Makefile.am: add test_query to TESTS, fix dependency on hxtool
	sources on hxtool-commands.h

	* hxtool-commands.in: explain what signer is for create-sd

	* hxtool.c: add query, add more options to verify-sd and create-sd

	* test_cms.in: add more cms tests

	* hxtool-commands.in: add query, add more options to verify-sd

	* test_query.in: test query interface

	* data: fix filenames for ds/ke files, add pkcs12 files, regen

	* hxtool.c,Makefile.am,hxtool-commands.in: switch to slc

2005-07-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* cert.c (hx509_verify_destroy_ctx): add

	* hxtool.c: free hx509_verify_ctx

	* name.c (_hx509_name_ds_cmp): make sure all strings are not equal

2005-07-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* hxtool.c: return error

	* keyset.c: return errors from iterations

	* test_chain.in: clean up checks

	* ks_file.c (parse_certificate): return errno's not 1 in case of
	error

	* ks_file.c (file_iter): make sure endpointer is NULL

	* ks_mem.c (mem_iter): follow conversion and return NULL when we
	get to the end, not ENOENT.

	* Makefile.am: test_chain depends on hxtool

	* data: test certs that last 10 years

	* data/gen-req.sh: script to generate test certs

	* Makefile.am: Add regression tests.

	* data: test certificate and keys

	* test_chain.in: test chain

	* hxtool.c (cms_create_sd): add KU digitalSignature as a
	requirement to the query

	* hx_locl.h: add KeyUsage query bits

	* hx509_err.et: add KeyUsage error

	* cms.c: add checks for KeyUsage

	* cert.c: more checks on KeyUsage, allow to query on them too

2005-07-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* cms.c: Add missing break.

	* hx_locl.h,cms.c,cert.c: allow matching on SubjectKeyId

	* hxtool.c: Use _hx509_map_file, _hx509_unmap_file and
	_hx509_write_file.

	* file.c (_hx509_write_file): in case of write error, return errno

	* file.c (_hx509_write_file): add a function that writes a data
	blob to disk too

	* Fix id-tags

	* Import mostly complete X.509 and CMS library. Handles PEM, DER,
	PKCS12 encoded certificates.  Verifies RSA chains and handles
	CMS's SignedData and EnvelopedData.