Commit graph

28 commits

Author SHA1 Message Date
Matt Caswell
fd38836ba8 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6538)
2018-06-20 15:29:23 +01:00
Mingtao Yang
0124f32a01 Add APIs for custom X509_LOOKUP_METHOD creation
OpenSSL 1.1.0 made the X509_LOOKUP_METHOD structure opaque, so
applications that were previously able to define a custom lookup method
are not able to be ported.

This commit adds getters and setters for each of the current fields of
X509_LOOKUP_METHOD, along with getters and setters on several associated
opaque types (such as X509_LOOKUP and X509_OBJECT).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6152)
2018-05-30 15:45:48 +02:00
Dr. Stephen Henson
786dd2c22c Add support for custom signature parameters
Many signature types define the digest and public key type by a single OID
such as ecdsa_with_sha256.

Some types (RSA-PSS for example) use a single OID to indicate the signature
scheme and additional parameters are encoded in the AlgorithmIdentifier.

Add an X509_SIG_INFO structure to contain details about the signature type:
specifically the digest algorithm, public key algorithm, security bits and
various flags. This supports both existing algorithms and more complex
types.

Add accessors for the structure and a special case that retrieves signature
information from a certificate.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3301)
2017-04-25 22:12:34 +01:00
Rich Salz
a47bc28317 Add X509_VERIFY_PARAM inheritance flag set/get
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2079)
2016-12-13 14:30:21 -05:00
Kurt Roeckx
2f545ae45d Add support for reference counting using C11 atomics
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #1500
2016-11-17 22:02:25 +01:00
FdaSilvaYY
cfc5e0aa73 Constify inputs of two X509_LOOKUP_METHOD methods
... get_by_fingerprint() and get_by_alias()

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-04 17:02:48 +02:00
Dr. Stephen Henson
0946a19886 Use X509_LOOKUP_TYPE for lookup type consistently.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-26 16:23:02 +01:00
Richard Levitte
0a5fe2eb94 Add setter and getter for X509_STORE's check_policy
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:20:58 +02:00
Rich Salz
b1322259d9 Copyright consolidation 09/10
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-17 14:53:16 -04:00
Rich Salz
f0e0fd51fd Make many X509_xxx types opaque.
Make X509_OBJECT, X509_STORE_CTX, X509_STORE, X509_LOOKUP,
and X509_LOOKUP_METHOD opaque.
Remove unused X509_CERT_FILE_CTX

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-04-15 13:21:43 -04:00
Viktor Dukhovni
fbb82a60dc Move peer chain security checks into x509_vfy.c
A new X509_VERIFY_PARAM_set_auth_level() function sets the
authentication security level.  For verification of SSL peers, this
is automatically set from the SSL security level.  Otherwise, for
now, the authentication security level remains at (effectively) 0
by default.

The new "-auth_level" verify(1) option is available in all the
command-line tools that support the standard verify(1) options.

New verify(1) tests added to check enforcement of chain signature
and public key security levels.  Also added new tests of enforcement
of the verify_depth limit.

Updated documentation.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-04-03 11:35:35 -04:00
Viktor Dukhovni
70dd3c6593 Tidy up x509_vfy callback handling
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-04-03 11:35:19 -04:00
Rich Salz
349807608f Remove /* foo.c */ comments
This was done by the following
        find . -name '*.[ch]' | /tmp/pl
where /tmp/pl is the following three-line script:
        print unless $. == 1 && m@/\* .*\.[ch] \*/@;
        close ARGV if eof; # Close file to reset $.

And then some hand-editing of other files.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-26 16:40:43 -05:00
Dr. Stephen Henson
4a1f3f2741 Only declare stacks in headers
Don't define stacks in C source files: it causes warnings
about unused functions in some compilers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 18:00:51 +00:00
Dr. Stephen Henson
9689a6aeed Remove X509_VERIFY_PARAM_ID
Now that X509_VERIFY_PARAM is opaque X509_VERIFY_PARAM_ID is no longer
needed.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-26 16:07:14 +00:00
Dr. Stephen Henson
4392479c08 embed value field of X509_EXTENSION
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-10-15 15:36:58 +01:00
Dr. Stephen Henson
1e898fb0f5 Move certificate request and CRL routines to x509 dir.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-22 16:35:55 +01:00
Dr. Stephen Henson
6f4d71ff9d make X509_VERIFY_PARAM opaque
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-02 14:15:00 +01:00
Dr. Stephen Henson
e20b57270d Remove X509_ATTRIBUTE hack.
The X509_ATTRIBUTE structure includes a hack to tolerate malformed
attributes that encode as the type instead of SET OF type. This form
is never created by OpenSSL and shouldn't be needed any more.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 15:46:54 +00:00
Dr. Stephen Henson
4903abd50a make X509_EXTENSION opaque
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-03-23 18:27:04 +00:00
Dr. Stephen Henson
9b0a453190 Make X509_ATTRIBUTE opaque.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-03-16 15:54:19 +00:00
Matt Caswell
0f113f3ee4 Run util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:09 +00:00
Viktor Dukhovni
297c67fcd8 Update API to use (char *) for email addresses and hostnames
Reduces number of silly casts in OpenSSL code and likely most
applications.  Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().
2014-07-07 19:11:38 +10:00
Viktor Dukhovni
6e661d458f New peername element in X509_VERIFY_PARAM_ID
Declaration, memory management, accessor and documentation.
2014-07-06 01:50:50 +10:00
Viktor Dukhovni
8abffa4a73 Multiple verifier reference identities.
Implemented as STACK_OF(OPENSSL_STRING).
2014-06-22 20:32:35 -04:00
Viktor Dukhovni
b3012c698a Drop hostlen from X509_VERIFY_PARAM_ID.
Just store NUL-terminated strings.  This works better when we add
support for multiple hostnames.
2014-06-22 19:52:44 -04:00
Dr. Stephen Henson
0930251df8 Don't use expired certificates if possible.
When looking for the issuer of a certificate, if current candidate is
expired, continue looking. Only return an expired certificate if no valid
certificates are found.

PR#3359
2014-05-25 04:50:15 +01:00
Dr. Stephen Henson
6c21b860ba Rename vpm_int.h to x509_lcl.h 2014-05-25 04:50:14 +01:00
Renamed from crypto/x509/vpm_int.h (Browse further)