Viktor Dukhovni
a2219f6be3
Fixes to host checking.
...
Fixes to host checking wild card support and add support for
setting host checking flags when verifying a certificate
chain.
(cherry picked from commit 397a8e747d
)
2014-05-21 11:32:19 +01:00
Dr. Stephen Henson
c00f8d697a
Include self-signed flag in certificates by checking SKID/AKID as well
...
as issuer and subject names. Although this is an incompatible change
it should have little impact in pratice because self-issued certificates
that are not self-signed are rarely encountered.
(cherry picked from commit b1efb7161f
)
2014-02-14 15:27:30 +00:00
Ben Laurie
984a30423d
Add extension free function.
2014-02-02 15:22:47 +00:00
Dr. Stephen Henson
45da1efcdb
Backport X509 hostname, IP address and email checking code from HEAD.
2012-12-19 15:01:59 +00:00
Ben Laurie
d65b8b2162
Backport OCSP fixes.
2012-12-14 12:53:53 +00:00
Dr. Stephen Henson
4386445c18
Change STRING to OPENSSL_STRING etc as common words such
...
as "STRING" cause conflicts with other headers/libraries.
2009-07-27 21:08:53 +00:00
Dr. Stephen Henson
52891f832f
Fix error header files and error files too.
2009-04-19 17:58:01 +00:00
Dr. Stephen Henson
2e5975285e
Update obsolete email address...
2008-11-05 18:39:08 +00:00
Ben Laurie
babb379849
Type-checked (and modern C compliant) OBJ_bsearch.
2008-10-12 14:32:47 +00:00
Dr. Stephen Henson
d43c4497ce
Initial support for delta CRLs. If "use deltas" flag is set attempt to find
...
a delta CRL in addition to a full CRL. Check and search delta in addition to
the base.
2008-09-01 15:15:16 +00:00
Dr. Stephen Henson
4b96839f06
Add support for CRLs partitioned by reason code.
...
Tidy CRL scoring system.
Add new CRL path validation error.
2008-08-29 11:37:21 +00:00
Dr. Stephen Henson
e9746e03ee
Initial support for name constraints certificate extension.
...
TODO: robustness checking on name forms.
2008-08-08 15:35:29 +00:00
Dr. Stephen Henson
3e727a3b37
Add support for nameRelativeToCRLIssuer field in distribution point name
...
fields.
2008-08-04 15:34:27 +00:00
Dr. Stephen Henson
db50661fce
X509 verification fixes.
...
Ignore self issued certificates when checking path length constraints.
Duplicate OIDs in policy tree in case they are allocated.
Use anyPolicy from certificate cache and not current tree level.
2008-07-13 14:25:36 +00:00
Ben Laurie
5ce278a77b
More type-checking.
2008-06-04 11:01:43 +00:00
Ben Laurie
3c1d6bbc92
LHASH revamp. make depend.
2008-05-26 11:24:29 +00:00
Dr. Stephen Henson
a5cdb7d5bd
Avoid warnings.
2008-04-01 16:29:42 +00:00
Dr. Stephen Henson
be86c7fc87
Add signed receipt ASN1 structures. Initial GENERAL_NAME utility functions.
2008-03-24 22:14:02 +00:00
Dr. Stephen Henson
67c8e7f414
Support for certificate status TLS extension.
2007-09-26 21:56:59 +00:00
Dr. Stephen Henson
3c07d3a3d3
Finish gcc 4.2 changes.
2007-06-07 13:14:42 +00:00
Dr. Stephen Henson
376bf1d4aa
Constification.
2007-04-11 12:26:53 +00:00
Dr. Stephen Henson
10ca15f3fa
Fix change to OPENSSL_NO_RFC3779
2006-12-06 13:36:48 +00:00
Dr. Stephen Henson
d137b56a5b
Win32 fixes from stable branch.
2006-11-30 13:39:34 +00:00
Ben Laurie
96ea4ae91c
Add RFC 3779 support.
2006-11-27 14:18:05 +00:00
Dr. Stephen Henson
bc7535bc7f
Support for AKID in CRLs and partial support for IDP. Overhaul of CRL
...
handling to support this.
2006-09-14 17:25:02 +00:00
Dr. Stephen Henson
4d50a2b4d6
Add verify callback functions to lookup a STACK of matching certs or CRLs
...
based on subject name.
New thread safe functions to retrieve matching STACK from X509_STORE.
Cache some IDP components.
2006-09-10 12:38:37 +00:00
Dr. Stephen Henson
edc540211c
Cache some CRL related extensions.
2006-07-24 12:39:22 +00:00
Ulf Möller
c7235be6e3
RFC 3161 compliant time stamp request creation, response generation
...
and response verification.
Submitted by: Zoltan Glozik <zglozik@opentsa.org>
Reviewed by: Ulf Moeller
2006-02-12 23:11:56 +00:00
Bodo Möller
51eb1b81f6
Avoid contradictive error code assignments.
...
"make errors".
2006-01-08 21:54:24 +00:00
Dr. Stephen Henson
8eb7217580
Add declaration for IDP ASN1 functions.
2005-07-26 11:43:11 +00:00
Dr. Stephen Henson
0537f9689c
Add support for setting IDP too.
2005-07-25 22:35:36 +00:00
Dr. Stephen Henson
0745d0892d
Allow setting of all fields in CRLDP. Few cosmetic changes to output.
2005-07-25 18:42:29 +00:00
Dr. Stephen Henson
231493c93c
Initial print only support for IDP CRL extension.
2005-07-23 23:33:06 +00:00
Bodo Möller
8afca8d9c6
Fix more error codes.
...
(Also improve util/ck_errf.pl script, and occasionally
fix source code formatting.)
2005-05-11 03:45:39 +00:00
Richard Levitte
a7201e9a1b
Changes concering RFC 3820 (proxy certificates) integration:
...
- Enforce that there should be no policy settings when the language
is one of id-ppl-independent or id-ppl-inheritAll.
- Add functionality to ssltest.c so that it can process proxy rights
and check that they are set correctly. Rights consist of ASCII
letters, and the condition is a boolean expression that includes
letters, parenthesis, &, | and ^.
- Change the proxy certificate configurations so they get proxy
rights that are understood by ssltest.c.
- Add a script that tests proxy certificates with SSL operations.
Other changes:
- Change the copyright end year in mkerr.pl.
- make update.
2005-01-17 17:06:58 +00:00
Richard Levitte
6951c23afd
Add functionality needed to process proxy certificates.
2004-12-28 00:21:35 +00:00
Dr. Stephen Henson
a0e7c8eede
Add lots of checks for memory allocation failure, error codes to indicate
...
failure and freeing up memory if a failure occurs.
PR:620
2004-12-05 01:03:15 +00:00
Richard Levitte
30b415b076
Make an explicit check during certificate validation to see that the
...
CA setting in each certificate on the chain is correct. As a side-
effect always do the following basic checks on extensions, not just
when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user has
chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has been
given)
2004-11-29 11:28:08 +00:00
Dr. Stephen Henson
ecf139917d
New function X509_POLICY_NODE_print()
2004-03-31 12:17:24 +00:00
Dr. Stephen Henson
5d6383c83f
Make {i2v,v2i}_ASN1_BIT_STRING global.
...
make update
2004-03-28 12:40:11 +00:00
Dr. Stephen Henson
4acc3e907d
Initial support for certificate policy checking and evaluation.
...
This is currently *very* experimental and needs to be more fully integrated
with the main verification code.
2004-03-23 14:14:35 +00:00
Richard Levitte
875a644a90
Constify d2i, s2i, c2i and r2i functions and other associated
...
functions and macros.
This change has associated tags: LEVITTE_before_const and
LEVITTE_after_const. Those will be removed when this change has been
properly reviewed.
2004-03-15 23:15:26 +00:00
Dr. Stephen Henson
520b76ffd9
Support for name constraints.
2003-03-24 17:04:44 +00:00
Dr. Stephen Henson
f80153e20b
Support for policy constraints.
2003-03-21 16:26:20 +00:00
Dr. Stephen Henson
ea3675b5b6
New ASN1 macros to just implement and declare the new and free functions
...
and changes to mkdef.pl so it recognises them.
Use these in policyMappings extension.
2003-03-20 17:58:33 +00:00
Dr. Stephen Henson
a1d12daed2
Support for policyMappings
2003-03-20 17:26:44 +00:00
Dr. Stephen Henson
f0dc08e656
Support for dirName from config files in GeneralName extensions.
2003-02-27 01:54:11 +00:00
Dr. Stephen Henson
4e5d3a7f98
IPv6 display and input support for extensions usingh GeneralName.
2003-02-05 00:34:31 +00:00
Richard Levitte
b637670f03
DVCS (see RFC 3029) was missing among the possible purposes.
...
Notified privately to me by Peter Sylvester <Peter.Sylvester@EdelWeb.fr>,
one of the authors of said RFC
2003-01-29 15:06:35 +00:00
Dr. Stephen Henson
9ea1b87862
Initial ASN1 generation code. This can construct
...
arbitrary encodings from strings and config files.
Documentation to follow...
2002-11-12 13:34:51 +00:00