Commit message | Author | Age | Files | Lines
* psktool: do not assume any default key file | Nikos Mavrogiannopoulos | 2017-06-05 | 1 | -4/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* clarify documentation and arguments for psktool | Daniel Kahn Gillmor | 2017-06-05 | 2 | -11/+18
  * psktool's -p argument should really be short for --pskfile, not --passwd. there is no passwd involved.
  * the example documentation switches names halfway through, which is confusing.
  * there is no prompt for a password. do not mention it in the example.
* tests: added unit test to verify that certificates with non-DER strict time fields are accepted [tmp-tolerate-certs-with-invalid-time] | Nikos Mavrogiannopoulos | 2017-06-05 | 5 | -117/+72
  Also removed the old strict compliance DER test.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Tolerate DER time encoding errors | Nikos Mavrogiannopoulos | 2017-06-05 | 1 | -1/+6
  It seems that openssl generated certificates may contain invalid formatted times, and gnutls will no longer parse them. Ignore such formatting errors when DER decoding.
  We should reconsider this in the future (#207)
  Resolves #196
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: enhanced OID tests with OIDs for SHA3 | Nikos Mavrogiannopoulos | 2017-06-05 | 1 | -0/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: enhanced OID tests with OIDs for RSA-PSS | Nikos Mavrogiannopoulos | 2017-06-05 | 1 | -0/+7
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* .gitlab-ci.yml: added aarch64 build based on Debian [tmp-aarch64-ci] | Nikos Mavrogiannopoulos | 2017-06-04 | 2 | -1/+25
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* _gnutls_PRF: was made inline function | Nikos Mavrogiannopoulos | 2017-06-01 | 2 | -32/+22
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added low-level unit tests on TLS 1.0 and 1.2 PRFs | Nikos Mavrogiannopoulos | 2017-06-01 | 4 | -2/+245
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* prf: implement the TLS 1.0 and 1.2 PRFs using nettle | Nikos Mavrogiannopoulos | 2017-06-01 | 6 | -216/+336
  That simplifies the existing PRF code and moves it in the crypto-backend component.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: refer to the site for commercial support options | Nikos Mavrogiannopoulos | 2017-05-31 | 1 | -31/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: mini-record-retvals: include AES-CBC tests | Nikos Mavrogiannopoulos | 2017-05-31 | 1 | -0/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: eliminated build warnings | Nikos Mavrogiannopoulos | 2017-05-31 | 5 | -11/+8
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: combined tables of sign-verify tests [tmp-rsa-pss-round-two] | Nikos Mavrogiannopoulos | 2017-05-31 | 7 | -175/+89
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Only accept known public key algorithms in the GNUTLS_PRIVKEY_EXT private keys | Nikos Mavrogiannopoulos | 2017-05-31 | 1 | -0/+8
  The reason is that this API assumes very low level primitives which are not available for the newer RSA-PSS private keys.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* _gnutls_privkey_*_sign_params: added support for GNUTLS_PRIVKEY_EXT keys | Nikos Mavrogiannopoulos | 2017-05-31 | 1 | -0/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: added basic test on "external" keys with gnutls_privkey_import_ext2() | Nikos Mavrogiannopoulos | 2017-05-31 | 2 | -1/+289
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* gnutls_x509_privkey_sign_data: wrap over gnutls_privkey_sign_data() | Nikos Mavrogiannopoulos | 2017-05-31 | 1 | -86/+28
  That will allow this function to operate with the new key types.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added unit tests for the gnutls_x509_* sign/verify APIs | Nikos Mavrogiannopoulos | 2017-05-31 | 4 | -154/+345
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added tests signature validation using the sign/verify_data APIs | Nikos Mavrogiannopoulos | 2017-05-31 | 2 | -1/+201
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Separated use of GNUTLS_PRIVKEY_FLAG_PROVABLE and GNUTLS_PRIVKEY_SIGN_FLAG_REPRODUCIBLE | Nikos Mavrogiannopoulos | 2017-05-31 | 3 | -4/+4
  For simplicity, rename GNUTLS_PRIVKEY_SIGN_FLAG_REPRODUCIBLE to GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_privkey_find_sign_params: renamed and simplified | Nikos Mavrogiannopoulos | 2017-05-31 | 7 | -72/+53
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_privkey_sign_hash: removed duplicate code | Nikos Mavrogiannopoulos | 2017-05-31 | 1 | -15/+1
  The same code was available in _gnutls_privkey_find_sign_params().
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* GNUTLS_E_INSUFFICIENT_SECURITY: moved to fatal errors | Nikos Mavrogiannopoulos | 2017-05-31 | 1 | -2/+3
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tls-sig: re-organize and simplify the TLS signature generation and verification | Nikos Mavrogiannopoulos | 2017-05-31 | 5 | -237/+310
  That makes sure that the high level APIs are used when possible, and separates the TLS 1.2 from other code paths. This will allow supporting signature schemes like EdDSA and others.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: modify tests to allow signatures with SHA1 | Nikos Mavrogiannopoulos | 2017-05-31 | 7 | -22/+29
  There were several tests that were utilizing SHA1 signatures but were not failing due to the bug in gnutls_pubkey_verify_hash2().
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_pubkey_verify_hash2: do not allow GNUTLS_VERIFY_USE_TLS1_RSA with non-RSA keys | Nikos Mavrogiannopoulos | 2017-05-31 | 1 | -0/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_pubkey_verify_hash2: check for broken signature algorithms | Nikos Mavrogiannopoulos | 2017-05-31 | 1 | -2/+16
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_pubkey_verify_data2: do not utilize GNUTLS_VERIFY_USE_RSA_PSS | Nikos Mavrogiannopoulos | 2017-05-31 | 3 | -6/+12
  This flag is not required for verification since the signature algorithm is sufficient to detect RSA-PSS without requiring any flags.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: do not utilize GNUTLS_VERIFY_USE_RSA_PSS | Nikos Mavrogiannopoulos | 2017-05-31 | 1 | -23/+21
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: do not ask for password when exporting to PKCS#8 implicitly [tmp-rsa-pss-addition] | Nikos Mavrogiannopoulos | 2017-05-29 | 1 | -1/+6
  Previously --generate-privkey wouldn't ask for password unless --pkcs8 was explicitly given. Keep that behavior, and do not ask for any password even if we need to export to PKCS#8 for some key types. Always require the --pkcs8 option to encrypt with password.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* updated auto-generated files | Nikos Mavrogiannopoulos | 2017-05-29 | 5 | -168/+289
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: mention RSA-PSS-SHA* signature algorithms | Nikos Mavrogiannopoulos | 2017-05-29 | 1 | -1/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: replaced rsa-pss-sign with sign-params option | Nikos Mavrogiannopoulos | 2017-05-29 | 3 | -9/+23
  This option could accommodate future enhancements/additions in certificate signing.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: better documentation on rsa-pss-sign | Nikos Mavrogiannopoulos | 2017-05-29 | 1 | -1/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* replaced MAX_SIGNATURE_ALGORITHMS macro with MAX_ALGOS | Nikos Mavrogiannopoulos | 2017-05-29 | 2 | -4/+3
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added unit test for gnutls_sign_supports_pk_algorithm() | Nikos Mavrogiannopoulos | 2017-05-29 | 2 | -1/+69
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tls-fuzzer: ignore the incomplete RSA-PSS tests | Nikos Mavrogiannopoulos | 2017-05-29 | 1 | -1/+4
  These tests fail because tls-fuzzer currently does not properly implement RSA-PSS.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: verify that generated RSA-PSS keys can be read with certtool -k | Nikos Mavrogiannopoulos | 2017-05-29 | 1 | -0/+7
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: use PKCS#8 format for generated RSA-PSS keys | Nikos Mavrogiannopoulos | 2017-05-29 | 1 | -0/+5
  An RSA-PSS key has additional parameters which cannot be stored in the "standard" PKCS#1 format. For that when asked to generate an RSA-PSS key, we export to the PKCS#8 form.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc update | Nikos Mavrogiannopoulos | 2017-05-29 | 1 | -1/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: x509sign-verify: include ECDSA and RSA-PSS key tests | Nikos Mavrogiannopoulos | 2017-05-29 | 1 | -133/+119
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tlsfuzzer: the test-certificate-verify-malformed check now passes | Nikos Mavrogiannopoulos | 2017-05-29 | 1 | -3/+1
  Previously it was expecting a different alert code than gnutls returned. Now gnutls returns the expected alert code (GNUTLS_A_DECRYPT_ERROR) on malformed signatures.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* alert: map GNUTLS_E_PK_SIG_VERIFY_FAILED to GNUTLS_A_DECRYPT_ERROR | Nikos Mavrogiannopoulos | 2017-05-29 | 1 | -1/+4
  This makes server respond with GNUTLS_A_DECRYPT_ERROR on malformed signatures, which is the expected behavior. Hinted by Hubert Kario.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Increased the maximum number of signature algorithms | Nikos Mavrogiannopoulos | 2017-05-29 | 1 | -1/+1
  That allows including all the existing signatures including DSA.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509sign-verify: corrected test to perform RSA tests on RSA keys | Nikos Mavrogiannopoulos | 2017-05-29 | 1 | -17/+21
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added tests for RSA-PSS key exchange under TLS 1.2 | Nikos Mavrogiannopoulos | 2017-05-29 | 9 | -132/+289
  That includes tests with RSA and RSA-PSS server and client certificates.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* publickey: map RSA ciphersuites to GNUTLS_PK_RSA_PSS | Nikos Mavrogiannopoulos | 2017-05-29 | 1 | -0/+2
  That is in addition to GNUTLS_PK_RSA
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Rework KX -> PK mappings | Dmitry Eremin-Solenikov | 2017-05-29 | 6 | -55/+35
  GOST VKO and PSS keys would support several public keys, so change the previous 1:1 kx->pk mapping into 1:many.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added TLS 1.2 tests with RSA-PSS signatures on RSA certificates | Nikos Mavrogiannopoulos | 2017-05-29 | 1 | -0/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>