summaryrefslogtreecommitdiff
path: root/lib/x509
Commit message (Collapse)AuthorAgeFilesLines
* gnutls_x509_crl_get_issuer_dn: removed unnecessary constNikos Mavrogiannopoulos2017-08-181-1/+1
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* fuzzer: added a fuzzer targetNikos Mavrogiannopoulos2017-08-161-1/+6
| | | | | | | | This allows to compile the library with flags which will add predictable random generation and eliminate some crypto checks, in order for the library to be used for testing (fuzzying). Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_export: made a wrapper over gnutls_x509_privkey_export2()Nikos Mavrogiannopoulos2017-08-151-30/+18
| | | | | | In addition, improved function description. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* reduce common asserts to assist in debugging the libraryNikos Mavrogiannopoulos2017-08-154-4/+0
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_import_pkcs8: fixed memory leak on incorrect key importNikos Mavrogiannopoulos2017-08-091-2/+2
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Fix memleaks in gnutls_x509_trust_list_add_crls()Tim Rühsen2017-08-081-5/+14
| | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Fix memleak in gnutls_x509_crl_list_import()Tim Rühsen2017-08-081-0/+1
| | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* gnutls_pk_params_st: separate flags/qbits and curveNikos Mavrogiannopoulos2017-08-087-18/+18
| | | | | | | | | | Previously we were using the field flags to store the size of q in case of GNUTLS_PK_DH, some key generation flags in case of GNUTLS_PK_RSA, and the curve in case of elliptic curve key. Separate this into multiple fields to reduce confusion on the field. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_verify_seed: improved error on missing validation parametersNikos Mavrogiannopoulos2017-08-071-2/+2
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* x509: no longer emit the previous custom format for provable parametersNikos Mavrogiannopoulos2017-08-074-96/+19
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509: store and read provable seed in PKCS#8 form of keyNikos Mavrogiannopoulos2017-08-076-10/+201
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509: separated PKIX1 attributes parsing code for cert request handlingNikos Mavrogiannopoulos2017-08-074-266/+335
| | | | | | This allows other code to utilize it. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_fbase64_decode will always return non-zerotmp-base64-reject-zero-lengthNikos Mavrogiannopoulos2017-08-072-2/+2
| | | | | | | That is, document that fact and update its callers to remove checks for zero. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _decode_pkcs8_rsa_key: signal error in RSA privkey decodingNikos Mavrogiannopoulos2017-08-061-0/+1
| | | | | | | Addresses oss-fuzz issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2865 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* gnutls_x509_privkey_import: allow importing ed25519 PKCS#8 keys in DER formNikos Mavrogiannopoulos2017-08-041-6/+10
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* sign/digest: separate "brokenness" of signatures and hash algorithmsNikos Mavrogiannopoulos2017-08-042-8/+11
| | | | | | | That is, allow digital signatures to be marked as broken irrespective of their used hash, and restrict hash brokenness to preimage resistance. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509_privkey: handle keys which can only have PKCS#8 form transparentlyNikos Mavrogiannopoulos2017-08-041-9/+26
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509/output: print error on invalid public key parameters on certificateNikos Mavrogiannopoulos2017-08-042-18/+36
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* spki: combined all exported functions to a single set and getNikos Mavrogiannopoulos2017-08-041-91/+29
| | | | | | | | This simplifies setting parameters for a particular key type, as well as getting them. The advantage is that they are set atomically, preventing an inadverterly half-filled structure. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* introduced error code GNUTLS_E_PK_INVALID_PUBKEY_PARAMSNikos Mavrogiannopoulos2017-08-041-2/+2
| | | | | | | This is being use to indicate errors in the public key parameters such as the RSA-PSS salt size or digest algorithm. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_generate*: allow specifying the SPKI parameters for key ↵Nikos Mavrogiannopoulos2017-08-041-12/+20
| | | | | | | | | | generation This in turn removes the need for reading the flag GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE on the key generation process. The flag is now only used during key signing which is also its documented purpose. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_set_spki: check validity of parameters setNikos Mavrogiannopoulos2017-08-041-0/+9
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_cr*_set_spki: check for validity of parameters setNikos Mavrogiannopoulos2017-08-042-54/+90
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_x509_check_pubkey_params: removed unnecessary parameterNikos Mavrogiannopoulos2017-08-043-6/+4
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_import: immediately exit on GNUTLS_E_PK_INVALID_PRIVKEYNikos Mavrogiannopoulos2017-08-041-0/+3
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_*_set_spki: removed arbitrary restrictions to setting parametersNikos Mavrogiannopoulos2017-08-042-21/+1
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_x509_read_pkalgo_params: initialize params structureNikos Mavrogiannopoulos2017-08-041-2/+4
| | | | | | | | That is the primary call on these parameters, thus it should initialize the structure with something reasonable. That is similar to behavior of _gnutls_x509_read_rsa_pss_params. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* RSA-PSS parameter checking was moved to lower level functionsNikos Mavrogiannopoulos2017-08-042-2/+2
| | | | | | That way all PKI callers get protected by the checks. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* signature security level check were moved to lower level functionsNikos Mavrogiannopoulos2017-08-042-7/+9
| | | | | | | That way all callers (including PKI functions) get protected by the available checks. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* verify_crt: translate GNUTLS_E_CONSTRAINT_ERROR to verification status flagNikos Mavrogiannopoulos2017-08-041-0/+6
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509/sign: in debugging mode print the signature algorithmNikos Mavrogiannopoulos2017-08-041-0/+2
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_x509_validate_sign_params: use GNUTLS_E_CONSTRAINT_ERROR for ↵Nikos Mavrogiannopoulos2017-08-041-2/+2
| | | | | | mismatch of RSA-PSS parameters Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_x509_read_rsa_pss_params: fail early on unknown hash algorithmsNikos Mavrogiannopoulos2017-08-041-4/+12
| | | | | | | Also utilize GNUTLS_E_CONSTRAINT_ERROR for signaling differences between the hash functions. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509/output: Subject Public Key parameters are printed just before actual keyNikos Mavrogiannopoulos2017-08-041-65/+28
| | | | | | | That allows to easier figure out algorithm and basic parameters, rather than having them at the end of long key output. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_crt_set_spki: be more verbose in parameter restrictionsNikos Mavrogiannopoulos2017-08-041-4/+14
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_x509_write_rsa_pss_params: refuse to write RSA-PSS parameters we ↵Nikos Mavrogiannopoulos2017-08-041-0/+4
| | | | | | cannot use Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_*_get_signature_algorithm: simplified error handlingNikos Mavrogiannopoulos2017-08-034-18/+22
| | | | | | | | | These functions were documented to return a negative error code on failure, as well as GNUTLS_SIGN_UNKNOWN on unknown algorithms. Simplify them by only returning GNUTLS_SIGN_UNKNOWN on all error conditions. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_x509_get_signature_algorithm: return negative error code on unknown ↵Nikos Mavrogiannopoulos2017-08-031-3/+6
| | | | | | | | algorithm This allows internal callers to quickly fail on errors. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* compare_sig_algorithm: modify to work even for certs with unsupported ↵Nikos Mavrogiannopoulos2017-08-031-9/+16
| | | | | | signature algorithm Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pubkey_verify_data: accept signature entry instead of PK and hashNikos Mavrogiannopoulos2017-08-032-13/+9
| | | | | | | That aligns better with current callers which know the signature algorithm in use. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Added convention for missing SubjectPublicKeyInfo params fieldNikos Mavrogiannopoulos2017-08-039-34/+60
| | | | | | | | That is, when that field is missing, the spki_st structure field pk will be set to GNUTLS_PK_UNKNOWN. In that case other fields are undefined. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* *set_spki(): return error on incompatible algorithmsNikos Mavrogiannopoulos2017-08-033-0/+11
| | | | | | | In addition update the public key algorithm field in the respective structure. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_generate2: do not hardcode the RSA-PSS hash to SHA256Nikos Mavrogiannopoulos2017-08-031-1/+1
| | | | | | | | Instead use _gnutls_pk_bits_to_sha_hash() to set an appropriate hash for the number of bits of the key. This matches better the "intention" of RSA-PSS or tying the security parameter with the salt and hash. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _decode_pkcs8_rsa_pss_key: ensure we set the PSS PK identifierNikos Mavrogiannopoulos2017-08-031-1/+1
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_int: eliminated duplicate pk_algorithm fieldNikos Mavrogiannopoulos2017-08-035-51/+44
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* cleanup: removed unnecessary/duplicate parameters in functionsNikos Mavrogiannopoulos2017-08-034-15/+17
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* cleanup: removed unnecessary/duplicate parameters in functionsNikos Mavrogiannopoulos2017-08-0310-46/+23
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_set_spki: introduced function to update SPKI on a keyNikos Mavrogiannopoulos2017-08-031-0/+24
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509.h: Renamed SPKI related functionsNikos Mavrogiannopoulos2017-08-034-110/+96
| | | | | | | | This better reflects their purpose as providers of information for subject public key. In addition use 'const' for fields that should be left intact. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_pk_params_st: renamed sign field to spkiNikos Mavrogiannopoulos2017-08-035-15/+15
| | | | | | | | | | The name "sign" was ambiguous with regard to its intented use, as it could refer to digital signature parameters which was not exactly the case. That field contains parameters present in the subject public key info (SPKI), which could be used in a digital signature, but not necessarily. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
View Lorry Controller Status