Commit message | Author | Age | Files | Lines

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This replaces the --rsa-pss and --eddsa options.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This adds support for draft-ietf-curdle-pkix-04.
Resolves #25
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Previously --generate-privkey wouldn't ask for password unless --pkcs8
was explicitly given. Keep that behavior, and do not ask for any password
even if we need to export to PKCS#8 for some key types. Always require
the --pkcs8 option to encrypt with password.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This option could accommodate future enhancements/additions in
certificate signing.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

An RSA-PSS key has additional parameters which cannot be stored
in the "standard" PKCS#1 format. For that when asked to generate
an RSA-PSS key, we export to the PKCS#8 form.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This patch enables RSA-PSS signature scheme in the X.509 functions and
certtool.
When creating RSA-PSS signature, there are 3 different scenarios:
a. both a private key and a certificate are RSA-PSS
b. the private key is RSA, while the certificate is RSA-PSS
c. both the private key and the certificate are RSA
For (a) and (b), the RSA-PSS parameters are read from the certificate.
Any conflicts in parameters between the private key and the certificate
are reported as an error.
For (c), the sign functions, such as gnutls_x509_crt_privkey_sign() or
gnutls_privkey_sign_data(), shall be instructed to generate an RSA-PSS
signature. This can be done with the new flag
GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS.
Verification is similar to signing, except that for case (c) the flag
GNUTLS_VERIFY_USE_RSA_PSS is used instead of
GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS.
From the command line, certtool has a couple of new options: --rsa-pss
and --rsa-pss-sign. The --rsa-pss option indicates that the generated
private key or certificate is restricted to RSA-PSS, while the
--rsa-pss-sign option indicates that the generated certificate is signed
with RSA-PSS.
For simplicity, there is no means of choosing arbitrary salt length.
When it is not given by a private key or a certificate, it is
automatically calculated from the underlying hash algorithm and the
RSA modulus bits.
[minor naming changes by nmav]
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Karl Tarbe <karl.tarbe@cyber.ee>

This option was introduced in documentation for certtool without
an implementation of it. It is a shortcut for option
key_purpose_oid = 1.3.6.1.5.5.7.3.4
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This allows static analysers to properly warn on unchecked return values.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This utilizes assert() as it cannot be triggered in practice.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

In addition, fall back to DER when --load-crl fails importing a PEM
encoded CRL due to PEM issues.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

That is, combined how CA certificates are loaded for --verify-chain,
--verify and --p7-verify. It is based on the trust list high level
functions, something that allows PKCS#11 URLs to be specified in
--load-ca-certificate.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

We do not know whether their allocated size allows for that additional
null, and we do not need the null termination.

Signed-off-by: Andreas Schneider <asn@samba.org>

That is, allow setting code signing, or time stamping key purpose
in certificates that are not marked as CA. The previous restriction
served no purpose.

This reverts commit 7daed1fd0602bce7495d252f1a9b638fc41e38d3.

That is, do not allow specifying --generate-request --load-pubkey without
specifying --load-privkey. Previously if --load-pubkey would have been
used, it would have been ignored, causing confusion to the users.

Previously certtool complained about key size if --curve is given:
$ certtool --generate-privkey --ecc --curve secp256r1 --outfile key.pem
Generating a -2147483646 bit EC/ECDSA private key...
Note that ECDSA keys with size less than 256 are not widely supported.

That is, allow generating PKCS#12 files with private keys only as well.

This allows setting arbitrary extensions using the following new template options:
add_extension = "5.6.7.8 0x0001020304050607AAABCD"
add_critical_extension = "9.10.11.12.13.14.15.16.17.1.5 0xCAFE"
The "0x" prefix can be omitted.

This introduces the honor_crq_extension multi-line template option.

template file.

That is, handle GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if returned
from gnutls_x509_crt_get_dn() on the end certificate.

That not only simplifies the code, but also allows decoding hex strings
which contain non-hex chars (and that allows decoding hex of the form XX:XX:XX)

There is no such support in the library.