summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* trust: Add pem-directory-hash extract formatAdam Williamson2015-01-146-52/+139
| | | | | | | | | | | | This allows extraction of a directory of standard PEM files with the OpenSSL hash symlinks; this is a format used by some popular platforms (Debian's /etc/ssl/certs is in this form, and OpenSUSE provides it for compatibility). Initially by: Ludwig Nussel <ludwig.nussel@suse.de> Signed-off-by: Stef Walter <stefw@redhat.com> * Added header, fixed compiler warnings
* uri: Accept 'type' in additon to 'object-type' in PKCS#11 URIsStef Walter2014-11-142-2/+30
| | | | This was a later change to the PKCS#11 specification drafts
* compat: Add definition for setenv for Win32Michael Cronenworth2014-11-122-0/+5
| | | | Signed-off-by: Michael Cronenworth <mike@cchtml.com>
* Release version 0.22.1Stef Walter2014-10-092-1/+7
|
* trust: Certificate CKA_ID is SubjectKeyIdentifier if possibleStef Walter2014-10-097-46/+91
| | | | | | | | | | | | | | | | | | | | | | The PKCS#11 spec states that the CKA_ID should match the SubjectKeyIdentifier if such an extension is present. We delay the filling of CKA_ID until the builder phase of populating attributes which allows us to have more control over how this works. Note that we don't make CKA_ID reflect SubjectKeyIdentifier *attached* extensions. The CKA_ID isn't supposed to change after object creation. Making it dependent on attached extensions would be making promises we cannot keep, since attached extensions can be added/removed at any time. This also means the CKA_ID of attached extensions and certificates won't necessarily match up, but that was never promised, and not how attached extensions should be matched to their certificate anyway. Based on a patch and research done by David Woodhouse. https://bugs.freedesktop.org/show_bug.cgi?id=84761
* trust: Allow 'BEGIN PUBLIC KEY' PEM blocks in .p11-kit filesStef Walter2014-10-094-4/+82
| | | | | | | These PEM blocks contribute a CKA_PUBLIC_KEY_INFO to the object being read/written. https://bugs.freedesktop.org/show_bug.cgi?id=83799
* trust: add missing libtasn1 cflagsRoman Bogorodskiy2014-10-071-0/+39
| | | | Add a number of missing LIBTASN1_CFLAGS where it's required
* Bump libtool versioning for added APIsStef Walter2014-10-061-2/+2
|
* Unbreak build on OpenBSDAntoine Jacoutot2014-10-061-0/+5
| | | | | | | Add missing header for strdup(3). When EPROTO is not available, fallback to EIO. https://bugs.freedesktop.org/show_bug.cgi?id=84665
* makefile: Rename DATADIR to not conflict with Win32 defineMichael Cronenworth2014-10-053-3/+3
| | | | Signed-off-by: Michael Cronenworth <mike@cchtml.com>
* Release version 0.22.0Stef Walter2014-10-042-1/+7
|
* p11-kit: Use pthread_atfork() in a safe mannerStef Walter2014-10-039-117/+63
| | | | | | | | | | | | | Instead of trying to perform actions in pthread_atfork() which are not async-signal-safe, just increment a counter so we can later tell if the process has forked. Note this does not make it safe to mix threads and forking without immediately execing. This is a far broader problem that p11-kit, however we now do the right thing when fork+exec is used from a thread. https://bugs.freedesktop.org/show_bug.cgi?id=84567
* remote: Run separate executable binary for 'p11-kit remote'Stef Walter2014-10-025-157/+164
| | | | | This allows security frameworks like SELinux or AppArmor to target it specifically.
* p11-kit: P11_KIT_PRIVATEDIR env var overrides private binary dirStef Walter2014-10-022-1/+7
| | | | | | External binaries are searched for in $(libdir)/p11-kit. The P11_KIT_PRIVATEDIR can be used to override that, for example during 'make check'
* common: Use secure_getenv() implementation when setuidStef Walter2014-10-028-4/+113
| | | | | In anything security sensitive, use secure_getenv() implementation for retrieving environment variables.
* common: In tests preserve parent environment for childrenStef Walter2014-10-021-1/+1
|
* p11-kit: Remove the 'isolated' option for nowStef Walter2014-10-013-24/+5
| | | | | | This option was not completed in time, and as implemented suffers from limitations that the module is not really completely isolated as it still runs under the same user id as the calling process.
* common: Move unistd include to define getopt and friendsMichael Cronenworth2014-09-181-1/+1
| | | | | | Needed to fix MinGW builds. Signed-off-by: Michael Cronenworth <mike@cchtml.com>
* Release version 2.21.3Stef Walter2014-09-172-1/+9
|
* trust: Use term 'attached extensions' instead of 'stapled'Stef Walter2014-09-108-72/+72
| | | | | | | The term 'stapled extensions' is confusing because it overloads terminology used with OSCP stapling. Suggested by Daniel Kahn Gillmor.
* common: New public pkcs11x.h header containing extensionsStef Walter2014-09-1012-457/+520
| | | | | | | Move our internal stuff to pkcs11i.h, and install the pkcs11x.h header containing extensions. https://bugs.freedesktop.org/show_bug.cgi?id=83495
* common: Change the CKA_X_PUBLIC_KEY_INFO constant to CKA_PUBLIC_KEY_INFOStef Walter2014-09-1011-48/+52
| | | | | | | | | CKA_PUBLIC_KEY_INFO is defined in the PKCS#11 2.40 draft, so use that rather than defining our own. * Fixed up by Nikos Mavrogiannopoulos <nmav@redhat.com> https://bugs.freedesktop.org/show_bug.cgi?id=83495
* common: Add support for multiple field names (ie: nicks) per constantStef Walter2014-09-103-21/+22
| | | | | | This allows us to have old/new names for a given constant. https://bugs.freedesktop.org/show_bug.cgi?id=83495
* p11-kit: Fix tests when building with MinGWMichael Cronenworth2014-09-093-0/+30
| | | | Signed-off-by: Michael Cronenworth <mike@cchtml.com>
* trust: Fix token test when building with MinGWMichael Cronenworth2014-09-091-0/+4
| | | | Signed-off-by: Michael Cronenworth <mike@cchtml.com>
* configure: Check for pthread_create() in pthread libraryRoman Bogorodskiy2014-09-091-3/+3
| | | | | | | Check for pthread_create() in pthread library instaed of pthread_mutexattr_init(). This fixes a linking error on FreeBSD. https://bugs.freedesktop.org/show_bug.cgi?id=75674
* p11-kit: Compilation fixes for previous commitStef Walter2014-09-091-4/+1
| | | | Pushed the wrong version
* p11-kit: Make proxy module respect critical = noStef Walter2014-09-091-37/+47
| | | | | | | The p11-kit-proxy.so module would not respect the critical = no setting in module configuration, and fail if any module failed to initialize. https://bugs.freedesktop.org/show_bug.cgi?id=83651
* Fix build without debugRoman Bogorodskiy2014-09-091-0/+2
| | | | | | | | | | | | | When building without debug build fails with: CCLD p11-kit/p11-kit ./.libs/libp11-kit.so: undefined reference to `P11_RPC_CHECK_CALLS' cc: error: linker command failed with exit code 1 (use -v to see invocation) gmake[2]: *** [p11-kit/p11-kit] Error 1 This happens because P11_RPC_CHECK_CALLS is not defined when debugging is enabled, so provide a noop macro for that case.
* trust: Show public-key-info in 'trust list --details'Stef Walter2014-09-051-0/+14
| | | | | Since the public-key-info is an important part of the way we represent trust, show it in 'trust list' if --details is present.
* Release version 0.21.2Stef Walter2014-09-052-1/+11
|
* trust: Produce a proper message for an invalid stapled extensionStef Walter2014-09-051-1/+10
| | | | | | Previously we would output a line like this: p11-kit: 'node != NULL' not true at lookup_extension
* Move to non-recursive Makefile for building bins and libsStef Walter2014-08-15133-589/+632
| | | | Still use recursive for documentation and translation.
* common: Fix regression introduced by last commitStef Walter2014-08-151-1/+1
| | | | | | The last commit caused dirfd() to become undefined. https://bugs.freedesktop.org/show_bug.cgi?id=82617
* Fix build against older pthreads implementationsBaruch Siach2014-08-141-0/+6
| | | | | | | | | | | | | | | | | Older pthreads implementations like glibc NPTL prior to version 2.12, and uClibc linuxthreads (both), need _XOPEN_SOURCE to expose pthread_mutexattr_settype() and THREAD_MUTEX_DEFAULT. The value 600 (SuSv3, POSIX.1-2001) is equivalent to _POSIX_C_SOURCE 200112L. Fixes the following build error: CC compat.lo compat.c: In function 'p11_mutex_init': compat.c:164:2: warning: implicit declaration of function 'pthread_mutexattr_settype' [-Wimplicit-function-declaration] compat.c:164:2: warning: nested extern declaration of 'pthread_mutexattr_settype' [-Wnested-externs] compat.c:164:36: error: 'PTHREAD_MUTEX_DEFAULT' undeclared (first use in this function) https://bugs.freedesktop.org/show_bug.cgi?id=82617
* Fix 'make upload-release' targetStef Walter2014-08-141-2/+2
|
* doc: Fix missing tag in p11-kit-sharing.xmlStef Walter2014-08-111-0/+1
|
* p11-kit: Fix various noise/issues highlighted by clangStef Walter2014-08-114-13/+13
|
* Ignore clang scanner litterStef Walter2014-08-081-0/+1
|
* trust: Don't use invalid public keys for looking up stapled extensionsStef Walter2014-08-081-1/+1
| | | | https://bugs.freedesktop.org/show_bug.cgi?id=82328
* trust: Print label of certificate when complaining about basic constraintsStef Walter2014-08-081-1/+5
| | | | https://bugs.freedesktop.org/show_bug.cgi?id=82328
* trust: Double check that index bucket is valid before accessStef Walter2014-08-081-2/+2
|
* p11-kit: Remove use after free in debug output code pathStef Walter2014-08-081-1/+1
|
* Quiten down scanner warnings about unused variablesStef Walter2014-08-082-8/+2
|
* common: Quiet down clang scanner with assertionsStef Walter2014-08-081-1/+1
| | | | | Quieten down the clang scanner by telling it to expect that our test assertions fail
* Fix mostly erroneous scanner warnings in testsStef Walter2014-08-0811-2/+22
|
* trust: Fix leak in token loading error pathStef Walter2014-08-081-0/+1
|
* trust: Fix unlikely use of uninitialized memory in token loadingStef Walter2014-08-081-3/+3
|
* trust: Fix leak in trust list commandStef Walter2014-08-081-0/+1
|
* trust: Fix use after free and double free in extract commandStef Walter2014-08-081-7/+4
|