| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Still use recursive for documentation and translation.
|
| |
|
|
|
|
|
|
| |
openssl sometimes outputs TRUSTED CERTIFICATE PEM files without the
additional CertAux (ie: trust fields) information. It simply leaves
that block out. This happens with a command like:
$ openssl x509 -in my-cert.pem -out output -trustout
|
| |
|
|
|
|
| |
As a side effect we can also not use the dirent.d_type field
https://bugs.freedesktop.org/show_bug.cgi?id=68525
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
* Use the concepts and PKCS#11 objects described in the
recently updated (still work in progress) storing trust spec.
* Define our own CKA_X_PUBLIC_KEY_INFO define for now, since the
the CKA_PUBLIC_KEY_INFO isn't defined yet.
* Most notably, the association between certificates and stapled
extensions is by public key.
* Rework some of the tests to take into account the above.
|
| |
|
|
|
| |
* The objects are written out in the p11-kit persist format
* Parser marks files in p11-kit persist format as modifiable
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Reload token data whenever a new session is opened.
* Only reload files/directories that have changed.
* Move duplicate anchor/blacklist detection logic into
the extract code. This is in line with the approach
being discussed on the mailing lists and spec document.
* New internal attribute CKA_X_ORIGIN set on all objects
so we can track where an object came from, and replace
it when reloaded.
In general this is a prerequisite for modification of objects
reload before modify is necessary to prevent multiple callers
clobbering each other's changes.
|
| |
|
|
|
|
|
|
| |
* Support the TAP protocol
* Much cleaner without having to carry around state
* First class support for setup/teardown
* Port the common tests
* Wait on porting other tests until we've merged outstanding code
|
| |
|
|
|
|
|
|
|
|
|
| |
Put library init/uninit code its into their own statically
linked library so that they don't get linked into the p11-kit
executable.
Refactor the message code so that the library initialization can
plug in its per thread message buffer.
https://bugs.freedesktop.org/show_bug.cgi?id=63046
|
| |
|
|
|
|
|
|
| |
If duplicate certificates are present in a token, we warn about this,
and don't really recommend it. However we have predictable behavior
where blacklist is prefered to anchor is preferred to unknown trust.
https://bugs.freedesktop.org/show_bug.cgi?id=62548
|
| |
|
|
|
|
|
|
|
| |
The index now uses a sort of cross between a hash table and a bloom
filter internally to select matching items. This is needed for the
massive amount of lookups we want to do during loading.
In addition make p11_index_find() and p11_index_replace() easier
to use.
|
| |
|
|
|
|
|
|
|
|
|
| |
Add implementation of the murmur2 hash function, and start using
it for our dictionaries. Our implementation is incremental
like our other hash functions.
Also remove p11_oid_hash() which wasn't being used.
In addition fix several tests whose success was based on the
way that the dictionary hashed. This was a hidden testing bug.
|
| |
|
|
|
|
|
| |
This is documented in doc/internals/ subdirectory
Add tests for the format as well.
https://bugs.freedesktop.org/show_bug.cgi?id=62156
|
| |
|
|
|
|
|
| |
This is what's recommended by the spec, and allows stapled extensions
to hang off a predictable CKA_ID.
https://bugs.freedesktop.org/show_bug.cgi?id=62329
|
| |
|
|
|
|
|
|
|
|
|
| |
The builder completes the objects from the parsed data and takes
over the responsibilities that the parser and adapter previously
shared.
This is necessary to prepare for arbitrary data coming from
the p11-kit specific input files.
https://bugs.freedesktop.org/show_bug.cgi?id=62329
|
| |
|
|
|
| |
NSS had subtly changed the values of the distrust CK_TRUST codes
so update them to stay in sync.
|
| |
|
|
| |
This fixes hangs when running tests on windows
|
| |
|
|
| |
Since older operating systems don't support setenv()
|
| |
|
|
|
| |
* This is in cases where the certificate information does not
already have a friendly name or alias.
|
| |
|
|
|
|
| |
* Implement trust assertions for anchored and distrusted certs
* Pinned certificate trust assertions are not implemented yet
* Add an internal tool for pulling apart bits of certificates
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Fill in CKA_CERTIFICATE_CATEGORY properly for authorities
based on the presence of BasicConstraints and/or v1 certificates
* Fill in CKA_TRUSTED and CKA_X_DISTRUSTED based on whether the
parser is running for anchors or blacklist
* In addition support the concept of blacklisted certificates mixed
in with the anchors (without any purposes) since that's what exists
in the real world.
* We do this after the various hooks have had a chance to mess
with the certificate extensions and such.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Use stapled certificate extensions to represent loaded trust policy
* Build NSS trust objects from stapled certificate extensions
* Add further attribute debugging for NSS trust objects
* Use a custom certificate extension for the OpenSSL reject purpose data
* Use SubjectKeyIdentifier for OpenSSL keyid data
* Use ExtendedKeyUsage for OpenSSL trust purpose data
* Implement simple way to handle binary DER OIDs, using the DER TLV
length. DER OIDs are used in the CKA_OBJECT_ID value, and elsewhere.
* Split out the building of NSS trust objects from the main parser
|
| | |
|
| | |
|
| | |
|
| | |
|
|
|
This is based off the roots-store from gnome-keyring and loads
certificates from a root directory and exposes them as PKCS#11
objects.
|
