| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=92864
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows extraction of a directory of standard PEM files
with the OpenSSL hash symlinks; this is a format used by
some popular platforms (Debian's /etc/ssl/certs is in this
form, and OpenSUSE provides it for compatibility).
Initially by: Ludwig Nussel <ludwig.nussel@suse.de>
Signed-off-by: Stef Walter <stefw@redhat.com>
* Added header, fixed compiler warnings
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKCS#11 spec states that the CKA_ID should match the
SubjectKeyIdentifier if such an extension is present.
We delay the filling of CKA_ID until the builder phase of populating
attributes which allows us to have more control over how this works.
Note that we don't make CKA_ID reflect SubjectKeyIdentifier *attached*
extensions. The CKA_ID isn't supposed to change after object creation.
Making it dependent on attached extensions would be making promises
we cannot keep, since attached extensions can be added/removed at any
time.
This also means the CKA_ID of attached extensions and certificates
won't necessarily match up, but that was never promised, and not how
attached extensions should be matched to their certificate anyway.
Based on a patch and research done by David Woodhouse.
https://bugs.freedesktop.org/show_bug.cgi?id=84761
|
|
|
|
|
|
|
| |
These PEM blocks contribute a CKA_PUBLIC_KEY_INFO to the object
being read/written.
https://bugs.freedesktop.org/show_bug.cgi?id=83799
|
|
|
|
| |
Add a number of missing LIBTASN1_CFLAGS where it's required
|
|
|
|
| |
Signed-off-by: Michael Cronenworth <mike@cchtml.com>
|
|
|
|
|
|
|
| |
The term 'stapled extensions' is confusing because it overloads
terminology used with OSCP stapling.
Suggested by Daniel Kahn Gillmor.
|
|
|
|
|
|
|
| |
Move our internal stuff to pkcs11i.h, and install the pkcs11x.h
header containing extensions.
https://bugs.freedesktop.org/show_bug.cgi?id=83495
|
|
|
|
|
|
|
|
|
| |
CKA_PUBLIC_KEY_INFO is defined in the PKCS#11 2.40 draft, so use that
rather than defining our own.
* Fixed up by Nikos Mavrogiannopoulos <nmav@redhat.com>
https://bugs.freedesktop.org/show_bug.cgi?id=83495
|
|
|
|
| |
Signed-off-by: Michael Cronenworth <mike@cchtml.com>
|
|
|
|
|
| |
Since the public-key-info is an important part of the way we
represent trust, show it in 'trust list' if --details is present.
|
|
|
|
|
|
| |
Previously we would output a line like this:
p11-kit: 'node != NULL' not true at lookup_extension
|
|
|
|
| |
Still use recursive for documentation and translation.
|
|
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=82328
|
|
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=82328
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
openssl sometimes outputs TRUSTED CERTIFICATE PEM files without the
additional CertAux (ie: trust fields) information. It simply leaves
that block out. This happens with a command like:
$ openssl x509 -in my-cert.pem -out output -trustout
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
This is an integration test that the extract and blacklist
functionality basics work.
More integration tests should follow, at which point we should
place the various generic testing bits into their own file.
|
|
|
|
|
|
|
| |
This fixes an issue where a blacklist in one token wasn't properly
skipping anchors being extracted with extract-compat
https://bugs.freedesktop.org/show_bug.cgi?id=73558
|
|
|
|
|
|
| |
This gives a little broader testing of the enumerator
https://bugs.freedesktop.org/show_bug.cgi?id=73558
|
|
|
|
|
|
| |
Related to the following bug:
https://bugs.freedesktop.org/show_bug.cgi?id=69314
|
| |
|
|
|
|
|
| |
When the 'trust anchor' tool changes something, run
'trust extract-compat' after that point
|
|
|
|
|
| |
This will change once the spec has a specific attribute and code
to signify deletability.
|
| |
|
| |
|
|
|
|
|
|
| |
The actual command is 'trust extract-compat'. Make installed placeholder
script reflect this. We still support the old placeholder script
if it is present.
|
|
|
|
| |
Also prevent --store from storing an anchor multiple times
|
|
|
|
| |
Lists with PKCS#11 URI's and some basic fields.
|
| |
|
|
|
|
| |
Because we want to use this same logic for listing trust
|
|
|
|
|
| |
So that validation/storage logic doesn't kick in if a file was
removed outside of p11-kit trust module.
|
|
|
|
| |
This allows a token to remove the file if desired
|
|
|
|
|
| |
This is because the persist format contains PEM, and if the PEM
parser gets it first, then it'll ignore the other non PEM data.
|
|
|
|
|
| |
There was a bug where we were rewriting the modified object
multiple times.
|
|
|
|
|
|
| |
As a side effect we can also not use the dirent.d_type field
https://bugs.freedesktop.org/show_bug.cgi?id=68525
|
| |
|