Age | Commit message | Author |
|
OpenSSL 1.1 will include some backwards-compatible API changes. In
some cases, the new API won't be available until OpenSSL 1.1, but a
lot of the new API already exists in OpenSSL 1.0.2.
This commit switches the parts that can be switched with OpenSSL 1.0.
Other changes deferred until OpenSSL 1.1 public release.
svn path=/branches/tk705/; revision=6351
|
|
svn path=/branches/tk705/; revision=6242
|
|
svn path=/branches/tk705/; revision=6216
|
|
svn path=/branches/tk705/; revision=6214
|
|
verification per se. Clean up nasty mess in profile conformance
checks for router certificates.
svn path=/branches/tk705/; revision=6211
|
|
svn path=/branches/tk705/; revision=6210
|
|
keys.
svn path=/branches/tk705/; revision=6209
|
|
cleanup of POW.c RPKI conformance checking code.
svn path=/branches/tk705/; revision=6208
|
|
svn path=/branches/tk705/; revision=6207
|
|
svn path=/branches/tk705/; revision=6205
|
|
from having SIA extensions, unlike all other RPKI certificates which
are required to have them.
Start moving RPKI conformance checks which can be performed in Python
out of POW.c, tag a bunch more for consideration.
svn path=/branches/tk705/; revision=6204
|
|
which hasn't previously had X509_check_ca() called on it.
svn path=/branches/tk705/; revision=6197
|
|
svn path=/branches/tk705/; revision=6185
|
|
issuer. Not sure we really need the complex issuer-finding code at
all anymore, but dumping core is not an appropriate form of social
criticism.
svn path=/branches/tk705/; revision=6183
|
|
OpenSSL certificate verification errors.
svn path=/branches/tk705/; revision=6181
|
|
makes the C code considerably simpler.
svn path=/branches/tk705/; revision=6180
|
|
left to do, still need to add in stuff that we pushed out to Python
rather than trying to do in C (eg, a lot of the URI tests), but basics
seem to work. Checkpointing before attempting a major simplification
of the StatusCode mechanism.
svn path=/branches/tk705/; revision=6179
|
|
svn path=/branches/tk705/; revision=6178
|
|
svn path=/branches/tk705/; revision=6177
|
|
X509Store.verify() to X509.verify(). Result seems to run properly
with trivial modification to existing Python BPKI code.
RPKI extended validation via this interface (the real point of this
exercise) still not tested.
svn path=/branches/tk705/; revision=6176
|
|
POW.c, still totally untested. X.509 certificate validation is in a
transitional state, currently spiced with awful kludges so that we're
still doing the right thing cryptographically, albeit in a completely
disgusting way as far as the API is concerned. Serious cleanup
needed, but wanted to get a post-merge version with CMS and X.509
working again after the merge into the repository for backup.
svn path=/branches/tk705/; revision=6175
|
|
rcynic.c. New functionality not yet tested, but doesn't seem to have
broken anything in the CA software.
(Previous commit accidentally included POW.c, oops, but no harm done.)
svn path=/branches/tk705/; revision=6174
|
|
svn path=/branches/tk705/; revision=6173
|
|
understands Django's exotic metaclasses, which in turn allows us to
re-enable a number of pylint checks we had disabled. While we were at
this, stripped out a bunch of old pylint pragmas, then added back the
subset that were really needed. As usual with pylint, this turned up
a few real bugs along with an awful lot of noise.
svn path=/branches/tk705/; revision=6162
|
|
through to X509 verification callback handler so it can record status
properly.
svn path=/branches/tk705/; revision=6159
|
|
RPKI validation in POW.c. So far this is mostly notes and the support
for the status code mechanism.
svn path=/branches/tk705/; revision=6158
|
|
This needs rewriting, but doing it properly requires a minor database
schema change, and I'm trying to get a test case running by tomorrow
morning.
svn path=/branches/tk705/; revision=6015
|
|
svn path=/trunk/; revision=5846
|
|
svn path=/trunk/; revision=5845
|
|
svn path=/trunk/; revision=5828
|
|
specificCurve format. OpenSSL's documentation claims that namedCurve
is the default, but the code generates specificCurve unless one sets
the key's asn1_flag field to OPENSSL_EC_NAMED_CURVE.
In the immortal words of the late John Brunner: "It's Supposed To Be
Automatic But Actually You Have To Press This Button."
svn path=/trunk/; revision=5827
|
|
svn path=/trunk/; revision=5791
|
|
This is just a more readable and slightly more efficient (no X509Store
object required) idiom for what some code was already doing using the
.verify() methods with flag settings to disable verification. Big
warnings not to do this with unverified data, but programs intended to
post-process data which has already been verified shouldn't have to be
unreadable just to rub the programmer's nose in the verification API.
svn path=/trunk/; revision=5788
|
|
svn path=/branches/tk685/; revision=5764
|
|
svn path=/branches/tk685/; revision=5757
|