summaryrefslogtreecommitdiffstats
path: root/crypto/heimdal/lib/hx509/ChangeLog
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/heimdal/lib/hx509/ChangeLog')
-rw-r--r--crypto/heimdal/lib/hx509/ChangeLog2641
1 files changed, 2641 insertions, 0 deletions
diff --git a/crypto/heimdal/lib/hx509/ChangeLog b/crypto/heimdal/lib/hx509/ChangeLog
new file mode 100644
index 0000000..cb29cee
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/ChangeLog
@@ -0,0 +1,2641 @@
+2008-01-21 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_soft_pkcs11.c: use func for more C_ functions.
+
+2008-01-18 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * version-script.map: Export hx509_free_error_string().
+
+2008-01-17 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * version-script.map: only export C_GetFunctionList
+
+ * test_soft_pkcs11.c: use C_GetFunctionList
+
+ * softp11.c: fix comment, remove label.
+
+ * softp11.c: Add option app-fatal to control if softtoken should
+ abort() on erroneous input from applications.
+
+2008-01-16 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_pkcs11.in: Test password less certificates too
+
+ * keyset.c: document HX509_CERTS_UNPROTECT_ALL
+
+ * ks_file.c: Support HX509_CERTS_UNPROTECT_ALL.
+
+ * hx509.h: Add HX509_CERTS_UNPROTECT_ALL.
+
+ * test_soft_pkcs11.c: Only log in if needed.
+
+2008-01-15 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * softp11.c: Support PINs to login to the store.
+
+ * Makefile.am: add java pkcs11 test
+
+ * test_java_pkcs11.in: first version of disable java test
+
+ * softp11.c: Drop unused stuff.
+
+ * cert.c: Spelling, Add hx509_cert_get_SPKI_AlgorithmIdentifier,
+ remove unused stuff, add hx509_context to some functions.
+
+ * softp11.c: Add more glue to figure out what keytype this
+ certificate is using.
+
+2008-01-14 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_pkcs11.in: test debug
+
+ * Add a PKCS11 provider supporting signing and verifing sigatures.
+
+2008-01-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * version-script.map: Replace hx509_name_to_der_name with
+ hx509_name_binary.
+
+ * print.c: make print_func static
+
+2007-12-26 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * print.c: doxygen
+
+ * env.c: doxygen
+
+ * doxygen.c: add more groups
+
+ * ca.c: doxygen.
+
+2007-12-17 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ca.c: doxygen
+
+2007-12-16 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * error.c: doxygen
+
+2007-12-15 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * More documentation
+
+ * lock.c: Add page referance
+
+ * keyset.c: some more documentation.
+
+ * cms.c: Doxygen documentation.
+
+2007-12-11 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * *.[ch]: More documentation
+
+2007-12-09 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * handle refcount on NULL.
+
+ * test_nist_pkcs12.in: drop echo -n, doesn't work with posix sh
+
+2007-12-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_nist2.in: Print that this is version 2 of the tests
+
+ * test_nist.in: Drop printing of $id.
+
+ * hx509.h: Add HX509_VHN_F_ALLOW_NO_MATCH.
+
+ * name.c: spelling.
+
+ * cert.c: make work the doxygen.
+
+ * name.c: fix doxygen compiling.
+
+ * Makefile.am: add doxygen.c
+
+ * doxygen.c: Add doxygen main page.
+
+ * cert.c: Add doxygen.
+
+ * revoke.c (_hx509_revoke_ref): new function.
+
+2007-11-16 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_keychain.c: Check if SecKeyGetCSPHandle needs prototype.
+
+2007-08-16 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * data/nist-data: Make work on case senstive filesystems too.
+
+2007-08-09 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cert.c: match rfc822 contrains better, provide better error
+ strings.
+
+2007-08-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cert.c: "self-signed doesn't count" doesn't apply to trust
+ anchor certificate. make trust anchor check consistant.
+
+ * revoke.c: make compile.
+
+ * revoke.c (verify_crl): set error strings.
+
+ * revoke.c (verify_crl): handle with the signer is the
+ CRLsigner (shortcut).
+
+ * cert.c: Fix NC, comment on how to use _hx509_check_key_usage.
+
+2007-08-03 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_nist2.in, Makefile, test/nist*: Add nist pkits tests.
+
+ * revoke.c: Update to use CERT_REVOKED error, shortcut out of OCSP
+ checking when OCSP reply is a revocation reply.
+
+ * hx509_err.et: Make CERT_REVOKED error OCSP/CRL agnostic.
+
+ * name.c (_hx509_Name_to_string): make printableString handle
+ space (0x20) diffrences as required by rfc3280.
+
+ * revoke.c: Search for the right issuer when looking for the
+ issuer of the CRL signer.
+
+2007-08-02 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * revoke.c: Handle CRL signing certificate better, try to not
+ revalidate invalid CRLs over and over.
+
+2007-08-01 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cms.c: remove stale comment.
+
+ * test_nist.in: Unpack PKITS_data.zip and run tests.
+
+ * test_nist_cert.in: Adapt to new nist pkits framework.
+
+ * test_nist_pkcs12.in: Adapt to new nist pkits framework.
+
+ * Makefile.am: clean PKITS_data
+
+2007-07-16 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * Makefile.am: Add version-script.map to EXTRA_DIST
+
+2007-07-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * Makefile.am: Add depenency on asn1_compile for asn1 built files.
+
+2007-07-10 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * peer.c: update (c), indent.
+
+ * Makefile.am: New library version.
+
+2007-06-28 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_p11.c: Add sha2 types.
+
+ * ref/pkcs11.h: Sync with scute.
+
+ * ref/pkcs11.h: Add sha2 CKM's.
+
+ * print.c: Print authorityInfoAccess.
+
+ * cert.c: Rename proxyCertInfo oid.
+
+ * ca.c: Rename proxyCertInfo oid.
+
+ * print.c: Rename proxyCertInfo oid.
+
+2007-06-26 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_ca.in: Adapt to new request handling.
+
+ * req.c: Allow export some of the request parameters.
+
+ * hxtool-commands.in: Adapt to new request handling.
+
+ * hxtool.c: Adapt to new request handling.
+
+ * test_req.in: Adapt to new request handling.
+
+ * version-script.map: Add initialize_hx_error_table_r.
+
+ * req.c: Move _hx509_request_print here.
+
+ * hxtool.c: use _hx509_request_print
+
+ * version-script.map: Export more crap^W semiprivate functions.
+
+ * hxtool.c: don't _hx509_abort
+
+ * version-script.map: add missing ;
+
+2007-06-25 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cms.c: Use hx509_crypto_random_iv.
+
+ * crypto.c: Split out the iv creation from hx509_crypto_encrypt
+ since _hx509_pbe_encrypt needs to use the iv from the s2k
+ function.
+
+ * test_cert.in: Test PEM and DER FILE writing functionallity.
+
+ * ks_file.c: Add writing DER certificates.
+
+ * hxtool.c: Update to new hx509_pem_write().
+
+ * test_cms.in: test creation of PEM signeddata.
+
+ * hx509.h: PEM struct/function declarations.
+
+ * ks_file.c: Use PEM encoding/decoding functions.
+
+ * file.c: PEM encode/decoding functions.
+
+ * ks_file.c: Use hx509_pem_write.
+
+ * version-script.map: Export some semi-private functions.
+
+ * hxtool.c: Enable writing out signed data as a pem attachment.
+
+ * hxtool-commands.in (cms-create-signed): add --pem
+
+ * file.c (hx509_pem_write): Add.
+
+ * test_ca.in: Issue and test null subject cert.
+
+ * cert.c: Match is first component is in a CN=.
+
+ * test_ca.in: Test hostname if first CN.
+
+ * Makefile.am: Add version script.
+
+ * version-script.map: Limited exported symbols.
+
+ * test_ca.in: test --hostname.
+
+ * test_chain.in: test max-depth
+
+ * hx509.h: fixate HX509_HN_HOSTNAME at 0.
+
+ * hxtool-commands.in: add --hostname add --max-depth
+
+ * cert.c: Verify hostname and max-depth.
+
+ * hxtool.c: Verify hostname and test max-depth.
+
+2007-06-24 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_cms.in: Test --id-by-name.
+
+ * hxtool-commands.in: add cms-create-sd --id-by-name
+
+ * hxtool.c: Use HX509_CMS_SIGATURE_ID_NAME.
+
+ * cms.c: Implement and use HX509_CMS_SIGATURE_ID_NAME.
+
+ * hx509.h: Add HX509_CMS_SIGATURE_ID_NAME, use subject name for
+ CMS.Identifier. hx509_hostname_type: add hostname type for
+ matching.
+
+ * cert.c (match_general_name): more strict rfc822Name matching.
+ (hx509_verify_hostname): add hostname type for matching.
+
+2007-06-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hxtool.c: Make compile again.
+
+ * hxtool.c: Added peap-server for to make windows peap clients
+ happy.
+
+ * hxtool.c: Unify parse_oid code.
+
+ * hxtool.c: Implement --content-type.
+
+ * hxtool-commands.in: Add content-type.
+
+ * test_cert.in: more cert and keyset tests.
+
+2007-06-18 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * revoke.c: Avoid stomping on NULL.
+
+ * revoke.c: Avoid reusing i.
+
+ * cert.c: Provide __attribute__ for _hx509_abort.
+
+ * ks_file.c: Fail if not finding iv.
+
+ * keyset.c: Avoid useing freed memory.
+
+ * crypto.c: Free memory in failure case.
+
+ * crypto.c: Free memory in failure case.
+
+2007-06-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * *.c: Add hx509_cert_init_data and use everywhere
+
+ * hx_locl.h: Now that KEYCHAIN:system-anchors is fast again, use
+ that.
+
+ * ks_keychain.c: Implement trust anchor support with
+ SecTrustCopyAnchorCertificates.
+
+ * keyset.c: Set ref to 1 for the new object.
+
+ * cert.c: Fix logic for allow_default_trust_anchors
+
+ * keyset.c: Add refcounting to keystores.
+
+ * cert.c: Change logic for default trust anchors, make it be
+ either default trust anchor, the user supplied, or non at all.
+
+2007-06-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * Makefile.am: Add data/j.pem.
+
+ * Makefile.am: Add test_windows.in.
+
+2007-06-06 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_keychain.c: rename functions, leaks less memory and more
+ paranoia.
+
+ * test_cms.in: Test cms peer-alg.
+
+ * crypto.c (rsa_create_signature): make oid_id_pkcs1_rsaEncryption
+ mean rsa-with-sha1 but oid oid_id_pkcs1_rsaEncryption in algorithm
+ field. XXX should probably use another algorithmIdentifier for
+ this.
+
+ * peer.c: Make free function return void.
+
+ * cms.c (hx509_cms_create_signed_1): Use hx509_peer_info to select
+ the signature algorithm too.
+
+ * hxtool-commands.in: Add cms-create-sd --peer-alg.
+
+ * req.c: Use _hx509_crypto_default_sig_alg.
+
+ * test_windows.in: Create crl, because everyone needs one.
+
+ * Makefile.am: add wcrl.crl
+
+2007-06-05 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hx_locl.h: Disable KEYCHAIN for now, its slow.
+
+ * cms.c: When we are not using pkcs7-data, avoid seing
+ signedAttributes since some clients get upset by that (pkcs7 based
+ or just plain broken).
+
+ * ks_keychain.c: Provide rsa signatures.
+
+ * ks_keychain.c: Limit the searches to the selected keychain.
+
+ * ks_keychain.c: include -framework Security specific header files
+ after #ifdef
+
+ * ks_keychain.c: Find and attach private key (does not provide
+ operations yet though).
+
+ * ks_p11.c: Prefix rsa method with p11_
+
+ * ks_keychain.c: Allow opening a specific chain, making "system"
+ special and be the system X509Anchors file. By not specifing any
+ keychain ("KEYCHAIN:"), all keychains are probed.
+
+2007-06-04 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hxtool.c (verify): Friendlier error message.
+
+ * cert.c: Read in and use default trust anchors if they exists.
+
+ * hx_locl.h: Add concept of default_trust_anchors.
+
+ * ks_keychain.c: Remove err(), remove extra empty comment, fix
+ _iter function.
+
+ * error.c (hx509_get_error_string): if the error code is not the
+ one we expect, punt and use the default com_err/strerror string
+ instead.
+
+ * keyset.c (hx509_certs_merge): its ok to merge in the NULL set of
+ certs.
+
+ * test_windows.in: Fix status string.
+
+ * ks_p12.c (store_func): free whole CertBag, not just the data
+ part.
+
+ * print.c: Check that the self-signed cert is really self-signed.
+
+ * print.c: Use selfsigned for CRL DP whine, tell if its a
+ self-signed.
+
+ * print.c: Whine if its a non CA/proxy and doesn't have CRL DP.
+
+ * ca.c: Add cRLSign to CA certs.
+
+ * cert.c: Register NULL and KEYCHAIN.
+
+ * ks_null.c: register the NULL keystore.
+
+ * Makefile.am: Add ks_keychain.c and related libs.
+
+ * test_crypto.in: Print certificate with utf8.
+
+ * print.c: Leak less memory.
+
+ * hxtool.c: Leak less memory.
+
+ * print.c: Leak less memory, use functions that does same but
+ more.
+
+ * name.c (quote_string): don't sign extend the (signed) char to
+ avoid printing too much, add an assert to check that we didn't
+ overrun the buffer.
+
+ * name.c: Use right element out of the CHOICE for printableString
+ and utf8String
+
+ * ks_keychain.c: Certificate only KeyChain backend.
+
+ * name.c: Reset name before parsing it.
+
+2007-06-03 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * revoke.c (hx509_crl_*): fix sizeof() mistakes to fix memory
+ corruption.
+
+ * hxtool.c: Add lifetime to crls.
+
+ * hxtool-commands.in: Add lifetime to crls.
+
+ * revoke.c: Add lifetime to crls.
+
+ * test_ca.in: More crl checks.
+
+ * revoke.c: Add revoking certs.
+
+ * hxtool-commands.in: argument is certificates.. for crl-sign
+
+ * hxtool.c (certificate_copy): free lock
+
+ * revoke.c: Fix hx509_set_error_string calls, add
+ hx509_crl_add_revoked_certs(), implement hx509_crl_{alloc,free}.
+
+ * hxtool.c (crl_sign): free lock
+
+ * cert.c (hx509_context_free): free querystat
+
+2007-06-02 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_chain.in: test ocsp-verify
+
+ * revoke.c (hx509_ocsp_verify): explain what its useful for and
+ provide sane error message.
+
+ * hx509_err.et: New error code, CERT_NOT_IN_OCSP
+
+ * hxtool.c: New command ocsp-verify, check if ocsp contains all
+ certs and are valid (exist and non expired).
+
+ * hxtool-commands.in: New command ocsp-verify.
+
+2007-06-01 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_ca.in: Create crl and verify that is works.
+
+ * hxtool.c: Sign CRL command.
+
+ * hx509.h: Add hx509_crl.
+
+ * hxtool-commands.in: Add crl-sign commands.
+
+ * revoke.c: Support to generate an empty CRL.
+
+ * tst-crypto-select2: Switched default types.
+
+ * tst-crypto-select1: Switched default types.
+
+ * ca.c: Use default AlgorithmIdentifier.
+
+ * cms.c: Use default AlgorithmIdentifier.
+
+ * crypto.c: Provide default AlgorithmIdentifier and use them.
+
+ * hx_locl.h: Provide default AlgorithmIdentifier.
+
+ * keyset.c (hx509_certs_find): collects stats for queries.
+
+ * cert.c: Sort and print more info.
+
+ * hx_locl.h: Add querystat to hx509_context.
+
+ * test_*.in: sprinle stat saveing
+
+ * Makefile.am: Add stat and objdir.
+
+ * collector.c (_hx509_collector_alloc): return error code instead
+ of pointer.
+
+ * hxtool.c: Add statistic hook.
+
+ * ks_file.c: Update _hx509_collector_alloc prototype.
+
+ * ks_p12.c: Update _hx509_collector_alloc prototype.
+
+ * ks_p11.c: Update _hx509_collector_alloc prototype.
+
+ * hxtool-commands.in: Add statistics hook.
+
+ * cert.c: Statistics printing.
+
+ * ks_p12.c: plug memory leak
+
+ * ca.c (hx509_ca_tbs_add_crl_dp_uri): plug memory leak
+
+2007-05-31 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * print.c: print utf8 type SAN's
+
+ * Makefile.am: Fix windows client cert name.
+
+ * test_windows.in: Add crl-uri for the ee certs.
+
+ * print.c: Printf formating.
+
+ * ca.c: Add glue for adding CRL dps.
+
+ * test_ca.in: Readd the crl adding code, it works (somewhat) now.
+
+ * print.c: Fix printing of CRL DPnames (I hate IMPLICIT encoded
+ structures).
+
+ * hxtool-commands.in: make ca and alias of certificate-sign
+
+2007-05-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * crypto.c (hx509_crypto_select): copy AI to the right place.
+
+ * hxtool-commands.in: Add ca --ms-upn.
+
+ * hxtool.c: add --ms-upn and add more EKU's for pk-init client.
+
+ * ca.c: Add hx509_ca_tbs_add_san_ms_upn and refactor code.
+
+ * test_crypto.in: Resurect killed e.
+
+ * test_crypto.in: check for aes256-cbc
+
+ * tst-crypto-select7: check for aes256-cbc
+
+ * test_windows.in: test windows stuff
+
+ * hxtool.c: add ca --domain-controller option, add secret key
+ option to avaible.
+
+ * ca.c: Add hx509_ca_tbs_set_domaincontroller.
+
+ * hxtool-commands.in: add ca --domain-controller
+
+ * hxtool.c: hook for testing secrety key algs
+
+ * crypto.c: Add selection code for secret key crypto.
+
+ * hx509.h: Add HX509_SELECT_SECRET_ENC.
+
+2007-05-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_p11.c: add more mechtypes
+
+2007-05-10 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * print.c: Indent.
+
+ * hxtool-commands.in: add test-crypto command
+
+ * hxtool.c: test crypto command
+
+ * cms.c (hx509_cms_create_signed_1): if no eContentType is given,
+ use pkcs7-data.
+
+ * print.c: add Netscape cert comment
+
+ * crypto.c: Try both the empty password and the NULL
+ password (nothing vs the octet string \x00\x00).
+
+ * print.c: Add some US Fed PKI oids.
+
+ * ks_p11.c: Add some more hashes.
+
+2007-04-24 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hxtool.c (crypto_select): stop memory leak
+
+2007-04-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * peer.c (hx509_peer_info_free): free memory used too
+
+ * hxtool.c (crypto_select): only free peer if it was used.
+
+2007-04-18 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hxtool.c: free template
+
+ * ks_mem.c (mem_free): free key array too
+
+ * hxtool.c: free private key and tbs
+
+ * hxtool.c (hxtool_ca): free signer
+
+ * hxtool.c (crypto_available): free peer too.
+
+ * ca.c (get_AuthorityKeyIdentifier): leak less memory
+
+ * hxtool.c (hxtool_ca): free SPKI
+
+ * hxtool.c (hxtool_ca): free cert
+
+ * ks_mem.c (mem_getkeys): allocate one more the we have elements
+ so its possible to store the NULL pointer at the end.
+
+2007-04-16 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * Makefile.am: CLEANFILES += cert-null.pem cert-sub-ca2.pem
+
+2007-02-05 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ca.c: Disable CRLDistributionPoints for now, its IMPLICIT code
+ in the asn1 parser.
+
+ * print.c: Add some more \n's.
+
+2007-02-03 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * file.c: Allow mapping using heim_octet_string.
+
+ * hxtool.c: Add options to generate detached signatures.
+
+ * cms.c: Add flags to generate detached signatures.
+
+ * hx509.h: Flag to generate detached signatures.
+
+ * test_cms.in: Support detached sigatures.
+
+ * name.c (hx509_general_name_unparse): unparse the other
+ GeneralName nametypes.
+
+ * print.c: Use less printf. Use hx509_general_name_unparse.
+
+ * cert.c: Fix printing and plug leak-on-error.
+
+2007-01-31 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_ca.in: Add test for ca --crl-uri.
+
+ * hxtool.c: Add ca --crl-uri.
+
+ * hxtool-commands.in: add ca --crl-uri
+
+ * ca.c: Code to set CRLDistributionPoints in certificates.
+
+ * print.c: Check CRLDistributionPointNames.
+
+ * name.c (hx509_general_name_unparse): function for unparsing
+ GeneralName, only supports GeneralName.URI
+
+ * cert.c (is_proxy_cert): free info if we wont return it.
+
+2007-01-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hxtool.c: Try to help how to use this command.
+
+2007-01-21 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * switch to sha256 as default digest for signing
+
+2007-01-20 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_ca.in: Really test sub-ca code, add basic constraints tests
+
+2007-01-17 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * Makefile.am: Fix makefile problem.
+
+2007-01-16 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hxtool.c: Set num of bits before we generate the key.
+
+2007-01-15 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cms.c (hx509_cms_create_signed_1): use hx509_cert_binary
+
+ * ks_p12.c (store_func): use hx509_cert_binary
+
+ * ks_file.c (store_func): use hx509_cert_binary
+
+ * cert.c (hx509_cert_binary): return binary encoded
+ certificate (DER format)
+
+2007-01-14 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ca.c (hx509_ca_tbs_subject_expand): new function.
+
+ * name.c (hx509_name_expand): if env is NULL, return directly
+
+ * test_ca.in: test template handling
+
+ * hx509.h: Add template flags.
+
+ * Makefile.am: clean out new files
+
+ * hxtool.c: Add certificate template processing, fix hx509_err
+ usage.
+
+ * hxtool-commands.in: Add certificate template processing.
+
+ * ca.c: Add certificate template processing. Fix return messages
+ from hx509_ca_tbs_add_eku.
+
+ * cert.c: Export more stuff from certificate.
+
+2007-01-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ca.c: update (c)
+
+ * ca.c: (hx509_ca_tbs_add_eku): filter out dups.
+
+ * hxtool.c: Add type email and add email eku when using option
+ --email.
+
+ * Makefile.am: add env.c
+
+ * name.c: Remove abort, add error handling.
+
+ * test_name.c: test name expansion
+
+ * name.c: add hx509_name_expand
+
+ * env.c: key-value pair help functions
+
+2007-01-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ca.c: Don't issue certs with subject DN that is NULL and have no
+ SANs
+
+ * print.c: Fix previous test.
+
+ * print.c: Check there is a SAN if subject DN is NULL.
+
+ * test_ca.in: test email, null subject dn
+
+ * hxtool.c: Allow setting parameters to private key generation.
+
+ * hx_locl.h: Allow setting parameters to private key generation.
+
+ * crypto.c: Allow setting parameters to private key generation.
+
+ * hxtool.c (eval_types): add jid if user gave one
+
+ * hxtool-commands.in (certificate-sign): add --jid
+
+ * ca.c (hx509_ca_tbs_add_san_jid): Allow adding
+ id-pkix-on-xmppAddr OtherName.
+
+ * print.c: Print id-pkix-on-xmppAddr OtherName.
+
+2007-01-11 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * no random, no RSA/DH tests
+
+ * hxtool.c (info): print status of random generator
+
+ * Makefile.am: remove files created by tests
+
+ * error.c: constify
+
+ * name.c: constify
+
+ * revoke.c: constify
+
+ * hx_locl.h: constify
+
+ * keyset.c: constify
+
+ * ks_p11.c: constify
+
+ * hx_locl.h: make printinfo char * argument const.
+
+ * cms.c: move _hx509_set_digest_alg from cms.c to crypto.c since
+ its only used there.
+
+ * crypto.c: remove no longer used stuff, move set_digest_alg here
+ from cms.c since its only used here.
+
+ * Makefile.am: add data/test-nopw.p12 to EXTRA_DIST
+
+2007-01-10 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * print.c: BasicConstraints vs criticality bit is complicated and
+ not really possible to evaluate on its own, silly RFC3280.
+
+ * ca.c: Make basicConstraints critical if this is a CA.
+
+ * print.c: fix the version vs extension test
+
+ * print.c: More validation checks.
+
+ * name.c (hx509_name_cmp): add
+
+2007-01-09 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_p11.c (collect_private_key): Missing CKA_MODULUS is ok
+ too (XXX why should these be fetched given they are not used).
+
+ * test_ca.in: rename all files to PEM files, since that is what
+ they are.
+
+ * hxtool.c: copy out the key with the self signed CA cert
+
+ * Factor out private key operation out of the signing, operations,
+ support import, export, and generation of private keys. Add
+ support for writing PEM and PKCS12 files with private keys in them.
+
+ * data/gen-req.sh: Generate a no password pkcs12 file.
+
+2007-01-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cms.c: Check for internal ASN1 encoder error.
+
+2007-01-05 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * Makefile.am: Drop most of the pkcs11 files.
+
+ * test_ca.in: test reissueing ca certificate (xxx time
+ validAfter).
+
+ * hxtool.c: Allow setting serialNumber (needed for reissuing
+ certificates) Change --key argument to --out-key.
+
+ * hxtool-commands.in (issue-certificate): Allow setting
+ serialNumber (needed for reissuing certificates), Change --key
+ argument to --out-key.
+
+ * ref: Replace with Marcus Brinkmann of g10 Code GmbH pkcs11
+ headerfile that is compatible with GPL (file taken from scute)
+
+2007-01-04 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_ca.in: Test to generate key and use them.
+
+ * hxtool.c: handle other keys the pkcs10 requested keys
+
+ * hxtool-commands.in: add generate key commands
+
+ * req.c (_hx509_request_to_pkcs10): PKCS10 needs to have a subject
+
+ * hxtool-commands.in: Spelling.
+
+ * ca.c (hx509_ca_tbs_set_proxy): allow negative pathLenConstraint
+ to signal no limit
+
+ * ks_file.c: Try all formats on the binary file before giving up,
+ this way we can handle binary rsa keys too.
+
+ * data/key2.der: new test key
+
+2007-01-04 David Love <fx@gnu.org>
+
+ * Makefile.am (hxtool_LDADD): Add libasn1.la
+
+ * hxtool.c (pcert_verify): Fix format string.
+
+2006-12-31 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hxtool.c: Allow setting path length
+
+ * cert.c: Fix test for proxy certs chain length, it was too
+ restrictive.
+
+ * data: regen
+
+ * data/openssl.cnf: (proxy_cert) make length 0
+
+ * test_ca.in: Issue a long living cert.
+
+ * hxtool.c: add --lifetime to ca command.
+
+ * hxtool-commands.in: add --lifetime to ca command.
+
+ * ca.c: allow setting notBefore and notAfter.
+
+ * test_ca.in: Test generation of proxy certificates.
+
+ * ca.c: Allow generation of proxy certificates, always include
+ BasicConstraints, fix error codes.
+
+ * hxtool.c: Allow generation of proxy certificates.
+
+ * test_name.c: make hx509_parse_name take a hx509_context.
+
+ * name.c: Split building RDN to a separate function.
+
+2006-12-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * Makefile.am: clean test_ca files.
+
+ * test_ca.in: test issuing self-signed and CA certificates.
+
+ * hxtool.c: Add bits to allow issuing self-signed and CA
+ certificates.
+
+ * hxtool-commands.in: Add bits to allow issuing self-signed and CA
+ certificates.
+
+ * ca.c: Add bits to allow issuing CA certificates.
+
+ * revoke.c: use new OCSPSigning.
+
+ * ca.c: Add Subject Key Identifier.
+
+ * ca.c: Add Authority Key Identifier.
+
+ * cert.c: Locally export _hx509_find_extension_subject_key_id.
+ Handle AuthorityKeyIdentifier where only authorityCertSerialNumber
+ and authorityCertSerialNumber is set.
+
+ * hxtool-commands.in: Add dnsname and rfc822 SANs.
+
+ * test_ca.in: Test dnsname and rfc822 SANs.
+
+ * ca.c: Add dnsname and rfc822 SANs.
+
+ * hxtool.c: Add dnsname and rfc822 SANs.
+
+ * test_ca.in: test adding eku, ku and san to the
+ certificate (https and pk-init)
+
+ * hxtool.c: Add eku, ku and san to the certificate.
+
+ * ca.c: Add eku, ku and san to the certificate.
+
+ * hxtool-commands.in: Add --type and --pk-init-principal
+
+ * ocsp.asn1: remove id-kp-OCSPSigning, its in rfc2459.asn1 now
+
+2006-12-29 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ca.c: Add KeyUsage extension.
+
+ * Makefile.am: add ca.c, add sign-certificate tests.
+
+ * crypto.c: Add _hx509_create_signature_bitstring.
+
+ * hxtool-commands.in: Add the sign-certificate tool.
+
+ * hxtool.c: Add the sign-certificate tool.
+
+ * cert.c: Add HX509_QUERY_OPTION_KU_KEYCERTSIGN.
+
+ * hx509.h: Add hx509_ca_tbs and HX509_QUERY_OPTION_KU_KEYCERTSIGN.
+
+ * test_ca.in: Basic test of generating a pkcs10 request, signing
+ it and verifying the chain.
+
+ * ca.c: Naive certificate signer.
+
+2006-12-28 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hxtool.c: add hxtool_hex
+
+2006-12-22 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * Makefile.am: use top_builddir for libasn1.la
+
+2006-12-11 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hxtool.c (print_certificate): print serial number.
+
+ * name.c (no): add S=stateOrProvinceName
+
+2006-12-09 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * crypto.c (_hx509_private_key_assign_rsa): set a default sig alg
+
+ * ks_file.c (try_decrypt): pass down AlgorithmIdentifier that key
+ uses to do sigatures so there is no need to hardcode RSA into this
+ function.
+
+2006-12-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_file.c: Pass filename to the parse functions and use it in
+ the error messages
+
+ * test_chain.in: test proxy cert (third level)
+
+ * hx509_err.et: fix errorstring for PROXY_CERT_NAME_WRONG
+
+ * data: regen
+
+ * Makefile.am: EXTRA_DIST: add
+ data/proxy10-child-child-test.{key,crt}
+
+ * data/gen-req.sh: Fix names and restrictions on the proxy
+ certificates
+
+ * cert.c: Clairfy and make proxy cert handling work for multiple
+ levels, before it was too restrictive. More helpful error message.
+
+2006-12-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cert.c (check_key_usage): tell what keyusages are missing
+
+ * print.c: Split OtherName printing code to a oid lookup and print
+ function.
+
+ * print.c (Time2string): print hour as hour not min
+
+ * Makefile.am: CLEANFILES += test
+
+2006-12-06 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * Makefile.am (EXTRA_DIST): add data/pkinit-proxy* files
+
+ * Makefile.am (EXTRA_DIST): add tst-crypto* files
+
+ * cert.c (hx509_query_match_issuer_serial): make a copy of the
+ data
+
+ * cert.c (hx509_query_match_issuer_serial): allow matching on
+ issuer and serial num
+
+ * cert.c (_hx509_calculate_path): add flag to allow leaving out
+ trust anchor
+
+ * cms.c (hx509_cms_create_signed_1): when building the path, omit
+ the trust anchors.
+
+ * crypto.c (rsa_create_signature): Abort when signature is longer,
+ not shorter.
+
+ * cms.c: Provide time to _hx509_calculate_path so we don't send no
+ longer valid certs to our peer.
+
+ * cert.c (find_parent): when checking for certs and its not a
+ trust anchor, require time be in range.
+ (_hx509_query_match_cert): Add time validity-testing to query mask
+
+ * hx_locl.h: add time validity-testing to query mask
+
+ * test_cms.in: Tests for CMS SignedData with incomplete chain from
+ the signer.
+
+2006-11-28 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cms.c (hx509_cms_verify_signed): specify what signature we
+ failed to verify
+
+ * Makefile.am: Depend on LIB_com_err for AIX.
+
+ * keyset.c: Remove anther strndup that causes AIX to fall over.
+
+ * cert.c: Don't check the trust anchors expiration time since they
+ are transported out of band, from RFC3820.
+
+ * cms.c: sprinkle more error strings
+
+ * crypto.c: sprinkle more error strings
+
+ * hxtool.c: use unsigned int as counter to fit better with the
+ asn1 compiler
+
+ * crypto.c: use unsigned int as counter to fit better with the
+ asn1 compiler
+
+2006-11-27 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cms.c: Remove trailing white space.
+
+ * crypto.c: rewrite comment to make more sense
+
+ * crypto.c (hx509_crypto_select): check sig_algs[j]->key_oid
+
+ * hxtool-commands.in (crypto-available): add --type
+
+ * crypto.c (hx509_crypto_available): let alg pass if its keyless
+
+ * hxtool-commands.in: Expand crypto-select
+
+ * cms.c: Rename hx509_select to hx509_crypto_select.
+
+ * hxtool-commands.in: Add crypto-select and crypto-available.
+
+ * hxtool.c: Add crypto-select and crypto-available.
+
+ * crypto.c (hx509_crypto_available): use right index.
+ (hx509_crypto_free_algs): new function
+
+ * crypto.c (hx509_crypto_select): improve
+ (hx509_crypto_available): new function
+
+2006-11-26 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cert.c: Sprinkle more error string and hx509_contexts.
+
+ * cms.c: Sprinkle more error strings.
+
+ * crypto.c: Sprinkle error string and hx509_contexts.
+
+ * crypto.c: Add some more comments about how this works.
+
+ * crypto.c (hx509_select): new function.
+
+ * Makefile.am: add peer.c
+
+ * hxtool.c: Update hx509_cms_create_signed_1.
+
+ * hx_locl.h: add struct hx509_peer_info
+
+ * peer.c: Allow selection of digest/sig-alg
+
+ * cms.c: Allow selection of a better digest using hx509_peer_info.
+
+ * revoke.c: Handle that _hx509_verify_signature takes a context.
+
+ * cert.c: Handle that _hx509_verify_signature takes a context.
+
+2006-11-25 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cms.c: Sprinkle error strings.
+
+ * crypto.c: Sprinkle context and error strings.
+
+2006-11-24 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * name.c: Handle printing and parsing raw oids in name.
+
+2006-11-23 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cert.c (_hx509_calculate_path): allow to calculate optimistic
+ path when we don't know the trust anchors, just follow the chain
+ upward until we no longer find a parent or we hit the max limit.
+
+ * cms.c (hx509_cms_create_signed_1): provide a best effort path to
+ the trust anchors to be stored in the SignedData packet, if find
+ parents until trust anchor or max length.
+
+ * data: regen
+
+ * data/gen-req.sh: Build pk-init proxy cert.
+
+2006-11-16 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * error.c (hx509_get_error_string): Put ", " between strings in
+ error message.
+
+2006-11-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * data/openssl.cnf: Change realm to TEST.H5L.SE
+
+2006-11-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * revoke.c: Sprinkle error strings.
+
+2006-11-04 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hx_locl.h: add context variable to cmp function.
+
+ * cert.c (hx509_query_match_cmp_func): allow setting the match
+ function.
+
+2006-10-24 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_p11.c: Return less EINVAL.
+
+ * hx509_err.et: add more pkcs11 errors
+
+ * hx509_err.et: more error-codes
+
+ * revoke.c: Return less EINVAL.
+
+ * ks_dir.c: sprinkel more hx509_set_error_string
+
+ * ks_file.c: Return less EINVAL.
+
+ * hxtool.c: Pass in context to _hx509_parse_private_key.
+
+ * ks_file.c: Sprinkle more hx509_context so we can return propper
+ errors.
+
+ * hx509_err.et: add HX509_PARSING_KEY_FAILED
+
+ * crypto.c: Sprinkle more hx509_context so we can return propper
+ errors.
+
+ * collector.c: No more EINVAL.
+
+ * hx509_err.et: add HX509_LOCAL_ATTRIBUTE_MISSING
+
+ * cert.c (hx509_cert_get_base_subject): one less EINVAL
+ (_hx509_cert_private_decrypt): one less EINVAL
+
+2006-10-22 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * collector.c: indent
+
+ * hxtool.c: Try to not leak memory.
+
+ * req.c: clean memory before free
+
+ * crypto.c (_hx509_private_key2SPKI): indent
+
+ * req.c: Try to not leak memory.
+
+2006-10-21 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_crypto.in: Read 50 kilobyte random data
+
+ * revoke.c: Try to not leak memory.
+
+ * hxtool.c: Try to not leak memory.
+
+ * crypto.c (hx509_crypto_destroy): free oid.
+
+ * error.c: Clean error string on failure just to make sure.
+
+ * cms.c: Try to not leak memory (again).
+
+ * hxtool.c: use a sensable content type
+
+ * cms.c: Try harder to free certificate.
+
+2006-10-20 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * Makefile.am: Add make check data.
+
+2006-10-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_p11.c (p11_list_keys): make element of search_data[0]
+ constants and set them later
+
+ * Makefile.am: Add more files.
+
+2006-10-17 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_file.c: set ret, remember to free ivdata
+
+2006-10-16 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hx_locl.h: Include <parse_bytes.h>.
+
+ * test_crypto.in: Test random-data.
+
+ * hxtool.c: RAND_bytes() return 1 for cryptographic strong data,
+ check for that.
+
+ * Makefile.am: clean random-data
+
+ * hxtool.c: Add random-data command, use sl_slc_help.
+
+ * hxtool-commands.in: Add random-data.
+
+ * ks_p12.c: Remember to release certs.
+
+ * ks_p11.c: Remember to release certs.
+
+2006-10-14 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * prefix der primitives with der_
+
+ * lock.c: Match the prompt type PROMPT exact.
+
+ * hx_locl.h: Drop heim_any.h
+
+2006-10-11 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_p11.c (p11_release_module): j needs to be used as inter loop
+ index. From Douglas Engert.
+
+ * ks_file.c (parse_rsa_private_key): try all passwords and
+ prompter.
+
+2006-10-10 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_*.in: Parameterise the invocation of hxtool, so we can make
+ it run under TESTS_ENVIRONMENT. From Andrew Bartlett
+
+2006-10-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_crypto.in: Put all test stuck at 2006-09-25 since all their
+ chains where valied then.
+
+ * hxtool.c: Implement --time= option.
+
+ * hxtool-commands.in: Add option time.
+
+ * Makefile.am: test_name is a PROGRAM_TESTS
+
+ * ks_p11.c: Return HX509_PKCS11_NO_SLOT when there are no slots
+ and HX509_PKCS11_NO_TOKEN when there are no token. For use in PAM
+ modules that want to detect when to use smartcard login and when
+ not to. Patched based on code from Douglas Engert.
+
+ * hx509_err.et: Add new pkcs11 related errors in a new section:
+ keystore related error. Patched based on code from Douglas
+ Engert.
+
+2006-10-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * Makefile.am: Make depenency for slc built files just like
+ everywhere else.
+
+ * cert.c: Add all openssl algs and init asn1 et
+
+2006-10-06 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_file.c (parse_rsa_private_key): free type earlier.
+
+ * ks_file.c (parse_rsa_private_key): free type after use
+
+ * name.c (_hx509_Name_to_string): remove dup const
+
+2006-10-02 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * Makefile.am: Add more libs to libhx509
+
+2006-10-01 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_p11.c: Fix double free's, NULL ptr de-reference, and conform
+ better to pkcs11. From Douglas Engert.
+
+ * ref: remove ^M, it breaks solaris 10s cc. From Harald Barth
+
+2006-09-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_crypto.in: Bleichenbacher bad cert from Ralf-Philipp
+ Weinmann and Andrew Pyshkin, pad right.
+
+ * data: starfield test root cert and Ralf-Philipp and Andreis
+ correctly padded bad cert
+
+2006-09-15 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_crypto.in: Add test for yutaka certs.
+
+ * cert.c: Add a strict rfc3280 verification flag. rfc3280 requires
+ certificates to have KeyUsage.keyCertSign if they are to be used
+ for signing of certificates, but the step in the verifiation is
+ optional.
+
+ * hxtool.c: Improve printing and error reporting.
+
+2006-09-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_crypto.in,Makefile.am,data/bleichenbacher-{bad,good}.pem:
+ test bleichenbacher from eay
+
+2006-09-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hxtool.c: Make common function for all getarg_strings and
+ hx509_certs_append commonly used.
+
+ * cms.c: HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT is a negative
+ flag, treat it was such.
+
+2006-09-11 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * req.c: Use the new add_GeneralNames function.
+
+ * hx509.h: Add HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT.
+
+ * ks_p12.c: Adapt to new signature of hx509_cms_unenvelope.
+
+ * hxtool.c: Adapt to new signature of hx509_cms_unenvelope.
+
+ * cms.c: Allow passing in encryptedContent and flag. Add new flag
+ HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT.
+
+2006-09-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_p11.c: cast void * to char * when using it for %s formating
+ in printf.
+
+ * name.c: New function _hx509_Name_to_string.
+
+2006-09-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_file.c: Sprinkle error messages.
+
+ * cms.c: Sprinkle even more error messages.
+
+ * cms.c: Sprinkle some error messages.
+
+ * cms.c (find_CMSIdentifier): only free string when we allocated
+ one.
+
+ * ks_p11.c: Don't build most of the pkcs11 module if there are no
+ dlopen().
+
+2006-09-06 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cms.c (hx509_cms_unenvelope): try to save the error string from
+ find_CMSIdentifier so we have one more bit of information what
+ went wrong.
+
+ * hxtool.c: More pretty printing, make verify_signed return the
+ error string from the library.
+
+ * cms.c: Try returning what certificates failed to parse or be
+ found.
+
+ * ks_p11.c (p11_list_keys): fetch CKA_LABEL and use it to set the
+ friendlyname for the certificate.
+
+2006-09-05 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * crypto.c: check that there are no extra bytes in the checksum
+ and that the parameters are NULL or the NULL-type. All to avoid
+ having excess data that can be used to fake the signature.
+
+ * hxtool.c: print keyusage
+
+ * print.c: add hx509_cert_keyusage_print, simplify oid printing
+
+ * cert.c: add _hx509_cert_get_keyusage
+
+ * ks_p11.c: keep one session around for the whole life of the keyset
+
+ * test_query.in: tests more selection
+
+ * hxtool.c: improve pretty printing in print and query
+
+ * hxtool{.c,-commands.in}: add selection on KU and printing to query
+
+ * test_cms.in: Add cms test for digitalSignature and
+ keyEncipherment certs.
+
+ * name.c (no): Add serialNumber
+
+ * ks_p11.c (p11_get_session): return better error messages
+
+2006-09-04 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ref: update to pkcs11 reference files 2.20
+
+ * ks_p11.c: add more mechflags
+
+ * name.c (no): add OU and sort
+
+ * revoke.c: pass context to _hx509_create_signature
+
+ * ks_p11.c (p11_printinfo): print proper plural s
+
+ * ks_p11.c: save the mechs supported when initing the token, print
+ them in printinfo.
+
+ * hx_locl.h: Include <parse_units.h>.
+
+ * cms.c: pass context to _hx509_create_signature
+
+ * req.c: pass context to _hx509_create_signature
+
+ * keyset.c (hx509_certs_info): print information about the keyset.
+
+ * hxtool.c (pcert_print) print keystore info when --info flag is
+ given.
+
+ * hxtool-commands.in: Add hxtool print --info.
+
+ * test_query.in: Test hxtool print --info.
+
+ * hx_locl.h (hx509_keyset_ops): add printinfo
+
+ * crypto.c: Start to hang the private key operations of the
+ private key, pass hx509_context to create_checksum.
+
+2006-05-29 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_p11.c: Iterate over all slots, not just the first/selected
+ one.
+
+2006-05-27 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cert.c: Add release function for certifiates so backend knowns
+ when its no longer used.
+
+ * ks_p11.c: Add reference counting on certifiates, push out
+ CK_SESSION_HANDLE from slot.
+
+ * cms.c: sprinkle more hx509_clear_error_string
+
+2006-05-22 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_p11.c: Sprinkle some hx509_set_error_strings
+
+2006-05-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hxtool.c: Avoid shadowing.
+
+ * revoke.c: Avoid shadowing.
+
+ * ks_file.c: Avoid shadowing.
+
+ * cert.c: Avoid shadowing.
+
+2006-05-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lock.c (hx509_prompt_hidden): reshuffle to avoid gcc warning
+
+ * hx509.h: Reshuffle the prompter types, remove the hidden field.
+
+ * lock.c (hx509_prompt_hidden): return if the prompt should be
+ hidden or not
+
+ * revoke.c (hx509_revoke_free): allow free of NULL.
+
+2006-05-11 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_file.c (file_init): Avoid shadowing ret (and thus avoiding
+ crashing).
+
+ * ks_dir.c: Implement DIR: caches useing FILE: caches.
+
+ * ks_p11.c: Catch more errors.
+
+2006-05-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * crypto.c (hx509_crypto_encrypt): free correctly in error
+ path. From Andrew Bartlett.
+
+ * crypto.c: If RAND_bytes fails, then we will attempt to
+ double-free crypt->key.data. From Andrew Bartlett.
+
+2006-05-05 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * name.c: Rename u_intXX_t to uintXX_t
+
+2006-05-03 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * TODO: More to do about the about the PKCS11 code.
+
+ * ks_p11.c: Use the prompter from the lock function.
+
+ * lock.c: Deal with that hx509_prompt.reply is no longer a
+ pointer.
+
+ * hx509.h: Make hx509_prompt.reply not a pointer.
+
+2006-05-02 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * keyset.c: Sprinkle setting error strings.
+
+ * crypto.c: Sprinkle setting error strings.
+
+ * collector.c: Sprinkle setting error strings.
+
+ * cms.c: Sprinkle setting error strings.
+
+2006-05-01 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_name.c: renamed one error code
+
+ * name.c: renamed one error code
+
+ * ks_p11.c: _hx509_set_cert_attribute changed signature
+
+ * hxtool.c (pcert_print): use hx509_err so I can test it
+
+ * error.c (hx509_set_error_stringv): clear errors on malloc
+ failure
+
+ * hx509_err.et: Add some more errors
+
+ * cert.c: Sprinkle setting error strings.
+
+ * cms.c: _hx509_path_append changed signature.
+
+ * revoke.c: changed signature of _hx509_check_key_usage
+
+ * keyset.c: changed signature of _hx509_query_match_cert
+
+ * hx509.h: Add support for error strings.
+
+ * cms.c: changed signature of _hx509_check_key_usage
+
+ * Makefile.am: ibhx509_la_files += error.c
+
+ * ks_file.c: Sprinkel setting error strings.
+
+ * cert.c: Sprinkel setting error strings.
+
+ * hx_locl.h: Add support for error strings.
+
+ * error.c: Add string error handling functions.
+
+ * keyset.c (hx509_certs_init): pass the right error code back
+
+2006-04-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * revoke.c: Revert previous patch.
+ (hx509_ocsp_verify): new function that returns the expiration of
+ certificate in ocsp data-blob
+
+ * cert.c: Reverse previous patch, lets do it another way.
+
+ * cert.c (hx509_revoke_verify): update usage
+
+ * revoke.c: Make compile.
+
+ * revoke.c: Add the expiration time the crl/ocsp info expire
+
+ * name.c: Add hx509_name_is_null_p
+
+ * cert.c: remove _hx509_cert_private_sigature
+
+2006-04-29 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * name.c: Expose more of Name.
+
+ * hxtool.c (main): add missing argument to printf
+
+ * data/openssl.cnf: Add EKU for the KDC certificate
+
+ * cert.c (hx509_cert_get_base_subject): reject un-canon proxy
+ certs, not the reverse
+ (add_to_list): constify and fix argument order to
+ copy_octet_string
+ (hx509_cert_find_subjectAltName_otherName): make work
+
+2006-04-28 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * data/{pkinit,kdc}.{crt,key}: pkinit certificates
+
+ * data/gen-req.sh: Generate pkinit certificates.
+
+ * data/openssl.cnf: Add pkinit glue.
+
+ * cert.c (hx509_verify_hostname): implement stub function
+
+2006-04-27 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * TODO: CRL delta support
+
+2006-04-26 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * data/.cvsignore: ignore leftover from OpenSSL cert generation
+
+ * hx509_err.et: Add name malformated error
+
+ * name.c (hx509_parse_name): don't abort on error, rather return
+ error
+
+ * test_name.c: Test failure parsing name.
+
+ * cert.c: When verifying certificates, store subject basename for
+ later consumption.
+
+ * test_name.c: test to parse and print name and check that they
+ are the same.
+
+ * name.c (hx509_parse_name): fix length argument to printf string
+
+ * name.c (hx509_parse_name): fix length argument to stringtooid, 1
+ too short.
+
+ * cert.c: remove debug printf's
+
+ * name.c (hx509_parse_name): make compile pre c99
+
+ * data/gen-req.sh: OpenSSL have a serious issue of user confusion
+ -subj in -ca takes the arguments in LDAP order. -subj for x509
+ takes it in x509 order.
+
+ * cert.c (hx509_verify_path): handle the case where the where two
+ proxy certs in a chain.
+
+ * test_chain.in: enable two proxy certificates in a chain test
+
+ * test_chain.in: tests proxy certificates
+
+ * data: re-gen
+
+ * data/gen-req.sh: build proxy certificates
+
+ * data/openssl.cnf: add def for proxy10_cert
+
+ * hx509_err.et: Add another proxy certificate error.
+
+ * cert.c (hx509_verify_path): Need to mangle name to remove the CN
+ of the subject, copying issuer only works for one level but is
+ better then doing no checking at all.
+
+ * hxtool.c: Add verify --allow-proxy-certificate.
+
+ * hxtool-commands.in: add verify --allow-proxy-certificate
+
+ * hx509_err.et: Add proxy certificate errors.
+
+ * cert.c: Fix comment about subject name of proxy certificate.
+
+ * test_chain.in: tests for proxy certs
+
+ * data/gen-req.sh: gen proxy and non-proxy tests certificates
+
+ * data/openssl.cnf: Add definition for proxy certs
+
+ * data/*proxy-test.*: Add proxy certificates
+
+ * cert.c (hx509_verify_path): verify proxy certificate have no san
+ or ian
+
+ * cert.c (hx509_verify_set_proxy_certificate): Add
+ (*): rename policy cert to proxy cert
+
+ * cert.c: Initial support for proxy certificates.
+
+2006-04-24 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hxtool.c: some error checking
+
+ * name.c: Switch over to asn1 generaed oids.
+
+ * TODO: merge with old todo file
+
+2006-04-23 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_query.in: make quiet
+
+ * test_req.in: SKIP test if there is no RSA support.
+
+ * hxtool.c: print dh method too
+
+ * test_chain.in: SKIP test if there is no RSA support.
+
+ * test_cms.in: SKIP test if there is no RSA support.
+
+ * test_nist.in: SKIP test if there is no RSA support.
+
+2006-04-22 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hxtool-commands.in: Allow passing in pool and anchor to
+ signedData
+
+ * hxtool.c: Allow passing in pool and anchor to signedData
+
+ * test_cms.in: Test that certs in signed data is picked up.
+
+ * hx_locl.h: Expose the path building function to internal
+ functions.
+
+ * cert.c: Expose the path building function to internal functions.
+
+ * hxtool-commands.in: cms-envelope: Add support for choosing the
+ encryption type
+
+ * hxtool.c (cms_create_enveloped): Add support for choosing the
+ encryption type
+
+ * test_cms.in: Test generating des-ede3 aes-128 aes-256 enveloped
+ data
+
+ * crypto.c: Add names to cipher types.
+
+ * cert.c (hx509_query_match_friendly_name): fix return value
+
+ * data/gen-req.sh: generate tests for enveloped data using
+ des-ede3 and aes256
+
+ * test_cms.in: add tests for enveloped data using des-ede3 and
+ aes256
+
+ * cert.c (hx509_query_match_friendly_name): New function.
+
+2006-04-21 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_p11.c: Add support for parsing slot-number.
+
+ * crypto.c (oid_private_rc2_40): simply
+
+ * crypto.c: Use oids from asn1 generator.
+
+ * ks_file.c (file_init): reset length when done with a part
+
+ * test_cms.in: check with test.combined.crt.
+
+ * data/gen-req.sh: Create test.combined.crt.
+
+ * test_cms.in: Test signed data using keyfile that is encrypted.
+
+ * ks_file.c: Remove (commented out) debug printf
+
+ * ks_file.c (parse_rsa_private_key): use EVP_get_cipherbyname
+
+ * ks_file.c (parse_rsa_private_key): make working for one
+ password.
+
+ * ks_file.c (parse_rsa_private_key): Implement enought for
+ testing.
+
+ * hx_locl.h: Add <ctype.h>
+
+ * ks_file.c: Add glue code for PEM encrypted password files.
+
+ * test_cms.in: Add commeted out password protected PEM file,
+ remove password for those tests that doesn't need it.
+
+ * test_cms.in: adapt test now that we can use any certificate and
+ trust anchor
+
+ * collector.c: handle PEM RSA PRIVATE KEY files
+
+ * cert.c: Remove unused function.
+
+ * ks_dir.c: move code here from ks_file.c now that its no longer
+ used.
+
+ * ks_file.c: Add support for parsing unencrypted RSA PRIVATE KEY
+
+ * crypto.c: Handle rsa private keys better.
+
+2006-04-20 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hxtool.c: Use hx509_cms_{,un}wrap_ContentInfo
+
+ * cms.c: Make hx509_cms_{,un}wrap_ContentInfo usable in asn1
+ un-aware code.
+
+ * cert.c (hx509_verify_path): if trust anchor is not self signed,
+ don't check sig From Douglas Engert.
+
+ * test_chain.in: test "sub-cert -> sub-ca"
+
+ * crypto.c: Use the right length for the sha256 checksums.
+
+2006-04-15 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * crypto.c: Fix breakage from sha256 code.
+
+ * crypto.c: Add SHA256 support, and symbols for the other new
+ SHA-2 types.
+
+2006-04-14 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_cms.in: test rc2-40 rc2-64 rc2-128 enveloped data
+
+ * data/test-enveloped-rc2-{40,64,128}: add tests cases for rc2
+
+ * cms.c: Update prototypes changes for hx509_crypto_[gs]et_params.
+
+ * crypto.c: Break out the parameter handling code for encrypting
+ data to handle RC2. Needed for Windows 2k pk-init support.
+
+2006-04-04 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * Makefile.am: Split libhx509_la_SOURCES into build file and
+ distributed files so we can avoid building prototypes for
+ build-files.
+
+2006-04-03 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * TODO: split certificate request into pkcs10 and CRMF
+
+ * hxtool-commands.in: Add nonce flag to ocsp-fetch
+
+ * hxtool.c: control sending nonce
+
+ * hxtool.c (request_create): store the request in a file, no in
+ bitbucket.
+
+ * cert.c: expose print_cert_subject internally
+
+ * hxtool.c: Add ocsp_print.
+
+ * hxtool-commands.in: New command "ocsp-print".
+
+ * hx_locl.h: Include <hex.h>.
+
+ * revoke.c (verify_ocsp): require issuer to match too.
+ (free_ocsp): new function
+ (hx509_revoke_ocsp_print): new function, print ocsp reply
+
+ * Makefile.am: build CRMF files
+
+ * data/key.der: needed for cert request test
+
+ * test_req.in: adapt to rename of pkcs10-create to request-create
+
+ * hxtool.c: adapt to rename of pkcs10-create to request-create
+
+ * hxtool-commands.in: Rename pkcs10-create to request-create
+
+ * crypto.c: (_hx509_parse_private_key): Avoid crashing on bad input.
+
+ * hxtool.c (pkcs10_create): use opt->subject_string
+
+ * hxtool-commands.in: Add pkcs10-create --subject
+
+ * Makefile.am: Add test_req to tests.
+
+ * test_req.in: Test for pkcs10 commands.
+
+ * name.c (hx509_parse_name): new function.
+
+ * hxtool.c (pkcs10_create): implement
+
+ * hxtool-commands.in (pkcs10-create): Add arguments
+
+ * crypto.c: Add _hx509_private_key2SPKI and support
+ functions (only support RSA for now).
+
+2006-04-02 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hxtool-commands.in: Add pkcs10-create command.
+
+ * hx509.h: Add hx509_request.
+
+ * TODO: more stuff
+
+ * Makefile.am: Add req.c
+
+ * req.c: Create certificate requests, prototype converts the
+ request in a pkcs10 packet.
+
+ * hxtool.c: Add pkcs10_create
+
+ * name.c (hx509_name_copy): new function.
+
+2006-04-01 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * TODO: fill out what do
+
+ * hxtool-commands.in: add pkcs10-print
+
+ * hx_locl.h: Include <pkcs10_asn1.h>.
+
+ * pkcs10.asn1: PKCS#10
+
+ * hxtool.c (pkcs10_print): new function.
+
+ * test_chain.in: test ocsp keyhash
+
+ * data: generate ocsp keyhash version too
+
+ * revoke.c (load_ocsp): test that we got back a BasicReponse
+
+ * ocsp.asn1: Add asn1_id_pkix_ocsp*.
+
+ * Makefile.am: Add asn1_id_pkix_ocsp*.
+
+ * cert.c: Add HX509_QUERY_MATCH_KEY_HASH_SHA1
+
+ * hx_locl.h: Add HX509_QUERY_MATCH_KEY_HASH_SHA1
+
+ * revoke.c: Support OCSPResponderID.byKey, indent.
+
+ * revoke.c (hx509_ocsp_request): Add nonce to ocsp request.
+
+ * hxtool.c: Add nonce to ocsp request.
+
+ * test_chain.in: Added crl tests
+
+ * data/nist-data: rename missing-crl to missing-revoke
+
+ * data: make ca use openssl ca command so we can add ocsp tests,
+ and regen certs
+
+ * test_chain.in: Add revoked ocsp cert test
+
+ * cert.c: rename missing-crl to missing-revoke
+
+ * revoke.c: refactor code, fix a un-init-ed variable
+
+ * test_chain.in: rename missing-crl to missing-revoke add ocsp
+ tests
+
+ * test_cms.in: rename missing-crl to missing-revoke
+
+ * hxtool.c: rename missing-crl to missing-revoke
+
+ * hxtool-commands.in: rename missing-crl to missing-revoke
+
+ * revoke.c: Plug one memory leak.
+
+ * revoke.c: Renamed generic CRL related errors.
+
+ * hx509_err.et: Comments and renamed generic CRL related errors
+
+ * revoke.c: Add ocsp checker.
+
+ * ocsp.asn1: Add id-kp-OCSPSigning
+
+ * hxtool-commands.in: add url-path argument to ocsp-fetch
+
+ * hxtool.c: implement ocsp-fetch
+
+ * cert.c: Use HX509_DEFAULT_OCSP_TIME_DIFF.
+
+ * hx_locl.h: Add ocsp_time_diff to hx509_context
+
+ * crypto.c (_hx509_verify_signature_bitstring): new function,
+ commonly use when checking certificates
+
+ * cms.c (hx509_cms_envelope_1): check for internal ASN.1 encoder
+ error
+
+ * cert.c: Add ocsp glue, use new
+ _hx509_verify_signature_bitstring, add eku checking function.
+
+2006-03-31 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * Makefile.am: add id_kp_OCSPSigning.x
+
+ * revoke.c: Pick out certs in ocsp response
+
+ * TODO: list of stuff to verify
+
+ * revoke.c: Add code to load OCSPBasicOCSPResponse files, reload
+ crl when its changed on disk.
+
+ * cert.c: Update for ocsp merge. handle building path w/o
+ subject (using subject key id)
+
+ * ks_p12.c: _hx509_map_file changed prototype.
+
+ * file.c: _hx509_map_file changed prototype, returns struct stat
+ if requested.
+
+ * ks_file.c: _hx509_map_file changed prototype.
+
+ * hxtool.c: Add stub for ocsp-fetch, _hx509_map_file changed
+ prototype, add ocsp parsing to verify command.
+
+ * hx_locl.h: rename HX509_CTX_CRL_MISSING_OK to
+ HX509_CTX_VERIFY_MISSING_OK now that we have OCSP glue
+
+2006-03-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hx_locl.h: Add <krb5-types.h> to make it compile on Solaris,
+ from Alex V. Labuta.
+
+2006-03-28 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * crypto.c (_hx509_pbe_decrypt): try all passwords, not just the
+ first one.
+
+2006-03-27 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * print.c (check_altName): Print the othername oid.
+
+ * crypto.c: Manual page claims RSA_public_decrypt will return -1
+ on error, lets check for that
+
+ * crypto.c (_hx509_pbe_decrypt): also try the empty password
+
+ * collector.c (match_localkeyid): no need to add back the cert to
+ the cert pool, its already there.
+
+ * crypto.c: Add REQUIRE_SIGNER
+
+ * cert.c (hx509_cert_free): ok to free NULL
+
+ * hx509_err.et: Add new error code SIGNATURE_WITHOUT_SIGNER.
+
+ * name.c (_hx509_name_ds_cmp): make DirectoryString case
+ insenstive
+ (hx509_name_to_string): less spacing
+
+ * cms.c: Check for signature error, check consitency of error
+
+2006-03-26 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * collector.c (_hx509_collector_alloc): handle errors
+
+ * cert.c (hx509_query_alloc): allocate slight more more then a
+ sizeof(pointer)
+
+ * crypto.c (_hx509_private_key_assign_key_file): ask for password
+ if nothing matches.
+
+ * cert.c: Expose more of the hx509_query interface.
+
+ * collector.c: hx509_certs_find is now exposed.
+
+ * cms.c: hx509_certs_find is now exposed.
+
+ * revoke.c: hx509_certs_find is now exposed.
+
+ * keyset.c (hx509_certs_free): allow free-ing NULL
+ (hx509_certs_find): expose
+ (hx509_get_one_cert): new function
+
+ * hxtool.c: hx509_certs_find is now exposed.
+
+ * hx_locl.h: Remove hx509_query, its exposed now.
+
+ * hx509.h: Add hx509_query.
+
+2006-02-22 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cert.c: Add exceptions for null (empty) subjectNames
+
+ * data/nist-data: Add some more name constraints tests.
+
+ * data/nist-data: Add some of the test from 4.13 Name Constraints.
+
+ * cert.c: Name constraits needs to be evaluated in block as they
+ appear in the certificates, they can not be joined to one
+ list. One example of this is:
+
+ - cert is cn=foo,dc=bar,dc=baz
+ - subca is dc=foo,dc=baz with name restriction dc=kaka,dc=baz
+ - ca is dc=baz with name restriction dc=baz
+
+ If the name restrictions are merged to a list, the certificate
+ will pass this test.
+
+2006-02-14 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cert.c: Handle more name constraints cases.
+
+ * crypto.c (dsa_verify_signature): if test if malloc failed
+
+2006-01-31 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cms.c: Drop partial pkcs12 string2key implementation.
+
+2006-01-20 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * data/nist-data: Add commited out DSA tests (they fail).
+
+ * data/nist-data: Add 4.2 Validity Periods.
+
+ * test_nist.in: Make less verbose to use.
+
+ * Makefile.am: Add test_nist_cert.
+
+ * data/nist-data: Add some more CRL-tests.
+
+ * test_nist.in: Print $id instead of . when running the tests.
+
+ * test_nist.in: Drop verifying certifiates, its done in another
+ test now.
+
+ * data/nist-data: fixup kill-rectangle leftovers
+
+ * data/nist-data: Drop verifying certifiates, its done in another
+ test now. Add more crl tests. comment out all unused tests.
+
+ * test_nist_cert.in: test parse all nist certs
+
+2006-01-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hx509_err.et: Add HX509_CRL_UNKNOWN_EXTENSION.
+
+ * revoke.c: Check for unknown extentions in CRLs and CRLEntries.
+
+ * test_nist.in: Parse new format to handle CRL info.
+
+ * test_chain.in: Add --missing-crl.
+
+ * name.c (hx509_unparse_der_name): Rename from hx509_parse_name.
+ (_hx509_unparse_Name): Add.
+
+ * hxtool-commands.in: Add --missing-crl to verify commands.
+
+ * hx509_err.et: Add CRL errors.
+
+ * cert.c (hx509_context_set_missing_crl): new function Add CRL
+ handling.
+
+ * hx_locl.h: Add HX509_CTX_CRL_MISSING_OK.
+
+ * revoke.c: Parse and verify CRLs (simplistic).
+
+ * hxtool.c: Parse CRL info.
+
+ * data/nist-data: Change format so we can deal with CRLs, also
+ note the test-id from PKITS.
+
+ * data: regenerate test
+
+ * data/gen-req.sh: use static-file to generate tests
+
+ * data/static-file: new file to use for commited tests
+
+ * test_cms.in: Use static file, add --missing-crl.
+
+2006-01-18 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * print.c: Its cRLReason, not cRLReasons.
+
+ * hxtool.c: Attach revoke context to verify context.
+
+ * data/nist-data: change syntax to make match better with crl
+ checks
+
+ * cert.c: Verify no certificates has been revoked with the new
+ revoke interface.
+
+ * Makefile.am: libhx509_la_SOURCES += revoke.c
+
+ * revoke.c: Add framework for handling CRLs.
+
+ * hx509.h: Add hx509_revoke_ctx.
+
+2006-01-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * delete crypto_headers.h, use global file instead.
+
+ * crypto.c (PBE_string2key): libdes now supports PKCS12_key_gen
+
+2006-01-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * crypto_headers.h: Need BN_is_negative too.
+
+2006-01-11 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ks_p11.c (p11_rsa_public_decrypt): since is wrong, don't provide
+ it. PKCS11 can't do public_decrypt, it support verify though. All
+ this doesn't matter, since the code never go though this path.
+
+ * crypto_headers.h: Provide glue to compile with less warnings
+ with OpenSSL
+
+2006-01-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * Makefile.am: Depend on LIB_des
+
+ * lock.c: Use "crypto_headers.h".
+
+ * crypto_headers.h: Include the two diffrent implementation of
+ crypto headers.
+
+ * cert.c: Use "crypto-headers.h". Load ENGINE configuration.
+
+ * crypto.c: Make compile with both OpenSSL and heimdal libdes.
+
+ * ks_p11.c: Add code for public key decryption (not supported yet)
+ and use "crypto-headers.h".
+
+
+2006-01-04 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * add a hx509_context where we can store configuration
+
+ * p11.c,Makefile.am: pkcs11 is now supported by library, remove
+ old files.
+
+ * ks_p11.c: more paranoid on refcount, set refcounter ealier,
+ reset pointers after free
+
+ * collector.c (struct private_key): remove temporary key data
+ storage, convert directly to a key
+ (match_localkeyid): match certificate and key using localkeyid
+ (match_keys): match certificate and key using _hx509_match_keys
+ (_hx509_collector_collect): rewrite to use match_keys and
+ match_localkeyid
+
+ * crypto.c (_hx509_match_keys): function that determins if a
+ private key matches a certificate, used when there is no
+ localkeyid.
+ (*) reset free pointer
+
+ * ks_file.c: Rewrite to use collector and mapping support
+ function.
+
+ * ks_p11.c (rsa_pkcs1_method): constify
+
+ * ks_p11.c: drop extra wrapping of p11_init
+
+ * crypto.c (_hx509_private_key_assign_key_file): use function to
+ extact rsa key
+
+ * cert.c: Revert previous, refcounter is unsigned, so it can never
+ be negative.
+
+ * cert.c (hx509_cert_ref): more refcount paranoia
+
+ * ks_p11.c: Implement rsa_private_decrypt and add stubs for public
+ ditto.
+
+ * ks_p11.c: Less printf, less memory leaks.
+
+ * ks_p11.c: Implement signing using pkcs11.
+
+ * ks_p11.c: Partly assign private key, enough to complete
+ collection, but not any crypto functionallity.
+
+ * collector.c: Use hx509_private_key to assign private keys.
+
+ * crypto.c: Remove most of the EVP_PKEY code, and use RSA
+ directly, this temporary removes DSA support.
+
+ * hxtool.c (print_f): print if there is a friendly name and if
+ there is a private key
+
+2006-01-03 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * name.c: Avoid warning from missing __attribute__((noreturn))
+
+ * lock.c (_hx509_lock_unlock_certs): return unlock certificates
+
+ * crypto.c (_hx509_private_key_assign_ptr): new function, exposes
+ EVP_PKEY
+ (_hx509_private_key_assign_key_file): remember to free private key
+ if there is one.
+
+ * cert.c (_hx509_abort): add newline to output and flush stdout
+
+ * Makefile.am: libhx509_la_SOURCES += collector.c
+
+ * hx_locl.h: forward type declaration of struct hx509_collector.
+
+ * collector.c: Support functions to collect certificates and
+ private keys and then match them.
+
+ * ks_p12.c: Use the new hx509_collector support functions.
+
+ * ks_p11.c: Add enough glue to support certificate iteration.
+
+ * test_nist_pkcs12.in: Less verbose.
+
+ * cert.c (hx509_cert_free): if there is a private key assosited
+ with this cert, free it
+
+ * print.c: Use _hx509_abort.
+
+ * ks_p12.c: Use _hx509_abort.
+
+ * hxtool.c: Use _hx509_abort.
+
+ * crypto.c: Use _hx509_abort.
+
+ * cms.c: Use _hx509_abort.
+
+ * cert.c: Use _hx509_abort.
+
+ * name.c: use _hx509_abort
+
+2006-01-02 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * name.c (hx509_name_to_string): don't cut bmpString in half.
+
+ * name.c (hx509_name_to_string): don't overwrite with 1 byte with
+ bmpString.
+
+ * ks_file.c (parse_certificate): avoid stomping before array
+
+ * name.c (oidtostring): avoid leaking memory
+
+ * keyset.c: Add _hx509_ks_dir_register.
+
+ * Makefile.am (libhx509_la_SOURCES): += ks_dir.c
+
+ * hxtool-commands.in: Remove pkcs11.
+
+ * hxtool.c: Remove pcert_pkcs11.
+
+ * ks_file.c: Factor out certificate parsing code.
+
+ * ks_dir.c: Add new keystore that treats all files in a directory
+ a keystore, useful for regression tests.
+
+2005-12-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_nist_pkcs12.in: Test parse PKCS12 files from NIST.
+
+ * data/nist-data: Can handle DSA certificate.
+
+ * hxtool.c: Print error code on failure.
+
+2005-10-29 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * crypto.c: Support DSA signature operations.
+
+2005-10-04 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * print.c: Validate that issuerAltName and subjectAltName isn't
+ empty.
+
+2005-09-14 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * p11.c: Cast to unsigned char to avoid warning.
+
+ * keyset.c: Register pkcs11 module.
+
+ * Makefile.am: Add ks_p11.c, install hxtool.
+
+ * ks_p11.c: Starting point of a pkcs11 module.
+
+2005-09-04 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lock.c: Implement prompter.
+
+ * hxtool-commands.in: add --content to print
+
+ * hxtool.c: Split verify and print.
+
+ * cms.c: _hx509_pbe_decrypt now takes a hx509_lock.
+
+ * crypto.c: Make _hx509_pbe_decrypt take a hx509_lock, workaround
+ for empty password.
+
+ * name.c: Add DC, handle all Directory strings, fix signless
+ problems.
+
+2005-09-03 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_query.in: Pass in --pass to all commands.
+
+ * hxtool.c: Use option --pass.
+
+ * hxtool-commands.in: Add --pass to all commands.
+
+ * hx509_err.et: add UNKNOWN_LOCK_COMMAND and CRYPTO_NO_PROMPTER
+
+ * test_cms.in: pass in password to cms-create-sd
+
+ * crypto.c: Abstract out PBE_string2key so I can add PBE2 s2k
+ later. Avoid signess warnings with OpenSSL.
+
+ * cms.c: Use void * instead of char * for to avoid signedness
+ issues
+
+ * cert.c (hx509_cert_get_attribute): remove const, its not
+
+ * ks_p12.c: Cast size_t to unsigned long when print.
+
+ * name.c: Fix signedness warning.
+
+ * test_query.in: Use echo, the function check isn't defined here.
+
+2005-08-11 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hxtool-commands.in: Add more options that was missing.
+
+2005-07-28 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * test_cms.in: Use --certificate= for enveloped/unenvelope.
+
+ * hxtool.c: Use --certificate= for enveloped/unenvelope. Clean
+ up.
+
+ * test_cms.in: add EnvelopeData tests
+
+ * hxtool.c: use id-envelopedData for ContentInfo
+
+ * hxtool-commands.in: add contentinfo wrapping for create/unwrap
+ enveloped data
+
+ * hxtool.c: add contentinfo wrapping for create/unwrap enveloped
+ data
+
+ * data/gen-req.sh: add enveloped data (aes128)
+
+ * crypto.c: add "new" RC2 oid
+
+2005-07-27 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hx_locl.h, cert.c: Add HX509_QUERY_MATCH_FUNCTION that allows
+ caller to match by function, note that this doesn't not work
+ directly for backends that implements ->query, they must do their
+ own processing. (I'm running out of flags, only 12 left now)
+
+ * test_cms.in: verify ContentInfo wrapping code in hxtool
+
+ * hxtool-commands.in (cms_create_sd): support wrapping in content
+ info spelling
+
+ * hxtool.c (cms_create_sd): support wrapping in content info
+
+ * test_cms.in: test more cms signeddata messages
+
+ * data/gen-req.sh: generate SignedData
+
+ * hxtool.c (cms_create_sd): support certificate store, add support
+ to unwrap a ContentInfo the SignedData inside.
+
+ * crypto.c: sprinkel rk_UNCONST
+
+ * crypto.c: add DER NULL to the digest oid's
+
+ * hxtool-commands.in: add --content-info to cms-verify-sd
+
+ * cms.c (hx509_cms_create_signed_1): pass in a full
+ AlgorithmIdentifier instead of heim_oid for digest_alg
+
+ * crypto.c: make digest_alg a digest_oid, it's not needed right
+ now
+
+ * hx509_err.et: add CERT_NOT_FOUND
+
+ * keyset.c (_hx509_certs_find): add error code for cert not
+ found
+
+ * cms.c (hx509_cms_verify_signed): add external store of
+ certificates, use the right digest algorithm identifier.
+
+ * cert.c: fix const warning
+
+ * ks_p12.c: slightly less verbose
+
+ * cert.c: add hx509_cert_find_subjectAltName_otherName, add
+ HX509_QUERY_MATCH_FRIENDLY_NAME
+
+ * hx509.h: add hx509_octet_string_list, remove bad comment
+
+ * hx_locl.h: add HX509_QUERY_MATCH_FRIENDLY_NAME
+
+ * keyset.c (hx509_certs_append): needs a hx509_lock, add one
+
+ * Makefile.am: add test cases tempfiles to CLEANFILES
+
+ * Makefile.am: add test_query to TESTS, fix dependency on hxtool
+ sources on hxtool-commands.h
+
+ * hxtool-commands.in: explain what signer is for create-sd
+
+ * hxtool.c: add query, add more options to verify-sd and create-sd
+
+ * test_cms.in: add more cms tests
+
+ * hxtool-commands.in: add query, add more options to verify-sd
+
+ * test_query.in: test query interface
+
+ * data: fix filenames for ds/ke files, add pkcs12 files, regen
+
+ * hxtool.c,Makefile.am,hxtool-commands.in: switch to slc
+
+2005-07-26 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cert.c (hx509_verify_destroy_ctx): add
+
+ * hxtool.c: free hx509_verify_ctx
+
+ * name.c (_hx509_name_ds_cmp): make sure all strings are not equal
+
+2005-07-25 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * hxtool.c: return error
+
+ * keyset.c: return errors from iterations
+
+ * test_chain.in: clean up checks
+
+ * ks_file.c (parse_certificate): return errno's not 1 in case of
+ error
+
+ * ks_file.c (file_iter): make sure endpointer is NULL
+
+ * ks_mem.c (mem_iter): follow conversion and return NULL when we
+ get to the end, not ENOENT.
+
+ * Makefile.am: test_chain depends on hxtool
+
+ * data: test certs that lasts 10 years
+
+ * data/gen-req.sh: script to generate test certs
+
+ * Makefile.am: Add regression tests.
+
+ * data: test certificate and keys
+
+ * test_chain.in: test chain
+
+ * hxtool.c (cms_create_sd): add KU digitalSigature as a
+ requirement to the query
+
+ * hx_locl.h: add KeyUsage query bits
+
+ * hx509_err.et: add KeyUsage error
+
+ * cms.c: add checks for KeyUsage
+
+ * cert.c: more checks on KeyUsage, allow to query on them too
+
+2005-07-24 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * cms.c: Add missing break.
+
+ * hx_locl.h,cms.c,cert.c: allow matching on SubjectKeyId
+
+ * hxtool.c: Use _hx509_map_file, _hx509_unmap_file and
+ _hx509_write_file.
+
+ * file.c (_hx509_write_file): in case of write error, return errno
+
+ * file.c (_hx509_write_file): add a function that write a data
+ blob to disk too
+
+ * Fix id-tags
+
+ * Import mostly complete X.509 and CMS library. Handles, PEM, DER,
+ PKCS12 encoded certicates. Verificate RSA chains and handled
+ CMS's SignedData, and EnvelopedData.
+
+
OpenPOWER on IntegriCloud