Commit Graph

143 Commits

Author SHA1 Message Date
Tobias Brunner dd4bd21c5a pki: Query private key for supported signature schemes 2018-10-26 09:03:26 +02:00
Tobias Brunner 66aca84eba signcrl: Remove useless assignment 2018-09-17 18:51:41 +02:00
Tobias Brunner 1b67166921 Unify format of HSR copyright statements 2018-05-23 16:32:53 +02:00
Tobias Brunner 943f3929f4 pki: --verify command optionally takes directories for CAs and CRLs 2018-05-18 17:29:00 +02:00
Andreas Steffen 3e7a19bfa9 pki: Extend pki --print with --keyid parameter 2017-12-10 19:31:10 +01:00
Tobias Brunner 27a79326c7 pki: Enable PSS padding if enabled in strongswan.conf 2017-11-08 16:48:10 +01:00
Tobias Brunner d57af8dde0 pki: Optionally generate RSA/PSS signatures 2017-11-08 16:48:10 +01:00
Tobias Brunner 9b828ee85f pki: Indent usage lines properly automatically 2017-11-08 16:48:10 +01:00
Tobias Brunner dc83bc147e pki: Properly forward digest to attribute certificate builder 2017-11-08 16:48:10 +01:00
Tobias Brunner 4e7b7db62f certificates: Use shared destructor for x509_cdp_t 2017-09-18 10:54:19 +02:00
Tobias Brunner 525cc46cab Change interface for enumerator_create_filter() callback
This avoids the unportable 5 pointer hack, but requires enumerating in
the callback.
2017-05-26 13:56:44 +02:00
Tobias Brunner 069bf10d3f pki: Reset variable so error handling works properly
If we jump to `end` without this we crash (not necessarily visibly) due
to a double free and the actual error message is not printed.
2017-04-19 18:56:43 +02:00
Tobias Brunner 3207193cbf pki: Actually make the default key type KEY_ANY for --self
Fixes: 05ccde0a8b ("pki: Add generic 'priv' key type that loads any
type of private key")
2017-03-24 10:45:58 +01:00
Andreas Steffen ab94f76df6 pki: Add key object handle of smartcard or TPM private key as an argument to pki --keyid 2017-03-06 18:54:09 +01:00
Andreas Steffen 2d41e1c51c pki: Edited keyid parameter use in various pki man pages and usage outputs 2017-03-06 18:54:09 +01:00
Andreas Steffen 2da6a5f541 Add keyid of smartcard or TPM private key as an argument to pki --req 2017-03-02 20:30:24 +01:00
Martin Willi ead1dd3bcb pki: Support an --addrblock option for issued certificates 2017-02-27 09:36:48 +01:00
Martin Willi b6c371fbf1 pki: Support an --addrblock option for self-signed certificates 2017-02-27 09:36:48 +01:00
Andreas Steffen 35bc60cc68 Added support of EdDSA signatures 2016-12-14 11:15:47 +01:00
Tobias Brunner 790847d17c pki: Don't remove zero bytes in CRL serials anymore
This was added a few years ago because pki --signcrl once encoded serials
incorrectly as eight byte blobs. But still ensure we can handle
overflows in case the serial is encoded incorrectly without zero-prefix.
2016-10-11 17:18:22 +02:00
Tobias Brunner 49d9266c31 pki: Use serial of base CRL for delta CRLs
According to RFC 5280 delta CRLs and complete CRLs MUST share one
numbering sequence.
2016-10-11 17:18:22 +02:00
Tobias Brunner 05ccde0a8b pki: Add generic 'priv' key type that loads any type of private key 2016-10-05 11:32:52 +02:00
Tobias Brunner 1798e490da pki: Drop -priv suffix to specify private key types 2016-10-05 11:32:52 +02:00
Tobias Brunner 09d8215d3f pki: Allow to load CRLs from files in --verify 2016-08-25 11:07:35 +02:00
Andreas Steffen 3317d0e77b Standardized printing of certificate information
The certificate_printer class allows the printing of certificate
information to a text file (usually stdout). This class is used
by the pki --print and swanctl --list-certs commands as well as
by the stroke plugin.
2015-12-11 18:26:53 +01:00
Andreas Steffen f6fede934b Support BLISS signatures with SHA-3 hash 2015-11-03 21:35:09 +01:00
Tobias Brunner 592f31f5af pki: Add new type options to --issue command usage output 2015-08-27 17:55:15 +02:00
Tobias Brunner 6ef4668626 pki: Add --dn command to extract the subject DN of a certificate 2015-08-17 11:34:01 +02:00
Tobias Brunner 1bc2549914 pki: Optionally extract public key from given private key in --issue
Fixes #618.
2015-08-10 12:33:02 +02:00
Tobias Brunner 2872f77829 pki: Choose default digest based on the signature key 2015-03-23 17:22:31 +01:00
Tobias Brunner ae0604f583 pki: Use SHA-256 as default for signatures
Since the BLISS private key supports this we don't do any special
handling anymore (if the user chooses a digest that is not supported,
signing will simply fail later because no signature scheme will be found).
2015-03-23 17:22:31 +01:00
Andreas Steffen 27bd0fed93 Allow SHA256 and SHA384 data hash for BLISS signatures.
The default is SHA512 since this hash function is also
used for the c_indices random oracle.
2015-02-26 08:56:12 +01:00
Tobias Brunner 6683cf6a5a pki: Document correct output formats for --pkcs12 --export 2014-12-19 16:31:36 +01:00
Tobias Brunner a6c0dec0e5 pki: Properly clean up if output format for --pkcs12 is wrong 2014-12-19 16:30:10 +01:00
Tobias Brunner 3a26566fa9 pki: Add command to export certificates and keys from PKCS#12 containers 2014-12-12 13:11:29 +01:00
Tobias Brunner c20f962732 pki: Reformat PKCS#12 output and add an index for each certificate/key 2014-12-12 13:11:29 +01:00
Tobias Brunner 374b569ed0 pki: Add simple PKCS#12 display command 2014-12-12 13:11:29 +01:00
Andreas Steffen b6bb32e658 Implemented full BLISS support for IKEv2 public key authentication and the pki tool 2014-11-29 14:51:18 +01:00
Andreas Steffen f673966b9f Started implementing BLISS signature generation 2014-11-29 14:51:16 +01:00
Andreas Steffen 56009f2001 Store and parse BLISS private and public keys in DER and PEM format
Additionally generate SHA-1 fingerprints of raw BLISS subjectPublicKey
and subjectPublicKeyInfo objects.

Some basic functions used by the bliss_public_key class are shared
with the bliss_private_key class.
2014-11-29 14:51:16 +01:00
Andreas Steffen 9d5b91d198 Created framework for BLISS post-quantum signature algorithm 2014-11-29 14:51:14 +01:00
Martin Willi b9d38c9fa2 pki: Print and document the name constraint type for DNS or email constraints
As email constraints may be for a specific host, it is not clear from the
name itself if it is a DNS or email constraint.
2014-10-30 11:40:48 +01:00
Martin Willi f48c26bce3 pki: Support complex trustchain and revocation checking in --verify 2014-06-04 16:34:16 +02:00
Martin Willi 13298719e3 pki: Switch to binary mode on Windows when reading/writing DER to FDs 2014-06-04 15:53:11 +02:00
Martin Willi 064fe9c963 enum: Return boolean result for enum_from_name() lookup
Handling the result for enum_from_name() is difficult, as checking for
negative return values requires a cast if the enum type is unsigned. The new
signature clearly differentiates lookup result from lookup value.

Further, this actually allows converting real -1 enum values, which could not
be distinguished from "not-found" and the -1 return value.

This also fixes several clang warnings where enums are unsigned.
2014-05-16 15:42:07 +02:00
Tobias Brunner 297bc06ca9 pki: Fix memory leak when printing unknown AC group OIDs 2014-04-09 15:56:11 +02:00
Tobias Brunner ce845838ea pki: Removed extra continue statement 2014-04-09 15:12:27 +02:00
Andreas Steffen 98ae0492b6 Added support for msSmartcardLogon EKU 2014-04-08 13:09:03 +02:00
Martin Willi 2769a22e1f pki: Support absolute --this/next-update CRL lifetimes 2014-03-31 11:14:59 +02:00
Martin Willi d6e921181a pki: Support absolute --not-before/after issued certificate lifetimes 2014-03-31 11:14:59 +02:00