Martin Willi
3941d55f01
pki: Document --not-before/after and --dateform options in manpages
2014-03-31 11:39:25 +02:00
Martin Willi
2769a22e1f
pki: Support absolute --this/next-update CRL lifetimes
2014-03-31 11:14:59 +02:00
Martin Willi
d6e921181a
pki: Support absolute --not-before/after issued certificate lifetimes
2014-03-31 11:14:59 +02:00
Martin Willi
aa8732eb68
pki: Support absolute --not-before/after self-signed certificate lifetimes
2014-03-31 11:14:59 +02:00
Martin Willi
6f90e8e664
pki: Support absolute --not-before/after acert lifetimes
2014-03-31 11:14:59 +02:00
Martin Willi
06d3b6e9c9
pki: Add a certificate lifetime calculation helper function
2014-03-31 11:14:59 +02:00
Martin Willi
3a2deb98bc
ikev2: Cache all received attribute certificates to auth config
2014-03-31 11:14:59 +02:00
Martin Willi
d417900335
ikev2: Send all known and valid attribute certificates for subject cert
2014-03-31 11:14:59 +02:00
Martin Willi
a14f7edfb2
ikev2: Slightly refactor certificate payload construction to separate functions
2014-03-31 11:14:58 +02:00
Martin Willi
f316116c88
ike: Support encoding of attribute certificates in CERT payloads
2014-03-31 11:14:58 +02:00
Martin Willi
83f8cdde46
auth-cfg: Declare an attribute certificate helper type to exchange acerts
2014-03-31 11:14:58 +02:00
Martin Willi
5ac0e66879
acert: Implement a plugin finding, validating and evaluating attribute certs
...
This validator checks for any attribute certificate it can find for validated
end entity certificates and tries to extract group membership information
used for connection authorization rules.
2014-03-31 11:14:58 +02:00
Martin Willi
b06283f1e3
x509: Match acert has_subject() against entityName or holder serial
...
This allows us to find attribute certificates for a subject certificate in
credential sets.
2014-03-31 11:14:58 +02:00
Martin Willi
6e8c665a51
pki: Add acert and extend pki/print manpages
2014-03-31 11:14:58 +02:00
Martin Willi
35a783cff7
pki: Implement an acert command to issue attribute certificates
2014-03-31 11:14:58 +02:00
Martin Willi
20ea84daec
pki: Support printing attribute certificates
2014-03-31 11:14:58 +02:00
Martin Willi
e49197f15e
pki: Don't generate negative random serial numbers in X.509 certificates
...
According to RFC 5280 4.1.2.2 we MUST force non-negative serial numbers.
2014-03-31 11:14:58 +02:00
Martin Willi
0226ca886d
pem: Support encoding of attribute certificates
...
While there is no widely used PEM header for attribute certificates, at least
IAIK-JCE uses BEGIN ATTRIBUTE CERTIFICATE:
http://javadoc.iaik.tugraz.at/iaik_jce/current/iaik/utils/Util.html#toPemString(iaik.x509.attr.AttributeCertificate)
2014-03-31 11:14:58 +02:00
Martin Willi
8f9e2dbcd5
x509: Replace the comma separated string AC group builder with a list based one
2014-03-31 11:14:58 +02:00
Martin Willi
a17598bc69
x509: Integrate IETF attribute handling, and obsolete ietf_attributes_t
...
The ietf_attributes_t class is used for attribute certificates only these days,
and integrating them to x509_ac_t simplifies things significantly.
2014-03-31 11:14:58 +02:00
Martin Willi
61b2d815b9
x509: Replace fixed acert group string getter by a more dynamic group enumerator
2014-03-31 11:14:58 +02:00
Martin Willi
a9bfd4b055
x509: Skip parsing of acert chargingIdentity, as we don't use it anyway
2014-03-31 11:14:58 +02:00
Martin Willi
3134379ac7
x509: Fix some whitespaces and do some minor style cleanups in acert
2014-03-31 11:14:57 +02:00
Martin Willi
883a63adc1
ac: Remove unimplemented equals_holder() method from ac_t
2014-03-31 11:14:57 +02:00
Tobias Brunner
0462304dbb
unit-tests: Fix filtered enumerator tests on 64-bit big-endian platforms
...
In case of sizeof(void*) == 8 and sizeof(int) == 4 on big-endian hosts
the tests failed as the actual integer value got cut off.
2014-03-27 15:35:32 +01:00
Tobias Brunner
58d8c52190
unit-tests: Fix memory leak in ntru tests
2014-03-27 10:52:45 +01:00
Andreas Steffen
f0388684cd
unit-test: added missing TEST_FUNCTION macros
2014-03-22 10:26:02 +01:00
Tobias Brunner
01632eccf3
openssl: Add default fallback when calculating fingerprints of RSA keys
...
We still try to calculate these directly as it can avoid a dependency on
the pkcs1 or other plugins. But for e.g. PGPv3 keys we need to delegate the
actual fingerprint calculation to the pgp plugin.
2014-03-22 09:55:03 +01:00
Andreas Steffen
22e1aa51f9
Completed integration of ntru_crypto library into ntru plugin
2014-03-22 09:51:00 +01:00
Tobias Brunner
510c900479
crypto-tester: Don't fail if key size is not supported
...
The Blowfish and Twofish implementations provided by the gcrypt plugin
only support specific key lengths, which we don't know when testing
against vectors (either during unit tests or during algorithm
registration). The on_create test with a specific key length will be
skipped anyway, so there is no point in treating this failure differently.
2014-03-20 15:49:05 +01:00
Tobias Brunner
5dd638f45c
unit-tests: Add an option to increase the verbosity when running tests
...
The TESTS_VERBOSITY option takes an integer from -1 to 4 that sets the
default debug level.
2014-03-20 15:49:05 +01:00
Tobias Brunner
77603e98a3
unit-tests: Add an option to run only a subset of all test suites
...
The TESTS_SUITES environment variable can contain a comma separated list
of names of test suites to run.
2014-03-20 15:49:05 +01:00
Tobias Brunner
636076d45d
unit-tests: Actually verify registered algorithms against test vectors
...
Previously, the {ns}.crypto_test.on_add option had to be enabled to
actually test the algorithms, which we can't enforce for the tests in
the test_runner as the option is already read when the crypto factory
is initialized. Even so, we wouldn't want to do this for every unit
test, which would be the result of enabling that option.
2014-03-20 15:49:05 +01:00
Tobias Brunner
6ce5aee0b2
unit-tests: Use TEST_FUNCTION macro in ntru tests
2014-03-20 15:49:05 +01:00
Tobias Brunner
b751f6f25a
unit-tests: Implement registered functions without __builtin_apply()
...
This makes the tests work with clang, which does not implement said
builtin.
2014-03-20 15:37:44 +01:00
Tobias Brunner
31b3bb2211
unit-tests: Call functions with TEST_ prefix in ntru test
2014-03-20 15:37:44 +01:00
Tobias Brunner
2c687b3cb3
unit-tests: Prefix imported testable functions with TEST_
...
This avoids any clashes with existing functions in the monolithic build.
2014-03-20 15:29:27 +01:00
Tobias Brunner
f51169eb09
unit-tests: Change how hashtable for testable functions is created
...
Because GCC does not adhere to the priorities defined for constructors
when building with --enable-monolithic (not sure if it was just luck
that it worked in non-monolithic mode - anyway, it's not very portable)
function registration would fail because the hashtable would not be
created yet.
2014-03-20 15:29:27 +01:00
Tobias Brunner
48ac56e2aa
unit-tests: Generate weak keys with gcrypt plugin (but quickly)
2014-03-20 15:29:27 +01:00
Tobias Brunner
fc4f8fc30e
tnc-pdp: Fix monolithic build
2014-03-20 15:29:27 +01:00
Tobias Brunner
27b3358fed
plugin-feature: Hash only the actually used feature argument
...
Clang does not initialize padding in union members so hashing the
complete "arg" union could lead to different hashes if the hashed
plugin_feature_t does not have static storage duration.
Fixes #549 .
2014-03-20 13:42:57 +01:00
Andreas Steffen
0b408faef1
Added TPMRA workitem support for [dummy] Trusted Boot measurements
2014-03-19 20:26:31 +01:00
Martin Willi
0a8c399a21
pki: When dispatching commands, don't look beyond non-null-terminated array
2014-03-19 09:37:46 +01:00
Martin Willi
87e53819a6
pki: Check length of commands array before accessing command in --help
...
As --help is counted as command as well, the array is not null-terminated
and we have to check for MAX_COMMANDS.
Fixes #550 .
2014-03-19 09:25:29 +01:00
Tobias Brunner
c489c5881a
charon-nm: No additional secrets are required once a password has been entered
...
Recent versions of NM will call need_secrets() as long as it returns TRUE,
but then fail as the number of calls is limited by an assert.
Fixes #547 .
2014-03-18 14:53:40 +01:00
Tobias Brunner
11f31ceb6a
array: Fix removal of elements in the second half of an array
...
Memory beyond the end of the array was moved when array elements in the
second half of an array were removed.
Fixes #548 .
2014-03-18 14:46:16 +01:00
Tobias Brunner
0ab7d5f1f9
plugin-loader: Properly initialize modular plugin list if no plugins are enabled
2014-03-18 10:56:39 +01:00
Andreas Steffen
337f0c8a2f
Implemented ntru_private_key class
2014-03-18 10:03:16 +01:00
Andreas Steffen
3933798cb1
11 bits are needed to encode a maximum index of 1086
2014-03-15 19:22:16 +01:00
Tobias Brunner
67dc5d393c
tnc-ifmap: Get a reference to the client cert as it is also used in an auth config
2014-03-10 14:31:42 +01:00