27bd0fed93
Allow SHA256 and SHA384 data hash for BLISS signatures.
...
The default is SHA512 since this hash function is also
used for the c_indices random oracle.
2015-02-26 08:56:12 +01:00
6683cf6a5a
pki: Document correct output formats for --pkcs12 --export
2014-12-19 16:31:36 +01:00
a6c0dec0e5
pki: Properly clean up if output format for --pkcs12 is wrong
2014-12-19 16:30:10 +01:00
3a26566fa9
pki: Add command to export certificates and keys from PKCS#12 containers
2014-12-12 13:11:29 +01:00
c20f962732
pki: Reformat PKCS#12 output and add an index for each certificate/key
2014-12-12 13:11:29 +01:00
374b569ed0
pki: Add simple PKCS#12 display command
2014-12-12 13:11:29 +01:00
ec846f9e52
pki: Cache entered secrets in case they are needed more than once
2014-12-12 13:11:29 +01:00
b6bb32e658
Implemented full BLISS support for IKEv2 public key authentication and the pki tool
2014-11-29 14:51:18 +01:00
f673966b9f
Started implementing BLISS signature generation
2014-11-29 14:51:16 +01:00
56009f2001
Store and parse BLISS private and public keys in DER and PEM format
...
Additionally generate SHA-1 fingerprints of raw BLISS subjectPublicKey
and subjectPublicKeyInfo objects.
Some basic functions used by the bliss_public_key class are shared
with the bliss_private_key class.
2014-11-29 14:51:16 +01:00
9d5b91d198
Created framework for BLISS post-quantum signature algorithm
2014-11-29 14:51:14 +01:00
b9d38c9fa2
pki: Print and document the name constraint type for DNS or email constraints
...
As email constraints may be for a specific host, it is not clear from the
name itself if it is a DNS or email constraint.
2014-10-30 11:40:48 +01:00
ba2805c106
pki: Document --online option for pki --verify and all exit codes
2014-06-30 13:25:13 +02:00
bb91109af8
pki: Also check for MAX_COMMANDS when building getopt_long arguments
...
Completes 87e53819a60a8c399a21
2014-06-24 15:11:27 +02:00
f48c26bce3
pki: Support complex trustchain and revocation checking in --verify
2014-06-04 16:34:16 +02:00
5cd28cd25a
pki: Provide a fallback if strptime() not supported
...
For simplicity, we support the default pki datetime format only, but optionally
accept four digit years for longer lifetimes.
2014-06-04 15:53:11 +02:00
13298719e3
pki: Switch to binary mode on Windows when reading/writing DER to FDs
2014-06-04 15:53:11 +02:00
f1e7b9b0d7
pki: Stop prompting for password when entering empty string
2014-06-04 15:53:11 +02:00
b2b54bd71d
Make sure getpass() is available
...
It's not on Android for example.
2014-05-29 12:28:53 +02:00
064fe9c963
enum: Return boolean result for enum_from_name() lookup
...
Handling the result for enum_from_name() is difficult, as checking for
negative return values requires a cast if the enum type is unsigned. The new
signature clearly differentiates lookup result from lookup value.
Further, this actually allows to convert real -1 enum values, which could not
be distinguished from "not-found" and the -1 return value.
This also fixes several clang warnings where enums are unsigned.
2014-05-16 15:42:07 +02:00
297bc06ca9
pki: Fix memory leak when printing unknown AC group OIDs
2014-04-09 15:56:11 +02:00
ce845838ea
pki: Removed extra continue statement
2014-04-09 15:12:27 +02:00
98ae0492b6
Added support for msSmartcardLogon EKU
2014-04-08 13:09:03 +02:00
3941d55f01
pki: Document --not-before/after and --dateform options in manpages
2014-03-31 11:39:25 +02:00
2769a22e1f
pki: Support absolute --this/next-update CRL lifetimes
2014-03-31 11:14:59 +02:00
d6e921181a
pki: Support absolute --not-before/after issued certificate lifetimes
2014-03-31 11:14:59 +02:00
aa8732eb68
pki: Support absolute --not-before/after self-signed certificate lifetimes
2014-03-31 11:14:59 +02:00
6f90e8e664
pki: Support absolute --not-before/after acert lifetimes
2014-03-31 11:14:59 +02:00
06d3b6e9c9
pki: Add a certificate lifetime calculation helper function
2014-03-31 11:14:59 +02:00
6e8c665a51
pki: Add acert and extend pki/print manpages
2014-03-31 11:14:58 +02:00
35a783cff7
pki: Implement an acert command to issue attribute certificates
2014-03-31 11:14:58 +02:00
20ea84daec
pki: Support printing attribute certificates
2014-03-31 11:14:58 +02:00
e49197f15e
pki: Don't generate negative random serial numbers in X.509 certificates
...
According to RFC 5280 4.1.2.2 we MUST force non-negative serial numbers.
2014-03-31 11:14:58 +02:00
0a8c399a21
pki: When dispatching commands, don't look beyond non-null-terminated array
2014-03-19 09:37:46 +01:00
87e53819a6
pki: Check length of commands array before accessing command in --help
...
As --help is counted as command as well, the array is not null-terminated
and we have to check for MAX_COMMANDS.
Fixes #550 .
2014-03-19 09:25:29 +01:00
1c667bce3f
pki: Make cmds array static, ensuring that it is zero-initialized
...
As pki --help relies on a zero-terminated array, make the actually non-public
cmds array static to ensure initialization.
2014-02-20 11:45:51 +01:00
435aed8287
pki: Fix minor resource leak on failure to read the private key in --req
2014-02-18 16:46:25 +01:00
34d3bfcf14
lib: Add global config namespace
2014-02-12 14:34:31 +01:00
3114cecdbe
pki: Declare correct section in pki --issue man page
2014-01-24 16:17:46 +01:00
1c4a3459f7
chunk: Use dynamically allocated buffer in chunk_from_fd()
...
When acting on files, we can use fstat() to estimate the buffer size. On
non-file FDs, we dynamically increase an allocated buffer.
Additionally we slightly change the function signature to properly handle
zero-length files and add appropriate unit tests.
2014-01-23 15:55:32 +01:00
040cf911a6
pki: Make sure no command registers too many options
2014-01-23 10:12:24 +01:00
079e6c2b04
pki: Increase MAX_COMMANDS to cover all currently available commands
...
Fixes #452 .
2014-01-23 10:12:15 +01:00
2b8224fce3
pki: Print a warning if MAX_COMMANDS is too low
2014-01-23 10:10:53 +01:00
b0e14fcba6
pki: Properly use ?: when defining option arrays
2014-01-23 10:10:53 +01:00
71c9565a3a
pki: Replace BUILD_FROM_FD with passing a chunk via BUILD_BLOB
...
This allows more than one builder to try parsing the data read from STDIN.
2013-10-23 17:20:39 +02:00
ab155e6907
ignore *.1 manpage files
2013-09-17 10:58:53 +02:00
90afd2c929
pki: --pub also accepts public keys (i.e. to convert them to a different format)
2013-09-13 15:23:49 +02:00
21626bdf77
pki: Add support to encode public keys in SSH key format
2013-09-13 15:23:49 +02:00
ed56c86ec1
pki: Don't print an error if no arguments are given
2013-09-13 15:14:00 +02:00
0dc8ba8779
pki: Install pki(1) as utility directly in $prefix/bin
...
ipsec pki is maintained as alias.
2013-09-13 15:07:36 +02:00
1a8ffea315
pki: Add example commands to setup a simple CA
2013-09-13 15:07:36 +02:00
b068c4ec9d
pki: Add pki --verify man page
2013-09-13 15:07:36 +02:00
4adeaa5eb9
pki: Add pki --pub man page
2013-09-13 15:07:36 +02:00
a319eff80d
pki: Add pki --print man page
2013-09-13 15:07:35 +02:00
e69fd30538
pki: Add pki --keyid man page
2013-09-13 15:07:35 +02:00
558771400e
pki: Add pki --pkcs7 man page
2013-09-13 15:07:35 +02:00
bb8e2e1759
pki: Add pki --req man page
2013-09-13 15:07:35 +02:00
96aa5a1ddd
pki: Add pki --signcrl man page
2013-09-13 15:07:35 +02:00
42e3a21e24
pki: Add pki --issue man page
2013-09-13 15:07:35 +02:00
3a643b8901
pki: Add pki --self man page
...
Can be opened with "man pki --self".
2013-09-13 15:07:35 +02:00
a612f6e338
pki: Add pki --gen man page
...
Can be opened with "man pki --gen".
2013-09-13 15:07:29 +02:00
34cff9349b
pki: Add ipsec-pki(8) man page
...
Can be opened either with "man ipsec pki" or "man ipsec-pki".
Since man(1) only supports one level of subpages, the forthcoming man
pages for each command will have to be opened with "man pki --<command>".
2013-09-13 14:32:51 +02:00
19cb07b890
automake: replace INCLUDES by AM_CPPFLAGS
...
INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.
2013-07-18 14:59:19 +02:00
b18a531715
plugin-loader: Removed unused path argument of load() method
...
Multiple additional search paths can be added with the add_path()
method.
2013-06-28 10:44:15 +02:00
11adf114c1
Fixed Doxygen comments after scanning complete src directory
2013-03-02 18:31:53 +01:00
a4ddc0bb26
Encode RSA public keys in RFC 3110 DNSKEY format
2013-02-19 12:25:00 +01:00
4cd3fb788d
Properly read data from stream in pki --pkcs7
2013-01-24 19:13:41 +01:00
27a814b527
Properly destroy mem_cred object on pki --pkcs7 --help
2013-01-24 19:13:41 +01:00
063ae4e52a
Allocate data returned by pkcs7_t.get_attribute()
2012-12-19 10:32:08 +01:00
24b2dae2b6
Add a --show option to pki --pkcs7 to print contained certificates
2012-12-19 10:32:08 +01:00
9afbe59953
pki --pkcs7 --verify shows prints the signing time, if available
2012-12-19 10:32:08 +01:00
5a50bec9d2
Fix leak in pki --pkcs7 --decrypt
2012-12-19 10:32:08 +01:00
47120d4977
Add a pki command to sign, verify, encrypt and decrypt PKCS#7 containers
2012-12-19 10:32:07 +01:00
48b23d06a8
allow the optional sharing if RSA private keys
2012-11-22 00:34:42 +01:00
168ee460c6
implemented generation of safe primes
2012-11-18 19:22:31 +01:00
f05b427265
Moved debug.[ch] to utils folder
2012-10-24 16:00:51 +02:00
12642a6831
Moved data structures to new collections subfolder
2012-10-24 16:00:49 +02:00
8b0dce08f2
Avoid overrunning array when registering pki command line options
2012-09-28 18:22:54 +02:00
c63fb853e8
Use centralized hasher names in pki utility
2012-07-17 17:32:05 +02:00
e93bb353d5
Check rng return value when generating serial numbers in pki utility
2012-07-16 14:53:35 +02:00
a37f2d2006
certificate_t->issued_by takes an argument to receive signature scheme
2012-06-12 14:24:49 +02:00
b24be29646
Merge branch 'ikev1'
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/encoding/generator.c
src/libcharon/encoding/payloads/notify_payload.c
src/libcharon/encoding/payloads/notify_payload.h
src/libcharon/encoding/payloads/payload.c
src/libcharon/network/receiver.c
src/libcharon/sa/authenticator.c
src/libcharon/sa/authenticator.h
src/libcharon/sa/ikev2/tasks/ike_init.c
src/libcharon/sa/task_manager.c
src/libstrongswan/credentials/auth_cfg.c
2012-05-02 11:12:31 +02:00
5ff99529e6
ASN.1 two's complement encoding prevents overflow in CRL serial number
2012-04-04 11:29:12 +02:00
320fd5fe62
moved chunk_skip_zero to chunk.h
2012-04-03 14:12:50 +02:00
e464894e8b
remove leading zeros in ASN.1 encoded serial numbers
2012-03-27 15:05:36 +02:00
b1f2f05c92
Merge branch 'ikev1-clean' into ikev1-master
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/daemon.c
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
src/libcharon/plugins/eap_radius/eap_radius_accounting.c
src/libcharon/plugins/eap_radius/eap_radius_forward.c
src/libcharon/plugins/farp/farp_listener.c
src/libcharon/sa/ike_sa.c
src/libcharon/sa/keymat.c
src/libcharon/sa/task_manager.c
src/libcharon/sa/trap_manager.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/utils.h
Applied lost changes of moved files keymat.c and task_manager.c.
Updated listener_t.message hook signature in new plugins.
2012-03-20 17:57:53 +01:00
4bc4e8e17b
Added support for iKEIntermediate flag to ipsec pki.
2012-03-20 17:31:25 +01:00
f1ba06c1c6
Cache list of plugin names to further simplify its usage.
...
Also helpful for ipsec statusall to avoid having to enumerate plugins.
2012-01-19 12:37:42 +01:00
fdf1f239ef
Log list of loaded plugins in main PKI help output.
2012-01-19 11:56:43 +01:00
20d752b4ff
pki: Avoid integer overflow when calculating certificate lifetimes.
...
This only works properly if sizeof(time_t) > 4.
2011-12-23 16:33:24 +01:00
29388829fa
Do proper cleanup in error case in pki req.
2011-04-14 18:11:45 +02:00
3fe6c0b27e
Do proper cleanup in some error cases in pki signcrl.
2011-04-14 18:11:44 +02:00
eead71eb75
use DN from pkcs10 request if it exists
2011-02-07 23:41:54 +01:00
3fd3f8dea8
Added support for empty subjects DNs to pki --issue
2011-01-05 16:46:07 +01:00
0110c26a04
Use incremented serial of base CRL when signing delta CRL
2011-01-05 16:46:06 +01:00
b088fd4a76
Slightly renamed different policyConstraints to distinguish them better
2011-01-05 16:46:05 +01:00
6a339fffc7
Added inhibitAnyPolicy constraint support to pki tool
2011-01-05 16:46:05 +01:00
b3d359e58f
Use a generic getter for all numerical X.509 constraints
2011-01-05 16:46:05 +01:00
de8521f6f2
Added support for delta CRLs to pki tool
2011-01-05 16:46:04 +01:00
a6478a0402
Simplified format of x509 CRL URI parsing/enumerator
2011-01-05 16:46:03 +01:00
Andreas Steffen