Commit Graph

12487 Commits

Author SHA1 Message Date
Martin Willi dbd4fc074a openac: Remove obsolete openac utility
The same functionality is now provided by the pki --acert subcommand.
2014-03-31 11:39:25 +02:00
Martin Willi 3941d55f01 pki: Document --not-before/after and --dateform options in manpages 2014-03-31 11:39:25 +02:00
Martin Willi 2769a22e1f pki: Support absolute --this/next-update CRL lifetimes 2014-03-31 11:14:59 +02:00
Martin Willi d6e921181a pki: Support absolute --not-before/after issued certificate lifetimes 2014-03-31 11:14:59 +02:00
Martin Willi aa8732eb68 pki: Support absolute --not-before/after self-signed certificate lifetimes 2014-03-31 11:14:59 +02:00
Martin Willi 6f90e8e664 pki: Support absolute --not-before/after acert lifetimes 2014-03-31 11:14:59 +02:00
Martin Willi 06d3b6e9c9 pki: Add a certificate lifetime calculation helper function 2014-03-31 11:14:59 +02:00
Martin Willi babd848778 testing: Add an acert test that forces a fallback connection based on groups 2014-03-31 11:14:59 +02:00
Martin Willi 1a4d3222be testing: Add an acert test case sending attribute certificates inline 2014-03-31 11:14:59 +02:00
Martin Willi 9f676321a9 testing: Add an acert test using locally cached attribute certificates 2014-03-31 11:14:59 +02:00
Martin Willi c602ee65dc testing: build strongSwan with acert plugin 2014-03-31 11:14:59 +02:00
Martin Willi 3a2deb98bc ikev2: Cache all received attribute certificates to auth config 2014-03-31 11:14:59 +02:00
Martin Willi d417900335 ikev2: Send all known and valid attribute certificates for subject cert 2014-03-31 11:14:59 +02:00
Martin Willi a14f7edfb2 ikev2: Slightly refactor certificate payload construction to separate functions 2014-03-31 11:14:58 +02:00
Martin Willi f316116c88 ike: Support encoding of attribute certificates in CERT payloads 2014-03-31 11:14:58 +02:00
Martin Willi 83f8cdde46 auth-cfg: Declare an attribute certificate helper type to exchange acerts 2014-03-31 11:14:58 +02:00
Martin Willi 5ac0e66879 acert: Implement a plugin finding, validating and evaluating attribute certs
This validator checks for any attribute certificate it can find for validated
end entity certificates and tries to extract group membership information
used for connection authorization rules.
2014-03-31 11:14:58 +02:00
Martin Willi b06283f1e3 x509: Match acert has_subject() against entityName or holder serial
This allows us to find attribute certificates for a subject certificate in
credential sets.
2014-03-31 11:14:58 +02:00
Martin Willi 6e8c665a51 pki: Add acert and extend pki/print manpages 2014-03-31 11:14:58 +02:00
Martin Willi 35a783cff7 pki: Implement an acert command to issue attribute certificates 2014-03-31 11:14:58 +02:00
Martin Willi 20ea84daec pki: Support printing attribute certificates 2014-03-31 11:14:58 +02:00
Martin Willi e49197f15e pki: Don't generate negative random serial numbers in X.509 certificates
According to RFC 5280 4.1.2.2 we MUST force non-negative serial numbers.
2014-03-31 11:14:58 +02:00
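The requirement in the commit above is worth seeing at the byte level: a DER INTEGER is two's complement, so a random first byte with its high bit set encodes a negative serial, which RFC 5280 4.1.2.2 forbids. The following is an added example, not strongSwan's pki code; the function names, the 8-byte constructed "random" draw and the short-form-only DER encoder are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical helper (not strongSwan code): turn `len` random bytes in
 * `buf` into a positive integer whose DER encoding is minimal and
 * non-negative.  Returns the new length.
 *   - DER INTEGER is two's complement, so an MSB of 1 in the first byte
 *     means negative; clearing it is what makes the serial non-negative.
 *   - Leading 0x00 bytes are dropped unless the following byte has its
 *     MSB set (then the 0x00 is the required sign pad, not padding).
 *   - RFC 5280 4.1.2.2 requires a positive serial, so zero becomes one. */
size_t serial_normalize(uint8_t *buf, size_t len)
{
    size_t skip = 0;

    if (len == 0)
        return 0;
    buf[0] &= 0x7F;
    while (skip + 1 < len && buf[skip] == 0x00 && (buf[skip + 1] & 0x80) == 0)
        skip++;
    if (skip)
        memmove(buf, buf + skip, len - skip);
    len -= skip;
    if (len == 1 && buf[0] == 0x00)
        buf[0] = 0x01;
    return len;
}

/* Wrap a big-endian magnitude as a DER INTEGER TLV (short-form length only,
 * i.e. up to 127 content bytes, which covers the 20-octet RFC 5280 limit).
 * Returns the number of bytes written, or 0 on error. */
size_t der_encode_integer(const uint8_t *val, size_t len, uint8_t *out, size_t outlen)
{
    if (len == 0 || len > 127 || outlen < len + 2)
        return 0;
    out[0] = 0x02;
    out[1] = (uint8_t)len;
    memcpy(out + 2, val, len);
    return len + 2;
}

/* The sign check a consumer would do on an incoming certificate's serial:
 * 1 = negative, 0 = non-negative, -1 = malformed TLV. */
int der_integer_is_negative(const uint8_t *der, size_t len)
{
    if (len < 3 || der[0] != 0x02 || der[1] == 0 || der[1] > 127 ||
        (size_t)der[1] + 2 > len)
        return -1;
    return (der[2] & 0x80) ? 1 : 0;
}

/* Run one constructed "random" draw through the naive and the normalised
 * path; returns 1 if the naive encoding was negative and the fixed one is not. */
int serial_demo(int *naive_negative, int *fixed_negative)
{
    /* Constructed sample bytes standing in for an RNG draw; the MSB of the
     * first byte is set, which is exactly the case the commit fixes. */
    uint8_t raw[8] = { 0x9A, 0x00, 0x4F, 0xC2, 0x11, 0x7E, 0x35, 0xD8 };
    uint8_t der[16];
    size_t n;

    n = der_encode_integer(raw, sizeof(raw), der, sizeof(der));
    *naive_negative = der_integer_is_negative(der, n);

    n = serial_normalize(raw, sizeof(raw));
    n = der_encode_integer(raw, n, der, sizeof(der));
    *fixed_negative = der_integer_is_negative(der, n);

    return *naive_negative == 1 && *fixed_negative == 0;
}

int main(void)
{
    int naive, fixed;

    printf("%s\n", serial_demo(&naive, &fixed) ? "serial fixed" : "unexpected");
    return 0;
}
```

Clearing the top bit costs one bit of entropy, which is why the CA/Browser Forum style of "64 random bits" is usually drawn from more than 8 bytes; the leading-zero rule matters because stripping a 0x00 that sits in front of a byte with the MSB set would silently turn the value negative again.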
Martin Willi 0226ca886d pem: Support encoding of attribute certificates
While there is no widely used PEM header for attribute certificates, at least
IAIK-JCE uses BEGIN ATTRIBUTE CERTIFICATE:

  http://javadoc.iaik.tugraz.at/iaik_jce/current/iaik/utils/Util.html#toPemString(iaik.x509.attr.AttributeCertificate)
2014-03-31 11:14:58 +02:00
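The practical consequence of the label choice above is that any loader keyed on the usual "CERTIFICATE" label will simply not see an attribute certificate. The following added example (not strongSwan's pem plugin) is a minimal label-aware PEM reader; the function names and the constructed PEM body, whose DER payload is a toy SEQUENCE { INTEGER 5 } rather than a real attribute certificate, are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a PEM block using the IAIK-JCE label named in the
 * commit.  The base64 body decodes to 30 03 02 01 05, a toy DER SEQUENCE,
 * not a real attribute certificate. */
static const char ACERT_PEM[] =
    "-----BEGIN ATTRIBUTE CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END ATTRIBUTE CERTIFICATE-----\n";

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Hypothetical PEM reader: find "-----BEGIN <label>-----" ... "-----END <label>-----",
 * base64-decode the body into `out` and return the DER length, or 0 if the
 * label is absent, the body is malformed or `out` is too small.  Whitespace
 * inside the body is skipped; encapsulated headers (Proc-Type:) are not handled. */
size_t pem_decode(const char *pem, const char *label, uint8_t *out, size_t outlen)
{
    char begin[96], end[96];
    const char *p, *stop;
    size_t n = 0;
    uint32_t acc = 0;
    int bits = 0;

    if (snprintf(begin, sizeof(begin), "-----BEGIN %s-----", label) >= (int)sizeof(begin) ||
        snprintf(end, sizeof(end), "-----END %s-----", label) >= (int)sizeof(end))
        return 0;
    p = strstr(pem, begin);
    if (!p)
        return 0;
    p += strlen(begin);
    stop = strstr(p, end);
    if (!stop)
        return 0;

    for (; p < stop; p++)
    {
        int v;

        if (*p == '=')
            break;                      /* padding: no more data bits follow */
        if (*p == '\n' || *p == '\r' || *p == ' ' || *p == '\t')
            continue;
        v = b64val((unsigned char)*p);
        if (v < 0)
            return 0;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8)
        {
            bits -= 8;
            if (n >= outlen)
                return 0;
            out[n++] = (uint8_t)(acc >> bits);
        }
    }
    return n;
}

int main(void)
{
    uint8_t der[16];
    size_t n;

    /* Keyed on the plain certificate label the block is invisible ... */
    n = pem_decode(ACERT_PEM, "CERTIFICATE", der, sizeof(der));
    printf("as CERTIFICATE: %zu bytes\n", n);
    /* ... keyed on the attribute certificate label it decodes. */
    n = pem_decode(ACERT_PEM, "ATTRIBUTE CERTIFICATE", der, sizeof(der));
    printf("as ATTRIBUTE CERTIFICATE: %zu bytes, first tag 0x%02x\n", n, n ? der[0] : 0);
    return 0;
}
```

Decoding by label rather than by a generic "-----BEGIN" match is what lets a credential set route the DER to the right parser (x509_ac_t here) instead of trying, and failing, to parse an attribute certificate as a public-key certificate.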
Martin Willi 8f9e2dbcd5 x509: Replace the comma separated string AC group builder with a list based one 2014-03-31 11:14:58 +02:00
Martin Willi a17598bc69 x509: Integrate IETF attribute handling, and obsolete ietf_attributes_t
The ietf_attributes_t class is used for attribute certificates only these days,
and integrating them to x509_ac_t simplifies things significantly.
2014-03-31 11:14:58 +02:00
Martin Willi 61b2d815b9 x509: Replace fixed acert group string getter by a more dynamic group enumerator 2014-03-31 11:14:58 +02:00
Martin Willi a9bfd4b055 x509: Skip parsing of acert chargingIdentity, as we don't use it anyway 2014-03-31 11:14:58 +02:00
Martin Willi 3134379ac7 x509: Fix some whitespaces and do some minor style cleanups in acert 2014-03-31 11:14:57 +02:00
Martin Willi 883a63adc1 ac: Remove unimplemented equals_holder() method from ac_t 2014-03-31 11:14:57 +02:00
Andreas Steffen 959ef1a2e4 Added libipsec/net2net-3des scenario 2014-03-28 09:21:51 +01:00
Andreas Steffen 7afd217ff9 Renewed self-signed OCSP signer certificate 2014-03-27 22:52:11 +01:00
Tobias Brunner 0462304dbb unit-tests: Fix filtered enumerator tests on 64-bit big-endian platforms
In case of sizeof(void*) == 8 and sizeof(int) == 4 on big-endian hosts
the tests failed as the actual integer value got cut off.
2014-03-27 15:35:32 +01:00
Tobias Brunner 29b7377530 travis: Run the "all" test case with leak detective enabled
But disable the gcrypt plugin, as it causes leaks.

Also disable the backtraces by libunwind as they seem to cause
threads to get cleaned up after the leak detective already has been
disabled, which leads to invalid free()s.
2014-03-27 10:52:45 +01:00
Tobias Brunner 58d8c52190 unit-tests: Fix memory leak in ntru tests 2014-03-27 10:52:45 +01:00
Andreas Steffen 045f25fc81 Version bump to 5.1.3rc1 2014-03-26 22:00:00 +01:00
Andreas Steffen c6d173a1f1 Check that valid OCSP responses are received in the ikev2/ocsp-multi-level scenario 2014-03-24 23:57:55 +01:00
Andreas Steffen bee64a82d7 Updated expired certificates issued by the Research and Sales Intermediate CAs 2014-03-24 23:38:45 +01:00
Andreas Steffen 2d79f6d81e Renewed revoked Research CA certificate 2014-03-22 15:16:15 +01:00
Andreas Steffen f0388684cd unit-test: added missing TEST_FUNCTION macros 2014-03-22 10:26:02 +01:00
Andreas Steffen 07e7cb146f Added openssl-ikev2/net2net-pgp-v3 scenario 2014-03-22 09:55:03 +01:00
Tobias Brunner 01632eccf3 openssl: Add default fallback when calculating fingerprints of RSA keys
We still try to calculate these directly as it can avoid a dependency on
the pkcs1 or other plugins.  But for e.g. PGPv3 keys we need to delegate the
actual fingerprint calculation to the pgp plugin.
2014-03-22 09:55:03 +01:00
Andreas Steffen 22e1aa51f9 Completed integration of ntru_crypto library into ntru plugin 2014-03-22 09:51:00 +01:00
Tobias Brunner b517912848 Merge branch 'travis-ci'
Adds a config file and build script for Travis CI. Makes the unit tests
buildable with Clang, and test vectors are now actually verified when
the unit tests are executed.

Also adds options to run only selected test suites and to increase the debug
level during unit tests.

The --enable/disable configure options have been reordered and grouped, and
an option to enable all the features has been added (plus an option to
select a specific printf-hook implementation).
2014-03-20 18:50:57 +01:00
Tobias Brunner 6548f50cf9 travis: Use parallel build
Not sure if 4 jobs is optimal, but according to the docs each build host
has 1.5 virtual cores available (although "getconf _NPROCESSORS_ONLN"
returns 32, which is probably the number of real cores underneath), so
more jobs might not actually reduce the build time much more.
2014-03-20 18:48:13 +01:00
Tobias Brunner 510c900479 crypto-tester: Don't fail if key size is not supported
The Blowfish and Twofish implementations provided by the gcrypt plugin
only support specific key lengths, which we don't know when testing
against vectors (either during unit tests or during algorithm
registration).  The on_create test with a specific key length will be
skipped anyway, so there is no point in treating this failure differently.
2014-03-20 15:49:05 +01:00
Tobias Brunner 5dd638f45c unit-tests: Add an option to increase the verbosity when running tests
The TESTS_VERBOSITY option takes an integer from -1 to 4 that sets the
default debug level.
2014-03-20 15:49:05 +01:00
Tobias Brunner 77603e98a3 unit-tests: Add an option to run only a subset of all test suites
The TESTS_SUITES environment variable can contain a comma separated list
of names of test suites to run.
2014-03-20 15:49:05 +01:00
Tobias Brunner 636076d45d unit-tests: Actually verify registered algorithms against test vectors
Previously, the {ns}.crypto_test.on_add option had to be enabled to
actually test the algorithms, which we can't enforce for the tests in
the test_runner as the option is already read when the crypto factory
is initialized.  Even so, we wouldn't want to do this for every unit
test, which would be the result of enabling that option.
2014-03-20 15:49:05 +01:00
Tobias Brunner 316aa4b43b travis: Add tests for builtin printf hook implementation
We can't test Vstr as it does not properly handle negative int arguments
for custom format callbacks, so some of the enum tests would fail.
2014-03-20 15:49:05 +01:00
Tobias Brunner 4ffe02a75d configure: Add an option to select a specific printf hook implementation 2014-03-20 15:49:05 +01:00