| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in
CRL issuer certificates. Reject CRLs with unhandled (any)
critical extensions.
|
|
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
|
|
Use BUF_strlcat() instead of strcat().
Use BIO_snprintf() instead of sprintf().
In some cases, keep better track of buffer lengths.
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
|
|
Max req -x509 use V1 if extensions section absent.
|
|
PR: 657
|
|
Allocate certificatePolicies correctly if CPS field is absent.
Fix various memory leaks in certificatePolicies.
|
|
Submitted by: Doug Sauder <dws+001@hunnysoft.com>
Fix bug in X509V3_get_d2i() when idx in not NULL.
|
|
|
|
PR: 559
|
|
PR: 358
|
|
Notified privately to me by Peter Sylvester <Peter.Sylvester@EdelWeb.fr>,
one of the authors of said RFC
|
|
PR: 428
|
|
|
|
|
|
give it.
For 0.9.7 and up, that means util/domd needs to remove those double
dashes from the argument list when gcc is used to find the
dependencies.
|
|
Submitted by:
Reviewed by:
PR:
|
|
handled properly.
Part of PR 75
|
|
Reinstate -reqout code.
Avoid coredump in ocsp if setup_verify
fails.
Fix typo in ocsp usage message.
|
|
structures for fields that are not OPTIONAL.
However in the AUTHORITY_INFO_ACCESS case
the 'location' field was set to NULL in
the old code.
So in 0.9.7+ we should free up the field before
overwriting it in v2i_AUTHORITY_INFO_ACCESS.
|
|
PR: 49
|
|
|
|
[See
Message-ID: <3BB07999.30432AD2@celocom.com>
Date: Tue, 25 Sep 2001 13:33:29 +0100
From: Dr S N Henson <drh@celocom.com>
To: openssl-dev@openssl.org
Subject: Re: Error in v3_purp.c
]
|
|
making X509_check_issued() properly match an issuer that's found in a
Authority Key Identifier.
|
|
|
|
|
|
|
|
with existing code.
Modify library to use digest *_ex() functions.
|
|
|
|
Fix X509V3 macro so they compile.
|
|
|
|
|
|
|
|
Split private key PEM and normal PEM handling. Private key
handling needs to link in stuff like PKCS#8.
Relocate the ASN1 *_dup() functions, to the relevant ASN1
modules using new macro IMPLEMENT_ASN1_DUP_FUNCTION. Previously
these were all in crypto/x509/x_all.c along with every ASN1
BIO/fp function which linked in *every* ASN1 function if
a single dup was used.
Move the authority key id ASN1 structure to a separate file.
This is used in the X509 routines and its previous location
linked in all the v3 extension code.
Also move ASN1_tag2bit to avoid linking in a_bytes.c which
is now largely obsolete.
So far under Linux stripped binary with single PEM_read_X509
is now 238K compared to 380K before these changes.
|
|
Add new extension functions which work with NCONF.
Tidy up extension config routines and remove redundant code.
Fix NCONF_get_number().
Todo: more testing of apps to see they still work...
|
|
Tidy existing code.
|
|
extension instead of just copying it. That makes a certificate comply
even more with PKIX recommendations according to RFC 2459.
|
|
the 'ca' utility. This can now be extensively
customised in the configuration file and handles
multibyte strings and extensions properly.
This is required when extensions copying from
certificate requests is supported: the user
must be able to view the extensions before
allowing a certificate to be issued.
|
|
errors can be tolerated, hide the error from 'make'.
This gives shorter output both if ranlib fails and if
it works.
|
|
find emailAddress at start of subject name.
|
|
Note that all *_it variables are suddenly non-existant according to
libeay.num. This is a bug that will be corrected. Please be patient.
|
|
prototype hack. This unfortunately means that
every ASN1_*_END construct cannot have a
trailing ;
|
|
change the way ASN1 modules are exported.
Still needs a bit of work for example the hack which a
dummy function prototype to avoid compilers warning about
multiple ;s.
|
|
and make all files the depend on it include it without prefixing it
with openssl/.
This means that all Makefiles will have $(TOP) as one of the include
directories.
|
|
sure they are available in opensslconf.h, by giving them names starting
with "OPENSSL_" to avoid conflicts with other packages and by making
sure e_os2.h will cover all platform-specific cases together with
opensslconf.h.
I've checked fairly well that nothing breaks with this (apart from
external software that will adapt if they have used something like
NO_KRB5), but I can't guarantee it completely, so a review of this
change would be a good thing.
|
|
Add revelant new X509V3 extensions.
Add OIDs.
Fix ASN1 memory leak code to pop info if external allocation used.
|
|
|
|
|
|
certificates.
One is a valid CA which has no basicConstraints
but does have certSign keyUsage.
Other is S/MIME signer with nonRepudiation but
no digitalSignature.
|
