| #
da1c088f |
| 07-Sep-2023 |
Matt Caswell |
Copyright year updates
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
|
| #
a4e72642 |
| 07-Mar-2023 |
Matt Caswell |
Generate some certificates with the certificatePolicies extension
Related-to: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl
Generate some certificates with the certificatePolicies extension
Related-to: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20585)
show more ...
|
| #
61a97676 |
| 15-Jun-2022 |
Lutz Jaenicke |
X509: add tests for purpose code signing in verify application
Correct configuration according to CA Browser forum:
KU: critical,digitalSignature
XKU: codeSiging
Note: I
X509: add tests for purpose code signing in verify application
Correct configuration according to CA Browser forum:
KU: critical,digitalSignature
XKU: codeSiging
Note: I did not find any other document formally defining the requirements
for code signing certificates.
Some combinations are explicitly forbidden, some flags can be ignored
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)
show more ...
|
| #
3269c8bd |
| 02-Dec-2021 |
Matt Caswell |
Add a new Name Constraints test cert
Add a cert which complies with the name constraints but has no
SAN extension
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
| #
80070e47 |
| 08-Jun-2021 |
Dr. David von Oheimb |
test/certs/mkcert.sh: Correct description of geneealt parameters
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15656)
|
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11 |
|
| #
199df4a9 |
| 26-Jan-2021 |
Dr. David von Oheimb |
check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS
This is an upstream fix for #13931
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged fro
check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS
This is an upstream fix for #13931
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13968)
show more ...
|
| #
4333b89f |
| 28-Jan-2021 |
Richard Levitte |
Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13999)
|
|
Revision tags: openssl-3.0.0-alpha10 |
|
| #
9495cfbc |
| 12-Dec-2020 |
Dr. David von Oheimb |
make various test CA certs RFC 5280 compliant w.r.t. X509 extensions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13719)
|
|
Revision tags: OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8, openssl-3.0.0-alpha7 |
|
| #
cf61b97d |
| 23-Sep-2020 |
Tomas Mraz |
Generate a certificate with critical id-pkix-ocsp-nocheck extension
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/1294
Generate a certificate with critical id-pkix-ocsp-nocheck extension
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12947)
show more ...
|
|
Revision tags: OpenSSL_1_1_1h, openssl-3.0.0-alpha6, openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2, openssl-3.0.0-alpha1 |
|
| #
33388b44 |
| 23-Apr-2020 |
Matt Caswell |
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)
|
|
Revision tags: OpenSSL_1_1_1g, OpenSSL_1_1_1f, OpenSSL_1_1_1e |
|
| #
4d9e8c95 |
| 22-Jan-2020 |
Kurt Roeckx |
Create a new embeddedSCTs1 that's signed using SHA256
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
GH: #10786
|
|
Revision tags: OpenSSL_1_0_2u, OpenSSL_1_0_2t, OpenSSL_1_1_0l, OpenSSL_1_1_1d |
|
| #
39d9ea5e |
| 08-Aug-2019 |
Matt Caswell |
Add Restricted PSS certificate and key
Create a PSS certificate with parameter restrictions
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl
Add Restricted PSS certificate and key
Create a PSS certificate with parameter restrictions
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9553)
show more ...
|
|
Revision tags: OpenSSL_1_1_1c, OpenSSL_1_1_0k, OpenSSL_1_0_2s, OpenSSL_1_0_2r, OpenSSL_1_1_1b |
|
| #
909f1a2e |
| 06-Dec-2018 |
Richard Levitte |
Following the license change, modify the boilerplates in test/
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7767)
|
|
Revision tags: OpenSSL_1_0_2q, OpenSSL_1_1_0j, OpenSSL_1_1_1a, OpenSSL_1_1_1, OpenSSL_1_1_1-pre9, OpenSSL_1_0_2p, OpenSSL_1_1_0i, OpenSSL_1_1_1-pre8, OpenSSL_1_1_1-pre7, OpenSSL_1_1_1-pre6, OpenSSL_1_1_1-pre5, OpenSSL_1_1_1-pre4, OpenSSL_1_0_2o, OpenSSL_1_1_0h, OpenSSL_1_1_1-pre3 |
|
| #
b0edda11 |
| 20-Mar-2018 |
Matt Caswell |
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5689)
|
|
Revision tags: OpenSSL_1_1_1-pre2 |
|
| #
fe93b010 |
| 27-Feb-2018 |
Matt Caswell |
Update tests for TLS Ed448
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5470)
|
|
Revision tags: OpenSSL_1_1_1-pre1, OpenSSL_1_0_2n |
|
| #
46f4e1be |
| 12-Nov-2017 |
Josh Soref |
Many spelling fixes/typo's corrected.
Around 138 distinct errors found and fixed; thanks!
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Many spelling fixes/typo's corrected.
Around 138 distinct errors found and fixed; thanks!
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3459)
show more ...
|
|
Revision tags: OpenSSL_1_0_2m, OpenSSL_1_1_0g |
|
| #
624265c6 |
| 15-Jun-2017 |
Rich Salz |
Cleanup some copyright stuff
Remove some incorrect copyright references.
Move copyright to standard place
Add OpenSSL copyright where missing.
Remove copyrighted file that we don
Cleanup some copyright stuff
Remove some incorrect copyright references.
Move copyright to standard place
Add OpenSSL copyright where missing.
Remove copyrighted file that we don't use any more
Remove Itanium assembler for RC4 and MD5 (assembler versions of old and
weak algorithms for an old chip)
Standardize apps/rehash copyright comment; approved by Timo
Put dual-copyright notice on mkcert
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3691)
show more ...
|
| #
bc88fc79 |
| 14-Jun-2017 |
Dr. Stephen Henson |
Ed25519 support for mkcert.sh
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3585)
|
|
Revision tags: OpenSSL_1_0_2l, OpenSSL_1_1_0f, OpenSSL-fips-2_0_16 |
|
| #
0c8736f4 |
| 17-Feb-2017 |
Dr. Stephen Henson |
Add DSA support to mkcert.sh
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2667)
|
|
Revision tags: OpenSSL_1_1_0e, OpenSSL_1_0_2k, OpenSSL_1_1_0d, OpenSSL-fips-2_0_15, OpenSSL-fips-2_0_14, OpenSSL_1_1_0c, OpenSSL_1_0_2j, OpenSSL_1_1_0b, OpenSSL_1_0_1u, OpenSSL_1_0_2i, OpenSSL_1_1_0a, OpenSSL_1_1_0, OpenSSL_1_1_0-pre6 |
|
| #
d83b7e1a |
| 22-Jun-2016 |
Dr. Stephen Henson |
Extend mkcert.sh to support nameConstraints generation and more complex
subject alternate names.
Add nameConstraints tests incluing DNS, IP and email tests both in
subject alt name e
Extend mkcert.sh to support nameConstraints generation and more complex
subject alternate names.
Add nameConstraints tests incluing DNS, IP and email tests both in
subject alt name extension and subject name.
Reviewed-by: Richard Levitte <levitte@openssl.org>
show more ...
|
| #
615dd78b |
| 23-Jun-2016 |
Viktor Dukhovni |
Drop extraneous printf argument in mkcert.sh
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
| #
b58614d7 |
| 22-Jun-2016 |
Dr. Stephen Henson |
Fix generation of expired CA certificate.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Revision tags: OpenSSL-fips-2_0_13 |
|
| #
71c8cd20 |
| 19-Jun-2016 |
Richard Levitte |
Make it possible to generate proxy certs with test/certs/mkcert.sh
This extends 'req' to take more than one DN component, and to take
them as full DN components and not just CN values.
Make it possible to generate proxy certs with test/certs/mkcert.sh
This extends 'req' to take more than one DN component, and to take
them as full DN components and not just CN values. All other commands
are changed to pass "CN = $cn" instead of just a CN value.
This adds 'genpc', which differs from the other 'gen*' commands by not
calling 'req', and expect the result from 'req' to come through stdin.
Finally, test/certs/setup.sh gets the commands needed to generate a
few proxy certificates.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
show more ...
|
| #
a7be5759 |
| 13-Jun-2016 |
Rich Salz |
RT3809: basicConstraints is critical
This is really a security bugfix, not enhancement any more.
Everyone knows critical extensions.
Reviewed-by: Dr. Stephen Henson <steve@opens
RT3809: basicConstraints is critical
This is really a security bugfix, not enhancement any more.
Everyone knows critical extensions.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
show more ...
|
|
Revision tags: OpenSSL_1_0_1t, OpenSSL_1_0_2h, OpenSSL_1_1_0-pre5 |
|
| #
fbb82a60 |
| 19-Mar-2016 |
Viktor Dukhovni |
Move peer chain security checks into x509_vfy.c
A new X509_VERIFY_PARAM_set_auth_level() function sets the
authentication security level. For verification of SSL peers, this
is auto
Move peer chain security checks into x509_vfy.c
A new X509_VERIFY_PARAM_set_auth_level() function sets the
authentication security level. For verification of SSL peers, this
is automatically set from the SSL security level. Otherwise, for
now, the authentication security level remains at (effectively) 0
by default.
The new "-auth_level" verify(1) option is available in all the
command-line tools that support the standard verify(1) options.
New verify(1) tests added to check enforcement of chain signature
and public key security levels. Also added new tests of enforcement
of the verify_depth limit.
Updated documentation.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
show more ...
|
