** libgnutls: gnutls_privkey_sign_hash2 now accepts the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA
flag as documented. This makes it a complete replacement of gnutls_privkey_sign_hash().
+** libgnutls: Added support for Generalname registeredID.
+
** The priority configuration was enhanced to allow more elaborate
system-wide configuration of the library (#587).
The following changes were included:
GNUTLS_MAC_AES_GMAC_128: Added
GNUTLS_MAC_AES_GMAC_192: Added
GNUTLS_MAC_AES_CMAC_256: Added
+GNUTLS_SAN_REGISTERED_ID: Added
* Version 3.6.8 (released 2019-05-28)
* @GNUTLS_SAN_IPADDRESS: IP address SAN.
* @GNUTLS_SAN_OTHERNAME: OtherName SAN.
* @GNUTLS_SAN_DN: DN SAN.
+ * @GNUTLS_SAN_REGISTERED_ID: RegisteredID.
* @GNUTLS_SAN_OTHERNAME_XMPP: Virtual SAN, used by certain functions for convenience.
* @GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL: Virtual SAN, used by certain functions for convenience.
*
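Review bot: The new GTK-doc line `@GNUTLS_SAN_REGISTERED_ID: RegisteredID.` is the only entry in this list that says nothing about what the value looks like, and for this type that matters: the test added in this same commit sets it from `"1.2.3.4.5"` and expects exactly `strlen(REGISTERED_OID)` bytes back, i.e. a dotted-decimal string with no trailing NUL. Suggest `@GNUTLS_SAN_REGISTERED_ID: RegisteredID SAN; the value is an OID in dotted-decimal string form (e.g. "1.2.3.4.5").` so API users do not guess at a DER-encoded OID. The enum this comment documents continues outside the hunk.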
GNUTLS_SAN_IPADDRESS = 4,
GNUTLS_SAN_OTHERNAME = 5,
GNUTLS_SAN_DN = 6,
- GNUTLS_SAN_MAX = GNUTLS_SAN_DN,
+ GNUTLS_SAN_REGISTERED_ID = 7,
+ GNUTLS_SAN_MAX = GNUTLS_SAN_REGISTERED_ID,
/* The following are "virtual" subject alternative name types, in
that they are represented by an otherName value and an OID.
Used by gnutls_x509_crt_get_subject_alt_othername_oid. */
return GNUTLS_SAN_OTHERNAME;
if (strcmp(str_type, "directoryName") == 0)
return GNUTLS_SAN_DN;
+ if (strcmp(str_type, "registeredID") == 0)
+ return GNUTLS_SAN_REGISTERED_ID;
+
return (gnutls_x509_subject_alt_name_t) - 1;
}
if (result == 0 && allow_null == 0 && len == 0) {
/* don't allow null strings */
return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);
+ } else if (result == 0 && allow_null == 0 && etype == ASN1_ETYPE_OBJECT_ID && len == 1) {
+ return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);
}
if (result != ASN1_MEM_ERROR) {
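Review bot: The new `len == 1` branch encodes an assumption that is not stated at the site: for ASN1_ETYPE_OBJECT_ID the length reported by libtasn1 includes the NUL terminator (the other hunk in this commit says as much, "OIDs contain the null termination byte"), so a length of 1 is an OID with no content, not an off-by-one. A reader without that context will take the magic `1` for a bug. Add a comment above the branch, `/* OIDs come back NUL-terminated, so len == 1 is an empty OID; reject it like a null string */`. The enclosing function starts and ends outside this hunk, so I cannot confirm here that no earlier path already returns for this case.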
case GNUTLS_SAN_IPADDRESS:
str = "iPAddress";
break;
+ case GNUTLS_SAN_REGISTERED_ID:
+ str = "registeredID";
+ break;
default:
gnutls_assert();
return GNUTLS_E_INTERNAL_ERROR;
addf(str, _("%sdirectoryName: %.*s\n"), prefix, name->size, NON_NULL(name->data));
break;
+ case GNUTLS_SAN_REGISTERED_ID:
+ addf(str, _("%sRegistered ID: %.*s\n"), prefix, name->size, NON_NULL(name->data));
+ break;
+
case GNUTLS_SAN_OTHERNAME_XMPP:
addf(str, _("%sXMPP Address: %.*s\n"), prefix, name->size, NON_NULL(name->data));
break;
{
if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME ||
type == GNUTLS_SAN_URI || type == GNUTLS_SAN_OTHERNAME_XMPP ||
- type == GNUTLS_SAN_OTHERNAME)
+ type == GNUTLS_SAN_OTHERNAME || type == GNUTLS_SAN_REGISTERED_ID)
return 1;
else
return 0;
len = sizeof(choice_type);
result = asn1_read_value(src, nptr, choice_type, &len);
-
if (result == ASN1_VALUE_NOT_FOUND
|| result == ASN1_ELEMENT_NOT_FOUND) {
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
return ret;
}
+ if (type == GNUTLS_SAN_REGISTERED_ID && tmp.size > 0) {
+ /* see #805; OIDs contain the null termination byte */
+ assert(tmp.data[tmp.size-1] == 0);
+ tmp.size--;
+ }
+
/* _gnutls_x509_read_value() null terminates */
dname->size = tmp.size;
dname->data = tmp.data;
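Review bot: The `assert()` on the trailing byte is a debug-only check in code that parses certificate contents: if the build defines NDEBUG the check vanishes and `tmp.size--` silently drops a real byte of the value, and without NDEBUG a buffer that does not end in NUL aborts the process instead of returning an error. The context comment right below says _gnutls_x509_read_value() NUL-terminates, so the condition should always hold, but library parsing code should fail closed rather than trap: `if (tmp.data[tmp.size-1] != 0) { gnutls_free(tmp.data); return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); }` (freeing tmp.data assumes this function owns the buffer at that point — the lines that fill `tmp` are outside the hunk, so confirm against them). The `#805` reference would also be clearer as `/* see #805: the OID string from libtasn1 includes its NUL terminator, which must not count toward the returned size */`.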
certs-interesting/README.md certs-interesting/cert1.der certs-interesting/cert1.der.err \
certs-interesting/cert2.der certs-interesting/cert2.der.err certs-interesting/cert3.der \
certs-interesting/cert3.der.err certs-interesting/cert4.der certs-interesting/cert5.der \
- certs-interesting/cert6.der certs-interesting/cert6.der.err \
+ certs-interesting/cert5.der.err certs-interesting/cert6.der certs-interesting/cert6.der.err \
certs-interesting/cert7.der certs-interesting/cert8.der \
- certs-interesting/cert9.der certs-interesting/cert5.der.err \
+ certs-interesting/cert9.der certs-interesting/cert10.der \
certs-interesting/cert3.der.err certs-interesting/cert4.der \
scripts/common.sh scripts/starttls-common.sh \
rng-op.c x509sign-verify-common.h common-key-tests.h \
static unsigned char saved_crt_pem[] =
"-----BEGIN CERTIFICATE-----\n"
- "MIICWTCCAcKgAwIBAgIDChEAMA0GCSqGSIb3DQEBCwUAMCsxDjAMBgNVBAMTBW5p\n"
+ "MIICWjCCAcOgAwIBAgIDChEAMA0GCSqGSIb3DQEBCwUAMCsxDjAMBgNVBAMTBW5p\n"
"a29zMRkwFwYDVQQKExBub25lIHRvLCBtZW50aW9uMCAXDTA4MDMzMTIyMDAwMFoY\n"
"Dzk5OTkxMjMxMjM1OTU5WjArMQ4wDAYDVQQDEwVuaWtvczEZMBcGA1UEChMQbm9u\n"
"ZSB0bywgbWVudGlvbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAu2ZD9fLF\n"
"17aMzMXf9Yg7sclLag6hrSBQQAiAoU9co9D4bM/mPPfsBHYTF4tkiSJbwN1TfDvt\n"
"fAS7gLkovo6bxo6gpRLL9Vceoue7tzNJn+O7Sq5qTWj/yRHiMo3OPYALjXXv2ACB\n"
- "jygEA6AijWEEB/q2N30hB0nSCWFpmJCjWKkCAwEAAYEFAAABAgOCBQAEAwIBo3sw\n"
- "eTAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHgAAwNgYDVR0RBC8wLYIDYXBh\n"
- "ghF4bi0tbXhhYTRhczZkLmNvbYETdGVzdEB4bi0ta3hhd2hrLm9yZzAgBgNVHSUB\n"
- "Af8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADgYEAsCHT\n"
- "vpIFkQG8th0DbEU3BE3KP5aa93HDLpZPu5PVLkoBb4PPWjKPK+737mwaSs9zXe58\n"
- "awhM0ycZ1ymSC+MiRuQlzt4Opx1Fm8WFsDr7d0g/C96Arr1Ss4ZhNi15nyoYeaWJ\n"
- "1n7nX+msWnuc+aABt1d8aAhAvaU8do0+WI2jY90=\n"
+ "jygEA6AijWEEB/q2N30hB0nSCWFpmJCjWKkCAwEAAYEFAAABAgOCBQAEAwIBo3ww\n"
+ "ejAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHgAAwNwYDVR0RBDAwLogEKgME\n"
+ "BYIReG4tLW14YWE0YXM2ZC5jb22BE3Rlc3RAeG4tLWt4YXdoay5vcmcwIAYDVR0l\n"
+ "AQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4GBADzP\n"
+ "piA0s50R+oM/OWcHrARRMFhmOv8oj4mQeXjePCUJub8CDj1XnZwseIY9K9IU6Lxm\n"
+ "43p7kw1jFzPRBJyuZC5X92AdG1meR1RKd91M3VEvn2cgfesX7/MbhZIYJ8ZD2S1L\n"
+ "rqzVabXTZjKdHT727mCJdqzjDh7CFmb9Q2ZU6jDR\n"
"-----END CERTIFICATE-----\n";
const gnutls_datum_t saved_crt = { saved_crt_pem, sizeof(saved_crt_pem)-1 };
return then;
}
+#define REGISTERED_OID "1.2.3.4.5"
+
void doit(void)
{
gnutls_x509_privkey_t pkey;
const char *err = NULL;
unsigned char buf[64];
unsigned char large_buf[5*1024];
- unsigned int status;
+ unsigned int status, san_type;
gnutls_datum_t out;
- size_t s = 0;
+ size_t s = 0, i;
int ret;
ret = global_init();
if (ret != 0)
fail("gnutls_x509_crt_set_subject_alt_name\n");
+ ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_REGISTERED_ID,
+ REGISTERED_OID, strlen(REGISTERED_OID), 0);
+ if (ret != 0)
+ fail("gnutls_x509_crt_set_subject_alt_name\n");
+
ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME,
"απαλό.com", strlen("απαλό.com"), 1);
#if defined(HAVE_LIBIDN2) || defined(HAVE_LIBIDN)
assert(s == out.size);
assert(memcmp(large_buf, out.data, out.size) == 0);
+ /* verify some values written in the original cert */
+ gnutls_x509_crt_deinit(crt2);
+ ret = gnutls_x509_crt_init(&crt2);
+ if (ret != 0)
+ fail("gnutls_x509_crt_init\n");
+
+ ret = gnutls_x509_crt_import(crt2, &out, GNUTLS_X509_FMT_DER);
+ if (ret != 0)
+ fail("gnutls_x509_crt_import\n");
+
+ i = 0;
+ do {
+ s = sizeof(buf);
+ ret = gnutls_x509_crt_get_subject_alt_name2(crt2, i++, buf, &s, &san_type, NULL);
+ if (ret < 0)
+ fail("gnutls_x509_crt_get_subject_alt_name2: %s\n", gnutls_strerror(ret));
+ } while (san_type != GNUTLS_SAN_REGISTERED_ID);
+
+ assert(san_type == GNUTLS_SAN_REGISTERED_ID);
+ assert(s == strlen(REGISTERED_OID));
+ assert(memcmp(buf, REGISTERED_OID, s) == 0);
+
gnutls_free(out.data);
gnutls_x509_crt_deinit(crt);