| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
* legoscia/ssl_crl_hash_dir-bis/PR-982/OTP-13530:
Skip crl_hash_dir_expired test for LibreSSL
Add ssl_crl_hash_dir module
Function for generating OpenSSL-style name hashes
Add public_key:pkix_match_dist_point
Improve formatting for crl_{check,cache} options
Add issuer arg to ssl_crl_cache_api lookup callback
Conflicts:
lib/public_key/test/public_key_SUITE.erl
|
|
|
|
public_key use cases are cryptographical so use
crypto:strong_rand_bytes/1 instead.
|
|
OpenSSL has functions to generate short (eight hex digits) hashes of
issuers of certificates and CRLs. These hashes are used by the
"c_rehash" script to populate directories of CA certificates and CRLs,
e.g. in the Apache web server. Adding this function lets an Erlang
program find the right CRL for a given certificate in such a
directory.
|
|
|
|
Also add missing test for PEM encoded private EC keys.
|
|
|
|
|
|
Also tool (public_key:gen_moduli_hrl) to convert an openssh moduli file to erlang format.
|
|
|
|
Line number references are with respect to sources
in public_key.erl
Changes:
- pkix_sign replaced public with private (L510)
(Certificates are signed by private keys)
- pki_asn1_type() added 'CertificateList' (L73)
- pkix_sign_types added ecdsa (L404)
- pkix_verify added ec_public_key() (L530)
- pkix_is_issuer added 'CertificateList' (L569)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* mururu/fix-type:
Fix typos in the public_key doc
OTP-12549
|
|
|
|
|
|
|
|
Check that the certificate chain ends with a trusted ROOT CA e.i. a
self-signed certificate, but provide an option partial_chain to
enable the application to define an intermediat CA as trusted.
TLS RFC says:
"unknown_ca
A valid certificate chain or partial chain was received, but the
certificate was not accepted because the CA certificate could not
be located or couldn't be matched with a known, trusted CA. This
message is always fatal."
and also states:
"certificate_list
This is a sequence (chain) of certificates. The sender's
certificate MUST come first in the list. Each following
certificate MUST directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root
certificate authority MAY be omitted from the chain, under the
assumption that the remote end must already possess it in order to
validate it in any case."
X509 RFC says:
"The selection of a trust anchor is a matter of policy: it could be
the top CA in a hierarchical PKI, the CA that issued the verifier's
own certificate(s), or any other CA in a network PKI. The path
validation procedure is the same regardless of the choice of trust
anchor. In addition, different applications may rely on different
trust anchors, or may accept paths that begin with any of a set of
trust anchors."
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
When documenting public_key/0 and private_key/0, I noticed the
inconsistent state of formatting in public_key(3)'s Data Types section.
This should be fixed for consistency and readability.
|
|
public_key:private_key/0 was referenced but undefined, and lib/ssl had a
local definition of private_key/0.
To fix that, make the following changes:
* add public_key:private_key/0 type
* document public_key/0 and private_key/0
* fix incorrect definitions and references
|
|
ssh and public_key were referring to proplists:proplists/0
which does not exist. Fix by using the correct type proplists:proplist/0.
|
|
|
|
* ia/public_key/crypto/prepare-for-release:
public_key & ssl: Add ASN-1 dependency
crypto & public_key: prepare for release
|
|
|
|
|
|
As the ASN-1 application relies on a nif in R16 for decodeing (that
was not the case in R15), public_key currently has a runtime
dependency on ASN-1. Hopefully we will be able to remove this
dependency again in the future.
|
|
Conflicts:
lib/crypto/doc/src/crypto_app.xml
|
|
|
|
|
|
|
|
|
|
|
|
Some certificates may use these OIDs instead of the ones defined by
PKIX/PKCS standard.
Refactor code so that all handling of the "duplicate" oids is done by
public_key.
Update algorithm information in documentation.
|
