Age | Commit message (Collapse) | Author |
|
|
|
OTP-12986
|
|
|
|
Line number references are with respect to sources
in public_key.erl
Changes:
- pkix_sign replaced public with private (L510)
(Certificates are signed by private keys)
- pki_asn1_type() added 'CertificateList' (L73)
- pkix_sign_types added ecdsa (L404)
- pkix_verify added ec_public_key() (L530)
- pkix_is_issuer added 'CertificateList' (L569)
|
|
|
|
|
|
This reverts commit e09dd66dc4d89c62ddfd8c19791f9678d5d787c6.
|
|
|
|
|
|
Make sure that links from ssl to public_key work.
OTP-12670 - Ignoring 1.2 extension in 1.0 or TLS-1.1
solved by 5edda23ee854038c9d4bcddd0d676ee0ffd20da5
is mentioned here to make the release scripts happy,
as the branch solving this accidently had a name ending 1267
instead of 12670
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Erlang bitstring type only uses as many bits as required, and
does not use padding to create complete bytes as ASN1 compact_bitstring
did. crypto:verify/5 will now fail, for some incorrect signatures
as it expects complete bytes which an incorrect signature may not have.
Instead of catching the failing crypto function and then returning
false we check the input and reject it right away.
|
|
* E.I bitstrings will not be decode as {Unused, Binary}, they are now
Erlang bitstrings.
* Also the compact_bit_string implies the legacy_erlang_types switch
- So removing the switch will also make OCTET STRING values be represented
as binaries.
- Undecoded open type will now be wrapped in a asn1_OPENTYPE tuple.
We need to handle this in pubkey_pbe.erl, maybe this can be eliminated
later by updating/refreshing ASN1-specs.
This will change some values in records returned by the public_key API
making this change a potentiall incompatibility.
|
|
=== OTP-17.5 ===
Changed Applications:
- asn1-3.0.4
- common_test-1.10
- compiler-5.0.4
- crypto-3.5
- debugger-4.0.3
- dialyzer-2.7.4
- diameter-1.9
- eldap-1.1.1
- erts-6.4
- hipe-3.11.3
- inets-5.10.6
- kernel-3.2
- mnesia-4.12.5
- observer-2.0.4
- os_mon-2.3.1
- public_key-0.23
- runtime_tools-1.8.16
- ssh-3.2
- ssl-6.0
- stdlib-2.4
- syntax_tools-1.6.18
- test_server-3.8
- tools-2.7.2
- wx-1.3.3
Unchanged Applications:
- cosEvent-2.1.15
- cosEventDomain-1.1.14
- cosFileTransfer-1.1.16
- cosNotification-1.1.21
- cosProperty-1.1.17
- cosTime-1.1.14
- cosTransactions-1.2.14
- edoc-0.7.16
- erl_docgen-0.3.7
- erl_interface-3.7.20
- et-1.5
- eunit-2.2.9
- gs-1.5.16
- ic-4.3.6
- jinterface-1.5.12
- megaco-3.17.3
- odbc-2.10.22
- orber-3.7.1
- ose-1.0.2
- otp_mibs-1.0.10
- parsetools-2.0.12
- percept-0.8.10
- reltool-0.6.6
- sasl-2.4.1
- snmp-5.1.1
- typer-0.9.8
- webtool-0.8.10
- xmerl-1.3.7
Conflicts:
OTP_VERSION
erts/vsn.mk
lib/ssl/vsn.mk
|
|
|
|
|
|
|
|
|
|
* mururu/fix-type:
Fix typos in the public_key doc
OTP-12549
|
|
|
|
|
|
|
|
See #535
Signed-off-by: Peter Lemenkov <[email protected]>
|
|
|
|
|
|
|
|
Check that the certificate chain ends with a trusted ROOT CA e.i. a
self-signed certificate, but provide an option partial_chain to
enable the application to define an intermediat CA as trusted.
TLS RFC says:
"unknown_ca
A valid certificate chain or partial chain was received, but the
certificate was not accepted because the CA certificate could not
be located or couldn't be matched with a known, trusted CA. This
message is always fatal."
and also states:
"certificate_list
This is a sequence (chain) of certificates. The sender's
certificate MUST come first in the list. Each following
certificate MUST directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root
certificate authority MAY be omitted from the chain, under the
assumption that the remote end must already possess it in order to
validate it in any case."
X509 RFC says:
"The selection of a trust anchor is a matter of policy: it could be
the top CA in a hierarchical PKI, the CA that issued the verifier's
own certificate(s), or any other CA in a network PKI. The path
validation procedure is the same regardless of the choice of trust
anchor. In addition, different applications may rely on different
trust anchors, or may accept paths that begin with any of a set of
trust anchors."
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Handle v1 CRLs, with no extensions.
* Compare the IDP on a CRL correctly, if present
* Don't try to double-decode altnames
Tests are also included, and the make_certs testing tool in the SSL
application has been greatly extended.
|
|
|
|
Most dependencies introduced are exactly the dependencies to other
applications found by xref. That is, there might be real dependencies
missing. There might also be pure debug dependencies listed that
probably should be removed. Each application has to be manually
inspected in order to ensure that all real dependencies are listed.
All dependencies introduced are to application versions used in
OTP 17.0. This since the previously used version scheme wasn't
designed for this, and in order to minimize the work of introducing
the dependencies.
|