Brian Smith
4bab386cc6
Treat *.der as binary in .gitattributes.
2016-11-21 12:30:09 -10:00
Joseph Birr-Pixton
cc7b1fabc5
appveyor: bump rust version; latest ring requires it
2016-11-21 12:30:08 -10:00
Brian Smith
c26bca4700
0.7.0: Remove NIST Open Systems Environment (OSE) SHA-1 OID.
...
This enables us to support exactly one OID per signature algorithm.
A Censys search found no publicly-trusted certificates using this OID:
https://censys.io/certificates?q=parsed.signature.signature_algorithm.oid%3A+1.3.14.3.2.29
This won't impact uses of RSA PKCS#1 SHA-1 for ServerKeyExchange
signatures since those signatures don't identify the algorithm using
OIDS.
2016-11-17 11:28:16 -10:00
Brian Smith
a830244795
Remove ECDSA_P256_SHA512 and ECDSA_P384_SHA512.
...
The Chromium/BoringSSL team showed that it isn't necessary to support
ECDSA with SHA-512 for the P-256 and P-384 curves for HTTPS; see
https://groups.google.com/a/chromium.org/d/msg/security-dev/SlfABuvvQas/qOil2X4UBQAJ
and
https://groups.google.com/a/chromium.org/d/msg/security-dev/SlfABuvvQas/HXaWVhZkBQAJ ,
in particular "I'd also found no ECDSA/SHA-1 or ECDSA/SHA-512
certificates in CT logs."
2016-11-05 20:47:06 -10:00
Brian Smith
7255c5537e
Remove ECDSA-SHA1 support; Bump version to 0.6.0.
2016-10-27 23:31:52 -10:00
Brian Smith
0b49d9da61
0.5.1; Require *ring* 0.5.3+.
...
*ring* 0.5.3 includes a fix for ECDSA verification.
2016-10-26 19:37:18 -10:00
Brian Smith
1778bb3926
Work around rustc/libstd bug regarding `unused_qualifications` lint.
2016-10-26 19:36:29 -10:00
Brian Smith
d5f9073f01
Remove use of `match_of_unit_variant_via_paren_dotdot`.
2016-10-26 19:34:58 -10:00
Brian Smith
b42df860ce
webpki 0.5; Require *ring* 0.5.1.
...
This also aligns the version numbers, at least temporarily.
2016-10-25 11:21:45 -10:00
Brian Smith
865f8eb23c
Clean up build status in README.md, removing badges.
...
The badges are tracking beacons and aren't so useful.
2016-10-25 10:52:46 -10:00
Brian Smith
161d01cd79
Upgrade to *ring* 0.5; Update version to 0.4.
...
*ring* 0.5 includes fixes for building on BSDs.
2016-10-24 18:42:27 -10:00
Brian Smith
7b99d68568
Update to *ring* 0.4.0.
2016-08-28 18:37:51 -10:00
Brian Smith
12265db4d5
Fix build breakage with Rust Nightly.
...
`drop_with_repr_extern` was removed when Drop flags were removed.
2016-08-27 10:38:45 -10:00
Brian Smith
220acd14a9
Bump version number for publication.
2016-08-26 12:04:05 -10:00
Joseph Birr-Pixton
8fd9a8975b
Add tests for -ve and zero serials in roots
...
I agree to license my contributions to each file under the
terms given at the top of each file I changed.
2016-08-26 12:01:43 -10:00
Brian Smith
8d3309988d
Allow trust anchors with invalid serial numbers.
2016-08-26 12:01:02 -10:00
Brian Smith
591a11b6b0
Clarify error handling in cert_der_as_trust_anchor.
2016-08-26 12:00:09 -10:00
Brian Smith
898085122e
Fix warnings about unused results in trust_anchor_util.rs.
2016-08-26 11:58:16 -10:00
Joseph Birr-Pixton
d4d2886295
Parse v1 implicit certs for trust_anchor_util.
...
This is needed to make the previous Netflix integration test work.
We fall back to parsing as v1 only if v3 fails, and even then don't
discard the v3 error.
I agree to license my contributions to each file under the terms
given at the top of each file I changed.
2016-08-26 11:58:15 -10:00
Joseph Birr-Pixton
9262f3368c
Add some basic integration tests.
...
This first represents the current state of Netflix usage. They have a
root certificate (one of the old Verisign ones) which cannot be parsed
by trust_anchor_util.
I agree to license my contributions to each file under the
terms given at the top of each file I changed.
2016-08-26 11:56:05 -10:00
Brian Smith
dcbebfae70
Bump versions.
...
* Update *ring* requirement to 0.3.0.
* Update Appveyor configuration to use Rust 1.11.0 on stable, which is
the latest Rust version and the minimum required by *ring*.
* Bump version number to indicate these are incompatible changes.
* Drop leftover remnants of MSVC 2013 testing on Appveyor.
2016-08-24 00:46:09 -10:00
Brian Smith
f812333a3d
Prepare for publishing on crates.io.
2016-08-15 15:32:19 -10:00
Brian Smith
5f73366ecc
Use *ring* from crates.io.
2016-08-15 15:28:00 -10:00
Brian Smith
ba9d1e4e5e
Fix documentation for `EndEntityCert.verify_signature`.
2016-08-15 11:46:17 -10:00
Brian Smith
272de41132
Use `use` more consistently.
...
Follow the way it is done in *ring* (mostly).
2016-08-12 23:08:27 -10:00
Brian Smith
01025339d9
Fix typos in documentation of der::optional_boolean.
2016-08-12 21:54:33 -10:00
Brian Smith
011adae3af
Rename {expect,read}_tag_and_get_input -> {expect,read}_tag_and_get_value.
...
Be consistent with the *ring* names.
2016-08-12 21:52:59 -10:00
Brian Smith
41da466c3f
Add GitHub link to the documentation.
2016-08-12 17:08:14 -10:00
Brian Smith
0366b88c22
Document the multi-step certificate validation process for TLS.
2016-08-12 16:12:59 -10:00
Brian Smith
42bba83cce
Add ability to verify signatures with end-entity public key.
2016-08-12 16:11:53 -10:00
Brian Smith
870654884f
Refactor signed_data to prepare for verifying end-entity signatures.
2016-08-12 16:11:53 -10:00
Brian Smith
5e74d88a6f
Clarify SPKI parsing by using a structure instead of a tuple.
2016-08-12 16:11:53 -10:00
Brian Smith
f7cfa50cd3
Create a new public API.
2016-08-12 16:11:52 -10:00
Brian Smith
cee177915f
Add documentation links.
2016-08-12 16:05:12 -10:00
Brian Smith
fc7d64f852
Fix typo in documentation for Error::UnsupportedSignatureAlgorithm.
2016-08-12 16:05:12 -10:00
Brian Smith
6fedeba29b
Remove commented-out code.
2016-08-12 16:05:11 -10:00
Brian Smith
8ac95e05e3
Rename Error::BadSignature -> Error::InvalidSignatureForPublicKey.
...
The new name is clearer about what the actual problem is.
2016-08-11 16:40:01 -10:00
Brian Smith
83cec92588
Expose `verify_signed_data` and `SignedData`.
...
This is the minimum amount of support needed to support verifying
signatures using the end-entity certificate's public key.
2016-08-11 16:40:00 -10:00
Brian Smith
534c6d5799
Enable the missing_docs lint.
2016-08-11 16:40:00 -10:00
Brian Smith
22970ae330
Document TrustAnchor.
2016-08-11 16:39:59 -10:00
Brian Smith
0de65f7e50
Add summery of crate as a doc comment.
2016-08-11 16:39:59 -10:00
Brian Smith
6f3d48ef4f
Add **Important** notes about the two-step validation process.
2016-08-11 16:39:59 -10:00
Brian Smith
2bdb798540
Convert documentation for `verify_cert_dns_name` to doc comments.
...
Also improve the documentation a bit.
2016-08-11 16:39:58 -10:00
Brian Smith
859f3905e3
Add documentation for `verify_tls_cert`.
2016-08-11 16:39:58 -10:00
Brian Smith
50357d977e
Add documentation for signature algorithms.
2016-08-11 16:39:57 -10:00
Brian Smith
5b65702d52
Add documentation for errors (webpki::Error).
2016-08-11 16:39:57 -10:00
Brian Smith
30c8ed1a8c
Remove the unneeded concept of fatal errors.
...
`InvalidTrustAnchor` wasn't even used. `ImpossibleState` was replaced
with a panic.
2016-08-11 15:40:06 -10:00
Brian Smith
ee2161856e
Enable unused_qualifications lint.
2016-08-11 15:35:38 -10:00
Brian Smith
de83e4810a
Enable unused_results lint.
2016-08-11 15:33:20 -10:00
Brian Smith
5af33dfc4d
Enable more lints.
2016-08-11 15:31:49 -10:00