rust
/
webpki
mirror of https://github.com/briansmith/webpki
1
0
Fork 0
Code Issues Releases Wiki Activity
115 Commits 13 Branches 12 Tags 1.3 MiB
Commit Graph

115 Commits

Author SHA1 Message Date
Brian Smith 4bab386cc6 Treat *.der as binary in .gitattributes. 2016-11-21 12:30:09 -10:00
Joseph Birr-Pixton cc7b1fabc5 appveyor: bump rust version; latest ring requires it 2016-11-21 12:30:08 -10:00
Brian Smith c26bca4700 0.7.0: Remove NIST Open Systems Environment (OSE) SHA-1 OID. 
This enables us to support exactly one OID per signature algorithm.
A Censys search found no publicly-trusted certificates using this OID:
https://censys.io/certificates?q=parsed.signature.signature_algorithm.oid%3A+1.3.14.3.2.29

This won't impact uses of RSA PKCS#1 SHA-1 for ServerKeyExchange
signatures since those signatures don't identify the algorithm using
OIDS.
 2016-11-17 11:28:16 -10:00
Brian Smith a830244795 Remove ECDSA_P256_SHA512 and ECDSA_P384_SHA512. 
The Chromium/BoringSSL team showed that it isn't necessary to support
ECDSA with SHA-512 for the P-256 and P-384 curves for HTTPS; see
https://groups.google.com/a/chromium.org/d/msg/security-dev/SlfABuvvQas/qOil2X4UBQAJ
and
https://groups.google.com/a/chromium.org/d/msg/security-dev/SlfABuvvQas/HXaWVhZkBQAJ,
in particular "I'd also found no ECDSA/SHA-1 or ECDSA/SHA-512
certificates in CT logs."
 2016-11-05 20:47:06 -10:00
Brian Smith 7255c5537e Remove ECDSA-SHA1 support; Bump version to 0.6.0. 2016-10-27 23:31:52 -10:00
Brian Smith 0b49d9da61 0.5.1; Require *ring* 0.5.3+. 
*ring* 0.5.3 includes a fix for ECDSA verification.
 2016-10-26 19:37:18 -10:00
Brian Smith 1778bb3926 Work around rustc/libstd bug regarding `unused_qualifications` lint. 2016-10-26 19:36:29 -10:00
Brian Smith d5f9073f01 Remove use of `match_of_unit_variant_via_paren_dotdot`. 2016-10-26 19:34:58 -10:00
Brian Smith b42df860ce webpki 0.5; Require *ring* 0.5.1. 
This also aligns the version numbers, at least temporarily.
 2016-10-25 11:21:45 -10:00
Brian Smith 865f8eb23c Clean up build status in README.md, removing badges. 
The badges are tracking beacons and aren't so useful.
 2016-10-25 10:52:46 -10:00
Brian Smith 161d01cd79 Upgrade to *ring* 0.5; Update version to 0.4. 
*ring* 0.5 includes fixes for building on BSDs.
 2016-10-24 18:42:27 -10:00
Brian Smith 7b99d68568 Update to *ring* 0.4.0. 2016-08-28 18:37:51 -10:00
Brian Smith 12265db4d5 Fix build breakage with Rust Nightly. 
`drop_with_repr_extern` was removed when Drop flags were removed.
 2016-08-27 10:38:45 -10:00
Brian Smith 220acd14a9 Bump version number for publication. 2016-08-26 12:04:05 -10:00
Joseph Birr-Pixton 8fd9a8975b Add tests for -ve and zero serials in roots 
I agree to license my contributions to each file under the
terms given at the top of each file I changed.
 2016-08-26 12:01:43 -10:00
Brian Smith 8d3309988d Allow trust anchors with invalid serial numbers. 2016-08-26 12:01:02 -10:00
Brian Smith 591a11b6b0 Clarify error handling in cert_der_as_trust_anchor. 2016-08-26 12:00:09 -10:00
Brian Smith 898085122e Fix warnings about unused results in trust_anchor_util.rs. 2016-08-26 11:58:16 -10:00
Joseph Birr-Pixton d4d2886295 Parse v1 implicit certs for trust_anchor_util. 
This is needed to make the previous Netflix integration test work.
We fall back to parsing as v1 only if v3 fails, and even then don't
discard the v3 error.

I agree to license my contributions to each file under the terms
given at the top of each file I changed.
 2016-08-26 11:58:15 -10:00
Joseph Birr-Pixton 9262f3368c Add some basic integration tests. 
This first represents the current state of Netflix usage. They have a
root certificate (one of the old Verisign ones) which cannot be parsed
by trust_anchor_util.

I agree to license my contributions to each file under the
terms given at the top of each file I changed.
 2016-08-26 11:56:05 -10:00
Brian Smith dcbebfae70 Bump versions. 
* Update *ring* requirement to 0.3.0.
* Update Appveyor configuration to use Rust 1.11.0 on stable, which is
  the latest Rust version and the minimum required by *ring*.
* Bump version number to indicate these are incompatible changes.
* Drop leftover remnants of MSVC 2013 testing on Appveyor.
 2016-08-24 00:46:09 -10:00
Brian Smith f812333a3d Prepare for publishing on crates.io. 2016-08-15 15:32:19 -10:00
Brian Smith 5f73366ecc Use *ring* from crates.io. 2016-08-15 15:28:00 -10:00
Brian Smith ba9d1e4e5e Fix documentation for `EndEntityCert.verify_signature`. 2016-08-15 11:46:17 -10:00
Brian Smith 272de41132 Use `use` more consistently. 
Follow the way it is done in *ring* (mostly).
 2016-08-12 23:08:27 -10:00
Brian Smith 01025339d9 Fix typos in documentation of der::optional_boolean. 2016-08-12 21:54:33 -10:00
Brian Smith 011adae3af Rename {expect,read}_tag_and_get_input -> {expect,read}_tag_and_get_value. 
Be consistent with the *ring* names.
 2016-08-12 21:52:59 -10:00
Brian Smith 41da466c3f Add GitHub link to the documentation. 2016-08-12 17:08:14 -10:00
Brian Smith 0366b88c22 Document the multi-step certificate validation process for TLS. 2016-08-12 16:12:59 -10:00
Brian Smith 42bba83cce Add ability to verify signatures with end-entity public key. 2016-08-12 16:11:53 -10:00
Brian Smith 870654884f Refactor signed_data to prepare for verifying end-entity signatures. 2016-08-12 16:11:53 -10:00
Brian Smith 5e74d88a6f Clarify SPKI parsing by using a structure instead of a tuple. 2016-08-12 16:11:53 -10:00
Brian Smith f7cfa50cd3 Create a new public API. 2016-08-12 16:11:52 -10:00
Brian Smith cee177915f Add documentation links. 2016-08-12 16:05:12 -10:00
Brian Smith fc7d64f852 Fix typo in documentation for Error::UnsupportedSignatureAlgorithm. 2016-08-12 16:05:12 -10:00
Brian Smith 6fedeba29b Remove commented-out code. 2016-08-12 16:05:11 -10:00
Brian Smith 8ac95e05e3 Rename Error::BadSignature -> Error::InvalidSignatureForPublicKey. 
The new name is clearer about what the actual problem is.
 2016-08-11 16:40:01 -10:00
Brian Smith 83cec92588 Expose `verify_signed_data` and `SignedData`. 
This is the minimum amount of support needed to support verifying
signatures using the end-entity certificate's public key.
 2016-08-11 16:40:00 -10:00
Brian Smith 534c6d5799 Enable the missing_docs lint. 2016-08-11 16:40:00 -10:00
Brian Smith 22970ae330 Document TrustAnchor. 2016-08-11 16:39:59 -10:00
Brian Smith 0de65f7e50 Add summery of crate as a doc comment. 2016-08-11 16:39:59 -10:00
Brian Smith 6f3d48ef4f Add **Important** notes about the two-step validation process. 2016-08-11 16:39:59 -10:00
Brian Smith 2bdb798540 Convert documentation for `verify_cert_dns_name` to doc comments. 
Also improve the documentation a bit.
 2016-08-11 16:39:58 -10:00
Brian Smith 859f3905e3 Add documentation for `verify_tls_cert`. 2016-08-11 16:39:58 -10:00
Brian Smith 50357d977e Add documentation for signature algorithms. 2016-08-11 16:39:57 -10:00
Brian Smith 5b65702d52 Add documentation for errors (webpki::Error). 2016-08-11 16:39:57 -10:00
Brian Smith 30c8ed1a8c Remove the unneeded concept of fatal errors. 
`InvalidTrustAnchor` wasn't even used. `ImpossibleState` was replaced
with a panic.
 2016-08-11 15:40:06 -10:00
Brian Smith ee2161856e Enable unused_qualifications lint. 2016-08-11 15:35:38 -10:00
Brian Smith de83e4810a Enable unused_results lint. 2016-08-11 15:33:20 -10:00
Brian Smith 5af33dfc4d Enable more lints. 2016-08-11 15:31:49 -10:00