path: root/doc
Commit message | Author | Age | Files | Lines
* EVP: Add the internal convenience function evp_keymgmt_util_export() | Richard Levitte | 2020-09-12 | 1 | -0/+6
  This is purely to allow exporting without having to repeatedly specify the keymgmt and keydata from the EVP_PKEY.
  Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12853)
* Fix EVP_PKEY_CTX_ctrl() documentation | Shane Lontis | 2020-09-12 | 1 | -114/+95
  Remove references to 'macro' from EVP_PKEY_CTX_ctrl() as they are all functions now, and update the HISTORY section.
  Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12853)
* Update doc for EVP_PKEY_CTX_set_ec_param_enc() | Shane Lontis | 2020-09-12 | 1 | -3/+4
  Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12853)
* keygen: add FIPS error state management to conditional self tests | Shane Lontis | 2020-09-12 | 1 | -0/+18
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12801)
* apps/ca: allow CRL lastUpdate/nextUpdate fields to be specified | Chris Novakovic | 2020-09-11 | 1 | -1/+19
  When generating a CRL using the "ca" utility, allow values for the lastUpdate and nextUpdate fields to be specified using the command line options -crl_lastupdate and -crl_nextupdate respectively.
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/12784)
* apps/cmp.c: Improve example given for -geninfo option (also in man page) | Dr. David von Oheimb | 2020-09-11 | 1 | -1/+1
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12825)
* OSSL_CMP_CTX_new.pod: improve doc of OSSL_CMP_CTX_get1_{extraCertsIn,caPubs} | Dr. David von Oheimb | 2020-09-11 | 1 | -2/+3
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12825)
* openssl-cmp.pod.in: Update Insta Demo CA port number in case needed | Dr. David von Oheimb | 2020-09-11 | 1 | -1/+1
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12825)
* apps/cmp.c: Improve documentation of -extracerts, -untrusted, and -otherpass | Dr. David von Oheimb | 2020-09-11 | 1 | -6/+10
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12825)
* apps/cmp.c: Improve documentation of -secret, -cert, and -key options | Dr. David von Oheimb | 2020-09-11 | 1 | -5/+10
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12825)
* Extend X509 cert checks and error reporting in v3_{purp,crld}.c and x509_{set,vfy}.c | Dr. David von Oheimb | 2020-09-11 | 2 | -0/+41
  add various checks for malformedness to static check_chain_extensions() in x509_vfc.c
  improve error reporting of X509v3_cache_extensions() in v3_purp.c
  add error reporting to x509_init_sig_info() in x509_set.c
  improve static setup_dp() and related functions in v3_purp.c and v3_crld.c
  add test case for non-conforming cert from https://tools.ietf.org/html/rfc8410#section-10.2
  Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12478)
* apps_ui.c: Correct password prompt for ui_method | Dr. David von Oheimb | 2020-09-10 | 1 | -4/+6
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12493)
* Fix fipsinstall module path | Shane Lontis | 2020-09-10 | 1 | -0/+2
  If a path is specified with the -module option it will use this path to load the library when the provider is activated, instead of also having to set the environment variable OPENSSL_MODULES.
  Added a platform specific opt_path_end() function that uses existing functionality used by opt_progname().
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12761)
* Add/harmonize multi-valued RDN support and doc of ca, cmp, req, storeutl, and x509 apps | Dr. David von Oheimb | 2020-09-10 | 5 | -36/+51
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12769)
* X509_NAME_cmp(): Clearly document its semantics, referencing relevant RFCs | Dr. David von Oheimb | 2020-09-10 | 1 | -7/+11
  Fixes #12765
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12769)
* X509_NAME_add_entry_by_txt.pod: Improve documentation w.r.t. multi-valued RDNs (containing sets of AVAs) | Dr. David von Oheimb | 2020-09-10 | 1 | -6/+6
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12769)
* X509_NAME_cmp: restrict normal return values to {-1,0,1} to avoid confusion with -2 for error | Dr. David von Oheimb | 2020-09-10 | 1 | -3/+2
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12769)
* X509_NAME_oneline(): Fix output of multi-valued RDNs, escaping '/' and '+' in values | Dr. David von Oheimb | 2020-09-10 | 1 | -11/+12
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12769)
* X509_NAME_print_ex.pod: re-format lines to fit within 80 chars limit | Dr. David von Oheimb | 2020-09-10 | 1 | -26/+34
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12769)
* bugfix in apps/cmp.c and cmp_client.c: inconsistencies on retrieving extraCerts in code and doc | Dr. David von Oheimb | 2020-09-10 | 2 | -9/+9
  Reviewed-by: Tim Hudson <tjh@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12822)
* Replace all wrong usages of 'B<...>' (typically by 'I<...>') in OSSL_CMP_CTX_new.pod | Dr. David von Oheimb | 2020-09-10 | 1 | -80/+84
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12741)
* Clean up CMP chain building for CMP signer, TLS client, and newly enrolled certs | Dr. David von Oheimb | 2020-09-10 | 4 | -16/+21
  * Use strengthened cert chain building, verifying chain using optional trust store while making sure that no certificate status (e.g., CRL) checks are done
  * Use OSSL_CMP_certConf_cb() by default and move its doc to OSSL_CMP_CTX_new.pod
  * Simplify certificate and cert store loading in apps/cmp.c
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12741)
* Support writing RSA keys using the traditional format again | Kurt Roeckx | 2020-09-09 | 3 | -8/+11
  Fixes: #6855
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  GH: #8743
* Allow unauthenticated CMP server if missing -trusted, -srvcert, and -secret options | Dr. David von Oheimb | 2020-09-08 | 1 | -0/+8
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12806)
* PEM: Make PEM_write_bio_PrivateKey_traditional() handle provider-native keys | Richard Levitte | 2020-09-08 | 1 | -1/+9
  PEM_write_bio_PrivateKey_traditional() didn't handle provider-native keys very well. Originally, it would simply use the corresponding encoder, which is likely to output modern PEM (not "traditional").
  PEM_write_bio_PrivateKey_traditional() is now changed to try and get a legacy copy of the input EVP_PKEY, and use that copy for traditional output, if it has such support.
  Internally, evp_pkey_copy_downgraded() is added, to be used when evp_pkey_downgrade() is too intrusive for what it's needed for.
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12738)
* Add CMS AuthEnvelopedData with AES-GCM support | Jakub Zelenka | 2020-09-08 | 4 | -28/+51
  Add the AuthEnvelopedData as defined in RFC 5083 with AES-GCM parameter as defined in RFC 5084.
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/8024)
* apps/cmp.c: Allow default HTTP path (aka CMP alias) given with -server option | Dr. David von Oheimb | 2020-09-08 | 1 | -3/+4
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12786)
* OSSL_HTTP_parse_url(): add optional port number return parameter and strengthen documentation | Dr. David von Oheimb | 2020-09-08 | 1 | -62/+74
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12786)
* DOC: Fix check of EVP_PKEY_fromdata{,_init} in examples | Richard Levitte | 2020-09-06 | 1 | -4/+4
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12389)
* DOC: Modify one example in EVP_PKEY_fromdata(3) | Richard Levitte | 2020-09-06 | 1 | -24/+45
  The example to create an EC key from user data didn't show what one could expect an application to do, especially with regard to how it's done with raw EC functions. We therefore refactor it to make proper use of a BIGNUM where expected, and also use OSSL_PARAM_BLD(3) for easier handling of the OSSL_PARAM array.
  Fixes #12388
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12389)
* OSSL_CMP_CTX: rename field and its getter/setter from 'untrusted_certs' to 'untrusted | Dr. David von Oheimb | 2020-09-05 | 2 | -9/+8
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12788)
* Strengthen chain building for CMP | Dr. David von Oheimb | 2020-09-05 | 3 | -18/+43
  * Add -own_trusted option to CMP app
  * Add OSSL_CMP_CTX_build_cert_chain()
  * Add optional trust store arg to ossl_cmp_build_cert_chain()
  * Extend the tests in cmp_protect_test.c and the documentation accordingly
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12791)
* Add OSSL_CMP_CTX_get1_newChain() and related CLI option -chainout | Dr. David von Oheimb | 2020-09-05 | 2 | -1/+13
  Also simplify certificate saving in apps/cmp.c
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12790)
* STORE: Deprecate legacy / ENGINE functions | Richard Levitte | 2020-09-03 | 3 | -21/+23
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12587)
* STORE: Move the built-in 'file:' loader to become an engine module | Richard Levitte | 2020-09-03 | 1 | -3/+20
  From this point on, this engine must be specifically specified.
  To replace the internal EMBEDDED hack with something unique for the new module, functions to create application specific OSSL_STORE_INFO types were added.
  Furthermore, the following function had to be exported:
  ossl_do_blob_header()
  ossl_do_PVK_header()
  asn1_d2i_read_bio()
  Finally, evp_pkcs82pkey_int() has become public under a new name, EVP_PKCS82PKEY_with_libctx()
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12587)
* Update the EVP_PKEY MAC documentation | Matt Caswell | 2020-09-03 | 8 | -16/+55
  Include more information about the new HMAC parameter. Also fill in some missing documentation about the EVP_PKEY MAC bridge.
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12732)
* apps/cmp.c: Clean up loading of certificates and CRLs | Dr. David von Oheimb | 2020-09-02 | 1 | -1/+1
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12751)
* Add -verbosity option to apps/cmp.c and add log output also in crypto/cmp | Dr. David von Oheimb | 2020-09-01 | 2 | -0/+11
  * In the cmp app so far the -verbosity option had been missing.
  * Extend log output helpful for debugging CMP applications in setup_ssl_ctx() of the cmp app, ossl_cmp_msg_add_extraCerts(), OSSL_CMP_validate_msg(), and OSSL_CMP_MSG_http_perform().
  * Correct suppression of log output with insufficient severity.
  * Add logging/severity level OSSL_CMP_LOG_TRACE = OSSL_CMP_LOG_MAX.
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12739)
* Add some documentation about the EVP_PKEY MAC interface | Matt Caswell | 2020-08-29 | 3 | -4/+140
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12637)
* Document the EVP_PKEY_new_CMAC_key_with_libctx() function | Matt Caswell | 2020-08-29 | 1 | -22/+35
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12637)
* Correct description of BN_mask_bits | T.Yanagisawa | 2020-08-28 | 1 | -1/+1
  CLA: trivial
  Correct right shift to left shift. Pseudo code `a&=~((~0)>>n)` means "get higher n-bits of a", but actually crypto lib gives lower n-bits.
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12727)
* conf: add diagnostic option | Pauli | 2020-08-28 | 2 | -1/+9
  Add an option to configuration files "config_diagnostics" that when set to a non-zero value, overrides the error ignoring flags. The outcome is that diagnostic option is produced when e.g. sections are missing.
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12663)
* apps/pkcs12.c: Add -untrusted option | Dr. David von Oheimb | 2020-08-27 | 1 | -15/+27
  Also improve EE cert selection, user guidance, and documentation.
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12643)
* X509_add_certs(): Add to doc some warning notes on memory management | Dr. David von Oheimb | 2020-08-27 | 1 | -0/+12
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12643)
* Add OCSP_PARTIAL_CHAIN to OCSP_basic_verify() | Rich Salz | 2020-08-27 | 2 | -3/+8
  This adds a flag, OCSP_PARTIAL_CHAIN, to the OCSP_basic_verify() function. This is equivalent to X509_V_FLAG_PARTIAL_CHAIN, in that if any certificate in the OCSP response is in the trust store, then trust it.
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12666)
* Replace hieroglyphs with stub to pass tests | Dmitry Belyavskiy | 2020-08-26 | 1 | -1/+1
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/9654)
* Documentation for internal PUNYCODE-related functions | Dmitry Belyavskiy | 2020-08-26 | 1 | -0/+60
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/9654)
* RFC 8398: documentation | Dmitry Belyavskiy | 2020-08-26 | 2 | -2/+15
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/9654)
* STORE: Modify to support loading with provider based loaders | Richard Levitte | 2020-08-24 | 1 | -8/+11
  This adds the needed code to make the OSSL_STORE API functions handle provided STORE implementations.
  This also modifies OSSL_STORE_attach() to have the URI, the library context and the properties in the same order as OSSL_STORE_open_with_libctx().
  The most notable change, though, is how this creates a division of labor between libcrypto and any storemgmt implementation that wants to pass X.509, X.509 CRL, etc structures back to libcrypto. Since those structures aren't directly supported in the libcrypto <-> provider interface (asymmetric keys being the only exception so far), we resort to a libcrypto object callback that can handle passed data in DER form and does its part of figuring out what the DER content actually is.
  This also adds the internal x509_crl_set0_libctx(), which works just like x509_set0_libctx(), but for X509_CRL.
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12512)
* DECODER: Add function to set an OSSL_PASSPHRASE_CALLBACK type callback | Richard Levitte | 2020-08-24 | 1 | -12/+13
  This makes it possible to use OSSL_DECODER in functions that are passed an OSSL_PASSPHRASE_CALLBACK already.
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12512)