[Botan-announce] Botan 1.2.3

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Botan 1.2.3 was released this afternoon. As I noted in an earlier mail, it
turns out that there were several serious bugs in Botan 1.2.2. Most
notably, trying to generate a DSA key would result in an Internal_Error
exception being thrown by the library. This has been fixed, and I have
added tests in the check application to ensure it never happens again.

In addition, there were several bugs in the X.509 code which I didn't find
until recently. These were:

  *) All certificates created by X509_CA before 1.2.3 have an invalid
     encoding of the authorityKeyIdentifier. I never caught this because
     OpenSSL's x509 utility apparently works around this particular bad
     encoding. I apologize to anyone who now has ill-formed certificates
     due to this.

  *) If a root CA had a subjectAlternativeName entry, OR a PKCS#9 email
     address attribute in it's distinguished name, it would be rejected by
     X509_Store as not being a self-signed certificate.

  *) Fixed a BER decoding error - even when reading a *valid* X.509
     authorityKeyIdentifier, there was a bug that resulted in it not being
     read correctly (it would be flagged as an error and ignored).

In other changes, I cleaned up some of the examples, and added a new one,
ca.cpp, which implements a (very) simple certificate authority. A new check
in PBKDF2 prevents a fairly obscure error message if an empty passphrase is
supplied to it, and there are new versions of X509::load_key and
PKCS8::load_key that take a filename.

X509_CA now generates 128 bit serial numbers instead of 80; this is to
prevent any possibility of duplicate serial numbers being generated by a
CA. Now, if a CA generated a billion new certificates every second, it
would still take roughly 500 years before it generated two with the same
serial number.

I've also added a bit of documentation about something that I think is
going to be pretty important in the future, Certificate_Store, which is
basically a generic interface to something that keeps certificates (a
database, a web server, etc). X509_Store doesn't support this abstraction
as well as it should right now, but I'm planning on extending it in the
development branch.

Regards,
  Jack