Activity for Martin Peylo
-
Martin Peylo modified ticket #48
Have CTX functions to get info relevant for transfer Callback
-
unified naming approach for functions setting callbacks
-
univied naming approach for functions setting callbacks
-
Have CTX functions to get info relevant for transfer Callback
-
Have CTX functions to get info relevant for transfer Callback
-
aimed to be fixed with commit 1efc1f8fa13eaf43a4fa7bec411bd9f762c69e5d
-
100% CPU usage after receiving rejection message with failInfo badCertTemplate
-
After closer look at ASN1_INTEGER_get that might have come from some fun compiler-dependent issue when casting uint64_t to long and bad MAX_LONG definitions. changing to ASN1_INTEGER_get_uint64 might avoid that. Also catching suspiciously high iteration counts might help to avoid intentional DoS through manipulated iterationCounts (which are naturally evaluated before their protection can be verified).
-
NID_hmac_sha1 and NID_hmac_sha1 in crmf_pbm.c
-
closed in 3ebcf15b95c20e335c2d0cbad53da243218b6f02
-
Generally one should be careful how to implement that. It should likely best also consider potential x-signing and therefore not only include the chain to the currently used trust anchor but also incomplete potentally possible branches.
-
configurable lengt for autogenerated TransactionID + nonce
-
fixed in 404d56c0e8bef252c428a933f93f457184869f10
-
move openssl/doc/cyrpto/CMP to appropriate folders
-
Check CMP message version and handle cmp1999 messages
-
Move creation of transactionID to from cmp_lib.c to cmp_ctx.c
-
The following needs to be fixed then: CMP_PKIMESSAGE_free() is not in exported API while CMP_certreq_new() is exported.
-
Possibility to check specifics of CMP server certificate
-
validate the need for the functions setting regToken
-
removed on 2017-11-08 commit 83efa7fc3f107295e540e984f3e526aa8ba286a0
-
IR with MSG_MAC_ALG should set "sender" if subject name is given
-
fixed on 2017-11-08 commit aa2a2a611212a3f7aca9642e5b5c1f41cc2a35c7
-
Documentation in https://wiki.openssl.org/index.php/Unit_Testing
-
IR with MSG_MAC_ALG should set "sender" if subject name is given
-
GeneralName for sender and recipient
-
proposal to remove in bug35-remove-unused-proprietary-regInfo-regToken branch
-
proposal in bug48-subject-sets-sender-if-no-clcert branch, moving idea to have "-sender" to feature request #41
-
have -sender option to set header field
-
added warning to README that SVN is legacy
-
check that server cert has digitalSignature keyUsage
-
have ctx->untrusted_store as STACK_OF(X509) instead of X509_STORE
-
risk for signature verification failure if two certs with same subject and subject key id
-
risk for signature verification failure if sender sets no senderKID
-
Actually, in case of multiple possible server certs in ctx->un/trusted_store, the senderKID is not checked at all. So that raises the risk to identify the wrong certificate.
-
NID_hmac_sha1 and NID_hmac_sha1 in crmf_pbm.c
-
Copy all SubjectAltNames for KUR from oldCert
-
Allow requesting a specific validity period
-
CLI option to adjust verbosity, and related messages
-
Revocation Request for multiple certificates
-
Return reason for waiting status to user
-
Send multiple ITAV in a GENM
-
DHBasedMac
-
check that server cert has digitalSignature keyUsage
-
missing CLI arguments don't lead to a meaningful info displayed
-
proxy option inconsistent with server option
-
handle transactionIdInUse PKIFailureInfo automatically
-
Add unit and regression tests
-
Consolidate API
-
IR with MSG_SIG_ALG should set "sender" if subject name is given
-
using passwords on loading certificates from p12 files not documented
-
Using the engine leads to memory leaks
-
For KUR, cert to be updated not taken from "-cert" if "-oldcert" is not present
-
Check CMP message version and handle cmp1999 messages
-
manipulation of PKIStatusString in CMP message on evaluation desired?
-
have ctx->untrusted_store as STACK_OF(X509) instead of X509_STORE
-
Ensure consistent treatment of info/warning/error messages
-
Validate need for crmf functions, document or delete
-
all documented now
-
callback function parameters not documented
-
Validate how subject/alt/names are set in certreq_new() are set
-
validate the need for the functions setting regToken
-
Move creation of transactionID to from cmp_lib.c to cmp_ctx.c
-
Adapt openSSL coding style
-
move openssl/doc/cyrpto/CMP to appropriate folders
-
risk for signature verification failure if two certs with same subject and subject key id
-
risk for signature verification failure if sender sets no senderKID
-
100% CPU usage after receiving rejection message with failInfo badCertTemplate
-
100% CPU usage after receiving rejection message with failInfo badCertTemplate
-
misc improvements including minor bugfixes and new options: -digest, -issuer, -raverified, -implicitconfirm, -timeout
-
POPODecKeyChallContent (CMP_CHALLENGE)
-
Key Recovery Request
-
Cross Certification Request
-
Support all 3 RFC 4210 section 4.1 POP methods
-
support centralized key generation
-
remember message protection for caPubs handling
-
Create functions to setting PBM parameters through CTX and CLI
-
Send certConf with error in case cert for wrong key is received
-
optionally, load private keys from same file as certificates
-
Handle ErrorMsg on unsupported CMP protocol version
-
Handle ErrorMsg on unsupported CMP protocol version
-
Store PBM Basekey for reuse when protecting/validating future messages
-
Make use of information obtained through GenMsg in subsequent requst
-
Request and use CAKeyUpdAnnContent to enable updating EE trusted store
-
Also be able to load certificates from engines
-
Support PKCS#10 requests (p10cr CertificationRequest)
-
Support for CRL Announcement PKI Message.
-
Handle more than one CMP_CERTREPMESSAGE
-
Support for CRL
-
newkey generation integrated into CLI
-
available in CLI now: -msgtimeout int Timeout per CMP message round trip (or 0 for none). Default 120 seconds -maxpolltime int Maximum total number of seconds to poll for certificates (default: 0 = infinite)
-
set timeouts from command line
-
This would require the key to be either centralized generated (and stored) - or generated by the EE and stored during the request using the id-regCtrl-pkiArchiveOptions control according to RFC 4211, section 6.4
-
Request and use CAKeyUpdAnnContent to enable updating EE trusted store
-
have calls to transfer functionality functions as callbacks
-
Possibility to check specifics of CMP server certificate
-
Allow for no message protection for all message types
-
Support adding X509 extensions to CertTemplate
1 >