Nov 23, 2018
      Change tarball making procedure · f68bfdf6
      Richard Levitte authored
      Since recently, OpenSSL tarballs are produced with 'make tar' rather
      than 'make dist', as the latter has turned out to be more troublesome
      than useful.
      
      The next step to look at is why we would need to configure at all to
      produce a Makefile just to produce a tarball.  After all, the tarball
      should now only contain source files that are present even without
      configuring.
      
      Furthermore, the current method for producing tarballs is a bit
      complex, and can be greatly simplified with the right tools.  Since we
      have everything versioned with git, we might as well use the tool that
      comes with it.
      
Added: util/mktar.sh, a simple script to produce OpenSSL tarballs.  It
takes the options --name to modify the prefix of the distribution, and
--tarfile to modify the tarball file name specifically.
      
      This also adds a few entries in .gitattributes to specify files that
      should never end up in a distribution tarball.
      
Reviewed-by: Matt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/7692)
      
      (cherry picked from commit 8c209eee)
Oct 18, 2018
      Apply self-imposed path length also to root CAs · d46f9173
      Viktor Dukhovni authored
Also, some readers of the code find starting the count at 1 for EE
cert confusing (since RFC5280 counts only non-self-issued intermediate
CAs, but we also counted the leaf).  Therefore, never count the EE
cert, and adjust the path length comparison accordingly.  This may
be more clear to the reader.
      
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit dc5831da)
      Only CA certificates can be self-issued · cc54a2a0
      Viktor Dukhovni authored
      At the bottom of https://tools.ietf.org/html/rfc5280#page-12 and
      top of https://tools.ietf.org/html/rfc5280#page-13 (last paragraph
      of above https://tools.ietf.org/html/rfc5280#section-3.3), we see:
      
         This specification covers two classes of certificates: CA
         certificates and end entity certificates.  CA certificates may be
         further divided into three classes: cross-certificates, self-issued
         certificates, and self-signed certificates.  Cross-certificates are
         CA certificates in which the issuer and subject are different
         entities.  Cross-certificates describe a trust relationship between
         the two CAs.  Self-issued certificates are CA certificates in which
         the issuer and subject are the same entity.  Self-issued certificates
         are generated to support changes in policy or operations.  Self-
         signed certificates are self-issued certificates where the digital
         signature may be verified by the public key bound into the
         certificate.  Self-signed certificates are used to convey a public
         key for use to begin certification paths.  End entity certificates
         are issued to subjects that are not authorized to issue certificates.
      
that the term "self-issued" is only applicable to CAs, not end-entity
certificates.  In https://tools.ietf.org/html/rfc5280#section-4.2.1.9
the description of path length constraints says:
      
         The pathLenConstraint field is meaningful only if the cA boolean is
         asserted and the key usage extension, if present, asserts the
         keyCertSign bit (Section 4.2.1.3).  In this case, it gives the
         maximum number of non-self-issued intermediate certificates that may
         follow this certificate in a valid certification path.  (Note: The
         last certificate in the certification path is not an intermediate
         certificate, and is not included in this limit.  Usually, the last
         certificate is an end entity certificate, but it can be a CA
         certificate.)
      
This makes it clear that exclusion of self-issued certificates from
the path length count applies only to some *intermediate* CA
certificates.  A leaf certificate, whether it has identical issuer
and subject or whether it is a CA or not, is never part of the
intermediate certificate count.  The handling of all leaf certificates
must be the same, in the case of our code to post-increment the
path count by 1, so that when we ultimately reach a non-self-issued
intermediate it will be the first one (not zeroth) in the chain
of intermediates.
      
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit ed422a2d)
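The two commits above describe one counting rule: the leaf is never counted, self-issued intermediates are skipped, and a pathLenConstraint is enforced on every CA in the chain, the trust anchor included. The following added example (not OpenSSL code; `Cert`, `check_path_len` and the sample chains are assumed names and constructed data) applies that rule to a few constructed chains, including a self-issued re-key certificate and an anchor with a self-imposed limit.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for the basicConstraints data a path-length check needs."""
    subject: str
    issuer: str
    is_ca: bool
    path_len: Optional[int] = None  # pathLenConstraint; None means unconstrained

    def self_issued(self) -> bool:
        return self.subject == self.issuer

def check_path_len(chain: List[Cert]) -> Optional[str]:
    """chain[0] is the leaf, chain[-1] the trust anchor.

    Returns None when every pathLenConstraint in the chain is honoured,
    otherwise a string naming the certificate whose constraint is violated.
    Counting follows RFC 5280 4.2.1.9 as the commits above describe it:
    the leaf is never counted (CA or not, self-issued or not), self-issued
    intermediates are skipped, and the anchor's own constraint is enforced.
    """
    if not chain:
        return "empty chain"
    intermediates = 0  # non-self-issued intermediates seen so far, leaf excluded
    for cert in chain[1:]:
        if not cert.is_ca:
            return f"{cert.subject}: non-CA certificate used as an issuer"
        # cert.path_len bounds how many non-self-issued intermediates may sit
        # between this certificate and the leaf.
        if cert.path_len is not None and intermediates > cert.path_len:
            return (f"{cert.subject}: pathLenConstraint {cert.path_len} "
                    f"exceeded by {intermediates} intermediate(s)")
        if not cert.self_issued():
            intermediates += 1  # leaf was skipped, so the first one counts as 1
    return None

# Constructed sample chains (not real certificates).
ROOT = Cert("Root", "Root", True, path_len=1)
ICA = Cert("ICA", "Root", True, path_len=0)
ICA_REKEY = Cert("ICA", "ICA", True, path_len=0)  # self-issued: not counted
SUB = Cert("Sub", "ICA", True)
LEAF = Cert("leaf", "ICA", False)
LEAF_SUB = Cert("leaf", "Sub", False)
CHAIN_OK = [LEAF, ICA, ROOT]
CHAIN_REKEY = [LEAF, ICA_REKEY, ICA, ROOT]   # re-keyed ICA does not add depth
CHAIN_TOO_DEEP = [LEAF_SUB, SUB, ICA, ROOT]  # ICA allows 0 intermediates below it
CHAIN_ROOT_LIMIT = [LEAF, ICA, Cert("Root", "Root", True, path_len=0)]  # anchor's own limit
```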
Oct 15, 2018
      apps: allow empty attribute values with -subj · 77078e6b
      Benjamin Kaduk authored
Historically (i.e., OpenSSL 1.0.x), the openssl applications would
allow for empty subject attributes to be passed via the -subj argument,
e.g., `openssl req -subj '/CN=joe/O=/OU=local' ...`.  Commit
db4c08f0 applied a badly needed rewrite
to the parse_name() helper function that parses these strings, but
in the process dropped a check that would skip attributes with no
associated value.  As a result, such strings are now treated as
hard errors and the operation fails.
      
      Restore the check to skip empty attribute values and restore
      the historical behavior.
      
      Document the behavior for empty subject attribute values in the
      corresponding applications' manual pages.
      
(cherry picked from commit 3d362f19)
(cherry picked from commit a7ee1ef6)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7368)