aboutsummaryrefslogtreecommitdiffstats
path: root/lib/hx509
diff options
context:
space:
mode:
Diffstat (limited to 'lib/hx509')
-rw-r--r--lib/hx509/Makefile.am107
-rw-r--r--lib/hx509/Makefile.in1688
-rw-r--r--lib/hx509/NTMakefile10
-rw-r--r--lib/hx509/ca.c65
-rw-r--r--lib/hx509/cert.c148
-rw-r--r--lib/hx509/cms.c46
-rw-r--r--lib/hx509/crypto-ec.c533
-rw-r--r--lib/hx509/crypto.c635
-rw-r--r--lib/hx509/data/PKITS_data.zipbin0 -> 2149008 bytes
-rw-r--r--lib/hx509/data/eccurve.pem3
-rw-r--r--lib/hx509/data/https.crt53
-rw-r--r--lib/hx509/data/https.key16
-rwxr-xr-xlib/hx509/data/mkcert.sh84
-rw-r--r--lib/hx509/data/nist-result231
-rw-r--r--lib/hx509/data/openssl.cnf2
-rw-r--r--lib/hx509/data/secp160r1TestCA.cert.pem12
-rw-r--r--lib/hx509/data/secp160r1TestCA.key.pem4
-rw-r--r--lib/hx509/data/secp160r1TestCA.pem18
-rw-r--r--lib/hx509/data/secp160r2TestClient.cert.pem9
-rw-r--r--lib/hx509/data/secp160r2TestClient.key.pem4
-rw-r--r--lib/hx509/data/secp160r2TestClient.pem15
-rw-r--r--lib/hx509/data/secp160r2TestServer.cert.pem9
-rw-r--r--lib/hx509/data/secp160r2TestServer.key.pem4
-rw-r--r--lib/hx509/data/secp160r2TestServer.pem15
-rw-r--r--lib/hx509/data/secp256r1TestCA.cert.pem12
-rw-r--r--lib/hx509/data/secp256r1TestCA.key.pem5
-rw-r--r--lib/hx509/data/secp256r1TestCA.pem17
-rw-r--r--lib/hx509/data/secp256r2TestClient.cert.pem12
-rw-r--r--lib/hx509/data/secp256r2TestClient.key.pem5
-rw-r--r--lib/hx509/data/secp256r2TestClient.pem17
-rw-r--r--lib/hx509/data/secp256r2TestServer.cert.pem12
-rw-r--r--lib/hx509/data/secp256r2TestServer.key.pem5
-rw-r--r--lib/hx509/data/secp256r2TestServer.pem17
-rw-r--r--lib/hx509/doxygen.c2
-rw-r--r--lib/hx509/env.c16
-rw-r--r--lib/hx509/error.c66
-rw-r--r--lib/hx509/file.c4
-rw-r--r--lib/hx509/hx509-private.h20
-rw-r--r--lib/hx509/hx509-protos.h1925
-rw-r--r--lib/hx509/hx509.h1
-rw-r--r--lib/hx509/hx509_err.et22
-rw-r--r--lib/hx509/hx_locl.h103
-rw-r--r--lib/hx509/hxtool-commands.in20
-rw-r--r--lib/hx509/hxtool.c67
-rw-r--r--lib/hx509/keyset.c30
-rw-r--r--lib/hx509/ks_dir.c5
-rw-r--r--lib/hx509/ks_file.c15
-rw-r--r--lib/hx509/ks_keychain.c25
-rw-r--r--lib/hx509/ks_null.c5
-rw-r--r--lib/hx509/ks_p11.c70
-rw-r--r--lib/hx509/ks_p12.c13
-rw-r--r--lib/hx509/libhx509-exports.def3
-rw-r--r--lib/hx509/lock.c5
-rw-r--r--lib/hx509/name.c20
-rw-r--r--lib/hx509/print.c4
-rw-r--r--lib/hx509/ref/pkcs11.h387
-rw-r--r--lib/hx509/revoke.c234
-rw-r--r--lib/hx509/sel-gram.c76
-rw-r--r--lib/hx509/sel-gram.h2
-rw-r--r--lib/hx509/sel-gram.y14
-rw-r--r--lib/hx509/sel-lex.c49
-rw-r--r--lib/hx509/sel-lex.l12
-rw-r--r--lib/hx509/sel.h8
-rw-r--r--lib/hx509/softp11.c31
-rw-r--r--lib/hx509/test_ca.in28
-rw-r--r--lib/hx509/test_cert.in2
-rw-r--r--lib/hx509/test_chain.in8
-rw-r--r--lib/hx509/test_cms.in12
-rw-r--r--lib/hx509/test_name.c16
-rw-r--r--lib/hx509/test_soft_pkcs11.c2
-rw-r--r--lib/hx509/version-script.map7
71 files changed, 5076 insertions, 1866 deletions
diff --git a/lib/hx509/Makefile.am b/lib/hx509/Makefile.am
index 53669cb7c523..b58deb3e37aa 100644
--- a/lib/hx509/Makefile.am
+++ b/lib/hx509/Makefile.am
@@ -1,5 +1,7 @@
include $(top_srcdir)/Makefile.am.common
+AM_CPPFLAGS += $(INCLUDE_openssl_crypto)
+
lib_LTLIBRARIES = libhx509.la
libhx509_la_LDFLAGS = -version-info 5:0:0
@@ -58,12 +60,11 @@ dist_libhx509_la_SOURCES = \
cms.c \
collector.c \
crypto.c \
+ crypto-ec.c \
doxygen.c \
error.c \
env.c \
file.c \
- hx509-private.h \
- hx509-protos.h \
hx509.h \
hx_locl.h \
sel.c \
@@ -94,8 +95,10 @@ libhx509_la_DEPENDENCIES = version-script.map
libhx509_la_LIBADD = \
$(LIB_com_err) \
$(LIB_hcrypto) \
+ $(LIB_openssl_crypto) \
$(top_builddir)/lib/asn1/libasn1.la \
$(top_builddir)/lib/wind/libwind.la \
+ $(top_builddir)/lib/base/libheimbase.la \
$(LIBADD_roken) \
$(LIB_dlopen)
@@ -108,14 +111,15 @@ libhx509_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
endif
$(libhx509_la_OBJECTS): $(srcdir)/version-script.map $(nodist_include_HEADERS) $(priv_headers)
-libhx509_la_CPPFLAGS = -I$(srcdir)/ref $(INCLUDE_hcrypto)
nodist_libhx509_la_SOURCES = $(BUILT_SOURCES)
$(gen_files_ocsp) ocsp_asn1.hx ocsp_asn1-priv.hx: ocsp_asn1_files
$(gen_files_pkcs10) pkcs10_asn1.hx pkcs10_asn1-priv.hx: pkcs10_asn1_files
$(gen_files_crmf) crmf_asn1.hx crmf_asn1-priv.hx: crmf_asn1_files
-dist_include_HEADERS = hx509.h hx509-protos.h
+dist_include_HEADERS = hx509.h $(srcdir)/hx509-protos.h
+
+noinst_HEADERS = $(srcdir)/hx509-private.h
nodist_include_HEADERS = hx509_err.h
nodist_include_HEADERS += ocsp_asn1.h
@@ -128,34 +132,40 @@ priv_headers += crmf_asn1-priv.h
ocsp_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/ocsp.asn1 $(srcdir)/ocsp.opt
- $(ASN1_COMPILE) --option-file=$(srcdir)/ocsp.opt $(srcdir)/ocsp.asn1 ocsp_asn1 || (rm -f ocsp_asn1_files ; exit 1)
+ $(heim_verbose)$(ASN1_COMPILE) --option-file=$(srcdir)/ocsp.opt $(srcdir)/ocsp.asn1 ocsp_asn1 || (rm -f ocsp_asn1_files ; exit 1)
pkcs10_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/pkcs10.asn1 $(srcdir)/pkcs10.opt
- $(ASN1_COMPILE) --option-file=$(srcdir)/pkcs10.opt $(srcdir)/pkcs10.asn1 pkcs10_asn1 || (rm -f pkcs10_asn1_files ; exit 1)
+ $(heim_verbose)$(ASN1_COMPILE) --option-file=$(srcdir)/pkcs10.opt $(srcdir)/pkcs10.asn1 pkcs10_asn1 || (rm -f pkcs10_asn1_files ; exit 1)
crmf_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/crmf.asn1
- $(ASN1_COMPILE) $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
+ $(heim_verbose)$(ASN1_COMPILE) $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
+
+ALL_OBJECTS = $(libhx509_la_OBJECTS)
+ALL_OBJECTS += $(hxtool_OBJECTS)
+
+HX509_PROTOS = $(srcdir)/hx509-protos.h $(srcdir)/hx509-private.h
+
+$(ALL_OBJECTS): $(HX509_PROTOS)
-$(libhx509_la_OBJECTS): $(srcdir)/hx509-protos.h $(srcdir)/hx509-private.h $(srcdir)/hx_locl.h
+$(libhx509_la_OBJECTS): $(srcdir)/hx_locl.h
$(libhx509_la_OBJECTS): ocsp_asn1.h pkcs10_asn1.h
-$(srcdir)/hx509-protos.h:
- cd $(srcdir) && perl ../../cf/make-proto.pl -R '^(_|^C)' -E HX509_LIB -q -P comment -o hx509-protos.h $(dist_libhx509_la_SOURCES) || rm -f hx509-protos.h
+$(srcdir)/hx509-protos.h: $(dist_libhx509_la_SOURCES)
+ $(heim_verbose)cd $(srcdir) && perl ../../cf/make-proto.pl -R '^(_|^C)' -E HX509_LIB -q -P comment -o hx509-protos.h $(dist_libhx509_la_SOURCES) || rm -f hx509-protos.h
-$(srcdir)/hx509-private.h:
- cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p hx509-private.h $(dist_libhx509_la_SOURCES) || rm -f hx509-private.h
+$(srcdir)/hx509-private.h: $(dist_libhx509_la_SOURCES)
+ $(heim_verbose)cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p hx509-private.h $(dist_libhx509_la_SOURCES) || rm -f hx509-private.h
bin_PROGRAMS = hxtool
hxtool-commands.c hxtool-commands.h: hxtool-commands.in $(SLC)
- $(SLC) $(srcdir)/hxtool-commands.in
+ $(heim_verbose)$(SLC) $(srcdir)/hxtool-commands.in
dist_hxtool_SOURCES = hxtool.c
nodist_hxtool_SOURCES = hxtool-commands.c hxtool-commands.h
-$(hxtool_OBJECTS): hxtool-commands.h
+$(hxtool_OBJECTS): hxtool-commands.h hx509_err.h
-hxtool_CPPFLAGS = $(INCLUDE_hcrypto)
hxtool_LDADD = \
libhx509.la \
$(top_builddir)/lib/asn1/libasn1.la \
@@ -165,11 +175,11 @@ hxtool_LDADD = \
CLEANFILES = $(BUILT_SOURCES) sel-gram.c sel-lex.c \
$(gen_files_ocsp) ocsp_asn1_files ocsp_asn1{,-priv}.h* \
- ocsp_asn1-template.[ch]* \
+ ocsp_asn1-template.[chx]* \
$(gen_files_pkcs10) pkcs10_asn1_files pkcs10_asn1{,-priv}.h* \
- pkcs10_asn1-template.[ch]* \
+ pkcs10_asn1-template.[chx]* \
$(gen_files_crmf) crmf_asn1_files crmf_asn1{,-priv}.h* \
- crmf_asn1-template.[ch]* \
+ crmf_asn1-template.[chx]* \
$(TESTS) \
hxtool-commands.c hxtool-commands.h *.tmp \
request.out \
@@ -198,11 +208,10 @@ check_PROGRAMS = $(PROGRAM_TESTS) test_soft_pkcs11
LDADD = libhx509.la
-test_soft_pkcs11_LDADD = libhx509.la
-test_soft_pkcs11_CPPFLAGS = -I$(srcdir)/ref
+test_soft_pkcs11_LDADD = libhx509.la $(top_builddir)/lib/asn1/libasn1.la
-test_name_CPPFLAGS = $(INCLUDE_hcrypto)
-test_name_LDADD = libhx509.la $(LIB_roken)
+test_name_LDADD = libhx509.la $(LIB_roken) $(top_builddir)/lib/asn1/libasn1.la
+test_expr_LDADD = libhx509.la $(LIB_roken) $(top_builddir)/lib/asn1/libasn1.la
TESTS = $(SCRIPT_TESTS) $(PROGRAM_TESTS)
@@ -226,78 +235,78 @@ SCRIPT_TESTS = \
test_windows \
test_query
-do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+do_subst = $(heim_verbose)sed -e 's,[@]srcdir[@],$(srcdir),g' \
-e 's,[@]objdir[@],$(top_builddir)/lib/hx509,g' \
-e 's,[@]egrep[@],$(EGREP),g'
test_ca: test_ca.in Makefile
$(do_subst) < $(srcdir)/test_ca.in > test_ca.tmp
- chmod +x test_ca.tmp
+ $(heim_verbose)chmod +x test_ca.tmp
mv test_ca.tmp test_ca
test_cert: test_cert.in Makefile
$(do_subst) < $(srcdir)/test_cert.in > test_cert.tmp
- chmod +x test_cert.tmp
+ $(heim_verbose)chmod +x test_cert.tmp
mv test_cert.tmp test_cert
test_chain: test_chain.in Makefile
$(do_subst) < $(srcdir)/test_chain.in > test_chain.tmp
- chmod +x test_chain.tmp
+ $(heim_verbose)chmod +x test_chain.tmp
mv test_chain.tmp test_chain
test_cms: test_cms.in Makefile
$(do_subst) < $(srcdir)/test_cms.in > test_cms.tmp
- chmod +x test_cms.tmp
+ $(heim_verbose)chmod +x test_cms.tmp
mv test_cms.tmp test_cms
test_crypto: test_crypto.in Makefile
$(do_subst) < $(srcdir)/test_crypto.in > test_crypto.tmp
- chmod +x test_crypto.tmp
+ $(heim_verbose)chmod +x test_crypto.tmp
mv test_crypto.tmp test_crypto
test_nist: test_nist.in Makefile
$(do_subst) < $(srcdir)/test_nist.in > test_nist.tmp
- chmod +x test_nist.tmp
+ $(heim_verbose)chmod +x test_nist.tmp
mv test_nist.tmp test_nist
test_nist2: test_nist2.in Makefile
$(do_subst) < $(srcdir)/test_nist2.in > test_nist2.tmp
- chmod +x test_nist2.tmp
+ $(heim_verbose)chmod +x test_nist2.tmp
mv test_nist2.tmp test_nist2
test_pkcs11: test_pkcs11.in Makefile
$(do_subst) < $(srcdir)/test_pkcs11.in > test_pkcs11.tmp
- chmod +x test_pkcs11.tmp
+ $(heim_verbose)chmod +x test_pkcs11.tmp
mv test_pkcs11.tmp test_pkcs11
test_java_pkcs11: test_java_pkcs11.in Makefile
$(do_subst) < $(srcdir)/test_java_pkcs11.in > test_java_pkcs11.tmp
- chmod +x test_java_pkcs11.tmp
+ $(heim_verbose)chmod +x test_java_pkcs11.tmp
mv test_java_pkcs11.tmp test_java_pkcs11
test_nist_cert: test_nist_cert.in Makefile
$(do_subst) < $(srcdir)/test_nist_cert.in > test_nist_cert.tmp
- chmod +x test_nist_cert.tmp
+ $(heim_verbose)chmod +x test_nist_cert.tmp
mv test_nist_cert.tmp test_nist_cert
test_nist_pkcs12: test_nist_pkcs12.in Makefile
$(do_subst) < $(srcdir)/test_nist_pkcs12.in > test_nist_pkcs12.tmp
- chmod +x test_nist_pkcs12.tmp
+ $(heim_verbose)chmod +x test_nist_pkcs12.tmp
mv test_nist_pkcs12.tmp test_nist_pkcs12
test_req: test_req.in Makefile
$(do_subst) < $(srcdir)/test_req.in > test_req.tmp
- chmod +x test_req.tmp
+ $(heim_verbose)chmod +x test_req.tmp
mv test_req.tmp test_req
test_windows: test_windows.in Makefile
$(do_subst) < $(srcdir)/test_windows.in > test_windows.tmp
- chmod +x test_windows.tmp
+ $(heim_verbose)chmod +x test_windows.tmp
mv test_windows.tmp test_windows
test_query: test_query.in Makefile
$(do_subst) < $(srcdir)/test_query.in > test_query.tmp
- chmod +x test_query.tmp
+ $(heim_verbose)chmod +x test_query.tmp
mv test_query.tmp test_query
EXTRA_DIST = \
@@ -338,16 +347,22 @@ EXTRA_DIST = \
tst-crypto-select5 \
tst-crypto-select6 \
tst-crypto-select7 \
+ data/PKITS_data.zip \
+ data/eccurve.pem \
+ data/https.crt \
+ data/https.key \
+ data/mkcert.sh \
+ data/nist-result2 \
data/n0ll.pem \
- data/secp160r1TestCA.cert.pem \
- data/secp160r1TestCA.key.pem \
- data/secp160r1TestCA.pem \
- data/secp160r2TestClient.cert.pem \
- data/secp160r2TestClient.key.pem \
- data/secp160r2TestClient.pem \
- data/secp160r2TestServer.cert.pem \
- data/secp160r2TestServer.key.pem \
- data/secp160r2TestServer.pem \
+ data/secp256r1TestCA.cert.pem \
+ data/secp256r1TestCA.key.pem \
+ data/secp256r1TestCA.pem \
+ data/secp256r2TestClient.cert.pem \
+ data/secp256r2TestClient.key.pem \
+ data/secp256r2TestClient.pem \
+ data/secp256r2TestServer.cert.pem \
+ data/secp256r2TestServer.key.pem \
+ data/secp256r2TestServer.pem \
data/bleichenbacher-bad.pem \
data/bleichenbacher-good.pem \
data/bleichenbacher-sf-pad-correct.pem \
diff --git a/lib/hx509/Makefile.in b/lib/hx509/Makefile.in
index 98de7d540dd6..cca95bbc04ae 100644
--- a/lib/hx509/Makefile.in
+++ b/lib/hx509/Makefile.in
@@ -1,9 +1,8 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.15.1 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# Copyright (C) 1994-2017 Free Software Foundation, Inc.
+
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -22,6 +21,61 @@
VPATH = @srcdir@
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -40,10 +94,6 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
-DIST_COMMON = $(dist_include_HEADERS) $(srcdir)/Makefile.am \
- $(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \
- $(top_srcdir)/cf/Makefile.am.common ChangeLog TODO sel-gram.c \
- sel-gram.h sel-lex.c
@FRAMEWORK_SECURITY_TRUE@am__append_1 = -framework Security -framework CoreFoundation
@versionscript_TRUE@am__append_2 = $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
bin_PROGRAMS = hxtool$(EXEEXT)
@@ -64,8 +114,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
$(top_srcdir)/cf/check-man.m4 \
$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
$(top_srcdir)/cf/check-type-extra.m4 \
- $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
- $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+ $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/crypto.m4 \
$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
$(top_srcdir)/cf/dispatch.m4 $(top_srcdir)/cf/dlopen.m4 \
$(top_srcdir)/cf/find-func-no-libs.m4 \
@@ -78,6 +127,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
$(top_srcdir)/cf/krb-bigendian.m4 \
$(top_srcdir)/cf/krb-func-getlogin.m4 \
$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+ $(top_srcdir)/cf/krb-prog-perl.m4 \
$(top_srcdir)/cf/krb-readline.m4 \
$(top_srcdir)/cf/krb-struct-spwd.m4 \
$(top_srcdir)/cf/krb-struct-winsize.m4 \
@@ -97,6 +147,8 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(dist_include_HEADERS) \
+ $(noinst_HEADERS) $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/include/config.h
CONFIG_CLEAN_FILES =
@@ -122,106 +174,335 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" \
"$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"
LTLIBRARIES = $(lib_LTLIBRARIES)
am__DEPENDENCIES_1 =
-dist_libhx509_la_OBJECTS = libhx509_la-ca.lo libhx509_la-cert.lo \
- libhx509_la-cms.lo libhx509_la-collector.lo \
- libhx509_la-crypto.lo libhx509_la-doxygen.lo \
- libhx509_la-error.lo libhx509_la-env.lo libhx509_la-file.lo \
- libhx509_la-sel.lo libhx509_la-sel-gram.lo \
- libhx509_la-sel-lex.lo libhx509_la-keyset.lo \
- libhx509_la-ks_dir.lo libhx509_la-ks_file.lo \
- libhx509_la-ks_mem.lo libhx509_la-ks_null.lo \
- libhx509_la-ks_p11.lo libhx509_la-ks_p12.lo \
- libhx509_la-ks_keychain.lo libhx509_la-lock.lo \
- libhx509_la-name.lo libhx509_la-peer.lo libhx509_la-print.lo \
- libhx509_la-softp11.lo libhx509_la-req.lo \
- libhx509_la-revoke.lo
-am__objects_1 = libhx509_la-asn1_OCSPBasicOCSPResponse.lo \
- libhx509_la-asn1_OCSPCertID.lo \
- libhx509_la-asn1_OCSPCertStatus.lo \
- libhx509_la-asn1_OCSPInnerRequest.lo \
- libhx509_la-asn1_OCSPKeyHash.lo \
- libhx509_la-asn1_OCSPRequest.lo \
- libhx509_la-asn1_OCSPResponderID.lo \
- libhx509_la-asn1_OCSPResponse.lo \
- libhx509_la-asn1_OCSPResponseBytes.lo \
- libhx509_la-asn1_OCSPResponseData.lo \
- libhx509_la-asn1_OCSPResponseStatus.lo \
- libhx509_la-asn1_OCSPSignature.lo \
- libhx509_la-asn1_OCSPSingleResponse.lo \
- libhx509_la-asn1_OCSPTBSRequest.lo \
- libhx509_la-asn1_OCSPVersion.lo \
- libhx509_la-asn1_id_pkix_ocsp.lo \
- libhx509_la-asn1_id_pkix_ocsp_basic.lo \
- libhx509_la-asn1_id_pkix_ocsp_nonce.lo
-am__objects_2 = libhx509_la-asn1_CertificationRequestInfo.lo \
- libhx509_la-asn1_CertificationRequest.lo
-am__objects_3 = $(am__objects_1) $(am__objects_2) \
- libhx509_la-hx509_err.lo
+dist_libhx509_la_OBJECTS = ca.lo cert.lo cms.lo collector.lo crypto.lo \
+ crypto-ec.lo doxygen.lo error.lo env.lo file.lo sel.lo \
+ sel-gram.lo sel-lex.lo keyset.lo ks_dir.lo ks_file.lo \
+ ks_mem.lo ks_null.lo ks_p11.lo ks_p12.lo ks_keychain.lo \
+ lock.lo name.lo peer.lo print.lo softp11.lo req.lo revoke.lo
+am__objects_1 = asn1_OCSPBasicOCSPResponse.lo asn1_OCSPCertID.lo \
+ asn1_OCSPCertStatus.lo asn1_OCSPInnerRequest.lo \
+ asn1_OCSPKeyHash.lo asn1_OCSPRequest.lo \
+ asn1_OCSPResponderID.lo asn1_OCSPResponse.lo \
+ asn1_OCSPResponseBytes.lo asn1_OCSPResponseData.lo \
+ asn1_OCSPResponseStatus.lo asn1_OCSPSignature.lo \
+ asn1_OCSPSingleResponse.lo asn1_OCSPTBSRequest.lo \
+ asn1_OCSPVersion.lo asn1_id_pkix_ocsp.lo \
+ asn1_id_pkix_ocsp_basic.lo asn1_id_pkix_ocsp_nonce.lo
+am__objects_2 = asn1_CertificationRequestInfo.lo \
+ asn1_CertificationRequest.lo
+am__objects_3 = $(am__objects_1) $(am__objects_2) hx509_err.lo
nodist_libhx509_la_OBJECTS = $(am__objects_3)
libhx509_la_OBJECTS = $(dist_libhx509_la_OBJECTS) \
$(nodist_libhx509_la_OBJECTS)
-libhx509_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 =
+libhx509_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(libhx509_la_LDFLAGS) $(LDFLAGS) -o $@
am__EXEEXT_1 = test_name$(EXEEXT) test_expr$(EXEEXT)
PROGRAMS = $(bin_PROGRAMS)
-dist_hxtool_OBJECTS = hxtool-hxtool.$(OBJEXT)
-nodist_hxtool_OBJECTS = hxtool-hxtool-commands.$(OBJEXT)
+dist_hxtool_OBJECTS = hxtool.$(OBJEXT)
+nodist_hxtool_OBJECTS = hxtool-commands.$(OBJEXT)
hxtool_OBJECTS = $(dist_hxtool_OBJECTS) $(nodist_hxtool_OBJECTS)
hxtool_DEPENDENCIES = libhx509.la $(top_builddir)/lib/asn1/libasn1.la \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(top_builddir)/lib/sl/libsl.la
test_expr_SOURCES = test_expr.c
test_expr_OBJECTS = test_expr.$(OBJEXT)
-test_expr_LDADD = $(LDADD)
-test_expr_DEPENDENCIES = libhx509.la
+test_expr_DEPENDENCIES = libhx509.la $(am__DEPENDENCIES_1) \
+ $(top_builddir)/lib/asn1/libasn1.la
test_name_SOURCES = test_name.c
-test_name_OBJECTS = test_name-test_name.$(OBJEXT)
-test_name_DEPENDENCIES = libhx509.la $(am__DEPENDENCIES_1)
+test_name_OBJECTS = test_name.$(OBJEXT)
+test_name_DEPENDENCIES = libhx509.la $(am__DEPENDENCIES_1) \
+ $(top_builddir)/lib/asn1/libasn1.la
test_soft_pkcs11_SOURCES = test_soft_pkcs11.c
-test_soft_pkcs11_OBJECTS = \
- test_soft_pkcs11-test_soft_pkcs11.$(OBJEXT)
-test_soft_pkcs11_DEPENDENCIES = libhx509.la
+test_soft_pkcs11_OBJECTS = test_soft_pkcs11.$(OBJEXT)
+test_soft_pkcs11_DEPENDENCIES = libhx509.la \
+ $(top_builddir)/lib/asn1/libasn1.la
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
- $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+am__v_CC_1 =
CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
- $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+am__v_CCLD_1 =
@MAINTAINER_MODE_FALSE@am__skiplex = test -f $@ ||
-LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS)
-LTLEXCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS)
+LEXCOMPILE = $(LEX) $(AM_LFLAGS) $(LFLAGS)
+LTLEXCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(LEX) $(AM_LFLAGS) $(LFLAGS)
+AM_V_LEX = $(am__v_LEX_@AM_V@)
+am__v_LEX_ = $(am__v_LEX_@AM_DEFAULT_V@)
+am__v_LEX_0 = @echo " LEX " $@;
+am__v_LEX_1 =
YLWRAP = $(top_srcdir)/ylwrap
@MAINTAINER_MODE_FALSE@am__skipyacc = test -f $@ ||
-YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS)
-LTYACCCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS)
+am__yacc_c2h = sed -e s/cc$$/hh/ -e s/cpp$$/hpp/ -e s/cxx$$/hxx/ \
+ -e s/c++$$/h++/ -e s/c$$/h/
+YACCCOMPILE = $(YACC) $(AM_YFLAGS) $(YFLAGS)
+LTYACCCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(YACC) $(AM_YFLAGS) $(YFLAGS)
+AM_V_YACC = $(am__v_YACC_@AM_V@)
+am__v_YACC_ = $(am__v_YACC_@AM_DEFAULT_V@)
+am__v_YACC_0 = @echo " YACC " $@;
+am__v_YACC_1 =
SOURCES = $(dist_libhx509_la_SOURCES) $(nodist_libhx509_la_SOURCES) \
$(dist_hxtool_SOURCES) $(nodist_hxtool_SOURCES) test_expr.c \
test_name.c test_soft_pkcs11.c
DIST_SOURCES = $(dist_libhx509_la_SOURCES) $(dist_hxtool_SOURCES) \
test_expr.c test_name.c test_soft_pkcs11.c
-HEADERS = $(dist_include_HEADERS) $(nodist_include_HEADERS)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+HEADERS = $(dist_include_HEADERS) $(nodist_include_HEADERS) \
+ $(noinst_HEADERS)
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates. Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+ BEGIN { nonempty = 0; } \
+ { items[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique. This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+ list='$(am__tagged_files)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
-am__tty_colors = \
-red=; grn=; lgn=; blu=; std=
+am__tty_colors_dummy = \
+ mgn= red= grn= lgn= blu= brg= std=; \
+ am__color_tests=no
+am__tty_colors = { \
+ $(am__tty_colors_dummy); \
+ if test "X$(AM_COLOR_TESTS)" = Xno; then \
+ am__color_tests=no; \
+ elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+ am__color_tests=yes; \
+ elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+ am__color_tests=yes; \
+ fi; \
+ if test $$am__color_tests = yes; then \
+ red=''; \
+ grn=''; \
+ lgn=''; \
+ blu=''; \
+ mgn=''; \
+ brg=''; \
+ std=''; \
+ fi; \
+}
+am__recheck_rx = ^[ ]*:recheck:[ ]*
+am__global_test_result_rx = ^[ ]*:global-test-result:[ ]*
+am__copy_in_global_log_rx = ^[ ]*:copy-in-global-log:[ ]*
+# A command that, given a newline-separated list of test names on the
+# standard input, print the name of the tests that are to be re-run
+# upon "make recheck".
+am__list_recheck_tests = $(AWK) '{ \
+ recheck = 1; \
+ while ((rc = (getline line < ($$0 ".trs"))) != 0) \
+ { \
+ if (rc < 0) \
+ { \
+ if ((getline line2 < ($$0 ".log")) < 0) \
+ recheck = 0; \
+ break; \
+ } \
+ else if (line ~ /$(am__recheck_rx)[nN][Oo]/) \
+ { \
+ recheck = 0; \
+ break; \
+ } \
+ else if (line ~ /$(am__recheck_rx)[yY][eE][sS]/) \
+ { \
+ break; \
+ } \
+ }; \
+ if (recheck) \
+ print $$0; \
+ close ($$0 ".trs"); \
+ close ($$0 ".log"); \
+}'
+# A command that, given a newline-separated list of test names on the
+# standard input, create the global log from their .trs and .log files.
+am__create_global_log = $(AWK) ' \
+function fatal(msg) \
+{ \
+ print "fatal: making $@: " msg | "cat >&2"; \
+ exit 1; \
+} \
+function rst_section(header) \
+{ \
+ print header; \
+ len = length(header); \
+ for (i = 1; i <= len; i = i + 1) \
+ printf "="; \
+ printf "\n\n"; \
+} \
+{ \
+ copy_in_global_log = 1; \
+ global_test_result = "RUN"; \
+ while ((rc = (getline line < ($$0 ".trs"))) != 0) \
+ { \
+ if (rc < 0) \
+ fatal("failed to read from " $$0 ".trs"); \
+ if (line ~ /$(am__global_test_result_rx)/) \
+ { \
+ sub("$(am__global_test_result_rx)", "", line); \
+ sub("[ ]*$$", "", line); \
+ global_test_result = line; \
+ } \
+ else if (line ~ /$(am__copy_in_global_log_rx)[nN][oO]/) \
+ copy_in_global_log = 0; \
+ }; \
+ if (copy_in_global_log) \
+ { \
+ rst_section(global_test_result ": " $$0); \
+ while ((rc = (getline line < ($$0 ".log"))) != 0) \
+ { \
+ if (rc < 0) \
+ fatal("failed to read from " $$0 ".log"); \
+ print line; \
+ }; \
+ printf "\n"; \
+ }; \
+ close ($$0 ".trs"); \
+ close ($$0 ".log"); \
+}'
+# Restructured Text title.
+am__rst_title = { sed 's/.*/ & /;h;s/./=/g;p;x;s/ *$$//;p;g' && echo; }
+# Solaris 10 'make', and several other traditional 'make' implementations,
+# pass "-e" to $(SHELL), and POSIX 2008 even requires this. Work around it
+# by disabling -e (using the XSI extension "set +e") if it's set.
+am__sh_e_setup = case $$- in *e*) set +e;; esac
+# Default flags passed to test drivers.
+am__common_driver_flags = \
+ --color-tests "$$am__color_tests" \
+ --enable-hard-errors "$$am__enable_hard_errors" \
+ --expect-failure "$$am__expect_failure"
+# To be inserted before the command running the test. Creates the
+# directory for the log if needed. Stores in $dir the directory
+# containing $f, in $tst the test, in $log the log. Executes the
+# developer- defined test setup AM_TESTS_ENVIRONMENT (if any), and
+# passes TESTS_ENVIRONMENT. Set up options for the wrapper that
+# will run the test scripts (or their associated LOG_COMPILER, if
+# thy have one).
+am__check_pre = \
+$(am__sh_e_setup); \
+$(am__vpath_adj_setup) $(am__vpath_adj) \
+$(am__tty_colors); \
+srcdir=$(srcdir); export srcdir; \
+case "$@" in \
+ */*) am__odir=`echo "./$@" | sed 's|/[^/]*$$||'`;; \
+ *) am__odir=.;; \
+esac; \
+test "x$$am__odir" = x"." || test -d "$$am__odir" \
+ || $(MKDIR_P) "$$am__odir" || exit $$?; \
+if test -f "./$$f"; then dir=./; \
+elif test -f "$$f"; then dir=; \
+else dir="$(srcdir)/"; fi; \
+tst=$$dir$$f; log='$@'; \
+if test -n '$(DISABLE_HARD_ERRORS)'; then \
+ am__enable_hard_errors=no; \
+else \
+ am__enable_hard_errors=yes; \
+fi; \
+case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$f[\ \ ]* | *[\ \ ]$$dir$$f[\ \ ]*) \
+ am__expect_failure=yes;; \
+ *) \
+ am__expect_failure=no;; \
+esac; \
+$(AM_TESTS_ENVIRONMENT) $(TESTS_ENVIRONMENT)
+# A shell command to get the names of the tests scripts with any registered
+# extension removed (i.e., equivalently, the names of the test logs, with
+# the '.log' extension removed). The result is saved in the shell variable
+# '$bases'. This honors runtime overriding of TESTS and TEST_LOGS. Sadly,
+# we cannot use something simpler, involving e.g., "$(TEST_LOGS:.log=)",
+# since that might cause problem with VPATH rewrites for suffix-less tests.
+# See also 'test-harness-vpath-rewrite.sh' and 'test-trs-basic.sh'.
+am__set_TESTS_bases = \
+ bases='$(TEST_LOGS)'; \
+ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
+ bases=`echo $$bases`
+RECHECK_LOGS = $(TEST_LOGS)
+AM_RECURSIVE_TARGETS = check recheck
+TEST_SUITE_LOG = test-suite.log
+TEST_EXTENSIONS = @EXEEXT@ .test
+LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
+LOG_COMPILE = $(LOG_COMPILER) $(AM_LOG_FLAGS) $(LOG_FLAGS)
+am__set_b = \
+ case '$@' in \
+ */*) \
+ case '$*' in \
+ */*) b='$*';; \
+ *) b=`echo '$@' | sed 's/\.log$$//'`; \
+ esac;; \
+ *) \
+ b='$*';; \
+ esac
+am__test_logs1 = $(TESTS:=.log)
+am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log)
+TEST_LOGS = $(am__test_logs2:.test.log=.log)
+TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
+TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \
+ $(TEST_LOG_FLAGS)
+am__DIST_COMMON = $(srcdir)/Makefile.in \
+ $(top_srcdir)/Makefile.am.common \
+ $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/depcomp \
+ $(top_srcdir)/test-driver $(top_srcdir)/ylwrap ChangeLog TODO \
+ sel-gram.c sel-gram.h sel-lex.c
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
+AS = @AS@
ASN1_COMPILE = @ASN1_COMPILE@
ASN1_COMPILE_DEP = @ASN1_COMPILE_DEP@
AUTOCONF = @AUTOCONF@
@@ -240,12 +521,12 @@ COMPILE_ET = @COMPILE_ET@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
+DB1LIB = @DB1LIB@
+DB3LIB = @DB3LIB@
DBHEADER = @DBHEADER@
-DBLIB = @DBLIB@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DIR_com_err = @DIR_com_err@
-DIR_hcrypto = @DIR_hcrypto@
DIR_hdbdir = @DIR_hdbdir@
DIR_roken = @DIR_roken@
DLLTOOL = @DLLTOOL@
@@ -255,17 +536,17 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
+ENABLE_AFS_STRING_TO_KEY = @ENABLE_AFS_STRING_TO_KEY@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
+GCD_MIG = @GCD_MIG@
GREP = @GREP@
GROFF = @GROFF@
INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_hcrypto = @INCLUDE_hcrypto@
-INCLUDE_hesiod = @INCLUDE_hesiod@
-INCLUDE_krb4 = @INCLUDE_krb4@
INCLUDE_libedit = @INCLUDE_libedit@
INCLUDE_libintl = @INCLUDE_libintl@
INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_openssl_crypto = @INCLUDE_openssl_crypto@
INCLUDE_readline = @INCLUDE_readline@
INCLUDE_sqlite3 = @INCLUDE_sqlite3@
INSTALL = @INSTALL@
@@ -284,12 +565,9 @@ LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
-LIB_NDBM = @LIB_NDBM@
-LIB_XauFileName = @LIB_XauFileName@
-LIB_XauReadAuth = @LIB_XauReadAuth@
-LIB_XauWriteAuth = @LIB_XauWriteAuth@
LIB_bswap16 = @LIB_bswap16@
LIB_bswap32 = @LIB_bswap32@
+LIB_bswap64 = @LIB_bswap64@
LIB_com_err = @LIB_com_err@
LIB_com_err_a = @LIB_com_err_a@
LIB_com_err_so = @LIB_com_err_so@
@@ -298,6 +576,7 @@ LIB_db_create = @LIB_db_create@
LIB_dbm_firstkey = @LIB_dbm_firstkey@
LIB_dbopen = @LIB_dbopen@
LIB_dispatch_async_f = @LIB_dispatch_async_f@
+LIB_dladdr = @LIB_dladdr@
LIB_dlopen = @LIB_dlopen@
LIB_dn_expand = @LIB_dn_expand@
LIB_dns_search = @LIB_dns_search@
@@ -314,10 +593,8 @@ LIB_hcrypto = @LIB_hcrypto@
LIB_hcrypto_a = @LIB_hcrypto_a@
LIB_hcrypto_appl = @LIB_hcrypto_appl@
LIB_hcrypto_so = @LIB_hcrypto_so@
-LIB_hesiod = @LIB_hesiod@
LIB_hstrerror = @LIB_hstrerror@
LIB_kdb = @LIB_kdb@
-LIB_krb4 = @LIB_krb4@
LIB_libedit = @LIB_libedit@
LIB_libintl = @LIB_libintl@
LIB_loadquery = @LIB_loadquery@
@@ -325,6 +602,7 @@ LIB_logout = @LIB_logout@
LIB_logwtmp = @LIB_logwtmp@
LIB_openldap = @LIB_openldap@
LIB_openpty = @LIB_openpty@
+LIB_openssl_crypto = @LIB_openssl_crypto@
LIB_otp = @LIB_otp@
LIB_pidfile = @LIB_pidfile@
LIB_readline = @LIB_readline@
@@ -339,12 +617,15 @@ LIB_sqlite3 = @LIB_sqlite3@
LIB_syslog = @LIB_syslog@
LIB_tgetent = @LIB_tgetent@
LIPO = @LIPO@
+LMDBLIB = @LMDBLIB@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAINT = @MAINT@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
+NDBMLIB = @NDBMLIB@
NM = @NM@
NMEDIT = @NMEDIT@
NO_AFS = @NO_AFS@
@@ -361,6 +642,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_LDADD = @PTHREAD_LDADD@
@@ -375,13 +657,7 @@ STRIP = @STRIP@
VERSION = @VERSION@
VERSIONING = @VERSIONING@
WFLAGS = @WFLAGS@
-WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
-WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
-XMKMF = @XMKMF@
-X_CFLAGS = @X_CFLAGS@
-X_EXTRA_LIBS = @X_EXTRA_LIBS@
-X_LIBS = @X_LIBS@
-X_PRE_LIBS = @X_PRE_LIBS@
+WFLAGS_LITE = @WFLAGS_LITE@
YACC = @YACC@
YFLAGS = @YFLAGS@
abs_builddir = @abs_builddir@
@@ -405,6 +681,8 @@ build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
+db_type = @db_type@
+db_type_preference = @db_type_preference@
docdir = @docdir@
dpagaix_cflags = @dpagaix_cflags@
dpagaix_ldadd = @dpagaix_ldadd@
@@ -440,29 +718,37 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
-SUFFIXES = .et .h .x .z .hx .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+SUFFIXES = .et .h .pc.in .pc .x .z .hx .1 .3 .5 .7 .8 .cat1 .cat3 \
+ .cat5 .cat7 .cat8
DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include
-AM_CPPFLAGS = $(INCLUDES_roken)
+AM_CPPFLAGS = $(INCLUDES_roken) $(INCLUDE_openssl_crypto)
@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
AM_CFLAGS = $(WFLAGS)
CP = cp
buildinclude = $(top_builddir)/include
+LIB_XauReadAuth = @LIB_XauReadAuth@
LIB_el_init = @LIB_el_init@
LIB_getattr = @LIB_getattr@
LIB_getpwent_r = @LIB_getpwent_r@
LIB_odm_initialize = @LIB_odm_initialize@
LIB_setpcred = @LIB_setpcred@
-HESIODLIB = @HESIODLIB@
-HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
libexec_heimdaldir = $(libexecdir)/heimdal
NROFF_MAN = groff -mandoc -Tascii
-LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@NO_AFS_FALSE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@NO_AFS_TRUE@LIB_kafs =
@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la
@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
-LIB_heimbase = $(top_builddir)/base/libheimbase.la
+LIB_heimbase = $(top_builddir)/lib/base/libheimbase.la
@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+
+#silent-rules
+heim_verbose = $(heim_verbose_$(V))
+heim_verbose_ = $(heim_verbose_$(AM_DEFAULT_VERBOSITY))
+heim_verbose_0 = @echo " GEN "$@;
lib_LTLIBRARIES = libhx509.la
libhx509_la_LDFLAGS = -version-info 5:0:0 $(am__append_1) \
$(am__append_2)
@@ -520,12 +806,11 @@ dist_libhx509_la_SOURCES = \
cms.c \
collector.c \
crypto.c \
+ crypto-ec.c \
doxygen.c \
error.c \
env.c \
file.c \
- hx509-private.h \
- hx509-protos.h \
hx509.h \
hx_locl.h \
sel.c \
@@ -553,20 +838,23 @@ libhx509_la_DEPENDENCIES = version-script.map
libhx509_la_LIBADD = \
$(LIB_com_err) \
$(LIB_hcrypto) \
+ $(LIB_openssl_crypto) \
$(top_builddir)/lib/asn1/libasn1.la \
$(top_builddir)/lib/wind/libwind.la \
+ $(top_builddir)/lib/base/libheimbase.la \
$(LIBADD_roken) \
$(LIB_dlopen)
-libhx509_la_CPPFLAGS = -I$(srcdir)/ref $(INCLUDE_hcrypto)
nodist_libhx509_la_SOURCES = $(BUILT_SOURCES)
-dist_include_HEADERS = hx509.h hx509-protos.h
+dist_include_HEADERS = hx509.h $(srcdir)/hx509-protos.h
+noinst_HEADERS = $(srcdir)/hx509-private.h
nodist_include_HEADERS = hx509_err.h ocsp_asn1.h pkcs10_asn1.h \
crmf_asn1.h
priv_headers = ocsp_asn1-priv.h pkcs10_asn1-priv.h crmf_asn1-priv.h
+ALL_OBJECTS = $(libhx509_la_OBJECTS) $(hxtool_OBJECTS)
+HX509_PROTOS = $(srcdir)/hx509-protos.h $(srcdir)/hx509-private.h
dist_hxtool_SOURCES = hxtool.c
nodist_hxtool_SOURCES = hxtool-commands.c hxtool-commands.h
-hxtool_CPPFLAGS = $(INCLUDE_hcrypto)
hxtool_LDADD = \
libhx509.la \
$(top_builddir)/lib/asn1/libasn1.la \
@@ -576,11 +864,11 @@ hxtool_LDADD = \
CLEANFILES = $(BUILT_SOURCES) sel-gram.c sel-lex.c \
$(gen_files_ocsp) ocsp_asn1_files ocsp_asn1{,-priv}.h* \
- ocsp_asn1-template.[ch]* \
+ ocsp_asn1-template.[chx]* \
$(gen_files_pkcs10) pkcs10_asn1_files pkcs10_asn1{,-priv}.h* \
- pkcs10_asn1-template.[ch]* \
+ pkcs10_asn1-template.[chx]* \
$(gen_files_crmf) crmf_asn1_files crmf_asn1{,-priv}.h* \
- crmf_asn1-template.[ch]* \
+ crmf_asn1-template.[chx]* \
$(TESTS) \
hxtool-commands.c hxtool-commands.h *.tmp \
request.out \
@@ -603,10 +891,9 @@ CLEANFILES = $(BUILT_SOURCES) sel-gram.c sel-lex.c \
#
check_SCRIPTS = $(SCRIPT_TESTS)
LDADD = libhx509.la
-test_soft_pkcs11_LDADD = libhx509.la
-test_soft_pkcs11_CPPFLAGS = -I$(srcdir)/ref
-test_name_CPPFLAGS = $(INCLUDE_hcrypto)
-test_name_LDADD = libhx509.la $(LIB_roken)
+test_soft_pkcs11_LDADD = libhx509.la $(top_builddir)/lib/asn1/libasn1.la
+test_name_LDADD = libhx509.la $(LIB_roken) $(top_builddir)/lib/asn1/libasn1.la
+test_expr_LDADD = libhx509.la $(LIB_roken) $(top_builddir)/lib/asn1/libasn1.la
PROGRAM_TESTS = \
test_name \
test_expr
@@ -627,7 +914,7 @@ SCRIPT_TESTS = \
test_windows \
test_query
-do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+do_subst = $(heim_verbose)sed -e 's,[@]srcdir[@],$(srcdir),g' \
-e 's,[@]objdir[@],$(top_builddir)/lib/hx509,g' \
-e 's,[@]egrep[@],$(EGREP),g'
@@ -669,16 +956,22 @@ EXTRA_DIST = \
tst-crypto-select5 \
tst-crypto-select6 \
tst-crypto-select7 \
+ data/PKITS_data.zip \
+ data/eccurve.pem \
+ data/https.crt \
+ data/https.key \
+ data/mkcert.sh \
+ data/nist-result2 \
data/n0ll.pem \
- data/secp160r1TestCA.cert.pem \
- data/secp160r1TestCA.key.pem \
- data/secp160r1TestCA.pem \
- data/secp160r2TestClient.cert.pem \
- data/secp160r2TestClient.key.pem \
- data/secp160r2TestClient.pem \
- data/secp160r2TestServer.cert.pem \
- data/secp160r2TestServer.key.pem \
- data/secp160r2TestServer.pem \
+ data/secp256r1TestCA.cert.pem \
+ data/secp256r1TestCA.key.pem \
+ data/secp256r1TestCA.pem \
+ data/secp256r2TestClient.cert.pem \
+ data/secp256r2TestClient.key.pem \
+ data/secp256r2TestClient.pem \
+ data/secp256r2TestServer.cert.pem \
+ data/secp256r2TestServer.key.pem \
+ data/secp256r2TestServer.pem \
data/bleichenbacher-bad.pem \
data/bleichenbacher-good.pem \
data/bleichenbacher-sf-pad-correct.pem \
@@ -770,7 +1063,7 @@ all: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) all-am
.SUFFIXES:
-.SUFFIXES: .et .h .x .z .hx .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .l .lo .o .obj .y
+.SUFFIXES: .et .h .pc.in .pc .x .z .hx .1 .3 .5 .7 .8 .cat1 .cat3 .cat5 .cat7 .cat8 .c .l .lo .log .o .obj .test .test$(EXEEXT) .trs .y
$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
@@ -783,7 +1076,6 @@ $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/hx509/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign lib/hx509/Makefile
-.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
@@ -792,6 +1084,7 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
esac;
+$(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__empty):
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
@@ -801,9 +1094,9 @@ $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
+
install-libLTLIBRARIES: $(lib_LTLIBRARIES)
@$(NORMAL_INSTALL)
- test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
list2=; for p in $$list; do \
if test -f $$p; then \
@@ -811,6 +1104,8 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
else :; fi; \
done; \
test -z "$$list2" || { \
+ echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(libdir)" || exit 1; \
echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \
$(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \
}
@@ -826,29 +1121,35 @@ uninstall-libLTLIBRARIES:
clean-libLTLIBRARIES:
-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
- @list='$(lib_LTLIBRARIES)'; for p in $$list; do \
- dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
- test "$$dir" != "$$p" || dir=.; \
- echo "rm -f \"$${dir}/so_locations\""; \
- rm -f "$${dir}/so_locations"; \
- done
+ @list='$(lib_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
sel-gram.h: sel-gram.c
- @if test ! -f $@; then \
- rm -f sel-gram.c; \
- $(MAKE) $(AM_MAKEFLAGS) sel-gram.c; \
- else :; fi
-libhx509.la: $(libhx509_la_OBJECTS) $(libhx509_la_DEPENDENCIES)
- $(libhx509_la_LINK) -rpath $(libdir) $(libhx509_la_OBJECTS) $(libhx509_la_LIBADD) $(LIBS)
+ @if test ! -f $@; then rm -f sel-gram.c; else :; fi
+ @if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) sel-gram.c; else :; fi
+
+libhx509.la: $(libhx509_la_OBJECTS) $(libhx509_la_DEPENDENCIES) $(EXTRA_libhx509_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(libhx509_la_LINK) -rpath $(libdir) $(libhx509_la_OBJECTS) $(libhx509_la_LIBADD) $(LIBS)
install-binPROGRAMS: $(bin_PROGRAMS)
@$(NORMAL_INSTALL)
- test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
+ fi; \
for p in $$list; do echo "$$p $$p"; done | \
sed 's/$(EXEEXT)$$//' | \
- while read p p1; do if test -f $$p || test -f $$p1; \
- then echo "$$p"; echo "$$p"; else :; fi; \
+ while read p p1; do if test -f $$p \
+ || test -f $$p1 \
+ ; then echo "$$p"; echo "$$p"; else :; fi; \
done | \
- sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+ sed -e 'p;s,.*/,,;n;h' \
+ -e 's|.*|.|' \
-e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
sed 'N;N;N;s,\n, ,g' | \
$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
@@ -869,7 +1170,8 @@ uninstall-binPROGRAMS:
@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
- -e 's/$$/$(EXEEXT)/' `; \
+ -e 's/$$/$(EXEEXT)/' \
+ `; \
test -n "$$list" || exit 0; \
echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(bindir)" && rm -f $$files
@@ -891,18 +1193,22 @@ clean-checkPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-hxtool$(EXEEXT): $(hxtool_OBJECTS) $(hxtool_DEPENDENCIES)
+
+hxtool$(EXEEXT): $(hxtool_OBJECTS) $(hxtool_DEPENDENCIES) $(EXTRA_hxtool_DEPENDENCIES)
@rm -f hxtool$(EXEEXT)
- $(LINK) $(hxtool_OBJECTS) $(hxtool_LDADD) $(LIBS)
-test_expr$(EXEEXT): $(test_expr_OBJECTS) $(test_expr_DEPENDENCIES)
+ $(AM_V_CCLD)$(LINK) $(hxtool_OBJECTS) $(hxtool_LDADD) $(LIBS)
+
+test_expr$(EXEEXT): $(test_expr_OBJECTS) $(test_expr_DEPENDENCIES) $(EXTRA_test_expr_DEPENDENCIES)
@rm -f test_expr$(EXEEXT)
- $(LINK) $(test_expr_OBJECTS) $(test_expr_LDADD) $(LIBS)
-test_name$(EXEEXT): $(test_name_OBJECTS) $(test_name_DEPENDENCIES)
+ $(AM_V_CCLD)$(LINK) $(test_expr_OBJECTS) $(test_expr_LDADD) $(LIBS)
+
+test_name$(EXEEXT): $(test_name_OBJECTS) $(test_name_DEPENDENCIES) $(EXTRA_test_name_DEPENDENCIES)
@rm -f test_name$(EXEEXT)
- $(LINK) $(test_name_OBJECTS) $(test_name_LDADD) $(LIBS)
-test_soft_pkcs11$(EXEEXT): $(test_soft_pkcs11_OBJECTS) $(test_soft_pkcs11_DEPENDENCIES)
+ $(AM_V_CCLD)$(LINK) $(test_name_OBJECTS) $(test_name_LDADD) $(LIBS)
+
+test_soft_pkcs11$(EXEEXT): $(test_soft_pkcs11_OBJECTS) $(test_soft_pkcs11_DEPENDENCIES) $(EXTRA_test_soft_pkcs11_DEPENDENCIES)
@rm -f test_soft_pkcs11$(EXEEXT)
- $(LINK) $(test_soft_pkcs11_OBJECTS) $(test_soft_pkcs11_LDADD) $(LIBS)
+ $(AM_V_CCLD)$(LINK) $(test_soft_pkcs11_OBJECTS) $(test_soft_pkcs11_LDADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
@@ -910,478 +1216,87 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hxtool-hxtool-commands.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hxtool-hxtool.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_CertificationRequest.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_CertificationRequestInfo.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPBasicOCSPResponse.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPCertID.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPCertStatus.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPInnerRequest.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPKeyHash.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPRequest.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPResponderID.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPResponse.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPResponseBytes.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPResponseData.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPResponseStatus.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPSignature.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPSingleResponse.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPTBSRequest.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPVersion.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp_basic.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp_nonce.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-ca.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-cert.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-cms.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-collector.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-crypto.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-doxygen.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-env.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-error.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-file.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-hx509_err.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-keyset.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-ks_dir.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-ks_file.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-ks_keychain.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-ks_mem.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-ks_null.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-ks_p11.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-ks_p12.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-lock.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-name.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-peer.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-print.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-req.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-revoke.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-sel-gram.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-sel-lex.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-sel.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-softp11.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_CertificationRequest.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_CertificationRequestInfo.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPBasicOCSPResponse.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPCertID.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPCertStatus.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPInnerRequest.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPKeyHash.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPRequest.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponderID.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponse.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponseBytes.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponseData.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponseStatus.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPSignature.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPSingleResponse.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPTBSRequest.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPVersion.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_id_pkix_ocsp.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_id_pkix_ocsp_basic.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_id_pkix_ocsp_nonce.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ca.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cms.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/collector.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto-ec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/doxygen.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/env.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/file.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hx509_err.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hxtool-commands.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hxtool.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyset.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_dir.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_file.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_keychain.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_mem.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_null.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_p11.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_p12.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lock.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/peer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/print.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/req.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/revoke.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sel-gram.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sel-lex.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sel.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/softp11.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_expr.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_name-test_name.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_soft_pkcs11-test_soft_pkcs11.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_name.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_soft_pkcs11.Po@am__quote@
.c.o:
-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
-@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
-
-libhx509_la-ca.lo: ca.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-ca.lo -MD -MP -MF $(DEPDIR)/libhx509_la-ca.Tpo -c -o libhx509_la-ca.lo `test -f 'ca.c' || echo '$(srcdir)/'`ca.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-ca.Tpo $(DEPDIR)/libhx509_la-ca.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ca.c' object='libhx509_la-ca.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ca.lo `test -f 'ca.c' || echo '$(srcdir)/'`ca.c
-
-libhx509_la-cert.lo: cert.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-cert.lo -MD -MP -MF $(DEPDIR)/libhx509_la-cert.Tpo -c -o libhx509_la-cert.lo `test -f 'cert.c' || echo '$(srcdir)/'`cert.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-cert.Tpo $(DEPDIR)/libhx509_la-cert.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='cert.c' object='libhx509_la-cert.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-cert.lo `test -f 'cert.c' || echo '$(srcdir)/'`cert.c
-
-libhx509_la-cms.lo: cms.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-cms.lo -MD -MP -MF $(DEPDIR)/libhx509_la-cms.Tpo -c -o libhx509_la-cms.lo `test -f 'cms.c' || echo '$(srcdir)/'`cms.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-cms.Tpo $(DEPDIR)/libhx509_la-cms.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='cms.c' object='libhx509_la-cms.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-cms.lo `test -f 'cms.c' || echo '$(srcdir)/'`cms.c
-
-libhx509_la-collector.lo: collector.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-collector.lo -MD -MP -MF $(DEPDIR)/libhx509_la-collector.Tpo -c -o libhx509_la-collector.lo `test -f 'collector.c' || echo '$(srcdir)/'`collector.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-collector.Tpo $(DEPDIR)/libhx509_la-collector.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='collector.c' object='libhx509_la-collector.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-collector.lo `test -f 'collector.c' || echo '$(srcdir)/'`collector.c
-
-libhx509_la-crypto.lo: crypto.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-crypto.lo -MD -MP -MF $(DEPDIR)/libhx509_la-crypto.Tpo -c -o libhx509_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-crypto.Tpo $(DEPDIR)/libhx509_la-crypto.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto.c' object='libhx509_la-crypto.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
-
-libhx509_la-doxygen.lo: doxygen.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-doxygen.lo -MD -MP -MF $(DEPDIR)/libhx509_la-doxygen.Tpo -c -o libhx509_la-doxygen.lo `test -f 'doxygen.c' || echo '$(srcdir)/'`doxygen.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-doxygen.Tpo $(DEPDIR)/libhx509_la-doxygen.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='doxygen.c' object='libhx509_la-doxygen.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-doxygen.lo `test -f 'doxygen.c' || echo '$(srcdir)/'`doxygen.c
-
-libhx509_la-error.lo: error.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-error.lo -MD -MP -MF $(DEPDIR)/libhx509_la-error.Tpo -c -o libhx509_la-error.lo `test -f 'error.c' || echo '$(srcdir)/'`error.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-error.Tpo $(DEPDIR)/libhx509_la-error.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='error.c' object='libhx509_la-error.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-error.lo `test -f 'error.c' || echo '$(srcdir)/'`error.c
-
-libhx509_la-env.lo: env.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-env.lo -MD -MP -MF $(DEPDIR)/libhx509_la-env.Tpo -c -o libhx509_la-env.lo `test -f 'env.c' || echo '$(srcdir)/'`env.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-env.Tpo $(DEPDIR)/libhx509_la-env.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='env.c' object='libhx509_la-env.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-env.lo `test -f 'env.c' || echo '$(srcdir)/'`env.c
-
-libhx509_la-file.lo: file.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-file.lo -MD -MP -MF $(DEPDIR)/libhx509_la-file.Tpo -c -o libhx509_la-file.lo `test -f 'file.c' || echo '$(srcdir)/'`file.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-file.Tpo $(DEPDIR)/libhx509_la-file.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='file.c' object='libhx509_la-file.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-file.lo `test -f 'file.c' || echo '$(srcdir)/'`file.c
-
-libhx509_la-sel.lo: sel.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-sel.lo -MD -MP -MF $(DEPDIR)/libhx509_la-sel.Tpo -c -o libhx509_la-sel.lo `test -f 'sel.c' || echo '$(srcdir)/'`sel.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-sel.Tpo $(DEPDIR)/libhx509_la-sel.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sel.c' object='libhx509_la-sel.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-sel.lo `test -f 'sel.c' || echo '$(srcdir)/'`sel.c
-
-libhx509_la-sel-gram.lo: sel-gram.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-sel-gram.lo -MD -MP -MF $(DEPDIR)/libhx509_la-sel-gram.Tpo -c -o libhx509_la-sel-gram.lo `test -f 'sel-gram.c' || echo '$(srcdir)/'`sel-gram.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-sel-gram.Tpo $(DEPDIR)/libhx509_la-sel-gram.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sel-gram.c' object='libhx509_la-sel-gram.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-sel-gram.lo `test -f 'sel-gram.c' || echo '$(srcdir)/'`sel-gram.c
-
-libhx509_la-sel-lex.lo: sel-lex.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-sel-lex.lo -MD -MP -MF $(DEPDIR)/libhx509_la-sel-lex.Tpo -c -o libhx509_la-sel-lex.lo `test -f 'sel-lex.c' || echo '$(srcdir)/'`sel-lex.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-sel-lex.Tpo $(DEPDIR)/libhx509_la-sel-lex.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sel-lex.c' object='libhx509_la-sel-lex.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-sel-lex.lo `test -f 'sel-lex.c' || echo '$(srcdir)/'`sel-lex.c
-
-libhx509_la-keyset.lo: keyset.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-keyset.lo -MD -MP -MF $(DEPDIR)/libhx509_la-keyset.Tpo -c -o libhx509_la-keyset.lo `test -f 'keyset.c' || echo '$(srcdir)/'`keyset.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-keyset.Tpo $(DEPDIR)/libhx509_la-keyset.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='keyset.c' object='libhx509_la-keyset.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-keyset.lo `test -f 'keyset.c' || echo '$(srcdir)/'`keyset.c
-
-libhx509_la-ks_dir.lo: ks_dir.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-ks_dir.lo -MD -MP -MF $(DEPDIR)/libhx509_la-ks_dir.Tpo -c -o libhx509_la-ks_dir.lo `test -f 'ks_dir.c' || echo '$(srcdir)/'`ks_dir.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-ks_dir.Tpo $(DEPDIR)/libhx509_la-ks_dir.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ks_dir.c' object='libhx509_la-ks_dir.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_dir.lo `test -f 'ks_dir.c' || echo '$(srcdir)/'`ks_dir.c
-
-libhx509_la-ks_file.lo: ks_file.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-ks_file.lo -MD -MP -MF $(DEPDIR)/libhx509_la-ks_file.Tpo -c -o libhx509_la-ks_file.lo `test -f 'ks_file.c' || echo '$(srcdir)/'`ks_file.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-ks_file.Tpo $(DEPDIR)/libhx509_la-ks_file.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ks_file.c' object='libhx509_la-ks_file.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_file.lo `test -f 'ks_file.c' || echo '$(srcdir)/'`ks_file.c
-
-libhx509_la-ks_mem.lo: ks_mem.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-ks_mem.lo -MD -MP -MF $(DEPDIR)/libhx509_la-ks_mem.Tpo -c -o libhx509_la-ks_mem.lo `test -f 'ks_mem.c' || echo '$(srcdir)/'`ks_mem.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-ks_mem.Tpo $(DEPDIR)/libhx509_la-ks_mem.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ks_mem.c' object='libhx509_la-ks_mem.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_mem.lo `test -f 'ks_mem.c' || echo '$(srcdir)/'`ks_mem.c
-
-libhx509_la-ks_null.lo: ks_null.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-ks_null.lo -MD -MP -MF $(DEPDIR)/libhx509_la-ks_null.Tpo -c -o libhx509_la-ks_null.lo `test -f 'ks_null.c' || echo '$(srcdir)/'`ks_null.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-ks_null.Tpo $(DEPDIR)/libhx509_la-ks_null.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ks_null.c' object='libhx509_la-ks_null.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_null.lo `test -f 'ks_null.c' || echo '$(srcdir)/'`ks_null.c
-
-libhx509_la-ks_p11.lo: ks_p11.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-ks_p11.lo -MD -MP -MF $(DEPDIR)/libhx509_la-ks_p11.Tpo -c -o libhx509_la-ks_p11.lo `test -f 'ks_p11.c' || echo '$(srcdir)/'`ks_p11.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-ks_p11.Tpo $(DEPDIR)/libhx509_la-ks_p11.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ks_p11.c' object='libhx509_la-ks_p11.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_p11.lo `test -f 'ks_p11.c' || echo '$(srcdir)/'`ks_p11.c
-
-libhx509_la-ks_p12.lo: ks_p12.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-ks_p12.lo -MD -MP -MF $(DEPDIR)/libhx509_la-ks_p12.Tpo -c -o libhx509_la-ks_p12.lo `test -f 'ks_p12.c' || echo '$(srcdir)/'`ks_p12.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-ks_p12.Tpo $(DEPDIR)/libhx509_la-ks_p12.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ks_p12.c' object='libhx509_la-ks_p12.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_p12.lo `test -f 'ks_p12.c' || echo '$(srcdir)/'`ks_p12.c
-
-libhx509_la-ks_keychain.lo: ks_keychain.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-ks_keychain.lo -MD -MP -MF $(DEPDIR)/libhx509_la-ks_keychain.Tpo -c -o libhx509_la-ks_keychain.lo `test -f 'ks_keychain.c' || echo '$(srcdir)/'`ks_keychain.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-ks_keychain.Tpo $(DEPDIR)/libhx509_la-ks_keychain.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ks_keychain.c' object='libhx509_la-ks_keychain.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_keychain.lo `test -f 'ks_keychain.c' || echo '$(srcdir)/'`ks_keychain.c
-
-libhx509_la-lock.lo: lock.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-lock.lo -MD -MP -MF $(DEPDIR)/libhx509_la-lock.Tpo -c -o libhx509_la-lock.lo `test -f 'lock.c' || echo '$(srcdir)/'`lock.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-lock.Tpo $(DEPDIR)/libhx509_la-lock.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='lock.c' object='libhx509_la-lock.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-lock.lo `test -f 'lock.c' || echo '$(srcdir)/'`lock.c
-
-libhx509_la-name.lo: name.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-name.lo -MD -MP -MF $(DEPDIR)/libhx509_la-name.Tpo -c -o libhx509_la-name.lo `test -f 'name.c' || echo '$(srcdir)/'`name.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-name.Tpo $(DEPDIR)/libhx509_la-name.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='name.c' object='libhx509_la-name.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-name.lo `test -f 'name.c' || echo '$(srcdir)/'`name.c
-
-libhx509_la-peer.lo: peer.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-peer.lo -MD -MP -MF $(DEPDIR)/libhx509_la-peer.Tpo -c -o libhx509_la-peer.lo `test -f 'peer.c' || echo '$(srcdir)/'`peer.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-peer.Tpo $(DEPDIR)/libhx509_la-peer.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='peer.c' object='libhx509_la-peer.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-peer.lo `test -f 'peer.c' || echo '$(srcdir)/'`peer.c
-
-libhx509_la-print.lo: print.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-print.lo -MD -MP -MF $(DEPDIR)/libhx509_la-print.Tpo -c -o libhx509_la-print.lo `test -f 'print.c' || echo '$(srcdir)/'`print.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-print.Tpo $(DEPDIR)/libhx509_la-print.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='print.c' object='libhx509_la-print.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-print.lo `test -f 'print.c' || echo '$(srcdir)/'`print.c
-
-libhx509_la-softp11.lo: softp11.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-softp11.lo -MD -MP -MF $(DEPDIR)/libhx509_la-softp11.Tpo -c -o libhx509_la-softp11.lo `test -f 'softp11.c' || echo '$(srcdir)/'`softp11.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-softp11.Tpo $(DEPDIR)/libhx509_la-softp11.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='softp11.c' object='libhx509_la-softp11.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-softp11.lo `test -f 'softp11.c' || echo '$(srcdir)/'`softp11.c
-
-libhx509_la-req.lo: req.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-req.lo -MD -MP -MF $(DEPDIR)/libhx509_la-req.Tpo -c -o libhx509_la-req.lo `test -f 'req.c' || echo '$(srcdir)/'`req.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-req.Tpo $(DEPDIR)/libhx509_la-req.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='req.c' object='libhx509_la-req.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-req.lo `test -f 'req.c' || echo '$(srcdir)/'`req.c
-
-libhx509_la-revoke.lo: revoke.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-revoke.lo -MD -MP -MF $(DEPDIR)/libhx509_la-revoke.Tpo -c -o libhx509_la-revoke.lo `test -f 'revoke.c' || echo '$(srcdir)/'`revoke.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-revoke.Tpo $(DEPDIR)/libhx509_la-revoke.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='revoke.c' object='libhx509_la-revoke.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-revoke.lo `test -f 'revoke.c' || echo '$(srcdir)/'`revoke.c
-
-libhx509_la-asn1_OCSPBasicOCSPResponse.lo: asn1_OCSPBasicOCSPResponse.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPBasicOCSPResponse.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPBasicOCSPResponse.Tpo -c -o libhx509_la-asn1_OCSPBasicOCSPResponse.lo `test -f 'asn1_OCSPBasicOCSPResponse.c' || echo '$(srcdir)/'`asn1_OCSPBasicOCSPResponse.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPBasicOCSPResponse.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPBasicOCSPResponse.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPBasicOCSPResponse.c' object='libhx509_la-asn1_OCSPBasicOCSPResponse.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPBasicOCSPResponse.lo `test -f 'asn1_OCSPBasicOCSPResponse.c' || echo '$(srcdir)/'`asn1_OCSPBasicOCSPResponse.c
-
-libhx509_la-asn1_OCSPCertID.lo: asn1_OCSPCertID.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPCertID.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPCertID.Tpo -c -o libhx509_la-asn1_OCSPCertID.lo `test -f 'asn1_OCSPCertID.c' || echo '$(srcdir)/'`asn1_OCSPCertID.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPCertID.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPCertID.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPCertID.c' object='libhx509_la-asn1_OCSPCertID.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPCertID.lo `test -f 'asn1_OCSPCertID.c' || echo '$(srcdir)/'`asn1_OCSPCertID.c
-
-libhx509_la-asn1_OCSPCertStatus.lo: asn1_OCSPCertStatus.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPCertStatus.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPCertStatus.Tpo -c -o libhx509_la-asn1_OCSPCertStatus.lo `test -f 'asn1_OCSPCertStatus.c' || echo '$(srcdir)/'`asn1_OCSPCertStatus.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPCertStatus.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPCertStatus.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPCertStatus.c' object='libhx509_la-asn1_OCSPCertStatus.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPCertStatus.lo `test -f 'asn1_OCSPCertStatus.c' || echo '$(srcdir)/'`asn1_OCSPCertStatus.c
-
-libhx509_la-asn1_OCSPInnerRequest.lo: asn1_OCSPInnerRequest.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPInnerRequest.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPInnerRequest.Tpo -c -o libhx509_la-asn1_OCSPInnerRequest.lo `test -f 'asn1_OCSPInnerRequest.c' || echo '$(srcdir)/'`asn1_OCSPInnerRequest.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPInnerRequest.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPInnerRequest.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPInnerRequest.c' object='libhx509_la-asn1_OCSPInnerRequest.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPInnerRequest.lo `test -f 'asn1_OCSPInnerRequest.c' || echo '$(srcdir)/'`asn1_OCSPInnerRequest.c
-
-libhx509_la-asn1_OCSPKeyHash.lo: asn1_OCSPKeyHash.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPKeyHash.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPKeyHash.Tpo -c -o libhx509_la-asn1_OCSPKeyHash.lo `test -f 'asn1_OCSPKeyHash.c' || echo '$(srcdir)/'`asn1_OCSPKeyHash.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPKeyHash.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPKeyHash.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPKeyHash.c' object='libhx509_la-asn1_OCSPKeyHash.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPKeyHash.lo `test -f 'asn1_OCSPKeyHash.c' || echo '$(srcdir)/'`asn1_OCSPKeyHash.c
-
-libhx509_la-asn1_OCSPRequest.lo: asn1_OCSPRequest.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPRequest.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPRequest.Tpo -c -o libhx509_la-asn1_OCSPRequest.lo `test -f 'asn1_OCSPRequest.c' || echo '$(srcdir)/'`asn1_OCSPRequest.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPRequest.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPRequest.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPRequest.c' object='libhx509_la-asn1_OCSPRequest.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPRequest.lo `test -f 'asn1_OCSPRequest.c' || echo '$(srcdir)/'`asn1_OCSPRequest.c
-
-libhx509_la-asn1_OCSPResponderID.lo: asn1_OCSPResponderID.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPResponderID.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPResponderID.Tpo -c -o libhx509_la-asn1_OCSPResponderID.lo `test -f 'asn1_OCSPResponderID.c' || echo '$(srcdir)/'`asn1_OCSPResponderID.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPResponderID.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPResponderID.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPResponderID.c' object='libhx509_la-asn1_OCSPResponderID.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPResponderID.lo `test -f 'asn1_OCSPResponderID.c' || echo '$(srcdir)/'`asn1_OCSPResponderID.c
-
-libhx509_la-asn1_OCSPResponse.lo: asn1_OCSPResponse.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPResponse.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPResponse.Tpo -c -o libhx509_la-asn1_OCSPResponse.lo `test -f 'asn1_OCSPResponse.c' || echo '$(srcdir)/'`asn1_OCSPResponse.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPResponse.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPResponse.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPResponse.c' object='libhx509_la-asn1_OCSPResponse.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPResponse.lo `test -f 'asn1_OCSPResponse.c' || echo '$(srcdir)/'`asn1_OCSPResponse.c
-
-libhx509_la-asn1_OCSPResponseBytes.lo: asn1_OCSPResponseBytes.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPResponseBytes.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPResponseBytes.Tpo -c -o libhx509_la-asn1_OCSPResponseBytes.lo `test -f 'asn1_OCSPResponseBytes.c' || echo '$(srcdir)/'`asn1_OCSPResponseBytes.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPResponseBytes.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPResponseBytes.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPResponseBytes.c' object='libhx509_la-asn1_OCSPResponseBytes.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPResponseBytes.lo `test -f 'asn1_OCSPResponseBytes.c' || echo '$(srcdir)/'`asn1_OCSPResponseBytes.c
-
-libhx509_la-asn1_OCSPResponseData.lo: asn1_OCSPResponseData.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPResponseData.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPResponseData.Tpo -c -o libhx509_la-asn1_OCSPResponseData.lo `test -f 'asn1_OCSPResponseData.c' || echo '$(srcdir)/'`asn1_OCSPResponseData.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPResponseData.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPResponseData.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPResponseData.c' object='libhx509_la-asn1_OCSPResponseData.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPResponseData.lo `test -f 'asn1_OCSPResponseData.c' || echo '$(srcdir)/'`asn1_OCSPResponseData.c
-
-libhx509_la-asn1_OCSPResponseStatus.lo: asn1_OCSPResponseStatus.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPResponseStatus.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPResponseStatus.Tpo -c -o libhx509_la-asn1_OCSPResponseStatus.lo `test -f 'asn1_OCSPResponseStatus.c' || echo '$(srcdir)/'`asn1_OCSPResponseStatus.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPResponseStatus.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPResponseStatus.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPResponseStatus.c' object='libhx509_la-asn1_OCSPResponseStatus.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPResponseStatus.lo `test -f 'asn1_OCSPResponseStatus.c' || echo '$(srcdir)/'`asn1_OCSPResponseStatus.c
-
-libhx509_la-asn1_OCSPSignature.lo: asn1_OCSPSignature.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPSignature.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPSignature.Tpo -c -o libhx509_la-asn1_OCSPSignature.lo `test -f 'asn1_OCSPSignature.c' || echo '$(srcdir)/'`asn1_OCSPSignature.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPSignature.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPSignature.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPSignature.c' object='libhx509_la-asn1_OCSPSignature.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPSignature.lo `test -f 'asn1_OCSPSignature.c' || echo '$(srcdir)/'`asn1_OCSPSignature.c
-
-libhx509_la-asn1_OCSPSingleResponse.lo: asn1_OCSPSingleResponse.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPSingleResponse.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPSingleResponse.Tpo -c -o libhx509_la-asn1_OCSPSingleResponse.lo `test -f 'asn1_OCSPSingleResponse.c' || echo '$(srcdir)/'`asn1_OCSPSingleResponse.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPSingleResponse.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPSingleResponse.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPSingleResponse.c' object='libhx509_la-asn1_OCSPSingleResponse.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPSingleResponse.lo `test -f 'asn1_OCSPSingleResponse.c' || echo '$(srcdir)/'`asn1_OCSPSingleResponse.c
-
-libhx509_la-asn1_OCSPTBSRequest.lo: asn1_OCSPTBSRequest.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPTBSRequest.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPTBSRequest.Tpo -c -o libhx509_la-asn1_OCSPTBSRequest.lo `test -f 'asn1_OCSPTBSRequest.c' || echo '$(srcdir)/'`asn1_OCSPTBSRequest.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPTBSRequest.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPTBSRequest.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPTBSRequest.c' object='libhx509_la-asn1_OCSPTBSRequest.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPTBSRequest.lo `test -f 'asn1_OCSPTBSRequest.c' || echo '$(srcdir)/'`asn1_OCSPTBSRequest.c
-
-libhx509_la-asn1_OCSPVersion.lo: asn1_OCSPVersion.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPVersion.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPVersion.Tpo -c -o libhx509_la-asn1_OCSPVersion.lo `test -f 'asn1_OCSPVersion.c' || echo '$(srcdir)/'`asn1_OCSPVersion.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPVersion.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPVersion.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPVersion.c' object='libhx509_la-asn1_OCSPVersion.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPVersion.lo `test -f 'asn1_OCSPVersion.c' || echo '$(srcdir)/'`asn1_OCSPVersion.c
-
-libhx509_la-asn1_id_pkix_ocsp.lo: asn1_id_pkix_ocsp.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_id_pkix_ocsp.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp.Tpo -c -o libhx509_la-asn1_id_pkix_ocsp.lo `test -f 'asn1_id_pkix_ocsp.c' || echo '$(srcdir)/'`asn1_id_pkix_ocsp.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp.Tpo $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_id_pkix_ocsp.c' object='libhx509_la-asn1_id_pkix_ocsp.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_id_pkix_ocsp.lo `test -f 'asn1_id_pkix_ocsp.c' || echo '$(srcdir)/'`asn1_id_pkix_ocsp.c
-
-libhx509_la-asn1_id_pkix_ocsp_basic.lo: asn1_id_pkix_ocsp_basic.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_id_pkix_ocsp_basic.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp_basic.Tpo -c -o libhx509_la-asn1_id_pkix_ocsp_basic.lo `test -f 'asn1_id_pkix_ocsp_basic.c' || echo '$(srcdir)/'`asn1_id_pkix_ocsp_basic.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp_basic.Tpo $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp_basic.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_id_pkix_ocsp_basic.c' object='libhx509_la-asn1_id_pkix_ocsp_basic.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_id_pkix_ocsp_basic.lo `test -f 'asn1_id_pkix_ocsp_basic.c' || echo '$(srcdir)/'`asn1_id_pkix_ocsp_basic.c
-
-libhx509_la-asn1_id_pkix_ocsp_nonce.lo: asn1_id_pkix_ocsp_nonce.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_id_pkix_ocsp_nonce.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp_nonce.Tpo -c -o libhx509_la-asn1_id_pkix_ocsp_nonce.lo `test -f 'asn1_id_pkix_ocsp_nonce.c' || echo '$(srcdir)/'`asn1_id_pkix_ocsp_nonce.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp_nonce.Tpo $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp_nonce.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_id_pkix_ocsp_nonce.c' object='libhx509_la-asn1_id_pkix_ocsp_nonce.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_id_pkix_ocsp_nonce.lo `test -f 'asn1_id_pkix_ocsp_nonce.c' || echo '$(srcdir)/'`asn1_id_pkix_ocsp_nonce.c
-
-libhx509_la-asn1_CertificationRequestInfo.lo: asn1_CertificationRequestInfo.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_CertificationRequestInfo.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_CertificationRequestInfo.Tpo -c -o libhx509_la-asn1_CertificationRequestInfo.lo `test -f 'asn1_CertificationRequestInfo.c' || echo '$(srcdir)/'`asn1_CertificationRequestInfo.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_CertificationRequestInfo.Tpo $(DEPDIR)/libhx509_la-asn1_CertificationRequestInfo.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_CertificationRequestInfo.c' object='libhx509_la-asn1_CertificationRequestInfo.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_CertificationRequestInfo.lo `test -f 'asn1_CertificationRequestInfo.c' || echo '$(srcdir)/'`asn1_CertificationRequestInfo.c
-
-libhx509_la-asn1_CertificationRequest.lo: asn1_CertificationRequest.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_CertificationRequest.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_CertificationRequest.Tpo -c -o libhx509_la-asn1_CertificationRequest.lo `test -f 'asn1_CertificationRequest.c' || echo '$(srcdir)/'`asn1_CertificationRequest.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_CertificationRequest.Tpo $(DEPDIR)/libhx509_la-asn1_CertificationRequest.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_CertificationRequest.c' object='libhx509_la-asn1_CertificationRequest.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_CertificationRequest.lo `test -f 'asn1_CertificationRequest.c' || echo '$(srcdir)/'`asn1_CertificationRequest.c
-
-libhx509_la-hx509_err.lo: hx509_err.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-hx509_err.lo -MD -MP -MF $(DEPDIR)/libhx509_la-hx509_err.Tpo -c -o libhx509_la-hx509_err.lo `test -f 'hx509_err.c' || echo '$(srcdir)/'`hx509_err.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-hx509_err.Tpo $(DEPDIR)/libhx509_la-hx509_err.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hx509_err.c' object='libhx509_la-hx509_err.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-hx509_err.lo `test -f 'hx509_err.c' || echo '$(srcdir)/'`hx509_err.c
-
-hxtool-hxtool.o: hxtool.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hxtool-hxtool.o -MD -MP -MF $(DEPDIR)/hxtool-hxtool.Tpo -c -o hxtool-hxtool.o `test -f 'hxtool.c' || echo '$(srcdir)/'`hxtool.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/hxtool-hxtool.Tpo $(DEPDIR)/hxtool-hxtool.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hxtool.c' object='hxtool-hxtool.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hxtool-hxtool.o `test -f 'hxtool.c' || echo '$(srcdir)/'`hxtool.c
-
-hxtool-hxtool.obj: hxtool.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hxtool-hxtool.obj -MD -MP -MF $(DEPDIR)/hxtool-hxtool.Tpo -c -o hxtool-hxtool.obj `if test -f 'hxtool.c'; then $(CYGPATH_W) 'hxtool.c'; else $(CYGPATH_W) '$(srcdir)/hxtool.c'; fi`
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/hxtool-hxtool.Tpo $(DEPDIR)/hxtool-hxtool.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hxtool.c' object='hxtool-hxtool.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hxtool-hxtool.obj `if test -f 'hxtool.c'; then $(CYGPATH_W) 'hxtool.c'; else $(CYGPATH_W) '$(srcdir)/hxtool.c'; fi`
-
-hxtool-hxtool-commands.o: hxtool-commands.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hxtool-hxtool-commands.o -MD -MP -MF $(DEPDIR)/hxtool-hxtool-commands.Tpo -c -o hxtool-hxtool-commands.o `test -f 'hxtool-commands.c' || echo '$(srcdir)/'`hxtool-commands.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/hxtool-hxtool-commands.Tpo $(DEPDIR)/hxtool-hxtool-commands.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hxtool-commands.c' object='hxtool-hxtool-commands.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hxtool-hxtool-commands.o `test -f 'hxtool-commands.c' || echo '$(srcdir)/'`hxtool-commands.c
-
-hxtool-hxtool-commands.obj: hxtool-commands.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hxtool-hxtool-commands.obj -MD -MP -MF $(DEPDIR)/hxtool-hxtool-commands.Tpo -c -o hxtool-hxtool-commands.obj `if test -f 'hxtool-commands.c'; then $(CYGPATH_W) 'hxtool-commands.c'; else $(CYGPATH_W) '$(srcdir)/hxtool-commands.c'; fi`
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/hxtool-hxtool-commands.Tpo $(DEPDIR)/hxtool-hxtool-commands.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hxtool-commands.c' object='hxtool-hxtool-commands.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hxtool-hxtool-commands.obj `if test -f 'hxtool-commands.c'; then $(CYGPATH_W) 'hxtool-commands.c'; else $(CYGPATH_W) '$(srcdir)/hxtool-commands.c'; fi`
-
-test_name-test_name.o: test_name.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_name_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_name-test_name.o -MD -MP -MF $(DEPDIR)/test_name-test_name.Tpo -c -o test_name-test_name.o `test -f 'test_name.c' || echo '$(srcdir)/'`test_name.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/test_name-test_name.Tpo $(DEPDIR)/test_name-test_name.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='test_name.c' object='test_name-test_name.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_name_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_name-test_name.o `test -f 'test_name.c' || echo '$(srcdir)/'`test_name.c
-
-test_name-test_name.obj: test_name.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_name_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_name-test_name.obj -MD -MP -MF $(DEPDIR)/test_name-test_name.Tpo -c -o test_name-test_name.obj `if test -f 'test_name.c'; then $(CYGPATH_W) 'test_name.c'; else $(CYGPATH_W) '$(srcdir)/test_name.c'; fi`
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/test_name-test_name.Tpo $(DEPDIR)/test_name-test_name.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='test_name.c' object='test_name-test_name.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_name_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_name-test_name.obj `if test -f 'test_name.c'; then $(CYGPATH_W) 'test_name.c'; else $(CYGPATH_W) '$(srcdir)/test_name.c'; fi`
-
-test_soft_pkcs11-test_soft_pkcs11.o: test_soft_pkcs11.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_soft_pkcs11_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_soft_pkcs11-test_soft_pkcs11.o -MD -MP -MF $(DEPDIR)/test_soft_pkcs11-test_soft_pkcs11.Tpo -c -o test_soft_pkcs11-test_soft_pkcs11.o `test -f 'test_soft_pkcs11.c' || echo '$(srcdir)/'`test_soft_pkcs11.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/test_soft_pkcs11-test_soft_pkcs11.Tpo $(DEPDIR)/test_soft_pkcs11-test_soft_pkcs11.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='test_soft_pkcs11.c' object='test_soft_pkcs11-test_soft_pkcs11.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_soft_pkcs11_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_soft_pkcs11-test_soft_pkcs11.o `test -f 'test_soft_pkcs11.c' || echo '$(srcdir)/'`test_soft_pkcs11.c
-
-test_soft_pkcs11-test_soft_pkcs11.obj: test_soft_pkcs11.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_soft_pkcs11_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_soft_pkcs11-test_soft_pkcs11.obj -MD -MP -MF $(DEPDIR)/test_soft_pkcs11-test_soft_pkcs11.Tpo -c -o test_soft_pkcs11-test_soft_pkcs11.obj `if test -f 'test_soft_pkcs11.c'; then $(CYGPATH_W) 'test_soft_pkcs11.c'; else $(CYGPATH_W) '$(srcdir)/test_soft_pkcs11.c'; fi`
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/test_soft_pkcs11-test_soft_pkcs11.Tpo $(DEPDIR)/test_soft_pkcs11-test_soft_pkcs11.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='test_soft_pkcs11.c' object='test_soft_pkcs11-test_soft_pkcs11.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_soft_pkcs11_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_soft_pkcs11-test_soft_pkcs11.obj `if test -f 'test_soft_pkcs11.c'; then $(CYGPATH_W) 'test_soft_pkcs11.c'; else $(CYGPATH_W) '$(srcdir)/test_soft_pkcs11.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
.l.c:
- $(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
+ $(AM_V_LEX)$(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
.y.c:
- $(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h $*.h y.output $*.output -- $(YACCCOMPILE)
+ $(AM_V_YACC)$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h `echo $@ | $(am__yacc_c2h)` y.output $*.output -- $(YACCCOMPILE)
mostlyclean-libtool:
-rm -f *.lo
@@ -1390,8 +1305,11 @@ clean-libtool:
-rm -rf .libs _libs
install-dist_includeHEADERS: $(dist_include_HEADERS)
@$(NORMAL_INSTALL)
- test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
@list='$(dist_include_HEADERS)'; test -n "$(includedir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \
+ fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
@@ -1405,13 +1323,14 @@ uninstall-dist_includeHEADERS:
@$(NORMAL_UNINSTALL)
@list='$(dist_include_HEADERS)'; test -n "$(includedir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(includedir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(includedir)" && rm -f $$files
+ dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir)
install-nodist_includeHEADERS: $(nodist_include_HEADERS)
@$(NORMAL_INSTALL)
- test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
@list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \
+ fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
@@ -1425,30 +1344,17 @@ uninstall-nodist_includeHEADERS:
@$(NORMAL_UNINSTALL)
@list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(includedir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(includedir)" && rm -f $$files
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | \
- $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in files) print i; }; }'`; \
- mkid -fID $$unique
-tags: TAGS
-
-TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
- $(TAGS_FILES) $(LISP)
+ dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir)
+
+ID: $(am__tagged_files)
+ $(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | \
- $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in files) print i; }; }'`; \
+ $(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
@@ -1460,15 +1366,11 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$$unique; \
fi; \
fi
-ctags: CTAGS
-CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
- $(TAGS_FILES) $(LISP)
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | \
- $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in files) print i; }; }'`; \
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ $(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
@@ -1477,101 +1379,292 @@ GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+ list='$(am__tagged_files)'; \
+ case "$(srcdir)" in \
+ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+ *) sdir=$(subdir)/$(srcdir) ;; \
+ esac; \
+ for i in $$list; do \
+ if test -f "$$i"; then \
+ echo "$(subdir)/$$i"; \
+ else \
+ echo "$$sdir/$$i"; \
+ fi; \
+ done >> $(top_builddir)/cscope.files
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-check-TESTS: $(TESTS)
- @failed=0; all=0; xfail=0; xpass=0; skip=0; \
- srcdir=$(srcdir); export srcdir; \
- list=' $(TESTS) '; \
- $(am__tty_colors); \
- if test -n "$$list"; then \
- for tst in $$list; do \
- if test -f ./$$tst; then dir=./; \
- elif test -f $$tst; then dir=; \
- else dir="$(srcdir)/"; fi; \
- if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
- all=`expr $$all + 1`; \
- case " $(XFAIL_TESTS) " in \
- *[\ \ ]$$tst[\ \ ]*) \
- xpass=`expr $$xpass + 1`; \
- failed=`expr $$failed + 1`; \
- col=$$red; res=XPASS; \
- ;; \
- *) \
- col=$$grn; res=PASS; \
- ;; \
- esac; \
- elif test $$? -ne 77; then \
- all=`expr $$all + 1`; \
- case " $(XFAIL_TESTS) " in \
- *[\ \ ]$$tst[\ \ ]*) \
- xfail=`expr $$xfail + 1`; \
- col=$$lgn; res=XFAIL; \
- ;; \
- *) \
- failed=`expr $$failed + 1`; \
- col=$$red; res=FAIL; \
- ;; \
- esac; \
- else \
- skip=`expr $$skip + 1`; \
- col=$$blu; res=SKIP; \
- fi; \
- echo "$${col}$$res$${std}: $$tst"; \
- done; \
- if test "$$all" -eq 1; then \
- tests="test"; \
- All=""; \
- else \
- tests="tests"; \
- All="All "; \
+# Recover from deleted '.trs' file; this should ensure that
+# "rm -f foo.log; make foo.trs" re-run 'foo.test', and re-create
+# both 'foo.log' and 'foo.trs'. Break the recipe in two subshells
+# to avoid problems with "make -n".
+.log.trs:
+ rm -f $< $@
+ $(MAKE) $(AM_MAKEFLAGS) $<
+
+# Leading 'am--fnord' is there to ensure the list of targets does not
+# expand to empty, as could happen e.g. with make check TESTS=''.
+am--fnord $(TEST_LOGS) $(TEST_LOGS:.log=.trs): $(am__force_recheck)
+am--force-recheck:
+ @:
+
+$(TEST_SUITE_LOG): $(TEST_LOGS)
+ @$(am__set_TESTS_bases); \
+ am__f_ok () { test -f "$$1" && test -r "$$1"; }; \
+ redo_bases=`for i in $$bases; do \
+ am__f_ok $$i.trs && am__f_ok $$i.log || echo $$i; \
+ done`; \
+ if test -n "$$redo_bases"; then \
+ redo_logs=`for i in $$redo_bases; do echo $$i.log; done`; \
+ redo_results=`for i in $$redo_bases; do echo $$i.trs; done`; \
+ if $(am__make_dryrun); then :; else \
+ rm -f $$redo_logs && rm -f $$redo_results || exit 1; \
fi; \
- if test "$$failed" -eq 0; then \
- if test "$$xfail" -eq 0; then \
- banner="$$All$$all $$tests passed"; \
- else \
- if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
- banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
- fi; \
- else \
- if test "$$xpass" -eq 0; then \
- banner="$$failed of $$all $$tests failed"; \
+ fi; \
+ if test -n "$$am__remaking_logs"; then \
+ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \
+ "recursion detected" >&2; \
+ elif test -n "$$redo_logs"; then \
+ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \
+ fi; \
+ if $(am__make_dryrun); then :; else \
+ st=0; \
+ errmsg="fatal: making $(TEST_SUITE_LOG): failed to create"; \
+ for i in $$redo_bases; do \
+ test -f $$i.trs && test -r $$i.trs \
+ || { echo "$$errmsg $$i.trs" >&2; st=1; }; \
+ test -f $$i.log && test -r $$i.log \
+ || { echo "$$errmsg $$i.log" >&2; st=1; }; \
+ done; \
+ test $$st -eq 0 || exit 1; \
+ fi
+ @$(am__sh_e_setup); $(am__tty_colors); $(am__set_TESTS_bases); \
+ ws='[ ]'; \
+ results=`for b in $$bases; do echo $$b.trs; done`; \
+ test -n "$$results" || results=/dev/null; \
+ all=` grep "^$$ws*:test-result:" $$results | wc -l`; \
+ pass=` grep "^$$ws*:test-result:$$ws*PASS" $$results | wc -l`; \
+ fail=` grep "^$$ws*:test-result:$$ws*FAIL" $$results | wc -l`; \
+ skip=` grep "^$$ws*:test-result:$$ws*SKIP" $$results | wc -l`; \
+ xfail=`grep "^$$ws*:test-result:$$ws*XFAIL" $$results | wc -l`; \
+ xpass=`grep "^$$ws*:test-result:$$ws*XPASS" $$results | wc -l`; \
+ error=`grep "^$$ws*:test-result:$$ws*ERROR" $$results | wc -l`; \
+ if test `expr $$fail + $$xpass + $$error` -eq 0; then \
+ success=true; \
+ else \
+ success=false; \
+ fi; \
+ br='==================='; br=$$br$$br$$br$$br; \
+ result_count () \
+ { \
+ if test x"$$1" = x"--maybe-color"; then \
+ maybe_colorize=yes; \
+ elif test x"$$1" = x"--no-color"; then \
+ maybe_colorize=no; \
else \
- if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
- banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+ echo "$@: invalid 'result_count' usage" >&2; exit 4; \
fi; \
- fi; \
- dashes="$$banner"; \
- skipped=""; \
- if test "$$skip" -ne 0; then \
- if test "$$skip" -eq 1; then \
- skipped="($$skip test was not run)"; \
+ shift; \
+ desc=$$1 count=$$2; \
+ if test $$maybe_colorize = yes && test $$count -gt 0; then \
+ color_start=$$3 color_end=$$std; \
else \
- skipped="($$skip tests were not run)"; \
+ color_start= color_end=; \
fi; \
- test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
- dashes="$$skipped"; \
- fi; \
- report=""; \
- if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
- report="Please report to $(PACKAGE_BUGREPORT)"; \
- test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
- dashes="$$report"; \
- fi; \
- dashes=`echo "$$dashes" | sed s/./=/g`; \
- if test "$$failed" -eq 0; then \
- echo "$$grn$$dashes"; \
- else \
- echo "$$red$$dashes"; \
- fi; \
- echo "$$banner"; \
- test -z "$$skipped" || echo "$$skipped"; \
- test -z "$$report" || echo "$$report"; \
- echo "$$dashes$$std"; \
- test "$$failed" -eq 0; \
- else :; fi
+ echo "$${color_start}# $$desc $$count$${color_end}"; \
+ }; \
+ create_testsuite_report () \
+ { \
+ result_count $$1 "TOTAL:" $$all "$$brg"; \
+ result_count $$1 "PASS: " $$pass "$$grn"; \
+ result_count $$1 "SKIP: " $$skip "$$blu"; \
+ result_count $$1 "XFAIL:" $$xfail "$$lgn"; \
+ result_count $$1 "FAIL: " $$fail "$$red"; \
+ result_count $$1 "XPASS:" $$xpass "$$red"; \
+ result_count $$1 "ERROR:" $$error "$$mgn"; \
+ }; \
+ { \
+ echo "$(PACKAGE_STRING): $(subdir)/$(TEST_SUITE_LOG)" | \
+ $(am__rst_title); \
+ create_testsuite_report --no-color; \
+ echo; \
+ echo ".. contents:: :depth: 2"; \
+ echo; \
+ for b in $$bases; do echo $$b; done \
+ | $(am__create_global_log); \
+ } >$(TEST_SUITE_LOG).tmp || exit 1; \
+ mv $(TEST_SUITE_LOG).tmp $(TEST_SUITE_LOG); \
+ if $$success; then \
+ col="$$grn"; \
+ else \
+ col="$$red"; \
+ test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \
+ fi; \
+ echo "$${col}$$br$${std}"; \
+ echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \
+ echo "$${col}$$br$${std}"; \
+ create_testsuite_report --maybe-color; \
+ echo "$$col$$br$$std"; \
+ if $$success; then :; else \
+ echo "$${col}See $(subdir)/$(TEST_SUITE_LOG)$${std}"; \
+ if test -n "$(PACKAGE_BUGREPORT)"; then \
+ echo "$${col}Please report to $(PACKAGE_BUGREPORT)$${std}"; \
+ fi; \
+ echo "$$col$$br$$std"; \
+ fi; \
+ $$success || exit 1
+
+check-TESTS:
+ @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list
+ @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list
+ @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
+ @set +e; $(am__set_TESTS_bases); \
+ log_list=`for i in $$bases; do echo $$i.log; done`; \
+ trs_list=`for i in $$bases; do echo $$i.trs; done`; \
+ log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \
+ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \
+ exit $$?;
+recheck: all $(check_PROGRAMS) $(check_SCRIPTS)
+ @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
+ @set +e; $(am__set_TESTS_bases); \
+ bases=`for i in $$bases; do echo $$i; done \
+ | $(am__list_recheck_tests)` || exit 1; \
+ log_list=`for i in $$bases; do echo $$i.log; done`; \
+ log_list=`echo $$log_list`; \
+ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) \
+ am__force_recheck=am--force-recheck \
+ TEST_LOGS="$$log_list"; \
+ exit $$?
+test_ca.log: test_ca
+ @p='test_ca'; \
+ b='test_ca'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_cert.log: test_cert
+ @p='test_cert'; \
+ b='test_cert'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_chain.log: test_chain
+ @p='test_chain'; \
+ b='test_chain'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_cms.log: test_cms
+ @p='test_cms'; \
+ b='test_cms'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_crypto.log: test_crypto
+ @p='test_crypto'; \
+ b='test_crypto'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_nist.log: test_nist
+ @p='test_nist'; \
+ b='test_nist'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_nist2.log: test_nist2
+ @p='test_nist2'; \
+ b='test_nist2'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_pkcs11.log: test_pkcs11
+ @p='test_pkcs11'; \
+ b='test_pkcs11'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_java_pkcs11.log: test_java_pkcs11
+ @p='test_java_pkcs11'; \
+ b='test_java_pkcs11'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_nist_cert.log: test_nist_cert
+ @p='test_nist_cert'; \
+ b='test_nist_cert'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_nist_pkcs12.log: test_nist_pkcs12
+ @p='test_nist_pkcs12'; \
+ b='test_nist_pkcs12'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_req.log: test_req
+ @p='test_req'; \
+ b='test_req'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_windows.log: test_windows
+ @p='test_windows'; \
+ b='test_windows'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_query.log: test_query
+ @p='test_query'; \
+ b='test_query'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_name.log: test_name$(EXEEXT)
+ @p='test_name$(EXEEXT)'; \
+ b='test_name'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_expr.log: test_expr$(EXEEXT)
+ @p='test_expr$(EXEEXT)'; \
+ b='test_expr'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+.test.log:
+ @p='$<'; \
+ $(am__set_b); \
+ $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+@am__EXEEXT_TRUE@.test$(EXEEXT).log:
+@am__EXEEXT_TRUE@ @p='$<'; \
+@am__EXEEXT_TRUE@ $(am__set_b); \
+@am__EXEEXT_TRUE@ $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
+@am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \
+@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
+@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT)
distdir: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
@@ -1629,11 +1722,19 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
+ -test -z "$(TEST_LOGS)" || rm -f $(TEST_LOGS)
+ -test -z "$(TEST_LOGS:.log=.trs)" || rm -f $(TEST_LOGS:.log=.trs)
+ -test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
@@ -1680,9 +1781,9 @@ install-dvi: install-dvi-am
install-dvi-am:
-install-exec-am: install-binPROGRAMS install-libLTLIBRARIES
- @$(NORMAL_INSTALL)
- $(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec-am: install-binPROGRAMS install-exec-local \
+ install-libLTLIBRARIES
+
install-html: install-html-am
install-html-am:
@@ -1726,17 +1827,18 @@ uninstall-am: uninstall-binPROGRAMS uninstall-dist_includeHEADERS \
@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
.MAKE: all check check-am install install-am install-data-am \
- install-exec-am install-strip uninstall-am
+ install-strip uninstall-am
-.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \
- check-local clean clean-binPROGRAMS clean-checkPROGRAMS \
- clean-generic clean-libLTLIBRARIES clean-libtool clean-local \
- ctags dist-hook distclean distclean-compile distclean-generic \
+.PHONY: CTAGS GTAGS TAGS all all-am all-local check check-TESTS \
+ check-am check-local clean clean-binPROGRAMS \
+ clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \
+ clean-libtool clean-local cscopelist-am ctags ctags-am \
+ dist-hook distclean distclean-compile distclean-generic \
distclean-libtool distclean-tags distdir dvi dvi-am html \
html-am info info-am install install-am install-binPROGRAMS \
install-data install-data-am install-data-hook \
install-dist_includeHEADERS install-dvi install-dvi-am \
- install-exec install-exec-am install-exec-hook install-html \
+ install-exec install-exec-am install-exec-local install-html \
install-html-am install-info install-info-am \
install-libLTLIBRARIES install-man \
install-nodist_includeHEADERS install-pdf install-pdf-am \
@@ -1744,25 +1846,40 @@ uninstall-am: uninstall-binPROGRAMS uninstall-dist_includeHEADERS \
installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-compile \
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
- tags uninstall uninstall-am uninstall-binPROGRAMS \
- uninstall-dist_includeHEADERS uninstall-hook \
- uninstall-libLTLIBRARIES uninstall-nodist_includeHEADERS
+ recheck tags tags-am uninstall uninstall-am \
+ uninstall-binPROGRAMS uninstall-dist_includeHEADERS \
+ uninstall-hook uninstall-libLTLIBRARIES \
+ uninstall-nodist_includeHEADERS
+
+.PRECIOUS: Makefile
install-suid-programs:
@foo='$(bin_SUIDS)'; \
for file in $$foo; do \
- x=$(DESTDIR)$(bindir)/$$file; \
- if chown 0:0 $$x && chmod u+s $$x; then :; else \
- echo "*"; \
- echo "* Failed to install $$x setuid root"; \
- echo "*"; \
- fi; done
+ x=$(DESTDIR)$(bindir)/$$file; \
+ if chown 0:0 $$x && chmod u+s $$x; then :; else \
+ echo "*"; \
+ echo "* Failed to install $$x setuid root"; \
+ echo "*"; \
+ fi; \
+ done
+
+install-exec-local: install-suid-programs
-install-exec-hook: install-suid-programs
+codesign-all:
+ @if [ X"$$CODE_SIGN_IDENTITY" != X ] ; then \
+ foo='$(bin_PROGRAMS) $(sbin_PROGRAMS) $(libexec_PROGRAMS)' ; \
+ for file in $$foo ; do \
+ echo "CODESIGN $$file" ; \
+ codesign -f -s "$$CODE_SIGN_IDENTITY" $$file || exit 1 ; \
+ done ; \
+ fi
-install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
- @foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+all-local: codesign-all
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS) $(noinst_HEADERS)
+ @foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(noinst_HEADERS)'; \
for f in $$foo; do \
f=`basename $$f`; \
if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -1770,7 +1887,7 @@ install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_incl
if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \
: ; else \
echo " $(CP) $$file $(buildinclude)/$$f"; \
- $(CP) $$file $(buildinclude)/$$f; \
+ $(CP) $$file $(buildinclude)/$$f || true; \
fi ; \
done ; \
foo='$(nobase_include_HEADERS)'; \
@@ -1827,6 +1944,8 @@ check-local::
$(NROFF_MAN) $< > $@
.5.cat5:
$(NROFF_MAN) $< > $@
+.7.cat7:
+ $(NROFF_MAN) $< > $@
.8.cat8:
$(NROFF_MAN) $< > $@
@@ -1869,6 +1988,19 @@ dist-cat5-mans:
$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
done
+dist-cat7-mans:
+ @foo='$(man7_MANS)'; \
+ bar='$(man_MANS)'; \
+ for i in $$bar; do \
+ case $$i in \
+ *.7) foo="$$foo $$i";; \
+ esac; done ;\
+ for i in $$foo; do \
+ x=`echo $$i | sed 's/\.[^.]*$$/.cat7/'`; \
+ echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+ $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+ done
+
dist-cat8-mans:
@foo='$(man8_MANS)'; \
bar='$(man_MANS)'; \
@@ -1882,13 +2014,13 @@ dist-cat8-mans:
$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
done
-dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat7-mans dist-cat8-mans
install-cat-mans:
- $(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+ $(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS)
uninstall-cat-mans:
- $(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+ $(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS)
install-data-hook: install-cat-mans
uninstall-hook: uninstall-cat-mans
@@ -1927,99 +2059,101 @@ $(gen_files_pkcs10) pkcs10_asn1.hx pkcs10_asn1-priv.hx: pkcs10_asn1_files
$(gen_files_crmf) crmf_asn1.hx crmf_asn1-priv.hx: crmf_asn1_files
ocsp_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/ocsp.asn1 $(srcdir)/ocsp.opt
- $(ASN1_COMPILE) --option-file=$(srcdir)/ocsp.opt $(srcdir)/ocsp.asn1 ocsp_asn1 || (rm -f ocsp_asn1_files ; exit 1)
+ $(heim_verbose)$(ASN1_COMPILE) --option-file=$(srcdir)/ocsp.opt $(srcdir)/ocsp.asn1 ocsp_asn1 || (rm -f ocsp_asn1_files ; exit 1)
pkcs10_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/pkcs10.asn1 $(srcdir)/pkcs10.opt
- $(ASN1_COMPILE) --option-file=$(srcdir)/pkcs10.opt $(srcdir)/pkcs10.asn1 pkcs10_asn1 || (rm -f pkcs10_asn1_files ; exit 1)
+ $(heim_verbose)$(ASN1_COMPILE) --option-file=$(srcdir)/pkcs10.opt $(srcdir)/pkcs10.asn1 pkcs10_asn1 || (rm -f pkcs10_asn1_files ; exit 1)
crmf_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/crmf.asn1
- $(ASN1_COMPILE) $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
+ $(heim_verbose)$(ASN1_COMPILE) $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
+
+$(ALL_OBJECTS): $(HX509_PROTOS)
-$(libhx509_la_OBJECTS): $(srcdir)/hx509-protos.h $(srcdir)/hx509-private.h $(srcdir)/hx_locl.h
+$(libhx509_la_OBJECTS): $(srcdir)/hx_locl.h
$(libhx509_la_OBJECTS): ocsp_asn1.h pkcs10_asn1.h
-$(srcdir)/hx509-protos.h:
- cd $(srcdir) && perl ../../cf/make-proto.pl -R '^(_|^C)' -E HX509_LIB -q -P comment -o hx509-protos.h $(dist_libhx509_la_SOURCES) || rm -f hx509-protos.h
+$(srcdir)/hx509-protos.h: $(dist_libhx509_la_SOURCES)
+ $(heim_verbose)cd $(srcdir) && perl ../../cf/make-proto.pl -R '^(_|^C)' -E HX509_LIB -q -P comment -o hx509-protos.h $(dist_libhx509_la_SOURCES) || rm -f hx509-protos.h
-$(srcdir)/hx509-private.h:
- cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p hx509-private.h $(dist_libhx509_la_SOURCES) || rm -f hx509-private.h
+$(srcdir)/hx509-private.h: $(dist_libhx509_la_SOURCES)
+ $(heim_verbose)cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p hx509-private.h $(dist_libhx509_la_SOURCES) || rm -f hx509-private.h
hxtool-commands.c hxtool-commands.h: hxtool-commands.in $(SLC)
- $(SLC) $(srcdir)/hxtool-commands.in
+ $(heim_verbose)$(SLC) $(srcdir)/hxtool-commands.in
-$(hxtool_OBJECTS): hxtool-commands.h
+$(hxtool_OBJECTS): hxtool-commands.h hx509_err.h
clean-local:
@echo "cleaning PKITS" ; rm -rf PKITS_data
test_ca: test_ca.in Makefile
$(do_subst) < $(srcdir)/test_ca.in > test_ca.tmp
- chmod +x test_ca.tmp
+ $(heim_verbose)chmod +x test_ca.tmp
mv test_ca.tmp test_ca
test_cert: test_cert.in Makefile
$(do_subst) < $(srcdir)/test_cert.in > test_cert.tmp
- chmod +x test_cert.tmp
+ $(heim_verbose)chmod +x test_cert.tmp
mv test_cert.tmp test_cert
test_chain: test_chain.in Makefile
$(do_subst) < $(srcdir)/test_chain.in > test_chain.tmp
- chmod +x test_chain.tmp
+ $(heim_verbose)chmod +x test_chain.tmp
mv test_chain.tmp test_chain
test_cms: test_cms.in Makefile
$(do_subst) < $(srcdir)/test_cms.in > test_cms.tmp
- chmod +x test_cms.tmp
+ $(heim_verbose)chmod +x test_cms.tmp
mv test_cms.tmp test_cms
test_crypto: test_crypto.in Makefile
$(do_subst) < $(srcdir)/test_crypto.in > test_crypto.tmp
- chmod +x test_crypto.tmp
+ $(heim_verbose)chmod +x test_crypto.tmp
mv test_crypto.tmp test_crypto
test_nist: test_nist.in Makefile
$(do_subst) < $(srcdir)/test_nist.in > test_nist.tmp
- chmod +x test_nist.tmp
+ $(heim_verbose)chmod +x test_nist.tmp
mv test_nist.tmp test_nist
test_nist2: test_nist2.in Makefile
$(do_subst) < $(srcdir)/test_nist2.in > test_nist2.tmp
- chmod +x test_nist2.tmp
+ $(heim_verbose)chmod +x test_nist2.tmp
mv test_nist2.tmp test_nist2
test_pkcs11: test_pkcs11.in Makefile
$(do_subst) < $(srcdir)/test_pkcs11.in > test_pkcs11.tmp
- chmod +x test_pkcs11.tmp
+ $(heim_verbose)chmod +x test_pkcs11.tmp
mv test_pkcs11.tmp test_pkcs11
test_java_pkcs11: test_java_pkcs11.in Makefile
$(do_subst) < $(srcdir)/test_java_pkcs11.in > test_java_pkcs11.tmp
- chmod +x test_java_pkcs11.tmp
+ $(heim_verbose)chmod +x test_java_pkcs11.tmp
mv test_java_pkcs11.tmp test_java_pkcs11
test_nist_cert: test_nist_cert.in Makefile
$(do_subst) < $(srcdir)/test_nist_cert.in > test_nist_cert.tmp
- chmod +x test_nist_cert.tmp
+ $(heim_verbose)chmod +x test_nist_cert.tmp
mv test_nist_cert.tmp test_nist_cert
test_nist_pkcs12: test_nist_pkcs12.in Makefile
$(do_subst) < $(srcdir)/test_nist_pkcs12.in > test_nist_pkcs12.tmp
- chmod +x test_nist_pkcs12.tmp
+ $(heim_verbose)chmod +x test_nist_pkcs12.tmp
mv test_nist_pkcs12.tmp test_nist_pkcs12
test_req: test_req.in Makefile
$(do_subst) < $(srcdir)/test_req.in > test_req.tmp
- chmod +x test_req.tmp
+ $(heim_verbose)chmod +x test_req.tmp
mv test_req.tmp test_req
test_windows: test_windows.in Makefile
$(do_subst) < $(srcdir)/test_windows.in > test_windows.tmp
- chmod +x test_windows.tmp
+ $(heim_verbose)chmod +x test_windows.tmp
mv test_windows.tmp test_windows
test_query: test_query.in Makefile
$(do_subst) < $(srcdir)/test_query.in > test_query.tmp
- chmod +x test_query.tmp
+ $(heim_verbose)chmod +x test_query.tmp
mv test_query.tmp test_query
# Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/lib/hx509/NTMakefile b/lib/hx509/NTMakefile
index 99116d76ed26..ee1bb69d09d6 100644
--- a/lib/hx509/NTMakefile
+++ b/lib/hx509/NTMakefile
@@ -1,6 +1,6 @@
########################################################################
#
-# Copyright (c) 2009, Secure Endpoints Inc.
+# Copyright (c) 2009-2017, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
@@ -30,7 +30,7 @@
#
RELDIR=lib\hx509
-intcflags=-I$(SRCDIR)\ref -I$(OBJ)
+intcflags=-I$(OBJ)
localcflags=-DASN1_LIB
!include ../../windows/NTMakefile.w32
@@ -47,6 +47,7 @@ libhx509_la_OBJS = \
$(OBJ)\cms.obj \
$(OBJ)\collector.obj \
$(OBJ)\crypto.obj \
+ $(OBJ)\crypto-ec.obj \
$(OBJ)\error.obj \
$(OBJ)\env.obj \
$(OBJ)\file.obj \
@@ -81,6 +82,7 @@ dist_libhx509_la_SOURCES = \
$(SRCDIR)\cms.c \
$(SRCDIR)\collector.c \
$(SRCDIR)\crypto.c \
+ $(SRCDIR)\crypto-ec.c \
$(SRCDIR)\doxygen.c \
$(SRCDIR)\error.c \
$(SRCDIR)\env.c \
@@ -162,7 +164,7 @@ $(OBJ)\hxtool-commands.c $(OBJ)\hxtool-commands.h: hxtool-commands.in $(SLC)
cd $(SRCDIR)
$(BINDIR)\hxtool.exe: $(OBJ)\tool\hxtool.obj $(OBJ)\tool\hxtool-commands.obj $(LIBHEIMDAL) $(OBJ)\hxtool-version.res
- $(EXECONLINK) $(LIBHEIMDAL) $(LIBROKEN) $(LIBSL) $(LIBVERS) $(LIBCOMERR)
+ $(EXECONLINK) $(LIBHEIMDAL) $(LIBROKEN) $(LIBSL) $(LIBVERS) $(LIBCOMERR) $(LIB_openssl_crypto)
$(EXEPREP)
$(OBJ)\hx509-protos.h:
@@ -190,7 +192,7 @@ $(OBJ)\sel-gram.c: sel-gram.y
$(YACC) -o $@ --defines=$(OBJ)\sel-gram.h sel-gram.y
$(OBJ)\sel-lex.c: sel-lex.l
- $(LEX) -o$@ sel-lex.l
+ $(LEX) -P_hx509_sel_yy -o$@ sel-lex.l
all:: $(INCFILES) $(LIBHX509)
diff --git a/lib/hx509/ca.c b/lib/hx509/ca.c
index cb5a7be62cc3..418a404b4aa9 100644
--- a/lib/hx509/ca.c
+++ b/lib/hx509/ca.c
@@ -61,7 +61,7 @@ struct hx509_ca_tbs {
CRLDistributionPoints crldp;
heim_bit_string subjectUniqueID;
heim_bit_string issuerUniqueID;
-
+ AlgorithmIdentifier *sigalg;
};
/**
@@ -109,6 +109,10 @@ hx509_ca_tbs_free(hx509_ca_tbs *tbs)
der_free_bit_string(&(*tbs)->subjectUniqueID);
der_free_bit_string(&(*tbs)->issuerUniqueID);
hx509_name_free(&(*tbs)->subject);
+ if ((*tbs)->sigalg) {
+ free_AlgorithmIdentifier((*tbs)->sigalg);
+ free((*tbs)->sigalg);
+ }
memset(*tbs, 0, sizeof(**tbs));
free(*tbs);
@@ -888,7 +892,7 @@ hx509_ca_tbs_set_unique(hx509_context context,
*
* @param context A hx509 context.
* @param tbs object to be signed.
- * @param env enviroment variable to expand variables in the subject
+ * @param env environment variable to expand variables in the subject
* name, see hx509_env_init().
*
* @return An hx509 error code, see hx509_get_error_string().
@@ -904,6 +908,39 @@ hx509_ca_tbs_subject_expand(hx509_context context,
return hx509_name_expand(context, tbs->subject, env);
}
+/**
+ * Set signature algorithm on the to be signed certificate
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param sigalg signature algorithm to use
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_set_signature_algorithm(hx509_context context,
+ hx509_ca_tbs tbs,
+ const AlgorithmIdentifier *sigalg)
+{
+ int ret;
+
+ tbs->sigalg = calloc(1, sizeof(*tbs->sigalg));
+ if (tbs->sigalg == NULL) {
+ hx509_set_error_string(context, 0, ENOMEM, "Out of memory");
+ return ENOMEM;
+ }
+ ret = copy_AlgorithmIdentifier(sigalg, tbs->sigalg);
+ if (ret) {
+ free(tbs->sigalg);
+ tbs->sigalg = NULL;
+ return ret;
+ }
+ return 0;
+}
+
/*
*
*/
@@ -965,8 +1002,8 @@ build_proxy_prefix(hx509_context context, const Name *issuer, Name *subject)
}
t = time(NULL);
- asprintf(&tstr, "ts-%lu", (unsigned long)t);
- if (tstr == NULL) {
+ ret = asprintf(&tstr, "ts-%lu", (unsigned long)t);
+ if (ret == -1 || tstr == NULL) {
hx509_set_error_string(context, 0, ENOMEM,
"Failed to copy subject name");
return ENOMEM;
@@ -987,6 +1024,7 @@ ca_sign(hx509_context context,
const Name *issuername,
hx509_cert *certificate)
{
+ heim_error_t error = NULL;
heim_octet_string data;
Certificate c;
TBSCertificate *tbsc;
@@ -997,7 +1035,9 @@ ca_sign(hx509_context context,
time_t notAfter;
unsigned key_usage;
- sigalg = _hx509_crypto_default_sig_alg;
+ sigalg = tbs->sigalg;
+ if (sigalg == NULL)
+ sigalg = _hx509_crypto_default_sig_alg;
memset(&c, 0, sizeof(c));
@@ -1086,6 +1126,12 @@ ca_sign(hx509_context context,
goto out;
}
} else {
+ /*
+ * If no explicit serial number is specified, 20 random bytes should be
+ * sufficiently collision resistant. Since the serial number must be a
+ * positive integer, ensure minimal ASN.1 DER form by forcing the high
+ * bit off and the next bit on (thus avoiding an all zero first octet).
+ */
tbsc->serialNumber.length = 20;
tbsc->serialNumber.data = malloc(tbsc->serialNumber.length);
if (tbsc->serialNumber.data == NULL){
@@ -1093,9 +1139,9 @@ ca_sign(hx509_context context,
hx509_set_error_string(context, 0, ret, "Out of memory");
goto out;
}
- /* XXX diffrent */
RAND_bytes(tbsc->serialNumber.data, tbsc->serialNumber.length);
((unsigned char *)tbsc->serialNumber.data)[0] &= 0x7f;
+ ((unsigned char *)tbsc->serialNumber.data)[0] |= 0x40;
}
/* signature AlgorithmIdentifier, */
ret = copy_AlgorithmIdentifier(sigalg, &tbsc->signature);
@@ -1408,9 +1454,12 @@ ca_sign(hx509_context context,
if (ret)
goto out;
- ret = hx509_cert_init(context, &c, certificate);
- if (ret)
+ *certificate = hx509_cert_init(context, &c, &error);
+ if (*certificate == NULL) {
+ ret = heim_error_get_code(error);
+ heim_release(error);
goto out;
+ }
free_Certificate(&c);
diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 70e575603779..dd6d38917499 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -93,6 +93,14 @@ typedef struct hx509_name_constraints {
#define GeneralSubtrees_SET(g,var) \
(g)->len = (var)->len, (g)->val = (var)->val;
+static void
+init_context_once(void *ignored)
+{
+
+ ENGINE_add_conf_module();
+ OpenSSL_add_all_algorithms();
+}
+
/**
* Creates a hx509 context that most functions in the library
* uses. The context is only allowed to be used by one thread at each
@@ -108,10 +116,14 @@ typedef struct hx509_name_constraints {
int
hx509_context_init(hx509_context *context)
{
+ static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
+
*context = calloc(1, sizeof(**context));
if (*context == NULL)
return ENOMEM;
+ heim_base_once_f(&init_context, NULL, init_context_once);
+
_hx509_ks_null_register(*context);
_hx509_ks_mem_register(*context);
_hx509_ks_file_register(*context);
@@ -120,9 +132,6 @@ hx509_context_init(hx509_context *context)
_hx509_ks_dir_register(*context);
_hx509_ks_keychain_register(*context);
- ENGINE_add_conf_module();
- OpenSSL_add_all_algorithms();
-
(*context)->ocsp_time_diff = HX509_DEFAULT_OCSP_TIME_DIFF;
initialize_hx_error_table_r(&(*context)->et_list);
@@ -209,42 +218,48 @@ _hx509_cert_get_version(const Certificate *t)
*
* @param context A hx509 context.
* @param c
- * @param cert
+ * @param error
*
- * @return Returns an hx509 error code.
+ * @return Returns an hx509 certificate
*
* @ingroup hx509_cert
*/
-int
-hx509_cert_init(hx509_context context, const Certificate *c, hx509_cert *cert)
+hx509_cert
+hx509_cert_init(hx509_context context, const Certificate *c, heim_error_t *error)
{
+ hx509_cert cert;
int ret;
- *cert = malloc(sizeof(**cert));
- if (*cert == NULL)
- return ENOMEM;
- (*cert)->ref = 1;
- (*cert)->friendlyname = NULL;
- (*cert)->attrs.len = 0;
- (*cert)->attrs.val = NULL;
- (*cert)->private_key = NULL;
- (*cert)->basename = NULL;
- (*cert)->release = NULL;
- (*cert)->ctx = NULL;
-
- (*cert)->data = calloc(1, sizeof(*(*cert)->data));
- if ((*cert)->data == NULL) {
- free(*cert);
- return ENOMEM;
+ cert = malloc(sizeof(*cert));
+ if (cert == NULL) {
+ if (error)
+ *error = heim_error_create_enomem();
+ return NULL;
+ }
+ cert->ref = 1;
+ cert->friendlyname = NULL;
+ cert->attrs.len = 0;
+ cert->attrs.val = NULL;
+ cert->private_key = NULL;
+ cert->basename = NULL;
+ cert->release = NULL;
+ cert->ctx = NULL;
+
+ cert->data = calloc(1, sizeof(*(cert->data)));
+ if (cert->data == NULL) {
+ free(cert);
+ if (error)
+ *error = heim_error_create_enomem();
+ return NULL;
}
- ret = copy_Certificate(c, (*cert)->data);
+ ret = copy_Certificate(c, cert->data);
if (ret) {
- free((*cert)->data);
- free(*cert);
- *cert = NULL;
+ free(cert->data);
+ free(cert);
+ cert = NULL;
}
- return ret;
+ return cert;
}
/**
@@ -259,39 +274,41 @@ hx509_cert_init(hx509_context context, const Certificate *c, hx509_cert *cert)
* @param context A hx509 context.
* @param ptr pointer to memory region containing encoded certificate.
* @param len length of memory region.
- * @param cert a return pointer to a hx509 certificate object, will
- * contain NULL on error.
+ * @param error possibly returns an error
*
- * @return An hx509 error code, see hx509_get_error_string().
+ * @return An hx509 certificate
*
* @ingroup hx509_cert
*/
-int
+hx509_cert
hx509_cert_init_data(hx509_context context,
const void *ptr,
size_t len,
- hx509_cert *cert)
+ heim_error_t *error)
{
+ hx509_cert cert;
Certificate t;
size_t size;
int ret;
ret = decode_Certificate(ptr, len, &t, &size);
if (ret) {
- hx509_set_error_string(context, 0, ret, "Failed to decode certificate");
- return ret;
+ if (error)
+ *error = heim_error_create(ret, "Failed to decode certificate");
+ return NULL;
}
if (size != len) {
free_Certificate(&t);
- hx509_set_error_string(context, 0, HX509_EXTRA_DATA_AFTER_STRUCTURE,
- "Extra data after certificate");
- return HX509_EXTRA_DATA_AFTER_STRUCTURE;
+ if (error)
+ *error = heim_error_create(HX509_EXTRA_DATA_AFTER_STRUCTURE,
+ "Extra data after certificate");
+ return NULL;
}
- ret = hx509_cert_init(context, &t, cert);
+ cert = hx509_cert_init(context, &t, error);
free_Certificate(&t);
- return ret;
+ return cert;
}
void
@@ -827,7 +844,8 @@ check_key_usage(hx509_context context, const Certificate *cert,
_hx509_unparse_Name(&cert->tbsCertificate.subject, &name);
hx509_set_error_string(context, 0, HX509_KU_CERT_MISSING,
"Key usage %s required but missing "
- "from certifiate %s", buf, name);
+ "from certifiate %s", buf,
+ name ? name : "<unknown>");
free(name);
return HX509_KU_CERT_MISSING;
}
@@ -970,7 +988,7 @@ _hx509_cert_is_parent_cmp(const Certificate *subject,
if (ai.authorityCertIssuer->val[0].element != choice_GeneralName_directoryName)
return -1;
- name.element =
+ name.element = (enum Name_enum)
ai.authorityCertIssuer->val[0].u.directoryName.element;
name.u.rdnSequence =
ai.authorityCertIssuer->val[0].u.directoryName.u.rdnSequence;
@@ -1803,12 +1821,12 @@ match_general_name(const GeneralName *c, const GeneralName *n, int *match)
c_name._save.data = NULL;
c_name._save.length = 0;
- c_name.element = c->u.directoryName.element;
+ c_name.element = (enum Name_enum)c->u.directoryName.element;
c_name.u.rdnSequence = c->u.directoryName.u.rdnSequence;
n_name._save.data = NULL;
n_name._save.length = 0;
- n_name.element = n->u.directoryName.element;
+ n_name.element = (enum Name_enum)n->u.directoryName.element;
n_name.u.rdnSequence = n->u.directoryName.u.rdnSequence;
ret = match_X501Name(&c_name, &n_name);
@@ -1829,7 +1847,7 @@ match_alt_name(const GeneralName *n, const Certificate *c,
int *same, int *match)
{
GeneralNames sa;
- int ret;
+ int ret = 0;
size_t i, j;
i = 0;
@@ -1844,7 +1862,7 @@ match_alt_name(const GeneralName *n, const Certificate *c,
for (j = 0; j < sa.len; j++) {
if (n->element == sa.val[j].element) {
*same = 1;
- ret = match_general_name(n, &sa.val[j], match);
+ match_general_name(n, &sa.val[j], match);
}
}
free_GeneralNames(&sa);
@@ -1878,12 +1896,12 @@ match_tree(const GeneralSubtrees *t, const Certificate *c, int *match)
memset(&certname, 0, sizeof(certname));
certname.element = choice_GeneralName_directoryName;
- certname.u.directoryName.element =
+ certname.u.directoryName.element = (enum GeneralName_directoryName_enum)
c->tbsCertificate.subject.element;
certname.u.directoryName.u.rdnSequence =
c->tbsCertificate.subject.u.rdnSequence;
- ret = match_general_name(&t->val[i].base, &certname, &name);
+ match_general_name(&t->val[i].base, &certname, &name);
}
/* Handle subjectAltNames, this is icky since they
@@ -1891,7 +1909,7 @@ match_tree(const GeneralSubtrees *t, const Certificate *c, int *match)
* same type. So if there have been a match of type, require
* altname to be set.
*/
- ret = match_alt_name(&t->val[i].base, c, &same, &alt_name);
+ match_alt_name(&t->val[i].base, c, &same, &alt_name);
}
if (name && (!same || alt_name))
*match = 1;
@@ -1985,6 +2003,16 @@ hx509_verify_path(hx509_context context,
memset(&proxy_issuer, 0, sizeof(proxy_issuer));
+ if ((ctx->flags & HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE) == 0 &&
+ is_proxy_cert(context, cert->data, NULL) == 0)
+ {
+ ret = HX509_PROXY_CERT_INVALID;
+ hx509_set_error_string(context, 0, ret,
+ "Proxy certificate is not allowed as an EE "
+ "certificae if proxy certificate is disabled");
+ return ret;
+ }
+
ret = init_name_constraints(&nc);
if (ret)
return ret;
@@ -2353,20 +2381,12 @@ hx509_verify_path(hx509_context context,
goto out;
}
/*
- * Verify that the sigature algorithm "best-before" date is
- * before the creation date of the certificate, do this for
- * trust anchors too, since any trust anchor that is created
- * after a algorithm is known to be bad deserved to be invalid.
- *
- * Skip the leaf certificate for now...
+ * Verify that the sigature algorithm is not weak. Ignore
+ * trust anchors since they are provisioned by the user.
*/
- if (i != 0 && (ctx->flags & HX509_VERIFY_CTX_F_NO_BEST_BEFORE_CHECK) == 0) {
- time_t notBefore =
- _hx509_Time2time_t(&c->tbsCertificate.validity.notBefore);
- ret = _hx509_signature_best_before(context,
- &c->signatureAlgorithm,
- notBefore);
+ if (i + 1 != path.len && (ctx->flags & HX509_VERIFY_CTX_F_NO_BEST_BEFORE_CHECK) == 0) {
+ ret = _hx509_signature_is_weak(context, &c->signatureAlgorithm);
if (ret)
goto out;
}
@@ -3384,7 +3404,7 @@ hx509_cert_binary(hx509_context context, hx509_cert c, heim_octet_string *os)
void
_hx509_abort(const char *fmt, ...)
- __attribute__ ((noreturn, format (printf, 1, 2)))
+ __attribute__ ((__noreturn__, __format__ (__printf__, 1, 2)))
{
va_list ap;
va_start(ap, fmt);
@@ -3425,7 +3445,9 @@ _hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env)
*env = NULL;
/* version */
- asprintf(&buf, "%d", _hx509_cert_get_version(_hx509_get_cert(cert)));
+ ret = asprintf(&buf, "%d", _hx509_cert_get_version(_hx509_get_cert(cert)));
+ if (ret == -1)
+ goto out;
ret = hx509_env_add(context, &envcert, "version", buf);
free(buf);
if (ret)
diff --git a/lib/hx509/cms.c b/lib/hx509/cms.c
index 4e0a2e03fcb6..7aa159cbb2d6 100644
--- a/lib/hx509/cms.c
+++ b/lib/hx509/cms.c
@@ -209,7 +209,7 @@ unparse_CMSIdentifier(hx509_context context,
CMSIdentifier *id,
char **str)
{
- int ret;
+ int ret = -1;
*str = NULL;
switch (id->element) {
@@ -227,8 +227,8 @@ unparse_CMSIdentifier(hx509_context context,
free(name);
return ret;
}
- asprintf(str, "certificate issued by %s with serial number %s",
- name, serial);
+ ret = asprintf(str, "certificate issued by %s with serial number %s",
+ name, serial);
free(name);
free(serial);
break;
@@ -242,15 +242,19 @@ unparse_CMSIdentifier(hx509_context context,
if (len < 0)
return ENOMEM;
- asprintf(str, "certificate with id %s", keyid);
+ ret = asprintf(str, "certificate with id %s", keyid);
free(keyid);
break;
}
default:
- asprintf(str, "certificate have unknown CMSidentifier type");
+ ret = asprintf(str, "certificate have unknown CMSidentifier type");
break;
}
- if (*str == NULL)
+ /*
+ * In the following if, we check ret and *str which should be returned/set
+ * by asprintf(3) in every branch of the switch statement.
+ */
+ if (ret == -1 || *str == NULL)
return ENOMEM;
return 0;
}
@@ -340,6 +344,8 @@ find_CMSIdentifier(hx509_context context,
* @param contentType output type oid, should be freed with der_free_oid().
* @param content the data, free with der_free_octet_string().
*
+ * @return an hx509 error code.
+ *
* @ingroup hx509_cms
*/
@@ -544,6 +550,8 @@ out:
* @param content the output of the function,
* free with der_free_octet_string().
*
+ * @return an hx509 error code.
+ *
* @ingroup hx509_cms
*/
@@ -726,14 +734,18 @@ any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs)
return 0;
for (i = 0; i < sd->certificates->len; i++) {
+ heim_error_t error;
hx509_cert c;
- ret = hx509_cert_init_data(context,
- sd->certificates->val[i].data,
- sd->certificates->val[i].length,
- &c);
- if (ret)
+ c = hx509_cert_init_data(context,
+ sd->certificates->val[i].data,
+ sd->certificates->val[i].length,
+ &error);
+ if (c == NULL) {
+ ret = heim_error_get_code(error);
+ heim_release(error);
return ret;
+ }
ret = hx509_certs_add(context, certs, c);
hx509_cert_free(c);
if (ret)
@@ -772,6 +784,8 @@ find_attribute(const CMSAttributes *attr, const heim_oid *oid)
* @param signer_certs list of the cerficates used to sign this
* request, free with hx509_certs_free().
*
+ * @return an hx509 error code.
+ *
* @ingroup hx509_cms
*/
@@ -855,7 +869,7 @@ hx509_cms_verify_signed(hx509_context context,
}
for (found_valid_sig = 0, i = 0; i < sd.signerInfos.len; i++) {
- heim_octet_string signed_data;
+ heim_octet_string signed_data = { 0, 0 };
const heim_oid *match_oid;
heim_oid decode_oid;
@@ -1016,8 +1030,10 @@ hx509_cms_verify_signed(hx509_context context,
"Failed to verify signature in "
"CMS SignedData");
}
- if (signer_info->signedAttrs)
- free(signed_data.data);
+ if (signed_data.data != NULL && content->data != signed_data.data) {
+ free(signed_data.data);
+ signed_data.data = NULL;
+ }
if (ret)
goto next_sigature;
@@ -1137,6 +1153,8 @@ add_one_attribute(Attribute **attr,
* @param signed_data the output of the function, free with
* der_free_octet_string().
*
+ * @return Returns an hx509 error code.
+ *
* @ingroup hx509_cms
*/
diff --git a/lib/hx509/crypto-ec.c b/lib/hx509/crypto-ec.c
new file mode 100644
index 000000000000..4777171cae52
--- /dev/null
+++ b/lib/hx509/crypto-ec.c
@@ -0,0 +1,533 @@
+/*
+ * Copyright (c) 2016 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+#ifdef HAVE_HCRYPTO_W_OPENSSL
+#include <openssl/ec.h>
+#include <openssl/ecdsa.h>
+#include <openssl/rsa.h>
+#include <openssl/bn.h>
+#include <openssl/objects.h>
+#define HEIM_NO_CRYPTO_HDRS
+#endif /* HAVE_HCRYPTO_W_OPENSSL */
+
+#include "hx_locl.h"
+
+extern const AlgorithmIdentifier _hx509_signature_sha512_data;
+extern const AlgorithmIdentifier _hx509_signature_sha384_data;
+extern const AlgorithmIdentifier _hx509_signature_sha256_data;
+extern const AlgorithmIdentifier _hx509_signature_sha1_data;
+
+void
+_hx509_private_eckey_free(void *eckey)
+{
+#ifdef HAVE_HCRYPTO_W_OPENSSL
+ EC_KEY_free(eckey);
+#endif
+}
+
+#ifdef HAVE_HCRYPTO_W_OPENSSL
+static int
+heim_oid2ecnid(heim_oid *oid)
+{
+ /*
+ * Now map to openssl OID fun
+ */
+
+ if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP256R1) == 0)
+ return NID_X9_62_prime256v1;
+#ifdef NID_secp521r1
+ else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP521R1) == 0)
+ return NID_secp521r1;
+#endif
+#ifdef NID_secp384r1
+ else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP384R1) == 0)
+ return NID_secp384r1;
+#endif
+#ifdef NID_secp160r1
+ else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R1) == 0)
+ return NID_secp160r1;
+#endif
+#ifdef NID_secp160r2
+ else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R2) == 0)
+ return NID_secp160r2;
+#endif
+
+ return NID_undef;
+}
+
+static int
+parse_ECParameters(hx509_context context,
+ heim_octet_string *parameters, int *nid)
+{
+ ECParameters ecparam;
+ size_t size;
+ int ret;
+
+ if (parameters == NULL) {
+ ret = HX509_PARSING_KEY_FAILED;
+ hx509_set_error_string(context, 0, ret,
+ "EC parameters missing");
+ return ret;
+ }
+
+ ret = decode_ECParameters(parameters->data, parameters->length,
+ &ecparam, &size);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret,
+ "Failed to decode EC parameters");
+ return ret;
+ }
+
+ if (ecparam.element != choice_ECParameters_namedCurve) {
+ free_ECParameters(&ecparam);
+ hx509_set_error_string(context, 0, ret,
+ "EC parameters is not a named curve");
+ return HX509_CRYPTO_SIG_INVALID_FORMAT;
+ }
+
+ *nid = heim_oid2ecnid(&ecparam.u.namedCurve);
+ free_ECParameters(&ecparam);
+ if (*nid == NID_undef) {
+ hx509_set_error_string(context, 0, ret,
+ "Failed to find matcing NID for EC curve");
+ return HX509_CRYPTO_SIG_INVALID_FORMAT;
+ }
+ return 0;
+}
+
+
+/*
+ *
+ */
+
+static int
+ecdsa_verify_signature(hx509_context context,
+ const struct signature_alg *sig_alg,
+ const Certificate *signer,
+ const AlgorithmIdentifier *alg,
+ const heim_octet_string *data,
+ const heim_octet_string *sig)
+{
+ const AlgorithmIdentifier *digest_alg;
+ const SubjectPublicKeyInfo *spi;
+ heim_octet_string digest;
+ int ret;
+ EC_KEY *key = NULL;
+ int groupnid;
+ EC_GROUP *group;
+ const unsigned char *p;
+ long len;
+
+ digest_alg = sig_alg->digest_alg;
+
+ ret = _hx509_create_signature(context,
+ NULL,
+ digest_alg,
+ data,
+ NULL,
+ &digest);
+ if (ret)
+ return ret;
+
+ /* set up EC KEY */
+ spi = &signer->tbsCertificate.subjectPublicKeyInfo;
+
+ if (der_heim_oid_cmp(&spi->algorithm.algorithm, ASN1_OID_ID_ECPUBLICKEY) != 0)
+ return HX509_CRYPTO_SIG_INVALID_FORMAT;
+
+ /*
+ * Find the group id
+ */
+
+ ret = parse_ECParameters(context, spi->algorithm.parameters, &groupnid);
+ if (ret) {
+ der_free_octet_string(&digest);
+ return ret;
+ }
+
+ /*
+ * Create group, key, parse key
+ */
+
+ key = EC_KEY_new();
+ group = EC_GROUP_new_by_curve_name(groupnid);
+ EC_KEY_set_group(key, group);
+ EC_GROUP_free(group);
+
+ p = spi->subjectPublicKey.data;
+ len = spi->subjectPublicKey.length / 8;
+
+ if (o2i_ECPublicKey(&key, &p, len) == NULL) {
+ EC_KEY_free(key);
+ return HX509_CRYPTO_SIG_INVALID_FORMAT;
+ }
+
+ ret = ECDSA_verify(-1, digest.data, digest.length,
+ sig->data, sig->length, key);
+ der_free_octet_string(&digest);
+ EC_KEY_free(key);
+ if (ret != 1) {
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
+ return ret;
+ }
+
+ return 0;
+}
+
+static int
+ecdsa_create_signature(hx509_context context,
+ const struct signature_alg *sig_alg,
+ const hx509_private_key signer,
+ const AlgorithmIdentifier *alg,
+ const heim_octet_string *data,
+ AlgorithmIdentifier *signatureAlgorithm,
+ heim_octet_string *sig)
+{
+ const AlgorithmIdentifier *digest_alg;
+ heim_octet_string indata;
+ const heim_oid *sig_oid;
+ unsigned int siglen;
+ int ret;
+
+ if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) != 0)
+ _hx509_abort("internal error passing private key to wrong ops");
+
+ sig_oid = sig_alg->sig_oid;
+ digest_alg = sig_alg->digest_alg;
+
+ if (signatureAlgorithm) {
+ ret = _hx509_set_digest_alg(signatureAlgorithm, sig_oid,
+ "\x05\x00", 2);
+ if (ret) {
+ hx509_clear_error_string(context);
+ return ret;
+ }
+ }
+
+ ret = _hx509_create_signature(context,
+ NULL,
+ digest_alg,
+ data,
+ NULL,
+ &indata);
+ if (ret)
+ goto error;
+
+ sig->length = ECDSA_size(signer->private_key.ecdsa);
+ sig->data = malloc(sig->length);
+ if (sig->data == NULL) {
+ der_free_octet_string(&indata);
+ ret = ENOMEM;
+ hx509_set_error_string(context, 0, ret, "out of memory");
+ goto error;
+ }
+
+ siglen = sig->length;
+
+ ret = ECDSA_sign(-1, indata.data, indata.length,
+ sig->data, &siglen, signer->private_key.ecdsa);
+ der_free_octet_string(&indata);
+ if (ret != 1) {
+ ret = HX509_CMS_FAILED_CREATE_SIGATURE;
+ hx509_set_error_string(context, 0, ret,
+ "ECDSA sign failed: %d", ret);
+ goto error;
+ }
+ if (siglen > sig->length)
+ _hx509_abort("ECDSA signature prelen longer the output len");
+
+ sig->length = siglen;
+
+ return 0;
+ error:
+ if (signatureAlgorithm)
+ free_AlgorithmIdentifier(signatureAlgorithm);
+ return ret;
+}
+
+static int
+ecdsa_available(const hx509_private_key signer,
+ const AlgorithmIdentifier *sig_alg)
+{
+ const struct signature_alg *sig;
+ const EC_GROUP *group;
+ BN_CTX *bnctx = NULL;
+ BIGNUM *order = NULL;
+ int ret = 0;
+
+ if (der_heim_oid_cmp(signer->ops->key_oid, &asn1_oid_id_ecPublicKey) != 0)
+ _hx509_abort("internal error passing private key to wrong ops");
+
+ sig = _hx509_find_sig_alg(&sig_alg->algorithm);
+
+ if (sig == NULL || sig->digest_size == 0)
+ return 0;
+
+ group = EC_KEY_get0_group(signer->private_key.ecdsa);
+ if (group == NULL)
+ return 0;
+
+ bnctx = BN_CTX_new();
+ order = BN_new();
+ if (order == NULL)
+ goto err;
+
+ if (EC_GROUP_get_order(group, order, bnctx) != 1)
+ goto err;
+
+#if 0
+ /* If anything, require a digest at least as wide as the EC key size */
+ if (BN_num_bytes(order) > sig->digest_size)
+#endif
+ ret = 1;
+ err:
+ if (bnctx)
+ BN_CTX_free(bnctx);
+ if (order)
+ BN_clear_free(order);
+
+ return ret;
+}
+
+static int
+ecdsa_private_key2SPKI(hx509_context context,
+ hx509_private_key private_key,
+ SubjectPublicKeyInfo *spki)
+{
+ memset(spki, 0, sizeof(*spki));
+ return ENOMEM;
+}
+
+static int
+ecdsa_private_key_export(hx509_context context,
+ const hx509_private_key key,
+ hx509_key_format_t format,
+ heim_octet_string *data)
+{
+ return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
+}
+
+static int
+ecdsa_private_key_import(hx509_context context,
+ const AlgorithmIdentifier *keyai,
+ const void *data,
+ size_t len,
+ hx509_key_format_t format,
+ hx509_private_key private_key)
+{
+ const unsigned char *p = data;
+ EC_KEY **pkey = NULL;
+ EC_KEY *key;
+
+ if (keyai->parameters) {
+ EC_GROUP *group;
+ int groupnid;
+ int ret;
+
+ ret = parse_ECParameters(context, keyai->parameters, &groupnid);
+ if (ret)
+ return ret;
+
+ key = EC_KEY_new();
+ if (key == NULL)
+ return ENOMEM;
+
+ group = EC_GROUP_new_by_curve_name(groupnid);
+ if (group == NULL) {
+ EC_KEY_free(key);
+ return ENOMEM;
+ }
+ EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
+ if (EC_KEY_set_group(key, group) == 0) {
+ EC_KEY_free(key);
+ EC_GROUP_free(group);
+ return ENOMEM;
+ }
+ EC_GROUP_free(group);
+ pkey = &key;
+ }
+
+ switch (format) {
+ case HX509_KEY_FORMAT_DER:
+
+ private_key->private_key.ecdsa = d2i_ECPrivateKey(pkey, &p, len);
+ if (private_key->private_key.ecdsa == NULL) {
+ hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+ "Failed to parse EC private key");
+ return HX509_PARSING_KEY_FAILED;
+ }
+ private_key->signature_alg = ASN1_OID_ID_ECDSA_WITH_SHA256;
+ break;
+
+ default:
+ return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
+ }
+
+ return 0;
+}
+
+static int
+ecdsa_generate_private_key(hx509_context context,
+ struct hx509_generate_private_context *ctx,
+ hx509_private_key private_key)
+{
+ return ENOMEM;
+}
+
+static BIGNUM *
+ecdsa_get_internal(hx509_context context,
+ hx509_private_key key,
+ const char *type)
+{
+ return NULL;
+}
+
+static const unsigned ecPublicKey[] ={ 1, 2, 840, 10045, 2, 1 };
+const AlgorithmIdentifier _hx509_signature_ecPublicKey = {
+ { 6, rk_UNCONST(ecPublicKey) }, NULL
+};
+
+static const unsigned ecdsa_with_sha256_oid[] ={ 1, 2, 840, 10045, 4, 3, 2 };
+const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha256_data = {
+ { 7, rk_UNCONST(ecdsa_with_sha256_oid) }, NULL
+};
+
+static const unsigned ecdsa_with_sha384_oid[] ={ 1, 2, 840, 10045, 4, 3, 3 };
+const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha384_data = {
+ { 7, rk_UNCONST(ecdsa_with_sha384_oid) }, NULL
+};
+
+static const unsigned ecdsa_with_sha512_oid[] ={ 1, 2, 840, 10045, 4, 3, 4 };
+const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha512_data = {
+ { 7, rk_UNCONST(ecdsa_with_sha512_oid) }, NULL
+};
+
+static const unsigned ecdsa_with_sha1_oid[] ={ 1, 2, 840, 10045, 4, 1 };
+const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha1_data = {
+ { 6, rk_UNCONST(ecdsa_with_sha1_oid) }, NULL
+};
+
+hx509_private_key_ops ecdsa_private_key_ops = {
+ "EC PRIVATE KEY",
+ ASN1_OID_ID_ECPUBLICKEY,
+ ecdsa_available,
+ ecdsa_private_key2SPKI,
+ ecdsa_private_key_export,
+ ecdsa_private_key_import,
+ ecdsa_generate_private_key,
+ ecdsa_get_internal
+};
+
+const struct signature_alg ecdsa_with_sha512_alg = {
+ "ecdsa-with-sha512",
+ ASN1_OID_ID_ECDSA_WITH_SHA512,
+ &_hx509_signature_ecdsa_with_sha512_data,
+ ASN1_OID_ID_ECPUBLICKEY,
+ &_hx509_signature_sha512_data,
+ PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|
+ SIG_PUBLIC_SIG|SELF_SIGNED_OK,
+ 0,
+ NULL,
+ ecdsa_verify_signature,
+ ecdsa_create_signature,
+ 64
+};
+
+const struct signature_alg ecdsa_with_sha384_alg = {
+ "ecdsa-with-sha384",
+ ASN1_OID_ID_ECDSA_WITH_SHA384,
+ &_hx509_signature_ecdsa_with_sha384_data,
+ ASN1_OID_ID_ECPUBLICKEY,
+ &_hx509_signature_sha384_data,
+ PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|
+ SIG_PUBLIC_SIG|SELF_SIGNED_OK,
+ 0,
+ NULL,
+ ecdsa_verify_signature,
+ ecdsa_create_signature,
+ 48
+};
+
+const struct signature_alg ecdsa_with_sha256_alg = {
+ "ecdsa-with-sha256",
+ ASN1_OID_ID_ECDSA_WITH_SHA256,
+ &_hx509_signature_ecdsa_with_sha256_data,
+ ASN1_OID_ID_ECPUBLICKEY,
+ &_hx509_signature_sha256_data,
+ PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|
+ SIG_PUBLIC_SIG|SELF_SIGNED_OK,
+ 0,
+ NULL,
+ ecdsa_verify_signature,
+ ecdsa_create_signature,
+ 32
+};
+
+const struct signature_alg ecdsa_with_sha1_alg = {
+ "ecdsa-with-sha1",
+ ASN1_OID_ID_ECDSA_WITH_SHA1,
+ &_hx509_signature_ecdsa_with_sha1_data,
+ ASN1_OID_ID_ECPUBLICKEY,
+ &_hx509_signature_sha1_data,
+ PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|
+ SIG_PUBLIC_SIG|SELF_SIGNED_OK,
+ 0,
+ NULL,
+ ecdsa_verify_signature,
+ ecdsa_create_signature,
+ 20
+};
+
+#endif /* HAVE_HCRYPTO_W_OPENSSL */
+
+const AlgorithmIdentifier *
+hx509_signature_ecPublicKey(void)
+{
+#ifdef HAVE_HCRYPTO_W_OPENSSL
+ return &_hx509_signature_ecPublicKey;
+#else
+ return NULL;
+#endif /* HAVE_HCRYPTO_W_OPENSSL */
+}
+
+const AlgorithmIdentifier *
+hx509_signature_ecdsa_with_sha256(void)
+{
+#ifdef HAVE_HCRYPTO_W_OPENSSL
+ return &_hx509_signature_ecdsa_with_sha256_data;
+#else
+ return NULL;
+#endif /* HAVE_HCRYPTO_W_OPENSSL */
+}
diff --git a/lib/hx509/crypto.c b/lib/hx509/crypto.c
index 4559a9c49391..5ddc54b9f232 100644
--- a/lib/hx509/crypto.c
+++ b/lib/hx509/crypto.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * Copyright (c) 2004 - 2016 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,95 +33,12 @@
#include "hx_locl.h"
-struct hx509_crypto;
-
-struct signature_alg;
-
-struct hx509_generate_private_context {
- const heim_oid *key_oid;
- int isCA;
- unsigned long num_bits;
-};
-
-struct hx509_private_key_ops {
- const char *pemtype;
- const heim_oid *key_oid;
- int (*available)(const hx509_private_key,
- const AlgorithmIdentifier *);
- int (*get_spki)(hx509_context,
- const hx509_private_key,
- SubjectPublicKeyInfo *);
- int (*export)(hx509_context context,
- const hx509_private_key,
- hx509_key_format_t,
- heim_octet_string *);
- int (*import)(hx509_context, const AlgorithmIdentifier *,
- const void *, size_t, hx509_key_format_t,
- hx509_private_key);
- int (*generate_private_key)(hx509_context,
- struct hx509_generate_private_context *,
- hx509_private_key);
- BIGNUM *(*get_internal)(hx509_context, hx509_private_key, const char *);
-};
-
-struct hx509_private_key {
- unsigned int ref;
- const struct signature_alg *md;
- const heim_oid *signature_alg;
- union {
- RSA *rsa;
- void *keydata;
-#ifdef HAVE_OPENSSL
- EC_KEY *ecdsa;
-#endif
- } private_key;
- hx509_private_key_ops *ops;
-};
-
-/*
- *
- */
-
-struct signature_alg {
- const char *name;
- const heim_oid *sig_oid;
- const AlgorithmIdentifier *sig_alg;
- const heim_oid *key_oid;
- const AlgorithmIdentifier *digest_alg;
- int flags;
-#define PROVIDE_CONF 0x1
-#define REQUIRE_SIGNER 0x2
-#define SELF_SIGNED_OK 0x4
-
-#define SIG_DIGEST 0x100
-#define SIG_PUBLIC_SIG 0x200
-#define SIG_SECRET 0x400
-
-#define RA_RSA_USES_DIGEST_INFO 0x1000000
-
- time_t best_before; /* refuse signature made after best before date */
- const EVP_MD *(*evp_md)(void);
- int (*verify_signature)(hx509_context context,
- const struct signature_alg *,
- const Certificate *,
- const AlgorithmIdentifier *,
- const heim_octet_string *,
- const heim_octet_string *);
- int (*create_signature)(hx509_context,
- const struct signature_alg *,
- const hx509_private_key,
- const AlgorithmIdentifier *,
- const heim_octet_string *,
- AlgorithmIdentifier *,
- heim_octet_string *);
- int digest_size;
-};
-
-static const struct signature_alg *
-find_sig_alg(const heim_oid *oid);
-
-/*
+/*-
+ * RFC5758 specifies no parameters for ecdsa-with-SHA<N> signatures
+ * RFC5754 specifies NULL parameters for sha<N>WithRSAEncryption signatures
*
+ * XXX: Make sure that the parameters are either NULL in both the tbs and the
+ * signature, or absent from both the tbs and the signature.
*/
static const heim_octet_string null_entry_oid = { 2, rk_UNCONST("\x05\x00") };
@@ -151,44 +68,29 @@ const AlgorithmIdentifier _hx509_signature_md5_data = {
{ 6, rk_UNCONST(md5_oid_tree) }, rk_UNCONST(&null_entry_oid)
};
-static const unsigned ecPublicKey[] ={ 1, 2, 840, 10045, 2, 1 };
-const AlgorithmIdentifier _hx509_signature_ecPublicKey = {
- { 6, rk_UNCONST(ecPublicKey) }, NULL
-};
-
-static const unsigned ecdsa_with_sha256_oid[] ={ 1, 2, 840, 10045, 4, 3, 2 };
-const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha256_data = {
- { 7, rk_UNCONST(ecdsa_with_sha256_oid) }, NULL
-};
-
-static const unsigned ecdsa_with_sha1_oid[] ={ 1, 2, 840, 10045, 4, 1 };
-const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha1_data = {
- { 6, rk_UNCONST(ecdsa_with_sha1_oid) }, NULL
-};
-
static const unsigned rsa_with_sha512_oid[] ={ 1, 2, 840, 113549, 1, 1, 13 };
const AlgorithmIdentifier _hx509_signature_rsa_with_sha512_data = {
- { 7, rk_UNCONST(rsa_with_sha512_oid) }, NULL
+ { 7, rk_UNCONST(rsa_with_sha512_oid) }, rk_UNCONST(&null_entry_oid)
};
static const unsigned rsa_with_sha384_oid[] ={ 1, 2, 840, 113549, 1, 1, 12 };
const AlgorithmIdentifier _hx509_signature_rsa_with_sha384_data = {
- { 7, rk_UNCONST(rsa_with_sha384_oid) }, NULL
+ { 7, rk_UNCONST(rsa_with_sha384_oid) }, rk_UNCONST(&null_entry_oid)
};
static const unsigned rsa_with_sha256_oid[] ={ 1, 2, 840, 113549, 1, 1, 11 };
const AlgorithmIdentifier _hx509_signature_rsa_with_sha256_data = {
- { 7, rk_UNCONST(rsa_with_sha256_oid) }, NULL
+ { 7, rk_UNCONST(rsa_with_sha256_oid) }, rk_UNCONST(&null_entry_oid)
};
static const unsigned rsa_with_sha1_oid[] ={ 1, 2, 840, 113549, 1, 1, 5 };
const AlgorithmIdentifier _hx509_signature_rsa_with_sha1_data = {
- { 7, rk_UNCONST(rsa_with_sha1_oid) }, NULL
+ { 7, rk_UNCONST(rsa_with_sha1_oid) }, rk_UNCONST(&null_entry_oid)
};
static const unsigned rsa_with_md5_oid[] ={ 1, 2, 840, 113549, 1, 1, 4 };
const AlgorithmIdentifier _hx509_signature_rsa_with_md5_data = {
- { 7, rk_UNCONST(rsa_with_md5_oid) }, NULL
+ { 7, rk_UNCONST(rsa_with_md5_oid) }, rk_UNCONST(&null_entry_oid)
};
static const unsigned rsa_oid[] ={ 1, 2, 840, 113549, 1, 1, 1 };
@@ -234,10 +136,10 @@ heim_int2BN(const heim_integer *i)
*
*/
-static int
-set_digest_alg(DigestAlgorithmIdentifier *id,
- const heim_oid *oid,
- const void *param, size_t length)
+int
+_hx509_set_digest_alg(DigestAlgorithmIdentifier *id,
+ const heim_oid *oid,
+ const void *param, size_t length)
{
int ret;
if (param) {
@@ -266,265 +168,6 @@ set_digest_alg(DigestAlgorithmIdentifier *id,
return 0;
}
-#ifdef HAVE_OPENSSL
-
-static int
-heim_oid2ecnid(heim_oid *oid)
-{
- /*
- * Now map to openssl OID fun
- */
-
- if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP256R1) == 0)
- return NID_X9_62_prime256v1;
- else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R1) == 0)
- return NID_secp160r1;
- else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R2) == 0)
- return NID_secp160r2;
-
- return -1;
-}
-
-static int
-parse_ECParameters(hx509_context context,
- heim_octet_string *parameters, int *nid)
-{
- ECParameters ecparam;
- size_t size;
- int ret;
-
- if (parameters == NULL) {
- ret = HX509_PARSING_KEY_FAILED;
- hx509_set_error_string(context, 0, ret,
- "EC parameters missing");
- return ret;
- }
-
- ret = decode_ECParameters(parameters->data, parameters->length,
- &ecparam, &size);
- if (ret) {
- hx509_set_error_string(context, 0, ret,
- "Failed to decode EC parameters");
- return ret;
- }
-
- if (ecparam.element != choice_ECParameters_namedCurve) {
- free_ECParameters(&ecparam);
- hx509_set_error_string(context, 0, ret,
- "EC parameters is not a named curve");
- return HX509_CRYPTO_SIG_INVALID_FORMAT;
- }
-
- *nid = heim_oid2ecnid(&ecparam.u.namedCurve);
- free_ECParameters(&ecparam);
- if (*nid == -1) {
- hx509_set_error_string(context, 0, ret,
- "Failed to find matcing NID for EC curve");
- return HX509_CRYPTO_SIG_INVALID_FORMAT;
- }
- return 0;
-}
-
-
-/*
- *
- */
-
-static int
-ecdsa_verify_signature(hx509_context context,
- const struct signature_alg *sig_alg,
- const Certificate *signer,
- const AlgorithmIdentifier *alg,
- const heim_octet_string *data,
- const heim_octet_string *sig)
-{
- const AlgorithmIdentifier *digest_alg;
- const SubjectPublicKeyInfo *spi;
- heim_octet_string digest;
- int ret;
- EC_KEY *key = NULL;
- int groupnid;
- EC_GROUP *group;
- const unsigned char *p;
- long len;
-
- digest_alg = sig_alg->digest_alg;
-
- ret = _hx509_create_signature(context,
- NULL,
- digest_alg,
- data,
- NULL,
- &digest);
- if (ret)
- return ret;
-
- /* set up EC KEY */
- spi = &signer->tbsCertificate.subjectPublicKeyInfo;
-
- if (der_heim_oid_cmp(&spi->algorithm.algorithm, ASN1_OID_ID_ECPUBLICKEY) != 0)
- return HX509_CRYPTO_SIG_INVALID_FORMAT;
-
-#ifdef HAVE_OPENSSL
- /*
- * Find the group id
- */
-
- ret = parse_ECParameters(context, spi->algorithm.parameters, &groupnid);
- if (ret) {
- der_free_octet_string(&digest);
- return ret;
- }
-
- /*
- * Create group, key, parse key
- */
-
- key = EC_KEY_new();
- group = EC_GROUP_new_by_curve_name(groupnid);
- EC_KEY_set_group(key, group);
- EC_GROUP_free(group);
-
- p = spi->subjectPublicKey.data;
- len = spi->subjectPublicKey.length / 8;
-
- if (o2i_ECPublicKey(&key, &p, len) == NULL) {
- EC_KEY_free(key);
- return HX509_CRYPTO_SIG_INVALID_FORMAT;
- }
-#else
- key = SubjectPublicKeyInfo2EC_KEY(spi);
-#endif
-
- ret = ECDSA_verify(-1, digest.data, digest.length,
- sig->data, sig->length, key);
- der_free_octet_string(&digest);
- EC_KEY_free(key);
- if (ret != 1) {
- ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
- return ret;
- }
-
- return 0;
-}
-
-static int
-ecdsa_create_signature(hx509_context context,
- const struct signature_alg *sig_alg,
- const hx509_private_key signer,
- const AlgorithmIdentifier *alg,
- const heim_octet_string *data,
- AlgorithmIdentifier *signatureAlgorithm,
- heim_octet_string *sig)
-{
- const AlgorithmIdentifier *digest_alg;
- heim_octet_string indata;
- const heim_oid *sig_oid;
- unsigned int siglen;
- int ret;
-
- if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) != 0)
- _hx509_abort("internal error passing private key to wrong ops");
-
- sig_oid = sig_alg->sig_oid;
- digest_alg = sig_alg->digest_alg;
-
- if (signatureAlgorithm) {
- ret = set_digest_alg(signatureAlgorithm, sig_oid, "\x05\x00", 2);
- if (ret) {
- hx509_clear_error_string(context);
- goto error;
- }
- }
-
- ret = _hx509_create_signature(context,
- NULL,
- digest_alg,
- data,
- NULL,
- &indata);
- if (ret) {
- if (signatureAlgorithm)
- free_AlgorithmIdentifier(signatureAlgorithm);
- goto error;
- }
-
- sig->length = ECDSA_size(signer->private_key.ecdsa);
- sig->data = malloc(sig->length);
- if (sig->data == NULL) {
- der_free_octet_string(&indata);
- ret = ENOMEM;
- hx509_set_error_string(context, 0, ret, "out of memory");
- goto error;
- }
-
- siglen = sig->length;
-
- ret = ECDSA_sign(-1, indata.data, indata.length,
- sig->data, &siglen, signer->private_key.ecdsa);
- der_free_octet_string(&indata);
- if (ret != 1) {
- ret = HX509_CMS_FAILED_CREATE_SIGATURE;
- hx509_set_error_string(context, 0, ret,
- "ECDSA sign failed: %d", ret);
- goto error;
- }
- if (siglen > sig->length)
- _hx509_abort("ECDSA signature prelen longer the output len");
-
- sig->length = siglen;
-
- return 0;
- error:
- if (signatureAlgorithm)
- free_AlgorithmIdentifier(signatureAlgorithm);
- return ret;
-}
-
-static int
-ecdsa_available(const hx509_private_key signer,
- const AlgorithmIdentifier *sig_alg)
-{
- const struct signature_alg *sig;
- const EC_GROUP *group;
- BN_CTX *bnctx = NULL;
- BIGNUM *order = NULL;
- int ret = 0;
-
- if (der_heim_oid_cmp(signer->ops->key_oid, &asn1_oid_id_ecPublicKey) != 0)
- _hx509_abort("internal error passing private key to wrong ops");
-
- sig = find_sig_alg(&sig_alg->algorithm);
-
- if (sig == NULL || sig->digest_size == 0)
- return 0;
-
- group = EC_KEY_get0_group(signer->private_key.ecdsa);
- if (group == NULL)
- return 0;
-
- bnctx = BN_CTX_new();
- order = BN_new();
- if (order == NULL)
- goto err;
-
- if (EC_GROUP_get_order(group, order, bnctx) != 1)
- goto err;
-
- if (BN_num_bytes(order) > sig->digest_size)
- ret = 1;
- err:
- if (bnctx)
- BN_CTX_free(bnctx);
- if (order)
- BN_clear_free(order);
-
- return ret;
-}
-
-
-#endif /* HAVE_OPENSSL */
-
/*
*
*/
@@ -619,6 +262,9 @@ rsa_verify_signature(hx509_context context,
&di.digestAlgorithm,
data,
&di.digest);
+ if (ret)
+ goto out;
+
} else {
if ((size_t)retsize != data->length ||
ct_memcmp(to, data->data, retsize) != 0)
@@ -628,8 +274,8 @@ rsa_verify_signature(hx509_context context,
goto out;
}
free(to);
+ ret = 0;
}
- ret = 0;
out:
free_DigestInfo(&di);
@@ -683,7 +329,8 @@ rsa_create_signature(hx509_context context,
return HX509_ALG_NOT_SUPP;
if (signatureAlgorithm) {
- ret = set_digest_alg(signatureAlgorithm, sig_oid, "\x05\x00", 2);
+ ret = _hx509_set_digest_alg(signatureAlgorithm, sig_oid,
+ "\x05\x00", 2);
if (ret) {
hx509_clear_error_string(context);
return ret;
@@ -739,11 +386,13 @@ rsa_create_signature(hx509_context context,
"RSA private encrypt failed: %d", ret);
return ret;
}
- if ((size_t)ret > sig->length)
+ if (sig->length > (size_t)ret) {
+ size = sig->length - ret;
+ memmove((uint8_t *)sig->data + size, sig->data, ret);
+ memset(sig->data, 0, size);
+ } else if (sig->length < (size_t)ret)
_hx509_abort("RSA signature prelen longer the output len");
- sig->length = ret;
-
return 0;
}
@@ -795,8 +444,9 @@ rsa_private_key2SPKI(hx509_context context,
}
spki->subjectPublicKey.length = len * 8;
- ret = set_digest_alg(&spki->algorithm, ASN1_OID_ID_PKCS1_RSAENCRYPTION,
- "\x05\x00", 2);
+ ret = _hx509_set_digest_alg(&spki->algorithm,
+ ASN1_OID_ID_PKCS1_RSAENCRYPTION,
+ "\x05\x00", 2);
if (ret) {
hx509_set_error_string(context, 0, ret, "malloc - out of memory");
free(spki->subjectPublicKey.data);
@@ -920,115 +570,6 @@ static hx509_private_key_ops rsa_private_key_ops = {
rsa_get_internal
};
-#ifdef HAVE_OPENSSL
-
-static int
-ecdsa_private_key2SPKI(hx509_context context,
- hx509_private_key private_key,
- SubjectPublicKeyInfo *spki)
-{
- memset(spki, 0, sizeof(*spki));
- return ENOMEM;
-}
-
-static int
-ecdsa_private_key_export(hx509_context context,
- const hx509_private_key key,
- hx509_key_format_t format,
- heim_octet_string *data)
-{
- return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
-}
-
-static int
-ecdsa_private_key_import(hx509_context context,
- const AlgorithmIdentifier *keyai,
- const void *data,
- size_t len,
- hx509_key_format_t format,
- hx509_private_key private_key)
-{
- const unsigned char *p = data;
- EC_KEY **pkey = NULL;
-
- if (keyai->parameters) {
- EC_GROUP *group;
- int groupnid;
- EC_KEY *key;
- int ret;
-
- ret = parse_ECParameters(context, keyai->parameters, &groupnid);
- if (ret)
- return ret;
-
- key = EC_KEY_new();
- if (key == NULL)
- return ENOMEM;
-
- group = EC_GROUP_new_by_curve_name(groupnid);
- if (group == NULL) {
- EC_KEY_free(key);
- return ENOMEM;
- }
- EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
- if (EC_KEY_set_group(key, group) == 0) {
- EC_KEY_free(key);
- EC_GROUP_free(group);
- return ENOMEM;
- }
- EC_GROUP_free(group);
- pkey = &key;
- }
-
- switch (format) {
- case HX509_KEY_FORMAT_DER:
-
- private_key->private_key.ecdsa = d2i_ECPrivateKey(pkey, &p, len);
- if (private_key->private_key.ecdsa == NULL) {
- hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
- "Failed to parse EC private key");
- return HX509_PARSING_KEY_FAILED;
- }
- private_key->signature_alg = ASN1_OID_ID_ECDSA_WITH_SHA256;
- break;
-
- default:
- return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
- }
-
- return 0;
-}
-
-static int
-ecdsa_generate_private_key(hx509_context context,
- struct hx509_generate_private_context *ctx,
- hx509_private_key private_key)
-{
- return ENOMEM;
-}
-
-static BIGNUM *
-ecdsa_get_internal(hx509_context context,
- hx509_private_key key,
- const char *type)
-{
- return NULL;
-}
-
-
-static hx509_private_key_ops ecdsa_private_key_ops = {
- "EC PRIVATE KEY",
- ASN1_OID_ID_ECPUBLICKEY,
- ecdsa_available,
- ecdsa_private_key2SPKI,
- ecdsa_private_key_export,
- ecdsa_private_key_import,
- ecdsa_generate_private_key,
- ecdsa_get_internal
-};
-
-#endif /* HAVE_OPENSSL */
-
/*
*
*/
@@ -1157,8 +698,8 @@ evp_md_create_signature(hx509_context context,
if (signatureAlgorithm) {
int ret;
- ret = set_digest_alg(signatureAlgorithm, sig_alg->sig_oid,
- "\x05\x00", 2);
+ ret = _hx509_set_digest_alg(signatureAlgorithm,
+ sig_alg->sig_oid, "\x05\x00", 2);
if (ret)
return ret;
}
@@ -1214,36 +755,11 @@ evp_md_verify_signature(hx509_context context,
return 0;
}
-#ifdef HAVE_OPENSSL
-
-static const struct signature_alg ecdsa_with_sha256_alg = {
- "ecdsa-with-sha256",
- ASN1_OID_ID_ECDSA_WITH_SHA256,
- &_hx509_signature_ecdsa_with_sha256_data,
- ASN1_OID_ID_ECPUBLICKEY,
- &_hx509_signature_sha256_data,
- PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
- 0,
- NULL,
- ecdsa_verify_signature,
- ecdsa_create_signature,
- 32
-};
-
-static const struct signature_alg ecdsa_with_sha1_alg = {
- "ecdsa-with-sha1",
- ASN1_OID_ID_ECDSA_WITH_SHA1,
- &_hx509_signature_ecdsa_with_sha1_data,
- ASN1_OID_ID_ECPUBLICKEY,
- &_hx509_signature_sha1_data,
- PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
- 0,
- NULL,
- ecdsa_verify_signature,
- ecdsa_create_signature,
- 20
-};
-
+#ifdef HAVE_HCRYPTO_W_OPENSSL
+extern const struct signature_alg ecdsa_with_sha512_alg;
+extern const struct signature_alg ecdsa_with_sha384_alg;
+extern const struct signature_alg ecdsa_with_sha256_alg;
+extern const struct signature_alg ecdsa_with_sha1_alg;
#endif
static const struct signature_alg heim_rsa_pkcs1_x509 = {
@@ -1350,7 +866,7 @@ static const struct signature_alg rsa_with_md5_alg = {
&_hx509_signature_rsa_with_md5_data,
ASN1_OID_ID_PKCS1_RSAENCRYPTION,
&_hx509_signature_md5_data,
- PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+ PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|WEAK_SIG_ALG,
1230739889,
NULL,
rsa_verify_signature,
@@ -1434,7 +950,7 @@ static const struct signature_alg md5_alg = {
&_hx509_signature_md5_data,
NULL,
NULL,
- SIG_DIGEST,
+ SIG_DIGEST|WEAK_SIG_ALG,
0,
EVP_md5,
evp_md_verify_signature,
@@ -1448,7 +964,9 @@ static const struct signature_alg md5_alg = {
*/
static const struct signature_alg *sig_algs[] = {
-#ifdef HAVE_OPENSSL
+#ifdef HAVE_HCRYPTO_W_OPENSSL
+ &ecdsa_with_sha512_alg,
+ &ecdsa_with_sha384_alg,
&ecdsa_with_sha256_alg,
&ecdsa_with_sha1_alg,
#endif
@@ -1469,8 +987,8 @@ static const struct signature_alg *sig_algs[] = {
NULL
};
-static const struct signature_alg *
-find_sig_alg(const heim_oid *oid)
+const struct signature_alg *
+_hx509_find_sig_alg(const heim_oid *oid)
{
unsigned int i;
for (i = 0; sig_algs[i]; i++)
@@ -1511,10 +1029,13 @@ alg_for_privatekey(const hx509_private_key pk, int type)
/*
*
*/
+#ifdef HAVE_HCRYPTO_W_OPENSSL
+extern hx509_private_key_ops ecdsa_private_key_ops;
+#endif
static struct hx509_private_key_ops *private_algs[] = {
&rsa_private_key_ops,
-#ifdef HAVE_OPENSSL
+#ifdef HAVE_HCRYPTO_W_OPENSSL
&ecdsa_private_key_ops,
#endif
NULL
@@ -1539,21 +1060,18 @@ hx509_find_private_alg(const heim_oid *oid)
*/
int
-_hx509_signature_best_before(hx509_context context,
- const AlgorithmIdentifier *alg,
- time_t t)
+_hx509_signature_is_weak(hx509_context context, const AlgorithmIdentifier *alg)
{
const struct signature_alg *md;
- md = find_sig_alg(&alg->algorithm);
+ md = _hx509_find_sig_alg(&alg->algorithm);
if (md == NULL) {
hx509_clear_error_string(context);
return HX509_SIG_ALG_NO_SUPPORTED;
}
- if (md->best_before && md->best_before < t) {
+ if (md->flags & WEAK_SIG_ALG) {
hx509_set_error_string(context, 0, HX509_CRYPTO_ALGORITHM_BEST_BEFORE,
- "Algorithm %s has passed it best before date",
- md->name);
+ "Algorithm %s is weak", md->name);
return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;
}
return 0;
@@ -1565,7 +1083,7 @@ _hx509_self_signed_valid(hx509_context context,
{
const struct signature_alg *md;
- md = find_sig_alg(&alg->algorithm);
+ md = _hx509_find_sig_alg(&alg->algorithm);
if (md == NULL) {
hx509_clear_error_string(context);
return HX509_SIG_ALG_NO_SUPPORTED;
@@ -1593,7 +1111,7 @@ _hx509_verify_signature(hx509_context context,
if (cert)
signer = _hx509_get_cert(cert);
- md = find_sig_alg(&alg->algorithm);
+ md = _hx509_find_sig_alg(&alg->algorithm);
if (md == NULL) {
hx509_clear_error_string(context);
return HX509_SIG_ALG_NO_SUPPORTED;
@@ -1628,7 +1146,7 @@ _hx509_create_signature(hx509_context context,
{
const struct signature_alg *md;
- md = find_sig_alg(&alg->algorithm);
+ md = _hx509_find_sig_alg(&alg->algorithm);
if (md == NULL) {
hx509_set_error_string(context, 0, HX509_SIG_ALG_NO_SUPPORTED,
"algorithm no supported");
@@ -1923,18 +1441,6 @@ hx509_signature_md5(void)
{ return &_hx509_signature_md5_data; }
const AlgorithmIdentifier *
-hx509_signature_ecPublicKey(void)
-{ return &_hx509_signature_ecPublicKey; }
-
-const AlgorithmIdentifier *
-hx509_signature_ecdsa_with_sha256(void)
-{ return &_hx509_signature_ecdsa_with_sha256_data; }
-
-const AlgorithmIdentifier *
-hx509_signature_ecdsa_with_sha1(void)
-{ return &_hx509_signature_ecdsa_with_sha1_data; }
-
-const AlgorithmIdentifier *
hx509_signature_rsa_with_sha512(void)
{ return &_hx509_signature_rsa_with_sha512_data; }
@@ -2034,11 +1540,10 @@ hx509_private_key_free(hx509_private_key *key)
if ((*key)->ops && der_heim_oid_cmp((*key)->ops->key_oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) == 0) {
if ((*key)->private_key.rsa)
RSA_free((*key)->private_key.rsa);
-#ifdef HAVE_OPENSSL
- } else if ((*key)->ops && der_heim_oid_cmp((*key)->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) == 0) {
- if ((*key)->private_key.ecdsa)
- EC_KEY_free((*key)->private_key.ecdsa);
-#endif
+ } else if ((*key)->ops && der_heim_oid_cmp((*key)->ops->key_oid,
+ ASN1_OID_ID_ECPUBLICKEY) == 0 &&
+ (*key)->private_key.ecdsa != NULL) {
+ _hx509_private_eckey_free((*key)->private_key.ecdsa);
}
(*key)->private_key.rsa = NULL;
free(*key);
@@ -2806,29 +2311,49 @@ find_string2key(const heim_oid *oid,
{
if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND40BITRC2_CBC) == 0) {
*c = EVP_rc2_40_cbc();
+ if (*c == NULL)
+ return NULL;
*md = EVP_sha1();
+ if (*md == NULL)
+ return NULL;
*s2k = PBE_string2key;
return &asn1_oid_private_rc2_40;
} else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND128BITRC2_CBC) == 0) {
*c = EVP_rc2_cbc();
+ if (*c == NULL)
+ return NULL;
*md = EVP_sha1();
+ if (*md == NULL)
+ return NULL;
*s2k = PBE_string2key;
return ASN1_OID_ID_PKCS3_RC2_CBC;
#if 0
} else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND40BITRC4) == 0) {
*c = EVP_rc4_40();
+ if (*c == NULL)
+ return NULL;
*md = EVP_sha1();
+ if (*md == NULL)
+ return NULL;
*s2k = PBE_string2key;
return NULL;
} else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND128BITRC4) == 0) {
*c = EVP_rc4();
+ if (*c == NULL)
+ return NULL;
*md = EVP_sha1();
+ if (*md == NULL)
+ return NULL;
*s2k = PBE_string2key;
return ASN1_OID_ID_PKCS3_RC4;
#endif
} else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND3_KEYTRIPLEDES_CBC) == 0) {
*c = EVP_des_ede3_cbc();
+ if (*c == NULL)
+ return NULL;
*md = EVP_sha1();
+ if (*md == NULL)
+ return NULL;
*s2k = PBE_string2key;
return ASN1_OID_ID_PKCS3_DES_EDE3_CBC;
}
@@ -3008,6 +2533,8 @@ match_keys_ec(hx509_cert c, hx509_private_key private_key)
int
_hx509_match_keys(hx509_cert c, hx509_private_key key)
{
+ if (!key->ops)
+ return 0;
if (der_heim_oid_cmp(key->ops->key_oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) == 0)
return match_keys_rsa(c, key);
if (der_heim_oid_cmp(key->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) == 0)
@@ -3025,7 +2552,7 @@ find_keytype(const hx509_private_key key)
if (key == NULL)
return NULL;
- md = find_sig_alg(key->signature_alg);
+ md = _hx509_find_sig_alg(key->signature_alg);
if (md == NULL)
return NULL;
return md->key_oid;
diff --git a/lib/hx509/data/PKITS_data.zip b/lib/hx509/data/PKITS_data.zip
new file mode 100644
index 000000000000..50d6fbb375ce
--- /dev/null
+++ b/lib/hx509/data/PKITS_data.zip
Binary files differ
diff --git a/lib/hx509/data/eccurve.pem b/lib/hx509/data/eccurve.pem
new file mode 100644
index 000000000000..a76e47d9590b
--- /dev/null
+++ b/lib/hx509/data/eccurve.pem
@@ -0,0 +1,3 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
diff --git a/lib/hx509/data/https.crt b/lib/hx509/data/https.crt
new file mode 100644
index 000000000000..2056c899c8cb
--- /dev/null
+++ b/lib/hx509/data/https.crt
@@ -0,0 +1,53 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 9 (0x9)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=hx509 Test Root CA, C=SE
+ Validity
+ Not Before: Apr 26 20:29:41 2009 GMT
+ Not After : Apr 24 20:29:41 2019 GMT
+ Subject: C=SE, CN=www.test.h5l.se
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (1024 bit)
+ Modulus:
+ 00:c6:f4:94:25:2b:d5:fa:e9:3d:00:a9:46:24:f1:
+ bf:fe:61:df:bd:cc:da:74:b7:f9:36:c1:ce:51:d2:
+ 01:6f:79:ba:b3:4a:d5:a4:43:5a:c7:ad:e4:e0:50:
+ e2:a6:bf:54:73:ad:a5:86:0a:bd:56:c4:4f:b5:f5:
+ 7f:7e:fe:10:78:17:e2:35:4c:bb:cc:4b:74:35:d0:
+ ab:63:b1:02:72:94:a7:9a:dc:10:ef:28:82:a9:6c:
+ dc:19:8d:b8:3e:5b:21:52:1f:88:51:a6:5a:f8:67:
+ cd:cb:48:6f:f5:8b:71:7c:4d:52:da:bb:f9:26:8a:
+ 27:9c:7e:8a:d1:99:54:35:7f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ X509v3 Subject Key Identifier:
+ 8A:BB:2D:06:4B:BD:DE:9A:BA:7C:5A:35:D0:E2:19:37:48:29:0E:9C
+ Signature Algorithm: sha1WithRSAEncryption
+ 90:35:ec:8c:f2:62:14:76:8a:29:52:99:44:c1:d7:c8:9e:74:
+ ef:90:4f:e7:ea:4d:cf:8f:c1:73:0c:d9:49:06:93:30:b0:19:
+ 5e:de:9c:11:93:66:02:4d:8f:e9:8c:52:fc:26:26:9e:09:69:
+ a5:a7:63:d2:2d:40:de:e5:d8:d5:51:c3:32:60:6a:2f:26:13:
+ 91:69:36:f6:67:e4:b0:54:9e:77:68:22:5f:51:b8:3c:42:bd:
+ e3:09:dc:11:9b:ed:db:63:df:90:57:38:00:90:be:89:e7:ea:
+ 8e:d8:21:cd:96:68:69:4b:a3:15:50:ce:63:80:2a:99:4b:ff:
+ dd:1c
+-----BEGIN CERTIFICATE-----
+MIICADCCAWmgAwIBAgIBCTANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
+OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA5MDQyNjIwMjk0MVoXDTE5
+MDQyNDIwMjk0MVowJzELMAkGA1UEBhMCU0UxGDAWBgNVBAMMD3d3dy50ZXN0Lmg1
+bC5zZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxvSUJSvV+uk9AKlGJPG/
+/mHfvczadLf5NsHOUdIBb3m6s0rVpENax63k4FDipr9Uc62lhgq9VsRPtfV/fv4Q
+eBfiNUy7zEt0NdCrY7ECcpSnmtwQ7yiCqWzcGY24PlshUh+IUaZa+GfNy0hv9Ytx
+fE1S2rv5JoonnH6K0ZlUNX8CAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8EBAMC
+BeAwHQYDVR0OBBYEFIq7LQZLvd6aunxaNdDiGTdIKQ6cMA0GCSqGSIb3DQEBBQUA
+A4GBAJA17IzyYhR2iilSmUTB18iedO+QT+fqTc+PwXMM2UkGkzCwGV7enBGTZgJN
+j+mMUvwmJp4JaaWnY9ItQN7l2NVRwzJgai8mE5FpNvZn5LBUnndoIl9RuDxCveMJ
+3BGb7dtj35BXOACQvonn6o7YIc2WaGlLoxVQzmOAKplL/90c
+-----END CERTIFICATE-----
diff --git a/lib/hx509/data/https.key b/lib/hx509/data/https.key
new file mode 100644
index 000000000000..ee6065a0006f
--- /dev/null
+++ b/lib/hx509/data/https.key
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMb0lCUr1frpPQCp
+RiTxv/5h373M2nS3+TbBzlHSAW95urNK1aRDWset5OBQ4qa/VHOtpYYKvVbET7X1
+f37+EHgX4jVMu8xLdDXQq2OxAnKUp5rcEO8ogqls3BmNuD5bIVIfiFGmWvhnzctI
+b/WLcXxNUtq7+SaKJ5x+itGZVDV/AgMBAAECgYBfO282I7d3NPGYQW5r/LPUBfFd
+HpNqzy0hQr+JdqZtP61YaPe+eucXMWue29jBzE+WV4YllTpwL+Ofy3VNyjsDCIva
+acqVrimYl5EAT1yiqvC1DNC0SvAfEsBlpMJr7w8F4M7wbSxvGIWjRVeZtLd7H4pw
+8ooDNZNlcXPyrBozQQJBAPGxPPiO66EpiN66ffRiqnof1lGUFaZPqBKYF/M3mybt
+X7vMKQsrQpdNQTbtR2u42yBUJGw4trhIn1qDInkgXfECQQDSu61Z/m5xRVlBk3mj
+QMqSVX+FoD3WtSry003lcxGfNsuguJtYHXHHhPbPNMUaDEtErkbUMQHNFX5mEjGp
+0RpvAkEAwbDhhOy8pw5rMtvP3w9HQdHL5tq/MuY5cpVS9EaG335yL0VhSyMjHa/6
+6HLlvs2JRnJIMjaNMEh69IWNFfc7cQJBAIOzIy3BI0jLLHMdNcHfdjpqEJ50fPE4
+nDTR9jbV6Ud1uWEivoMdM8SbxpvMwPn8gPXVbRKj5hpDupEUAdG9iyUCQQCNSVcl
+NREl42G5ZQ2Q+zYtYIJbe9SAxu7WcfzctFleRbmKPLqrcnCLWenWWHtrzZLRgFhw
+rLiglEkVDRXivfhq
+-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/mkcert.sh b/lib/hx509/data/mkcert.sh
new file mode 100755
index 000000000000..5faa571206a8
--- /dev/null
+++ b/lib/hx509/data/mkcert.sh
@@ -0,0 +1,84 @@
+#! /bin/bash
+
+set -e
+
+# For now, avoid going past the 2038 32-bit clock rollover
+DAYS=$(( ( 0x7fffffff - $(date +%s) ) / 86400 - 1 ))
+
+key() {
+ local key=$1; shift
+
+ if [ ! -f "${key}.pem" ]; then
+ openssl genpkey \
+ -paramfile <(openssl ecparam -name prime256v1) \
+ -out "${key}.pem"
+ fi
+}
+
+req() {
+ local key=$1; shift
+ local dn=$1; shift
+
+ openssl req -new -sha256 -key "${key}.pem" \
+ -config <(printf "[req]\n%s\n%s\n[dn]\nCN_default=foo\n" \
+ "prompt = yes" "distinguished_name = dn") \
+ -subj "${dn}"
+}
+
+cert() {
+ local cert=$1; shift
+ local exts=$1; shift
+
+ openssl x509 -req -sha256 -out "${cert}.pem" \
+ -extfile <(printf "%s\n" "$exts") "$@"
+}
+
+genroot() {
+ local dn=$1; shift
+ local key=$1; shift
+ local cert=$1; shift
+
+ exts=$(printf "%s\n%s\n%s\n%s\n" \
+ "subjectKeyIdentifier = hash" \
+ "authorityKeyIdentifier = keyid" \
+ "basicConstraints = CA:true" \
+ "keyUsage = keyCertSign, cRLSign" )
+ key "$key"; req "$key" "$dn" |
+ cert "$cert" "$exts" -signkey "${key}.pem" \
+ -set_serial 1 -days "${DAYS}"
+}
+
+genee() {
+ local dn=$1; shift
+ local key=$1; shift
+ local cert=$1; shift
+ local cakey=$1; shift
+ local cacert=$1; shift
+
+ exts=$(printf "%s\n%s\n%s\n%s\n" \
+ "subjectKeyIdentifier = hash" \
+ "authorityKeyIdentifier = keyid, issuer" \
+ "basicConstraints = CA:false" \
+ "keyUsage = digitalSignature, keyEncipherment, dataEncipherment" \
+ )
+ key "$key"; req "$key" "$dn" |
+ cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
+ -set_serial 2 -days "${DAYS}" "$@"
+}
+
+
+genroot "/C=SE/O=Heimdal/CN=CA secp256r1" \
+ secp256r1TestCA.key secp256r1TestCA.cert
+genee "/C=SE/O=Heimdal/CN=Server" \
+ secp256r2TestServer.key secp256r2TestServer.cert \
+ secp256r1TestCA.key secp256r1TestCA.cert
+genee "/C=SE/O=Heimdal/CN=Client" \
+ secp256r2TestClient.key secp256r2TestClient.cert \
+ secp256r1TestCA.key secp256r1TestCA.cert
+
+cat secp256r1TestCA.key.pem secp256r1TestCA.cert.pem > \
+ secp256r1TestCA.pem
+cat secp256r2TestClient.cert.pem secp256r2TestClient.key.pem > \
+ secp256r2TestClient.pem
+cat secp256r2TestServer.cert.pem secp256r2TestServer.key.pem > \
+ secp256r2TestServer.pem
diff --git a/lib/hx509/data/nist-result2 b/lib/hx509/data/nist-result2
new file mode 100644
index 000000000000..93a22e7aea75
--- /dev/null
+++ b/lib/hx509/data/nist-result2
@@ -0,0 +1,31 @@
+# $Id$
+# id FAIL
+4.2.8 EITHER depeneds on if time_t is 64 bit or not
+4.3.5 FAIL
+4.4.13 EITHER depeneds on if time_t is 64 bit or not
+4.5.1 FAIL
+4.5.4 FAIL
+4.5.6 FAIL
+4.6.15 FAIL
+4.6.17 FAIL
+4.11.2 FAIL
+4.12.2 FAIL
+4.13.19 FAIL
+4.13.21 FAIL
+4.13.23 FAIL
+4.13.26 FAIL
+4.13.27 FAIL
+4.13.30 FAIL
+4.13.33 FAIL
+4.13.34 FAIL
+4.13.37 FAIL
+4.14.1 FAIL
+4.14.4 FAIL
+4.14.5 FAIL
+4.14.7 FAIL
+4.14.13 FAIL
+4.14.18 FAIL
+4.14.19 FAIL
+4.15.4 FAIL
+4.15.5 FAIL
+4.16.2 FAIL
diff --git a/lib/hx509/data/openssl.cnf b/lib/hx509/data/openssl.cnf
index a6054009d955..b0146564592a 100644
--- a/lib/hx509/data/openssl.cnf
+++ b/lib/hx509/data/openssl.cnf
@@ -82,7 +82,7 @@ certs = .
[req]
distinguished_name = req_distinguished_name
-x509_extensions = v3_ca # The extentions to add to the self signed cert
+x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
diff --git a/lib/hx509/data/secp160r1TestCA.cert.pem b/lib/hx509/data/secp160r1TestCA.cert.pem
deleted file mode 100644
index 2d30fab2c608..000000000000
--- a/lib/hx509/data/secp160r1TestCA.cert.pem
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBxjCCAYagAwIBAgIJAKjMYS/6EOLdMAkGByqGSM49BAEwNjELMAkGA1UEBhMC
-U0UxEDAOBgNVBAoTB0hlaW1kYWwxFTATBgNVBAMTDENBIHNlY3AxNjByMTAeFw0w
-OTAyMTQxNzUwMDRaFw0yMDAxMjgxNzUwMDRaMDYxCzAJBgNVBAYTAlNFMRAwDgYD
-VQQKEwdIZWltZGFsMRUwEwYDVQQDEwxDQSBzZWNwMTYwcjEwPjAQBgcqhkjOPQIB
-BgUrgQQACAMqAASMHokF13aCVrlhMSr9Vgofj7loM2a7ZrU3h8/j1n/cO24ceyN/
-DpsOo4GYMIGVMB0GA1UdDgQWBBS58EWwgNdBwkYVhUSNzwIehHhEDzBmBgNVHSME
-XzBdgBS58EWwgNdBwkYVhUSNzwIehHhED6E6pDgwNjELMAkGA1UEBhMCU0UxEDAO
-BgNVBAoTB0hlaW1kYWwxFTATBgNVBAMTDENBIHNlY3AxNjByMYIJAKjMYS/6EOLd
-MAwGA1UdEwQFMAMBAf8wCQYHKoZIzj0EAQMvADAsAhRZPKbqMYDATJasRcXQfEh5
-8oHCywIUGZ0h6FqSvPgpkZ7hoU+ZEFJ/D88=
------END CERTIFICATE-----
diff --git a/lib/hx509/data/secp160r1TestCA.key.pem b/lib/hx509/data/secp160r1TestCA.key.pem
deleted file mode 100644
index f0ce773cf8ac..000000000000
--- a/lib/hx509/data/secp160r1TestCA.key.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MFACAQEEFHegiSlX0311KSBjNrbzq6HrKjkYoAcGBSuBBAAIoSwDKgAEjB6JBdd2
-gla5YTEq/VYKH4+5aDNmu2a1N4fP49Z/3DtuHHsjfw6bDg==
------END EC PRIVATE KEY-----
diff --git a/lib/hx509/data/secp160r1TestCA.pem b/lib/hx509/data/secp160r1TestCA.pem
deleted file mode 100644
index a6f068d5476a..000000000000
--- a/lib/hx509/data/secp160r1TestCA.pem
+++ /dev/null
@@ -1,18 +0,0 @@
-issuer= /C=SE/O=Heimdal/CN=CA secp160r1
-subject= /C=SE/O=Heimdal/CN=CA secp160r1
------BEGIN CERTIFICATE-----
-MIIBxjCCAYagAwIBAgIJAKjMYS/6EOLdMAkGByqGSM49BAEwNjELMAkGA1UEBhMC
-U0UxEDAOBgNVBAoTB0hlaW1kYWwxFTATBgNVBAMTDENBIHNlY3AxNjByMTAeFw0w
-OTAyMTQxNzUwMDRaFw0yMDAxMjgxNzUwMDRaMDYxCzAJBgNVBAYTAlNFMRAwDgYD
-VQQKEwdIZWltZGFsMRUwEwYDVQQDEwxDQSBzZWNwMTYwcjEwPjAQBgcqhkjOPQIB
-BgUrgQQACAMqAASMHokF13aCVrlhMSr9Vgofj7loM2a7ZrU3h8/j1n/cO24ceyN/
-DpsOo4GYMIGVMB0GA1UdDgQWBBS58EWwgNdBwkYVhUSNzwIehHhEDzBmBgNVHSME
-XzBdgBS58EWwgNdBwkYVhUSNzwIehHhED6E6pDgwNjELMAkGA1UEBhMCU0UxEDAO
-BgNVBAoTB0hlaW1kYWwxFTATBgNVBAMTDENBIHNlY3AxNjByMYIJAKjMYS/6EOLd
-MAwGA1UdEwQFMAMBAf8wCQYHKoZIzj0EAQMvADAsAhRZPKbqMYDATJasRcXQfEh5
-8oHCywIUGZ0h6FqSvPgpkZ7hoU+ZEFJ/D88=
------END CERTIFICATE-----
------BEGIN EC PRIVATE KEY-----
-MFACAQEEFHegiSlX0311KSBjNrbzq6HrKjkYoAcGBSuBBAAIoSwDKgAEjB6JBdd2
-gla5YTEq/VYKH4+5aDNmu2a1N4fP49Z/3DtuHHsjfw6bDg==
------END EC PRIVATE KEY-----
diff --git a/lib/hx509/data/secp160r2TestClient.cert.pem b/lib/hx509/data/secp160r2TestClient.cert.pem
deleted file mode 100644
index 716395bf8e1e..000000000000
--- a/lib/hx509/data/secp160r2TestClient.cert.pem
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBIDCB4AIJAN1XzNknE3lDMAkGByqGSM49BAEwNjELMAkGA1UEBhMCU0UxEDAO
-BgNVBAoTB0hlaW1kYWwxFTATBgNVBAMTDENBIHNlY3AxNjByMTAeFw0wOTAyMTQx
-NzUwMDRaFw0yMDAxMjgxNzUwMDRaMDAxCzAJBgNVBAYTAlNFMRAwDgYDVQQKEwdI
-ZWltZGFsMQ8wDQYDVQQDEwZDbGllbnQwPjAQBgcqhkjOPQIBBgUrgQQAHgMqAASA
-oVzj3A0W1FaSmc0NwTRdX4A8eCbDb6pf07vMpUcOqvdXVGwWN3HhMAkGByqGSM49
-BAEDMAAwLQIURJ9Jdesm0rqwpOAn8K23GdWlCkYCFQDmJtqiOLs4jjUUP6T7O17M
-Iwyrvg==
------END CERTIFICATE-----
diff --git a/lib/hx509/data/secp160r2TestClient.key.pem b/lib/hx509/data/secp160r2TestClient.key.pem
deleted file mode 100644
index e5a2fef7941b..000000000000
--- a/lib/hx509/data/secp160r2TestClient.key.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MFACAQEEFNz0QJPbDlTBMSOfUoxNSzOOpRKyoAcGBSuBBAAeoSwDKgAEgKFc49wN
-FtRWkpnNDcE0XV+APHgmw2+qX9O7zKVHDqr3V1RsFjdx4Q==
------END EC PRIVATE KEY-----
diff --git a/lib/hx509/data/secp160r2TestClient.pem b/lib/hx509/data/secp160r2TestClient.pem
deleted file mode 100644
index ca4bb331d767..000000000000
--- a/lib/hx509/data/secp160r2TestClient.pem
+++ /dev/null
@@ -1,15 +0,0 @@
-issuer= /C=SE/O=Heimdal/CN=CA secp160r1
-subject= /C=SE/O=Heimdal/CN=Client
------BEGIN CERTIFICATE-----
-MIIBIDCB4AIJAN1XzNknE3lDMAkGByqGSM49BAEwNjELMAkGA1UEBhMCU0UxEDAO
-BgNVBAoTB0hlaW1kYWwxFTATBgNVBAMTDENBIHNlY3AxNjByMTAeFw0wOTAyMTQx
-NzUwMDRaFw0yMDAxMjgxNzUwMDRaMDAxCzAJBgNVBAYTAlNFMRAwDgYDVQQKEwdI
-ZWltZGFsMQ8wDQYDVQQDEwZDbGllbnQwPjAQBgcqhkjOPQIBBgUrgQQAHgMqAASA
-oVzj3A0W1FaSmc0NwTRdX4A8eCbDb6pf07vMpUcOqvdXVGwWN3HhMAkGByqGSM49
-BAEDMAAwLQIURJ9Jdesm0rqwpOAn8K23GdWlCkYCFQDmJtqiOLs4jjUUP6T7O17M
-Iwyrvg==
------END CERTIFICATE-----
------BEGIN EC PRIVATE KEY-----
-MFACAQEEFNz0QJPbDlTBMSOfUoxNSzOOpRKyoAcGBSuBBAAeoSwDKgAEgKFc49wN
-FtRWkpnNDcE0XV+APHgmw2+qX9O7zKVHDqr3V1RsFjdx4Q==
------END EC PRIVATE KEY-----
diff --git a/lib/hx509/data/secp160r2TestServer.cert.pem b/lib/hx509/data/secp160r2TestServer.cert.pem
deleted file mode 100644
index 6b56036583cb..000000000000
--- a/lib/hx509/data/secp160r2TestServer.cert.pem
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBIDCB4AIJAN1XzNknE3lCMAkGByqGSM49BAEwNjELMAkGA1UEBhMCU0UxEDAO
-BgNVBAoTB0hlaW1kYWwxFTATBgNVBAMTDENBIHNlY3AxNjByMTAeFw0wOTAyMTQx
-NzUwMDRaFw0yMDAxMjgxNzUwMDRaMDAxCzAJBgNVBAYTAlNFMRAwDgYDVQQKEwdI
-ZWltZGFsMQ8wDQYDVQQDEwZTZXJ2ZXIwPjAQBgcqhkjOPQIBBgUrgQQAHgMqAARA
-IUAwnwABnZAs378hcEgnk8efxE35RF6B+MmxSq1Twhp2C1ophD6yMAkGByqGSM49
-BAEDMAAwLQIVAO0hl59KWXRMBaJ2iKsiu/j73/bPAhRfsTT6SIBL5+3gjLhl7SqK
-1kTMQw==
------END CERTIFICATE-----
diff --git a/lib/hx509/data/secp160r2TestServer.key.pem b/lib/hx509/data/secp160r2TestServer.key.pem
deleted file mode 100644
index a903d0f76655..000000000000
--- a/lib/hx509/data/secp160r2TestServer.key.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MFACAQEEFBR1r2nPL1Ln1U5Nk1kW9XtNEkk1oAcGBSuBBAAeoSwDKgAEQCFAMJ8A
-AZ2QLN+/IXBIJ5PHn8RN+URegfjJsUqtU8IadgtaKYQ+sg==
------END EC PRIVATE KEY-----
diff --git a/lib/hx509/data/secp160r2TestServer.pem b/lib/hx509/data/secp160r2TestServer.pem
deleted file mode 100644
index 329d871534c7..000000000000
--- a/lib/hx509/data/secp160r2TestServer.pem
+++ /dev/null
@@ -1,15 +0,0 @@
-issuer= /C=SE/O=Heimdal/CN=CA secp160r1
-subject= /C=SE/O=Heimdal/CN=Server
------BEGIN CERTIFICATE-----
-MIIBIDCB4AIJAN1XzNknE3lCMAkGByqGSM49BAEwNjELMAkGA1UEBhMCU0UxEDAO
-BgNVBAoTB0hlaW1kYWwxFTATBgNVBAMTDENBIHNlY3AxNjByMTAeFw0wOTAyMTQx
-NzUwMDRaFw0yMDAxMjgxNzUwMDRaMDAxCzAJBgNVBAYTAlNFMRAwDgYDVQQKEwdI
-ZWltZGFsMQ8wDQYDVQQDEwZTZXJ2ZXIwPjAQBgcqhkjOPQIBBgUrgQQAHgMqAARA
-IUAwnwABnZAs378hcEgnk8efxE35RF6B+MmxSq1Twhp2C1ophD6yMAkGByqGSM49
-BAEDMAAwLQIVAO0hl59KWXRMBaJ2iKsiu/j73/bPAhRfsTT6SIBL5+3gjLhl7SqK
-1kTMQw==
------END CERTIFICATE-----
------BEGIN EC PRIVATE KEY-----
-MFACAQEEFBR1r2nPL1Ln1U5Nk1kW9XtNEkk1oAcGBSuBBAAeoSwDKgAEQCFAMJ8A
-AZ2QLN+/IXBIJ5PHn8RN+URegfjJsUqtU8IadgtaKYQ+sg==
------END EC PRIVATE KEY-----
diff --git a/lib/hx509/data/secp256r1TestCA.cert.pem b/lib/hx509/data/secp256r1TestCA.cert.pem
new file mode 100644
index 000000000000..6cac58ee11ff
--- /dev/null
+++ b/lib/hx509/data/secp256r1TestCA.cert.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBuDCCAV6gAwIBAgIBATAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G
+A1UEChMHSGVpbWRhbDEVMBMGA1UEAxMMQ0Egc2VjcDI1NnIxMB4XDTE0MDMxMDE5
+NDAyM1oXDTM4MDExNzE5NDAyM1owNjELMAkGA1UEBhMCU0UxEDAOBgNVBAoTB0hl
+aW1kYWwxFTATBgNVBAMTDENBIHNlY3AyNTZyMTBZMBMGByqGSM49AgEGCCqGSM49
+AwEHA0IABOUrhSvioYJaKUK9WjI5eGRAWsOB2DNslTkcgTkFsd3vD4/dGxaHBOIM
+kuD9ldGK2sQArEIDKfrOHvP+oFz3jLajXTBbMB0GA1UdDgQWBBTrUd8AqGhfZvHV
+spcznXeb328JgzAfBgNVHSMEGDAWgBTrUd8AqGhfZvHVspcznXeb328JgzAMBgNV
+HRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDAgNIADBFAiBd6J2N4B6L
+mtn0ZP/6vOyPkA7YMq2EwbVyTGlnBTwYsQIhALjsLWHQVSkt08rly48ns93DeSbM
+XejBzmT8QXEdib+1
+-----END CERTIFICATE-----
diff --git a/lib/hx509/data/secp256r1TestCA.key.pem b/lib/hx509/data/secp256r1TestCA.key.pem
new file mode 100644
index 000000000000..388826621dc7
--- /dev/null
+++ b/lib/hx509/data/secp256r1TestCA.key.pem
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgL2N0gdHhAjBGcJ40
+gHePPMwGKygIVDXTfjysn9zPiSOhRANCAATlK4Ur4qGCWilCvVoyOXhkQFrDgdgz
+bJU5HIE5BbHd7w+P3RsWhwTiDJLg/ZXRitrEAKxCAyn6zh7z/qBc94y2
+-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/secp256r1TestCA.pem b/lib/hx509/data/secp256r1TestCA.pem
new file mode 100644
index 000000000000..d0c7431880ae
--- /dev/null
+++ b/lib/hx509/data/secp256r1TestCA.pem
@@ -0,0 +1,17 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgL2N0gdHhAjBGcJ40
+gHePPMwGKygIVDXTfjysn9zPiSOhRANCAATlK4Ur4qGCWilCvVoyOXhkQFrDgdgz
+bJU5HIE5BbHd7w+P3RsWhwTiDJLg/ZXRitrEAKxCAyn6zh7z/qBc94y2
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIBuDCCAV6gAwIBAgIBATAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G
+A1UEChMHSGVpbWRhbDEVMBMGA1UEAxMMQ0Egc2VjcDI1NnIxMB4XDTE0MDMxMDE5
+NDAyM1oXDTM4MDExNzE5NDAyM1owNjELMAkGA1UEBhMCU0UxEDAOBgNVBAoTB0hl
+aW1kYWwxFTATBgNVBAMTDENBIHNlY3AyNTZyMTBZMBMGByqGSM49AgEGCCqGSM49
+AwEHA0IABOUrhSvioYJaKUK9WjI5eGRAWsOB2DNslTkcgTkFsd3vD4/dGxaHBOIM
+kuD9ldGK2sQArEIDKfrOHvP+oFz3jLajXTBbMB0GA1UdDgQWBBTrUd8AqGhfZvHV
+spcznXeb328JgzAfBgNVHSMEGDAWgBTrUd8AqGhfZvHVspcznXeb328JgzAMBgNV
+HRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDAgNIADBFAiBd6J2N4B6L
+mtn0ZP/6vOyPkA7YMq2EwbVyTGlnBTwYsQIhALjsLWHQVSkt08rly48ns93DeSbM
+XejBzmT8QXEdib+1
+-----END CERTIFICATE-----
diff --git a/lib/hx509/data/secp256r2TestClient.cert.pem b/lib/hx509/data/secp256r2TestClient.cert.pem
new file mode 100644
index 000000000000..f0f3a2445c55
--- /dev/null
+++ b/lib/hx509/data/secp256r2TestClient.cert.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBrzCCAVWgAwIBAgIBAjAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G
+A1UEChMHSGVpbWRhbDEVMBMGA1UEAxMMQ0Egc2VjcDI1NnIxMB4XDTE0MDMxMDE5
+NDAyM1oXDTM4MDExNzE5NDAyM1owMDELMAkGA1UEBhMCU0UxEDAOBgNVBAoTB0hl
+aW1kYWwxDzANBgNVBAMTBkNsaWVudDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BO7/MCIBHf8gQLQ5ltp1uyCOCAw8uylZZ7+v/rB3oKHuAIyL6q/QjZXZH3FR5VcI
+zANavN5SAfx9CFJpPk+pUISjWjBYMB0GA1UdDgQWBBSjXg4X3fs5xOQgTumjZQwF
+I13RejAfBgNVHSMEGDAWgBTrUd8AqGhfZvHVspcznXeb328JgzAJBgNVHRMEAjAA
+MAsGA1UdDwQEAwIEsDAKBggqhkjOPQQDAgNIADBFAiAa9d6aCxlioep3ViYqujWv
+A28/16yXOrmLY1a2wcj3awIhAMeVjMiUTP/U4yXfb3uJjJmq8hfyNZ/CAiTQKORx
+JjIt
+-----END CERTIFICATE-----
diff --git a/lib/hx509/data/secp256r2TestClient.key.pem b/lib/hx509/data/secp256r2TestClient.key.pem
new file mode 100644
index 000000000000..36c67f9db6f2
--- /dev/null
+++ b/lib/hx509/data/secp256r2TestClient.key.pem
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg6oD5CbNzN7oAWqcq
+dKJKw2WU5EwnUV05+7S9gXgeW/qhRANCAATu/zAiAR3/IEC0OZbadbsgjggMPLsp
+WWe/r/6wd6Ch7gCMi+qv0I2V2R9xUeVXCMwDWrzeUgH8fQhSaT5PqVCE
+-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/secp256r2TestClient.pem b/lib/hx509/data/secp256r2TestClient.pem
new file mode 100644
index 000000000000..acf11b0413ff
--- /dev/null
+++ b/lib/hx509/data/secp256r2TestClient.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIIBrzCCAVWgAwIBAgIBAjAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G
+A1UEChMHSGVpbWRhbDEVMBMGA1UEAxMMQ0Egc2VjcDI1NnIxMB4XDTE0MDMxMDE5
+NDAyM1oXDTM4MDExNzE5NDAyM1owMDELMAkGA1UEBhMCU0UxEDAOBgNVBAoTB0hl
+aW1kYWwxDzANBgNVBAMTBkNsaWVudDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BO7/MCIBHf8gQLQ5ltp1uyCOCAw8uylZZ7+v/rB3oKHuAIyL6q/QjZXZH3FR5VcI
+zANavN5SAfx9CFJpPk+pUISjWjBYMB0GA1UdDgQWBBSjXg4X3fs5xOQgTumjZQwF
+I13RejAfBgNVHSMEGDAWgBTrUd8AqGhfZvHVspcznXeb328JgzAJBgNVHRMEAjAA
+MAsGA1UdDwQEAwIEsDAKBggqhkjOPQQDAgNIADBFAiAa9d6aCxlioep3ViYqujWv
+A28/16yXOrmLY1a2wcj3awIhAMeVjMiUTP/U4yXfb3uJjJmq8hfyNZ/CAiTQKORx
+JjIt
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg6oD5CbNzN7oAWqcq
+dKJKw2WU5EwnUV05+7S9gXgeW/qhRANCAATu/zAiAR3/IEC0OZbadbsgjggMPLsp
+WWe/r/6wd6Ch7gCMi+qv0I2V2R9xUeVXCMwDWrzeUgH8fQhSaT5PqVCE
+-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/secp256r2TestServer.cert.pem b/lib/hx509/data/secp256r2TestServer.cert.pem
new file mode 100644
index 000000000000..91acde8f60e5
--- /dev/null
+++ b/lib/hx509/data/secp256r2TestServer.cert.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsDCCAVWgAwIBAgIBAjAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G
+A1UEChMHSGVpbWRhbDEVMBMGA1UEAxMMQ0Egc2VjcDI1NnIxMB4XDTE0MDMxMDE5
+NDAyM1oXDTM4MDExNzE5NDAyM1owMDELMAkGA1UEBhMCU0UxEDAOBgNVBAoTB0hl
+aW1kYWwxDzANBgNVBAMTBlNlcnZlcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BItZgn1C8ZBvKkkNoEofWL0JLCTaHT2lJj7d9jRtSKiR2PlOtd5HhteDqP78K4eg
+lRMk5nqsmEooalfbNsFBy8SjWjBYMB0GA1UdDgQWBBTqMDTOezcRsax6lf6E/Xk+
+QzPorjAfBgNVHSMEGDAWgBTrUd8AqGhfZvHVspcznXeb328JgzAJBgNVHRMEAjAA
+MAsGA1UdDwQEAwIEsDAKBggqhkjOPQQDAgNJADBGAiEAsvf//YdUWCD6OLZesENa
+1mH8+b+kZDR6jx1JchRXAEQCIQDkTvTZrlmmxUaWEsf08/4xbxkYbrPAg4+VX2uI
+QcEwUA==
+-----END CERTIFICATE-----
diff --git a/lib/hx509/data/secp256r2TestServer.key.pem b/lib/hx509/data/secp256r2TestServer.key.pem
new file mode 100644
index 000000000000..fb57e798c73e
--- /dev/null
+++ b/lib/hx509/data/secp256r2TestServer.key.pem
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgKo/47DaveCl90GxH
+LCE7IGBua2XsE+jI4RUWZrqjhBGhRANCAASLWYJ9QvGQbypJDaBKH1i9CSwk2h09
+pSY+3fY0bUiokdj5TrXeR4bXg6j+/CuHoJUTJOZ6rJhKKGpX2zbBQcvE
+-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/secp256r2TestServer.pem b/lib/hx509/data/secp256r2TestServer.pem
new file mode 100644
index 000000000000..0e9edd782bcf
--- /dev/null
+++ b/lib/hx509/data/secp256r2TestServer.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIIBsDCCAVWgAwIBAgIBAjAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G
+A1UEChMHSGVpbWRhbDEVMBMGA1UEAxMMQ0Egc2VjcDI1NnIxMB4XDTE0MDMxMDE5
+NDAyM1oXDTM4MDExNzE5NDAyM1owMDELMAkGA1UEBhMCU0UxEDAOBgNVBAoTB0hl
+aW1kYWwxDzANBgNVBAMTBlNlcnZlcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BItZgn1C8ZBvKkkNoEofWL0JLCTaHT2lJj7d9jRtSKiR2PlOtd5HhteDqP78K4eg
+lRMk5nqsmEooalfbNsFBy8SjWjBYMB0GA1UdDgQWBBTqMDTOezcRsax6lf6E/Xk+
+QzPorjAfBgNVHSMEGDAWgBTrUd8AqGhfZvHVspcznXeb328JgzAJBgNVHRMEAjAA
+MAsGA1UdDwQEAwIEsDAKBggqhkjOPQQDAgNJADBGAiEAsvf//YdUWCD6OLZesENa
+1mH8+b+kZDR6jx1JchRXAEQCIQDkTvTZrlmmxUaWEsf08/4xbxkYbrPAg4+VX2uI
+QcEwUA==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgKo/47DaveCl90GxH
+LCE7IGBua2XsE+jI4RUWZrqjhBGhRANCAASLWYJ9QvGQbypJDaBKH1i9CSwk2h09
+pSY+3fY0bUiokdj5TrXeR4bXg6j+/CuHoJUTJOZ6rJhKKGpX2zbBQcvE
+-----END PRIVATE KEY-----
diff --git a/lib/hx509/doxygen.c b/lib/hx509/doxygen.c
index 0c7dd780aedb..a6d3d9ca0ab1 100644
--- a/lib/hx509/doxygen.c
+++ b/lib/hx509/doxygen.c
@@ -82,4 +82,4 @@
* See the @ref page_ca for description and examples. */
/** @defgroup hx509_peer hx509 certificate selecting functions */
/** @defgroup hx509_print hx509 printing functions */
-/** @defgroup hx509_env hx509 enviroment functions */
+/** @defgroup hx509_env hx509 environment functions */
diff --git a/lib/hx509/env.c b/lib/hx509/env.c
index 7598aebaae74..70969504b3a8 100644
--- a/lib/hx509/env.c
+++ b/lib/hx509/env.c
@@ -34,7 +34,7 @@
#include "hx_locl.h"
/**
- * @page page_env Hx509 enviroment functions
+ * @page page_env Hx509 environment functions
*
* See the library functions here: @ref hx509_env
*/
@@ -43,7 +43,7 @@
* Add a new key/value pair to the hx509_env.
*
* @param context A hx509 context.
- * @param env enviroment to add the enviroment variable too.
+ * @param env environment to add the environment variable too.
* @param key key to add
* @param value value to add
*
@@ -94,7 +94,7 @@ hx509_env_add(hx509_context context, hx509_env *env,
* Add a new key/binding pair to the hx509_env.
*
* @param context A hx509 context.
- * @param env enviroment to add the enviroment variable too.
+ * @param env environment to add the environment variable too.
* @param key key to add
* @param list binding list to add
*
@@ -141,7 +141,7 @@ hx509_env_add_binding(hx509_context context, hx509_env *env,
* Search the hx509_env for a length based key.
*
* @param context A hx509 context.
- * @param env enviroment to add the enviroment variable too.
+ * @param env environment to add the environment variable too.
* @param key key to search for.
* @param len length of key.
*
@@ -167,7 +167,7 @@ hx509_env_lfind(hx509_context context, hx509_env env,
* Search the hx509_env for a key.
*
* @param context A hx509 context.
- * @param env enviroment to add the enviroment variable too.
+ * @param env environment to add the environment variable too.
* @param key key to search for.
*
* @return the value if the key is found, NULL otherwise.
@@ -190,7 +190,7 @@ hx509_env_find(hx509_context context, hx509_env env, const char *key)
* Search the hx509_env for a binding.
*
* @param context A hx509 context.
- * @param env enviroment to add the enviroment variable too.
+ * @param env environment to add the environment variable too.
* @param key key to search for.
*
* @return the binding if the key is found, NULL if not found.
@@ -229,9 +229,9 @@ env_free(hx509_env b)
}
/**
- * Free an hx509_env enviroment context.
+ * Free an hx509_env environment context.
*
- * @param env the enviroment to free.
+ * @param env the environment to free.
*
* @ingroup hx509_env
*/
diff --git a/lib/hx509/error.c b/lib/hx509/error.c
index fc3cf90b3255..be09414bfffa 100644
--- a/lib/hx509/error.c
+++ b/lib/hx509/error.c
@@ -45,17 +45,6 @@ struct hx509_error_data {
char *msg;
};
-static void
-free_error_string(hx509_error msg)
-{
- while(msg) {
- hx509_error m2 = msg->next;
- free(msg->msg);
- free(msg);
- msg = m2;
- }
-}
-
/**
* Resets the error strings the hx509 context.
*
@@ -68,7 +57,7 @@ void
hx509_clear_error_string(hx509_context context)
{
if (context) {
- free_error_string(context->error);
+ heim_release(context->error);
context->error = NULL;
}
}
@@ -91,31 +80,18 @@ void
hx509_set_error_stringv(hx509_context context, int flags, int code,
const char *fmt, va_list ap)
{
- hx509_error msg;
+ heim_error_t msg;
if (context == NULL)
return;
- msg = calloc(1, sizeof(*msg));
- if (msg == NULL) {
- hx509_clear_error_string(context);
- return;
- }
-
- if (vasprintf(&msg->msg, fmt, ap) == -1) {
- hx509_clear_error_string(context);
- free(msg);
- return;
- }
- msg->code = code;
-
- if (flags & HX509_ERROR_APPEND) {
- msg->next = context->error;
- context->error = msg;
- } else {
- free_error_string(context->error);
- context->error = msg;
+ msg = heim_error_createv(code, fmt, ap);
+ if (msg) {
+ if (flags & HX509_ERROR_APPEND)
+ heim_error_append(msg, context->error);
+ heim_release(context->error);
}
+ context->error = msg;
}
/**
@@ -157,12 +133,12 @@ hx509_set_error_string(hx509_context context, int flags, int code,
char *
hx509_get_error_string(hx509_context context, int error_code)
{
- struct rk_strpool *p = NULL;
- hx509_error msg = context->error;
+ heim_error_t msg = context->error;
+ heim_string_t s;
+ char *str = NULL;
- if (msg == NULL || msg->code != error_code) {
+ if (msg == NULL || heim_error_get_code(msg) != error_code) {
const char *cstr;
- char *str;
cstr = com_right(context->et_list, error_code);
if (cstr)
@@ -175,11 +151,14 @@ hx509_get_error_string(hx509_context context, int error_code)
return str;
}
- for (msg = context->error; msg; msg = msg->next)
- p = rk_strpoolprintf(p, "%s%s", msg->msg,
- msg->next != NULL ? "; " : "");
-
- return rk_strpoolcollect(p);
+ s = heim_error_copy_string(msg);
+ if (s) {
+ const char *cstr = heim_string_get_utf8(s);
+ if (cstr)
+ str = strdup(cstr);
+ heim_release(s);
+ }
+ return str;
}
/**
@@ -215,13 +194,14 @@ hx509_err(hx509_context context, int exit_code,
va_list ap;
const char *msg;
char *str;
+ int ret;
va_start(ap, fmt);
- vasprintf(&str, fmt, ap);
+ ret = vasprintf(&str, fmt, ap);
va_end(ap);
msg = hx509_get_error_string(context, error_code);
if (msg == NULL)
msg = "no error";
- errx(exit_code, "%s: %s", str, msg);
+ errx(exit_code, "%s: %s", ret != -1 ? str : "ENOMEM", msg);
}
diff --git a/lib/hx509/file.c b/lib/hx509/file.c
index 4f7e87f070ae..5401af7a0f43 100644
--- a/lib/hx509/file.c
+++ b/lib/hx509/file.c
@@ -98,7 +98,7 @@ hx509_pem_write(hx509_context context, const char *type,
if (length > ENCODE_LINE_LENGTH)
length = ENCODE_LINE_LENGTH;
- l = base64_encode(p, length, &line);
+ l = rk_base64_encode(p, length, &line);
if (l < 0) {
hx509_set_error_string(context, 0, ENOMEM,
"malloc - out of memory");
@@ -255,7 +255,7 @@ hx509_pem_read(hx509_context context,
}
p = emalloc(i);
- i = base64_decode(buf, p);
+ i = rk_base64_decode(buf, p);
if (i < 0) {
free(p);
goto out;
diff --git a/lib/hx509/hx509-private.h b/lib/hx509/hx509-private.h
index 60891f27fca6..72d3bbdfa748 100644
--- a/lib/hx509/hx509-private.h
+++ b/lib/hx509/hx509-private.h
@@ -30,7 +30,7 @@ void
_hx509_abort (
const char */*fmt*/,
...)
- __attribute__ ((noreturn, format (printf, 1, 2)));
+ __attribute__ ((__noreturn__, __format__ (__printf__, 1, 2)));
int
_hx509_calculate_path (
@@ -193,6 +193,9 @@ _hx509_find_extension_subject_key_id (
const Certificate */*issuer*/,
SubjectKeyIdentifier */*si*/);
+const struct signature_alg *
+_hx509_find_sig_alg (const heim_oid */*oid*/);
+
int
_hx509_generate_private_key (
hx509_context /*context*/,
@@ -333,6 +336,9 @@ _hx509_pi_printf (
const char */*fmt*/,
...);
+void
+_hx509_private_eckey_free (void */*eckey*/);
+
int
_hx509_private_key_export (
hx509_context /*context*/,
@@ -440,10 +446,16 @@ _hx509_set_cert_attribute (
const heim_octet_string */*attr*/);
int
-_hx509_signature_best_before (
+_hx509_set_digest_alg (
+ DigestAlgorithmIdentifier */*id*/,
+ const heim_oid */*oid*/,
+ const void */*param*/,
+ size_t /*length*/);
+
+int
+_hx509_signature_is_weak (
hx509_context /*context*/,
- const AlgorithmIdentifier */*alg*/,
- time_t /*t*/);
+ const AlgorithmIdentifier */*alg*/);
void
_hx509_unmap_file_os (heim_octet_string */*os*/);
diff --git a/lib/hx509/hx509-protos.h b/lib/hx509/hx509-protos.h
index d03c7767e541..8de7a67ab7df 100644
--- a/lib/hx509/hx509-protos.h
+++ b/lib/hx509/hx509-protos.h
@@ -1,6 +1,7 @@
/* This is a generated file */
#ifndef __hx509_protos_h__
#define __hx509_protos_h__
+#ifndef DOXY
#include <stdarg.h>
@@ -21,12 +22,47 @@ extern "C" {
#endif
#endif
#endif
+/**
+ * Print a bitstring using a hx509_vprint_func function. To print to
+ * stdout use hx509_print_stdout().
+ *
+ * @param b bit string to print.
+ * @param func hx509_vprint_func to print with.
+ * @param ctx context variable to hx509_vprint_func function.
+ *
+ * @ingroup hx509_print
+ */
+
void
hx509_bitstring_print (
const heim_bit_string */*b*/,
hx509_vprint_func /*func*/,
void */*ctx*/);
+/**
+ * Sign a to-be-signed certificate object with a issuer certificate.
+ *
+ * The caller needs to at least have called the following functions on the
+ * to-be-signed certificate object:
+ * - hx509_ca_tbs_init()
+ * - hx509_ca_tbs_set_subject()
+ * - hx509_ca_tbs_set_spki()
+ *
+ * When done the to-be-signed certificate object should be freed with
+ * hx509_ca_tbs_free().
+ *
+ * When creating self-signed certificate use hx509_ca_sign_self() instead.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param signer the CA certificate object to sign with (need private key).
+ * @param certificate return cerificate, free with hx509_cert_free().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_sign (
hx509_context /*context*/,
@@ -34,6 +70,19 @@ hx509_ca_sign (
hx509_cert /*signer*/,
hx509_cert */*certificate*/);
+/**
+ * Work just like hx509_ca_sign() but signs it-self.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param signer private key to sign with.
+ * @param certificate return cerificate, free with hx509_cert_free().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_sign_self (
hx509_context /*context*/,
@@ -41,6 +90,20 @@ hx509_ca_sign_self (
hx509_private_key /*signer*/,
hx509_cert */*certificate*/);
+/**
+ * Add CRL distribution point URI to the to-be-signed certificate
+ * object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param uri uri to the CRL.
+ * @param issuername name of the issuer.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_add_crl_dp_uri (
hx509_context /*context*/,
@@ -48,30 +111,99 @@ hx509_ca_tbs_add_crl_dp_uri (
const char */*uri*/,
hx509_name /*issuername*/);
+/**
+ * An an extended key usage to the to-be-signed certificate object.
+ * Duplicates will detected and not added.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param oid extended key usage to add.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_add_eku (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
const heim_oid */*oid*/);
+/**
+ * Add a Subject Alternative Name hostname to to-be-signed certificate
+ * object. A domain match starts with ., an exact match does not.
+ *
+ * Example of a an domain match: .domain.se matches the hostname
+ * host.domain.se.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param dnsname a hostame.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_add_san_hostname (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
const char */*dnsname*/);
+/**
+ * Add a Jabber/XMPP jid Subject Alternative Name to the to-be-signed
+ * certificate object. The jid is an UTF8 string.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param jid string of an a jabber id in UTF8.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_add_san_jid (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
const char */*jid*/);
+/**
+ * Add Microsoft UPN Subject Alternative Name to the to-be-signed
+ * certificate object. The principal string is a UTF8 string.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param principal Microsoft UPN string.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_add_san_ms_upn (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
const char */*principal*/);
+/**
+ * Add Subject Alternative Name otherName to the to-be-signed
+ * certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param oid the oid of the OtherName.
+ * @param os data in the other name.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_add_san_otherName (
hx509_context /*context*/,
@@ -79,79 +211,273 @@ hx509_ca_tbs_add_san_otherName (
const heim_oid */*oid*/,
const heim_octet_string */*os*/);
+/**
+ * Add Kerberos Subject Alternative Name to the to-be-signed
+ * certificate object. The principal string is a UTF8 string.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param principal Kerberos principal to add to the certificate.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_add_san_pkinit (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
const char */*principal*/);
+/**
+ * Add a Subject Alternative Name rfc822 (email address) to
+ * to-be-signed certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param rfc822Name a string to a email address.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_add_san_rfc822name (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
const char */*rfc822Name*/);
+/**
+ * Free an To Be Signed object.
+ *
+ * @param tbs object to free.
+ *
+ * @ingroup hx509_ca
+ */
+
void
hx509_ca_tbs_free (hx509_ca_tbs */*tbs*/);
+/**
+ * Allocate an to-be-signed certificate object that will be converted
+ * into an certificate.
+ *
+ * @param context A hx509 context.
+ * @param tbs returned to-be-signed certicate object, free with
+ * hx509_ca_tbs_free().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_init (
hx509_context /*context*/,
hx509_ca_tbs */*tbs*/);
+/**
+ * Make the to-be-signed certificate object a CA certificate. If the
+ * pathLenConstraint is negative path length constraint is used.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param pathLenConstraint path length constraint, negative, no
+ * constraint.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_ca (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
int /*pathLenConstraint*/);
+/**
+ * Make the to-be-signed certificate object a windows domain controller certificate.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_domaincontroller (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/);
+/**
+ * Set the absolute time when the certificate is valid to.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param t time when the certificate will expire
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_notAfter (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
time_t /*t*/);
+/**
+ * Set the relative time when the certificiate is going to expire.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param delta seconds to the certificate is going to expire.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_notAfter_lifetime (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
time_t /*delta*/);
+/**
+ * Set the absolute time when the certificate is valid from. If not
+ * set the current time will be used.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param t time the certificated will start to be valid
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_notBefore (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
time_t /*t*/);
+/**
+ * Make the to-be-signed certificate object a proxy certificate. If the
+ * pathLenConstraint is negative path length constraint is used.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param pathLenConstraint path length constraint, negative, no
+ * constraint.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_proxy (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
int /*pathLenConstraint*/);
+/**
+ * Set the serial number to use for to-be-signed certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param serialNumber serial number to use for the to-be-signed
+ * certificate object.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_serialnumber (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
const heim_integer */*serialNumber*/);
+/**
+ * Set signature algorithm on the to be signed certificate
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param sigalg signature algorithm to use
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_set_signature_algorithm (
+ hx509_context /*context*/,
+ hx509_ca_tbs /*tbs*/,
+ const AlgorithmIdentifier */*sigalg*/);
+
+/**
+ * Set the subject public key info (SPKI) in the to-be-signed certificate
+ * object. SPKI is the public key and key related parameters in the
+ * certificate.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param spki subject public key info to use for the to-be-signed certificate object.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_spki (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
const SubjectPublicKeyInfo */*spki*/);
+/**
+ * Set the subject name of a to-be-signed certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param subject the name to set a subject.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_subject (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
hx509_name /*subject*/);
+/**
+ * Initialize the to-be-signed certificate object from a template certifiate.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param flags bit field selecting what to copy from the template
+ * certifiate.
+ * @param cert template certificate.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_template (
hx509_context /*context*/,
@@ -159,6 +485,24 @@ hx509_ca_tbs_set_template (
int /*flags*/,
hx509_cert /*cert*/);
+/**
+ * Set the issuerUniqueID and subjectUniqueID
+ *
+ * These are only supposed to be used considered with version 2
+ * certificates, replaced by the two extensions SubjectKeyIdentifier
+ * and IssuerKeyIdentifier. This function is to allow application
+ * using legacy protocol to issue them.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param issuerUniqueID to be set
+ * @param subjectUniqueID to be set
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_unique (
hx509_context /*context*/,
@@ -166,21 +510,71 @@ hx509_ca_tbs_set_unique (
const heim_bit_string */*subjectUniqueID*/,
const heim_bit_string */*issuerUniqueID*/);
+/**
+ * Expand the the subject name in the to-be-signed certificate object
+ * using hx509_name_expand().
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param env environment variable to expand variables in the subject
+ * name, see hx509_env_init().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_subject_expand (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
hx509_env /*env*/);
+/**
+ * Make of template units, use to build flags argument to
+ * hx509_ca_tbs_set_template() with parse_units().
+ *
+ * @return an units structure.
+ *
+ * @ingroup hx509_ca
+ */
+
const struct units *
hx509_ca_tbs_template_units (void);
+/**
+ * Encodes the hx509 certificate as a DER encode binary.
+ *
+ * @param context A hx509 context.
+ * @param c the certificate to encode.
+ * @param os the encode certificate, set to NULL, 0 on case of
+ * error. Free the os->data with hx509_xfree().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_binary (
hx509_context /*context*/,
hx509_cert /*c*/,
heim_octet_string */*os*/);
+/**
+ * Check the extended key usage on the hx509 certificate.
+ *
+ * @param context A hx509 context.
+ * @param cert A hx509 context.
+ * @param eku the EKU to check for
+ * @param allow_any_eku if the any EKU is set, allow that to be a
+ * substitute.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_check_eku (
hx509_context /*context*/,
@@ -188,11 +582,40 @@ hx509_cert_check_eku (
const heim_oid */*eku*/,
int /*allow_any_eku*/);
+/**
+ * Compare to hx509 certificate object, useful for sorting.
+ *
+ * @param p a hx509 certificate object.
+ * @param q a hx509 certificate object.
+ *
+ * @return 0 the objects are the same, returns > 0 is p is "larger"
+ * then q, < 0 if p is "smaller" then q.
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_cmp (
hx509_cert /*p*/,
hx509_cert /*q*/);
+/**
+ * Return a list of subjectAltNames specified by oid in the
+ * certificate. On error the
+ *
+ * The returned list of octet string should be freed with
+ * hx509_free_octet_string_list().
+ *
+ * @param context A hx509 context.
+ * @param cert a hx509 certificate object.
+ * @param oid an oid to for SubjectAltName.
+ * @param list list of matching SubjectAltName.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_find_subjectAltName_otherName (
hx509_context /*context*/,
@@ -200,62 +623,223 @@ hx509_cert_find_subjectAltName_otherName (
const heim_oid */*oid*/,
hx509_octet_string_list */*list*/);
+/**
+ * Free reference to the hx509 certificate object, if the refcounter
+ * reaches 0, the object if freed. Its allowed to pass in NULL.
+ *
+ * @param cert the cert to free.
+ *
+ * @ingroup hx509_cert
+ */
+
void
hx509_cert_free (hx509_cert /*cert*/);
+/**
+ * Get the SubjectPublicKeyInfo structure from the hx509 certificate.
+ *
+ * @param context a hx509 context.
+ * @param p a hx509 certificate object.
+ * @param spki SubjectPublicKeyInfo, should be freed with
+ * free_SubjectPublicKeyInfo().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_get_SPKI (
hx509_context /*context*/,
hx509_cert /*p*/,
SubjectPublicKeyInfo */*spki*/);
+/**
+ * Get the AlgorithmIdentifier from the hx509 certificate.
+ *
+ * @param context a hx509 context.
+ * @param p a hx509 certificate object.
+ * @param alg AlgorithmIdentifier, should be freed with
+ * free_AlgorithmIdentifier(). The algorithmidentifier is
+ * typicly rsaEncryption, or id-ecPublicKey, or some other
+ * public key mechanism.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_get_SPKI_AlgorithmIdentifier (
hx509_context /*context*/,
hx509_cert /*p*/,
AlgorithmIdentifier */*alg*/);
+/**
+ * Get an external attribute for the certificate, examples are
+ * friendly name and id.
+ *
+ * @param cert hx509 certificate object to search
+ * @param oid an oid to search for.
+ *
+ * @return an hx509_cert_attribute, only valid as long as the
+ * certificate is referenced.
+ *
+ * @ingroup hx509_cert
+ */
+
hx509_cert_attribute
hx509_cert_get_attribute (
hx509_cert /*cert*/,
const heim_oid */*oid*/);
+/**
+ * Return the name of the base subject of the hx509 certificate. If
+ * the certiicate is a verified proxy certificate, the this function
+ * return the base certificate (root of the proxy chain). If the proxy
+ * certificate is not verified with the base certificate
+ * HX509_PROXY_CERTIFICATE_NOT_CANONICALIZED is returned.
+ *
+ * @param context a hx509 context.
+ * @param c a hx509 certificate object.
+ * @param name a pointer to a hx509 name, should be freed by
+ * hx509_name_free(). See also hx509_cert_get_subject().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_get_base_subject (
hx509_context /*context*/,
hx509_cert /*c*/,
hx509_name */*name*/);
+/**
+ * Get friendly name of the certificate.
+ *
+ * @param cert cert to get the friendly name from.
+ *
+ * @return an friendly name or NULL if there is. The friendly name is
+ * only valid as long as the certificate is referenced.
+ *
+ * @ingroup hx509_cert
+ */
+
const char *
hx509_cert_get_friendly_name (hx509_cert /*cert*/);
+/**
+ * Return the name of the issuer of the hx509 certificate.
+ *
+ * @param p a hx509 certificate object.
+ * @param name a pointer to a hx509 name, should be freed by
+ * hx509_name_free().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_get_issuer (
hx509_cert /*p*/,
hx509_name */*name*/);
+/**
+ * Get a copy of the Issuer Unique ID
+ *
+ * @param context a hx509_context
+ * @param p a hx509 certificate
+ * @param issuer the issuer id returned, free with der_free_bit_string()
+ *
+ * @return An hx509 error code, see hx509_get_error_string(). The
+ * error code HX509_EXTENSION_NOT_FOUND is returned if the certificate
+ * doesn't have a issuerUniqueID
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_get_issuer_unique_id (
hx509_context /*context*/,
hx509_cert /*p*/,
heim_bit_string */*issuer*/);
+/**
+ * Get notAfter time of the certificate.
+ *
+ * @param p a hx509 certificate object.
+ *
+ * @return return not after time.
+ *
+ * @ingroup hx509_cert
+ */
+
time_t
hx509_cert_get_notAfter (hx509_cert /*p*/);
+/**
+ * Get notBefore time of the certificate.
+ *
+ * @param p a hx509 certificate object.
+ *
+ * @return return not before time
+ *
+ * @ingroup hx509_cert
+ */
+
time_t
hx509_cert_get_notBefore (hx509_cert /*p*/);
+/**
+ * Get serial number of the certificate.
+ *
+ * @param p a hx509 certificate object.
+ * @param i serial number, should be freed ith der_free_heim_integer().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_get_serialnumber (
hx509_cert /*p*/,
heim_integer */*i*/);
+/**
+ * Return the name of the subject of the hx509 certificate.
+ *
+ * @param p a hx509 certificate object.
+ * @param name a pointer to a hx509 name, should be freed by
+ * hx509_name_free(). See also hx509_cert_get_base_subject().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_get_subject (
hx509_cert /*p*/,
hx509_name */*name*/);
+/**
+ * Get a copy of the Subect Unique ID
+ *
+ * @param context a hx509_context
+ * @param p a hx509 certificate
+ * @param subject the subject id returned, free with der_free_bit_string()
+ *
+ * @return An hx509 error code, see hx509_get_error_string(). The
+ * error code HX509_EXTENSION_NOT_FOUND is returned if the certificate
+ * doesn't have a subjectUniqueID
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_get_subject_unique_id (
hx509_context /*context*/,
@@ -265,18 +849,63 @@ hx509_cert_get_subject_unique_id (
int
hx509_cert_have_private_key (hx509_cert /*p*/);
-int
+/**
+ * Allocate and init an hx509 certificate object from the decoded
+ * certificate `c´.
+ *
+ * @param context A hx509 context.
+ * @param c
+ * @param error
+ *
+ * @return Returns an hx509 certificate
+ *
+ * @ingroup hx509_cert
+ */
+
+hx509_cert
hx509_cert_init (
hx509_context /*context*/,
const Certificate */*c*/,
- hx509_cert */*cert*/);
+ heim_error_t */*error*/);
+
+/**
+ * Just like hx509_cert_init(), but instead of a decode certificate
+ * takes an pointer and length to a memory region that contains a
+ * DER/BER encoded certificate.
+ *
+ * If the memory region doesn't contain just the certificate and
+ * nothing more the function will fail with
+ * HX509_EXTRA_DATA_AFTER_STRUCTURE.
+ *
+ * @param context A hx509 context.
+ * @param ptr pointer to memory region containing encoded certificate.
+ * @param len length of memory region.
+ * @param error possibly returns an error
+ *
+ * @return An hx509 certificate
+ *
+ * @ingroup hx509_cert
+ */
-int
+hx509_cert
hx509_cert_init_data (
hx509_context /*context*/,
const void */*ptr*/,
size_t /*len*/,
- hx509_cert */*cert*/);
+ heim_error_t */*error*/);
+
+/**
+ * Print certificate usage for a certificate to a string.
+ *
+ * @param context A hx509 context.
+ * @param c a certificate print the keyusage for.
+ * @param s the return string with the keysage printed in to, free
+ * with hx509_xfree().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
int
hx509_cert_keyusage_print (
@@ -292,20 +921,72 @@ hx509_cert_public_encrypt (
heim_oid */*encryption_oid*/,
heim_octet_string */*ciphertext*/);
+/**
+ * Add a reference to a hx509 certificate object.
+ *
+ * @param cert a pointer to an hx509 certificate object.
+ *
+ * @return the same object as is passed in.
+ *
+ * @ingroup hx509_cert
+ */
+
hx509_cert
hx509_cert_ref (hx509_cert /*cert*/);
+/**
+ * Set the friendly name on the certificate.
+ *
+ * @param cert The certificate to set the friendly name on
+ * @param name Friendly name.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_set_friendly_name (
hx509_cert /*cert*/,
const char */*name*/);
+/**
+ * Add a certificate to the certificiate store.
+ *
+ * The receiving keyset certs will either increase reference counter
+ * of the cert or make a deep copy, either way, the caller needs to
+ * free the cert itself.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to add the certificate to.
+ * @param cert certificate to add.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_add (
hx509_context /*context*/,
hx509_certs /*certs*/,
hx509_cert /*cert*/);
+/**
+ * Same a hx509_certs_merge() but use a lock and name to describe the
+ * from source.
+ *
+ * @param context a hx509 context.
+ * @param to the store to merge into.
+ * @param lock a lock that unlocks the certificates store, use NULL to
+ * select no password/certifictes/prompt lock (see @ref page_lock).
+ * @param name name of the source store
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_append (
hx509_context /*context*/,
@@ -313,12 +994,38 @@ hx509_certs_append (
hx509_lock /*lock*/,
const char */*name*/);
+/**
+ * End the iteration over certificates.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over.
+ * @param cursor cursor that will keep track of progress, freed.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_end_seq (
hx509_context /*context*/,
hx509_certs /*certs*/,
hx509_cursor /*cursor*/);
+/**
+ * Filter certificate matching the query.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to search.
+ * @param q query allocated with @ref hx509_query functions.
+ * @param result the filtered certificate store, caller must free with
+ * hx509_certs_free().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_filter (
hx509_context /*context*/,
@@ -326,6 +1033,20 @@ hx509_certs_filter (
const hx509_query */*q*/,
hx509_certs */*result*/);
+/**
+ * Find a certificate matching the query.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to search.
+ * @param q query allocated with @ref hx509_query functions.
+ * @param r return certificate (or NULL on error), should be freed
+ * with hx509_cert_free().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_find (
hx509_context /*context*/,
@@ -333,9 +1054,32 @@ hx509_certs_find (
const hx509_query */*q*/,
hx509_cert */*r*/);
+/**
+ * Free a certificate store.
+ *
+ * @param certs certificate store to free.
+ *
+ * @ingroup hx509_keyset
+ */
+
void
hx509_certs_free (hx509_certs */*certs*/);
+/**
+ * Print some info about the certificate store.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to print information about.
+ * @param func function that will get each line of the information, if
+ * NULL is used the data is printed on a FILE descriptor that should
+ * be passed in ctx, if ctx also is NULL, stdout is used.
+ * @param ctx parameter to func.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_info (
hx509_context /*context*/,
@@ -343,6 +1087,24 @@ hx509_certs_info (
int (*/*func*/)(void *, const char *),
void */*ctx*/);
+/**
+ * Open or creates a new hx509 certificate store.
+ *
+ * @param context A hx509 context
+ * @param name name of the store, format is TYPE:type-specific-string,
+ * if NULL is used the MEMORY store is used.
+ * @param flags list of flags:
+ * - HX509_CERTS_CREATE create a new keystore of the specific TYPE.
+ * - HX509_CERTS_UNPROTECT_ALL fails if any private key failed to be extracted.
+ * @param lock a lock that unlocks the certificates store, use NULL to
+ * select no password/certifictes/prompt lock (see @ref page_lock).
+ * @param certs return pointer, free with hx509_certs_free().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_init (
hx509_context /*context*/,
@@ -351,6 +1113,21 @@ hx509_certs_init (
hx509_lock /*lock*/,
hx509_certs */*certs*/);
+/**
+ * Iterate over all certificates in a keystore and call a block
+ * for each of them.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over.
+ * @param func block to call for each certificate. The function
+ * should return non-zero to abort the iteration, that value is passed
+ * back to the caller of hx509_certs_iter().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
#ifdef __BLOCKS__
int
hx509_certs_iter (
@@ -359,6 +1136,22 @@ hx509_certs_iter (
int (^func)(hx509_cert));
#endif /* __BLOCKS__ */
+/**
+ * Iterate over all certificates in a keystore and call a function
+ * for each of them.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over.
+ * @param func function to call for each certificate. The function
+ * should return non-zero to abort the iteration, that value is passed
+ * back to the caller of hx509_certs_iter_f().
+ * @param ctx context variable that will passed to the function.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_iter_f (
hx509_context /*context*/,
@@ -366,12 +1159,40 @@ hx509_certs_iter_f (
int (*/*func*/)(hx509_context, void *, hx509_cert),
void */*ctx*/);
+/**
+ * Merge a certificate store into another. The from store is keep
+ * intact.
+ *
+ * @param context a hx509 context.
+ * @param to the store to merge into.
+ * @param from the store to copy the object from.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_merge (
hx509_context /*context*/,
hx509_certs /*to*/,
hx509_certs /*from*/);
+/**
+ * Get next ceritificate from the certificate keystore pointed out by
+ * cursor.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over.
+ * @param cursor cursor that keeps track of progress.
+ * @param cert return certificate next in store, NULL if the store
+ * contains no more certificates. Free with hx509_cert_free().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_next_cert (
hx509_context /*context*/,
@@ -382,12 +1203,42 @@ hx509_certs_next_cert (
hx509_certs
hx509_certs_ref (hx509_certs /*certs*/);
+/**
+ * Start the integration
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over
+ * @param cursor cursor that will keep track of progress, free with
+ * hx509_certs_end_seq().
+ *
+ * @return Returns an hx509 error code. HX509_UNSUPPORTED_OPERATION is
+ * returned if the certificate store doesn't support the iteration
+ * operation.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_start_seq (
hx509_context /*context*/,
hx509_certs /*certs*/,
hx509_cursor */*cursor*/);
+/**
+ * Write the certificate store to stable storage.
+ *
+ * @param context A hx509 context.
+ * @param certs a certificate store to store.
+ * @param flags currently unused, use 0.
+ * @param lock a lock that unlocks the certificates store, use NULL to
+ * select no password/certifictes/prompt lock (see @ref page_lock).
+ *
+ * @return Returns an hx509 error code. HX509_UNSUPPORTED_OPERATION if
+ * the certificate store doesn't support the store operation.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_store (
hx509_context /*context*/,
@@ -395,12 +1246,33 @@ hx509_certs_store (
int /*flags*/,
hx509_lock /*lock*/);
+/**
+ * Function to use to hx509_certs_iter_f() as a function argument, the
+ * ctx variable to hx509_certs_iter_f() should be a FILE file descriptor.
+ *
+ * @param context a hx509 context.
+ * @param ctx used by hx509_certs_iter_f().
+ * @param c a certificate
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_ci_print_names (
hx509_context /*context*/,
void */*ctx*/,
hx509_cert /*c*/);
+/**
+ * Resets the error strings the hx509 context.
+ *
+ * @param context A hx509 context.
+ *
+ * @ingroup hx509_error
+ */
+
void
hx509_clear_error_string (hx509_context /*context*/);
@@ -418,6 +1290,31 @@ hx509_cms_create_signed (
hx509_certs /*pool*/,
heim_octet_string */*signed_data*/);
+/**
+ * Decode SignedData and verify that the signature is correct.
+ *
+ * @param context A hx509 context.
+ * @param flags
+ * @param eContentType the type of the data.
+ * @param data data to sign
+ * @param length length of the data that data point to.
+ * @param digest_alg digest algorithm to use, use NULL to get the
+ * default or the peer determined algorithm.
+ * @param cert certificate to use for sign the data.
+ * @param peer info about the peer the message to send the message to,
+ * like what digest algorithm to use.
+ * @param anchors trust anchors that the client will use, used to
+ * polulate the certificates included in the message
+ * @param pool certificates to use in try to build the path to the
+ * trust anchors.
+ * @param signed_data the output of the function, free with
+ * der_free_octet_string().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_cms
+ */
+
int
hx509_cms_create_signed_1 (
hx509_context /*context*/,
@@ -432,6 +1329,11 @@ hx509_cms_create_signed_1 (
hx509_certs /*pool*/,
heim_octet_string */*signed_data*/);
+/**
+ * Use HX509_CMS_SIGNATURE_NO_SIGNER to create no sigInfo (no
+ * signatures).
+ */
+
int
hx509_cms_decrypt_encrypted (
hx509_context /*context*/,
@@ -441,6 +1343,34 @@ hx509_cms_decrypt_encrypted (
heim_oid */*contentType*/,
heim_octet_string */*content*/);
+/**
+ * Encrypt end encode EnvelopedData.
+ *
+ * Encrypt and encode EnvelopedData. The data is encrypted with a
+ * random key and the the random key is encrypted with the
+ * certificates private key. This limits what private key type can be
+ * used to RSA.
+ *
+ * @param context A hx509 context.
+ * @param flags flags to control the behavior.
+ * - HX509_CMS_EV_NO_KU_CHECK - Dont check KU on certificate
+ * - HX509_CMS_EV_ALLOW_WEAK - Allow weak crytpo
+ * - HX509_CMS_EV_ID_NAME - prefer issuer name and serial number
+ * @param cert Certificate to encrypt the EnvelopedData encryption key
+ * with.
+ * @param data pointer the data to encrypt.
+ * @param length length of the data that data point to.
+ * @param encryption_type Encryption cipher to use for the bulk data,
+ * use NULL to get default.
+ * @param contentType type of the data that is encrypted
+ * @param content the output of the function,
+ * free with der_free_octet_string().
+ *
+ * @return an hx509 error code.
+ *
+ * @ingroup hx509_cms
+ */
+
int
hx509_cms_envelope_1 (
hx509_context /*context*/,
@@ -452,6 +1382,30 @@ hx509_cms_envelope_1 (
const heim_oid */*contentType*/,
heim_octet_string */*content*/);
+/**
+ * Decode and unencrypt EnvelopedData.
+ *
+ * Extract data and parameteres from from the EnvelopedData. Also
+ * supports using detached EnvelopedData.
+ *
+ * @param context A hx509 context.
+ * @param certs Certificate that can decrypt the EnvelopedData
+ * encryption key.
+ * @param flags HX509_CMS_UE flags to control the behavior.
+ * @param data pointer the structure the contains the DER/BER encoded
+ * EnvelopedData stucture.
+ * @param length length of the data that data point to.
+ * @param encryptedContent in case of detached signature, this
+ * contains the actual encrypted data, othersize its should be NULL.
+ * @param time_now set the current time, if zero the library uses now as the date.
+ * @param contentType output type oid, should be freed with der_free_oid().
+ * @param content the data, free with der_free_octet_string().
+ *
+ * @return an hx509 error code.
+ *
+ * @ingroup hx509_cms
+ */
+
int
hx509_cms_unenvelope (
hx509_context /*context*/,
@@ -464,6 +1418,20 @@ hx509_cms_unenvelope (
heim_oid */*contentType*/,
heim_octet_string */*content*/);
+/**
+ * Decode an ContentInfo and unwrap data and oid it.
+ *
+ * @param in the encoded buffer.
+ * @param oid type of the content.
+ * @param out data to be wrapped.
+ * @param have_data since the data is optional, this flags show dthe
+ * diffrence between no data and the zero length data.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_cms
+ */
+
int
hx509_cms_unwrap_ContentInfo (
const heim_octet_string */*in*/,
@@ -471,6 +1439,30 @@ hx509_cms_unwrap_ContentInfo (
heim_octet_string */*out*/,
int */*have_data*/);
+/**
+ * Decode SignedData and verify that the signature is correct.
+ *
+ * @param context A hx509 context.
+ * @param ctx a hx509 verify context.
+ * @param flags to control the behaivor of the function.
+ * - HX509_CMS_VS_NO_KU_CHECK - Don't check KeyUsage
+ * - HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH - allow oid mismatch
+ * - HX509_CMS_VS_ALLOW_ZERO_SIGNER - no signer, see below.
+ * @param data pointer to CMS SignedData encoded data.
+ * @param length length of the data that data point to.
+ * @param signedContent external data used for signature.
+ * @param pool certificate pool to build certificates paths.
+ * @param contentType free with der_free_oid().
+ * @param content the output of the function, free with
+ * der_free_octet_string().
+ * @param signer_certs list of the cerficates used to sign this
+ * request, free with hx509_certs_free().
+ *
+ * @return an hx509 error code.
+ *
+ * @ingroup hx509_cms
+ */
+
int
hx509_cms_verify_signed (
hx509_context /*context*/,
@@ -484,45 +1476,152 @@ hx509_cms_verify_signed (
heim_octet_string */*content*/,
hx509_certs */*signer_certs*/);
+/**
+ * Wrap data and oid in a ContentInfo and encode it.
+ *
+ * @param oid type of the content.
+ * @param buf data to be wrapped. If a NULL pointer is passed in, the
+ * optional content field in the ContentInfo is not going be filled
+ * in.
+ * @param res the encoded buffer, the result should be freed with
+ * der_free_octet_string().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_cms
+ */
+
int
hx509_cms_wrap_ContentInfo (
const heim_oid */*oid*/,
const heim_octet_string */*buf*/,
heim_octet_string */*res*/);
+/**
+ * Free the context allocated by hx509_context_init().
+ *
+ * @param context context to be freed.
+ *
+ * @ingroup hx509
+ */
+
void
hx509_context_free (hx509_context */*context*/);
+/**
+ * Creates a hx509 context that most functions in the library
+ * uses. The context is only allowed to be used by one thread at each
+ * moment. Free the context with hx509_context_free().
+ *
+ * @param context Returns a pointer to new hx509 context.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509
+ */
+
int
hx509_context_init (hx509_context */*context*/);
+/**
+ * Selects if the hx509_revoke_verify() function is going to require
+ * the existans of a revokation method (OCSP, CRL) or not. Note that
+ * hx509_verify_path(), hx509_cms_verify_signed(), and other function
+ * call hx509_revoke_verify().
+ *
+ * @param context hx509 context to change the flag for.
+ * @param flag zero, revokation method required, non zero missing
+ * revokation method ok
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_context_set_missing_revoke (
hx509_context /*context*/,
int /*flag*/);
+/**
+ * Add revoked certificate to an CRL context.
+ *
+ * @param context a hx509 context.
+ * @param crl the CRL to add the revoked certificate to.
+ * @param certs keyset of certificate to revoke.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
int
hx509_crl_add_revoked_certs (
hx509_context /*context*/,
hx509_crl /*crl*/,
hx509_certs /*certs*/);
+/**
+ * Create a CRL context. Use hx509_crl_free() to free the CRL context.
+ *
+ * @param context a hx509 context.
+ * @param crl return pointer to a newly allocated CRL context.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
int
hx509_crl_alloc (
hx509_context /*context*/,
hx509_crl */*crl*/);
+/**
+ * Free a CRL context.
+ *
+ * @param context a hx509 context.
+ * @param crl a CRL context to free.
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_crl_free (
hx509_context /*context*/,
hx509_crl */*crl*/);
+/**
+ * Set the lifetime of a CRL context.
+ *
+ * @param context a hx509 context.
+ * @param crl a CRL context
+ * @param delta delta time the certificate is valid, library adds the
+ * current time to this.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
int
hx509_crl_lifetime (
hx509_context /*context*/,
hx509_crl /*crl*/,
int /*delta*/);
+/**
+ * Sign a CRL and return an encode certificate.
+ *
+ * @param context a hx509 context.
+ * @param signer certificate to sign the CRL with
+ * @param crl the CRL to sign
+ * @param os return the signed and encoded CRL, free with
+ * free_heim_octet_string()
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
int
hx509_crl_sign (
hx509_context /*context*/,
@@ -635,6 +1734,19 @@ hx509_crypto_set_random_key (
hx509_crypto /*crypto*/,
heim_octet_string */*key*/);
+/**
+ * Add a new key/value pair to the hx509_env.
+ *
+ * @param context A hx509 context.
+ * @param env environment to add the environment variable too.
+ * @param key key to add
+ * @param value value to add
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_env
+ */
+
int
hx509_env_add (
hx509_context /*context*/,
@@ -642,6 +1754,19 @@ hx509_env_add (
const char */*key*/,
const char */*value*/);
+/**
+ * Add a new key/binding pair to the hx509_env.
+ *
+ * @param context A hx509 context.
+ * @param env environment to add the environment variable too.
+ * @param key key to add
+ * @param list binding list to add
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_env
+ */
+
int
hx509_env_add_binding (
hx509_context /*context*/,
@@ -649,21 +1774,66 @@ hx509_env_add_binding (
const char */*key*/,
hx509_env /*list*/);
+/**
+ * Search the hx509_env for a key.
+ *
+ * @param context A hx509 context.
+ * @param env environment to add the environment variable too.
+ * @param key key to search for.
+ *
+ * @return the value if the key is found, NULL otherwise.
+ *
+ * @ingroup hx509_env
+ */
+
const char *
hx509_env_find (
hx509_context /*context*/,
hx509_env /*env*/,
const char */*key*/);
+/**
+ * Search the hx509_env for a binding.
+ *
+ * @param context A hx509 context.
+ * @param env environment to add the environment variable too.
+ * @param key key to search for.
+ *
+ * @return the binding if the key is found, NULL if not found.
+ *
+ * @ingroup hx509_env
+ */
+
hx509_env
hx509_env_find_binding (
hx509_context /*context*/,
hx509_env /*env*/,
const char */*key*/);
+/**
+ * Free an hx509_env environment context.
+ *
+ * @param env the environment to free.
+ *
+ * @ingroup hx509_env
+ */
+
void
hx509_env_free (hx509_env */*env*/);
+/**
+ * Search the hx509_env for a length based key.
+ *
+ * @param context A hx509 context.
+ * @param env environment to add the environment variable too.
+ * @param key key to search for.
+ * @param len length of key.
+ *
+ * @return the value if the key is found, NULL otherwise.
+ *
+ * @ingroup hx509_env
+ */
+
const char *
hx509_env_lfind (
hx509_context /*context*/,
@@ -671,6 +1841,18 @@ hx509_env_lfind (
const char */*key*/,
size_t /*len*/);
+/**
+ * Print error message and fatally exit from error code
+ *
+ * @param context A hx509 context.
+ * @param exit_code exit() code from process.
+ * @param error_code Error code for the reason to exit.
+ * @param fmt format string with the exit message.
+ * @param ... argument to format string.
+ *
+ * @ingroup hx509_error
+ */
+
void
hx509_err (
hx509_context /*context*/,
@@ -682,22 +1864,73 @@ hx509_err (
hx509_private_key_ops *
hx509_find_private_alg (const heim_oid */*oid*/);
+/**
+ * Free error string returned by hx509_get_error_string().
+ *
+ * @param str error string to free.
+ *
+ * @ingroup hx509_error
+ */
+
void
hx509_free_error_string (char */*str*/);
+/**
+ * Free a list of octet strings returned by another hx509 library
+ * function.
+ *
+ * @param list list to be freed.
+ *
+ * @ingroup hx509_misc
+ */
+
void
hx509_free_octet_string_list (hx509_octet_string_list */*list*/);
+/**
+ * Unparse the hx509 name in name into a string.
+ *
+ * @param name the name to print
+ * @param str an allocated string returns the name in string form
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_general_name_unparse (
GeneralName */*name*/,
char **/*str*/);
+/**
+ * Get an error string from context associated with error_code.
+ *
+ * @param context A hx509 context.
+ * @param error_code Get error message for this error code.
+ *
+ * @return error string, free with hx509_free_error_string().
+ *
+ * @ingroup hx509_error
+ */
+
char *
hx509_get_error_string (
hx509_context /*context*/,
int /*error_code*/);
+/**
+ * Get one random certificate from the certificate store.
+ *
+ * @param context a hx509 context.
+ * @param certs a certificate store to get the certificate from.
+ * @param c return certificate, should be freed with hx509_cert_free().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_get_one_cert (
hx509_context /*context*/,
@@ -729,6 +1962,12 @@ hx509_lock_command_string (
void
hx509_lock_free (hx509_lock /*lock*/);
+/**
+ * @page page_lock Locking and unlocking certificates and encrypted data.
+ *
+ * See the library functions here: @ref hx509_lock
+ */
+
int
hx509_lock_init (
hx509_context /*context*/,
@@ -756,31 +1995,98 @@ hx509_lock_set_prompter (
hx509_prompter_fct /*prompt*/,
void */*data*/);
+/**
+ * Convert a hx509_name object to DER encoded name.
+ *
+ * @param name name to concert
+ * @param os data to a DER encoded name, free the resulting octet
+ * string with hx509_xfree(os->data).
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_name_binary (
const hx509_name /*name*/,
heim_octet_string */*os*/);
+/**
+ * Compare to hx509 name object, useful for sorting.
+ *
+ * @param n1 a hx509 name object.
+ * @param n2 a hx509 name object.
+ *
+ * @return 0 the objects are the same, returns > 0 is n2 is "larger"
+ * then n2, < 0 if n1 is "smaller" then n2.
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_name_cmp (
hx509_name /*n1*/,
hx509_name /*n2*/);
+/**
+ * Copy a hx509 name object.
+ *
+ * @param context A hx509 cotext.
+ * @param from the name to copy from
+ * @param to the name to copy to
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_name_copy (
hx509_context /*context*/,
const hx509_name /*from*/,
hx509_name */*to*/);
+/**
+ * Expands variables in the name using env. Variables are on the form
+ * ${name}. Useful when dealing with certificate templates.
+ *
+ * @param context A hx509 cotext.
+ * @param name the name to expand.
+ * @param env environment variable to expand.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_name_expand (
hx509_context /*context*/,
hx509_name /*name*/,
hx509_env /*env*/);
+/**
+ * Free a hx509 name object, upond return *name will be NULL.
+ *
+ * @param name a hx509 name object to be freed.
+ *
+ * @ingroup hx509_name
+ */
+
void
hx509_name_free (hx509_name */*name*/);
+/**
+ * Unparse the hx509 name in name into a string.
+ *
+ * @param name the name to check if its empty/null.
+ *
+ * @return non zero if the name is empty/null.
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_name_is_null_p (const hx509_name /*name*/);
@@ -789,16 +2095,56 @@ hx509_name_normalize (
hx509_context /*context*/,
hx509_name /*name*/);
+/**
+ * Convert a hx509_name into a Name.
+ *
+ * @param from the name to copy from
+ * @param to the name to copy to
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_name_to_Name (
const hx509_name /*from*/,
Name */*to*/);
+/**
+ * Convert the hx509 name object into a printable string.
+ * The resulting string should be freed with free().
+ *
+ * @param name name to print
+ * @param str the string to return
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_name_to_string (
const hx509_name /*name*/,
char **/*str*/);
+/**
+ * Create an OCSP request for a set of certificates.
+ *
+ * @param context a hx509 context
+ * @param reqcerts list of certificates to request ocsp data for
+ * @param pool certificate pool to use when signing
+ * @param signer certificate to use to sign the request
+ * @param digest the signing algorithm in the request, if NULL use the
+ * default signature algorithm,
+ * @param request the encoded request, free with free_heim_octet_string().
+ * @param nonce nonce in the request, free with free_heim_octet_string().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
int
hx509_ocsp_request (
hx509_context /*context*/,
@@ -809,6 +2155,25 @@ hx509_ocsp_request (
heim_octet_string */*request*/,
heim_octet_string */*nonce*/);
+/**
+ * Verify that the certificate is part of the OCSP reply and it's not
+ * expired. Doesn't verify signature the OCSP reply or it's done by a
+ * authorized sender, that is assumed to be already done.
+ *
+ * @param context a hx509 context
+ * @param now the time right now, if 0, use the current time.
+ * @param cert the certificate to verify
+ * @param flags flags control the behavior
+ * @param data pointer to the encode ocsp reply
+ * @param length the length of the encode ocsp reply
+ * @param expiration return the time the OCSP will expire and need to
+ * be rechecked.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
int
hx509_ocsp_verify (
hx509_context /*context*/,
@@ -819,17 +2184,51 @@ hx509_ocsp_verify (
size_t /*length*/,
time_t */*expiration*/);
+/**
+ * Print a oid using a hx509_vprint_func function. To print to stdout
+ * use hx509_print_stdout().
+ *
+ * @param oid oid to print
+ * @param func hx509_vprint_func to print with.
+ * @param ctx context variable to hx509_vprint_func function.
+ *
+ * @ingroup hx509_print
+ */
+
void
hx509_oid_print (
const heim_oid */*oid*/,
hx509_vprint_func /*func*/,
void */*ctx*/);
+/**
+ * Print a oid to a string.
+ *
+ * @param oid oid to print
+ * @param str allocated string, free with hx509_xfree().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
+
int
hx509_oid_sprint (
const heim_oid */*oid*/,
char **/*str*/);
+/**
+ * Parse a string into a hx509 name object.
+ *
+ * @param context A hx509 context.
+ * @param str a string to parse.
+ * @param name the resulting object, NULL in case of error.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_parse_name (
hx509_context /*context*/,
@@ -845,25 +2244,80 @@ hx509_parse_private_key (
hx509_key_format_t /*format*/,
hx509_private_key */*private_key*/);
+/**
+ * Add an additional algorithm that the peer supports.
+ *
+ * @param context A hx509 context.
+ * @param peer the peer to set the new algorithms for
+ * @param val an AlgorithmsIdentier to add
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_peer
+ */
+
int
hx509_peer_info_add_cms_alg (
hx509_context /*context*/,
hx509_peer_info /*peer*/,
const AlgorithmIdentifier */*val*/);
+/**
+ * Allocate a new peer info structure an init it to default values.
+ *
+ * @param context A hx509 context.
+ * @param peer return an allocated peer, free with hx509_peer_info_free().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_peer
+ */
+
int
hx509_peer_info_alloc (
hx509_context /*context*/,
hx509_peer_info */*peer*/);
+/**
+ * Free a peer info structure.
+ *
+ * @param peer peer info to be freed.
+ *
+ * @ingroup hx509_peer
+ */
+
void
hx509_peer_info_free (hx509_peer_info /*peer*/);
+/**
+ * Set the certificate that remote peer is using.
+ *
+ * @param peer peer info to update
+ * @param cert cerificate of the remote peer.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_peer
+ */
+
int
hx509_peer_info_set_cert (
hx509_peer_info /*peer*/,
hx509_cert /*cert*/);
+/**
+ * Set the algorithms that the peer supports.
+ *
+ * @param context A hx509 context.
+ * @param peer the peer to set the new algorithms for
+ * @param val array of supported AlgorithmsIdentiers
+ * @param len length of array val.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_peer
+ */
+
int
hx509_peer_info_set_cms_algs (
hx509_context /*context*/,
@@ -901,12 +2355,38 @@ hx509_pem_write (
const void */*data*/,
size_t /*size*/);
+/**
+ * Print a simple representation of a certificate
+ *
+ * @param context A hx509 context, can be NULL
+ * @param cert certificate to print
+ * @param out the stdio output stream, if NULL, stdout is used
+ *
+ * @return An hx509 error code
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_print_cert (
hx509_context /*context*/,
hx509_cert /*cert*/,
FILE */*out*/);
+/**
+ * Helper function to print on stdout for:
+ * - hx509_oid_print(),
+ * - hx509_bitstring_print(),
+ * - hx509_validate_ctx_set_print().
+ *
+ * @param ctx the context to the print function. If the ctx is NULL,
+ * stdout is used.
+ * @param fmt the printing format.
+ * @param va the argumet list.
+ *
+ * @ingroup hx509_print
+ */
+
void
hx509_print_stdout (
void */*ctx*/,
@@ -944,22 +2424,68 @@ hx509_private_key_private_decrypt (
int
hx509_prompt_hidden (hx509_prompt_type /*type*/);
+/**
+ * Allocate an query controller. Free using hx509_query_free().
+ *
+ * @param context A hx509 context.
+ * @param q return pointer to a hx509_query.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_query_alloc (
hx509_context /*context*/,
hx509_query **/*q*/);
+/**
+ * Free the query controller.
+ *
+ * @param context A hx509 context.
+ * @param q a pointer to the query controller.
+ *
+ * @ingroup hx509_cert
+ */
+
void
hx509_query_free (
hx509_context /*context*/,
hx509_query */*q*/);
+/**
+ * Set the query controller to match using a specific match function.
+ *
+ * @param q a hx509 query controller.
+ * @param func function to use for matching, if the argument is NULL,
+ * the match function is removed.
+ * @param ctx context passed to the function.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_query_match_cmp_func (
hx509_query */*q*/,
int (*/*func*/)(hx509_context, hx509_cert, void *),
void */*ctx*/);
+/**
+ * Set the query controller to require an one specific EKU (extended
+ * key usage). Any previous EKU matching is overwitten. If NULL is
+ * passed in as the eku, the EKU requirement is reset.
+ *
+ * @param q a hx509 query controller.
+ * @param eku an EKU to match on.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_query_match_eku (
hx509_query */*q*/,
@@ -971,27 +2497,81 @@ hx509_query_match_expr (
hx509_query */*q*/,
const char */*expr*/);
+/**
+ * Set the query controller to match on a friendly name
+ *
+ * @param q a hx509 query controller.
+ * @param name a friendly name to match on
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_query_match_friendly_name (
hx509_query */*q*/,
const char */*name*/);
+/**
+ * Set the issuer and serial number of match in the query
+ * controller. The function make copies of the isser and serial number.
+ *
+ * @param q a hx509 query controller
+ * @param issuer issuer to search for
+ * @param serialNumber the serialNumber of the issuer.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_query_match_issuer_serial (
hx509_query */*q*/,
const Name */*issuer*/,
const heim_integer */*serialNumber*/);
+/**
+ * Set match options for the hx509 query controller.
+ *
+ * @param q query controller.
+ * @param option options to control the query controller.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
void
hx509_query_match_option (
hx509_query */*q*/,
hx509_query_option /*option*/);
+/**
+ * Set a statistic file for the query statistics.
+ *
+ * @param context A hx509 context.
+ * @param fn statistics file name
+ *
+ * @ingroup hx509_cert
+ */
+
void
hx509_query_statistic_file (
hx509_context /*context*/,
const char */*fn*/);
+/**
+ * Unparse the statistics file and print the result on a FILE descriptor.
+ *
+ * @param context A hx509 context.
+ * @param printtype tyep to print
+ * @param out the FILE to write the data on.
+ *
+ * @ingroup hx509_cert
+ */
+
void
hx509_query_unparse_stats (
hx509_context /*context*/,
@@ -1030,26 +2610,81 @@ hx509_request_set_name (
hx509_request /*req*/,
hx509_name /*name*/);
+/**
+ * Add a CRL file to the revokation context.
+ *
+ * @param context hx509 context
+ * @param ctx hx509 revokation context
+ * @param path path to file that is going to be added to the context.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
int
hx509_revoke_add_crl (
hx509_context /*context*/,
hx509_revoke_ctx /*ctx*/,
const char */*path*/);
+/**
+ * Add a OCSP file to the revokation context.
+ *
+ * @param context hx509 context
+ * @param ctx hx509 revokation context
+ * @param path path to file that is going to be added to the context.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
int
hx509_revoke_add_ocsp (
hx509_context /*context*/,
hx509_revoke_ctx /*ctx*/,
const char */*path*/);
+/**
+ * Free a hx509 revokation context.
+ *
+ * @param ctx context to be freed
+ *
+ * @ingroup hx509_revoke
+ */
+
void
hx509_revoke_free (hx509_revoke_ctx */*ctx*/);
+/**
+ * Allocate a revokation context. Free with hx509_revoke_free().
+ *
+ * @param context A hx509 context.
+ * @param ctx returns a newly allocated revokation context.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
int
hx509_revoke_init (
hx509_context /*context*/,
hx509_revoke_ctx */*ctx*/);
+/**
+ * Print the OCSP reply stored in a file.
+ *
+ * @param context a hx509 context
+ * @param path path to a file with a OCSP reply
+ * @param out the out FILE descriptor to print the reply on
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
int
hx509_revoke_ocsp_print (
hx509_context /*context*/,
@@ -1057,6 +2692,29 @@ hx509_revoke_ocsp_print (
FILE */*out*/);
int
+hx509_revoke_print (
+ hx509_context /*context*/,
+ hx509_revoke_ctx /*ctx*/,
+ FILE */*out*/);
+
+/**
+ * Check that a certificate is not expired according to a revokation
+ * context. Also need the parent certificte to the check OCSP
+ * parent identifier.
+ *
+ * @param context hx509 context
+ * @param ctx hx509 revokation context
+ * @param certs
+ * @param now
+ * @param cert
+ * @param parent_cert
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
+int
hx509_revoke_verify (
hx509_context /*context*/,
hx509_revoke_ctx /*ctx*/,
@@ -1065,6 +2723,20 @@ hx509_revoke_verify (
hx509_cert /*cert*/,
hx509_cert /*parent_cert*/);
+/**
+ * See hx509_set_error_stringv().
+ *
+ * @param context A hx509 context.
+ * @param flags
+ * - HX509_ERROR_APPEND appends the error string to the old messages
+ (code is updated).
+ * @param code error code related to error message
+ * @param fmt error message format
+ * @param ... arguments to error message format
+ *
+ * @ingroup hx509_error
+ */
+
void
hx509_set_error_string (
hx509_context /*context*/,
@@ -1073,6 +2745,20 @@ hx509_set_error_string (
const char */*fmt*/,
...);
+/**
+ * Add an error message to the hx509 context.
+ *
+ * @param context A hx509 context.
+ * @param flags
+ * - HX509_ERROR_APPEND appends the error string to the old messages
+ (code is updated).
+ * @param code error code related to error message
+ * @param fmt error message format
+ * @param ap arguments to error message format
+ *
+ * @ingroup hx509_error
+ */
+
void
hx509_set_error_stringv (
hx509_context /*context*/,
@@ -1085,9 +2771,6 @@ const AlgorithmIdentifier *
hx509_signature_ecPublicKey (void);
const AlgorithmIdentifier *
-hx509_signature_ecdsa_with_sha1 (void);
-
-const AlgorithmIdentifier *
hx509_signature_ecdsa_with_sha256 (void);
const AlgorithmIdentifier *
@@ -1126,42 +2809,135 @@ hx509_signature_sha384 (void);
const AlgorithmIdentifier *
hx509_signature_sha512 (void);
+/**
+ * Convert a DER encoded name info a string.
+ *
+ * @param data data to a DER/BER encoded name
+ * @param length length of data
+ * @param str the resulting string, is NULL on failure.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_unparse_der_name (
const void */*data*/,
size_t /*length*/,
char **/*str*/);
+/**
+ * Validate/Print the status of the certificate.
+ *
+ * @param context A hx509 context.
+ * @param ctx A hx509 validation context.
+ * @param cert the cerificate to validate/print.
+
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
+
int
hx509_validate_cert (
hx509_context /*context*/,
hx509_validate_ctx /*ctx*/,
hx509_cert /*cert*/);
+/**
+ * Add flags to control the behaivor of the hx509_validate_cert()
+ * function.
+ *
+ * @param ctx A hx509 validation context.
+ * @param flags flags to add to the validation context.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
+
void
hx509_validate_ctx_add_flags (
hx509_validate_ctx /*ctx*/,
int /*flags*/);
+/**
+ * Free an hx509 validate context.
+ *
+ * @param ctx the hx509 validate context to free.
+ *
+ * @ingroup hx509_print
+ */
+
void
hx509_validate_ctx_free (hx509_validate_ctx /*ctx*/);
+/**
+ * Allocate a hx509 validation/printing context.
+ *
+ * @param context A hx509 context.
+ * @param ctx a new allocated hx509 validation context, free with
+ * hx509_validate_ctx_free().
+
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
+
int
hx509_validate_ctx_init (
hx509_context /*context*/,
hx509_validate_ctx */*ctx*/);
+/**
+ * Set the printing functions for the validation context.
+ *
+ * @param ctx a hx509 valication context.
+ * @param func the printing function to usea.
+ * @param c the context variable to the printing function.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
+
void
hx509_validate_ctx_set_print (
hx509_validate_ctx /*ctx*/,
hx509_vprint_func /*func*/,
void */*c*/);
+/**
+ * Set the trust anchors in the verification context, makes an
+ * reference to the keyset, so the consumer can free the keyset
+ * independent of the destruction of the verification context (ctx).
+ * If there already is a keyset attached, it's released.
+ *
+ * @param ctx a verification context
+ * @param set a keyset containing the trust anchors.
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_verify_attach_anchors (
hx509_verify_ctx /*ctx*/,
hx509_certs /*set*/);
+/**
+ * Attach an revocation context to the verfication context, , makes an
+ * reference to the revoke context, so the consumer can free the
+ * revoke context independent of the destruction of the verification
+ * context. If there is no revoke context, the verification process is
+ * NOT going to check any verification status.
+ *
+ * @param ctx a verification context.
+ * @param revoke_ctx a revoke context.
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_verify_attach_revoke (
hx509_verify_ctx /*ctx*/,
@@ -1172,14 +2948,56 @@ hx509_verify_ctx_f_allow_best_before_signature_algs (
hx509_context /*ctx*/,
int /*boolean*/);
+/**
+ * Allow using the operating system builtin trust anchors if no other
+ * trust anchors are configured.
+ *
+ * @param ctx a verification context
+ * @param boolean if non zero, useing the operating systems builtin
+ * trust anchors.
+ *
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
void
hx509_verify_ctx_f_allow_default_trustanchors (
hx509_verify_ctx /*ctx*/,
int /*boolean*/);
+/**
+ * Free an hx509 verification context.
+ *
+ * @param ctx the context to be freed.
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_verify_destroy_ctx (hx509_verify_ctx /*ctx*/);
+/**
+ * Verify that the certificate is allowed to be used for the hostname
+ * and address.
+ *
+ * @param context A hx509 context.
+ * @param cert the certificate to match with
+ * @param flags Flags to modify the behavior:
+ * - HX509_VHN_F_ALLOW_NO_MATCH no match is ok
+ * @param type type of hostname:
+ * - HX509_HN_HOSTNAME for plain hostname.
+ * - HX509_HN_DNSSRV for DNS SRV names.
+ * @param hostname the hostname to check
+ * @param sa address of the host
+ * @param sa_size length of address
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_verify_hostname (
hx509_context /*context*/,
@@ -1190,11 +3008,38 @@ hx509_verify_hostname (
const struct sockaddr */*sa*/,
int /*sa_size*/);
+/**
+ * Allocate an verification context that is used fo control the
+ * verification process.
+ *
+ * @param context A hx509 context.
+ * @param ctx returns a pointer to a hx509_verify_ctx object.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
int
hx509_verify_init_ctx (
hx509_context /*context*/,
hx509_verify_ctx */*ctx*/);
+/**
+ * Build and verify the path for the certificate to the trust anchor
+ * specified in the verify context. The path is constructed from the
+ * certificate, the pool and the trust anchors.
+ *
+ * @param context A hx509 context.
+ * @param ctx A hx509 verification context.
+ * @param cert the certificate to build the path from.
+ * @param pool A keyset of certificates to build the chain from.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
int
hx509_verify_path (
hx509_context /*context*/,
@@ -1202,26 +3047,83 @@ hx509_verify_path (
hx509_cert /*cert*/,
hx509_certs /*pool*/);
+/**
+ * Set the maximum depth of the certificate chain that the path
+ * builder is going to try.
+ *
+ * @param ctx a verification context
+ * @param max_depth maxium depth of the certificate chain, include
+ * trust anchor.
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_verify_set_max_depth (
hx509_verify_ctx /*ctx*/,
unsigned int /*max_depth*/);
+/**
+ * Allow or deny the use of proxy certificates
+ *
+ * @param ctx a verification context
+ * @param boolean if non zero, allow proxy certificates.
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_verify_set_proxy_certificate (
hx509_verify_ctx /*ctx*/,
int /*boolean*/);
+/**
+ * Select strict RFC3280 verification of certificiates. This means
+ * checking key usage on CA certificates, this will make version 1
+ * certificiates unuseable.
+ *
+ * @param ctx a verification context
+ * @param boolean if non zero, use strict verification.
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_verify_set_strict_rfc3280_verification (
hx509_verify_ctx /*ctx*/,
int /*boolean*/);
+/**
+ * Set the clock time the the verification process is going to
+ * use. Used to check certificate in the past and future time. If not
+ * set the current time will be used.
+ *
+ * @param ctx a verification context.
+ * @param t the time the verifiation is using.
+ *
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_verify_set_time (
hx509_verify_ctx /*ctx*/,
time_t /*t*/);
+/**
+ * Verify a signature made using the private key of an certificate.
+ *
+ * @param context A hx509 context.
+ * @param signer the certificate that made the signature.
+ * @param alg algorthm that was used to sign the data.
+ * @param data the data that was signed.
+ * @param sig the sigature to verify.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_crypto
+ */
+
int
hx509_verify_signature (
hx509_context /*context*/,
@@ -1230,6 +3132,14 @@ hx509_verify_signature (
const heim_octet_string */*data*/,
const heim_octet_string */*sig*/);
+/**
+ * Free a data element allocated in the library.
+ *
+ * @param ptr data to be freed.
+ *
+ * @ingroup hx509_misc
+ */
+
void
hx509_xfree (void */*ptr*/);
@@ -1240,4 +3150,5 @@ yywrap (void);
}
#endif
+#endif /* DOXY */
#endif /* __hx509_protos_h__ */
diff --git a/lib/hx509/hx509.h b/lib/hx509/hx509.h
index 3954b54b1c04..781f4a59cc73 100644
--- a/lib/hx509/hx509.h
+++ b/lib/hx509/hx509.h
@@ -39,6 +39,7 @@
#include <rfc2459_asn1.h>
#include <stdarg.h>
#include <stdio.h>
+#include <heimbase.h>
typedef struct hx509_cert_attribute_data *hx509_cert_attribute;
typedef struct hx509_cert_data *hx509_cert;
diff --git a/lib/hx509/hx509_err.et b/lib/hx509/hx509_err.et
index 6225f125fb20..f0a27e83620c 100644
--- a/lib/hx509/hx509_err.et
+++ b/lib/hx509/hx509_err.et
@@ -8,7 +8,7 @@ id "$Id$"
error_table hx
prefix HX509
-# path validateion and construction related errors
+# path validation and construction related errors
error_code BAD_TIMEFORMAT, "ASN.1 failed call to system time library"
error_code EXTENSION_NOT_FOUND, "Extension not found"
error_code NO_PATH, "Certification path not found"
@@ -21,9 +21,9 @@ error_code CERT_USED_AFTER_TIME, "Certificate used after it became invalid"
error_code PRIVATE_KEY_MISSING, "Private key required for the operation is missing"
error_code ALG_NOT_SUPP, "Algorithm not supported"
error_code ISSUER_NOT_FOUND, "Issuer couldn't be found"
-error_code VERIFY_CONSTRAINTS, "Error verifing constraints"
+error_code VERIFY_CONSTRAINTS, "Error verifying constraints"
error_code RANGE, "Number too large"
-error_code NAME_CONSTRAINT_ERROR, "Error while verifing name constraints"
+error_code NAME_CONSTRAINT_ERROR, "Error while verifying name constraints"
error_code PATH_TOO_LONG, "Path is too long, failed to find valid anchor"
error_code KU_CERT_MISSING, "Required keyusage for this certificate is missing"
error_code CERT_NOT_FOUND, "Certificate not found"
@@ -32,10 +32,10 @@ error_code PARENT_IS_CA, "Parent certificate is a CA"
error_code EXTRA_DATA_AFTER_STRUCTURE, "Extra data was found after the structure"
error_code PROXY_CERT_INVALID, "Proxy certificate is invalid"
error_code PROXY_CERT_NAME_WRONG, "Proxy certificate name is wrong"
-error_code NAME_MALFORMED, "Name is malformated"
-error_code CERTIFICATE_MALFORMED, "Certificate is malformated"
+error_code NAME_MALFORMED, "Name is malformed"
+error_code CERTIFICATE_MALFORMED, "Certificate is malformed"
error_code CERTIFICATE_MISSING_EKU, "Certificate is missing a required EKU"
-error_code PROXY_CERTIFICATE_NOT_CANONICALIZED, "Proxy certificate not canonicalize"
+error_code PROXY_CERTIFICATE_NOT_CANONICALIZED, "Proxy certificate not canonicalized"
# cms related errors
index 32
@@ -58,9 +58,9 @@ error_code SIGNATURE_MISSING, "Signature missing for data"
error_code BAD_SIGNATURE, "Signature is not valid"
error_code SIG_NO_CONF, "Sigature doesn't provide confidentiality"
error_code SIG_INVALID_FORMAT, "Invalid format on signature"
-error_code OID_MISMATCH, "Mismatch bewteen oids"
+error_code OID_MISMATCH, "Mismatch between oids"
error_code NO_PROMPTER, "No prompter function defined"
-error_code SIGNATURE_WITHOUT_SIGNER, "Signature require signer, but non available"
+error_code SIGNATURE_WITHOUT_SIGNER, "Signature requires signer, but none available"
error_code RSA_PUBLIC_ENCRYPT, "RSA public encyption failed"
error_code RSA_PRIVATE_ENCRYPT, "RSA private encyption failed"
error_code RSA_PUBLIC_DECRYPT, "RSA public decryption failed"
@@ -100,4 +100,10 @@ error_code OPEN_SESSION, "Failed to open session to slot"
error_code LOGIN, "Failed to login to slot"
error_code LOAD, "Failed to load PKCS module"
+# pkinit related errors
+error_code PIN_INCORRECT, "Incorrect User PIN"
+error_code PIN_LOCKED, "User PIN locked"
+error_code PIN_NOT_INITIALIZED, "User PIN not initialized"
+error_code PIN_EXPIRED, "User PIN expired"
+
end
diff --git a/lib/hx509/hx_locl.h b/lib/hx509/hx_locl.h
index a0a5235c7586..44d241f350ae 100644
--- a/lib/hx509/hx_locl.h
+++ b/lib/hx509/hx_locl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 2004 - 2016 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -70,14 +70,24 @@
#include <der.h>
+/*
+ * We use OpenSSL for EC, but to do this we need to disable cross-references
+ * between OpenSSL and hcrypto bn.h and such. Source files that use OpenSSL EC
+ * must define HEIM_NO_CRYPTO_HDRS before including this file.
+ */
+
#define HC_DEPRECATED_CRYPTO
+#ifndef HEIM_NO_CRYPTO_HDRS
#include "crypto-headers.h"
+#endif
struct hx509_keyset_ops;
struct hx509_collector;
struct hx509_generate_private_context;
typedef struct hx509_path hx509_path;
+#include <heimbase.h>
+
#include <hx509.h>
typedef void (*_hx509_cert_release_func)(struct hx509_cert_data *, void *);
@@ -186,7 +196,7 @@ struct hx509_context_data {
#define HX509_CTX_VERIFY_MISSING_OK 1
int ocsp_time_diff;
#define HX509_DEFAULT_OCSP_TIME_DIFF (5*60)
- hx509_error error;
+ heim_error_t error;
struct et_list *et_list;
char *querystat;
hx509_certs default_trust_anchors;
@@ -212,6 +222,95 @@ extern const AlgorithmIdentifier * _hx509_crypto_default_digest_alg;
extern const AlgorithmIdentifier * _hx509_crypto_default_secret_alg;
/*
+ * Private bits from crypto.c, so crypto-ec.c can also see them.
+ *
+ * This is part of the use-OpenSSL-for-EC hack.
+ */
+
+struct hx509_crypto;
+
+struct signature_alg;
+
+struct hx509_generate_private_context {
+ const heim_oid *key_oid;
+ int isCA;
+ unsigned long num_bits;
+};
+
+struct hx509_private_key_ops {
+ const char *pemtype;
+ const heim_oid *key_oid;
+ int (*available)(const hx509_private_key,
+ const AlgorithmIdentifier *);
+ int (*get_spki)(hx509_context,
+ const hx509_private_key,
+ SubjectPublicKeyInfo *);
+ int (*export)(hx509_context context,
+ const hx509_private_key,
+ hx509_key_format_t,
+ heim_octet_string *);
+ int (*import)(hx509_context, const AlgorithmIdentifier *,
+ const void *, size_t, hx509_key_format_t,
+ hx509_private_key);
+ int (*generate_private_key)(hx509_context,
+ struct hx509_generate_private_context *,
+ hx509_private_key);
+ BIGNUM *(*get_internal)(hx509_context, hx509_private_key, const char *);
+};
+
+struct hx509_private_key {
+ unsigned int ref;
+ const struct signature_alg *md;
+ const heim_oid *signature_alg;
+ union {
+ RSA *rsa;
+ void *keydata;
+ void *ecdsa; /* EC_KEY */
+ } private_key;
+ hx509_private_key_ops *ops;
+};
+
+/*
+ *
+ */
+
+struct signature_alg {
+ const char *name;
+ const heim_oid *sig_oid;
+ const AlgorithmIdentifier *sig_alg;
+ const heim_oid *key_oid;
+ const AlgorithmIdentifier *digest_alg;
+ int flags;
+#define PROVIDE_CONF 0x1
+#define REQUIRE_SIGNER 0x2
+#define SELF_SIGNED_OK 0x4
+#define WEAK_SIG_ALG 0x8
+
+#define SIG_DIGEST 0x100
+#define SIG_PUBLIC_SIG 0x200
+#define SIG_SECRET 0x400
+
+#define RA_RSA_USES_DIGEST_INFO 0x1000000
+
+ time_t best_before; /* refuse signature made after best before date */
+ const EVP_MD *(*evp_md)(void);
+ int (*verify_signature)(hx509_context context,
+ const struct signature_alg *,
+ const Certificate *,
+ const AlgorithmIdentifier *,
+ const heim_octet_string *,
+ const heim_octet_string *);
+ int (*create_signature)(hx509_context,
+ const struct signature_alg *,
+ const hx509_private_key,
+ const AlgorithmIdentifier *,
+ const heim_octet_string *,
+ AlgorithmIdentifier *,
+ heim_octet_string *);
+ int digest_size;
+};
+
+/*
* Configurable options
*/
diff --git a/lib/hx509/hxtool-commands.in b/lib/hx509/hxtool-commands.in
index ab517224ecd7..49e392d038ef 100644
--- a/lib/hx509/hxtool-commands.in
+++ b/lib/hx509/hxtool-commands.in
@@ -107,7 +107,7 @@ command = {
option = {
long = "embedded-certs"
type = "-flag"
- help = "dont embedded certficiates"
+ help = "don't embed certificates"
}
option = {
long = "embed-leaf-only"
@@ -409,6 +409,17 @@ command = {
help = "Print the OCSP responses"
}
command = {
+ name = "revoke-print"
+ option = {
+ long = "verbose"
+ type = "flag"
+ help = "verbose"
+ }
+ min_args="1"
+ argument="ocsp/crl files"
+ help = "Print the OCSP/CRL files"
+}
+command = {
name = "request-create"
option = {
long = "subject"
@@ -624,6 +635,11 @@ command = {
help = "Lifetime of certificate"
}
option = {
+ long = "signature-algorithm"
+ type = "string"
+ help = "Signature algorithm to use"
+ }
+ option = {
long = "serial-number"
type = "string"
help = "serial-number of certificate"
@@ -646,7 +662,7 @@ command = {
}
option = {
long = "pk-init-principal"
- type = "string"
+ type = "strings"
help = "PK-INIT principal (for SAN)"
}
option = {
diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index 4bd467f4284a..0a7048bdf428 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * Copyright (c) 2004 - 2016 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -372,9 +372,9 @@ cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
infile = argv[0];
if (argc < 2) {
- asprintf(&outfile, "%s.%s", infile,
- opt->pem_flag ? "pem" : "cms-signeddata");
- if (outfile == NULL)
+ ret = asprintf(&outfile, "%s.%s", infile,
+ opt->pem_flag ? "pem" : "cms-signeddata");
+ if (ret == -1 || outfile == NULL)
errx(1, "out of memory");
} else
outfile = argv[1];
@@ -1135,6 +1135,45 @@ ocsp_print(struct ocsp_print_options *opt, int argc, char **argv)
return 0;
}
+int
+revoke_print(struct revoke_print_options *opt, int argc, char **argv)
+{
+ hx509_revoke_ctx revoke_ctx;
+ int ret;
+
+ ret = hx509_revoke_init(context, &revoke_ctx);
+ if (ret)
+ errx(1, "hx509_revoke_init: %d", ret);
+
+ while(argc--) {
+ char *s = *argv++;
+
+ if (strncmp(s, "crl:", 4) == 0) {
+ s += 4;
+
+ ret = hx509_revoke_add_crl(context, revoke_ctx, s);
+ if (ret)
+ errx(1, "hx509_revoke_add_crl: %s: %d", s, ret);
+
+ } else if (strncmp(s, "ocsp:", 4) == 0) {
+ s += 5;
+
+ ret = hx509_revoke_add_ocsp(context, revoke_ctx, s);
+ if (ret)
+ errx(1, "hx509_revoke_add_ocsp: %s: %d", s, ret);
+
+ } else {
+ errx(1, "unknown option to verify: `%s'\n", s);
+ }
+ }
+
+ ret = hx509_revoke_print(context, revoke_ctx, stdout);
+ if (ret)
+ warnx("hx509_revoke_print: %d", ret);
+
+ return ret;
+}
+
/*
*
*/
@@ -1394,7 +1433,7 @@ info(void *opt, int argc, char **argv)
if (m != NULL)
printf("dh: %s\n", m->name);
}
-#ifdef HAVE_OPENSSL
+#ifdef HAVE_HCRYPTO_W_OPENSSL
{
printf("ecdsa: ECDSA_METHOD-not-export\n");
}
@@ -1692,12 +1731,13 @@ eval_types(hx509_context contextp,
}
}
- if (opt->pk_init_principal_string) {
+ for (i = 0; i < opt->pk_init_principal_strings.num_strings; i++) {
+ const char *pk_init_princ = opt->pk_init_principal_strings.strings[i];
+
if (!ctopt.pkinit)
errx(1, "pk-init principal given but no pk-init oid");
- ret = hx509_ca_tbs_add_san_pkinit(contextp, tbs,
- opt->pk_init_principal_string);
+ ret = hx509_ca_tbs_add_san_pkinit(contextp, tbs, pk_init_princ);
if (ret)
hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_pkinit");
}
@@ -1888,6 +1928,17 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
if (ret)
hx509_err(context, 1, ret, "hx509_ca_tbs_init");
+ if (opt->signature_algorithm_string) {
+ const AlgorithmIdentifier *sigalg;
+ if (strcasecmp(opt->signature_algorithm_string, "rsa-with-sha1") == 0)
+ sigalg = hx509_signature_rsa_with_sha1();
+ else if (strcasecmp(opt->signature_algorithm_string, "rsa-with-sha256") == 0)
+ sigalg = hx509_signature_rsa_with_sha256();
+ else
+ errx(1, "unsupported sigature algorithm");
+ hx509_ca_tbs_set_signature_algorithm(context, tbs, sigalg);
+ }
+
if (opt->template_certificate_string) {
hx509_cert template;
hx509_certs tcerts;
diff --git a/lib/hx509/keyset.c b/lib/hx509/keyset.c
index c0275d949d06..ed5b22b981d3 100644
--- a/lib/hx509/keyset.c
+++ b/lib/hx509/keyset.c
@@ -107,6 +107,8 @@ _hx509_ks_register(hx509_context context, struct hx509_keyset_ops *ops)
* select no password/certifictes/prompt lock (see @ref page_lock).
* @param certs return pointer, free with hx509_certs_free().
*
+ * @return Returns an hx509 error code.
+ *
* @ingroup hx509_keyset
*/
@@ -318,8 +320,8 @@ hx509_certs_end_seq(hx509_context context,
}
/**
- * Iterate over all certificates in a keystore and call an function
- * for each fo them.
+ * Iterate over all certificates in a keystore and call a function
+ * for each of them.
*
* @param context a hx509 context.
* @param certs certificate store to iterate over.
@@ -366,21 +368,6 @@ hx509_certs_iter_f(hx509_context context,
return ret;
}
-/**
- * Iterate over all certificates in a keystore and call an function
- * for each fo them.
- *
- * @param context a hx509 context.
- * @param certs certificate store to iterate over.
- * @param func function to call for each certificate. The function
- * should return non-zero to abort the iteration, that value is passed
- * back to the caller of hx509_certs_iter().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
#ifdef __BLOCKS__
static int
@@ -391,8 +378,8 @@ certs_iter(hx509_context context, void *ctx, hx509_cert cert)
}
/**
- * Iterate over all certificates in a keystore and call an block
- * for each fo them.
+ * Iterate over all certificates in a keystore and call a block
+ * for each of them.
*
* @param context a hx509 context.
* @param certs certificate store to iterate over.
@@ -752,11 +739,12 @@ _hx509_pi_printf(int (*func)(void *, const char *), void *ctx,
{
va_list ap;
char *str;
+ int ret;
va_start(ap, fmt);
- vasprintf(&str, fmt, ap);
+ ret = vasprintf(&str, fmt, ap);
va_end(ap);
- if (str == NULL)
+ if (ret == -1 || str == NULL)
return;
(*func)(ctx, str);
free(str);
diff --git a/lib/hx509/ks_dir.c b/lib/hx509/ks_dir.c
index 264b1bf552d8..1740dfe42c74 100644
--- a/lib/hx509/ks_dir.c
+++ b/lib/hx509/ks_dir.c
@@ -211,7 +211,10 @@ static struct hx509_keyset_ops keyset_dir = {
NULL,
dir_iter_start,
dir_iter,
- dir_iter_end
+ dir_iter_end,
+ NULL,
+ NULL,
+ NULL
};
void
diff --git a/lib/hx509/ks_file.c b/lib/hx509/ks_file.c
index d21d88928708..642dd173b53c 100644
--- a/lib/hx509/ks_file.c
+++ b/lib/hx509/ks_file.c
@@ -52,12 +52,16 @@ parse_certificate(hx509_context context, const char *fn,
const void *data, size_t len,
const AlgorithmIdentifier *ai)
{
+ heim_error_t error = NULL;
hx509_cert cert;
int ret;
- ret = hx509_cert_init_data(context, data, len, &cert);
- if (ret)
+ cert = hx509_cert_init_data(context, data, len, &error);
+ if (cert == NULL) {
+ ret = heim_error_get_code(error);
+ heim_release(error);
return ret;
+ }
ret = _hx509_collector_certs_add(context, c, cert);
hx509_cert_free(cert);
@@ -92,9 +96,10 @@ try_decrypt(hx509_context context,
password, passwordlen,
1, key, NULL);
if (ret <= 0) {
- hx509_set_error_string(context, 0, HX509_CRYPTO_INTERNAL_ERROR,
+ ret = HX509_CRYPTO_INTERNAL_ERROR;
+ hx509_set_error_string(context, 0, ret,
"Failed to do string2key for private key");
- return HX509_CRYPTO_INTERNAL_ERROR;
+ goto out;
}
clear.data = malloc(len);
@@ -315,7 +320,9 @@ struct pem_formats {
{ "CERTIFICATE", parse_certificate, NULL },
{ "PRIVATE KEY", parse_pkcs8_private_key, NULL },
{ "RSA PRIVATE KEY", parse_pem_private_key, hx509_signature_rsa },
+#ifdef HAVE_HCRYPTO_W_OPENSSL
{ "EC PRIVATE KEY", parse_pem_private_key, hx509_signature_ecPublicKey }
+#endif
};
diff --git a/lib/hx509/ks_keychain.c b/lib/hx509/ks_keychain.c
index 0552d8f7e97a..9b8224f1d237 100644
--- a/lib/hx509/ks_keychain.c
+++ b/lib/hx509/ks_keychain.c
@@ -35,6 +35,9 @@
#ifdef HAVE_FRAMEWORK_SECURITY
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+
#include <Security/Security.h>
/* Missing function decls in pre Leopard */
@@ -246,6 +249,7 @@ static const RSA_METHOD kc_rsa_pkcs1_method = {
0,
NULL,
NULL,
+ NULL,
NULL
};
@@ -340,11 +344,13 @@ keychain_init(hx509_context context,
if (ret != noErr) {
hx509_set_error_string(context, 0, ENOENT,
"Failed to open %s", residue);
+ free(ctx);
return ENOENT;
}
} else {
hx509_set_error_string(context, 0, ENOENT,
"Unknown subtype %s", residue);
+ free(ctx);
return ENOENT;
}
}
@@ -420,8 +426,8 @@ keychain_iter_start(hx509_context context,
SecCertificateGetData(cr, &cssm);
- ret = hx509_cert_init_data(context, cssm.Data, cssm.Length, &cert);
- if (ret)
+ cert = hx509_cert_init_data(context, cssm.Data, cssm.Length, NULL);
+ if (cert == NULL)
continue;
ret = hx509_certs_add(context, iter->certs, cert);
@@ -470,6 +476,7 @@ keychain_iter(hx509_context context,
UInt32 attrFormat[1] = { 0 };
SecKeychainItemRef itemRef;
SecItemAttr item[1];
+ heim_error_t error = NULL;
struct iter *iter = cursor;
OSStatus ret;
UInt32 len;
@@ -501,9 +508,12 @@ keychain_iter(hx509_context context,
if (ret)
return EINVAL;
- ret = hx509_cert_init_data(context, ptr, len, cert);
- if (ret)
+ *cert = hx509_cert_init_data(context, ptr, len, &error);
+ if (*cert == NULL) {
+ ret = heim_error_get_code(error);
+ heim_release(error);
goto out;
+ }
/*
* Find related private key if there is one by looking at
@@ -586,9 +596,14 @@ struct hx509_keyset_ops keyset_keychain = {
NULL,
keychain_iter_start,
keychain_iter,
- keychain_iter_end
+ keychain_iter_end,
+ NULL,
+ NULL,
+ NULL
};
+#pragma clang diagnostic pop
+
#endif /* HAVE_FRAMEWORK_SECURITY */
/*
diff --git a/lib/hx509/ks_null.c b/lib/hx509/ks_null.c
index 136d2d43459f..5ac0beb7bf91 100644
--- a/lib/hx509/ks_null.c
+++ b/lib/hx509/ks_null.c
@@ -87,7 +87,10 @@ struct hx509_keyset_ops keyset_null = {
NULL,
null_iter_start,
null_iter,
- null_iter_end
+ null_iter_end,
+ NULL,
+ NULL,
+ NULL
};
void
diff --git a/lib/hx509/ks_p11.c b/lib/hx509/ks_p11.c
index 120bf43ef437..1b2309e20d50 100644
--- a/lib/hx509/ks_p11.c
+++ b/lib/hx509/ks_p11.c
@@ -38,7 +38,7 @@
#ifdef HAVE_DLOPEN
-#include "pkcs11.h"
+#include "ref/pkcs11.h"
struct p11_slot {
int flags;
@@ -65,6 +65,7 @@ struct p11_module {
CK_FUNCTION_LIST_PTR funcs;
CK_ULONG num_slots;
unsigned int ref;
+ unsigned int selected_slot;
struct p11_slot *slot;
};
@@ -226,6 +227,7 @@ static const RSA_METHOD p11_rsa_pkcs1_method = {
0,
NULL,
NULL,
+ NULL,
NULL
};
@@ -330,8 +332,10 @@ p11_init_slot(hx509_context context,
break;
}
- asprintf(&slot->name, "%.*s",
- (int)i, slot_info.slotDescription);
+ ret = asprintf(&slot->name, "%.*s", (int)i,
+ slot_info.slotDescription);
+ if (ret == -1)
+ return ENOMEM;
if ((slot_info.flags & CKF_TOKEN_PRESENT) == 0)
return 0;
@@ -340,7 +344,7 @@ p11_init_slot(hx509_context context,
if (ret) {
hx509_set_error_string(context, 0, HX509_PKCS11_NO_TOKEN,
"Failed to init PKCS11 slot %d "
- "with error 0x08x",
+ "with error 0x%08x",
num, ret);
return HX509_PKCS11_NO_TOKEN;
}
@@ -422,7 +426,12 @@ p11_get_session(hx509_context context,
memset(&prompt, 0, sizeof(prompt));
- asprintf(&str, "PIN code for %s: ", slot->name);
+ ret = asprintf(&str, "PIN code for %s: ", slot->name);
+ if (ret == -1 || str == NULL) {
+ if (context)
+ hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+ return ENOMEM;
+ }
prompt.prompt = str;
prompt.type = HX509_PROMPT_TYPE_PASSWORD;
prompt.reply.data = pin;
@@ -451,7 +460,18 @@ p11_get_session(hx509_context context,
"Failed to login on slot id %d "
"with error: 0x%08x",
(int)slot->id, ret);
- return HX509_PKCS11_LOGIN;
+ switch(ret) {
+ case CKR_PIN_LOCKED:
+ return HX509_PKCS11_PIN_LOCKED;
+ case CKR_PIN_EXPIRED:
+ return HX509_PKCS11_PIN_EXPIRED;
+ case CKR_PIN_INCORRECT:
+ return HX509_PKCS11_PIN_INCORRECT;
+ case CKR_USER_PIN_NOT_INITIALIZED:
+ return HX509_PKCS11_PIN_NOT_INITIALIZED;
+ default:
+ return HX509_PKCS11_LOGIN;
+ }
} else
slot->flags |= P11_LOGIN_DONE;
@@ -680,6 +700,7 @@ collect_cert(hx509_context context,
void *ptr, CK_ATTRIBUTE *query, int num_query)
{
struct hx509_collector *collector = ptr;
+ heim_error_t error = NULL;
hx509_cert cert;
int ret;
@@ -689,10 +710,13 @@ collect_cert(hx509_context context,
return 0;
}
- ret = hx509_cert_init_data(context, query[1].pValue,
- query[1].ulValueLen, &cert);
- if (ret)
+ cert = hx509_cert_init_data(context, query[1].pValue,
+ query[1].ulValueLen, &error);
+ if (cert == NULL) {
+ ret = heim_error_get_code(error);
+ heim_release(error);
return ret;
+ }
if (p->ref == 0)
_hx509_abort("pkcs11 ref == 0 on alloc");
@@ -717,9 +741,9 @@ collect_cert(hx509_context context,
if ((CK_LONG)query[2].ulValueLen != -1) {
char *str;
- asprintf(&str, "%.*s",
- (int)query[2].ulValueLen, (char *)query[2].pValue);
- if (str) {
+ ret = asprintf(&str, "%.*s",
+ (int)query[2].ulValueLen, (char *)query[2].pValue);
+ if (ret != -1 && str) {
hx509_cert_set_friendly_name(cert, str);
free(str);
}
@@ -810,6 +834,7 @@ p11_init(hx509_context context,
}
p->ref = 1;
+ p->selected_slot = 0;
str = strchr(list, ',');
if (str)
@@ -819,15 +844,12 @@ p11_init(hx509_context context,
strnext = strchr(str, ',');
if (strnext)
*strnext++ = '\0';
-#if 0
if (strncasecmp(str, "slot=", 5) == 0)
p->selected_slot = atoi(str + 5);
-#endif
str = strnext;
}
p->dl_handle = dlopen(list, RTLD_NOW);
- free(list);
if (p->dl_handle == NULL) {
ret = HX509_PKCS11_LOAD;
hx509_set_error_string(context, 0, ret,
@@ -908,11 +930,13 @@ p11_init(hx509_context context,
}
for (i = 0; i < p->num_slots; i++) {
+ if ((p->selected_slot != 0) && (slot_ids[i] != (p->selected_slot - 1)))
+ continue;
ret = p11_init_slot(context, p, lock, slot_ids[i], i, &p->slot[i]);
- if (ret)
- break;
- if (p->slot[i].flags & P11_TOKEN_PRESENT)
- num_tokens++;
+ if (!ret) {
+ if (p->slot[i].flags & P11_TOKEN_PRESENT)
+ num_tokens++;
+ }
}
free(slot_ids);
if (ret)
@@ -923,10 +947,14 @@ p11_init(hx509_context context,
}
}
+ free(list);
+
*data = p;
return 0;
out:
+ if (list)
+ free(list);
p11_release_module(p);
return ret;
}
@@ -1176,7 +1204,9 @@ static struct hx509_keyset_ops keyset_pkcs11 = {
p11_iter_start,
p11_iter,
p11_iter_end,
- p11_printinfo
+ p11_printinfo,
+ NULL,
+ NULL
};
#endif /* HAVE_DLOPEN */
diff --git a/lib/hx509/ks_p12.c b/lib/hx509/ks_p12.c
index 0ca13de1eb34..b7df0be32aca 100644
--- a/lib/hx509/ks_p12.c
+++ b/lib/hx509/ks_p12.c
@@ -130,6 +130,7 @@ certBag_parser(hx509_context context,
const void *data, size_t length,
const PKCS12_Attributes *attrs)
{
+ heim_error_t error = NULL;
heim_octet_string os;
hx509_cert cert;
PKCS12_CertBag cb;
@@ -152,10 +153,13 @@ certBag_parser(hx509_context context,
if (ret)
return ret;
- ret = hx509_cert_init_data(context, os.data, os.length, &cert);
+ cert = hx509_cert_init_data(context, os.data, os.length, &error);
der_free_octet_string(&os);
- if (ret)
+ if (cert == NULL) {
+ ret = heim_error_get_code(error);
+ heim_release(error);
return ret;
+ }
ret = _hx509_collector_certs_add(context, c, cert);
if (ret) {
@@ -697,7 +701,10 @@ static struct hx509_keyset_ops keyset_pkcs12 = {
NULL,
p12_iter_start,
p12_iter,
- p12_iter_end
+ p12_iter_end,
+ NULL,
+ NULL,
+ NULL
};
void
diff --git a/lib/hx509/libhx509-exports.def b/lib/hx509/libhx509-exports.def
index f8973a091396..f4417730158c 100644
--- a/lib/hx509/libhx509-exports.def
+++ b/lib/hx509/libhx509-exports.def
@@ -1,3 +1,4 @@
+
EXPORTS
_hx509_cert_assign_key
_hx509_cert_private_key
@@ -51,6 +52,7 @@ EXPORTS
hx509_ca_tbs_set_notBefore
hx509_ca_tbs_set_proxy
hx509_ca_tbs_set_serialnumber
+ hx509_ca_tbs_set_signature_algorithm
hx509_ca_tbs_set_spki
hx509_ca_tbs_set_subject
hx509_ca_tbs_set_template
@@ -196,6 +198,7 @@ EXPORTS
hx509_revoke_free
hx509_revoke_init
hx509_revoke_ocsp_print
+ hx509_revoke_print
hx509_revoke_verify
hx509_set_error_string
hx509_set_error_stringv
diff --git a/lib/hx509/lock.c b/lib/hx509/lock.c
index b72d45962b62..52f72dba1b71 100644
--- a/lib/hx509/lock.c
+++ b/lib/hx509/lock.c
@@ -47,7 +47,10 @@ struct hx509_lock_data {
};
static struct hx509_lock_data empty_lock_data = {
- { 0, NULL }
+ { 0, NULL },
+ NULL,
+ NULL,
+ NULL
};
hx509_lock _hx509_empty_lock = &empty_lock_data;
diff --git a/lib/hx509/name.c b/lib/hx509/name.c
index efd7b703422f..ee192e593a90 100644
--- a/lib/hx509/name.c
+++ b/lib/hx509/name.c
@@ -238,15 +238,22 @@ _hx509_Name_to_string(const Name *n, char **str)
size_t k;
ret = wind_ucs2utf8_length(bmp, bmplen, &k);
- if (ret)
+ if (ret) {
+ free(oidname);
+ free(*str);
+ *str = NULL;
return ret;
+ }
ss = malloc(k + 1);
if (ss == NULL)
_hx509_abort("allocation failure"); /* XXX */
ret = wind_ucs2utf8(bmp, bmplen, ss, NULL);
if (ret) {
+ free(oidname);
free(ss);
+ free(*str);
+ *str = NULL;
return ret;
}
ss[k] = '\0';
@@ -263,8 +270,12 @@ _hx509_Name_to_string(const Name *n, char **str)
size_t k;
ret = wind_ucs4utf8_length(uni, unilen, &k);
- if (ret)
+ if (ret) {
+ free(oidname);
+ free(*str);
+ *str = NULL;
return ret;
+ }
ss = malloc(k + 1);
if (ss == NULL)
@@ -272,6 +283,9 @@ _hx509_Name_to_string(const Name *n, char **str)
ret = wind_ucs4utf8(uni, unilen, ss, NULL);
if (ret) {
free(ss);
+ free(oidname);
+ free(*str);
+ *str = NULL;
return ret;
}
ss[k] = '\0';
@@ -966,7 +980,7 @@ hx509_general_name_unparse(GeneralName *name, char **str)
char *s;
int ret;
memset(&dir, 0, sizeof(dir));
- dir.element = name->u.directoryName.element;
+ dir.element = (enum Name_enum)name->u.directoryName.element;
dir.u.rdnSequence = name->u.directoryName.u.rdnSequence;
ret = _hx509_unparse_Name(&dir, &s);
if (ret)
diff --git a/lib/hx509/print.c b/lib/hx509/print.c
index 1e8bcabfa7e9..4d2c3e2a421d 100644
--- a/lib/hx509/print.c
+++ b/lib/hx509/print.c
@@ -969,7 +969,7 @@ hx509_validate_cert(hx509_context context,
}
validate_print(ctx,
HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
- "checking extention: %s\n",
+ "checking extension: %s\n",
check_extension[j].name);
(*check_extension[j].func)(ctx,
&status,
@@ -977,7 +977,7 @@ hx509_validate_cert(hx509_context context,
&t->extensions->val[i]);
}
} else
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extentions\n");
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extensions\n");
if (status.isca) {
if (!status.haveSKI)
diff --git a/lib/hx509/ref/pkcs11.h b/lib/hx509/ref/pkcs11.h
index 2e6a1e3ed307..a294c5e94e5c 100644
--- a/lib/hx509/ref/pkcs11.h
+++ b/lib/hx509/ref/pkcs11.h
@@ -64,8 +64,9 @@ extern "C" {
(you may use a macro with a different name to keep track of your
versions). */
#define CRYPTOKI_VERSION_MAJOR 2
-#define CRYPTOKI_VERSION_MINOR 20
-#define CRYPTOKI_VERSION_REVISION 6
+#define CRYPTOKI_VERSION_MINOR 30
+#define CRYPTOKI_VERSION_REVISION 0
+#define CRYPTOKI_VERSION_AMENDMENT 0
/* Compatibility interface is default, unless CRYPTOKI_GNU is
@@ -91,7 +92,11 @@ extern "C" {
#else
+#if defined(CRYPTOKI_VISIBILITY) && defined(CRYPTOKI_EXPORTS)
+#define CK_SPEC __attribute__((visibility("default")))
+#else
#define CK_SPEC
+#endif
#endif
@@ -162,6 +167,34 @@ extern "C" {
#define min_key_size ulMinKeySize
#define max_key_size ulMaxKeySize
+#define hash_alg hashAlg
+#define source_data pSourceData
+#define source_data_len ulSourceDataLen
+
+#define slen sLen
+
+#define ck_ec_kdf_type_t CK_EC_KDF_TYPE
+
+#define shared_data_len ulSharedDataLen
+#define shared_data pSharedData
+#define public_data_len ulPublicDataLen
+#define public_data pPublicData
+
+#define private_data_len ulPrivateDataLen
+#define private_data hPrivateData
+#define public_data_len2 ulPublicDataLen2
+#define public_data2 pPublicData2
+
+#define public_key publicKey
+
+#define ck_x9_42_dh_kdf_type_t CK_X9_42_DH_KDF_TYPE
+
+#define other_info_len ulOtherInfoLen
+#define other_info pOtherInfo
+
+#define data pData
+#define len ulLen
+
#define ck_rv_t CK_RV
#define ck_notify_t CK_NOTIFY
@@ -205,7 +238,7 @@ struct ck_info
typedef unsigned long ck_notification_t;
#define CKN_SURRENDER (0)
-
+#define CKN_OTP_CHANGED (1)
typedef unsigned long ck_slot_id_t;
@@ -267,6 +300,7 @@ struct ck_token_info
#define CKF_SO_PIN_FINAL_TRY (1 << 21)
#define CKF_SO_PIN_LOCKED (1 << 22)
#define CKF_SO_PIN_TO_BE_CHANGED (1 << 23)
+#define CKF_ERROR_STATE (1 << 24)
#define CK_UNAVAILABLE_INFORMATION ((unsigned long) -1)
#define CK_EFFECTIVELY_INFINITE (0)
@@ -318,7 +352,8 @@ typedef unsigned long ck_object_class_t;
#define CKO_HW_FEATURE (5)
#define CKO_DOMAIN_PARAMETERS (6)
#define CKO_MECHANISM (7)
-#define CKO_VENDOR_DEFINED ((unsigned long) (1 << 31))
+#define CKO_OTP_KEY (8)
+#define CKO_VENDOR_DEFINED ((unsigned long) (1ul << 31))
typedef unsigned long ck_hw_feature_type_t;
@@ -326,7 +361,7 @@ typedef unsigned long ck_hw_feature_type_t;
#define CKH_MONOTONIC_COUNTER (1)
#define CKH_CLOCK (2)
#define CKH_USER_INTERFACE (3)
-#define CKH_VENDOR_DEFINED ((unsigned long) (1 << 31))
+#define CKH_VENDOR_DEFINED ((unsigned long) (1ul << 31))
typedef unsigned long ck_key_type_t;
@@ -346,6 +381,7 @@ typedef unsigned long ck_key_type_t;
#define CKK_DES3 (0x15)
#define CKK_CAST (0x16)
#define CKK_CAST3 (0x17)
+#define CKK_CAST5 (0x18)
#define CKK_CAST128 (0x18)
#define CKK_RC5 (0x19)
#define CKK_IDEA (0x1a)
@@ -356,7 +392,24 @@ typedef unsigned long ck_key_type_t;
#define CKK_AES (0x1f)
#define CKK_BLOWFISH (0x20)
#define CKK_TWOFISH (0x21)
-#define CKK_VENDOR_DEFINED ((unsigned long) (1 << 31))
+#define CKK_SECURID (0x22)
+#define CKK_HOTP (0x23)
+#define CKK_ACTI (0x24)
+#define CKK_CAMELLIA (0x25)
+#define CKK_ARIA (0x26)
+#define CKK_MD5_HMAC (0x27)
+#define CKK_SHA_1_HMAC (0x28)
+#define CKK_RIPEMD128_HMAC (0x29)
+#define CKK_RIPEMD160_HMAC (0x2A)
+#define CKK_SHA256_HMAC (0x2B)
+#define CKK_SHA384_HMAC (0x2C)
+#define CKK_SHA512_HMAC (0x2D)
+#define CKK_SHA224_HMAC (0x2E)
+#define CKK_SEED (0x2F)
+#define CKK_GOSTR3410 (0x30)
+#define CKK_GOSTR3411 (0x31)
+#define CKK_GOST28147 (0x32)
+#define CKK_VENDOR_DEFINED ((unsigned long) (1ul << 31))
typedef unsigned long ck_certificate_type_t;
@@ -364,8 +417,17 @@ typedef unsigned long ck_certificate_type_t;
#define CKC_X_509 (0)
#define CKC_X_509_ATTR_CERT (1)
#define CKC_WTLS (2)
-#define CKC_VENDOR_DEFINED ((unsigned long) (1 << 31))
+#define CKC_VENDOR_DEFINED ((unsigned long) (1ul << 31))
+#define CKC_OPENPGP (CKC_VENDOR_DEFINED|0x00504750)
+
+#define CK_OTP_FORMAT_DECIMAL (0)
+#define CK_OTP_FORMAT_HEXADECIMAL (1)
+#define CK_OTP_FORMAT_ALPHANUMERIC (2)
+#define CK_OTP_FORMAT_BINARY (3)
+#define CK_OTP_PARAM_IGNORED (0)
+#define CK_OTP_PARAM_OPTIONAL (1)
+#define CK_OTP_PARAM_MANDATORY (2)
typedef unsigned long ck_attribute_type_t;
@@ -388,6 +450,7 @@ typedef unsigned long ck_attribute_type_t;
#define CKA_URL (0x89)
#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY (0x8a)
#define CKA_HASH_OF_ISSUER_PUBLIC_KEY (0x8b)
+#define CKA_NAME_HASH_ALGORITHM (0x8c)
#define CKA_CHECK_VALUE (0x90)
#define CKA_KEY_TYPE (0x100)
#define CKA_SUBJECT (0x101)
@@ -418,6 +481,7 @@ typedef unsigned long ck_attribute_type_t;
#define CKA_BASE (0x132)
#define CKA_PRIME_BITS (0x133)
#define CKA_SUB_PRIME_BITS (0x134)
+#define CKA_SUBPRIME_BITS (0x134)
#define CKA_VALUE_BITS (0x160)
#define CKA_VALUE_LEN (0x161)
#define CKA_EXTRACTABLE (0x162)
@@ -426,6 +490,7 @@ typedef unsigned long ck_attribute_type_t;
#define CKA_ALWAYS_SENSITIVE (0x165)
#define CKA_KEY_GEN_MECHANISM (0x166)
#define CKA_MODIFIABLE (0x170)
+#define CKA_COPYABLE (0x171)
#define CKA_ECDSA_PARAMS (0x180)
#define CKA_EC_PARAMS (0x180)
#define CKA_EC_POINT (0x181)
@@ -433,6 +498,23 @@ typedef unsigned long ck_attribute_type_t;
#define CKA_AUTH_PIN_FLAGS (0x201)
#define CKA_ALWAYS_AUTHENTICATE (0x202)
#define CKA_WRAP_WITH_TRUSTED (0x210)
+#define CKA_OTP_FORMAT (0x220)
+#define CKA_OTP_LENGTH (0x221)
+#define CKA_OTP_TIME_INTERVAL (0x222)
+#define CKA_OTP_USER_FRIENDLY_MODE (0x223)
+#define CKA_OTP_CHALLENGE_REQUIREMENT (0x224)
+#define CKA_OTP_TIME_REQUIREMENT (0x225)
+#define CKA_OTP_COUNTER_REQUIREMENT (0x226)
+#define CKA_OTP_PIN_REQUIREMENT (0x227)
+#define CKA_OTP_COUNTER (0x22E)
+#define CKA_OTP_TIME (0x22F)
+#define CKA_OTP_USER_IDENTIFIER (0x22A)
+#define CKA_OTP_SERVICE_IDENTIFIER (0x22B)
+#define CKA_OTP_SERVICE_LOGO (0x22C)
+#define CKA_OTP_SERVICE_LOGO_TYPE (0x22D)
+#define CKA_GOSTR3410_PARAMS (0x250)
+#define CKA_GOSTR3411_PARAMS (0x251)
+#define CKA_GOST28147_PARAMS (0x252)
#define CKA_HW_FEATURE_TYPE (0x300)
#define CKA_RESET_ON_INIT (0x301)
#define CKA_HAS_RESET (0x302)
@@ -452,8 +534,9 @@ typedef unsigned long ck_attribute_type_t;
#define CKA_SUPPORTED_CMS_ATTRIBUTES (0x503)
#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x211)
#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x212)
+#define CKA_DERIVE_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x213)
#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE | 0x600)
-#define CKA_VENDOR_DEFINED ((unsigned long) (1 << 31))
+#define CKA_VENDOR_DEFINED ((unsigned long) (1ul << 31))
struct ck_attribute
@@ -492,6 +575,10 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_DSA_KEY_PAIR_GEN (0x10)
#define CKM_DSA (0x11)
#define CKM_DSA_SHA1 (0x12)
+#define CKM_DSA_SHA224 (0x13)
+#define CKM_DSA_SHA256 (0x14)
+#define CKM_DSA_SHA384 (0x15)
+#define CKM_DSA_SHA512 (0x16)
#define CKM_DH_PKCS_KEY_PAIR_GEN (0x20)
#define CKM_DH_PKCS_DERIVE (0x21)
#define CKM_X9_42_DH_KEY_PAIR_GEN (0x30)
@@ -504,6 +591,8 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_SHA256_RSA_PKCS_PSS (0x43)
#define CKM_SHA384_RSA_PKCS_PSS (0x44)
#define CKM_SHA512_RSA_PKCS_PSS (0x45)
+#define CKM_SHA224_RSA_PKCS (0x46)
+#define CKM_SHA224_RSA_PKCS_PSS (0x47)
#define CKM_RC2_KEY_GEN (0x100)
#define CKM_RC2_ECB (0x101)
#define CKM_RC2_CBC (0x102)
@@ -525,12 +614,18 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_DES3_MAC (0x134)
#define CKM_DES3_MAC_GENERAL (0x135)
#define CKM_DES3_CBC_PAD (0x136)
+#define CKM_DES3_CMAC_GENERAL (0x137)
+#define CKM_DES3_CMAC (0x138)
#define CKM_CDMF_KEY_GEN (0x140)
#define CKM_CDMF_ECB (0x141)
#define CKM_CDMF_CBC (0x142)
#define CKM_CDMF_MAC (0x143)
#define CKM_CDMF_MAC_GENERAL (0x144)
#define CKM_CDMF_CBC_PAD (0x145)
+#define CKM_DES_OFB64 (0x150)
+#define CKM_DES_OFB8 (0x151)
+#define CKM_DES_CFB64 (0x152)
+#define CKM_DES_CFB8 (0x153)
#define CKM_MD2 (0x200)
#define CKM_MD2_HMAC (0x201)
#define CKM_MD2_HMAC_GENERAL (0x202)
@@ -549,12 +644,21 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_SHA256 (0x250)
#define CKM_SHA256_HMAC (0x251)
#define CKM_SHA256_HMAC_GENERAL (0x252)
+#define CKM_SHA224 (0x255)
+#define CKM_SHA224_HMAC (0x256)
+#define CKM_SHA224_HMAC_GENERAL (0x257)
#define CKM_SHA384 (0x260)
#define CKM_SHA384_HMAC (0x261)
#define CKM_SHA384_HMAC_GENERAL (0x262)
#define CKM_SHA512 (0x270)
#define CKM_SHA512_HMAC (0x271)
#define CKM_SHA512_HMAC_GENERAL (0x272)
+#define CKM_SECURID_KEY_GEN (0x280)
+#define CKM_SECURID (0x282)
+#define CKM_HOTP_KEY_GEN (0x290)
+#define CKM_HOTP (0x291)
+#define CKM_ACTI (0x2A0)
+#define CKM_ACTI_KEY_GEN (0x2A1)
#define CKM_CAST_KEY_GEN (0x300)
#define CKM_CAST_ECB (0x301)
#define CKM_CAST_CBC (0x302)
@@ -605,11 +709,16 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_TLS_MASTER_KEY_DERIVE (0x375)
#define CKM_TLS_KEY_AND_MAC_DERIVE (0x376)
#define CKM_TLS_MASTER_KEY_DERIVE_DH (0x377)
+#define CKM_TLS_PRF (0x378)
#define CKM_SSL3_MD5_MAC (0x380)
#define CKM_SSL3_SHA1_MAC (0x381)
#define CKM_MD5_KEY_DERIVATION (0x390)
#define CKM_MD2_KEY_DERIVATION (0x391)
#define CKM_SHA1_KEY_DERIVATION (0x392)
+#define CKM_SHA256_KEY_DERIVATION (0x393)
+#define CKM_SHA384_KEY_DERIVATION (0x394)
+#define CKM_SHA512_KEY_DERIVATION (0x395)
+#define CKM_SHA224_KEY_DERIVATION (0x396)
#define CKM_PBE_MD2_DES_CBC (0x3a0)
#define CKM_PBE_MD5_DES_CBC (0x3a1)
#define CKM_PBE_MD5_CAST_CBC (0x3a2)
@@ -626,8 +735,43 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_PBE_SHA1_RC2_40_CBC (0x3ab)
#define CKM_PKCS5_PBKD2 (0x3b0)
#define CKM_PBA_SHA1_WITH_SHA1_HMAC (0x3c0)
+#define CKM_WTLS_PRE_MASTER_KEY_GEN (0x3d0)
+#define CKM_WTLS_MASTER_KEY_DERIVE (0x3d1)
+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC (0x3d2)
+#define CKM_WTLS_PRF (0x3d3)
+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE (0x3d4)
+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE (0x3d5)
#define CKM_KEY_WRAP_LYNKS (0x400)
#define CKM_KEY_WRAP_SET_OAEP (0x401)
+#define CKM_CMS_SIG (0x500)
+#define CKM_KIP_DERIVE (0x510)
+#define CKM_KIP_WRAP (0x511)
+#define CKM_KIP_MAC (0x512)
+#define CKM_CAMELLIA_KEY_GEN (0x550)
+#define CKM_CAMELLIA_ECB (0x551)
+#define CKM_CAMELLIA_CBC (0x552)
+#define CKM_CAMELLIA_MAC (0x553)
+#define CKM_CAMELLIA_MAC_GENERAL (0x554)
+#define CKM_CAMELLIA_CBC_PAD (0x555)
+#define CKM_CAMELLIA_ECB_ENCRYPT_DATA (0x556)
+#define CKM_CAMELLIA_CBC_ENCRYPT_DATA (0x557)
+#define CKM_CAMELLIA_CTR (0x558)
+#define CKM_ARIA_KEY_GEN (0x560)
+#define CKM_ARIA_ECB (0x561)
+#define CKM_ARIA_CBC (0x562)
+#define CKM_ARIA_MAC (0x563)
+#define CKM_ARIA_MAC_GENERAL (0x564)
+#define CKM_ARIA_CBC_PAD (0x565)
+#define CKM_ARIA_ECB_ENCRYPT_DATA (0x566)
+#define CKM_ARIA_CBC_ENCRYPT_DATA (0x567)
+#define CKM_SEED_KEY_GEN (0x650)
+#define CKM_SEED_ECB (0x651)
+#define CKM_SEED_CBC (0x652)
+#define CKM_SEED_MAC (0x653)
+#define CKM_SEED_MAC_GENERAL (0x654)
+#define CKM_SEED_CBC_PAD (0x655)
+#define CKM_SEED_ECB_ENCRYPT_DATA (0x656)
+#define CKM_SEED_CBC_ENCRYPT_DATA (0x657)
#define CKM_SKIPJACK_KEY_GEN (0x1000)
#define CKM_SKIPJACK_ECB64 (0x1001)
#define CKM_SKIPJACK_CBC64 (0x1002)
@@ -653,6 +797,10 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_EC_KEY_PAIR_GEN (0x1040)
#define CKM_ECDSA (0x1041)
#define CKM_ECDSA_SHA1 (0x1042)
+#define CKM_ECDSA_SHA224 (0x1043)
+#define CKM_ECDSA_SHA256 (0x1044)
+#define CKM_ECDSA_SHA384 (0x1045)
+#define CKM_ECDSA_SHA512 (0x1046)
#define CKM_ECDH1_DERIVE (0x1050)
#define CKM_ECDH1_COFACTOR_DERIVE (0x1051)
#define CKM_ECMQV_DERIVE (0x1052)
@@ -669,10 +817,48 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_AES_MAC (0x1083)
#define CKM_AES_MAC_GENERAL (0x1084)
#define CKM_AES_CBC_PAD (0x1085)
+#define CKM_AES_CTR (0x1086)
+#define CKM_AES_GCM (0x1087)
+#define CKM_AES_CCM (0x1088)
+#define CKM_AES_CTS (0x1089)
+#define CKM_AES_CMAC (0x108a)
+#define CKM_AES_CMAC_GENERAL (0x108b)
+#define CKM_BLOWFISH_KEY_GEN (0x1090)
+#define CKM_BLOWFISH_CBC (0x1091)
+#define CKM_TWOFISH_KEY_GEN (0x1092)
+#define CKM_TWOFISH_CBC (0x1093)
+#define CKM_BLOWFISH_CBC_PAD (0x1094)
+#define CKM_TWOFISH_CBC_PAD (0x1095)
+#define CKM_DES_ECB_ENCRYPT_DATA (0x1100)
+#define CKM_DES_CBC_ENCRYPT_DATA (0x1101)
+#define CKM_DES3_ECB_ENCRYPT_DATA (0x1102)
+#define CKM_DES3_CBC_ENCRYPT_DATA (0x1103)
+#define CKM_AES_ECB_ENCRYPT_DATA (0x1104)
+#define CKM_AES_CBC_ENCRYPT_DATA (0x1105)
+#define CKM_GOSTR3410_KEY_PAIR_GEN (0x1200)
+#define CKM_GOSTR3410 (0x1201)
+#define CKM_GOSTR3410_WITH_GOSTR3411 (0x1202)
+#define CKM_GOSTR3410_KEY_WRAP (0x1203)
+#define CKM_GOSTR3410_DERIVE (0x1204)
+#define CKM_GOSTR3411 (0x1210)
+#define CKM_GOSTR3411_HMAC (0x1211)
+#define CKM_GOST28147_KEY_GEN (0x1220)
+#define CKM_GOST28147_ECB (0x1221)
+#define CKM_GOST28147 (0x1222)
+#define CKM_GOST28147_MAC (0x1223)
+#define CKM_GOST28147_KEY_WRAP (0x1224)
#define CKM_DSA_PARAMETER_GEN (0x2000)
#define CKM_DH_PKCS_PARAMETER_GEN (0x2001)
#define CKM_X9_42_DH_PARAMETER_GEN (0x2002)
-#define CKM_VENDOR_DEFINED ((unsigned long) (1 << 31))
+#define CKM_AES_OFB (0x2104)
+#define CKM_AES_CFB64 (0x2105)
+#define CKM_AES_CFB8 (0x2106)
+#define CKM_AES_CFB128 (0x2107)
+#define CKM_AES_KEY_WRAP (0x2109)
+#define CKM_AES_KEY_WRAP_PAD (0x210a)
+#define CKM_RSA_PKCS_TPM_1_1 (0x4001)
+#define CKM_RSA_PKCS_OAEPTPM_1_1 (0x4002)
+#define CKM_VENDOR_DEFINED ((unsigned long) (1ul << 31))
struct ck_mechanism
@@ -703,8 +889,137 @@ struct ck_mechanism_info
#define CKF_WRAP (1 << 17)
#define CKF_UNWRAP (1 << 18)
#define CKF_DERIVE (1 << 19)
-#define CKF_EXTENSION ((unsigned long) (1 << 31))
+#define CKF_EC_F_P (1 << 20)
+#define CKF_EC_F_2M (1 << 21)
+#define CKF_EC_ECPARAMETERS (1 << 22)
+#define CKF_EC_NAMEDCURVE (1 << 23)
+#define CKF_EC_UNCOMPRESS (1 << 24)
+#define CKF_EC_COMPRESS (1 << 25)
+#define CKF_EXTENSION ((unsigned long) (1ul << 31))
+
+
+/* The following MGFs are defined */
+#define CKG_MGF1_SHA1 (0x00000001)
+#define CKG_MGF1_SHA256 (0x00000002)
+#define CKG_MGF1_SHA384 (0x00000003)
+#define CKG_MGF1_SHA512 (0x00000004)
+#define CKG_MGF1_SHA224 (0x00000005)
+
+#define CKZ_DATA_SPECIFIED (0x00000001)
+
+struct ck_rsa_pkcs_oaep_params {
+ ck_mechanism_type_t hash_alg;
+ unsigned long mgf;
+ unsigned long source;
+ void *source_data;
+ unsigned long source_data_len;
+};
+
+struct ck_rsa_pkcs_pss_params {
+ ck_mechanism_type_t hash_alg;
+ unsigned long mgf;
+ unsigned long slen;
+};
+
+typedef unsigned long ck_ec_kdf_type_t;
+
+/* The following EC Key Derivation Functions are defined */
+#define CKD_NULL (0x00000001)
+#define CKD_SHA1_KDF (0x00000002)
+
+struct ck_ecdh1_derive_params {
+ ck_ec_kdf_type_t kdf;
+ unsigned long shared_data_len;
+ unsigned char *shared_data;
+ unsigned long public_data_len;
+ unsigned char *public_data;
+};
+
+struct ck_ecdh2_derive_params {
+ ck_ec_kdf_type_t kdf;
+ unsigned long shared_data_len;
+ unsigned char *shared_data;
+ unsigned long public_data_len;
+ unsigned char *public_data;
+ unsigned long private_data_len;
+ ck_object_handle_t private_data;
+ unsigned long public_data_len2;
+ unsigned char *public_data2;
+};
+
+struct ck_ecmqv_derive_params {
+ ck_ec_kdf_type_t kdf;
+ unsigned long shared_data_len;
+ unsigned char *shared_data;
+ unsigned long public_data_len;
+ unsigned char *public_data;
+ unsigned long private_data_len;
+ ck_object_handle_t private_data;
+ unsigned long public_data_len2;
+ unsigned char *public_data2;
+ ck_object_handle_t public_key;
+};
+typedef unsigned long ck_x9_42_dh_kdf_type_t;
+
+/* The following X9.42 DH key derivation functions are defined */
+#define CKD_SHA1_KDF_ASN1 (0x00000003)
+#define CKD_SHA1_KDF_CONCATENATE (0x00000004)
+#define CKD_SHA224_KDF (0x00000005)
+#define CKD_SHA256_KDF (0x00000006)
+#define CKD_SHA384_KDF (0x00000007)
+#define CKD_SHA512_KDF (0x00000008)
+#define CKD_CPDIVERSIFY_KDF (0x00000009)
+
+struct ck_x9_42_dh1_derive_params {
+ ck_x9_42_dh_kdf_type_t kdf;
+ unsigned long other_info_len;
+ unsigned char *other_info;
+ unsigned long public_data_len;
+ unsigned char *public_data;
+};
+
+struct ck_x9_42_dh2_derive_params {
+ ck_x9_42_dh_kdf_type_t kdf;
+ unsigned long other_info_len;
+ unsigned char *other_info;
+ unsigned long public_data_len;
+ unsigned char *public_data;
+ unsigned long private_data_len;
+ ck_object_handle_t private_data;
+ unsigned long public_data_len2;
+ unsigned char *public_data2;
+};
+
+struct ck_x9_42_mqv_derive_params {
+ ck_x9_42_dh_kdf_type_t kdf;
+ unsigned long other_info_len;
+ unsigned char *other_info;
+ unsigned long public_data_len;
+ unsigned char *public_data;
+ unsigned long private_data_len;
+ ck_object_handle_t private_data;
+ unsigned long public_data_len2;
+ unsigned char *public_data2;
+ ck_object_handle_t public_key;
+};
+
+struct ck_des_cbc_encrypt_data_params {
+ unsigned char iv[8];
+ unsigned char *data;
+ unsigned long length;
+};
+
+struct ck_aes_cbc_encrypt_data_params {
+ unsigned char iv[16];
+ unsigned char *data;
+ unsigned long length;
+};
+
+struct ck_key_derivation_string_data {
+ unsigned char *data;
+ unsigned long len;
+};
/* Flags for C_WaitForSlotEvent. */
#define CKF_DONT_BLOCK (1)
@@ -1108,6 +1423,7 @@ struct ck_c_initialize_args
#define CKR_ATTRIBUTE_SENSITIVE (0x11)
#define CKR_ATTRIBUTE_TYPE_INVALID (0x12)
#define CKR_ATTRIBUTE_VALUE_INVALID (0x13)
+#define CKR_COPY_PROHIBITED (0x1A)
#define CKR_DATA_INVALID (0x20)
#define CKR_DATA_LEN_RANGE (0x21)
#define CKR_DEVICE_ERROR (0x30)
@@ -1178,8 +1494,15 @@ struct ck_c_initialize_args
#define CKR_CRYPTOKI_ALREADY_INITIALIZED (0x191)
#define CKR_MUTEX_BAD (0x1a0)
#define CKR_MUTEX_NOT_LOCKED (0x1a1)
+#define CKR_NEW_PIN_MODE (0x1b0)
+#define CKR_NEXT_OTP (0x1b1)
+#define CKR_EXCEEDED_MAX_ITERATIONS (0x1b5)
+#define CKR_FIPS_SELF_TEST_FAILED (0x1b6)
+#define CKR_LIBRARY_LOAD_FAILED (0x1b7)
+#define CKR_PIN_TOO_WEAK (0x1b8)
+#define CKR_PUBLIC_KEY_INVALID (0x1b9)
#define CKR_FUNCTION_REJECTED (0x200)
-#define CKR_VENDOR_DEFINED ((unsigned long) (1 << 31))
+#define CKR_VENDOR_DEFINED ((unsigned long) (1ul << 31))
@@ -1253,6 +1576,24 @@ typedef struct ck_mechanism *CK_MECHANISM_PTR;
typedef struct ck_mechanism_info CK_MECHANISM_INFO;
typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR;
+typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS;
+typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+typedef struct ck_rsa_pkcs_pss_params CK_RSA_PKCS_PSS_PARAMS;
+typedef struct ck_rsa_pkcs_pss_params *CK_RSA_PKCS_PSS_PARAMS_PTR;
+
+typedef struct ck_ecdh1_derive_params CK_ECDH1_DERIVE_PARAMS;
+typedef struct ck_ecdh1_derive_params *CK_ECDH1_DERIVE_PARAMS_PTR;
+
+typedef struct ck_des_cbc_encrypt_data_params CK_DES_CBC_ENCRYPT_DATA_PARAMS;
+typedef struct ck_des_cbc_encrypt_data_params *CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct ck_aes_cbc_encrypt_data_params CK_AES_CBC_ENCRYPT_DATA_PARAMS;
+typedef struct ck_aes_cbc_encrypt_data_params *CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct ck_key_derivation_string_data CK_KEY_DERIVATION_STRING_DATA;
+typedef struct ck_key_derivation_string_data *CK_KEY_DERIVATION_STRING_DATA_PTR;
+
typedef struct ck_function_list CK_FUNCTION_LIST;
typedef struct ck_function_list *CK_FUNCTION_LIST_PTR;
typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR;
@@ -1325,6 +1666,30 @@ typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR;
#undef min_key_size
#undef max_key_size
+#undef ck_rsa_pkcs_oaep_params
+#undef hash_alg
+#undef source_data
+#undef source_data_len
+#undef slen
+
+#undef ck_ec_kdf_type_t
+#undef shared_data_len
+#undef shared_data
+#undef public_data_len
+#undef public_data
+#undef private_data_len
+#undef private_data
+#undef public_data_len2
+#undef public_data2
+#undef public_key
+
+#undef ck_x9_42_dh_kdf_type_t
+#undef other_info_len
+#undef other_info
+
+#undef data
+#undef len
+
#undef ck_rv_t
#undef ck_notify_t
diff --git a/lib/hx509/revoke.c b/lib/hx509/revoke.c
index 29322807487c..a777226db29e 100644
--- a/lib/hx509/revoke.c
+++ b/lib/hx509/revoke.c
@@ -337,8 +337,10 @@ load_ocsp(hx509_context context, struct revoke_ocsp *ocsp)
return ret;
ret = stat(ocsp->path, &sb);
- if (ret)
+ if (ret) {
+ rk_xfree(data);
return errno;
+ }
ret = parse_ocsp_basic(data, length, &basic);
rk_xfree(data);
@@ -361,8 +363,8 @@ load_ocsp(hx509_context context, struct revoke_ocsp *ocsp)
for (i = 0; i < basic.certs->len; i++) {
hx509_cert c;
- ret = hx509_cert_init(context, &basic.certs->val[i], &c);
- if (ret)
+ c = hx509_cert_init(context, &basic.certs->val[i], NULL);
+ if (c == NULL)
continue;
ret = hx509_certs_add(context, certs, c);
@@ -561,36 +563,65 @@ out:
}
static int
-load_crl(const char *path, time_t *t, CRLCertificateList *crl)
+crl_parser(hx509_context context, const char *type,
+ const hx509_pem_header *header,
+ const void *data, size_t len, void *ctx)
{
- size_t length, size;
- struct stat sb;
- void *data;
+ CRLCertificateList *crl = (CRLCertificateList *)ctx;
+ size_t size;
int ret;
- memset(crl, 0, sizeof(*crl));
+ if (strcasecmp("X509 CRL", type) != 0)
+ return HX509_CRYPTO_SIG_INVALID_FORMAT;
- ret = rk_undumpdata(path, &data, &length);
+ ret = decode_CRLCertificateList(data, len, crl, &size);
if (ret)
return ret;
+ /* check signature is aligned */
+ if (crl->signatureValue.length & 7) {
+ free_CRLCertificateList(crl);
+ return HX509_CRYPTO_SIG_INVALID_FORMAT;
+ }
+
+ return 0;
+}
+
+static int
+load_crl(hx509_context context, const char *path, time_t *t, CRLCertificateList *crl)
+{
+ struct stat sb;
+ size_t length;
+ void *data;
+ FILE *f;
+ int ret;
+
+ memset(crl, 0, sizeof(*crl));
+
ret = stat(path, &sb);
if (ret)
return errno;
-
+
*t = sb.st_mtime;
+
+ if ((f = fopen(path, "r")) == NULL)
+ return errno;
- ret = decode_CRLCertificateList(data, length, crl, &size);
- rk_xfree(data);
- if (ret)
- return ret;
+ rk_cloexec_file(f);
- /* check signature is aligned */
- if (crl->signatureValue.length & 7) {
- free_CRLCertificateList(crl);
- return HX509_CRYPTO_SIG_INVALID_FORMAT;
+ ret = hx509_pem_read(context, f, crl_parser, crl);
+ fclose(f);
+
+ if (ret == HX509_PARSING_KEY_FAILED) {
+
+ ret = rk_undumpdata(path, &data, &length);
+ if (ret)
+ return ret;
+
+ ret = crl_parser(context, "X509 CRL", NULL, data, length, crl);
+ rk_xfree(data);
}
- return 0;
+ return ret;
}
/**
@@ -624,7 +655,7 @@ hx509_revoke_add_crl(hx509_context context,
path += 5;
for (i = 0; i < ctx->crls.len; i++) {
- if (strcmp(ctx->crls.val[0].path, path) == 0)
+ if (strcmp(ctx->crls.val[i].path, path) == 0)
return 0;
}
@@ -644,7 +675,8 @@ hx509_revoke_add_crl(hx509_context context,
return ENOMEM;
}
- ret = load_crl(path,
+ ret = load_crl(context,
+ path,
&ctx->crls.val[ctx->crls.len].last_modfied,
&ctx->crls.val[ctx->crls.len].crl);
if (ret) {
@@ -674,7 +706,6 @@ hx509_revoke_add_crl(hx509_context context,
* @ingroup hx509_revoke
*/
-
int
hx509_revoke_verify(hx509_context context,
hx509_revoke_ctx ctx,
@@ -781,7 +812,7 @@ hx509_revoke_verify(hx509_context context,
if (ret == 0 && crl->last_modfied != sb.st_mtime) {
CRLCertificateList cl;
- ret = load_crl(crl->path, &crl->last_modfied, &cl);
+ ret = load_crl(context, crl->path, &crl->last_modfied, &cl);
if (ret == 0) {
free_CRLCertificateList(&crl->crl);
crl->crl = cl;
@@ -1064,47 +1095,23 @@ printable_time(time_t t)
return s;
}
-/**
- * Print the OCSP reply stored in a file.
- *
- * @param context a hx509 context
- * @param path path to a file with a OCSP reply
- * @param out the out FILE descriptor to print the reply on
- *
- * @return An hx509 error code, see hx509_get_error_string().
+/*
*
- * @ingroup hx509_revoke
*/
-int
-hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
+static int
+print_ocsp(hx509_context context, struct revoke_ocsp *ocsp, FILE *out)
{
- struct revoke_ocsp ocsp;
- int ret;
+ int ret = 0;
size_t i;
- if (out == NULL)
- out = stdout;
-
- memset(&ocsp, 0, sizeof(ocsp));
-
- ocsp.path = strdup(path);
- if (ocsp.path == NULL)
- return ENOMEM;
-
- ret = load_ocsp(context, &ocsp);
- if (ret) {
- free_ocsp(&ocsp);
- return ret;
- }
-
fprintf(out, "signer: ");
- switch(ocsp.ocsp.tbsResponseData.responderID.element) {
+ switch(ocsp->ocsp.tbsResponseData.responderID.element) {
case choice_OCSPResponderID_byName: {
hx509_name n;
char *s;
- _hx509_name_from_Name(&ocsp.ocsp.tbsResponseData.responderID.u.byName, &n);
+ _hx509_name_from_Name(&ocsp->ocsp.tbsResponseData.responderID.u.byName, &n);
hx509_name_to_string(n, &s);
hx509_name_free(&n);
fprintf(out, " byName: %s\n", s);
@@ -1113,8 +1120,8 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
}
case choice_OCSPResponderID_byKey: {
char *s;
- hex_encode(ocsp.ocsp.tbsResponseData.responderID.u.byKey.data,
- ocsp.ocsp.tbsResponseData.responderID.u.byKey.length,
+ hex_encode(ocsp->ocsp.tbsResponseData.responderID.u.byKey.data,
+ ocsp->ocsp.tbsResponseData.responderID.u.byKey.length,
&s);
fprintf(out, " byKey: %s\n", s);
free(s);
@@ -1126,13 +1133,13 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
}
fprintf(out, "producedAt: %s\n",
- printable_time(ocsp.ocsp.tbsResponseData.producedAt));
+ printable_time(ocsp->ocsp.tbsResponseData.producedAt));
- fprintf(out, "replies: %d\n", ocsp.ocsp.tbsResponseData.responses.len);
+ fprintf(out, "replies: %d\n", ocsp->ocsp.tbsResponseData.responses.len);
- for (i = 0; i < ocsp.ocsp.tbsResponseData.responses.len; i++) {
+ for (i = 0; i < ocsp->ocsp.tbsResponseData.responses.len; i++) {
const char *status;
- switch (ocsp.ocsp.tbsResponseData.responses.val[i].certStatus.element) {
+ switch (ocsp->ocsp.tbsResponseData.responses.val[i].certStatus.element) {
case choice_OCSPCertStatus_good:
status = "good";
break;
@@ -1146,19 +1153,116 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
status = "element unknown";
}
- fprintf(out, "\t%zu. status: %s\n", i, status);
+ fprintf(out, "\t%llu. status: %s\n", (unsigned long long)i, status);
fprintf(out, "\tthisUpdate: %s\n",
- printable_time(ocsp.ocsp.tbsResponseData.responses.val[i].thisUpdate));
- if (ocsp.ocsp.tbsResponseData.responses.val[i].nextUpdate)
+ printable_time(ocsp->ocsp.tbsResponseData.responses.val[i].thisUpdate));
+ if (ocsp->ocsp.tbsResponseData.responses.val[i].nextUpdate)
fprintf(out, "\tproducedAt: %s\n",
- printable_time(ocsp.ocsp.tbsResponseData.responses.val[i].thisUpdate));
+ printable_time(ocsp->ocsp.tbsResponseData.responses.val[i].thisUpdate));
}
fprintf(out, "appended certs:\n");
- if (ocsp.certs)
- ret = hx509_certs_iter_f(context, ocsp.certs, hx509_ci_print_names, out);
+ if (ocsp->certs)
+ ret = hx509_certs_iter_f(context, ocsp->certs, hx509_ci_print_names, out);
+
+ return ret;
+}
+
+static int
+print_crl(hx509_context context, struct revoke_crl *crl, FILE *out)
+{
+ {
+ hx509_name n;
+ char *s;
+ _hx509_name_from_Name(&crl->crl.tbsCertList.issuer, &n);
+ hx509_name_to_string(n, &s);
+ hx509_name_free(&n);
+ fprintf(out, " issuer: %s\n", s);
+ free(s);
+ }
+
+ fprintf(out, " thisUpdate: %s\n",
+ printable_time(_hx509_Time2time_t(&crl->crl.tbsCertList.thisUpdate)));
+
+ return 0;
+}
+
+
+/*
+ *
+ */
+
+int
+hx509_revoke_print(hx509_context context,
+ hx509_revoke_ctx ctx,
+ FILE *out)
+{
+ int saved_ret = 0, ret;
+ size_t n;
+
+ for (n = 0; n < ctx->ocsps.len; n++) {
+ struct revoke_ocsp *ocsp = &ctx->ocsps.val[n];
+
+ fprintf(out, "OCSP %s\n", ocsp->path);
+
+ ret = print_ocsp(context, ocsp, out);
+ if (ret) {
+ fprintf(out, "failure printing OCSP: %d\n", ret);
+ saved_ret = ret;
+ }
+ }
+
+ for (n = 0; n < ctx->crls.len; n++) {
+ struct revoke_crl *crl = &ctx->crls.val[n];
+
+ fprintf(out, "CRL %s\n", crl->path);
+
+ ret = print_crl(context, crl, out);
+ if (ret) {
+ fprintf(out, "failure printing CRL: %d\n", ret);
+ saved_ret = ret;
+ }
+ }
+ return saved_ret;
+
+}
+
+/**
+ * Print the OCSP reply stored in a file.
+ *
+ * @param context a hx509 context
+ * @param path path to a file with a OCSP reply
+ * @param out the out FILE descriptor to print the reply on
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
+int
+hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
+{
+ struct revoke_ocsp ocsp;
+ int ret;
+
+ if (out == NULL)
+ out = stdout;
+
+ memset(&ocsp, 0, sizeof(ocsp));
+
+ ocsp.path = strdup(path);
+ if (ocsp.path == NULL)
+ return ENOMEM;
+
+ ret = load_ocsp(context, &ocsp);
+ if (ret) {
+ free_ocsp(&ocsp);
+ return ret;
+ }
+
+ ret = print_ocsp(context, &ocsp, out);
free_ocsp(&ocsp);
return ret;
diff --git a/lib/hx509/sel-gram.c b/lib/hx509/sel-gram.c
index 70d83d645db6..4d60c918f794 100644
--- a/lib/hx509/sel-gram.c
+++ b/lib/hx509/sel-gram.c
@@ -101,6 +101,18 @@
#include <stdlib.h>
#include <hx_locl.h>
+#if !defined(yylex)
+#define yylex _hx509_sel_yylex
+#define yywrap _hx509_sel_yywrap
+#endif
+#if !defined(yyparse)
+#define yyparse _hx509_sel_yyparse
+#define yyerror _hx509_sel_yyerror
+#define yylval _hx509_sel_yylval
+#define yychar _hx509_sel_yychar
+#define yydebug _hx509_sel_yydebug
+#define yynerrs _hx509_sel_yynerrs
+#endif
@@ -124,13 +136,13 @@
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
typedef union YYSTYPE
-#line 45 "sel-gram.y"
+#line 57 "sel-gram.y"
{
char *string;
struct hx_expr *expr;
}
/* Line 193 of yacc.c. */
-#line 134 "sel-gram.c"
+#line 146 "sel-gram.c"
YYSTYPE;
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1
@@ -143,7 +155,7 @@ typedef union YYSTYPE
/* Line 216 of yacc.c. */
-#line 147 "sel-gram.c"
+#line 159 "sel-gram.c"
#ifdef short
# undef short
@@ -435,9 +447,9 @@ static const yytype_int8 yyrhs[] =
/* YYRLINE[YYN] -- source line where rule number YYN was defined. */
static const yytype_uint8 yyrline[] =
{
- 0, 73, 73, 75, 76, 77, 78, 79, 80, 81,
- 84, 85, 88, 89, 90, 91, 92, 95, 96, 97,
- 98, 101, 102, 104, 107, 110, 112
+ 0, 85, 85, 87, 88, 89, 90, 91, 92, 93,
+ 96, 97, 100, 101, 102, 103, 104, 107, 108, 109,
+ 110, 113, 114, 116, 119, 122, 124
};
#endif
@@ -1367,136 +1379,136 @@ yyreduce:
switch (yyn)
{
case 2:
-#line 73 "sel-gram.y"
+#line 85 "sel-gram.y"
{ _hx509_expr_input.expr = (yyvsp[(1) - (1)].expr); }
break;
case 3:
-#line 75 "sel-gram.y"
+#line 87 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(op_TRUE, NULL, NULL); }
break;
case 4:
-#line 76 "sel-gram.y"
+#line 88 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(op_FALSE, NULL, NULL); }
break;
case 5:
-#line 77 "sel-gram.y"
+#line 89 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(op_NOT, (yyvsp[(2) - (2)].expr), NULL); }
break;
case 6:
-#line 78 "sel-gram.y"
+#line 90 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(op_AND, (yyvsp[(1) - (3)].expr), (yyvsp[(3) - (3)].expr)); }
break;
case 7:
-#line 79 "sel-gram.y"
+#line 91 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(op_OR, (yyvsp[(1) - (3)].expr), (yyvsp[(3) - (3)].expr)); }
break;
case 8:
-#line 80 "sel-gram.y"
+#line 92 "sel-gram.y"
{ (yyval.expr) = (yyvsp[(2) - (3)].expr); }
break;
case 9:
-#line 81 "sel-gram.y"
+#line 93 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(op_COMP, (yyvsp[(1) - (1)].expr), NULL); }
break;
case 10:
-#line 84 "sel-gram.y"
+#line 96 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(expr_WORDS, (yyvsp[(1) - (1)].expr), NULL); }
break;
case 11:
-#line 85 "sel-gram.y"
+#line 97 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(expr_WORDS, (yyvsp[(1) - (3)].expr), (yyvsp[(3) - (3)].expr)); }
break;
case 12:
-#line 88 "sel-gram.y"
+#line 100 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(comp_EQ, (yyvsp[(1) - (4)].expr), (yyvsp[(4) - (4)].expr)); }
break;
case 13:
-#line 89 "sel-gram.y"
+#line 101 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(comp_NE, (yyvsp[(1) - (4)].expr), (yyvsp[(4) - (4)].expr)); }
break;
case 14:
-#line 90 "sel-gram.y"
+#line 102 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(comp_TAILEQ, (yyvsp[(1) - (3)].expr), (yyvsp[(3) - (3)].expr)); }
break;
case 15:
-#line 91 "sel-gram.y"
+#line 103 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(comp_IN, (yyvsp[(1) - (5)].expr), (yyvsp[(4) - (5)].expr)); }
break;
case 16:
-#line 92 "sel-gram.y"
+#line 104 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(comp_IN, (yyvsp[(1) - (3)].expr), (yyvsp[(3) - (3)].expr)); }
break;
case 17:
-#line 95 "sel-gram.y"
+#line 107 "sel-gram.y"
{ (yyval.expr) = (yyvsp[(1) - (1)].expr); }
break;
case 18:
-#line 96 "sel-gram.y"
+#line 108 "sel-gram.y"
{ (yyval.expr) = (yyvsp[(1) - (1)].expr); }
break;
case 19:
-#line 97 "sel-gram.y"
+#line 109 "sel-gram.y"
{ (yyval.expr) = (yyvsp[(1) - (1)].expr); }
break;
case 20:
-#line 98 "sel-gram.y"
+#line 110 "sel-gram.y"
{ (yyval.expr) = (yyvsp[(1) - (1)].expr); }
break;
case 21:
-#line 101 "sel-gram.y"
+#line 113 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(expr_NUMBER, (yyvsp[(1) - (1)].string), NULL); }
break;
case 22:
-#line 102 "sel-gram.y"
+#line 114 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(expr_STRING, (yyvsp[(1) - (1)].string), NULL); }
break;
case 23:
-#line 104 "sel-gram.y"
+#line 116 "sel-gram.y"
{
(yyval.expr) = _hx509_make_expr(expr_FUNCTION, (yyvsp[(1) - (4)].string), (yyvsp[(3) - (4)].expr)); }
break;
case 24:
-#line 107 "sel-gram.y"
+#line 119 "sel-gram.y"
{ (yyval.expr) = (yyvsp[(3) - (4)].expr); }
break;
case 25:
-#line 110 "sel-gram.y"
+#line 122 "sel-gram.y"
{
(yyval.expr) = _hx509_make_expr(expr_VAR, (yyvsp[(1) - (3)].string), (yyvsp[(3) - (3)].expr)); }
break;
case 26:
-#line 112 "sel-gram.y"
+#line 124 "sel-gram.y"
{
(yyval.expr) = _hx509_make_expr(expr_VAR, (yyvsp[(1) - (1)].string), NULL); }
break;
/* Line 1267 of yacc.c. */
-#line 1500 "sel-gram.c"
+#line 1512 "sel-gram.c"
default: break;
}
YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
diff --git a/lib/hx509/sel-gram.h b/lib/hx509/sel-gram.h
index 13be3f9ab19c..9642ac7fdb12 100644
--- a/lib/hx509/sel-gram.h
+++ b/lib/hx509/sel-gram.h
@@ -66,7 +66,7 @@
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
typedef union YYSTYPE
-#line 45 "sel-gram.y"
+#line 57 "sel-gram.y"
{
char *string;
struct hx_expr *expr;
diff --git a/lib/hx509/sel-gram.y b/lib/hx509/sel-gram.y
index 7f7c9980e03b..7e9d4f26d9c2 100644
--- a/lib/hx509/sel-gram.y
+++ b/lib/hx509/sel-gram.y
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2008 Kungliga Tekniska Högskolan
+ * Copyright (c) 2017 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -39,6 +39,18 @@
#include <stdlib.h>
#include <hx_locl.h>
+#if !defined(yylex)
+#define yylex _hx509_sel_yylex
+#define yywrap _hx509_sel_yywrap
+#endif
+#if !defined(yyparse)
+#define yyparse _hx509_sel_yyparse
+#define yyerror _hx509_sel_yyerror
+#define yylval _hx509_sel_yylval
+#define yychar _hx509_sel_yychar
+#define yydebug _hx509_sel_yydebug
+#define yynerrs _hx509_sel_yynerrs
+#endif
%}
diff --git a/lib/hx509/sel-lex.c b/lib/hx509/sel-lex.c
index 51f1e8407807..c2044a435dc8 100644
--- a/lib/hx509/sel-lex.c
+++ b/lib/hx509/sel-lex.c
@@ -46,6 +46,7 @@ typedef int16_t flex_int16_t;
typedef uint16_t flex_uint16_t;
typedef int32_t flex_int32_t;
typedef uint32_t flex_uint32_t;
+typedef uint64_t flex_uint64_t;
#else
typedef signed char flex_int8_t;
typedef short int flex_int16_t;
@@ -354,7 +355,7 @@ static void yy_fatal_error (yyconst char msg[] );
*/
#define YY_DO_BEFORE_ACTION \
(yytext_ptr) = yy_bp; \
- yyleng = (size_t) (yy_cp - yy_bp); \
+ yyleng = (yy_size_t) (yy_cp - yy_bp); \
(yy_hold_char) = *yy_cp; \
*yy_cp = '\0'; \
(yy_c_buf_p) = yy_cp;
@@ -470,7 +471,7 @@ char *yytext;
#line 1 "sel-lex.l"
#line 2 "sel-lex.l"
/*
- * Copyright (c) 2004, 2008 Kungliga Tekniska Högskolan
+ * Copyright (c) 2004 - 2017 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -504,6 +505,11 @@ char *yytext;
/* $Id$ */
+#ifdef __GNUC__
+#pragma GCC diagnostic ignored "-Wunused-function"
+#endif
+
+
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
@@ -520,7 +526,6 @@ unsigned lineno = 1;
static char * handle_string(void);
static int lex_input(char *, int);
-static int lex_classic_input(void);
struct hx_expr_input _hx509_expr_input;
@@ -535,7 +540,7 @@ struct hx_expr_input _hx509_expr_input;
#undef ECHO
-#line 539 "sel-lex.c"
+#line 544 "sel-lex.c"
#define INITIAL 0
@@ -717,10 +722,10 @@ YY_DECL
register char *yy_cp, *yy_bp;
register int yy_act;
-#line 69 "sel-lex.l"
+#line 73 "sel-lex.l"
-#line 724 "sel-lex.c"
+#line 729 "sel-lex.c"
if ( !(yy_init) )
{
@@ -805,37 +810,37 @@ do_action: /* This label is used only to access EOF actions. */
case 1:
YY_RULE_SETUP
-#line 71 "sel-lex.l"
+#line 75 "sel-lex.l"
{ return kw_TRUE; }
YY_BREAK
case 2:
YY_RULE_SETUP
-#line 72 "sel-lex.l"
+#line 76 "sel-lex.l"
{ return kw_FALSE; }
YY_BREAK
case 3:
YY_RULE_SETUP
-#line 73 "sel-lex.l"
+#line 77 "sel-lex.l"
{ return kw_AND; }
YY_BREAK
case 4:
YY_RULE_SETUP
-#line 74 "sel-lex.l"
+#line 78 "sel-lex.l"
{ return kw_OR; }
YY_BREAK
case 5:
YY_RULE_SETUP
-#line 75 "sel-lex.l"
+#line 79 "sel-lex.l"
{ return kw_IN; }
YY_BREAK
case 6:
YY_RULE_SETUP
-#line 76 "sel-lex.l"
+#line 80 "sel-lex.l"
{ return kw_TAILMATCH; }
YY_BREAK
case 7:
YY_RULE_SETUP
-#line 78 "sel-lex.l"
+#line 82 "sel-lex.l"
{
yylval.string = strdup ((const char *)yytext);
return IDENTIFIER;
@@ -843,31 +848,31 @@ YY_RULE_SETUP
YY_BREAK
case 8:
YY_RULE_SETUP
-#line 82 "sel-lex.l"
+#line 86 "sel-lex.l"
{ yylval.string = handle_string(); return STRING; }
YY_BREAK
case 9:
/* rule 9 can match eol */
YY_RULE_SETUP
-#line 83 "sel-lex.l"
+#line 87 "sel-lex.l"
{ ++lineno; }
YY_BREAK
case 10:
YY_RULE_SETUP
-#line 84 "sel-lex.l"
+#line 88 "sel-lex.l"
{ return *yytext; }
YY_BREAK
case 11:
YY_RULE_SETUP
-#line 85 "sel-lex.l"
+#line 89 "sel-lex.l"
;
YY_BREAK
case 12:
YY_RULE_SETUP
-#line 86 "sel-lex.l"
+#line 90 "sel-lex.l"
ECHO;
YY_BREAK
-#line 871 "sel-lex.c"
+#line 876 "sel-lex.c"
case YY_STATE_EOF(INITIAL):
yyterminate();
@@ -1864,7 +1869,7 @@ void yyfree (void * ptr )
#define YYTABLES_NAME "yytables"
-#line 86 "sel-lex.l"
+#line 90 "sel-lex.l"
@@ -1899,6 +1904,10 @@ handle_string(void)
return strdup(x);
}
+#if !defined(yywrap)
+#define yywrap _hx509_sel_yywrap
+#endif
+
int
yywrap ()
{
diff --git a/lib/hx509/sel-lex.l b/lib/hx509/sel-lex.l
index bb7e8374c7d1..f401e40e3601 100644
--- a/lib/hx509/sel-lex.l
+++ b/lib/hx509/sel-lex.l
@@ -1,6 +1,6 @@
%{
/*
- * Copyright (c) 2004, 2008 Kungliga Tekniska Högskolan
+ * Copyright (c) 2004 - 2017 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -34,6 +34,11 @@
/* $Id$ */
+#ifdef __GNUC__
+#pragma GCC diagnostic ignored "-Wunused-function"
+#endif
+
+
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
@@ -50,7 +55,6 @@ unsigned lineno = 1;
static char * handle_string(void);
static int lex_input(char *, int);
-static int lex_classic_input(void);
struct hx_expr_input _hx509_expr_input;
@@ -116,6 +120,10 @@ handle_string(void)
return strdup(x);
}
+#if !defined(yywrap)
+#define yywrap _hx509_sel_yywrap
+#endif
+
int
yywrap ()
{
diff --git a/lib/hx509/sel.h b/lib/hx509/sel.h
index 177ec0a65b27..52a84d31c5ae 100644
--- a/lib/hx509/sel.h
+++ b/lib/hx509/sel.h
@@ -67,14 +67,18 @@ struct hx_expr_input {
extern struct hx_expr_input _hx509_expr_input;
-#define yyparse _hx509_sel_yyparse
+#if !defined(yylex)
#define yylex _hx509_sel_yylex
+#define yywrap _hx509_sel_yywrap
+#endif
+#if !defined(yyparse)
+#define yyparse _hx509_sel_yyparse
#define yyerror _hx509_sel_yyerror
#define yylval _hx509_sel_yylval
#define yychar _hx509_sel_yychar
#define yydebug _hx509_sel_yydebug
#define yynerrs _hx509_sel_yynerrs
-#define yywrap _hx509_sel_yywrap
+#endif
int _hx509_sel_yyparse(void);
int _hx509_sel_yylex(void);
diff --git a/lib/hx509/softp11.c b/lib/hx509/softp11.c
index 38f587e0fea2..f93863b7c980 100644
--- a/lib/hx509/softp11.c
+++ b/lib/hx509/softp11.c
@@ -34,7 +34,7 @@
#define CRYPTOKI_EXPORTS 1
#include "hx_locl.h"
-#include "pkcs11.h"
+#include "ref/pkcs11.h"
#define OBJECT_ID_MASK 0xfff
#define HANDLE_OBJECT_ID(h) ((h) & OBJECT_ID_MASK)
@@ -543,6 +543,8 @@ add_cert(hx509_context hxctx, void *ctx, hx509_cert cert)
CK_FLAGS flags;
type = CKO_PRIVATE_KEY;
+
+ /* Note to static analyzers: `o' is still referred to via globals */
o = add_st_object();
if (o == NULL) {
ret = CKR_DEVICE_MEMORY;
@@ -593,6 +595,7 @@ add_cert(hx509_context hxctx, void *ctx, hx509_cert cert)
hx509_xfree(issuer_data.data);
hx509_xfree(subject_data.data);
+ /* Note to static analyzers: `o' is still referred to via globals */
return 0;
}
@@ -615,7 +618,11 @@ add_certificate(const char *cert_file,
if (pin) {
char *str;
- asprintf(&str, "PASS:%s", pin);
+ ret = asprintf(&str, "PASS:%s", pin);
+ if (ret == -1 || !str) {
+ st_logf("failed to allocate memory\n");
+ return CKR_GENERAL_ERROR;
+ }
hx509_lock_init(context, &lock);
hx509_lock_command_string(lock, str);
@@ -815,6 +822,7 @@ get_config_file_for_user(void)
#ifndef _WIN32
char *home = NULL;
+ int ret;
if (!issuid()) {
fn = getenv("SOFTPKCS11RC");
@@ -828,9 +836,11 @@ get_config_file_for_user(void)
home = pw->pw_dir;
}
if (fn == NULL) {
- if (home)
- asprintf(&fn, "%s/.soft-token.rc", home);
- else
+ if (home) {
+ ret = asprintf(&fn, "%s/.soft-token.rc", home);
+ if (ret == -1)
+ fn = NULL;
+ } else
fn = strdup("/etc/soft-token.rc");
}
#else /* Windows */
@@ -1077,7 +1087,7 @@ C_GetMechanismList(CK_SLOT_ID slotID,
*pulCount = 1;
if (pMechanismList == NULL_PTR)
return CKR_OK;
- pMechanismList[1] = CKM_RSA_PKCS;
+ pMechanismList[0] = CKM_RSA_PKCS;
return CKR_OK;
}
@@ -1205,8 +1215,13 @@ C_Login(CK_SESSION_HANDLE hSession,
VERIFY_SESSION_HANDLE(hSession, NULL);
if (pPin != NULL_PTR) {
- asprintf(&pin, "%.*s", (int)ulPinLen, pPin);
- st_logf("type: %d password: %s\n", (int)userType, pin);
+ int aret;
+
+ aret = asprintf(&pin, "%.*s", (int)ulPinLen, pPin);
+ if (aret != -1 && pin)
+ st_logf("type: %d password: %s\n", (int)userType, pin);
+ else
+ st_logf("memory error: asprintf failed\n");
}
/*
diff --git a/lib/hx509/test_ca.in b/lib/hx509/test_ca.in
index 2ca294ea79e9..0264116bbe69 100644
--- a/lib/hx509/test_ca.in
+++ b/lib/hx509/test_ca.in
@@ -421,4 +421,32 @@ ${hxtool} verify --missing-revoke \
cert:FILE:cert-ee.pem \
anchor:FILE:cert-ca.pem > /dev/null || exit 1
+echo "+++++++++++ test sigalg"
+
+echo "issue cert with sha256"
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:cert-ca.pem \
+ --signature-algorithm=rsa-with-sha256 \
+ --subject="cn=foo" \
+ --req="PKCS10:pkcs10-request.der" \
+ --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "verify certificate"
+${hxtool} verify --missing-revoke \
+ cert:FILE:cert-ee.pem \
+ anchor:FILE:cert-ca.pem > /dev/null || exit 1
+
+echo "issue cert with sha1"
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:cert-ca.pem \
+ --signature-algorithm=rsa-with-sha1 \
+ --subject="cn=foo" \
+ --req="PKCS10:pkcs10-request.der" \
+ --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "verify certificate"
+${hxtool} verify --missing-revoke \
+ cert:FILE:cert-ee.pem \
+ anchor:FILE:cert-ca.pem > /dev/null || exit 1
+
exit 0
diff --git a/lib/hx509/test_cert.in b/lib/hx509/test_cert.in
index 6cbf21bf0571..5fa14d0f8397 100644
--- a/lib/hx509/test_cert.in
+++ b/lib/hx509/test_cert.in
@@ -46,7 +46,7 @@ if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
fi
echo "print DIR"
-${hxtool} print --content DIR:$srcdir/data > /dev/null || exit 1
+${hxtool} print --content DIR:$srcdir/data > /dev/null 2>/dev/null || exit 1
echo "print FILE"
for a in $srcdir/data/*.crt; do
diff --git a/lib/hx509/test_chain.in b/lib/hx509/test_chain.in
index df551d9c0a93..b8c8cf527684 100644
--- a/lib/hx509/test_chain.in
+++ b/lib/hx509/test_chain.in
@@ -192,13 +192,13 @@ if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then
else
echo "eccert -> root"
${hxtool} verify --missing-revoke \
- cert:FILE:$srcdir/data/secp160r2TestServer.cert.pem \
- anchor:FILE:$srcdir/data/secp160r1TestCA.cert.pem > /dev/null || exit 1
+ cert:FILE:$srcdir/data/secp256r2TestServer.cert.pem \
+ anchor:FILE:$srcdir/data/secp256r1TestCA.cert.pem > /dev/null || exit 1
echo "eccert -> root"
${hxtool} verify --missing-revoke \
- cert:FILE:$srcdir/data/secp160r2TestClient.cert.pem \
- anchor:FILE:$srcdir/data/secp160r1TestCA.cert.pem > /dev/null || exit 1
+ cert:FILE:$srcdir/data/secp256r2TestClient.cert.pem \
+ anchor:FILE:$srcdir/data/secp256r1TestCA.cert.pem > /dev/null || exit 1
fi
echo "proxy cert"
diff --git a/lib/hx509/test_cms.in b/lib/hx509/test_cms.in
index d519d25a22b2..8b3de76efd6b 100644
--- a/lib/hx509/test_cms.in
+++ b/lib/hx509/test_cms.in
@@ -53,15 +53,15 @@ if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then
else
echo "create signed data (ec)"
${hxtool} cms-create-sd \
- --certificate=FILE:$srcdir/data/secp160r2TestClient.pem \
- "$srcdir/test_chain.in" \
- sd.data > /dev/null || exit 1
+ --certificate=FILE:$srcdir/data/secp256r2TestClient.pem \
+ "$srcdir/test_chain.in" \
+ sd.data > /dev/null || exit 1
echo "verify signed data (ec)"
${hxtool} cms-verify-sd \
- --missing-revoke \
- --anchors=FILE:$srcdir/data/secp160r1TestCA.cert.pem \
- sd.data sd.data.out > /dev/null || exit 1
+ --missing-revoke \
+ --anchors=FILE:$srcdir/data/secp256r1TestCA.cert.pem \
+ sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_chain.in" sd.data.out || exit 1
fi
diff --git a/lib/hx509/test_name.c b/lib/hx509/test_name.c
index d932221ddf04..9d21a7f65b03 100644
--- a/lib/hx509/test_name.c
+++ b/lib/hx509/test_name.c
@@ -319,14 +319,14 @@ test_compare(hx509_context context)
/* check transative properties of name compare function */
- ret = hx509_cert_init_data(context, certdata1, sizeof(certdata1) - 1, &c1);
- if (ret) return 1;
-
- ret = hx509_cert_init_data(context, certdata2, sizeof(certdata2) - 1, &c2);
- if (ret) return 1;
-
- ret = hx509_cert_init_data(context, certdata3, sizeof(certdata3) - 1, &c3);
- if (ret) return 1;
+ c1 = hx509_cert_init_data(context, certdata1, sizeof(certdata1) - 1, NULL);
+ if (c1 == NULL) return 1;
+
+ c2 = hx509_cert_init_data(context, certdata2, sizeof(certdata2) - 1, NULL);
+ if (c2 == NULL) return 1;
+
+ c3 = hx509_cert_init_data(context, certdata3, sizeof(certdata3) - 1, NULL);
+ if (c3 == NULL) return 1;
ret = compare_subject(c1, c1, &l0);
if (ret) return 1;
diff --git a/lib/hx509/test_soft_pkcs11.c b/lib/hx509/test_soft_pkcs11.c
index c8fc2448ee76..cdffcf803b0e 100644
--- a/lib/hx509/test_soft_pkcs11.c
+++ b/lib/hx509/test_soft_pkcs11.c
@@ -32,7 +32,7 @@
*/
#include "hx_locl.h"
-#include "pkcs11.h"
+#include "ref/pkcs11.h"
#include <err.h>
static CK_FUNCTION_LIST_PTR func;
diff --git a/lib/hx509/version-script.map b/lib/hx509/version-script.map
index b05198c42c5d..f040cd834496 100644
--- a/lib/hx509/version-script.map
+++ b/lib/hx509/version-script.map
@@ -23,7 +23,6 @@ HEIMDAL_X509_1.2 {
_hx509_request_print;
_hx509_request_set_email;
_hx509_request_to_pkcs10;
- _hx509_request_to_pkcs10;
_hx509_unmap_file_os;
_hx509_write_file;
hx509_bitstring_print;
@@ -209,6 +208,7 @@ HEIMDAL_X509_1.2 {
hx509_revoke_init;
hx509_revoke_ocsp_print;
hx509_revoke_verify;
+ hx509_revoke_print;
hx509_set_error_string;
hx509_set_error_stringv;
hx509_signature_md5;
@@ -248,3 +248,8 @@ HEIMDAL_X509_1.2 {
*;
};
+HEIMDAL_X509_1.3 {
+ global:
+ hx509_ca_tbs_set_signature_algorithm;
+};
+