Release 4.2.0
Fixed
The CA tests' SetUp was changed so that the objects involved no longer depend on the time
at which they are constructed. That time dependence led to problems where the object of the
CA class had its notBefore attribute set to a greater value than the notBefore of the CA's
certificate, which should never happen. This subtle bug in the test SetUp has a greater
chance of appearing when running in slower environments, e.g., qemu.
Added
Exceptions with better error messages were added to the sanity check section of the
CertificateAuthority::_signCSR function. This provides a better understanding of the
scenarios which we don't allow:
- The issued certificate has a greater notAfter attribute than the CA's certificate (the
  issued certificate's validity period should not exceed the issuing certificate's
  validity period).
- The CA's notBefore is larger than the issued certificate's notBefore. This results in
  issued certificates that are valid before the issuing certificate, which should never
  happen.
This is not a behavior change in the library in the sense that a certificate that was issued
before won't be issued anymore. Certificates with these properties were already rejected
by CertificateAuthority::signCSR but with a rather misleading and generic error message.
This change just improves the error reporting.
Clang-Format has been applied to the existing code base of MoCOCrW and a .clang-format
file has been included to format the code of future PRs.
A foundational PKCS#11 HSM interface, based on OpenSSL's ENGINE API, has been introduced
to MoCOCrW. This functionality is disabled by default. See README to get more
information on how to enable it.
Currently, the following functionality is supported:
- Loading Public Keys
- Loading Private Keys
- Generating EC and RSA keypairs
Post Quantum Cryptography support has been added. Dilithium
is used to offer signing and verification functionality. Please note that the API is
provisional as there is currently no OpenSSL support for Dilithium. This library intends to
switch to an OpenSSL implementation once available. As a consequence of this, the interfaces
around Dilithium are subject to future changes. We support Dilithium for experimentation and
getting early hands-on experience, but we discourage using it as it's not yet standardized.
This functionality is disabled by default. See README to get more
information on how to enable it.
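The two validity-period rules listed above for the CertificateAuthority::_signCSR sanity checks, shown as an added example that is not MoCOCrW's own code and that generalizes the check from a single CA/certificate pair to a whole chain. The `Validity` struct, the function names, the message texts and the sample chain are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for a certificate's validity period (not a MoCOCrW type).
// Times are seconds since the Unix epoch.
struct Validity {
    std::string subject;
    std::int64_t notBefore;
    std::int64_t notAfter;
};

// Throws with a message naming the violated bound instead of one generic error.
void checkIssuedWithinIssuer(const Validity& issuer, const Validity& issued) {
    if (issuer.notBefore > issued.notBefore)
        throw std::invalid_argument(issued.subject + ": notBefore is earlier than notBefore of issuer " + issuer.subject);
    if (issued.notAfter > issuer.notAfter)
        throw std::invalid_argument(issued.subject + ": notAfter exceeds notAfter of issuer " + issuer.subject);
}

// Generalization: walk a chain ordered root first and return the first
// violation found, or an empty string if every link is nested correctly.
std::string firstViolation(const std::vector<Validity>& chain) {
    try {
        for (std::size_t i = 1; i < chain.size(); ++i)
            checkIssuedWithinIssuer(chain[i - 1], chain[i]);
    } catch (const std::invalid_argument& e) {
        return e.what();
    }
    return "";
}

// Constructed sample data. All times derive from one fixed base rather than
// the system clock, so the outcome does not depend on how fast the code runs.
constexpr std::int64_t kBase = 1700000000;
constexpr std::int64_t kDay = 86400;

std::vector<Validity> sampleChain(std::int64_t leafStartOffset, std::int64_t leafLifetime) {
    return {
        {"root", kBase, kBase + 3650 * kDay},
        {"intermediate", kBase + kDay, kBase + 1825 * kDay},
        {"leaf", kBase + kDay + leafStartOffset, kBase + kDay + leafStartOffset + leafLifetime},
    };
}

int main() { std::puts(firstViolation(sampleChain(-60, 365 * kDay)).c_str()); }
```

Equal bounds are accepted here because the rules above reject only a greater notAfter or a larger CA notBefore.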