New commits:
commit 049089c99b6143a90410a8fa7a41f21dbb2ff2f3
Merge: 239b9ee091 fa2a4bda83
Author: Andrew Cagney <[email protected]>
Date: Sat Mar 8 11:04:43 2025 -0500
testing x509: use NSS to generate Extended Key Usage (EKU) certs
This replaces the OpenSSL certs and tests.
Note: this also hobbles the non ipsecIKE profiles per #2075 config
option to allow non-ipsecIKE x.509 profile an option is needed to
re-enable these
close #2078 add EKU id-kp-ipsecIKE or anyExtendedKeyUsage, and
eku-somethingelse
Merge commit 'fa2a4bda83d7b9ba08c2d5aa56bf16ca903e40ae'
commit fa2a4bda83d7b9ba08c2d5aa56bf16ca903e40ae
Author: Andrew Cagney <[email protected]>
Date: Sat Mar 8 10:07:13 2025 -0500
testing x509: drop EKU certs in dist_certs.py
commit 3a46f60aef27c1a29fcf8597b5363ba28fe5d731
Author: Andrew Cagney <[email protected]>
Date: Sat Mar 8 10:08:18 2025 -0500
testing x509: add x509-profile-02-extended-key-usage
Test extended key usage (EKU) using:
west-eku-missing
west-eku-ipsecIKE
west-eku-x509Any
west-eku-serverAuth
west-eku-clientAuth
west-eku-codeSigning
west-eku-ipsecIKE-codeSigning
Notes:
- west-eku-missing is included for completeness
the basic certs do not contain an EKU; but should
that change ...
- west-eku-{server,client}Auth are expected to fail
getting them to pass requires a config option
- west-ekuBOGUS is dropped, it contained serverAuth,clientAuth
If it were unknown, it would be covered by west-eku-codeSigning.
If it were corrupt, it would be NSS's problem.
- critical is dropped
It should only make a difference when NSS doesn't support a
critical payload; but NSS supports these Extended Key Usage
payloads.
this replaces tests in:
ikev2-x509-02-eku and
ikev2-x509-26-criticalflag
ikev2-x509-26-criticalflag-clientAuth
ikev2-x509-02-smoketest
commit 89717fcf3d0a2b4e63583ae69e65ef420143c5c5
Author: Andrew Cagney <[email protected]>
Date: Sat Mar 8 09:59:55 2025 -0500
testing x509: use NSS to generate various Extended Key Usage (EKU) certs
that is:
west-eku-missing
west-eku-ipsecIKE
west-eku-x509Any
west-eku-serverAuth
west-eku-clientAuth
west-eku-codeSigning
west-eku-ipsecIKE-codeSigning
Notes:
- west-eku-missing is redundant
since the basic certs, per RFC, do not include EKU
it's included for completeness
- west-eku-{serverAuth,clientAuth} need config option
by default they should not be accepted
commit 62213f193929184a56062756f922bf2ffd18575e
Author: Andrew Cagney <[email protected]>
Date: Sat Mar 8 09:57:57 2025 -0500
x509: hobble non-ipsecIKE profiles
see #2075 only allow IPsec cert profile by default
need a global option to enable it
_______________________________________________
Swan-commit mailing list -- [email protected]
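The acceptance rule these tests exercise, as an added example that is not libreswan's code or part of the commit messages: a certificate with no EKU extension, or one listing id-kp-ipsecIKE or anyExtendedKeyUsage, is accepted for IKE (the RFC 4945 rule), and any other EKU set is rejected. The `allow_tls_eku` flag is a hypothetical stand-in for the config option the messages mention, the EKU lists are constructed from the certificate names, and `west-eku-x509Any` is assumed to mean anyExtendedKeyUsage.

```python
"""Added illustration (not libreswan code): EKU acceptance for IKE peer certs."""

# Standard extended key usage OIDs.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
IPSEC_IKE = "1.3.6.1.5.5.7.3.17"          # id-kp-ipsecIKE
ANY_EKU = "2.5.29.37.0"                   # anyExtendedKeyUsage

IKE_EKUS = frozenset({IPSEC_IKE, ANY_EKU})
TLS_EKUS = frozenset({SERVER_AUTH, CLIENT_AUTH})


def eku_acceptable_for_ike(eku_oids, allow_tls_eku=False):
    """Return True if a peer certificate's EKU extension permits IKE use.

    eku_oids is None when the extension is absent, otherwise the OIDs it lists.
    allow_tls_eku is a hypothetical stand-in for the config option the commit
    messages say is needed to accept serverAuth/clientAuth certificates.
    """
    if eku_oids is None:
        return True                        # no EKU extension: unrestricted
    present = set(eku_oids)
    if present & IKE_EKUS:
        return True                        # ipsecIKE or anyExtendedKeyUsage listed
    if allow_tls_eku and present & TLS_EKUS:
        return True                        # opt-in only, off by default
    return False                           # EKU present but names other purposes


# Constructed EKU lists for the certificate names in the commit messages.
# Assumption: "x509Any" denotes anyExtendedKeyUsage.
TEST_CERTS = {
    "west-eku-missing": None,
    "west-eku-ipsecIKE": [IPSEC_IKE],
    "west-eku-x509Any": [ANY_EKU],
    "west-eku-serverAuth": [SERVER_AUTH],
    "west-eku-clientAuth": [CLIENT_AUTH],
    "west-eku-codeSigning": [CODE_SIGNING],
    "west-eku-ipsecIKE-codeSigning": [IPSEC_IKE, CODE_SIGNING],
}


def evaluate(allow_tls_eku=False):
    """Map each test certificate name to its accept/reject decision."""
    return {name: eku_acceptable_for_ike(ekus, allow_tls_eku)
            for name, ekus in TEST_CERTS.items()}


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:32} {'accept' if ok else 'reject'}")
```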