IABSD.fr/src/lib/libcrypto

Branch :


Log

Author Commit Date CI Message
db2f1604 2021-11-28 17:40:14 document ASN1_tag2bit(3)
3da41355 2021-11-28 15:48:12 Document ASN1_object_size(3). While here, * call the function arguments "content_length" rather than just "length" to make it less likely that the reader confuses them with the total length returned by ASN1_object_size(3); * state that only the short form is supported for content_length <= 127; * add the missing STANDARDS section.
edff0b5c 2021-11-28 14:32:34 mark ASN1_check_infinite_end() and ASN1_const_check_infinite_end() as intentionally undocumented
aa287722 2021-11-27 16:18:03 new manual page BIO_f_asn1(3)
a925b4f7 2021-11-27 13:10:33 Fix incomplete initialization bug: BIO_new(BIO_f_asn1()) neglected initializing five of the fields in BIO_ASN1_BUF_CTX (prefix, prefix_free, suffix, suffix_free, ex_arg), inviting a segfault in a subsequent call from the application program to BIO_write(3) because subroutines of that function assume that the function pointers are either NULL or valid. Fix this by using the less error-prone calloc(3) idiom. While here, inline asn1_bio_init() at the only call site in asn1_bio_new() to simplify the code and make it easier to read. Bug found and initial patch by me, this version (with inlining) by and OK tb@.
729b1800 2021-11-26 13:48:21 spelling ok schwarze@
d3c5691d 2021-11-26 13:35:10 after the bugfix in x509_vfy.c rev. 1.100, replace the BUGS section with a shorter CAVEATS section
02c71f02 2021-11-26 13:17:09 Bugfix in X509_get_pubkey_parameters(3): If EVP_PKEY_copy_parameters(3) fails - among other reasons, this may happen when out of memory - the pkey argument and/or the chain argument will not contain all the desired parameters after returning. Consequently, report the failure to the caller rather than silently ignoring it. OK tb@
9c40052c 2021-11-26 13:05:03 Simplify the code in X509_get_pubkey_parameters(3) by using X509_get0_pubkey(3) instead of X509_get_pubkey(3); no functional change. OK tb@ This is similar to the relevant part of the follwoing commit from the OpenSSL 1.1.1 branch, which is still under a free licence, but without the bug that commit introduced into this function in OpenSSL: commit c01ff880d47392b82cce2f93ac4a9bb8c68f8cc7 Author: Dr. Stephen Henson <steve@openssl.org> Date: Mon Dec 14 13:13:32 2015 +0000
6033101e 2021-11-25 12:15:37 Document BIO_method_name(3). While here, also improve the rest of the page: * add missing BIO_TYPE_* constants * describe BIO_TYPE_START * better function argument names * more precision in the descriptions and regarding the RETURN VALUES * lots of wording improvements * improve the coding style below EXAMPLES * delete a BUGS section describing cretaceous behaviour
2b1ad87f 2021-11-24 19:33:24 Fix OCSP_basic_verify() cert chain construction in case the OCSP_BASICRESP bs contains no certificates. From David von Oheimb (OpenSSL 121738d1) ok beck
1b78ce04 2021-11-24 19:29:19 Simplify slightly by using X509_get0_pubkey() thus eliminating the need for EVP_PKEY_free(). ok beck
b95de796 2021-11-24 19:27:03 Fix a whitespace error that has annoyed me for way too long
8c08b260 2021-11-24 19:24:46 Fix timestamp printing in Signed Certificate Timestamps Our ASN1_GENERALIZEDTIME_set() doesn't accept time strings with fractional seconds, so don't feed it milliseconds, but only seconds. Ensures that openssl x509 -text prints timestamps instead of skipping them. ok beck jsing
6a95fe1b 2021-11-24 19:22:14 Add certificate transparency methods to the standard extensions. This way, CT extensions in certs will be parsed by the new CT code when they are encountered. This gets rid of a lot of gibberish when looking at a cert with 'openssl x509 -text -noout -in server.pem' ok beck jsing
5f8f3622 2021-11-24 13:30:56 add the missing const qualifiers below EXAMPLES; from <Malgorzata dot Olszowka at stunnel dot org> via OpenSSL commit 256989ce in the OpenSSL 1.1.1 branch, which is still under a free license
5f9d48b0 2021-11-24 13:18:08 document ASN1_item_ndef_i2d(3)
3f851282 2021-11-24 05:38:12 In some situations, the verifier would discard the error on an unvalidated certificte chain. This would happen when the verification callback was in use, instructing the verifier to continue unconditionally. This could lead to incorrect decisions being made in software.
aff4783b 2021-11-24 01:12:43 Make the certificate transparency code build with the rest of the library Do not expose it yet, this will wait for an upcoming bump ok tb@
ebe27d9a 2021-11-23 17:53:59 document ASN1_TYPE_set_int_octetstring(3) and ASN1_TYPE_get_int_octetstring(3)
114b2857 2021-11-23 17:06:05 Use LIBRESSL_NEXT_API to document the commented-out functions that are not yet available. ok schwarze
6370c4e2 2021-11-23 14:58:08 document ASN1_TYPE_set_octetstring(3) and ASN1_TYPE_get_octetstring(3)
d0289fc9 2021-11-23 13:52:27 document a2i_ASN1_INTEGER(3), i2a_ASN1_ENUMERATED(3), and a2i_ASN1_ENUMERATED(3)
06dfdaf8 2021-11-23 11:10:51 re-align these copies of the a2i_*(3) code with f_string.c rev. 1.19 to fix the same double-counting of the backslash and to make the parsing stricter in the same way; OK tb@
1085073b 2021-11-23 09:53:45 In DH_set0_pqg() also set dh->length if q is set to match what OpenSSL do. ok inoguchi jsing
57734b13 2021-11-22 19:32:32 Fix typo thanks Matthias Schmidt
d1fa7a12 2021-11-22 16:19:54 new manual page ASN1_NULL_new(3), also documenting ASN1_NULL_free(3)
e8d2363f 2021-11-22 14:00:27 new manual page a2d_ASN1_OBJECT(3); while here, add a few STANDARDS references
7d15cb53 2021-11-22 12:06:51 document ASN1_OBJECT_create(3)
cab5fb66 2021-11-21 17:35:53 In asn1.h rev. 1.55 and asn1/a_time.c rev. 1.28, beck@ provided ASN1_TIME_diff(3). Merge the documentation from the OpenSSL 1.1.1 branch, which is still under a free license.
b46dae7c 2021-11-21 15:16:45 oops, i forgot the STANDARDS section
151beb8c 2021-11-21 15:11:01 new manual page d2i_ASN1_BOOLEAN(3) also documenting i2d_ASN1_BOOLEAN(3)
4e56b6c4 2021-11-20 18:39:48 sort
3c46923d 2021-11-20 18:10:52 Provide the bytestring APIs for libcrypto internal use. Bring a copy of the bytestring APIs (CBB/CBS) from libssl, for use in libcrypto - these are not exposed publicly. Discussed with beck@ and tb@
4da99703 2021-11-20 13:06:26 Document ASN1_INTEGER_cmp(3) and ASN1_INTEGER_dup(3). While here, also improve the description of ASN1_INTEGER_set(3) and add a BUGS section explaining that several of these functions do not provide type safety.
4728fa65 2021-11-20 11:49:08 Improve the description of ASN1_OCTET_STRING_cmp(3), ASN1_OCTET_STRING_dup(3), and ASN1_OCTET_STRING_set(3). Explicitly say that they do not provide any type safety and explain what that means.
32d9a10f 2021-11-20 01:10:49 Make these files compile - not hooked up to build yet. ok jsing@ tb@
bb05a9b4 2021-11-19 16:35:10 minor KNF improvement, changing only whitespace, no code change: say: return_type *function_name(args); not: return_type* function_name (args); OK tb@
a000f9e8 2021-11-19 16:00:54 new manual page ASN1_BIT_STRING_num_asc(3) documenting the three functions using the BIT_STRING_BITNAME structure
0f4c0d4f 2021-11-19 15:50:46 add two missing .Dv macros; markup bug found with regress/lib/libcrypto/man/check_complete.pl
4fc3ccbc 2021-11-19 09:58:41 Make the public API function a2i_ASN1_STRING(3) actually work. It contained two bugs: 1. If an input line ended in a backslash requesting line continuation, there was duplicate code for removing that backslash, erroneously removing another byte from the input and often causing the function to return failure instead of correctly parsing valid input. 2. According to a comment in the source code, the former big "for" loop was intended to "clear all the crap off the end of the line", but actually, if there were multiple characters on the line that were not hexadecimal digits, only the last of those and everything following it was deleted, while all the earlier ones remained. Besides, code further down clearly intends to error out when there are invalid characters, which makes no sense if earlier code already deletes such characters. Hence the comment did not only contradict the code above it - but contradicted the code below it, too. Resolve these contradiction in favour of stricter parsing: No longer skip invalid characters but always error out when any are found. OK & "Unbelievable" tb@
d5b0a71e 2021-11-19 07:49:27 As long as X509_OBJECT_free_contents(3) is a public API function, make sure it fully re-initializes the object rather than leaving behind a stale pointer and a stale type in the object. The old behaviour was dangerous because X509_OBJECT_get_type(3) would then return the stale type to the user and one of X509_OBJECT_get0_X509(3) or X509_OBJECT_get0_X509_CRL(3) would then return the stale pointer to the user, provoking a use-after-free bug in the application program. Having these functions return X509_LU_NONE and NULL is better because those are the documented return values for these functions when the object is empty. OK tb@
32863f3e 2021-11-18 18:05:27 Add semicolon that will become non-optional once BN_GENCB_set() will move from an awful macro to a proper function.
276c068d 2021-11-18 18:01:08 typo in comment
e291757a 2021-11-18 16:00:15 Prevent future internal use of ASN1_CTX and ASN1_const_CTX by wrapping them inside #ifndef LIBRESSL_INTERNAL. suggested by jsing
6d6c1d22 2021-11-18 15:58:31 Remove the last pointless use of ASN1_const_CTX. Both ASN1_CTX and ASN1_const_CTX are now unused and will be garbage collected in the next libcrypto bump. ok jsing
4819803b 2021-11-18 10:09:24 In x509_vfy.h rev. 1.35 and x509_lu.c rev. 1.34, tb@ provided X509_OBJECT_new(3) and X509_OBJECT_free(3); document them. While here, stop talking about storing storing EVP_PKEY objects and plain C strings in X509_OBJECT objects. LibreSSL never fully supported that, and it certainly no longer supports that now.
491f2bff 2021-11-17 16:08:32 In x509_vfy.h rev. 1.37 and x509_vfy.c rev. 1.91, tb@ provided X509_STORE_CTX_set_verify(3) and X509_STORE_CTX_get_verify(3). Document them. In the next bump, tb@ will also provide X509_STORE_CTX_verify_fn(3) and X509_STORE_set_verify(3) and restore X509_STORE_set_verify_func(3) to working order. For efficiency of documentation work, already document those three, too, but keep the text temporariy .if'ed out until they become available. Delete X509_STORE_set_verify_func(3) from X509_STORE_set_verify_cb_func(3) because it was misplaced in that page: it is not related to the verification callback. tb@ agrees with the general direction.
cca6e7ff 2021-11-16 14:07:57 In x509_vfy.h rev. 1.37 and x509_vfy.c rev. 1.91, tb@ provided X509_STORE_CTX_get_verify_cb(3); document it.
1798df84 2021-11-16 12:06:57 Recently, tb@ provided the following functions: X509_STORE_CTX_set_error_depth x509_vfy.h 1.37 x509_vfy.c 1.91 X509_STORE_CTX_set_current_cert x509_vfy.h 1.37 x509_vfy.c 1.91 X509_STORE_CTX_get_num_untrusted x509_vfy.h 1.36 x509_vfy.c 1.90 X509_STORE_CTX_set0_verified_chain x509_vfy.h 1.37 x509_vfy.c 1.91 Merge the documentation from the OpenSSL 1.1.1 branch, which is still under a free license; tweaked by me.
d2c7d94e 2021-11-15 16:18:36 new manual page ASN1_BIT_STRING_set(3) documenting four BIT STRING accessors
ed53a826 2021-11-15 13:39:40 document ASN1_PRINTABLE_type(3) and ASN1_UNIVERSALSTRING_to_string(3)
7ad55bc0 2021-11-15 11:51:09 document ASN1_item_pack(3) and ASN1_item_unpack(3)
fcfd3e21 2021-11-15 10:41:11 document i2a_ASN1_STRING(3) and a2i_ASN1_STRING(3)
3c8e511c 2021-11-14 13:40:16 the last argument of BIO_gets(3) is called "size", not "len"
a6792a0b 2021-11-14 11:22:36 fix a typo; diff from Matthias Schmidt <xosc dot org> on tech@
947886bc 2021-11-14 08:21:47 Put curly brace on the correct line.
feb138ef 2021-11-13 20:44:00 Fix a nasty quirk in ASN1_STRING_copy(3). In case of failure, it reported the failure but corrupted the type of the destination string. Instead, let's make sure that in case of failure, existing objects remain in their original state. OK tb@
61583fc4 2021-11-13 19:21:17 Document the interactions of X509_V_FLAG_USE_CHECK_TIME, X509_V_FLAG_NO_CHECK_TIME, X509_VERIFY_PARAM_set_time(3), X509_VERIFY_PARAM_set_flags(3), and X509_VERIFY_PARAM_clear_flags(3) in detail because the API design is both surprising and surprisingly complicated in this respect, and the resulting nasty traps have already caused bugs in the past.
c6191418 2021-11-13 18:50:31 Mark the public X509_VP_FLAG_* constants as intentionally undocumented. With LibreSSL, they can only be used internally in the library itself, and even with OpenSSL, no real-world application code uses them. OK tb@
46b2c345 2021-11-13 18:24:45 Fix a bug in check_crl_time() that could result in incomplete verification, accepting CRLs that ought to be rejected, if an unusual combination of verification flags was specified. If time verification was explicitly requested with X509_V_FLAG_USE_CHECK_TIME, it was skipped on CRLs if X509_V_FLAG_NO_CHECK_TIME was also set, even though the former is documented to override the latter both in the OpenSSL and in the LibreSSL X509_VERIFY_PARAM_set_flags(3) manual page. The same bug in x509_check_cert_time() was already fixed by beck@ in rev. 1.57 on 2017/01/20. This syncs the beginning of the function check_crl_time() with the OpenSSL 1.1.1 branch, which is still under a free license. OK beck@ This teaches that having too many flags and options is bad because they breed bugs, and even more so if they are poorly designed to override each other in surprising ways.
02607ea1 2021-11-13 17:12:18 document ASN1_STRING_copy(3)
5be47371 2021-11-12 18:56:00 Document the public constants X509_V_FLAG_POLICY_MASK and X509_V_FLAG_USE_CHECK_TIME. While here, fix a typo and improve the wording for X509_V_FLAG_NOTIFY_POLICY.
4713e22e 2021-11-12 14:34:57 mention what X509_cmp_time(3) does with a cmp_time argument of NULL
a8044ef3 2021-11-12 14:05:28 As pointed out by tb@, LibreSSL no longer supports user-defined X509_LOOKUP_METHODs because these objects are now opaque. Simplify the documentation accordingly, shortening it by about 35 input lines in total, but continue providing the information which RETURN VALUES functions might return with other implementations of the library. OK tb@
6d5a2d04 2021-11-12 11:41:50 In x509_vfy.h rev. 1.41, tb@ provided X509_STORE_CTX_get_by_subject(3), changed the return type of X509_OBJECT_get_type(3) and argument types of X509_LOOKUP_by_subject(3), X509_LOOKUP_by_issuer_serial(3), X509_LOOKUP_by_fingerprint(3), X509_LOOKUP_by_alias(3), X509_OBJECT_idx_by_subject(3), X509_OBJECT_retrieve_by_subject(3), and X509_STORE_get_by_subject(3) from int to X509_LOOKUP_TYPE, and in rev. 1.42, he provided X509_STORE_CTX_get_obj_by_subject(3). Adjust the documentation. Joint work with and OK tb@.
8d4d91dc 2021-11-11 15:58:49 mention the public constants XN_FLAG_SEP_MASK and XN_FLAG_FN_MASK
ecd659a4 2021-11-11 13:58:59 Mention the X509v3_KU_* aliases for the KU_* constants because some third party application code uses them. List the full names (even though they are long) such that they can be found with "man -k Dv=...".
fbc48162 2021-11-11 13:13:38 Explicitly list all public functions in roff(7) comments that are related to this page but intentionally undocumented, to better support grepping the source directory for function names.
940020b6 2021-11-11 12:06:25 new manual page X509_policy_tree_get0_policies(3), also documenting X509_policy_tree_get0_user_policies(3)
2d391c3e 2021-11-10 14:34:21 Merge a few additional X509error(ERR_R_MALLOC_FAILURE) calls and various style improvements from the OpenSSL 1.1.1 branch, which is still under a free license. - No need to #include <openssl/lhash.h>. - BUF_MEM_free(3) and sk_pop_free(3) can handle NULL. - sk_value(3) can handle -1. - Test pointers with "== NULL" rather than with "!". - Use the safer "p = malloc(sizeof(*p))" idiom. - return is not a function. - Delete very wrong commented out code. Including parts of the these commits from the 2015 to 2018 time range: 25aaa98a b4faea50 90945fa3 f32b0abe 26a7d938 7fcdbd83 208056b2 5b37fef0 Requested by and OK tb@.
22d25e3b 2021-11-10 13:57:42 If X509_load_cert_crl_file(3) does not find any certificates and/or CRLs in the PEM input file (for example, if the file is empty), provide an error message in addition to returning 0. This merges another part of this OpenSSL commit, which is still under a free license: commit c0452248ea1a59a41023a4765ef7d9825e80a62b Author: Rich Salz <rsalz@openssl.org> Date: Thu Apr 20 15:33:42 2017 -0400 I did *not* add the similar message types X509_R_NO_CERTIFICATE_FOUND and X509_R_NO_CRL_FOUND because both code inspection and testing have shown that the code generating them is unreachable. OK tb@
256005ed 2021-11-10 09:19:25 Sync some code style improvements from the OpenSSL 1.1.1 branch, which is still under a free license. No functional change. - No need to #include <openssl/lhash.h> here. - return is not a function. - Do not use the pointless macro BIO_s_file_internal(). - No need to check for NULL before X509_CRL_free(3). This includes parts of the following OpenSSL commits from the 2015 to 2017 timeframe: 222561fe, 9982cbbb, f32b0abe, 26a7d938 OK tb@
be4127b1 2021-11-10 09:00:21 Merge two bug fixes from the OpenSSL 1.1.1 branch, which is still under a free license: 1. If the three X509_load_*(3) functions are called with a NULL file argument, do not return 1 to the caller because the return value 1 means "i loaded one certificate or CRL into the store". 2. When calling PEM load functions, do not ask the user for a password in an interactive manner. This includes parts of the following commits: commit c0452248ea1a59a41023a4765ef7d9825e80a62b Author: Rich Salz <rsalz@openssl.org> Date: Thu Apr 20 15:33:42 2017 -0400 Message: [...] Remove NULL checks and allow a segv to occur. [...] commit db854bb14a7010712cfc02861731399b1b587474 Author: Bernd Edlinger <bernd.edlinger@hotmail.de> Date: Mon Aug 7 18:02:53 2017 +0200 Message: Avoid surpising password dialog in X509 file lookup. OK tb@
b6c209be 2021-11-09 18:40:20 Switch to <endian.h> from <machine/endian.h> for better portability. ok tb@
292df47c 2021-11-09 16:23:04 Split a new page X509_load_cert_file(3) with three functions out of X509_LOOKUP_hash_dir(3) because both groups of functions differ substantially in purpose and structure. Rewrite the complete text of X509_load_cert_file(3) from scratch for correctness and clarity. This fixes several documentation errors: 1. The names of the constants were wrong, lacking the "X509_" prefix. 2. None of these functions support X509_FILETYPE_DEFAULT, neither in OpenSSL nor in LibreSSL. 3. The memory cache does not contain X509_STORE objects; instead, the X509_STORE object *is* the memory cache.
1bce098d 2021-11-09 15:41:10 Add ASPA OID draft-ietf-sidrops-aspa-profile OK tb@
469bab4b 2021-11-08 14:44:14 Document X509_gmtime_adj(3). While here, improve some argument names, improve ordering of the material, and mention the meaning of negative and of large arguments,
0c8b2837 2021-11-07 15:52:38 In X509_STORE_CTX, rename the X509_STORE store rather than ctx. ok gnezdo jsing
e30c9e23 2021-11-07 15:51:23 In X509_STORE_CTX rename the misnamed last_untrusted to num_untrusted ok jsing
a974b571 2021-11-07 15:29:01 new manual pages ASN1_item_digest(3), ASN1_item_sign(3), and ASN1_item_verify(3)
9cf3bd2b 2021-11-06 15:00:25 Improve formatting. The line breaks in the lists of methods were very ugly. While here, put descriptions right after the prototypes they describe. No content change.
8c897f43 2021-11-06 12:31:40 Start cleaning up X509_STORE_get1_issuer() Get rid of the last X509_OBJECT_free_contents() call by moving the object from the stack to the heap. I deliberately kept the obj variable to keep obj and pobj separate. Rename the out parameter from issuer to out_issuer to ensure that we only assign it when we have acquired a reference that we can return. Add a new X509 *issuer. In the first part of the function, acquire an extra reference before check_issuer/check_time. In the second part of the function, acquire a reference inside the lock to avoid a race. Deal with ret only in one place. ok jsing
62d9f894 2021-11-06 12:27:05 In X509_STORE_get1_issuer() do not call the verify callback from x509_check_cert_time(). Matches a change made in OpenSSL 70dd3c65. ok jsing
c1a623a6 2021-11-06 07:52:22 Fix indent.
c82d3592 2021-11-06 07:18:18 Refactor X509_STORE_get1_certs() Split the retrieval of the certs in the store's cache that match the desired subject into a separate function. This greatly simplifies locking, error handling and the flow of the function. with/ok jsing
72f84f5e 2021-11-05 22:03:25 typo: a static objects -> a static object
1218bdb9 2021-11-05 21:39:45 First pass of streamlining X509_STORE_get1_{certs,crls}() These functions are quite messy. On top of the tricky logic querying the cache, then refreshing the cache (unconditionally or not), then querying again, then extracting a list of certs/crls and bumping their refcounts, things are intermixed with locking and needlessly early allocations that then need to be cleaned up again. Use X509_STORE_CTX_get_obj_by_subject() to avoid using an object on the stack and defer allocation of the returned stack of certs to later. Flatten the logic a bit and prepare for further refactoring. ok jsing
2637af31 2021-11-05 20:35:14 Trade an abort() neutered by a comment for a blank line elsewhere.
9c6fb80c 2021-11-05 17:15:05 Clean up X509_STORE_add_{cert,crl}(). Add a X509_STORE_add_object() function that adds an X509 object to the store and takes care of locking and cleaning up. This way we can set up an X509_OBJECT for both the cert and CRL case and hand over to the new function. There is one intentional change of behavior: if there is an attempt to add an object which is already present in the store, succeed instead of throwing an error. This makes sense and is also the OpenSSL behavior. As pointed out by jsing, this is a partial fix for the long standing GH issue #100 on libtls where connections would fail if the store contains duplicate certificates. Also: remove the internal X509_OBJECT_dec_ref_count(), which is no longer used. ok jsing
c5de0e6a 2021-11-05 17:13:14 Unify variable names in X509_STORE_{free,up_ref,add_lookup}(). simplify the flow of X509_add_lookup(). ok jsing
c23e5f7d 2021-11-05 17:11:28 Rename the ret variable in X509_OBJECT_new() to obj.. ok jsing
9002f7e3 2021-11-05 17:09:36 Garbage collect the unused skip member of X509_LOOKUP and the unused cache member of X509_STORE. ok jsing
a047bff1 2021-11-05 17:08:12 Use calloc() to remove the need of silly zeroing of most members. Check for allocation failures and if one happens push an error on the stack and clean up using X509_STORE_free(). ok jsing
c2dc9024 2021-11-05 17:06:42 Streamline and shorten x509_object_cmp() a bit. ok jsing
66cf6b76 2021-11-05 17:05:52 Drop a bunch of unnecesary parentheses and unify the order in which callbacks are called. ok jsing
d7aba846 2021-11-05 17:03:15 Cleanup X509_LOOKUP_new() Switch from malloc() to calloc() and drop a bunch of initializations to 0. Call the returned object lu instead of the generic ret. ok jsing
0e189bdb 2021-11-05 07:25:36 Garbage collect xobj->data.{ptr,pkey} Both these are essentially unused. Remove the last use of data.ptr by initializing and copying the X509_OBJECT using memset() and struct assignment in X509_STORE_CTX_get_subject_by_name() and add a missing error check for X509_OBJECT_up_ref_count() while there. ok beck
88e5d447 2021-11-04 23:52:34 Cache sha512 hash and parsed not_before and not_after with X509 cert. Replace sha1 hash use with sha512 for certificate comparisons internal to the library. use the cached sha512 for the validator's verification cache. Reduces our recomputation of hashes, and heavy use of time1 time conversion functions noticed bu claudio@ in rpki client. ok jsing@ tb@
6982c71f 2021-11-03 15:02:14 document d2i_X509_ALGORS(3) and i2d_X509_ALGORS(3)