6 |
{{ category.title }}
7 |
8 | {{ category.description }}
9 | {{ category.links }}
10 |
2 |
11 |
--------------------------------------------------------------------------------
/validation/certs/utils/crypto.py:
--------------------------------------------------------------------------------
1 | from Cryptodome.PublicKey import RSA
2 | from Cryptodome.Hash import SHA256
3 | from Cryptodome.Hash import MD5
4 | from Cryptodome.Hash import SHA1
5 | from Cryptodome.Signature import pkcs1_15
6 |
7 |
8 | def new_rsa_keypair(size):
9 | privkey = RSA.generate(size)
10 | pubkey = privkey.publickey()
11 | return (privkey, pubkey)
12 |
13 |
14 | def rsa_sha256_sign(key, data):
15 | digest = SHA256.new()
16 | digest.update(data)
17 | return pkcs1_15.new(key).sign(digest)
18 |
19 |
20 | def rsa_md5_sign(key, data):
21 | digest = MD5.new()
22 | digest.update(data)
23 | return pkcs1_15.new(key).sign(digest)
24 |
25 |
26 | def sha1_hash(data):
27 | digest = SHA1.new(data)
28 | return digest.digest()
29 |
--------------------------------------------------------------------------------
/CONTRIBUTORS.md:
--------------------------------------------------------------------------------
1 | # Authors
2 |
3 | The project is developed at the [Centre for Research on Cryptography and Security](https://www.fi.muni.cz/research/crocs/) of [Masaryk University](http://www.muni.cz/) in Brno, Czech Republic. The main contributors are:
4 |
5 | * Martin Ukrop, 2019–today, project lead, graphic design
6 | * Pavol Žáčik, 2019–today, example certificates, error mapping
7 | * Marián Svitek, 2021–today, revocation implementation, revocation developer guides
8 | * Štepán Horáček, 2021-2021, example certificates
9 | * Eric Valčík, 2020–2021, bug fixes and pull requests to other libraries
10 | * Matěj Grabovský, 2019–2020, feedback, TLS clients, bug fixes
11 | * Michaela balážová, 2019–2020, improved error messages
12 |
13 | The authors are grateful for the financial support from [Red Hat Czech](https://research.redhat.com/) and [Kiwi.com](https://www.kiwi.com/).
14 |
--------------------------------------------------------------------------------
/assets/_scss/dev-warning.scss:
--------------------------------------------------------------------------------
1 | /* Developer version warning box */
2 |
3 | #dev-warning {
4 | --dev-space: 0.6rem;
5 | position: fixed;
6 | bottom: var(--dev-space);
7 | left: var(--dev-space);
8 | right: var(--dev-space);
9 | padding: var(--dev-space);
10 | border-radius: var(--dev-space);
11 | margin-inline: auto;
12 | width: 300px;
13 | z-index: 1070;
14 |
15 | p {
16 | text-align: center;
17 | margin-bottom: 0rem;
18 | }
19 |
20 | a#devWarningToggle {
21 | text-decoration: none;
22 | color: $c-secondary;
23 |
24 | i.fas {
25 | margin-inline: 0.3rem;
26 | }
27 | }
28 |
29 | p#devWarningDetails {
30 | padding-top: 0.5rem;
31 | }
32 | }
33 |
34 | @media (min-width: 576px) {
35 | #dev-warning {
36 | left: auto;
37 | }
38 | }
39 |
--------------------------------------------------------------------------------
/revocation/openssl-client/utils.h:
--------------------------------------------------------------------------------
1 | #ifndef OPENSSL_REVOC_UTILS_H
2 | #define OPENSSL_REVOC_UTILS_H
3 |
4 | #include
3 |
9 | Feedback
4 |Something is not working? File a bug report to our repository, please.
5 | {% include icon.html icon="button-bug" %} Bug report 6 |Other comments or ideas?
7 | {% include icon.html icon="button-email" %} Email us! 8 | Feedback
10 |
3 |
11 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/_data/libraries.yml:
--------------------------------------------------------------------------------
1 | - name: openssl
2 | title: OpenSSL
3 | docs-source: https://www.openssl.org/docs/manmaster/man3/X509_STORE_CTX_get_error.html
4 | message-source: https://github.com/openssl/openssl/blob/master/crypto/x509/x509_txt.c
5 |
6 | - name: gnutls
7 | title: GnuTLS
8 | docs-source: https://www.gnutls.org/manual/html_node/Verifying-X_002e509-certificate-paths.html#gnutls_005fcertificate_005fstatus_005ft
9 | message-source: https://github.com/gnutls/gnutls/blob/master/lib/cert-cred.c
10 |
11 | - name: botan
12 | title: Botan
13 | docs-source: https://botan.randombit.net
14 | message-source: https://github.com/randombit/botan/blob/master/src/lib/x509/cert_status.cpp
15 |
16 | - name: mbedtls
17 | title: Mbed TLS
18 | docs-source: https://tls.mbed.org/api/group__x509__module.html
19 | message-source: https://github.com/ARMmbed/mbedtls/blob/development/include/mbedtls/x509_crt.h
20 |
21 | - name: openjdk
22 | title: OpenJDK
23 | docs-source: https://openjdk.java.net/
24 | message-source: https://openjdk.java.net/
25 |
--------------------------------------------------------------------------------
/validation/clients/botan/client.hpp:
--------------------------------------------------------------------------------
1 | #ifndef CLIENT_H
2 | #define CLIENT_H
3 |
4 | #include
2 |
About the project
3 |
4 |
5 | 
6 |
7 |
8 |
6 |
7 | The project is developed at the Centre for Research on Cryptography and Security (CRoCS) at Masaryk University, Brno, Czech Republic by Martin Ukrop, Pavol Žáčik, Marián Svitek, Eric Valčík with the help of Michaela Balážová and Matěj Grabovský. For more details, see the ReadMe file in {% include icon.html icon="github" %}the project repository on GitHub.
9 |The authors are grateful for the financial support by Red Hat Czech and Kiwi.com. 10 |
2 | {% if page.slug == include.library.name %}
3 |
--------------------------------------------------------------------------------
/utils/test-cert-validation.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | if [ $# -eq 0 ]
4 | then
5 | echo "usage: "$0" In addition to this guide, we have also implemented OpenSSL guides for the following topics:
4 | {% else %} 5 | Back to {{ include.library.title }} guide 6 | {% endif %} 7 | {% assign subGuides = site.guides | where: "library", include.library.name %} 8 | {% for subGuide in subGuides %} 9 | {% if subGuide.slug != page.slug %} 10 | {{ subGuide.title-short }} 12 | {% endif %} 13 | {% endfor %} 14 |The source code from all guides is also available as a stand-alone CLI client with options to test multiple revocation schemes:
15 | TLS client source code 16 |
2 |
{{ page.title }}
3 |
4 |
26 | Our goal is to simplify the ecosystem by consolidating the errors and their documentation (similarly to web documentation) and better explaining what the validation errors mean.
5 |
6 |
14 |
15 | Correctly validating X.509 certificates turns out to be pretty complicated (e.g., Georgiev2012, Ukrop2019). Yet certificate validation is crucial for secure communication on the Internet (think TLS).
7 |For every error, we aim to provide our redesigned documentation ({% include icon.html icon="our-docs" %}), an example certificate ({% include icon.html icon="certificate" %}), original documentation provided by the library ({% include icon.html icon="docs-book" %}, unused or deprecated errors denoted by {% include icon.html icon="unused" %}). Furthermore, we provide links to corresponding errors from other libraries ({% include icon.html icon="error-link" %}). In the future, we plan on adding error frequencies based on IP-wide scans and elaborating on the consequences of individual errors.
8 |9 | 10 | See more in FAQ 11 | 12 |
13 |16 | 19 | {% assign guides = site.guides | where: "slug", page.library %} 20 | {% for guide in guides %} 21 | {% assign library = site.data.libraries | where: "name", page.library | first %} 22 | See TLS guide for {{ library.title }} 23 | {% endfor %} 24 |
25 |