diff -Nru dumpasn1-20150808/debian/changelog dumpasn1-20170309/debian/changelog --- dumpasn1-20150808/debian/changelog 2016-10-20 07:18:34.000000000 +0000 +++ dumpasn1-20170309/debian/changelog 2017-09-20 18:41:48.000000000 +0000 @@ -1,3 +1,10 @@ +dumpasn1 (20170309-1) unstable; urgency=medium + + * New upstream release. Closes: #855569 + * Bump Std-Vers to 4.1.0, no changes needed + + -- Mathieu Malaterre Wed, 20 Sep 2017 20:41:48 +0200 + dumpasn1 (20150808-3) unstable; urgency=medium * Really fix segfaults on valid certificate. Closes: #840771 diff -Nru dumpasn1-20150808/debian/control dumpasn1-20170309/debian/control --- dumpasn1-20150808/debian/control 2016-10-19 18:35:12.000000000 +0000 +++ dumpasn1-20170309/debian/control 2017-09-20 18:41:26.000000000 +0000 @@ -6,7 +6,7 @@ Homepage: http://www.cs.auckland.ac.nz/~pgut001/ Vcs-Browser: http://anonscm.debian.org/viewvc/collab-maint/deb-maint/dumpasn1/trunk/ Vcs-Svn: svn://anonscm.debian.org/collab-maint/deb-maint/dumpasn1/trunk -Standards-Version: 3.9.8 +Standards-Version: 4.1.0 Package: dumpasn1 Architecture: any diff -Nru dumpasn1-20150808/debian/patches/bug348856.patch dumpasn1-20170309/debian/patches/bug348856.patch --- dumpasn1-20150808/debian/patches/bug348856.patch 2016-03-03 20:33:09.000000000 +0000 +++ dumpasn1-20170309/debian/patches/bug348856.patch 2017-09-20 18:39:45.000000000 +0000 @@ -4,10 +4,8 @@ Reviewed-By: Mathieu Malaterre Forwarded: http://bugs.debian.org/348856#59 -Index: dumpasn1-20150808/dumpasn1.c -=================================================================== ---- dumpasn1-20150808.orig/dumpasn1.c -+++ dumpasn1-20150808/dumpasn1.c +--- a/dumpasn1.c ++++ b/dumpasn1.c @@ -60,6 +60,7 @@ #include #include @@ -16,7 +14,7 @@ #ifdef OS390 #include #endif /* OS390 */ -@@ -1315,13 +1316,13 @@ static int adjustLevel( const int level, +@@ -1316,13 +1317,13 @@ use wcstombs() to see if anything can be displayed, if it can't we drop back to trying to display the data as non-Unicode */ @@ -27,12 +25,12 @@ int outLen; /* Check whether we can display this character */ -- outLen = wcstombs( outBuf, &wCh, 1 ); -+ outLen = wcstombs( outBuf, wCh, 8 ); +- outLen = wcstombs( outBuf, &wCh, 8 ); ++ outLen = wcstombs( outBuf, wCh, 8 ); if( outLen < 1 ) { /* Tell the caller that this can't be displayed as Unicode */ -@@ -1369,13 +1370,7 @@ static int displayUnicode( const wchar_t +@@ -1370,13 +1371,7 @@ wChString[ 1 ] = 0; fprintf( output, "%ls", wChString ); #else @@ -47,7 +45,7 @@ #endif } #else -@@ -1872,7 +1867,7 @@ static void displayString( FILE *inFile, +@@ -1897,7 +1892,7 @@ } else { @@ -56,7 +54,7 @@ if( displayUnicode( wCh, level ) ) { -@@ -1884,7 +1879,7 @@ static void displayString( FILE *inFile, +@@ -1909,7 +1904,7 @@ /* The value can't be displayed as Unicode, fall back to displaying it as normal text */ @@ -65,7 +63,7 @@ } } if( strOption == STR_UTF8 && ( ch & 0x80 ) ) -@@ -3118,7 +3113,14 @@ int main( int argc, char *argv[] ) +@@ -3217,7 +3212,14 @@ #endif /* __OS390__ */ long offset = 0; int moreArgs = TRUE, doCheckOnly = FALSE; diff -Nru dumpasn1-20150808/debian/patches/bug840771.patch dumpasn1-20170309/debian/patches/bug840771.patch --- dumpasn1-20150808/debian/patches/bug840771.patch 2016-10-20 07:18:20.000000000 +0000 +++ dumpasn1-20170309/debian/patches/bug840771.patch 2017-09-20 18:41:05.000000000 +0000 @@ -5,11 +5,9 @@ Bug-Debian: https://bugs.debian.org/840771 Reviewed-by: Mathieu Malaterre -Index: dumpasn1-20150808/dumpasn1.c -=================================================================== ---- dumpasn1-20150808.orig/dumpasn1.c -+++ dumpasn1-20150808/dumpasn1.c -@@ -1362,7 +1362,7 @@ static int displayUnicode( const wchar_t +--- a/dumpasn1.c ++++ b/dumpasn1.c +@@ -1363,7 +1363,7 @@ #elif 1 /* This (and the "%ls" variant below) seem to be the least broken options */ @@ -18,7 +16,7 @@ #elif 0 wchar_t wChString[ 2 ]; -@@ -1885,13 +1885,13 @@ static void displayString( FILE *inFile, +@@ -1910,13 +1910,13 @@ if( strOption == STR_UTF8 && ( ch & 0x80 ) ) { const int secondCh = getc( inFile ); @@ -34,7 +32,7 @@ i++; /* We've read 2 characters */ fPos += 2; } -@@ -1902,12 +1902,12 @@ static void displayString( FILE *inFile, +@@ -1927,12 +1927,12 @@ const int thirdCh = getc( inFile ); /* 3-byte character in the range 0x800...0xFFFF */ diff -Nru dumpasn1-20150808/dumpasn1.c dumpasn1-20170309/dumpasn1.c --- dumpasn1-20150808/dumpasn1.c 2015-08-09 13:28:52.000000000 +0000 +++ dumpasn1-20170309/dumpasn1.c 2017-08-30 03:29:17.000000000 +0000 @@ -7,7 +7,7 @@ Manger and several other people whose names I've misplaced. Available from http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c. Last - updated 8 August 2015 (version 20150808, if you prefer it that way). + updated 9 March 2017 (version 20170309, if you prefer it that way). To build under Windows, use 'cl /MD dumpasn1.c'. To build on OS390 or z/OS, use '/bin/c89 -D OS390 -o dumpasn1 dumpasn1.c'. @@ -66,7 +66,7 @@ /* The update string, printed as part of the help screen */ -#define UPDATE_STRING "8 August 2015" +#define UPDATE_STRING "9 March 2017" /* Useful defines */ @@ -163,7 +163,7 @@ #endif /* _GUARDIAN_TARGET */ #endif /* __TANDEM */ -/* Some OS's don't define the min() macro */ +/* Some OSes don't define the min() macro */ #ifndef min #define min(a,b) ( ( a ) < ( b ) ? ( a ) : ( b ) ) @@ -173,13 +173,6 @@ #define byteToInt( x ) ( ( BYTE ) ( x ) ) -/* The level of recursion can get scary for deeply-nested structures so we - use a larger-than-normal stack under DOS */ - -#ifdef __TURBOC__ - extern unsigned _stklen = 16384; -#endif /* __TURBOC__ */ - /* Turn off pointless VC++ warnings */ #ifdef _MSC_VER @@ -692,7 +685,7 @@ { BYTE binaryOID[ MAX_OID_SIZE ]; long value; - int firstValue, valueIndex = 0, oidIndex = 3; + int firstValue = -1, valueIndex = 0, oidIndex = 3; memset( binaryOID, 0, MAX_OID_SIZE ); binaryOID[ 0 ] = OID; @@ -774,7 +767,7 @@ while( *string && index < MAX_OID_SIZE - 1 ) { - if( sscanf( string, "%4x", &value ) != 1 || value > 255 ) + if( sscanf( string, "%4x", &value ) != 1 || value < 0 || value > 255 ) { printf( "Invalid hex value in config file line %d.\n", lineNo ); return( FALSE ); @@ -1288,6 +1281,14 @@ noErrors++; } +static void complainEOF( const int level, const int missingBytes ) + { + printString( level, "%c", '\n' ); + complain( ( missingBytes > 1 ) ? \ + "Unexpected EOF, %d bytes missing" : \ + "Unexpected EOF, 1 byte missing", missingBytes, level ); + } + /* Adjust the nesting-level value to make sure that we don't go off the edge of the screen via doIndent() when we're displaying a text or hex dump of data */ @@ -1321,7 +1322,7 @@ int outLen; /* Check whether we can display this character */ - outLen = wcstombs( outBuf, &wCh, 1 ); + outLen = wcstombs( outBuf, &wCh, 8 ); if( outLen < 1 ) { /* Tell the caller that this can't be displayed as Unicode */ @@ -1406,11 +1407,22 @@ int warnNegative = FALSE, warnNonDER = FALSE, i; value = getc( inFile ); + if( value == EOF ) + { + complainEOF( level, valueLength ); + return; + } if( value & 0x80 ) warnNegative = TRUE; for( i = 0; i < valueLength - 1; i++ ) { - int ch = getc( inFile ); + const int ch = getc( inFile ); + + if( ch == EOF ) + { + complainEOF( level, valueLength - i ); + return; + } /* Check for the first 9 bits being identical */ if( i == 0 ) @@ -1501,8 +1513,7 @@ ch = getc( inFile ); if( ch == EOF ) { - printString( level, "%c", '\n' ); - complain( "Unexpected EOF, %d bytes missing", length - i, level ); + complainEOF( level, length - i ); return; } printString( level, "%s%02X", ( i % lineLength ) ? " " : "", ch ); @@ -1554,8 +1565,17 @@ fPos += length; if( useStdin ) { + int ch; + while( length-- ) - getc( inFile ); + { + ch = getc( inFile ); + if( ch == EOF ) + { + complainEOF( level, length - i ); + return; + } + } } else fseek( inFile, length, SEEK_CUR ); @@ -1761,7 +1781,7 @@ { if( bitString & currentBitMask ) value |= bitFlag; - if( !( bitString & remainderMask ) && errorStr != NULL ) + if( !( bitString & remainderMask ) && errorStr == NULL ) { /* The last valid bit should be a one bit */ errorStr = "Spurious zero bits in bitstring"; @@ -1862,6 +1882,11 @@ firstTime = FALSE; } ch = getc( inFile ); + if( ch == EOF ) + { + complainEOF( level, noBytes - i ); + return; + } #if defined( __WIN32__ ) || defined( __UNIX__ ) || defined( __OS390__ ) if( strOption == STR_BMP ) { @@ -1976,7 +2001,7 @@ getc( inFile ); i++; fPos++; - /* Drop through */ + /* Fall through */ default: if( !isprint( ch ) ) @@ -2004,6 +2029,11 @@ { int ch = getc( inFile ); + if( ch == EOF ) + { + complainEOF( level, length ); + return; + } if( strOption == STR_PRINTABLE && !isPrintable( ch ) ) warnPrintable = TRUE; if( strOption == STR_IA5 && !isIA5( ch ) ) @@ -2069,6 +2099,7 @@ tag = item->header[ index++ ] = fgetc( inFile ); if( tag == EOF ) return( FALSE ); + fPos++; item->id = tag & ~TAG_MASK; tag &= TAG_MASK; if( tag == TAG_MASK ) @@ -2090,21 +2121,14 @@ } while( value & LEN_XTND && index < 5 && !feof( inFile ) ); if( index >= 5 ) - { - fPos++; /* Tag */ return( FALSE ); - } } item->tag = tag; - if( feof( inFile ) ) - { - fPos++; - return( FALSE ); - } - fPos += 2; /* Tag + length */ - length = item->header[ index++ ] = fgetc( inFile ); + length = fgetc( inFile ); if( length == EOF ) return( FALSE ); + fPos++; + item->header[ index++ ] = length; item->headerSize = index; if( length & LEN_XTND ) { @@ -2172,6 +2196,12 @@ if( !checkEncaps ) return( FALSE ); + /* An item of length < 2 can never have encapsulated data. Even for + length 2 it can only be an encapsulated NULL, which is somewhat odd, + but no doubt there's some PKI protocol somewhere that does this */ + if( length < 2 ) + return( FALSE ); + /* Read the details of the next item in the input stream */ status = getItem( inFile, &nestedItem ); diffPos = fPos - currentPos; @@ -2461,6 +2491,16 @@ static int printAsn1( FILE *inFile, const int level, long length, const int isIndefinite ); +static void markConstructed( const int level, const ASN1_ITEM *item ) + { + /* If it's a type that's not normally constructed, tag it as such */ + if( item->id == BOOLEAN || item->id == INTEGER || \ + item->id == BITSTRING || item->id == OCTETSTRING || \ + item->id == ENUMERATED || item->id == UTF8STRING || \ + ( item->id >= NUMERICSTRING && item->id <= BMPSTRING ) ) + printString( level, "%s", " (constructed)" ); + } + static void printConstructed( FILE *inFile, int level, const ASN1_ITEM *item ) { int result; @@ -2541,6 +2581,7 @@ /* If it's constructed, print the various fields in it */ if( ( item->id & FORM_MASK ) == CONSTRUCTED ) { + markConstructed( level, item ); printConstructed( inFile, level, item ); return; } @@ -2600,6 +2641,7 @@ /* If it's constructed, print the various fields in it */ if( ( item->id & FORM_MASK ) == CONSTRUCTED ) { + markConstructed( level, item ); printConstructed( inFile, level, item ); return; } @@ -2629,6 +2671,11 @@ if( item->length != 1 ) complainLength( item, level ); ch = getc( inFile ); + if( ch == EOF ) + { + complainEOF( level, 1 ); + return; + } printString( level, " %s\n", ch ? "TRUE" : "FALSE" ); if( ch != 0 && ch != 0xFF ) { @@ -2665,6 +2712,11 @@ complainLength( item, level ); if( ( ch = getc( inFile ) ) != 0 ) { + if( ch == EOF ) + { + complainEOF( level, item->length ); + return; + } printString( level, " %d unused bit%s", ch, ( ch != 1 ) ? "s" : "" ); } @@ -2686,7 +2738,7 @@ complainLengthCanonical( item, level ); break; } - /* Drop through to dump it as an octet string */ + /* Fall through to dump it as an octet string */ } case OCTETSTRING: @@ -2806,6 +2858,11 @@ } case EOC: + printString( level, "<> %c", '\n' ); + if( item->nonCanonical ) + complainLengthCanonical( item, level ); + break; + case NULLTAG: printString( level, "%c", '\n' ); if( item->nonCanonical ) @@ -2881,6 +2938,82 @@ /* Print a complex ASN.1 object */ +static long processObjectStart( FILE *inFile, const ASN1_ITEM *item ) + { + long length = LENGTH_MAGIC; + + /* If the length isn't known and the item has a definite length, set the + length to the item's length */ + if( !item->indefinite ) + { + length = item->headerSize + item->length; + + /* We can also adjust the width of the informational data column to + maximise the amount of screen real estate (for lengths less than + the default of four) or get rid of oversized columns (for lengths + greater than four) */ + if( length < 1000 ) + infoWidth = 3; + else + if( length > 9999999 ) + infoWidth = 8; + else + if( length > 999999 ) + infoWidth = 7; + else + if( length > 99999 ) + infoWidth = 6; + else + if( length > 9999 ) + infoWidth = 5; + } + + /* If the input isn't seekable, turn off some options that require the + use of fseek(). This check isn't perfect (some streams are slightly + seekable due to buffering) but it's better than nothing */ + if( fseek( inFile, -item->headerSize, SEEK_CUR ) ) + { + useStdin = TRUE; + checkEncaps = FALSE; + puts( "Warning: Input is non-seekable, some functionality has been " + "disabled." ); + + return( length ); + } + + /* If it looks like we've been given a text file, typically due to the + input being base64-encoded, check whether it is all text */ + if( ( isalnum( item->header[ 0 ] ) && isalnum( item->header[ 1 ] ) ) || \ + ( item->header[ 0 ] == '-' && item->header[ 1 ] == '-' ) ) + { + BYTE buffer[ 4 ]; + int count, i; + + count = fread( buffer, 1, 4, inFile ); + for( i = 0; i < count; i++ ) + { + if( buffer[ i ] != '-' && !isalnum( buffer[ i ] ) ) + break; + } + if( i >= 4 ) + { + fputs( "Error: This file appears to be a base64-encoded text " + "file, not binary data.\n", stderr ); + fputs( " In order to display it you first need to decode " + "it into its\n", stderr ); + fputs( " binary form.\n", stderr ); + exit( EXIT_FAILURE ); + } + fseek( inFile, -4, SEEK_CUR ); + } + + /* Undo the fseek() that we used to determine whether the input was + seekable */ + fseek( inFile, item->headerSize, SEEK_CUR ); + + return( length ); + } + static int printAsn1( FILE *inFile, const int level, long length, const int isIndefinite ) { @@ -2896,49 +3029,9 @@ { int nonOutlineObject = FALSE; - /* Perform various special checks the first time we're called */ + /* Perform various special checks the first time that we're called */ if( length == LENGTH_MAGIC ) - { - /* If the length isn't known and the item has a definite length, - set the length to the item's length */ - if( !item.indefinite ) - { - length = item.headerSize + item.length; - - /* We can also adjust the width of the informational data - column to maximise the amount of screen real estate (for - lengths less than the default of four) or get rid of - oversized columns (for lengths greater than four) */ - if( length < 1000 ) - infoWidth = 3; - else - if( length > 9999999 ) - infoWidth = 8; - else - if( length > 999999 ) - infoWidth = 7; - else - if( length > 99999 ) - infoWidth = 6; - else - if( length > 9999 ) - infoWidth = 5; - } - - /* If the input isn't seekable, turn off some options that - require the use of fseek(). This check isn't perfect (some - streams are slightly seekable due to buffering) but it's - better than nothing */ - if( fseek( inFile, -item.headerSize, SEEK_CUR ) ) - { - useStdin = TRUE; - checkEncaps = FALSE; - puts( "Warning: Input is non-seekable, some functionality " - "has been disabled." ); - } - else - fseek( inFile, item.headerSize, SEEK_CUR ); - } + length = processObjectStart( inFile, &item ); /* Dump the header as hex data if requested */ if( doDumpHeader ) @@ -2961,13 +3054,17 @@ if( !doPure && !nonOutlineObject ) { if( item.indefinite ) + { printString( level, ( doHexValues ) ? \ LEN_HEX_INDEF : LEN_INDEF, lastPos ); + } else { if( !seenEOC ) + { printString( level, ( doHexValues ) ? \ LEN_HEX : LEN, lastPos, item.length ); + } } } @@ -3005,8 +3102,10 @@ { const int ch = fgetc( inFile ); + /* If we've run out of input but there should be more + present, let the caller know */ if( ch == EOF ) - return( 0 ); + return( 1 ); /* No object can be one byte long, try and recover. This only works sometimes because it can be caused by @@ -3015,7 +3114,7 @@ recover from spurious data by skipping the byte if it's zero or a non-basic-ASN.1 tag, but keeping it if it could be valid ASN.1 */ - if( ch && ch <= 0x31 ) + if( ch > 0 && ch <= 0x31 ) ungetc( ch, inFile ); else { @@ -3055,7 +3154,7 @@ static void usageExit( void ) { puts( "DumpASN1 - ASN.1 object dump/syntax check program." ); - puts( "Copyright Peter Gutmann 1997 - 2012. Last updated " UPDATE_STRING "." ); + puts( "Copyright Peter Gutmann 1997 - 2016. Last updated " UPDATE_STRING "." ); puts( "" ); puts( "Usage: dumpasn1 [-acdefghilmoprstuvwxz] " ); @@ -3218,7 +3317,7 @@ break; case 'O': - checkCharset = TRUE; + checkCharset = FALSE; break; case 'P': @@ -3378,7 +3477,7 @@ have to stop at min( data_end, EOCs ). To avoid false positives, we skip at least 4 EOCs worth of data and if there's still more present, we complain */ - fread( buffer, 1, 8, inFile ); /* Skip 4 EOCs */ + ( void ) fread( buffer, 1, 8, inFile ); /* Skip 4 EOCs */ if( !feof( inFile ) ) { fprintf( output, "Warning: Further data follows ASN.1 data at " diff -Nru dumpasn1-20150808/dumpasn1.cfg dumpasn1-20170309/dumpasn1.cfg --- dumpasn1-20150808/dumpasn1.cfg 2015-03-13 03:43:32.000000000 +0000 +++ dumpasn1-20170309/dumpasn1.cfg 2017-08-30 03:29:20.000000000 +0000 @@ -21,9 +21,14 @@ # description. The other attributes may be given in any order. # # - Offical attribute names vary widely depending on who's creating them. -# In an attempt to avoid a confusing mass of naming styles, this file aims -# for consistency by normalising the naming for attributes, however this -# means that the name used here may not entirely match the actual name. +# In an attempt to avoid a confusing mass of naming styles (in particular +# the more recent fashion trend of naming OIDs following formulae like +# standard-group-name-algorithm-mechanism-subalgorithm-more-standards- +# more-algorithms-I'd-like-to-thank-the-academy-etc rather than older forms +# like rsaWithSHA1 has lead to extremely noisy and hard-to-decipher names), +# this file aims for consistency by normalising the naming for attributes, +# however this means that the name used here may not entirely match the +# actual name. # # See the rest of this file for examples of what an OID description should # look like. @@ -582,11 +587,11 @@ # BSI e-Pass (TR-03110/TR-03111). TA = Terminal Authentication (Passport # PKI with monthly global cert updates), CA = Chip Authentication -# (Auth using static [EC]DH), PACE = Password Authenticated Connection -# Establishment, RI = Restricted Information Protocol, Eid = eID +# (Auth using static [EC]DH), PACE = Password Authenticated Connection +# Establishment, RI = Restricted Information Protocol, Eid = eID # Smartcard Application, PT = Privileged Terminal, IS = Inspection # System, AT = Authentication Terminal, ST = Signature Terminal. - + OID = 0 4 0 127 0 7 Comment = BSI TR-03110/TR-03111 Description = bsi @@ -2233,7 +2238,7 @@ # IEC 62351-8 -OID = 1 2 840 10070 +OID = 1 2 840 10070 Comment = IEC 62351 Description = iec62351 @@ -3028,6 +3033,18 @@ Comment = S/MIME Algorithms Description = authEnc256 +OID = 1 2 840 113549 1 9 16 3 19 +Comment = S/MIME Algorithms +Description = ecdhHKDF-SHA256 + +OID = 1 2 840 113549 1 9 16 3 20 +Comment = S/MIME Algorithms +Description = ecdhHKDF-SHA384 + +OID = 1 2 840 113549 1 9 16 3 21 +Comment = S/MIME Algorithms +Description = ecdhHKDF-SHA512 + # S/MIME miscellaneous OID = 1 2 840 113549 1 9 16 4 1 @@ -3723,7 +3740,7 @@ Comment = Adobe Acrobat security Description = pdfPPLKLiteCredential -OID = 1 2 840 113583 1 2 +OID = 1 2 840 113583 1 2 Comment = Adobe Acrobat CPS Description = acrobatCPS @@ -3751,7 +3768,7 @@ Comment = Adobe Acrobat ubiquity Description = pdfUbiquitySubRights -# The following arc is explicitly reserved for extensions that don't fall +# The following arc is explicitly reserved for extensions that don't fall # under 1 2 840 113583 1 1 9. In other words someone at Adobe either made # an editing error or codified an OID-encoding error. OID = 1 2 840 113583 1 9 @@ -4612,7 +4629,7 @@ Description = mpeg-1 # Hex OID = 06 0A 2B 06 01 04 01 97 36 DD 24 36, TSA policy that's needed -# because TSP requires a policy OID in responses. This is the 'snooze +# because TSP requires a policy OID in responses. This is the 'snooze # policy, "Anything that arrives, we sign". OID = 1 3 6 1 4 1 3029 54 11940 54 Comment = cryptlib TSA policy @@ -4893,6 +4910,22 @@ Comment = GNU encryption algorithm Description = serpent256_CFB +OID = 1 3 6 1 4 1 11591 15 1 +Comment = GNU encryption algorithm +Description = curve25519 + +OID = 1 3 6 1 4 1 11591 15 2 +Comment = GNU encryption algorithm +Description = curve448 + +OID = 1 3 6 1 4 1 11591 15 3 +Comment = GNU encryption algorithm +Description = curve25519ph + +OID = 1 3 6 1 4 1 11591 15 4 +Comment = GNU encryption algorithm +Description = curve448ph + # Northrop Grumman Mission Systems OID = 1 3 6 1 4 1 16334 509 1 1 @@ -6465,6 +6498,32 @@ Comment = Thawte certificate extension Description = strongExtranet +# Symantec, who seem to have taken over the Thawte arc via Verisign. + +OID = 1 3 101 110 +Comment = ECDH 25519 key agreement algorithm +Description = curveX25519 + +OID = 1 3 101 111 +Comment = ECDH 448 key agreement algorithm +Description = curveX448 + +OID = 1 3 101 112 +Comment = EdDSA 25519 signature algorithm +Description = curveEd25519 + +OID = 1 3 101 113 +Comment = EdDSA 448 signature algorithm +Description = curveEd448 + +OID = 1 3 101 114 +Comment = EdDSA 25519 pre-hash signature algorithm +Description = curveEd25519ph + +OID = 1 3 101 115 +Comment = EdDSA 448 pre-hash signature algorithm +Description = curveEd448ph + # SECG (Standards for Efficient Cryptography Group), who are just # Certicom "All your curves are belong to us" named elliptic curves @@ -6592,6 +6651,18 @@ Comment = SECG (Certicom) named elliptic curve Description = sect571r1 +OID = 1 3 132 1 11 1 +Comment = SECG (Certicom) elliptic curve key agreement +Description = ecdhX963KDF-SHA256 + +OID = 1 3 132 1 11 2 +Comment = SECG (Certicom) elliptic curve key agreement +Description = ecdhX963KDF-SHA384 + +OID = 1 3 132 1 11 3 +Comment = SECG (Certicom) elliptic curve key agreement +Description = ecdhX963KDF-SHA512 + # X9.84 OID = 1 3 133 16 840 9 84 @@ -6698,10 +6769,6 @@ Comment = X9.84 Biometric Description = biometricGait -OID = 1 3 133 16 840 9 84 1 -Comment = X9.84 -Description = x984ProcessingAlgorithm - OID = 1 3 133 16 840 9 84 3 Comment = X9.84 Description = x984MatchingMethod @@ -6790,10 +6857,6 @@ Comment = X9.84 IBIA Format Owner Description = ibiaOwnerSTMicroelectronics -OID = 1 3 133 16 840 9 84 4 1 -Comment = X9.84 Format Owner -Description = x984X9Owner - # X.520. X.500v4 added encrypted versions of most of these attributes # at n+2 (i.e. foo = 2 4 5 1, encryptedFoo = 2 4 5 1 2), this smells # like a horrible kludge for something and probably isn't used, so we @@ -9300,11 +9363,11 @@ OID = 2 23 134 1 4 2 1 Comment = PostSignum CA -Description = postSignumRootQCA +Description = postSignumRootQCA OID = 2 23 134 1 2 2 3 Comment = PostSignum CA -Description = postSignumPublicCA +Description = postSignumPublicCA OID = 2 23 134 1 2 1 8 210 Comment = PostSignum CA @@ -9359,14 +9422,14 @@ # EV certificate policies. There's no official record of what all the EV # policy OIDs are, it seems to be defined as "whatever the browsers will -# accept as EV". This is taken from +# accept as EV". This is taken from # http://en.wikipedia.org/wiki/Extended_Validation_Certificate, there's also -# a list in Chromium, the ev_root_ca_metadata list, but this contains +# a list in Chromium, the ev_root_ca_metadata list, but this contains # errors (e.g. the value "1.3.6.1.4.1.6449.1.2.1.5.1" [sic] is recorded as # being for both AddTrust and Comodo). # -# The OIDs are collected here in owner-name alphabetical order rather than -# scattering them throughout this list in OID order to make it easier to +# The OIDs are collected here in owner-name alphabetical order rather than +# scattering them throughout this list in OID order to make it easier to # track what's already present. OID = 1 2 40 0 17 1 22