Changes with v0.9.8

  *) PKCS11 pins were rejected if a PIN was the maximum possible pin
     length. If no pin is entered, we skip the login. [Graham Leggett]

Changes with v0.9.7

  *) Fix a segfault when trusted certificates are loaded with OpenSSL,
     and a further attempt is made to apply a module specific
     configuration to the certificate. [Graham Leggett]

  *) The openssl verify filter was adding the leaf certificate twice,
     once into the leaf certificate store, the second into the chain.
     This caused the key to be exported twice. Fixed. [Graham Leggett]

Changes with v0.9.6

  *) Add --filter-verify-dane to optionally ignore DANE validation
     errors. This allows DANE validation failure to appear in the
     metadata output, rather than having the certificate filtered.
     [Graham Leggett]

  *) Remove unused LDNS_FMT_SHORT symbol that is not widely available.
     [Graham Leggett]

Changes with v0.9.5

  *) Add --filter-verify-tlsa to perform a DNS lookup and subsequent
     verification of certificates against a TLSA record.
     [Graham Leggett]

  *) Add --filter-purpose option to allow search and verify to limit
     certificates by certificate purpose. [Graham Leggett]

  *) Fix a crash triggered when keychain is present but not used.
     [Graham Leggett]

  *) Add calculation of TLSA records to metadata-out. [Graham Leggett]

  *) Add optional modules for ldns and unbound libraries.
     [Graham Leggett]

Changes with v0.9.4

  *) Add --trust-pem-in to import PEM certificates and have them
     considered trusted. [Graham Leggett]

  *) Complete error handling for seteuid() and setegid().
     [Graham Leggett]

  *) Use seteuid() and setegid() for temporarily switching users.
     [Graham Leggett]

  *) Add support for reading certificates from the MacOS Keychain.
     [Graham Leggett]

  *) Add libical build parameters to the RPM spec file.
     [Graham Leggett]

Changes with v0.9.3

  *) Add the --calendar-out and --reminder-out options to publish
     certificate expiry to a calendar. [Graham Leggett]

  *) Add the --filter-expiry option to allow acceptance of expired leaf
     and chain certificates. [Graham Leggett]

  *) Silence the search filter message to stderr when the quiet flag is
     set. [Graham Leggett]

  *) Add --filter-date to specify the date for verification if not
     today. Add --metadata-threshold to indicate days before expiry we
     should treat as a warning. Add the error, warning, and status
     fields to validity in certificate metadata showing days to and
     from expiry. [Graham Leggett]

  *) Add --order-out parameter to control the order of certificates,
     intermediates, roots and keys that are written by the --pem-out
     option. [Graham Leggett]

  *) Add --parameter-out and --no-parameter-out to include parameters
     with private keys. [Graham Leggett]

Changes with v0.9.2

  *) Add --ssh-public-out to output public keys in one line SSH format
     as per RFC4253 section 6.6. [Graham Leggett]

  *) Set metadata format default to yaml, as yaml is way friendlier to
     humans than json or xml. [Graham Leggett]

  *) Separate stdout and stderr when generating metadata so that one
     doesn't ruin a cut and paste from the other. [Graham Leggett]

  *) Add --der-out, with the ability to split certificates,
     intermediates, roots, crls and keys into individual DER files.
     [Graham Leggett]

  *) Make sure when we filter no verified certificates, we exit with a
     non zero code. [Graham Leggett]

  *) Add support for reading and writing certificates and keys as
     specific users or groups. [Graham Leggett]

Changes with v0.9.1

  *) Add support for ~ expansion to pathnames in and out.
     [Graham Leggett]

  *) Default to --filter passthrough and --text-out. [Graham Leggett]

  *) Add --no-text-out option to suppress detailed text output in
     --pem-out and --metadata-out. [Graham Leggett]

  *) Allow the key to pick up an ID or a label from matching
     certificates in the pkcs11 case, covering all the options where
     the ID and label might need to be generated. [Graham Leggett]

  *) Decide on and write the label on certificates and keys when
     writing to pkcs11. [Graham Leggett]

  *) Check if certificates already exist before attempting write to NSS
     if --auto-out has been set. [Graham Leggett]

  *) Read the pkcs11 label on certificates. [Graham Leggett]

  *) The opencryptoki-swtok tokens can be used when uninitialised. Add
     a sanity check to ignore uninitialised tokens. [Graham Leggett]

  *) Some tokens refuse to accept a computed SubjectPublicKeyInfo.
     Retry the key import without one when CKR_ATTRIBUTE_TYPE_INVALID
     is returned. [Graham Leggett]

Changes with v0.9.0

  *) Initial import of redwax-tool. [Graham Leggett]